Week in review

AUSCERT Week In Review for April 22nd 2022

22 Apr 2022

Greetings,

The commemoration of ANZAC Day has become entrenched in Australia and New Zealand’s identity, marking the anniversary of the first major military action fought by members of the Australian and New Zealand Army Corps (ANZAC). The Light Up The Dawn website, coordinated by RSL Australia, is the perfect place to learn how you can commemorate those who are serving and those who have served. Lest We Forget.

Sadly, the presence of war remains today, with the conflict in Ukraine showing no signs of easing. Although Easter is being observed in Russia this Sunday, April 24th, The Cyber Wire update earlier this week stated that governments in the West shouldn’t let their guard down concerning potential cyber attacks.

AUSCERT has seen a surge in registrations for this year’s conference over the past few days, which is exciting news! With just over two weeks to go until Australia’s premier information security conference gets underway, we encourage anyone interested in coming along to check out our sensational line-up of speakers and tutorials and Register Today for AUSCERT2022!

Lastly, AUSCERT is recruiting for two Software Developers with skills in Python on Linux platforms, and what an opportunity for developers with an interest in cyber security! As part of the AUSCERT team, you’d work alongside Analysts and Infrastructure Engineers and, speaking of the AUSCERT Conference, you would also get the chance to participate in the event!

CISA warns of attackers now exploiting Windows Print Spooler bug
Date: 2022-04-19
Author: Bleeping Computer
The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. This high severity vulnerability (tracked as CVE-2022-22718) impacts all versions of Windows per Microsoft’s advisory and was patched during the February 2022 Patch Tuesday. The only information Microsoft shared about this security flaw is that threat actors can exploit it locally in low-complexity attacks without user interaction.

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021
Date: 2022-04-20
Author: The Hacker News
Google Project Zero called 2021 a "record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum, when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.

US and allies warn of Russian hacking threat to critical infrastructure
Date: 2022-04-20
Author: Bleeping Computer
Today, Five Eyes cybersecurity authorities warned critical infrastructure network defenders of an increased risk that Russia-backed hacking groups could target organizations within and outside Ukraine’s borders. The warning comes from cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom in a joint cybersecurity advisory with information on Russian state-backed hacking operations and Russian-aligned cybercrime groups.

Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
Date: 2022-04-20
Author: Ars Technica
Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant
Date: 2022-04-19
Author: SecurityWeek.Com
The good news is that median intruder dwell time is down again, from 24 days in 2020 to 21 days in 2021. The bad news is that the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere. Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The usual assumption is that the shorter the dwell time, the less damage can be done. This is not a valid assumption across all intrusions. The figures come from Mandiant’s M-Trends 2022 report, which is based on the firm’s breach investigations between October 1, 2020, and December 31, 2021. They show that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019) and 24 (2020) to 21 (2021). The problem is that dwell time has no consistent correlation to the breach effect.

ESB-2022.1726 – Cisco Umbrella Virtual Appliance: CVSS (Max): 7.5
A vulnerability could allow an unauthenticated, remote attacker to impersonate a Virtual Appliance. One of many Cisco bulletins this week.

ASB-2022.0113 – Oracle Communications Applications: CVSS (Max): 10.0
It was Oracle’s quarterly patch day this week (Critical Patch Update). Some of the CVSS ratings reached 10.0.

ASB-2022.0091 – Oracle Virtualization: CVSS (Max): 9.0
Another Oracle product affected was the popular VM VirtualBox.

ESB-2022.1714 – Siemens OpenSSL Vulnerabilities in Industrial Products: CVSS (Max): 5.9
ICS-CERT published many advisories this week for Industrial Control Systems (ICS), including SCADA (Supervisory Control and Data Acquisition) systems. This OpenSSL issue affects many systems and devices.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 14th 2022

14 Apr 2022

Greetings,

Each week of 2022 seems to be moving at a faster pace than the one before, and here we are, at Easter already! Four days to relax, rejoice, reframe – and indulge in far too many chocolate eggs, bunnies, and bilbies, along with some hot cross buns of course! It’s also the first week of at least three (four if you’re in Queensland) that have one day less in the working week. Now, whilst that might be celebrated, it also means that we have fewer business days until AUSCERT2022! We have some fantastic Sponsors, Speakers, Tutorials and some sensational surprises in store this year! Spots are filling fast so, to ensure you don’t miss out, Register today for Australia’s premier cyber security conference.

AUSCERT will maintain minimal coverage for the Easter holidays from Friday 15 April to Monday 18 April. AUSCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Have a safe, enjoyable and relaxing Easter break everyone!

Mandatory cyber security incident reporting now in force
Date: 2022-04-12
Author: iTnews
Home Affairs Minister Karen Andrews has published the implementation of Australia’s critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors. Under the Security of Critical Infrastructure Act 2018, multiple industry assets are deemed to be critical.

Security Nihilism Is Putting Your Company and Its Employees at Risk
Date: 2022-04-09
Author: Dark Reading
When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of “security nihilism” isn’t new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap to overcome for security practitioners, but it’s even more dangerous when employees start to feel it. Security nihilism creates new problems and worsens existing ones that put a company’s data — and the employees who are stewards of that data — at risk.

GitHub can now alert of supply-chain bugs in new dependencies
Date: 2022-04-08
Author: Bleeping Computer
GitHub can now block and alert you to pull requests that introduce new dependencies impacted by known supply chain vulnerabilities. This is achieved by adding the new Dependency Review GitHub Action to an existing workflow in one of your projects. You can do it through your repository’s Actions tab under Security or straight from the GitHub Marketplace. It works with the help of an API endpoint that helps you understand the security impact of dependency changes at every pull request, before they are added to your repository.

Creating a Security Culture Where People Can Admit Mistakes
Date: 2022-04-12
Author: Dark Reading
Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled “[TEST] Meteor strike destroys the headquarters,” went to everyone in the company and created a loop that crashed the mail servers. As Ellis recounts, “The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, ‘Preparing to outrun the meteor?'”

New pilot program to help meet urgent demand for cyber security skills
Date: 2022-04-12
Author: Riotact
Cyber security may have been a big winner in the Federal Budget, but finding the people to make the Federal Government’s ambitious plans a reality will be challenging. The ACT Government and Digital Skills Organisation (DSO) aim to help address the cyber skills shortage and meet the needs of the ACT’s growing tech sector with a new 12-month pilot program through the Canberra Cyber Hub. It will focus on developing a new National Skills Framework for cyber security in cooperation with industry.

ESB-2022.1488.2 – UPDATED ALERT VMware products: CVSS (Max): 9.8
VMware has now confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

ESB-2022.1560 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe Commerce and Magento Open Source are vulnerable to Remote Code Execution. Adobe has released patches to address the issue.

ESB-2022.1623 – ALERT Cisco Wireless LAN Controller: CVSS (Max): 10.0
Cisco has released an advisory regarding a critical authentication bypass vulnerability affecting several Wireless LAN Controllers.

ASB-2022.0085 – ALERT Microsoft Windows products: CVSS (Max): 9.8
Microsoft has addressed multiple vulnerabilities in its Windows products during Patch Tuesday.

ASB-2022.0086.3 – UPDATE Nginx Zero-Day
Multiple mitigation measures are available for the recent zero-day vulnerability in the nginx web server.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
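Following up the GitHub Dependency Review item in this week’s review, here is an added example of what wiring that action into a pull-request workflow looks like. This is illustrative configuration written for this page, not from the Bleeping Computer article, from GitHub’s documentation or from any AUSCERT tooling; the action version tags (@v4), the fail-on-severity threshold and the licence deny-list are assumptions chosen for the example.

```yaml
# Added example, not from the original article: a minimal GitHub Actions
# workflow that runs actions/dependency-review-action on every pull request.
# The action compares the dependency manifests between the base and head
# commits and fails the check when a newly introduced dependency carries a
# known advisory, so the PR can be blocked before the dependency is merged.
name: Dependency Review

on:
  pull_request:

# Least privilege: the action only needs to read repository contents.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4   # version tag assumed; pin to a SHA in practice

      - name: Review dependency changes
        uses: actions/dependency-review-action@v4   # version tag assumed
        with:
          # Assumed policy (not stated in the article): fail the check when any
          # new dependency has an advisory rated high or critical ...
          fail-on-severity: high
          # ... and reject packages under licences the organisation disallows.
          deny-licenses: GPL-3.0, AGPL-3.0
```

The action relies on the repository’s dependency graph, which must be enabled (on private repositories that requires GitHub Advanced Security), and it only evaluates the dependency changes visible in the manifest or lock files touched by the pull request. A vulnerable package already present on the base branch will not fail this check; Dependabot alerts cover that existing set. Add the workflow as a required status check on the protected branch if the goal is to block rather than merely alert.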


Week in review

AUSCERT Week In Review for April 8th 2022

8 Apr 2022

Greetings,

Late yesterday, VMware confirmed that it had patched eight bugs in an array of its products. Many news sources, including The Hacker News, have reported that the vulnerabilities could be exploited, with five of the bugs identified as critical. The five products affected are Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. It is advised that the vulnerabilities be patched as soon as possible; a bulletin issued by AUSCERT yesterday has further information: ESB-2022.1488.

If you weren’t already aware, each of the remaining working weeks in April is just four days long courtesy of some well-placed public holidays! Whilst that ensures consecutive long weekends, it also means that time is running out to book your spot at our 21st Annual AUSCERT Cyber Security Conference, AUSCERT2022. There are also only limited booths remaining before our exhibition is full! If you’re interested in Sponsorship, contact our team via email: conference@auscert.org.au

Feds slay dark-web souk Hydra: Servers and $25m in crypto-coins seized
Date: 2022-04-05
Author: The Register
US and German federal agencies came down hard on Hydra, the longest-running known dark-web marketplace trafficking in illegal drugs and money-laundering services, with a multi-pronged attack that aimed to cut off multiple heads of the nefarious online beast. First, German federal police in coordination with US law enforcement seized Hydra servers and cryptocurrency wallets containing $25 million in Bitcoin, thus shutting down the online souk. Later on Tuesday, the US Justice Department announced criminal charges against one of the alleged Hydra operators and system administrators, 30-year-old Dmitry Olegovich Pavlov of Russia.

Borat RAT: Multiple threat of ransomware, DDoS and spyware
Date: 2022-04-04
Author: The Register
A new remote access trojan (RAT) dubbed “Borat” doesn’t come with many laughs but offers bad actors a menu of cyberthreats to choose from. RATs are typically used by cybercriminals to get full control of a victim’s system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cybersecurity biz Cyble.

ASD to create cyber security hubs in three states using REDSPICE budget funding
Date: 2022-04-06
Author: iTnews
The Australian Signals Directorate will create cyber security hubs in Melbourne, Brisbane and Perth after receiving $9.9 billion in the federal budget to boost its offensive and defensive capabilities. Amid criticism over its plan to double in size over the next decade, director-general Rachel Noble told senate estimates the new hubs would allow the cyber spy agency to tap into a wider talent pool.

This new malware targets AWS Lambda environments
Date: 2022-04-06
Author: ZDNet
A new malware variant that targets AWS Lambda has been discovered. On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda. Lambda is a scalable, serverless compute service offered by Amazon Web Services (AWS): it runs customer code while AWS handles server and OS maintenance, capacity provisioning and logging, and it underpins numerous backend services.

VMware admins asked to patch eight vulnerabilities
Date: 2022-04-07
Author: iTnews
VMware has patched eight bugs in five of its products that were uncovered by Qihoo 360 security researcher Steven Seeley. An advisory notes the eight vulnerabilities affect five different products: Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. Workspace ONE Access is impacted by two critical authentication bypass vulnerabilities, denoted as CVE-2022-22955 and CVE-2022-22956. They would allow an attacker to “bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework”, the advisory says.

ESB-2022.1418.2 – UPDATE GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.1
GitLab has released fixed versions of Community Edition and Enterprise Edition to address multiple vulnerabilities, including a critical vulnerability which could allow account takeover.

ESB-2022.1444.4 – UPDATE Cisco Products: CVSS (Max): 9.8
Acknowledging the recent Spring Framework vulnerability, Cisco has been updating its advisory identifying multiple affected products.

ESB-2022.1480 – Firefox: CVSS (Max): 7.5*
Mozilla has updated Firefox to version 99, which fixes multiple vulnerabilities.

ESB-2022.1484.2 – UPDATED ALERT Tenable.sc: CVSS (Max): 9.8
Tenable has released a patch for Tenable.sc addressing two vulnerabilities, including the critical CVE-2022-23943.

ESB-2022.1488 – ALERT VMware products: CVSS (Max): 9.8
VMware has released patches to address critical vulnerabilities in several products.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 1st 2022

1 Apr 2022

Greetings,

The latest episode of our podcast is here! We discuss Security Orchestration, Automation, and Response (SOAR), the topic of last year’s conference, and how it can benefit organisational processes, automation and efficiency, regardless of organisation size. You’ll also hear from the AUSCERT team about the malicious URL feed and how it works with SOAR, Member Slack and AUSCERT’s AusISAC, how these can benefit members, as well as a bit of a teaser for the upcoming cyber security conference.

AUSCERT is gearing up to deliver a range of training sessions aimed at anyone who looks after their organisation’s cyber security. Our next course, Incident Response Planning, is being held next week on April 5 & 6. The courses are delivered virtually in two half-day sessions from 9 am to 12:30 pm each day. Learning outcomes for participants:
- Understand the NIST IR (incident response) process
- Self-assess IR process maturity
- Design and implement a Cyber Security Incident Response Plan
- Create and customise cyber security incident playbooks
- Understand the usefulness of cyber security policies and frameworks to IR
- Gain awareness of the most common cyber security attacks
- Appreciate the role of tabletop discussion exercises in IR planning and improvement
Places are limited so be sure to secure your spot and book now.

Lastly, today is April Fool’s Day, when pranks and jokes are played for laughs, as long as they don’t go too far! What we all need right now is some joy and laughter, so why not take a moment to browse some of the great April Fools pranks from history, including the Left-Handed Whopper, Smell-o-vision and Gmail Motion, a new technology that would allow people to write emails using only hand gestures!

IoT warning: Hackers are gaining access to UPS devices. Here’s how to protect yours
Date: 2022-03-30
Author: ZDNet
Change the default user name and password settings on your internet-connected uninterruptible power supply (UPS) units, the US government has warned. UPS units are meant to provide power backup to keep devices, appliances and applications connected to the internet by supplying off-grid power to places like a data center during a power outage. But hackers have been targeting internet-connected UPS units to disrupt the backup power supply. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they “are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices.”

Russia facing internet outages due to equipment shortage
Date: 2022-03-28
Author: Bleeping Computer
Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment. To raise awareness, the commission has compiled a document that reflects the practical challenges facing the industry in Russia at this time and also presents a set of proposals specifically crafted to alleviate them. Russian media that have seen the document in question say that the warning is dire, as the commission highlights that the reserves of telecom operator equipment will only last for another six months.

Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show
Date: 2022-03-29
Author: TechCrunch
The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. Customers only learned of Okta’s January security breach on March 22, after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. Okta admitted the compromise in a blog post, and later confirmed 366 of its corporate customers are affected by the breach, or about 2.5% of its customer base.

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
Date: 2022-03-28
Author: The Hacker News
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. “The emails use a social engineering technique of conversation hijacking (also known as thread hijacking),” Israeli company Intezer said in a report shared with The Hacker News. “A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.” The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors.

Critical Sophos Firewall vulnerability allows remote code execution
Date: 2022-03-27
Author: Bleeping Computer
Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE). Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall. On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier, for which the company has released hotfixes.

Zero-Day Vulnerability Discovered in Java Spring Framework
Date: 2022-03-31
Author: Dark Reading
A zero-day vulnerability found in the popular Java Web application development framework Spring likely puts a wide variety of Web apps at risk of remote attack, security researchers disclosed on March 30. The vulnerability — dubbed Spring4Shell and SpringShell by some security firms — has caused a great deal of confusion over the past 24 hours as researchers struggled to determine if the issue was new, or related to older vulnerabilities. Researchers with cybersecurity services firm Praetorian and threat intelligence firm Flashpoint independently confirmed that the exploit attacks a new vulnerability, which could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration.

Google: Russian phishing attacks target NATO, European military
Date: 2022-03-30
Author: Bleeping Computer
The Google Threat Analysis Group (TAG) says more and more threat actors are now using Russia’s war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks. The report’s highlights are credential phishing attacks coordinated by a Russia-based threat group tracked as COLDRIVER against a NATO Centre of Excellence and Eastern European militaries. The Russian hackers also targeted a Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks.

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure
Date: 2022-03-27
Author: Bleeping Computer
Okta has admitted that it made a mistake in delaying the disclosure of the hack by the Lapsus$ data extortion group that took place in January. On Friday, Okta expressed regret for not disclosing details about the Lapsus$ hack sooner and shared a detailed timeline of the incident and its investigation activities.

Australian Budget 2022 delivers AU$9.9 billion for spicy cyber
Date: 2022-03-29
Author: ZDNet
The federal government has released its 2022-23 federal Budget, containing a AU$9.9 billion kitty for bolstering cybersecurity and intelligence capabilities in the midst of a growing cyberthreat landscape around the world. The near-AU$10 billion will be spent across a decade under a program called Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE). “This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenberg, who announced the Budget on Tuesday night.

Hive ransomware shuts down California health care organization
Date: 2022-03-30
Author: The Record
Partnership HealthPlan of California, a nonprofit that helps hundreds of thousands of people access health care in California, is in the midst of being attacked by the Hive ransomware group. The organization is one of the largest Medi-Cal Managed Care Plan providers in Northern California and serves more than 610,000 Medi-Cal beneficiaries in 14 northern California counties. It is unclear when the attack began and Partnership HealthPlan of California is currently unable to respond to requests for comment, but local California newspaper The Press Democrat was the first to report on March 24 that the organization was facing technical issues.

ASB-2022.0075 – Spring Boot and Spring Cloud: CVSS (Max): 9.8
AUSCERT released an advisory to its members with information on the Spring Framework vulnerability. AUSCERT encourages affected members to review the mitigation information and act accordingly.

ESB-2022.1346.3 – UPDATE vCenter Server and Cloud Foundation: CVSS (Max): 5.5
Updates have been released to remediate an information disclosure vulnerability in VMware vCenter Server.

ESB-2022.1310 – chromium: CVSS (Max): None
Users are encouraged to upgrade their chromium packages to fix a security issue that could result in the execution of arbitrary code if a malicious website is visited.

ESB-2022.1411 – Google Chrome: CVSS (Max): None
Google has addressed multiple vulnerabilities with the release of Chrome version 100.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for 25th March 2022

25 Mar 2022

Greetings,

Earlier this week, the Okta breach saw many of their customers worldwide alerted to the potential risk posed by third-party vendors. The group suspected of causing the breach, Lapsus$, was also involved in attacks on Microsoft and Nvidia. iTnews reported early Friday morning that several suspects had been arrested in London following an investigation into the ransom-seeking gang. Some of those arrested are said to be aged only between 16 and 21. AUSCERT issued an ASB on Thursday, March 24th, about the Lapsus$ Okta incident, which can be viewed at the following link: ASB-2022.0073

As the war in Ukraine enters its second month, the heightened risk of a major cyber attack from Russia on the USA has resulted in speculation that the Australia, New Zealand and United States Security Treaty (ANZUS) could be activated. Such an attack would come as retaliation for sanctions imposed upon Russia, including by Australia. However, should Australia be a target for such retaliatory action, assurance has been given by Joe Biden’s top cyber security advisor that the US would respond. The Sydney Morning Herald provides further details, including the White House issuing a statement for all companies to “lock the digital door” against potential attacks.

The AUSCERT team has received a flurry of emails and calls concerning the upcoming AUSCERT2022 Cyber Security Conference, which is a fantastic sign that people out there are interested in coming along. Our line-up of speakers has been confirmed and we are fine tuning the program; we will be sure to let everyone know when it’s ready for you to peruse! In the meantime, be sure to check out who we have coming along and a little more about this year’s theme, Rethink, Reskill, Reboot.

Authentication firm Okta probes report of digital breach
Date: 2022-03-23
Author: Reuters
Authentication services provider Okta Inc (OKTA.O) is investigating a report of a digital breach, the company said on Tuesday, after hackers posted screenshots showing what they claimed was its internal company environment. A hack at Okta could have major consequences because thousands of other companies rely on the San Francisco-based firm to manage access to their own networks and applications. The company was aware of the reports and was investigating, Okta official Chris Hollis said in a brief statement.

Okta: Lapsus$ attackers had access to support engineer’s laptop
Date: 2022-03-23
Author: ZDNet
Okta says that a rapid investigation into the sharing of screenshots appearing to show a data breach has revealed they relate to a “contained” security incident that took place in January 2022. Okta, an enterprise identity and access management firm, launched an inquiry after the LAPSUS$ hacking group posted screenshots on Telegram that the hackers claimed were taken after obtaining access to “Okta.com Superuser/Admin and various other systems.”

Microsoft confirms they were hacked by Lapsus$ extortion group
Date: 2022-03-22
Author: Bleeping Computer
Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code. Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps. In a new blog post published tonight, Microsoft has confirmed that one of their employee’s accounts was compromised by Lapsus$, providing limited access to source code repositories.

New Phishing toolkit lets anyone create fake Chrome browser windows
Date: 2022-03-19
Author: Bleeping Computer
A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. When signing into websites, it is common to see the option to sign in with Google, Microsoft, Apple, Twitter, or even Steam.

White House issues call to action in light of new intelligence on Russian cyberthreat
Date: 2022-03-21
Author: CyberScoop
The Biden administration renewed calls Monday for the private sector to address known vulnerabilities and shore up cyberdefenses in light of a looming possibility of a cyberattack from Russia on U.S. infrastructure. The latest warning is “based on evolving threat intelligence, that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States,” Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology, said at a press conference Monday.

A Closer Look at the LAPSUS$ Data Extortion Group
Date: 2022-03-23
Author: Krebs on Security
Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

BitRAT malware now spreading as a Windows 10 license activator
Date: 2022-03-21
Author: Bleeping Computer
A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators. BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it. As such, each buyer follows their own approach to malware distribution, ranging from phishing and watering holes to trojanized software.

Australia launches federal cybercrime centre as part of national plan
Date: 2022-03-21
Author: ZDNet
Australian Home Affairs Minister Karen Andrews has launched a centre to bolster the country’s cybercrime fighting efforts. The AU$89 million cybercrime centre forms part of Home Affairs’ national plan to combat cybercrime, which was announced alongside the centre’s launch on Monday morning. The AU$89 million was provided through the AU$1.67 billion in funding for Australia’s cybersecurity strategy by the federal government. Andrews said the national plan and the Australian Federal Police’s (AFP) new cybercrime centre, called the Joint Policing Cybercrime Coordination Centre (JPC3), would bring together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response.

Newer Conti ransomware source code leaked out of revenge
Date: 2022-03-20
Author: Bleeping Computer
A Ukrainian security researcher has leaked newer malware source code from the Conti ransomware operation in revenge for the cybercriminals siding with Russia on the invasion of Ukraine. Conti is an elite ransomware gang run by Russia-based threat actors. With their involvement in developing numerous malware families, it is considered one of the most active cybercrime operations. However, after the Conti ransomware operation sided with Russia on the invasion of Ukraine, a Ukrainian researcher named ‘Conti Leaks’ decided to leak data and source code belonging to the ransomware gang out of revenge.

Microsoft Azure developers targeted by 200-plus data-stealing npm packages
Date: 2022-03-24
Author: The Register
A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed, two days after they were made available to the public.

ASB-2022.0071 – .au direct domain names
AUSCERT’s advisory for its members contains important information about .au direct domain names. We encourage all members who wish to have their domains registered in .au direct to do so within six months to avoid any potential issues arising later.

ASB-2022.0072 – Potential Cyberattacks
The US President warns the public to be aware of a possible escalation of cyber attacks from Russia.

ASB-2022.0073 – Lapsus$ Okta incident
AUSCERT’s advisory on the Lapsus$ Okta incident includes Microsoft’s recommended defences against DEV-0537.

ESB-2022.1275 – VMware Carbon Black App Control (AppC): CVSS (Max): 9.1
Updates are available to remediate the vulnerabilities in VMware Carbon Black App Control.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

AUSCERT Week In Review for March 18th 2022

18 Mar 2022

Greetings, Today, March 18th, is World Sleep Day – yes, really! There are many benefits from having quality sleep, including improved mental health, mood, and decision-making. It has also been recognised as significant in preventative health and wellbeing, alongside fitness and nutrition. There are many ways that we can each improve our sleep, ranging from exercise in the morning to a warm shower at night and setting cut-off times from technology each evening to allow a wind down before sleep. The Sleep Health Foundation is on a mission to improve as many lives as possible through better sleep and has a range of resources and activities designed to help with that goal.

Some folks that may be taking on some suggestions on improved sleep ahead of their presentations are our Speakers for this year’s AUSCERT2022 Cyber Security Conference! That’s right, we have officially announced our line-up, which includes Keynote Speakers Kath Koschel of The Kindness Factory and Lesley Carhart amongst some familiar faces and first-timers. Visit the AUSCERT2022 website to see our speaking line-up and, perhaps, register yourself to come along to the Gold Coast this May?

Lastly, we wanted to advise, or remind those in the know, of the upcoming release of .au direct domain names. As detailed in our recent blog, the Australian Domain Administration (auDA) will be making the shorter and simpler domain names available from Thursday, March 24th, 2022. The blog highlights the advantages of the upcoming release but also outlines some precautionary measures that may apply to you and your business.

QNAP warns severe Linux bug affects most of its NAS devices
Date: 2022-03-14 Author: Bleeping Computer
Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed ‘Dirty Pipe’ that allows attackers with local access to gain root privileges. The ‘Dirty Pipe’ security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.

Android malware Escobar steals your Google Authenticator MFA codes
Date: 2022-03-12 Author: Bleeping Computer
The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes. The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.

New ransomware LokiLocker bundles destructive wiping component
Date: 2022-03-17 Author: CSO Online
A new ransomware operation dubbed LokiLocker has slowly been gaining traction since August among cybercriminals, researchers warn. The malicious program uses a relatively rare code obfuscation technique and includes a file wiper component that attackers could use against non-compliant victims. “LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021,” researchers from BlackBerry’s Research & Intelligence Team said in a new report.

New Linux botnet exploits Log4J, uses DNS tunneling for comms
Date: 2022-03-15 Author: Bleeping Computer
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, install rootkits, create reverse shells, and act as web traffic proxies. The newly found malware, dubbed B1txor20 by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), focuses its attacks on Linux ARM and X64 CPU architecture devices. The botnet uses exploits targeting the Log4J vulnerability to infect new hosts, a very appealing attack vector seeing that dozens of vendors use the vulnerable Apache Log4j logging library.

Ukraine invasion opens political rift between cybercriminals
Date: 2022-03-15 Author: The Register
Cybercriminals are taking sides over Russia’s deadly invasion of Ukraine, putting either the West or Moscow in their sights, according to Accenture. The consultancy giant’s Cyber Threat Intelligence team, which tracks illicit dark-web activity, said in a report dated Monday that this is the first time it has witnessed “financially motivated threat actors divided along ideological factions.”

ESB-2022.1083 – macOS Monterey: CVSS (Max): 9.1*
Apple has released an advisory to address multiple vulnerabilities in the packages used in macOS.

ESB-2022.1076 – Apache HTTP Server: CVSS (Max): 7.4
Multiple vulnerabilities affecting Apache HTTP Server have been fixed in version 2.4.53.

ESB-2022.1108 – squid: CVSS (Max): 9.6
An incorrect input validation vulnerability leading to cache poisoning has been addressed.

ESB-2022.1147 – Bind 9.18.0: CVSS (Max): 7.0
ISC advises updates to Bind to address multiple vulnerabilities.

ESB-2022.1165 – Treck TCP/IP Stack: CVSS (Max): 10.0
Treck TCP/IP Stack is widely used in embedded systems. It is recommended to update the version to 6.0.1.67 or later.

ASB-2022.0070 – Microsoft Edge (Chromium-based): CVSS (Max): 6.3*
Microsoft has advised users to update Edge (Chromium-based) to address multiple vulnerabilities assigned by Google Chrome.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for 11th March 2022

11 Mar 2022

Greetings, We are excited to announce our second keynote speaker for AUSCERT2022, Lesley Carhart. Lesley, also known by her Twitter handle ‘Hacks4Pancakes’, is the Director of Incident Response for North America at the industrial cybersecurity company Dragos, Inc., leading response to and proactively hunting for threats in customers’ ICS environments. You may find Lesley organizing resume and interview clinics at several cybersecurity conferences, lecturing, and blogging and tweeting prolifically about cybersecurity. When not working, Lesley enjoys being a youth martial arts instructor. This is Lesley’s first time speaking in-person Down Under and we can’t wait to see them on the Gold Coast in May!

If you’d like to see Lesley in person, or perhaps one of our many other informative and engaging presenters, why not register today to ensure that you don’t miss out? AUSCERT2022 will again be held at The Star Gold Coast and will be broadcast virtually, allowing you to attend in the format that suits you best.

As it enters its second week, the invasion of Ukraine continues to reveal risks, real and potential, for individuals and organisations the world over. Harvard Business Review discusses possible preventative measures to take in order to be as safe as possible, and what a global cyberwar may look like.

New Linux bug gives root on all major distros, exploit released
Date: 2022-03-07 Author: Bleeping Computer
[Refer AUSCERT Security Bulletin: ASB-2022.0061]
A new Linux vulnerability known as ‘Dirty Pipe’ allows local users to gain root privileges through publicly available exploits. Today, security researcher Max Kellermann responsibly disclosed the ‘Dirty Pipe’ vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.

Malware now using NVIDIA’s stolen code signing certificates
Date: 2022-03-05 Author: Bleeping Computer
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data. The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and began leaking the data online after NVIDIA refused to negotiate with them.

Big tech decries Australia’s anti-trolling Bill for not allowing innocent dissemination defence
Date: 2022-03-07 Author: ZDNet
Meta, Twitter, and YouTube have all echoed the same concerns about Australia’s proposed anti-trolling laws, saying it would place an “unprecedented level” of defamation risk on social media platforms as it seeks to remove the defence of innocent dissemination. The innocent dissemination defence allows entities, such as social media platforms, to not be liable for defamation if they had no knowledge of the defamatory material, and their failure to detect the material was not due to negligence.

Russia-Ukraine war: NYC on ‘ultra-high alert’ amid increased risk of Russian retaliatory cyberattack
Date: 2022-03-07 Author: Fox News
New York state is facing “increased risk” of cyberattack from Russian retaliators, while city agents have seen more breach attempts amid heightened tensions that have arisen from the Russian invasion of Ukraine, officials said Monday. Sen. Kirsten Gillibrand, a New York Democrat, met with New York City and police department officials on Monday morning. The New York Police Department (NYPD) has found no specific credible cybersecurity threats to the city so far, but not for a lack of effort, officials have said.

Samsung confirms hackers stole Galaxy devices source code
Date: 2022-03-07 Author: Bleeping Computer
Samsung Electronics confirmed on Monday that its network was breached and the hackers stole confidential information, including source code present in Galaxy smartphones. As first reported by BleepingComputer, the data extortion group Lapsus$ leaked at the end of last week close to 190GB of archives claiming to have been stolen from Samsung Electronics.

Smartphone malware is on the rise, here’s what to watch out for
Date: 2022-03-10 Author: ZDNet
There’s been a surge in mobile malware attacks as cyber criminals ramp up their attempts to deliver malicious text messages and applications to users in order to steal sensitive information including passwords and bank details. Cybersecurity researchers at Proofpoint say they detected a 500% jump in attempted mobile malware attacks during the first few months of 2022, with significant peaks at the beginning and end of February.

Internet Backbone Giant Lumen Shuns .RU
Date: 2022-03-08 Author: Krebs on Security
Lumen Technologies, an American company that operates one of the largest Internet backbones and carries a significant percentage of the world’s Internet traffic, said today it will stop routing traffic for organizations based in Russia. Lumen’s decision comes just days after a similar exit by backbone provider Cogent, and amid a news media crackdown in Russia that has already left millions of Russians in the dark about what is really going on with their president’s war in Ukraine.

ASB-2022.0062 – ALERT Microsoft Windows, Windows Server, Remote Desktop Client and Image/Video Extensions: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for the month of March 2022 and also noted that exploitation of CVE-2022-24508 is more likely to be targeted by threat actors.

ESB-2022.0967 – Adobe After Effects: CVSS (Max): 7.8
Adobe has released an update for Adobe After Effects for Windows and macOS. Successful exploitation could lead to arbitrary code execution in the context of the current user.

ASB-2022.0065 – ALERT Microsoft Exchange Server: CVSS (Max): 8.8
Microsoft recommends updating the software with the version made available on the Microsoft Update Catalogue in its monthly security patch update.

ESB-2022.0991 – MozillaFirefox: CVSS (Max): 8.8
Mozilla released a security update for two new vulnerabilities in Mozilla Firefox.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for 4th March 2022

4 Mar 2022

Greetings, Next Tuesday, March 8 2022, is International Women’s Day, a day to celebrate women’s achievements and increase visibility whilst also calling out inequality. This year’s theme is “Break The Bias”, an opportunity to recognize and take action to level the playing field. Gender bias, discrimination and stereotyping are ever-present obstacles facing women the world over. Whether it’s intentional or unconscious, it’s up to all of us to encourage and support a more diverse and inclusive society. You can learn more about International Women’s Day, including how to help Break The Bias, not just for a day, but permanently.

Education is vital in our ever-changing and adapting world. At AUSCERT, we want to provide our members the opportunity to develop and strengthen their skills and contribute to a robust cyber security strategy. We have a list of online training courses for 2022, aimed at anyone that looks after cyber security. This training is exclusive to AUSCERT Members, at the price of $750 (inc. GST) per person, per training course. You can view the current dates of courses and book online here.

Lastly, we want to acknowledge the devastating “rain bomb” that wreaked havoc on the east coast of Australia this week. The prolonged and immense rain has saturated our landscapes and left a trail of destruction, with creeks and rivers turned into fast moving torrents. There are several services available to seek assistance or support our fellow Aussies in their time of need. If you need help or can lend a hand, below are a few organisations and initiatives that may suit your needs:
GIVIT
Vinnies Flood Appeal
Brisbane Mud Army 2.0

ACSC on high alert following Russian attack on Ukraine
Date: 2022-02-25 Author: Cyber Security Connect
In the wake of Russian-linked cyber attacks on Ukraine, Prime Minister Scott Morrison and the Australian Cyber Security Centre (ACSC) have issued a warning to Australian organisations that malicious activity may have local ramifications. Similar warnings have been issued by the UK’s NCSC and the US Department of Homeland Security following recent sanctions on Russian institutions. As Australian society becomes increasingly digitised, agencies must prioritise measures to secure data and critical infrastructure against threat actors.

Ukraine recruits “IT Army” to hack Russian entities, lists 31 targets
Date: 2022-02-26 Author: Bleeping Computer
Ukraine is recruiting a volunteer “IT army” of security researchers and hackers to conduct cyberattacks on thirty-one Russian entities, including government agencies, critical infrastructure, and banks. Saturday afternoon, Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov announced that they need volunteer “digital talents” for an “IT Army” to conduct operational tasks against Russia on the cyber frontline.

Google increasing account protections for users impacted by Russian invasion of Ukraine
Date: 2022-03-01 Author: ZDNet
Google detailed a series of measures it’s taking to help those impacted by the ongoing Russian invasion of Ukraine deal with associated cyber threats and privacy risks. In a lengthy Twitter thread, Google Europe ran through a list of measures it’s taking to automatically safeguard accounts, as well as measures users themselves can take to increase their privacy and security through freely available account features. First, the company made it clear that it is actively attempting to “look out for and disrupt disinfo campaigns, hacking, and financially motivated abuse” surrounding the conflict. This effort includes collaborations with other companies and “relevant government bodies” to address rising threats.

Russia Sanctions May Spark Escalating Cyber Conflict
Date: 2022-02-25 Author: Krebs on Security
President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure. Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

New ‘highly sophisticated’ malware linked to Chinese cyberattackers
Date: 2022-03-02 Author: Citizen Digital
A leading cybersecurity firm says it has discovered a “highly sophisticated” piece of malware being used by Chinese hacking teams to attack government and critical infrastructure targets. Symantec, a division of U.S.-based software designer and manufacturer Broadcom, said the earliest known sample of the malware, which has been dubbed Daxin, dates back to 2013, while Microsoft first documented the hacking tool in December 2013. A report by the company’s Threat Hunter Team says Daxin is “without doubt” the most advanced piece of malware it has seen used “by a China-linked actor.” The unit says Daxin was discovered along with other hacking tools previously used by Chinese cyberattackers.

Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments
Date: 2022-03-03 Author: ZDNet
The US Senate approved new cybersecurity legislation that will force critical infrastructure organizations to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The Strengthening American Cybersecurity Act passed by unanimous consent on Tuesday after being introduced on February 8 by Senators Rob Portman and Gary Peters, ranking member and chairman of the Senate Homeland Security and Governmental Affairs Committee.

Over 100,000 medical infusion pumps vulnerable to years-old critical bug
Date: 2022-03-02 Author: Bleeping Computer
Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit. The findings reveal that tens of thousands of devices are vulnerable to six critical-severity flaws (9.8 out of 10) reported in 2019 and 2020.

International hackers answer Ukraine’s call to launch cyber operations against Russia
Date: 2022-03-02 Author: ABC
As Russian artillery bombarded Ukraine’s infrastructure on Sunday, one of the country’s most senior government ministers issued an unusual call to arms. The world was already supplying Ukraine with anti-tank missiles and military intelligence, but Vice Prime Minister Mykhailo Fedorov, tweeting a link to a public channel on Telegram, also called for hackers and tech specialists to join the “cyber front”.

Microsoft: Ukraine hit with new FoxBlade malware hours before invasion
Date: 2022-02-28 Author: Bleeping Computer
Microsoft said that Ukrainian networks were targeted with newly found malware several hours before Russia’s invasion of Ukraine on February 24th. Researchers with the Microsoft Threat Intelligence Center (MSTIC) observed destructive attacks targeting Ukraine and spotted a new malware strain they dubbed FoxBlade.

DDoSers are using a potent new method to deliver attacks of unthinkable size
Date: 2022-03-02 Author: Ars Technica
Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.

ASB-2022.0059 – Ukraine
AUSCERT’s advisory for members contains IOCs that are of interest in protecting networks and sources providing mitigation information.

ESB-2021.4216.3 – UPDATE Atlassian Products: CVSS (Max): 10.0
Atlassian updated the advisory initially released on 13 Dec 2021 to contain additional information for Data Center & Server products distributed via the Atlassian Marketplace.

ESB-2022.0878 – VMware Tools: CVSS (Max): 5.6
VMware is aware of an uncontrolled search path vulnerability in VMware Tools for Windows where, if exploited, a malicious actor may be able to execute code with system privileges. VMware has released updates to remediate the vulnerability in affected VMware products.

ESB-2022.0840 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.6
GitLab recommends GitLab Community Edition and GitLab Enterprise Edition be immediately updated to one of the versions released in the most recent critical security release. GitLab advises that these versions contain important security fixes.

ESB-2022.0688.3 – UPDATE Cisco Cloud Email Security: CVSS (Max): 7.5
Cisco has released software updates that address a vulnerability in the DANE email verification component of Cisco AsyncOS Software for Cisco Email Security Appliance. Cisco also advises of workarounds that address the vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for 25th February 2022

25 Feb 2022

Greetings, If you're involved in managing security awareness, your chance to make a difference is here with the SANS Security Awareness survey! AUSCERT has partnered with our friends at SANS on their 2022 SANS Institute Security Awareness Survey. You'll get early access to the free report and be entered in a raffle to win a free pass to the Awareness Summit or an MGT433 course. The survey takes less than 10 minutes of your time but hurry, it closes today (February 25, 2022). Take the survey here. Thanks in advance for your support!

You’re invited to attend a critical Townhall session with the Department of Home Affairs on the Ransomware Action Plan and Proposed Reporting Regime. As part of Australia’s Ransomware Action Plan released last year, the Government is seeking to develop a ransomware incident reporting obligation for businesses – and is seeking your views on those proposed obligations. If you’re interested, register today so you don’t miss out!

On a more sombre note, the much predicted and feared invasion of Ukraine by Russia became a reality yesterday. This attack has already demonstrated some twenty-first century tactics, including a concerted effort to disrupt the infrastructure of Ukraine through cyber-attacks. ABC reports on the various methods being utilised and the predicted escalation of their use and impact. This could extend to countries geographically distanced from the physical location of the conflict, including Australia. The Australian government has advised several companies had already been alerted to possible attacks, suggesting all should prepare for malicious attacks whether they’re direct or unintended or uncontained activities. AUSCERT Security Bulletin ASB-2022.0059 will soon be published and will provide advice and links regarding the current situation in Ukraine in relation to cybersecurity threats. This will include a list of IoCs (indicators of compromise) we have collated. We recommend members review these and consider searching for or blocking threats accordingly.

Employees’ dodgy tech habits posing a risk to Australian businesses
Date: 2022-02-22 Author: Cyber Security Connect
KnowBe4 announced new research which has found that more than six in 10 Australian office workers (63 per cent) don't believe using their work email for personal activity is a security risk to their employer. The KnowBe4 data also revealed that more than half of that number engage with suspicious emails and SMS and only 5 per cent can correctly identify which emails and SMS are legitimate or scams. Furthermore, only four in 10 (40 per cent) employees say they always report suspicious emails and SMS to the IT team responsible for cyber security. More than half (52 per cent) say they engage with suspicious emails and SMS.

CISA publishes list of free security tools for business protection
Date: 2022-02-18 Author: The Register
The US Cybersecurity and Infrastructure Agency (CISA) has published a web catalog of free cybersecurity resources in the hope that those overseeing critical infrastructure can use the tools to better secure their systems. "CISA is super proud to announce the start of a new catalog of free resources available to those critical infrastructure owners and operators who would benefit from tools to help their security and resilience," said CISA director Jen Easterly in a statement.

Disturbing Mass Text Operation Terrorizes Ukraine as Russian Troops Move In
Date: 2022-02-23 Author: The Daily Beast
Ukrainian government websites were knocked offline Wednesday in a new wave of cyberattacks pummeling Ukraine, just as Russian forces are starting to roll into the country and Ukraine declares a nationwide state of emergency over Russia’s recent aggression. The sites of Ukraine’s Ministry of Foreign Affairs, its Security Service or SBU, and Cabinet of Ministers were all down Wednesday. Banks are also affected, Ukraine’s minister of digital transformation, Mykhailo Fedorov, said on his Telegram channel. Ukrainian soldiers have also recently reported receiving alarming text messages urging them to flee or be killed, in what appeared to be an attempt to degrade their morale.

US says Russian state hackers lurked in defense contractor networks for months
Date: 2022-02-17 Author: Ars Technica
Hackers backed by the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has revealed sensitive information about US weapons-development communications infrastructure, the federal government said on Wednesday. The campaign began no later than January 2020 and has continued through this month, according to a joint advisory by the FBI, National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The hackers have been targeting and successfully hacking cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and intelligence community.

Microsoft offers defense against 'ice phishing' crypto scammers
Date: 2022-02-18 Author: The Register
Microsoft has some advice on how to defend against "ice phishing" and other novel attacks that aim to empty cryptocurrency wallets, for those not already abstaining. Ice fishing involves cutting a hole in a frozen body of water in order to catch fish. Ice phishing, as Microsoft describes it, is a clickjacking, or user interface redress, attack that "[tricks] a user into signing a transaction that delegates approval of the user’s tokens to the attacker."
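The ice phishing item above turns on a single transaction: an ERC-20 approve() or ERC-721 setApprovalForAll() call that names the attacker as spender. The following is an added example, not code from the newsletter or from Microsoft's post, of the check a wallet or browser extension can run on the calldata before the user signs. It assumes a pending transaction object with `to` and `data` fields and a caller-supplied list of spender addresses the user deliberately interacts with; the two function selectors are the standard, publicly documented ERC-20/ERC-721 values, and every address and transaction in it is constructed sample data.

```javascript
// Added example: a wallet-side pre-signing check for "ice phishing" approvals.
// Not taken from the AUSCERT newsletter or from Microsoft's post. It decodes the
// calldata of a transaction the user is about to sign and flags approval calls
// that would hand control of the user's tokens to an unvetted spender.
// Selectors are the first 4 bytes of keccak256(signature); these two are the
// standard, publicly documented ERC-20 / ERC-721 values.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",         // ERC-20 allowance
  "0xa22cb465": "setApprovalForAll(address,bool)",  // ERC-721 / ERC-1155 operator
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Read ABI word i (32 bytes as hex) of the calldata that follows the 4-byte selector.
function word(data, i) {
  const hex = data.slice(10 + i * 64, 74 + i * 64);
  if (hex.length !== 64) throw new Error("calldata truncated");
  return BigInt("0x" + hex);
}

// An address argument is right-aligned in its 32-byte word.
function addrFromWord(w) {
  return "0x" + w.toString(16).padStart(40, "0");
}

// tx: { to, data }; trustedSpenders: addresses the user deliberately interacts with
// (e.g. the router of the dApp they opened). Returns a verdict the wallet UI can show.
function analyseApproval(tx, trustedSpenders) {
  const data = (tx.data || "0x").toLowerCase();
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn) return { isApproval: false, risk: "none", reasons: [] };

  const spender = addrFromWord(word(data, 0));
  const amount = word(data, 1); // uint256 allowance, or 0/1 for the bool flag
  const isErc20 = fn.startsWith("approve(");
  const granting = isErc20 ? amount > 0n : amount === 1n;
  const verdict = { isApproval: true, fn, token: tx.to, spender, amount, reasons: [] };

  // A revocation (allowance 0 / approved=false) never hands anything to the spender.
  if (!granting) return { ...verdict, risk: "none" };

  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  if (!trusted.has(spender)) verdict.reasons.push(`spender ${spender} is not on the trusted list`);
  if (isErc20 && amount === MAX_UINT256) verdict.reasons.push("unlimited ERC-20 allowance");
  if (!isErc20) verdict.reasons.push("operator approval for every token in the collection");

  const n = verdict.reasons.length;
  return { ...verdict, risk: n === 0 ? "low" : n === 1 ? "medium" : "high" };
}

// Helper to build sample calldata in the same ABI layout the check decodes.
function encodeCall(selector, spender, value) {
  const a = BigInt(spender).toString(16).padStart(64, "0");
  const v = BigInt(value).toString(16).padStart(64, "0");
  return selector + a + v;
}

// Constructed sample addresses; none of these are real contracts.
const TRUSTED = ["0x2222222222222222222222222222222222222222"]; // the dApp's own router
const TOKEN = "0x3333333333333333333333333333333333333333";
const ATTACKER = "0x1111111111111111111111111111111111111111";

const samples = {
  icePhish: { to: TOKEN, data: encodeCall("0x095ea7b3", ATTACKER, MAX_UINT256) },
  legit:    { to: TOKEN, data: encodeCall("0x095ea7b3", TRUSTED[0], 1000n * 10n ** 18n) },
  nftDrain: { to: TOKEN, data: encodeCall("0xa22cb465", ATTACKER, 1n) },
  revoke:   { to: TOKEN, data: encodeCall("0x095ea7b3", ATTACKER, 0n) },
  transfer: { to: TOKEN, data: encodeCall("0xa9059cbb", ATTACKER, 5n) }, // transfer(address,uint256)
};

for (const [name, tx] of Object.entries(samples)) {
  const v = analyseApproval(tx, TRUSTED);
  console.log(name, v.risk, v.reasons.join("; "));
}
```

The two signals that matter are who the spender is and how much is being granted: a spender the user never chose, or an allowance of 2^256-1, is exactly the pattern a phishing page relies on, and a plain transfer() or a revocation should pass without friction so the prompt keeps its meaning.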
Australia promises cyber support to Ukraine as Russian forces array along its borders
Date: 2022-02-21 Author: ABC News
Australia will expand cyber training for Ukrainian officials and could join a broader coalition of Western countries to provide the besieged Eastern European nation with military equipment or other support as fears of a Russian invasion continue to mount. Late on Sunday, the United Kingdom, Australia and the United States formally blamed Russia's main intelligence agency for a series of cyber attacks on Ukraine's major banks six days ago, with Foreign Minister Marise Payne and Defence Minister Peter Dutton declaring Moscow was responsible for an "ongoing unacceptable and disruptive pattern of malicious cyber activity".

464 Australian data breaches reported to the OAIC in latter half of 2021
Date: 2022-02-22 Author: ZDNet
The private health services industry is once again the sector with the highest number of reported data breaches in Australia, accounting for 18% of all breaches notified to the Office of the Australian Information Commissioner (OAIC) during the latter half of 2021. Out of the total 464 data breach notifications sent to the OAIC during the six months to December, private health service providers reported 83 of them. Finance filed the second most with 56, while legal, accounting, and management services rounded out the top three with 51. The 464 data breaches received by the information commissioner under the Notifiable Data Breaches (NDB) scheme marked a 6% increase when compared to the first half of 2021.

ESB-2021.3503.2 – UPDATE Cisco IOS XE SD-WAN Software: CVSS (Max): 7.8
Cisco has released software updates to address a vulnerability in their IOS XE SD-WAN Software which, if exploited, could allow an authenticated local attacker to execute arbitrary commands with root privileges.

ESB-2022.0768 – python-pillow: CVSS (Max): 9.8
RedHat's latest update for python-pillow fixes multiple vulnerabilities. RedHat has rated this update as having a security impact of Important.

ESB-2022.0805 – Cisco Nexus 9000 Series Switches: CVSS (Max): 8.6
A vulnerability in Cisco Nexus 9000 Series Switches could lead to a Denial of Service. Cisco has released software updates that address this vulnerability.

ESB-2022.0817 – MozillaFirefox: CVSS (Max): 7.5
An update has been released to fix 8 vulnerabilities in Mozilla Firefox, including Privilege Escalation to SYSTEM on Windows.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 18th February 2022

18 Feb 2022

Greetings,

February 13 – 19 is "Random Acts of Kindness Week", an opportunity for everyone to do one small act of kindness each day! You can help make kindness the norm! The foundation behind the initiative encourages and challenges everyone to try different activities, from giving a gift card to being a kid again and letting someone know that they bring joy! Although celebrations end this weekend, every day of the year is an opportunity to be kind. To help you, the Random Acts of Kindness Foundation has some great ideas to inspire you to make kindness the norm.

Someone who has made kindness part of their every day is Kath Koschel, our keynote speaker for AUSCERT2022. Kath's amazing and inspiring story saw her choose to make kindness part of every day. The flow-on effects resulted in The Kindness Factory, whose mission it is to make the world a kinder place. The journey to where Kath is today was possible, in large part, due to her resilience. This aspect of who we are is discussed in our latest episode of "Share Today, Save Tomorrow", AUSCERT's podcast series. You will also hear from Kylie Watson, a Technology Executive and Sociologist, who talks about her experience and perspective of working in the cyber industry, incorporating psychology to provide a unique point of view.

Lastly, AUSCERT recently finalised a range of training sessions that we will deliver in 2022, designed for anyone who looks after their organisation's cyber security. You can view training dates and book directly online HERE. This training is exclusive to AUSCERT Members only.

'You can't stop it': in rural Australia, digital coercive control can be inescapable
Date: 2022-02-17
Author: The Conversation

[This article contains information about domestic and family violence that may be triggering.]

Domestic and family violence perpetrators commonly use technology such as phones and other devices as a weapon to control and entrap victims and survivors, alongside other forms of abuse. This "digital coercive control" is not bound to a particular location and can follow targets anywhere, any time they access devices or digital media. For women outside urban Australia, technology-enabled abuse can pose more risk than for those in cities. In research funded by the Australian Institute of Criminology, we spoke to 13 such women who have been subjected to digital coercive control to understand what it is like.

Massive QR breach from NSW Government exposes 500,000 people
Date: 2022-02-15
Author: news.com.au

More than 500,000 addresses – including those of defence sites, domestic violence shelters and a missile maintenance unit – have been exposed in a massive NSW Government QR code bungle. The hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system, having registered as wanting to comply with COVID-Safe directions.

Joint Aust-UK-US intelligence paper highlights ransomware threat
Date: 2022-02-14
Author: InnovationAus

A joint report coordinated by the cybersecurity authorities of the US, the UK and Australia has warned of the increased global threat of ransomware attacks and has advised organisations to take immediate precautions. In the 2020-21 financial year the Australian Cyber Security Centre (ACSC) received more than 67,500 reports of cybercrime, an increase of 13 per cent on the preceding year. Released on February 9, the ACSC co-authored paper found that ransomware attackers increased their impact by targeting the cloud, managed service providers, industrial processes and the software supply chain, and by timing attacks for holidays and weekends.

Emotet Now Spreading Through Malicious Excel Files
Date: 2022-02-16
Author: Threatpost

An ongoing malicious email campaign that includes macro-laden files and multiple layers of obfuscation has been active since late December. The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found. Researchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue its nefarious work, they wrote in a report published online Tuesday.

TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
Date: 2022-02-16
Author: Threatpost

The resurgent trojan has targeted 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks. Cyberattackers are targeting 60 different high-profile companies with the TrickBot malware, researchers have warned, many of them in the U.S. The goal is to attack those companies' customers, according to Check Point Research (CPR), who are being cherry-picked for victimisation. According to a Wednesday CPR writeup, TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.

ESB-2022.0621 – Adobe Commerce: CVSS (Max): 9.8
Adobe has released security updates for Adobe Commerce and Magento Open Source. This vulnerability is being exploited in the wild.

ESB-2022.0642 – macOS Monterey 12.2.1: CVSS (Max): None
Apple has released updates to the WebKit engine used by Safari to address a remote code execution vulnerability.

ESB-2022.0653 – Google Chrome: CVSS (Max): None
Google has released a stable channel update for Chrome to address multiple vulnerabilities. Google is also aware that an exploit for CVE-2022-0609 exists in the wild.

ESB-2022.0693 – Drupal core: CVSS (Max): None
Drupal has fixed an improper input validation vulnerability affecting Drupal Core.

ESB-2022.0695 – Jenkins Plugins: CVSS (Max): 8.8
Multiple command execution vulnerabilities in pipeline-related plugins have been addressed by Jenkins.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 11th February 2022

11 Feb 2022

Greetings,

International Safer Internet Day took place on February 8, an opportunity for everyone to ensure they play it safe and fair online. There is no place for online abuse. We can all help to make life online enjoyable by being kind and respectful to each other. Research shows that Australians are learning and caring more about online safety than ever before and, if you wish to learn more, visit the eSafety Commissioner website to help you to Play it Fair!

The beginning of this week also saw Meta (formerly Facebook) lose a bid to dismiss legal action against it relating to the misuse of information of some of its Australian users. The social media giant was also flagged for not taking "responsible steps" to keep that information safe. This was the second time Meta's request was denied, following a ruling in late 2020 in which authorities found that the company operated within Australia and collected data there. Business Insider details the journey to the decision, made by the full bench of the Federal Court, which could have long-lasting and broad ramifications.

Elsewhere, Telstra revealed plans to improve and increase its cyber security offerings to the Australian government. The pandemic has been identified as the catalyst for the increase in digital adoption, which has also seen cyber attacks adapt and increase. itnews highlights how that, along with the government's plans to centralise networks, is part of the reason for Telstra to create a specialised team to provide cyber security services at all levels of government.

Have a great weekend!

Microsoft February 2022 Patch Tuesday: 48 bugs squashed, one zero-day resolved
Date: 2022-02-09
Author: ZDNet

Microsoft has released 48 security fixes for software, including a patch for a zero-day bug, but there are no critical-severity flaws on the list this month. In the Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, privilege escalation bugs, spoofing issues, information leaks and policy bypass exploits. Products impacted by February's security update include the Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer and Microsoft SharePoint.

ASIO tracking foreign spies on dating apps Tinder and Bumble
Date: 2022-02-09
Author: The Sydney Morning Herald

The boss of Australia's counter-espionage agency ASIO has warned foreign spies appear to be using dating apps such as Tinder, Bumble and Hinge to get sensitive information from Australians. In his latest annual threat assessment, delivered on Wednesday night, Mr Burgess for the first time confirmed that espionage and foreign interference have supplanted terrorism as ASIO's principal security concern. [Mr Burgess] also revealed his agency recently foiled a foreign interference plot in the lead-up to an election in Australia, which involved an attempt to install political candidates at the behest of a foreign government.

Microsoft will block downloaded macros in Office versions going back to 2013
Date: 2022-02-08
Author: Ars Technica

In the interest of combating ransomware and other malware, Microsoft is planning a major change in how its Office software handles macros: when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros. The change will be previewed starting in April in Office version 2203, before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016 and 2013. The Mac, iOS, Android and web versions of Office won't be affected.

China suspected of cyber attack on News Corp
Date: 2022-02-07
Author: Cyber Security Connect

According to Reuters, hackers broke into News Corp email accounts and compromised the data of an unspecified number of journalists, the media firm disclosed last week. The hack was likely aimed at gathering intelligence for Beijing's benefit, according to News Corp's internet security adviser. The breach was discovered in late January and affected emails and documents of what it described as a limited number of employees, including journalists. News Corp, which publishes The Wall Street Journal, confirmed that cyber security firm Mandiant had contained the breach.

Australia's anti-trolling Bill enters Parliament retaining defamation focus
Date: 2022-02-10
Author: ZDNet

The federal government has officially introduced the highly-publicised anti-trolling Bill into Parliament. The Bill, the Social Media (Anti-Trolling) Bill 2022, was first announced by Australian Prime Minister Scott Morrison in November as a mechanism that would "unmask anonymous online trolls" and address toxic content existing on social media platforms. The anti-trolling Bill has since been touted by Liberal Senator and Attorney-General Michaelia Cash as one of the primary items her party wants to push out before the federal election.

UK.gov threatens to make adults give credit card details for access to Facebook or TikTok
Date: 2022-02-08
Author: The Register

Adults will have to hand over credit card or passport details before they can access social media sites, the British government threatened this morning. Internet use age verification – first floated and then abandoned via the country's 2017 Digital Economy Act – will return in the UK's Online Safety Bill, digital minister Chris Philp MP has vowed, linking the technology, widely criticised by privacy activists, to protecting children from pornography websites.

No early data on use of Australia's cyber-abuse takedown laws
Date: 2022-02-08
Author: iTnews

Immediate applications of Australia's new cyber-abuse takedown laws, which came into force on January 23, remain unclear, with parties on all sides saying it is too early to have access to meaningful data. The "world-first scheme" gives Australia's eSafety commissioner Julie Inman Grant authority to have the 'worst of the worst' content removed from the internet, "no matter where it is hosted".

Vodafone Portugal struggles to restore service following cyberattack
Date: 2022-02-09
Author: ViralAmo

Vodafone Portugal is slowly working to recover following a "deliberate and malicious cyberattack" that brought down services used by millions of people and businesses in that country, including those for ambulances and other emergency services. Vodafone Portugal, a subsidiary of UK-based Vodafone Group with 4.3 million cell phone subscribers and 3.4 million fibre subscribers, said in a statement that the attack began on Monday evening. The attack quickly took down the subsidiary's 4G and 5G networks and halted fixed voice, television, SMS, and voice and digital answering services.

Google fixes remote escalation of privileges bug on Android
Date: 2022-02-08
Author: Bleeping Computer

Google has released the February 2022 Android security updates, addressing two critical vulnerabilities, one being a remote escalation of privilege that requires no user interaction. The vulnerability is tracked as CVE-2021-39675, carries a "critical" severity rating, and affects only Android 12, the latest version of the popular OS. These flaws are typically leveraged by sophisticated spyware vendors that independently discover and privately use zero-days in mobile operating systems. However, in this case, Google hasn't seen any signs of active exploitation.

ASB-2022.0050 – Microsoft 365 Apps for Enterprise: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for February 2022.

ESB-2022.0532 – Adobe Creative Cloud Desktop Application: CVSS (Max): 7.0
Adobe has released an update for the Creative Cloud Installer for Windows. This update includes a fix for a critical vulnerability that could lead to arbitrary code execution in the context of the current user.

ESB-2022.0554 – Python: CVSS (Max): 9.8
Python could be made to execute arbitrary code or suffer a denial of service if it received specially crafted input.

ESB-2022.0524 – Android: CVSS (Max): 9.1*
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 4th February 2022

4 Feb 2022

Greetings,

The beginning of February signified the Lunar New Year, which in 2022 is the Year of the Tiger. Many Asian cultures historically follow a lunar calendar, which sees the Lunar New Year fall on a different day from the (solar) Gregorian calendar. People born during a Tiger Year are thought to be natural leaders who are both brave and thrill-seeking, often craving attention. Some might say these attributes are embodied by a lot of the competitors at this year's Winter Olympic Games, which officially get underway tonight in Beijing, China.

Though an exciting time for all taking part, the FBI has issued a warning to athletes to take a temporary, or burner, phone with them to mitigate the risk of cyberattacks. NPR details the reason for this: all participants and officials are required to download and use an app as part of the COVID-19 safety protocols. With over 450 million cyberattacks connected to the 2020 Tokyo Olympic and Paralympic Games, the FBI is concerned the app would be a potential target for ransomware and malware, data theft, and distributed denial of service attacks.

Elsewhere, a recent situation at Spotify has seen an exodus from the music streaming service. Subsequently, people across the globe have been looking at alternative platforms for their audio fixations, with ZDNet providing a range of services to compare and evaluate to help in the decision-making process to get back to enjoying your favourite artists, songs and podcasts (including our very own 'Share Today, Save Tomorrow').

600K WordPress sites impacted by critical plugin RCE vulnerability
Date: 2022-01-31
Author: Bleeping Computer

Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution (RCE) vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, such as of a PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax_load_more and ajax_eael_product_gallery functions," explain the PatchStack researchers who discovered the vulnerability.

Malicious hybrid cloud campaign uses OAuth apps to target C-level executives
Date: 2022-01-28
Author: SC Media

Researchers reported a new hybrid cloud campaign, dubbed OiVaVoii, that uses hijacked Office 365 users and a sophisticated combination of malicious OAuth apps and targeted phishing threats to attack many C-level executives, including CEOs, general managers, former board members and the presidents of companies. In a Jan. 28 blog post, Proofpoint researchers said that, starting on Jan. 18, they observed account takeovers both by malicious OAuth apps stealing OAuth tokens and via credential theft. The researchers said there are other risks after the account takeovers, mainly data leakage, continued phishing, lateral movement, brand abuse and malware distribution.

NSW Police warns of new FluBot malware scam phishing texts
Date: 2022-02-01
Author: Cyber Security Connect

NSW Police posted a warning on their official Facebook page about the new FluBot phishing texts that have been making the rounds, sending malware links that enable the download and installation of malicious software onto devices. According to Scamwatch, many Australians have been receiving scam text messages about missed calls, voicemails, deliveries and photo uploads since August 2021. The text messages ask recipients to tap on a link to download or access something. Doing so will download a specific type of malware to your device. These are "FluBot" text messages.
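Going back to the Essential Addons item above: the root cause PatchStack describes is user input reaching PHP's include, which is a local file inclusion (LFI) and, on a site where any readable PHP or uploadable file can be reached, remote code execution. The following is an added illustration written for this review, not the plugin's code and not PatchStack's proof of concept. It shows the vulnerable shape beside a hardened resolver that allowlists template names and then confines the resolved path to the template folder. The function names, the template names, the request parameter and the throwaway folder layout are all assumptions.

```php
<?php
// Added illustration of user input flowing into include (LFI) and one way
// to harden it. Not Essential Addons code; all names below are hypothetical.
declare(strict_types=1);

// --- Vulnerable shape: the request decides what gets included ---------------
// Anything the web server can read is reachable, e.g. "../secret" or
// "../../../../wp-config". Even a non-PHP upload is executed by include.
function vulnerable_template_path(string $dir, string $userInput): string
{
    return $dir . '/' . $userInput . '.php';   // attacker-controlled path
}

// --- Hardened shape: allowlist by name, then confine the resolved path -------
const ALLOWED_TEMPLATES = ['grid', 'list', 'masonry'];   // assumption

function safe_template_path(string $dir, string $userInput): ?string
{
    // 1. Exact match against a fixed allowlist. Strict comparison avoids
    //    PHP type juggling ("0" == "grid" style surprises).
    if (!in_array($userInput, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: resolve symlinks and ".." and require that the
    //    real path still sits inside the template folder. This protects a
    //    future maintainer who loosens the allowlist.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $userInput . '.php');
    if ($base === false || $path === false) {
        return null;                              // missing dir or file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                              // escaped the folder
    }
    return $path;
}

// --- Demo: throwaway folder (constructed for this example) ------------------
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/grid.php', "<?php echo 'grid template';\n");
file_put_contents($tmp . '/secret.php', "<?php echo 'should never load';\n");
$templateDir = $tmp . '/templates';

// Sample request values, the last two shaped like traversal attempts.
$samples = ['grid', '../secret', '../../../../wp-config'];
foreach ($samples as $input) {
    printf("%-28s vulnerable -> %s\n", var_export($input, true),
        vulnerable_template_path($templateDir, $input));
    printf("%-28s safe       -> %s\n", '',
        var_export(safe_template_path($templateDir, $input), true));
}

// Only the hardened resolver's result is ever handed to include.
$chosen = safe_template_path($templateDir, 'grid');
if ($chosen !== null) {
    include $chosen;                              // prints "grid template"
    echo "\n";
}

// Tidy up the throwaway files.
unlink($tmp . '/templates/grid.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/templates');
rmdir($tmp);
```

Run it with `php lfi_demo.php` (PHP 7.1 or later for the nullable return type). The allowlist is what actually closes the hole; the realpath containment check is there so that a later change to the allowlist, or a symlink dropped into the template folder, still cannot pull in a file from outside it. Note that prefix-checking without realpath would be bypassable with `..`, which is why the resolved path is compared rather than the raw string.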
Australian Red Cross clients potentially caught up in international cyber attack
Date: 2022-01-31
Author: iTnews

Australian Red Cross is contacting clients and reviewing its local systems and services in the wake of a "major" cyber attack on a large database hosted by the International Committee of the Red Cross (ICRC). The database held case file details on more than 500,000 people worldwide who had sought services for loved ones missing or uncontactable overseas due to disaster or conflict, or who were being held in immigration detention.

Scammers continue to spoof job listings to steal money and data, FBI warns
Date: 2022-02-02
Author: The Record

Since at least early 2020, video game giant Riot Games has been dealing with a scam that is increasingly ensnaring companies and job seekers alike. According to a lawsuit filed by the company in November, a team of scammers "undertook an extensive, coordinated, and highly sophisticated fraud scheme" that lured eager professionals into handing over banking information and other sensitive data by dangling fraudulent job postings and interviews with fake human resources representatives. Similar scams have been reported by Biogen, Vox Media, Harvard University and many others. On Tuesday, the US Federal Bureau of Investigation warned that these scams have cost victims an average of [US]$3,000 since 2019, and often negatively impact their credit scores. The FBI's Internet Crime Complaint Center (IC3) specifically alerted companies to a lack of strong security verification standards on recruitment websites, which allows criminals to post fake job ads.

ESB-2022.0429 – Samba: CVSS (Max): 9.9
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability leading to root compromise.

ESB-2022.0462 – Google Chrome: CVSS (Max): None
Google has released updates to Chrome to address 19 security vulnerabilities.

ASB-2022.0049 – Microsoft Edge (Chromium-based): CVSS (Max): 7.7*
Following the Google Chrome advisory, Microsoft has also released updates for Edge (Chromium-based), with the addition of 3 unique CVEs.

ESB-2022.0454 – ALERT Cisco RV Series Routers: CVSS (Max): 10.0
Multiple vulnerabilities in RV series routers have been identified, with a CVSS score of 10.0.

ESB-2022.0501 – GitLab Community Edition and GitLab Enterprise Edition: CVSS (Max): 7.7
GitLab has released security updates to address multiple vulnerabilities.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Learn more