Author Topic: SECURITY WARNINGS & Notices - Please post them here  (Read 2890751 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5460 on: September 20, 2017, 01:59:49 PM »
Closer to home, EFF warned because of the recent "supply chain" CCleaner attack:

Read:
https://air.mozilla.org/why-and-how-of-reproducible-builds-distrusting-our-own-infrastructure-for-safer-software-releases/
also
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Why it becomes harder and harder to have trust in Trust!

polonus



Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48567
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5461 on: September 20, 2017, 03:06:28 PM »
Closer to home, EFF warned because of the recent "supply chain" CCleaner attack:

Read:
https://air.mozilla.org/why-and-how-of-reproducible-builds-distrusting-our-own-infrastructure-for-safer-software-releases/
also
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

Why it becomes harder and harder to have trust in Trust!

polonus
A simple analogy. A Restaurant with one excellent cook is pretty trustworthy.
When expansion happens and we now have 10 cooks, that trustworthiness now decreases because it's harder to trust 10 people.
It also becomes harder to track the responsible person when something goes wrong. It also becomes harder to quickly correct the problem.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5462 on: September 20, 2017, 03:10:44 PM »
Poor Internal Security Measures/Practices Take a Toll:
More data lost or stolen in first half of this year than in all of 2016

http://breachlevelindex.com/assets/Breach-Level-Index-Report-H1-2017-Gemalto.pdf
-> https://www.theregister.co.uk/2017/09/20/gemalto_breach_index/

Wise up, folks, now learn and educate, don't be sloppy or let yourselves be dumbed down
by legit and illegal data grabbers  :o

pol
« Last Edit: September 20, 2017, 03:23:58 PM by polonus »

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5463 on: September 21, 2017, 11:05:25 AM »
More concerns about the CCleaner Control and Command Server,
additional malware has been installed to a small number of victims,
approx. 20 servers with 8 organizations, that have infested around 2.2 million users.
Thanks to api-hacker group: "Chinese time zone PRC, APT17/Group 72".

Read: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Some more background on this sophisticated hacker group:
https://blogs.cisco.com/security/talos/opening-zxshell  &  https://attack.mitre.org/wiki/Group/G0001

Information the info stealer gathers:
local hostname
organization
owner
operating system details
CPU speed
total physical memory

polonus
« Last Edit: September 21, 2017, 12:28:24 PM by polonus »

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5464 on: September 21, 2017, 12:10:51 PM »

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5465 on: September 21, 2017, 12:49:38 PM »
WordPress plug-in developers partnered with spammers and spammed you for 4 to 5 years:
https://www.wordfence.com/blog/2017/09/coordinated-plugin-spam/

It's all about the money... ;D

pol

Offline bob3160

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5466 on: September 21, 2017, 02:54:36 PM »
Continuing update on the CCleaner investigation:
https://blog.avast.com/progress-on-ccleaner-investigation

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5467 on: September 22, 2017, 10:49:17 AM »
In the light of the recent CCleaner data breach with many victims in my country, the Netherlands, I pondered on this info,
that has been available for us all for quite some time. But what can the common end-user do, when no one protects us
against the spooks that instigate this on the infrastructure.... :o

Where government agents put us at risk, command-and-control-server with weaknesses and RATs:
Read:
http://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware
&
https://campustechnology.com/articles/2017/05/02/industry-tool-detects-thousands-of-c2-server-rats.aspx
&
https://www.fireeye.com/blog/threat-research/2010/09/chasing-cnc-servers-part-2.html
&
https://tweakers.net/nieuws/123911/interpol-en-beveiligingsbedrijven-identificeren-8800-c2-servers-in-zuidoost-azie.html
(use Google translate to do a quick and dirty translation into English)

If there is no hardened server security or low end insecure C2 servers are being used, those entities (groups/firms) these actions are directed against are "food for the birds" soon. Helped by weak implementations, hiding data traffic via non-public clouds with all sorts of holes, like we had cloudbleed, etc. Unsigned versions :o -> https://www.theregister.co.uk/2017/09/21/slack_linux/

It is a mess, dear forum folks, and it is going from bad to worse. What they wanna cover?

polonus


Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5468 on: September 22, 2017, 12:25:43 PM »
This went wrong with the CCleaner compromise: Wrong low-end server administering.

- One did not have any insight into (non-standard) network traffic;
- No following up/alert for the server being low on disk space;
- No following up/alert that logging was being removed / Did they have permission (RCE/EoP?);
- No log backup but an external system;
- No follow up/alert that the database was corrupted;
- No follow up/alert that a re-installation of the database had taken place.

Hopefully avast servers are being better protected...

polonus
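
Added example, not part of the post above and not code from Avast or Piriform: detection logic for four of the follow-ups the list says were missing (low disk space, log removal, missing off-host log copy, database re-installation), run over constructed host snapshots. The Snapshot fields, the 10% threshold and the sample values are assumptions; network-traffic visibility and database corruption checks are out of its scope.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:            # hypothetical per-interval host telemetry
    ts: str                # sample label
    disk_free_pct: float   # free space on the log/data volume
    log_bytes: int         # size of the monitored log file
    log_inode: int         # changes when the file is replaced (rotation)
    log_shipped: bool      # did the off-host log copy succeed this interval
    db_created: str        # creation stamp of the database files

def audit(snaps, min_free=10.0):
    """Compare consecutive snapshots and return (ts, alert) tuples."""
    alerts = []
    for prev, cur in zip(snaps, snaps[1:]):
        # Alert once, on the transition below the threshold.
        if cur.disk_free_pct < min_free <= prev.disk_free_pct:
            alerts.append((cur.ts, "disk_low"))
        # Same file that shrank: logs were cut or wiped.
        # A new inode means rotation, which is not an alert.
        if cur.log_inode == prev.log_inode and cur.log_bytes < prev.log_bytes:
            alerts.append((cur.ts, "log_truncated"))
        # Without an off-host copy, local log removal destroys the evidence.
        if not cur.log_shipped:
            alerts.append((cur.ts, "log_backup_missing"))
        # Database files recreated since the previous sample.
        if cur.db_created != prev.db_created:
            alerts.append((cur.ts, "db_reinstalled"))
    return alerts

# Constructed sample data, not taken from the incident.
SAMPLE = [
    Snapshot("T0", 40.0, 1000, 7, True, "db-A"),
    Snapshot("T1", 8.0, 1500, 7, True, "db-A"),   # disk fills up
    Snapshot("T2", 7.0, 200, 7, False, "db-A"),   # log cut, shipping fails
    Snapshot("T3", 30.0, 300, 7, True, "db-B"),   # database recreated
    Snapshot("T4", 30.0, 0, 8, True, "db-B"),     # normal rotation, no alert
]

if __name__ == "__main__":
    for ts, alert in audit(SAMPLE):
        print(ts, alert)
```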

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5469 on: September 23, 2017, 02:57:24 PM »
« Last Edit: September 23, 2017, 02:59:53 PM by polonus »

Offline polonus

« Last Edit: September 23, 2017, 04:25:06 PM by polonus »

Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5471 on: September 24, 2017, 01:10:49 PM »
Hundreds of firms vulnerable to be hacked easily via support ticket:

https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

polonus

Offline polonus

« Last Edit: September 26, 2017, 06:20:38 PM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5473 on: September 26, 2017, 05:52:44 PM »
Additional information regarding the recent CCleaner APT security incident
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident


Offline polonus

Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #5474 on: September 26, 2017, 06:27:50 PM »
Interesting, Pondus, very interesting, all around LA's ServerCrate C2 server,
and the links to Romania, shortly a peek into the sordid little world of state actor infostealers.

Not a place to dwell in...

polonus