NIC-CERT 08th February 2018 eNewsletter

1. Flash Player zero-day exploit discovered

South Korean authorities have released a warning about a new Adobe Flash Player zero-day exploit. The South Korean CERT reports that North Korean hackers are exploiting this Flash Player zero-day to target South Korean individuals who focus on researching North Korea. In its warning the Korean CERT said that an “attacker may be able to convince a user to open an Office document, web page, or spam mail containing a Flash file.”

The malicious Word or Excel document embeds a Flash SWF file. From this warning, it appears that the bug has not yet been addressed by Adobe, which means systems elsewhere could also be at risk.

Reference: https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

2. Privacy of fitness tracking application breached after soldiers’ exercise routes shared online

Strava, a website and mobile application that connects to smartphones and wearable fitness trackers such as Fitbits to track and share athletic activity online, landed in trouble after posting a heat map that shows where its users run, cycle and exercise.

The alarm was first raised by Nathan Ruser, a 20-year-old Australian student and analyst at the Institute for United Conflict Analysts, who described in Twitter posts how Strava’s heat map appeared to reveal the movement patterns of security forces at remotely located military bases. All of this data comes from Strava users’ uploaded activity from smartphones and fitness trackers.

This demonstrates that users should be aware of what information a device reveals to the outside world. While a single user may use the application for one particular activity, aggregated in large volumes this information may reveal a whole group’s activities.

Reference: https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

3. Botnet discovered in Grand Theft Auto videogame

Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect the IoT devices associated with its members.

Satori is a derivative of Mirai, the botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world’s largest websites. The associated vulnerabilities are CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers.

Radware’s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas.

Reference: https://www.infosecurity-magazine.com/news/jenx-botnet-emerges-to-target-iot/


4. Oracle MICROS POS vulnerability puts 300,000 systems at risk

A new security flaw has been discovered which is affecting Oracle MICROS point-of-sale (POS) systems. The vulnerability allows attackers to collect configuration files from the affected POS systems, and use this data to gain full access to the POS system and attached services. This flaw is highly dangerous considering a lot of customer financial or personal data is linked with these systems.

Security researchers have observed that attackers have always tried to leverage vulnerabilities that could be used to target POS systems, as they are “a hacker’s coveted choice.” The vulnerability affecting Oracle MICROS POS systems was discovered last year by security researcher Dmitry Chastuhin. Tracked as CVE-2018-2636, it has been given a severity rating of 8.1 out of 10, meaning it is rated highly severe.

References: https://threatpost.com/oracle-micros-pos-vulnerability-puts-300000-systems-at-risk/129736/

5. Leaky Amazon S3 bucket exposes personal data of 12,000 social media influencers

A misconfigured Amazon Simple Storage Service (S3) bucket managed by Paris marketing firm Octoly left contact information and personal details for more than 12,000 social media influencers exposed.

The exposed data also included a wealth of information about the companies that use Octoly’s services, which include L’Oreal and Estée Lauder, as well as thousands of analytics reports generated by a company called Deep Social. The reports contain detailed information on Octoly’s members’ online influence, activity, followers and personal tastes.

After repeated warnings, Octoly deleted the backup, but spreadsheets containing personally identifiable information were not locked down until 1st February.

Octoly connects popular Instagram, Twitter and YouTube users with companies that provide them consumer goods and services at no charge in hopes of getting favourable reviews or otherwise amplifying their brand image online.

Reference: http://www.hackbusters.com/news/stories/2600564-leaky-amazon-s3-bucket-exposes-personal-data-of-12-000-social-media-influencers


6. Cisco issues new patches for critical firewall software vulnerability

Cisco has released new patches for a critical vulnerability in its Adaptive Security Appliance (ASA) software after further investigation.

Cisco has announced the vulnerability, CVE-2018-0101, which received a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible. It was initially discovered by Cedric Halbronn of NCC Group. There are no known incidents of the vulnerability being exploited, but Cisco has issued an advisory to apply the updated patches. The vulnerability now affects 15 products that run ASA software, including a wide range of Firepower Security Appliance versions, ASA 5500-X Series Next-Generation Firewalls and ASA 5500 Series Adaptive Security Appliances.

Reference: http://www.hackbusters.com/news/stories/2599509-cisco-issues-new-patches-for-critical-firewall-software-vulnerability

7. New Monero crypto-mining botnet leverages Android debugging tool

A new botnet that distributes malware for mining the Monero cryptocurrency has been discovered. According to researchers at Qihoo 360 Netlab, it infects Android devices through a port linked with a debugging tool for the OS. Most of the Android devices being targeted by ADB.Miner are located in China and South Korea, but 360 Netlab is not identifying any of them at this time.

360 Netlab calls the botnet ADB.Miner. It is gaining entry to Android devices, mostly smartphones and TV boxes, through port 5555, which is associated with Android Debug Bridge (ADB), a command-line tool used for debugging, installing apps and other purposes. According to 360 Netlab’s own scanning data, scanning traffic on port 5555 has entered its top 10.

Reference: https://blacklakesecurity.com/new-monero-crypto-mining-botnet-leverages-android-debugging-tool/

8. Grammarly patches Chrome extension bug that exposed users’ documents

Grammarly has fixed a bug with its Chrome browser extension that exposed its authorization tokens to websites, allowing sites to assume the identity of a user and view their account’s documents.

Grammarly patched the security bug, reported by Google’s Project Zero security researcher Tavis Ormandy, within hours of the report’s release. The security issue potentially affected text saved in the Grammarly Editor. The bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.

Grammarly has already addressed the problem and pushed an update to the Chrome Web Store. There are more than 20 million users of Grammarly’s Chrome extension, and the company also offers a web-based editor. Its software scans writing for grammar, spelling, punctuation and style, offering corrections and suggestions.

Reference: https://threatpost.com/grammarly-patches-chrome-extension-bug-that-exposed-users-docs/129794/

9. Google introduces new category in the bug bounty program

Google is adding a new category to its Bug Bounty program covering vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that give access to protected app components. These will carry a $1,000 award.

Google runs bug bounty programs across its various products, including Chrome and Android, and in October it introduced a program to track security issues in some of the most popular apps in the Google Play store.

There are more than 3.5 million apps on the Play store at present, which makes policing it a sizable task. Google recently said it booted 700,000 apps from the store during 2017, a 70 percent rise over 2016. Ninety-nine percent of bad applications were removed before anyone could install them, Google said.

Reference: https://threatpost.com/google-expands-play-marketplace-bug-bounty-program/129824/

10. 36 people charged for cyber-crime in Infraud

Thirty-six people have been charged for their alleged involvement in running a cyber-crime service responsible for millions in losses.

The Infraud Organisation is said to have dealt in stolen credit cards and passwords and engaged in bank fraud and ID theft. As of March 2017, its dark-web-based service’s discussion forum is said to have had 10,901 registered members.

Five of the apprehended defendants were based in the US, while others came from France, Canada, Pakistan, Russia, Egypt, Italy and Macedonia, among other countries. The apprehended suspects also include UK-based Anthony Nnamdi Okeakpu, who is alleged to have joined in December 2010 and to have used the nickname “moneymafia”.

Reference: https://krebsonsecurity.com/2018/02/u-s-arrests-13-charges-36-in-infraud-cybercrime-forum-bust/