Latest cyber threats, vulnerabilities, data breaches and security updates
Thursday October 18, 2018:
‘Operation Oceansalt’ wave of cyber attacks

A new campaign dubbed 'Operation Oceansalt' has been spotted targeting victims in 
South Korea, the U.S., and Canada.

The McAfee Advanced Threat Research team released the findings in a new report, “Operation Oceansalt Attacks South Korea, U.S., and Canada with Source Code from Chinese Hacker Group.” According to McAfee, the attacks were launched in "five distinct waves adapted to their separate targets."

McAfee said the new campaign could be linked to APT1, also known as Comment Crew, a Chinese military-linked threat actor whose offensive cyber operations against U.S. targets go back 10 years. 

"The Oceansalt malware uses large parts of code from the Seasalt implant, which was linked to the Chinese hacking group Comment Crew," McAfee said in the blog post.

Although Comment Crew is a possible suspect, McAfee said the Seasalt code could also have been obtained and reused by a different adversary. 

Alternatively, McAfee said the activity could be a “false flag” operation designed to suggest that Comment Crew has re-emerged.

Wednesday October 17, 2018:
Oracle security updates for October

Oracle has released its Critical Patch Update for October 2018 that addresses 301 vulnerabilities across multiple product families. 

Of the 301 vulnerabilities, nearly 50 have a CVSS score of 9.0 or higher (10.0 being the highest).

The Critical Patch Update contains 65 new security fixes for Oracle Fusion Middleware.

"56 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle said. 

In addition, new security fixes were made available for Oracle Database Server (7), Oracle Java SE (12), Oracle MySQL (38) and Oracle PeopleSoft Products (24), to name just a few of the product families. 

Two of the Oracle Database vulnerabilities are remotely exploitable without authentication; one of those fixes is for Java VM (CVE-2018-3259). 

One of the fixed vulnerabilities (CVE-2018-2913) impacts Oracle GoldenGate Monitoring Manager and is rated 10.0.

See Oracle's full October 2018 Critical Patch Update advisory for the complete list of affected products and fixes.

VMware security updates

VMware has released a security update to address a critical vulnerability in ESXi, Workstation, and Fusion products. 

The update (VMSA-2018-0026) specifically addresses an out-of-bounds read vulnerability (CVE-2018-6974) in the SVGA device.

VMware said the issue may allow a guest to execute code on the host.

Tuesday October 16, 2018:
Agent Tesla malware discovered

Cisco Talos researchers discovered a new malware campaign distributing a data-stealing trojan dubbed "Agent Tesla." The Loki information stealer was also observed in the same campaign. 

"Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it," Talos stated in a recent blog post.

Talos also said that Agent Tesla can steal users' login credentials from multiple applications, including Google Chrome, Mozilla Firefox, Microsoft Outlook and others.

The malware can "capture screenshots, record webcams, and allow attackers to install additional malware on infected systems."

Monday October 15, 2018:
Multiple PHP vulnerabilities fixed

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released a security advisory that addresses multiple PHP vulnerabilities. 

The PHP (Hypertext Preprocessor) vulnerabilities are rated High severity and could allow an attacker to execute arbitrary code in the context of the affected application.

Systems impacted include PHP 7.2 prior to 7.2.11 and PHP 7.1 prior to 7.1.23.

"Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition," MS-ISAC warned in the advisory.

System administrators should upgrade PHP installations as soon as possible. 
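As an added example (not from the MS-ISAC advisory or the PHP project), the following Python script triages an inventory of `php -v` banners against the fixed versions named above, 7.2.11 and 7.1.23. The host names and banners are constructed for illustration. Branches the advisory does not mention (7.0, 5.6) are reported as "not-covered" rather than as safe, since this advisory says nothing about them.

```python
"""Flag PHP installations still below the fixed versions named in the advisory."""
import re

# Fixed versions from the MS-ISAC advisory, keyed by (major, minor) branch.
FIXED = {
    (7, 2): (7, 2, 11),
    (7, 1): (7, 1, 23),
}

# Matches the leading "PHP x.y.z" of a `php -v` banner or a bare version string.
VERSION_RE = re.compile(r"\bPHP (\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string or `php -v` banner,
    or None when no PHP version is present (e.g. php is not installed)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify a parsed version against the advisory's fixed versions.

    'vulnerable'  - same branch, below the fixed patch level
    'fixed'       - same branch, at or above the fixed patch level
    'not-covered' - a branch the advisory does not mention; not proven safe
    """
    branch = version[:2]
    if branch not in FIXED:
        return "not-covered"
    return "vulnerable" if version < FIXED[branch] else "fixed"


# Constructed sample inventory: hypothetical host -> first line of `php -v`.
INVENTORY = {
    "web-01": "PHP 7.2.10 (cli) (built: Sep 13 2018 12:00:00) ( NTS )",
    "web-02": "PHP 7.2.11 (cli) (built: Oct 11 2018 12:00:00) ( NTS )",
    "api-01": "PHP 7.1.22 (cli) (built: Sep 13 2018 12:00:00) ( NTS )",
    "legacy-01": "PHP 7.0.32 (cli) (built: Sep 13 2018 12:00:00) ( NTS )",
    "batch-01": "bash: php: command not found",
}


def triage(inventory):
    """Map each host to its status; hosts without a PHP banner get 'no-php'."""
    results = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        results[host] = "no-php" if version is None else assess(version)
    return results


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:<10} {status}")
```

On a real fleet the banners would come from `php -v` run over SSH or from a configuration-management inventory; the tuple comparison is what keeps 7.2.9 from sorting above 7.2.11 as a string compare would.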

Pentagon cyber breach 

The Pentagon announced on Friday that there had been a cyber breach of Defense Department travel records, including the compromise of personal information and payment card data belonging to U.S. military and civilian personnel.

"According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered," The Associated Press reports.

Saturday October 13, 2018:
Microsoft Edge RCE vulnerability POC exploit

A proof-of-concept (POC) has been released for an exploit of a recently patched Microsoft Edge vulnerability. 

The Windows Shell Remote Code Execution (RCE) vulnerability (CVE-2018-8495) exists when Windows Shell improperly handles URIs. The bug was patched this past Tuesday as part of Microsoft's October security updates. 

Trend Micro's Zero Day Initiative (ZDI) released an updated security advisory on the threat: 

"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page and perform a UI action."

Security researcher Abdulrahman Al-Qabandi published the Microsoft Edge RCE exploit POC and a video in a blog post.

"Chaining a few bugs in Edge I was able to achieve remote code execution by mainly abusing custom URI schemes," Al-Qabandi said. 

The researcher had previously disclosed the vulnerability to ZDI. 

Friday October 12, 2018:
Facebook provides security update on breach that impacted 30M users

Facebook published an update on the security breach it disclosed two weeks ago, which impacted millions of users. 

The company revised the number of affected users down from 50 million to 30 million, and shared details of the attack, which exploited a vulnerability in Facebook's code that existed between July 2017 and September 2018.

"The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted 'View As,' a feature that lets people see what their own profile looks like to someone else. It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts," Facebook stated in the security update on Friday. 

According to Facebook, the attackers already controlled a set of accounts, each of which was connected to other Facebook users as friends.

The attackers then "used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people," Facebook said.  

The attackers then used the friend lists of a portion of those 400,000 accounts to steal access tokens for about 30 million people. 
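To make the two-phase, friend-to-friend harvesting concrete, here is an added Python model; it is not Facebook's code, and the friend graph, account names, hop limit and pivot fraction are constructed for illustration. Phase 1 walks the graph breadth-first, treating every account whose token is captured as a new pivot, as the text describes for the first ~400,000 accounts. Phase 2 pulls tokens for the friends of a subset of those pivots without pivoting further, as described for the 30 million. The last function is the defender's side of the same computation: the set of accounts whose tokens must be invalidated is everything reachable in either phase, not just the accounts the attackers pivoted through.

```python
"""Model token harvesting that spreads across a friend graph."""
from collections import deque

# Constructed toy friend graph (undirected, stored symmetrically). Hypothetical
# account names; nothing here is real Facebook data.
FRIENDS = {
    "s1": {"u1", "u2"},
    "u1": {"s1", "u3"},
    "u2": {"s1", "u3", "u4"},
    "u3": {"u1", "u2", "u5"},
    "u4": {"u2", "u6"},
    "u5": {"u3"},
    "u6": {"u4", "u7"},
    "u7": {"u6"},
    "x1": {"x2"},  # disconnected component: never reachable from the seed
    "x2": {"x1"},
}


def expand(graph, seeds, max_hops):
    """Phase 1: breadth-first spread from attacker-controlled seed accounts.

    Holding a token for account u lets the attacker use the 'View As' flaw on
    u's profile to capture each friend's token, so every reached account is a
    new pivot. Returns {account: hop distance from the nearest seed}.
    """
    reached = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        u = queue.popleft()
        if reached[u] >= max_hops:
            continue  # attacker's window ran out at this depth
        for friend in graph.get(u, ()):
            if friend not in reached:
                reached[friend] = reached[u] + 1
                queue.append(friend)
    return reached


def harvest_from_friend_lists(graph, pivots):
    """Phase 2: one hop only. Capture tokens of every friend of each pivot
    without pivoting again (the bulk step behind the 30 million accounts).
    Returns the newly exposed accounts, excluding the pivots themselves."""
    victims = set()
    for p in pivots:
        victims.update(graph.get(p, ()))
    return victims - set(pivots)


def exposed_accounts(graph, seeds, max_hops, pivot_fraction):
    """Defender's computation: every account whose token could have been
    captured in either phase. pivot_fraction selects which phase-1 accounts
    are used as phase-2 pivots (taken in sorted order for reproducibility)."""
    phase1 = expand(graph, seeds, max_hops)
    n_pivots = max(1, int(len(phase1) * pivot_fraction))
    pivots = sorted(phase1)[:n_pivots]
    phase2 = harvest_from_friend_lists(graph, pivots)
    return set(phase1) | phase2


if __name__ == "__main__":
    spread = expand(FRIENDS, {"s1"}, max_hops=2)
    print("phase 1 reached:", sorted(spread))
    print("must reset tokens for:", sorted(exposed_accounts(FRIENDS, {"s1"}, 1, 1.0)))
```

The point of the last function is the remediation Facebook described: resetting tokens only for the accounts that were obviously abused would leave the phase-2 victims, whose tokens were taken but never used as pivots, still logged in to the attacker.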

The breakdown of what the attackers accessed: 
  • For 15 million people -- name and contact details (i.e., phone number, email, or both, depending on what people had on their profiles).
  • For 14 million people -- the same two sets of data (from above), in addition to other sensitive details people had on their profiles. This data included "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches."
  • For the remaining 1 million people -- no information was accessed.

"We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation," Facebook said. On September 25, Facebook confirmed the activity was a cyber attack and identified the vulnerability being exploited. 

Within two days of that discovery, Facebook closed the vulnerability, stopped the attack and reset access tokens for users who were potentially exposed.   

Facebook said it is continuing to work with the FBI to analyze and investigate the breach. Law enforcement has also asked the company not to disclose information about the possible attackers while the investigation continues.

Facebook users can check whether they were impacted by the breach by visiting the Facebook Help Center.