Week in review

AUSCERT Week in Review for 12th November 2021

12 Nov 2021

Greetings,

This Saturday, November 13, is World Kindness Day, which aims to help everyone understand that compassion for others is what binds us together. The Kindness Factory is on a mission: to make the world a kinder place! This not-for-profit organisation was founded by former elite cricketer Kath Koschel, following a series of events that saw her life spiral into despair and darkness without warning. But Kath fought through her ordeal and emerged with a new passion for life and a complete understanding of how powerful kindness can be. The Kindness Log is a platform for anyone to log an act of kindness, allowing people to share experiences that demonstrate how one small act of kindness can make a really big difference. Remember, the world is full of kind people. If you can’t find one, be one!

Earlier this week, AUSCERT Director, Dr David Stockdale, was a guest speaker at the UQ School of IT and Electrical Engineering Cybersecurity Workshop. The topics discussed covered Cyber Incident Response within Critical Infrastructure and how to uplift our resilience. The session was one of four conducted throughout the day; the others discussed diversity in the cybersecurity workforce, and upskilling and inter-disciplinary cyber education, to name a few. The sharing of experiences, insights and knowledge by the speakers is just one of the many ways AUSCERT collaborates, informs and helps those within the field.

But with the strongly held belief that cyber security is everyone’s problem, particularly with the shift to remote working over the past eighteen months, what is being done to counter the growing cyber threat? A recent article on Cyber Security Connect discusses what businesses should be doing to help employees, and themselves, tackle the issue.

Beyond the Basics: Tips for Building Advanced Ransomware Resiliency
Date: 2021-11-05
Author: Threatpost
The rate at which ransomware attacks occur is rapidly increasing. Not only have we witnessed a rise in the frequency of these attacks, but we have also seen them evolve into more sophisticated, successful and damaging events. The potential monetary gain from a ransomware attack is now so lucrative that many ransomware developers have established affiliate programs for their tools and expertise, offering ransomware-as-a-service. Ransomware demands also continue to skyrocket as more than 80 percent of victim organizations admit to paying ransom demands.

Op-Ed: What a house cat can teach us about cybersecurity
Date: 2021-11-07
Author: Los Angeles Times
The news today often contains reports about cybersecurity breaches that steal our data or threaten our national security. The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect? Recent experience with a house cat provided insights into the nature of this problem. I am allergic to cats. My daughter came home, cat in hand, for an extended stay, and I had to find a way of confining Pounce to a limited area. However, as many cat parents would have known — though I did not — this was doomed to be a losing battle.

Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage
Date: 2021-11-11
Author: ZDNet
Cyber attacks targeting vulnerabilities in virtual private networks (VPN) are on the rise, and many organisations are struggling to protect their networks. The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time. While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.

Queensland water supplier Sunwater targeted by hackers in months-long undetected cyber security breach
Date: 2021-11-11
Author: ABC News
It has been revealed that hackers left suspicious files on a webserver to redirect visitor traffic to an online video platform last year. Queensland’s largest regional water supplier, Sunwater, says it was targeted by hackers in a cyber security breach that went undetected for nine months. Sunwater admitted the cyber breach after the tabling of a Queensland Audit Office report into the state’s water authorities, which mentioned the incident but did not say which authority was targeted.

Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit
Date: 2021-11-10
Author: ZDNet
Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

Vagabon PhishKit – An Example of Shared Code Modularity
Date: 2021-11-03
Author: RiskIQ
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself “Vagabon”, looks to collect PayPal login credentials, as well as complete credit card information from the victim. While the kit itself doesn’t display many unique characteristics, it does contain bits and pieces of other known, familiar phish kits. This “Frankenstein” technique of piecing together modular, free or readily available kits and services has become increasingly popular.

ASB-2021.0236 – Microsoft Apps: Execute arbitrary code/commands – Existing account
Microsoft has released its monthly security patch update for the month of November 2021.

ESB-2021.3714 – docker.io: Access confidential data – Remote/unauthenticated
An information disclosure issue was discovered in the command line interface of docker.io.

ESB-2021.3716.2 – UPDATE Adobe Creative Cloud Desktop Application: Multiple vulnerabilities
Adobe has released an update for the Creative Cloud Desktop for Windows and macOS.

ESB-2021.3818 – tcpdump: Denial of service – Remote/unauthenticated
A denial of service vulnerability was found in the tcpdump network traffic tool and an update is now available.

ESB-2021.3856 – postgresql: Multiple vulnerabilities
Two vulnerabilities were discovered in the PostgreSQL database system, which could result in man-in-the-middle attacks.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week in Review for 1st October 2021

5 Nov 2021

Greetings,

Today is International Coffee Day, an opportunity to celebrate the tasty brew that provides a kickstart to get us going or a boost to sustain us when needed. How do you prefer your coffee?

Earlier in the week, it was revealed that almost 10 million Android devices globally had been infected with malware delivered via GriftHorse apps. The Register reported on the Trojan code that has already netted millions of dollars.

ZDNet advised that many experts, including VMware and CISA, have been begging people to address the CVE-2021-22005 issue, a vulnerability in VMware vCenter, by updating their systems as soon as possible.

Microsoft rolled out a new feature to Exchange that will automatically install temporary mitigations that block active security flaws until an official patch is released by Microsoft. The Record wrote about the proactive move by Microsoft with its first-of-its-kind security feature.

Lastly, we wanted to advise of some upcoming training that is being held in the last quarter of 2021, delivered remotely via Zoom. The courses will focus on Cyber Security Risk Management and Introduction to Cyber for IT Professionals. Dates and further information can be found on the online booking portal or by contacting us via email at training@auscert.org.au.

Emergency Google Chrome update fixes zero-day exploited in the wild
Date: 2021-09-24
Author: Bleeping Computer
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. “Google is aware that an exploit for CVE-2021-37973 exists in the wild,” the browser vendor revealed in Friday’s security advisory.

Victoria launches five-year, AU$50 million cyber strategy
Date: 2021-09-20
Author: ZDNet
The Victorian government has launched a new five-year cyber strategy that will see over AU$50 million allocated towards bolstering the state’s cybersecurity resilience. The cyber strategy will focus on three core missions that the government has described as providing safe and reliable delivery of government services, creating a cyber safe place, and creating a “vibrant” cyber economy. The strategy will be implemented through the state’s chief information security officer releasing annual mission delivery plans that outline specific activities associated with the three core missions. The CISO will develop this plan in consultation with relevant stakeholders across government, industry, and the community.

Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes
Date: 2021-09-27
Author: The Record
Microsoft will soon roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years. Called the Microsoft Exchange Emergency Mitigation service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches. The Emergency Mitigation service will be enabled by default for all Exchange servers once they install the September 2021 Cumulative Updates for Exchange servers, which are shipping out soon, after Microsoft delayed their release last week to have more time to work on it.

Wide-ranging BEC scam underscores dangers of doing business with (un)trusted suppliers
Date: 2021-09-27
Author: SC Media
Such schemes, referred to as “business email compromise,” often don’t get nearly the amount of attention or public awareness as ransomware and other forms of cybercrime, but the cumulative losses to businesses and individuals every year often dwarf what is seen in almost all other areas of digital crime. According to the latest annual internet crime report from the FBI, they helped fuel a record number of complaints reported to authorities by the American public in 2020, with 19,369 complaints and adjusted losses of $1.8 billion attributed to BEC schemes alone.

Govt cyber incident intervention powers likely to be rushed in
Date: 2021-09-30
Author: iTnews
‘Last resort’ powers that would allow the government to intervene to contain a cyber attack on critical infrastructure should be “swiftly legislated”, a parliamentary committee says.

ESB-2021.3226 – ALERT Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google Chrome has released updates to fix an actively exploited zero-day vulnerability tracked as CVE-2021-37973.

ASB-2021.0187 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft last week rolled out updates for its Chromium-based Edge browser addressing multiple vulnerabilities including the zero-day CVE-2021-37973.

ESB-2021.3214 – Traffix SDC: Denial of service – Remote/unauthenticated
F5 is yet to release the fix for Traffix SDC to address a use-after-free vulnerability in glibc.

ESB-2021.3262 – GitLab Community Edition and GitLab Enterprise Edition: Multiple vulnerabilities
GitLab addresses numerous vulnerabilities in its latest security release including stored XSS, DNS rebinding, and a bunch of permission mishaps.

ESB-2021.3162.2 – UPDATE ALERT VMware vCenter Server & Cloud Foundation: Multiple vulnerabilities
VMware has updated their security advisory to confirm that CVE-2021-22005 is being exploited in the wild.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week in Review for 15th October 2021

5 Nov 2021

Greetings,

This week’s image, the captivating and vibrant Jacaranda, is an iconic tree in Australia but is, in fact, native to Central and South America. Here at The University of Queensland, they’re even part of local lore, signifying the end of year exams, colloquially known as ‘purple panic’.

The idea of panic, isolation and anxiety has been an all too common one of late, with this year’s Mental Health Week (October 9 – 17) reminding us of the need to ‘Take time – for mental health’. We can all take steps to promote better health for ourselves and others by engaging in the building blocks of wellbeing. Just remember PERMA:
Positive emotion
Engagement
Relationships
Meaning
Accomplishments

Earlier in the week, the Australian Cyber Security Centre released an update to the Essential 8 (or E8), which are key mitigation strategies that can save organisations considerable time, money, effort, and reputational damage. The most recent evolution of the E8 has been assessed by CyberSecurity Connect as heightening the baseline for cyber security in Australia.

With the growing sophistication of malicious events that target individuals and corporates through phishing, SMS malware, trojan viruses and more, it’s important to understand the value of cyber security. CyberExperts.com delves into the impact a cyber-attack can have. In an ever-changing technological landscape that sees growing inter-connectivity with more Internet of Things (IoT) devices connected globally and cybercrime becoming more sophisticated, cyber security is increasingly important to defend against hackers and other online threats.

Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed
Date: 2021-10-13
Author: ZDNet
Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.

150 Million Google Users To Get 7 Days’ Notice Before Bold Security Change
Date: 2021-10-09
Author: Davey Winder
Google has confirmed that it will be pushing forward, on an ‘automatic enrollment’ basis, with a bold security update for some 150 million users before the year-end. The confirmation from Google came by way of an official safety and security blog posting this week. Yes, we are talking about two-factor authentication (2FA) here, or two-step verification (2SV) in the case of Google. What matters most here is that Google is bringing additional protection to your login credentials. Important because, as recent research into credential stuffing showed, the use of compromised login details is on the up. One significant report even pegs 61% of data breaches as involving credential misuse.

Emergency Apple iOS 15.0.2 update fixes zero-day used in attacks
Date: 2021-10-11
Author: Bleeping Computer
Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads. This vulnerability, tracked as CVE-2021-30883, is a critical memory corruption bug in the IOMobileFrameBuffer allowing an application to execute commands on vulnerable devices with kernel privileges.

Microsoft Azure fends off huge DDoS Attack
Date: 2021-10-13
Author: ZDNet
Distributed Denial of Service attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second, the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date. What we know for certain is it’s the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020’s Azure 1 Tbps attack, and Microsoft reported it was “higher than any network volumetric event previously detected on Azure.” Who was targeted? We don’t know. Microsoft isn’t talking. The attack itself came from over 70,000 sources.

Student finds zero-days in Exterity devices while rick-rolling school district
Date: 2021-10-13
Author: The Record
An Illinois teenager has found a zero-day vulnerability in Exterity IPTV systems during a rick-roll prank he pulled off on his school district before graduation. On April 30 this year, Minh Duong and a group of close friends took over all networked TVs and other displays inside the six high schools that are part of the Illinois Township High School District 214 to play Rick Astley’s infamous “Never Gonna Give You Up” song disguised as an important announcement. The hack, detailed in a step-by-step blog post published last week, involved scanning the school network for connected devices, analyzing their firmware for bugs, and deploying a payload for a carefully timed attack that took over school TVs and displays during a recess to prevent interfering with classes or other exams.

ASB-2021.0193 – Microsoft Patch Tuesday update for Microsoft Extended Security Update (ESU) products for October 2021
It’s that time of month where Microsoft scares us again – there is the usual assortment of serious vulnerabilities worthy of updates. Keep your systems up to date!

ESB-2021.3357 – apache2 security update
Apache2 living up to its name, in that the denial of service and data leak risks should be enough for you to, uh, patch it too.

ESB-2021.3364 – firefox security update
Firefox fraught with fire after felonious fellows find fatal flaw with various flagshi… Actually, code execution, DoS and information disclosure are no joking matter; you should pay attention to this one.

ESB-2021.3401 – MFSA 2021-46 and MFSA 2021-47 Security Vulnerabilities fixed in Thunderbird
Do you like computers? How would you like to use emails to gain control of someone else’s computer? Wait, no, we’re the good guys… If you DON’T want to lose your servers, we recommend checking these vulnerabilities out.

ESB-2021.3415 – wordpress security update
WordPress cross-site scripting sending you cross-eyed this week, which won’t help the double vision you get when your users are impersonating each other as well. Patch time!

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week in Review for 5th November 2021

5 Nov 2021

Greetings,

Last year’s BDO and AUSCERT Cyber Security Survey found that data breaches doubled and organisations were overconfident in their cyber controls. To challenge this trend, now is the time to review your approach to cyber security. The annual BDO and AUSCERT Cyber Security Survey identifies the current cyber security trends, issues and threats facing organisations across Australia and New Zealand. We invite you to take our 10-minute survey, which provides the opportunity to sense check your organisation’s approach to cyber risk. By taking part, you will gain access to valuable data, allowing you to benchmark your organisation’s cyber security efforts and gain insights into the cyber threats faced by your industry peers. Survey respondents will go in the draw to win an Apple Watch. The survey closes at midnight on Friday, 3 December 2021.

A recent article by ZDNet revealed that a significant number of people have accepted that remote working may be accompanied by being monitored by the companies they work for. Based on a survey of 11,000 consumers across eleven countries, the article also points out that only a small number of respondents were familiar with cyber security issues or where to report scams should they be targeted, highlighting the potential risk for organisations in a hybrid working environment.

It’s Movember again, a global campaign which quite simply asks you to pay attention to, talk about, raise funds and, most importantly, raise awareness for men’s cancers and other men’s health issues. The traditional way to get involved is to “Grow a Mo”, but anyone can show their support by taking part in “Move for Movember”, “Host a Mo-ment” and “Mo Your Own Way”. The campaign runs for the entire month so there’s plenty of time to get involved and create your very own mo-ments to support men’s health issues.

Building sovereign resilience into Australian technology supply chains
Date: 2021-10-28
Author: Cyber Security Connect
Proofpoint threat researchers have identified a new, highly active cyber criminal threat actor, TA2722, and have colloquially named the cyber threat group the ‘Balikbayan Foxes’. The cyber criminal group impersonates Philippine health, labour and customs organisations as well as other entities based in the Philippines. A series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration and the Bureau of Customs.

‘Trojan Source’ Bug Threatens the Security of All Code
Date: 2021-11-01
Author: Krebs on Security
Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode […]. Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right). “By placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”

Microsoft: This macOS flaw could have let attackers install undetectable malware
Date: 2021-11-01
Author: ZDNet
Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a ‘rootkit’. The flaw resided within macOS System Integrity Protection (SIP). The glitch allowed a potential attacker to install a hardware interface that allows them to “overwrite system files, or install persistent, undetectable malware”.

FBI: Ransomware groups tying attacks to ‘significant financial events’
Date: 2021-11-03
Author: ZDNet
The FBI has released a new report saying ransomware groups are increasingly using “significant financial events” as leverage during their attacks. According to the FBI, ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms. “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material non-public information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI wrote.

EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
Date: 2021-11-01
Author: The Record
The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity guidelines for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices. The new standards, which are currently scheduled to enter into effect by mid-2024, were adopted following a delegated act to the Radio Equipment Directive, a piece of 2014 EU legislation that acts as the regulatory framework that equipment vendors must follow in order to sell electronic equipment on the EU market.

Google wants every account to use 2FA, starts auto-enrolling users
Date: 2021-11-04
Author: Ars Technica
Google announced earlier this year that it is planning to forcefully transition as many of its users as possible to two-factor authentication. The company elaborated further in October, saying it was planning to auto-enroll 150 million Google accounts in 2FA by the end of the year. Now, with just two months left in the year, Android Police has found a few reports showing that the process has started, with some users finally being auto-enrolled in 2FA.

ESB-2021.3668 – ALERT Catalyst Passive Optical Network (PON) Series Switches: Multiple vulnerabilities
Cisco has released software updates that address vulnerabilities in Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT).

ESB-2021.3667 – ALERT Policy Suite: Root compromise – Remote/unauthenticated
Cisco has released free software updates that address the vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite which could lead to root compromise.

ASB-2021.0229.2 – UPDATED ALERT Unicode Directional Formatting: Multiple Vulnerabilities
An attacker could exploit Unicode Standards to deceive a human code reviewer and hide unexpected and potentially dangerous behavior.

ESB-2021.3666 – GitLab: Multiple vulnerabilities
This critical vulnerability is the result of improper validation of image files by a 3rd-party file parser, resulting in a remote command execution vulnerability.

ESB-2021.3684 – Firefox: Multiple vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Blogs

Setting up MISP as a threat information source for Splunk Enterprise

1 Nov 2021

By Nicholas Soysa, AUSCERT

Disclaimer: The following information is only relevant to AUSCERT members who are formally part of the CAUDIT-ISAC or AUSCERT-ISAC. For more info on this optional add-on service, please refer to the following page.

1. Get a license or free trial account.
If you’re an existing Splunk customer, then you should already have the credentials to access Splunk. If you’re keen on trying it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

2. Install and run Splunk Enterprise.
Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps.
Launch the Splunk Enterprise search head.
Log into your Splunk Administrator account.

IMPORTANT: MISP42Splunk 4.3.0 has been merged to the master branch. The information in section 3 is no longer relevant. You can now update misp42splunk using the “Upgrade App” (existing app) or “Install” option (fresh installs), as usual.

3. Install and set up MISP42Splunk
MISP42Splunk 2.2.0 is not currently in the master branch.
NOTE: Once the update has been merged to the master branch, this manual step will no longer be needed. Until then, download the file from the GitHub repo at: https://github.com/remg427/misp42splunk/tree/2.2.0
Extract the ZIP archive.
Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-zip or the command line.
Return to the Splunk app and navigate to “Apps”.
Select the “Install App from file” option.
Select the archive misp42splunk.tar.gz which you created and click Upload.
Restart Splunk when prompted.

4. Add MISP instance
Create a MISP instance name. For example: “AUSCERTMISP”
MISP URL = Base URL of the MISP instance (e.g. https://misp-c.auscert.org.au OR https://misp.auscert.org.au)
For the “Set the MISP auth key” field, enter a valid API key for a MISP user which has authkey access privileges. This is typically any user with “User” up to “Org admin” roles.
Untick the “Check SSL certificate of MISP server” box.
We no longer require a client certificate to authenticate. Untick the “Use a client certificate” box if ticked.
Press “Save”. Once the save is completed, you will be returned to the Apps page.

5. Check it works
Navigate to the MISP42 app (Apps dropdown -> MISP42).
In the MISP42 app page, select Reports.
Then select, for example, mispgetioc misp_instance=AUSCERTMISP last=1d
If the app works, then you should see Attributes from MISP events returned in the report.
It is suggested to store the feeds in an index which can then be queried in future if needed.

6. Resources
CAUDIT-ISAC users can access the PDF version at: https://wordpress-admin.auscert.org.au/publications/2018-08-22-misp-integration (Member portal login required)
AUSCERT-ISAC users can access the document at: https://wordpress-admin.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

7. Credits
Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.
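A stand-alone way to confirm that the MISP URL and auth key from step 4 actually work before troubleshooting the app, written as an added example (it is neither part of the original post nor code from the misp42splunk app): it sends the same last=1d query that the mispgetioc report runs to MISP's /attributes/restSearch endpoint and flattens the returned attributes into the fields you would index in Splunk. The sample response is constructed, and the misp_* output field names are my own choice, not the app's.

```python
import json
import ssl
import urllib.request

# Constructed sample of a MISP /attributes/restSearch reply (not a real
# AUSCERT MISP response); the shape follows the MISP REST API.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {"id": "1", "event_id": "10", "type": "ip-dst", "category": "Network activity",
             "to_ids": True, "value": "203.0.113.7", "timestamp": "1636000000"},
            {"id": "2", "event_id": "10", "type": "domain", "category": "Network activity",
             "to_ids": True, "value": "lookup.example.invalid", "timestamp": "1636000100"},
            {"id": "3", "event_id": "11", "type": "comment", "category": "Other",
             "to_ids": False, "value": "analyst context note", "timestamp": "1636000200"},
        ]
    }
}


def build_restsearch_request(base_url, authkey, last="1d"):
    """Return (url, headers, body) for the query the mispgetioc report issues."""
    url = base_url.rstrip("/") + "/attributes/restSearch"
    headers = {
        "Authorization": authkey,        # the MISP user's authkey from step 4
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    body = {"returnFormat": "json", "last": last}
    return url, headers, body


def parse_attributes(payload, ids_only=True):
    """Flatten the restSearch reply to indexable records.

    ids_only keeps only attributes the MISP author flagged to_ids, i.e. those
    intended for automated matching; comments and context are dropped so they
    never end up as false-positive indicators in a correlation search.
    """
    records = []
    for attr in payload.get("response", {}).get("Attribute", []):
        if ids_only and not attr.get("to_ids"):
            continue
        records.append({
            "misp_event_id": attr.get("event_id"),   # field names are this example's own
            "misp_type": attr.get("type"),
            "misp_value": attr.get("value"),
            "misp_category": attr.get("category"),
        })
    return records


def fetch_recent_attributes(base_url, authkey, last="1d", verify_tls=True, timeout=30):
    """Query MISP over HTTPS and return flattened records.

    verify_tls=False mirrors unticking "Check SSL certificate of MISP server";
    keep it True whenever the instance presents a certificate your host trusts.
    """
    url, headers, body = build_restsearch_request(base_url, authkey, last)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return parse_attributes(json.load(resp))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_recent_attributes("https://misp.auscert.org.au", "<AUTHKEY>") for a live check.
    for record in parse_attributes(SAMPLE_RESPONSE):
        print(json.dumps(record))
```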

Week in review

AUSCERT Week in Review for 29th October 2021

29 Oct 2021

Greetings,

AUSCERT is always looking for ways to increase our value to our members. We know that data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. As part of this, we would like to hear your feedback on the idea of us delivering data governance advisory services. We are seeking expressions of interest for services such as these and would welcome feedback via our online survey. All submissions are confidential and will assist us in evaluating the need for this service within your organisation.

The Women in Security Magazine explores different journeys of women in security, gains career perspectives from industry experts, offers different technology perspectives, includes insights from industry greats on diversity and inclusion, and so much more! Issue 5 explores the misconception concerning the shortage of skilled women in the security industry and includes an interview with AUSCERT team member, Vishaka, about her journey into the field of cyber security.

As we celebrate Cyber Security Awareness Month, it’s important to ensure you have access to the right information and tools you need to make informed decisions about your cyber risk tolerance.

Overview of Malware Hosted on Discord’s Content Delivery Network
Date: 2021-10-20
Author: RiskIQ
RiskIQ’s Research team has begun analyzing Discord’s Content Delivery Network links with files ending in certain extensions (like exe, dll, compressed and document file extensions) to identify malware files posted to Discord servers. Through this research, we can identify the Discord channel ID to pivot off of in the RiskIQ platform. Overall, since mid-September 2021, RiskIQ was able to identify over 100 Discord URLs delivering malicious content, such as AsyncRAT, Raccoon Stealer, Agent Tesla, and many other Backdoors, Password Stealers, and Trojans.

Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms
Date: 2021-10-25
Author: ZDNet
The federal government has released an exposure draft for what it has labelled an Online Privacy Bill that it hopes will enhance online privacy protections for Australians through an expansion of the nation’s Privacy Act. “The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy,” the federal government wrote in the Bill’s explanatory paper. Under current legislation, the federal government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a credit reporting code. The Bill is seeking to expand the Privacy Act to allow government to create a third code specifically for regulating three classes of organisations: social media platforms, data brokers, and large online platforms.

Mozilla Firefox cracks down on malicious add-ons used by 455,000 users
Date: 2021-10-26
Author: ZDNet
Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, used by software to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities.

These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Date: 2021-10-27
Author: ZDNet
Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

1,000,000 Sites Affected by OptinMonster Vulnerabilities
Date: 2021-10-27
Author: Wordfence
On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

ESB-2021.3563 – ALERT macOS Big Sur: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Apple macOS Big Sur, the most severe of which could allow root compromise.

ESB-2021.3602 – Junos OS and Junos OS Evolved: Multiple vulnerabilities
Juniper has released new software versions for Junos OS to address multiple vulnerabilities which could lead to root compromise.

ESB-2021.3605 – salt: Root compromise – Existing account
An issue was discovered in SaltStack Salt which allows a user who has control of the source and source_hash URLs to gain full file system access as root.

ESB-2021.3599 – Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Multiple vulnerabilities
Cisco has released updates for multiple vulnerabilities identified in Cisco ASA and Cisco FTD software.

ESB-2021.3608 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): Multiple vulnerabilities
GitLab has released security updates to fix multiple vulnerabilities identified in Community Edition and Enterprise Edition.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
AUSCERT Week in Review for 22nd October 2021

22 Oct 2021

Greetings,

With the announcement of the new slate of Apple products this week that include MacBooks and AirPods, which now looks to be an annual occurrence, questions arise as to whether some of the newer versions are a needed evolution of technology or simply a tactic to increase sales. A recent article from ZDNet discusses whether the drive to incorporate new and untested elements (with the goal of creating the need for consumers to upgrade) comes at the cost of functionality.

Red Teaming, social engineering and stolen identities – war stories from the field is the topic of Episode 6 of AUSCERT’s podcast series, “Share today, save tomorrow”. It features co-Founder and CEO of Hacktive, Chris Gatford, who has been responsible for delivering Attack and Penetration and Technical Security Assessments, has reviewed countless IT environments, and has directed and been responsible for numerous security assessments for a variety of corporations and government departments. Mike Holm returns to discuss a recent Apache vulnerability and AUSCERT’s response, notifying members that were potentially susceptible to the vulnerability in a very timely manner, as well as the expansion of services to include advisory on Data Governance and running tabletop exercises. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

We’re excited to announce the release of a snapshot of our service stats for Quarter 3, 2021, an overview of the cyber security incidents reported by members from 1 July – 30 September 2021 which includes a summary of other key achievements this quarter. We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our services stats for Quarter 3 2021.

Microsoft asks admins to patch PowerShell to fix WDAC bypass
Date: 2021-10-18 Author: Bleeping Computer
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.

ACCC warns phone users to be aware of evolving Flubot scams
Date: 2021-10-17 Author: ABC News
A text message scam that contacts thousands of Australians a day has evolved to entice phone users to install software security — to protect against its own malicious malware. Since August, Australians have received text messages purporting to be an unopened voicemail notification, with a link encouraging users to download the scam “voicemail”. Cyber security experts are warning the scam has morphed into an elaborate scheme that plays on users’ security fears. In a strange twist, the scam is enticing phone users to download extra security to protect their phone — from their own scam.

Australia’s Ransomware Action Plan – What does it mean for you?
Date: 2021-10-14 Author: Willis Towers Watson
Will Australia introduce a mandatory ransomware incident reporting regime? The government’s Ransomware Action Plan seeks to create a cultural shift in the way Australia responds to this cyber threat. On 13 October 2021, the Minister for Home Affairs Karen Andrews announced the Ransomware Action Plan which is intended to support Australian individuals, businesses, and critical infrastructure. The plan responds to significant public concern around rising losses to business and the community caused by malicious cyber extortion attacks and the worrying increase in financial and identity frauds perpetrated following ransomware attacks. It also provides key insights into the Australian Government’s wider cyber security objectives.

Supply chain attacks are the hacker’s new favourite weapon. And the threat is getting bigger
Date: 2021-10-20 Author: ZDNet
Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it’s possible to find a potential way into thousands of targets at once. Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.

Female Cybersecurity Leaders: Who Wants Them?
Date: 2021-10-20 Author: LinkedIn
[Spoilers: many organisations can benefit from the female CISO’s point of view.] Last year, the world witnessed one of the greatest industrial changes in living memory with the pandemic igniting rapid, exponential growth. Caught off guard, and now in our post-pandemic reflective reality, one thing has become crystal clear. The world seeks a new kind of leader – one who must not only embrace change but become an instigator of it and be renowned for it. The era of the fast follower – a company that quickly imitates the innovations of its competitors – is over. Thanks to technology, continual rapid change is here to stay. For years we’ve known it was coming, what with Industry 4.0 on the horizon. And that’s why effective leaders must become experts of change. The first mover advantage is back!

Google unmasks two-year-old phishing & malware campaign targeting YouTube users
Date: 2021-10-21 Author: The Record by Recorded Future
Almost two years after a wave of complaints flooded Google’s support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google’s security team has finally tracked down the root cause of these attacks. In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to “a group of hackers recruited in a Russian-speaking forum.” TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review.

ASB-2021.022 – ALERT Oracle Insurance Applications: Multiple vulnerabilities
Oracle has released a critical patch update that fixes multiple vulnerabilities in Oracle Insurance Applications.

ASB-2021.0212 – ALERT Oracle Communications products: Multiple vulnerabilities
Oracle’s most recent patch update includes fixes for 71 new security patches and additional third party patches for Oracle Communications products.

ASB-2021.0203 – ALERT Oracle Fusion Middleware Products: Multiple vulnerabilities
Oracle released 38 new security patches for multiple vulnerabilities in Oracle Fusion Middleware. 30 of these vulnerabilities may be exploited over a network without requiring user credentials.

ASB-2021.0198 – ALERT MySQL products: Multiple vulnerabilities
Multiple vulnerabilities identified in Oracle MySQL have been addressed by Oracle’s October patch update.

ASB-2021.0225 – Microsoft Surface Pro 3: Reduced security – Existing account
Microsoft encourages its customers to practice good security habits to address a bypass vulnerability that affects Microsoft Surface Pro 3.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
AUSCERT Week in Review for 8th October 2021

8 Oct 2021

Greetings,

The global outage of Facebook, Instagram and WhatsApp earlier in the week highlighted the impact a small error can have on an entire network. It’s believed that the outage was caused by a routine maintenance job that unintentionally resulted in Facebook’s data centres being disconnected from the internet, making Facebook, WhatsApp and Instagram inaccessible. With over 3.5 billion users around the planet, MIT Technology Review writes on how dependent people have become on one company’s data centre and the impact an outage on this scale has.

Earlier in the week, AUSCERT team members participated in a multi-national drill that saw their skills tested with a simulated malware attack. Of the eight tasks they were asked to complete, the most challenging required the duo to analyse, evaluate and re-assess their response to what they correctly deduced was a ransomware attack. Fifteen teams took part, with both AUSCERT team members expressing that they enjoyed the challenge, which tested abilities from file decryption to port scanning to gain an understanding of how the attack occurred. Exercises such as this provide our team with current, real-world scenarios that reinforce, add to and enhance their skillset to ensure AUSCERT remains at the forefront of cyber security defence.

Lastly, October is Cybersecurity Awareness Month, the perfect time to remind individuals and organizations of the importance of cybersecurity and to encourage active use of measures that foster vigilance and offer protection. There are many ways to improve protection against common online threats and cybercrime. At AUSCERT, we’re passionate about data security and keeping your information safe. That’s why we deliver 24/7 service to our members alongside a range of comprehensive tools to strengthen your cyber security strategy. To stay up-to-date with the latest cyber information, security alerts and more, simply head to our website, scroll to the bottom and subscribe!

Legislation expanding digital identity scheme to private sector finally unveiled
Date: 2021-10-04 Author: Innovation Aus
The federal government has finally unveiled exposure legislation expanding its digital identity program to state governments and the private sector, with a whirlwind consultation period commencing before it is soon introduced to Parliament. The legislation will introduce two voluntary schemes to accredit companies and governments as service providers or relying partners in the digital identity program, as well as enshrining extra privacy safeguards in law and establishing a permanent oversight authority for the scheme. The digital identity scheme, a whole-of-government federal program aiming to provide identity verification across a range of government services and private sector offerings, has been in the works for six years at a cost of more than $450 million, but legislation is required to expand it to the private sector.

Understanding How Facebook Disappeared from the Internet
Date: 2021-10-05 Author: Cloudflare
“Facebook can’t be down, can it?”, we thought, for a second. Today at 1651 UTC, we opened an internal incident entitled “Facebook DNS lookup returning SERVFAIL” because we were worried that something was wrong with our DNS resolver 1.1.1.1. But as we were about to post on our public status page we realized something else more serious was going on. Social media quickly burst into flames, reporting what our engineers rapidly confirmed too. Facebook and its affiliated services WhatsApp and Instagram were, in fact, all down. Their DNS names stopped resolving, and their infrastructure IPs were unreachable. It was as if someone had “pulled the cables” from their data centres all at once and disconnected them from the Internet.

Why Windows 11’s security is such a big deal
Date: 2021-10-05 Author: TechRepublic
The hardware requirements for Windows 11 have led to a lot of debate about exactly what changes in newer PCs and processors; they’ve also led to enterprises thinking about what security features they need in hardware. Microsoft’s second Security Signals report shows that enterprise security decision-makers are concerned about the security impact of hybrid work, and they expect PC hardware to help, said Dave Weston, director of OS security at Microsoft.

Twitch source code, creator earnings exposed in 125GB leak
Date: 2021-10-07 Author: Ars Technica
Live video broadcasting service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and removed) Wednesday, an anonymous user posted a torrent file of the data dump. The dump contains the company’s source code and details of money earned by Twitch creators.

ESB-2021.3341 – Security update for apache2
Apache has another vulnerability! Here we have an SSRF via a specially crafted URI – not a fun combination. You also get a DoS for free as well. Patch your systems!

ESB-2021.3321 – firefox-esr security update
Extending the exhaustive list of Firefox memory corruption bugs, more have been discovered which were capable of resulting in execution of code. We use past tense, but if you don’t update, it could be present tense for you!

ESB-2021.3294 – USN-5104-1: Squid vulnerability
Black hat sharks have begun to encircle at-risk squids, threatening them with DoS and confidential data disclosures. Update your systems to save the squids!

ESB-2021.3287 – Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Two for the price of one: an alert was put out for Apache systems this week, after a vulnerability allowing an attacker to link to URLs outside of the expected document root was “fixed” (spoiler: not quite the first time around)… Needless to say, we recommend patching this immediately.

ESB-2021.3276 – USN-5101-1: MongoDB vulnerability
A DoS vulnerability discovered in MongoDB puts many home movie collections at risk. Probably some other more important services too, but think about the movies…

Stay safe, stay patched and have a good weekend!
The AUSCERT team
AUSCERT Week in Review for 24th September 2021

24 Sep 2021

Greetings,

We wanted to remind everyone that it’s worth having a look to be sure that you’re not affected by the VMware vCenter vulnerability related to CVE-2021-22005 – a patch is available and so is a quicker (but temporary) mitigation. We notified a small number of members yesterday of internet-exposed servers. More information can be found in this Bleeping Computer article. Bleeping Computer also reported on a vulnerability in macOS Finder that makes it possible for attackers to run commands on Macs running any macOS version up to the most recent release, Big Sur.

With the unveiling of Apple’s iOS 15 this week, there has been a lot of focus on their increased efforts to offer consumers greater control over who sees their data. MacRumors released a guide on the new privacy and security features that have seen mixed reactions concerning Apple’s handling of user data.

Lastly, to all the parents, guardians and family members experiencing school holidays, remember, this too shall pass, so enjoy the family time and/or look forward to the end… good luck!

DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public
Date: 2021-09-17 Author: The Record
Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub. Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an app called Open Management Infrastructure (OMI), which Microsoft has been silently installing by default on most Azure Linux virtual machines.

Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Date: 2021-09-22 Author: The Record
Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world. Based on his finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available online. […] For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users that were trying to set up their email clients, but their email clients were failing to find their employer’s proper Autodiscover endpoint.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Date: 2021-09-22 Author: The Hacker News
Microsoft has opened the lid on a large-scale phishing-as-a-service operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort. “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

Researchers compile list of vulnerabilities abused by ransomware gangs
Date: 2021-09-18 Author: Bleeping Computer
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks. All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT, on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.

ESB-2021-3190 – Cisco IOS XE Software multiple vulnerabilities
Cisco IOS XE is currently experiencing technical difficulties – those difficulties? A range of quite serious vulnerabilities, ranging from unauthenticated code execution to DoS, all warranting a patch.

ESB-2021-3162 – VMSA-2021-0020 – VMware vCenter Server updates address
Security bugs in vCenter Server that were privately disclosed to VMware have been classified as “critical” after it was discovered they were, in fact, critical.

ASB-2021-0183-2 – Microsoft Patch Tuesday update for Azure for September 2021
It was good to see Microsoft stay consistent this week – both in the sense that Patch Tuesday came and went, and that we were spoiled with an assortment of privilege escalation and code execution vulnerabilities.

ESB-2021-3099-2 – Apple security update for iOS 14.8 and iPadOS 14.8
Apple announced some not-so-fun vulnerabilities for iOS and iPadOS this week – malicious applications are capable of executing code with kernel privileges, and interestingly one vulnerability permitted this over a Bluetooth connection.

ESB-2021-3212 – iOS 12.5.5 Vulnerabilities
Apple’s at it again with the vulnerabilities, having identified a number of serious issues with iOS 12.5.5 that are actively being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team