BF-SIRT Newsletter 2018-23

New Vulnerability Found in All Modern Intel CPUs

Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology. Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw.

Unlike other chip vulnerabilities, this one does not reside in the hardware layer, so this can be fixed by new microcode from Intel. As always, keep your software up to date.

Top 5 Security links
Startup Working on Contentious Pentagon AI Project Was Hacked
Tens of Thousands of Android Devices Are Exposing Their Debug Port
Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’
Feds Bust Dozens of Email Scammers, but Your Inbox Still Isn’t Safe
What got breached this week? Ticket portals, DNA sites, and Atlanta’s police cameras

 

(Blogpost image by Alexandru-Bogdan Ghita, “CPU in Socket”, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-22

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.

Top 5 Security links

Another flash update
Shipping industry cybersecurity: A shipwreck waiting to happen
Widespread Google groups misconfiguration exposes sensitive information
Destructive and MiTM capabilities of VPNFilter Malware revealed
When cybercriminals are rubbish at cybersecurity

BF-SIRT Newsletter 2018-21

BUG in GIT opens developers systems up to attack.

Git repository hosting services GitHub, GitLab and Microsoft VSTS each patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository.

Developers behind the open-source development Git tool pushed out Git 2.17.1, addressing two bugs (CVE-2018-11233 and CVE-2018-11235).

“These are tricky vulnerabilities that will require the Git hosting services to patch, but also individual developers who are using the tool,” said Tim Jarrett, senior director of security, Veracode.

Of the two vulnerabilities, CVE-2018-11235 is the most worrisome, researchers said.

The vulnerability is described as a submodule configuration flaw that surfaces when the Git submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Those hooks can be defined within the submodules, and submodules can be malicious and directed to execute code.

“The software does not properly validate submodule ‘names’ supplied via the untrusted .gitmodules file when appending them to the ‘$GIT_DIR/modules’ directory. A remote repository can return specially crafted data to create or overwrite files on the target user’s system when the repository is cloned, causing arbitrary code to be executed on the target user’s system,” according to a SecurityTracker description of the flaw.

Top 5 Security links

European Commission “doesn’t plan to comply with GDPR” – well, sort of
PCI Security Standards Council publishes PCI DSS 3.2.1
Google patches 34 browser bugs in chrome67, adds spectre fixes
How to turn PGP back on as safely as possible
Research shows 75% of ‘open’ Redis servers infected

BF-SIRT Newsletter 2018-20

VIRGINIA TECH AND DASHLANE ANALYSIS FIND RISKY, LAZY PASSWORDS THE NORM

Dashlane analyzed over 61 million passwords and uncovered some troubling password patterns. The analysis was conducted with research provided by Dr. Gang Wang, an Assistant Professor in the Department of Computer Science at Virginia Tech.

The Virginia Tech project, described as “the first large-scale empirical analysis of password reuse and modification patterns…” resulted in a landmark research paper: “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” Dr. Wang granted Dashlane’s Analytics Team access to the anonymized version of the 61.5 million passwords from the project so they could conduct further research into password trends.

Top 5 Security links

Amazon comes under fire for facial recognition platform
New VPNFilter malware targets at least 500K networking devices worldwide
Why not to use sha256crypt  or sha512crypt they’re dangerous
Intel’s ‘virtual fences’ spectre fix won’t protect against variant 4
The good and bad news about blockchain security

BF-SIRT Newsletter 2018-19

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

Top 5 Security links

Critical Linux flaw opens the door to full root access

Multi-stage email word attack without macros

GDPR phishing scam targets apple accounts

Hardcoded password found in Cisco Enterprise software, again

Another severe flaw in Signal desktop app

BF-SIRT Newsletter 2018-18

TWITTER URGES USERS TO CHANGE PASSWORDS DUE TO GLITCH

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling  to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.

Top 5 Security links
Meow, click me , Meow
Facebook’s getting a clear history button
Medical devices vulnerable to KRACK Wi-Fi attacks
Security Trade-Offs in the new EU privacy law
Glitch: new ‘Rowhammer’ attack can remotely hijack Android phones

BF-SIRT Newsletter 2018-17

Know what Instagram knows – here’s how you download your data

Instagram, the visual story-centric social media platform owned by Facebook, has now added a long-requested feature: the ability for users to download their data – including images, posts and comments.

Not to be cynical, but Instagram is not making this move out of the kindness of its heart: the compliance deadline for GDPR is in a month and data portability is one of its many requirements.

Top 5 Security links
Biggest marketplace selling internet paralysing ddos attacks taken down
F-secure hack unlocks millions of hotel rooms with handheld device
When your CA turns against you
Pyromine uses nsa exploit for monero mining and backdoors

Apples latest updates are out apfs password leakage bug squashed

San Francisco Airport (SFO) at night

BF-SIRT Newsletter 2018-16

State-Sponsored Cyber Actors do State-Sponsored Cyber Actor stuff

US-CERT published a joint Technical Alert (TA) resulting from efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) providing information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. And they provide some nice concrete information that can be reacted to. The fact that this happens is not new, and there is no reason to think Russia is the only ones who does this, they are not doing anything spectacular or fancy either. Check for the indicators provided, keep calm and carry on.

 

In a separate note, Oracle announces 250 security fixes in quarterly patch update, Cisco published important and critical security advisories for Firepower, ASA and WebEx.

 

Top 5 Security links
RSA 2018 Keynote – The Five Most Dangerous New Attack Techniques
PCI Council Releases Guidelines for Cloud Compliance
Hacking charge for URL-manipulation in Canada
Drupalgeddon 2 Vulnerability Used to Infect Servers With Backdoors & Coinminers
Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

 

(Blogpost image by Andrew Choy from Santa Clara, California, “San Francisco International Airport at night“, Creative Commons Attribution-Share Alike)

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure

Yesterday, US-CERT posted a bulletin about Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices ( https://www.us-cert.gov/ncas/alerts/TA18-106A ).
Our take on this is that this is something one must always assume to be happening, and if the bulletin is accurate then it’s not something Russia is alone in doing:
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-spying/

It is vital to have critical controls in place to protect against these types of attacks, and to be prepared to take action based on concrete Indicators of Compromise provided in alerts and threat intelligence. Basefarm is a member of FIRST.org, TF-CSIRT and Swedish CERT-Forum, which helps us gather intelligence such as this in a timely manner.

 

(Blogpost image by Erik Mandre, “Karu-Ursus arctos-Erik Mandre.jpg“, Creative Commons Attribution-Share Alike)

BF-SIRT Newsletter 2018-15

Facebook

On Tuesday and Wednesday this week, Mark Zuckerberg took part of congressional hearings regarding Cambridge Analytica and privacy concerns regarding Facebook. There are multiple news outlets covering the story, and KrebsonSecurity also wrote an article about how one should not trust these type of quizzes and such may receive data about you and your friends when you do them (which is how Cambridge Analytica got a hold of information about more than 50 million users when they approved access to the app “This is your digital life”).

Facebook has since added a website that allows you to check if your information was leaked or not, and they have also added additional privacy information on what type of data you have uploaded to Facebook with regards to Contacts, Call and Text history if you allowed Messenger or Facebook on your mobile to do so.

Facebook has also updated their bug bounty program and now offers a $40,000 bounty if you find evidence of Data Leaks.a

 

Top 5 Security links
Finland hit by a data breach affecting over 130,000 users
Drupal CVE-2018-7600 PoC is Public
Outlook bug allowed hackers to use .rtf files to steal windows passwords
Your Windows PC can get hacked by simply visiting a website if you don’t update
PowerHammer lets hackers steal data from air-gapped computers through power lines