AUSCERT Week in Review for 6th September 2019 Greetings, Ask yourself this question. “Should I always believe what you see (or hear)?” As the week comes to a close, here are some articles that may help ease you into the weekend. Privacy concerns mount over Chinese face-swap app Zao Date published: 03/09/2019  Author: Mark Wycislik-Wilson Excerpt: “Zao — a Chinese face-swapping app with the potential to be used to create deepfakes — went viral over the weekend, shooting to the top of the App Store download charts. But concerns have been raised not only over the potential for the app to be abused, but also over its privacy policies. Of particular concern are clauses which grant the developers “free, irrevocable, permanent, transferable, and relicense-able” rights over users’ photos. Zao responded by tweaking its privacy policy, but complaints are still flooding in.” Nemty Ransomware Gets Distribution from RIG Exploit Kit Date published: 03/09/2019 Author: Ionut Ilascu Excerpt: “BleepingComputer saw that the post-encryption ransom demand was around $1,000 in bitcoin. Unfortunately, there is no free decryption tool available at the moment and the malware makes sure to remove the file shadows created by Windows. Security researcher Mol69 noticed that the file-encrypting malware is now a payload in malvertising campaigns from RIG exploit kit (EK). The malware used the .nemty extension for the encrypted files but the variant observed by Mol69 adds ‘._NEMTY_Lct5F3C_’ at the end of the processed files.” Scammer Successfully Deepfaked CEO’s Voice To Fool Underling Into Transferring $243,000 Date published: 03/09/2019 Author: Jennings Brown Excerpt: “The CEO of an energy firm based in the UK thought he was following his boss’s urgent orders in March when he transferred funds to a third-party. But the request actually came from the AI-assisted voice of a fraudster.” Threat Actor behind Astaroth is now using Cloudflare Workers to bypass your Security Solutions. Date published: 01/09/2019 Author: Marcel Afrahim Excerpt: “You might have seen the recently published report about a widespread fileless campaign called Astaroth by Microsoft Research Team that completely “lived off the land”: it only ran system tools throughout a complex attack chain. If you haven’t, you SHOULD definitely read the details of the research article done by the Microsoft team here. Following the report, the group behind the Astaroth attack campaign changed tactics and they ran a similar campaign again earlier in august with few changes, notably use of Cloudflare Workers. In this article I will try to show highlight the changes and show a clear chain of attack from the delivery till infection, something Microsoft research article failed to do.”   Here are this week’s noteworthy-ish security bulletins: 1) Firefox and Firefox ESR: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ASB-2019.0252/ Mozilla released updates for Firefox and Firefox ESR that addressed a large number of vulnerabilties, the most severe being a remote code execution vulnerability stemming from poor sanitization of logging related command line parameters. Luckily, this issue only affects Windows and not many people use that! 2) Cisco Small Business RV160, 260, and 340 Series VPN Routers: Root compromise – Existing account https://portal.auscert.org.au/bulletins/ESB-2019.3369/ A number of Cisco small business VPN routers have been identified as being affected by a number of vulnerabilities. The most important of these deal with hardcoded password hashes stored for the root user stored in the firmware and the ability to view undocumented user accounts, which includes the “root” account! If you own any of these, please read the bulletin and update! 3) Cisco Identity Services Engine: Cross-site scripting – Remote with user interaction https://portal.auscert.org.au/bulletins/ESB-2019.3364/ More from Cisco! Cisco fixed a reflected XSS vulnerability in web-based management interface of its ISE product. 4) Cisco Content Security Management Appliance – Access confidential data –Existing account https://portal.auscert.org.au/bulletins/ESB-2019.3362/ Just one more Cisco bulletin. Cisco released a fix for an information disclosure vulnerability in its CCSM appliance, which originates from a role permissions implementation error allowing unauthorised access to other users spam folders, for example. Stay safe, stay patched, keep your eyes peeled and have a great weekend free of paranoia!  Nick

AUSCERT Week in Review for 20th September 2019 Greetings, This week’s big headline is the findings of the AFP and ASIC’s investigation into a cybercrime syndicate targeting Australian superannuation accounts. Also, Reuters (normally a relatively credible source) have published a story attributing the Australian parliament hack, albeit without official sources. More after the jump. China blamed for Australian parliament hackDate: 16 SeptemberAuthor: iTnews Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, five people with direct knowledge of the matter told Reuters.The Australian Signals Directorate concluded in March that China’s Ministry of State Security was responsible for the attack, the five people said. Cyber fraud hits superannuation, share accountsDate: 17 SeptemberAuthor: iTnews Millions of dollars have allegedly been stolen from personal superannuation and share trading accounts using hijacked identity credentials that were obtained on the dark net.The Australian Federal Police and on Tuesday revealed the “multi-layered cybercrime activity” after a 12-month investigation into a major fraud and identity theft syndicate with the Australian Securities and Investment Commission. 400 Million Medical Radiological Images Exposed on the InternetDate: 18 SeptemberAuthor: Bleeping Computer An analysis of medical image storage systems exposed to the public web reveals that almost 600 servers in 52 countries are completely unprotected against unauthorized access.Audited systems were unpatched against thousands of vulnerabilities, more than 500 of them having the highest severity score. A Guide on 5 Common LinkedIn ScamsDate: 19 SeptemberAuthor: Tripwire The fact that scammers haunt Facebook and Twitter is not surprising. Even so, digital criminals don’t stop with just those two platforms. They’re also known to stalk users on LinkedIn where connections carry greater professional gravity.Fortunately, users can stay alert of such activity by familiarizing themselves with the most common types of LinkedIn scams. Here are five ruses, in particular, that should be on their radar. Here are some noteworthy bulletins from the week: 1. ESB-2019.3511 – Norton Password Manager information disclosureUnspecified information disclosure vulnerability in Symantec’s password manager for Android. 2. ESB-2019.3519 – IBus access control vulnerabilityUnintentional keylogger for different users on the same machine. 3. ESB-2019.3541 – Werkzeug cross-container accessThe debugger security PIN was not unique per Docker container. 4. ASB-2019.0268 – Mozilla Thunderbird web view fixesThunderbird’s email view disables scripting, but if the program is used “in browser or browser-like contexts”, it could be abused. Stay safe, stay patched, and have a good weekend!David

AUSCERT Week in Review for 30th August 2019 Greetings, As they say, out with the old, in with the new. Or should it be “out with the deprecated, in with the supported”?End-of-life is approaching for both Windows 7 and Python 2. But since they also say what goes around, comes around. So whilst “retro” can be considered cool in some circumstances, it cannot be considered so when retro to run with outdated IOS XE so go ahead and pick up your hardened version of the IOS XE software from Cisco today whilst stocks last. Monopoly is one retro game that seems to forever stay young. Community Chest: Drive past Jail and pick up iOS 12.4.1. Winner! As the week draws to a close, many webservers with HTTP/2 vulnerabilities have been patched over the last two weeks since they were reported by a Netflix researcher, so it’s good to hear of patching wins.   In the news this week: Windows 7 end of life: Months from patch cut-off, millions still haven’t upgradedAuthor: ZDNetDate published: 2019-08-28 With just under five months until Microsoft stops issuing free patches for Windows 7, millions of PCs are still relying on it, leaving them exposed to new bugs that will probably never be patched. Microsoft has been nagging Windows 7 users to upgrade to Windows 10 for years now, yet a huge number of consumers and smaller businesses have either resisted those calls or missed them. Cisco Fixes Critical Bug in Virtual Service Container for IOS XEAuthor: BleepingComputerDate published: 2019-08-28 Cisco today published an update for its IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices running an outdated version of virtual service containers. Exploitation is possible if specific conditions are met by simply sending malicious HTTP requests to a target device. If an administrator is into the REST API interface, an adversary can get their ‘token-id’ and run commands with elevated privileges. Time to shed Python 2Author: National Cyber Security Centre (UK)Date published: 2019-08-22 The end of life (EOL) date for Python 2 has been a long time coming, but it’s finally in sight. As of the 1st of January 2020, Python 2 will no longer be supported. There will be no more bug fixes, or security updates, from Python’s core developers. So, if you’re still using 2.x, it’s time to port your code to Python 3. If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing. Cyber security a key focus for Uni foreign interference taskforceAuthor: iTnewsDate published: 2019-08-29 The cyber resilience of Australia’s universities will be a key focus of a new federal government taskforce aimed at addressing foreign interference concerns in the higher education sector. Education minister Dan Tehan announced the creation of the University Foreign Interference Taskforce on Wednesday to assess the level of foreign interference in universities. Noteworthy bulletins this week: 1. Symantec Reporter: Access confidential data The Australian Taxation Office is credited as the source for this advisory. 2. Cisco IOS XE: Execute arbitrary code/commands A CVSSv3 score of 10/10 for a full authentication bypass. 3. h2o web server: Denial of Service – Remote/Unauthenticated The HTTP/2 vulnerabilities from a Netflix researcher have been patched in many webservers in the last fortnight, including h2o. 4. Apple iOS, macOS and tvOS: Root compromise – Existing Account Regression of a bugfix for a vulnerability used in jailbreaks in iOS 12.4 led to the hasty release of 12.4.1 with the jailbreak patched out. Reward yourself tonight or this weekend by putting up your feet, catching your favourite retro or modern show, or if books are more your thing, pick a good one. Stay safe, stay patched and have a great weekend!Colin

AUSCERT Week in Review for 2nd August 2019 Greetings, This week we’ve seen a few noteworthy stories in the Information Security world. Over in the USA, the Capital One banking corporation suffered from a massive data breach, as millions of customers’ data were downloaded from an AWS S3 bucket with inappropriate permissions. In their notification, Capital One were quick to point out that “No bank account numbers or Social Security numbers were compromised, other than […] About 140,000 Social Security numbers […] About 80,000 linked bank account numbers”. Several Information Security pundits were quick to point out the audacity and dishonesty of this statement. AUSCERT recommends, and has always recommended, clarity and honesty when communicating data breaches. In other news, the Equifax credit reporting firm reached a settlement with the Federal Trade Commission last week, and any victims of the 2017 Equifax data breach can apply for reimbursement for any costs or losses incurred resulting from the breach, including the costs of applying for credit monitoring. Affected people may also make a claim for a cash settlement, which has been set at US$127 per person. Some might say this is small compensation for having your financial information leaked online, and I would agree with them. Closer to home, the AUSCERT office appears to be experiencing virus attacks of a more traditional nature – more than half of our staff have called in sick over this week. We hope you’re staying healthy by sanitising your inputs (air!), installing the latest (vitamin) updates, and quarantining any infected machines (family members) in an isolated environment! Here are some of the week’s noteworthy security stories (in no particular order): Title: Apple iMessage Flaw Lets Remote Attackers Read Files on iPhonesAuthor: Sergiu GatlanDate: July 29, 2019 Excerpt: “An iMessage vulnerability patched by Apple as part of the 12.4 iOS updateallows potential attackers to read contents of files stored on iOS devicesremotely with no user interaction, as user mobile with no sandbox.” —- Title: Capital One Says Breach Hit 100 Million Individuals in U.S.Author:  Christian Berthelsen, Matt Day, and William TurtonDate: July 30, 2019 Excerpt: “Capital One Financial Corp. said data from about 100 million people inthe U.S. was illegally accessed after prosecutors accused a Seattle womanidentified by Amazon.com Inc. as one of its former cloud service employeesof breaking into the bank’s server. While the complaint doesn’t identify the cloud provider that stored theallegedly stolen data, the charging papers mention information stored inS3, a reference to Simple Storage Service, Amazon Web Services’ populardata storage software.” —- Title: 200 million devices–some mission-critical–vulnerable to remote takeoverAuthor: Dan GoodinDate: July 30, 2019 Excerpt: “…Researchers with security firm Armis identified 11 vulnerabilities invarious versions of VxWorks, a slimmed-down operating system that runs onmore than 2 billion devices worldwide. Billed collectively as Urgent 11, the vulnerabilities consist of six remotecode flaws and five less-severe issues… None of the vulnerabilitiesaffects the most recent version of VxWorks–which was released lastweek–or any of the certified versions of the OS, including VxWorks 653or VxWorks Cert Edition.” —- Here are some of this week’s noteworthy security bulletins (in no particularorder): 1. ASB-2019.0226 – [Win][Linux] GitLab: Multiple vulnerabilities 2. ASB-2019.0224 – ALERT [Appliance] VxWorks: Multiple vulnerabilities 3. ESB-2019.2872 – [Win][UNIX/Linux][Ubuntu] Subversion: Denial of service – Remote/unauthenticated Stay safe, stay patched, and have a good weekend. Anthony

AUSCERT Week in Review for 23rd August 2019 Greetings,“Buy the rumor, sell the news”.  Looks like media has gotten hold on to the fact that phisher’s are trying the best they can to add legitimacy of their phish sites any way they can. This instance is by using services that, when conducting a WHOIS, returns signs that the site “belongs” to the service being phished, trying to reduce the likelyhood of it being detected. Well, we have seen various versions of this tactic, for a while now, landing in AUSCERT triage.  It did provide for a change, but they get processed none-the-less. Although phishers are changing tactics, one thing does not change, users need to be aware when clicking links in emails.   As for news, here’s a summary (including excerpts) of some of the moreinteresting stories we’ve seen this week: ——- Phishing Attacks Scrape Branded Microsoft 365 Login PagesAuthor: Sergiu GatlanDate: August 21st, 2019 Excerpt: “An unusual new phishing campaign is probing email inboxes via attacks using the targets’ company-branded Microsoft 365 tenant login pages to add more legitimacy to the scam.  The attackers are also using Microsoft’s Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, a common tactic used by phishers to trick their targets into thinking that they’re seeing an official Microsoft login page.  Using Azure Blob Storage object storage solution to host their phishing pages allows them to take advantage of the fact that they will automatically get signed with an SSL certificate from Microsoft.” ——- npm Pulls Malicious Package that Stole Login PasswordsAuthor: Ionut IlascuDate: August 21st, 2019 Excerpt: “A malicious package was removed today from the npm repository after it was discovered that it stole login information from the computers it was installed on.  The npm repository is a popular online database for open-source packages that are often used as dependencies in Node.js projects. Critical severity. Earlier today, npm pulled the package ‘bb-builder’ from the repository, marking it as malicious and having critical severity.” ——- Identifying Evasive Threats Hiding Inside the NetworkAuthor: Matt LockDate: August 22nd, 2019 Excerpt:“There is no greater security risk to an organization than a threat actor that knows how to operate under the radar.  Malicious insiders and external cybercriminals are getting savvier. They are better at blending in without tripping any alerts. They skip over tools and techniques that trigger standard security systems. How can a company tell them apart from the noise created by legitimate logins to the network that day?  The answer lies in context. It is not enough to monitor and log activity throughout the network – organizations need to be able to combine multiple sources of data to spot the subtle signs of a stealthy attacker at work.” ——- The Cost of Dealing With a Cybersecurity Attack in These 4 IndustriesAuthor: Pierluigi PaganiniDate: August 21st, 2019 Excerpt:“A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.  It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors. 1. Health Care, 2. Retail, 3. Manufacturing, 4. Finance.” ——- Update Now! Microsoft Patches Its Android RDP App to Fix FlawAuthor: John E DunnDate: August 22nd, 2019 Excerpt: “Microsoft has added its Android Remote Desktop Protocol (RDP) app to the list of client software that needs updating to fix a security flaw first made public as part of July’s Patch Tuesday.  The flaw, tracked as CVE-2019-1108, was described as an information disclosure issue that could allow an attacker “to connect remotely to an affected system and run a specially crafted application.”  Although the rating made it sound less urgent, attackers are known to be very interested in RDP weaknesses, hence Microsoft’s caution that that exploitation was “more likely.” The fix? To apply the relevant patch for the Windows version in question (KB4507453 in the case of Windows 10 64-bit version 1903).” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1. ESB-2019.3212 – [Cisco] Cisco Systems & Cisco UCS Direct: Multiple vulnerabilities“CVE-2019-1936 …authenticated, remote attacker to execute arbitrary commands on the underlying Linux shell as the root user” 2. ESB-2019.3208 – [Appliance] IBM Netezza Host Management: Multiple vulnerabilities“CVE-2019-10161 …obtain arbitrary file information, cause a denial of service or execute arbitrary programs withroot privileges.” 3. ESB-2019.3210 – [Win][Linux][AIX] IBM InfoSphere Optim High Performance Unload: Root Compromise – Existing Account“CVE-2019-4447 …low privilege user full access to root…” 4. ESB-2019.3190 – [UNIX/Linux][Ubuntu] Zstandard: Multiple vulnerabilities“CVE-2019-11922 …execute arbitrary code if it received specially crafted input…” 5. ESB-2019.3189 – [Ubuntu] OpenJPEG: Multiple vulnerabilities“CVE-2017-17480 Certain PGX files could possibly cause a denial of service or possibly remote code execution.” Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 16th August 2019 Greetings, Windows’ Remote Desktop Services is in the spotlight this week, with two separate announcements. Firstly, the ACSC issued a warning on Monday night that May’s “BlueKeep” vulnerability was being exploited in the wild. Then, Microsoft warned on Patch Tuesday (or Wednesday for us antipodeans) that it had found two more similar vulnerabilities, with patches available immediately. In other news, F-Secure have written up a novel injection attack. While injection attacks are famously seen in carelessly-written SQL and shell scripts, this week brought a blog post documenting how vendor F5’s own example configuration code often contained vulnerable Tcl. While F5 released an advisory in May to this effect, F-Secure’s post brings greater notoriety to the issue. While scripting languages are on your mind, consider ShellCheck. Yours truly will always recommend an extra pair of eyes on any shell scripts being written. ASD upgrades BlueKeep Win. RDP warning, 50K Aust. devices at riskAuthor: iTnewsDate published: 2019-08-13 The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a late evening warning to business and government that a recently revealed legacy Windows exploit has jumped ‘research’ quarantine and is expected to start fanging victims imminently. New Bluetooth KNOB Flaw Lets Attackers Manipulate TrafficAuthor: BleepingComputerDate published: 2019-08-13 A new Bluetooth vulnerability named “KNOB” has been disclosed that allows attackers to more easily brute-force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices. ‘Cyber paramedics’ keep Vic agencies safeAuthor: Government NewsDate published: 2019-08-12 When David Cullen took up the job of Principal Advisor of Cyber Incidents and Emergency Management at the Victorian Department of Premier and Cabinet a year ago he was told there had been just 13 cyber-attacks in the history of the organisation.“I scratched my head and thought, ‘what a ripping job I’ve landed in’,” he told delegates at a Technology in Government conference in Canberra last week.He soon found out those 13 attacks weren’t “even close to the tip of the iceberg”.After conducting a whole of government survey it became apparent that hackers were attempting to breach government systems every 45 seconds and that nine in 10 Victorian government organisations had experienced a cyber incident. WordPress team working on daring plan to forcibly update old websitesAuthor: ZDNetDate published: 2019-08-08 The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases.The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites. Hidden Injection Flaws Found in BIG-IP Load BalancersAuthor: SecurityWeekDate published: 2019-08-09 The issue cannot be patched. “This is not a vulnerability in Tcl, or F5 products, but rather an issue relating to coding practices used when writing Tcl code,” explained F5 in its advisory. The effect, however, could give an attacker access to the load balancer and its hosting device, the ability to read passing traffic (including user credentials), and the potential to use this as a beachhead for gaining access to the internal network. The inability to patch the problem and the difficulty for companies to know whether their own code exposes the problem, prompted the flaw finder, F-Secure’s senior security consultant Christoffer Jerkeby, to publish a paper on his findings. ShellCheck This free tool is available online and as a binary, and scours your shell scripts for common mistakes. It’s also available as a plug-in for your favourite editor. This week’s noteworthy bulletins: 1. ESB-2019.3059 – [Appliance] FortiOSJavaScript files used in the appliance’s web UI would reveal OS version information even to unauthenticated users. 2. ASB-2019.0238 – [Windows] Microsoft Windows (login wall)Microsoft’s Patch Tuesday included two “wormable” RCEs in Remote Desktop Services, similar to the BlueKeep bug patched in May.Two more RCEs were also patched in the Windows DHCP client. 3. ESB-2019.3092 – [Windows] [macOS] Adobe Acrobat and ReaderOpening a crafted file could execute arbitrary code. A good reminder not to open suspicious files. 4. ESB-2019.3116 – [Windows] [UNIX/Linux] nginxMultiple DoS vulnerabilities were found in HTTP/2 servers by a researcher at Netflix.Nginx happens to be the first to release a fix. Stay safe, stay patched, try out ShellCheck, and have a great weekend!David

AUSCERT Week in Review for 9th August 2019 Greetings, Two sagas continue this week, and neither one is Star Wars. The Spectre family tree has gained a new member called SWAPGS. It was announced at Black Hat and allows access to protected data in the CPU cache. Another two vulnerabilities have also been added to the Dragonblood family, affecting the cutting-edge WPA 3 WiFi standard. A million-dollar email should serve as a reminder to your staff to always consider whether BCC is a better tool for mass-mail than CC. ——————————————————————————– SWAPGS Vulnerability in Modern CPUs Fixed in Windows, Linux, ChromeOSAuthor: BleepingComputerDate published: 06/08/2019 At BlackHat today, Bitdefender disclosed a new variant of the Spectre 1 speculative execution side channel vulnerabilities that could allow a malicious program to access and read the contents of privileged memory in an operating system.This SWAPGS vulnerability allows local programs, like malware, to read data from memory that is should normally not have access to, such as the Windows or Linux kernel memory.During the July 2019 Patch Tuesday security updates, Microsoft secretly patched the new SWAPGS speculative vulnerability using software mitigations.  [Red Hat and Google have also released advisories and patches.] App that patients use to book GP appointments now facing millions in fines for selling health dataAuthor: ABC NewsDate published: 07/08/2019 Australia’s biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling users’ personal health information to law firms. The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege. New Dragonblood vulnerabilities found in WiFi WPA3 standardAuthor: ZDNetDate published: 03/08/2019 Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard. Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard. The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks. When ‘CC’ should have been ‘BCC’: How an email gaffe cost one Australiancompany dearlyAuthor: The AgeDate published: 02/08/2019 It started as a simple oversight, but quickly ended as a six-figure mistake. At the heart of the tale is a global real estate company, where one marketing email sent by an employee to just 300 customers exposed a major gap in the firm’s cyber security governance.The problem began when the employee mistakenly pasted 300 email addresses in the “carbon copy” or “CC” email field, instead of the “blind copy” or “BCC” field, a technological misstep familiar to almost anyone using email in 2019. ——————————————————————————– This week’s noteworthy bulletins: 1. [ALERT] Cisco Enterprise NFV Infrastructure Software: Multiple vulnerabilitiesAuthentication bypass and command injection attacks leading to anunauthenticated administrator compromise. 2.  keycloak-httpd-client-install: Multiple vulnerabilitiesInstall scripts can have significant vulnerabilities too! This one usedinsecure temp files to enable privilege escalation. 3. LibreOffice: Execute arbitrary code/commands – Remote with user interactionNooo don’t open that file! 4. IBM Business Automation Workflow: Access confidential data – Remote/unauthenticated“Reverse tabnabbing” is a little-seen web vulnerability. Stay safe, stay patched and have a great weekend!David

AUSCERT Week in Review for 26th July 2019 AUSCERT Week in Review26 July 2019 Greetings, Concerns continue about development of exploits for the Windows RDP vulnerability (BlueKeep) which has the potential to become a self replicating worm. This week more information become available which closes the gap towards successful exploitation of this vulnerability. For more info see: https://www.theregister.co.uk/2019/07/24/bluekeep_code_release/ If you still haven’t patched this yet note the time to successful exploitation with remote code execution is drawing ever closer! This week also saw a warning from the ACSC about a class of scams being called “freight forwarding scams”. A number of AUSCERT members have been hit by this and ACSC note some businesses have closed due to the losses. See: https://www.cyber.gov.au/news/business-email-compromise-freight-forwarding-scam Here are some of the week’s noteworthy security stories (in no particular order): Australia’s Consumer Data Right to finally make its way through ParliamentAuthor: Asha BarbaschowDate: 2019-07-23 Excerpt: “The federal government this week plans to introduce legislation ithas touted as opening up competition between banks, utilities, andtelecommunications providers, as well as allowing consumers to easilyswitch between providers. The Consumer Data Right (CDR) — through the passage of the Treasury LawsAmendment (Consumer Data Right) Bill — will allow individuals to “own”their data by granting them open access to their banking, energy, phone,and internet transactions, in addition to gaining the right to controlwho can have it and who can use it.” Law Council wants warrants and crime threshold for metadata retention schemeAuthor: Chris DuckettDate: 2019-07-23 Excerpt: “The Law Council of Australia has called for the introduction of warrantswhen the nation’s enforcement agencies seek to access metadata stored inthe data retention systems of Australia’s telcos. Currently, enforcement agencies have access to two years’ worth of customers’call records, location information, IP addresses, billing information,and other data stored by carriers without the need for a warrant.” BEC Scammers Trick Employees Into Giving Away Customer InfoAuthor: Sergiu GatlanDate: 2019-07-23 Excerpt: “Business email compromise (BEC) scammers are now targeting a company’scustomers using a new indirect attack method designed to collectinformation on future scam targets by asking for aging reports fromcollections personnel.”   Hundreds of Australians have been fleeced over bogus tax debtsAuthor: Sian Johnson, et alDate: 2019-07-24 Excerpt: “Ms Wilson is one of hundreds of Australians taken in by dodgy phone callsdemanding payment for bogus tax debts, with a record number of more than800 Australians fleeced of a total of $3 million in 2018 alone.” Microsoft to Improve Office 365 Malicious Email AnalysisAuthor: Sergiu GatlanDate: 2019-07-24 Excerpt: “Microsoft is currently in the process of developing significantly bettermanual threat hunting features for the Office 365 Threat Explorer, to berolled out to all environments during August.”

AUSCERT Week in Review for 19th July 2019 AUSCERT Week in Review19 July 2019 Greetings, Oracle’s Critical Patch Update for July landed on Wednesday. Check outour bulletins to see if you’re running anything in need of a fix. Credential stuffing even made it into prominent webcomic xkcd this week,in a very easy-to-follow way (https://xkcd.com/2176/) Here are some of the week’s noteworthy security stories (in no particularorder): NCSC Issues Alert About Active DNS Hijacking AttacksAuthor: Ionut IlascuDate: 2019-07-15 Excerpt: “Following recent reports about mass-scale attacks aimed at modifyingDomain Name System records, UK’s National Cyber Security Centre (NCSC)released an advisory with mitigation options for organizations to defendagainst this type of threat.” FBI Releases Master Decryption Keys for GandCrab RansomwareAuthor: Lawrence AbramsDate: 2019-07-17 Excerpt: “In an FBI Flash Alert, the FBI has released the master decryption keysfor the Gandcrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Usingthese keys, any individual or organization can create and release theirvery own GandCrab decryptor.” Home Affairs could tap telcos for MAC and IP addresses, port numbersAuthor: Ry Crozier Excerpt: “The Department of Home Affairs has raised the prospect of forcing Australiantelcos to capture an expanded range of user data including MAC addresses,IP addresses and port numbers under mandatory data retention laws.” Oracle’s July 2019 CPU Includes 319 FixesAuthor: Ionut ArghireDate: 2019-07-17 Excerpt: “Oracle this week published its July 2019 Critical Patch Update (CPU),which brings a total of 319 security fixes across numerous product families. While fewer than 200 of these vulnerabilities can be exploited remotelywithout authentication, over 50 of them are rated Critical severity,almost all of them featuring a CVSS score of 9.8.”

AUSCERT Week in Review for 12th July 2019 AUSCERT Week in Review12 July 2019 Greetings, This week we saw numerous Microsoft vulnerability reports and fixes as part of Patch Tuesday.We also saw a larger than normal collection of advisories from Juniper and ICS-CERT this week. There are a number of events occuring in our neighbourhood in the next few weeks that may be of interest: “Celebrating Diversity and Inclusion in Queensland’s ICT security sector”https://wordpress-admin.auscert.org.au/events/2019-07-18-naidoc-week-2019-auscert-and-baidam-solutions-event “Cyber Security Public Lecture with Corey Schou”https://www.eait.uq.edu.au/cyber-security-public-lecture-corey-schou — Here are some of this week’s noteworthy security bulletins (in no particular order): ACSC Releases Updated Essential Eight Maturity ModelAuthor: US-CERTDate: 05-07-2019 Excerpt: “The Australian Cyber Security Centre (ACSC) has released updates to its Essential Eight Maturity Model. The model assists organizationsin determining the maturity of their implementation of the Essential Eight–ACSC’s list of the top mitigation strategies to help organizationsprotect their systems against adversary threats.” British Airways faces record-breaking GDPR fine after data breachAuthor: Jon PorterDate: 08-07-2019 Excerpt: “The UK’s data watchdog has announced plans to fine the airline British Airways a record ?183 million over last year’s data breach.” Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!Author: Jonathan LeitschuhDate: 09-07-2019 Excerpt: “A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes upto 750,000 companies around the world that use Zoom to conduct day-to-day business.” Patch Tuesday Lowdown, July 2019 EditionAuthor: Brian KrebsDate: 09-07-2019 Excerpt: “Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them arefixes for two zero-day flaws that are actively being exploited in the wild” German banks are moving away from SMS one-time passcodesAuthor: Catalin CimpanuDate: 11-07-2019 Excerpt: “Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transactionverification method.” — Here are some of this week’s noteworthy security bulletins (in no particular order): Title: ASB-2019.0190 – [Win][UNIX/Linux] Mozilla Firefox and MozillaFirefox ESR: Multiple vulnerabilitiesDate: 10 July 2019URL: http://www.auscert.org.au/84211 “Mozilla advises upgrading to Firefox 68 or Firefox ESR 60.8 to address this vulnerability.” Title: ASB-2019.0187 – ALERT [Win] Microsoft Windows: MultiplevulnerabilitiesDate: 10 July 2019URL: http://www.auscert.org.au/84193 “CVE-2019-1132 is has been seen exploited in the wild” Title: ESB-2019.2574 – [Win] Siemens SIMATIC WinCC and PCS7: Multiple vulnerabilitiesDate: 12 July 2019URL: http://www.auscert.org.au/84331 “The SIMATIC WinCC DataMonitor web application of the affected products allows an authenticated user with network access to the WinCC DataMonitorapplication to upload arbitrary ASPX code.” Title: ESB-2019.2572 – [Win][UNIX/Linux] Jenkins: Multiple vulnerabilitiesDate: 12 July 2019URL: http://www.auscert.org.au/84327 “Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master.” Title: ESB-2019.2563 – [Juniper] Junos OS: Multiple vulnerabilitiesDate: 12 July 2019URL: http://www.auscert.org.au/84309 “Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow” — Stay safe, stay patched and have a great weekend,Marcus. —

AUSCERT Week in Review for 5th July 2019 AUSCERT Week in Review05 July 2019 Greetings, I hope you are all enjoying the holiday period, whether it be having abreak, less students/customers, or quieter roads. This week we again saw a wide variety of vulnerabilities revealed andpatches released, including several root compromises and numerous remotelyexploitable issues. — Here are some of this week’s noteworthy security bulletins (in no particularorder): Germany to publish standard on modern secure browsers Author: Catalin CimpanuDate:   01-07-2019 Excerpt: “Germany’s cyber-security agency is working on a set of minimum rules thatmodern web browsers must comply with in order to be considered secure.The new guidelines are currently being drafted by the German FederalOffice for Information Security (or the Bundesamt fur Sicherheit in derInformationstechnik — BSI), and they’ll be used to advise governmentagencies and companies from the private sector on what browsers are safeto use.” Morrison sells Australia’s terrorism video streaming plan to the G20 Author: StilgherrianDate:   01-07-2019 Excerpt: Led by Australia, the G20 nations have urged online platforms to “meet ourcitizens’ expectations” to prevent terrorist and violent extremism conduciveto terrorism (VECT) content from being streamed, uploaded, or re-uploaded.“Platforms have an important responsibility to protect their users,”read the Leaders’ Statement [PDF] issued in Osaka on Saturday. Poison certs imperils GnuPG checking of Linux software Author: Juha SaarinenDate:   01-07-2019 Excerpt: “An attack has been unleashed against the global synchronising keyserver(SKS) network used by the popular OpenPGP encryption standard, withdevelopers saying there is currently no mitigations available and thatthe problem is likely to get worse.” China Is Forcing Tourists to Install Text-Stealing Malware at its Border Author: Joseph CoxDate:   03-07-2019 Excerpt: “The malware downloads a tourist’s text messages, calendar entries,and phone logs, as well as scans the device for over 70,000 different files.” US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks Author: Catalin CimpanuDate:   02-07-2019 Excerpt: The idea is to use “retro” technology to isolate the grid’s most importantcontrol systems, to limit the reach of a catastrophic outage.“Specifically, it will examine ways to replace automated systems withlow-tech redundancies, like manual procedures controlled by human operators,” YouTube mystery ban on hacking videos has content creators puzzled Author: Thomas ClaburnDate:   03-07-2019 Excerpt: It forbids: “Instructional hacking and phishing: Showing users how tobypass secure computer systems or steal user credentials and personal data.” First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol Author: Catalin CimpanuDate:   03-07-2019 Excerpt: “The DoH (DNS) request is encrypted and invisible to third-party observers,including cyber-security software that relies on passive DNS monitoringto block requests to known malicious domains.” — Here are some of this week’s noteworthy security bulletins (in no particularorder): 1. ESB-2019.1280 – [Linux][OSX] Webkit: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/79038“Processing maliciously crafted web content may lead to arbitrary codeexecution.” 1. ESB-2019.2443 – [Appliance] Cisco IP Phone 7800 and 8800 Series: Denialof service – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/ESB-2019.2443/“A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800Series and 8800 Series could allow an unauthenticated, remote attacker tocause a denial of service (DoS) condition on an affected phone.” 2. ESB-2019.2433 – [Virtual] VMware Products: Denial of service –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/ESB-2019.2433/“Several vulnerabilities in the Linux kernel implementation of TCPSelective Acknowledgement (SACK) have been disclosed. These issues mayallow a malicious entity to execute a Denial of Service attack againstaffected products.” 3. ESB-2019.2413 – [Appliance] F5 Products: Denial of service –Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/ESB-2019.2413/“An attacker may exhaust file descriptors available to the named process;as a result, network connections and the management of log files or zonejournal files may be affected.” 4. ESB-2019.2370 – [Win][Mac] Symantec Endpoint Encryption: Increasedprivileges – Existing accounthttps://portal.auscert.org.au/bulletins/ESB-2019.2370/“Symantec Endpoint Encryption and Symantec Encryption Desktop may besusceptible to a privilege escalation vulnerability” 5. ESB-2019.2474 – [FreeBSD] cd_ioctl: Root compromise – Existing accounthttps://portal.auscert.org.au/bulletins/ESB-2019.2474/“A user in the operator group can make use of this interface to gain rootprivileges on a system with a cd(4) device when some media is present inthe device.” — Stay safe, stay patched and have a great weekend,Marcus.

AUSCERT Week in Review for 28th June 2019 AUSCERT Week in Review for 28th June 2019 Greetings,  As the week ending Friday 28th June comes to a close, we take a look at some articles from this week that highlight constant tug-of-war between the bad guys (them!) and the good guys (us!). From Angler phishing to using RasPis to hack into a national US space agency, the bad guys are constantly trying to break through our defences. On the flip side the Algorithm Vaccination article highlights the defenders’ equal determination to overcome their adversaries. Don’t give up the fight! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: What is angler phishing? Date published: 24/06/2019  Author: Luke Irwin Excerpt: “Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts. This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.” Raspberry Pi Used in JPL Breach Date published: 24/06/2019 Author: Staff, Dark Reading Excerpt: “Auditors’ reports tend to make for dry reading. But NASA’s Inspector General has delivered a report on “Cybersecurity Management and Oversight at the Jet Propulsion Laboratory” that includes twists and turns — like a hacker using a vulnerable, unapproved Raspberry Pi as a doorway into JPL systems. That Raspberry Pi was responsible for 500 megabytes of NASA Mars mission data leaving JPL servers. The intrusion resulted in an advanced persistent threat (APT) that was active in JPL’s network for more than a year before being discovered. This was the most recent breach listed in the report. Other breaches noted date back to 2009 and include exfiltration totaling more than 100 gigabytes of information. Several of the intrusions feature command-and-control servers with IP addresses located in China, though the responsibility for the latest attack was not assigned to any country or actor.” Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory Date published: 25/06/2019 Author: Pierluigi Paganini Excerpt: ““This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a Tweet published by Microsoft Security Intelligence.   One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.” Researchers develop a technique to vaccinate algorithms against adversarial attacks Date published: 24/06/2019 Author: Helpnet Security Excerpt: “Dr Richard Nock, machine learning group leader at CSIRO’s Data61 said that by adding a layer of noise (i.e. an adversary) over an image, attackers can deceive machine learning models into misclassifying the image. “Adversarial attacks have proven capable of tricking a machine learning model into incorrectly labelling a traffic stop sign as speed sign, which could have disastrous effects in the real world. “Our new techniques prevent adversarial attacks using a process similar to vaccination,” Dr Nock said.”   Here are this week’s noteworthy security bulletins: 1) F5 BIG-IP Controller for Cloud Foundry: Root compromise – Remote/unauthenticated https://portal.auscert.org.au/bulletins/ESB-2019.2286/ F5 released an update for its BIG-IP Controller for Cloud Foundry, which addressed a vulnerability in Alpine Docker Images (version 3.3 and up), which led to systems deployed using those versions to accept a NULL ‘root’ user password. The vulnerability had been introduced in December 2015! 2) Tenable Nessus: Cross-site scripting – Remote with user interaction https://portal.auscert.org.au/bulletins/ASB-2019.0168/ Tenable issued an update for its Nessus Vulnerability Assessment solution to fix XSS vulnerability. 3) McAfee Enteprise Security Manager (ESM): Multiple vulnerabilities https://portal.auscert.org.au/bulletins/ASB-2019.0169/ McAfee updated its Enteprise Security Manager (ESM) SIEM product to address a number of vulnerabilities. 4) Medtronic MiniMed 508 and Paradigm Series Insulin pumps – Multiple impactshttps://portal.auscert.org.au/bulletins/ESB-2019.2351/ Yet again, vulnerabilities in medical equipment allow bad people to play with lives by manipulating insulin doses or provided incorrect information to those devices. Stay safe, stay patched and have a good weekend!  Nick