Source SDK and Games

Valve Corporation released a patch that addresses a simple buffer overflow vulnerability, identified by One Up Security researcher Justin Taft, in the Source software development kit (SDK), which allowed malicious code to be downloaded and remotely executed on Steam users’ machines. Although the Source Engine is not open source, Valve allows third-party developers to create custom modifications or assets for Source games. Generally, when these modifications or assets are applied to a game server, a user's game automatically downloads the updates when connected to play. The NJCCIC recommends all users apply updates for Source games, third-party developers apply the Source SDK patch as soon as possible, and gamers disable auto-downloads for third-party gaming assets.

iSmartAlarm

Ilia Shnaidman, a researcher for Dojo by BullGuard, reported five vulnerabilities in the firmware of iSmartAlarm and iSmartAlarm cube products, a smart home security system. Successful exploitation of CVE-2017-7726CVE-2017-7727CVE-2017-7728,CVE-2017-7729, and CVE-2017-7730 could allow a threat actor to bypass authentication, take over devices, and disable alarm systems, leaving homes exposed to burglaries. The researcher reported the vulnerabilities to iSmartAlarm in February and disclosed them publicly on July 5, 2017. The NJCCIC recommends owners and operators of vulnerable iSmartAlarm devices review Ilia Shnaidman’s report, consider discontinuing the use of any affected devices, andapply iSmartAlarm firmware updates as soon as they are released.

Xen

Xen released an update to address several vulnerabilities that, if exploited, could result in unauthorized privilege escalation by a paravirtualization (PV) guest. All versions of Xen up to version 5 are vulnerable. The NJCCIC recommends Xen administrators review the Xen Security Advisory and apply the appropriate set of patches as soon as possible.

Cisco IOS and IOS XE

Cisco released security updates to address multiple Simple Network Management Protocol (SNMP) vulnerabilities in its IOS and IOS XE software. Successful exploitation of these vulnerabilities could allow a threat actor to execute code and take control of an affected system. The NJCCIC recommends users and administrators review Cisco’s Security Advisory and apply the necessary updates.

"Bad Taste"

A German researcher named Nils Dagsson Moskopp discovered a vulnerability, CVE-2017-11421, that he dubbed “Bad Taste,” affecting GNOME Files, formerly known as Nautilus, the default file manager/explorer for Linux distros using the GNOME desktop. Successful exploitation of this vulnerability could allow a threat actor to gain an initial foothold on vulnerable systems. Moskopp published a proof of concept demonstrating an exploit of the vulnerability by dropping an empty file with the name badtaste.txt on a user's computer, but he states a remote threat actor could do more damage. The Debian project patched the vulnerability hours after it was reported by Moskopp, and the gnome-exe-thumbnailer, which parses MSI and EXE files inside the GNOME Files app, was also fixed. The NJCCIC recommends users and administrators using GNOME Files review Moskopp’spost and the subsequent Bleeping Computer article, follow the recommendation to delete all files found in /usr/share/thumbnailers, and apply any necessary updates.

Apple Products

Apple released security updates to fix vulnerabilities in multiple products, including iCloud for Windows, iOS, iTunes for Windows, Safari, macOS, tvOS, and watchOS. Successful exploitation of these vulnerabilities could allow a remote threat actor take control over an affected system. The NJCCIC recommends all users and administrators of Apple products review Apple’s Security Update and apply the necessary updates as soon as possible.

Malicious Actors Targeting New WordPress Installations

Wordfence researchers reported observing a recent spike in compromises of newly created WordPress-powered websites. The malicious actors are scanning websites for the presence of /wp-admin/setup-config.php, a URL that denotes when new instances of WordPress have been installed on a server, but have yet to be configured. Once a new WordPress installation is located, the hackers complete the configuration of the site, entering their own database server information and providing themselves with administrative access. The hackers can then use this access to install a malicious shell in the directory of the victim’s hosting account and gain full control of that account, execute malicious code on the victim’s website, and upload custom malicious plugins. The NJCCIC recommends all administrators of WordPress-powered websites, as well as website hosting providers, review the Wordfence security report and implement the appropriate recommended solution to help protect websites and hosting accounts from the WPSetup attack.

Samba

Samba released a security advisory notifying users that threat actors are exploiting a seven-year old remote code execution vulnerability, CVE-2017-7494, known as “SambaCry” or “EternalRed,” affecting all unpatched versions of Samba from 3.5.0 up. Samba issued versions 4.6.4, 4.5.10, and 4.4.14 as security releases to address the vulnerability and patches are available for earlier versions. Threat actors are reportedly exploiting this vulnerability to install a backdoor trojan, dubbed “SHELLBIND,” on Linux devices running the vulnerable versions of the Samba file-sharing server. Successful exploitation of this vulnerability could allow a remote threat actor to execute a shared library from a writeable share and take control of the affected system. These attacks have largely targeted internet-of-things (IoT) devices, specifically network-attached storage (NAS) devices. Previous exploits against the SambaCry vulnerability were used to mine the Monero cryptocurrencyThe NJCCIC recommends all users and administrators of Samba review the security advisory, apply the necessary update or patch, and utilize whitelisting to only allow necessary ports and protocols on your network.

SAP POS

SAP released updates to patch 23 vulnerabilities in several of its products. Successful exploitation of the most severe vulnerabilities in SAP POS, SAP's point-of-sale (PoS) solution, could allow an unauthenticated threat actor to gain access to the SAP PoS system, allowing them to read, write, or delete files stored on the server, shut down the application, or monitor content from the receipt window of the affected system. The NJCCIC recommends all administrators of SAP products review the SAP Security Notes and apply the necessary updates.

Cryptocurrency Mining Trojan is Second-Most Widespread Mac Malware

A cryptocurrency-mining Trojan, DevilRobber, is currently targeting the Mac operating system (OSX).Coinbitminer - was the second-most widespread Mac malware variant in June, accounting for 21.6 percent of all detections, up from 2.4 percent in May, according to Symantec. The cause of the recent increase in infections is currently unknown. DevilRobber infects victims via malicious Mac applications distributed via BitTorrent trackers. The NJCCIC recommends all Mac users follow security best practices, such as allowing only necessary services and connections from the internet and blocking all others, applying the Principle of Least Privilege, and keeping operating system patch levels up-to-date.

Hewlett Packard Enterprise (HPE) SiteScope

HP released a patch to address multiple vulnerabilities within HPE SiteScope v11.2x and v11.3x. If exploited, these vulnerabilities could be used by a malicious actor to bypass security restrictions, gain access to sensitive information, and remotely execute arbitrary code. The NJCCIC recommends administrators of HPE SiteScope review HP Security Bulletin HPESBGN03763 1 and apply the necessary updates.

HUMAX WiFi Router Model HG-100R

Trustwave researchers discovered a vulnerability affecting the HUMAX WiFi Router Model HG-R100 that, if exploited, could allow a remote threat actor to retrieve the router console’s administrative password as well as its WiFi credentials. The NJCCIC recommends users of vulnerable HUMAX WiFi routers review the Trustwave SpiderLabs Security Advisory TWSL2017-010 and avoid exposing affected routers to the internet until and unless the vulnerability is patched.

Malicious Email Campaign Containing Ursnif Keylogger Impacting New Jersey Organizations

On Wednesday afternoon, the NJCCIC received a Cyber Incident Report from an organization stating that several of its employees received a suspicious email containing a password-protected document. The NJCCIC email security team also verified that several New Jersey state employees received similar emails. The sender field contains a random name and the subject line contains the same name that is displayed in the signature of the email. The body of the email references a money transfer and contains a password to open and view the attached document. This attachment contains four embedded documents that, if opened, prompts the recipient to run a malicious JavaScript file that installs the Ursnif keylogger, a data-stealing Trojan that captures keystrokes made on the infected system. In April 2017, security firm PhishMe reportedobserving a similar widespread Ursnif distribution campaign that also used password-protected email attachments designed to trick recipients into installing the malware. The NJCCIC recommends warning end users about this threat and reminding them never to open emails from unknown senders. If applicable, review email quarantine logs and delete emails associated with this campaign prior to their release. If an end user on your network has already opened the email attachment, disconnect the impacted system from the network and thoroughly scan it and clean the infection. For associated IoCs, please see the article about this campaign published on BleepingComputer.