Weekly IT Security News Bulletin, 2018-W02
8 January – 14 January 2018


Headlines

Phishing campaigns in Google Apps Scripts

Security researchers found a new attack method to exploit Google Apps Script for phishing campaigns. Google Apps Script is a JavaScript-based scripting language that automates actions of the Google Apps services, such as Docs, Sheets, Slides and Forms, just like macros in Microsoft Office. Malware could be distributed under the radar of most users and defensive tools by leveraging Google Apps Script and Google Apps' built-in document sharing capabilities to support automated malware downloads and sophisticated social engineering schemes.

The attacker uploads malicious files or programs onto Google Drive, creates public links to them, and shares an arbitrary Google Doc embedded with a Google Apps Script to deliver the malicious links. The malicious files are then automatically downloaded and recipients are tricked into opening them. Since the link to the Google Doc for editing comes from a legitimate source and contains no malware itself, the attack is difficult to detect. The exploitation is possible even without user interaction, as confirmed by the researchers.

To mitigate the risk, Google blocked specific Apps Script events including installable triggers, which cause certain events to occur automatically, and simple triggers, which present custom interfaces in Docs editors in another user's session. The researchers advised organisations to apply a combination of software-as-a-service application security, end user education, and email gateway security to cope with the emerging threat.

Advice

End users should exercise caution before clicking links to Google Docs unless the sender is known or can be verified.
System administrators or end users should keep endpoint security solutions up to date to guard against malware infection.
System administrators could deploy sandboxing solutions at email or web gateways to detect and block the phishing links at run time.

Sources

Proofpoint
Infosecurity

GovCERT.HK Weekly IT Security News Bulletin 2018-W02

Backdoor open to network storage

A backdoor was found in a family of network-attached storage (NAS) devices, which could lead to remote root code execution on the affected devices. NAS devices are usually used as personal cloud storage for organising photos and videos, and have the ability to sync local data automatically with various cloud and web-based services for global access by individuals and businesses.

The problem was caused by the misuse and misunderstanding of a PHP function by the developer of a PHP script running on the vulnerable devices. The bug allows unrestricted file upload by a remote attacker, who could then install and execute a web shell on the devices with root privilege. A hardcoded username and password were also uncovered by the security researcher, who reverse-engineered the CGI binaries accessible from the device's web interface. With the hardcoded credentials, an attacker may even gain access to the internal NAS device once the user visits the attacker's website, where an embedded iframe or img tag makes a hidden login request to the vulnerable device using its predictable default hostname.

The researcher further discovered other vulnerabilities including cross-site request forgery, command injection, denial of service and information disclosure. The manufacturer stated that the critical issues were addressed with firmware updates in 2017 and that other issues are being handled in future updates.

Advice

Update the firmware of your NAS device or enable automatic update.
Avoid visiting unknown websites to prevent your internal NAS device from cross-site request forgery attack via your browsing computer.
Implement sound data protection practices including data encryption, regular data backups, strong passwords, and network access controls for your NAS device.

Sources

Gulftech
Western Digital
The Hacker News
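Added example (not part of the original bulletin or any vendor code): a detection check a web gateway or proxy could run on fetched pages to flag the pattern described above, where a public page embeds an iframe or img whose source is an internal host. The sample page, the host names, the parameter list and all function names are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Parameter names that suggest a login attempt (constructed list, an assumption).
CRED_PARAMS = {"user", "username", "login", "pass", "passwd", "password", "pwd"}
# Constructed sample page; host names and parameters are placeholders.
SAMPLE_PAGE = """<html><body>
<img src="https://cdn.example.com/logo.png">
<iframe src="http://nas-placeholder/login?user=PLACEHOLDER&amp;pass=PLACEHOLDER" width="0"></iframe>
<img src="http://192.168.1.20/status.gif">
</body></html>"""

def is_internal_host(host):
    """True for private/loopback/link-local IPs and single-label or .local-style names."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        name = host.rstrip(".").lower()
        return "." not in name or name.endswith((".local", ".lan", ".internal"))

class EmbedScanner(HTMLParser):
    """Collects iframe/img sources that point at internal-looking hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img"):
            return
        try:
            parts = urlsplit(dict(attrs).get("src") or "")
            host = parts.hostname
        except ValueError:  # malformed URL such as an unclosed IPv6 literal
            return
        if not is_internal_host(host):
            return
        # Flag requests that also carry credential-like parameters or userinfo.
        keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        creds = bool(keys & CRED_PARAMS) or parts.username is not None
        self.findings.append({"tag": tag, "host": host, "credentials": creds})

def scan_page(html):
    scanner = EmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Findings with "credentials" set to True are the closest match to the hidden login request described in the article; the others still indicate a public page probing internal hosts.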

Product Vulnerability Notes & Security Updates

1. Adobe Flash ash-player/apsb18-01.html https://www.hkcert.org/my url/en/alert/18011002
2. Apple ple.com/kb/HT208403
3. Cisco Unified Communications .debian.org/tracker/CVE-2017-5754
5. F5 s://support.f5.com/csp/article/K91229003
6. General Motors and Shanghai OnStar (SOS) iOS -17-234-04

7. Gentoo 3
8. Huawei visories/huawei-sa-20180106-01-cpu-en
9. IBM WebSphere id swg22012409
10. Juniper ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id ge content&id JSA10842
11. Microsoft rmationjanuary-9-2018 https://www.hkcert.org/my url/en/alert/18011001
12. Moxa -18-011-02

13. ty-announce/2018-01/msg00031.html
14. Phoenix Contact FL -18-011-03
15. Oracle 006.html
16. Red 7. Rockwell Automation Allen-Bradley MicroLogix 1400 /ICSA-18-009-01

18. php?l slackware-security&y 2018&m slackwaresecurity.432557
19. 18/suse-su-20180069-1/
20. Symantec ity-advisories/SA155.html
21. 1-1/

22. VMware Mware-Releases-Security-Updates
23. rg/security/wnpa-sec-2018-04.html

Sources of product vulnerability information:

Adobe
Apple
Cisco
Debian
F5
Gentoo SE
Oracle Linux
Red rk

Contacts: cert@govcert.gov.hk
