Security Bulletin #106 – 16 May 2017
WannaCry Ransomware: Everything you need to know
Since this widely spread ransomware attack is neither the first nor the last to hit users worldwide, prevention remains the key to protecting against such malware. WannaCry is considered unusually nasty because it can spread by itself, without the user needing to click any link or open any file. Once a machine is infected, WannaCry scans for other unpatched PCs on the same local network, and also scans random hosts on the wider Internet, so that it spreads quickly.

What has happened so far?

Day 1: OutCry. WannaCry targeted over 90,000 computers in 99 countries.

Day 2: The Patch Day. A security researcher found a way to slow down the infection rate, and meanwhile Microsoft released emergency patches for unsupported versions of Windows.

Day 3: New Variants Arrive. Just yesterday, new variants of WannaCry, with and without a kill switch, were detected in the wild and are expected to be difficult to stop for at least the next few weeks.

The attack is not over yet: security researchers have detected new versions of this ransomware, dubbed WannaCry 2.0, which cannot be stopped by the kill switch. The attack is at an unprecedented level and will require a complex international investigation to identify the culprits.

Some simple tips you should always follow are:

1) Always install security updates
2) Patch the SMB vulnerability
3) Disable SMB
4) Enable the firewall and block SMB ports
5) Use an antivirus program
6) Be suspicious of e-mails, websites and apps
7) Regularly back up your files
8) Keep your knowledge up to date

Is the NSA/CIA to blame? Microsoft has hit out at the US government for facilitating cyber-attacks like WannaCry by not disclosing software vulnerabilities to the respective vendors and instead holding them for its own purposes, such as global cyber espionage.
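Tips 3 and 4 above (disable SMB, enable the firewall and block the SMB ports) are the steps an administrator would actually type on a Windows host. The following PowerShell script is an added example and is not part of the bulletin: it first reports the SMBv1 and firewall state of the local machine, and only with the -Harden switch does it make changes. It assumes Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and the NetSecurity cmdlets), an elevated prompt, and that the rule name 'Block inbound SMB (TCP 445/139)' is free to use; that name and the -Harden switch are choices made for this example.

```powershell
# Added example (not from the bulletin): audit, and optionally harden, SMBv1 exposure
# on a Windows host. Assumes Windows 8.1 / Server 2012 R2 or later, run elevated.
# Without -Harden the script only reports; -WhatIf previews the changes -Harden would make.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Harden
)

$ruleName = 'Block inbound SMB (TCP 445/139)'   # rule name chosen for this example

# 1) Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled   : {0}" -f $smb.EnableSMB1Protocol)

# 2) Is the SMB1Protocol optional feature (client and server components) installed?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat) { Write-Host ("SMB1Protocol feature state     : {0}" -f $feat.State) }

# 3) Is there already an inbound firewall rule blocking the SMB ports?
$blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Inbound SMB block rule present : {0}" -f [bool]$blockRule)

# 4) Which firewall profiles are switched on?
Get-NetFirewallProfile | ForEach-Object {
    Write-Host ("Firewall profile {0,-7} enabled : {1}" -f $_.Name, $_.Enabled)
}

if (-not $Harden) { return }

# --- remediation: tips 3 and 4 of the bulletin ---
if ($smb.EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1 protocol')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feat -and $feat.State -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
if (-not $blockRule -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Add inbound block for TCP 445/139')) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any | Out-Null
}
if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Enable all profiles')) {
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
}
```

Run it once without -Harden to see where a machine stands, then with -Harden -WhatIf to preview. Blocking inbound TCP 445 stops the host from serving file shares, so on a file server the firewall rule should be scoped to the networks that legitimately need access rather than applied to every profile; disabling SMBv1 itself has no such cost unless very old clients or devices still depend on it.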
Malicious registry keys: Reflective injection
Mimosa Wireless kit has multiple security holes
5G wireless vendor Mimosa Wireless has patched a bunch of remote code execution, denial-of-service and file disclosure vulnerabilities. The products' web interface reveals device serial numbers, and another page in the same interface can be used to force a factory reset without authentication. The web interface also leaks passwords: an attacker can use an unsanitized GET request to download files as root, which ends up as more-or-less complete pwnage. This can be used to view unsalted, MD5-hashed administrator passwords, which can then be cracked, giving the attacker full admin access to the device's web interface. The same vulnerability can also be used to view the plaintext pre-shared key (PSK) for encrypted connections, or the device's serial number (which in turn enables the denial of service). The bugs apply to firmware versions below 2.2.3 and were patched in a mid-April release from Mimosa.
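The reason the leaked Mimosa password file was so damaging is that the administrator passwords were stored as unsalted MD5 digests. The PowerShell below is an added illustration, not Mimosa's code, using constructed sample passwords: it shows that two accounts with the same password produce the same unsalted MD5 digest (so one precomputed table answers both), and contrasts this with a per-user random salt and an iterated key derivation (PBKDF2 via .NET's Rfc2898DeriveBytes), where every stored value differs and each guess costs the full iteration count. The storage format 'pbkdf2-sha1$iterations$salt$hash' is a convention chosen for this example.

```powershell
# Added example (not Mimosa's code): unsalted MD5 password storage beside a salted,
# iterated alternative. Sample passwords below are constructed for illustration.
function Get-UnsaltedMd5 {
    param([string]$Password)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function New-SaltedHash {
    param([string]$Password, [int]$Iterations = 100000)
    # 16 random bytes of salt per stored password, from the OS CSPRNG
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    # PBKDF2 with HMAC-SHA1 (the Rfc2898DeriveBytes default), 32-byte output
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    $hash = $kdf.GetBytes(32)
    # Salt, iteration count and hash are stored together; all three are needed to verify.
    'pbkdf2-sha1${0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-SaltedHash {
    param([string]$Password, [string]$Stored)
    $parts = $Stored.Split('$')
    $salt  = [Convert]::FromBase64String($parts[2])
    $kdf   = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, [int]$parts[1])
    [Convert]::ToBase64String($kdf.GetBytes(32)) -eq $parts[3]
}

# Two admin accounts that happen to share a (constructed) password.
$password = 'Mimosa123'
'admin1','admin2' | ForEach-Object {
    "{0}: unsalted md5 = {1}" -f $_, (Get-UnsaltedMd5 $password)   # identical for both accounts
}
'admin1','admin2' | ForEach-Object {
    "{0}: salted pbkdf2 = {1}" -f $_, (New-SaltedHash $password)   # different for each account
}

# Verification still works with the right password and fails with the wrong one.
$stored = New-SaltedHash $password
"verify correct password : " + (Test-SaltedHash $password $stored)
"verify wrong password   : " + (Test-SaltedHash 'wrong' $stored)
```

The MD5 lines for admin1 and admin2 print the same 32-hex-character digest, which is exactly why an unsalted hash table is cheap to crack once it leaks; the PBKDF2 lines differ on every run because the salt is fresh each time, and verification recomputes the derivation from the stored salt and iteration count.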
CERTFR-2017-ALE-008: Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
CERTFR-2017-ALE-011: Jaff unsolicited e-mail (spam) campaign (14 May 2017)
CERTFR-2017-ALE-010: Spread of a ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)
CERTFR-2017-ALE-009: Vulnerability in Microsoft Malware Protection Engine (09 May 2017)
CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)
CERTFR-2017-AVI-154: Multiple vulnerabilities in Microsoft Windows XP, Windows Server 2003 and Windows 8 (15 May 2017)
CERTFR-2017-AVI-153: Multiple vulnerabilities in Moodle (15 May 2017)