Week in review

AUSCERT Week in Review for 1st October 2021

5 Nov 2021

Greetings,

Today is International Coffee Day, an opportunity to celebrate the tasty brew that provides a kickstart to get us going or a boost to sustain us when needed. How do you prefer your coffee?

Earlier in the week, it was revealed that almost 10 million Android devices globally had been infected with malware delivered via GriftHorse apps. The Register reported on the Trojan code that has already netted millions of dollars.

ZDNet advised that many experts, including VMware and CISA, have been begging people to address CVE-2021-22005, a vulnerability in VMware vCenter, by updating their systems as soon as possible.

Microsoft rolled out a new feature to Exchange that will automatically install temporary mitigations that block actively exploited security flaws until an official patch is released by Microsoft. The Record wrote about this proactive move and its first-of-its-kind security feature.

Lastly, we wanted to advise of some upcoming training being held in the last quarter of 2021, delivered remotely via Zoom. The courses will focus on Cyber Security Risk Management and Introduction to Cyber for IT Professionals. Dates and further information can be found on the online booking portal or by contacting us via email at training@auscert.org.au.

Emergency Google Chrome update fixes zero-day exploited in the wild
Date: 2021-09-24 Author: Bleeping Computer
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. “Google is aware that an exploit for CVE-2021-37973 exists in the wild,” the browser vendor revealed in Friday’s security advisory.

Victoria launches five-year, AU$50 million cyber strategy
Date: 2021-09-20 Author: ZDNet
The Victorian government has launched a new five-year cyber strategy that will see over AU$50 million allocated towards bolstering the state’s cybersecurity resilience. The cyber strategy will focus on three core missions that government has described as providing safe and reliable delivery of government services, creating a cyber safe place, and creating a “vibrant” cyber economy. The strategy will be implemented through the state’s chief information security officer releasing annual mission delivery plans that outline specific activities associated with the three core missions. The CISO will develop this plan in consultation with relevant stakeholders across government, industry, and the community.

Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes
Date: 2021-09-27 Author: The Record
Microsoft will soon roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years. Called the Microsoft Exchange Emergency Mitigation service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches. The Emergency Mitigation service will be enabled by default for all Exchange servers once they install the September 2021 Cumulative Updates for Exchange servers, which are shipping out soon, after Microsoft delayed their release last week to have more time to work on it.

Wide-ranging BEC scam underscores dangers of doing business with (un)trusted suppliers
Date: 2021-09-27 Author: SC Media
Such schemes, referred to as “business email compromise,” often don’t get nearly the amount of attention or public awareness as ransomware and other forms of cybercrime, but the cumulative losses to businesses and individuals every year often dwarf what is seen in almost all other areas of digital crime. According to the latest annual internet crime report from the FBI, they helped fuel a record number of complaints reported to authorities by the American public in 2020, with 19,369 complaints and adjusted losses of $1.8 billion attributed to BEC schemes alone.

Govt cyber incident intervention powers likely to be rushed in
Date: 2021-09-30 Author: iTnews
‘Last resort’ powers that would allow the government to intervene to contain a cyber attack on critical infrastructure should be “swiftly legislated”, a parliamentary committee says.

ESB-2021.3226 – ALERT Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google Chrome has released updates to fix an actively exploited zero-day vulnerability tracked as CVE-2021-37973.

ASB-2021.0187 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft last week rolled out updates for its Chromium-based Edge browser addressing multiple vulnerabilities, including the zero-day CVE-2021-37973.

ESB-2021.3214 – Traffix SDC: Denial of service – Remote/unauthenticated
F5 is yet to release a fix for Traffix SDC to address a use-after-free vulnerability in glibc.

ESB-2021.3262 – GitLab Community Edition and GitLab Enterprise Edition: Multiple vulnerabilities
GitLab addresses numerous vulnerabilities in its latest security release, including stored XSS, DNS rebinding, and a number of permission mishaps.

ESB-2021.3162.2 – UPDATE ALERT VMware vCenter Server & Cloud Foundation: Multiple vulnerabilities
VMware has updated their security advisory to confirm that CVE-2021-22005 is being exploited in the wild.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 29th October 2021

29 Oct 2021

Greetings,

AUSCERT is always looking for ways to increase our value to our members. We know that data governance is essential to cyber security: in order to protect against threats, organisations need to know what data to protect and how best to protect it. As part of this, we would like to hear your feedback on the idea of us delivering data governance advisory services. We are seeking expressions of interest for services such as these and would welcome feedback via our online survey. All submissions are confidential and will assist us in evaluating the need for this service in your organisation.

The Women in Security Magazine explores the different journeys of women in security, gains career perspectives from industry experts, offers different technology perspectives, includes insights from industry greats on diversity and inclusion, and so much more! Issue 5 explores the misconception concerning the shortage of skilled women in the security industry and includes an interview with AUSCERT team member Vishaka about her journey into the field of cyber security.

As we celebrate Cyber Security Awareness Month, it’s important to ensure you have access to the right information and tools you need to make informed decisions about your cyber risk tolerance.

Overview of Malware Hosted on Discord’s Content Delivery Network
Date: 2021-10-20 Author: RiskIQ
RiskIQ’s Research team has begun analyzing Discord Content Delivery Network links with files ending in certain extensions (such as exe, dll, compressed and document file extensions) to identify malware files posted to Discord servers. Through this research, we can identify the Discord channel ID to pivot off in the RiskIQ platform. Overall, since mid-September 2021, RiskIQ was able to identify over 100 Discord URLs delivering malicious content, such as AsyncRAT, Raccoon Stealer, Agent Tesla, and many other backdoors, password stealers, and Trojans.
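Added example, written for this digest and not taken from the RiskIQ write-up or from AUSCERT: a small Python triage script in the spirit of the approach described above. It pulls Discord CDN attachment links out of constructed proxy-log lines, keeps only those whose filename carries an executable, library, archive or document extension, and groups the hits by channel ID so that the channel can be used as the pivot point. The CDN host names, the /attachments/<channel_id>/<attachment_id>/<filename> path layout, the extension list and the sample log lines are all assumptions made here, not facts from the article.

```python
import re
from urllib.parse import urlparse

# Assumed layout of a Discord CDN attachment link (not taken from the article):
#   https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>
ATTACHMENT_RE = re.compile(
    r"^/attachments/(?P<channel_id>\d+)/(?P<attachment_id>\d+)/(?P<filename>[^/?#]+)$"
)
# Assumed CDN host names worth inspecting.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Extensions to flag: executables, libraries, scripts, archives and office documents.
# Constructed watch-list; tune it for your environment.
SUSPICIOUS_EXTENSIONS = {
    "exe", "dll", "scr", "msi", "bat", "ps1", "js", "vbs", "jar",
    "zip", "rar", "7z", "iso",
    "doc", "docm", "xls", "xlsm", "pdf", "one",
}

# Matches any http(s) URL embedded in a log line.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url):
    """Return (channel_id, attachment_id, filename, extension) when `url` is a
    Discord CDN attachment with a watched extension, otherwise None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.hostname not in DISCORD_CDN_HOSTS:
        return None
    m = ATTACHMENT_RE.match(parsed.path)   # query string is already split off
    if not m:
        return None
    filename = m.group("filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SUSPICIOUS_EXTENSIONS:
        return None
    return (m.group("channel_id"), m.group("attachment_id"), filename, ext)


def triage(log_lines):
    """Scan log lines and return {channel_id: [(attachment_id, filename), ...]}
    for every flagged attachment, keyed by channel so the channel can be pivoted on."""
    hits = {}
    for line in log_lines:
        for url in URL_RE.findall(line):
            result = classify_url(url)
            if result is None:
                continue
            channel_id, attachment_id, filename, _ext = result
            hits.setdefault(channel_id, []).append((attachment_id, filename))
    return hits


# Constructed proxy-log lines for demonstration; the IDs and hosts are made up.
SAMPLE_PROXY_LOG = [
    '2021-10-20T09:14:02Z 10.0.0.12 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/invoice.exe 200',
    '2021-10-20T09:15:40Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/holiday.png 200',
    '2021-10-20T09:16:11Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/report.docm?ex=abc 200',
    '2021-10-20T09:17:55Z 10.0.0.40 GET https://example.invalid/attachments/1/2/payload.exe 200',
]

if __name__ == "__main__":
    for channel_id, attachments in triage(SAMPLE_PROXY_LOG).items():
        print(f"channel {channel_id}:")
        for attachment_id, filename in attachments:
            print(f"  attachment {attachment_id} -> {filename}")
```

Only the Discord-hosted .exe and .docm links are reported; the image and the non-Discord host are ignored, and the query string on the third link does not interfere with the extension check because the path is inspected separately from the query.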
Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms
Date: 2021-10-25 Author: ZDNet
The federal government has released an exposure draft for what it has labelled an Online Privacy Bill that it hopes will enhance online privacy protections for Australians through an expansion of the nation’s Privacy Act. “The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy,” the federal government wrote in the Bill’s explanatory paper. Under current legislation, the federal government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a credit reporting code. The Bill is seeking to expand the Privacy Act to allow government to create a third code specifically for regulating three classes of organisations: social media platforms, data brokers, and large online platforms.

Mozilla Firefox cracks down on malicious add-ons used by 455,000 users
Date: 2021-10-26 Author: ZDNet
Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, used by software to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities.

These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Date: 2021-10-27 Author: ZDNet
Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

1,000,000 Sites Affected by OptinMonster Vulnerabilities
Date: 2021-10-27 Author: Wordfence
On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

ESB-2021.3563 – ALERT macOS Big Sur: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Apple macOS Big Sur, the most severe of which could allow root compromise.

ESB-2021.3602 – Junos OS and Junos OS Evolved: Multiple vulnerabilities
Juniper has released new software versions for Junos OS to address multiple vulnerabilities which could lead to root compromise.

ESB-2021.3605 – salt: Root compromise – Existing account
An issue was discovered in SaltStack Salt which allows a user who has control of the source and source_hash URLs to gain full file system access as root.

ESB-2021.3599 – Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Multiple vulnerabilities
Cisco has released updates for multiple vulnerabilities identified in Cisco ASA and Cisco FTD software.

ESB-2021.3608 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): Multiple vulnerabilities
GitLab has released security updates to fix multiple vulnerabilities identified in Community Edition and Enterprise Edition.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 22nd October 2021

22 Oct 2021

Greetings,

With the announcement of the new slate of Apple products this week, including MacBooks and AirPods, which now looks to be an annual occurrence, questions arise as to whether some of the newer versions are a needed evolution of technology or simply a tactic to increase sales. A recent article from ZDNet discusses whether the drive to incorporate new and untested elements (with the goal of creating the need for consumers to upgrade) comes at the cost of functionality.

Red Teaming, social engineering and stolen identities – war stories from the field is the topic of Episode 6 of AUSCERT’s podcast series, “Share today, save tomorrow”. It features co-Founder and CEO of Hacktive, Chris Gatford, who has been responsible for delivering Attack and Penetration and Technical Security Assessments, has reviewed countless IT environments, and has directed and been responsible for numerous security assessments for a variety of corporations and government departments. Mike Holm returns to discuss a recent Apache vulnerability and AUSCERT’s response, notifying members that were potentially susceptible to the vulnerability in a very timely manner, as well as the expansion of services to include advisory on Data Governance and running Tabletop exercises.

Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

We’re excited to announce the release of a snapshot of our service stats for Quarter 3, 2021, an overview of the cyber security incidents reported by members from 1 July – 30 September 2021 that also includes a summary of other key achievements this quarter. We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our service stats for Quarter 3 2021.

Microsoft asks admins to patch PowerShell to fix WDAC bypass
Date: 2021-10-18 Author: Bleeping Computer
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.

ACCC warns phone users to be aware of evolving Flubot scams
Date: 2021-10-17 Author: ABC News
A text message scam that contacts thousands of Australians a day has evolved to entice phone users to install software security — to protect against its own malicious malware. Since August, Australians have received text messages purporting to be an unopened voicemail notification, with a link encouraging users to download the scam “voicemail”. Cyber security experts are warning the scam has morphed into an elaborate scheme that plays on users’ security fears. In a strange twist, the scam is enticing phone users to download extra security to protect their phone — from their own scam.

Australia’s Ransomware Action Plan – What does it mean for you?
Date: 2021-10-14 Author: Willis Towers Watson
Will Australia introduce a mandatory ransomware incident reporting regime? The government’s Ransomware Action Plan seeks to create a cultural shift in the way Australia responds to this cyber threat. On 13 October 2021, the Minister for Home Affairs Karen Andrews announced the Ransomware Action Plan, which is intended to support Australian individuals, businesses, and critical infrastructure. The plan responds to significant public concern around rising losses to business and the community caused by malicious cyber extortion attacks and the worrying increase in financial and identity frauds perpetrated following ransomware attacks. It also provides key insights into the Australian Government’s wider cyber security objectives.

Supply chain attacks are the hacker’s new favourite weapon. And the threat is getting bigger
Date: 2021-10-20 Author: ZDNet
Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it’s possible to find a potential way into thousands of targets at once. Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.

Female Cybersecurity Leaders: Who Wants Them?
Date: 2021-10-20 Author: LinkedIn
[Spoilers: many organisations can benefit from the female CISO’s point of view.] Last year, the world witnessed one of the greatest industrial changes in living memory with the pandemic igniting rapid, exponential growth. Caught off guard, and now in our post-pandemic reflective reality, one thing has become crystal clear. The world seeks a new kind of leader – one who must not only embrace change but become an instigator of it and renowned for it. The era of the fast follower – a company that quickly imitates the innovations of its competitors – is over. Thanks to technology, continual rapid change is here to stay. For years we’ve known it was coming, what with Industry 4.0 on the horizon. And that’s why effective leaders must become experts of change. The first mover advantage is back!

Google unmasks two-year-old phishing & malware campaign targeting YouTube users
Date: 2021-10-21 Author: The Record by Recorded Future
Almost two years after a wave of complaints flooded Google’s support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google’s security team has finally tracked down the root cause of these attacks. In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to “a group of hackers recruited in a Russian-speaking forum.” TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review.

ASB-2021.022 – ALERT Oracle Insurance Applications: Multiple vulnerabilities
Oracle has released a critical patch update that fixes multiple vulnerabilities in Oracle Insurance Applications.

ASB-2021.0212 – ALERT Oracle Communications products: Multiple vulnerabilities
Oracle’s most recent patch update includes fixes for 71 new security patches and additional third-party patches for Oracle Communications products.

ASB-2021.0203 – ALERT Oracle Fusion Middleware Products: Multiple vulnerabilities
Oracle released 38 new security patches for multiple vulnerabilities in Oracle Fusion Middleware. 30 of these vulnerabilities may be exploited over a network without requiring user credentials.

ASB-2021.0198 – ALERT MySQL products: Multiple vulnerabilities
Multiple vulnerabilities identified in Oracle MySQL have been addressed by Oracle’s October patch update.

ASB-2021.0225 – Microsoft Surface Pro 3: Reduced security – Existing account
Microsoft encourages its customers to practice good security habits to address a bypass vulnerability that affects Microsoft Surface Pro 3.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 8th October 2021

8 Oct 2021

Greetings,

The global outage of Facebook, Instagram and WhatsApp earlier in the week highlighted the impact a small error can have on an entire network. It’s believed that the outage was caused by a routine maintenance job that unintentionally resulted in Facebook’s data centres being disconnected from the internet, making Facebook, WhatsApp and Instagram inaccessible. With over 3.5 billion users around the planet, MIT Technology Review writes on how dependent people have become on one company’s data centres and the impact an outage on this scale has.

Earlier in the week, AUSCERT team members participated in a multi-national drill that saw their skills tested with a simulated malware attack. Of the eight tasks they were asked to complete, the most challenging required the duo to analyse, evaluate and re-assess their response to what they correctly deduced was a ransomware attack. Fifteen teams took part, with both AUSCERT team members saying they enjoyed the challenge, which tested abilities from file decryption to port scanning to gain an understanding of how the attack occurred. Exercises such as this provide our team with current, real-world scenarios that reinforce, add to and enhance their skillset to ensure AUSCERT remains at the forefront of cyber security defence.

Lastly, October is Cybersecurity Awareness Month, the perfect time to remind individuals and organizations of the importance of cybersecurity and to encourage active use of measures that foster vigilance and offer protection. There are many ways to improve protection against common online threats and cybercrime. At AUSCERT, we’re passionate about data security and keeping your information safe. That’s why we deliver 24/7 service to our members alongside a range of comprehensive tools to strengthen your cyber security strategy. To stay up-to-date with the latest cyber information, security alerts and more, simply head to our website, scroll to the bottom and subscribe!

Legislation expanding digital identity scheme to private sector finally unveiled
Date: 2021-10-04 Author: Innovation Aus
The federal government has finally unveiled exposure legislation expanding its digital identity program to state governments and the private sector, with a whirlwind consultation period commencing before it is soon introduced to Parliament. The legislation will introduce two voluntary schemes to accredit companies and governments as service providers or relying partners in the digital identity program, as well as enshrining extra privacy safeguards in law and establishing a permanent oversight authority for the scheme. The digital identity scheme, a whole-of-government federal program aiming to provide identity verification across a range of government services and private sector offerings, has been in the works for six years at a cost of more than $450 million, but legislation is required to expand it to the private sector.

Understanding How Facebook Disappeared from the Internet
Date: 2021-10-05 Author: Cloudflare
“Facebook can’t be down, can it?”, we thought, for a second. Today at 1651 UTC, we opened an internal incident entitled “Facebook DNS lookup returning SERVFAIL” because we were worried that something was wrong with our DNS resolver 1.1.1.1. But as we were about to post on our public status page we realized something else more serious was going on. Social media quickly burst into flames, reporting what our engineers rapidly confirmed too. Facebook and its affiliated services WhatsApp and Instagram were, in fact, all down. Their DNS names stopped resolving, and their infrastructure IPs were unreachable. It was as if someone had “pulled the cables” from their data centres all at once and disconnected them from the Internet.

Why Windows 11’s security is such a big deal
Date: 2021-10-05 Author: TechRepublic
The hardware requirements for Windows 11 have led to a lot of debate about exactly what changes in newer PCs and processors; they’ve also led to enterprises thinking about what security features they need in hardware. Microsoft’s second Security Signals report shows that enterprise security decision-makers are concerned about the security impact of hybrid work, and they expect PC hardware to help, said Dave Weston, director of OS security at Microsoft.

Twitch source code, creator earnings exposed in 125GB leak
Date: 2021-10-07 Author: Ars Technica
Live video broadcasting service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and removed) Wednesday, an anonymous user posted a torrent file of the data dump. The dump contains the company’s source code and details of money earned by Twitch creators.

ESB-2021.3341 – Security update for apache2
Apache has another vulnerability! Here we have an SSRF via a specially crafted URI – not a fun combination. You also get a DoS for free as well. Patch your systems!

ESB-2021.3321 – firefox-esr security update
Extending the exhaustive list of Firefox memory corruption bugs, more have been discovered which were capable of resulting in execution of code. We use the past tense, but if you don’t update, it could be the present tense for you!

ESB-2021.3294 – USN-5104-1: Squid vulnerability
Black hat sharks have begun to encircle at-risk squids, threatening them with DoS and confidential data disclosures. Update your systems to save the squids!

ESB-2021.3287 – Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Two for the price of one: an alert was put out for Apache systems this week, after a vulnerability allowing an attacker to link to URLs outside of the expected document root was “fixed” (spoiler: not quite the first time around)… Needless to say, we recommend patching this immediately.

ESB-2021.3276 – USN-5101-1: MongoDB vulnerability
A DoS vulnerability discovered in MongoDB puts many home movie collections at risk. Probably some other more important services too, but think about the movies…

Stay safe, stay patched and have a good weekend!
The AUSCERT team
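Added example for the ESB-2021.3287 entry above, written for this digest and not taken from AUSCERT, Apache or the advisory: a defender-side Python check that reads Apache combined-format access-log lines, percent-decodes each request path (repeatedly, so double-encoded sequences are caught), and reports any request whose decoded path would resolve outside the document root. The check walks the path segment by segment and counts depth, so it does not depend on the server’s own normalisation. The log-line layout is Apache’s default combined format; the client addresses, paths and status codes in the sample are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: client ident user [time] "method target proto" status size ...
# Only the fields this check needs are captured; the trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_path(raw_target):
    """Drop the query string and percent-decode the path until it stops changing
    (capped at three rounds), so that %2e, %252e and %2f style encodings all end
    up as the literal characters they stand for."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(raw_target):
    """True when the decoded request path climbs above the document root.
    Depth is tracked per segment: '..' decrements it, anything else increments it,
    and the first time depth goes negative the request has escaped the root."""
    path = normalise_path(raw_target)
    if not path.startswith("/"):
        path = "/" + path
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines):
    """Return (client, raw_target, status) for each parsable request that escapes
    the document root. Unparsable lines are skipped rather than treated as errors."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if escapes_root(m.group("target")):
            findings.append((m.group("client"), m.group("target"), int(m.group("status"))))
    return findings


# Constructed access-log lines; addresses are documentation ranges and paths are invented.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [07/Oct/2021:10:01:12 +1000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [07/Oct/2021:10:01:13 +1000] "GET /static/site.css?v=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Oct/2021:10:02:44 +1000] "GET /static/%2e%2e/%2e%2e/config/app.conf HTTP/1.1" 403 199',
    '198.51.100.7 - - [07/Oct/2021:10:02:45 +1000] "GET /static/%252e%252e/%252e%252e/config/app.conf HTTP/1.1" 200 873',
    '198.51.100.9 - - [07/Oct/2021:10:03:01 +1000] "GET /docs/../index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for client, target, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{client} requested {target!r} (status {status}) - escapes document root")
```

The last sample line is deliberately not reported: `/docs/../index.html` contains `..` but never leaves the root, which is the distinction that keeps a rule like this from flagging every legitimate relative path. A 200 on an escaping request (the fourth line) is the case worth paging on; a 403 shows the server refused it.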


AUSCERT Week in Review for 24th September 2021

24 Sep 2021

Greetings,

We wanted to remind everyone that it’s worth having a look to be sure that you’re not affected by the VMware vCenter vulnerability related to CVE-2021-22005 – a patch is available and so is a quicker (but temporary) mitigation. We notified a small number of members yesterday of internet-exposed servers. More information can be found in this Bleeping Computer article.

Bleeping Computer also reported on a vulnerability in macOS Finder that makes it possible for attackers to run commands on Macs running any macOS version up to the most recent release, Big Sur.

With the unveiling of Apple’s iOS 15 this week, there has been a lot of focus on their increased efforts to offer consumers greater control over who sees their data. MacRumors released a guide on the new privacy and security features, which have seen mixed reactions concerning Apple’s handling of user data.

Lastly, to all the parents, guardians and family members experiencing school holidays, remember, this too shall pass, so enjoy the family time and/or look forward to the end… good luck!

DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public
Date: 2021-09-17 Author: The Record
Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub. Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an app called Open Management Infrastructure (OMI), which Microsoft has been silently installing by default on most Azure Linux virtual machines.

Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Date: 2021-09-22 Author: The Record
Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world. Based on his finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available online. […] For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users that were trying to set up their email clients, but their email clients were failing to find their employer’s proper Autodiscover endpoint.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Date: 2021-09-22 Author: The Hacker News
Microsoft has opened the lid on a large-scale phishing-as-a-service operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort. “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

Researchers compile list of vulnerabilities abused by ransomware gangs
Date: 2021-09-18 Author: Bleeping Computer
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks. All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT, on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.

ESB-2021-3190 – Cisco IOS XE Software multiple vulnerabilities
Cisco IOS XE is currently experiencing technical difficulties – those difficulties? A range of quite serious vulnerabilities, ranging from unauthenticated code execution to DoS, all warranting a patch.

ESB-2021-3162 – VMSA-2021-0020 – VMware vCenter Server updates address
Security bugs in vCenter Server that were privately disclosed to VMware have been classified as “critical” after it was discovered they were, in fact, critical.

ASB-2021-0183-2 – Microsoft Patch Tuesday update for Azure for September 2021
It was good to see Microsoft stay consistent this week – both in the sense that Patch Tuesday came and went, and that we were spoiled with an assortment of privilege escalation and code execution vulnerabilities.

ESB-2021-3099-2 – Apple security update for iOS 14.8 and iPadOS 14.8
Apple announced some not-so-fun vulnerabilities for iOS and iPadOS this week – malicious applications are capable of executing code with kernel privileges, and interestingly one vulnerability permitted this over a Bluetooth connection.

ESB-2021-3212 – iOS 12.5.5 Vulnerabilities
Apple’s at it again with the vulnerabilities, having identified a number of serious issues with iOS 12.5.5 that are actively being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th September 2021

17 Sep 2021

Greetings,

Apple issued a series of security updates earlier in the week to patch two critical vulnerabilities that the company says were “actively exploited” in the wild. Further information is available in this CISA article.

ZDNet reported that Microsoft issued over 60 security fixes of their own with the latest round of patches, resolving issues that impacted a range of products including Azure Sphere and Microsoft Windows DNS, among other software.

Following on from the release of AUSCERT’s most recent podcast last week, VMware’s latest Global Incident Response Threat Report has highlighted that an increasing number of cyber security professionals experienced “extreme stress or burnout” due to the surge in attacks by cyber criminals during the COVID-19 pandemic. Links to the report, along with tools to help identify and assist with such occurrences, can be found in the report from ACS Information Age.

Lastly, Ars Technica reported on what has been dubbed an “embarrassing ‘security bulletin’” from Travis CI, along with the handling of the vulnerability disclosure process following the potential exposure of the information of over 600,000 users.

Windows MSHTML exploits shared on hacking forums
Date: 2021-09-12
Author: Bleeping Computer

Even though there are no security updates available for the CVE-2021-40444 vulnerability, because it was discovered being used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation. These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer. However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Google patches 10th Chrome zero-day exploited in the wild this year
Date: 2021-09-13
Author: Bleeping Computer

Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them being zero-days exploited in the wild. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company revealed in the release notes for the new Chrome version. The update is currently rolling out worldwide in the Stable desktop channel, and Google states it will become available to everyone over the next few days.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
Date: 2021-09-13
Author: The Hacker News

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that’s actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed “Vermilion Strike” — marks one of the rare Linux ports of what has traditionally been a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a “threat emulation software,” with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
Date: 2021-09-14
Author: ZDNet

Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14. Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

Ransomware crims saying ‘We’ll burn your data if you get a negotiator’ can’t be legally paid off anyway
Date: 2021-09-15
Author: The Register

A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools. Grief Corp is the latest criminal crew to warn its victims of instant data destruction if it suspects a mark has engaged a mediator.

You Can Now Ditch the Password on Your Microsoft Account
Date: 2021-09-15
Author: WIRED

Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.

Securing Netflix Studios At Scale
Date: 2021-09-14
Author: Netflix TechBlog

In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play. The security team was working diligently to support this effort, faced with two apparently contradictory priorities:

1) streamline any security processes so that we could get applications built and deployed to the public internet faster
2) raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value

ASB-2021.0177.2 – UPDATE ALERT MSHTML: Execute arbitrary code/commands – Remote with user interaction
Microsoft’s Patch Tuesday includes fixes for a remote code execution vulnerability in Windows that is being exploited in the wild.

ESB-2021.3099 – ALERT iOS and iPadOS: Execute arbitrary code/commands – Remote with user interaction
Apple releases iOS 14.8 and iPadOS 14.8 to address a remote code execution vulnerability in iOS and iPadOS.

ESB-2021.3102 – ALERT macOS Catalina: Execute arbitrary code/commands – Remote with user interaction
Apple is aware of a remote code execution vulnerability in macOS Catalina that may have been actively exploited.

ESB-2021.3103 – ALERT macOS Catalina and macOS Mojave: Execute arbitrary code/commands – Remote with user interaction
Apple’s most recent security patch for Safari fixes a remote code execution vulnerability.

ESB-2021.3107 – ALERT Siemens APOGEE and TALON: Multiple vulnerabilities
Unauthenticated root access available thanks to what MITRE calls a ‘classic buffer overflow’. Affects certain building automation systems from Siemens.

ASB-2021.0185 – ALERT Microsoft Extended Security Update: Multiple vulnerabilities
Microsoft releases its monthly security patch update to resolve 25 vulnerabilities across Windows and Windows Server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 10th September 2021

10 Sep 2021

Greetings,

Earlier this week, Microsoft issued a warning to Windows 10 users about a previously unknown security vulnerability, CVE-2021-40444, potentially being exploited by cybercriminals. Microsoft is advising users to apply mitigations until an official patch becomes available. An update on the situation is available in this Bleeping Computer article.

After reports this week that a threat actor had collected and published credentials for Fortinet’s SSL-VPN devices, we fetched a copy of the data set and yesterday we notified the members included in it. Fortinet have today published an advisory, which we’ve sent out as ASB-2021.0179. The exploited vulnerability was originally fixed in May 2019 – a sterling reminder to keep up with patching (or to ask your manager to allocate time for it!).

ZDNet reported on another recent Microsoft vulnerability, a bug in its Azure Container Instances. Microsoft confirmed it had mitigated the vulnerability and advised that there hadn’t been any indications of unauthorised access to customer data.

AUSCERT released our latest podcast (Episode 5), ‘Creating a culture of care’, featuring Mental Well Being Consultant Julie Gillespie. Julie shares her insights and ideas, borne from her personal experiences, to help develop a culture that identifies and supports those experiencing challenges and difficulties, which also benefits the workplace.

The podcast was timely as it preceded this year’s R U OK Day, which took place on Thursday, September 9. This year’s message focused on asking friends, families and colleagues if they’re really OK. Because of the volume of people experiencing isolation, frustration and helplessness, every day is an opportunity to consider, “What can I do to make a positive influence on my own mental wellbeing and/or for the people in my life more often?”

Here at AUSCERT, we gathered in our HQ for a morning tea to reconnect and then took a stroll after lunch along some scenic walking paths nearby for a good chat and some fresh air. If you’re feeling depressed, angry, stressed, fearful, anxious or alone, visit: ruok.org.au/findhelp

Hackers leak passwords for 500,000 Fortinet VPN accounts
Date: 2021-09-08
Author: Bleeping Computer

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs
Date: 2021-09-06
Author: iTnews

Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn. ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Cybersecurity is tough work, so beware of burnout
Date: 2021-09-06
Author: ZDNet

Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

Ransomware: Take these three steps to protect yourself from attacks and make it easier to recover
Date: 2021-09-08
Author: ZDNet

Microsoft has shared three key steps organizations can take to ensure a ransomware attack doesn’t cripple their entire network in an attempt to extract a multimillion dollar ransom or leak sensitive corporate data on the internet. Microsoft developed the three-step advice as part of its feedback to the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST)’s recent call for expert approaches to preventing and recovering from ransomware and other destructive cyberattacks.

Protecting yourself from phone porting and SIM card scams
Date: 2021-09-07
Author: ABC Everyday

To get around the increased restrictions on SIM porting, scammers may impersonate your telco to get the verification code. “To port the number, for example, some telcos might require an authentication code. The criminal knows that. They also know the number of the person they’re trying to exploit.” “They’ll arrange for that code to be sent via text, then the criminal will call the victim and impersonate the telco and say, ‘Look, I noticed that there has been some unauthorised access on your account. We’ve sent you a verification code, can you confirm that to me?’”

ESB-2021-3048 – WordPress 5.8.1 Security and Maintenance Release
Plethora of security patches for new WordPress release.

ESB-2021.3045 – firefox-esr security update
Mozilla Firefox arbitrary code execution vulnerabilities.

ASB-2021.0179 – FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
SSL-VPN data leaked for FortiGate by malicious actor this week.

ASB-2021.0177 – Microsoft MSHTML Remote Code Execution Vulnerability
Actively exploited RCE vulnerability in MSHTML, with mitigation recommendations.

ESB-2021.2994 – squashfs-tools security update
Vulnerability in squashfs allowing attackers to overwrite arbitrary files.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 3rd September 2021

3 Sep 2021

Greetings,

Last week, AUSCERT alerted members regarding a remote code execution vulnerability present in certain versions of Atlassian Confluence (CVE-2021-26084). Where it was possible to identify internet-facing Confluence instances of our members, notifications were sent last Friday, August 27. We published ESB-2021.2901 on the same day. Read more in this Bleeping Computer article.

Members, we need you! AUSCERT is always looking for ways to increase our value to you and would like your feedback. Specifically, your thoughts regarding AUSCERT delivering Cyber Tabletop Exercises as a paid service, like we currently do for cyber security training. If you’d like to get involved, please complete this survey so that we can evaluate the need for this service and what would suit your organisation.

A recent spate of unsolicited text messages has offered a timely reminder that SMS is often used by scammers. Unidentified texts that don’t have an option to unsubscribe are key identifiers of potential scams, often seeking personal information and in some cases containing malware that can compromise your phone’s security. Scammers like to disguise their deceit by using shortened URLs that hide the original domain names and, in some instances, malware that can download and execute once the link has been clicked. There are many ways this method is being used, with examples seen in this We Live Security article.

Have a great weekend!

NPM package with 3 million weekly downloads had a severe vulnerability
Date: 2021-09-03
Author: Ars Technica

Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
Date: 2021-08-19
Author: Cloudflare

Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that we’re aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

ACSC cyber security challenge
Date: 2021-08-31
Author: Cyber.gov.au

The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021.

Data privacy, governance and insights are all important obligations for businesses
Date: 2021-08-31
Author: TechRepublic

TechRepublic’s Karen Roby spoke with Kon Leong, CEO and co-founder of ZL Technologies, a data management company, about data privacy and governance. “[…] for the last seven decades or more, IT has focused on data that was primarily all siloed. Siloed applications generating siloed data. And now here comes a slew of legislative initiatives that say, ‘OK, we’re looking at privacy, and by the way, no data is exempt. Therefore, we don’t make exemptions for silos. So to manage it, you have to de-silo effectively.’ And are you kidding me? You’re going to undo 70 years of IT infrastructure? So we’re still kind of scratching our heads and saying, how do we get this done?”

Maths, encryption, and quantum computing
Date: 2021-08-18
Author: COSMOS Magazine

“Factorisation, which is used for the current classical public key cryptography, is easy [to break] on quantum computers. Factorisation is simple. You can factor long integers and break RSA on Quantum. It’s quite easy. So now we are trying to design the cryptography, which will be resistant against quantum computing.” Instead of using integer factorisation, other mathematical approaches need to be used to circumvent the sheer ‘brain’ power quantum computers will possess. One of the mathematical tools being used to construct quantum-resistant encryption is the Geometry of Numbers, or Lattice Theory.

ASB-2021.0176 – Microsoft Security Update Release for Microsoft Edge (Chromium-based)
Fixes for multiple critical vulnerabilities for Microsoft Edge, most of which first appeared in Chrome a couple of days earlier.

ESB-2021.2981 – qemu security update
Various bugs in the qemu emulator leading to DoS and code execution from malicious guests.

ESB-2021.2968 – USN-5051-4: OpenSSL regression
OpenSSL on Ubuntu 14.04 ESM, and only 14.04, introduced a regression while fixing CVE-2021-3712.

ESB-2021.2953 – sssd security update
The System Security Services Daemon (SSSD) allowed shell command injection, permitting root escalation if a root user was tricked into running a specially crafted command.

ESB-2021.2949 – Security update for mysql-connector-java
This patch prevents unauthenticated attackers compromising the Java connector for MySQL.

Stay safe, stay patched and have a good weekend!
Bek, Tom & David


AUSCERT Week in Review for 27th August 2021

27 Aug 2021

Greetings,

Hot topic of the week is the recently passed bill which will allow the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to access the computers and networks of those suspected of conducting criminal activity online, which raises the question: ‘How do we as a CERT tell the difference between a hacked system and a legally compromised one?’ You can read more through these articles from ZDNet and InnovationAus.

This week AUSCERT joined teams from 21 other countries to take part in the annual APCERT Drill, designed to improve regional responses to emerging cyber security threats. The theme of this year’s APCERT Drill was “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”. This exercise reflected real incidents and issues that exist on the Internet. The participants handled a case of a supply chain attack triggered by spear phishing. Narayan and Vishaka represented team AUSCERT and did an outstanding job, especially considering it was their first time. We are proud of the contribution by Geoffroy Thonon, our Operations Manager, who was part of the planning committee that worked tirelessly to deliver the drill.

Great news for Members! You can now opt to receive AUSCERT Bulletins as a daily digest issued at the end of each business day. Subscribe now through the Member Portal; instructions can be found here. Alternatively, you can send an email to the membership team.

Today is Wear it Purple Day, which is a way to show young LGBTIQ+ members of the community that they have a right to be proud of who they are. The aim is to create safe spaces in schools, universities, workplaces and public areas to show LGBTIQ+ people they are supported and belong.

Have a great weekend!

T-Mobile breach hits 53 million customers
Date: 2021-08-23
Author: iTnews

Cellular operator T-Mobile US said an ongoing investigation into a data breach revealed that hackers accessed personal information of an additional 5.3 million customers, bringing the total number of people affected to more than 53 million. The third largest US wireless carrier had earlier said that personal data of more than 40 million former and prospective customers was stolen along with data from 7.8 million existing T-Mobile wireless customers.

COVID vaccine certificates can be forged within 10 minutes due to ‘obvious’ security flaw
Date: 2021-08-23
Author: ABC News

Near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered. Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery. The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.

Australian businesses stop reporting ransomware attacks over exfiltration doubts
Date: 2021-08-23
Author: iTnews

Australian businesses are incorrectly relying on what they think is a loophole in notifiable data breach laws to avoid reporting ransomware infections. The Office of the Australian Information Commissioner (OAIC) warned that “a number of entities” in the six months to June 2021 didn’t report ransomware attacks because they could not prove whether or not data was accessed or stolen.

38 million records exposed by misconfigured Microsoft Power Apps. Redmond’s advice? RTFM
Date: 2021-08-23
Author: The Register

Forty-seven government entities and private companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant’s Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. That led the security shop to look at other Power Apps portals and its researchers found over one thousand apps configured to make data available to anyone who asked.

Microsoft warns thousands of cloud customers of exposed databases
Date: 2021-08-27
Author: Reuters

Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies.

[NB: This is separate from the Power Apps issue above.]

Atlassian warns of critical Confluence flaw
Date: 2021-08-26
Author: The Register

Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw. The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

ASB-2021.0175 – Microsoft Edge (Chromium-based): Reduced security – Remote with user interaction
Please update Microsoft Edge to 92.0.902.78 to address multiple CVEs.

ESB-2021.2865 – F5 BIG-IP Products: Multiple vulnerabilities
Multiple vulnerabilities in BIG-IP Products have been patched by F5.

ESB-2021.2871 – Application Policy Infrastructure Controller: Multiple vulnerabilities
Cisco has released multiple advisories to patch against different vulnerabilities.

ESB-2021.2901 – Atlassian Confluence Server and Data Center: Execute arbitrary code/commands – Remote/unauthenticated
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 20th August 2021

20 Aug 2021

Greetings,

Yesterday the ACSC issued an alert about cybercriminals targeting the Microsoft Exchange ProxyShell exploit chain. Patches were issued for these vulnerabilities in April and May 2021, so this is a timely reminder to stay on top of patch updates. Our Operations Team conducted a Shodan search for the CVEs involved, which produced 136 records affecting 42 of our member organisations with internet-exposed servers reporting potentially vulnerable software versions. These members have all been contacted today to ensure they are protected.

Our latest blog post, “Using threat intelligence to produce a cyber defence strategy”, was published today by our Senior Manager, Mike Holm.

Have a great weekend everyone.

One big ransomware threat just disappeared. Now another one has jumped up to fill the gap
Date: 2021-08-13
Author: ZDNet

The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world. It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.

Secret terrorist watchlist with 2 million records exposed online
Date: 2021-08-16
Author: Bleeping Computer

A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records, was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status.

Linux glibc security fix created a nastier Linux bug
Date: 2021-08-16
Author: ZDNet

The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something! The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

Fortinet slams Rapid7 for disclosing vulnerability before end of 90-day window
Date: 2021-08-17
Author: ZDNet

A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue. Rapid7 said one of its researchers, William Vu, discovered an OS command injection vulnerability in version 6.3.11 and prior of FortiWeb’s management interface. The vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page. Rapid7 said the vulnerability was related to CVE-2021-22123, which was addressed in FG-IR-20-120. The company added that in the absence of a patch, users should “disable the FortiWeb device’s management interface from untrusted networks, which would include the internet.”

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Date: 2021-08-17
Author: Mandiant

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.

Reducing the threat of day one exploits
Date: 2021-08-10
Author: APNIC Blog

Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits. Day one exploits are responsible for attacks such as the recent Microsoft Exchange attack that compromised hundreds of thousands of organizations. That attack began as a zero-day exploit and was followed by numerous day one exploits once the vulnerabilities were announced. Day one exploits were also used by Iranian threat actors about a year ago to gain access to financial sector networks via published VPN vulnerabilities.

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
Date: 2021-08-17
Author: The Hacker News

A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in the Internet Explorer browser.

ASB-2021.0136.2 – UPDATE ALERT Microsoft Print Spooler: Increased privileges – Existing account
Microsoft’s out-of-band critical update addresses a Windows Print Spooler Elevation of Privilege Vulnerability.

ESB-2021.2739 – MozillaFirefox: Multiple vulnerabilities
Mozilla releases an update that fixes 6 vulnerabilities in Firefox.

ESB-2021.1489.2 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities
Initial advisory released on 30 April 2021 updated to include newly disclosed details about vulnerable BlackBerry QNX-based products.

ESB-2021.2808 – ALERT Small Business RV series routers: Multiple vulnerabilities
A vulnerability in Cisco’s Small Business RV series routers allows Remote Command Execution and Denial of Service.

ESB-2021.2777 – Adobe Photoshop: Execute arbitrary code/commands – Existing account
Adobe’s updates for Photoshop for Windows and macOS resolve multiple critical vulnerabilities.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
Microsoft has released an out-of-band update to address a Windows Print Spooler Remote Code Execution Vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 13th August 2021

13 Aug 2021

Greetings,

Anyone else feel like we are stuck in Groundhog Day? Another Patch Tuesday and PrintNightmare refuses to leave us. Microsoft released updates for at least 44 security vulnerabilities, including another Print Spooler flaw. Since the update earlier this week, another bug has been identified with no patch yet released. For more details and a workaround, check out this great write-up from ZDNet.

Following on from the Apple announcement last week about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content, check out the Schneier on Security blog for a great collation of articles and information.

We are excited to share Episode 4 of the AUSCERT “Share today, save tomorrow” podcast series! Episode 4, titled “Cyber security awareness and team culture”, features Brian Hay from Cultural Cyber Security and Tracey Weeks from Queensland Health. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

Have a great weekend everyone.

Microsoft Exchange servers scanned for ProxyShell vulnerability; patch now
Date: 2021-08-07
Author: Bleeping Computer
[See ASB-2021.0127 and 0103]

Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together. […] While both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update. Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
Date: 2021-08-10
Author: Bleeping Computer

Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers. In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges. Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion. However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows. Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

Opinion: Why Australia’s Online Safety Act is an abdication of responsibility
Date: 2021-08-12
Author: ZDNet

The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work. This brain package always includes two naive and demonstrably false beliefs. One is that safe backdoors exist so that all the good guys can come and go as they please without any of the bad guys being able to do the same. The other is that everyone will be nice to each other if we know their names. This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.

FlyTrap Android Malware Used to Compromise Facebook Accounts
Date: 2021-08-10
Author: PCMag Australia

Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store. FlyTrap masqueraded as a variety of mobile apps dedicated to “free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium said, and “tricked users into downloading and trusting the application with high-quality designs and social engineering” before attempting to gain access to their Facebook accounts.

Hacker is returning $600M in crypto, claiming theft was just “for fun”
Date: 2021-08-13
Author: Ars Technica

The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”

ESB-2021.2679 – MISP: Cross-site scripting – Remote with user interaction
MISP 2.4.148 released including many bugs fixed along with security fixes.

ASB-2021.0168 – Microsoft Office Products & Services and Web App Products: Multiple vulnerabilities
SOC analyst: Are you going to fix PrintNightmare Microsoft?
Microsoft: No sir! But here is something you also need to worry about.

ASB-2021.0173 – Azure Products: Multiple vulnerabilities
SOC analyst: *finally finished with the update of Office Products*
Microsoft: Excuse me sir! This one too.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
SOC analyst: OK! I have patched the Office and Azure products.
PrintNightmare: Did you miss me?

ESB-2021.2686 – Firefox: Multiple vulnerabilities
Chrome: We have released multiple patches this month.
Firefox: Hold my beer!

ESB-2021.2705 – Intel Ethernet Linux Driver: Multiple vulnerabilities
Potential security vulnerabilities in some Intel Ethernet Controllers have been addressed in the recent update.
Win/Mac users: Oh no! Anyway!

Stay safe, stay patched and have a good weekend!

Bek and Narayan on behalf of The AUSCERT team
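The PrintNightmare item above describes the fix as a behaviour change: Point and Print driver installation now requires administrative privileges, and organisations that relaxed that behaviour are affected. The following PowerShell audit is an added example (not code from the article, from AUSCERT or from Microsoft) that a defender can run on a Windows host to see whether the Point and Print policy values re-open what the update closed. The registry path and value names are the policy location Microsoft documented alongside the August 2021 update; treat their exact spelling as an assumption to verify against current Microsoft documentation before relying on the script.

```powershell
# Added example: audit the Point and Print policy posture on a Windows host.
# Registry path and value names are assumptions taken from Microsoft's guidance
# for the August 2021 Print Spooler update; verify against current documentation.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    $result = [ordered]@{
        SpoolerRunning                = $false
        RestrictDriverInstallToAdmins = $null   # $null = value absent; post-update default behaves as 1 (restricted)
        NoWarningNoElevationOnInstall = $null   # 1 = drivers install without warning or elevation (weak)
        UpdatePromptSettings          = $null   # 2 = driver updates proceed without a prompt (weak)
        Assessment                    = @()
    }

    # Point and Print is only reachable while the Print Spooler service is running.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result.SpoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    if (Test-Path $PointAndPrintKey) {
        $props = Get-ItemProperty -Path $PointAndPrintKey
        # Absent properties read back as $null, which the checks below treat as "not weakened".
        $result.RestrictDriverInstallToAdmins = $props.RestrictDriverInstallationToAdministrators
        $result.NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        $result.UpdatePromptSettings          = $props.UpdatePromptSettings
    }

    # Explicitly setting the restriction to 0 is the override the article warns about:
    # non-elevated users regain the ability to add or update printer drivers.
    if ($result.RestrictDriverInstallToAdmins -eq 0) {
        $result.Assessment += 'RestrictDriverInstallationToAdministrators=0: non-admin users can install printer drivers'
    }
    if ($result.NoWarningNoElevationOnInstall -eq 1) {
        $result.Assessment += 'NoWarningNoElevationOnInstall=1: driver installs proceed without a warning or elevation prompt'
    }
    if ($result.UpdatePromptSettings -eq 2) {
        $result.Assessment += 'UpdatePromptSettings=2: driver updates proceed without a prompt'
    }
    if (-not $result.SpoolerRunning) {
        $result.Assessment += 'Print Spooler service not running: Point and Print is not exposed on this host'
    }
    if ($result.Assessment.Count -eq 0) {
        $result.Assessment += 'No weakening Point and Print policy values found'
    }

    [pscustomobject]$result
}

# Run locally; wrap in Invoke-Command to collect the same posture from a fleet.
Get-PointAndPrintPosture | Format-List
```

The script reads policy values only and changes nothing. A host where `RestrictDriverInstallToAdmins` reports `0`, or where the two prompt-suppression values are set to their permissive levels, is one where the update's protection has been deliberately turned off and the driver-installation path the article describes is open to non-elevated users again; those are the hosts to review with whoever manages printer deployment.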


Week in review

AUSCERT Week in Review for 6th August 2021

6 Aug 2021

Greetings,

A hot topic at the moment is the announcement from Apple about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content. There is a lot of concern in the industry about the potential for misuse as well as mission creep; the team at Stanford Internet Observatory have a great discussion on the topic and The Register has a great article if you’d like to learn more.

The next episode of our podcast “Share Today, Save Tomorrow” will launch soon; this is a great time to jump on and listen to our first 3 episodes. Great stories from our cyber community as well as up-to-date news from the AUSCERT team. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

With so much of the country in lockdown (including the AUSCERT team) we hope everyone is keeping well and finding ways to keep spirits up. Our team has been sharing their coping techniques as well as music and book recommendations, which is keeping us all connected as well as entertained.

Have a great weekend everyone.

ACSC survey for Australian critical infrastructure organisations
Date: 2021-08-02
Author: cyber.gov.au

The Australian Cyber Security Centre is asking Australian critical infrastructure providers and operators to take part in a confidential survey to help identify operational technologies used by their organisation.

Cisco fixes critical, high severity pre-auth flaws in VPN routers
Date: 2021-08-04
Author: Bleeping Computer
[See ESB-2021.2626 and 2627.]

Cisco has addressed pre-auth security vulnerabilities impacting multiple Small Business VPN routers and allowing remote attackers to trigger a denial of service condition or execute commands and arbitrary code on vulnerable devices. The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.

How the Dark Web enables access to corporate networks
Date: 2021-07-28
Author: TechRepublic

The Dark Web is home to a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services. Advertisements and forum messages hawk everything from credit cards and bank accounts to medical records to account credentials to fake IDs to counterfeit products. But one of the most lucrative items up for sale is network access. Getting the keys to an organization’s entire network can easily pave the way for a host of attacks, including malware, data exfiltration, corporate espionage, and ransomware. A report released Wednesday by security provider Positive Technologies looks at the selling of network access on the Dark Web and examines how this threat continues to grow.

How data-driven patch management can defeat ransomware
Date: 2021-08-02
Author: VentureBeat

Ransomware attacks are increasing because patch management techniques lack the contextual intelligence and historical data needed to model threats based on previous breach attempts. As a result, CIOs, CISOs, and the teams they lead need a more data-driven approach to patch management that can deliver adaptive intelligence reliably at scale. Ivanti’s acquisition of RiskSense, announced today, highlights the new efforts to close the data-driven gap in patch management.

What covid apps can teach us about privacy, utility and trust in app design
Date: 2021-08-03
Author: Salinger Privacy

The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology. With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

ASB-2021.0166 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft Edge has been updated to 92.0.902.67, which addresses multiple vulnerabilities.

ESB-2021.2607 – Google Chrome: Multiple vulnerabilities
The stable channel update for Google Chrome has been released to address multiple vulnerabilities.

ESB-2021.2626 – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers: Multiple vulnerabilities
Multiple vulnerabilities in the web-based management interface of the Cisco Small Business Dual WAN Gigabit VPN Routers could lead to remote code execution.

ESB-2021.2640 – wordpress: Multiple vulnerabilities
Object injection vulnerability in PHPMailer affects WordPress.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
