All about Security, News, Events and Incidents

Patch Lady – I smell a Rat
Posted on August 26th, 2019 at 20:03 Susan Bradley Comment on the AskWoody Lounge
(coming to you from the friendly wifi of United Airlines as I fly to the Quest/The Experts Conference)

So twice lately someone has asked about articles indicating that we should patch now. Yesterday. Like the day before yesterday. And yet, when I’m reading the articles, I can’t find a single specific update they are talking about.


and

https://www.forbes.com/sites/daveyw...e-control-hack-attack-confirmed/#268cd4715bdb

Okay so the gist of the article (that I can tell is) that a research firm came out with a PR whitepaper on NanoRat 1.2.2 and said that it’s being used more in attacks. The attacks come in via phishing and macro enabled documents.

So…..? This is different than any of the other daily phishing attacks I see in my spam filters?

And all you can tell me is to “patch now”? Patching my operating system won’t patch if I’m stupid enough to click on something. Patching my operating system won’t patch if I’m stupid enough to enter my credentials on a well done web page pretending to be my mail server needing me to “upgrade”.

Bottom line, telling me to patch now when there’s no specific operating system update in the August updates that will protect us from this is just running around like Chicken Little telling me the sky is falling.

Come on tech sites, stop using Public relations stunts to write your content. There’s enough true security stories out there for us to be more than scared over. (The one that concerns me is the recent ransomware coming into multiple government entities via a shared managed service providers).

Make no mistake the bad guys want to get us, but articles like these that give no good solid actionable items other than “patch” when it’s not even Patch Tuesday are just ridiculous.

 

After posting this DDIO / RDMA NetCAT response from Intel:
http://forum.notebookreview.com/thr...atches-and-more.812424/page-129#post-10950369

I found these released today:

National Cyber Awareness System =>Current Activity Landing => Intel Releases Security Updates
https://www.us-cert.gov/ncas/current-activity/2019/08/13/intel-releases-security-updates

Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

• RAID Web Console 2 Advisory INTEL-SA-00246
• NUC Advisory INTEL-SA-00272
• Authenticate Advisory INTEL-SA-00275
• Driver and Support Assistant Advisory INTEL-SA-00276
• Remote Displays SDK Advisory INTEL-SA-00277
• Processor Identification Utility for Windows Advisory INTEL-SA-00281
• Computing Improvement Program Advisory INTEL-SA-00283

And, these from a couple of days ago...

Intel Releases Security Updates, Mitigations for Multiple Products
Original release date: June 11, 2019 | Last revised: June 12, 2019
https://www.us-cert.gov/ncas/curren...ecurity-Updates-Mitigations-Multiple-Products

Intel has released security updates and recommendations to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

• NUC Firmware Advisory INTEL-SA-00264
• RAID Web Console 3 for Windows Advisory INTEL-SA-00259
• Omni-Path Fabric Manager GUI Advisory INTEL-SA-00257
• Open Cloud Integrity Technology and OpenAttestation Advisory INTEL-SA-00248
• Partial Physical Address Leakage Advisory INTEL-SA-00247
• Turbo Boost Max Technology 3.0 Advisory INTEL-SA-00243
• SGX for Linux Advisory INTEL-SA-00235
• PROSet/Wireless WiFi Software Advisory INTEL-SA-00232
• Accelerated Storage Manager in Intel Rapid Storage Technology Enterprise Advisory INTEL-SA-00226
• Chipset Device Software (INF Update Utility) Advisory INTEL-SA-00224
• ITE Tech Consumer Infrared Driver for Windows 10 Advisory INTEL-SA-00206

 

!

"German vuln-hunting firm Greenbone Networks found 590 "medical image archive systems online" containing a startling 737 million images, of which it said around 400 million were downloadable."

"A significant number of these servers have no protection at all, they aren't password protected and have no encryption."

https://www.theregister.co.uk/2019/09/17/24m_medical_records_unsecured_online/

 

Five years later, Heartbleed vulnerability still unpatched

 

CYBERSECURITY TODAY zdnet.com | Sept 26, 2019
Cisco warning: These routers have 9.9/10-severity security flaw

Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.

 

"Twitter: No, really, we're very sorry we sold your security info for a boatload of cash"
lol, another instance showing privacy, security, rules, trust etc only exists in theory.

https://www.theregister.co.uk/2019/10/09/twitter_data_leak/

 

"New Microsoft NTLM Flaws May Allow Full Domain Compromise"

- Two security vulnerabilities in Microsoft's NTLM authentication protocol allow attackers to bypass the MIC (Message Integrity Code) protection and downgrade NTLM security features leading to full domain compromise.

- Microsoft patched the two NTLM flaws and issued security advisories as part of the Patch Tuesday security updates issued yesterday after Preempt’s disclosure.

https://www.bleepingcomputer.com/ne...-ntlm-flaws-may-allow-full-domain-compromise/

---

On the bright side, at least the vulnerability wasn't caused by a Windows 10 update.

 

SECURITY
Hacker Selling User Info Stolen From Prostitution Forums bleepingcomputers.com | Oct 10, 2019
Popular prostitution and escort forums in the Netherlands and Italy have suffered data breaches that exposed the usernames, email addresses, and hashed passwords for their registered members.

----------------------------------

D-Link no longer wants to fix router vulnerability
Published on 10th October 2019 by Günter Born

​

The D-Link Routers DIR-652, DIR-655, DIR-866L, and DHP-1565 have a critical remote execution vulnerability, but the manufacturer does not want to fix it.

---------------------------------


Windows 10 Mobile with a security problem that will not be resolved [Workaround]
good Morning October 10, 2019 17:30 2 comments
On 8/10, the KB4522809 was shipped for Windows 10 Mobile. This increased the version number to 15254.590. As always, the changes are "identical" to the PC version of the 1709. But a security hole is no longer closed. Under the CVE-2019-1314 ...

 

Attackers Are Exploiting an Apple iTunes Zero-Day Bug to Install Ransomware on Windows Machines wccftech.com | Oct 12, 2019

A zero-day vulnerability in Apple iTunes for Windows enabled attackers to bypass antivirus detection on Windows devices. The targeted BitPaymer or IEncrypt ransomware campaign was detected by the security folks at Morphisec who called the iTunes exploit a "new and alarming evasion technique."

This Apple zero-day vulnerability is in the Bonjour updater that comes packaged with iTunes and iCloud for Windows. Morphisec said that the the "adversaries abused an unquoted path to maintain persistence and evade detection." The unquoted path vulnerability is a widely known bug that occurs due to developers forgetting to surround a file path with quotation marks. This latest zero-day is a proof that developers continue to ignore quotes.

Apple has fixed the flaw but it will affect even those who have uninstalled iTunes for Windows
Apple fixed the vulnerability with the release of iTunes 12.10.1 for Windows and iCloud for Windows 7.14, as well, since Bonjour updater ships with both of them.

Morphisec warns that even if you don't currently run iTunes but did so in the past, you could still be at risk, hinting that this could be the reason why attackers chose this process for evasion.

In most cases, people are not aware that they need to uninstall the Apple Software Update component separately when uninstalling iTunes. Because of this, machines are left with the updater task installed and working.

We were surprised by the results of an investigation that showed Apple Software Update is installed on a large number of computers across different enterprises. Many of the computers uninstalled iTunes years ago while the Apple Software Update component remains silently, un-updated, and still working in the background. Following this discovery, we identified the attack surface and the motivation of the attacker to choose this process for evasion.​

Morphisec researchers also added that Apple developers "haven't fixed all the vulnerabilities reported by us, only the one that was abused by the attackers." In any case, if you do use iTunes, make sure to update it to the very latest version. Mac users aren't affected by this bug.

 

Hackers Breach Avast Antivirus Network Through Insecure VPN Profile bleepingcomputers.com | Oct 21, 2019

Hackers accessed the internal network of Czech cybersecurity company Avast, likely aiming for a supply chain attack targeting CCleaner. Detected on September 25, intrusion attempts started since May 14.
Following an investigation, the antivirus maker determined that the attacker was able to gain access using compromised credentials via a temporary VPN account.


Update [10.21.2019]: When CCleaner 5.63 came out on October 15, BleepingComputer sought comments from Avast about the reason and benefits of the update since it was an unexpected move. The company delayed responding to our questions at the time.
CCleaner General Manager David Peterson explains in a blog post today that the reason for automatically updating all CCleaner installations since 5.57 to the current latest version was a preventative measure to ensure that all users run a genuine release.
"We took these steps preventatively as our investigation is continuing, but we wanted to eliminate the risk of fraudulent software being delivered to our users. Since we have indications that the attempts to infiltrate our systems began in May this year, we automatically updated users on builds released after this time to ensure their safety."

A legitimate way (nice way) try snooping in their customers computers?