Week in review

AUSCERT Week in Review for 30th July 2021

30 Jul 2021

Greetings,

Thank you to those who were able to join us for our delayed NAIDOC event with team Baidam Solutions earlier this week. We are extremely grateful that in Brisbane we were able to meet and celebrate together (while of course following strict COVID guidelines).

Of note this week, Apple released security updates to address a vulnerability (CVE-2021-30807) for macOS, iOS and iPadOS in which an application may be able to execute arbitrary code with kernel privileges. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Until next week everyone, have a great weekend.

Apple releases fix for iOS and macOS zero-day, 13th this year
Date: 2021-07-26 Author: The Record by Recorded Future
[See ASB-2021.0165.]
Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild. Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device’s memory handles the screen display (the screen framebuffer, to be more exact). According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device.

More than half of all Aussies continue to encounter forms of cyber scams in 2021
Date: 2021-07-23 Author: ZDNET
Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India, which recorded 69% of people encountering a tech support scam. The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average, which came in at 59%, five points lower than in 2018.

Google announces new bug bounty platform
Date: 2021-07-27 Author: ZDNet
Google has announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program. The program led to a total of 11,055 bugs found, 2,022 rewarded researchers and nearly $30 million in total rewards.

A Controversial Tool Calls Out Thousands of Hackable Websites
Date: 2021-07-27 Author: WIRED
The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time, and all in the name of making the web more secure.

ASB-2021.0165 – Apple IOMobileFrameBuffer vulnerability
Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, an arbitrary code execution vulnerability.

ESB-2021.2561 – Security update for qemu
Multiple vulnerabilities identified in qemu, with a security update released by SUSE.

ESB-2021.2548 – Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3)
SUSE security update for the Linux kernel, addressing multiple vulnerabilities.

ESB-2021.2531 – USN-5022-1: MySQL vulnerabilities
MySQL vulnerabilities discovered, with security fixes and bug patches released.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 23rd July 2021

23 Jul 2021

Hi Folks,

Patch fatigue is definitely setting in: another big week for our analysts issuing bulletins, particularly from Adobe and Oracle. This week we released our Quarter 2, 2021 Report with some great stats and updates for the period from 1 April to 30 June 2021.

Reminder: there are only 8 days left to nominate for the Australian Women in Security Awards, such a great opportunity to recognise the amazing women in our industry.

Hope everyone is keeping safe in these crazy times, have a great weekend.

…

Shriro Hacked, Feds Cyber Security Called In
Date: 2021-07-19 Author: channelnews
Sydney-based appliance distributor Shriro Holdings has been hacked, with the business impacted claims management. CEO Tim Hargraves claims that the distributor of Casio, Blanco, Omega and Everdure barbecues was subject to a cyber security incident involving unauthorised access to its operating systems last week.

Microsoft takes down domains used to scam Office 365 users
Date: 2021-07-19 Author: Bleeping Computer
Microsoft’s Digital Crimes Unit has seized 17 malicious domains used by scammers in a business email compromise (BEC) campaign targeting the company’s customers. The domains taken down by Microsoft were so-called “homoglyph” domains registered to resemble those of legitimate businesses. This technique allowed the threat actors to impersonate companies when communicating with their clients.

This password-stealing Windows malware is distributed via ads in search results
Date: 2021-07-21 Author: ZDNet
A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware. Detailed by cybersecurity company Bitdefender, the malware, which targets Windows, has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.
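The homoglyph-domain technique in the Microsoft takedown item above, as an added PowerShell detection example (not code from the newsletter or from Microsoft): each domain is reduced to a "skeleton" in which visually confusable characters are folded to one canonical form, so look-alikes of a domain you own can be matched in mail or DNS logs. The confusables table is a hand-picked subset and the sample domains are constructed for the example.

```powershell
# Added example (not from the AUSCERT newsletter or Microsoft). A homoglyph domain swaps letters
# for look-alikes ('rn' for 'm', digit '1' for 'l', Cyrillic 'е' for Latin 'e'); folding those
# look-alikes to one canonical form gives a "skeleton" that is identical for the real domain and
# its impersonators. The table is a small, hand-picked subset of Unicode confusables
# (assumption: extend it for the scripts your users see). Multi-character entries come first.
$Confusables = [ordered]@{
    'rn' = 'm'; 'vv' = 'w'
    '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's'; '8' = 'b'; '|' = 'l'
    'а' = 'a'; 'е' = 'e'; 'о' = 'o'; 'р' = 'p'; 'с' = 'c'; 'х' = 'x'; 'у' = 'y'   # Cyrillic
    'ο' = 'o'; 'ν' = 'v'; 'ı' = 'i'; 'ɡ' = 'g'                                      # Greek, Turkish, IPA
}

function Get-DomainSkeleton {
    param([Parameter(Mandatory)][string]$Domain)
    $d = $Domain.Trim().TrimEnd('.').ToLowerInvariant()
    # Internationalised names arrive punycoded (xn--) in logs; decode so the real letters are visible.
    if ($d -match '(^|\.)xn--') {
        try { $d = [System.Globalization.IdnMapping]::new().GetUnicode($d) } catch { }
    }
    # Decompose accented letters and drop the combining marks (e.g. 'é' -> 'e').
    $decomposed = $d.Normalize([System.Text.NormalizationForm]::FormD)
    $d = -join ($decomposed.ToCharArray() | Where-Object { [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [System.Globalization.UnicodeCategory]::NonSpacingMark })
    # Fold every confusable sequence to its canonical form (ordinal, case-sensitive replace).
    foreach ($entry in $Confusables.GetEnumerator()) { $d = $d.Replace($entry.Key, $entry.Value) }
    return $d
}

function Find-LookalikeDomains {
    param([string[]]$ProtectedDomains, [string[]]$ObservedDomains)
    $bySkeleton = @{}
    foreach ($p in $ProtectedDomains) { $bySkeleton[(Get-DomainSkeleton $p)] = $p.ToLowerInvariant() }
    foreach ($seen in ($ObservedDomains | Sort-Object -Unique)) {
        if ($ProtectedDomains -contains $seen) { continue }   # exact match: one of our own domains
        $skeleton = Get-DomainSkeleton $seen
        if ($bySkeleton.ContainsKey($skeleton)) {
            [pscustomobject]@{ Observed = $seen; Impersonates = $bySkeleton[$skeleton]; Skeleton = $skeleton }
        }
    }
}

# Constructed sample: two domains we own, and sender domains as they might appear in mail logs.
$ours       = 'example.com', 'example-bank.com.au'
$seenInLogs = 'example.com', 'exarnple.com', 'examp1e.com', 'еxample.com', 'example-bank.com', 'exampleshop.com'
Find-LookalikeDomains -ProtectedDomains $ours -ObservedDomains $seenInLogs | Format-Table -AutoSize
```

Only character-level look-alikes are caught; a swapped TLD (example-bank.com for example-bank.com.au) or an added word (exampleshop.com) produces a different skeleton and needs a separate check.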
HiveNightmare aka SeriousSAM — anybody can read the registry in Windows 10
Date: 2021-07-21 Author: Double Pulsar
This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Australian organisations are quietly paying hackers millions in a ‘tsunami of cyber crime’
Date: 2021-07-16 Author: ABC News
It’s an open secret within the tight-lipped world of cybersecurity. For years, Australian organisations have been quietly paying millions in ransoms to hackers who have stolen or encrypted their data. This money has gone to criminal organisations and encouraged further attacks, creating a vicious cycle. Now experts say Australia and the rest of the world are facing a “tsunami of cyber crime”.

MITRE – 2021 CWE Top 25 Most Dangerous Software Weaknesses
Date: 2021-07-22 Author: MITRE
The [CWE Top 25] is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — gain insight into the most severe and current security weaknesses.

ASB-2021.0138 – ALERT MySQL products: Multiple vulnerabilities
Oracle’s July Patch Update includes 41 new security patches to address multiple vulnerabilities in Oracle MySQL.

ASB-2021.0139 – ALERT PeopleSoft Enterprise products: Multiple vulnerabilities
Oracle releases fixes to address multiple vulnerabilities in PeopleSoft Enterprise products.

ASB-2021.0140 – ALERT Oracle Systems: Multiple vulnerabilities
The Critical Patch Update contains 11 new security patches for Oracle Systems.

ESB-2021.2515 – ALERT Tenable.sc Products: Multiple vulnerabilities
Multiple third-party vulnerabilities identified in Tenable.sc 5.19.0.

ASB-2021.0156 – ALERT Oracle Financial Services Applications: Multiple vulnerabilities
Multiple vulnerabilities in Oracle Financial Services Applications are addressed in Oracle’s most recent Patch Update.

ESB-2021.2463 – Google Chrome: Multiple vulnerabilities
The Chrome team releases Chrome 92.0.4515.107 with a number of fixes and improvements.

ESB-2021.2447 – Adobe Photoshop: Multiple vulnerabilities
Adobe’s updates for Photoshop for Windows and macOS resolve a critical and a moderate vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 16th July 2021

16 Jul 2021

Greetings,

Well, doesn’t time fly: Patch Tuesday (Wednesday), we meet again. Microsoft released patches for 117 vulnerabilities, 13 of these critical. We also saw patch updates from Adobe, Chrome and Firefox.

Of note this week, a new SolarWinds exploit was uncovered by Microsoft, who discovered a remote code execution vulnerability in the SolarWinds Serv-U product. SolarWinds released updates for their Serv-U Managed File Transfer and Serv-U Secure FTP tools (CVE-2021-35211). Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Lastly, we are excited to share Episode 3 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 3 features Jacqui Loustau, AWSN Founder, and Pip Jenkinson, CEO of Baidam Solutions, and is titled “Passion led us here”. Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast.

Until next week everyone, have a great weekend.

SolarWinds patches critical Serv-U vulnerability exploited in the wild
Date: 2021-07-12 Author: Bleeping Computer
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday.

Updated Essential Eight Maturity Model
Date: 2021-07-12 Author: Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) has further strengthened the implementation guidance for the Essential Eight through changes that reflect its experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight. The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats. Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.

Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years
Date: 2021-07-14 Author: The Conversation
Australian organisations are a soft target for ransomware attacks, say experts who yesterday issued a fresh warning that the government needs to do more to stop agencies and businesses falling prey to cyber-crime. But in truth, the danger has been growing worldwide for more than three decades. Despite being a relatively new concept to the public, ransomware has roots in the late 1980s and has evolved significantly over the past decade, reaping billions of dollars in ill-gotten gains. With names like Bad Rabbit, Chimera and GoldenEye, ransomware has established a mythical quality with an allure of mystery and fascination. Unless, of course, you are the target.

Strengthening Australia’s cyber security regulations and incentives
Date: 2021-07-13 Author: Department of Home Affairs
On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy. Interested stakeholders are invited to provide a submission to the discussion paper, Strengthening Australia’s cyber security regulations and incentives.

Govts sign off on national data sharing agreement
Date: 2021-07-12 Author: itnews
Federal, state and territory leaders have signed off on an intergovernmental agreement aimed at making more data available across all jurisdictions for policy development and service delivery. National cabinet agreed to the intergovernmental agreement (IGA) on data sharing on Friday, formalising a plan that was first endorsed in April, in part to lay the foundations for linked-up government services.

ESB-2021.2390 – ALERT HPE Edgeline Infrastructure Manager: Execute arbitrary code/commands – Remote/unauthenticated
HPE has addressed a critical RCE vulnerability in Edgeline Infrastructure Manager.

ESB-2021.2377 – Firefox and Firefox ESR: Multiple vulnerabilities
Multiple security vulnerabilities have been fixed in Firefox 90.

ASB-2021.0126 – ALERT Solarwinds Serv-U: Administrator compromise – Remote/unauthenticated
CVE-2021-35211 is being exploited in the wild. Patch it to not catch it.

ASB-2021.0135 – ALERT Microsoft Extended Security Update products: Multiple vulnerabilities
And here we go again. Microsoft has released its monthly security patch update for the month of July 2021.

ESB-2021.2374 – Adobe Acrobat and Reader: Multiple vulnerabilities
Microsoft: We have critical vulnerabilities. Adobe: Hold my beer.

Stay safe, stay patched and have a good weekend!
Bek & Narayan on behalf of The AUSCERT team

AUSCERT Week in Review for 9th July 2021

9 Jul 2021

Greetings,

What a big week! A lot to get on top of this week between Kaseya and PrintNightmare. Of note, Microsoft released updated patches to address PrintNightmare. This is related to the Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 and CVE-2021-1675. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

For those of you based in the Greater Brisbane area, we are excited to announce a new date for our NAIDOC Week 2021 gathering. To hear more about the work done by colleagues at Baidam Solutions, come and join us on Monday 26 July, 2 – 4pm. For further details and to RSVP, visit the AUSCERT website here.

Until next week everyone, have a great weekend.

Kaseya supply-chain ransomware attack hits MSP customers
Date: 2021-07-03 Author: iTnews
A supply-chain attack on Kaseya, which provides management, monitoring and automation software for managed service providers (MSPs), has led to ransomware infections among the company’s customers around the world.

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
Date: 2021-07-04 Author: The Hacker News
Microsoft is urging Azure users to update the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as CVE-2021-26701 (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and has been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn’t impacted by the flaw.

QNAP fixes critical bug in NAS backup, disaster recovery app
Date: 2021-07-05 Author: Bleeping Computer
Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security. The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution. The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources, allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.

Treasury revisits cyber terrorism insurance cover
Date: 2021-07-05 Author: IT News
Treasury will consider whether cyber terrorism that causes physical property damage should be added to the national terrorism insurance scheme for a second time in three years. Treasury said that like the 2018 review, the 2021 review will look at “whether a sufficient rationale has emerged to include cyber terrorism causing physical property damage within the scheme”.

Email fatigue among users opens doors for cybercriminals
Date: 2021-07-07 Author: Bleeping Computer
Given the mass migration to remote work, more critical business data is being shared by email than ever before. Users can now receive hundreds of emails a day, and sifting through them is time-consuming and exhausting. Faced with that skyrocketing volume, it’s no wonder that there’s a growing email fatigue. Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it, which explains why 94% of malware is now delivered via email.

Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Date: 2021-07-07 Author: Bleeping Computer
[See related ALERT bulletin ASB-2021.0123.4 which AUSCERT updated on the 8th July]
Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed. According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

ASB-2021.0123.4 – UPDATE ALERT Microsoft Print Spooler: Multiple vulnerabilities
Our update was made to draw attention to Microsoft’s revised advisory announcing that patches are now available for additional Windows versions.

ESB-2021.2341 – apache2: Multiple vulnerabilities
Several vulnerabilities have been found in the Apache HTTP server, which could result in remote code execution and denial of service.

ESB-2021.2332 – Cisco Web Security Appliance: Multiple vulnerabilities
This Cisco product was affected by vulnerabilities which, prior to the fix, gave attackers the opportunity to execute remote code and compromise root.

ESB-2021.2344 – MDT AutoSave: Multiple vulnerabilities
A perfect 10.0 (CVSS 3.0), albeit appliance based. Successful exploitation of the associated vulnerabilities could lead to full remote execution on the Remote MDT Server without an existing user or password.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 2 July 2021

2 Jul 2021

Greetings,

Folks, welcome to the second half of 2021. The start of July marks a new financial year here in Australia, which means tax time is here! We’re sharing this “Is it a scam?” piece by our AUSCERT2021 Member Organisation of the Year, the folks from the Australian Taxation Office.

Of note this week, Microsoft has released an out-of-band critical update to address a Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527. This vulnerability has received significant media attention in the past day or so. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Some mitigation notes and recommendations: apply the latest security updates released on June 8, 2021, AND determine whether the Print Spooler service is running; if it is, either disable it or disable inbound remote printing through Group Policy. Microsoft acknowledges this vuln is similar to but DISTINCT from the recent Print Spooler vuln reported as CVE-2021-1675 and addressed by the June 2021 Patch Tuesday updates. They are still investigating the issue and will update the page as more information becomes available.

AUSCERT members, be sure to hop on our Slack space for some tips and notes regarding this issue from fellow AUSCERT members. It’s always an awesome space for information sharing! To sign in, please do so via our member portal here.

And last but not least, for those of you based in the Greater Brisbane area who were intending to attend our proposed NAIDOC Week 2021 luncheon, please note we will be sharing a new date for this special event soon. In the meantime, please stay safe and continue to follow the latest Government advice.

Until next week everyone, have a great weekend.

CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability
Date: 2021-06-29 Author: Tenable
[CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. See related AUSCERT bulletin ASB-2021.0115. Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.]
Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

CISA releases new ransomware self-assessment security audit tool
Date: 2021-06-30 Author: Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets. This CSET module was tailored by RRA to assess varying levels of ransomware threat readiness to be helpful to all orgs regardless of their cybersecurity maturity.

Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site
Date: 2021-06-28 Author: The Hacker News
Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the browser’s built-in feature via Microsoft Translator.

Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
Date: 2021-06-28 Author: ZDNet
“According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice [paying ransom demands] isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers.”
Note: this article includes commentary stating that paying a ransomware extortion demand is not illegal. This may not be true in some jurisdictions and readers are encouraged to seek legal counsel.

Cisco ASA vulnerability actively exploited after exploit released
Date: 2021-07-27 Author: Bleeping Computer
Hackers are scanning for and actively exploiting a vulnerability in Cisco ASA devices after a PoC exploit was published on Twitter. This Cisco ASA vulnerability is a cross-site scripting (XSS) vulnerability that is tracked as CVE-2020-3580. Cisco first disclosed the vulnerability and issued a fix in October 2020. However, the initial patch for CVE-2020-3580 was incomplete, and a further fix was released in April 2021.

ASB-2021-0123 – ALERT Windows Print Spooler: Execute arbitrary code/commands – Existing
Zero-day Vulnerability (PrintNightmare) can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Proof of concept exploit code has reportedly been released.

ESB-2021.2240 – Thunderbird: Multiple vulnerabilities
Thunderbird contained a multitude of vulnerabilities causing reduced security, including remote code execution and denial of service.

ESB-2021.2279 – Nessus Agent: Administrator compromise – Existing account
Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could lead to gaining administrator privileges on the Nessus host.

ESB-2021.2297 – htmldoc: Multiple vulnerabilities
A buffer overflow was discovered in HTMLDOC, an HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code and denial of service.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
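The Print Spooler mitigation notes in this issue's introduction (check whether the service is running, then either disable it or disable inbound remote printing through Group Policy), as an added PowerShell check-and-remediate script that is not part of the AUSCERT newsletter or Microsoft's own tooling. It assumes an elevated session and the registry storage of the Group Policy setting named in the comments; patch level is not checked.

```powershell
# Added example (not from the AUSCERT newsletter or Microsoft): audit a host against the two
# Print Spooler workarounds in the introduction and, with -Remediate, apply one of them.
# Run from an elevated PowerShell session. Assumption: the Group Policy
# "Allow Print Spooler to accept client connections" is stored locally as the
# RegisterSpoolerRemoteRpcEndPoint DWORD (2 = Disabled) under the Printers policy key;
# confirm against current Microsoft guidance, and note a domain GPO refresh can overwrite it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Remediate the script only reports.
    [switch]$Remediate,
    # DisableService: stop and disable the Spooler (no printing at all, local or remote).
    # BlockRemote:    keep local printing but refuse inbound remote print connections.
    [ValidateSet('DisableService', 'BlockRemote')]
    [string]$Mode = 'BlockRemote'
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    if     ($null -eq $policy) { $policyText = 'NotConfigured (remote connections allowed)' }
    elseif ($policy -eq 2)     { $policyText = 'Disabled (remote connections refused)' }
    elseif ($policy -eq 1)     { $policyText = 'Enabled (remote connections allowed)' }
    else                       { $policyText = "Unexpected value $policy" }
    $status    = if ($svc) { "$($svc.Status)" }    else { 'NotInstalled' }
    $startType = if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = $status
        SpoolerStartType  = $startType
        RemotePrintPolicy = $policyText
        # Exposed when the service is running and remote connections are not refused by policy.
        Exposed           = [bool]($svc -and $svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

$before = Get-SpoolerExposure
if ($Remediate -and $before.Exposed) {
    if ($Mode -eq 'DisableService') {
        if ($PSCmdlet.ShouldProcess('Spooler service', 'Stop and set startup type to Disabled')) {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    } else {
        if ($PSCmdlet.ShouldProcess($policyKey, "Set $policyName = 2 and restart Spooler")) {
            if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
            Set-ItemProperty -Path $policyKey -Name $policyName -Value 2 -Type DWord
            # The spooler reads the policy at start-up, so restart it for the change to take effect.
            Restart-Service -Name Spooler -Force
        }
    }
}
# Report the final state (run with -WhatIf to see what -Remediate would change).
Get-SpoolerExposure
```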

AUSCERT Week in Review for 25th June 2021

25 Jun 2021

Greetings,

This week, we shared the final instalment of our blog articles highlighting the winners of our Annual AUSCERT Awards. This time, we featured the AUSCERT2021 Information Security Excellence Winner, Jacqui Loustau. Jacqui is a formidable figure in the Australian information security and cybersecurity community. Have a read of it here.

We’re also pleased to share the following blog piece by Sean McIntyre, one of our Analysts: “I got 99 problems but a vuln ain’t one”. It’s a bit of a tongue-in-cheek one! And cheesy (revised) lyrics aside, Sean shared his top 3 observations from assisting our membership audience.

For those of you based in the Greater Brisbane area who are wanting to hear more about the work done by colleagues at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here.

And last but not least, a big thank you to our AUSCERT2021 media partners at Source2Create for covering such a wide range of our talks and presentations from AUSCERT2021 in Issue 3 of their Women in Security Magazine. To subscribe and download a copy, hop on to their website here.

Until next week everyone, have a great weekend.

Labor Bill would force Aussie organisations to disclose when they pay ransoms
Date: 2021-06-21 Author: ZDNet
The Australian federal opposition has introduced a Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives on Monday by Shadow Assistant Minister for Cyber Security Tim Watts. According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”.

MITRE releases D3FEND, defensive measures complementary to its ATT&CK framework
Date: 2021-06-23 Author: The Record by Recorded Future
The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix. The not-for-profit organization, which also runs the CVE database of known vulnerabilities, received funding to create the D3FEND framework from the US National Security Agency (NSA). The basic idea behind D3FEND is that the framework will provide defensive techniques that system administrators can apply to counter the practices detailed in the ATT&CK matrix, a one-of-a-kind project that was set up in 2015 to catalog and index the most common offensive techniques used by threat actors in the real world.

Tony googled his investment options. Two weeks later, he’d been scammed out of $200,000
Date: 2021-06-24 Author: ABC News
It cost around $20 to set up and conned $200,000 from one victim alone. Here’s how investment scammers tricked Tony into handing over part of his life savings.

Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks
Date: 2021-06-18 Author: The Register
Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA, short for Supply chain Levels for Software Artifacts and pronounced “salsa” for those inclined to add convenience vowels, aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.

Former ASIO boss warns on energy sector cyber
Date: 2021-06-21 Author: InnovationAus
Energy experts and a former ASIO chief have warned that Australia’s critical energy infrastructure is growing in complexity and vulnerability to cyber-attacks, but a commensurate uplift in resilience has not occurred. Former ASIO director general and current chair of the Foreign Investment Review Board David Irvine said energy was one of many Australian sectors lacking sufficient cyber resilience, and that most local organisations are not “caring enough” about the new “tool of warfare”. Progress is being made but not quickly enough, and Australia is vulnerable to sophisticated cyber attacks, Mr Irvine told an Australia Israel Chamber of Commerce business lunch on Friday.

ASB-2021.0121 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction
Microsoft released an update for Edge, the default internet browser for Windows 10. A vulnerability that could lead to remote code execution was addressed.

ESB-2021.2208 – wireshark: Multiple vulnerabilities
9 vulnerabilities were addressed in Wireshark, a commonly used packet analyser.

ESB-2021.2212 – Thunderbird: Multiple vulnerabilities
Multiple vulnerabilities were addressed in Mozilla Thunderbird; these could lead to cross-site scripting attacks and code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 18th June 2021

18 Jun 2021

Greetings,

This week, we shared our June 2021 edition of The Feed, the AUSCERT membership newsletter. Members, be sure to check your inbox(es) for a copy of this newsletter to catch up on all things related to your AUSCERT membership.

We’re pleased to share the following blog piece by our AUSCERT2021 Diversity and Inclusion Champion, Phillip “Pip” Jenkinson from Baidam Solutions. Congratulations Pip, a well-deserved win! For those of you based in the Greater Brisbane area who are wanting to hear more about Pip and the work he does at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here.

Last but not least, we’re proud to announce that there are currently 11 NEW Member Security Incident Notification (MSIN) reports in the pipeline, generated by our team of analysts and all drawn from the expertise of our various threat intelligence partners and resources. This is a pertinent reminder for members to keep your organisation’s IPs and domains up to date on the AUSCERT member portal to make sure you’re able to receive these relevant MSINs as they come through! A recap of how this particular AUSCERT service assists our members with mitigating cyber-attacks can be found here: “How AUSCERT helped its members tackle the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits.”

Until next week everyone, have a great weekend.

Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet
Date: 2021-06-16 Author: Dark Reading
[See related ALERT bulletin ESB-2021.1805 which AUSCERT published on the 26th May]
Thousands of instances of VMware vCenter Servers with two recently disclosed vulnerabilities in them remain publicly accessible on the Internet three weeks after the company urged organizations to immediately patch the flaws, citing their severity. The flaws, CVE-2021-21985 and CVE-2021-21986, basically give attackers a way to take complete control of systems running vCenter Server, a utility for centrally managing VMware vSphere virtual server environments. The vulnerabilities exist in vCenter Server versions 6.5, 6.7, and 7.0.

Nationally-known Australian company lawyered up to resist ASD help
Date: 2021-06-15 Author: ZDNet
The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate, likening it to refusing to cooperate with an air crash investigation. One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security on Friday. “It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said. […] However the unnamed company lawyered up, and it took a week for the ASD to get even basic network information.

Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign
Date: 2021-06-14 Author: Microsoft Security Intelligence
Microsoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions.

Qld govt stumps up $40m for cyber security, digital
Date: 2021-06-16 Author: iTnews
The Queensland government will invest almost $40 million in cyber security and digital service delivery over the next five years as the state’s Covid-19 recovery gets underway.
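The mailbox-forwarding step in the Microsoft Security Intelligence item above (phish the mailbox, then add forwarding rules so the attacker keeps receiving finance-related mail), as an added PowerShell hunt that is not code from the newsletter or from Microsoft. It assumes the ExchangeOnlineManagement module, a signed-in account allowed to read mailboxes, inbox rules and accepted domains, and the recipient string format noted in the comments.

```powershell
# Added example (not from the AUSCERT newsletter or Microsoft): list inbox rules and mailbox-level
# forwarding that send mail to addresses outside the tenant, the persistence step described in the
# BEC item above. Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account can run Get-Mailbox, Get-InboxRule and Get-AcceptedDomain.
param([string]$ReportPath = '.\external-forwarding.csv')

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Every domain the tenant accepts mail for; any forwarding target elsewhere is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLowerInvariant() }

function Get-ExternalAddresses {
    # Assumption (verify in your tenant): inbox-rule recipient fields render as
    # '"Name" [SMTP:user@domain]' for external addresses and '"Name" [EX:/o=...]' for internal
    # ones, so only the SMTP entries can carry mail out of the tenant.
    param([string[]]$Recipients)
    foreach ($r in ($Recipients | Where-Object { $_ })) {
        if ($r -match 'SMTP:([^\]\s]+)') {
            $addr = $Matches[1].ToLowerInvariant()
            if ($internalDomains -notcontains $addr.Split('@')[-1]) { $addr }
        }
    }
}

# One Get-InboxRule call per mailbox; this is slow on large tenants, so scope -Filter if needed.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding set outside of inbox rules (ForwardingSmtpAddress is 'smtp:user@domain').
    if ($mbx.ForwardingSmtpAddress) {
        $target = ("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '').ToLowerInvariant()
        if ($internalDomains -notcontains $target.Split('@')[-1]) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = '<mailbox forwarding>'; Enabled = $true
                Target  = $target; HidesOriginal = -not $mbx.DeliverToMailboxAndForward
            }
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in (Get-ExternalAddresses -Recipients $recipients)) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = [bool]$rule.Enabled
                # A rule that both forwards and deletes hides the conversation from the real owner.
                Target  = $t; HidesOriginal = [bool]$rule.DeleteMessage
            }
        }
    }
}

$findings | Sort-Object Mailbox, Rule | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Treat every row as a lead, not a verdict: legitimate external forwards exist, but a finance user's rule that forwards to a webmail address and deletes the original matches the pattern in the article.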
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Date: 2021-06-16 Author: Mandiant Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. ESB-2021.2130 – ImageMagick: Multiple vulnerabilities 34 vulnerabilities were addressed in ImageMagick, some of which could lead to code execution. ESB-2021.2141 – Nessus Agent: Increased privileges – Existing account Tenable released an update to address privilege escalation vulnerabilities in their Nessus Agent for Windows. ESB-2021.2173 – ALERT [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interaction Another week, another zero-day in Google Chrome. Google reports that this been exploited in the wild so this should be patched as soon as possible. Stay safe, stay patched and have a good weekend! The AUSCERT team


AUSCERT Week in Review for 11th June 2021

11 Jun 2021

Greetings,

This week, we’re pleased to share the following blog piece by our AUSCERT2021 Member Organisation of the Year – team ATO (Australian Taxation Office). Congratulations ATO, and in particular to Cody and Daniel for their efforts and representation of the ATO team at the conference, a well-deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021.

On the topic of the AUSCERT2021 conference, as per tradition, we’re slowly releasing the various recordings of our annual conference presentations and talks on our YouTube channel; please feel free to view them here.

We hope folks were able to get through all of June 2021’s Patch Tuesday fixes. Please refer to our highlighted bulletins and articles below. A quick shout out to our colleague Narayan who processed 74 security bulletins in a single day on Wednesday this week, no small feat. Well done Narayan!

Last but not least, we’re excited to share Episode 2 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 2 features Lukasz Gogolkiewicz, Head of Corporate Security at SEEK, and is titled “Crossing Into The Blue Team In Cyber Security.” Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast.

Until next week everyone, have a great weekend.

Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws
Date: 2021-06-08
Author: Bleeping Computer
[See related bulletins ASB-2021.0114 through to 119; of note is the ALERT for ASB-2021.0116.]
Today is Microsoft’s June 2021 Patch Tuesday, and with it comes fixes for seven zero-day vulnerabilities and a total of 50 flaws, so Windows admins will be scrambling to get devices secured. Microsoft has fixed 50 vulnerabilities with today’s update, with five classified as Critical and forty-five as Important.

Scammers capitalise on pandemic as Australians lose record $851 million to scams
Date: 2021-06-07
Author: ACCC
Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people, according to the ACCC’s latest Targeting Scams report released today. The report compiles data from Scamwatch, ReportCyber, other government agencies and 10 banks and financial intermediaries, and is based on more than 444,000 reports. Investment scams accounted for the biggest losses, with $328 million, and made up more than a third of total losses. Romance scams were the next biggest category, costing Australians $131 million, while payment redirection scams resulted in $128 million of losses.

Govt to mandate the Essential Eight cyber security controls
Date: 2021-06-09
Author: iTnews
The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed. The Attorney-General’s Department revealed the step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience.

The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t…
Date: 2021-06-09
Author: Medium
[Note: this is a lengthy read, approx. 20 minutes, but is considered by our Principal Analyst as a thoughtful and timely contribution to the conversation about the modern ransomware threat.]
We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear.

Australian Federal Police and FBI nab criminal underworld figures in worldwide sting using encrypted app
Date: 2021-06-08
Author: ABC News
More than 200 members of Australia’s mafia and bikie underworld have been charged in the nation’s largest-ever crime sting, police say. As part of a three-year collaboration between the Australian Federal Police (AFP) and Federal Bureau of Investigation (FBI), authorities say underworld figures were tricked into communicating via an encrypted app that had been designed by police. The app, known as AN0M, was used by organised crime gangs around the world to plan executions, mass drug importations and money laundering. Authorities say they were able to read up to 25 million messages in real-time.

JBS paid $11 million to REvil ransomware, $22.5M first demanded
Date: 2021-06-10
Author: Bleeping Computer
JBS, the world’s largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million. On May 31, JBS was forced to shut down some of its food production sites after the REvil ransomware operators breached their network and encrypted some of its North American and Australian IT systems.

ESB-2021.2019 – Intel Products: Multiple vulnerabilities
Intel released firmware updates to address multiple vulnerabilities.

ESB-2021.1994 – BIG-IP (all modules): Multiple vulnerabilities
A flaw was found in the Nettle Cryptographic Library which affects F5 BIG-IP modules.

ESB-2021.1984 – Adobe Photoshop: Execute arbitrary code/commands – Remote with user interaction
Adobe has released updates for Photoshop for Windows and macOS to resolve a critical RCE vulnerability.

ASB-2021.0116 – ALERT Microsoft Windows: Multiple vulnerabilities
Microsoft has released its monthly security patch update for the month of June 2021.

ESB-2021.2097 – Apache HTTP Server: Multiple vulnerabilities
Multiple vulnerabilities have been resolved in Apache HTTP Server 2.4.48.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 4th June 2021

4 Jun 2021

Greetings,

National Reconciliation Week (NRW) 2021 concluded on the 3rd of June and AUSCERT would like to take this opportunity to recap this year’s theme, which was “More than a word. Reconciliation takes action.” To find out more about how we can all be better allies of Australia’s First Nations people, please visit the NRW website here.

Be sure to catch up on our highlighted summary of Security Bulletins and ADIR articles below.

We’re also pleased to share the following blog piece by our AUSCERT2021 Member Individual of the Year Winner – Simon Coggins from CQUniversity. Congratulations Simon, a well-deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021.

Last but not least, we’re excited to share the news that AUSCERT is back in the swing of things with respect to our training options. Earlier this week, our Principal Analyst ran a pilot session of the Introduction to Cyber Security for School Professionals course. For those wanting to find out more about our training options, please visit our website for further information or send us an email.

Until next week everyone, have a great weekend.

New sophisticated email-based attack from NOBELIUM
Date: 2021-05-27
Author: Microsoft Threat Intelligence Center (MSTIC)
Microsoft Threat Intelligence Center has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. In this article, MSTIC have outlined attacker motives, malicious behavior, and best practices to protect against this attack.

ASD using classified capabilities to warn local entities of impending ransomware hit
Date: 2021-06-02
Author: ZDNet
Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD’s “value add”. “We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” Noble said.

JBS resumes meat operations after cyber attack halts production
Date: 2021-06-04
Author: ABC News
Earlier this week, JBS USA confirmed the company was targeted by an organised cyber attack on Sunday, which paralysed its operations in North America and Australia. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia,” [JBS] said in the statement. There is no further information on the source of the attack, which is believed to be a Russian crime gang.

RBA to step up cyber resilience with new identity and access management system
Date: 2021-06-02
Author: ZDNet
The Reserve Bank of Australia said it is looking to modernise its identity and access management capabilities by introducing more automated controls to its existing platform. The RBA explained it currently relies heavily on a mix of manual and automated processes to enforce bank controls but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities. “Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request. “In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.” Under the IDAM project, the RBA identified that it wants to see the delivery of identity governance and administration, hybrid identity infrastructure and password-less multi-factor authentication capabilities, a privileged access management system, and customer identity access management integration.

Countries are increasing their cyber response budgets — but spending still varies widely
Date: 2021-05-28
Author: The Record by Recorded Future
Nations around the world don’t seem to agree on the appropriate amount of money to earmark for cyber defense and incident response, according to an analysis by The Record. But in recent years, almost every country examined has boosted its cyber spending.

ESB-2021.1884 – BIG-IQ Centralized Management: Multiple vulnerabilities
F5 has released an advisory to address a remote code execution vulnerability in the BIG-IQ Centralized Management module.

ESB-2021.1897 – Firefox: Multiple vulnerabilities
Mozilla has released Firefox 89 addressing multiple security vulnerabilities.

ESB-2021.1905 – Cisco SD-WAN products: Root compromise – Existing account
Cisco has addressed a privilege escalation vulnerability in SD-WAN software.

ESB-2021.1908 – Cisco Webex Player: Multiple vulnerabilities
A vulnerability in Cisco Webex Player for Windows and macOS could allow an attacker to execute arbitrary code on an affected system.

ESB-2021.1935 – dhcp: Denial of service – Remote/unauthenticated
A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 28th May 2021

28 May 2021

Greetings,

To kick things off, in conjunction with National Reconciliation Week 2021, AUSCERT would like to take this opportunity to acknowledge the First Nations people as the Traditional Owners of the land on which we are today. We acknowledge all Elders past, present and emerging. The theme this year is “More than a word. Reconciliation takes action.” To find out more about the week and what it means to our First Nations people, please visit the NRW website here.

Our team issued an alert re: VMware earlier this week; be sure to catch up on it below.

For those of you keen to check out photos from the recent AUSCERT2021 conference, we’ve uploaded several albums to the AUSCERT Facebook page.

We’re also pleased to announce that our podcast series “Share today, save tomorrow” is now listed on Spotify. Episode 2 will be released in mid-June.

Last but not least, sharing a special request from our colleagues at UQ Cyber one final time. See below:

Keen on helping the future generation of cyber and information security professionals? Here’s your chance! “Vignette Survey on Effectiveness of Place Managers in Preventing Ransomware” Folks from UQ Cyber are seeking assistance from the AUSCERT membership audience to participate in a cyber security survey that is investigating factors which can influence the effectiveness of cyber security professionals in preventing cyber security incidents such as ransomware within their respective organisations. The survey results will shed valuable insights and influence how organisations should channel their limited resources in preventing cyber security incidents more effectively. The survey will take approximately 20 minutes to complete. To participate, please click here. Surveys close on Monday 31 May. For further information, please feel free to get in touch with Heemeng Ho, the lead researcher of this project.

Until next week everyone, have a great weekend.

This massive phishing campaign delivers password-stealing malware disguised as ransomware
Date: 2021-05-24
Author: ZDNet
A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords and other information from victims. Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer.

Apple fixes macOS zero-day abused by XCSSET malware
Date: 2021-05-24
Author: The Record
Apple has released today security updates for several of its products, including a patch for its macOS desktop operating system that includes a fix for a zero-day vulnerability that has been abused in the wild for almost a year by the XCSSET malware gang. Tracked as CVE-2021-30713, the zero-day was discovered by researchers at security firm Jamf during an analysis of XCSSET, a malware strain that was spotted in the wild in August 2020, hidden inside malicious Xcode projects hosted on GitHub.

VMware says critical vCenter Server bug needs ‘immediate attention’
Date: 2021-05-26
Author: iTnews
[See related bulletin ESB-2021.1805]
VMware said three versions of its vCenter Server management software for controlling vSphere environments are susceptible to a critical security flaw that should be immediately patched. The vendor said in a blog post that the issue needs the “immediate attention” of administrators. “Given the severity, we strongly recommend that you act,” VMware said.

Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises
Date: 2021-05-25
Author: FireEye
Mandiant has observed an increase in compromises of internet-accessible OT assets over the past several years. In this blog post we discuss previously undisclosed compromises and place them in context alongside publicly known incidents. Although none of these incidents have appeared to significantly impact the physical world, their increasing frequency and relative severity calls for analysis on their possible risks and implications.

Oracle Peddled Software Used for Spying on U.S. Protesters to China
Date: 2021-05-26
Author: The Intercept
[Context: In early May 2021, Twitter temporarily suspended an Oracle executive from posting after he used the social network to publicise the e-mail address and Signal phone number of the journalist who wrote this article – whose reporting he had personally found to be biased and inaccurate. This research-based article has been produced to counter this claim by Oracle.]
Chicago police used CIA-backed Oracle software to surveil protesters and mine their Twitter feeds. Oracle then peddled that same software for police work in China. This is an article on global surveillance.

ESB-2021.1794 – Big Sur, Catalina and Mojave: Multiple vulnerabilities
Apple’s latest security updates include a patch for its macOS desktop operating system that fixes a zero-day vulnerability abused by the XCSSET malware gang.

ESB-2021.1805 – ALERT VMware Products: Multiple vulnerabilities
VMware vCenter Server updates address remote code execution and authentication vulnerabilities.

ASB-2021.0112 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft’s Security Update released on 27 May 2021 fixes multiple vulnerabilities in Microsoft Edge (Chromium-based).

ESB-2021.1819 – linux kernel: Multiple vulnerabilities
An update for the Linux Kernel 4.12.14-150_66 fixes three vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 21st May 2021

21 May 2021

Greetings,

To kick things off, we’d like to share the following wrap-up article on AUSCERT2021 which concluded last week. Again, heartfelt thanks to our colleagues, delivery partners, delegates, speakers and sponsors who came along to support our first ever hybrid endeavour. To those of you who registered to attend as a delegate, you can revisit the conference’s key learnings by re-watching the presentations on-demand. A personalised link to access these recordings has been shared by team GEMS Events, so please keep an eye out for it in your inbox. To those who didn’t register as an AUSCERT2021 delegate, we will also be sharing these recordings via our YouTube channel in due time.

Last but not least, sharing a special request from our colleagues at UQ Cyber. See below:

Keen on helping the future generation of cyber and information security professionals? Here’s your chance! “Vignette Survey on Effectiveness of Place Managers in Preventing Ransomware” Folks from UQ Cyber are seeking assistance from the AUSCERT membership audience to participate in a cyber security survey that is investigating factors which can influence the effectiveness of cyber security professionals in preventing cyber security incidents such as ransomware within their respective organisations. The survey results will shed valuable insights and influence how organisations should channel their limited resources in preventing cyber security incidents more effectively. The survey will take approximately 20 minutes to complete. To participate, please click here. For further information, please feel free to get in touch with Heemeng Ho, the lead researcher of this project.

Until next week everyone, have a great weekend.

AFP using a squad of good boys to detect devices such as USBs and SIM cards
Date: 2021-05-20
Author: ZDNet
The Australian Federal Police (AFP) this week revealed some of its canine squad have been trained to sniff out devices, such as USBs and SIM cards, at crime scenes or during the execution of search warrants. In a Facebook post showing a video of one dog, Georgia, finding a phone hidden in a vacuum cleaner, the AFP said since 2019, its three AFP technology detection dogs have located more than 120 devices in support of investigations ranging from child protection investigations to counter terrorism operations.

How to ‘Demystify’ Cybersecurity
Date: 2021-05-14
Author: BankInfoSecurity
[Jeremy Kirk was hosted at the AUSCERT2021 conference as a media representative.]
To defend against cyberattacks, it’s important to “demystify” cybersecurity and break it into risks that can be managed by any organization, says Ciaran Martin, the former director of the U.K. National Cyber Security Center. “It’s very easy to be terrified of cybersecurity,” Martin said. “It’s very easy to be infantilized by cyber risks and the hype around cybersecurity.” In his keynote speech, Martin showed a slide listing key cybersecurity steps, including ensuring software is up to date, making sure partners and suppliers protect data and reviewing authentication methods used to access systems. An essential step, he said, is making sure an organization knows what data it holds and who may most likely try to target it so the right security controls can be deployed. Most organizations, for example, are not going to be targeted by nation-states, he said. “Just manage risk well enough,” Martin said. “You don’t need to have nation-state defenses.” “So understand the harms, have a risk-based approach – a realistic approach, and work with partners,” Martin said. “We can get on top of this problem.”

Exploit released for wormable Windows HTTP vulnerability
Date: 2021-05-17
Author: Bleeping Computer
Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. The bug, tracked as CVE-2021-31166, was found in the HTTP Protocol Stack (HTTP.sys) used by the Windows Internet Information Services (IIS) web server as a protocol listener for processing HTTP requests. Microsoft has patched the vulnerability during this month’s Patch Tuesday, and it impacts ONLY Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.

Chrome now automatically fixes breached passwords on Android
Date: 2021-05-18
Author: Bleeping Computer
Google is rolling out a new Chrome on Android feature to help users change passwords compromised in data breaches with a single tap. Chrome already helped you check if your credentials were compromised and, with the rollout of the new automated password change feature, it will also allow you to change them automatically. Now, whenever checking for stolen passwords on supported sites and apps, Google Assistant will display a “Change password” button that will instruct Chrome to navigate to the website and go through the entire password change process on its own.

Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
Date: 2021-05-17
Author: WIRED
Ransomware groups have always taken a more-is-more approach. If a victim pays a ransom and then goes back to business as usual—hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”

ASB-2021.0111 – Microsoft Edge (based on Chromium): Multiple vulnerabilities
Microsoft Edge, the default browser for Windows 10, contained multiple vulnerabilities that could lead to arbitrary code execution.

ESB-2021.1721 – GNOME: Multiple vulnerabilities
Patches were made available for GNOME to address multiple code execution vulnerabilities.

ESB-2021.1702 – sudo: Multiple vulnerabilities
Red Hat released patches for vulnerabilities that could lead to privilege escalation via sudo utilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 14th May 2021

14 May 2021

Greetings,

What a week! (although it certainly feels like we’ve been saying this a bit in 2021)

To kick things off, we celebrated the 20th anniversary of our annual conference, AUSCERT2021. It’s been a week of awesome catch-ups and learnings from the various presentation sessions on the conference program. Thank you so much for the support of our wonderful sponsors and delegates. We hope you enjoyed coming back together in-person as much as the AUSCERT team did. For those who couldn’t make it, we will be sharing the content from the conference in due time via our YouTube channel.

We hope folks were able to get through all of May 2021’s Patch Tuesday fixes; please refer to our highlighted bulletins and articles below.

Thrilled to announce that we’ve now officially launched our AUSCERT podcast, “Share today, save tomorrow” – a special shout out to our ex-colleague Nick Soysa for coining this phrase. Episode 1 is now available on our website here.

Last but not least, thank you for supporting AUSCERT taking over the @WeAreBrisbane Twitter account this week; we hope that was an educational one for those who play in the Twitter space.

Until next week everyone, have a wonderful weekend – to our colleagues and followers of Muslim faith, Happy Eid ul Fitr, Eid Mubarak!

Microsoft’s May 2021 Patch Tuesday: 55 flaws fixed, four critical
Date: 2021-05-11
Author: ZDNet
Microsoft’s May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited. Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office to name a few. You can find the updates for May here. The fixed zero-day bugs include:
– CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
– CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
– CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability

Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader
Date: 2021-05-11
Author: Threatpost
A patch for Adobe Acrobat, the world’s leading PDF reader, fixes a vulnerability under active attack affecting both Windows and macOS systems that could lead to arbitrary code execution. Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. A patch is available, as part of the company’s Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento.

Attackers added thousands of Tor exit nodes to carry out SSL stripping attacks
Date: 2021-05-10
Author: Security Affairs
Starting from January 2020, a threat actor has been adding thousands of malicious exit relays to the Tor network to intercept traffic and carry out SSL stripping attacks on users while accessing mixing websites, The Record first reported. SSL Stripping (aka SSL Downgrade Attack) allows downgrading a connection from secure HTTPS to HTTP, which could expose the traffic to eavesdropping and data manipulation. In the case of the attacks against the Tor network, threat actors aimed at replacing the addresses of legitimate wallets with ones under the control of the attackers to hijack transactions. In August 2020, the security researcher and Tor node operator “Nusenu” described this practice in an analysis on how malicious Tor Relays are exploiting users in 2020. Nusenu has published a new part of this research that reveals that the threat actor is still active.

US and Australia warn of escalating Avaddon ransomware attacks
Date: 2021-05-10
Author: Bleeping Computer
The Federal Bureau of Investigation and the Australian Cyber Security Centre are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world. The ACSC expanded on the targeting information, saying that the ransomware gang’s affiliates are targeting entities from a wide range of sectors, including but not limited to government, finance, law enforcement, energy, information technology, and health.

A Closer Look at the DarkSide Ransomware Gang
Date: 2021-05-11
Author: Krebs on Security
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue. New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment. “This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.

The DarkSide of the Ransomware Pipeline
Date: 2021-05-11
Author: Splunk
If you want to quickly find out how to use Splunk to find activity related to the DarkSide Ransomware, skip to the “Detection and Remediation of DarkSide” section. Otherwise, read on for a quick breakdown of what happened to the Colonial Pipeline, how to detect the ransomware, and view MITRE ATT&CK mappings.

ESB-2021.1611 – ALERT Adobe Acrobat & Adobe Reader: Multiple vulnerabilities
Adobe reports that CVE-2021-28550, which could lead to arbitrary code execution, has been exploited in the wild.

ASB-2021.0101 – ALERT exim: Multiple vulnerabilities
Serious vulnerabilities identified in the Exim mail server allow remote attackers to gain complete root privileges.

ASB-2021.0110 – ALERT Microsoft Extended Security Update products
Microsoft releases its monthly security patch update for the month of May 2021, resolving 12 vulnerabilities.

ESB-2021.1644 – ALERT libgetdata: Multiple vulnerabilities
Multiple vulnerabilities in libgetdata are addressed by Debian’s security updates.

ASB-2021.0108 – Microsoft Developer Tools: Multiple vulnerabilities
The latest security patches from Microsoft fix multiple vulnerabilities in Developer Tools.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
