Security Bulletin #128 – 15 Juin 2017
Microsoft patches two critical remote code execution (RCE) flaws that have been exploited in attacks
Microsoft released June Patch Tuesday updates that address more than 90 vulnerabilities, including two critical remote code execution (RCE) vulnerabilities that have been exploited in attacks. The first vulnerability, tracked as CVE-2017-8464, is a LNK remote code execution flaw in Windows that could be triggered by tricking victims into displaying the icon of a specially crafted shortcut file. The second RCE vulnerability tracked as CVE-2017-8543, is a remote code execution vulnerability affecting Windows Search. Microsoft also fixed 18 critical flaws, the last security updates also patch some of the vulnerabilities disclosed at Pwn2Own hacking competition.
MACSPY – Remote Access Trojan as a service on Dark web
Reporters for the online service “Bleeping Computer” have uncovered a new threat to Apple being offered on the dark web. It is described as the most sophisticated malware for Mac OS-x operating system to date. The software combines with a provided TOR portal to enable users to hack into and obtain surveillance information from targeted MAC computers. The authors of the malware claim that they created it because Apple products have grown so popular. It is this popularity of Apple products that appears to have driven their desire to create the remote access Trojan (RAT) program. The free version of the MacSpy malware is designed to monitor Apple users, record data on the Mac system and then covertly spin it back to the controller who launched the attacks. MacSpy can capture screen image and has an embedded keylogger. In addition, MacSpy can also capture ICloud synced data such as photos, provide voice recording surveillance, extract clipboard contents and download browser information. The paid version of MacSpy has many similar features seen inside programs developed by the CIA as shown in the Wikileaks Vault 7 releases. The remote controller can update the Trojan silently, extract any file, encrypt whole user directories, deliver scheduled dumps of an entire infected system, and extract social media and email data for surveillance.
US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware
The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. It is used to infect hundreds of thousands of computers globally as part of its DDoS botnet network. According to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber-attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. DeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol (CGP) attacks. The botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks. Other malware used by Hidden Cobra include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, including DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. These are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra: Hangul Word Processor bug (CVE-2015-6585), Microsoft Silverlight flaw (CVE-2015-8651), Adobe Flash Player 184.108.40.2064 and 19.x vulnerability (CVE-2016-0034), Adobe Flash Player 220.127.116.11 Vulnerability (CVE-2016-1019), Adobe Flash Player 18.104.22.168 Vulnerability (CVE-2016-4117). The simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall.
CERTFR-2017-AVI-181: Multiples vulnerabilities in Microsoft Windows OS (14 June 2017)
CERTFR-2017-AVI-180: Multiples vulnerabilities in Microsoft Windows (14 June 2017)
CERTFR-2017-AVI-179: Multiples vulnerabilities in Microsoft Edge (14 June 2017)
CERTFR-2017-AVI-178: Multiples vulnerabilities in Microsoft Internet Explorer (14 June 2017)
CERTFR-2017-AVI-177: Multiples vulnerabilities in Microsoft Office (14 June 2017)
CERTFR-2017-AVI-176: Multiples vulnerabilities in Microsoft products (14 June 2017)
CERTFR-2017-AVI-175: Multiples vulnerabilities in Adobe Flash Player and Shockwave Player (14 June 2017)
CERTFR-2017-AVI-174: Multiples vulnerabilities in Mozilla Firefox (14 June 2017)