Weekly Threat Report 17th November 2017

New banking trojan discovered

Security researchers have discovered a new trojan targeting customers of banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites. Known as IcedID, the malware uses web browser manipulation techniques to trick users into entering their login credentials and payment authorisation details into malicious webpages. The malware affects systems infected by the highly persistent Emotet banking trojan that hijacks computers to form…

Link: Weekly Threat Report 17th November 2017
Source: NCSC Reports

GlibC Vulnerability affecting Linux

What is it?

This vulnerability could allow a malicious actor to send specially crafted data to trigger a stack overflow in the getaddrinfo() function in the glibc DNS client resolver code (‘resolv/nss_dns’) and execute arbitrary code on the target system. The code will run with the privileges of the target application using the glibc library.

This vulnerability has been assigned CVE-2015-7547 (https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html) but was introduced in…

Link: GlibC Vulnerability affecting Linux
Source: NCSC Alerts

DROWN vulnerability

Executive summary

A newly discovered OpenSSL security vulnerability, dubbed DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), enables a 20 year old and long deprecated security protocol, Secure Sockets Layer (SSLv2), to be used to attack modern websites.

An attack exploiting this could decrypt secure HTTPS communications, which can be used to protect sensitive data in transit between your browser and the server. It is estimated that at least one-third of all websites could be…

Link: DROWN vulnerability
Source: NCSC Alerts

Apple QuickTime for Windows

Summary

QuickTime for Microsoft Windows is no longer supported by Apple and the current advice is to remove it from all Windows OS Devices devices.

The removal instructions can be found here https://support.apple.com/HT205771

QuickTime for Mac OSX is unaffected, can be considered to still be supported, and subject to security patches as required.

Further details

Two vulnerabilities have been found and published by the TippingPoint Zero Day Initiative (ZDI) and, as per their rules,…

Link: Apple QuickTime for Windows
Source: NCSC Alerts

Symantec Norton Anti-virus and Endpoint Protection – multiple high severity vulnerabilities

Executive summary

Multiple critical vulnerabilities have been reported in a number of different security products from Symantec, affecting both enterprise and consumer products.

These vulnerabilities include a ‘100% reliable remote exploit’ and a ‘wormable’ flaw that requires no user interaction by the victim for an attacker to exploit.

The vulnerabilities have been fixed by Symantec and performing a manual ‘LiveUpdate’ will update the software to the…

Link: Symantec Norton Anti-virus and Endpoint Protection – multiple high severity vulnerabilities
Source: NCSC Alerts

HTTP/2

Executive summary

HTTP/2 is a faster and more technically advanced version of the current HTTP 1.1 and is being widely adopted following its approval in February 2015. It is already supported by major browsers – Chrome, Firefox, IE11, Edge, Safari, and Opera – and is thought to be used by about one in ten websites.

Four vulnerabilities rated as severe have been discovered in this new version, but fixes have already been made available through a coordinated approach between the…

Link: HTTP/2
Source: NCSC Alerts

Quadrooter vulnerability affecting Android

Executive summary

A number of vulnerabilities have been discovered in the Qualcomm chipsets used in many Android handsets from many of the leading manufacturers. Exploitation of these vulnerabilities could allow an unauthorised user to take full control of an Android device but in order to do so an authorised user would first need to install a malicious app.

Google have stated that three of the four vulnerabilities have been patched with the fourth due in September, although updates will…

Link: Quadrooter vulnerability affecting Android
Source: NCSC Alerts

Multiple vulnerabilities in various products

Executive summary

On 15 August 2016, CERT-UK was made aware of a list of exploits posted online. These exploits are targeted at vulnerabilities in software found in Cisco switches, routers and firewall products, Fortinet’s Fortiguard, Watchguard and TopSec. Whilst Fortninet and Watchgaurd determined the vulnerabilities were patched years ago, of the two Cisco vulnerabilities, one has been confirmed as a zero-day.

Vulnerabilities – Cisco

The two vulnerabilities affecting Cisco…

Link: Multiple vulnerabilities in various products
Source: NCSC Alerts

Data breach of 500m Yahoo accounts

Summary

CERT-UK is aware of reports of an attack on the technology firm Yahoo in which up to 500 million user accounts were breached.

In August 2016, a hacker known as “Peace” was reportedly attempting to sell information from 200 million Yahoo accounts breached in an attack from 2014. Initially believed to be speculation, Yahoo has now revealed that a breach did take place compromising the data of 500 million accounts. This is believed to be the biggest public breach of…

Link: Data breach of 500m Yahoo accounts
Source: NCSC Alerts

‘Dirty COW’ Linux privilege escalation vulnerability being actively exploited

Executive Summary

A vulnerability has been discovered in the Linux kernel which could give untrusted users unfettered root access. This vulnerability has been present in the Linux kernel for nine years but has only just been discovered. The vulnerability allows for privilege escalation that can be exploited easily and reliably. The fact that this flaw exists in nearly every version of Linux from at least the last nine years means this vulnerability should be taken seriously and patched as…

Link: ‘Dirty COW’ Linux privilege escalation vulnerability being actively exploited
Source: NCSC Alerts