Blogs

How to use the YARA rules for the "Copy-paste compromises" advisory

26 Jun 2020

How to use the YARA rules for the "Copy-paste compromises" advisory Regarding today’s “copy-paste compromises” advisory from the ACSC, we’ve had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided. This is a how-to guide for YARA rules you may have received. Here is our full commentary on the alert. Downloading the files Feel free to download them from the original source; however, we’ve had some enquiries asking for assistance with this, so have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements. Original ACSC source on cyber.gov.au AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP AUSCERT AusMISP on AusMISP The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol, in which case here’s how to use them. The green level does not permit us to redistribute them. Indicators of compromise in CSV We’re not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide. YARA rules YARA rules are a widely-used way to format IoCs in a way which can be used by scanning engines. Some more info, and the official source, and the official documentation. How to use Yara rules on your entire fleet (if you’re prepared and lucky) Many Endpoint Detection and Response (EDR) solutions provide Yara support. If you have one deployed, you can import the Yara rules and run it, which will be relatively quick and easy. If not, you could try using your existing fleet management system to deploy Yara and run a scan. E.g. for Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of group policy background script to run the scan and deliver results. If you try this, we’d love to hear how it goes, and we’d also love any info or scripts you can provide that might help other members. Consider whether this is worth doing for your fleet. Otherwise, keep reading. How to use Yara rules on Windows Official binaries are available so you’re in good shape. Head to their Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip). Once in, you can scan individual directories or drives, ideally in an admin shell: yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C: (the yarac.exe binary is for compiling rules, which you probably don’t need to do.) How to use Yara rules on Linux Your distribution’s package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros’ repositories is out of date and may contain security vulnerabilities, so check the version – the latest release at time of writing is v4.0.1, updated mid-May 2020. yum install yara apt install yara To scan your entire system: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / If the error messages for file permissions are giving you more noise than signal, you can mute them: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions. If your distribution’s version is unacceptable, the Yara project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process. How to use Yara rules on macOS Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions. brew install yara To scan your entire system: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / If the error messages for file permissions are giving you more noise than signal, you can mute them: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null  Or only scan specific parts: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts What to do if you find something Firstly, any rule matches starting with “heuristic” are just that – heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don’t panic when you see them, and don’t start by investigating them. Consider advising the ACSC that you need assistance. Copying their advice here for convenience: If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371). If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice. It’s also worth noting that the ACSC’s advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging – just make it a priority on Monday.

Learn more

Blogs

Business Email Compromise

24 Jun 2020

Business Email Compromise June 2020 update Here at AUSCERT, we’ve again seen an increase in instances of business email compromise and would like to take this opportunity to update the list of useful resources on this topic.  Scammers will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainties surrounding the COVID-19 pandemic and remote working.  You may find the following articles useful:  Advice from the ACSC (cyber.gov.au): Understanding and preventing BECScamwatch: The cost of BEC (report from 2019)Threatpost: General advice from Threatpost on issues caused by working from home, including BEC_____ We’ve blogged about this before, but instances of business email compromise (BEC) are increasing. The FBI is warning potential victims of a dramatic increase in the BEC scam, with a 270% increase in identified victims and exposed loss since January 2015. From October 2013 through February 2016, losses have exceeded USD 2.3 billion. BEC scams work because they target specific employees of an organisation with email that appears to be from their CEO, asking for a wire transfer of funds to a nominated recipient. Criminals either compromise the CEO’s email account through phishing, or they use a very similar domain to the targeted organisation to send the message from. Often, the fraud targets organisations that regularly perform wire transfer payments. The emails avoid being caught as spam because they are not mass-mailed and address specific individuals. There are some actions you can take to combat this threat: Educate users, particularly those that handle payments, of the nature of the attack. Follow up email requests with a telephone call to verify their veracity. Implement appropriate checking of financial transactions. Implement Sender Policy Framework (SPF) to prevent attackers from impersonating your domain; and to help detect and block emails sent to your organisation that use forged domains. Don’t click on links or open attachments in unsolicited emails. Keep desktop anti-malware up to date. Don’t use your computer day-to-day with an administrator account. https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scamshttps://www.ic3.gov/media/2015/150827-1.aspx

Learn more

Blogs

AUSCERT commentary "major cyber attack on Australian governments and business"

21 Jun 2020

AUSCERT commentary "major cyber attack on Australian governments and business" Friday 19 June 2020 11.45am AEST This morning Prime Minister Scott Morrison and Minister for Defence Linda Reynolds announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign “state-based” actor. [1] The Prime Minister says there does not appear to have been any large scale breaches of people’s personal information but described the attacks as malicious.  “It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.” As an initial step, we encourage everyone to follow the Government’s latest advisory from the ACSC and ASD. [2]  Echoing the words of the Minister for Defence Linda Reynolds, we recommend members promptly patch internet-facing software, devices and operating systems and to implement multifactor authentication across all remote services. [2] In addition to the above, this most recent advisory from the ACSC has identified that threat actors are using exploits that are publicly known to have patches or mitigations available.The following vulnerabilities CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604 are actively being used for initial access.  AUSCERT strongly encourages members to ensure that all Microsoft Sharepoint, Citrix ADC, Citrix Gateway and Telerik UI are kept up to date. Members, this is the time to review the vectors of vulnerability and see if any indicators of compromise can be found attempting to access your network or has left traces of their activity within your networks.   After the IoCs have been verified not to have affected your network, it will be beneficial to then review and apply ASD’s Essential 8 where applicable. [3] With respect to the IoCs shared on [2], our team has taken the steps to consume this into our MISP instance and are happy to coordinate the sharing of relevant information with our members. As always, members are welcome to contact us for any further information and assistance via auscert@auscert.org.au.  Last but not least, AUSCERT is working with our international counterparts in cyber security to handle the indicators of compromise (IoC). [1] https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-and-business/12372470 [2] https://www.cyber.gov.au/news/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks [3] https://www.cyber.gov.au/publications/essential-eight-explained Additional references: Recent ACSC Advisories via https://www.cyber.gov.au/ Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks (18 June 2020) Advisory 2020-006: Active exploitation of vulnerability in Microsoft Internet Information Services last updated 22nd May 2020 Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors last updated 22nd may 2020  Recent NIST Advisories via https://www.nist.gov/ https://nvd.nist.gov/vuln/detail/CVE-2019-18935 https://nvd.nist.gov/vuln/detail/CVE-2019-19781 https://nvd.nist.gov/vuln/detail/CVE-2019-0604   Our own guidance on consuming YARA rules https://wordpress-admin.auscert.org.au/blog/2020-06-19-how-to-use-yara-rules-copy-paste-compromises-advisory

Learn more

Blogs

Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781

24 Apr 2020

Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781 Version 1.2 NB. The information in this blog is provided as is and will be updated according to the situation as it evolves. 1.2 Available patch for Citrix ADC versions 11.1 and 12.0 [20th January 2020] 1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. [17th January 2020]  1.0 Initial publication [14th January 2020] Summary Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781. AUSCERT has received information from a trusted third party source [1] about opportunistic scans being performed. Constituents are being contacted about the vulnerability and the applicable mitigation [2][3][4]. This blog post also serves as a general notice; issued for all who own and operate the vulnerable appliance. Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. Update v1.2:  Patches being made available for Citrix ADC versions 11.1 and 12.0 [13]   Description Citrix (NetScaler) endpoints are vulnerable to CVE-2019-19781 affecting the following products[5]: o Citrix ADC and Citrix Gateway version 13.0 all supported builds o Citrix ADC and NetScaler Gateway version 12.1 all supported builds o Citrix ADC and NetScaler Gateway version 12.0 all supported builds (Patch issued from Citrix)[13] o Citrix ADC and NetScaler Gateway version 11.1 all supported builds (Patch issued from Citrix)[13] o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds Unauthenticated Remote Code execution has been demonstrated to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India[6] and TrustedSec[7]. A summary report is available from BadPackets[1]. A notification is available from US-CERT[8] and has been reported in the media by Bleeping Computer[9]. Testing Vulnerability Proof-of-Concept (PoC) to validate CVE-2019-19781 without extracting sensitive information. A successful “HTTP 200/OK” response to this scan indicates the Citrix (NetScaler) server is vulnerable to further attacks. curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf   Suggested Mitigation Patch is currently available from Citrix only for ADC versions 11.1 and 12.0,[13] and it is expected that further firmware updates be made available by the end of January 2020. Citrix has provided mitigations steps to prevent further compromise[3]. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided, so be sure that you are running a safe version.   Remediation Actions A forensic guide is available from Trusted Sec to find evidence of a compromise[10]. Talos has issued out snort rules[11] to detect the exploit. A Suricata rule for this emerging threat is also available[12]. Reference and Credits [1] Badpackets https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/ [2] Citrix Advisory https://support.citrix.com/article/CTX267027 [3] Mitigation Steps for CVE-2019-19781 https://support.citrix.com/article/CTX267679 [4] AUSCERT ESB-2019.4708 https://portal.auscert.org.au/bulletins/ESB-2019.4708/ [5] Reddit https://www.reddit.com/r/sysadmin/comments/en5y8l/multiple_exploits_for_cve201919781_citrix/ [6] Project Zero India https://github.com/projectzeroindia/CVE-2019-19781 [7] Trustedsec Github https://github.com/trustedsec/cve-2019-19781 [8] US-CERT https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability [9] Bleeping Computers https://www.bleepingcomputer.com/news/security/cisa-releases-test-tool-for-citrix-adc-cve-2019-19781-vulnerability/ [10] Trusted Sec Forensic Guide https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/ [11] Talos https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html [12] Suricata Emerging Threats https://rules.emergingthreats.net/open/ [13] Vulnerability Update: First permanent fixes available, timeline accelerated https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/

Learn more

Blogs

COVID-19 Cyber Threats: Observations, OSINT and Safety Recommendations

18 Mar 2020

COVID-19 Cyber Threats: Observations, OSINT and Safety Recommendations Here at AUSCERT, we have been regularly covering appropriate COVID-19 (aka coronavirus) articles and its development in the various editions of our AUSCERT Daily Intelligence Report (ADIR) and Week in Review (WIR) emails.  The purpose of this blog post is to:  Remind readers that it is common for threat actors to use the most compelling or big news topics of the times to be used in malspam attacks to incite their targets to open a crafted attachment linked to a website. Inform readers of the various vectors or attack angles that threat actors have deployed using COVID-19 as their theme so they (organisations) can make informed decisions and take appropriate actions. AUSCERT have been made aware from either direct reports or via OSINT research that related threats have been seen relating to emails, mobile apps, web-applications; and social engineering scams. Some articles have pointed to the need for minitoring anomalous remote access attempts. Summary of general recommendations AUSCERT’s recommendations to aid resilience during these times of COVID-19 themed attacks are as follows: Avoid clicking on promotional links in emails Beware of COVID-19 related phishing schemes and fake alerts/health advisories Don’t click on baits such as an “80% discount on an exclusive cure” or “treatment for coronavirus“ Enforce multi-factor authentication where possible If there is some general information that can be found searching through an online search, do that instead of clicking the link from a suspicious sender. If unsure about the authenticity of a website, don’t proceed with any login procedures Log all remote access events Monitor data exfiltration points Monitor for land speed anomalies or credential sharing Monitor remote access devices Organisations should ensure VPN and RDP servers are up-to-date Detail In more detail, we reiterate that COVID-19 as the latest trending news has been no exception to the trend of opportunistic crime. When threat actors consider which lures to use on their campaigns; it is no wonder that any related permutation of an event relating to COVID-19 will likely be very attractive.   Emails AUSCERT has been made aware of Australian organisations receiving malspam related to COVID-19 as a subject header. Some (non exhaustive) examples include:  Working from home statements from supervisors Recommendations to avoid infection Statements from Health Authorities (World, Federal, State or Employment related) One recent example showed an email disguised to be from the Director of Milan University surfaced in the pretense of steps to be undertaken to prevent further spread of the virus. The threat actor motivation became clear when a malicious URL link asked for the user login details and password.  Another sophisticated attack method that researchers reported contained an MS Word document from the World Health Organisation with an embedded URL that lead to a fake MS Office website.   Web applications Threat actors are cloning, impersonating or crafting websites to facilitate their COVID-19 related scams. Researchers have found that more than 4000 COVID-19 related domains were registered globally. Of those, around 5% could be malicious and an additional 5% are suspicious. A recent example as reported by industry journalists from security organisations and featured in a recent edition of our ADIR;  stated that a clone of the (legitimate) Johns Hopkins University coronavirus map was used to spread malware. This is a call for people to be careful about which websites to trust.  In addition to this, security researchers at Malwarebytes reported finding malicious code hiding behind the fake website that claimed to have the look-and-feel of the legitimate map yet able to show an up-to-date global heatmap of COVID-19 reports.  Malwarebytes reported that the malicious code skims for passwords and credit card details, as a variant of the AzorUlt spyware. Advice is to be sure to only use trusted AND verified information sources from government and research institution’s websites.   Social Media Social media users need to be wary of two specific scams that are likely to play off the current COVID-19 situation. The first is fake fundraising initiatives. “Fundraising” threat actors will use stories and images of real people to tap into society’s pathos. Notably, these scammers will utilise legitimate fundraising platforms like GoFundMe to solicitate donations. Be cautious of any individuals asking for donations. The second threat for COVID-19 related scams deals with investments. As the Securities and Exchange Commission (SEC) recently warned, criminals will use social media to promote microcap stocks which they claim have a product or service that can help prevent or treat COVID-19 patients. These are what is known in industry as pump-and-dump scams that could cost investors a lot of money. Be sure to perform some independent research. A quick search will help clear any cloudiness about the proposed investment. In conclusion, stay alert on social media. Even though these websites are intended for social interactions and help people connect to each other in times of need, stay conscious when scrolling through your news feed.   Malware and mobile apps Lures of downloading mobile apps related to COVID-19 have also turned into a suspicious platform.  The use of these tactics have been seen to be used at every level of the threat actors and encompasses the spreading of a well-known set of malware. It is important to ensure that a high level of vigilance is used on any related malspam. This is even more so for any workforce that is going to be working from home as there may be further limited channels to cross check statements from emails. Recorded Future recently observed an extensive list of actors and malware employing various techniques’ including Trickbot, Lokibot, and Agent Tesla, targeting a broad set of victims, including those in the USA, Italy, Ukraine, and Iran in particular. Threat actors have also endeavoured to gain the trust of victims using branding associated with the U.S. Centres for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as the Public Health Centre of the Ministry of Health of Ukraine and China’s Ministry of Health, and companies such as FedEx. COVID-19 Android ransomware application such as Covidlock have impacted individuals and has been subject of industry analysis. The Covidlock application was named as such because of the malware’s capabilities and its background story. It uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as a screen-lock attack and has been seen before on Android ransomware. Please ensure that you download mobile applications only from official stores (Apple/Android). There is a much higher risk of downloading malware from untrusted 3rd party stores.   Phishing kits Often the COVID-19 campaigns are highly convincing due to cyber criminals using professional phishing kits. For example, these kits are programmed to use perfectly matched logos and email formats of legitimate organisations. Additionally, threat actors will incorporate “combosquatting” and “typosquatting” tactics to fool users into thinking the link is legitimate. One example of typosquatting is when an attacker uses popular domains that are misspelled incorrectly but look like real a domain name. For example, faecbook.com or wellsfagro.com. Combosquatting and typosquatting have similar tactics used to fool users, however, the domain name is appended with -security. For example, wellsfargo-security.com or security-chase.com. Notice the domains are not misspelled but prepended or appended with the word security.   Phone and text messages Threat actors are already impersonating the UN’s health agency to carry out a variety of scams, from account takeovers to phony donation requests and the spread of malware. The FTC is also warning of spoofed emails, text messages, and phone calls that claim to be from the Centre for Disease Control (CDC).   Advanced Persistent Threat (APT) Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current COVID-19 scare, in order to deliver a previously unknown malware implant to the target. This specific campaign leverages the COVID-19 pandemic to lure victims to trigger the infection chain. The attackers updated their toolset from documents with macros and older RTF exploits to the latest variation of the RoyalRoad RTF exploit-builder observed in the wild. By taking a closer look at the campaign, Checkpoint was able tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus. Campaign IOCs We highly recommend readers review this report. Checkpoint provides a full analysis of the TTPs utilised throughout this campaign, the infrastructure, and the new tools they uncovered during their research, of what they believe to be a Chinese-based threat actor. Source: https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/   Royal Road – Specifics/IOCs Royal Road is an RTF weaponiser, sometimes called “8.t RTF exploit builder”. This tool is shared between multiple threat actors and is known to exploit: CVE-2017-11882 CVE-2018-0798 CVE-2018-0802 The RTF file has a various of characteristics that help with attribution. There are many threat actors who use Royal Road, of whom can be divided into three groups and suppose connections between actors. To review documented IOCS – see “Appendix-1: IOC” in the article that follows. Source: https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html   COVID-19 Scams: further industry analysis Wired published an interesting article associated with coronavirus phishing scams. “It’s not surprising that they would attempt to incorporate the coronavirus into that playbook so quickly. But the move illustrates how phishing attempts so consistently hew to certain time-tested topics and themes”. The article went on to describe that “the success rate of seasonally themed phishing emails pales in comparison, though, to those pegged to a critical world event. People living through Brexit uncertainty or a natural disaster have disproportionate questions and concerns. Attackers can exploit those fears and doubts by suggesting they have answers”. The takeaway is to always be aware that “email scammers often try to elicit a sense of fear and urgency in victims”. Source: https://www.wired.com/story/coronavirus-phishing-scams/   As of March 11, 2020 Recorded Future following their own analysis believe that COVID-19 has been primarily used by cybercriminals as a theme for phishing lures. However, they observed that at least three cases where reference to COVID-19 was leveraged by possible nation-state actors. They assessed that as the number of COVID-19 cases, as well as publicity around the virus rises globally, both cybercriminals and nation-state actors will increasingly exploit the crisis as a cyberattack vector.  They further assessed that: “Cybercriminals will often use the branding of “trusted” organisations in these phishing attacks, especially the World Health Organization, in order to build credibility and get users to open attachments or click on the link” “For the duration of the outbreak, COVID-19 will continue to be used as a lure, and that new versions of these lures targeting new countries will emerge” Their analysis is interesting reading and in-depth, therefore readers should consider reading the full analysis available via the following link. Source: https://www.recordedfuture.com/coronavirus-panic-exploit/ Now that we’ve covered a list of observations and OSINT findings above, let’s look at the following safety recommendations from ACSC, ASD and US-CERT:  Australian Gov: ACSC and ASD In their article Cyber security is essential when prepping for COVID-19, the ACSC suggested considerations should be made to incorporate a set of defined proactive strategies to address cyber threats, which include those associated with COVID-19, quoting the ASD:   “The Australian Signals Directorate (ASD) would like to remind you to incorporate cyber security into your contingency planning. As more staff may work from home, and the use of remote access technology increases, adversaries may attempt to take advantage. ASD’s Australian Cyber Security Centre (ACSC) encourages Australians to remain vigilant and ensure sound cyber security practices.” Source: https://www.cyber.gov.au/news/cyber-security-essential-when-preparing-covid-19   USA Gov: US-CERT Organisations should be vigilant to COVID-19 themed cyber threats and consider your enterprise VPN security as it relates to staff working remotely (teleworking). The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. CISA encourages individuals to remain vigilant and take the following precautions: Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information. Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19. Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information. Review CISA Insights on Risk Management for COVID-19 for more information. Source: https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams   US-CERT further addressed the case for enterprise VPN security within their security bulletin reference Alert (AA20-073A). As organisations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organisation’s information technology (IT) network. As organisations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organisations to adopt a heightened state of cybersecurity. CISA encourages organisations to review the following recommendations when considering alternate workplace options Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. Alert employees to an expected increase in phishing attempts. Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritise users that will require higher bandwidths. Source: https://www.us-cert.gov/ncas/alerts/aa20-073a   Summary Individuals and organisations should expect to see a wide range of COVID-19 related phishing emails, smishing (text message phishing), and phone fraud scams over the coming weeks. These scams will focus on our insecurities about how the virus is spreading. The scams can take on several forms – for instance, fake health agency warnings about infections in your local area, vaccine and treatment offers, and alerts about critical supply shortages. In particular, individuals should avoid clicking on promotional links in emails. Don’t click on baits such as an “80% discount on an exclusive cure” or “treatment for coronavirus“ If unsure about the authenticity of a website, don’t proceed with any login procedures. If there is some general information that can be found searching through an online search, do that instead of clicking the link from a suspicious sender. Organisations should enforce multi-factor authentication where possible, and ensure VPN and RDP servers are up to date. IT/Security teams should log all remote access events and monitor data exfiltration points, monitor for land speed anomalies/credential sharing and monitor remote access devices. If there is any doubt to a received item, individuals should reach out to the appropriate teams within their organisations for reassurance. Organisations should be vigilant to COVID-19 themed cyber threats. Any organisation that believe they have been victim to a targeted attack should contact the ACSC.  And in turn, all AUSCERT member organisations know they can reach out to us here at AUSCERT for further assistance. We are here to help.   In the meantime during this time of change and challenge, please stay safe in both our physical and virtual worlds.   All the best, Colin Chamberlain CISSP Principal Analyst, AUSCERT   Other sources: https://www.grahamcluley.com/coronavirus-map-used-to-spread-malware/ https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/ https://www.business2community.com/cybersecurity/coronavirus-covid-19-3-scams-to-watch-out-for-02293067 https://cointelegraph.com/news/covidlock-exploits-coronavirus-fears-with-bitcoin-ransomware https://twitter.com/hashtag/CovidLock?src=hash https://cyware.com/news/exploring-various-ways-in-which-hackers-are-milking-the-covid-19-scare-254d1f9b http://www.zumatech.com/email-spoofing-how-to-recognize-a-spoofed-email-message/ https://news.un.org/en/story/2020/02/1058381 https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tracking-app-coughs-up-ransomware https://cointelegraph.com/news/covidlock-exploits-coronavirus-fears-with-bitcoin-ransomware https://twitter.com/hashtag/CovidLock?src=hash

Learn more

Blogs

AUSCERT and the APCERT CYBER DRILL 2020

13 Mar 2020

AUSCERT and the APCERT CYBER DRILL 2020 “BANKER DOUBLES DOWN ON MINING”   This year, AUSCERT took on a more proactive approach in the Asia Pacific region by taking on the lead role in coordinating this annual drill.  As the lead, AUSCERT created the scenario and orchestrated the creation of “the inject” – which are the prompts sent to all involved teams.  Of course, it goes without saying that the drill was not entirely AUSCERT’s contribution.   Contribution, either be it via infrastructure through ticketing systems; or communication as well as artefact creations came from various other national computer emergency response teams around the Asia Pacific. AUSCERT had the opportunity to lead these teams and coordinated the various resources to ensure that APCERT/CSIRT, as well as all invited partners and guest CERTs/CSIRTs spanning across the globe, through this cyber security drill are ready to cooperate in handling incidents as they come. Please see below for a copy of the official media release:      APCERT Secretariat: JPCERT/CCJapan Computer Emergency Response Team Coordination CenterContact: apcert-sec@apcert.orgURL: www.apcert.org   11 March 2020  MEDIA RELEASE  The Asia Pacific Computer Emergency Response Team (APCERT) today has successfully completed its annual drill to test the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. The theme of this year’s APCERT Drill is “Banker doubles down on Miner”. This exercise reflects real incidents and issues that exist on the Internet. The participants handled a case of a local business affected by malware infection which is triggered by data breach. Throughout the exercise, the participating teams activated and tested their incident handling arrangements. This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. 25 CSIRTs from 19 economies of APCERT (Australia, Bangladesh, Brunei Darussalam, People’s Republic of China, Chinese Taipei, Hong Kong, India, Indonesia, Japan, Korea, Lao People’s Democratic Republic, Macau, Malaysia, Myanmar, New Zealand, Singapore, Sri Lanka, Thailand, and Vietnam) participated in the drill. From the external parties, CSIRTs from 7 economies (Benin, Egypt, Jordan, Morocco, Nigeria, Pakistan and Tunisia) of OIC-CERT and AfricaCERT participated. About APCERT APCERT was established by leading and national Computer Security Incident Response Teams (CSIRTs) from the economies of the Asia Pacific region to improve cooperation, response and information sharing among CSIRTs in the region. APCERT Operational Members consist of 30 CSIRTs from 21 economies. Further information about APCERT can be found at: www.apcert.org/. ~ End ~ Original copy of this media release can be found HERE  

Learn more

Blogs

AUSCERT and the APCERT CYBER DRILL 2019

12 Mar 2020

AUSCERT and the APCERT CYBER DRILL 2019   “Catastrophic Silent Draining in Enterprise Network”   Exactly a week a week ago, our team was involved in the 2019 APCERT Cyber Drill.    AUSCERT is proud to announce that we had some staff members as part of the running committee tasked with assisting the organization responsible for this drill and various other staff members as participants. Last but not least, AUSCERT will be running this drill next year in 2020 and the entire team is excited and looking forward to this opportunity.   Please see below for a copy of the official media release:      APCERT Secretariat: JPCERT/CCJapan Computer Emergency Response Team Coordination CenterContact: apcert-sec@apcert.orgURL: www.apcert.org   31 July 2019 MEDIA RELEASE The Asia Pacific Computer Emergency Response Team (APCERT) today has successfully completed its annual drill to test the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. The theme of this year’s APCERT Drill is “Catastrophic Silent Draining in Enterprise Network.” This exercise reflects real incidents and issues that exist on the Internet. This year’s scenario was inspired by a latest security attack on an organization, which relates to the vulnerability that could allow attackers to completely take over vulnerable websites to deliver malware backdoor and cryptocurrency miners. This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. Throughout the exercise, the participating teams activated and tested their incident handling arrangements.  This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. 26 CSIRTs from 20 economies of APCERT (Australia, Bhutan, Brunei Darussalam, People’s Republic of China, Chinese Taipei, Hong Kong, India, Indonesia, Japan, Korea, Lao People’s Democratic Republic, Macao, Malaysia, Mongolia, Myanmar, New Zealand, Singapore, Sri Lanka, Thailand, and Vietnam) participated in the drill. Original copy of this media release can be found HERE  

Learn more

Blogs

The Let's Encrypt CAA Code Bug – A Plain View

5 Mar 2020

The Let's Encrypt CAA Code Bug – A Plain View What happened Let’s Encrypt recently found a bug in their CAA checking code and after remediating the bug [1] on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totalling approximately 3 million certificates [2]. Let’s Encrypt company engineers provided a technical update [1]: “ On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking. The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt. We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance. Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete. “   Cert Revocation, Renewal and Replacement Let’s Encrypt report they are aiming to “complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST)”. Those affected should continue to renew and replace affected with new certificates. [3]   Impact Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties.  Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in-place could trigger errors in browsers and other applications, cause loss availability and/or trust, all potentially causing harm to the companies that rely on them.   Impacted Customer Communications From Let’s Encrypt Let’s Encrypted reported they “have sent notification emails to affected subscribers who have registered an email address”, although believe some customers “may not have received an email if they did not provide an email address while registering” their ACME account. [3] In this latter scenario, Let’s Encrypt are directing customers with any need to re-subscribe to email notifications to https://letsencrypt.org/docs/expiration-emails/ . [3] It is worth considering that email delivery issues or spam filtering may also be the cause of missing the email which ultimately advises affected customers to renew their certificates. [3]   If you are looking for the missing email you can search for the following subject line within your mailbox or email gateway logs: “ACTION REQUIRED: Renew these Let’s Encrypt certificates by March 4”   If you are unsure whether your hostname is affected, use the checking tools described in this post.   Via AUSCERT As a passionate not-for-profit CERT organisation, we routinely monitor industry updates, news and other intel feeds. Due to this practice, we were promptly aware of the public bug announcement from Let’s Encrypt and following a proactive course of action, we identified AUSCERT Members with affected certificates and are currently working with them.   Identifying an affected certificate Let’s Encrypt have published a page hosting the list of affected serial numbers relating to the 2020.02.29 CAA Rechecking Incident [3].  That page details the downloadable file contains a list of all affected certs, sorted by account ID. [4] Checking Tools/methods There are several methods or tools providing a means to check for an affected certificate. Online Common Tools Curl OpenSSL Purpose built script   Online If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool seen in the screenshot below available at: https://checkhost.unboundtest.com/ .   Common Tools Curl The curl command on a linux system can be used in conjunction with online tool https://checkhost.unboundtest.com/ against a target website to show its current certificate serial number. The following two example indicate affected and non-affected certificate responses. Response 1: Affected Certificate $ curl -XPOST -d ‘fqdn=www.REDACTED.au’ https://checkhost.unboundtest.com/checkhost The certificate currently available on www.REDACTED.au needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. See your ACME client documentation for instructions on how to renew a certificate. Response 2: Non-Affected Certificate $ curl -XPOST -d ‘fqdn=letsencrypt.org’ https://checkhost.unboundtest.com/checkhost The certificate currently available on letsencrypt.org is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 03a1c95bdaa36a8268327f2253cbd3ba2436   OpenSSL As seen in the following examples, the openssl command (linux) can be used against a target website to show its current certificate serial number: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             0fd078dd48f1a2bd4d0f2ba96b6038fe   openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             03a1c95bdaa36a8268327f2253cbd3ba2436   Purpose-Built Script Github – Let’s Encrypt CAA (lecaa) checking scripts [5] A purpose-built script hosted on Github [5] and created by Hanno Böck [6] “…allows you to efficiently check affected hosts”. Hanno Böck advised on his github page that the script was created after “Let’s Encrypt announced a bug in their system’s CAA checks, which forced them to revoke 3 million certificates on very short notice”.   Let’s Encrypt credit the lecaa script as useful tool and refer customer to use it by advising “if you have a large list of domains you need to check, this tool will be more effective. [3]   Where certificates are found that are not affected, Let’s Encrypt said “even if you received an email, it’s possible that the affected certificates have been replaced by newer certs not affected by the bug. (Either due to being issued in the last few days since it was fixed, or simply by not meeting the specific timing criteria necessary for the bug to trigger.) In that case, it’s not necessary to renew them again”. [3]   Questions Anyone who has questions should review the Q & A’s seen on Let’s Encrypt’s FAQ [2], then should questions remain after such review, they should contact Let’s Encrypt directly.   References [1] 2020.02.29 CAA Rechecking Bug https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 [2] Revoking certain certificates on March 4 https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864 [3] Download affected certificate serials for 2020.02.29 CAA Rechecking Incidenthttps://letsencrypt.org/caaproblem/ [4] File containing serial number of the affected certificates https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz [5] Github – Purpose Built Checker (lecaa) https://github.com/hannob/lecaa [6] Hanno Böck https://hboeck.de/  

Learn more

Blogs

2019 Cyber Security Survey

28 Oct 2019

2019 Cyber Security Survey Complete the 2019 Cyber Security Survey The cyber landscape is constantly changing, and the number and level of sophistication of attacks are increasing.  Being aware of the latest cyber security threats and trends in the industry can help your organisation put the right measures in place to protect against cyber threats.  Is your organisation prepared to manage the impact of a significant cyber event?  How do your cyber practices stack up against other organisations in your industry? The fourth BDO and AUSCERT Cyber Security Survey is now open. This annual survey, aimed at key decision makers, identifies the current cyber security trends, issues and threats facing businesses in Australia and New Zealand. Participation gives you direct access to our survey report, allowing you to: Compare your organisation’s cyber maturity against peers Benchmark your business’ current cyber security efforts with trends in your industry Identify potential gaps in your organisation’s cyber security approach Determine ways to improve your organisation’s cyber security culture, planning and response measures. Take part now Don’t miss out on your chance to gain free insight into the maturity of your organisation’s cyber security approach. The survey closes at midnight on Friday 1 November. The survey is anonymous and takes less than 10 minutes to complete. The survey also offers the chance to win one of three Apple Watches.* For more information about this survey contact our team: membership@auscert.org.au * Refer to the survey competition terms and conditions.    

Learn more

Blogs

AUSCERT at the APCERT Conference 2019

22 Oct 2019

AUSCERT at the APCERT Conference 2019 AUSCERT was represented at the recent APCERT 2019 gathering in Singapore by Senior Information Security Analyst, Geoff Thonon and Senior Security System Administrator, Colby Prior.  Highlights of this work trip included the below initiatives.  _____________________________________________________________________________________________________________________________ APCERT-AGM 2019 Teams that are part of APCERT (Asia Pacific Computer Emergency Team)[1] took part in the APCERT Conference 2019 which kicked off on Sunday the 29th September.  This was Day One of the APCERT Annual General Meeting and like with all groups that meet once-a-year, the day was filled with reports on the years’ activities. Working Groups [2] were queued up and reported on the progress of various projects that makes the APCERT community more effective as a whole.  [1] http://www.apcert.org/[2] http://www.apcert.org/about/structure/groups.html   AUSCERT @ APCERT Drill-WG AUSCERT co-presented  with the convenor of ThaiCERT on the APCERT-Drill that took place in 2019 [1].  AUSCERT rallied the group to participate in and briefed them about the APCERT-Drill 2020, within a diverse set of roles.  Along with rallying the group for the coming Drill, some factors were highlighted in using the currently available platform(s) within APCERT in terms of communication and coordination, as well as using this event to further further promote cooperation with all new CERTs/CSIRTs in the Asia Pacific region.    [1] http://www.apcert.org/documents/pdf/APCERT_Drill2019_Press%20Release.pdf ______________________________________________________________________________________________________________________________ We look forward to hosting the APCERT-Drill in 2020 and to meeting our colleagues at the next APCERT annual conference!

Learn more