Week in review

AUSCERT Week in Review for 21st August 2020

21 Aug 2020

Greetings,

Members, keep an eye out for a copy of the August edition of our membership newsletter “The Feed” landing in your inbox today.

This week we supported the National Scams Awareness Week 2020 as a campaign partner and shared the various messages through our social media channels; don’t forget to visit this campaign page for further details and tips on how to protect yourself against scams.

In lieu of the various member meet-ups we have been unable to host this year, our team hosted a series of webinars featuring our range of services, with the focus on how to maximise the utilisation of these services. Topics covered: Malicious URL Feed, Security Bulletins and Phishing Take-Down. To catch up on the recordings of these sessions, visit our YouTube channel here.

Last but not least, we’d previously shared this on our LinkedIn page – the Australian Department of Home Affairs is inviting you to have your say on the Protecting Critical Infrastructure and Systems of National Significance Package 2020. This initiative is particularly relevant to members from the following critical infrastructure sectors:
• Banking and Finance
• Communications
• Data and the Cloud
• Defence industry
• Education, Research and Innovation
• Energy
• Food and Grocery
• Health
• Space
• Transport
• Water

Until next week, take care and have a great weekend everyone.

Over 25% of all UK universities were attacked by ransomware
Date: None
Author: Bleeping Computer

A third of the universities in the United Kingdom responding to a freedom of information request admitted to being a victim of a ransomware attack. These represent more than 25% of the universities and colleges in the country. The incidents occurred in the past decade, most of them between 2015 and 2017. Several educational institutions suffered at least two file-encrypting attacks over the past decade, one of them recording more than 40 since 2013.

Digital PR and SEO agency TopLine Comms on June 29 submitted an FOI request to 134 universities in the U.K., asking if they had recorded a ransomware attack, when it happened, if they paid a ransom or not, and what the amount was if they did pay.

University of Utah pays $450K ransom to stop leak of stolen data
Date: 2020-08-20
Author: Bleeping Computer

The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack. Since the end of 2019, ransomware operators have started stealing unencrypted files before deploying their ransomware. The ransomware gang then threatens the victims by saying they will publicly leak the stolen files if a ransom is not paid.

ACT Education blocks student Gmail access after spam email storm
Date: 2020-08-14
Author: ITNews

ACT’s Education Directorate has blocked all public school students from accessing their Google email accounts after they were spammed en masse on Friday. The spam campaign emerged on Friday afternoon with an undisclosed number of students receiving dozens of emails, resulting in a reply-all “email storm”. iTnews understands some of the emails link to lewd websites and Instagram accounts, while other messages tried to solicit inappropriate images.

World’s largest cruise line operator Carnival hit by ransomware
Date: None
Author: Bleeping Computer

Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend. Carnival Corporation is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.

In an 8-K form filed with the Securities and Exchange Commission, Carnival Corporation has disclosed that one of its brands suffered a ransomware attack on August 15th, 2020. As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach.

ESB-2020.2832 – GitLab: Access confidential data – remote/unauthenticated
GitLab released new versions to fix a critical issue with deploy token access control, but owing to a packaging error, they didn’t contain the fix. A second set of versions was released soon after.

ESB-2020.2809 – Jenkins core and plugins: Multiple vulnerabilities
Sentences like these really show the complexity of software: “Jenkins […] does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability.”

ESB-2020.2852 – Cisco vWAAS: Administrator compromise – remote/unauthenticated
“A vulnerability in vWAAS … could allow an unauthenticated, remote attacker to log into the CLI … by using accounts that have a default, static password.” Cisco have rooted out countless issues like these in recent years.

ESB-2020.2680.2 – Cisco AnyConnect for Windows: Multiple vulnerabilities
This was updated with Cisco’s advice that proof-of-concept exploit code has been published.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 14th August 2020

14 Aug 2020

Greetings,

If you were part of the first 600 delegates who registered for AUSCERT2020, you would have received an email earlier this week with details confirming your entitlement to a complimentary Conference Swag Bag. We trust that you’re as excited as we are that the conference is only 5 weeks away.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise usage of these within our membership group. Our last session pre AUSCERT2020 is detailed below:
• 19th August – Phishing Takedowns (register HERE)

Last but not least, next week marks the National Scams Awareness Week 2020 and, as a campaign partner, AUSCERT will be sharing the various messages from this campaign through our social media channels.

Until next week, take care and have a great weekend everyone.

Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Date: 2020-08-11
Author: Threatpost
[Refer to AUSCERT related bulletins ASB-2020.0139, ASB-2020.0140 and ASB-2020.0145. Member portal login required.]

Two Microsoft vulnerabilities are under active attack, according to the software giant’s August Patch Tuesday Security Updates. Patches for the flaws are available for the bugs, bringing this month’s total number of vulnerabilities to 120. One of the flaws being exploited in the wild is CVE-2020-1464, a Windows-spoofing bug tied to the validation of file signatures on Windows 10, 7, 8.1 and versions of Windows Server. Rated “important,” the flaw allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said. A second zero-day is a remote code-execution bug rated “critical,” which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem.

A successful hack gives the attacker the same user rights as the current user, the company wrote.

NSW govt agencies to face cyber security inquiry
Date: 2020-08-12
Author: iTnews

A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks. The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry. The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

Upgraded Agent Tesla malware steals passwords from browsers, VPNs
Date: 2020-08-10
Author: Bleeping Computer

New variants of the Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

Travelex Forced into Administration After Ransomware Attack
Date: 2020-08-10
Author: Infosecurity Magazine

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.

The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK. PwC remained upbeat about the future of the company, following its £84 million restructuring.

ESB-2020.2680.2 – Cisco AnyConnect client for Windows: Increased privileges
Cisco updated last week’s advisory to add that proof-of-concept exploit code is now available.

ESB-2020.2803 – Apache Struts: Multiple vulnerabilities
Apache Struts is one of those libraries deployed more widely than you’d think, and a previous vulnerability contributed to the infamous Equifax breach.

ESB-2020.2780 – Citrix Endpoint Management aka XenMobile Server: Unspecified critical vulnerabilities
Citrix released a patch assessed as critical severity without providing detail on the vulnerabilities involved, which is a fun mystery.

ESB-2020.2802 – Microsoft Dynamics 365: Remote code execution
Microsoft released a separate advisory the day after Patch Tuesday to warn of this RCE and its corresponding patch, also assessed as critical.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 7th August 2020

7 Aug 2020

Greetings,

This week we wanted to highlight the blog we’ve written on the topic of the ProctorU breach. Key takeaways include: members are encouraged to assess it in the context of their own organisation; this breach mainly affects educational institutions who used ProctorU (prior to approximately Q3 of 2016); and AUSCERT has notified affected members through their normal incident email alias.

Thank you to those who attended our Malicious URL Feed and Security Bulletins webinars. To catch up on the content we’d presented for these, drop by our YouTube channel.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Our last session pre AUSCERT2020 is detailed below:
• 19th August – Phishing Takedowns (register HERE)

Last but not least, further to the Prime Minister’s press conference with Home Affairs Minister Peter Dutton yesterday, we wanted to share the official launch details of Australia’s 2020 Cyber Security Strategy. The Strategy outlines Australia’s approach to protecting Australians from growing cyber threats and has committed an investment of $1.67 billion over 10 years to achieve this vision. We hope you find this document a useful resource.

Until next week, take care and have a restful weekend everyone.

Australia’s Cyber Security Strategy 2020
Date: 2020-08-06
Author: Australian Department of Home Affairs

The Australian Government has today launched Australia’s Cyber Security Strategy 2020. The Strategy outlines Australia’s approach to keeping families, vulnerable Australians, critical infrastructure providers and business secure online. It is a strategy for all Australians and Australian businesses. Security is a whole-of-community effort, in which we all have a role to play.

The Strategy will invest $1.67 billion to build new cyber security and law enforcement capabilities, assist industry to protect themselves and raise the community’s understanding of how to be secure online. This includes the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package. We encourage all Australians to read the Cyber Security Strategy 2020 and play your part in creating a more secure online world.

INTERPOL report shows alarming rate of cyberattacks during COVID-19
Date: 2020-08-04
Author: INTERPOL

An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure. With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption. In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

Hacker leaks passwords for 900+ enterprise VPN servers
Date: 2020-08-04
Author: ZDNet

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

According to a review, the list includes:
• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

Phishing campaigns, from first to last victim, take 21h on average
Date: 2020-08-01
Author: ZDNet

A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work. “We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit,” the research team wrote in a report they are scheduled to present at the USENIX security conference this month.

ESB-2020.2699 – Cisco Identity Services Engine: Access confidential data – Existing account
There was a large batch of Cisco bulletins released this week.

ESB-2020.2679 – GRUB2: Multiple vulnerabilities
Further GRUB2 patches were released by many Linux distros, including fixes for regressions.

ESB-2020.2661 – Android: Multiple vulnerabilities
Android patches released.

ESB-2020.2672 – Whoopsie: Multiple vulnerabilities
Isn’t that just a great product name!

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 31st July 2020

31 Jul 2020

Greetings,

This Thursday started out with a surprise, with a responsible disclosure of GRUB2 vulnerabilities by Eclypsium. A supporting write-up and ASB have been issued by AUSCERT to help you wade through the original advisories.

In other news, we are excited to announce our 3rd keynote speaker for AUSCERT2020 – Julie Inman-Grant – Australia’s eSafety Commissioner. In this role, Julie leads the world’s first government agency committed to keeping its citizens safer online. We look forward to hosting her on Friday 18th September.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Details below:
• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (register HERE)

And last but not least, another quick reminder for members to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Until next week, have a great weekend and remember to keep washing your hands and stay 1.5m apart in public areas!

Billions of Devices Impacted by Secure Boot Bypass
Date: 2020-07-29
Author: Threatpost
[Refer to AUSCERT bulletin ASB-2020.0135 and blog post on the AUSCERT website “There’s a hole in the boot”]

The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks. Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning. GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems.

Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.

Hacker leaks 386 million user records from 18 companies for free
Date: 2020-07-28
Author: Bleeping Computer

A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches. Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data. ShinyHunters has been involved in or responsible for a wide assortment of data breaches this past year, including Wattpad, Dave, Chatbooks, Promo.com, Mathway, HomeChef, and the breach of a Microsoft private GitHub repository. Of the databases released since July 21st, nine of them were already disclosed in some manner in the past. The other nine, including Havenly, Indaba Music, Ivoy, ProctorU, Rewards1, Scentbird, and Vakinha, have not been previously disclosed.

CISO concern grows as ransomware plague hits close to home
Date: 2020-07-28
Author: ZDNet

Ransomware is on a roll. Garmin is currently wrestling with a ransomware-induced outage, and locally in Australia, 2020 has seen ransomware take out major companies and threaten beer supplies when it hit logistics giant Toll and beverage company Lion. Toll has only recently recovered from its second dose of the year. These sorts of attacks are starting to ring alarm bells, with APAC CISO of JLL Mark Smink telling ZDNet on Tuesday the ransomware plague has evolved a long way from where it was four or five years ago.

Mystery actor disrupts Emotet malware distribution botnet
Date: 2020-07-25
Author: iTnews

Malware payloads replaced with animated GIFs.

Security researchers are watching the infrastructure of malware delivery botnet Emotet being compromised by an unknown actor, disrupting the criminals’ activities in the process. Microsoft cyber security researcher Kevin Beaumont wrote that someone is currently replacing the malware files distributed by Emotet with animated GIF images. The images include one of Hackerman, who starred in the internet cult classic Kung Fury.

ASB-2020.0135 – Linux and Windows: Multiple vulnerabilities
Summary of the GRUB2 bootloader vulnerability “BootHole” which made headlines late this week.

ESB-2020.2587 – APSB20-47 Security updates available for Magento
Adobe issued an out-of-band patch for 2 critical and 2 important vulnerabilities in the Magento e-commerce system, which has been famously targeted by MageCart malware in the past.

ESB-2020.2599 – Cisco SD-WAN Solution Software Buffer Overflow Vulnerability
Cisco’s updates this week included an unauthenticated root compromise. Quelle surprise.

ESB-2020.2561 – SQLite: Multiple impacts
SQLite is one of those core software projects – few people think about it, but everybody uses it. This issue was in the query optimisation engine.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 24th July 2020

24 Jul 2020

Greetings,

A slightly less hectic one this week. A quick reminder to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Thank you also to those members who attended our Malicious URL Feed webinar which took place on Wednesday 22 July; we trust that you benefitted from the session. The good news is, we will be hosting a couple more of these sessions on different topics:
• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (registration details TBC)

And last but not least, in case you haven’t stumbled across this already, the Australian Government Department of Home Affairs have released their report on Australia’s 2020 Cyber Security Strategy. AUSCERT is very proud to have been involved in the consultation process through our parent organisation, The University of Queensland, late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences, which are structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT. “Cyber security has never been more important” – we hope you find this report useful.

Until next week, have a great weekend everyone!

New ‘Shadow Attack’ can replace content in digitally signed PDF files
Date: 2020-07-23
Author: ZDNet
[The researchers disclosed this in early March, Adobe released a patch in mid-May which we published as ESB-2020.1693, and the researchers have gone public this week with information and proofs of concept. This raises the public profile of the vulnerability and increases the chance that it will be exploited; patch your PDF viewer applications!]

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany. Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack.

20,000+ new vulnerability reports predicted for 2020, shattering previous records
Date: 2020-07-22
Author: Help Net Security

Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals.

Why the internet went haywire last week
Date: 2020-07-20
Author: ZDNet

It was another end of the work week; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions of users found their internet services failing.

ESB-2020.2480 – [Win][Mac] Photoshop: Multiple vulnerabilities
Adobe’s patch day included arbitrary code execution upon opening a crafted file.

ESB-2020.2460 – [Win][UNIX/Linux] Python: Execute arbitrary code/commands – Remote with user interaction
Insecure linked library loading in the pliable language led to potential privilege escalation.

ESB-2020.2260.7 – UPDATED ALERT [Appliance] F5 Networks: Multiple vulnerabilities
F5’s fix for a critical unauthenticated RCE in their Traffic Manager User Interface has received a lot more information this week, including a warning that the Viprion B2250 Blade may have problems with the provided patch.

ESB-2020.2464 – [Win][UNIX/Linux] Moodle: Multiple vulnerabilities
Moodle released three advisories marked “serious” and one marked “minor”, including teachers for a course being able to assign themselves as a manager of that course and increase their own privileges.

ESB-2020.2541 – [Linux] QRadar Advisor: Access confidential data – Console/Physical
Just for a change of pace, here’s a simple one: IBM accidentally didn’t obscure the password field in a login form, so someone could read it over your shoulder. CVE-2020-4408.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th July 2020

17 Jul 2020

Greetings,

Have we been busy! This week has been another tough one for networking vendors. SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles and bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP.

And last but not least, an AUSCERT membership email would have landed in your inbox this week containing some important updates for July 2020:
• An invitation to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback; thank you in advance for your time and support!
• An update regarding our Quarter 2: an overview of the cyber security incidents reported by members from 1 April – 30 June 2020, including a summary of other key achievements this quarter.
• An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July.

Until next week, wishing everyone a restful weekend.

Critical SAP Recon flaw exposes thousands of systems to attacks
Date: 2020-07-13
Author: Bleeping Computer
[Refer to AUSCERT bulletin ESB-2020.2381]

SAP patched a critical vulnerability affecting over 40,000 systems and found in SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments. The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team.

Microsoft urges patching severe-impact, wormable server vulnerability
Date: 2020-07-15
Author: Ars Technica
[Refer to AUSCERT bulletin ASB-2020.0120; member portal login required]

Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer. The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Cyber experts urge Australia to develop local capability to defend against hackers
Date: 2020-07-12
Author: Sydney Morning Herald

Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy. Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market.

Thousands of shop, bank, and government websites shut down by EV revocation
Date: 2020-07-13
Author: Netcraft

More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced.

Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge. On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.

SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework
Date: 2020-07-13
Author: CISION PR Newswire
[SANS Institute will be speaking and are a sponsor at AUSCERT2020.]

A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture.

Outlook down? How to fix it
Date: 2020-07-15
Author: ZDNet

It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worse. For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities
A critical vulnerability in SAP NetWeaver AS Java has been identified; applying the critical patches as soon as possible is recommended.

ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities
Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server.

ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities
Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch.

ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities
Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 10th July 2020

10 Jul 2020

Greetings,

We started the week with a critical alert for members to urgently patch the multiple vulnerabilities found within F5’s BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation. This week we also learned about CVE-2020-2034, a critical vulnerability in Palo Alto’s PAN-OS, and CVE-2020-1654 affecting Juniper’s SRX Series devices. It’s been a tough week for networking vendors.

Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about and hopefully it comes in handy for you too.

Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service and will be part of a long-term service improvement project. We look forward to collating our member thoughts and feedback!

Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home.

Critical F5 BIG-IP vulnerability made public
Date: 2020-07-06 Author: ITNEWS
[See also AUSCERT bulletin ESB-2020.2260.5.]
Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public. Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices. The vulnerability rates 10 out of 10 on the Common Vulnerability Scoring System (CVSS), and lies in a lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices.

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
Date: 2020-07-07 Author: Threatpost
[Refer to AUSCERT bulletin ESB-2020.2310]
Admins should patch their Citrix ADC and Gateway installs immediately. Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.

Exploit developed for critical Palo Alto authentication flaw
Date: 2020-07-06 Author: The Daily Swig (Portswigger)
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks. The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale. Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods. “Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises. “They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”

Microsoft takes down domains used in COVID-19-related cybercrime
Date: 2020-07-07 Author: Bleeping Computer
Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic. The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to help harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks. The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.

$2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise
Date: 2020-07-06 Author: The Conversation
Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before. The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report. But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before.

Mozilla suspends Firefox Send service while it addresses malware abuse
Date: 2020-07-07 Author: ZDNet
Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism.

Windows 10’s Microsoft Store Codecs patches are confusing users
Date: 2020-07-05 Author: BleepingComputer
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library [known as the HEVC packages]. They stated that they affected both Windows 10 and Windows Server at the time. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store. Even more confusing, the advisories did not explain what Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update.

Microsoft Defender ATP web content filtering is now free
Date: 2020-07-06 Author: BleepingComputer
The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license. Web Content Filtering is part of Microsoft Defender ATP’s Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category. The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge).

ESB-2020.2310 – Citrix: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues.

ESB-2020.2260.5 – UPDATED ALERT F5 Networks: Multiple vulnerabilities
A new mitigation has been developed and published to address an RCE vulnerability in the TMUI.

ESB-2020.2339 – Citrix Hypervisor products: Multiple vulnerabilities
Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor.

ESB-2020.2309 – Android: Multiple vulnerabilities
Multiple security vulnerabilities have been identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues.

ESB-2020.2305 – firefox: Multiple vulnerabilities
An update has been released to address multiple vulnerabilities in Firefox.

ESB-2020.2297 – thunderbird: Multiple vulnerabilities
Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

ESB-2020.2296 – php7.0: Multiple vulnerabilities
Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 03rd July 2020

3 Jul 2020

Greetings,

This week we welcomed the announcement of a record $1.35 billion investment in cyber security by the Australian Government. Hopefully this funding package will mean more Australian organisations can identify the ever-present cyber threats and protect themselves against these challenges. As always, AUSCERT is supportive of both the ASD and ACSC in their vital work within this industry and hopes to leverage their expertise in our mission to help members prevent, detect, respond to and mitigate cyber-based attacks.

Following the discovery of the Palo Alto vulnerability, we wanted to take this opportunity to remind members to update us with all relevant domains and IP ranges – via our member portal – that you want to receive alerts for. In this particular instance, affected members were contacted directly with a tailored email and it would have been a shame to be left off this list.

And last but not least, a reminder that tutorial and workshop registrations for Virtual AUSCERT2020 are now open and priority access will be granted to all AUSCERT members. Spots are filling up fast so be sure to get in quick!

Until next week, wishing everyone a restful weekend, especially the parents amongst us who are in the midst of or about to start their school holiday breaks.

…

Inside the hacking attacks bombarding Australia
Date: 2020-06-29 Author: ABC News
Who are these people? Who is directing them? What are they after? And most important of all — how can they be stopped? Questions like these have been asked more urgently since Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”. Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers. It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom.

Microsoft releases urgent security updates for Windows 10 Codecs bugs
Date: 2020-07-30 Author: Bleeping Computer
[Refer to AUSCERT Bulletin ASB-2020.0117, which is member-only content.]
Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. Both desktop and server platforms are affected. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory.

Beware “secure DNS” scam targeting website owners and bloggers
Date: 2020-06-29 Author: Naked Security
If you run a website or a blog, watch out for emails promising “DNSSEC upgrades” – these scammers are after your whole site.

The psychology of social engineering—the “soft” side of cybercrime
Date: 2020-07-30 Author: Microsoft Security Blog
Forty-eight percent of people will exchange their password for a piece of chocolate, 91 percent of cyberattacks begin with a simple phish, and two out of three people have experienced a tech support scam in the past 12 months. What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

Over 82,000 Aussies’ details leaked in crypto scam
Date: 2020-07-01 Author: ITNews
Personal details of tens of thousands of Australians who fell for a fraudulent cryptocurrency investment scheme that used fake media sites and celebrity endorsements have been leaked onto the web. Singaporean security vendor Group-IB discovered 248,926 sets of personally identifiable information, of which 82,263 records were from Australian users, leaked by an unknown party. Details leaked include names, email addresses and phone numbers.

ESB-2020.2239 – misp: Multiple vulnerabilities
A new version of MISP has been released with a significant refactoring of the STIX import/export along with many improvements.

ESB-2020.2234 – chromium-browser: Multiple vulnerabilities
An important update for Chromium has been released that fixes a use-after-free bug in extensions.

ESB-2020.2208 – McAfee Enterprise Appliance: Multiple vulnerabilities
McAfee Security Bulletin – Enterprise Appliance updates address two vulnerabilities.

ESB-2020.2271 – Cisco Systems: Multiple Vulnerabilities
Cisco has released software updates that address a cross-site scripting vulnerability in Cisco Small Business RV042 and RV042G Routers.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 26th June 2020

26 Jun 2020

Greetings,

This week we’ve observed an increase in business email compromise cases so we thought it was pertinent to share this updated blog post here. Our top 3 tips to combat this threat are listed below; please help us spread this message along to your colleagues:
* Educate users, particularly those that handle payments, of the nature of the attack
* Follow up email requests with a telephone call to verify their veracity
* Implement appropriate checking of financial transactions

Following on from the ACSC advisory issued on Friday last week, we would like to feature (and reiterate again) the following blog post containing practical tips on “How to use the YARA rules for the copy-paste compromises”. If you’ve received YARA rules, then this will help you use them. If not, we aren’t able to share them with you.

And last but not least, members, a reminder that with the effective establishment of Slack, our member IRC channel will be decommissioned from Wednesday 1st July, 2020. For those of you wanting to join us on Slack, please do so by logging in with your member portal credentials here.

We hope that everyone enjoys a safe and restful weekend.

NVIDIA patches high severity flaws in Windows, Linux drivers
Date: 2020-06-24 Author: Bleeping Computer
NVIDIA has released security updates to address security vulnerabilities found in GPU Display and CUDA drivers and Virtual GPU Manager software that could lead to code execution, denial of service, escalation of privileges, and information disclosure on both Windows and Linux machines. All the flaws patched today require local user access and cannot be exploited remotely; attackers would first have to gain a foothold on the exposed machines to launch attacks designed to abuse these bugs. Once that is achieved, they could exploit them by remotely planting malicious code or tools targeting one of these issues on devices running vulnerable NVIDIA drivers.

Twitter is “very sorry” for a security breach that exposed private data of business accounts
Date: 2020-06-24 Author: The Tech Portal
Twitter is back in cybersecurity news, as the company reports yet another data breach via its platform. In an email sent to its business users, Twitter said that there is a “possible” data breach that may have exposed private information of these accounts. Business users are generally those accounts which advertise on the platform.

Australian security cameras hacked, streamed on a Russian-based website
Date: 2020-06-24 Author: ABC News
Australians are being filmed through private security cameras that are being streamed on a website based in Russia. Key points:
* The Insecam website broadcasts live streams of compromised web-connected security cameras and webcams
* The site allows people to control the cameras by zooming in and out and moving the camera around
* The group behind the website denied it hacked the cameras

Hackers use Google Analytics to steal credit cards, bypass CSP
Date: 2020-06-22 Author: Bleeping Computer
Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.

New taskforce to push cyber security standards
Date: 2020-06-22 Author: iTnews
A cross-sector taskforce of experts from the defence, energy, health and financial services sectors has been created to accelerate the adoption of industry cyber security standards across Australia. The taskforce, which held its first meeting on Monday, is the result of an “Australian-first” collaboration between the NSW government, AustCyber and Standards Australia. It follows earlier reports on Monday that the federal government is crafting minimum cyber security standards for businesses, including critical infrastructure, as part of its next cyber security strategy.

ESB-2020.2191 – telnet multiple vulnerabilities
A serious remote code execution vulnerability found in Cisco IOS XE Software.

ESB-2020.2116.2 – Cisco Webex Meetings Desktop App multiple vulnerabilities
Another code execution vulnerability was patched in the Cisco Webex Meetings Desktop App.

ESB-2020.2206 – kernel multiple vulnerabilities
Multiple NVIDIA code execution vulnerabilities patched on Ubuntu.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team

AUSCERT Week in Review for 19th June 2020

19 Jun 2020

Greetings,

Another busy week for everyone, no doubt. A couple of emails would have landed in your inbox this week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter aka The Feed. Be sure to catch up on these details and let us know if you have any further queries.

A few important advisories we wanted to highlight for this week:
* The ACSC has issued threat advice relating to the targeting of Australian governments and companies by a sophisticated state-based actor. We’ve provided further commentary on this via our blog HERE.
* Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack (known as Ripple20); see our AUSCERT bulletin below.
* Adobe has released out-of-band security updates to address 18 critical flaws; see the highlighted bulletins below.

And with that, we hope that everyone implements these latest patches and starts enforcing multi-factor authentication across all areas of your business.

We hope everyone enjoys a safe and restful weekend, until our next Week in Review edition!

…

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
Date: 2020-06-19 Author: ACSC | Cyber.gov.au
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

Active ransomware campaign leveraging remote access technologies
Date: 2020-06-16 Author: CERT-NZ
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched. The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the compromised network, and restore encrypted files from backup.

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks
Date: 2020-06-16 Author: SecurityWeek
[See AUSCERT bulletin ESB-2020.2090]
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday. Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20. The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

Privacy confusion over COVID Safe Checklist rules for hospitality venues
Date: 2020-06-14 Author: ABC News
Notebooks, spreadsheets and paper forms used to collect personal information at cafes and restaurants are creating fears about privacy breaches and safety concerns. Queensland Council of Civil Liberties president Michael Cope says State Government guidelines about how businesses must collect and store information about customers are not clear enough. The COVID Safe Checklist for businesses requires that they keep contact information for all customers, workers and contractors, including names, addresses and mobile phone numbers for at least 56 days. This information is to be “captured and stored confidentially and securely”.

No, that wasn’t a DDoS attack, just a cellular outage
Date: 2020-06-16 Author: CyberScoop
Neville Ray, chief technology officer at T-Mobile, said Tuesday that the company had fixed the issues. Security experts quickly pinned the issue on T-Mobile network configuration issues which resulted in the hours of downtime for customers, rather than a malicious DDoS meant to knock services offline by flooding them with internet traffic. Instead of acknowledging the more complicated reality, Anonymous amplified screenshots of a DDoS attack map that the security firm Arbor Networks uses as marketing to create interest in its product.

ESB-2020.2077 – APSB20-37 Security update available for Adobe Illustrator
Adobe released updates for multiple products this week.

ESB-2020.2090 – ICS Advisory (ICSA-20-168-01) Treck TCP/IP Stack
Possibly millions of systems affected.

ESB-2020.2116 – Cisco Webex Meetings Desktop App Vulnerabilities
Cisco released numerous updates this week.

ESB-2020.2104 – New BIND releases are available
The recent BIND vulnerabilities affect multiple products.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 12th June 2020

12 Jun 2020

Greetings,

The winter chill has certainly set in as we head into the 3rd week of June. Thank you to those who participated in our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar took place on Wednesday 10th June. To view a recording of this session, please visit our YouTube channel here.

Members, keep an eye out for a couple of emails landing in your inbox next week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter aka The Feed.

And last but not least, we shared the news that the Microsoft June 2020 Patch Tuesday was the largest ever with 129 fixes, so don’t forget to action these items and patch those vulnerabilities. A great reference point is of course our very own Security Bulletins page.

Until next time, we hope everyone enjoys a safe and restful weekend.

…

Microsoft June 2020 Patch Tuesday: largest ever with 129 fixes
Date: 2020-06-09 Author: Bleeping Computer
Today is Microsoft’s June 2020 Patch Tuesday, and as many Windows administrators will be routinely screaming at computers, please be nice to them! With the release of the June 2020 Patch Tuesday security updates, Microsoft has released one advisory for an Adobe Flash Player update and fixes for 129 vulnerabilities in Microsoft products. Of these vulnerabilities, 11 are classified as Critical, 109 as Important, 7 as Moderate, and 2 as Low. This is the largest Patch Tuesday update ever released by Microsoft, with the second-largest being 115 fixes in March 2020, and the third-largest with 113 fixes in April 2020.

Fisher & Paykel Appliances struck by Nefilim ransomware
Date: 2020-06-10 Author: IT News
Fisher & Paykel Appliances is the latest big brand name to be struck down by ransomware, shutting down its operations while it recovered following the attack. The whitegoods manufacturer’s spokesperson Andrew Luxmoore confirmed the attack to iTnews, saying it took place early last week. “The attempt was identified quickly and, as a result, we locked down our IT ecosystem immediately,” he said.

Drinks maker Lion shuts IT systems after ‘cyber incident’
Date: 2020-06-09 Author: IT News
Fast moving consumer goods giant Lion has shut down its IT systems after a “cyber incident” on Tuesday. The attack was first reported by the Sydney Morning Herald, which said the attack had “disrupted” manufacturing and remote access to systems. “Lion has experienced a cyber incident and has taken the precaution of shutting down our IT systems, causing some disruption to our suppliers and customers,” the company said in a brief statement on its website.

Because things aren’t bad enough already: COVID-19 is going to mess up election security assumptions too
Date: 2020-06-08 Author: The Register
The social distancing measures brought about by the COVID-19 pandemic will weaken election security in the US, according to a non-profit’s security check. A report from New York University’s Brennan Center for Justice warns that as election workers and local officials are forced to do their jobs remotely, the risk of attack skyrockets.

We have Huawei to make the internet more secure: Dump TCP/IP to make folks safer says Chinese mobe slinger
Date: 2020-06-04 Author: The Register
Chinese telecom companies and the Middle Kingdom government contend that the TCP/IP protocol stack is ill-suited for future networking needs and have proposed reworking the internet’s technical architecture with new, more secure internet protocols. Huawei, China Mobile, China Unicom, and China Ministry of Industry and Information Technology are backing a plan titled “New IP, Shaping Future Network.” The specifics have not been made public but Huawei – currently subject to US trade sanctions for allegedly engaging in activities contrary to national security interests – has described the goals of the initiative as an attempt to improve the flexibility, privacy, and security of the internet.

ASB-2020.0107 – Windows: Multiple vulnerabilities
Microsoft Patch Tuesday updates (login required).

ESB-2020.1990 – 2020.1 IPU BIOS Advisory
Intel advisory of new firmware vulnerabilities.

ESB-2020.1991 – 2020.1 IPU Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
Intel advisory of new management subsystem vulnerabilities.

ESB-2020.2008.2 – linux security update
Many Linux distros released kernel and microcode patches for the Special Register Buffer Data Sampling (SRBDS) attack [CVE-2020-0543] alongside other fixes.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 5th June 2020

5 Jun 2020

Greetings,

This week, we are pleased to announce that the program details of our Virtual AUSCERT2020 conference have been launched. Details on this can be found here. Members, don’t forget to use your member tokens by Monday 3 August for free access to our conference registration. Please note that registrations for our tutorial sessions will open shortly and AUSCERT members will have priority access. Questions? We’ve addressed a few of these on our conference site here. Members who are on Slack are most welcome to send us your queries on that platform. Didn’t quite find what you were after? Drop us a line. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September.

In other news, don’t forget to come along to our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

And last but not least, we shared the June update of the Australian Government Information Security Manual, which helps organisations manage their cyber security risks, on our Twitter channel, but here it is for reference.

Until next time, we hope everyone enjoys a safe and restful weekend.

VMware Cloud Director flaw lets hackers take over virtual datacenters
Date: 2020-06-02 Author: Bleeping Computer
[Refer to AUSCERT Bulletin ESB-2020.1769]
Organizations offering trial accounts for versions of VMware Cloud Director lower than 10.1.0 risk exposing private clouds on their virtualized infrastructure to complete takeover attacks from a threat actor. A code injection vulnerability exists in VMware Cloud Director (vCloud Director) 10.0.0.2, 9.7.0.5, 9.5.0.6, and 9.1.0.4 that may lead to remote code execution, VMware says in its security advisory. Cloud Director software allows cloud-service providers around the world to deploy, automate, and manage virtual infrastructure resources in a cloud environment.

Office 365 to give detailed info on malicious email attachments
Date: 2020-05-31 Author: Bleeping Computer
Microsoft will provide Office 365 Advanced Threat Protection (ATP) users with more details on malware samples and malicious URLs discovered following detonation. “We’re working to reveal more of the details that led to a malicious verdict when URLs or files are detonated in Office 365 ATP,” the new feature’s Microsoft 365 roadmap entry reads. “In addition to the detonation chain (the series of detonations that were necessary to reach a verdict for this entity), we’ll also share a detonation summary, with details such as detonation time range, verdict of the file or URL, related entities (other entities called or used during the detonation), screenshots, and more.”

Apple pushes fix across ALL devices for “unc0ver” jailbreak flaw
Date: 2020-06-02 Author: Bleeping Computer
These past few days have been quite busy for Apple on the security front. As reported by BleepingComputer, the company recently patched a critical flaw in its “Sign in with Apple” service. What follows now is a mega update across all its major operating systems and devices. Last year we provided details on the Sock Puppet jailbreak exploit that targeted the use-after-free kernel vulnerability, CVE-2019-8605. Yesterday, Apple pushed an update across all its OSes to fix the “unc0ver” jailbreak flaw, tracked as CVE-2020-9859 (note: a MITRE/NVD entry has not yet been published for this CVE). Rooting, colloquially known as ‘jailbreaking,’ refers to the concept of obtaining root access to a device that lets oneself install third-party apps and tweaks which would otherwise be restricted by the official app store and manufacturer policies. Loopholes like unc0ver allow someone to “break out of this jail”, hence the moniker. Because the flaw impacted all previous versions of iOS, including 13.5, users are encouraged to update to iOS 13.5.1 and iPadOS 13.5.1 immediately. Of course, that also means the jailbreak functionality that lets users install custom tweaks and apps would be gone.

MyBudget hackers threaten on dark web to release data stolen during cyberattack
Date: 2020-06-03 Author: ABC News
Cybercriminals are threatening to publish data they claim to have stolen from financial management group MyBudget online, an internet security expert has warned. The Adelaide-based company was hit with a ransomware attack early last month that left 13,000 customers in financial limbo for two weeks. Thousands of customers took to social media to vent their frustration at the outage and also their concerns about the security of their data.

Google Faces $5B Lawsuit for Tracking Users in Incognito Mode
Date: 2020-06-03 Author: Dark Reading
A proposed class-action lawsuit accuses Google of collecting browser data from people who used “private” mode. A proposed class-action lawsuit filed earlier this week accuses Google of violating users’ privacy by collecting their data while they searched the Web in “incognito mode,” or private browsing. The lawsuit seeks at least $5 billion, Reuters reports. A complaint filed in federal court alleges Google collects data via Google Analytics and Google Ad Manager, along with other applications and plug-ins, to learn more about where people browse and what they view on the Web. This data collection occurs whether or not someone clicks a Google-supported ad, the report notes.

ESB-2020.1935 – Cisco IOS Software for Cisco Industrial Routers: Multiple vulnerabilities
Multiple advisories were released by Cisco. The most significant of these was marked as critical and affected multiple Cisco routers. If exploited, this vulnerability could result in a complete system compromise.

ESB-2020.1909 – iOS & iPadOS: Execute arbitrary code/commands – Unknown/unspecified
Apple has released iOS and iPadOS version 13.5.1. Installing this update patches the vulnerability exploited by the “unc0ver” jailbreak and also patches a potential RCE vulnerability.

Stay safe, stay patched and have a good weekend!
Sean
