Router ravaging, crippling code, and why not to p*ss off IT staff

Roundup It has been a busy week for security, with the CYBERUK 2018 conference in the UK and the industry gearing up for BSides and the RSA conference in San Francisco next week.

But there have been a bunch of smaller stories that may have slipped under your radar, plus all the other bits and pieces we've covered this week.

Wreckin' routers

Last month, Kaspersky warned of advanced malware, dubbed Slingshot, that uses routers to infect networks. Well, here's some more along those lines. A report [PDF] by Akamai discusses software nasties leveraging vulnerable Universal Plug and Play (UPnP) services offered by routers and gateways to press-gang at least 65,000 boxes.

In all, Akamai estimated that around five million routers could be vulnerable to hijacking via UPnP exploits: miscreants can use the flaws to rewrite networking tables, and turn devices into proxy servers. It has compiled a list of 400 router models from 73 manufacturers that are hackable, and if you've got one of these then it's time to either upgrade your kit or mitigate the risk.

More crap ransomware

Over the past month, a ransomware variant called GandCrab has been popping up on people's systems. But the writers appear to have cocked up with one variant of the code, according to security researcher Brad Duncan.

The code spreads via infected Word documents but the writers made an error in how VBScript compiles. So when some benighted user clicks on the dummy doc they get a warning about a compiling error instead of a massive bout of file encryption and a ransom demand.

Drupalgeddon!

Two weeks ago engineers at the popular content management system Drupal patched a serious flaw in its platform. As so often happens, the patch has now been reverse engineered.

If you want more details on the mechanics of the bug itself Checkpoint did an excellent analysis of the flaw and its likely effects. Someone in the malware writing community has most likely read it too, because there is now exploit code circulating in the wild.

Daniel Cid, founder of security shop Sucuri, claims to have found the code and is warning users who haven't already patched to do so as quickly as possible. The proof of concept code is already up on GitHub and hackers are expected to hit Drupal users hard.

Staff shenanigans

As any security professional will tell you it's not outside hacking attacks that make up the bulk of issues, but your own staff.

As a case in point take Suzette Kugler, a former database administrator with regional airline PenAir – until she retired in February last year. Apparently unsatisfied with her payoff, Kugler set up a number of dummy accounts on PenAir's servers and began to make mischief.

Kugler used the accounts to delete critical files and brought down the airline's booking network. Engineers worked through the night to get systems up and running and then called the cops, who quickly fingered Kugler and arrested her.

A first time offender, Kugler pleaded guilty to one count of fraud and was sentenced to five years of probation, and 250 hours of community service. What should have been a pleasant retirement is now probably going to be spent picking up trash and paying back the near $6,000 it took to fix the system. ®