April continued the run of high-profile vulnerabilities with Badlock, a man-in-the-middle vulnerability in Windows and Samba. Its discoverers pre-announced the flaw several weeks before the fix, giving teams time to prepare so that the patch could be applied as soon as it was released. Critical patches, especially for open source components, increasingly need to be deployed within days of release, yet many vendors are slow to turn fixes around, if they release them at all. Apple's QuickTime for Windows is a case in point: Apple chose to abandon the product rather than fix its newly disclosed vulnerabilities, leaving anyone who still has it installed exposed to serious exploits.
PCI DSS v3.2 has now been released with new requirements, the biggest impact of which falls on service providers. The new requirements are best practices until 31 January 2018, after which they become mandatory, and the previous version, PCI DSS v3.1, is retired on 31 October 2016. We have published an overview of the changes on our website: https://www.shearwater.com.au/new-version-of-pci-dss-released-v3-2/
- A group called 'Platinum' is using a Windows feature known as hotpatching to maliciously update system components without a reboot. As Microsoft notes: "The potential use of hotpatching as a stealth way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013."
- A new variant of the Zeus banking Trojan has come to light and has been dubbed "Panda Banker". It is distributed by email as a Microsoft Word attachment and exploits CVE-2014-1761, an RTF parsing flaw in Word, and CVE-2012-0158, the MSCOMCTL ActiveX flaw that is commonly delivered through RTF documents. Successful exploitation results in Panda Banker being downloaded from 78[.]128[.]92[.]31/gert.exe
- Gumtree user information was compromised over the weekend of the 23rd and 24th of April. Gumtree claims no passwords or payment information were compromised, but it is still recommended that all users change their passwords as soon as possible. https://au.news.yahoo.com/thewest/wa/a/31469695/gumtree-accounts-hacked-in-mass-attack/
- The American Dental Association has sent its members USB drives that contain malware. The devices were manufactured in China, and it is suspected that one of the USB duplication machines was infected. http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/
- Almost 1.5 GB of data stolen from the Qatar National Bank (QNB) was released online on the 25th of April. It includes personally identifiable information ranging from email addresses to account numbers and passwords. http://news.softpedia.com/news/qatar-national-bank-suffers-massive-data-breach-no-money-stolen-503449.shtml
Patches and Updates
- Badlock is a man-in-the-middle vulnerability in DCE/RPC traffic that allows an attacker to impersonate an authenticated user. It affects Windows computers and any computer running Samba. The CVE number for Windows is CVE-2016-0128 and the CVE number for Samba is CVE-2016-2118. Patches are available for both Windows and Samba. http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/
- US-CERT advises Windows users to uninstall Apple QuickTime. Trend Micro's Zero Day Initiative has disclosed two new unpatched vulnerabilities that could be used to remotely compromise Windows computers. As Apple will no longer provide security updates for QuickTime for Windows, it should be uninstalled from all systems as soon as possible.
- OpenSSL has pre-announced versions 1.0.2h and 1.0.1t, which will fix a number of vulnerabilities rated high severity. Plan to update as soon as they are released.
- Oracle has released its Critical Patch Update advisory for April 2016, which contains 136 security fixes across Oracle products including Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE and Oracle MySQL. It is recommended that these updates be applied as soon as possible.
- Samba patched multiple vulnerabilities, including denial of service and man-in-the-middle issues. In addition to applying the patches, the Samba team recommends configuration changes to protect against man-in-the-middle attacks: set server signing to mandatory and disable NTLMv1 authentication (ntlm auth = no). Without these settings, man-in-the-middle attacks remain possible even on a patched server. See the Samba security advisory for the full list of recommended settings.
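The two Badlock hardening settings above are easy to get subtly wrong, because smb.conf accepts "yes" for server signing and that only offers signing rather than enforcing it. The following audit script is an added example, not part of the original newsletter or of the Samba project: it parses the [global] section of a constructed smb.conf (names are case-insensitive and ignore internal whitespace, as smb.conf(5) specifies) and reports whether the server signing and ntlm auth parameters actually enforce the advisory's recommendations. The sample configurations and the treatment of "required" as a synonym for "mandatory" are assumptions made for the example.

```python
"""Audit an smb.conf [global] section for the two Badlock hardening settings."""
import re

# Constructed example: a patched standalone file server that is still exposed
# to a signing downgrade, because "yes" only offers signing and NTLMv1 is allowed.
WEAK_SMB_CONF = """\
[global]
   workgroup = CORP
   server role = standalone server
   # "yes" means signing is offered, not enforced (see is_mandatory)
   server signing = yes
   ntlm auth = yes
; shares below are irrelevant to the audit
[data]
   path = /srv/data
   read only = no
"""

# Constructed example: the same server with the advisory's two settings applied.
HARDENED_SMB_CONF = """\
[global]
   workgroup = CORP
   server role = standalone server
   Server Signing = mandatory
   NTLM Auth = no
[data]
   path = /srv/data
"""

FALSE_VALUES = {"no", "false", "0", "off"}
# smb.conf(5) documents "mandatory"; Samba's parameter table also accepts
# "required" as a synonym (assumption for this example). "yes", "true" and
# "auto" all map to negotiable signing, which a MITM can downgrade.
MANDATORY_VALUES = {"mandatory", "required"}


def parse_global(text):
    """Return the [global] parameters as {normalized name: value}.

    Per smb.conf(5), parameter names are case-insensitive and internal
    whitespace is irrelevant, so "Server Signing" and "serversigning" are
    the same key. Only the first '=' is significant; a repeated key's last
    occurrence wins, as it does in Samba.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def is_mandatory(value):
    """True only if the signing value actually enforces signing."""
    return value.strip().lower() in MANDATORY_VALUES


def audit_smb_conf(text):
    """Return a list of findings; an empty list means both settings are in place."""
    g = parse_global(text)
    findings = []

    # "default" only means mandatory when the server is an AD domain
    # controller; every other role negotiates signing.
    role_is_dc = g.get("serverrole", "").lower() == "active directory domain controller"
    signing = g.get("serversigning", "default")
    if not (is_mandatory(signing) or (signing.lower() == "default" and role_is_dc)):
        findings.append(f"server signing = {signing}: signing is negotiable, set it to mandatory")

    # Samba 4.4 and earlier default ntlm auth to yes, so an absent key is a finding.
    ntlm = g.get("ntlmauth", "yes")
    if ntlm.lower() not in FALSE_VALUES:
        findings.append(f"ntlm auth = {ntlm}: NTLMv1 is accepted, set it to no")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["OK"])
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; on a live host, `testparm -v` prints the effective value of every parameter, including defaults, and is the authoritative check. Note that the script flags a missing ntlm auth line as a finding deliberately: on the Samba releases current at the time, silence means NTLMv1 stays enabled.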
- PCI DSS version 3.2 was released on the 29th of April. This version contains a number of changes that will affect organisations, especially service providers. For more information see: http://www.shearwater.com.au/new-version-of-pci-dss-released-v3-2/
- iPads and other 64-bit iOS devices running iOS 9.3.1 and earlier remain vulnerable to the 1 January 1970 date bug. An attacker who can spoof time.apple.com on the local network can push an incorrect time to iOS devices via NTP and render them unusable. http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/
- The plaintiffs in the Ashley Madison case cannot proceed with the class action against Avid Life Media, the parent company of Ashley Madison, without revealing their identities. A number of 'John Does' have withdrawn from the class action as a result of the ruling.
- A spreadsheet has been compiled listing known ransomware families. For each family it records the file extensions the malware uses, screenshots of the ransom note, and a decryptor tool where one is available.