Blogs

Safer Internet Day 2021 — how you can #StartTheChat

8 Feb 2021

This blog was originally published via Medium here.

This year, Orange Digital has joined forces with our friends at AUSCERT to raise further awareness about ‘Safer Internet Day 2021’ on Tuesday, February 9th. This year marks the 18th anniversary of this very important day and is all about bringing the global community together with the purpose of making online experiences better for everyone.

Over the last 12+ months, we can all agree that the internet has been critical in connecting people for work, learning, socialising, and more. If you told us at the beginning of 2020 that remote work and education would be a ‘new kind of normal’, chances are you wouldn’t have believed it. A recent study from The Economic Times revealed that the largest share of HR managers (42%) said their organisations will continue to operate with remote work, with almost 40% of respondents saying they will follow a hybrid work structure alternating between WFH and in-office days. The study also found that these organisations expect to keep working from home in 2021 and to operate under a hybrid model for the next 5 years. Facebook data points the same way, predicting that over half of the Australian workforce will be fully remote within the next 10 years. With these stats in mind, it’s clear that we’re moving towards a large majority of jobs becoming location-agnostic.

This leads me to the 2021 Safer Internet Day theme: “Together for a better Internet”. At a time when online communication and connection is at an all-time high, we each have a part to play in the chat about online safety at home, school, work, and within the community.

AUSCERT, Australia’s pioneer Cyber Security Response Team, is on the front foot in the realm of online safety and recently shared a very handy resource from their colleagues at UQ ITS to raise awareness for Safer Internet Day and share advice on how to protect your data and your family. You can read the full article here.

“As we know, cyber-criminals are adept at exploiting people via the Internet, so it’s important to know what to look out for…”

At last year’s AUSCERT2020 conference, Australian eSafety Commissioner Julie Inman-Grant also spoke on the topic of “Online Safety during & after Covid-19”. As we gear ourselves for the year ahead, this topic remains extremely pertinent.

When we approached AUSCERT to discuss Safer Internet Day, Mike Holm, AUSCERT Senior Manager, shared that AUSCERT is actively encouraging members and the greater public to #StartTheChat. As Australia’s pioneer Cyber Security Response Team, AUSCERT is focused on helping its members prevent, detect, respond to and mitigate cyber-based attacks, while also engaging members by empowering their people, capabilities, and capacities.

To #StartTheChat within your workplace, eSafety provides a range of online safety information and resources to share with your colleagues. Check it out here. There are also plenty of free resources and activities to help you #StartTheChat with students, family, friends, and the community during 2021.


Week in review

AUSCERT Week in Review for 5th February 2021

5 Feb 2021

Greetings,

This week we’re thrilled to announce our 2nd keynote for AUSCERT2021 – Maddie Stone from Google’s Project Zero. Maddie will be joining us virtually from the USA. Her work as a Security Researcher focusing on 0-days actively exploited in the wild will be of tremendous value to our conference delegates. We look forward to welcoming her to our stage in May!

A reminder that we will be hosting our very first event for the year, a joint webinar session with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

Members, look out for a copy of our membership newsletter, aka The Feed, landing in your inbox early next week. Our first edition for the year will be a bumper one with updates on our strategy for the year, how to optimise your engagement with our team, an update on the AUSCERT2021 conference and a section featuring AUSCERT in the media.

Last but not least, be sure to catch up on our summary of critical vulnerabilities and patches affecting SonicWall and Apple. The list of relevant bulletins and further details can be found below.

Until next week, have a good weekend.

SonicWall fixes actively exploited SMA 100 zero-day vulnerability
Date: 2021-02-03 Author: Bleeping Computer
SonicWall has released a patch for the zero-day vulnerability used in attacks against the SMA 100 series of remote access appliances. On January 22nd, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in the SMA 100 series of SonicWall networking devices. A little over a week later, cybersecurity firm NCC Group discovered a zero-day vulnerability for the SonicWall SMA 100 that was actively being exploited in the wild. SonicWall later confirmed the zero-day vulnerability and announced that owners could use the built-in Web Application Firewall (WAF) to neutralize the vulnerability. As the WAF requires a paid license, SonicWall has added a free 60-day WAF license to all registered SMA 100 series devices running 10.X code. Today, SonicWall has released SMA 100 series firmware 10.2.0.5-29sv, which fixes the actively exploited zero-day vulnerability in the SMA 100 series of devices. [The WAF licence was a stop-gap; the firmware update is the fix. See ASB-2021.0037.2 below.]

Apple releases macOS Big Sur 11.2 plus security updates for Catalina and Mojave
Date: 2021-02-02 Author: iTWire
[See related AUSCERT Security Bulletin ESB-2021.0349.]
Apple has released macOS Big Sur 11.2 along with corresponding security updates for Catalina and Mojave. Between them, Big Sur 11.2 and this year’s first security updates for Catalina and Mojave address more than 60 vulnerabilities. Apple’s notes state that two of the vulnerabilities are reportedly being actively exploited. One allows arbitrary code execution, the other enables privilege escalation.

Emotet, now neutralised, may have friends you’ll want to clean off your systems.
Date: 2021-02-01 Author: AUSCERT
News broke last week regarding an internationally coordinated action against Emotet, known as the “world’s most dangerous malware”. Via Europol: “This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).” Our team has written a blog piece and shared our thoughts on the initiative.

A Second SolarWinds Hack Deepens Third-Party Software Fears
Date: 2021-02-02 Author: Wired
It’s been more than two months since revelations that alleged Russia-backed hackers broke into the IT management firm SolarWinds and used that access to launch a massive software supply chain attack. It now appears that Russia wasn’t alone; Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products last year at around the same time, apparently hitting the US Department of Agriculture’s National Finance Center.

Ransomware gangs made at least $350 million in 2020
Date: 2021-02-02 Author: ZDNet
Ransomware gangs made at least $350 million in ransom payments in 2020, blockchain analysis firm Chainalysis said in a report last week. The figure was compiled by tracking transactions to blockchain addresses linked to ransomware attacks. Although Chainalysis possesses one of the most complete sets of data on cryptocurrency-related cybercrime, the company said its estimate was only a lower bound of the true total, because not all victims disclosed their ransomware attacks and subsequent payments last year; the real total is likely many times larger than what the company was able to see.

ESB-2021.0349 – ALERT macOS Big Sur, macOS Catalina & macOS Mojave: Multiple vulnerabilities
Apple released new updates for macOS. Quite a few vulnerabilities this time around, including possible exploits in the wild.
ESB-2021.0352 – ALERT iOS & iPadOS: Multiple vulnerabilities
The possible active exploits mentioned above were also present in Apple’s iOS and iPadOS advisory. Get those mobile devices updated as well.
ASB-2021.0037.2 – SonicWall Confirms SMA 100 Series 10.X Zero-Day Vulnerability
SonicWall has released firmware updates to fix the zero-day vulnerability in its SMA 100 product. It is recommended that users patch ASAP.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

Emotet, now neutralised, may have friends you'll want to clean off your systems.

1 Feb 2021

April 25th 2021[1] is now going to be on everyone’s mind in the Cyber Security industry. This is the day the Emotet botnet, as we know it, will be “reset”[2]. However, the method of the reset is interesting and places CERTs, the police forces and criminals[3] in a strange interaction that may create friction within their shared end-goal of protecting end-users.

Emotet is arguably a botnet that deserves the attention it has gotten – to be taken down. It seems that it has gained that attention from operation “Ladybird”[4], which neutered the botnet as it now stands. But what now? And what about the efforts to protect end-users by parties other than law enforcement agencies?

The attention Emotet attracted brought together some amazing groups of people who feed the information security industry details about which domains and connections should be deemed indicative of infected end-points. Cryptolaemus[5] is one such group that comes to mind. Under normal circumstances, information such as this – indicators of compromise (IoCs) – is sent to the security team, who then most likely block the connections and identify affected end-points. But this very action of blocking connections may now be working against the actions taken to neuter the Emotet botnet. The controlling servers that distribute updates to the botnet have been seized and are now controlled by the Dutch Police[2], and the Emotet code has been altered so that the new code is distributed through them[4]. This new code is said to include a kill-switch controlled by a date, that date being April 25th 2021 at 12:00, and the new code is now being delivered[6].

So now we have an industry that protects by not letting end-points connect to or interact with command and control servers, and another hoping that there will be further interactions so that the latest version of Emotet, containing the kill-switch code, will be downloaded! If this does not sound like complementary efforts, then you may have a point for conversation. Add to this mix the signal sent to management and leadership teams around the world – that the botnet is neutered – which may provide a false sense of security.

It’s worth noting and reiterating at this point that Emotet is not a be-all and end-all piece of malware but rather a platform that allows other malware to be installed[4][7][8]. Threat hunting should not be halted; rather, it should be given more resources because of one contrarian fact. If you did not block connections to Emotet’s C2[9], then you may now have a neutered, kill-switched version of Emotet courtesy of the Dutch police; otherwise it is still lingering in its present active form. And anything Emotet downloaded before that neutered version was installed may still be active on your end-points.

Now that it is clear that threat hunting gets no break from this botnet takeover, there are a few twists to this event that need to be investigated. Although this blog piece may not be able to provide all the answers, here are some questions a takeover of a botnet raises and possible reasons behind it.

Why the choice of April 25th 2021 at 12:00[1][10] for the kill-switch, and why should the sector wait so long?[11][12]
The idea behind such a long wait is that, now that the botnet has been neutered[13], there is a window to look for “…Emotet malware and see if other gangs used it to deploy other threats…”, as Randy Pargman stated to ZDNet[2]. In essence, the use of Emotet as a beacon to find other installed malware may work.
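The “beacon” idea above is only useful if the security team hunts the end-points behind the traffic rather than just dropping it at the proxy. As an added example (not part of the AUSCERT post), here is how an indicator feed such as the Cryptolaemus paste can be run over a web-proxy log to list every internal client that tried to reach Emotet infrastructure, whether the proxy allowed or denied the request. The indicator feed and the Squid-style log lines are constructed for this example: the domains are reserved example names and the addresses are RFC 5737 documentation ranges, not real Emotet infrastructure. The log layout (epoch time, duration, client, result code, bytes, method, URL) follows Squid’s native access.log format.

```python
"""Hunt for end-points that talked to known C2 infrastructure, using a proxy log.

Added example, not AUSCERT's code. The indicator list and the log lines are
constructed for illustration (reserved example domains, RFC 5737 documentation
addresses), not real Emotet indicators. In practice, load the indicator feed
and your own proxy export in place of the two strings below.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator feed: one host or host:port per line, '#' comments allowed.
IOC_FEED = """
# placeholder C2 indicators (constructed, not real)
198.51.100.23:8080
203.0.113.7:443
update.example.net
cdn-check.example.org
"""

# Constructed Squid native access.log lines:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
PROXY_LOG = """
1611708001.123    120 10.20.30.41 TCP_MISS/200 4321 POST http://198.51.100.23:8080/xrx/ - HIER_DIRECT/198.51.100.23 application/octet-stream
1611708002.456     80 10.20.30.42 TCP_MISS/200  512 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1611708003.789    200 10.20.30.41 TCP_MISS/200 9876 GET http://update.example.net/wp-content/a.php - HIER_DIRECT/192.0.2.9 text/html
1611708004.012     90 10.20.30.43 TCP_DENIED/403    0 CONNECT 203.0.113.7:443 - HIER_NONE/- -
1611708005.345     70 10.20.30.44 TCP_MISS/200  300 GET http://cdn-check.example.org:80/ - HIER_DIRECT/192.0.2.10 text/html
"""


def _split_host_port(hostport: str):
    """'1.2.3.4:8080' -> ('1.2.3.4', 8080); 'host' -> ('host', None)."""
    if hostport.count(":") == 1:
        host, port = hostport.rsplit(":", 1)
        if port.isdigit():
            return host, int(port)
    return hostport, None


def parse_iocs(feed: str):
    """Split an indicator feed into (ip_indicators, domain_indicators).

    ip_indicators maps an IP string to a port, or None when any port matches.
    """
    ips, domains = {}, set()
    for line in feed.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, port = _split_host_port(line)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            domains.add(host.lower().rstrip("."))
        else:
            ips[host] = port
    return ips, domains


_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def request_target(method: str, url: str):
    """Return (host, port); CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        host, port = _split_host_port(url)
        return host.lower(), port or 443
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return (parts.hostname or "").lower(), parts.port or default


def matches(host: str, port: int, ips: dict, domains: set) -> bool:
    """True when host[:port] is an indicator or a subdomain of one."""
    if host in ips:
        return ips[host] is None or ips[host] == port
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(log_text: str, feed: str):
    """Map each internal client to the C2 contacts it attempted.

    Denied requests are kept on purpose: a blocked beacon still says the
    end-point is infected and needs cleaning, which is the point of hunting
    rather than only blocking.
    """
    ips, domains = parse_iocs(feed)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        host, port = request_target(m["method"], m["url"])
        if matches(host, port, ips, domains):
            state = "blocked" if m["result"].startswith("TCP_DENIED") else "allowed"
            hits[m["client"]].append((m["ts"], host, port, state))
    return dict(hits)


if __name__ == "__main__":
    for client, contacts in sorted(hunt(PROXY_LOG, IOC_FEED).items()):
        print(client)
        for ts, host, port, state in contacts:
            print(f"  {ts} {host}:{port} ({state})")
```

The output is a per-client list, which is what a hunting team needs: each client that appears, blocked or not, is an end-point to image or clean, and anything Emotet dropped there before the kill-switch version arrived will not be removed by the kill-switch.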
What also works is that media attention on the Emotet botnet takeover may prompt management and leaders to provide threat hunting teams with extra resources over the next two months for chasing Emotet-infected end-points.

What will the kill-switch do?
The name of the sub-routine “uninstall_emotet()”[1][10] looks promising. Beyond that, any service-call implication of software having self-destruct code written by extra-judicial entities and distributed by a botnet is beyond the scope of this article. It may be safe to say that one should get ready for service calls in case there are issues. Looking on the positive side, there are two months of lee-way to find the infected end-points.

Will using a kill-switch, which alters the end-point behaviour without the owner consenting to the change, have any legal ramifications?
You may have to talk to your lawyers about any issues around the law of the jurisdiction within which you are operating. Note that altering software code on an end-point without the owner’s consent may fall foul of some regulations in some jurisdictions. Even if the nations involved in the coordinated action are in agreement to waive responsibilities, Emotet knows no boundaries.

And last but not least… What about the seized data from the C2s?
Yes, the Dutch police may now possibly have all your data that the Emotet botnet exfiltrated. The Dutch police have set up a function where entering an email address on their site triggers an email back to that address stating whether it is in the seized data set[14]. This may work for savvy individuals, but enterprises need to consider enterprise questions, such as the handing over of all email addresses of the organisation to a law enforcement agency in another jurisdiction. The collation of responses from that agency also needs to be considered, before they get flagged as spam or received by the user of the email account. No matter how the enterprise wants to re-route or act on the response, there will be lots of thinking and planning to be done!

The takeover of the Emotet botnet by law enforcement agencies may signal the end of one botnet. Yet today only means that this botnet is no longer a threat; all the damage and installs it has made over time are still a clear and present threat. The clean-up process on one of the most prominent botnets of this decade has only just started. It is hoped that after such media attention, organisations will take this opportunity to inject a bit more resource into cleaning affected end-points and possibly compromised accounts. Perhaps after the clean-up there will be some resources still allocated to implement well-deserved preventative and detective measures. After all, an “ounce of prevention is worth a pound of cure!”[15].

REFERENCES:
[1] https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/
[2] https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-march-25-2021/
[3] Peter Zinn, Sr. High Tech Crime Advisor, KLPD (National Crime Squad), NL, “CERTs, cops, and criminals”, FIRST Conference, Monday 13th June 2011, https://www.first.org/conference/2011/program/index.html
[4] Politie (Dutch Police), “International police operation LadyBird: global botnet Emotet dismantled”, 27th Jan 2021, https://translate.google.com/translate?sl=auto&tl=en&u=https://www.politie.nl/nieuws/2021/januari/27/11-internationale-politieoperatie-ladybird-botnet-emotet-wereldwijd-ontmanteld.html
[5] https://paste.cryptolaemus.com/
[6] https://twitter.com/milkr3am/status/1354459859912192002
[7] https://twitter.com/Cryptolaemus1/status/1354521918775427072
[8] https://twitter.com/MalwareTechBlog/status/1354411804747681793
[9] https://twitter.com/milkr3am/status/1354473617145409545
[10] https://twitter.com/milkr3am/status/1354459859912192002
[11] https://twitter.com/t15_v/status/1354519818226032642
[12] https://twitter.com/cyberadelaide/status/1354489619795083269
[13] https://team-cymru.com/blog/2021/01/27/taking-down-emotet/
[14] https://2yx7ciusygbulydqop52nqwfpe--www-politie-nl.translate.goog/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html
[15] https://www.ushistory.org/franklin/philadelphia/fire.htm


Week in review

AUSCERT Week in Review for 29th January 2021

29 Jan 2021

Greetings,

Thank you to those of you who submitted to our AUSCERT2021 Call for Papers initiative. Our team is looking forward to the review process and will be looking at launching our program by early March.

This week also saw a number of critical vulnerabilities affecting SonicWall, sudo and Apple. The list of relevant bulletins and further details can be found below.

Our team is excited to announce our very first event for the year – a joint webinar session with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

And last but not least, we would like to bring your attention to the upcoming Safer Internet Day initiative, which we will be supporting as an organisation. The theme for its 18th edition will once again be “Together for a better Internet” and we look forward to sharing further resources around maintaining a better online world.

Until next week folks, have a good weekend.

New Linux SUDO flaw lets local users gain root privileges
Date: 2021-01-26 Author: Bleeping Computer
[See related AUSCERT security bulletin ASB-2021.0036, login not required.]
A now-fixed Sudo vulnerability allowed any local user to gain root privileges on Unix-like operating systems without requiring authentication. The Sudo privilege escalation vulnerability tracked as CVE-2021-3156 (aka Baron Samedit) was discovered by security researchers from Qualys, who disclosed it on January 13th and made sure that patches were available before going public with their findings.

SonicWall Breach
Date: 2021-01-25 Author: Australian Cyber Security Centre (ACSC)
On 22 January 2021, cyber security vendor SonicWall identified an internal systems breach using a likely zero-day in the SonicWall NetExtender VPN client and Secure Mobile Access (SMA) products. On 23 January 2021, SonicWall provided an update stating that only the SMA 100 Series is potentially vulnerable and customers may continue to use the NetExtender component for remote access as it is not susceptible to exploitation.

Insurers ‘funding organised crime’ by paying ransomware claims
Date: 2021-01-25 Author: The Guardian
[Ciaran Martin will be presenting as a keynote at AUSCERT2021.]
Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned. Ciaran Martin, who ran the National Cyber Security Centre until last August, said he feared that so-called ransomware was “close to getting out of control” and that there was a risk that NHS systems could be hit during the pandemic. The problem, he said, is being fuelled because there is no legal barrier to companies paying ransoms to cyber gangs – typically from Russia and some other former Soviet states – and claiming back on insurance. “People are paying bitcoin to criminals and claiming back cash,” Martin said.

Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021
Date: 2021-01-27 Author: ZDNet
Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021. The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet. [Later reporting, including our blog post of 1 February above, gives the kill-switch date as 25 April 2021 at 12:00.]

Apple fixes another three iOS zero-days exploited in the wild
Date: 2021-01-26 Author: ZDNet
[See related AUSCERT security bulletin ESB-2021.0298.]
Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS. However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days. Apple also declined to comment further.

ASB-2021.0036 – ALERT sudo: Root compromise – Existing account
Affects most Linux and Unix-based systems.
ESB-2021.0298 – Apple iOS and iPadOS: Multiple vulnerabilities
These zero-days have been reportedly exploited in the wild.
ESB-2021.0319 – IBM QRadar SIEM: Multiple vulnerabilities
This report collates 8 IBM advisories.
ESB-2021.0272 – vlc: Multiple vulnerabilities
Remote Code Execution issues in vlc.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
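For the sudo item (CVE-2021-3156) above, the question most teams had that week was “which of my hosts are still exposed?”. As an added example (not AUSCERT’s or Qualys’s code), the script below triages a host from two pieces of captured output. Both signals come from the Qualys advisory: the affected upstream versions (legacy 1.8.2 to 1.8.31p2 and stable 1.9.0 to 1.9.5p1, fixed in 1.9.5p2) and the behavioural test, which is to run `sudoedit -s /` as an unprivileged user; a vulnerable build answers `sudoedit: /: not a regular file`, a patched one prints its usage text. The behavioural result is treated as authoritative because distributions backport the fix without changing the version string, so a version-only check over-reports. The sample outputs are constructed strings, which keeps the script runnable offline; on a fleet, feed it the outputs of `sudo --version` and `sudoedit -s /` collected by your inventory tooling. The bug does not require the user to be listed in sudoers, so sudoers restrictions are not a mitigation.

```python
"""Triage a host for sudo CVE-2021-3156 (Baron Samedit) from captured output.

Added example, not AUSCERT's or Qualys's code. Signals (both from the Qualys
advisory):
  1. upstream version ranges: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1 affected,
     1.9.5p2 fixed;
  2. behavioural test: `sudoedit -s /` as an unprivileged user. Vulnerable:
     "sudoedit: /: not a regular file". Patched: the usage text.
Signal 2 wins, because distro packages backport the fix without bumping the
version (e.g. a 1.8.31-based package that is actually fixed). The SAMPLES
below are constructed strings, not captures from real hosts.
"""
import re

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Inclusive affected ranges as comparable tuples: (major, minor, patch, p-level).
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)


def parse_sudo_version(version_output: str):
    """Return (major, minor, patch, p) from `sudo --version` output, or None."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(version) -> bool:
    """True when the upstream version falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(output: str) -> str:
    """Interpret the first line of `sudoedit -s /` run as an unprivileged user.

    'vulnerable': -s reached the buggy argument-escaping path
    'patched'   : sudoedit rejects -s up front and prints usage
    'unknown'   : anything else (no sudoedit, policy message, empty capture)
    """
    first = output.strip().splitlines()[0] if output.strip() else ""
    if first.startswith("sudoedit: /: not a regular file"):
        return "vulnerable"
    if first.startswith("usage: sudoedit"):
        return "patched"
    return "unknown"


def triage(version_output: str, sudoedit_output: str) -> dict:
    """Combine both signals; the behavioural result overrides the version check."""
    version = parse_sudo_version(version_output)
    by_version = version is not None and version_in_affected_range(version)
    behaviour = classify_sudoedit_output(sudoedit_output)
    if behaviour != "unknown":
        verdict = behaviour
    else:
        verdict = "vulnerable (by version)" if by_version else "not in affected range"
    return {
        "version": version,
        "version_in_affected_range": by_version,
        "behaviour": behaviour,
        "verdict": verdict,
    }


# Constructed samples (not captured from real hosts); the usage line is abbreviated.
SAMPLES = {
    "upstream 1.9.5p1, unpatched": (
        "Sudo version 1.9.5p1\n",
        "sudoedit: /: not a regular file\n",
    ),
    "upstream 1.9.5p2": (
        "Sudo version 1.9.5p2\n",
        "usage: sudoedit [-AknS] ... file ...\n",
    ),
    "distro 1.8.31 with backported fix": (
        "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
        "usage: sudoedit [-AknS] ... file ...\n",
    ),
}

if __name__ == "__main__":
    for name, (ver, edit) in SAMPLES.items():
        print(f"{name}: {triage(ver, edit)['verdict']}")
```

The third sample is the one that matters operationally: by version it looks affected, by behaviour it is patched, and the verdict follows the behaviour. Hosts where the behavioural capture is missing fall back to the version check and should be treated as unconfirmed rather than clean.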


Week in review

AUSCERT Week in Review for 22nd January 2021

22 Jan 2021

Greetings,

Don’t forget – our AUSCERT2021 Call for Papers initiative is still open; this is your LAST CHANCE to submit, as we will be closing the portal on Tuesday 26th January. We welcome submissions in line with this year’s theme, which focuses on automation of the cyber security response, whether these stories are big or small.

We also issued a couple of alerts in relation to Cisco products; further details can be found below.

And last but not least, a call-out from our team seeking voluntary feedback on the preliminary stages of upcoming changes to the AUSCERT Security Bulletins. From the feedback AUSCERT gathered via a member survey, it was concluded that members showed overwhelming support for migrating to CVSS, replacing the current Impact/Access statements. The AUSCERT team is currently exploring suitable formats to enable the transition from Impact/Access to CVSS. If you’re a member who would like to be a part of this preliminary assessment team, feel free to reach out to membership@auscert.org.au by 31 January 2021.

Until next week, folks. Have a good weekend.

Critical Cisco SD-WAN Bugs Allow RCE Attacks
Date: 2021-01-20 Author: Threatpost
[See related AUSCERT security bulletins ESB-2021.0240, ESB-2021.0241 and ESB-2021.0243.]
Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users. Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities. The most serious of these flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Date: 2021-01-20 Author: Microsoft Security Blog
More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence. We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

AUSCERT statement on “QuoVadis Global SSL ICA G3” issue impacting multiple customers
Date: 2021-01-15 Author: AUSCERT
The AUSCERT team was made aware that a number of our Certificate Services clients were, and continue to be, experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST on Friday 15 January 2021. A statement (blog post) was released to assist with this issue. AUSCERT is continuing to work with DigiCert + QuoVadis to ensure that they provide all required further assistance for full remediation with our clients and members.

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach.
Date: 2021-01-19 Author: Malwarebytes
While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

ESB-2021.0240 – Cisco Smart Software Manager Satellite: Multiple vulnerabilities
Critical web UI injection vulnerabilities.
ESB-2021.0241 – Cisco SD-WAN: Multiple vulnerabilities
Critical buffer overflow and command injection vulnerabilities.
ESB-2021.0243 – Cisco DNA Center: Multiple vulnerabilities
Critical command injection and CSRF vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

AUSCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers

22 Jan 2021

Update 3: 12:00pm AEST 22 January 2021
Update 2: 12:30pm AEST 18 January 2021
Update 1: 2:00pm AEST 16 January 2021
Initial statement release: 12:00pm AEST 15 January 2021

“QuoVadis Global SSL ICA G3” issue impacting multiple AUSCERT / DigiCert + QuoVadis customers

Update 3 (12:00pm AEST 22-1-2021)
Further to our last update, DigiCert + QuoVadis have provided AUSCERT with an RCA (root cause analysis) for AUSCERT Members. At 11:51am AEST the RCA was distributed by the AUSCERT Team to AUSCERT Members via email.

Update 2 (12:30pm AEST 18-1-2021)
Further to our last update, DigiCert + QuoVadis have today provided further details of three possible practices which may have caused this issue for impacted certificates:
1. The organisation has pinned their application to the retired ICA. DigiCert + QuoVadis advise that this is bad practice.
2. The organisation has configured their server to only trust that specific ICA, which forces the client to use it. Then, when the ICA is changed, the chain of trust is broken.
3. The organisation operates a trust store which includes the old versions of the ICAs.
All certificates that are using the Global G2 or G3 ICAs are potentially impacted, as these were both retired. The new ICAs were made available from September 2020, and from November 2020 all certificates issued from Trust Link will have been issued from these new ICAs. Impacted customers may simply need to install the new ICA on their server to resolve the issues.

Also sharing these two external resources here:
DigiCert + QuoVadis’ statement regarding ICA replacements: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html
A corporate statement from DigiCert + QuoVadis regarding this issue: https://www.quovadisglobal.ch/Unternehmen/NewsAndEvents/Begrenzte%20Systemverfuegbarkeit.aspx
[NOTE: this same statement was covered by AUSCERT in the initial publication of our statement (blog post), with the exception of the signing service instructions found at the bottom of that page.]

Update 1 (2:00pm AEST 16-1-2021)
As part of initial correspondence with DigiCert + QuoVadis, we were informed that their teams were working to gather a report of all certificates impacted by the ICA changes on Friday, 15 January 2021. However, we were discouraged to receive an update today, 16 January 2021, that the DigiCert + QuoVadis teams are unable to report which certificates were impacted by this ICA change. The DigiCert + QuoVadis team largely believe the impacted certificates are receiving errors due to applications being pinned to the serial number of the revoked ICA. Here is more information on certificate pinning: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/ As we continue to work with DigiCert + QuoVadis regarding this incident, please be assured we will continue to urge them to provide further assistance for remediation.

Initial statement (12:00pm AEST 15-1-2021)
The AUSCERT team was made aware that a number of our Certificate Services clients have been experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST. Following this notification, the team acted immediately and got in touch with the team from DigiCert + QuoVadis for clarification. An internal investigation was then conducted by the DigiCert + QuoVadis compliance team and following this, we can now confirm that the QuoVadis Global SSL ICA G3 intermediate certificate (ICA) was revoked earlier today, an action which AUSCERT was unaware of prior to it taking place.

The new version was made available to QuoVadis users last year and can be downloaded from the following repositories:
Repository: https://www.quovadisglobal.nl/Repository/DownloadRootsAndCRL.aspx
Direct download of new ICA: http://trust.quovadisglobal.com/qvsslg3.crt
The replacement is also in Trust Link.

The end-entity certificate does not need to be replaced, as the chain is the same; impacted users will have to configure the server with the new ICA, replacing the old version. Again, please refer to the above repository for the new ICA details. The rotation of ICAs is a policy DigiCert has introduced in order to prevent non-best-practice habits, such as certificate pinning, from taking hold. Further information on certificate pinning can be found here: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/

Again, the AUSCERT team was not made aware of the revocation and began investigating this problem as soon as we were alerted by members. DigiCert + QuoVadis apologise that significant notice wasn’t provided to those impacted members.

Does this impact all certificates?
No, this has only impacted one of several ICAs QuoVadis use.

The AUSCERT team has now been in contact (via email) with all those members whom we are aware have been impacted by this issue. If you are an affected member requiring further assistance with regards to this issue, please contact:
AUSCERT Membership Team
07 3365 4417
cs@auscert.org.au
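Because the retired and replacement ICAs carry the same subject name, looking at the issuer name on a server’s certificate cannot tell you which one the server is actually sending; the SHA-256 fingerprint of the certificate bytes can. As an added example (not AUSCERT’s or DigiCert + QuoVadis’s code), the script below takes the text of `openssl s_client -connect host:443 -servername host -showcerts </dev/null` and the PEM form of the replacement ICA from the repository (a DER `.crt` converts with `openssl x509 -inform der -in qvsslg3.crt`), fingerprints every certificate in the served chain, and reports whether the intermediate at depth 1 is the expected one. The PEM blocks it ships with are constructed placeholders (base64 of short byte strings, not real X.509 certificates) so that it runs offline; the parsing and fingerprinting are identical for real chains.

```python
"""Check which intermediate (ICA) a server actually sends, by fingerprint.

Added example, not AUSCERT's or DigiCert + QuoVadis's code. Input is the text
of `openssl s_client ... -showcerts` (or any PEM chain file) plus the PEM of
the expected ICA. The PEM blocks constructed below are placeholders (base64 of
short byte strings), NOT real certificates, so the script runs offline.
"""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text: str):
    """Return the DER bytes of every certificate found in the text, in order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint in the form openssl prints: colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def served_chain_report(server_output: str, expected_ica_pem: str):
    """Compare the intermediate the server sends (depth 1) with the expected ICA.

    verdict values:
      'ok'             : the served intermediate is the expected (new) ICA
      'stale-ica'      : the server sends some other intermediate, e.g. the retired one
      'no-intermediate': only the leaf is served; clients must fetch the ICA
                         themselves, which also breaks once the old one is revoked
    """
    served = [sha256_fingerprint(der) for der in pem_blocks(server_output)]
    expected = [sha256_fingerprint(der) for der in pem_blocks(expected_ica_pem)]
    if not expected:
        raise ValueError("expected ICA text contains no certificate")
    if len(served) < 2:
        verdict = "no-intermediate"
    elif served[1] == expected[0]:
        verdict = "ok"
    else:
        verdict = "stale-ica"
    return {"served": served, "expected_ica": expected[0], "verdict": verdict}


def _fake_pem(payload: bytes) -> str:
    """Build a placeholder PEM block (NOT a real certificate) for the offline demo."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for the leaf, the retired ICA and the replacement ICA.
LEAF_PEM = _fake_pem(b"placeholder leaf certificate")
OLD_ICA_PEM = _fake_pem(b"placeholder QuoVadis Global SSL ICA G3 (retired)")
NEW_ICA_PEM = _fake_pem(b"placeholder QuoVadis Global SSL ICA G3 (replacement)")

# Shape of s_client -showcerts output from a server still sending the old ICA.
# The s:/i: name lines are constructed and ignored by the parser; note that they
# read identically before and after the fix, which is why names are not enough.
STALE_SERVER_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = www.example.com\n   i:CN = QuoVadis Global SSL ICA G3\n" + LEAF_PEM +
    " 1 s:CN = QuoVadis Global SSL ICA G3\n   i:CN = QuoVadis Root CA 2 G3\n" + OLD_ICA_PEM
)
FIXED_SERVER_OUTPUT = STALE_SERVER_OUTPUT.replace(OLD_ICA_PEM, NEW_ICA_PEM)

if __name__ == "__main__":
    for label, out in (("before", STALE_SERVER_OUTPUT), ("after", FIXED_SERVER_OUTPUT)):
        print(label, served_chain_report(out, NEW_ICA_PEM)["verdict"])
```

A `stale-ica` result maps to the first two practices listed in Update 2: replace the intermediate file in the server’s chain configuration with the new ICA and reload. The third practice (a private trust store still holding the retired ICAs) is fixed on the client side by removing them, and the same fingerprint comparison can be run over the store’s contents. If an application must pin, pin a key whose rotation you control rather than the serial of a CA-operated intermediate.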


Week in review

AUSCERT Week in Review for 15th January 2021

15 Jan 2021

Greetings,

As promised, we released details on our Strategic Plans for 2021 earlier this week. We’ve outlined this via the following “AUSCERT: What to Expect in 2021” blog post. Here are some key issues on the AUSCERT agenda this year:

– Expand and enhance our delivery of threat intelligence
– Remain a trusted incident response partner, both locally and globally
– Consistent and useful engagement with our members

With 2021’s first Patch Tuesday taking place this week, be sure to note our Security Bulletins highlighted below. For those handling Cisco patches, we hope you got through them all.

We would also like to share the following statement re: a QuoVadis Global SSL ICA G3 issue which impacted some of our members today. The AUSCERT team was not made aware of the revocation and began investigating this problem as soon as we were alerted by affected members. DigiCert + QuoVadis apologise that significant notice had not been provided with regards to this change, and for any inconvenience caused to AUSCERT members.

Last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open until the end of this month and we welcome submissions in line with this year’s theme, which focuses on the automation of the cyber security response, whether these stories are big or small.

Until next week folks, have a good weekend.

Are Australians at a ‘turning point’ on cybersecurity or still unprepared?
Date: 2021-01-11
Author: ABC News
Australians are on high alert about the threat of cyber attacks following Prime Minister Scott Morrison’s warning in June that Australia was targeted by a sophisticated “state-based” cyber-attack.
Key points:
– An average of 164 cybercrime reports are made by Australians every day, according to the Australian Cyber Security Centre
– Ransomware has become the biggest threat, used by criminals to lock up people’s systems and data and then demand a ransom in return for their release
– The ACSC has launched a cybersecurity campaign that provides easy-to-follow advice for all Australians to prepare against cyber attacks

Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day
Date: 2021-01-12
Author: Bleeping Computer
[Related AUSCERT security bulletins can be found on our website; accessing these will require a member portal login.]
With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important. There is also one zero-day and one previously disclosed vulnerability fixed as part of the January 2021 updates.

Accellion hack behind Reserve Bank of NZ data breach
Date: 2021-01-12
Author: iTnews
The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack of enterprise data protection provider Accellion. Accellion’s file transfer appliance (FTA) was accessed illegally, RBNZ said in a statement. “We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” RBNZ governor Adrian Orr said. The FTA system, which was used to store and share sensitive information, has been secured and taken offline, RBNZ said.

Third malware strain discovered in SolarWinds supply chain attack
Date: 2021-01-12
Author: ZDNet
Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack. Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.

ASB-2021.0011 – Microsoft Patch Tuesday update for Microsoft System Center for January 2021
This zero-day RCE vulnerability has reportedly been exploited in the wild.

ASB-2021.0010 – Microsoft Patch Tuesday update for Windows for January 2021
Many important Windows updates to apply ASAP.

ESB-2021.0135 – Cisco Webex Meetings Open Redirect Vulnerability
Phishing via Webex.

ESB-2021.0119 – APSB21-01 Security update available for Adobe Photoshop
Adobe released a raft of updates this week also.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

Blogs

AUSCERT: What to Expect in 2021

12 Jan 2021

Membership matters – optimising and elevating our services

As we bid goodbye to our members at the end of last year, we delivered a sneak preview of what the team hopes to achieve in the new year. While there are doubtless many unknowns awaiting us in 2021, here are some key issues on the AUSCERT agenda:

Image: AUSCERT Strategic Plans 2021

Expand and enhance our delivery of threat intelligence

– As a team, we aim to form and publish a Cyber Threat Intelligence (CTI) strategy document to help us align with our members’ needs – and in tandem with developing this CTI strategy – our goal is to also publish IoCs to members in STIX format.
– To complement this initiative, our team is looking to introduce some enhanced functionalities on the AUSCERT Member Portal, such as an Incident Portal with a file upload facility which includes analysis and feedback.
– The team is aiming to rebrand, reinvigorate and relaunch the CAUDIT-ISAC initiative as “The AHECS-ISAC, powered by AUSCERT”.
– And last but not least, in tandem with the CTI strategy and CAUDIT-ISAC relaunch, the team aims to launch MISP access for all members.

Remain a trusted incident response partner, both locally and globally

– As a team, we aim to broaden our incident response capability with consistent training and drills – especially through our strong relationship with the APCERT community as witnessed in 2020, 2019 and in previous years – as well as maintain our standing within the worldwide CERT community through FIRST.
– Continue to foster a strong relationship with the local Australian cyber security sector “key players”, especially the ASD via the Australian Cyber Security Centre, AustCyber and IDCare et al.

Consistent and useful engagement with our members

– As a team, we will be celebrating the 20th anniversary of our annual cyber security conference, Australia’s oldest and premier cyber security conference. The AUSCERT2021 conference theme will be “SOARing with cyber” and this annual event provides our members with the optimum opportunity for professional development and upskilling.
– AUSCERT will continue to maintain, uphold and explore State-government memberships.
– The team will aim to increase the number of blog articles and publications targeting senior to mid-level members.
– And last but not least, the AUSCERT team will focus on continuous improvements across all membership services.

The cyber security landscape is ever-changing, and AUSCERT continues to be passionate about engaging our members to empower your people, capabilities and capacities.

Week in review

AUSCERT Week in Review for 08th January 2021

11 Jan 2021

Greetings,

Welcome to 2021. We hope all our readers enjoyed a well-deserved break over the Christmas and New Year period. We would like to highlight the following article from colleagues at Data @ UQ, “What’s your (cyber and data safety) New Year’s resolution” – a relevant read to kick off the year!

This week we’re thrilled to announce the first keynote speaker at our annual conference AUSCERT2021. Ciaran Martin, founding CEO of the National Cyber Security Centre and now a Professor at the University of Oxford, will be joining us virtually from the UK. We look forward to hearing him speak at the conference and his thoughts on the future of our sector and conference theme “SOARing with cyber.”

Don’t forget – our AUSCERT2021 Call for Papers initiative is still open until the end of this month. Those wanting feedback from our committee are encouraged to submit by Monday 11 January. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference!

And last but not least, keep your eyes peeled as we announce our Strategic Plans for 2021. The team is also working hard on our 2020 Year in Review document and looks forward to sharing this in the next few weeks.

Until next week folks, have a good weekend. Stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits.

Set up your own malware analysis pipeline with Karton – CERT Polska
Date: 2020-12-30
Author: CERT Polska
[CERT Polska is a fellow member of the international forum of response teams – FIRST – and is the first Polish computer emergency response team.]
What is Karton? Karton is a robust framework for lightweight and flexible analysis backends. It can be used to connect malware analysis systems into a robust pipeline with very little effort.

CISA Releases Free Detection Tool for Azure/M365 Environment
Date: 2020-12-24
Author: Cybersecurity and Infrastructure Security Agency (CISA)
CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.

China’s APT hackers move to ransomware attacks
Date: 2021-01-04
Author: Bleeping Computer
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.

ANU uses new security capabilities to help other Unis fend off attacks
Date: 2021-01-05
Author: iTnews
The Australian National University says it has been able to help other unnamed universities “fend off attacks” using new capabilities it set up in the early part of a five-year information security program. The program, described at a high level in a parliamentary submission released at the end of last year, comes after ANU was targeted by an advanced persistent threat (APT) actor that led to two data breaches.

Beware: PayPal phishing texts state your account is ‘limited’
Date: 2021-01-03
Author: Bleeping Computer
A PayPal text message phishing campaign is underway that attempts to steal your account credentials and other sensitive information that can be used for identity theft. When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to “limited,” which will put temporary restrictions on withdrawing, sending, or receiving money.

WhatsApp: Share your data with Facebook or delete your account
Date: 2021-01-06
Author: Bleeping Computer
After WhatsApp updated its Privacy Policy and Terms of Service on Monday with additional info on how it handles users’ data, the company is now notifying users through the mobile app that, starting February, they will be required to share their data with Facebook.

ESB-2021.0024 – chromium: Multiple vulnerabilities
Multiple security issues were discovered in the Chromium web browser, which could result in the execution of arbitrary code, denial of service or information disclosure.

ESB-2021.0011 – MozillaThunderbird: Multiple vulnerabilities
A security update for MozillaThunderbird fixes 9 vulnerabilities in Mozilla Thunderbird 78.6 and Mozilla Thunderbird 78.5.1.

ASB-2021.0001 – Google Android devices: Multiple vulnerabilities
Multiple vulnerabilities have been identified in Google Android devices which can be fixed by updating to the latest versions.

ESB-2021.0067 – Firefox & Firefox ESR: Multiple vulnerabilities
Multiple security vulnerabilities fixed in Firefox 84.0.2, Firefox for Android 84.1.3 and Firefox ESR 78.6.1.

ESB-2021.0064 – pacemaker: Multiple vulnerabilities
Several security vulnerabilities were addressed in pacemaker, a cluster resource manager.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

Week in review

AUSCERT Week in Review for 24th December 2020

24 Dec 2020

Greetings,

This week the SolarWinds attack continues to make headlines. A reminder to check out our blog on the topic, “Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software”. We will continue to update this with any important developments.

With that said, it comes as no surprise to anyone that 2020 has been a particularly challenging year. As the year comes to an end, we would like to thank each and every one of you for your support. In a year where the basic tenets of the working world changed, YOU (our members) helped us get through it. We would like to share our reflections on the year through the following piece we wrote, “The Year that was 2020”.

A reminder of our scheduled shutdown over the Christmas and New Year period:

Membership – will be closed from Saturday 19th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021.
Operations – will be closed from Friday 25th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021.

The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open over the holiday season. Perhaps some writing to help break up the routine? Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference.

Until next year folks. Have a wonderful and very well deserved break over the holiday season, you have all earned it. Stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits!

NSW Health, Rio Tinto, Serco named as victims of massive global SolarWinds hack attack
Date: 2020-12-23
Author: ABC News
NSW Health has been named in a growing list of victims of a major global cyber attack by Russian hackers — although it says patient information was not stolen.
Key points:
– Australian organisations were named in a list of potential victims of a global attack by Russian hackers
– Dubbed the ‘SolarWinds’ attack, it has infected thousands of systems worldwide with malware
– NSW Health may have been infected since June
But while the health agency says its system was not “compromised”, cybersecurity experts said it appeared to be infected with malware. In a worst-case scenario, this could have allowed the hackers to escalate the attack and steal information.

Cyber security left out of cabinet reshuffle
Date: 2020-12-18
Author: iTnews
Prime Minister Scott Morrison has not appointed a dedicated minister for cyber security in Friday’s cabinet reshuffle. Last month, The Australian reported that Morrison planned to create a cyber security role in his cabinet that would be added to the Home Affairs portfolio. There were no changes made to the Home Affairs portfolio in today’s announcement, meaning Home Affairs minister Peter Dutton will retain responsibility for Australia’s cyber security policy and coordination.

The Cybersecurity Stories We Were Jealous of in 2020
Date: 2020-12-22
Author: Vice Motherboard
The end of the year is usually a good time for retrospection and one of our favorite traditions: digging into the archives and recognizing the best cybersecurity stories of the year. Stories so good, we wish we had written them ourselves. Without further ado, here’s Motherboard’s annual Cyber Jealousy list.

2020: The year in malware
Date: 2020-12-21
Author: Cisco Talos
To recap this crazy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’
Date: 2020-12-19
Author: ZDNet
[Stalking is a crime in all states and territories in Australia. If you’re spending time with family and friends over the holidays and believe they might be victims of cyber-stalking, this guide may be of use.]
This document highlights the steps that an Apple user can work through if they believe that their Apple ID has been compromised, or they want to rescind someone’s access to information that they previously allowed them to have access to, such as an ex or a family member.

ESB-2020.4513 – Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update
Whilst only marked as moderate by Red Hat, this advisory contained a whopping 121 CVEs, the most major of which included RCE.

ESB-2020.4537 – Security update for slurm_20_02
This advisory for the powerful Linux resource manager Slurm was marked as important by SUSE and contained an RCE vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

Blogs

Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software

20 Dec 2020

Image: SUNBURST Malware

Update: 21:30 AEST December 20 2020
Update: 21:30 AEST December 19 2020
Update: 10:00 AEST December 18 2020
Update: 22:30 AEST December 15 2020
Update: 15:00 AEST December 15 2020
Update: 14:00 AEST December 15 2020
Initial Publication: 09:00 AEST December 15 2020

Update (21:30 AEST 20-12-2020)
US-CERT CISA has announced [14] and, at the time of writing, made available an update to their advisory [12] which “… provides new mitigation guidance and revises the indicators of compromise table…” [14]. The U.S. Department of Homeland Security (DHS) has also updated its emergency directive to include supplementary guidance [15].

Update (21:30 AEST 19-12-2020)
At the time of writing this update, the US-CERT CISA advisory that was public as at 10:00 AEST 18-12-2020 is returning “Access Denied”. As it was a public advisory at that time, it may be possible to find a copy of this advisory, whilst it is still available, in archives [13].

Update (10:00 AEST 18-12-2020)
SolarWinds states that Orion was their only product affected by the breach [10]. A joint statement was also recently released by the U.S. Government [11] that heralds actions and updates from US-CERT CISA about the events surrounding the SolarWinds Orion breach, how it was leveraged, and recommended mitigation steps [12].

Update (22:30 AEST 15-12-2020)
Additional IoC and TTP information from research organisation Volexity [9].

Update (15:00 AEST 15-12-2020)
The headline of an earlier version of this article incorrectly attributed the vulnerable software to FireEye. FireEye is a third-party research firm. We apologise for any confusion caused by our initial publication. A new subject headline is now in place to better reflect the incident.

Update (14:00 AEST 15-12-2020)
A set of IoCs have been published by Talos [7] and the number of affected clients is expected to be “fewer than 18,000” worldwide according to the SEC filing of the incident [8]. The hotfix is expected to be made available “on or prior to 15th December 2020” [8] (date and time as per U.S.A. time zone).

Initial (09:00 AEST 15-12-2020)

Introduction:
FireEye has discovered a supply chain attack against SolarWinds which has resulted in trojanised versions of SolarWinds Orion being distributed. Because these trojanised versions were distributed through SolarWinds’ own supply chain, the code was correctly signed.

Multiple trojanised updates were digitally signed from March to May 2020 and posted to the SolarWinds Orion updates website, including the following:
hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp [1]

The trojanised version of the update has remained dormant for 2 weeks. FireEye has released countermeasures [2], and malicious activity can now be traced with the released IoCs [3].

RECOMMENDED ACTION:
It is highly advised that the advisories from FireEye [1] and SolarWinds [6] be reviewed, where actionable steps to detect and protect your network are suggested. This includes the following steps:

1. It is highly recommended to download the latest software of SolarWinds Orion and apply the relevant version.
2. If you are a SolarWinds Orion client, please check for the downloading of any updates between the months of March to May 2020.
3. If at all possible and relevant, apply the detection rules released by FireEye to determine whether or not malicious activity is currently in your network.
4. If at all possible, check network logs for Indicators of Compromise (IoC) for any signs of activity that may have occurred in your network.

The US-CERT has notified members of the public about the current issue via a briefing document [4] and the media is also focusing on and disseminating information on this event swiftly [5].

For AUSCERT’s constituents using AUSCERT managed MISP, the list of IoCs has been published on December 14. AUSCERT is currently contacting its constituents about possible installations of SolarWinds Orion on their network perimeter(s).

[1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor – https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
[2] GitHub – FireEye – Sunburst countermeasures – https://github.com/fireeye/sunburst_countermeasures
[3] GitHub – FireEye – Sunburst IoC – https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release
[4] US-CERT CISA – Active Exploitation of SolarWinds Software – https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
[5] Bleeping Computer – US govt, FireEye breached after SolarWinds supply-chain attack – https://www.bleepingcomputer.com/news/security/us-govt-fireeye-breached-after-solarwinds-supply-chain-attack/
[6] SolarWinds Security Advisory – https://www.solarwinds.com/securityadvisory
[7] Threat Advisory: SolarWinds supply chain attack – https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
[8] US-SEC – CURRENT REPORT – SOLARWINDS CORPORATION (001-38711) – https://sec.report/Document/0001628280-20-017451/
[9] Dark Halo Leverages SolarWinds Compromise to Breach Organizations – https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
[10] SolarWinds said no other products were compromised in recent hack – https://www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/
[11] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) – https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni
[12] Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations – https://us-cert.cisa.gov/ncas/alerts/aa20-352a
[13] Internet Archive – Wayback Machine – https://archive.org/
[14] CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise – https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/cisa-updates-alert-and-releases-supplemental-guidance-emergency
[15] Emergency Directive 21-01 – https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

Week in review

AUSCERT Week in Review for 18th December 2020

18 Dec 2020

Greetings,

This week saw the sector abuzz with the news regarding FireEye’s discovery of the trojanised SolarWinds software (aka “Sunburst” malware). Our team has blogged about this trending topic here. Please revisit the blog periodically as updates do get posted as relevant.

This holiday season, many of us will be purchasing gifts for loved ones online. This is a timely reminder to be wary of online shopping scams and increased exploitation by cyber criminals. We’d like to take this opportunity to re-share the following “Don’t give too much away this Christmas!” article.

A reminder of our scheduled shutdown over the Christmas and New Year period:

Membership – will be closed from Saturday 19th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021.
Operations – will be closed from Friday 25th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021.

The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open over the holiday season. Perhaps some writing to help break up the routine? Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference.

Until next week, have a wonderful and restful weekend. Stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits!

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Author: FireEye Inc
FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Healthcare security woes: More than 45 million medical images openly accessible online
Author: The Daily Swig
Millions of medical images such as X-rays, MRIs, and CT scans are available unsecured on the open web, an investigation by threat intelligence firm CybelAngel has revealed. The research team says it found unprotected connected storage devices with ties to hospitals and medical centers worldwide that were leaking more than 45 million unique imaging files. “It’s important to remember that no hacking tools were used,” David Sygula, senior cybersecurity analyst at CybelAngel, told The Daily Swig. “Millions of images were unencrypted and could be accessed without password protection. We were surprised to see the extent to which sensitive images were left unprotected, despite the regulations governing health data.”

Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
Author: ZDNet
Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems.

Scam bitcoin ads using unauthorised Australian celebrity images traced to Moscow addresses
Author: The Guardian
Scam bitcoin ads trading off unauthorised images of Dick Smith, Andrew Forrest and other celebrities, which have taken in tens of thousands of Australians, are part of a highly organised global business that uses five addresses in the centre of Moscow, a Guardian investigation has found. The sheer scale of the scam has made it difficult for Google to block them, and for Australian regulators to take action. The fake celebrity ads have run on news websites since at least 2018, but with people stuck at home during the Covid-19 pandemic, many more have been caught out by the scams. IDCare, a registered charity that offers support to people scammed online, has been hearing from a victim every business hour since March, its managing director told Guardian Australia.

Service NSW finds cyber attack impacted 80,000 fewer customers
Author: iTnews
Service NSW has revised down the number of customers impacted by an email compromise attack against 47 staff members earlier this year, but not before wrongly notifying 25,000 people. In September, the one-stop shop for NSW government services revealed – after a four-month long investigation – that 186,000 customers had their information stolen by unknown attackers. The breach, which took place in March, exposed 736GB of data, encompassing 3.8 million documents such as handwritten notes, forms, scans and records of transaction applications.

ESB-2020.4474 – Thunderbird: Multiple vulnerabilities
Thunderbird, Mozilla’s email client, was host to multiple vulnerabilities including remote code execution and denial of service.

ESB-2020.4464 – Red Hat Fuse 7.8.0: Multiple vulnerabilities
Contained a multitude of vulnerabilities including remote code execution, denial of service, cross-site scripting, privilege escalation, and unauthorised access to both confidential and privileged data.

ESB-2020.4447 – Firefox: Multiple vulnerabilities
The popular browser contained multiple vulnerabilities which granted attackers the ability to execute remote code, cause denial of service, and gain unauthorised access to confidential data.

ESB-2020.4436 – Samba: Multiple vulnerabilities
Samba was affected by vulnerabilities which, prior to the fix, had provided unauthorised access, denial of service and root compromise.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
