US-CERT: The United States Computer Emergency Readiness Team
Feed: http://www.us-cert.gov/channels/userdocs.rdf

FTC Releases Announcement on Identity Theft

Fri, 28 Apr 2017 02:55:37 +0000

Original release date: April 27, 2017

The Federal Trade Commission (FTC) recommends that consumers who are affected by identity theft file a report at IdentityTheft.gov—a one-stop resource to help you report and recover from identity theft. Information provided there includes checklists, sample letters, and links to other resources.

US-CERT encourages consumers to learn about identity theft by reviewing FTC's blog post and US-CERT's Tip on Preventing and Responding to Identity Theft.


This product is provided subject to this Notification and this Privacy & Use policy.





TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors

Thu, 27 Apr 2017 22:50:51 +0000

Original release date: April 27, 2017 | Last revised: April 28, 2017

Systems Affected

Networked Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.

Although this activity is still under investigation, NCCIC is sharing this information to help organizations detect potential compromises within their own environments. NCCIC will update this document as information becomes available.

For a downloadable copy of this report and listings of IOCs, see:

  • Report (.pdf)
  • IOCs (.xlsx)
  • IOCs (STIX)

To report activity related to this Incident Report Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Description

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color): Yellow (Medium)

A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers.

To achieve operational efficiencies and effectiveness, many IT service providers leverage common core infrastructure that supports multiple clients and should therefore be logically isolated per client. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network.

Figure 1: Structure of a traditional business network and an IT service provider network

Technical Analysis

The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs). The actors use malware implants to acquire legitimate credentials, then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Command and Control (C2) primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document's associated STIX package and .xlsx file. The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory, with no on-disk evidence available for examination.

To date, the actors have deployed multiple malware families and variants, some[...]



Adobe Releases Security Updates for ColdFusion

Wed, 26 Apr 2017 13:03:54 +0000

Original release date: April 26, 2017

Adobe has released security updates to address a vulnerability in ColdFusion. Exploitation of this vulnerability may allow a remote attacker to take control of an affected website.                   

Users and administrators are encouraged to review Adobe Security Bulletin APSB17-14 and apply the necessary updates.


Pre-Installed Applications Developed with Portrait Displays SDK Contain Critical Vulnerability

Tue, 25 Apr 2017 22:15:30 +0000

Original release date: April 25, 2017

Applications developed using the Portrait Displays software development kit (SDK), versions 2.30 through 2.34, contain a critical vulnerability. A local attacker could exploit this vulnerability to take control of an affected system.

The affected applications, pre-installed on some Fujitsu, HP, and Philips devices, are:

  • Fujitsu DisplayView Click: Version 6.0 and 6.01. The issue was fixed in Version 6.3.
  • Fujitsu DisplayView Click Suite: Version 5. The issue is addressed by patch in Version 5.9.
  • HP Display Assistant: Version 2.1. The issue was fixed in Version 2.11.
  • HP My Display: Version 2.0. The issue was fixed in Version 2.1.
  • Philips Smart Control Premium: Versions 2.23, 2.25. The issue was fixed in Version 2.26.

US-CERT recommends users and administrators review Vulnerability Note VU#219739 for additional information and refer to their device vendors for appropriate patches. Portrait Displays has released a patch for its SDK software.


IBM Releases Security Update

Tue, 25 Apr 2017 12:47:59 +0000

Original release date: April 25, 2017

IBM has released a security update to address a vulnerability in IBM Domino server IMAP EXAMINE. An attacker could exploit this vulnerability to take control of an affected system.

Available updates include:

  • Domino 9.0.1 Feature Pack 8 Interim Fix 2
  • Domino 8.5.3 Fix Pack 6 Interim Fix 17

Users and administrators are encouraged to review the CERT/CC Vulnerability Note VU#676632 and IBM's Security Bulletin for more information and apply the necessary updates.


SB17-114: Vulnerability Summary for the Week of April 17, 2017

Mon, 24 Apr 2017 12:11:53 +0000

Original release date: April 24, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Each entry lists: Primary Vendor -- Product; Description; Published; CVSS Score; Source & Patch Info.

  • apache -- tomcat: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests, which in turn could lead to unexpected errors and/or response mix-up. Published 2017-04-17; CVSS 7.5; CVE-2017-5651; BID, CONFIRM, MLIST.
  • apache -- traffic_server: Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. Published 2017-04-17; CVSS 7.8; CVE-2016-5396; CONFIRM.
  • canonical -- ubuntu_linux: The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup. Published 2017-04-14; CVSS 7.2; CVE-2016-0727; MISC, BID, SECTRACK, UBUNTU, CONFIRM, CONFIRM.
  • ffmpeg -- ffmpeg: FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c. Published 2017-04-14; CVSS 7.5; CVE-2017-7859; BID, MISC.
  • ffmpeg -- ffmpeg: FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c. Published 2017-04-14; CVSS 7.5; CVE-2017-7862; BID, MISC, MISC.
  • ffmpeg -- ffmpeg: FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c. Published 2017-04-14; CVSS 7.5; CVE-2017-7863; BID, MISC, MISC.
  • ffmpeg -- ffmpeg: FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c. Published 2017-04-14; CVSS 7.5; CVE-2017-7865; BID, MISC, MISC.
  • ffmpeg -- ffmpeg: FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c. Published 2017-04-14; CVSS 7.5; CVE-2017-7866; BID, MISC, MISC.
  • flatcore -- flatcore-cms: SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the [...]



Drupal Releases Security Updates

Thu, 20 Apr 2017 00:17:53 +0000

Original release date: April 19, 2017

Drupal has released an advisory to address a vulnerability in Drupal core 8.x versions prior to 8.2.8 and 8.3.1. A remote attacker could exploit this vulnerability to obtain sensitive information.

US-CERT encourages users and administrators to review Drupal's Security Advisory and upgrade to version 8.2.8 or 8.3.1.


Cisco Releases Security Updates

Thu, 20 Apr 2017 00:14:27 +0000

Original release date: April 19, 2017

Cisco has released updates to address several high-impact vulnerabilities affecting multiple products. These and other lower-impact vulnerabilities are listed at Cisco Security Advisories and Alerts. A remote attacker could exploit one of the high-impact vulnerabilities to cause a denial-of-service condition.

Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:


Mozilla Releases Security Updates

Thu, 20 Apr 2017 00:04:38 +0000

Original release date: April 19, 2017

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.

US-CERT encourages users and administrators to review the Mozilla Security Advisories for Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1 and apply the necessary updates.


Google Releases Security Updates for Chrome

Thu, 20 Apr 2017 00:02:20 +0000

Original release date: April 19, 2017

Google has released Chrome version 58.0.3029.81 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker may exploit to take control of an affected system.

Users and administrators are encouraged to review the Chrome Releases page and apply the necessary updates.