Blogs

AUSCERT2021 Information Security Excellence Winner

21 Jun 2021

AUSCERT2021 Information Security Excellence Winner [A copy of this interview article is also featured on Edition 3 of the Women in Security Magazine, published by Source2Create.] Jacqui is Founder and Executive Manager of the Australian Women in Security Network (AWSN) which aims to connect, support and inspire more people, in particular, women and female-identifying professionals to pursue a career in security. She is also co-author of the international book ‘Women in the security profession’. In April 2021, Jacqui decided to take a leap of faith and is now devoting 100% of her time to building the AWSN as a not-for-profit organisation. In short, AWSN has been Jacqui’s “passion project” for close to 7 years. Today, AWSN is a national group of close to 2,500 members across Australia with linkages to a number of prominent sponsors. It is an open network of people aiming to grow the number of women and female-identifying professionals in the cyber security community. AWSN’s mission is to support, inspire, and connect women and female-identifying professionals in the industry and those looking to enter the field with the tools, knowledge, a connected network and platforms they’ll need in order to build their confidence and cultivate their interest. Kudos to Jacqui for her tireless work in building the AWSN to where it is today, and with that – it is with great honour that we award her the Winner of Information Security Excellence in 2021.  Tell us a little about your professional career? My interest in technology started off when I worked at a help desk at Australia Post and in the area of  PC support at an insolvency company during uni where I studied a Bachelor of Information Systems. I then graduated and became a unix adminstrator for a few years before then deciding that I wanted to see and travel the world! When I was back-packing in Europe I ran out of money (as you do!) and got a job working on the helpdesk at Schlumberger. I got the opportunity to retrain to be a technical consultant. They put me through some really intensive technical networking and security training and at the end they asked what I wanted to do. I thought security was interesting, and this is pretty much how my security career journey began! I then worked as a security consultant for multiple large scale projects where I’d worked on a variety of different areas such as implementing AV, PKI solutions, performing risk assessments and technical assessments, policy-writing, and basically anything that was thrown at me at the time. I ended up spending 7 years in London and 7 years in Paris as a consultant working on many interesting projects which I loved. When I came back to Australia, I continued to consult on different projects before then moving to the in-house security team at ANZ. I started in their Identity and Access Management (IAM) team, then moved on to designing the cybercrime controls for ANZ’s institutional banking arm; and finally moved to head the Security Education and Influence team in a job share role. I then decided that I really wanted to help small businesses who I saw being affected by cybercrime and ended up spending a year in start-up land with the folks at Cynch Security. You’re the founder of AWSN. Can you tell us more about how AWSN was born and what your mission is? The idea of the AWSN (Australian Women in Security Network) was born when I returned from a 14-year stint overseas and came back to Melbourne. I walked into a security event and was overwhelmed by being the only female in the room. It was something I had gotten used to in Europe; but it really hit me when I came back to my home country to see and experience  it, especially when I didn’t know anyone in the room. I’d met one other female participant and she took me under her wing and introduced me to some people. We then brought together a number of female colleagues for casual breakfasts and met up before the start of security conferences. We spoke about how much we enjoyed working in security and some talked about the challenges they faced with being the only females in their teams. After a while, I was thinking that there may be other women out there also feeling alone, so I started a LinkedIn group. This then grew organically over time and soon local state-based chapters started to pop up across Australia. These then grew into more formal events and now our community consists of around 2500 people. The AWSN is an open network of people aiming to grow the number of women in the security community. We support, inspire, and act as role models. We connect women in the industry and those looking to enter the field with the tools, knowledge, network and platforms needed to build confidence and interest. As a network, we know the diversity of online threats require diversity of thought on how to address them, and this is where our network thrives.We do this mainly through events, hand-on workshops, training, mentoring and speaking engagements through community groups, universities and high schools. Congratulations on winning the Information Security Excellence award! What does winning this award mean to you? It was an absolute honour to have received this award. This means so very much to me and I sometimes still pinch myself with disbelief! I believe that this is a community recognition award, as the AWSN couldn’t have got to where it is today without all the volunteers, sponsors, donors, mentors, coaches, speakers, writers and all the people supporting us over the years. Receiving this award means that the Information Security industry in Australia recognises that what the AWSN is doing is important and meaningful work AND that we are on the right track with what we are trying to achieve. It means that all the hard work and hours that myself and all our volunteers put in to make AWSN what it is today is worth it! Thank you to everyone who has contributed to our cause, you know who you are. What do you see as some of the main cyber threats in today’s society and their accompanying risks? Are you seeing any trends of particular threats becoming more common? Good question! There are many and I could probably talk for hours on this topic. But if I were to choose two, which I think we as a society/community need to work together on a lot more are application vulnerabilities and supply chain risks. As we continue to use technology and build systems, apps, software faster than ever – often security is something that is considered at the last minute or sometimes, never! We shouldn’t expect the users of our systems or apps to know what to look out for when it comes to a security breach. Hence, it is my personal belief that technology should really adopt a “secure-by-design” philosophy and make it easy for users to apply security updates when they are required. When it comes to the topic of supply chain risk, some of these cyber threat issues stem from the fact that small businesses (which btw, constitutes 98% of all Australian businesses**) often cannot afford security consultants to help them with implementing secure processes or expensive security services and products to protect their company assets. These businesses are particularly vulnerable to threats such as business email compromise (BEC), ransomware or data breaches which are increasingly becoming more and more common. These can have downstream implications on large corporations, critical infrastructure and Government agencies as it is very likely that at some point these smaller businesses are further down in their supply chain. It’s cliche, but cyber security really IS in everyone’s interest – no matter the size of your workplace. ** figure obtained from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO) If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be? To stay humble and keep an open mind. Remember and realise that most of our society don’t know what we know, and that no question should be considered a silly question. I don’t think that there is anyone in our sector who knows absolutely everything about security, so we shouldn’t treat/blame users like they should have known better in case of a breach or an incident. There are many people out there (they could be your grandparents, friends, family members  and colleagues) who are confused and overwhelmed by what they know and what they don’t know about the topic of cyber security. It is this stigma that cyber security is difficult and tricky which often makes many security departments feared or are perceived to be unapproachable. We, as a community therefore all have a responsibility to show them that we are keen to help them learn and have them join us on this journey. We cannot fight this battle with just technology and largely rely on humans to report things that are suspicious, to consult with us before they are about to go live with a system and to sign off on our budgets. Therefore, we need everyone on our side and we need to show that we are open to listen and help.  As a community, I think we need to communicate better, prioritise (based on known risks) and provide them with easy and accessible information, solutions and advice – so as not to confuse the general public further. What’s one common challenge you find women and female-identifying professionals are facing in the cybersecurity industry and how can organisations continue to support them? A common challenge I’ve personally found with women and female-identifying professionals in male-dominated teams is that they feel they are not heard or given the same opportunities as their male counterparts. They are often questioned why they are there and instead of asking or referring to them as subject matter experts, they are sometimes asked to be referred to a male counterpart as it’s assumed they don’t know the answer or have anything to contribute to a particular security topic. Everyone should be given an equal opportunity to contribute, and by this I don’t mean just females, but also young/elderly males, people of different ethnicities, people of different backgrounds who need a voice. Organisations must address this better, it needs to be a fundamental yet important goal within all teams or we will continue to lose good talent! And when good talent is lost, it makes it hard for upcoming new talent to see people like themselves in a career path in security, and we absolutely need this new talent in order to fight the new security and technology challenges ahead.  

Learn more

Blogs

AUSCERT2021 Diversity and Inclusion Champion

15 Jun 2021

AUSCERT2021 Diversity and Inclusion Champion This year, to mark the occasion of AUSCERT’s 20th annual conference anniversary, the team has decided to introduce a new award category – the AUSCERT Diversity & Inclusion Champion.  At AUSCERT, we believe that Diversity & Inclusion champions are leaders who take responsibility for instilling a diverse and inclusive workplace culture. According to the Diversity Council of Australia, the definition of a Diversity & Inclusion champion is someone who plays both a symbolic and an active strategic role. Their symbolic function is to demonstrate leadership support for diversity and inclusion by attending diversity events and delivering diversity messages to stakeholder groups within the company and externally. They contribute to diversity strategy development and implementation by serving on diversity councils, campaigning for support from their fellow colleagues, and consulting with diversity leaders. Pip Jenkinson, CEO and Co-Founder of Baidam Solutions is the inaugural winner of this AUSCERT award. For those unfamiliar with Pip, his work at Baidam emphasises the importance of partnerships with some of Australia’s largest employers to create job opportunities and funding for cybersecurity certification training. Baidam gives a significant percentage of the company’s profits to providing pathways to employment in the IT sector for Indigenous and First Nations people. Pip’s and Baidam’s journey is an inspiring story and shows a great example of how organisations can combine profit with social good. It is with great honour that we award Pip with the inaugural AUSCERT Diversity & Inclusion Champion award. Tell us a little about your professional career? I have had a very diverse career and my pathway to a career in cyber security certainly  wasn’t a straight line. Growing up on a farm in Bathurst NSW, I have worked in shearing sheds, at building sites; and I have also served in the Army. I then decided to enrol at university as a mature age student in a Business degree. My first “real” job outside of university was a sales representative for Guinness in Dublin, Ireland and I was fortunate to travel around the United Kingdom, working in some pretty amazing places. I returned to Australia and stayed within the wine trade, working (and tasting) some of Australia’s best wines and meeting some extraordinary people who were producing wine at an award-winning International standard. These folks were all working really hard to cement the image of Australia as a producer of wine that would rival some of the most famous International brands. One day, out of the blue I decided to apply for a role in ICT sales, working for a large cyber security vendor. When I was shortlisted for an interview, I was so nervous about meeting my potential line manager because I didn’t know much about the sector but I gave it my best shot. There were 4 interview rounds in total and there were many other competitive applicants with greater experience than myself, but when I was offered the role, it was life changing for me! This in turn motivated me to ask for some feedback and I was promptly told that I was hired based on attitude, not aptitude. I was motivated to learn as much as I could and certainly made mistakes along the way – but I was so grateful for the opportunity to improve, to earn a good wage and to alway remember where my start in the cyber security industry came from; and hopefully one day, being able to repay this gesture and opportunity. Can you tell us more about your work at Baidam? At a macro level, Baidam Solutions is an Indigenous owned enterprise. Baidam is a supplier of cyber security goods and services to State and Federal governments and ASX-listed corporations. We model our offerings around the ASD “Essential Eight.” At a micro level, we have created a pretty special business model that directly links a social outcome to a commercial drive. From the profits retained within our supply-chain and it in itself being free from any Government assistance or subsidy, we have been able to support two lifetime University based scholarships for Indigenous students in the STEM fields; as well as numerous industry recognised certifications. The recipients of these scholarships are now working within various SOC teams across Australia. I am incredibly fortunate to work in a team that all share a single company vision and company mission – “To increase Indingeous diversity and inclusion in the ICT sector by using education as a vehicle to build technical equity in our First Nations cyber security aspirants.” Congratulations on winning the Diversity and Inclusion Champion award! What does winning this award mean to you? I was absolutely humbled and quite frankly, speechless to win the award! I received the award on behalf of the whole team at Badaim Solutions. We all know that cyber security is a team sport and there is a great team that stands beside me. The award was really special, being the first at anything is hard, but also rewarding. We are the first Supply Nations certified cyber security practice headquartered in Queensland. Therefore, it is our job to help other Indigenous security professionals get a foothold in the industry and it is our job to lead by example,in everything we do. To be the recipient of the inaugural AUSCERT Diversity and Inclusion Champion award is a huge honour and one that must be given the respect that it deserves, to continually uphold the principles of Diversity and Inclusion and be a role model for others to follow.  What recommendations would you give to other organisations looking to provide pathways for employment in the IT sector for Indigenous and First Nations peoples? Do your research. Be committed and do it for the RIGHT reasons. Invest in cultural immersion programs to lift the knowledge of the entire organisation, don’t leave everything to the folks from Human Resources. Obtain advice and understand that there are many cultural events that don’t neatly sit inside within a standard Fair Work Act 2009 employment contract. Be sensitive and flexible and if you do a good job, the results will speak for itself, you will enjoy a richer, more diverse and inclusive employee talent pool that is more representative of the community that you operate in. Baidam’s journey is an inspiring story and a great example of how organisations can combine profit with social good. What advice would you have for organisations looking to do this? Well, this one is very simple. Just do more and do it more often! We are showing other organisations what is possible when focused on sustainable, social return on investment (SROI) rather than purely ROI. Whether you are looking to support Women’s businesses, Veterans businesses, LGBTIQ+ businesses, Australian Disability Enterprises or a myriad of other social  businesses,find a reason to do business other than the pursuit of profit! Draw a line in the sand today, not tomorrow and stand for something other than profit, your customers will appreciate it and so will your staff. Finally, what do you think are the main challenges and opportunities for the cyber security industry in the coming years? Like my past experience in the wine trade industry, Australia has the opportunity to be recognised as a global leader in the production of cyber security talent as well as sovereign cyber security solution capabilities – truly! As a community, we need to do more to support the local companies who are helping this flourishing marketplace. So where possible, buy local, support local and invest locally. I think the Australian Government is doing a good job in supporting this idea, but as with most things, greater work needs to be done. The challenges in our sector are well documented and includes amongst others; a skills shortage and a culture of sourcing projects off-shore. The final challenge, directly linked to the Indigenous cultures that Baidam represents (one that we all need to overcome!) is a mental one …  We MUST change our thoughts from “Why would I buy through an Indingeous business?” to “Why wouldn’t I buy from an Indigenous business?” To sum it up for me, I’d like to share this Norman Vincent Peale quote, “Change your thoughts and you can change your world”.                          

Learn more

Blogs

AUSCERT2021 Member Organisation of the Year Winner

7 Jun 2021

AUSCERT2021 Member Organisation of the Year Winner We recently had the pleasure of chatting with Daniel Ross and Cody Byrnes from the Australian Taxation Office (ATO) who won the AUSCERT Member Organisation of the Year for 2021. Daniel and Cody both opened up about what it is like to be an AUSCERT member and how the ATO is dealing with new cyber security issues. How long has the Australian Taxation Office been an AUSCERT Member? Our membership goes back well over 10 years, and we’re always really pleased to come along to the AUSCERT conference each year. This was Cody’s and my first year in attendance and it was an overall fantastic experience. What value do you get out of the on-going AUSCERT membership? Our membership with AUSCERT has been invaluable in helping us successfully respond to the myriad of tax and super scams targeting Australians on a daily basis. The AUSCERT Team support us through the takedown of malicious phishing websites, domains and spam email accounts used in these scam campaigns, blocking the ability of the scammers and heavily reducing the number of potential scam victims. Their assistance in sharing the details of these scams with other AUSCERT members also broadens our reach in stopping these scams and heightens our ability to detect future scam campaigns. Congratulations on winning the Member Organisation Of The Year award! What does winning this award mean to you? Thank you! AUSCERT has provided much benefit to ATO over the years. It is great to know that the threat intelligence we share back with them and the broader community is of equal benefit and we appreciate receiving such recognition for this. What advice would you give other AUSCERT members? Engage and be involved with AUSCERT and the community members, and share back what you can, as we are stronger at defending against threats as a community. What cyber security challenges have you faced this year? We think we see a lot of similar challenges to other cyber security teams we talk to: making sure we’ve got the right resourcing, tools and skills in an ever-evolving landscape. One of the more specific challenges we face is protecting the public from ATO themed scams that try to steal their money or personal information. We’ve got a number of preventative strategies in place, as well as rapidly responding to threats as they emerge. This is where we work closely with AUSCERT to quickly respond. It’s very easy for a malicious actor to create a domain with ATO or tax in the title, so we need intelligence to identify these and quick response pipelines to de-activate the malicious domain and minimise the risk of a member of the public being compromised. What do you see as some of the main cyber threats in today’s society? Patching, scams, and supply chain are recurring common threats in today’s society. We see malicious actors weaponising vulnerabilities before patches have been implemented and therefore patching is still a very effective security mechanism in preventing threats to individuals and organisations alike. Scams continue to be an effective method in circumventing technical controls, and supply chain is increasingly targeted as a method of compromising the clients of the particular chain.      

Learn more

Blogs

AUSCERT2021 Member Individual of the Year Winner

1 Jun 2021

AUSCERT2021 Member Individual of the Year Winner After the recent AUSCERT2021 conference, we caught up with Simon Coggins (Principal Systems Engineer at CQUniversity) to discuss his role in the cyber security sector, and how he felt about being awarded AUSCERT2021’s ‘Member Individual of The Year’. Tell us a little about your professional career? I’ve always been interested in system administration and networking. When I was in high school I started my own Bulletin Board System with a large user base and had a FidoNet address so that we could transfer email and forum posts around the world. While studying at university I started working at the local Internet Service Provider. We were small enough to only have a few staff so everyone had multiple jobs. I was a Sysadmin, Network Engineer, Developer and Tech Support. This led me to work at a University in NSW where I was the Network and Systems Management Officer. My role there involved  both networking and system administration duties as well as acting as a translation bridge between the network team and the sysadmin team. After working for 6 years at this university, friends I knew through the System Administrators Guild of Australia suggested I apply for a job at Central Queensland University, so I did.. That brings me to my current job that I’ve been in for over 15 years now. I started out as a Senior Systems Administrator and a few job title changes and roles later I’m now a Principal Systems Engineer. Because of my System Administration and Networking background and an understanding of how everything fitted together, this acted as a catalyst for security to start being included in things I was looking at. What’s involved in your day-to-day role as Principal Systems Engineer at CQUniversity ? I’m always busy doing something and every day is different. I’m the primary lead on our Linux Fleet, Firewalls, Load Balancers, SIEM platform, SAN Storage, Email Security, and the list goes on. So on any given day I will be doing operational work to keep the fleet of services running, level 3 work tickets that come in about weird issues that need problem solving, or project work for evaluating new products and testing them. Given I have a better than average understanding of how our network and systems fit together, and I have good problem solving skills, that allows me to help identify the cause of complex issues quicker. I like to think that my primary role is to automate my boring jobs where possible so I can focus on the fun ones but at the end of the day, I’m just someone that likes to solve problems, and in the process help people. Congratulations on winning the Member Individual of the Year! What does winning this award mean to you? What course will you use your SANS-sponsored prize for? It’s a great honour. AUSCERT is very trusted in the security community so getting this award is a huge deal. For me it means that what I’m doing is definitely helping other people. When I do things for CQUniversity I think to myself “Would this help me if someone else shared it?” If so, then I go and share that with the wider community via AUSCERT. This award reaffirms I’m doing good in the community. As for SANS courses, have you seen the list? It’s huge! I’m still trying to decide what I want to do, I’m thinking maybe Continuous Monitoring and Security Operations or something else on the Blue Team track. What do you see as some of the main cyber threats in today’s society? Are you seeing any trends of particular threats becoming more common? Ransomware and Phishing is the obvious choice, but for us we are seeing more and more supply chain attacks. The SolarWinds and PasswordState attacks drive home that you can do everything you possibly can to protect your systems, but you are only as good as the security of the companies that provide your tools. We need to update to fix security vulnerabilities but we can’t update until we’re sure the update hasn’t been compromised. Delay updating and you could end up with ransomware, be proactive and end up with a state based actor in your systems … It’s getting very hard! If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be? In most cases you aren’t the only one defending against that cyber incident. At the end of the day we’re all Cyber Security Professionals and we’re probably defending against the same thing, at least across the same industry. You might be surprised to find out that your industry, even though it is competitive at front of house, already has an information sharing mechanism in place to assist and share common threats across the industry and there is a good chance that AUSCERT knows where to point you. They are also happy to accept any security reports, malware samples, and indicators of compromise that you might have, anonymise them and share them with the wider community of AUSCERT members if you wish to remain anonymous.    

Learn more

Blogs

AUSCERT2020 Member Individual of the Year Winner

1 Jun 2021

AUSCERT2020 Member Individual of the Year Winner During the AUSCERT2020 Conference, we caught up with Rachael Leighton (Principal Advisor, Cyber Strategy & Awareness @ DPC Vic Gov) to discuss her role in the cyber security fight, and how she felt about being awarded AUSCERT2020’s ‘Member Individual of The Year. Tell us a little about your professional career? I actually started as a primary school teacher by trade. Then, during 2009 I worked as a volunteer firefighter and ended up contributing towards a community education program. This was my initial foray into IT, as part of the education project involved upgrading radios and informing the community on what to do. After this, I continued to work for different companies in an organisational change capacity. Eventually I ended up in a Big 4 bank and was working on the same floor as the anti-terror and anti-fraud team. One day I asked them—how do people learn and understand this stuff about cyber security? I realised that if I didn’t know it, surely others didn’t either. From there, my passion for educating people and encouraging organisations to change their behaviour, to consider cyber security and to cultivate a cyber culture was born. What’s involved in your day-to-day role at Principal Advisor—Cyber Strategy & Awareness for the Department of Premier and Cabinet? I see myself kind of like a conductor of an orchestra. When we think of cyber security and government, we, as government have a role in creating a Cyber Safe Victoria and that means… there are lots of moving parts – lots of activity that needs to take place and lots of different teams to secure all our kit. There is still some heavy lifting to do to connect the dots between academia, industry and government to form a vibrant cyber ecosystem. That’s my role – to bring all this together, usually through engaging and with meeting the right people, identifying synergies and opportunities for connecting them together.  Congratulations on winning Member Individual Of The Year. What does winning this award mean to you? I’m so honoured to get this award. To me, this validates the importance of collaboration. At the end of the day, cyber is hard. If we want to get ahead of the bad guys, we need to be sharing info, reporting incidents, and establishing a trusted and healthy feedback loop. This can be difficult to achieve when the traditional mindset of cyber security professionals is to protect what’s valuable. Yet it’s more beneficial for us all to break down the walls and build trust across the cyber community.    Trust was immediate for me when working with AUSCERT. The team will do anything they can to help Vic Gov uplift cyber posture. So thanks AUSCERT, I really appreciate this award. To be recognised for the willingness, and the crazy, that is cyber education and engagement is beautiful. If you could give one piece of advice for organisations and IT / cyber security professionals, what would that be? Reach out—don’t go it alone. Don’t try to be a lone hero—we are stronger together. We are a cyber family. Just like the baddies work together and collaborate, if we want to succeed against them, then we too need to work together.            

Learn more

Blogs

Easter's Facebook Revelations

6 Apr 2021

Easter's Facebook Revelations Initial Release 2021-04-06   Well it has made the news that Facebook had a data leak of 533 Million of its users, including 106 Countries [1].  What better time for this to be made public than on an Easter Sunday.  To avoid taking most of your time reading this blog, the spoiler is that the data seems to be data from 2019 [2] and that there seems to be no passwords leaked. Although there may be a little discrepancies at the date of when the fix could have been made effective, one party stating August 2019 [2] and another stating January 2020 [3][4] it may be a reasonable conclusion to say that the data has been out there for a while already. Now that we have a fair idea that this data has been out for a good amount of time, it would be nice to be able to find out what type of data was released.  After all, just in case that the news is now proportionately reported [3][5], and it is only now with the news articles that the security team is asked to perform some checks. So, a data breach makes an impact when data types are associated with each other. Single types of data listed out have limited effect, but an association on two data types carries more effect than the sum of two separate lists.  Also, some data pairs, when associated, have more impact than other pairs.  For example, two data type associations such as Email Address and Password, has a deeper impact than the associations of the types, Email Address and Name.  Luckily, it seems that passwords are not in the mix of the data that is said to be available from the 533M leak.  Of the 533 Million the association of information are: [4] Predominantly Account to Phone Number; Mostly includes Names and Gender; Many including Date of Birth, Location, Relationship Status and Employer; and 2.5 million records including Email Addresses. In case you have to check[ 5] your account holders if they have been part of the Facebook 533 Million data records leak, the service from HaveIBeenPwned [6] may be used. As for recommendations arising from this new old-news, there is nothing novel in the following steps: Check if the emails that you take care of are part of this breach by domain search; [7] Check if the breach is from the Facebook leaks;(time permitting follow through with other breach(s) if listed in the Domain Search report.) Check credential pairs, if listed but not in this case of 533M Facebook, are not active; Check it is understood the impact of other information associations have, yet keeping perspective that: Data association may be on other social media services, Further associations could be made on other social media services. Recommend settings to restrict searchability; [8] Advocate the usage of strong passwords, password managers and MFA use;Although not within the scope of effect of this instance of a data leak. Be aware that Phishing campaigns may increase due to this “news”. [9] Last but not least feel better that Facebook has officially discontinued API access to those fields as of 2018 [10], and in turn raise your concern should other social media API access provide these same searchability.   References:  [1] 533 million Facebook users’ phone numbers leaked on hacker forumhttps://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/ [2] “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”https://twitter.com/liz_shepherd/status/1378398417450377222 [3] “In early 2020 a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information 533m users across all countries”https://twitter.com/underthebreach/status/1349674272227266563 [4] HIBP – Facebook Dataleakhttps://haveibeenpwned.com/PwnedWebsites#Facebook [5] How to check if you’re part of the Facebook data breachhttps://www.theverge.com/22367727/facebook-data-breach-haveibeenpwned  [6] HaveIBeenPwnedhttps://haveibeenpwned.com/ [7] Domain Searchhttps://haveibeenpwned.com/DomainSearch  [8] How do I control who can look me up on Facebook using my email address or mobile phone number?https://m.facebook.com/help/131297846947406https://www.facebook.com/help/131297846947406 [9] Possible Phishing Campaigns Arising from Facebook’s Data Leakhttps://www.csa.gov.sg/singcert/advisories/ad-2021-004 [10] Facebook Graph API – Userhttps://developers.facebook.com/docs/graph-api/reference/user 

Learn more

Blogs

Patching for HAFNIUM is just half of the story

17 Mar 2021

Patching for HAFNIUM is just half of the story UPDATE 2021-03-17  Altered the diagram with respect to new guidance from Microsoft [6]   On the 2nd of March, a posting by The Department of Homeland Security (U.S.) didn’t mince its words and placed an Emergency Directive to perform a thorough check of any Microsoft Exchange servers at your control [1]. This article served a guide for “agencies that have the expertise” to “forensically triage artefacts”. Note that the 2nd of March was two weeks ago now – since then there have been a number of tools that have been made available to enable the task of identifying, checking, mitigating, patching, and cleaning of your servers and systems [2][3][4]. These tools were created to help caretakers of Microsoft Exchange Servers that are deemed vulnerable to quickly AND efficiently purge – to the best effort possible – any compromise(s) of the servers.  The lesson here is that there has been (and this continues to grow) a huge amount of effort in making sure that caretakers go beyond the simple sole act of patching. Currently there are activities from third-parties to help notify those caretakers of Exchange Servers should their systems appear flagged as being vulnerable. More often than not, the response may be is “It’s OK, we have just patched!”. Whilst this in itself is good, in the light of the fact that these vulnerabilities were 0-day, and the patch came after exploit activities were detected, ALL instances of the Exchange Server needs to be checked if any compromise(s) have happened – due to the fact that persistent mechanisms, such as a webshell(s), may have been already installed.  Indicators of Compromise are being gathered on a daily basis [5], and the tools are being revamped so it also means that each time there is an update to the tools made available, it may also be wise to check if the newest version picks anything up! A diagram (see below) has been created by our team, which should assist Microsoft Exchange server caretakers to check and see where in their task-flow they are at.  Let it be noted there is no real hard-stop listed on this diagram. Until there are no more indicators being published and the tool(s) have stopped being updated, we recommend referring to it. Additionally, there are bound to be more useful tool(s) made available after the publication of this article – so do stay vigilant!     Good luck, stay informed and stay safe. AUSCERT Team    References [1] https://cyber.dhs.gov/ed/21-02/ [2] https://github.com/microsoft/CSS-Exchange/tree/main/Security [3] https://github.com/ANSSI-FR/DFIR-O365RC [4] https://checkmyowa.unit221b.com/ [5] https://us-cert.cisa.gov/ncas/alerts/aa21-062a [6] https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/    Resource noted in Diagram  NMAP Scan Report – http-vuln-cve2021-26855.nse https://github.com/microsoft/CSS-Exchange/tree/main/Security#http-vuln-cve2021-26855nse Shadowserver Reports March 11 ’21 https://www.shadowserver.org/news/shadowserver-special-reports-exchange-scanning/March 12 ’21 https://www.shadowserver.org/news/shadowserver-special-reports-exchange-scanning-2/March 15 ’21 https://www.shadowserver.org/news/shadowserver-special-reports-exchange-scanning-3/March 15 ’21 https://www.shadowserver.org/news/shadowserver-special-reports-exchange-scanning-4/ Microsoft Defender for Endpoint https://www.microsoft.com/en-au/microsoft-365/security/endpoint-defender Check My OWA https://checkmyowa.unit221b.com/ ExchangeMitigations.ps1 https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchangemitigationsps1   PATCH THE SERVERS https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901   microsoft/CSS-Exchange https://github.com/microsoft/CSS-Exchange/tree/main/Security   aa21-062a https://us-cert.cisa.gov/ncas/alerts/aa21-062a  

Learn more

Blogs

Safer Internet Day 2021 — how you can #StartTheChat

8 Feb 2021

Safer Internet Day 2021 — how you can #StartTheChat This blog was originally published via Medium here. This year, Orange Digital has joined forces with our friends at AUSCERT to raise further awareness about ‘Safer Internet Day 2021’ on Tuesday, February 9th. This year marks the 18th anniversary of this very important day and is all about bringing the global community together with the purpose of making online experiences better for everyone. Over the last 12+ months, we can all agree that the internet has been critical in connecting people for work, learning, socialising, and more. If you told us at the beginning of 2020 that remote work and education would be a ‘new kind of normal’, chances are you wouldn’t have believed it. A recent study from The Economic Times revealed that most HR managers (42%) said their organisations will continue to operate with remote work, with almost 40% of respondents saying they will follow a hybrid work structure alternating between WFH and in-office days. Furthermore, this study identified that these organisations will continue to work from home in 2021 and operate under a hybrid model for the next 5 years. Facebook further supports these trends, with recent data predicting over half of the Australian workforce will be fully remote in the next 10 years. With these stats in mind, it’s clear that we’re moving towards a large majority of jobs becoming location-agnostic. This leads me to the 2021 Safer Internet Day theme: “Together for a better Internet”… At a time where online communication and connection is at an all-time high, we each have a part to play in the chat about online safety at home, school, work, and within the community. AUSCERT, Australia’s pioneer Cyber Security Response Team, is on the front foot in the realm of online safety and recently shared a very handy resource from their colleagues at UQ ITS to raise awareness for Safer Internet Day and share advice on how to protect your data and your family. You can read the full article here.  “As we know, cyber-criminals are adept at exploiting people via the Internet, so it’s important to know what to look out for…” At last year’s AUSCERT2020 conference, Australian eSafety Commissioner Julie Inman-Grant also spoke on the topic of “Online Safety during & after Covid-19”. As we gear ourselves for the year ahead, this topic of conversation remains extremely pertinent. When we approached AUSCERT to discuss Safer Internet Day, Mike Holm; AUSCERT Senior Manager, shared that AUSCERT is actively encouraging members and the greater public to #StartTheChat. As Australia’s pioneer Cyber Security Response Team, AUSCERT is focused on helping its members prevent, detect, respond and mitigate cyber-based attacks, while also engaging members by empowering their people, capabilities, and capacities. To #StartTheChat within your workplace, eSafety provides a range of online safety information and resources to share with your colleagues. Check it out here. There are also plenty of free resources and activities to help you #StartTheChat with students, family, friends, and the community during 2021.  

Learn more

Blogs

Emotet, now neutralised, may have friends you'll want to clean off your systems.

1 Feb 2021

Emotet, now neutralised, may have friends you'll want to clean off your systems. April 25th 2021[1] is now going to be on everyone’s mind in the Cyber Security industry. This is the day the Emotet botnet, as we know it, would be “reset”[2]. However, the method of the reset is interesting and places CERTs, the police forces and criminals[3] in a strange interaction that may create friction within their shared end-goal of protecting end-users. Emotet is arguably a botnet that deserves the attention it has gotten – to be taken down. It seems that it has gained that attention from operation “Ladybird”[4] in neutering the botnet as it now stands. But what now? And what about the efforts to protect end-users by parties from the various non “law enforcement agencies”. The amount of attention that the Emotet botnet has congregated the effort of some amazing groups of people to be able to feed details to the information security industry about what domain and connections should be deemed indicative of infected end-points. Cryptolaemus[5] is one such a group that comes to mind that provides such information. Under normal circumstances, information such as this – about indicators of compromise (IoC), are sent to the security team who then most likely blocks connections and identify affected end-points. But this very action of trying to block connection(s) may now be working against the actions taken to neuter the Emotet botnet. The controlling servers that distribute updates of the botnet, have been seized and are now controlled by the Dutch Police[2], and the Emotet code has been altered and allowed to then have that new code distributed[4]. This new code is said to include a kill-switch, which is controlled by a date, and that date is April 25th 2021 at 12:00 and the new code is now being delivered[6]. So now we have an industry that protects by not letting end-points to connect or interact with command and control servers, and another industry hoping that there will be further interactions so that the latest version of Emotet will be downloaded that will contain the kill-switch code! If this does not sound as complementary efforts then you may have a point for conversation. Also add to this mix – the signal sent to management and leadership teams around the world – that the botnet is neutered, may provide a false sense of security. It’s worth noting and reiterating at this point that Emotet is not a be-all and end-all malware but rather more of a platform that allows other malware to be installed[4][7][8]. Threat hunting should not be halted, rather it should be given more resources due a piece of contrarian fact. If you did not block connections with Emotet’s C2[9] then you may now have a neutered, kill-switched version of Emotet from the Dutch police – otherwise it is still lingering in its present active form. As for anything Emotet has downloaded before that neutered version is installed, the additional malware may still remain active on end-points. Now that it is clear that threat hunting has no break from this botnet takeover, there are a few twists to this event that needs to be investigated. Although this blog piece may not be able to provide all the answers, here are some questions a takeover of a botnet raises and possible reasons behind it.  Why the choice of April 25th 2021 at 12:00?[1][10] for the kill-switch and why should the sector wait so long?[11][12].The idea behind such a long wait is now that the botnet has been neutered[13] there is a window to look for “…Emotet malware and see if other gangs used it to deploy other threats…” as stated by Randy Pargman to ZDNet[2]. In essence, the use of Emotet as a beacon to find other installed malware may work. What also works is that media attention on Emotet botnet takeover may incite management and leaders to provide threat hunting teams with extra resource(s) over the next two months in chasing Emotet infected end-points. What will the kill-switch do?The name of the sub-routine “uninstall_emotet()” [1][10] looks promising. Beyond that any service call implication of a software having a self-destruct code written by extra-judiciary entities and distributed by a botnet is beyond the scope of this article. It may be safe to say that one should get ready for service calls in case there are issues. Looking on the positive side, there are two months lee-way to find the infected end-points. Will using a kill-switch, which alters the end-point behaviour without the owner consenting to the change, have any legal ramifications?You may have to talk to your lawyers about any issues that deals with advice around the law of the jurisdiction within which you are operating in. Note that altering software code on an end-point without the owner’s consent may find this action foul to some regulations around some jurisdictions. Even if the nations involved in the coordinated action are in agreement to waive responsibilities; Emotet knows no boundaries. And last but not least …  What about the seized data from the C2’s?Yes, the Dutch police may now possibly have all your data that the Emotet botnet exfiltrated. The Dutch police has set up a function where the entry of an email address on their site will invoke an email back to the email address tested about whether it is in the data set seized[14]. This may work for savvy individuals but enterprises may need to consider enterprise questions such as the deliberation of all email addresses of the organisation to an extra-jurisdiction law enforcement agency. Also, the collation of response(s) from that agency needs to be considered, before it gets flagged as spam or received by the user of the email account. No matter how the enterprise wants to re-route or act on the response, there will be lots of thinking and planning to be done! The takeover of the Emotet botnet by law enforcement agency may signal the end of one botnet. Yet, today only means that this botnet is no longer a threat, but all the damage and installs it has made over time is still a clear and present threat. The clean-up process on one of the most prominent botnets of this decade has only just started. It is hoped that after such media attention, organisations will take this opportunity to inject a bit more resources in cleaning affected end-points, and possible compromised accounts. Perhaps after the clean-up there are some resources still allocated to implement well deserved preventative and detective measures. After all – an “Ounce of prevention is worth a pound of cure!”[15]. REFERENCES:  [1] https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/[2] https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-march-25-2021/[3] CERTs, cops, and criminals Peter Zinn Sr. High Tech Crime Advisor,KLPD (National Crime Squad), NL on Monday 13th June 2011 https://www.first.org/conference/2011/program/index.html[4] International police operation LadyBird: global botnet Emotet 27th Jan 2021 dismantled https://translate.google.com/translate?sl=auto&tl=en&u=https://www.politie.nl/nieuws/2021/januari/27/11-internationale-politieoperatie-ladybird-botnet-emotet-wereldwijd-ontmanteld.html[5] https://paste.cryptolaemus.com/[6] https://twitter.com/milkr3am/status/1354459859912192002[7] https://twitter.com/Cryptolaemus1/status/1354521918775427072[8] https://twitter.com/MalwareTechBlog/status/1354411804747681793[9] https://twitter.com/milkr3am/status/1354473617145409545[10] https://twitter.com/milkr3am/status/1354459859912192002[11] https://twitter.com/t15_v/status/1354519818226032642 [12] https://twitter.com/cyberadelaide/status/1354489619795083269[13] https://team-cymru.com/blog/2021/01/27/taking-down-emotet/[14] https://2yx7ciusygbulydqop52nqwfpe–www-politie-nl.translate.goog/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html[15] https://www.ushistory.org/franklin/philadelphia/fire.htm  

Learn more

Blogs

AUSCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers

22 Jan 2021

AUSCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers Update 3: 12:00pm AEST 22 January 2021Update 2: 12:30pm AEST 18 January 2021 Update 1: 2:00pm AEST 16 January 2021Initial statement release: 12:00pm AEST 15 January 2021  “QuoVadis Global SSL ICA G3” issue impacting multiple AUSCERT  DigiCert + QuoVadis customers Update 3 (12:00pm AEST 22-1-2021) Further to our last update, DigiCert + QuoVadis have provided AUSCERT with a RCA for AUSCERT Members. At 11:51am AEST the RCA was distributed by the AUSCERT Team to AUSCERT Members via email.   Update 2 (12:30pm AEST 18-1-2021) Further to our last update, DigiCert + QuoVadis have today provided further details of three possible practices which may have caused this issue for impacted certificates. 1. The organisation has pinned their application to the retired ICA –  DigiCert + QuoVadis advises that this is bad practice.2. The organisation has configured their server to only trust that specific ICA, which forces the client to use it. Then, when the ICA is changed, the chain of trust is broken.3. The organisation operates a trust store which includes the old versions of the ICAs. All certificates that are using the Global G2 or G3 ICAs have a potential impact, as these were both retired. The new ICAs were made available from September 2020 and from November 2020 all certificates issued from Trust Link will have been issued from these new ICAs. Impacted customers may simply need to install the new ICA on their server to resolve the issues. Also sharing these two external resources here: A DigiCert + QuoVadis’ statement regarding ICA replacements can be found here: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html Last but not least, a corporate statement from  DigiCert + QuoVadis regarding this issue can also be found on their website here:  https://www.quovadisglobal.ch/Unternehmen/NewsAndEvents/Begrenzte%20Systemverfuegbarkeit.aspx [NOTE: this same statement was covered by AUSCERT in the initial publication of our statement (blog post) with the exception of the signing service instructions found at the bottom of this page.] Update 1 (2:00pm AEST 16-1-2021) As a part of initial correspondence with DigiCert + QuoVadis we were informed that their teams were working to gather a report of all certificates impacted by the ICA changes on Friday, 15 January 2021. However, we were discouraged to receive an update today, 16 January 2021, that the DigiCert + QuoVadis teams are unable to report the certificates which were impacted by this ICA change. The DigiCert + QuoVadis team largely believe the impacted certificates are receiving errors due to applications being pinned to the serial number of the revoked ICA. Here is more information on certificate pinning: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/ As we continue to work with DigiCert + QuoVadis regarding this incident, please be assured we will continue to urge they provide further assistance for remediation.    Initial statement (12:00pm AEST 15-1-2021)  The AUSCERT team was made aware that a number of our Certificate Services clients have been experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST. Following this notification, the team acted immediately and got in touch with the team from DigiCert + QuoVadis for clarification. An internal investigation was then conducted by the DigiCert + QuoVadis compliance team and following this, we can now confirm that the QuoVadis Global SSL ICA G3 intermediate certificate (ICA) was revoked earlier today. An action which AUSCERT was unaware of prior to it taking place. The new version was made available to QuoVadis users last year and can be downloaded from the following repositories: Repository: https://www.quovadisglobal.nl/Repository/DownloadRootsAndCRL.aspx Direct download of new ICA: http://trust.quovadisglobal.com/qvsslg3.crt The replacement is also in Trust Link.The certificate does not need to be replaced as it has the same chain. Impacted users will have to configure the server with the new ICA, replacing the old version. Again, please refer to the above repository for the new ICA details.The rotation of ICAs is a policy DigiCert has introduced in order to prevent non best practise habits from occurring, such as certificate pinning. Further information on certificate pinning can be found here: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/  Again, the AUSCERT team was not made aware of the revocation and had worked on investigating this problem as soon as we were alerted by members. DigiCert + QuoVadis  apologises that significant notice hasn’t been provided to those impacted members. Does this impact all certificates? No, this has only impacted one of several ICAs QuoVadis use. The AUSCERT team has now been in contact (via email) with all those members whom we are aware have been impacted by this issue.  If you are an affected member requiring further assistance with regards to this issue, please contact:  AUSCERT Membership Team 07 3365 4417 cs@auscert.org.au   

Learn more

Blogs

AUSCERT: What to Expect in 2021

12 Jan 2021

AUSCERT: What to Expect in 2021 Membership matters – optimising and elevating our services As we bid goodbye to our members at the end of last year, we delivered a sneak preview of what the team hopes to achieve in the new year. While there are doubtless many unknowns awaiting us in 2021, here are some key issues on the AUSCERT agenda:  IMAGE: AUSCERT Strategic Plans 2021   Expand and enhance our delivery of threat intelligence   As a team, we aim to form and publish a Cyber Threat Intelligence (CTI) strategy document to help us align with our members’ needs – and in tandem with developing this CTI strategy – our goal is to also publish IoCs to members in STIX format.   To complement this initiative, our team is looking to introduce some enhanced functionalities on the AUSCERT Member Portal; such as an Incident Portal with file upload facility which includes analysis and feedback.  The team is aiming to rebrand, reinvigorate and relaunch the CAUDIT-ISAC initiative as “The AHECS-ISAC, powered by AUSCERT”.   And last but not least, in tandem with the CTI strategy and CAUDIT-ISAC relaunch, the team aims to launch MISP access for all members.  Remain a trusted incident response partner, both locally and globally   As a team, we aim to broaden our incident response capability with consistent training and drills – especially through our strong relationship with the APCERT community as witnessed in 2020, 2019 and in previous years; as well as maintain our standing within the worldwide CERT community through FIRST.   Continue to foster a strong relationship with the local Australian cyber security sector “key players”; especially the ASD via Australian Cyber Security Centre, AustCyber and IDCare et. al.   Consistent and useful engagement with our members   As a team, we will be celebrating the 20th anniversary of our annual cyber security conference; Australia’s oldest and premier cyber security conference. The AUSCERT2021 conference theme will be “SOARing with cyber” and this annual event provides our members with the optimum opportunity for professional development and upskilling.  AUSCERT will continue to maintain, uphold and explore State-government memberships.   The team will aim to increase the number of blog articles and publications targeting senior to mid-level members.   And last but not least, the AUSCERT team will focus on continuous improvements across all membership services.  The cyber security landscape is ever-changing, and AUSCERT continues to be passionate about engaging our members to empower your people, capabilities and capacities.

Learn more

Blogs

Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software

20 Dec 2020

Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software Image: SUNBURST Malware Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software Update: 21:30 AEST December 20 2020 Update: 21:30 AEST December 19 2020 Update: 10:00 AEST December 18 2020 Update: 22:30 AEST December 15 2020 Update: 15:00 AEST December 15 2020Update: 14:00 AEST December 15 2020 Initial Publication : 09:00 AEST December 15 2020     Update (21:30 AEST 20-12-2020) US-CERT CISA announces [14] and made available, at the time of writing, an update to their advisory [12] which “… provides new mitigation guidance and revises the indicators of compromise table…” [14].  The emergency directive from the U.S. Department of Homeland Security (DHS) has also updated their directive to include supplementary guidance.[15]   Update (21:30 AEST 19-12-2020) It has been confirmed that at the moment of writing of this update, the US-CERT CISA advisory, that was public as at (10:00 AEST 18-12-2020) is now returning “Access Denied”. As it was a public advisory at that time it may be possible to find a copy of this advisory, whilst it is still available, in archives[13].   Update (10:00 AEST 18-12-2020) SolarWinds states that Orion was their only product affected by the breach [10].  Also recently a joint statement was released by the U.S. Government [11] that heralds actions and updates from US-CERT CISA about the events surrounding and leverage of the SolarWinds Orion breach and recommended mitigation steps [12].   Update (22:30 AEST 15-12-2020) Additional IoC and TTP information from research organisations Volexity[9]   Update (15:00 AEST 15-12-2020)The headline of an earlier version of this article incorrectly attributed the vulnerable software to FireEye. FireEye is a third-party research firm. We apologise for any confusions caused by our initial publication. A new subject headline is now in place to better reflect the incident.  Update (14:00 AEST 15-12-2020) A set of IoCs have been published by Talos[7] and the number of affected clients is expected to be “fewer than 18,000” world wide according to the SEC filing of the incident[8]. The hotfix is expected to be made available “on or prior to 15th December 2020” [8] (date and time as per U.S.A. time zone)   Initial (09:00 AEST 15-12-2020) Introduction: FireEye has discovered a supply chain attack against SolarWinds which has resulted in trojanised versions of SolarWinds Orion being distributed. These trojanised versions, being distributed through their supply chain, meant that the code was correctly signed.   Multiple trojanised updates were digitally signed from March to May 2020 and posted to the SolarWinds Orion updates website, including those listed here: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp [1]   The trojanised version of the update has remained dormant for 2 weeks and FireEye has released counter measures [2] as malicious activity can now be traced with the following released IoC. [3]   RECOMMENDED ACTION: It is highly advised that the advisories from FireEye[1] and SolarWinds[6] be reviewed where actionable steps to detect and protect your network are suggested.   This includes the following steps:   1. It is highly recommended to download the latest software of SolarWinds Orion and apply the relevant version.   2. If you are a SolarWinds Orion client, please check the downloading of any updates between the months of March to May 2020.   3. If at all possible and relevant, apply detection rules released by FireEye to determine whether or not malicious activity is currently in your network.   4. If at all possible, check network logs for Indicators of Compromise (IoC) for any signs of activity that may have occurred in your network.   The US-CERT has notified members of the public about the current issue via a briefing document [4] and the media is also focusing and disseminating information on this event swiftly. [5]   For AUSCERT’s constituents using AUSCERT managed MISP the list of IoCs have been published on December 14. AUSCERT is currently contacting its constituents about possible installations of SolarWinds Orion on their network perimeter(s).      [1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html [2] Github – Fireeye – Sunburst countermeasures https://github.com/fireeye/sunburst_countermeasures [3] Github – Fireeye – Sunburst IoC https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release [4] US-CERT CISA Active Exploitation of SolarWinds Software https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software [5] Bleeping Computer – US govt, FireEye breached after SolarWinds supply-chain attack https://www.bleepingcomputer.com/news/security/us-govt-fireeye-breached-after-solarwinds-supply-chain-attack/ [6] SolarWinds Security Advisory https://www.solarwinds.com/securityadvisory [7] Threat Advisory: SolarWinds supply chain attack https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html  [8] US-SEC – CURRENT REPORT – SOLARWINDS CORPORATION (001-38711) https://sec.report/Document/0001628280-20-017451/  [9] Dark Halo Leverages SolarWinds Compromise to Breach Organizations https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/  [10] SolarWinds said no other products were compromised in recent hack https://www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/ [11] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni [12] Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations https://us-cert.cisa.gov/ncas/alerts/aa20-352a  [13] Internet Archives – Wayback Machine https://archive.org/ [14] CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/cisa-updates-alert-and-releases-supplemental-guidance-emergency [15] Emergency Directive 21-01 https://cyber.dhs.gov/ed/21-01/#supplemental-guidance 

Learn more