Latest cyber threats, vulnerabilities, data breaches and security updates
Friday February 16, 2018:
Apache CouchDB vulnerabilities exploited

Security researchers from Trend Micro have spotted two vulnerabilities that are being exploited in a popular open source database management system. The two are the Apache CouchDB JSON Remote Privilege Escalation Vulnerability (CVE-2017-12635) and Apache CouchDB _config Command Execution (CVE-2017-12636). Each of these bugs was patched back in November 2017.

"Due to differences in CouchDB’s parsers, exploitation of these vulnerabilities can provide attackers with duplicate keys that allow them access control — including administrator rights — within the system. The attackers can then use these functions to execute arbitrary code," Trend Micro stated in the report.
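The parser-disagreement mechanism Trend Micro describes, as an added example that is not part of the original report: two JSON parsers that resolve a repeated key differently (one keeping the first value, the other the last) are modelled in Python, and a strict parser refuses any document that repeats a key, so the two sides of a system can never disagree about what it says. The sample document, its key names and the role value are constructed for illustration; CouchDB's own Erlang and JavaScript parsers are not invoked.

```python
import json

# Constructed sample document: the "roles" key appears twice. A parser that keeps
# the first value sees an admin; one that keeps the last sees no roles at all.
SAMPLE_DOC = '{"type":"user","name":"alice","roles":["_admin"],"roles":[]}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs):
    # json.loads hands every object to this hook as an ordered list of pairs,
    # so a repeated key is visible here even though a dict would silently merge it.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_strict(text):
    """Parse JSON, refusing any object (at any depth) that repeats a key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def first_wins(text):
    """Model of a parser that keeps the first occurrence of a repeated key."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def last_wins(text):
    """Model of a parser that keeps the last occurrence (Python's default,
    and what JavaScript's JSON.parse does)."""
    return json.loads(text)


def has_duplicate_keys(text):
    """True if the document contains a repeated key anywhere."""
    try:
        parse_strict(text)
    except DuplicateKeyError:
        return True
    return False


if __name__ == "__main__":
    print("first-wins parser sees roles:", first_wins(SAMPLE_DOC)["roles"])
    print("last-wins parser sees roles: ", last_wins(SAMPLE_DOC)["roles"])
    print("strict parser rejects it:    ", has_duplicate_keys(SAMPLE_DOC))
```

The defensive point is the strict parser: whenever two components (an authorization check and a storage layer, say) each parse the same untrusted JSON, rejecting repeated keys at the boundary removes the ambiguity instead of hoping both parsers resolve it the same way.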

Security experts have been warning users of the surge in cryptocurrency miners driven by the growing popularity and prices of digital currencies such as Bitcoin, Monero and many others. System administrators and users should keep systems up to date with the latest patches, change default account credentials to strong passwords, and enable firewalls and intrusion detection systems, to name just a few critical safeguards.

Cyber news

Also in the news today...

Dell EMC VMAX patch: "Dell EMC has patched two critical flaws in vApp Manager, the management interface for its VMAX enterprise storage systems, and is urging all customers to implement fixes as soon as possible," Help Net Security reports. See more information on the vulnerabilities - CVE-2018-1215 and CVE-2018-1216.

NotPetya malware blame: "The Australian government has on Friday joined its United Kingdom and United States allies in attributing the NotPetya malware attack to Russia," ZDNet reports.

Cyber criminals abuse SWIFT to steal millions: "Unknown criminals abused the SWIFT network to steal 339.5 million rubles ($6 million) from the Central Bank of Russia in 2017...The bank’s Financial Sector Computer Emergency Response Team (FinCERT) revealed the attack in its report on illegal transactions that occurred in 2017," Tripwire reports.

Unsecured AWS S3 bucket exposes FedEx customers: "Kromtech Security Center researchers came across the exposed information, which included 119,000 scanned documents such as passports, driver's licenses, security IDs and the like, on an open S3 server belonging to Bongo International, a company FedEx purchased in 2014 and which became part of the shipping firm's now-shuttered FedEx CrossBorder service," SC Magazine reports.

Macro-less email Word attack: "Recently, we have been receiving a lot of standard macro-related downloaders, most of them distributed from the Necurs botnet. However, the sample we look at today takes a longer, macro-less approach," Trustwave researchers report.

Thursday February 15, 2018:

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified Trojan malware variants, HARDRAIN and BADCALL, used by the North Korean government. The North Korean government's malicious cyber activity is referred to by the U.S. government as HIDDEN COBRA.

As part of the NCCIC/US-CERT alert, analysis and technical details on the tools and infrastructure used by cyber actors of the North Korean government were revealed. The purpose of the report is to provide network defenders the details needed to help reduce exposure to HIDDEN COBRA cyber activity.

A brief excerpt describing the malware covered in the Malware Analysis Reports (MARs):

"This report provides analysis of three (3) malicious executable files. The first two (2) files are 32-bit Windows executables that function as proxy servers and implement a 'Fake TLS' method similar to the behavior described in a previously published NCCIC report, MAR-10135536-B. The third file is an Android Package Kit (APK) file designed to run on Android platforms as a fully functioning Remote Access Tool (RAT)."

A MAR is intended to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs) observed in the malware. 

Cyber news

Also in the news today...

DoubleDoor botnet: "NewSky Security’s honeypots have detected a new IoT botnet in the making. The botnet was named DoubleDoor, as it leverages two distinct backdoors to get to the target: ZyXEL PK5001Z modems," Help Net Security reports.

TrickBot cryptocurrency attacks: "The inner workings of TrickBot’s cryptocoin attack rely on an existing TrickBot attack tactic: webinjections. This age-old favorite tool of many banking Trojans is a form of man-in-the-browser attack that enables malware to modify webpages presented to the user," Security Intelligence reports.

Bitcoin phishing gang makes millions: "Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims," Cisco's Talos Security team reports. The Talos team added detailed analysis of the cybercriminal campaign dubbed COINHOARDER.

Wednesday February 14, 2018:
Microsoft February Patch Updates

Microsoft issued its February 2018 Security Updates, which include more than 50 fixes, 14 of them critical. The updates address multiple Microsoft products, including Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, ChakraCore and Adobe Flash.

One of the most notable critical vulnerabilities fixed is an Outlook memory corruption vulnerability (CVE-2018-0852) that could allow an attacker to run arbitrary code in the context of the current user to take control of the affected system. This scary bug also allows an attacker to use the Outlook Preview Pane as an attack vector.

Another critical fix addresses a StructuredQuery Remote Code Execution (RCE) vulnerability (CVE-2018-0825) that could also allow an attacker to take control of the affected Windows system. Qualys said this patch should be at the top of the priority list, and Microsoft said exploitation of this bug is more likely.

The update also includes the out-of-band Office patches issued in mid-January and the Adobe Flash fixes from last week. See the Security Update Guide for more details on all patches.

Adobe Acrobat and Reader security updates

Adobe released a security update (APSB18-02) for Adobe Reader and Acrobat for Windows and Mac operating systems. The update addresses 41 vulnerabilities, including 17 rated as critical. Adobe says the critical vulnerabilities could potentially allow an attacker to take control of the affected system, so updates should be applied as soon as possible.

Adobe also updated Adobe Experience Manager (APSB18-04), addressing two cross-site scripting vulnerabilities (CVE-2018-4875 and CVE-2018-4876), one rated moderate and the other important.

Cyber news

Also in the news today...

Zero-day vulnerability in Telegram: "Cybercriminals exploited Telegram flaw to launch multipurpose attacks...In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service," Kaspersky Lab researchers reported.
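The right-to-left override trick Kaspersky refers to, shown from the defender's side as an added example that is not from the Kaspersky report or the Telegram client: the Unicode control U+202E makes the characters after it display mirrored, so a file's displayed extension can differ from the one the operating system will act on. The Python below flags any filename carrying a bidirectional control, strips the controls to recover the real extension, and models the displayed form with a deliberate simplification of the Unicode bidi algorithm (the text after an override is mirrored up to the matching U+202C or the end of the string), which is enough for Latin-script names. The sample filename is constructed.

```python
import unicodedata

# Unicode bidirectional-control code points that change how text is displayed
# without changing its bytes. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one used in
# the Telegram attack; the others are included because they serve the same end.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f"                    # LRM, RLM
)
RLO, PDF = "\u202e", "\u202c"

# Constructed sample: the attachment name as transmitted (bytes), not as rendered.
SAMPLE_NAME = "invoice" + RLO + "cod.exe"


def find_bidi_controls(name):
    """Return (index, Unicode character name) for every bidi control in the string."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi_controls(name):
    """Remove bidi controls; what remains is what the OS will actually open."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """Extension the file system sees, ignoring any display tricks."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def apparent_name(name):
    """Approximate what a user sees: text after an RLO is mirrored up to the
    matching PDF (or the end of the string). Simplified bidi model, see lead-in."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1  # step past the PDF (or past the end of the string)
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them from the visual model
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def apparent_extension(name):
    """Extension as the user would read it off the screen."""
    shown = apparent_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def assess_filename(name):
    """Flag a name that carries any bidi control, or whose displayed
    extension differs from the one the OS will use."""
    controls = find_bidi_controls(name)
    real, shown = true_extension(name), apparent_extension(name)
    return {
        "bidi_controls": controls,
        "true_extension": real,
        "apparent_extension": shown,
        "suspicious": bool(controls) or real != shown,
    }


if __name__ == "__main__":
    print("user sees:   ", apparent_name(SAMPLE_NAME))
    print("OS opens as: ", strip_bidi_controls(SAMPLE_NAME))
    print("assessment:  ", assess_filename(SAMPLE_NAME))
```

A mail or chat gateway has no legitimate reason to accept bidi controls in attachment names, so the simplest policy is to reject or strip them on receipt; the apparent-versus-true extension comparison is useful when the name has to be preserved and only an alert is wanted.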

Malicious WordPress plugins found: "On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads," Sucuri Security researchers said on Monday. 

Meltdown and Spectre detector: "Microsoft's added a Meltdown-and-Spectre detector to Windows Analytics, the company's telemetry analysis tool for sysadmins," The Register reports. The new tool was revealed on Tuesday. 

Lazarus targets global banks, Bitcoin users: "McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact," McAfee Labs reports.

Tuesday February 13, 2018:
AndroRAT exploits older Android vulnerability

Are you still running an older version of the Android operating system? If so, you may want to upgrade your device now. Trend Micro researchers detected a new variant of the Android Remote Access Tool (AndroRAT) that targets an older, publicly disclosed vulnerability (CVE-2015-1805) that allows an attacker to compromise older Android devices and perform privilege escalation. Google patched the vulnerability back in March 2016.

According to the report, AndroRAT "can inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture." AndroRAT is disguised as a malicious utility app called "TrashCleaner" that could possibly be downloaded via a malicious URL. 

Users should avoid downloading apps from third-party app stores and instead use only legitimate app stores. Also keep your Android device current with the latest patches and a supported OS version. Anti-malware and mobile application reputation software can add further layers of defense to help detect malicious software on your mobile device.

More Cybersecurity news

Also in the news...

Winter Olympics cyberattack: "Winter Olympics officials have confirmed that a cyberattack occurred during the games’ opening ceremony on Feb. 9, but are remaining mum on the source of the attack. Researchers say the attack employed malware, dubbed Olympic Destroyer, that was written with the sole intention of destroying systems, not to steal data," Threatpost reports.

Netgear home router patches: "If you're using a Netgear router at home, it's time to get patching. The networking hardware maker has just released a tsunami of patches for a couple of dozen models of its kit," The Register reports.

Facebook privacy settings run into legal trouble: "Facebook’s default privacy settings and some of its terms of service fall afoul of the German Federal Data Protection Act, the Berlin Regional Court has found," Help Net Security reports.

Monday February 12, 2018:
Lenovo warns of critical WiFi vulnerabilities

Lenovo warned its customers about two critical Broadcom WiFi vulnerabilities that affect 25 ThinkPad models. The firmware vulnerabilities impact Broadcom’s BCM4356 Wireless LAN Driver for Windows 10 and contain buffer overflow flaws. What's interesting is these are the same two firmware vulnerabilities (CVE-2017-11120 and CVE-2017-11121) that were patched by Apple and Google back in September.

More background on the Broadcom WiFi vulnerabilities as stated by Lenovo in their security advisory:

"Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU). Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes into a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed."

Both vulnerabilities are rated critical and carry the highest possible CVSS score of 10.0. As Threatpost reported Friday, the first vulnerability, CVE-2017-11120, was identified by Google Project Zero researcher Gal Beniamini in June and subsequently disclosed publicly last September.

“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” Beniamini said.

ThinkPad users are strongly encouraged to update to the latest WiFi driver versions on affected ThinkPad models. 

More Cybersecurity news

Also in the news...

Russian supercomputers used to mine cryptocurrency: "Employees at the Russian Federation Nuclear Center have been arrested on suspicion of using supercomputers at the facility to mine cryptocurrency," ZDNet reports.

Hacking of third-party technology provider Texthelp leads to thousands of website infections with a crypto-miner script: "Bad actors secretly infected more than 4,000 websites with the script for a crypto-miner after hacking a single technology provider," Tripwire reports.

One security researcher said this could have been easily avoidable with one "tiny change" in how the script was loaded.
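The article does not say what the change was. The standard control for this class of problem, a third-party script modified at its source and then pulled in unchanged by every page that references it, is Subresource Integrity (SRI): the page pins the script to a cryptographic hash in the `integrity` attribute and the browser refuses to run anything that does not match. The Python below is an added example, not code from the article or from the provider; it generates the pinned tag a site would publish and models the browser's check against a constructed stand-in for the script and for a tampered copy of it.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party script a page loads from a vendor's CDN.
VENDOR_SCRIPT = b"window.addEventListener('load', function () { /* accessibility widget */ });\n"
# Constructed stand-in for the same file after an attacker appended extra code at the source.
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"(function () { /* unexpected addition */ })();\n"

ALLOWED_ALGOS = ("sha256", "sha384", "sha512")  # digests browsers accept for SRI


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value of the form '<algo>-<base64 digest>'."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the <script> tag a site would publish, pinned to the script's hash.
    crossorigin="anonymous" is required for SRI to apply to cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(fetched: bytes, integrity: str) -> bool:
    """Model the browser's check: recompute the digest of what was actually
    fetched and compare it with the pinned value; any mismatch blocks execution."""
    algo, _, _ = integrity.partition("-")
    if algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(fetched, algo), integrity)


if __name__ == "__main__":
    # The URL is a placeholder, not the provider's real script location.
    tag = script_tag("https://cdn.example.test/widget.js", VENDOR_SCRIPT)
    pinned = sri_hash(VENDOR_SCRIPT)
    print(tag)
    print("genuine copy runs:  ", browser_would_execute(VENDOR_SCRIPT, pinned))
    print("tampered copy runs: ", browser_would_execute(TAMPERED_SCRIPT, pinned))
```

The trade-off is operational: the pinned hash must be updated whenever the vendor legitimately changes the script, so SRI suits scripts served at versioned URLs rather than "latest" endpoints. A Content Security Policy with `require-sri-for`-style enforcement is the complementary control where a site wants every script tag to carry a pin.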