Week in review

AUSCERT Week in Review for 17th September 2021

17 Sep 2021

Greetings,

Apple issued a series of security updates earlier in the week to patch two critical vulnerabilities that the company says were “actively exploited” in the wild. Further information is available in this CISA article.

ZDNet reported that Microsoft issued over 60 security fixes of their own with the latest round of patches to resolve issues that impacted a range of products including Azure Sphere and Microsoft Windows DNS, among other software.

Following on from the release of AUSCERT’s most recent podcast last week, it has been highlighted in VMware’s latest Global Incident Response Threat Report that an increasing number of cyber security professionals experienced “extreme stress or burnout” due to the surging attacks of cyber criminals during the COVID-19 pandemic. Links to the report, along with tools to help identify and assist with such occurrences, can be found in the report from ACS Information Age.

Lastly, Ars Technica reported on what has been dubbed an “embarrassing ‘security bulletin’” from Travis CI, along with the handling of the vulnerability disclosure process following the potential exposure of the information of over 600,000 users.

Windows MSHTML exploits shared on hacking forums
Date: 2021-09-12 Author: Bleeping Computer
Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation. These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer. However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Google patches 10th Chrome zero-day exploited in the wild this year
Date: 2021-09-13 Author: Bleeping Computer
Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them being zero-days exploited in the wild. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company revealed in the release notes for the new Chrome version. The update is currently rolling out worldwide in the Stable desktop channel, and Google states it will become available to everyone over the next few days.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
Date: 2021-09-13 Author: The Hacker News
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that’s actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed “Vermilion Strike” — marks one of the rare Linux ports, which has been traditionally a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a “threat emulation software,” with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
Date: 2021-09-14 Author: ZDNet
Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14. Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

Ransomware crims saying ‘We’ll burn your data if you get a negotiator’ can’t be legally paid off anyway
Date: 2021-09-15 Author: The Register
A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools. Grief Corp is the latest criminal crew to warn its victims with instant data destruction if it suspects a mark has engaged a mediator.

You Can Now Ditch the Password on Your Microsoft Account
Date: 2021-09-15 Author: WIRED
Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.

Securing Netflix Studios At Scale
Date: 2021-09-14 Author: Netflix TechBlog
In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play. The security team was working diligently to support this effort, faced with two apparently contradictory priorities:
1) streamline any security processes so that we could get applications built and deployed to the public internet faster
2) raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value

ASB-2021.0177.2 – UPDATE ALERT MSHTML: Execute arbitrary code/commands – Remote with user interaction
Microsoft’s Patch Tuesday includes fixes for a remote code execution vulnerability in Windows that is being exploited in the wild.

ESB-2021.3099 – ALERT iOS and iPadOS: Execute arbitrary code/commands – Remote with user interaction
Apple releases iOS 14.8 and iPadOS 14.8 to address a remote code execution vulnerability in iOS and iPadOS.

ESB-2021.3102 – ALERT macOS Catalina: Execute arbitrary code/commands – Remote with user interaction
Apple is aware of a remote code execution vulnerability in macOS Catalina that may have been actively exploited.

ESB-2021.3103 – ALERT macOS Catalina and macOS Mojave: Execute arbitrary code/commands – Remote with user interaction
Apple’s most recent security patch for Safari fixes a remote code execution vulnerability.

ESB-2021.3107 – ALERT Siemens APOGEE and TALON: Multiple vulnerabilities
Unauthenticated root access available thanks to what MITRE calls a ‘classic buffer overflow’. Affects certain building automation systems from Siemens.

ASB-2021.0185 – ALERT Microsoft Extended Security Update: Multiple vulnerabilities
Microsoft releases its monthly security patch update to resolve 25 vulnerabilities across Windows and Windows Server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 10th September 2021

10 Sep 2021

Greetings,

Earlier this week, Microsoft issued a warning to Windows 10 users about a previously unknown security vulnerability, CVE-2021-40444, potentially being exploited by cybercriminals. Microsoft is advising users to apply mitigations until an official patch becomes available. An update on the situation is available in this Bleeping Computer article.

After reports this week that a threat actor had collected and published credentials for Fortinet’s SSL-VPN devices, we fetched a copy of the data set and yesterday we notified the members included in it. Fortinet have today published an advisory which we’ve sent out as ASB-2021.0179. The exploited vulnerability was originally fixed in May 2019 – a sterling reminder to keep up with patching (or to ask your manager to allocate time for it!).

ZDNet reported on another recent Microsoft vulnerability, a bug in its Azure Container Instances. Microsoft confirmed it had mitigated the vulnerability and advised that there hadn’t been any indications of unauthorised access to customer data.

AUSCERT released our latest podcast (Episode 5), ‘Creating a culture of care’, featuring Mental Well Being Consultant Julie Gillespie. Julie shares her insights and ideas, born of her personal experiences, to help develop a culture that identifies and supports those experiencing challenges and difficulties, and that also benefits the workplace. The podcast was timely as it preceded this year’s R U OK Day, which took place on Thursday, September 9. This year’s message focused on asking friends, families and colleagues if they’re really ok. Because of the volume of people experiencing isolation, frustration and helplessness, every day is an opportunity to consider, “What can I do to make a positive influence on my own mental wellbeing and/or for the people in my life more often?”.

Here at AUSCERT, we gathered in our HQ for a morning tea to reconnect and then took a stroll after lunch along some scenic walking paths nearby for a good chat and some fresh air. If you’re feeling depressed, angry, stressed, fearful, anxious or alone, visit: ruok.org.au/findhelp

Hackers leak passwords for 500,000 Fortinet VPN accounts
Date: 2021-09-08 Author: Bleeping Computer
A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs
Date: 2021-09-06 Author: iTnews
Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn. ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Cybersecurity is tough work, so beware of burnout
Date: 2021-09-06 Author: ZDNet
Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

Ransomware: Take these three steps to protect yourself from attacks and make it easier to recover
Date: 2021-09-08 Author: ZDNet
Microsoft has shared three key steps organizations can take to ensure a ransomware attack doesn’t cripple their entire network in an attempt to extract a multimillion dollar ransom or leak sensitive corporate data on the internet. Microsoft developed the three-step advice as part of its feedback to the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST)’s recent call for expert approaches to preventing and recovering from ransomware and other destructive cyberattacks.

Protecting yourself from phone porting and SIM card scams
Date: 2021-09-07 Author: ABC Everyday
To get around the increased restrictions on SIM porting, scammers may impersonate your telco to get the verification code. “To port the number, for example, some telcos might require an authentication code. The criminal knows that. They also know the number of the person they’re trying to exploit.” “They’ll arrange for that code to be sent via text, then the criminal will call the victim and impersonate the telco and say, ‘Look, I noticed that there has been some unauthorised access on your account. We’ve sent you a verification code, can you confirm that to me?’”

ESB-2021-3048 – WordPress 5.8.1 Security and Maintenance Release
Plethora of security patches for new WordPress release.

ESB-2021.3045 – firefox-esr security update
Mozilla Firefox arbitrary code execution vulnerabilities.

ASB-2021.0179 – FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
SSL-VPN data leaked for FortiGate by malicious actor this week.

ASB-2021.0177 – Microsoft MSHTML Remote Code Execution Vulnerability
Actively exploited RCE vulnerability in MSHTML, with mitigation recommendations.

ESB-2021.2994 – squashfs-tools security update
Vulnerability in squashfs allowing attackers to overwrite arbitrary files.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 3rd September 2021

3 Sep 2021

Greetings,

Last week, AUSCERT alerted members regarding a remote code execution vulnerability present in certain versions of Atlassian Confluence (CVE-2021-26084). Where it was possible to identify internet-facing Confluence instances of our members, notifications were sent last Friday, August 27. We published ESB-2021.2901 on the same day. Read more in this Bleeping Computer article.

Members, we need you! AUSCERT is always looking for ways to increase our value to you and would like your feedback. Specifically, your thoughts regarding AUSCERT delivering Cyber Tabletop Exercises as a paid service, like we currently do for cyber security training. If you’d like to get involved, please complete this survey so that we can evaluate the need for this service and what would suit your organisation.

A recent spate of unsolicited text messages has offered a timely reminder that SMS is often used by scammers. Unidentified texts that don’t have an option to unsubscribe are key identifiers of potential scams, often seeking personal information and in some cases containing malware that can compromise your phone’s security. Scammers like to disguise their deceit by using shortened URLs that hide the original domain names and, in some instances, malware that can download and execute once the link has been clicked. There are many ways this method is being used, with examples seen in this We Live Security article.

Have a great weekend!

NPM package with 3 million weekly downloads had a severe vulnerability
Date: 2021-09-03 Author: Ars Technica
Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
Date: 2021-08-19 Author: Cloudflare
Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that we’re aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

ACSC cyber security challenge
Date: 2021-08-31 Author: Cyber.gov.au
The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021.

Data privacy, governance and insights are all important obligations for businesses
Date: 2021-08-31 Author: TechRepublic
TechRepublic’s Karen Roby spoke with Kon Leong, CEO and co-founder of ZL Technologies, a data management company, about data privacy and governance. […] for the last seven decades or more, IT has focused on data that was primarily all siloed. Siloed applications generating siloed data. And now here comes a slew of legislative initiatives that say, “OK, we’re looking at privacy, and by the way, no data is exempt. Therefore, we don’t make exemptions for silos. So to manage it, you have to de-silo effectively.” And are you kidding me? You’re going to undo 70 years of IT infrastructure? So we’re still kind of scratching our heads and saying, how do we get this done?”

Maths, encryption, and quantum computing
Date: 2021-08-18 Author: COSMOS Magazine
“Factorisation, which is used for the current classical public key cryptography, is easy [to break] on quantum computers. Factorisation is simple. You can factor long integers and break RSA on Quantum. It’s quite easy. So now we are trying to design the cryptography, which will be resistant against quantum computing.” Instead of using integer factorisation, other mathematical approaches need to be used to circumvent the sheer ‘brain’ power quantum computers will possess. One of the mathematical tools being used to construct quantum-resistant encryption is the Geometry of Numbers, or Lattice Theory.

ASB-2021.0176 – Microsoft Security Update Release for Microsoft Edge (Chromium-based)
Fixes for multiple critical vulnerabilities for Microsoft Edge, most of which first appeared in Chrome a couple of days earlier.

ESB-2021.2981 – qemu security update
Various bugs in the qemu emulator leading to DoS and code execution from malicious guests.

ESB-2021.2968 – USN-5051-4: OpenSSL regression
OpenSSL on Ubuntu 14.04 ESM, and only 14.04, introduced a regression while fixing CVE-2021-3712.

ESB-2021.2953 – sssd security update
The System Security Services Daemon (SSSD) allowed shell command injection, permitting root escalation if a root user was tricked into running a specially crafted command.

ESB-2021.2949 – Security update for mysql-connector-java
This patch prevents unauthenticated attackers compromising the Java connector for MySQL.

Stay safe, stay patched and have a good weekend!
Bek, Tom & David


Blogs

APCERT CYBER DRILL 2021

1 Sep 2021

The progression toward a growing reliance on the e-economy within the Asia Pacific region requires ongoing protection of the various infrastructures integral to political and economic stability and security. The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking. This year’s theme, “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”, reflects real-world incidents and issues experienced globally.

As a founding member, AUSCERT has participated in every drill since their inception, with Operations Manager Geoff Thonon stating that the drill is “More important than ever”. “Whilst there is a time limit, the purpose of the drill isn’t to identify the fastest (CERT) team but rather, to work collaboratively to challenge and develop everyone’s skills”, Geoff continued.

The experiences and tasks conducted by each participating team allow for knowledge sharing, with no CERT typically experiencing the same issues or providing like-for-like services. The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants the chance to improve communication protocols, technical responses and the overall quality of incident responses.

Although undertaken in a few hours, the lessons learned from the experience can continue long after. Analysing the challenges, choices and responses of teams provides an insight into the various perspectives of other participants. “The information available to each team from the drill provides a greater understanding of the how and why that can lead to year-round training and development for staff”, Geoff stated.

With 26 CERTs from 20 economies within the Asia Pacific region taking part, there is a wealth of knowledge and experience to draw upon in the quest for ongoing learning and growth within the sector. As each drill typically requires six to eight months of planning and preparation, the 2022 APCERT Cyber Drill will soon be underway – the ongoing need for education and skill enhancement a reflection of the rapid development of the digital world we now reside in!


Week in review

AUSCERT Week in Review for 27th August 2021

27 Aug 2021

Greetings,

Hot topic of the week is the recently passed bill which will allow the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to access the computers and networks of those suspected of conducting criminal activity online, which raises the question: ‘How do we as a CERT tell the difference between a hacked system and a legally compromised one?’ You can read more through these articles from ZDNet and InnovationAus.

This week AUSCERT joined teams from 21 other countries to take part in the annual APCERT Drill, designed to improve regional responses to emerging cyber security threats. The theme of this year’s APCERT Drill was “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”. This exercise reflected real incidents and issues that exist on the Internet. The participants handled a case of a supply chain attack triggered by spear phishing. Narayan and Vishaka represented team AUSCERT and did an outstanding job, especially considering it was their first time. We are proud of the contribution by Geoffroy Thonon, our Operations Manager, who was part of the planning committee that worked tirelessly to deliver the drill.

Great news for Members! You can now opt to receive AUSCERT Bulletins as a daily digest issued at the end of each business day. Subscribe now through the Member Portal; instructions can be found here. Alternatively, you can send an email to the membership team.

Today is Wear it Purple Day, which is a way to show young LGBTIQ+ members of the community that they have a right to be proud of who they are. The aim is to create safe spaces in schools, universities, workplaces and public areas to show LGBTIQ+ people they are supported and belong.

Have a great weekend!

T-Mobile breach hits 53 million customers
Date: 2021-08-23 Author: iTnews
Cellular operator T-Mobile US said an ongoing investigation into a data breach revealed that hackers accessed personal information of an additional 5.3 million customers, bringing the total number of people affected to more than 53 million. The third largest US wireless carrier had earlier said that personal data of more than 40 million former and prospective customers was stolen along with data from 7.8 million existing T-Mobile wireless customers.

COVID vaccine certificates can be forged within 10 minutes due to ‘obvious’ security flaw
Date: 2021-08-23 Author: ABC News
Near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered. Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery. The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.

Australian businesses stop reporting ransomware attacks over exfiltration doubts
Date: 2021-08-23 Author: iTnews
Australian businesses are incorrectly relying on what they think is a loophole in notifiable data breach laws to avoid reporting ransomware infections. The Office of the Australian Information Commissioner (OAIC) warned that “a number of entities” in the six months to June 2021 didn’t report ransomware attacks because they could not prove whether or not data was accessed or stolen.

38 million records exposed by misconfigured Microsoft Power Apps. Redmond’s advice? RTFM
Date: 2021-08-23 Author: The Register
Forty-seven government entities and privacy companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant’s Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. That led the security shop to look at other Power Apps portals and its researchers found over one thousand apps configured to make data available to anyone who asked.

Microsoft warns thousands of cloud customers of exposed databases
Date: 2021-08-27 Author: Reuters
Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. [NB: This is separate from the Power Apps issue above.]

Atlassian warns of critical Confluence flaw
Date: 2021-08-26 Author: The Register
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw. The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

ASB-2021.0175 – Microsoft Edge (Chromium-based): Reduced security – Remote with user interaction
Please update Microsoft Edge to 92.0.902.78 to address multiple CVEs.

ESB-2021.2865 – F5 BIG-IP Products: Multiple vulnerabilities
Multiple vulnerabilities in BIG-IP Products have been patched by F5.

ESB-2021.2871 – Application Policy Infrastructure Controller: Multiple vulnerabilities
Cisco has released multiple advisories to patch against different vulnerabilities.

ESB-2021.2901 – Atlassian Confluence Server and Data Center: Execute arbitrary code/commands – Remote/unauthenticated
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 20th August 2021

20 Aug 2021

AUSCERT Week in Review for 20th August 2021 Greetings, Yesterday the ACSC issued an alert about cybercriminals targeting the Microsoft Exchange ProxyShell exploit chain. Patches were issued for these vulnerabilities in April and May 2021 so a timely reminder to stay on top of patch updates. Our Operations Team conducted a Shodan search of the involved CVEs which produced 136 records affecting 42 of our member organisations who had servers exposed to the internet reporting software versions that were potentially vulnerable. These members have all been contacted today to ensure they are protected. Our latest blog post on Using threat intelligence to produce a cyber defence strategy was published today by our Senior Manager, Mike Holm. Have a great weekend everyone. One big ransomware threat just disappeared. Now another one has jumped up to fill the gap Date: 2021-08-13 Author: ZDNet The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world. It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice. Secret terrorist watchlist with 2 million records exposed online Date: 2021-08-16 Author: Bleeping Computer A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. 
The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status. Linux glibc security fix created a nastier Linux bug Date: 2021-08-16 Author: ZDNet The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something! The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. Fortinet slams Rapid7 for disclosing vulnerability before end of 90-day window Date: 2021-08-17 Author: ZDNet A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue. Rapid7 said one of its researchers, William Vu, discovered an OS command injection vulnerability in version 6.3.11 and prior of FortiWeb’s management interface. The vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page. Rapid7 said the vulnerability was related to CVE-2021-22123, which was addressed in FG-IR-20-120. 
The company added that in the absence of a patch, users should “disable the FortiWeb device’s management interface from untrusted networks, which would include the internet.” Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices Date: 2021-08-17 Author: Mandiant Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices. Reducing the threat of day one exploits Date: 2021-08-10 Author: APNIC Blog Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits. Day one exploits are responsible for attacks such as the recent Microsoft Exchange attack that compromised hundreds of thousands of organizations. That attack began as a zero-day exploit and was followed by numerous day one exploits once the vulnerabilities were announced. Day one exploits were also used by Iranian threat actors about a year ago to gain access to financial sector networks via published VPN vulnerabilities. 
Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
Date: 2021-08-17
Author: The Hacker News

A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in Internet Explorer browser.

ASB-2021.0136.2 – UPDATE ALERT Microsoft Print Spooler: Increased privileges – Existing account
Microsoft’s out-of-band critical update addresses a Windows Print Spooler Elevation of Privilege Vulnerability

ESB-2021.2739 – MozillaFirefox: Multiple vulnerabilities
Mozilla releases an update that fixes 6 vulnerabilities in Firefox

ESB-2021.1489.2 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities
Initial advisory released on 30 April 2021 updated to include newly disclosed details about vulnerable Blackberry QNX-based products

ESB-2021.2808 – ALERT Small Business RV series routers: Multiple vulnerabilities
A vulnerability in Cisco’s Small Business RV series routers allows Remote Command Execution and Denial of Service

ESB-2021.2777 – Adobe Photoshop: Execute arbitrary code/commands – Existing account
Adobe’s updates for Photoshop for Windows and macOS resolve multiple critical vulnerabilities

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
Microsoft has released an out-of-band update to address a Windows Print Spooler Remote Code Execution Vulnerability

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

Using threat intelligence to produce a cyber defence strategy

20 Aug 2021

Very few practitioners need to be told of contemporary cyber threats such as ransomware; it has found its way into the common language of risk assessments, disaster recovery plans and mainstream media alike. But what can be done other than writing playbooks and practicing response plans, following the Essential 8 and blocking known malicious indicators?

Those organisations with a strategic approach to cyber defence will more likely survive a ransomware attack, and consideration of an attacker’s motive may be key towards mounting a successful defence. For example, if the motive is purely financial and the attacker causes significant business disruption if the ransom demand is not met, what controls can prevent this? However, if the motive is to hold to ransom the intellectual property, customer database or another information asset, should priority instead be given to controls which detect and mitigate data exfiltration? Whilst senior management’s risk tolerance level may be “we must implement all possible countermeasures,” few organisations will have the luxury of doing so.

Utilising available data sets to form operational “cyber threat intelligence” can help mitigate harmful events such as ransomware attacks. Most importantly, to do so is within the reach of most organisations following the explosion of available open-source tools and data sets. Such “tactical” cyber threat intelligence usually consists of Indicators of Compromise (IoCs) – technical data such as known bad IP addresses, URLs, emails and file hashes.

Here is where the value proposition of CERTs (Cyber Emergency Response Teams) pays off: not-for-profit organisations providing open source and member-funded services, passionate teams consisting of analyst, dev-ops and engagement functions, CERTs are trustworthy due to their independent status. CIRCL from Luxembourg famously produce the Malware Information Sharing Platform (MISP) and tactical data feeds, used worldwide by other CERTs including AUSCERT, governments and private enterprise.

Many organisations do not have resources beyond the tactical level; however, simply using tactical feeds of IoCs has been shown to be effective in detecting or even preventing the initial stages of a ransomware attack. Relevant and concise IoCs may be used in content filters, centralised logging, SIEM or even custom-scripted solutions to hunt or block threats. AUSCERT’s Malicious URL Feed is an example of a high-confidence, low-volume feed, usually consumed in an automated fashion but also suitable for manual threat hunting, depending upon the consumer’s available resources.

Members of AUSCERT’s MISP community can study operational intelligence such as attackers’ tools, techniques and procedures, even visually. A “mind map” connects similar events and data, allowing members to correlate campaigns and understand the techniques used in incidents such as ransomware attacks, for example. Organisations can then form strategic plans regarding the risks associated with cyber threats.

Most importantly of all, a collaborative approach must be foremost in discussions regarding cyber defence strategy. A common misconception is that sharing threat information may compromise competitive advantage; however, a particular strength of CERTs is coordinating, anonymising and analysing incident data, and then providing operational intelligence to members – even entire sectors. Have you included your local CERT in your IR (Incident Response) plans?

Mike Holm
Senior Manager, AUSCERT
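The post describes consuming a tactical IoC feed in a "custom-scripted solution" to hunt through centralised logs. The script below is an added illustration of that idea, not AUSCERT's code or the format of its Malicious URL Feed: it assumes a constructed feed in a simple one-indicator-per-line "type:value" layout, loads it into per-type sets, and matches it against constructed proxy and endpoint log lines. It normalises URLs (scheme and host case, query string dropped) so that a feed URL still hits when the log records it with different casing or tracking parameters, and it treats a domain indicator as covering its subdomains.

```python
"""Match tactical IoCs (IPs, domains, URLs, SHA-256 hashes) from a threat feed
against proxy and endpoint log lines.

Added example: the feed layout ("type:value" per line) and every indicator and
log line below are constructed for illustration; they are not AUSCERT's feed
format or real indicators."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed. Only documentation ranges / example domains are used.
SAMPLE_FEED = """\
# constructed sample indicators
ip:203.0.113.45
domain:dropper.example
url:http://updates.example/invoice.doc
sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
"""

# Constructed log lines: four proxy records ("<ts> <client> <action> <url> <dest-ip>")
# and one endpoint file-write event that carries a SHA-256.
SAMPLE_LOGS = [
    "2021-08-20T09:01:02Z 10.0.0.15 ALLOW https://intranet.example/ 10.0.0.2",
    "2021-08-20T09:01:09Z 10.0.0.15 ALLOW http://cdn.dropper.example/a.js?x=1 198.51.100.7",
    "2021-08-20T09:02:44Z 10.0.0.21 ALLOW HTTP://Updates.Example/invoice.doc?id=7 203.0.113.45",
    "2021-08-20T09:03:10Z 10.0.0.21 DENY http://www.example.org/ 192.0.2.9",
    "2021-08-20T09:04:00Z host21 FILE_WRITE C:\\Users\\a\\invoice.exe "
    "sha256=2C26B46B68FFC68FF99B453C1D30413413422D706483BFA0F98A5E886266E7AE",
]

_URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    line: str


def _norm_url(url: str) -> str:
    """Lower-case scheme and host, keep the path, drop query and fragment."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}{parts.path or '/'}"


def load_feed(text: str) -> dict:
    """Parse the constructed 'type:value' feed into normalised per-type sets."""
    feed = {"ip": set(), "domain": set(), "url": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        kind, value = kind.strip().lower(), value.strip()
        if kind == "ip":
            feed["ip"].add(str(ipaddress.ip_address(value)))  # rejects junk
        elif kind == "domain":
            feed["domain"].add(value.lower().rstrip("."))
        elif kind == "url":
            feed["url"].add(_norm_url(value))
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"bad sha256 in feed: {value!r}")
            feed["sha256"].add(value.lower())
        else:
            raise ValueError(f"unknown indicator type in feed: {kind!r}")
    return feed


def match_line(feed: dict, line_no: int, line: str) -> list:
    """Return every indicator hit found in one log line."""
    hits = []
    for url in _URL_RE.findall(line):
        try:
            norm, host = _norm_url(url), (urlsplit(url).hostname or "")
        except ValueError:  # malformed URL in the log; skip rather than crash
            continue
        if norm in feed["url"]:
            hits.append(Hit(line_no, "url", norm, line))
        for dom in feed["domain"]:  # a domain indicator covers its subdomains
            if host == dom or host.endswith("." + dom):
                hits.append(Hit(line_no, "domain", dom, line))
    for ip in _IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matched the loose regex
            continue
        if ip in feed["ip"]:
            hits.append(Hit(line_no, "ip", ip, line))
    for digest in _SHA256_RE.findall(line):
        if digest.lower() in feed["sha256"]:
            hits.append(Hit(line_no, "sha256", digest.lower(), line))
    return hits


def scan_logs(feed: dict, lines) -> list:
    """Run match_line over an iterable of log lines (1-based numbering)."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(match_line(feed, n, line))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(load_feed(SAMPLE_FEED), SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} match on {hit.indicator}")
```

On the constructed input this reports a domain hit on line 2 (subdomain of the listed domain), a URL and an IP hit on line 3 (despite the upper-case scheme and host and the extra query parameter), and a hash hit on line 5 (despite the upper-case hex). The same approach scales to a real feed by swapping `SAMPLE_FEED` for the feed file and `SAMPLE_LOGS` for a log iterator; exact-match sets keep it fast enough to run over a day's proxy logs.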


Week in review

AUSCERT Week in Review for 13th August 2021

13 Aug 2021

Greetings,

Anyone else feel like we are stuck in Groundhog Day? Another Patch Tuesday and PrintNightmare refuses to leave us. Microsoft released updates for at least 44 security vulnerabilities including another Print Spooler flaw. Since the update earlier this week, another bug has been identified with no patch yet released. For more details and a workaround check out this great write up from ZDNet.

Following on from the Apple announcement last week about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content, check out the Schneier on Security blog for a great collation of articles and information.

We are excited to share Episode 4 of the AUSCERT “Share today, save tomorrow” podcast series! Episode 4 titled “Cyber security awareness and team culture” features Brian Hay from Cultural Cyber Security and Tracey Weeks from Queensland Health. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

Have a great weekend everyone.

Microsoft Exchange servers scanned for ProxyShell vulnerability; patch now
Date: 2021-08-07
Author: Bleeping Computer
[See ASB-2021.0127 and 0103]

Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together. […] While both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update. Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.
Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
Date: 2021-08-10
Author: Bleeping Computer

Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers. In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges. Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion. However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows. Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

Opinion: Why Australia’s Online Safety Act is an abdication of responsibility
Date: 2021-08-12
Author: ZDNet

The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work. This brain package always includes two naive and demonstrably false beliefs. One is that safe backdoors exist so that all the good guys can come and go as they please without any of the bad guys being able to do the same. The other is that everyone will be nice to each other if we know their names. This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.
FlyTrap Android Malware Used to Compromise Facebook Accounts
Date: 2021-08-10
Author: PCMag Australia

Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store. FlyTrap masqueraded as a variety of mobile apps dedicated to “free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium said, and “tricked users into downloading and trusting the application with high-quality designs and social engineering” before attempting to gain access to their Facebook accounts.

Hacker is returning $600M in crypto, claiming theft was just “for fun”
Date: 2021-08-13
Author: Ars Technica

The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”

ESB-2021.2679 – MISP: Cross-site scripting – Remote with user interaction
MISP 2.4.148 released including many bugs fixed along with security fixes.

ASB-2021.0168 – Microsoft Office Products & Services and Web App Products: Multiple vulnerabilities
SOC analyst: Are you going to fix PrintNightmare Microsoft? Microsoft: No sir! but here is something you also need to worry about.

ASB-2021.0173 – Azure Products: Multiple vulnerabilities
SOC analyst: *finally finished with the update of Office Products* Microsoft: Excuse me sir! This one too.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
SOC Analyst: OK! I have patched the Office and Azure products. PrintNightmare: Did you miss me?

ESB-2021.2686 – Firefox: Multiple vulnerabilities
Chrome: We have released multiple patches this month. Firefox: Hold my beer!
ESB-2021.2705 – Intel Ethernet Linux Driver: Multiple vulnerabilities
Potential security vulnerabilities in some Intel Ethernet Controllers have been addressed in the recent update. Win/Mac users: Oh no! Anyway!

Stay safe, stay patched and have a good weekend!
Bek and Narayan on behalf of The AUSCERT team


Podcast

Podcast Ep 4: Cyber security awareness and team culture

13 Aug 2021

In this episode, AUSCERT features the following guests:
> Tracey Weeks, Manager of Cyber Security (Training and Awareness) in the Cyber Security Group at eHealth Queensland – Queensland Health
> Brian Hay, Executive Director at Cultural Cyber Security
> Dr David Stockdale, AUSCERT Director

LISTEN HERE: “Share today, save tomorrow” Ep 4: Cyber security awareness and team culture

Tracey Weeks has a career spanning 27 years in Queensland Health and 10 years’ experience in the field of cyber security in the healthcare sector; she leads her team within the Cyber Security Group driving cultural change across the state in cyber security awareness, with the focus on the workforce being the key to ensuring the protection of Queensland Health information and service delivery.

Brian Hay has a rare blend of cyber security skills and business attributes. Long considered a Thought Leader in the world of Cyber Security, he learned his craft not from the technical demands of the industry but rather by focusing on the activities of organised crime and cyber criminals.

David provided a current update on what has been happening at AUSCERT since episode 3 of this podcast series. In particular, AUSCERT’s new training offering aimed at increasing cyber awareness for school professionals, our recent event and partnership with Baidam Solutions and trends from the recent AUSCERT Quarter 2, 2021 Report.

This episode was hosted by Anthony Caruana and Bek Cheb. The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.


Week in review

AUSCERT Week in Review for 6th August 2021

6 Aug 2021

Greetings,

A hot topic at the moment is the announcement from Apple about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content. There is a lot of concern in the industry about the potential for misuse as well as mission creep; the team at Stanford Internet Observatory have a great discussion on the topic and The Register has a great article if you’d like to learn more.

The next episode of our podcast “Share Today, Save Tomorrow” will launch soon; this is a great time to jump on and listen to our first 3 episodes. Great stories from our cyber community as well as up to date news from the AUSCERT team. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

With so much of the country in lockdown (including the AUSCERT team) we hope everyone is keeping well and finding ways to keep spirits up. Our team has been sharing their coping techniques as well as music and book recommendations, which is keeping us all connected as well as entertained.

Have a great weekend everyone.

ACSC survey for Australian critical infrastructure organisations
Date: 2021-08-02
Author: cyber.gov.au

The Australian Cyber Security Centre is asking Australian critical infrastructure providers and operators to take part in a confidential survey to help identify operational technologies used by their organisation.

Cisco fixes critical, high severity pre-auth flaws in VPN routers
Date: 2021-08-04
Author: Bleeping Computer
[See ESB-2021.2626 and 2627.]

Cisco has addressed pre-auth security vulnerabilities impacting multiple Small Business VPN routers and allowing remote attackers to trigger a denial of service condition or execute commands and arbitrary code on vulnerable devices.
The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.

How the Dark Web enables access to corporate networks
Date: 2021-07-28
Author: TechRepublic

The Dark Web is home to a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services. Advertisements and forum messages hawk everything from credit cards and bank accounts to medical records to account credentials to fake IDs to counterfeit products. But one of the most lucrative items up for sale is network access. Getting the keys to an organization’s entire network can easily pave the way for a host of attacks, including malware, data exfiltration, corporate espionage, and ransomware. A report released Wednesday by security provider Positive Technologies looks at the selling of network access on the Dark Web and examines how this threat continues to grow.

How data-driven patch management can defeat ransomware
Date: 2021-08-02
Author: VentureBeat

Ransomware attacks are increasing because patch management techniques lack contextual intelligence and historical data needed to model threats based on previous breach attempts. As a result, CIOs, CISOs, and the teams they lead need a more data-driven approach to patch management that can deliver adaptive intelligence reliably at scale. Ivanti’s acquisition of RiskSense, announced today, highlights the new efforts to close the data-driven gap in patch management.

What covid apps can teach us about privacy, utility and trust in app design
Date: 2021-08-03
Author: Salinger Privacy

The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology.
With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

ASB-2021.0166 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft Edge has been updated to 92.0.902.67 that addresses multiple vulnerabilities.

ESB-2021.2607 – Google Chrome: Multiple vulnerabilities
The stable channel update for Google Chrome has been released to address multiple vulnerabilities.

ESB-2021.2626 – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers: Multiple vulnerabilities
Multiple vulnerabilities in the web-based management interface of the Cisco Small Business Dual WAN Gigabit VPN Routers could lead to Remote Code Execution.

ESB-2021.2640 – wordpress: Multiple vulnerabilities
Object injection vulnerability in PHPMailer affects WordPress.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 30th July 2021

30 Jul 2021

Greetings,

Thank you to those who were able to join us for our delayed NAIDOC event with team Baidam Solutions earlier this week. We are extremely grateful that in Brisbane we were able to meet and celebrate together (while of course following strict COVID guidelines).

Of note this week, Apple released security updates to address a vulnerability (CVE-2021-30807) for macOS, iOS and iPadOS in which an application may be able to execute arbitrary code with kernel privileges. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Until next week everyone, have a great weekend.

Apple releases fix for iOS and macOS zero-day, 13th this year
Date: 2021-07-26
Author: The Record by Recorded Future
[See ASB-2021.0165.]

Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild. Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device’s memory handles the screen display—the screen framebuffer, to be more exact. According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device.

More than half of all Aussies continue to encounter forms of cyber scams in 2021
Date: 2021-07-23
Author: ZDNET

Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India which recorded 69% of people encountered a tech support scam. The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average which came in at 59%, five points lower than in 2018.
Google announces new bug bounty platform
Date: 2021-07-27
Author: ZDNet

Google has announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program. The program led to a total of 11,055 bugs found, 2,022 rewarded researchers and nearly $30 million in total rewards.

A Controversial Tool Calls Out Thousands of Hackable Websites
Date: 2021-07-27
Author: WIRED

The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.

ASB-2021.0165 – Apple IOMobileFrameBuffer vulnerability
Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, an arbitrary code execution vulnerability

ESB-2021.2561 – Security update for qemu
Multiple vulnerabilities identified in qemu with a security update released by SUSE

ESB-2021.2548 – Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3)
SUSE security update for the Linux kernel, multiple vulnerabilities

ESB-2021.2531 – USN-5022-1: MySQL vulnerabilities
MySQL vulnerabilities discovered with security fixes and bug patches released

Stay safe, stay patched and have a good weekend!
The AUSCERT team
