Shearwater Security Report | October 2019


Each month Shearwater’s Managed Security Services Team brings you the latest Threats, Exploits and Industry News from Australia and around the world.

Read this month’s Security Report to learn about:

• Current Threats and Exploits
• Revised Information Security Manual (ISM)
• Notifiable Data Breach (NDB) Quarterly Report
• Australia’s 2020 Cyber Security Strategy

Current Threats and Exploits

❖ Emergency Microsoft IE Patch

On September 23, Microsoft issued an emergency security update for Internet Explorer.(1)

The patch addresses a critical vulnerability in IE that is being exploited by attackers in the wild. Left unpatched, the memory corruption bug in the scripting engine could be triggered by a malicious web page or email to achieve remote code execution.

The result would mean Windows PCs could be hijacked by viewing a suitably booby-trapped web site, or message, when using IE. Malware, spyware, and other software could then be injected to run on the computer.

Microsoft considers this vulnerability so risky that it wasn’t prepared to wait and release the patch with its monthly ‘Patch Tuesday’ bundle. Given the severity of the bug, combined with the fact that it is being actively targeted, Microsoft chose to issue an emergency release.

ACTION: Ensure your patches are updated here.


❖ Multiple Apple Patches

Releasing one patch in a week – OK
Releasing two patches in a week – Hmmmm
Releasing three patches in a week – OUCH!

To top it off, such a rapid release of so many updates within a few short weeks following iOS13’s initial release isn’t a good look. The patches affect iOS, macOS, iPadOS, and watchOS.(2)

Between September 24 and 30, Apple dropped the following patches: 

13.1: Fixes include faulty app icons, sign-in failures, Mail problems, Siri not working with CarPlay properly, and stability issues. It also addresses an out-of-bounds memory read that might allow an attacker to execute arbitrary code on the target machine. This update affects a number of operating systems across several Apple platforms. Apple released updates designated macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and Security Update 2019-005 Sierra; watchOS 5.3.2; and iOS 12.4.2.

13.1.1: Fixes include a security update to stop third-party keyboards operating as if they’d been given user permissions when they hadn’t been. This update also addresses errors in the “sandbox” that iOS and iPadOS use to limit the permissions and resources available to an app. Because of the error, third-party app extensions could run with the wrong permissions, gaining access to resources they should not have been able to reach.

13.1.2: Fixes include plugging security bugs and addressing problems associated with the flashlight and camera. This update also addresses a bug where the progress bar for iCloud Backup could continue to show after a successful backup, a bug that could result in a loss of display calibration data and an issue where shortcuts could not be run from HomePod.

If you’re already running iOS 13, we recommend upgrading to 13.1.2.

However, if you’re still running iOS 12 or below, it is probably best to wait a while and see whether additional patches are released in the coming weeks.

ACTION: A full list of Apple updates can be found here.


❖ Exim Mail Patches

With potentially tens of thousands of Australian networks hosting Exim mail servers, the risks are high each time a vulnerability is discovered.

Exim administrators have been warned to patch their installations following the discovery of a string expansion bug that could be used for denial of service (DoS) attacks and remote code execution.(3)

A new patch has been released with version 4.92.3 of the mail server. Those using versions 4.92, 4.92.1 or 4.92.2 should update their systems.

ACTION: Updates to Exim 4.92.3 can be found here.
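A quick way to act on the advice above is to check each mail host’s Exim version against the releases the report names. The script below is an added example for this report, not code from Shearwater or the Exim project: it parses the first line of `exim -bV` output (constructed sample output is embedded for hosts without Exim) and classifies the version as one of the three affected releases, as 4.92.3 or later, or as an older branch the report does not cover.

```python
import re
import shutil
import subprocess

# Releases the report names as affected by the string-expansion bug,
# and the release it names as the fix.
AFFECTED_VERSIONS = ("4.92", "4.92.1", "4.92.2")
FIXED_VERSION = "4.92.3"


def version_tuple(version):
    """Turn '4.92.1' into (4, 92, 1); a bare '4.92' becomes (4, 92, 0)."""
    parts = tuple(int(p) for p in version.split("."))
    return (parts + (0, 0, 0))[:3]


def parse_exim_version(text):
    """Extract the version string from `exim -bV` output, whose first line
    reads like 'Exim version 4.92.2 #3 built 24-Sep-2019 ...'. None if absent."""
    match = re.search(r"Exim version (\d+(?:\.\d+)*)", text)
    return match.group(1) if match else None


def patch_status(version):
    """Classify an Exim version against the report's advice.

    'affected'  : one of 4.92, 4.92.1, 4.92.2 -> update to 4.92.3
    'fixed'     : 4.92.3 or later
    'not-listed': an older branch the report does not cover
    """
    v = version_tuple(version)
    if v in {version_tuple(a) for a in AFFECTED_VERSIONS}:
        return "affected"
    if v >= version_tuple(FIXED_VERSION):
        return "fixed"
    return "not-listed"


def check_local_exim():
    """Run `exim -bV` if an exim binary is on PATH; returns (version, status)
    or None when Exim is not installed or its output cannot be parsed."""
    exim = shutil.which("exim")
    if exim is None:
        return None
    out = subprocess.run([exim, "-bV"], capture_output=True, text=True, check=False).stdout
    version = parse_exim_version(out)
    if version is None:
        return None
    return version, patch_status(version)


if __name__ == "__main__":
    # Constructed sample output, used when Exim is not installed on this host.
    SAMPLE = "Exim version 4.92.2 #3 built 24-Sep-2019 10:00:00\n"
    result = check_local_exim()
    if result is None:
        sample_version = parse_exim_version(SAMPLE)
        result = (sample_version, patch_status(sample_version))
    print("Exim %s: %s" % result)
```

Run it on each mail host (or feed it the output of `exim -bV` collected by your configuration management tool); any host reporting `affected` should be moved to 4.92.3, and a `not-listed` result means the host is on an older branch that needs its own review.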


❖ D-Link Firmware Update

D-Link makes some of the most widely used routers in Australia.

Researchers recently discovered vulnerabilities in an older router model whereby passwords were being leaked through its web-based management interface.

The model in question is the DSL-2875AL wireless ADSL2+ modem. Although it’s now been discontinued, many Australians could still be using it.(4)

It has been claimed that anyone with local network access could simply use a web browser to view the romfile.cfg file stored on the router, without any authentication required. The file contains the password to the device in clear text.

Such vulnerabilities are serious as they would allow attackers to control the routers over which all user data travels to their internet providers.

D-Link strenuously states that these vulnerabilities are not present in current products available in the Australian market, and that patches for the vulnerabilities on older models were released some time ago.

In case you are using an older D-Link model and need to update it, D-Link firmware updates are available.

ACTION: D-Link firmware updates can be found here.


❖ OnApp Cloud Vulnerability

With cloud computing now ubiquitous, a whole new world of possible vulnerabilities has opened up.

Most cloud computing risks stem from poor user management. However, Australian researchers discovered a flaw in OnApp’s Cloud Management Platform. OnApp powers thousands of cloud systems around the world. The Cloud Management Platform is designed to take the complexity out of building and managing cloud infrastructure.

In many cases, an organisation with multiple servers will manage all of them from the same Cloud Management Platform. The Australian researchers discovered that the access keys used to launch an SSH connection to one of the servers would grant access to any of the other servers hosted on the same Cloud Management Platform.

This design flaw could let an attacker access, steal, change, or eliminate data on a server through no fault of the user.

Attackers could do this even if they didn’t have the private key, since many cloud providers offer free trial accounts that only require an email address to sign up. An attacker wouldn’t have to provide any identifying details to gain access to the first server in order to launch an attack on the other servers.

The flaw has the potential to affect hundreds of thousands of production servers and organisations around the world.(5)

ACTION: Updates to mitigate this threat can be found here.
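The risk described above is that one SSH key ends up authorising logins on many servers. Whether that happens through a platform flaw or through a key being copied around, the condition is visible in the servers’ authorized_keys files. The audit below is an added example for this report, not OnApp’s code or any vendor tooling: given authorized_keys contents gathered from a fleet (a constructed three-host sample with placeholder key blobs is embedded), it reports every key that appears on more than one host.

```python
import shlex
from collections import defaultdict

# Key types that may appear in an authorized_keys line (common subset).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample: authorized_keys contents collected from three hypothetical
# servers. BLOB_A/BLOB_B/BLOB_C stand in for real base64 key material;
# BLOB_A has been installed on two hosts.
FLEET_AUTHORIZED_KEYS = {
    "web-01": (
        "ssh-ed25519 BLOB_A deploy@laptop\n"
        "# break-glass key\n"
        "ssh-rsa BLOB_B ops@bastion\n"
    ),
    "db-01": (
        'command="/usr/local/bin/backup.sh",no-pty ssh-rsa BLOB_C backup@scheduler\n'
    ),
    "cache-01": (
        "\n"
        "ssh-ed25519 BLOB_A deploy@laptop\n"
    ),
}


def parse_authorized_keys(text):
    """Yield (key_type, key_blob) for each key line, skipping blank lines,
    comments and any leading option string such as command="..." or no-pty."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps quoted options (which may contain spaces) as one token.
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                yield tok, tokens[i + 1]
                break


def find_shared_keys(fleet):
    """Map each key blob that authorises logins on more than one host to the
    sorted list of hosts it appears on."""
    hosts_by_key = defaultdict(set)
    for host, text in fleet.items():
        for _key_type, blob in parse_authorized_keys(text):
            hosts_by_key[blob].add(host)
    return {blob: sorted(hosts) for blob, hosts in hosts_by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for blob, hosts in find_shared_keys(FLEET_AUTHORIZED_KEYS).items():
        print("key %s authorises %d hosts: %s" % (blob, len(hosts), ", ".join(hosts)))
```

In practice you would replace the sample dictionary with files pulled from each host by your configuration management or inventory tool. A key on several hosts is not automatically wrong, but each one the audit lists should be a deliberate decision rather than something the platform or a convenient copy-paste did on your behalf.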

INDUSTRY NEWS

❖ Revised ISM

In line with their ongoing efforts to transition from a compliance-based approach to a principles-based framework, the Australian Signals Directorate has issued an updated Information Security Manual (ISM).

This shift comes on the back of an extensive 12-month review.

The ISM now incorporates four Cyber Security Principles that will help guide organisations:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

Using their corporate risk-management frameworks to apply these four principles, organisations should be better placed to protect their systems and information from cyber threats.

The purpose of the ISM is to assist Australian government agencies in applying a risk-based approach to protecting their information and systems. Updated monthly, it is designed primarily for Chief Information Security Officers and cyber security professionals. It aims to keep them up to date with current cyber security risks and appropriate mitigation strategies.(6)

With the ISM being updated on a regular basis, it’s important to conduct ongoing reviews to verify that your organisation’s systems remain in alignment. Speak to Shearwater’s team of ISM experts for further advice.


❖ NDB Quarterly Report

The Office of the Australian Information Commissioner (OAIC) has released its latest Notifiable Data Breaches (NDB) quarterly report.(7)

While notified data breaches were up 14% in the most recent quarter (April to June 2019), the figure is still in line with longer-term trends:

Quarter                    Total number of notifications
July to September 2018     245
October to December 2018   262
January to March 2019      215
April to June 2019         245

The NDB scheme came into effect in February 2018. It requires disclosure and reporting of data breaches when a breach is likely to result in serious harm to those whose information was impacted.

The causes of this quarter’s 245 breaches include:
• Malicious or Criminal Attacks: 151 breaches
• Human Error: 84 breaches
• System Faults: 10 breaches
[Figure: Source of data breaches by percentage, all sectors]

This serves as a timely reminder of just how important it is to ensure the employees within your organisation have ongoing cyber security training. Attack vectors such as phishing emails deliberately target people, as busy staff are all too often tricked into clicking dangerous links or opening malicious attachments.

To find out how Shearwater’s “Phriendly Phishing” training program can significantly enhance your staff’s cybersecurity preparedness, request a free trial today.


❖ Australia’s 2020 Cyber Security Strategy

Back in 2016, the Australian Government released a 4-year National Cybersecurity Strategy.

Since then, the entire cybersecurity landscape has changed. So, with 2020 just around the corner, an update is well and truly warranted.

To kick things off, the government has released a discussion paper. The new strategy will aim to position Australia to meet the rapidly evolving cyber threat environment.

“The magnitude of the threats faced by Australian businesses and families has increased. They will become more acute as our society and economy become increasingly connected. As the threat evolves, so too must our response.”(8)

Topics under discussion include:
• Government’s role in a changing world
• Enterprise, innovation and cyber security
• A trusted marketplace with skilled professionals
• A hostile environment for malicious cyber actors
• A cyber-aware community

Submissions close 1 November 2019 and can be SUBMITTED HERE.

(1) https://www.theregister.co.uk/2019/09/23/microsoft_internet_explorer_cve_2019_1367/
(2) https://www.darkreading.com/vulnerabilities—threats/apple-patches-multiple-vulnerabilities-across-platforms/d/d-id/1335941
(3) https://www.itnews.com.au/news/scads-of-aussie-exim-mail-servers-need-patching-again-531695
(4) https://www.itnews.com.au/news/d-link-wireless-modems-found-to-leak-passwords-530800
(5) https://www.vice.com/en_in/article/ywanev/thousands-of-cloud-computing-servers-could-be-owned-with-very-simple-attack-researchers-say
(6) https://www.cyber.gov.au/news/australian-government-information-security-manual-updated
(7) https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf
(8) https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.