Week in review

AUSCERT Week In Review for May 27th 2022

27 May 2022

Greetings,

National Reconciliation Week started today, May 27th, and runs until Friday, June 3rd. It’s a time for all Australians to learn about our shared histories, cultures, and achievements, and to explore how each of us can contribute to achieving reconciliation in Australia.

As a proud Torres Strait Islander Woman, Jasmine Woolley embodies this year’s theme of Reconciliation Week, “Be Brave. Make Change.” Taking on the challenge of public speaking for the first time at the recent AUSCERT2022 Cyber Security Conference, Jasmine shared her perspective on applying Indigenous (Australian) Philosophy to Cyber Security Strategies. Demonstrating wisdom beyond her years with an insightful and enlightening presentation, Jasmine provided a fresh perspective on emerging threats to Australia’s security and challenged all in attendance to think about how they can be change-makers. We congratulate Jasmine on this fantastic achievement and we look forward to seeing what’s next!

National Hamburger Day – yes, it’s an actual thing – is tomorrow, May 28. From simple cheeseburgers to towering stacks layered with an array of scrumptious and odd ingredients, burgers have become a favourite food for many the world over. A recent episode of Burger Scholar Sessions on YouTube shows how to construct the iconic Aussie burger of fried egg, tinned beetroot, and pineapple, and also delves into the history of our beloved burger that confuses and repulses many from elsewhere in the world!

Don’t forget, the AUSCERT podcast, Share Today, Save Tomorrow, is available to stream now. Featuring eleven episodes that cover a broad range of subjects and include fascinating discussions with sensational guests, there’s enough content to make your next run, walk, or daily commute more enjoyable!
Malicious PyPI package opens backdoors on Windows, Linux, and Macs
Date: 2022-05-21 Author: Bleeping Computer
Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. PyPI is a repository of open-source packages that developers can use to share their work or benefit from the work of others, downloading the functional libraries required for their projects. On May 17, 2022, threat actors uploaded a malicious package named ‘pymafka’ onto PyPI. The name is very similar to PyKafka, a widely used Apache Kafka client that counts over four million downloads on the PyPI registry.

Fake Windows exploits target infosec community with Cobalt Strike
Date: 2022-05-23 Author: Bleeping Computer
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Whoever is behind these attacks took advantage of recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809. When Microsoft patches a vulnerability, it is common for security researchers to analyze the fix and release proof-of-concept exploits for the flaw on GitHub.

CISA adds 41 vulnerabilities to list of bugs used in cyberattacks
Date: 2022-05-24 Author: Bleeping Computer
The Cybersecurity & Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws in the Android kernel and Cisco IOS XR. The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday.

Quad countries to boost CERT cooperation
Date: 2022-05-24 Author: itnews
International cooperation over cyber security and telecommunications standards will be boosted after this week’s Quad conference in Tokyo. The White House has released a communique from the four-country leadership meeting, the first official duty of newly-elected prime minister Anthony Albanese. Action on cyber security is to include strengthened information sharing between the four countries’ Computer Emergency Response Teams (CERT), “including exchanges on lessons learned and best practices”, the communique stated.

Is 100% Cybersecurity Readiness Possible? Medical Device Pros Weigh In
Date: 2022-05-25 Author: Bleeping Computer
As medical devices become more connected and reliant on software, their codebase grows both in size and complexity, and they are increasingly reliant on third-party and open source software components. This forces security pros to address today’s rapidly evolving threat landscape. In the hopes of helping security professionals better address cybersecurity and regulation, we conducted the 2022 Medical Device Cybersecurity: Trends and Predictions Survey Report, speaking to 150 senior decision makers who oversee product security or cybersecurity compliance in the medical device industry, to learn about their biggest challenges and how they plan to address them.

ESB-2022.2513 – Firefox and Thunderbird: CVSS (Max): 7.5
Mozilla has released an advisory to address 2 critical vulnerabilities in Firefox and Thunderbird.

ESB-2022.2556 – Google Chrome: CVSS (Max): None
Google Chrome has also been updated to version 102, patching multiple vulnerabilities.

ESB-2022.2568 – F5 Products: CVSS (Max): 7.3
F5 has released an advisory to address a Linux kernel vulnerability across multiple products.

ESB-2022.2570 – Drupal core: CVSS (Max): None
A third-party library used by Drupal Core could affect some contributed projects or custom code on Drupal sites.

ESB-2022.2607 – Nessus: CVSS (Max): 9.8
Multiple third-party components used by Nessus were found to contain vulnerabilities. Tenable has released updates to Nessus to address them.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week In Review for May 20th 2022

20 May 2022

Greetings,

With the Australian Federal election taking place tomorrow and many unsure of their ability to vote due to recent positive results for COVID-19, the argument around online or e-voting has again been raised. Whilst technology exists to allow for digital voting, as was done in the New South Wales elections in 2021 with the iVote system, the uncertainty over voter identity along with the risk of server outages, malware, and voter fraud remain key concerns for similar systems. Despite this, The Conversation presents alternatives that combine digital technology with human input. The combination provides transparency and efficiency whilst maintaining the most difficult aspect of politics, trust, if done right.

It’s hard to believe that it’s already been a week since AUSCERT2022 wrapped up for another year. The AUSCERT team has been overwhelmed with the kind words and positive responses to this year’s conference, which are always welcome and appreciated. The event’s theme, Rethink, Reskill, Reboot, provided a great conversation starter, idea stimulator, and opportunity to delve into the past for some of the most cherished video games of decades gone by! You can read more about Australia’s premier cyber security conference in our recent blog, which includes a gallery of photos taken throughout the week.

Australian Taxation Office issues capital gains warning for crypto and NFT sellers
Date: 2022-05-16 Author: ZDNet
The Australian Taxation Office (ATO) has issued its four priorities for the upcoming tax season, with capital gains from crypto and work-related expenses being listed. On the crypto front, simply because you managed to make money off a decentralised system before last week’s crash hit does not mean the tax office is not owed something; much like selling property or shares, selling crypto or NFTs can mean tax is due.

Researchers devise iPhone malware that runs even when device is turned off
Date: 2022-05-17 Author: Ars Technica
When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down. It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

Hackers target Tatsu WordPress plugin in millions of attacks
Date: 2022-05-17 Author: Bleeping Computer
Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In
Date: 2022-05-18 Author: Dark Reading
Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell. That’s according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

WA Health: No breaches of unencrypted COVID data means well managed and secure system
Date: 2022-05-18 Author: ZDNet
The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday. PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage.

CISA warns not to install May Windows updates on domain controllers
Date: 2022-05-16 Author: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has removed a Windows security flaw from its catalog of known exploited vulnerabilities due to Active Directory (AD) authentication issues caused by the May 2022 updates that patch it. This security bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector. Unauthenticated attackers abuse CVE-2022-26925 to force domain controllers to authenticate to them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, gain control over the entire Windows domain.
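The attack chain in the CISA item above coerces a domain controller’s machine account into authenticating over NTLM to a host the attacker controls, and the relayed authentication then lands on some third host. That leaves a visible trace: on the host that receives the authentication, a network logon (Windows Security event 4624, LogonType 3) for a DC machine account, authenticated with NTLM, arriving from an address that is not a domain controller. The Python below is an added example written for this page, not code from CISA, Microsoft or Bleeping Computer. The DC inventory, the host names and the event records are constructed for illustration; the field names (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName) are those of event 4624.

```python
"""Flag NTLM network logons by domain-controller machine accounts that arrive
from addresses outside the DC inventory: the footprint a PetitPotam-style
authentication coercion leaves on the host that receives the relayed logon.

Added example for this page; the events and inventory below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed inventory: the domain's DCs and the addresses each legitimately uses.
DOMAIN_CONTROLLERS = {
    "DC01$": ipaddress.ip_network("10.0.0.10/32"),
    "DC02$": ipaddress.ip_network("10.0.0.11/32"),
}


@dataclass(frozen=True)
class Logon:
    """Subset of Windows Security event 4624 fields relevant to the check."""
    record_id: int
    target_user: str      # TargetUserName, e.g. "DC01$" for a machine account
    logon_type: int       # LogonType; 3 = network
    auth_package: str     # AuthenticationPackageName: "NTLM" or "Kerberos"
    ip_address: str       # IpAddress of the client that authenticated
    workstation: str      # WorkstationName as supplied by the client (spoofable)


def is_suspicious(evt: Logon) -> bool:
    """True when a DC machine account performs an NTLM network logon from an
    address outside that DC's known range. Kerberos logons and non-DC accounts
    are ignored; a DC authenticating from its own address is normal traffic."""
    if evt.logon_type != 3 or evt.auth_package.upper() != "NTLM":
        return False
    expected = DOMAIN_CONTROLLERS.get(evt.target_user.upper())
    if expected is None:
        return False                      # not a DC machine account
    try:
        source = ipaddress.ip_address(evt.ip_address)
    except ValueError:
        return True                       # "-" or garbage: the source cannot be trusted
    return source not in expected


def triage(events: Iterable[Logon]) -> List[int]:
    """Return the record ids of suspicious logons, preserving input order."""
    return [e.record_id for e in events if is_suspicious(e)]


# Constructed sample: two benign logons, one ordinary user, two coerced-looking ones.
SAMPLE_EVENTS = [
    Logon(1001, "DC01$", 3, "Kerberos", "10.0.0.10", "DC01"),      # normal Kerberos
    Logon(1002, "DC02$", 3, "NTLM", "10.0.0.11", "DC02"),          # NTLM, but from DC02 itself
    Logon(1003, "DC01$", 3, "NTLM", "10.0.5.77", "WORKSTATION9"),  # DC01$ from a workstation
    Logon(1004, "alice", 3, "NTLM", "10.0.5.78", "LAPTOP3"),       # ordinary user, ignored
    Logon(1005, "DC02$", 3, "NTLM", "-", "ATTACKER"),              # source address hidden
]

if __name__ == "__main__":
    for rid in triage(SAMPLE_EVENTS):
        print(f"record {rid}: DC machine account NTLM logon from a non-DC address")
```

The check keys on the source address rather than WorkstationName because the latter is client-supplied and trivially spoofed. Legitimate DC-to-DC NTLM traffic does occur, which is why the inventory records each DC’s own addresses instead of treating every NTLM logon by a machine account as hostile; if DCs sit behind NAT or use several interfaces, widen the network for that account accordingly.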
Researchers find 134 flaws in the way Word, PDFs, handle scripts
Date: 2022-05-13 Author: The Register
Black Hat Asia: Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it’s proven so effective they’ve found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000. The tool is named “Cooper” – a reference to the “Cooperative mutation” technique employed by the tool. Speaking at the Black Hat Asia conference in Singapore, PhD student Xu Peng of the Chinese Academy of Sciences – one of the tool’s co-authors – explained that the likes of Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files.

Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning
Date: 2022-05-14 Author: Dark Reading
A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars. Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found.

Hackers are exploiting critical bug in Zyxel firewalls and VPNs
Date: 2022-05-15 Author: Bleeping Computer
Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands without authentication, which can enable setting up a reverse shell.

ESB-2022.2376 – F5 Products: CVSS (Max): 7.1
F5 reports a vulnerability in F5 products that may cause a breach of data confidentiality, integrity, and availability. Please read the advisory for mitigation information.

ESB-2022.2447 – F5 Products: CVSS (Max): 7.2
An Eclipse Jetty vulnerability in F5 products could allow an authenticated user to cause a local privilege escalation if exploited. Please read the advisory for mitigation information.

ESB-2022.2443 – VMware Products: CVSS (Max): 9.8
VMware reports that remediations are available to fix multiple vulnerabilities in VMware Workspace ONE Access, Identity Manager and vRealize Automation.

ESB-2022.2475 – Red Hat OpenShift GitOps: CVSS (Max): 10.0
An update is now available to fix multiple vulnerabilities in Red Hat OpenShift GitOps 1.5.

Stay safe, stay patched and have a good weekend!


AUSCERT Week In Review for May 13th 2022

13 May 2022

Greetings,

What a week! AUSCERT2022 has officially come to an end and it’s safe to say that it was a resounding success! We saw a return of many faithful attendees along with many first-time delegates and presenters, including our first keynote speaker of this year’s conference, Kath Koschel. Kath has faced serious personal, mental and physical setbacks, but her resilience has allowed her not only to overcome these challenges but also to see the good in the world when most others couldn’t. Sharing her story with the audience saw many with tears but also smiles, and a resolve to each do #OneSmallAct of kindness each and every day.

Another standout was Jasmine Woolley, who presented for the first time, anywhere, and had all in attendance singing her praises. Jasmine demonstrated skill and wisdom beyond her years, asking “How do people in this room help make this statistic better?” in reference to the lack of diversity and inclusion in our industry.

The conference concluded with the crowd favourite Speed Debate. Six topics were discussed, including whether people, not machines, are the future of cyber security and whether there’s no need to worry about ransomware when insurance will pay! Suffice it to say, there were some passionate arguments delivered with some humour, witty retorts, and the occasional fact!

Hackers exploiting critical F5 BIG-IP bug, public exploits released
Date: 2022-05-09 Author: Bleeping Computer
Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads. F5 last week released patches for the security issue (9.8 severity rating), which affects the BIG-IP iControl REST authentication component. The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to run “arbitrary system commands, create or delete files, or disable services.”

Cyberattacks on managed service providers increasing, US and allies warn
Date: 2022-05-11 Author: The Record
Cybersecurity agencies from the Five Eyes intelligence alliance warned of increased cyberattacks targeting managed service providers (MSPs) on Wednesday morning. The agencies from the U.S., U.K., Australia, Canada and New Zealand said to “expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.” MSPs are companies paid to manage IT infrastructure and provide support. The companies typically provide remote IT services to smaller businesses lacking an IT department.

Windows 11 KB5013943 update causes 0xc0000135 application errors
Date: 2022-05-11 Author: Bleeping Computer
Windows 11 users are receiving 0xc0000135 errors when attempting to launch applications after installing the recent Windows 11 KB5013943 cumulative update. Yesterday, Microsoft released new Windows cumulative updates to fix security vulnerabilities and bugs as part of the May 2022 Patch Tuesday. These updates include the Windows 11 KB5013943 update, which included a fix for a bug causing .NET Framework 3.5 apps not to open if they used the Windows Communication Foundation (WCF) and Windows Workflow (WWF) components.

Beware: This cheap and ‘homemade’ malware is surprisingly effective
Date: 2022-05-09 Author: ZDNet
A powerful form of trojan malware that offers complete backdoor access to Windows systems is being sold on underground forums for the price of a cup of coffee – and it’s being developed and maintained by one person. Known as DCRat, the backdoor malware has existed since 2018 but has since been redesigned and relaunched. When malware is cheap it’s often associated with only delivering limited capabilities. But DCRat – offered online for as little as $5 – unfortunately comes equipped with a variety of functions, including the ability to steal usernames, passwords, credit card details, browser history, Telegram login credentials, Steam accounts, Discord tokens, and more.

LEAK: Commission to force scanning of communications to combat child pornography
Date: 2022-05-11 Author: Euractiv
The European Commission is to put forward a generalised scanning obligation for messaging services, according to a draft proposal obtained by EURACTIV. The text marks a victory for child advocates, but a setback for privacy activists. The European executive is to unveil on Wednesday (11 May) its proposal to fight the online circulation of child sexual abuse material – CSAM in short. “Providers of hosting services and providers of interpersonal communication services that have received a detection order shall execute it by installing and operating technologies to detect” CSAM upon request by the competent judicial authority or independent administrative authority, the draft regulation states.

Microsoft May 2022 Patch Tuesday fixes 7 critical vulnerabilities, 67 others
Date: 2022-05-11 Author: ZDNet
Microsoft has released a total of 74 new security fixes for its software products. This includes one “important” flaw (a Windows LSA Spoofing Vulnerability) that was being actively exploited in the wild. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month on what is known as Patch Tuesday, Microsoft fixed the aforementioned actively exploited flaw, as well as seven other “critical” issues: five remote code execution (RCE) bugs and two elevation of privilege (EoP) flaws. The remaining 67 are dominated by additional RCE and EoP bugs. A smattering of denial-of-service, information leak, security feature bypass, and spoofing issues were corrected as well.

Security “mindset shift” needed to protect organisations
Date: 2022-05-09 Author: iTnews
More than half of IT decision-makers said a security solution had failed at least once, a survey finds. Manual investigation, third parties, customers and law enforcement are catching far more cybersecurity threats than software solutions, says Chris Fisher, director of security engineering APJ at cybersecurity company Vectra.

Google adds phishing protection to Workspace apps
Date: 2022-05-12 Author: iTnews
Zero trust for Slides, Docs and Sheets as well as Gmail. Google’s Workspace productivity apps will get the same phishing and malware protection that Gmail already has later this year, the company said at its annual I/O conference.

ASB-2022.0122 – ALERT Windows: CVSS (Max): 9.8
Microsoft’s security patch update for the month of May 2022 resolved 28 vulnerabilities. According to Microsoft, the most dangerous vulnerability addressed is CVE-2022-26925, which is contained in the Windows Local Security Authority.

ASB-2022.0121 – ALERT Windows: CVSS (Max): 9.8
Microsoft’s most recent update resolves 62 vulnerabilities across Windows, Windows RT and Windows Server.

ESB-2022.2050.2 – UPDATED ALERT F5 BIG-IP Products: CVSS (Max): 9.8
F5 Networks has reported a remote code execution vulnerability in BIG-IP iControl REST, tracked as CVE-2022-1388. This is a critical vulnerability with a 9.8 CVSS score.

ESB-2022.2332 – Google Chrome: CVSS (Max): None
Google has released updates for the Stable channel for Desktop. The updates fix 13 known issues.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week In Review for May 6th 2022

6 May 2022

Greetings,

Yesterday, May 5, was ‘World Password Day’, which was created in 2013 to help promote the use of good password habits online. As technology and cyber threats advance, log-in methods such as multi-factor authentication are developed to help us all be more secure. Microsoft recently implemented a service to reduce reliance on passwords altogether whilst still protecting accounts, along with some tips to help manage online security.

Speaking of ways to improve your online security, the next round of courses in the AUSCERT training calendar is Cyber Security Risk Management, which is being held on June 13 and 14. Delivered remotely via Microsoft Teams in two half-day sessions, the course will provide attendees with the confidence to perform a risk assessment of cyber security risks and the ability to rate and assess business risks rather than technical vulnerabilities. For more information on this course and others, or to book online, visit the AUSCERT Education page on our website.

Just four sleeps remain until AUSCERT2022, which is already generating a lot of buzz and excitement! The 21st Annual AUSCERT Cyber Security Conference has a sensational line-up of speakers, tutorials and events, along with a few surprises, that we can’t wait to share with attendees. Have a great weekend and we look forward to seeing a lot of you on the Gold Coast next week!

NIST Issues Guidance for Addressing Software Supply-Chain Risk
Date: 2022-05-06 Author: Dark Reading
The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders. Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cybercriminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware.

Large amount of IoT gear menaced by unpatched DNS vulnerability
Date: 2022-05-04 Author: iTnews
Security researchers have found that it is possible to conduct domain name system (DNS) poisoning attacks against Internet of Things devices, thanks to a bug in the popular uClibc and uClibc-ng standard C libraries. Although the bug was disclosed last year, it remains unpatched as the maintainer has not been able to develop a fix for it. An attacker can predict transaction IDs in DNS requests that the libraries generate, allowing DNS poisoning attacks that can be used to redirect traffic and spoof legitimate websites.

F5 warns of critical BIG-IP RCE bug allowing device takeover
Date: 2022-05-04 Author: Bleeping Computer
F5 has issued a security advisory warning about a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. The vulnerability is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead to a complete system takeover. According to F5’s security advisory, the flaw lies in the iControl REST component and allows a malicious actor to send undisclosed requests to bypass the iControl REST authentication in BIG-IP.

Aussie organisations succumbing to ransomware threat
Date: 2022-05-02 Author: Cyber Security Connect
Almost half of the 80 per cent of Australian organisations targeted by ransomware paid cyber criminals, according to new Sophos research. Global cyber security company Sophos has released its State of Ransomware 2022 report — which involves a survey of 5,600 mid-sized organisations in 31 countries — revealing 80 per cent of Australian organisations were hit with ransomware attacks over the course of 2021, up from 45 per cent in 2020. Of those targeted, 43 per cent paid cyber criminals between US$100,000 and US$499,999.

Transport for NSW struck by cyber attack
Date: 2022-05-04 Author: ZDNet
Transport for NSW has confirmed its Authorised Inspection Scheme (AIS) online application was impacted by a cyber incident in early April. The AIS authorises examiners to inspect vehicles to ensure a minimum safety standard. To become an authorised examiner, online applications need to be submitted, and applicants are required to share personal details including their full name, address, phone number, email address, date of birth, and driver’s licence number.

Security through visibility: supporting Essential Eight cyber mitigation strategies
Date: 2022-05-03 Author: iTnews
How can you secure what you cannot see? Strong cybersecurity strategies have become mission critical – because interrupted business leads to financial loss, employee and customer dissatisfaction and subsequent lost relationships – as well as damage to your integrity and reputation. So the question stands: how can you reduce and mitigate cybersecurity risk?

Security Stuff Happens: What Do You Do When It Hits the Fan?
Date: 2022-05-03 Author: Dark Reading
Breaches can happen to anyone, but a well-oiled machine can internally manage and externally remediate in a way that won’t lead to extensive damage to a company’s bottom line. Wise security professionals understand that threat actors aren’t sitting still, and they aren’t playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads.

ESB-2022.2027 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 6.1*
GitLab has released newer versions of both Community and Enterprise Editions to address multiple vulnerabilities.

ESB-2022.2029 – Firefox: CVSS (Max): 7.5*
Mozilla has updated Firefox ESR to version 91.9, fixing several vulnerabilities.

ESB-2022.2043 – Cisco Enterprise NFVIS: CVSS (Max): 9.9
A critical guest escape vulnerability, along with other critical vulnerabilities, affects Cisco NFVIS in the default configuration. Cisco has released an advisory with a fixed version.

ESB-2022.2050 – ALERT F5 BIG-IP Products: CVSS (Max): 9.8
A vulnerability in the control plane of BIG-IP modules allows an unauthenticated remote attacker to execute commands and create or delete arbitrary files on the system. F5 has released patches for the affected versions. BIG-IP version 17.x is not affected.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
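Returning to the uClibc DNS item above: the whole attack rests on one property, that the 16-bit transaction ID in each outgoing DNS query is predictable, so an off-path attacker who can guess the ID of a pending query can forge a reply that the resolver accepts. The Python below is an added example written for this page, not code from the uClibc project or iTnews. It parses the 12-byte DNS header from query packets and scores how predictable the sequence of IDs is, so the check can be run against a capture of a device’s own outgoing queries. The packets are constructed inline; the counter-style ID sequence used for the "bad" capture is an illustration of one way IDs become predictable, not a description of the library’s code, and the 0.5 threshold is an assumption.

```python
"""Extract DNS transaction IDs from raw query packets and estimate how
predictable the sequence is. A stub resolver that increments its ID (or
reuses one) lets an off-path attacker forge a reply that matches a pending
query; a resolver that draws IDs from a CSPRNG does not.

Added example for this page; every packet below is constructed, not captured.
"""
import random
import struct
from collections import Counter

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal A-record query carrying the given transaction ID."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [bytes([len(part)]) + part.encode("ascii") for part in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(packet: bytes) -> int:
    """Return the transaction ID; the header is always the first 12 bytes."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet, 0)[0]


def predictability(txids) -> float:
    """Fraction of consecutive ID pairs that share the single most common
    difference (mod 2**16). A strict counter scores 1.0; independently random
    IDs score close to 0 for any sample of a few dozen queries."""
    if len(txids) < 3:
        raise ValueError("need at least three IDs to judge a pattern")
    deltas = [(b - a) % 0x10000 for a, b in zip(txids, txids[1:])]
    most_common_count = Counter(deltas).most_common(1)[0][1]
    return most_common_count / len(deltas)


def assess(packets, threshold: float = 0.5) -> dict:
    """Parse a capture of outgoing queries and say whether the resolver's IDs
    look guessable. ID reuse within the capture is flagged as well, since a
    repeated ID is as forgeable as a counter."""
    ids = [parse_txid(p) for p in packets]
    score = predictability(ids)
    reused = len(ids) != len(set(ids))
    return {
        "sample": len(ids),
        "predictability": round(score, 3),
        "reused_ids": reused,
        "verdict": "predictable" if score >= threshold or reused else "looks random",
    }


# Constructed captures: a counter-style resolver, and one whose IDs are a
# seeded stand-in for CSPRNG output (seeded only so the example is reproducible).
COUNTER_CAPTURE = [build_query((0x1234 + i) % 0x10000) for i in range(32)]
RANDOM_CAPTURE = [build_query(t) for t in random.Random(2022).sample(range(0x10000), 32)]

if __name__ == "__main__":
    print("counter resolver:", assess(COUNTER_CAPTURE))
    print("random resolver: ", assess(RANDOM_CAPTURE))
```

A predictable ID is only half of what a forger needs; the UDP source port is the other half, so when auditing a device, capture both and apply the same test to the port sequence. Where the library cannot be patched, the mitigations are the usual ones for an untrusted stub resolver: force the device’s queries through a validating recursive resolver on the local network and block direct outbound DNS at the firewall.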


AUSCERT Week In Review for April 29th 2022

29 Apr 2022

Greetings,

Earlier this week, we released our eleventh episode of Share Today, Save Tomorrow. Ethics, trust and collaboration form part of the discussion this month, with Jeroen van der Ham and Shawn Richardson featured, providing their insights and sharing their experiences with this developing area within our industry.

Today, April 29 2022, is the 40th International Dance Day, which has grown into a celebration for those who can see the value and importance in the art form that is dance. Whether it’s toddlers bopping along to their favourite song or the perennial favourite ‘foot shuffle/shoulder shrug’ combo most often seen at weddings, we all have a move or routine that gets us moving when the moment and music is right! To commemorate this occasion, there will be an online celebration featuring five dance productions, each from one region (Africa, Asia-Pacific, the Americas, Europe, and Arab Countries), that will be worth watching if you appreciate dance or would like some tips!

Not to alarm people, but next week we see the arrival of May! Not only does this signify our approach towards the halfway point of 2022 but also the imminent commencement of AUSCERT2022! A little over a week remains to register for Australia’s premier cyber security conference. We have a few surprises in store, along with the fantastic program that you can check out online, so be sure to register today as you won’t want to miss out!

Manage and monitor third-party identities to protect your organization
Date: 2022-04-26 Author: Help Net Security
SecZetta shared research that demonstrates a clear misalignment between the strategies organizations currently use and what is actually required to protect them from cyberattacks due to third-party vulnerabilities. At a time when cyberattacks are increasing in size, frequency, and impact, this research found most organizations are not taking the necessary steps to manage and monitor the lifecycle of their third-party identities, making them more vulnerable to cyber incidents. To strengthen cybersecurity programs and better manage identity lifecycles, including third-party and non-human workers, organizations need stronger third-party identity management strategies and solutions.

Quarterly Report: Incident Response trends in Q1 2022
Date: 2022-04-26 Author: Cisco Talos
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide. The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j.

Five Eyes nations reveal 2021’s fifteen most-exploited flaws
Date: 2022-04-28 Author: The Register
Security flaws in Log4j, Microsoft Exchange, and Atlassian’s workspace collaboration software were among the bugs most frequently exploited by “malicious cyber actors” in 2021, according to a joint advisory by the Five Eyes nations’ cybersecurity and law enforcement agencies. It’s worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years’ lists often found miscreants exploiting older vulns for which patches had been available for years.

BlackCat Ransomware gang breached over 60 orgs worldwide
Date: 2022-04-25 Author: Security Affairs
The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November. “The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide,” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

How Industry Leaders Should Approach Open Source Security
Date: 2022-04-28 Author: Dark Reading
Security has long been a point of concern in the open source community. If not managed carefully, the same openness that allows innovative code contributions from global users can also present vulnerable attack surfaces for malicious actors. In fact, when asked about roadblocks preventing their organizations’ use of open source, respondents to Anaconda’s 2021 State of Data Science report cited “Fear of CVEs, potential exposures, or risks” (41%) and “Open source software is deemed insecure, so it’s not allowed” (26%) among other concerns. Yet open source drives innovation, and there are ways to dramatically decrease the potential risks that arise from the use of open source software. This is why many organizations take a “best of both worlds” approach, adopting open source while prioritizing security measures.
ESB-2022.1792 – Tenable.sc third party components: CVSS (Max): 9.8 Tenable has provided a patch to address multiple vulnerable third party software used by Tenable ESB-2022.1870 – grafana: CVSS (Max): 9.8 Multiple vulnerabilities affecting Grafana has now been fixed under version 8.3.5 and 7.5.15 ESB-2022.1907 – Google Chrome: CVSS (Max): None Google Chrome 101 is available for users as a stable version fixing several vulnerabilities ASB-2022.0119 – Microsoft Edge (Chromium-based): CVSS (Max): 8.3* Microsoft has also addressed Chrome’s CVE in Microsoft Edge and added 2 additional CVEs in its upstream product Stay safe, stay patched and have a good weekend! The AUSCERT team


Week in review

AUSCERT Week In Review for April 22nd 2022

22 Apr 2022

Greetings,

The commemoration of ANZAC Day has become entrenched in Australia and New Zealand’s identity, marking the anniversary of the first major military action fought by members of the Australian and New Zealand Army Corps (ANZAC). The Light Up The Dawn website, coordinated by RSL Australia, is the perfect place to learn about how you can commemorate those who are serving and those who have served. Lest We Forget.

Sadly, the presence of war remains today, with the conflict in Ukraine showing no signs of easing. Although Easter is being observed in Russia this Sunday, April 24th, The Cyber Wire update earlier this week stated that governments in the west shouldn’t let their guard down concerning potential cyber attacks.

AUSCERT has seen a surge in registrations for this year’s conference over the past few days, which is exciting news! With just over two weeks to go until Australia’s premier information security conference gets underway, we encourage anyone interested in coming along to check out our sensational line-up of speakers and tutorials and Register Today for AUSCERT2022!

Lastly, AUSCERT is recruiting for two Software Developers with skills in Python on Linux platforms, and what an opportunity for developers with an interest in cyber security! As part of the AUSCERT team, you'd work alongside Analysts and Infrastructure Engineers and, speaking of the AUSCERT Conference, you also get the chance to participate in the event too!

CISA warns of attackers now exploiting Windows Print Spooler bug
Date: 2022-04-19
Author: Bleeping Computer

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. This high severity vulnerability (tracked as CVE-2022-22718) impacts all versions of Windows per Microsoft's advisory and it was patched during the February 2022 Patch Tuesday. The only information Microsoft shared about this security flaw is that threat actors can exploit it locally in low-complexity attacks without user interaction.

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021
Date: 2022-04-20
Author: The Hacker News

Google Project Zero called 2021 a "record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum, when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.

US and allies warn of Russian hacking threat to critical infrastructure
Date: 2022-04-20
Author: Bleeping Computer

Today, Five Eyes cybersecurity authorities warned critical infrastructure network defenders of an increased risk that Russia-backed hacking groups could target organizations within and outside Ukraine's borders. The warning comes from cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom in a joint cybersecurity advisory with info on Russian state-backed hacking operations and Russian-aligned cybercrime groups.

Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
Date: 2022-04-20
Author: Ars Technica

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Attacker Dwell Times Down, But No Consistent Correlation to Breach Impact: Mandiant
Date: 2022-04-19
Author: SecurityWeek.Com

The good news is that median intruder dwell time is down again – down from 24 days in 2020 to 21 days in 2021. The bad news is the figure gives little indication of the true nature of successful intruder activity across the whole security ecosphere. Dwell time is the length of time between assumed initial intrusion and detection of an intrusion. The usual assumption is that the shorter the dwell time, the less damage can be done. This is not a valid assumption across all intrusions. The figures come from Mandiant’s M-Trends 2022 report, which is based on the firm’s breach investigations between October 1, 2020, and December 31, 2021. They show that the median dwell time figure has consistently declined over the last few years: from 205 days in 2014 through 78 (2018), 56 (2019), 24 (2020) to 21 (2021). The problem is that the dwell time has no consistent correlation to the breach effect.

ESB-2022.1726 – Cisco Umbrella Virtual Appliance: CVSS (Max): 7.5
A vulnerability could allow an unauthenticated, remote attacker to impersonate a Virtual Appliance. One of many Cisco bulletins this week.

ASB-2022.0113 – Oracle Communications Applications: CVSS (Max): 10.0
It was Oracle's 3-monthly patch day this week (Critical Patch Update). Some of the CVSS ratings reached 10.0.

ASB-2022.0091 – Oracle Virtualization: CVSS (Max): 9.0
Another Oracle product affected was the popular VM VirtualBox.

ESB-2022.1714 – Siemens OpenSSL Vulnerabilities in Industrial Products: CVSS (Max): 5.9
ICS-CERT published many advisories this week for Industrial Control Systems (ICS), including SCADA (Supervisory Control and Data Acquisition) systems. This OpenSSL issue affects many systems and devices.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week In Review for April 14th 2022

14 Apr 2022

Greetings,

Each week of 2022 seems to be moving at a faster pace than the one before and here we are, at Easter already! Four days to relax, rejoice, reframe – and indulge in far too many chocolate eggs, bunnies, and bilbies, along with some hot cross buns of course! It’s also the first week of at least three (four if you’re in Queensland) that have one day less in the working week. Now, whilst that might be celebrated, it also means that we have fewer business days until AUSCERT2022! We have some fantastic Sponsors, Speakers, Tutorials and some sensational surprises in store this year! Spots are filling fast so, to ensure you don’t miss out, Register today for Australia’s premier cyber security conference.

AUSCERT will maintain minimal coverage for the Easter holidays from Friday 15 April to Monday 18 April. AUSCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Have a safe, enjoyable and relaxing Easter break everyone!

Mandatory cyber security incident reporting now in force
Date: 2022-04-12
Author: iTnews

Home Affairs minister Karen Andrews has published the implementation of Australia’s critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors. Under the Security of Critical Infrastructure 2018 Act, multiple industry assets are deemed to be critical.

Security Nihilism Is Putting Your Company and Its Employees at Risk
Date: 2022-04-09
Author: Dark Reading

When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of “security nihilism” isn’t new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap to overcome for security practitioners, but it’s even more dangerous when employees start to feel it. Security nihilism creates new and worsens existing problems that put a company’s data — and the employees who are stewards of that data — at risk.

GitHub can now alert of supply-chain bugs in new dependencies
Date: 2022-04-08
Author: Bleeping Computer

GitHub can now block and alert you of pull requests that introduce new dependencies impacted by known supply chain vulnerabilities. This is achieved by adding the new Dependency Review GitHub Action to an existing workflow in one of your projects. You can do it through your repository’s Actions tab under Security or straight from the GitHub Marketplace. It works with the help of an API endpoint that will help you understand the security impact of dependency changes before adding them to your repository at every pull request.

Creating a Security Culture Where People Can Admit Mistakes
Date: 2022-04-12
Author: Dark Reading

Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled “[TEST] Meteor strike destroys the headquarters,” went to everyone in the company and created a loop that crashed the mail servers. As Ellis recounts, “The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, ‘Preparing to outrun the meteor?’”

New pilot program to help meet urgent demand for cyber security skills
Date: 2022-04-12
Author: Riotact

Cyber security may have been a big winner in the Federal Budget, but finding the people to make the Federal Government’s ambitious plans a reality will be challenging. The ACT Government and Digital Skills Organisation (DSO) aim to help address the cyber skills shortage and meet the needs of the ACT’s growing tech sector with a new 12-month pilot program through the Canberra Cyber Hub. It will focus on developing a new National Skills Framework for cyber security in cooperation with industry.

ESB-2022.1488.2 – UPDATED ALERT VMware products: CVSS (Max): 9.8
VMware has now confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

ESB-2022.1560 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe Commerce and Magento Open Source are vulnerable to Remote Code Execution. Adobe has released patches to address the issue.

ESB-2022.1623 – ALERT Cisco Wireless LAN Controller: CVSS (Max): 10.0
Cisco has released an advisory regarding a critical authentication bypass vulnerability affecting several Wireless LAN controllers.

ASB-2022.0085 – ALERT Microsoft Windows products: CVSS (Max): 9.8
Microsoft has addressed multiple vulnerabilities during Patch Tuesday in its upstream Windows products.

ASB-2022.0086.3 – UPDATE Nginx Zero-Day
Multiple mitigation measures are available for the recent zero-day vulnerability in the nginx web server.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

BDO and AUSCERT Cyber Security Survey Report 2021

13 Apr 2022

BDO and AUSCERT say the federal government’s technology investment boost is a good first step to heighten the resilience of Australian businesses. However, there is a need for business guidance to avoid another ‘pink batts’ fiasco. The emergence of questionable ‘pop-up’ providers is a reality, say the industry experts.

On 29 March 2022, as part of the 2022–23 Budget, the Australian Government announced it will support small business via the Small Business Technology Investment Boost and Small Business Skills and Training Boost. Small businesses with annual turnover of less than $50 million will be able to deduct 120% of eligible training and assets, such as cyber security systems or subscriptions to cloud-based services, in their 2022–23 tax return.

AUSCERT and BDO are calling for guidance to be provided for SMEs looking to take advantage of the government incentives, to mitigate the chance of inadequate governance.

“AUSCERT recognises the significance of the latest federal government announcement and hopes the promise will be matched equally by delivery,” said AUSCERT Director David Stockdale. “While it is easy for a government in the run-up to an election to make promises, the true benefit is in recognising the needs of SMEs and then delivering the training that will lift the cyber security posture of these organisations. This is a huge task, and with additional pressures on the already stretched Australian Cyber Security Centre to be actively involved with additional critical infrastructure requirements amongst other things, it will fall to the private sector to fill the gap.”

“Helping SMEs to understand the threats, assess their own risk landscape and implement proportional controls is critical, and is no easy task. Risk management and cybercrime awareness aren’t the core business of most SMEs, and history has shown that even large corporates can fall victim to wide scale breaches if inadequate governance is in place over contractors such as managed Cyber Security Operations Centres,” noted David. “Training, and regulation of the training, needs to address these knowledge gaps – let’s hope we do not see providers peddling a “silver bullet” course and we find ourselves looking back and seeing another ‘pink batts’ fiasco.”

The latest BDO and AUSCERT Cyber Security Survey found incidents requiring data recovery efforts also rose by 160% from 2020, suggesting that cyber attacks are becoming more destructive and laser focused.

BDO Partner and National Cyber Security Leader Leon Fouche said, “The technology investment boost is a great first step to heighten the resilience of Australian businesses. However, the government announcements to help drive training create a ripe environment for ineffective training and providers to pop up.”

The BDO and AUSCERT survey found that 2021 saw a staggering 175% increase in data breaches caused by accidental emails, such as ‘CC’ing’ instead of ‘BCC’ing’, indicating that staff security awareness training may not be as robust as needed in the wake of remote working arrangements.

“With the steady increase in working remotely driven by the pandemic there is growing awareness of the need for training,” said Leon. “Indeed, our report showed that 1 in 4 organisations have invested in some form of cyber awareness training. Yet most organisations don’t have a chief security officer, or specialist security contractor on speed dial to keep up with the rapidly changing landscape of cyber threats, so the government will need to be able to provide SMEs with a starting point and ongoing support to really help these incentives be impactful.”

The BDO and AUSCERT Cyber Security Survey found that 60% of organisations use some form of cyber threat intelligence, meaning those who are not continually learning about new cyber threats are lagging behind their peers. The survey identified several steps business can take to significantly lessen cyber incidents, including onboarding Security Operations Centres, implementing Cyber Awareness Training, undertaking Supply Chain Risk Assessments, and creating Cyber Incident Response Plans.

“No doubt the incentives announced by the government will drive SMEs signing on to training and purchasing assets,” commented Leon. “Whether this means a business’s first training course for their staff or upskilling of those employees who already have some awareness training, what is key is guidance on how business can best invest so their efforts are most effective, including avoiding investment in poor training or assets.”

BDO forensic expert Stan Gallo said, “Rather than just handing money to the SME owners and leaving them to it, an alternative approach might be to first guide them to where they can discuss the possibilities and get advice on technology investment that can take their business to the next level. There is a lot more to digital evolution than a flashy website or a cloud subscription and throwing money at SME business.”

Stan noted that the Technology Investment Boost will be a great opportunity to enhance cybersecurity, but hardly revolutionary.

“The Technology Investment Boost is terrific for innovative tech-driven start-ups and entrepreneurial business, but mature SMEs looking to grow still need to understand the basics of how technology can enhance their business, in addition to standard backend operations. Many people that have laboured over the years and built up a successful business, particularly in traditionally non-technology-driven areas, still need assistance to understand technology investment and how it can add value to their business operations.”

“There is an increased risk the money will be spent on standard IT support and lacklustre training provided by questionable ‘pop-up’ providers,” cautioned Stan.

“The types of threats we are seeing continue to evolve in line with current events and technologies, but at their core, there remain many similarities. Phishing, ransomware encryption, business email compromise and data theft are still ever present,” noted Stan. “However, there has been some insidious countermovement. For example, on the back of a growing trend of heightened preparedness and recoverability, thereby denying ransom payments, the ‘standard’ ransomware attack is now regularly linked to an initial theft of data to provide two bites at the cherry. If the victim is not going to pay the ransom – then maybe they will pay to get their confidential data back. As usual there are no guarantees either way.”

You can view a copy of the BDO and AUSCERT Cyber Security Survey at the following link: Cyber Survey Report 2021
