Week in review

AUSCERT Week in Review for 21st June 2019

21 Jun 2019

Greetings,

This week the Australian government performed an rm -rf on a top government cyber security position, and zero-days for both Firefox and Oracle WebLogic were dropped.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Mozilla patches Firefox zero-day abused in the wild
Date Published: 18 June 2019
Author: Catalin Cimpanu
Excerpt: “The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, Mozilla engineers wrote in a security advisory posted today. ‘This can allow for an exploitable crash,’ they added. ‘We are aware of targeted attacks in the wild abusing this flaw.’”

—–

Title: Oracle patches another actively-exploited WebLogic zero-day
Date Published: June 19, 2019
URL:
Author: Catalin Cimpanu
Excerpt: “Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users’ systems. Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday. The initial report from Knownsec claimed the attacks exploited a brand new WebLogic bug to bypass patches for a previous zero-day tracked as CVE-2019-2725 — which was also exploited in the wild for days in April before Oracle released an emergency security patch for that one as well.”

—–

Title: Home Affairs deletes top govt cyber advisor position
Date Published: 21 June 2019
Author: MSRC Team
Excerpt: “Australia’s top government cyber security policy job has quietly disappeared from the Department of Home Affairs following the shock departure of former cyber tsar Alastair MacGibbon. The department’s most recently issued organisation chart reveals the national cyber security advisor role has been shredded and the wider cyber security policy function absorbed within its policy directorate. Originally established as the Prime Minister’s special advisor on cyber security, the high profile public-facing role was established within the PM’s department as part of the heavily publicised May 2016 national cyber security strategy.”

—–

Title: Critical Vulnerabilities Patched in Cisco SD-WAN, DNA Center Products
Date Published: June 20, 2019
Author: Eduard Kovacs
Excerpt: “Cisco on Wednesday released patches for several critical and high-severity vulnerabilities affecting its SD-WAN, DNA Center, TelePresence, StarOS, RV router, Prime Service Catalog, and Meeting Server products. According to Cisco, the Digital Network Architecture (DNA) Center is affected by a critical vulnerability that allows a network attacker to bypass authentication and access critical internal services. The company’s SD-WAN solution, specifically its command-line interface (CLI), is affected by a critical flaw that can be exploited by a local attacker to elevate privileges to root and change the system configuration.”

—–

Title: Samba Vulnerability Can Crash Active Directory Components
Date Published: 20 June 2019
Author: Ionut Ilascu
Excerpt: “A couple of bugs in some versions of Samba software can help an attacker crash key processes on the network in charge of providing directory, application, and other services. The two vulnerabilities can be leveraged separately to crash the LDAP (Lightweight Directory Access Protocol) and the RPC (remote procedural call) server processes in Samba Active Directory Domain Controller, supported since version 4.0 of the software.”

—–

Here are this week’s noteworthy security bulletins:

1) [ESB-2019.2230] Apache Tomcat: Denial of service – Remote/unauthenticated
Clients are able to cause server-side threads to block, eventually leading to thread exhaustion and a denial of service.

2) [ESB-2019.2225] Bind: Denial of service – Remote/unauthenticated
Bind could be made to crash if it received specially crafted network traffic.

3) [ESB-2019.2220] libvirt: Multiple vulnerabilities
Multiple denial of service and code execution vulnerabilities found in libvirt.

Stay safe, stay patched and have a great weekend,
Rameez Agnew


AUSCERT Week in Review for 14th June 2019

14 Jun 2019

Greetings,

Happy Microsoft patch week! An updated Windows computer is a happy Windows computer (and will make us happy too!). In other news, if you recall the Exim vulnerability we mentioned last week, it’s now being exploited in the wild, so please patch as soon as you can!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Exim email servers are now under attack
Date Published: 14/06/2019
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
Excerpt: “Exim servers, estimated to run nearly 57% of the internet’s email servers, are now under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned. At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web.”

—–

RAMBleed (CVE-2019-0174)
Date Published: 12/06/2019
https://rambleed.com/
Excerpt: “RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.”

—–

Google decloaks Win-DoS bug before patch is released
Date Published: 12/06/2019
https://www.itnews.com.au/news/google-decloaks-win-dos-bug-before-patch-is-released-526549
Excerpt: “Google’s Project Zero security team has decided to reveal the details of a denial of service (DoS) bug in Windows, after Microsoft said it would provide a patch outside the 90-day disclosure deadline. Project Zero lifted the veil on the flaw, 91 days after it was disclosed to Microsoft. The bug is found in the Windows cryptographic application programming interface, affecting the SymCrypt library arithmetic routines, Project Zero researcher Tavis Ormandy said.”

—–

8.4TB in email metadata exposed in university data leak
Date Published: 10/06/2019
https://www.zdnet.com/article/8-4tb-in-email-metadata-exposed-in-university-data-leak/
Excerpt: “An exposed database belonging to Shanghai Jiao Tong University exposed 8.4TB in email metadata after failing to implement basic authentication demands. As described on the Rainbowtabl.es security blog, Paine found the ElasticSearch database through a Shodan search. The open database contained 9.5 billion rows of data and was active at the time of discovery, given that its size increased from 7TB on May 23 to 8.4TB only a day later.”

—–

Project Svalbard: The Future of Have I Been Pwned
Date Published: 11/06/2019
https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/
Excerpt: “Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I’ve met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn’t a hard decision to make – I needed help and they had the right experience and the right expertise.”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0156 – Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0156/

2) ESB-2019.2084 – vim: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2084/

3) ESB-2019.2090 – Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2090/

4) ESB-2019.2101 – Intel Microprocessors: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2101/

5) ESB-2019.2102 – Cisco IOS XE Software Web UI: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2102/

Stay safe, stay patched and have a good weekend!
Charelle


AUSCERT Week in Review for 7th June 2019

7 Jun 2019

Greetings,

Another fun week has been and gone. Great to see many of you last week at the conference, and we hope you’ve settled back into your daily roles.

Notable news this week includes a critical vulnerability in the Exim mail transfer agent and the disclosure of a second major hack of the Australian National University. It’s an unconventional story: the bug in Exim was patched entirely by accident back in February, so the release notes at the time did not include a security notice. Researchers from Qualys have since disclosed the vulnerability. If you run Exim (which roughly half of mail servers on the internet do), we advise updating to Exim 4.92. The fix will also be backported to minor versions down to 4.87 and made available by your OS providers in time.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

AUSCERT2019: that’s a wrap!
https://wordpress-admin.auscert.org.au/blog/2019-06-07-auscert2019-s-wrap
Date published: 07/06/2019
Author: Bek of AUSCERT
“The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here’s a summary of conference highlights for those who couldn’t attend.”

New RCE vulnerability impacts nearly half of the internet’s email servers
https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/
Date published: 05/06/2019
Author: Catalin Cimpanu of ZDNet
“A critical remote command execution (RCE) security flaw impacts over half of the Internet’s email servers, security researchers from Qualys have revealed today. The vulnerability was patched with the release of Exim 4.92, on February 10, 2019, but at the time the Exim team released v4.92, they didn’t know they fixed a major security hole.”

ANU suffers second ‘significant’ hack in a year
https://www.itnews.com.au/news/anu-suffers-second-significant-hack-in-a-year-526123
Date published: 04/06/2019
Author: iTnews
“The Australian National University has suffered a massive data breach with about 19 years of data accessed by an unknown attacker. It’s the second major attack against the ANU, which was also hit in mid-July last year. The university at the time blamed an advanced persistent threat but said the “significant” damage from that incident had been contained.”

United States visa applicants now required to hand over social media usernames
https://www.abc.net.au/news/2019-06-03/us-visa-applicants-to-hand-over-social-media-usernames/11172086
Date published: 03/06/2019
Author: ABC News
“The State Department is now requiring nearly all applicants for US visas to submit their social media usernames, previous email addresses and phone numbers. It’s a vast expansion of the Trump administration’s enhanced screening of potential immigrants and visitors. The department says it has updated its immigrant and non-immigrant visa forms to request the additional information, including “social media identifiers”.”

Google Cloud goes down, taking YouTube, Gmail, Snapchat and others with it
https://www.zdnet.com/google-amp/article/google-cloud-goes-down-taking-youtube-gmail-snapchat-and-others-with-it/
Date published: 03/06/2019
Author: ZDNet
Excerpt: “A mysterious outage has hit Google Cloud, one of the biggest cloud service providers on the internet, and thousands of sites have gone down as a result, including both Google and non-Google services. Affected companies include some of the biggest names around, such as Snapchat, Vimeo, Shopify, Discord, Pokemon GO; but also most of Google’s own services, like YouTube, Gmail, Google Search, G Suite, Hangouts, Google Drive, Google Docs, Google Nest, and others. In an extreme case of irony, according to a Google employee, the outage was so severe that it also took down internal tools Google engineers were using to communicate among each other about the outage, making recovery efforts even more difficult.”

Noteworthy bulletins of the week:

1) ESB-2019.2018.2 – exim: Execute arbitrary commands – Remote/unauthenticated.
https://portal.auscert.org.au/bulletins/ESB-2019.2018.2/
The above-mentioned exim vulnerability.

2) ESB-2019.2033 – IBM WebSphere Application Server: Multiple vulnerabilities.
https://portal.auscert.org.au/bulletins/ESB-2019.2033/
IBM Java SDK is in many of their products, and so is WebSphere. Expect a steady trickle of other IBM products updating their internal WebSphere version.

3) ESB-2019.2017 – Python Django: Cross-site scripting.
https://portal.auscert.org.au/bulletins/ESB-2019.2017/
We love Django and are glad to see it’s kept up to date from pesky human errors.

4) ASB-2019.0153 – Android: Multiple vulnerabilities.
https://portal.auscert.org.au/bulletins/ASB-2019.0153/
You can expect Android patch level 2019-06-05 to reach your phone, tablet or ICS controller in two to infinity months.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 31st May 2019

31 May 2019

Greetings,

As you may be aware, this week marked our 18th annual AUSCERT conference. It’s been another great week of talks, tutorials, events, meeting new people, and catching up with familiar faces. A big thank you to our membership team for another successful year – we get a behind-the-scenes view of just how much work they put in to make this all happen. Another big thank you to everyone who came to join us; it makes all the hard work in the lead-up worthwhile. If you couldn’t make it this year, we’re sorry to have missed you, but don’t worry – there’s always AUSCERT2020!

And not to detract from the celebrations, but just a friendly reminder to make sure your systems are patched against BlueKeep.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Almost one million Windows systems vulnerable to BlueKeep (CVE-2019-0708)
Date published: 28/05/2019
Author: ZDNet
Excerpt: “Nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS. This number comes to put initial fears into context — that over seven million devices were in danger — although the danger remains present, as one million devices are still nothing to joke about.”

Unpatched Flaw Affects All Docker Versions, Exploits Ready
Date published: 28/05/2019
Author: Bleeping Computer
Excerpt: “All versions of Docker are currently vulnerable to a race condition that could give an attacker both read and write access to any file on the host system. Proof-of-concept code has been released. The flaw is similar to CVE-2018-15664 and it offers a window of opportunity for hackers to modify resource paths after resolution but before the assigned program starts operating on the resource. This is known as a time-to-check-time-to-use (TOCTOU) type of bug.”

How to protect your business against cyber crime
Date published: 28/05/2019
Author: In Daily
Excerpt: “The 2018/2019 BDO and AUSCERT Cyber Security Survey found data loss/theft of confidential information incidents rose by 78.68 per cent in 2018 compared to 2017. While this could be partially explained by the February 2018 introduction of mandatory reporting through the Notifiable Data Breaches (NDB) scheme, BDO Technology Advisory Partner Nick Kervin said cyber attacks continued to increase across the board and were changing in their form.”

Australian tech unicorn Canva suffers security breach
Date published: 24/05/2019
Author: ZDNet
Excerpt: “Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned. Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet. Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.”

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1894.2 – sqlite3: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.1894.2/
sqlite3 is vulnerable to a use-after-free remote execution via a crafted SQL statement.

2) ESB-2019.1941 – drupal plugins multiple security vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1941/
A number of Drupal modules have updated to fix a swath of vulnerabilities.

3) ESB-2019.1905 – gnome-desktop: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1905/
GNOME has patched a vulnerability where maliciously crafted images could execute code when thumbnailed.

Stay safe, stay patched and have a good weekend!
Tim


AUSCERT Week in Review for 24th May 2019

24 May 2019

Greetings!

Discussion still raged this week about the potential threat of the Microsoft BlueKeep vulnerability revealed last week. That Microsoft took the incredibly unusual decision of issuing patches for operating systems long ago end-of-lifed indicated how serious they considered this issue. A number of researchers have suggested that it’s only a matter of time until this vulnerability could be extensively exploited. If you have any old Windows systems potentially exposed, now is the time to patch them!

And for everyone attending the AUSCERT conference next week, we look forward to seeing you there. We have fewer than 10 tickets left for the conference, so if you were thinking of coming, you had better decide soon!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: BlueKeep Remote Desktop Exploits Are Coming, Patch Now!
Date Published: 20/05/2019
Author: Bleeping Computer
Excerpt: “Security researchers have created exploits for the remote code execution vulnerability in Microsoft’s Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind. While the vulnerability inspired some playful users to create fake proof-of-concept code intended for rickrolling, it is no joke. As Remote Desktop Services is commonly exposed to the public so that users can gain remote access to their internal computers, successful exploitation could allow access to an entire network.”

Title: ‘What he’s achieved is spectacular’: Worker wins landmark case over fingerprinting on the job
Date Published: 21/05/2019
Author: ABC News
Excerpt: “When Queensland sawmill worker Jeremy Lee refused to give his fingerprints to his employer as part of a new work sign-in, he wasn’t just thinking about his privacy. It was a matter of ownership. “It’s my biometric data. It’s not appropriate for them to have it,” he tells RN’s The Law Report. For not agreeing to the new system, Mr Lee was sacked. What followed was a legal battle that delivered the first unfair dismissal decision of its kind in Australia.”

Title: Two more Microsoft zero-days uploaded on GitHub
Date Published: 22/05/2019
Author: ZDNET
Excerpt: “A security researcher going online by the pseudonym of SandboxEscaper has published today demo exploit code for two more Microsoft zero-days after releasing a similar fully-working exploit the day before. These two mark the sixth and seventh zero-days impacting Microsoft products this security researcher has published in the past ten months, with the first four being released last year, and three over the past two days.”

Alerts, Advisories and Updates:
——————————-

Title: ASB-2019.0152 – [Solaris] Xerox FreeFlow Print Server v8: Multiple vulnerabilities
Date: 24 May 2019

Title: ASB-2019.0151 – [Win] Xerox FreeFlow Print Server v2 (Windows 7): Multiple vulnerabilities
Date: 24 May 2019

Title: ASB-2019.0150 – [Win][UNIX/Linux] Wireshark: Denial of service – Remote with user interaction
Date: 23 May 2019

Title: ASB-2019.0149 – [Win] Intel Graphics Driver for Windows: Denial of service – Existing account
Date: 23 May 2019

Title: ASB-2019.0148 – [Win][UNIX/Linux] Intel CSME: Multiple vulnerabilities
Date: 22 May 2019

Stay safe, stay patched, and have a good weekend!
Eric.


AUSCERT Week in Review for 17th May 2019

17 May 2019

Greetings,

Hoo boy, what a week!

– This patch Tuesday, Microsoft gave us CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services. An exploit could potentially propagate like a worm, so this was severe enough for Microsoft to release free updates to Windows XP and Server 2003.
– Not to be outdone, Cisco released a flock of advisories this week, including a vulnerability which allows a persistent backdoor without physical access to the device.
– WhatsApp has provided an update due to a vulnerability that allows spyware to be injected onto your phone.
– And the pièce de résistance: Intel have announced four new microprocessor flaws which could allow unauthorised access to cached data.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Prevent a worm by updating Remote Desktop Services
Date published: 14/05/2019
URL: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Author: MSRC Team
Excerpt: “Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Title: MDS – Microarchitectural Data Sampling – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
Date published: 14/05/2019
URL: https://access.redhat.com/security/vulnerabilities/mds
Author: Red Hat
Excerpt: “Four new microprocessor flaws have been discovered, the most severe of which is rated by Red Hat Product Security as having an Important impact. These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU’s cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or the underlying host system. Red Hat has mitigations prepared for affected systems and has detailed steps customers should take as they evaluate their exposure risk and formulate their response.”

Title: Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
Date published: 13/05/2019
URL: https://www.zdnet.com/article/thrangrycat-flaw-lets-attackers-plant-persistent-backdoors-on-cisco-gear/
Author: Catalin Cimpanu
Excerpt: “A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices. Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip part of Cisco gear since 2013.”

Title: WhatsApp urges users to update app after discovering spyware vulnerability
Date published: 14/05/2019
URL: https://www.theguardian.com/technology/2019/may/13/whatsapp-urges-users-to-upgrade-after-discovering-spyware-vulnerability
Author: Julia Carrie Wong
Excerpt: “WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function. The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.”

Title: Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
Date published: 13/05/2019
URL: https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Author: Sergiu Gatlan
Excerpt: “Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks.”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0137 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0137
Microsoft has released its monthly security patch update for the month of May 2019.

2) ASB-2019.0138 – ALERT [Win][UNIX/Linux][Appliance][Virtual] Intel CPU Microcode: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ASB-2019.0138
Intel has published a security advisory disclosing RIDL and Fallout, new speculative-execution side-channel vulnerabilities in the vein of Spectre and Meltdown.

3) ESB-2019.1721 – [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1721
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.

4) ESB-2019.1749 – [Win] Cisco Webex Players for Microsoft Windows: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.1749
Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

Stay safe, stay patched and have a good weekend!
Charelle.


AUSCERT Week in Review for 10th May 2019

10 May 2019

AUSCERT Week in Review for 10th May 2019 AUSCERT Week in Review10 May 2019 Greetings, The week kicked off with a certificate chain issue in Firefox, resulting inadd-ons being disabled and prevented new add-ons being installed. Mozillapromptly released a hotfix and have now corrected the issue in Firefox66.0.5 for Desktop and Android, and Firefox ESR 60.6.3. This week Red Hat released RHEL 8, so we’ve already started publishing thosebulletins for the early adopters. Finally to round out the week, an issue was found in the official Alpine LinuxDocker images. Since Dec 2015, a NULL password was set for the root account.Alpine Linux is popular for creating small linux containers. Users shouldexplicitly disable the root account for containers using the affected Dockerimages. Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Alpine Linux Docker Image root User Hard-Coded Credential Vulnerabilityhttps://talosintelligence.com/vulnerability_reports/TALOS-2019-0782Published: May 8th, 2019Author: Cisco Talos “Versions of the Official Alpine Linux Docker images (since v3.3) contain aNULL password for the root user. This vulnerability appears to be the resultof a regression introduced in December 2015. Due to the nature of this issue,systems deployed using affected versions of the Alpine Linux container thatutilize Linux PAM, or some other mechanism that uses the system shadow fileas an authentication database, may accept a NULL password for the root user.” —– Add-ons disabled or failing to install in Firefoxhttps://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/Published: May 4th, 2019Author: Kev Needham “Late on Friday May 3rd, we became aware of an issue with Firefox thatprevented existing and new add-ons from running or being installed. 
We are very sorry for the inconvenience caused to people who use Firefox.”

—–

CIA sets up shop on the anonymous, encrypted Tor network
https://www.cnet.com/news/cia-sets-up-shop-on-the-anonymous-encrypted-tor-network/
Published: May 7th, 2019
Author: Justin Jaffe

“The CIA’s global mission requires that “individuals can access us securely from anywhere,” the intelligence agency said in a press release. “Creating an onion site is just one of many ways we’re going where people are.” The onion site (Tor address) features secure links for reporting information and applying for a job, and will mirror all of the content currently available at www.cia.gov.”

—–

How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks
https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
Published: May 6th, 2019
Author: Nicole Perlroth, David E. Sanger and Scott Shane

“Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered.”

—–

AusPost builds tool to plug cloud security gaps in 30 seconds
https://www.itnews.com.au/news/auspost-builds-tool-to-plug-cloud-security-gaps-in-30-seconds-524841
Published: May 9th, 2019
Author: Justin Hendry

“In addition to improved security coverage across its cloud landscape, the government-owned corporation with Australia’s largest retail footprint has seen a significant reduction in remediation time since rolling out the solution.

“We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach.””

—–

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0136 – Alpine Linux Docker Image: Root compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80582
“Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.”

2) ESB-2019.1642 – [Linux] Gemalto DS3 Authentication Server / Ezio Server: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80614
“SEC Consult identified multiple vulnerabilities within the DS3 Authentication Server (now called Gemalto Ezio Server, part of the Thales Group) which can be chained together to allow a low-privileged application user to upload a JSP web shell with the access rights of a low privileged Linux system user.”

3) ASB-2019.0135 – [Android] Android: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80398
“Multiple security vulnerabilities have been identified in the Android operating system prior to the 2019-05-05 patch level.”

4) ESB-2019.1589 – [Win][UNIX/Linux][Debian] firefox-esr: Reduced security – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80394
“We’ve released Firefox 66.0.5 for Desktop and Android, and Firefox ESR 60.6.3, which include the permanent fix for re-enabling add-ons that were disabled starting on May 3rd. The initial, temporary fix that was deployed May 4th through the Studies system is replaced by these updates, and we recommend updating as soon as possible.”

5) ESB-2019.1625 – [SUSE] samba: Create arbitrary files – Existing account
https://portal.auscert.org.au/bulletins/80542
“SUSE has patched a flaw in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share.”

Stay safe, stay patched and have a good weekend!
Charelle.
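The Alpine bulletin above turns on a single detail of the shadow file: an empty second field means "no password required", which is different from a locked account ("!" or "*") or a set password (a hash). The following check is an added example written for this digest, not AUSCERT's, Alpine's or Docker's own code. It parses shadow-format text and reports every account whose password field is empty; the sample lines are constructed for illustration, and the root entry is shaped like the condition the bulletin describes. On a real host or container image you would run it against /etc/shadow (readable only by root) and then set or lock the root password before relying on PAM-based authentication.

```python
"""Flag accounts whose shadow entry has an empty (NULL) password field.

Added example for illustration; not AUSCERT, Alpine or Docker code.
The sample shadow lines below are constructed, not taken from a real image.
"""
from typing import List, Tuple

# Constructed sample shadow file:
#   root  - empty password field (the risky state the bulletin describes)
#   bin   - locked with '!', no password login possible
#   app   - locked with '!' and ageing fields present
#   svc   - has a (fake) SHA-512 hash, so a real password is set
SAMPLE_SHADOW = """\
root::18000:0:::::
bin:!::0:::::
app:!:18000:0:99999:7:::
svc:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18000:0:99999:7:::
"""


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (username, password_field) pairs from shadow-format text.

    Blank lines, comments and lines with fewer than two colon-separated
    fields are skipped rather than guessed at.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def empty_password_accounts(text: str) -> List[str]:
    """Accounts that would accept an empty password.

    Only an empty field is flagged: '!' and '*' denote locked accounts,
    and anything else is treated as a password hash.
    """
    return [user for user, pw in parse_shadow(text) if pw == ""]


def check_shadow_file(path: str = "/etc/shadow") -> List[str]:
    """Run the check against a shadow file on disk (needs root to read)."""
    with open(path, "r", encoding="utf-8") as fh:
        return empty_password_accounts(fh.read())


if __name__ == "__main__":
    for user in empty_password_accounts(SAMPLE_SHADOW):
        print(f"WARNING: account '{user}' has an empty password field")
```

Running the block as a script prints a warning for root only; the locked and hashed accounts in the constructed sample are correctly left alone. In a container build pipeline the same function can be pointed at the image's /etc/shadow so the empty-root-password state fails the build rather than reaching production.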


AUSCERT Week in Review for 3rd May 2019

3 May 2019

Greetings,

Updates to protect against a remote code execution with administration privilege vulnerability in Dell’s SupportAssist were announced this week (CVE-2019-3719). SupportAssist, which checks software and hardware status, is typically preinstalled on Dell systems running Windows and therefore affects numerous systems. As Proof-of-Concept code has been made available, patching vulnerable Dell systems is critical.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: 2018/2019 Cyber Security Survey Results
Date Published: 1/5/2019
Author: AUSCERT and BDO Australia
Excerpt: “For the third year running, AUSCERT has teamed up with BDO to conduct an industry-wide survey on the state of cybersecurity. The results of our most recent survey have just been published. AUSCERT has long supported the concept of mandatory breach notification, and it is heartening to see evidence that organisations expected to comply with at least one data breach regulation (GDPR, AU NDB) spend approximately 20% more on information security controls. It is also encouraging to observe the Cyber Security Survey’s finding that leadership awareness has increased. This concurs with AUSCERT’s own experience of more regular engagement at higher levels within organisations, such as CISOs and CIOs at other universities, and Principal Advisors / CISOs within state governments.”

—

Title: Docker Hub Database Hack Exposes Sensitive Data of 190K Users
Date Published: 26/4/2019
Author: Bleeping Computer
Excerpt: “An unauthorized person gained access to a Docker Hub database that exposed sensitive information for approximately 190,000 users. This information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories.”

—

Title: Dell laptops and computers vulnerable to remote hijacks
Date Published: 1/5/2019
Author: ZDNet
Excerpt: “A vulnerability [CVE-2019-3719] in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.”

Stay safe, stay patched and have a good weekend,
Eric


AUSCERT Week in Review for 26th April 2019

26 Apr 2019

Greetings,

For a 3-day week, this week has still been quite busy for anyone in InfoSec. We hope that you all have layers of mitigations in place for the Oracle WebLogic zero-day; otherwise, you may come back to even more work on Monday!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: New Oracle WebLogic zero-day discovered in the wild
Date Published: 25/4/2019
Author: ZDNet
Excerpt: “Security researchers have spotted a new zero-day vulnerability impacting the Oracle WebLogic server that is currently being targeted in the wild. Oracle has been notified of the zero-day, but the software maker just released its quarterly security patches four days before this zero-day’s discovery.”

—–

Title: Marcus Hutchins, slayer of WannaCry worm, pleads guilty to malware charges
Date Published: 19/4/2019
Author: Ars Technica
Excerpt: “Marcus Hutchins, the security researcher who helped neutralize the virulent WannaCry ransomware worm, has pleaded guilty to federal charges of creating and distributing malware used to break into online bank accounts. “I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote in a short post. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.””

—–

Title: Another dark web marketplace bites the dust — Wall Street Market
Date Published: 23/4/2019
Author: ZDNet
Excerpt: “Less than a month after the oldest and biggest dark web marketplace announced plans to shut down, another dark web market has “exit scammed” after the site’s admins ran away with over $14.2 million in user funds. Some of the market’s customer support staff are now blackmailing WSM customers. Staffers are asking for 0.05 Bitcoin (~$280) from vendors and customers who shared their Bitcoin address in support requests, threatening to share the address with law enforcement unless users pay the requested fee. And just as we were writing this article, the same moderator who was extorting WSM users took things to another level by sharing their mod account credentials online, allowing anyone – including law enforcement – to access the WSM backend, which may contain details about buyers and sellers’ real identities.”

—–

Title: Windows 7 Now Showing End of Support Warnings
Date Published: 22/4/2019
Author: BleepingComputer
Excerpt: “Microsoft has started to display alerts in Windows 7 stating that the operating system will reach end of support on January 14, 2020. This alert links to a page that then recommends users upgrade to Windows 10. On January 14th, 2020, Windows 7 will officially reach end of support and Microsoft will no longer offer free security updates and technical support for the operating system.”

—–

Title: Another European manufacturer crippled by ransomware
Date Published: 25/4/2019
Author: HelpNet Security
Excerpt: ““Due to an IT system failure, the Aebi Schmidt Group can temporarily neither receive nor send emails,” the company announced on Thursday. “The IT system failure is due to an attempt by third parties to infiltrate malware into our systems. More and more companies worldwide are being affected by such attacks.””

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1408 – [Win][UNIX/Linux] BIND: Denial of service – Remote/unauthenticated
Multiple Denial of Service vulnerabilities have been patched in BIND.

2) ESB-2019.1412 – [Win][UNIX/Linux] Atlassian Confluence Server and Data Center: Multiple vulnerabilities
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource.

Stay safe, stay patched and have a great weekend,
Ananda


AUSCERT Week in Review for 18th April 2019

18 Apr 2019

Greetings,

Easter is here again, so hopefully some of us will get a few days’ break from work. If travelling, please take care on the roads.

This week Oracle released vulnerability details and patches for its wide-ranging product list. For those using their products, there are many fixes to apply (up to 297)!

As for other news, here is a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

– —

Oracle Releases 297 Fixes in April 2019 Critical Patch Update
URL: https://www.securityweek.com/oracle-releases-297-fixes-april-2019-critical-patch-update
Author: Ionut Arghire
Date: 17-04-2019
Excerpt: “Oracle this week announced the release of 297 new security fixes as part of its April 2019 Critical Patch Update (CPU), two-thirds of which are remotely exploitable without authentication.”

– —

The web’s infrastructure is under attack from a global hacking spree
URL: https://www.wired.co.uk/article/dns-hijacking-hack-seaturtle-cisco
Author: Matt Burgess
Date: 17-04-2019
Excerpt: “Hackers have been conducting a large scale attack on the websites of governments and intelligence agencies around the world. Security experts claim the attackers are being backed by an unnamed government and their actions threaten to undermine the systems that keep the web functioning. Startling new research from Cisco’s Talos security group says that a core part of the internet’s infrastructure has been targeted as the hackers attempt to steal confidential information. Here’s what we know.”

– —

Fifth of Web Traffic Comes from Malicious Bots
URL: https://www.infosecurity-magazine.com/news/fifth-of-web-traffic-comes-from-1/
Author: Phil Muncaster
Date: 17-04-2019
Excerpt: “Around a fifth of all web traffic last year was linked to malicious bot activity, with financial services hit more than any other sector, according to Distil Networks.”

– —

Wipro hacked, internal systems used to attack customers: report
URL: https://www.itnews.com.au/news/wipro-hacked-internal-systems-used-to-attack-customers-report-523956
Author: Juha Saarinen
Date: 16-04-2019
Excerpt: “Wipro is currently investigating what appears to be a serious breach of its networks and systems, which are apparently being used to launch attacks on customers, forcing the outsourcing giant to build a private email service to replace compromised corporate system.”

– —

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.
URL: https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
Author: Adam Satariano and Nicole Perlroth
Date: 15-04-2018
Excerpt: “Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017.”
…
“Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war. Mondelez was deemed collateral damage in a cyberwar.”

– —

Here are some of this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.1280 – [Linux][OSX] Webkit: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79038
“Processing maliciously crafted web content may lead to arbitrary code execution.”

2. ESB-2019.1345 – [Win][UNIX/Linux] Drupal: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79366
“Service IDs derived from unfiltered user input could result in the execution of any arbitrary code”

3. ESB-2019.1353 – [SUSE] python: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79430
“blacklist bypass in URIs by using the ‘local-file:’ scheme”

4. ESB-2019.1329 – [Cisco] Aironet access points: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79278
Denial of Service and Root Compromise vulnerabilities.

5. ASB-2019.0110 – [Win][UNIX/Linux] Oracle Construction and Engineering Suite: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79254
Remote code execution, Denial of Service, and other vulnerabilities.

– —

Stay safe, stay patched and have a great weekend,
Marcus.


AUSCERT Week in Review for 12th April 2019

12 Apr 2019

With less than 2 months to go until the AUSCERT 2019 conference, we hope you have your tickets ready! Our Early Bird rate and Member Tokens expire this Sunday, so please send off those applications as soon as possible.

You can purchase tickets and redeem tokens here:
https://gems.eventsair.com/auscert2019/register/

We’re looking forward to seeing you all at the Marriott in May!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: ASD confirms data stolen in Parliament IT breach
Date Published: 10 April 2019
Author: Justin Hendry
Excerpt: “Australian Signals Directorate chief Mike Burgess has confirmed data was stolen by a state-sponsored actor during February’s malicious attack against Parliament House. In what appears to be the first public admission of the data exfiltration, Burgess told senate estimates last week that a limited amount of non-confidential data had made its way into the hands of attackers. It was revealed during the agency’s damage assessment of the security breach, which has now been wrapped up and handed to government for consideration.”

—–

Title: Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records
Date Published: 8 April 2019
Author: Scott Ikeda
Excerpt: “The size and scope of data breaches continues to grow. The new world record has been set by email marketing service Verifications.io, thanks to some unsecured public-facing databases containing what appears to be just about all of their customer information. Passwords were not exposed in the email data breach, but quite a bit of personal information useful for identity theft and scamming was.”

—–

Title: WikiLeaks founder Julian Assange arrested by police
Date Published: 11 April 2019
Author: ITnews Staff Writers
Excerpt: “Police said they arrested Assange after being “invited into the embassy by the Ambassador, following the Ecuadorean government’s withdrawal of asylum.” Assange took refuge in Ecuador’s London embassy in 2012 to avoid being extradited to Sweden, where authorities wanted to question him as part of a sexual assault investigation. That probe was later dropped, but Assange fears he could be extradited to face charges in the United States, where federal prosecutors are investigating WikiLeaks.”

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1237 – [Win][UNIX/Linux][Ubuntu] wpa_supplicant and hostapd: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1237
Several vulnerabilities have been found in wpa, a widely-used wifi authentication utility.

2) ESB-2019.1200 – [Win][UNIX/Linux][SUSE] sqlite3: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.1200
A plugin in sqlite3 could be exploited to achieve remote code execution.

3) ESB-2019.1163 – [Win][UNIX/Linux][SUSE] Salt: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1163
Salt, a popular configuration management software, could be exploited to achieve remote code execution.

Stay safe, stay patched and have a good weekend!
Anthony


AUSCERT Week in Review for 5th April 2019

5 Apr 2019

Greetings,

This week, MISP released an update to patch a CVE in itself, and China managed to top the cake by leaving over 590 million resumes sitting in open databases.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

NIST cybersecurity resources for smaller businesses
Date Published: 4 April 2019
Author: Lysa Myers
Excerpt: “There are a lot of challenges to being a small-business owner, including safely managing technology. Every risk can have an outsized effect on your ability to stay in business. And resources for protecting your business are often geared towards much larger organizations. The National Institute of Standards and Technology (NIST) aims to change that, with the release of their Small Business Cybersecurity Corner.”

—–

SamSam outbreak led to FBI restructuring, top official says
Date Published: 4 April 2019
Author: Sean Lyngaas
Excerpt: “The notorious SamSam ransomware — which extracted over $6 million in payments from more than 200 victim organizations — forced the FBI to adjust its model for handling cyberattack investigations, a senior bureau official said Thursday. Nearly all 56 of the FBI’s field offices responded to SamSam incidents — an inefficient way of keeping up with the malware, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division.”

—–

Chinese companies have leaked over 590 million resumes via open databases
Date Published: April 4 2019
Author: Catalin Cimpanu
Excerpt: “Chinese companies have leaked a whopping 590 million resumes in the first three months of the year, ZDNet has learned from multiple security researchers. Most of the resume leaks have occurred because of poorly secured MongoDB databases and ElasticSearch servers that have been left exposed online without a password, or have ended up online following unexpected firewall errors.”

—–

540 Million Facebook Records Leaked by Public Amazon S3 Buckets
Date Published: 3 April 2019
Author: Sergiu Gatlan
Excerpt: “More than 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps to store user data such as plain text app passwords, account names, user IDs, interests, relationship status, and more. As discovered by the UpGuard Cyber Risk team, Mexico-based media company Cultura Colectiva stored the records of roughly 540 million of its users within a 146 GB database called “cc-datalake,” stored in a misconfigured Amazon S3 bucket which gave anyone download permissions.”

—–

Hacker group has been hijacking DNS traffic on D-Link routers for three months
Date Published: April 4 2019
Author: Catalin Cimpanu
Excerpt: “For the past three months, a cybercrime group has been hacking into home routers –mostly D-Link models– to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice.”

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1082 – [Linux] MISP: Cross-site scripting – Remote with user interaction
A new version of MISP (2.4.105) has been released to fix a cross-site scripting vulnerability (CVE-2019-10254) in addition to some minor improvements and fixes.

2) ESB-2019.1148 – [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilities
72 CVEs published for various different Jenkins plugins.

3) ESB-2019.1139 – [Win][UNIX/Linux] drupal7: Multiple vulnerabilities
A Drupal7 update to resolve an access bypass vulnerability.

Stay safe, stay patched and have a great weekend,
Rameez Agnew
