Welcome to this week's Security Bulletins.

We have some positive news from Europe. The French National Police, in collaboration with the antivirus company Avast, has managed to bring down the Monero cryptocurrency-mining bot Retadup, which had spread widely in the recent past. Avast had gathered extensive threat intelligence on Retadup and contacted the French authorities with this information, as a large part of the Command and Control (CnC) infrastructure was located in France. The French Police took down the CnC server and, after analyzing its contents, proactively replaced it with a disinfection server that responds to incoming bot requests with self-destruction instructions for the malware. Reports suggest that this operation has neutralized more than 850,000 Retadup infections.


SANS ISC InfoSec Forums has published an interesting article on the presence of compilers in the Windows environment, which is not as common as on Unix-based systems. Hence malware targeting Windows systems often arrives precompiled as an executable. The article provides insights into the usage of two executables, "jsc.exe" and "msbuild.exe", which are part of the .NET Runtime Environment and are commonly found on most corporate systems. The former is a JScript compiler and the latter is a tool used to build applications automatically. Although they are essential for the proper working of many applications, researchers have found instances of these tools being misused for malicious intent. In this particular instance, they were used to compile the next-stage malware on the victim machine itself. This turns out to be a fairly effective AV evasion method, as in most cases AV engines only look for executables and not for the source code.
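A defender's counterpart to this technique is to watch for jsc.exe or msbuild.exe being invoked from unusual places. The following is an added example, not code from the SANS ISC article: it runs simple detection logic over constructed process-creation records in a hypothetical "parent|image|command line" format (not Sysmon's real field layout) and flags compiler runs whose source or output lives in a user-writable directory or whose parent is an Office application or script host.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events: parent image | process image | command line (hypothetical format).
SAMPLE_EVENTS = [
    r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\dev\src\app\app.csproj",
    r"C:\Windows\System32\WScript.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|jsc.exe /nologo /out:C:\Users\alice\AppData\Local\Temp\stage2.exe C:\Users\alice\AppData\Local\Temp\stage2.js",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|MSBuild.exe C:\Users\alice\Downloads\invoice.xml",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
]

# The two .NET binaries discussed above.
COMPILERS = {"jsc.exe", "msbuild.exe"}
# Directories a normal user can write to; a build running from here is unusual for a developer workflow.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
# Parents that should never need to launch a compiler.
SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def parse_event(line):
    """Split one record into lower-cased image names plus the raw command line."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": PureWindowsPath(parent).name.lower(),
            "image": PureWindowsPath(image).name.lower(),
            "cmdline": cmdline}


def assess(event):
    """Return the reasons an event looks like on-host payload compilation; empty list means benign."""
    if event["image"] not in COMPILERS:
        return []
    reasons = []
    if USER_WRITABLE.search(event["cmdline"]):
        reasons.append("source or output in user-writable directory")
    if event["parent"] in SCRIPT_PARENTS:
        reasons.append(f"spawned by {event['parent']}")
    return reasons


def find_suspicious(lines):
    """Return (image, reasons) for every record that trips at least one rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

A developer building a project from a source tree with Visual Studio as the parent passes both rules, so the first record is not flagged; tune the directory list to your own environment before deploying.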


Twitter CEO Jack Dorsey took a hard hit earlier this week as his account was reportedly compromised. The attacker accomplished this through the feature that allows tweeting via SMS. Twitter has officially stated that none of its systems were compromised and blamed the mobile provider for a "security oversight" that led to the account takeover. Twitter has since suspended the tweet-by-SMS feature, but before that, the attacker had already posted some offensive and racist comments.


The Center for Internet Security has published an advisory on multiple PHP vulnerabilities which could be used for arbitrary code execution. PHP is a programming language predominantly used in the web industry, which signifies the impact these could have on web applications. As per CIS, "Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition." Although there are no reports of these vulnerabilities being exploited as of now, small to large businesses as well as government entities are at high risk. The reported vulnerabilities are said to affect PHP 7.1 versions prior to 7.1.32, PHP 7.2 versions prior to 7.2.22 and PHP 7.3 versions prior to 7.3.9. The recommended actions include upgrading to the latest version of PHP, auditing the system for any suspicious modifications before applying patches, enforcing the "Principle of Least Privilege" on all systems and services, and exercising caution with untrusted websites or links. In light of this, Magento has notified its customers about the severity of the vulnerabilities and has also recommended redeploying Magento Commerce between September 19th and 30th and upgrading PHP to the patched versions.


It is very common to see Dovecot if you are running your own mail server in a Unix environment. We do have some good news in this case! The remote code execution vulnerability in Dovecot was just patched. Openwall describes the vulnerability as follows: "IMAP and ManageSieve protocol parsers do not properly handle NULL byte when scanning data in quoted strings, leading to out-of-bounds heap memory writes". This could be exploited by a highly skilled attacker to leak sensitive data and in some cases lead to RCE. There are no workarounds for this vulnerability other than updating to the latest patched versions, Dovecot 2.3.7 and its add-on Pigeonhole 0.5.7.


Marcel Afrahim, a malware researcher, has found another abuse of Cloudflare services by malware authors. It is somewhat common to see Cloudflare proxies being used to obfuscate the actual malware origin and to bypass common blocklists, but in this case the Astaroth Trojan utilized the Cloudflare Workers feature, a serverless computing offering from Cloudflare that can also be used for load balancing. Users upload JavaScript code which is executed within Cloudflare's infrastructure to serve requests for specific URLs. Notably, Cloudflare offers a free tier which allows 100,000 worker requests a day.