Category Archives: Security Alert

Node.js HTTP/2 Server Denial of Service Vulnerability

CVE Number – CVE-2018-7161

A vulnerability in the HTTP/2 implementation feature of Node.js could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists when the affected software interacts with an HTTP/2 peer in a way that triggers a cleanup bug in which objects are used in native code after they have already been freed. An attacker could exploit this vulnerability by sending a request that submits malicious input to a targeted Node.js process that provides an HTTP/2 server. A successful exploit could cause the Node.js process to crash, resulting in a DoS condition. The Node.js Foundation has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must send a request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  • Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software
  • The Node.js Foundation has released software updates at the following link: Node.js 10.4.1





Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Netgear Security Advisory for Pre-Authentication Command Injection [CVE-2018-11106]

CVE Number = CVE-2018-11106 (PSV-2018-0051)

NETGEAR has released fixes for a pre-authentication command injection security vulnerability in request_handler.php on the following product models:

  • WC7500, running firmware versions prior to 6.5.3.5
  • WC7520, running firmware versions prior to 2.5.0.46
  • WC7600v1, running firmware versions prior to 6.5.3.5
  • WC7600v2, running firmware versions prior to 6.5.3.5
  • WC9500, running firmware versions prior to 6.5.3.5

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

To download the latest firmware for your NETGEAR product:

  1. Visit NETGEAR Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the download whose title begins with Firmware Version.
  5. Click Download.
  6. Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

The pre-authentication command injection in request_handler.php vulnerability remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.
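Both the Node.js advisory above and this NETGEAR one give a fixed version and say everything earlier is affected, so the practical check is a dotted-version comparison against that boundary. The script below is an added example (not Node.js Foundation or NETGEAR code) that encodes the fixed versions as stated on this page: Node.js 10.4.1 for CVE-2018-7161 and the per-model firmware versions for CVE-2018-11106. It assumes a `node` binary on the PATH for the local check; because the Node.js post names only the 10.x fix, versions on other release lines are reported as "unknown" rather than guessed.

```python
"""Compare installed versions against the fixed versions named in the
Node.js (CVE-2018-7161) and NETGEAR (CVE-2018-11106) advisories.
Added example; the fixed versions below are copied from the advisories."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed release named in the Node.js advisory. Only the 10.x line is listed
# there, so other lines are treated as "unknown" rather than assumed safe.
NODE_FIXED = "10.4.1"

# Model -> first fixed firmware version, from the NETGEAR advisory.
NETGEAR_FIXED = {
    "WC7500": "6.5.3.5",
    "WC7520": "2.5.0.46",
    "WC7600v1": "6.5.3.5",
    "WC7600v2": "6.5.3.5",
    "WC9500": "6.5.3.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.4.1', 'v10.4.1' or '6.5.3.5' into a tuple of ints so that
    ordinary tuple comparison orders versions correctly (10.4.10 > 10.4.9)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def netgear_status(model: str, firmware: str) -> str:
    """'vulnerable', 'fixed' or 'not listed' for a model/firmware pair."""
    fixed = NETGEAR_FIXED.get(model)
    if fixed is None:
        return "not listed"
    return "vulnerable" if parse_version(firmware) < parse_version(fixed) else "fixed"


def node_status(version: str) -> str:
    """Compare a Node.js version string (as printed by `node --version`)
    against the 10.4.1 fix; other major lines are 'unknown'."""
    v = parse_version(version)
    fixed = parse_version(NODE_FIXED)
    if v[0] != fixed[0]:
        return "unknown"
    return "vulnerable" if v < fixed else "fixed"


def installed_node_version() -> Optional[str]:
    """Ask the local `node` binary for its version; None if not installed."""
    try:
        out = subprocess.run(["node", "--version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    local = installed_node_version()
    print("local node:", local, node_status(local) if local else "not installed")
    # Constructed sample inventory entries (model, running firmware).
    for model, fw in [("WC7520", "2.5.0.40"), ("WC7500", "6.5.3.5"),
                      ("WC7600v1", "6.5.3.4"), ("R7000", "1.0.0.0")]:
        print(model, fw, netgear_status(model, fw))
```

Feed `netgear_status` from whatever inventory export you have; the point of keeping the boundary as data rather than hard-coded comparisons is that the next advisory is a one-line addition to the table.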





Schneider Electric – Multiple Vulnerabilities In U.motion Builder

Schneider Electric has become aware of multiple vulnerabilities in the U.motion Builder product.

U.motion is a building automation solution used by commercial facilities, key manufacturing, and energy sectors around the world. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Researchers discovered that the Builder software is affected by 16 vulnerabilities, including path traversals and other bugs that can lead to information disclosure, and remote code execution flaws via SQL injection.

A majority of the security holes have been classified as medium severity, but some of them are more serious based on their CVSS score.

The most severe, with a CVSS score of 10, actually impacts the Samba software suite. The flaw allows remote code execution and it has been dubbed “SambaCry” by some members of the industry due to similarities to the WannaCry attack. The vulnerability, tracked as CVE-2017-7494, has been found to impact devices from several major vendors, including Cisco, Netgear, QNAP, Synology, Veritas, Sophos and F5 Networks.

Another serious vulnerability in U.motion Builder, identified as CVE-2018-7777, allows an authenticated attacker to remotely execute arbitrary code by sending specially crafted requests to the targeted server. One of the SQL injection flaws, CVE-2018-7765, has also been classified as high severity.

Most of these weaknesses were reported to Schneider by researcher Andrea Micalizzi, also known as “rgod,” and one was disclosed to the company by Constantin-Cosmin Craciun.

The issues affect U.motion Builder versions prior to 1.3.4, which Schneider released in early February. In addition to providing patches, the company has shared some recommendations for mitigating potential attacks.

This is not the first time Micalizzi has been credited for finding vulnerabilities in U.motion Builder. Last year, ICS-CERT reported that the researcher had found half a dozen types of flaws in this software. Those issues were disclosed in late June 2017 before patches were made available by Schneider as they were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) more than one year earlier.





Typeframe Malware Via North Korea Hacking Group Known As Hidden Cobra

The US Department of Homeland Security said that it has identified malicious cyber activity by the North Korean government, according to a new report released on Thursday, just days after the historic summit between President Donald Trump and North Korean dictator Kim Jong Un.

This malware variant is known as TYPEFRAME, according to the report by the DHS Computer Emergency Readiness Team, noting that “the US Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA”.

The malware samples that have been checked so far consist of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.

More info: https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

C&C IPs And Hosts To Block

111.207.78.204
181.119.19.56
184.107.209.2
59.90.93.97
80.91.118.45
81.0.213.173
98.101.211.162





Adobe Acrobat XML Formal Architecture Object Mismatch Use-After-Free Arbitrary Code Execution Vulnerability [CVE-2018-4977]

CVE Number = CVE-2018-4977

A vulnerability in the XML Formal Architecture engine of Adobe Acrobat DC and Adobe Acrobat Reader DC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a mismatch between old and new event objects, resulting in a use-after-free memory error that could allow improper memory access. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

Adobe has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link or file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements
  • Adobe has confirmed the vulnerability and released a security bulletin at the following link: APSB18-02
Fixed Software






Adobe Acrobat Enhanced Metafile Format Heap Overflow Vulnerability [CVE-2018-4968]

A vulnerability in the image conversion engine component of Adobe Acrobat DC and Adobe Acrobat Reader DC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a heap overflow memory corruption error that could occur when the affected software is handling Enhanced Metafile Format (EMF) data. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

CVE Number = CVE-2018-4968

Adobe has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link or file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements
  • Adobe has confirmed the vulnerability and released a security bulletin at the following link: APSB18-02
Fixed Software






Fake TSB Account Emails

There are a lot of fake TSB e-mails going around at the moment; here are the details for just one we received today. We had two of these e-mails two hours apart, and they ended up in our inbox even though we have good spam protection, so a lot of work has gone into this e-mail to bypass spam filters. There are no obvious spelling or grammar errors in this e-mail.

In our e-mail the subject was “TSB”, the from address was [email protected], and the link they wanted you to click was iiinin.com/sign-in.php; this then took you to another URL on the domain wlengineering.co.za with a fake login page. The aim of this is to get your login details.

The text of the e-mail said “Due to several failed attempts to access your online Account . We temporarily de-activated your account access. To your Protection you have to Verify Your Identity . To confirm your account

Fake TSB login page




Fake TSB email
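The giveaway in the e-mail above is not its spelling but its links: the message claims to be from TSB, yet the link host (iiinin.com) and the landing host (wlengineering.co.za) have nothing to do with the bank. The script below is an added example, not part of the original post, of the check a mail gateway or a cautious reader can apply: pull every host out of the message body and flag any that is not under the brand's own domain. The brand domain list (`tsb.co.uk`) and the sample body are assumptions constructed for the example; the observed hosts are the ones named in the post.

```python
"""Flag links in a message that claim a brand but point to other domains.
Added example modelled on the fake TSB e-mail described above."""
import re
from urllib.parse import urlsplit

# Assumed legitimate domain(s) for the brand; not taken from the page.
BRAND_DOMAINS = {"tsb": ("tsb.co.uk",)}

# Matches http(s) URLs and bare host/path links such as iiinin.com/sign-in.php
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>]*)?", re.I)


def extract_hosts(text):
    """Return the hostnames of every link-like token in `text`, in order."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url      # bare links are common in phishing text
        hosts.append(urlsplit(url).hostname.lower())
    return hosts


def host_belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it, so that
    'tsb.co.uk.example.com' is not accepted."""
    return host == domain or host.endswith("." + domain)


def suspicious_hosts(brand, hosts):
    """Hosts in `hosts` that are not under any of the brand's domains."""
    allowed = BRAND_DOMAINS[brand]
    return [h for h in hosts if not any(host_belongs_to(h, d) for d in allowed)]


def suspicious_links(brand, text):
    """Convenience wrapper: extract hosts from a message body and check them."""
    return suspicious_hosts(brand, extract_hosts(text))


# Constructed sample body in the style of the e-mail quoted above.
SAMPLE = ("Due to several failed attempts to access your online Account. "
          "To confirm your account visit iiinin.com/sign-in.php now.")

# Redirect chain the post describes: link host, then the landing host.
OBSERVED_CHAIN = ["iiinin.com", "wlengineering.co.za"]

if __name__ == "__main__":
    print("body:", suspicious_links("tsb", SAMPLE))
    print("chain:", suspicious_hosts("tsb", OBSERVED_CHAIN))
```

Checking the redirect chain separately matters because the first link is often a throwaway host and only the landing page carries the credential form; a sandbox or URL rewriter that follows the chain should apply the same brand test to every hop.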


Hackers Access Almost 6 Million Bank Card Details At Dixons Carphone

Dixons Carphone has said that it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.

The company believed there were attempts since last July – only discovered over the past week – to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.

Dixons Carphone Warehouse says there has been no evidence of fraud as a result of the hack, but there are a few general tips below if you’re worried:

  • Regularly check your accounts. It’s good practice to regularly keep an eye on your bank accounts and credit card statements. If you spot anything unusual contact your provider immediately.
  • Watch out for scams. Be alert and watch out for potential scam emails or calls – don’t simply assume they are genuine even if they look believable.
  • Change your password. Dixons Carphone Warehouse doesn’t think any passwords were taken, but if you’re worried change your password, and change it on other sites where you have used the same one.

In a statement the company said:

As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security  experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.

Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.

Dixons Carphone Chief Executive, Alex Baldock, said:
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”





Foscam Camera Web Management Vulnerability (CVE-2018-6830)

Multiple Foscam cameras could allow a remote attacker to delete arbitrary files from the system, caused by a flaw in the web management interface. By sending a specially crafted HTTP GET request, an attacker could exploit this vulnerability to delete arbitrary files from the system.

Affected products:

Foscam FI9800P V3 2.82.2.33
Foscam FI9803P V4 2.84.2.33
Foscam FI9816P V3 2.81.2.33
Foscam FI9821EP V2 2.81.2.33
Foscam FI9821P V3 2.81.2.33
Foscam FI9826P V3 2.81.2.33
Foscam FI9831P V3 2.81.2.33

No remedy available as of June 6th 2018.





Operation Prowli Malware

An advanced malware campaign known as Operation Prowli has been observed targeting a variety of systems worldwide. Vulnerable platforms include content management systems (CMS), IoT devices and modems, with financial, industrial and governmental organisations affected worldwide.

The attackers behind Operation Prowli are focused on making money from their efforts rather than ideology or espionage. The first source of revenue comes from cryptocurrency mining. Typically, cryptocurrency mining is considered a resource-heavy operation that involves a large upfront investment followed by ongoing traffic and energy costs. The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others, and they use mining pools to launder their gains.

The second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.




The attackers behind Operation Prowli use a wide variety of bespoke malware tools and exploits to compromise systems. A worm called r2r2 scans for systems with publicly reachable SSH ports and performs brute-force attacks against them to gain access. It then downloads and installs a variant of the XMRig cryptocurrency miner before scanning for new targets.

Manual attacks are performed against CMS servers with the intention of re-purposing them to serve malicious files to users. Different payloads are delivered depending on the type of device visiting the compromised websites. Affected servers will also be used in malvertising, SEO fraud and traffic redistribution campaigns.
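The r2r2 worm's entry point is SSH password guessing, which is loud in the authentication log of any host it probes: a burst of "Failed password" lines from one source, usually cycling through default usernames. The detector below is an added example (not Guardicore's tooling or anything from the campaign) that applies a sliding-window threshold per source address to syslog-style sshd lines. The log lines are constructed for the example; the field layout follows the standard OpenSSH syslog format, and the threshold and window are assumptions to tune to your environment.

```python
"""Detect SSH password brute forcing from sshd syslog lines using a per-source
sliding window. Added example; sample lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog line: "<Mon dd HH:MM:SS> <host> sshd[pid]: Failed password for
# [invalid user] <user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-password line.
    Syslog omits the year, so timestamps are only compared relative to each other."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())   # collapse "Jun  6" padding
            yield datetime.strptime(stamp, "%b %d %H:%M:%S"), m.group("ip"), m.group("user")


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted_usernames)} for every source that
    produced `threshold` failures inside any `window_seconds` span."""
    recent = defaultdict(deque)     # per-IP timestamps inside the current window
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ts, ip, user in sorted(parse_failures(lines), key=lambda e: e[0]):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: (total[ip], sorted(users[ip])) for ip in flagged}


# Constructed sample: one fast guessing burst, one slow probe, one user typo.
SAMPLE_AUTH_LOG = [
    "Jun  6 03:00:00 web1 sshd[2001]: Failed password for root from 203.0.113.77 port 40000 ssh2",
    "Jun  6 03:02:00 web1 sshd[2002]: Failed password for root from 203.0.113.77 port 40001 ssh2",
    "Jun  6 03:04:00 web1 sshd[2003]: Failed password for root from 203.0.113.77 port 40002 ssh2",
    "Jun  6 03:06:00 web1 sshd[2004]: Failed password for root from 203.0.113.77 port 40003 ssh2",
    "Jun  6 03:08:00 web1 sshd[2005]: Failed password for root from 203.0.113.77 port 40004 ssh2",
    "Jun  6 03:14:01 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51001 ssh2",
    "Jun  6 03:14:03 web1 sshd[2102]: Failed password for invalid user admin from 198.51.100.23 port 51002 ssh2",
    "Jun  6 03:14:06 web1 sshd[2103]: Failed password for invalid user pi from 198.51.100.23 port 51003 ssh2",
    "Jun  6 03:14:09 web1 sshd[2104]: Failed password for invalid user oracle from 198.51.100.23 port 51004 ssh2",
    "Jun  6 03:14:12 web1 sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 51005 ssh2",
    "Jun  6 03:14:15 web1 sshd[2106]: Failed password for invalid user ubuntu from 198.51.100.23 port 51006 ssh2",
    "Jun  6 03:15:00 web1 sshd[2201]: Failed password for alice from 192.0.2.9 port 60010 ssh2",
    "Jun  6 03:15:20 web1 sshd[2201]: Accepted publickey for alice from 192.0.2.9 port 60010 ssh2",
]

if __name__ == "__main__":
    for ip, (count, names) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures, usernames tried: {', '.join(names)}")
```

With the default 5-in-60-seconds setting the 198.51.100.23 burst is flagged and the single failure from 192.0.2.9 is not; the slow source 203.0.113.77 is the edge case a short window misses, and widening the window (or lowering the threshold for "invalid user" hits) is how you trade false positives for catching it. Password authentication being disabled in favour of keys removes the class of problem r2r2 depends on, but the log check is still worth running on hosts where that is not yet possible.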

Further details regarding this can be found here – https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/

Domains / IPs To Block

startreceive[.]tk
stats.startreceive[.]tk (traffic redirection)
wp.startreceive[.]tk (C&C)
roi777.com
minexmr.com
185.212.128.154
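Two posts on this page end with block lists: the HIDDEN COBRA C2 addresses above and the Prowli domains and IP here, the latter written defanged with "[.]" so they cannot be clicked. Turning such lists into something enforceable and searchable is routine work, and the script below is an added example (not from either advisory) that does it: refang the indicators, split them into IPs and domains, emit firewall rules and DNS response-policy records, and search log lines for hits. The indicator values are the ones listed on this page; the log lines are constructed, and the iptables/RPZ output formats are assumptions about the enforcement point you use.

```python
"""Normalise defanged IoCs into block rules and search logs for them.
Added example; indicators copied from the HIDDEN COBRA and Prowli posts."""
import ipaddress
import re

# Indicators as listed on this page (Prowli entries keep their defanging).
RAW_IOCS = """
# HIDDEN COBRA / TYPEFRAME C2 (AR18-165A)
111.207.78.204
181.119.19.56
184.107.209.2
59.90.93.97
80.91.118.45
81.0.213.173
98.101.211.162
# Operation Prowli
startreceive[.]tk
stats.startreceive[.]tk
wp.startreceive[.]tk
roi777.com
minexmr.com
185.212.128.154
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc):
    """Undo common defanging: 'a[.]b' -> 'a.b', 'hxxp' -> 'http'."""
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def classify(lines):
    """Split raw indicator lines into (ips, domains); comments and blanks skipped."""
    ips, domains = set(), set()
    for raw in lines:
        ioc = refang(raw)
        if not ioc or ioc.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc.lower())
    return ips, domains


def iptables_rules(ips):
    """Egress drop rules, one per address, in numeric order (assumed format)."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


def rpz_records(domains):
    """BIND RPZ records returning NXDOMAIN for each name and its subdomains."""
    out = []
    for d in sorted(domains):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


def match_log(lines, ips, domains):
    """Return (indicator, line) for every log line touching a blocked IP or a
    blocked domain (including subdomains of a blocked domain)."""
    hits = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((ip, line))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((h, line))
    return hits


# Constructed DNS/proxy log lines for the demonstration.
SAMPLE_LOG = [
    "2018-06-14T10:00:01Z dns client=10.0.0.5 qname=wp.startreceive.tk type=A",
    "2018-06-14T10:00:02Z proxy client=10.0.0.7 dst=185.212.128.154:80 GET /",
    "2018-06-14T10:00:03Z dns client=10.0.0.5 qname=www.example.com type=A",
    "2018-06-14T10:00:04Z proxy client=10.0.0.9 dst=81.0.213.173:443 CONNECT",
]

if __name__ == "__main__":
    ips, domains = classify(RAW_IOCS.splitlines())
    print("\n".join(iptables_rules(ips)))
    print("\n".join(rpz_records(domains)))
    for indicator, line in match_log(SAMPLE_LOG, ips, domains):
        print("HIT", indicator, "<-", line)
```

The domain match is suffix-based on purpose: the Prowli post lists both startreceive[.]tk and two of its subdomains, and blocking the parent with a wildcard RPZ record covers any further subdomain the operators stand up. Keep the refang step even for lists that look clean, since a single "[.]" left in place silently produces a rule that never matches.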


