
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Contents

Malware: Mac malware uses ‘ancient’ code to target biomedical facilities

Threats and vulnerabilities: US-CERT issues warning after hackers offer SMB zero-day

Threats and vulnerabilities: Oracle’s monster security update: 270 fixes and over 100 remotely exploitable flaws

Top story: MongoDB, ElasticSearch hackers now target Hadoop with ransomware

Top story: IPv6 vulnerable to fragmentation attacks that threaten core internet routers

Oracle’s monster security update: 270 fixes and over 100 remotely exploitable flaws

Threats and vulnerabilities

Oracle has released its first quarterly critical patch update of the year, urging customers to immediately apply the bundle's 270 fixes to a number of its products.

Product families fixed in this update include Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle's updates are typically large, but the 270 fixes in this advisory fall just short of Oracle's record critical patch update last July, which contained 276 fixes.

As with previous updates, Oracle is urging customers to apply the updates "without delay" as "it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches".

Security firm Qualys notes that over 100 of the flaws fixed in this update can be exploited by a remote attacker without credentials.

Patches for Oracle's FLEXCUBE financial applications make up 20 percent of this update, with a large share of fixes for Oracle Applications, Fusion Middleware, MySQL and Java, as well as a significant number of fixes for Oracle retail applications and PeopleSoft.

Overall, 16 of the 17 Java flaws are remotely exploitable without needing user logins, while five of the 27 MySQL flaws are remotely exploitable.

Qualys' analysis of several popular databases shows that MySQL has seen the largest number of vulnerabilities by CVE tags over the past five years.

The cloud security firm reports a 30 percent uptick in those vulnerabilities between 2015 and 2016.

Among the fixes are eight patches for Oracle's retail applications, including one for MICROS, its POS systems. Oracle notes that a bug in the MICROS Lucas system is one of two that is remotely exploitable over the web and doesn't require authentication. The other remote issue affects the Oracle Retail Order Broker.

Source: http://www.zdnet.com/article/oracles-monster-security-update-270-fixes-and-over-100-remotely-exploitable-flaws

Our perspective

Administrators are advised to assess which of the patched vulnerabilities are present in their environment and apply the patches immediately, prioritizing the flaws that are remotely exploitable without authentication.

POS systems have emerged as a prime target for malware designed to steal payment card data from retailer and hotel chains. MICROS came into focus last year after Krebs on Security reported a serious breach of Oracle's MICROS support portal, which is used by its retail customers. The portal was reported to have been seen communicating with a server controlled by Carbanak, a notorious Russian cybercrime gang.

US-CERT issues warning after hackers offer SMB zero-day

Threats and vulnerabilities

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning after the threat group calling itself Shadow Brokers offered to sell what it claims is a zero-day exploit targeting the Server Message Block (SMB) network file sharing protocol.

“In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems,” US-CERT said.

The agency is likely referring to a recent announcement from Shadow Brokers. After several failed attempts to monetize exploits and hacking tools allegedly stolen from the NSA-linked Equation Group, Shadow Brokers recently decided to retire.

While the hackers claim to have quit the business, their exploits remain for sale for an indefinite period at the price of 10,000 bitcoins, currently worth roughly $8.7 million.

A few days before announcing its retirement, Shadow Brokers had offered to sell Windows exploits and anti-malware bypass tools. One of the exploits, available for 250 bitcoins, was described as a remote code execution zero-day targeting SMB.

The group has also advertised an “SMB cloaked backdoor” for 50 bitcoins and a package that includes IIS, RDP, RPC and SMB exploits for 250 bitcoins.

To prevent potential attacks, US-CERT has advised users and administrators to consider disabling SMB v1 and blocking all versions of SMB at the network boundary. SMB typically uses port 445 (TCP/UDP), ports 137 and 138 (UDP), and port 139 (TCP).

However, US-CERT has cautioned users that blocking or disabling SMB could prevent access to files or devices, and that the benefits should be weighed against potential disruptions.

While some of the exploits leaked by Shadow Brokers have turned out to be valid, it is unclear whether the remaining tools are as valuable as claimed. Given the price tag, it is unlikely we will find out soon, unless the hackers decide to leak the files for free.

This is not the first time US-CERT has issued an alert following a Shadow Brokers announcement. In September, the agency warned organizations after the threat group released exploitation tools for old and new vulnerabilities affecting Cisco products.

Source: http://www.securityweek.com/us-cert-issues-warning-after-hackers-offer-smb-zero-day

Our perspective

Almost all Windows systems rely on the Server Message Block (SMB) protocol for file and printer sharing, so SMB v2 and SMB v3 should not be disabled on Windows systems; the exposure to remove is SMB v1 and SMB reachable from outside the network.

US-CERT recommends that administrators weigh the benefit of the mitigation against the potential disruption to users before disabling SMB v1 and/or limiting all versions of SMB traffic by blocking TCP port 445 together with the related protocols on UDP ports 137 and 138 and TCP port 139. Firewall and SMB configuration changes should be tested against an inventory of hosts that still depend on SMB v1 before they are deployed.
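Before disabling SMB v1 on a file server, the check a practitioner wants is which clients would break. A client that still speaks SMB1 sends an SMB1 NEGOTIATE request on TCP/445; if that request also lists the "SMB 2.002" / "SMB 2.???" dialects the client will simply move to SMB2/3, while a client that lists only SMB1 dialects is the one that needs attention. The following Python is an added example written for this digest, not code from US-CERT or the article: it parses the SMB1 NEGOTIATE dialect list (MS-CIFS layout: NetBIOS session header, 32-byte SMB header, WordCount, ByteCount, 0x02-prefixed NUL-terminated dialect strings) and classifies captured requests. The sample requests are constructed inline; the three outcome labels are this example's own.

```python
"""Classify captured SMB negotiate requests before retiring SMB v1 on a server."""
from __future__ import annotations

import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
NETBIOS_HDR = 4      # NetBIOS session service header on TCP/445 and TCP/139
SMB1_HDR = 32        # fixed SMB1 header length


def smb1_negotiate_dialects(payload: bytes) -> list[str]:
    """Return the dialect strings offered in an SMB1 NEGOTIATE request.

    `payload` is the TCP payload: NetBIOS session header, SMB1 header,
    WordCount (0 for NEGOTIATE), ByteCount, then dialect entries, each a
    0x02 BufferFormat byte followed by a NUL-terminated ASCII string.
    Raises ValueError for anything that is not a well-formed request.
    """
    if len(payload) < NETBIOS_HDR + SMB1_HDR + 3:
        raise ValueError("too short for an SMB1 NEGOTIATE request")
    if payload[0] != 0x00 or int.from_bytes(payload[1:4], "big") != len(payload) - NETBIOS_HDR:
        raise ValueError("bad NetBIOS session header")
    smb = payload[NETBIOS_HDR:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count = smb[SMB1_HDR]
    data = smb[SMB1_HDR + 1 + 2 * word_count:]
    (byte_count,) = struct.unpack_from("<H", data, 0)
    entries = data[2:2 + byte_count]
    dialects = []
    pos = 0
    while pos < len(entries):
        if entries[pos] != 0x02:
            raise ValueError("malformed dialect entry at offset %d" % pos)
        end = entries.index(b"\x00", pos + 1)   # ValueError if unterminated
        dialects.append(entries[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def classify_negotiate(payload: bytes) -> str:
    """Three outcomes that matter when planning to disable SMB v1 on the server."""
    if payload[NETBIOS_HDR:NETBIOS_HDR + 4] == SMB2_MAGIC:
        return "smb2-native"                   # client never uses SMB1
    dialects = smb1_negotiate_dialects(payload)
    if any(d.startswith("SMB 2.") for d in dialects):
        return "smb1-negotiate-upgradable"     # will move to SMB2/3 once SMB1 is off
    return "smb1-only"                         # disabling SMB v1 breaks this client


def build_smb1_negotiate(dialects: list[str]) -> bytes:
    """Constructed test input: a minimal SMB1 NEGOTIATE request."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * (SMB1_HDR - 5)
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body   # WordCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    # Constructed samples: a legacy client, a modern Windows client, a native SMB2 client.
    samples = {
        "legacy": build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
        "modern": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
        "native": b"\x00\x00\x00\x24" + SMB2_MAGIC + b"\x00" * 32,
    }
    for name, pkt in samples.items():
        print(name, classify_negotiate(pkt))
```

Run it over the first packet of each inbound TCP/445 session captured at the file server for a week; only sources classified "smb1-only" need remediation (or an exception) before SMB v1 is switched off.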


Mac malware uses ‘ancient’ code to target biomedical facilities

Malware

A strain of malware targeting Mac machines has been spotted in the wild; although new, it makes use of antiquated code to target biomedical facilities.

This week, researchers from Malwarebytes said the malware, dubbed Quimitchin, was discovered after an IT administrator detected unusual traffic flowing out of a computer running Apple's Mac OS X operating system.

According to the team, Quimitchin has been "in existence, undetected, for some time" and has been primarily used to target biomedical research centers.

Quimitchin is named after the spies of the ancient Aztecs, a fitting name since the malicious code's primary purpose is to spy on victims. Apple tracks the same malware as Fruitfly.

The malware is able to perform various tasks including grabbing screen sizes and mouse cursor positions, taking screenshots, simulating mouse clicks and key presses, as well as rudimentary remote control functions.

On the surface the simplistic malware consists of only two files: a .plist file that simply keeps the other file, .client, running at all times, and the .client file itself. The .plist file is a simple launch agent, and the .client file is an obfuscated Perl script used to communicate with command and control (C&C) servers.

"The script also includes some code for taking screen captures via shell commands," the team says. "Interestingly, it has code to do this both using the Mac "screencapture" command and the Linux "xwd" command. It also has code to get the system's uptime, using the Mac "uptime" command or the Linux "cat /proc/uptime" command."

While the malware's binary code is focused on screen captures and webcam access, Quimitchin uses system calls which Malwarebytes dubs "truly antique" as they date back to pre-OS X times. In addition, the binary includes open-source libjpeg code, which was last updated in 1998.

If Quimitchin infects a system, the malware will download a perl script from the C&C server which uses mDNS to build a map of all other devices on the local network, including their names, IPv6 and IPv4 addresses, and ports in use. Another script attempts to connect to these devices.

"The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that -- with the exception of the Mach-O binary -- everything ran just fine," the analysis continued. "This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample."

The security researchers were also able to locate several Quimitchin Windows executables which communicate with the same C&C server; however, they have only been submitted to VirusTotal once and are detected only as generic, basic malicious code.

Quimitchin's elderly backbone does not necessarily mean the malware has been in circulation for that long, as it could be the cyberattackers behind it do not understand Mac well and were relying on old code and documentation when creating the malware.

It may also be that old system calls are in use to try and avoid detection by modern engines -- but the simplistic and ancient code makes it easy to detect and eradicate.

Malwarebytes says the only reason Quimitchin hasn't appeared on the radar before is that the malware is used in very specific, targeted campaigns, which limits exposure. So far, only biomedical research facilities are at risk, but Apple has already released a patch behind the scenes which will prevent infection without the need for a major security update.
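The persistence described above (a launch agent plist whose only job is to keep a hidden, obfuscated Perl script running) is a pattern that can be hunted for across a fleet without any signature for the script itself. The following Python is an added example for this digest, not Malwarebytes' or Apple's code, and the two plists it inspects are constructed samples rather than the real Quimitchin files: it parses a launchd plist with the standard library and scores the combination of KeepAlive/RunAtLoad, a script interpreter as the program, and operands that are dotfiles or live in user-writable locations. The score and reason strings are this example's own conventions.

```python
"""Audit macOS launch agents for the keep-a-script-alive persistence pattern."""
from __future__ import annotations

import plistlib
import posixpath
import re

# Interpreters worth a second look when they are the job's program: the
# Quimitchin agent keeps an obfuscated Perl script alive this way.
SCRIPT_INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "zsh", "osascript"}


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Return {'label', 'program', 'reasons', 'score'} for one launchd plist."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    reasons = []

    keep_alive = job.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):   # dict form = conditional restart
        reasons.append("KeepAlive: launchd restarts the job whenever it exits")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad: job starts at every login/boot")

    interp = re.sub(r"[\d.]+$", "", posixpath.basename(program))  # perl5.18 -> perl
    if interp in SCRIPT_INTERPRETERS:
        reasons.append("program is a script interpreter (%s)" % interp)

    for operand in [program] + args[1:]:
        name = posixpath.basename(operand)
        if name.startswith(".") and len(name) > 1:
            reasons.append("hidden dotfile operand: %s" % operand)
        if operand.startswith(("/Users/", "~/", "/tmp/", "/private/tmp/")):
            reasons.append("operand in a user-writable location: %s" % operand)

    return {"label": job.get("Label", ""), "program": program,
            "reasons": reasons, "score": len(reasons)}


# Constructed samples, not the real Quimitchin files.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/perl</string><string>/Users/alice/.client</string>
  </array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Library/Application Support/Example/updater</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        result = audit_launch_agent(sample)
        print(result["label"], result["score"], *result["reasons"], sep="\n  ")
```

Feed it every file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a score of three or more is a reasonable triage threshold, with the flagged operand path being the file to pull for analysis.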

Source: http://www.zdnet.com/article/new-biomedical-mac-malware-uses-ancient-code/

MongoDB, ElasticSearch hackers now target Hadoop with ransomware

Top stories

Following recent cyber attacks on MongoDB and ElasticSearch, hackers are now targeting Internet-facing Hadoop Distributed File System (HDFS) installations.

As with the attacks on MongoDB and ElasticSearch, hackers are holding databases for ransom and, in many reported cases, simply deleting the data. It has now been confirmed by Fidelis Cybersecurity Threat Research that these sorts of attacks are happening on HDFS instances, with the company estimating that the potential exposure of this attack is around 8,000-10,000 HDFS installations worldwide.

In one incident, Fidelis observed an attacker erasing most of the directories and creating a single directory called “NODATA4U_SECUREYOURSHIT”. There was no attempt to claim a ransom or any other communication; the data was simply deleted and the directory name was left as a calling card. Further investigation found a core issue similar to MongoDB, namely that the default configuration can allow “access without authentication.”

This means an attacker with basic proficiency in HDFS can start deleting files. On or around January 5 to January 6, traffic to port 50070 soared as attackers scanned for open HDFS installations to target.

Fidelis also pointed out that the attackers could originate from China, though the company was quick to note that attackers use infrastructure all over the world to hide their identities. The China attribution rests on the traffic spike seen when the attack occurred: port statistics from the SANS Internet Storm Center and Qihoo 360's Netlab show that the spike came almost exclusively from a single Chinese IP address, 125.64.94.201. Fidelis stated that any database service directly exposed to the internet without adequate authentication is at risk.

The security company advised service providers to “implement strong authentication and access isolation. Users of such services should assess these protective measures before entrusting their data to these services. Always back up data using a robust monitoring program to detect and respond to instances in the event unauthorized access occurs.”

Source: http://www.cbronline.com/news/cybersecurity/breaches/mongodb-elasticsearch-hackers-now-target-hadoop-ransomware
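The "access without authentication" default that the article describes is a configuration state, so it can be audited from the cluster's own core-site.xml and hdfs-site.xml before anyone scans port 50070 from the outside. The following Python is an added example for this digest, not Fidelis' or the Hadoop project's code: it parses the Hadoop configuration file layout and applies a few conservative rules using Hadoop 2.x property names and defaults (hadoop.security.authentication and hadoop.http.authentication.type default to "simple", dfs.permissions.enabled and dfs.webhdfs.enabled default to "true"; 50070 is the 2.x NameNode HTTP port). The sample files are constructed; the rule set is deliberately simplified and a cluster's full Kerberos and authorization setup has more knobs than this checks.

```python
"""Audit Hadoop core-site.xml / hdfs-site.xml for the unauthenticated-access defaults."""
from __future__ import annotations

import xml.etree.ElementTree as ET


def parse_hadoop_config(xml_text: str) -> dict[str, str]:
    """Read the <configuration><property><name>/<value> layout into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hdfs_exposure(*xml_documents: str) -> list[str]:
    """Merge the given config files (later files win) and list findings.

    Any property that is absent is treated as having its Hadoop 2.x default,
    which is exactly the state of the stock installs that were wiped.
    """
    props = {}
    for doc in xml_documents:
        props.update(parse_hadoop_config(doc))

    def setting(key: str, default: str) -> str:
        return props.get(key, default).lower()

    findings = []
    rpc_auth = setting("hadoop.security.authentication", "simple")
    http_auth = setting("hadoop.http.authentication.type", "simple")
    if rpc_auth != "kerberos":
        findings.append("hadoop.security.authentication=%s: RPC callers pick their own "
                        "user name (set to kerberos)" % rpc_auth)
    if http_auth == "simple":
        findings.append("hadoop.http.authentication.type=simple: NameNode HTTP "
                        "(50070 by default) answers unauthenticated requests")
    if setting("dfs.permissions.enabled", "true") == "false":
        findings.append("dfs.permissions.enabled=false: every caller may delete any path")
    if setting("dfs.webhdfs.enabled", "true") == "true" and http_auth == "simple":
        findings.append("dfs.webhdfs.enabled=true without HTTP authentication: the whole "
                        "filesystem is reachable over REST from wherever 50070 is exposed")
    return findings


# Constructed samples: a stock install and a hardened one.
DEFAULT_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
</configuration>"""

HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

HARDENED_HDFS_SITE = """<configuration>
  <property><name>dfs.permissions.enabled</name><value>true</value></property>
  <property><name>dfs.webhdfs.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, docs in (("default", (DEFAULT_CORE_SITE,)),
                        ("hardened", (HARDENED_CORE_SITE, HARDENED_HDFS_SITE))):
        print(label, audit_hdfs_exposure(*docs) or ["no findings"])
```

The stock install yields three findings and the hardened pair none; authentication settings only matter if the NameNode ports are also kept off the Internet, which is the access-isolation half of Fidelis' advice.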

IPv6 vulnerable to fragmentation attacks that threaten core internet routers

Top stories

A trio of 'net experts argues that a key IPv6 protocol needs fixing to get rid of a fragmentation attack vector against routers in large-scale core networks.

The vector, called “atomic fragments”, has long been regarded with suspicion by IPv6 security specialists.

Here, for example, is a Black Hat 2012 presentation illustrating the threat.

Now, prolific Internet Engineering Task Force (IETF) contributor Fernando Gont has helped write RFC 8021, which formally places the feature on the “considered harmful” list.

That's more serious than it sounds: "considered harmful” is code for “get rid of this as soon as possible!"

Fixing this bug is important because a vulnerability in a protocol flows on to any product that implements the protocol, which means vendors at the heart of the Internet such as Cisco, Juniper, Ericsson and Huawei have to deal with it.

While systems using recent BSD and Linux kernels are immune, the point of the RFC is to get rid of the atomic fragment risk at the protocol level.

What's an atomic fragment?

An atomic fragment is designed into the IPv6 fragmentation mechanism. As RFC 6946 explains: “when a host receives an ICMPv6 'Packet Too Big' message advertising a 'Next-Hop MTU' smaller than 1280 (the minimum IPv6 MTU), it is not required to reduce the assumed Path-MTU, but must simply include a Fragment Header in all subsequent packets sent to that destination. The resulting packets will thus not actually be fragmented into several pieces but will just include a Fragment Header with both the 'Fragment Offset' and the 'M' flag set to 0 (we refer to these packets as 'atomic fragments').” The problem is that these atomic fragments present a denial-of-service (DoS) vector.

From RFC 8021: “If an attacker sends a forged ICMPv6 PTB [packet too big] error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]).

When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario.”

Co-author of the new RFC, Fernando Gont of SI6 Networks, explained to The Register that his RFC is the result of long debate in the IPv6 security community.

“This attack vector is essentially based on two different pieces of work: the generation of atomic fragments (i.e., how to trigger fragmentation at a target system), and the filtering of IPv6 fragments (i.e., what actually gets the packets dropped, causing a DoS).”

Source: http://www.theregister.co.uk/2017/01/18/net_boffin_ipv6_needs_hardening_against_fragmentation_attacks
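The two halves of the attack Gont describes (triggering atomic fragments with a forged PTB, and a middlebox that drops packets with extension headers) are easy to model end to end. The following Python is an added example for this digest, not code from the RFC authors or The Register: it builds raw IPv6 packets with the standard library, recognises an atomic fragment (Fragment Header with Offset=0 and M=0), models the sender's reaction to a PTB under the old RFC 2460 rule and under RFC 8021, and models the filtering middlebox. The addresses, identification value and the 64-byte payload are constructed; the middlebox is a simplification that drops any packet whose first Next Header is an extension header, and the "RFC 8021 behaviour" here is just "a PTB below 1280 produces no atomic fragments", which is the part of the RFC the article is about.

```python
"""Model the atomic-fragment DoS from RFC 8021 and the fixed sender behaviour."""
from __future__ import annotations

import struct

IPV6_MIN_MTU = 1280
NH_FRAGMENT = 44
NH_UDP = 17
EXT_HEADERS = {0, 43, 44, 50, 51, 60}   # HBH, Routing, Fragment, ESP, AH, DstOpts


def ipv6_packet(src: bytes, dst: bytes, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by `payload`."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload


def atomic_fragment(src: bytes, dst: bytes, upper_nh: int, upper_payload: bytes,
                    identification: int = 0x1234) -> bytes:
    """A packet carrying a Fragment Header with Offset=0 and M=0 (an 'atomic fragment')."""
    # Fragment Header: Next Header(1) Reserved(1) Offset:13 Res:2 M:1 (2) Identification(4)
    frag_hdr = struct.pack("!BBHI", upper_nh, 0, (0 << 3) | 0, identification)
    return ipv6_packet(src, dst, NH_FRAGMENT, frag_hdr + upper_payload)


def is_atomic_fragment(packet: bytes) -> bool:
    """True when the first extension header is a Fragment Header with Offset=0 and M=0."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != NH_FRAGMENT:
        return False
    (offset_flags,) = struct.unpack_from("!H", packet, 42)
    return (offset_flags >> 3) == 0 and (offset_flags & 1) == 0


def next_packet_after_ptb(reported_mtu: int, src: bytes, dst: bytes, upper_nh: int,
                          payload: bytes, rfc8021: bool = False) -> bytes:
    """What the sending host emits (for a payload that fits the path) after an
    ICMPv6 Packet Too Big reporting `reported_mtu`.

    RFC 2460 behaviour: an MTU below 1280 does not lower the Path MTU but makes
    the host add a Fragment Header to every later packet (atomic fragments).
    RFC 8021 behaviour: such a PTB triggers no atomic fragments at all.
    """
    if reported_mtu < IPV6_MIN_MTU and not rfc8021:
        return atomic_fragment(src, dst, upper_nh, payload)
    return ipv6_packet(src, dst, upper_nh, payload)


def filtering_middlebox_drops(packet: bytes) -> bool:
    """The middlebox in the RFC's scenario: drops any IPv6 packet with an extension header."""
    return packet[6] in EXT_HEADERS


if __name__ == "__main__":
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    payload = b"\x00" * 64
    for mtu, fixed in ((1000, False), (1000, True), (1400, False)):
        pkt = next_packet_after_ptb(mtu, src, dst, NH_UDP, payload, rfc8021=fixed)
        print("PTB mtu=%d rfc8021=%s atomic=%s dropped=%s"
              % (mtu, fixed, is_atomic_fragment(pkt), filtering_middlebox_drops(pkt)))
```

The first line of output is the DoS: one forged PTB turns every later packet into an atomic fragment that the filter drops. The second line is the same forged PTB against a sender with the RFC 8021 behaviour, which keeps sending plain packets. The detector is also usable on its own over a capture to find hosts still emitting atomic fragments.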


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

In India, PwC has offices in these cities: Ahmedabad, Bangalore, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in. PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub- license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/January2017-8543
