The commonly observed threat category for the past week was phishing schemes. Security researchers from various cyber security companies uncovered various phishing schemes that was used in wild. So, it is important for the users to be aware about such phishing schemes and be vigilant against them.
Figure 1: Threat Categories
The following graph represents the trend in different cyber threats as compared to previous week.
Linux Crypto Miners Are Now Using Rootkits to Stay Hidden (November 09, 2018)
Crypto miner Trojans that are being created and distributed to unsuspecting victims. One problem for crypto miners, though, is that the offending process is easily detectable due to their heavy CPU utilization. To make it harder to spot a crypto miner process that is utilizing all the CPU, a new variant has been discovered for Linux that attempts to hide its presence by utilizing a rootkit. According to a new report by TrendMicro, this new crypto miner + rootkit combo will still cause performance issues due to the high CPU utilization, but administrators will not be able to detect what process is causing it.
Recommendation: Disable unwanted privileges, minimize the use of unverified libraries or repositories; Harden the systems by using verified security extensions that can help with issues like misconfigurations; Reduce the system’s attack surface through access control policies that manage access to files and system or network resources; and regularly monitor systems and networks for anomalous activities. Patch the systems regularly to prevent vulnerabilities from being exploited; use updated versions of server-based applications to lessen the risk of compromises; and employ security mechanisms such as intrusion detection and prevention systems.
Microsoft Releases Info on Protecting BitLocker From DMA Attacks (November 08, 2018)
Soon after research was released that BitLocker drives could be decrypted using SSD hardware encryption flaws, Microsoft released a support bulletin describing how to protect BitLocker from 1394 & Thunderbolt DMA attacks. 1394 and Thunderbolt devices are capable of Direct Memory Access, or DMA, which unless restricted, allows these devices to read and write to the entire system memory of the computer without utilizing the computer’s processor.
Recommendation: Enable the “External device enumeration” policy; Patches are released for the vulnerability, so update the system with the latest patches.
VirtualBox Zero-Day Vulnerability Details and Exploit Are Publicly Available (November 06, 2018)
A Russian vulnerability researcher and exploit developer has published detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug. According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems. Exploiting the vulnerability allows an attacker to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer, used for running code from most user programs, with the least privileges.
Recommendation: Until the patched VirtualBox build is out you can change the network card of your virtual machines to PCnet (either of two) or to Paravirtualized Network. If you can’t, change the mode from NAT to another one. The former way is more secure.
HSBC Bank Data Breach Exposed Account Numbers, Balances, and More (November 06, 2018)
A data breach at HSBC Bank has allowed attackers to gain access to a limited amount of customer’s information such as account numbers, balances, addresses, transaction history, and much more. California law requires business who conduct business with California residents to file security notices with the Attorney General’s office in the event of a data breach or other cyber security incident. If a notice is sent to more than 500 California residents, then the business must also submit a sample of the notice, so it can be made available online.
Recommendation: Regularly change passwords and use unique passwords at each site visited; Enroll for a credit monitoring service; Regularly monitor for bank transactions.
Popular WooCommerce WordPress Plugin Patches Critical Vulnerability (November 06, 2018)
Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the unpatched websites. WooCommerce is one the most popular eCommerce plugins for WordPress that helps websites to upgrade their standard blog to a powerful online store. WooCommerce powers nearly 35% of e-stores on the internet, with more than 4 million installations.
Recommendation: Update your WordPress and Woocommerce to the latest available security update.
Apache Struts Team Urges Users for Library Update to Plug Years-Old Bugs (November 06, 2018)
The Apache Software Foundation reiterates its recommendation for users of Struts to make sure their installations run a version of the Commons FileUpload library newer than 1.3.2, lest they expose their projects to possible remote code execution attacks. Versions of the library prior to 1.3.3 have a deserialization problem with a Java Object, which could be exploited to write or copy files to arbitrary locations on the disk. According to the original advisory for the vulnerability, “while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call.” Unless there is a different mechanism to add file upload capability to web applications built with Struts, the framework defaults to the Commons FileUpload component.
Recommendation: Apache Struts versions from 2.5.12 and above are not affected because they already have the newer Commons FileUpload release. So, update to the latest version.
U-Boot’s Trusted Boot Validation Bypassed (November 06, 2018)
Memory handling issues in U-Boot open-source bootloader for embedded devices make possible multiple exploitation techniques that lead to arbitrary code execution. U-Boot, short for the Universal Boot Loader, is a first-stage and second-stage bootloader. It is responsible for the initial hardware configuration and loading the operating system (OS) kernel. It has support for a variety of architectures, including ARM, MIPS, and PowerPC. Among the types of devices, it can initiate are Chromebooks, routers, and Amazon Kindle. To ensure that authentic code is running on the system, U-Boot features ‘Verified Boot’ – its own version of Secure Boot – which verifies the integrity of the images it loads.
Recommendation: Patches are released, please update with the latest patches.
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.