AUSCERT Week in Review for 29th May 2020 Greetings, This week, we participated in the launch of National Reconciliation Week 2020 virtually by sharing an Acknowledgement of Country on our various social media platforms. To find out more about this initiative and to get involved for the remainder of the week, please visit the following page shared by the folks at Reconciliation Australia. In other news, we announced an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June, for further details and to register, please click here. We hope you can join us. Last but not least, we’re pleased to announce that the program details of our Virtual AUSCERT2020 conference will be launched next week. Most of you will recall that the 2nd to 5th of June were the original dates for our annual conference. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September! Until next time, we hope everyone enjoys a safe and restful weekend. eBay port scans visitors’ computers for remote access programs Date: 2020-05-24 Author: Bleeping Computer When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications. Over the weekend, Jack Rhysider of DarkNetDiaries discovered that when visiting eBay.com, the site performed a port scan of his computer for 14 different ports. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more. Bots hit up Australian Red Cross 900 times for bushfire donations Date: 2020-05-26 Author: iTnews The Australian Red Cross is being targeted by bots that have so far made almost 900 fraudulent applications for financial assistance from a $216 million bushfire relief fund. Australian programs director Noel Clement told the Royal Commission into National Natural Disaster Arrangements on Tuesday that his organisation had seen “very significant cyber activity from the outset”. The Australian Red Cross raised a total of $216 million in donations for the victims of devastating bushfires over the summer of 2019-20, of which $83 million has so far been distributed. GitLab Hacks Own Remote-Working Staff In Phishing Test Date: 2020-05-25 Author: Silicon UK Company finds 20 percent of its all-remote staff responds to phishing message by exposing user credentials, raising fears about the work-from-home future Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials. The study comes at a time when more employees are working from home during coronavirus shutdowns around the world. Shadowserver, an Internet Guardian, Finds a Lifeline Date: 2020-05-27 Author: WIRED The internet security group Shadowserver has a vital behind-the-scenes role; it identifies online attacks and wrests control of the infrastructure behind them. In March, it learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. On Wednesday, the IT security company Trend Micro will commit $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. The nonprofit Internet Society is also announcing a one-time donation of $400,000 to the organization. Combined with other funding that’s come in, these large contributions make it possible for the the group to continue in a more sustainable way without becoming dependent on a single funder again. It also keeps the internet at large that much safer. Apple responds to false Facebook claims about contact tracing update in iOS 13.5 Date: 2020-05-27 Author: iMore Hysterical myths regarding Apple’s exposure notification have started appearing on Facebook. Some users have taken to sharing screenshots of iOS 13.5, warning friends that it will automatically allow authorities to track their locations and who they meet. The posts have been fact-checked by Facebook, and Apple has released a response to Reuters. ESB-2020.1884 – [ALERT] Cisco CML and VIRL-PE: Multiple vulnerabilities A patch for RCE and authentication bypass vulnerabilities has been released and marked as critical by Cisco. This includes a ‘perfect’ 10.0 CVSSv3 score, which is the maximum possible. ESB-2020.1859 – macOS Catalina, Mojave & High Sierra: Multiple vulnerabilities Apple update fixes 45 macOS vulnerabilities, including a root compromise from the PackageKit component. ESB-2020.1855 – iOS and iPadOS: Multiple vulnerabilities A similar number of vulnerabilities were patched in iOS and ipadOS, with similar impacts. Reports online indicate that even the latest version is susceptible to a jailbreak by Unc0ver. Stay safe, stay patched and have a good weekend! Sean

AUSCERT Week in Review for 22nd May 2020 Greetings, This week, we shared a couple of important and useful advisories with members. Namely, the joint statement from DFAT and the ACSC regarding Unacceptable malicious cyber activity by cyber actors who are seeking to exploit the pandemic for their own gain as well as the Toolkit for Universities by eSafety and Universities Australia. This toolkit contains some useful resources that assists universities and their communities have tools to help keep safe online. We are pleased to announce an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June – save the date and invitations will be sent out shortly. We hope you can join us. Last but not least, we shared news of our revised Virtual AUSCERT2020 sponsorship prospectus with various stakeholders last week. Feel free to reach out to us via conference@auscert.org.au for more information on our various options to get involved as a conference sponsor! Until next time, we hope everyone enjoys a lovely and restful weekend. Norway’s Wealth Fund Loses $10m in Data Breach Date: 2020-05-16 Author: Infosecurity Magazine Norway’s state-owned investment fund Norfund has halted all payments after losing $10m in an “advanced data breach.” On May 13, Norfund announced that it was “cooperating closely with the police and other relevant authorities” after “a series of events” allowed fraudsters to make off with $10m. The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets. My Health Record system hit by hack attempt Date: 2020-05-19 Author: iTnews The My Health Record system was the subject of an attempted hack over the past 11 months, the Australian Digital Health Agency has revealed. National health chief information officer Ronan O’Connor told a parliamentary inquiry into cyber resilience the cyber incident was one of two “potential data breaches” to occur since July 2019. Nefilim ransomware gang leaks Toll documents on dark web Date: 2020-05-20 Author: iTWire The attackers behind an ongoing ransomware attack on Australian logistics and transport provider Toll Holdings has released some documents which it claims to have exfiltrated from the company when it staged the attack. News of the attack, the second this year, was announced by Toll on 5 May, with the company saying at the time that it had shut down some of its systems as a precaution. The documents released on Wednesday on the dark web include statements about company financials in plain text and a zipped file. This indicates that the ransom demand by the group has not been met by Toll. The attackers claim to have more than 200GB of company data. ESB-2020.1785 – Wireshark: Denial of service The Wireshark maintainers will be diligently patching minor crashes on crafted network traffic until after the sun burns out. I applaud their dedication to making the most resilient security tool possible. ESB-2020.1781 – IBM Security Access Manager – Unauthorised access A user-manipulable claim wasn’t validated properly, so users could forge additional access. ESB-2020.1762 – Dovecot: Multiple vulnerabilities Possible RCE and confirmed DoS in the popular Dovecot email server. ESB-2020.1754 – OpenConnect: Denial of service It’s a good time of year to be patching VPN clients, with the increased work from home arrangements. Stay safe, stay patched and have a good weekend! David & Vishaka

AUSCERT Week in Review for 15th May 2020 Greetings, This week, we announced to our members that we have doubled their member token registration eligibility for Virtual AUSCERT2020 as a gesture of appreciation for their support. Be sure to check your inbox(es) for further details. We can’t wait to see you in September. Also for our members – we have generated a new PGP/GPG Key to use for signing, and receiving encrypted data. This key will come into effect as of today (Friday 15th May 2020) and further details can be found on our website here. Last but not least, we shared this news on our social channels this week “FIRST aims to update the Traffic Light Protocol standard to increase global adoption” but if you would like get involved directly, please refer to the following press release: https://www.first.org/newsroom/releases/20200513 Until next time, we hope everyone enjoys a safe and restful weekend. Microsoft Addresses 111 Bugs for May Patch Tuesday Date: 2020-05-12 Author: Threatpost Microsoft has released fixes for 111 security vulnerabilities in its May Patch Tuesday update, including 16 critical bugs and 96 that are rated important. Unlike other recent monthly updates from the computing giant this year, none of the flaws are publicly known or under active attack at the time of release. US govt shares list of most exploited vulnerabilities since 2016 Date: 2020-05-12 Author: Bleeping Computer US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments. Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking Date: 2020-05-10 Author: WIRED Security paranoiacs have warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: The Intel Thunderbolt port found in millions of PCs. Cisco, others, shine a light on VPN split-tunnelling Date: 2020-05-13 Author: ARN As the work-from-home trend grows due to the Covid-19 pandemic, the need for secure access to enterprise resources continues to grow and with it the demand for ever-more VPN. For example demand for commercial virtual private networks in the US jumped by 41 per cent between March 13 and March 23, according to research from Top10VPN.com, a VPN research and testing company in the UK. The VPN market will hit $70 billion by 2026, according to market research and management consulting company Global Market Insights. In an April blog AT&T pointed to a 700 per cent increase in connections to its cloud-based SD-WAN Static Network Based (ANIRA) VPN service. ASB-2020.0095 – Windows: Multiple vulnerabilities   ASB-2020.0101 – Microsoft Office, Microsoft Office Services and Web Apps: Multiple vulnerabilities   ESB-2020.1698 – McAfee ePolicy Orchestrator: Multiple vulnerabilities   ESB-2020.1705 – GlobalProtect App: Access confidential data – Existing account   Stay safe, stay patched and have a good weekend! AUSCERT Team

AUSCERT Week in Review for 8th May 2020 Greetings, This week, we launched our long-awaited AUSCERT – Members Slack. An email was sent out to members earlier this week, Tuesday 5 May to be specific; detailing the necessary steps to join us and other AUSCERT members in conversation. Be sure to check your inbox(es) for further details. Many of our members informed us through the 2019 Annual Survey that they would like to stay connected through a quicker, more effective (but secure) communication platform and we’ve delivered! Also for our members – keep an eye out for an email from our conference team early next week. This communication will provide you with some updates on member token details for Virtual AUSCERT2020. We can’t wait to see you in September. Last but not least, this week has seen us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign initiative to promote the importance of privacy and keeping your personal information safe. We’ve shared a number of posts on our social media channels using the following hashtags #PAW2020 #RebootYourPrivacy so please do check them out. In summary, Privacy Awareness Week 2020 is an important reminder to reboot your privacy: > Check and update your privacy controls > Consider the alternative when giving or asking for personal information > Delete any data from old devices and securely destroy or de-identify personal information if it’s no longer needed for a legal purpose. Again, well done Australia for staying home. We hope that everyone has some lovely plans lined up with the ease of Covid-19 restrictions in most parts of the country – just in time for Mother’s Day on Sunday. Until next week. New Kaiji Botnet Targets IoT, Linux Devices Date: 2020-05-05 Author: Threatpost The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go Language. A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today. Samsung patches 0-click vulnerability impacting all smartphones sold since 2014 Date: 2020-05-06 Author: ZDNet South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014. Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device. Toll Group suffers second ransomware attack this year Date: 2020-05-05 Author: iTnews Toll Group has revealed it is suffering its second ransomware attack this year, attributing the current infection to a type of malware known as Nefilim. The admission comes less than a day after iTnews reported exclusively that the logistics giant had shut down its IT systems after detecting “unusual activity” on an undisclosed number of servers. New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers Date: 2020-05-04 Author: The Hacker News Cybersecurity researcher Mordechai Guri from Israel’s Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices. Dubbed ‘POWER-SUPPLaY,’ the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers. GoDaddy notifies users of breached hosting accounts Date: 2020-05-04 Author: Bleeping Computer GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH. The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting. Maze Ransomware Operators Step Up Their Game Date: 2020-05-06 Author: Dark Reading Investigations show Maze ransomware operators leave “nothing to chance” when putting pressure on victims to pay. Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves. ESB-2020.1614 – Cisco Firepower: Multiple vulnerabilities Multiple high severity vulnerabilities which could result in information disclosure, root compromise, denial of service or unauthorized access to Cisco Firepower appliances. ESB-2020.1624 – Google Chrome: Multiple vulnerabilities Two Remote code execution and denial of service vulnerabilities. ESB-2020.1607.2 – Salt: Multiple vulnerabilities Execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts. Stay safe, stay patched and have a good weekend! Patch

AUSCERT Week in Review for 1st May 2020 Greetings, Well done Australia for staying home! We hope that everyone has some nice and creative plans lined up with the ease of Covid-19 restrictions in certain parts of our country. This week, the most talked-about topic around town is the launch of the COVIDSafe app. As an organisation, we have been sharing a number of resources, posts and articles on this topic via our Twitter channel so members and readers can make their own judgement calls around whether or not to download this app. For many, if not all of us, this week marks the 6th week of working from home due to the pandemic. Whilst we’re all used to the various different remote working platforms by now, it’s worth re-visiting some best practices as a reminder to ensure that everyone is keeping security front of mind. It is important to have a proper read through the safety policies of your web conferencing and sharing platform(s) of choice to make sure that you’ve maintained your privacy settings accordingly. Last but not least, next week (4-10 May) will see us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign initiative to promote the importance of privacy and keeping your personal information safe. Look out for our posts on social media with the following hashtags: #PAW2020 #RebootYourPrivacy Until next time. Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk Date: 2020-04-28 Author: Microsoft Blog At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations. In this blog, we share our in-depth analysis of these ransomware campaigns. The coronavirus tracing app has been released. Here’s what it looks like and what it wants to do Date: 2020-04-27 Author: ABC News The Government’s coronavirus tracing app has been released, and its uptake will play a large part in helping ease restrictions. It has been called COVIDSafe and will allow authorities to quickly notify people if they have been in contact with someone who has been infected with coronavirus. Federal Police investigate hoax involving users of COVIDSafe coronavirus app Date: 2020-05-28 Author: ABC News The Australian Federal Police are investigating allegations of a hoax targeting the Government’s new coronavirus app. The allegations concern images of an apparently fraudulent message, shared on social media, that told the recipient the COVIDSafe app had alerted the Government they are more than 20km from their home, and were required to phone the Government. Consumers benefit as video call vendors scramble to revamp security in a COVID-19 world Date: 2020-04-28 Author: ZDNet As many of us grapple with the transition to working from home due to the coronavirus outbreak, video conferencing platforms suddenly experiencing a surge in user numbers are, on the whole, meeting the security challenges associated with uptake. Houseparty, Discord, and Doxy.me, however, fail to meet basic security standards, new research suggests. When in Doubt: Hang Up, Look Up, & Call Back Date: 2020-05-20 Author: Krebs on Security Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse. ESB-2020.1457 – VMware ESXi patches address Stored Cross-Site Scripting VM user can inject script to browser of ESXi host client. ESB-2020.1516 – Security Updates Available for Magento Important updates for Magento users. ASB-2020.0092 – Google Chrome for Desktop version 81.0.4044.129 released Google releases latest Chrome version. Stay safe, stay patched and have a good long weekend! Regards, AUSCERT Team

AUSCERT Week in Review for 24th April 2020 Greetings, Hoping everyone’s had a good week, and that the parents amongst us are managing the juggle of work-life balance, with the Term 2 remote learning of school-aged children commencing this week. This week, we announced that our annual conference will be taking on a different spin! Given the current ever-evolving situation with COVID-19 and the advice from our Chief Information Officer, it is with a mixture of nervous energy and excitement that we announce the fact that AUSCERT2020 will now go virtual in September. The dates will remain as previously discussed: 15 – 18 September. While we understand that a virtual event isn’t quite the same as an in-person one, we are still committed as ever to featuring world-class tutorials and presentations from leading experts in the cyber and information security industry. Speaker details can be found here. In other news this week, we shared the fact that our friends from ENISA (the EU Agency for Cybersecurity) have just published some new training materials on the topic of “Orchestration of CSIRT Tools”. It includes practical usages of MISP, The Hive Project and IntelMQ; these are very SOAR-relevant, and definitely worth a read. Please refer to their website. Have a great weekend, and thank you for staying home. Until next time. Microsoft releases OOB security updates for Microsoft Office Date: 2020-04-21 Author: Bleeping Computer [This has been published as AUSCERT bulletin ASB-2020.0090] Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications. Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolves remote code execution and denial of service vulnerabilities caused by specially crafted FBX files. An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations. Critical bug in Google Chrome – get your update now Date: 2020-04-17 Author: Sophos [This has been published as AUSCERT bulletin ASB-2020.0088] The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix. … [Sophos] recommends going through the update process as as soon as you can. Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later. Hackers have breached 60 ad servers to load their own malicious ads Date: 2020-04-22 Author: ZDNet A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites. This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019. Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads. Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files – usually disguised as Adobe Flash Player updates. Who’s Behind the “Reopen” Domain Surge? Date: 2020-04-20 Author: Krebs on Security The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created […] urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains. [A neat demo of threat hunting in DomainTools, albeit without the usual phishing/malware bent we focus on at AUSCERT.] ASB-2020.0088- Google Chrome: Execute arbitrary code/commands – Remote with user interaction Google has issued an update addressing a critical CVE for Chrome Stable Channel for Desktop. ASB-2020.0090 – Microsoft products utilising the Autodesk FBX library: Multiple vulnerabilities Microsoft out-of-band security update fixing remote code execution vulnerabilities in Autodesk FBX library. Stay safe, stay patched and have a good weekend! Mal

AUSCERT Week in Review for 17th April 2020 Greetings, Hoping everyone’s come off the sugar rush that was the Easter long weekend! This week, we announced that our member newsletter; circulated every other month – will now be called The Feed. We think this better reflects our mission, readers and the content we share. The April 2020 edition was sent in the mail yesterday (Thursday 16.04) so be sure to check your inbox to stay up-to-date with the on goings at AUSCERT. In other news this week, we’ve published a snapshot of our services stats for Quarter 1 2020. To find this information, please visit the Blogs & Publications section of our website. This report provides an overview of the cyber security incidents reported by members, from 1 January – 31 March 2020. Last but not least, a final reminder that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. Affected members have been emailed directly. Feel free to reach out to us should you require further assistance or clarification regarding this change. Stay well (and thank you for staying home), until next time. Microsoft April 2020 Patch Tuesday comes with fixes for three zero-days Date: 2020-04-14 Author: ZDNet [Please refer to the following AUSCERT Security Bulletins for more information: ASB-2020.0077 to 86] Microsoft has published today its monthly roll-up of security updates known as Patch Tuesday. This month’s updates are a bulky release. The OS maker has made available patches today for 113 vulnerabilities across 11 products, including three zero-day bugs that were being actively exploited in the wild. As always, details remain scant for the time being. Details about zero-day attacks are usually kept under wraps for days or weeks, to give users time to patch and prevent attackers from developing proof-of-concept code. When corporate communications smell phishy: Why customers don’t trust your emails Date: 2020-04-08 Author: The Daily Swig We are constantly urged to stay vigilant to spam and malicious emails. Threat actors’ increasingly sophisticated tactics and mimicry of organizations poses a serious problem for businesses attempting to engage with their customers without appearing to be scammers. However, some of the tactics employed by phishers are also used by genuine companies to promote consumer engagement or simply within the workplace between teams, which can lead to confusion and legitimate emails being reported as fraudulent. Coronavirus tracing tech policy ‘more significant’ than the war on encryption Date: 2020-04-15 Author: ZDNet COVID-19 apps that track individuals’ movements and report them to a government server? What could possibly go wrong? Digital rights activists are starting to push back. Tech-savvy individuals and firms have been eager to apply their skills to the coronavirus pandemic, as they should be. Some of them are working with governments who have flexed their “special powers” and public health muscles, as governments should do. Much of this tech effort, from all sides, has been put into contact tracing, which aims to find out who might have been exposed to the virus from an infectious person. ASB-2020.0082 – Microsoft Patch Tuesday update for Windows for April 2020 Microsoft’s Patch Tuesday included updates to resolve 66 vulnerabilities from Windows products. ASB-2020.0076 – Oracle CPU April 2020 for Java SE Oracle Java SE had a critical patch update with 15 new security patches made available. Stay safe, stay patched and have a good weekend! Mal.

AUSCERT Week in Review for 9th April 2020 Greetings, How glad are we that it’s a short week? Our member incident hotline continues to operate 24/7 over the long weekend (this one in particular will be fuelled by chocolate!). Details can be found on our website by logging in to our member portal. Also, a reminder that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. To find out if any of your email addresses are going to be affected, please see below: a) If you currently receive our AUSCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected. b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address though the member portal in the Bulletins subscription section, when logged in as a privileged user. Be sure to check your email filters if you fall into category b). Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification. Last but not least, it’s been brought to our attention that 80% of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability. Please apply this patch if you haven’t done so already. Our related bulletin info can be found here. We hope everyone stays safe and are being creative with their long weekend plans. 80% of all exposed Exchange servers still unpatched for critical flaw Date: 2020-04-06 Author: Bleeping Computer Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions. This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials. “There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” Rapid7 Labs senior manager Tom Sellers further explained. Beyond Zoom: How Safe Are Slack and Other Collaboration Apps? Date: 2020-04-06 Author: Threatpost COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all — but without proper security they can be a big risk. As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention. Australia on the cyber offence to bring down COVID-19 scammers Date: 2020-04-06 Author: ZDNet Australia has launched a cyber offence against offshore criminals, targeting those responsible for scams related to the COVID-19 outbreak. Minister for Defence Linda Reynolds said in a statement that the Australian Signals Directorate (ASD) had mobilised its offensive cyber capabilities to disrupt the foreign cyber criminals behind the spate of malicious activities that have come out of the global pandemic. “Cyber criminals that are using the cover of cyberspace and international borders to target Australians are not beyond our reach,” Reynolds said. Atlassian issues advice on how to keep your IT service desk secure… after hundreds of portals found facing the internet amid virus lockdown Date: 2020-04-07 Author: The Register As companies move their staff to remote working amid the COVID-19 coronavirus pandemic, some IT teams have made internal platforms, such as tech support desks, face the public internet. The hope, presumably, is that this ensures employees can easily reach these services from their homes, allowing them to raise support tickets and the like. However, organizations are leaving themselves open to mischief or worse by miscreants, we’re told, because the portals are not fully secured. Strangers on the internet can create new accounts, impersonate staff, submit requests for bogus work, potentially access sensitive information, such as payroll details and documentation, and so on. NASA under ‘significantly increasing’ hacking, phishing attacks Date: 2020-04-07 Author: Bleeping Computer NASA has seen “significantly increasing” malicious activity from both nation-state hackers and cybercriminals targeting the US space agency’s systems and personnel working from home during the COVID-19 pandemic. Mitigation tools and measures set in place by NASA’s Security Operations Center (SOC) successfully blocked a wave of cyberattacks, the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks. ESB-2020.1208 – ALERT Firefox & ESR: Multiple vulnerabilities Security vulnerabilities that are being exploited by targeted attacks have been fixed in Firefox 74.0.1 and Firefox ESR 68.6.1. ESB-2020.1218 – telnet: Multiple vulnerabilities Telnet is affected by a RCE & DOS vulnerability across multiple Red Hat versions; it is possible this also affects other OSes. Red Hat have addressed this via updates. Stay safe, stay patched and have a good weekend! Sean

AUSCERT Week in Review for 3rd April 2020 Greetings, We’ve (safely) made it through another week. For many, if not all of us, mastering remote work is all about finding the right tools to stay productive and connected. As we try to stay connected with colleagues remotely, we think it is also important to remind everyone to keep security front of mind. We took the opportunity this week to remind folks that it is important to have a proper read through the safety policies of your web conferencing and sharing platform(s) of choice – make sure you’ve set yours up appropriately! In other news this week, we reached out to a number of AUSCERT2019 delegates that were potentially affected by the recent Marriott International data breach incident. In short, if you were personally affected by this breach, you would have received an email from Marriott International by now. For those wanting to find out more, Marriott International has set up a dedicated website here where guests can find more information about this incident. Lastly, a reminder that we are here for you; it is business as usual for our team, and our member incident hotline continues to operate 24/7 in these extraordinary times. Details can be found on our website by logging in to our member portal. Zoom Client Leaks Windows Login Credentials to Attackers Date: 2020-03-31 Author: BleepingComputer The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link. Morrison: No anonymous tracking of people to enforce COVID-19 rules Date: 2020-03-30 Author: iTWire Australian Prime Minister Scott Morrison says the government would not be looking to use location data to track people anonymously in order to find out if they are following the rules which have been put in place to keep the coronavirus pandemic in check within the country. New email phishing scam exploits Coronavirus fears Date: 2020-03-31 Author: iTWire A new type of email phishing scam has been discovered which warns people that they’ve come into contact with a friend/colleague/family member who has been infected with the coronavirus, according to one global security firm. According to security awareness training and simulated phishing platform provider KnowBe4, the email instructs people to download a malicious attachment and proceed immediately to the hospital, with the particular “social engineering scheme” appearing to come from a legitimate hospital, “which is why it’s so alarming and could trick even a cautious end user”. If you’re working from home, you’ve probably used Zoom. The FBI says you should be careful Date: 2020-04-02 Author: ABCNews Zoom has had a surge in popularity during the coronavirus pandemic, but some businesses are backing away from the videoconferencing app over concerns about security flaws. It topped charts worldwide in February and March, according to TechCrunch, after swathes of companies moved their core functions online with workers sent home. But Elon Musk’s rocket company SpaceX and NASA have both banned employees from using Zoom, with SpaceX citing “significant privacy and security concerns”. SpaceX’s ban came just days after a warning from the FBI urging users not to make meetings public or share links widely. Meet ‘Sara’, ‘Sharon’ and ‘Mel’: why people spreading coronavirus anxiety on Twitter might actually be bots Date: 2020-04-01 Author: The Conversation Recently Facebook, Reddit, Google, LinkedIn, Microsoft, Twitter and YouTube committed to removing coronavirus-related misinformation from their platforms. COVID-19 is being described as the first major pandemic of the social media age. In troubling times, social media helps distribute vital knowledge to the masses. Unfortunately, this comes with myriad misinformation, much of which is spread through social media bots. ESB-2020.1189 – haproxy: Multiple vulnerabilities Code execution and DOS vulnerability patched in multiple versions of HAProxy. ESB-2020.1095 – PAN-OS log daemon (logd): Multiple vulnerabilities Patch for arbitrary code execution and privilege escalation vulnerability in PAN-OS 8.1. ESB-2020.1096 – PAN-OS CLI: Multiple vulnerabilities Patch for a shell injection vulnerability in PAN-OS CLI that allows execution of shell commands. Stay safe, stay patched and have a good weekend! Sean

AUSCERT Week in Review for 27th March 2020 Greetings, Hoping this lands in your inbox while you’re reading it in the comfort of your home office. A reminder that we are here for you; it is business as usual for our team, and our member incident hotline continues to operate 24/7 in these extraordinary times. Details can be found on our website by logging in to our member portal. In other news this week, we wanted to let you know that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. To find out if any of your email addresses are going to be affected, please see below: a) If you currently receive our AUSCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected. b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address though the member portal in the Bulletins subscription section, when logged in as a privileged user. Be sure to check your email filters if you fall into category b). Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification. Windows code-execution zero-day is under active exploit, Microsoft warns Date: 2020-03-24 Author: Ars Technica Attackers are actively exploiting a Windows zero-day vulnerability that can execute malicious code on fully updated systems, Microsoft warned on Monday. The font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a booby-trapped document or viewing it in the Windows preview pane. [AUSCERT published this alert the same day in ASB-2020.0066.] Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps Date: 2020-03-23 Author: Bleeping Computer A new cyber attack is hijacking router’s DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware. For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO). After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers. Cybercrime and Social Engineering Threats – COVID-19 Date: 2020-03-25 Author: Brian Hay Criminals thrive during tough fiscal times because they’re adept and skilled at exploiting people’s emotions who desire a better life, wish for better times, or are seeking a solution to the troubles they’re currently facing. They know how to take advantage of the confusion, the breakdown of “normal” procedures, the proliferation of “misinformation” and they also understand the hunger for people to know more about what is going on – so more people are likely to click on a link to find out the latest “news”. Appealing to people’s sense of curiosity is a powerful weapon and it is a difficult behavioural pattern for many of us to control. Three More Ransomware Families Create Sites to Leak Stolen Data Date: 2020-03-24 Author: ZDNet Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches. Ever since Maze created their “news” site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow. Minister backflips on myGov DDoS attack claim Date: 2020-03-23 Author: iT News Government services minister Stuart Robert has quickly walked back his claim that the online services portal myGov suffered a “significant distributed-denial-of-service attack”. ASB-2020.0066.2 – Windows: RCE – Remote with user interaction A critical vulnerability in Windows’ font handling was announced out of the usual cycle. At time of writing, no fix is available, and versions of Windows below 10 are strongly recommended to configure the provided mitigations. ESB-2020.1042 – macOS: Multiple vulnerabilities Apple released multiple security updates this week, including some spicy-looking vulnerabilities in macOS. ESB-2020.1057 – Adobe Creative Cloud Desktop for Windows: Arbitrary file deletion – Remote with user interaction Adobe called this critical; users opening a crafted file could find other files deleted. Stay safe, stay patched and have a good weekend! David

AUSCERT Week in Review for 20th March 2020 Greetings, Given the current ever-evolving situation with COVID-19 and the advice from our State and Federal Governments; in support of the health and wellbeing of our stakeholders we wanted to let you know that the AUSCERT2020 Conference has now been postponed. The Conference will now take place on 15th – 18th September 2020. A reminder that our member incident hotline continues to operate 24/7 and details can be found on our website by logging in to our member portal. In other news this week, our Principal Analyst wrote a blog on the various COVID-19 cyber threats we’re seeing out there. It’s unfortunate that this happens at a time when the community is already vulnerable! Read more about it here and be sure to check out his recommendations. Last but not least, we are pleased to share with you a copy of our 2019 Year in Review publication which provides members (and the general public) with a summary of our state-of-the-union, statistics from our range of services, achievements and milestones as well as details of our goals for 2020 and beyond. COVID-19 Cyber Threats: Observations, OSINT and Safety Recommendations Date: 2020-03-18 Author: AUSCERT AUSCERT have been made aware from either direct reports or via OSINT research that related threats have been seen relating to emails, mobile apps, web-applications; and social engineering scams. The purpose of this blog post is to: – Remind readers that it is common for threat actors to use the most compelling or big news topics of the times to be used in malspam attacks to incite their targets to open a crafted attachment linked to a website. – Inform readers of the various vectors or attack angles that threat actors have deployed using COVID-19 as their theme so they (organisations) can make informed decisions and take appropriate actions. A Critical Internet Safeguard Is Running Out of Time Date: 2020-03-16 Author: WIRED Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it’s an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks. There’s a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group’s headquarters, armed with a cease and desist order. “Shut this off,” Peck tells the utility worker accompanying him. “Shut this all off.” They cut power to the Ghostbusters’ protection grid, and all the ghosts are released. Think of Shadowserver as the internet’s protection grid. For more than 15 years, Shadowserver has been funded by Cisco as an independent organization. But thanks to budget restructuring, the group now has to go out on its own. Rather than seek a new benefactor, founder Richard Perlotto says the goal is for Shadowserver to become a fully community-funded alliance that doesn’t rely on any one contributor to survive. The group needs to raise $400,000 in the next few weeks to survive the transition, and then it will still need $1.7 million more to make it through 2020—an already Herculean fundraising effort coinciding with a global pandemic. They’ve set up a page for both large corporate donations and smaller individual contributions. Exploring Various Ways in Which Hackers Are Milking the COVID-19 Scare Date: 2020-03-13 Author: Cyware Hackers have a history of sabotaging and manipulating public emergencies for their own gains. Imagine how tempting an epidemic like Coronavirus disease (COVID-19) would be for the crooks. Recently, hackers have run several attack campaigns across various countries, taking advantage of the spread of the disease. Microsoft releases patches for leaked, wormable ‘SMBGhost’ flaw Date: 2020-03-13 Author: IT News Microsoft has rushed out security updates for a remotely exploitable vulnerability in the Windows System Message Block version 3 file sharing protocol that researchers said could be abused to create self-spreading “worms” like the 2017 WannaCry malware. Adobe Fixes Nine Critical Vulnerabilities in Reader, Acrobat Date: 2020-03-17 Author: Bleeping Computer Adobe has released security updates for Adobe Acrobat and Adobe Reader that fix numerous vulnerabilities ranging from information disclosure to arbitrary code execution. Adobe usually releases security updates in conjunction with Microsoft’s Patch Tuesday security updates, but this month nothing was released at that time. ESB-2020.0975 – Security Bulletin for Adobe Acrobat and Reader | APSB20-13 Security updates for Adobe Acrobat and Adobe Reader for vulnerabilities ranging from information disclosure to arbitrary code execution. ESB-2020.0942.2 – VMware Security Advisories – VMSA 2020-0005 VMware security updates to address privilege escalation and denial-of-service (DoS) in the VMware Workstation, Fusion, VMware Remote Console and Horizon Client. Stay safe, stay patched and have a good weekend! Mal

AUSCERT Week in Review for 13th March 2020 Greetings, We understand that this is a worrying time for many in our community and wanted to broach the subject of how COVID-19 (Coronavirus) impacts AUSCERT. Our team will continue to support our members through our range of services. A reminder that our member incident hotline continues to operate 24/7 and details can be found on our website by logging in to our member portal.  Because we are a part of The University of Queensland, we are aligning ourselves with the University by responding to the situation as it evolves and are also planning for contingencies to continue delivering our services. In other news this week, AUSCERT took part as the leading team in the annual Asia Pacific Computer Emergency Response Team (APCERT) drill. This drill tests the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. To find out more about this annual endeavour, please visit our site here. Last but not least, we are pleased to announce that our conference website is now updated with a list of speakers and program details will be announced soon. Microsoft emits SMBv3 worm-cure crisis patch Date: 2020-03-12 Author: The Register Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw designated CVE-2020-0796. The bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an un-patched system simply by sending the targeted system specially crafted compressed data packets. Systems running 32 and 64-bit Windows 10 v1903, Windows 10 v1909, Windows Server v1903 (Server Core), and Windows Server v1909 (Server Core) – and just those versions – need to get patched right now. Coronavirus map used to spread malware Date: 2020-03-09 Author: Graham Cluley Be careful about which websites you trust. A malicious site appears to have copied the look-and-feel of a legitimate Coronavirus map from Johns Hopkins University. Security researchers at Malwarebytes say that they have found malicious code hiding behind the fake website that claimed to show an up-to-date global heatmap of Coronavirus reports. The malicious code skims for passwords and payment card details, as a variant of the AzorUlt spyware. Be careful what programs you install and run on your computers folks… or you might be putting yourself at risk. Coronavirus: How hackers are preying on fears of Covid-19 Date: 2020-03-13 Author: BBC News Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance. Phishing emails written in English, French, Italian, Japanese, and Turkish languages have been found. The BBC has tracked five of the campaigns. March 2020 Patch Tuesday: Microsoft fixes 115 vulnerabilities, Adobe none Date: 2020-03-10 Author: Help Net Security It’s March 2020 Patch Tuesday, Adobe seems to have skipped releasing any patches, whilst Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The 26 critical flaws all allow remote code execution, but some are more easily exploited than others. The good news is that no active attacks have been observed for any of the vulnerabilities at this time. Preparing for Covid-19 and beyond Date: 2020-03-06 Author: Beta News The threat of a global pandemic is alarming, but at least in this case, IT has some advance notice to prepare for the worst-case scenario. You do not want to be caught without a plan if local governments institute a quarantine or local schools are closed for several weeks. And even if we avoid a pandemic — fingers crossed — the planning you did won’t be in vain. It’s important for every organization to always have a plan to deal with disasters large and small, whether it’s flooding, inclement winter weather or a particularly bad cold that sends half your team home. Here are the steps you should take to put together your plan and prepare for a potential pandemic. ESB-2020.0862.2 – UPDATED ALERT SMBv3: Execute arbitrary code/commands – Remote/unauthenticated Microsoft released an out-of-bounds emergency patch today for a vulnerability identified as wormable. See article above. ESB-2020.0868 – Firefox ESR: Multiple vulnerabilities Firefox update patches Airpod information disclosure vulnerability. ASB-2020.0054 – Windows: Multiple vulnerabilities Microsoft Patch Tuesday resolves 78 vulnerabilities for Windows. Stay safe, stay patched and have a good weekend! Sean