State-Sponsored Cyber Actors do State-Sponsored Cyber Actor stuff

US-CERT published a joint Technical Alert (TA) resulting from efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC) providing information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. And they provide some nice concrete information that can be reacted to. The fact that this happens is not new, and there is no reason to think Russia is the only ones who does this, they are not doing anything spectacular or fancy either. Check for the indicators provided, keep calm and carry on.

In a separate note, Oracle announces 250 security fixes in quarterly patch update, Cisco published important and critical security advisories for Firepower, ASA and WebEx.

Top 5 Security links
RSA 2018 Keynote – The Five Most Dangerous New Attack Techniques
PCI Council Releases Guidelines for Cloud Compliance
Hacking charge for URL-manipulation in Canada
Drupalgeddon 2 Vulnerability Used to Infect Servers With Backdoors & Coinminers
Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

(Blogpost image by Andrew Choy from Santa Clara, California, “San Francisco International Airport at night“, Creative Commons Attribution-Share Alike)

Intel tells remote keyboard users to delete app after critical bug found.

On Tuesday, Intel warned of a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of the Intel Remote Keyboard that allows a network attacker to inject keystrokes as if they were a local user.

The vulnerability received a Common Vulnerabilities and Exposure (CVE) score of 9.0 out of 10.

As part of the same advisory, Intel shared two additional Remote Keyboard vulnerabilities, both rated high. The bugs (CVE-2018-3645 and CVE-2018-3638) allow an “authorized local attacker to execute arbitrary code as a privileged user” and had CVE scores of 8.8 and 7.2, according to Intel.

An Intel spokesperson told Threatpost the product had already been scheduled for discontinuation, and the discontinuation is not related to the security advisory. Despite being discontinued, Intel still maintains a Remote Keyboard product page for the app and it is still available for download via Apple’s App Store and Google Play. According to Google Play, the app has been installed over 500,000 times.

Top 5 Security links
https://blog.cloudflare.com/announcing-1111/
https://www.elastic.co/blog/gdpr-personal-data-pseudonymization-part-1
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/
https://blog.infostruction.com/2018/04/02/feodo-banking-trojan-dropper-analysis/
https://www.commondreams.org/news/2018/04/05/not-50-million-not-87-million-facebook-admits-data-most-its-2-billion-users

AMD Vulnerabilities

This week, CTS-Labs sent out an advisory regarding AMD Vulnerabilities.
What’s worth noting about this is that the vulnerabilities all require local administrator access to exploit, and if an attacker already got that access it means that it’s basically game over in either case. There are also concerns that this was done in order to manipulate stock prices, and the fact that CTS-Labs only gave AMD a one day heads up before going public (instead of the regular 30 – 90 days) have set off red flags for some parties.

Top 5 Security links
Let’s have a sober look at these ‘ere annoying AMD chip security flaws
APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware
ISPs Caught Injecting Cryptocurrency Miners and Spyware In Some Countries
Pre-Installed Malware Found On 5 Million Popular Android Phones
Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities