Publications

AUSCERT Week in Review for 11th December 2020 Greetings, Well done to all who’ve implemented the latest set of patches from the last batch of Patch Tuesday of 2020! Be sure to read our concise list of our most notable security bulletins below. With two weeks remaining until the Christmas and New Year holidays, we would like to inform you of the scheduled shutdown of our membership and operations teams: Membership: Will be closed from Saturday 19th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021. Operations: Will be closed from Friday 25th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual; so do call us for any urgent matters during this period. This week saw us releasing a joint Cyber Threat Signal 2021 publication with fellow CERT colleagues: KrCERT/CC, CERT-In and Sri Lanka CERT|CC. This publication is a joint prediction of the most pertinent cyber threats that 2021 may deliver. Perhaps to no one’s surprise, ransomware attacks is expected to dominate the sector in 2021 in both volume and its impact. Be sure to read up on how to protect yourselves, as the publication contains a summary list of observations from 2020 that is extended into 2021 along with point-form mitigation advice. And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open with exactly one month to go to the first initial deadline for our committee feedback. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. Do you or someone you know have a great story to tell? We would like to hear it, help us spread the word on Cyber Security! Until next week, have a wonderful and restful weekend everyone. Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities Date: None Author: ZDNet [AUSCERT ASBs 2020-0216 through 224 relate to this Patch Tuesday, member portal login required. 217 and 219 are related to RCE vulnerabilities.] Microsoft has published today 58 security fixes across 10+ products and services, as part of the company’s monthly batch of security updates, known as Patch Tuesday. There’s a smaller number of fixes this December compared with the regular 100+ fixes that Microsoft ships each month, but this doesn’t mean the bugs are less severe. More than a third of this month’s patches (22) are classified as remote code execution (RCE) vulnerabilities. These are security bugs that need to be addressed right away as they are more easily exploitable, with no user interaction, either via the internet or from across a local network. Pfizer/BioNTech vaccine docs hacked from European Medicines Agency Date: None Author: BBC News The European Medicines Agency (EMA) says it has been hit by a cyber-attack and documents relating to a Covid-19 vaccine have been accessed. BioNTech, which makes one of the vaccines in partnership with Pfizer, said its regulatory submission was accessed during the attack. The EMA is working on approval of two Covid-19 vaccines, which it expects to conclude within weeks. The cyber-attack was not expected to impact that timeline, BioNTech said. The EMA did not provide any details on the nature of the cyber-attack in a brief statement on its website, beyond saying a full investigation had been launched. A spokesperson for the agency said it was still “functional”. National interest plan could drive local cyber sector Date: None Author: InnovationAus The launch of an Australian national interest strategy could help propel the growth of the local cybersecurity sector and assist the economic recovery from COVID-19, according to AustCyber chief executive Michelle Price. Ms Price, along with Australian National University National Security College head Professor Rory Medcalf, delivered a National Press Club address on Wednesday on the need for a national interest strategy, and the crucial role cybersecurity will play in the coming years. There have been a number of government policies this year focused on national security and interest, Professor Medcalf said, and now a more cohesive strategy is needed around this. U.S. cybersecurity firm FireEye discloses breach, theft of internal hacking tools Date: None Author: Reuters FireEye, one of the largest cybersecurity companies in the United States, said on Tuesday that it has been hacked, possibly by a government, leading to the theft of an arsenal of internal hacking tools typically reserved to privately test the cyber defenses of their own clients. The hack of FireEye, a company with an array of business contracts across the national security space both in the United States and its allies, is among the most significant breaches in recent memory. Cyber attack could bring down entire financial system: IMF Date: None Author: Sydney Morning Herald The world’s financial system could collapse and create an economic downturn as disastrous as the coronavirus recession or the global financial crisis if growing fears of a devasting cyber-security hack are realised. Research from the International Monetary Fund released on Tuesday found the reliance of the financial system and consumers on digital services was increasingly at risk from cyber attacks that were being fuelled by falling prices for hacking tools and a target-rich environment. ESB-2020.4347 – Adobe Acrobat and Reader: Access confidential data – Remote with user interaction A vulnerability for multiple Adobe Acrobat products was patched. If successfully exploited it could lead to remote information disclosure. Adobe marked this as important. ASB-2020.0217 – ALERT Windows: Multiple vulnerabilities Microsoft patch Tuesday was this week and 23 vulnerabilities across Windows operating systems were patched. ASB-2020.0220 – Microsoft Office, Microsoft Office Services and Web Apps: Multiple vulnerabilities Another Microsoft patch Tuesday release, 15 vulnerabilities were patched across the Microsoft Office suite of applications. Stay safe, stay patched and have a good weekend! The AUSCERT team

Cyber Threat Signal 2021 Cyber Threat Signal 2021 Proud to have worked and collaborated alongside a number of fellow CERT colleagues from CERT-In, KrCERT/CC and Sri Lanka CERT|CC on this publication. Today (Monday 7 December 2020) we released a joint prediction of the most pertinent cyber threats that 2021 may deliver. Perhaps to no one’s surprise, ransomware attacks is expected to dominate the sector in 2021 in both volume and its impact. This joint publication follows a diagram and summary points of observations from 2020 that is extended into 2021 along with point-form mitigation advice. To read and download a copy of this publication, see link provided below. Contributors: CERT-In Indian Computer Emergency Response Team is the National Incident Response Centre for major computer security incidents in its constituency. i.e. Indian cyber community. KrCERT/CC KrCERT/CC is the National Computer Emergency Response Team in Korea.  KrCERT/CC takes the lead in raising technical capability for the protection of Critical Network Infrastructure, Internet communication networks and for reinforcement of prediction and alarm systems. Sri Lanka CERT|CC Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT) is the single trusted source of advice about the latest threats and vulnerabilities affecting computer systems and networks, and a source of expertise to assist the nation and member organizations, in responding to and recovering from cyber-attacks. AUSCERT AUSCERT is a not-for-profit Cyber Emergency Response Team based in Australia. AUSCERT delivers 24/7 service to its members and helps them prevent, detect, respond and mitigate cyber-based attacks. Attached Documents cyber_threat_signal_2021-full-report.pdf

AUSCERT Week in Review for 4th December 2020 Greetings, It’s officially summer season here in Australia, we hope that everyone’s taking care of themselves as we embrace the change in weather. We would like to begin this week by commending our colleague Mal Parkinson who was a panel member on a session hosted by the by the Australian Women in Security Network (AWSN) for their AWSN Cadets “Security Sessions” initiative. The panel discussed the topic of “Life before Cyber Security, how did you start?” and we’ve summarised some key advice from this session via our LinkedIn page here. Some sage tips for all those wanting to move into the cyber security sector or are simply starting out as a new graduate. This week also saw us supporting the team from AustCyber as they launched the 2020 Update to Australia’s Cyber Security Competitiveness Plan (SCP). A copy of their media release can be found here. In summary, the launch and panel discussion events held by the team from AustCyber highlighted the plethora of start-ups and initiatives in the cyber security sector across the states and territories within Australia. The gamut of activities certainly places our country in a position to gain an outstanding posture on cyber security in the coming decade and beyond! Exciting times ahead for our sector. And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is now open and will remain so until late January 2021. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. Do you or someone you know have a great story to tell? We would like to hear it, help us spread the word on Cyber Security. Until next week, have a wonderful and restful weekend everyone. FBI warns of email forwarding rules being abused in recent hacks Date: 2020-12-01 Author: ZDNet The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts. Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day — and be at risk of triggering a security warning for a suspicious login. FBI officials say that the technique is still making victims in corporate environments because some companies don’t forcibly sync email settings for the web-based accounts with desktop clients. Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them Date: 2020-11-30 Author: Microsoft Security Blog The threat actor BISMUTH, which has been running increasingly complex targeted attacks, deployed coin miners in campaigns from July to August 2020. Learn how the group tried to stay under the radar using threats perceived to be less alarming. New rules to detect, trace and block scam calls Date: 2020-12-02 Author: The Australian Communications and Media Authority (ACMA) ACMA has today registered new rules that require telcos to detect, trace and block scam calls. The Reducing Scam Calls Code, developed by the telco industry, was a direct recommendation of the ACMA’s Combating Scams Action Plan. The ACMA has worked closely with telcos and peak body Communications Alliance to develop the new rules and successfully pilot initiatives to reduce the scale and impact on Australians of scam calls. Major telcos report blocking over 30 million scam calls across the last 12 months as they undertook work to trial the identification and reduction of scam calls. APRA targets cyber hygiene and board oversight with new security strategy Date: None Author: iTnews The Australian Prudential Regulation Authority (APRA) has unveiled a new cyber security strategy and flagged it will step up its review of current cyber compliance, holding boards accountable for shortfalls. The prudential regulator’s cyber security strategy for 2020 to 2024 seeks to lift cyber security standards and introduce heightened accountability where companies fail to meet their legally binding requirements. 7 Simple Ways to Make Your Android Phone More Secure Date: 2020-12-01 Author: WIRED There are a couple of different ways to think about privacy when it comes to your phone. There’s the data that it collects about your actions and interests, and then there are the protections you can put in place to stop people around you from accessing the physical device. Both are important, and there are easy things you can do to improve each of them. ESB-2020.4227 – MozillaFirefox: Multiple vulnerabilities Mozilla Firefox releases an update that fixes 12 issues ESB-2020.4274 – Thunderbird: Reduced security – Remote with user interaction Security vulnerabilities fixed in Thunderbird 78.5.1. ESB-2020.4286 – Red Hat JBoss Enterprise Application Platform 7.3.4: Multiple vulnerabilities An update has been released that fixes multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.3. ESB-2020.4284 – Linux Kernel: Multiple vulnerabilities New Ubuntu packages fix several security issues identified in the Linux kernel. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 27th November 2020 Greetings, Would you believe it, it’s less than a month away ‘til Christmas and end of year holidays for most folks around the country. We would like to begin this week by congratulating colleagues in Victoria for their tremendous effort in achieving 28-days without any cases of Covid-19. A job very well done! As we begin to creep closer to the merry and festive season, it is a timely reminder for everyone to stay safe online. For cyber criminals, this is also perceived as the season for exploitation. We’ve shared a couple of handy tips through our ADIR articles this week – so be sure to have a read of them below. Next week, one of our very own Senior Information Security Analysts, Mal Parkinson, will be presenting on a panel session hosted by the by the Australian Women in Security Network (AWSN). The panel will be discussing the topic of “Life before Cyber Security, how did you start?” on Thursday evening 3 December. To tune in, please register via the following page. And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is now open and will remain so until late January 2021. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. Do you or someone you know have a great story to tell? We would like to hear it, help us spread the word on Cyber Security. Until next week, have a wonderful and restful weekend everyone. Law In Order hit by ransomware attack Date: 2020-11-24 Author: iTnews Law In Order, an Australian supplier of document and digital services to law firms, suffered a ransomware infection over the weekend that is believed to be the Netwalker malware. After detecting the attack, Law In Order said it halted many of its business operations and called in cyber security advisers to assist in the investigation and incident response. Law In Order said it had alerted authorities including the Australian Federal Police and the Australian Cyber Security Centre to the attack. Online shoppers warned to be on alert as scams increase, losses climb to $7 million Date: 2020-11-24 Author: iTWire Australians have been warned to be careful when buying gifts this holiday season as losses to online shopping scams have already increased 42% this year as the country enters the busy Christmas-New Year period. The warning from the consumer watchdog ACCC’s Scamwatch service reports that it has received over 12,000 reports of online shopping scams so far this year, with almost $7 million in reported losses. Don’t give too much away this Christmas! Date: 2020-11-24 Author: Data at UQ – The University of Queensland [AUSCERT is proudly a part of The University of Queensland.] For most of us, Christmas is a time of merriment. For cyber criminals however, it’s also the season for exploitation. Did you know that Australians lost over $14 million through scams last December? Common Christmas scams include fake email gift certificates, e-cards and parcel delivery notifications which request either confirmation of delivery addresses or payment to collect or hold a parcel. In these scams, criminals use email, mobile apps, social networking and online forums to siphon money from victims. Don’t be a scam statistic this silly season. Give presents, not data this Christmas. Be careful with the information you share online and follow the tips listed here to protect your data. Microsoft gives Linux a security boost with these new attack detection tools Date: 2020-11-19 Author: TechRepublic Endpoint detection and response (EDR) capabilities for Microsoft Defender for Endpoint on Linux are now available in public preview. Linux EDR will help Defender for Endpoint customers better protect Linux servers and networks and quickly take action against threats, Microsoft said. Microsoft Defender for Endpoint on Linux supports recent versions of the six most common Linux server distributions supported by Microsoft, which includes RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher, SLES 12+, Debian 9+ and Oracle Linux 7.2. Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs Date: 2020-11-22 Author: Bleeping Computer A hacker has posted a list of one-line exploits to steal VPN credentials from almost 50,000 Fortinet VPN devices. Present on the list of vulnerable targets are domains belonging to high street banks and government organizations from around the world. ASB-2020.0214 – Chromium Security Updates for Microsoft Edge Microsoft Edge update has addressed multiple vulnerabilities. Edge is also now available on Linux platforms. ESB-2020.4160 – VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities VMware released patches for critical vulnerabilities across numerous products. Local admin privileges are required for this to be exploited. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT at the 2020 FIRST Conference: virtual edition We’ve all heard the story – 2020 has been a year marked with exceptional challenges and without a doubt, one of the most affected sectors from the Covid-19 pandemic has been the events and conferences industry. With travel restrictions in place for the foreseeable future, conference organisers have had to be creative in the delivery of their events.  In my role at AUSCERT, this meant having to pivot our very own annual conference into an entirely virtual format. I’ve posted my personal thoughts on working behind the scenes in delivering (a successful) AUSCERT2020 conference via LinkedIn here. Despite the challenges faced, the learnings I have taken away from this experience; coupled with my witnessing of our delegates, speakers and colleagues who all rose to the occasion in the spirit of camaraderie and innovation – will be something I’ll never forget or take for granted again in my career!  That aside, I had the pleasure of being on the “flipside” recently and was fortunate enough to participate as a delegate at the 2020 FIRST Conference: virtual edition. FIRST is the Forum of Incident Response and Security Teams and it brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors. This is FIRST’ 32nd annual conference and the theme was “Where Defenders Share”, highly relevant to the work that we do at AUSCERT. I tuned into all the keynotes and really enjoyed how they’d each varied from each other!Keynote 1Tracking Targeted Digital Threats: A View from the Citizen Lab by Ron Deibert, Director of  Citizen Lab (Munk School of Global Affairs, University of Toronto) In his presentation, Ron presented some super interesting evidence-based info from the work done at Citizen Lab. Their projects shed light on some increasingly critical issues at the intersection of race, surveillance, free expression, privacy, and power. My personal key take-away from his presentation was this message ‘not all high-end spyware, whatever does the trick!’ – a reminder that some of the biggest security issues we face don’t necessarily stem from high-end technology.  Keynote 2 Project Zero’s Disclosure Philosophy by Ben Hawkes, Project Zero Team Lead at Google ‘Untangling the vulnerability disclosure debate’ – before tuning into Ben’s presentation, I was extremely intrigued by his one-line premise and the content certainly delivered! In his presentation, it was made clear that Google’s Project Zero was of the opinion that the best way to combat the exploitation of zero-day vulnerabilities is by predicting attackers’ movements. Ben also revealed that Google’s elite bug-hunting team is looking to build a “crystal ball” for forecasting miscreants’ behaviour based on expert forecasts from cybersecurity professionals. His keynote was also covered by the team from PortSwigger here. Keynote 3Transforming Security: Optimizing Five Trends to Enable Security for Businesses of all Sizes by Kathleen Moriarty, CTO at Center for Internet Security Last but certainly not least, I tuned into the final conference keynote by Kathleen Moriarty who was recently appointed CTO at the Center for Internet Security. The key message from her presentation was that, in order to combat cyber threats, including those that impact SMEs that are part of the supply chain – we need to rethink how information security is delivered and managed. For me personally, this presentation really tied in to the concept of “3-Ps” of comprehensive cybersecurity – products, policies and people, an important reminder to get the basics right within every organisation and one that I thought was great session to tune into for the management folks in our sector.  As most of us are aware, conferences are a great way to learn new skills and access the latest trends and insight in the sector. For me personally, being a delegate at FIRSTCON20 allowed me to achieve greater awareness and understanding of both existing (mature) and emergent technologies – especially from the perspective of someone who doesn’t possess a technical background in the sector.  I have been informed that the conference recordings will be moved to permanent FIRST hosting and will be made publicly available via their website and YouTube channel shortly. Congratulations team FIRST, 1600 registrations from nearly 100 countries – that was an incredible feat, job extremely well done in 2020!Laura Jiew AUSCERT Events and Marketing Communications Specialist 

AUSCERT Week in Review for 20th November 2020 Greetings, This week saw us supporting a couple of initiatives. We attended the 32nd Annual FIRST Conference which was held virtually. Despite the time difference, we were able to catch up on a number of presentations delivered at the conference on-demand. Most if not all of you would be familiar with FIRST which is the global Forum of Incident Response and Security Teams. As a proud member of FIRST for the past 24 years, AUSCERT is grateful to have been able to participate again in 2020. The other initiatives we supported this week were the International Fraud Awareness Week campaign which is an initiative run by the International Association of Certified Fraud Examiners (ACFE) – mainly on our social media platforms. We also supported the Australian Security Intelligence Organisation (ASIO) information campaign called Think Before You Link. The aim of the campaign is to raise awareness of the threat of foreign spies that are actively undertaking espionage and foreign interference in Australia, as well as to provide advice on how to reduce risk and respond to suspicious approaches. We shared this through our ADIR earlier in the week, please feel free to share it with colleagues. And last but not least, don’t forget – we’ve launched our AUSCERT2021 Call for Papers initiative. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. AUSCERT members, we would love to see YOUR submissions containing stories, whether it be one of success or failure! The “heart” of our conference has always been about knowledge sharing and collaboration, so if you’ve got a story to share, AUSCERT may be able to provide you a stage. Feel free to share this with your network Until next week, have a wonderful weekend everyone. Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted Date: 2020-11-14 Author: Bleeping Computer [Egregor continues to make waves in the sector, the AUSCERT team recently presented a case study on our Incident Management service which can be found on our website under Blogs & Publications. Be sure to note our 3-takeaways.] Chilean-based multinational retail company Cencosud has suffered a cyberattack by the Egregor ransomware operation that impacts services at stores. Cencosud is one of the largest retail companies in Latin America, with over 140,000 employees and $15 billion in revenue for 2019. Cencosud manages a wide variety of stores in Argentina, Brazil, Chile, Colombia, and Peru, including Easy home goods, Jumbo supermarkets, and the Paris department stores. Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation Date: 2020-11-17 Author: ZDNet [Refer to AUSCERT security bulletin ESB-2020.4090.] Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol. Chrome 87 also comes with a fix for a new attack disclosed at the end of October by Samy Kamkar, a famous security researcher and computer hacker. Cisco fixes WebEx bugs allowing ‘ghost’ attackers in meetings Date: 2020-11-18 Author: Bleeping Computer [Refer to AUSCERT security bulletin ESB-2020.4095.2 on our website.] Cisco has fixed today three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants. Cisco Webex is an online meeting and video conferencing software that can be used to schedule and join meetings. It also provides users with presentation, screen sharing, and recording capabilities. Threat actors abusing the now patched flaws could become ‘ghost’ users capable of joining a meeting without being detected as IBM researchers discovered while analyzing Cisco’s collaboration tool for vulnerabilities. Cyberattacks targeting health care must stop Date: 2020-11-13 Author: Microsoft On The Issues Blog [We are sharing this as an additional read to the alert issued by the ACSC (cyber.gov.au) on Friday 13 Nov regarding the observed increased activity by threat actors using the SDBBot Remote Access Tool (RAT) against the Australian health sector.] Two global issues will help shape people’s memories of this time in history – Covid-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic. We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act. Ticketmaster Scores Hefty Fine Over 2018 Data Breach Date: 2020-11-13 Author: Threatpost Ticketmaster’s UK division has been slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers. The fine (£1.25million) has been levied after the ICO found that the company “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” – a failure which violates the E.U.’s General Data Protection Regulation (GDPR). ESB-2020.4090 – Google Chrome: Multiple vulnerabilities Multiple fixes for the world’s most popular browser ESB-2020.4082 – Mozilla Firefox: Multiple vulnerabilities Multiple fixes for another popular browser ESB-2020.4095.2 – UPDATE Cisco Webex Meetings and Cisco Webex Meetings Server: Multiple vulnerabilities Fixes released to address ‘ghost’ attackers in webex meetings ESB-2020.4128 – postgresql12: Multiple vulnerabilities PostgreSQL database issues patched Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 13th November 2020 Greetings, This week we launched our AUSCERT2021 Call for Papers initiative. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. AUSCERT members, we would love to see YOUR submissions containing stories – whether they’re of success or failure! The “heart” of our conference has always been about knowledge sharing and collaboration, so if you’ve got a story to share, AUSCERT may be able to provide you a stage. Feel free to share this with your network. This week we also celebrated NAIDOC Week 2020 with friends from Baidam Solutions. We were proud to host a panel session and an online screening of the film “In My Blood It Runs”. This film is an observational feature documentary following 10-yr-old Arrernte Aboriginal boy Dujuan as he grows up in Alice Springs, Australia. The work we do in terms of reconciliation in this country is ongoing, the producers of this film have shared a resource of First Nations-led solutions we can all explore here. With November 2020’s Patch Tuesday taking place this week, be sure to note our Security Bulletins highlighted below. And last but not least, we would like to quickly highlight the following alert issued by the ACSC (cyber.gov.au) just this morning on the SDBBot targeting our country’s health sector. For those of you who celebrate – Happy Diwali, may it be filled with light despite the year we’ve all had. Until next week, have a wonderful weekend everyone. Intel fixes 95 vulnerabilities in November 2020 Platform Update Date: 2020-11-11 Author: Bleeping Computer [AUSCERT issued an alert on CVE-2020-12321 and 12322 yesterday, please refer to ESB-2020.3962] Intel addressed 95 vulnerabilities as part of the November 2020 Patch Tuesday, including critical ones affecting Intel Wireless Bluetooth products and Intel Active Management Technology (AMT). The issues were detailed in the 40 security advisories published by Intel on its Product Security Center, with the company having delivered security and functional updates to users through the Intel Platform Update (IPU) process. Microsoft, Amazon, Cisco, Salesforce alarmed at security incident response takeover by govt Date: 2020-11-09 Author: iTnews Microsoft, AWS, Telstra, Cisco and Salesforce reacted with alarm at the prospect of direct administrative intervention by Australian authorities to counter cyber security threats against certain customers. Draft laws proposed by Home Affairs include “last resort” government assistance powers that, in “exceptional circumstances”, would allow the government to intervene in a particularly threatening attack scenario. The powers are broad – allowing the government to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from premises, according to an exposure draft of the bill published today. IoT security is a mess. These guidelines could help fix that. Date: 2020-11-10 Author: ZDNet The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organisations open to cyber attacks via vulnerabilities they’re not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development. New guidelines from European Union Agency for Cybersecurity (ENISA) recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure. Chinese hacking competition cracks Chrome, ESXi, Windows 10, iOS 14, Galaxy 20, Qemu, and more Date: 2020-11-09 Author: The Register VMware has taken the unusual step of warning about an imminent security advisory after a Chinese team successfully popped its flagship product. News of the crack came from Tianfu Cup, a hacking contest staged in China over the weekend and modelled on events like “Pwn2Own” where vendors allow teams to take down their wares under controlled conditions. The targets for the competition included the iPhone 11 running the new iOS 14, and the big four browsers – Chrome, Safari, Firefox and Edge. Cup organisers said 11 of the attacks succeeded. Play Store identified as main distribution vector for most Android malware Date: 2020-11-11 Author: ZDNet The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date. Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019. In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps. ESB-2020.4051 – Apache OpenOffice: Execute arbitrary code/commands – Remote with user interaction A malicious document can contain links to any executable on the system triggered via a single click. ESB-2020.4043 – MISP: Multiple vulnerabilities An important SSRF vulnerability fixed, and numerous improvements. ESB-2020.3962 – Intel Wireless Bluetooth products: Multiple vulnerabilities One of around 40 Intel advisories released this week. This wireless issue is remotely exploitable. ASB-2020.0206 – Microsoft Windows: Multiple vulnerabilities Microsoft released numerous fixes for many products this week as part of its monthly ‘Patch Tuesday’. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 6th November 2020 Greetings, This week, our team enjoyed participating in the Inaugural AHECS Cybersecurity Summit “Bridging the Gap”. Well done to all partners involved: AARNet, Australian Access Federation (AAF), REANNZ and especially to the team from CAUDIT. Several great takeaways from the presentations delivered over the 2.5 days which focussed on the various cybersecurity threats and safeguard measurements we should be adopting in order to protect the reputation of Australasia’s universities. We also sat down with Sean, an analyst in our team, to put together a case study on AUSCERT’s Incident Management service; one that is integral to our organisation as a CERT. Coincidentally, this week marks our 24th anniversary as part of FIRST, very proud of our rich history as a CERT! Next week will see us celebrating NAIDOC Week 2020 with friends from Baidam Solutions. We are pleased to invite you to an online screening of the film “In My Blood It Runs” on Thursday 12 November. This film is an observational feature documentary following 10-yr-old Arrernte Aboriginal boy Dujuan as he grows up Alice Springs, Australia. Preceding this screening will be a 20-minute panel discussion. For further details and to RSVP, please visit our website here. Last but not least, we must apologise – due to unforeseen circumstances, we have had to delay the launch of our AUSCERT2021 Call for Papers initiative. We’re confident this will be announced early next week though. So please keep an eye out for details on this launch on our communication channels. Until next week, have a wonderful weekend everyone. UK cyber-threat agency confronts Covid-19 attacks Date: 2020-11-03 Author: BBC News [The NCSC Annual Review 2020 was released on 03 Nov; to find out more, please refer to their website directly.] More than a quarter of the incidents which the UK’s National Cyber Security Centre (NCSC) responded to were Covid-related, according to its latest annual report. The review covers the period from September 2019 to August 2020, so the pandemic occupied an even higher proportion of the agency’s efforts after the first lockdown began. In total there were 723 incidents of all kinds, marking close to a 10% rise on the previous period. Of those, 194 were Covid-related. Sustained targeting of the health sector Date: 2020-10-30 Author: ACSC (cyber.gov.au) [Further resources can also be found on the AUSCERT LinkedIn page] The Australian Signals Directorate’s Australian Cyber Security Centre has identified a sustained campaign by sophisticated cybercrime actors impacting the Australian health sector. We continue to see activity against the health sector similar to the increase of identified Emotet activity in Advisory 2020-17: Resumption of Emotet malware campaign. This type of campaign is not limited to Australia, with the United States of America Cybersecurity and Infrastructure Security Agency (CISA) recently issuing a cyber security alert. This alert identifies a campaign, with Emotet and TrickBot being used to further deploy Conti or Ryuk ransomware variants. The alert also provides detection and mitigation advice. While this campaign is targeted at the health sector, the ACSC recommends that all Australian organisations read the two documents linked above and follow their recommended mitigation advice. Google patches second Chrome zero-day in two weeks Date: 2020-11-02 Author: ZDNet Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability [identified as CVE-2020-16009] that is currently actively exploited in the wild. In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day. Govt kicks off long-awaited Privacy Act review Date: 2020-10-30 Author: iTnews The federal government has kicked off its review of the Privacy Act, which will consider whether Australians should have the right to have their personal information erased like in the European Union, among other reforms. Attorney-General Christian Porter on Friday released the terms of reference for the wide-ranging review that the government committed to undertake in response to the digital platforms inquiry in December 2019. The review will consider whether the Privacy Act, which has not been amended since the introduction of the Australian Privacy Principles (APP) in 2012, remains fit for purpose in the digital economy. The energy-sector threat: How to address cybersecurity vulnerabilities Date: 2020-11-03 Author: McKinsey & Company Electric-power and gas companies are especially vulnerable to cyberattacks, but a structured approach that applies communication, organizational, and process frameworks can significantly reduce cyber-related risks. ESB-2020.3893 – gnome: Multiple vulnerabilities Gnome vulnerabilities offered attackers opportunity to complete remote code execution, denial of service, cross-site scripting, and privileged & confidential data access. ESB-2020.3833.2 – Cisco IOS XR Software: Multiple vulnerabilities Cisco’s enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software allowed an unauthenticated, remote attacker to execute unsigned code during the PXE boot process on an affected device. ESB-2020.3818 – Cisco Identity Services Engine: Multiple vulnerabilities Cisco Identity Services Engine (ISE) web-based management interface vulnerabilities allows an authenticated, remote attacker with administrative credentials to conduct cross-site scripting, remote code execution attacks, and compromise root. ESB-2020.3598.2 – UPDATE VMware Products: Multiple vulnerabilities VMware have updated patch version details associated with their earlier advisory after release of ESXi patches that completed the incomplete fix for CVE-2020-3992, which carries a 9.8 Critical CVSS3 score. ESB-2020.3789 – ALERT wordpress: Multiple vulnerabilities Multiple vulnerabilites reported against WordPress, permitting opportunity for remote code execution, privilege escalation, cross-site request forgery, denial of service and cross-site scripting attacks. ESB-2020.3777 – BIG-IP Products: Multiple vulnerabilities BIG-IP Products affected by Administrator compromise, remote code execution and cross-site Scripting vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2020 interview with Chris Gatford AUSCERT2020 Conference Interview: Chris Gatford from Hacktive.io Leading up to the AUSCERT2020 conference, we sat down with Chris Gatford from Hacktive.io about his involvement in the conference and the recent work he has done for the SBS. Tell us about your professional career? I was the type of kid that would take my toys apart and put them back together with less parts, and then terrorise my sister. Looking back, I would like to think that this was the start of my hacking passion. I think it’s important to remember that hacking is not just about breaking into computer systems. It’s a way of thinking, and a method for approaching problems such as out-of-the-box thinking and solving problems by doing things differently. I was introduced to the IT industry as a child and after creating my own computer out of a cardboard box and motherboard, I soon realised I had a knack for this. After school, I completed a business computing degree and became a system administrator. I was responsible for looking after computer networks and had to draw on out-of-the-box thinking whenever an issue arose. During this role, my interest in security began to grow. After several years, I eventually jumped into The Big Four and got involved in IT consulting and testing computer security. You are the founder and Director of Hacktive.io, what does your company do? Hacktive.io is actually my second business. My first business venture was founded in 2008 and I sold it soon after. I learnt a lot from this experience and started my second business Hacktive.io. At Hacktive.io, we engage with organisations across the world and test their physical security and computer/network security. We focus on helping our clients understand the security vulnerabilities of their networks, applications, premises, and their people. Can you expand further on social engineering tests and how these tests are completed?  Often a customer will approach Hacktive.io and request that their company’s environment (a building or third party site) get tested. Firstly, we obviously get permission from the company. Then we will conduct the social engineering tests on the physical environment, the people/employees of the company, and their IT department. Following the social engineering test, we teach the company how they can better defend themselves against hackers. More so now, than ever before, individuals and employees are getting targeted by hackers. We equip businesses with common and useful tools that are available to everyone. What made you want to be a part of the AUSCERT2020 Conference? I have been a long believer and supporter of AUSCERT, and have attended every conference since 2003. The fact that it’s the oldest IT security conference, and it’s still going strong after all these years, is a huge testament to the company. To be among so many professionals who share information on staying secure is a huge honour. Can you tell us more about the tutorial you ran at the conference?  My tutorial was on “How to build a security awareness training program” and demonstrated how Hacktive had infiltrated and extracted sensitive information from organisations, and the mechanics involved in an attack. I discussed how to reverse the process and understand the mechanisms involved in breaking into the organisation. I am also a strong believer in computer-based training, while also reflecting on how to excite and energise a workforce to be interested in computer security again. You were recently interviewed on SBS, can you tell us more about this?  I was very lucky to have the SBS team alongside a Red Teaming Pen Test. SBS was able to capture the reasons behind our testing and record us walking away with a company’s equipment. We were able to show how easy it was to use a company’s own devices to hack back into their network.  What do you see as some of the biggest cyber threats in today’s society? The first cyber threat that comes to mind is that information security is hard, and breaking into systems can be a very easy job. However, it is really difficult to build systems, maintain them and in the long-term keep them secure. So it’s critical to have the right tools in place to monitor security, because ultimately ransomware is still an effective attacker. The second cyber threat that comes to mind is invoice fraud. I often hear instances of ‘customers’ pretending to change their bank account details and then the invoices are getting paid out to the wrong bank account. The financial fraud impact on business is massive and businesses must recognise that fraud is still alive and well.  

AUSCERT case study: an insight into our Incident Management service November 2020  AUSCERT case study: an insight into our Incident Management service Featuring Sean McIntyre, AUSCERT Senior Info Security AnalystYou recently assisted a client who came to us via Chris Gatford, a long-time AUSCERT supporter and contributor to our annual conference. Can you tell us a little bit more about the incident and what service category/categories did this fall under? Sure thing! A few weeks ago AUSCERT was called upon to assist Chris with a cyber security incident he was dealing with on behalf of a client. We won’t be able to disclose too many specific details out of respect for the client; but basically, the incident  involved a new threat actor that has popped up – Egregor (we recently shared an article about this on our ADIR) – a Sekhmet ransomware spin-off, also linked to the Maze threat actor group. We started off without knowing too much information on this particular ransomware nor its threat vectors; but with some research and a thorough scan of our various OSINT resources, I was able to find samples of the malware and some IOCs proved useful in assisting this client.  Another channel we tapped into was our connection with the various CERTs around the world. In particular, the APAC region – thanks to our international liaison expert, Geoff Thonon, who is also our Operations Manager here at AUSCERT.  Quite a few Egregor malicious URLs were discovered over this period of investigation and Chris had also provided a few more to be taken down. These requests were sent off to a number of  hosting and domain providers as per our routine Phishing Take-Down service procedure. And last but not least, we added these URLs to our Malicious URL Feed and IOCs to our MISP instance as a way of sharing the details with (i.e. protecting) our members.  I would say that this particular request falls under our Incident Management (although on the “lighter” side of a scale), Phishing Take-Down and Malicious URL Feed service categories.  Between receiving this request and to the time that the incident was resolved, can you outline the time it took our incident response team to resolve the issue? What do you think sets AUSCERT apart from a service delivery point of view? From AUSCERT’s perspective, we always initiate action on any request that comes through as soon as possible and definitely within a 24-hour period. In this instance, our expertise was sought after in regards to this new ransomware/threat actor. We were able to provide Chris with some of this threat intelligence and information over a couple business days of research work. Take-down requests for the initial URLs that were provided to us by Chris were submitted instantaneously, with follow-ups done whenever additional URLs were submitted on behalf of his client.   Even though these take-down requests were actioned promptly on our end, it’s important to note that we were reliant on the hosting providers to action them. Thankfully, most of the URLs seemed to stop functioning/existing within 1 business day or so after the request(s) was/were submitted.  I think what sets AUSCERT apart is our reach and connection with the CERT community, and also the fact that our member incident hotline is open 24/7. There’s a saying here at AUSCERT, “We exist for the greater good” – and we really try and showcase this with our members. Sean, what do you think are the 3 key takeaways from this incident, what can members or clients do to avoid something similar happening to them in the future?  Review your operating system (OS) compliance. It is super important to make sure unmaintained OSs such as Windows XP are taken off the network where possible. If an outdated OS is supplied by a vendor on a core system/endpoint – please work with them to upgrade all products. This is a super simple yet most effective way to avoid such incidents from happening within your SME. Ingest IOCs of known malware into firewalls/SIEM. These can be found via various OSINT sources or via a trusted partner such as AUSCERT. If you’re a member, utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au. Where possible, implement the “Essential 8” as outlined by the ACSC. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

AUSCERT Week in Review for 30th October 2020 Greetings, This week, our team enjoyed participating in the range of initiatives that took place for AU CyberWeek2020, well done to colleagues from AustCyber for their wonderful work in pulling this event off. Next week sees us supporting the Inaugural AHECS Cybersecurity Summit “Bridging the Gap”. Coby Prior, our infrastructure Engineer Lead will be presenting on the topic of Honeypots of Threat Intelligence. We look forward to connecting with you at this Summit. Keep an eye out for the launch of our AUSCERT2021 Call for Papers initiative by following AUSCERT on social media Twitter, LinkedIn and Facebook. Do YOU or someone YOU KNOW have a great story to tell? We would like to hear it! At AUSCERT2021, we want to see you dusting off your playbooks: Security, Orchestration, Automation, and Response will see us SOARing with cyber. Last but not least, don’t forget to complete the 2020 BDO in Australia and AUSCERT Cyber Security Survey by COB today! Do not miss your chance to gain insight into the maturity of your organisation’s cyber security approach. This annual survey will allow you to benchmark your organisation’s current cyber security efforts with industry trends and determine ways to improve its cyber security culture, planning and response measures. Until next week, have a wonderful weekend everyone. Don’t dose up on too much Halloween sugar and Queenslanders – enjoy the state election weekend and last but not least, congratulations again to our friends in Melbourne and the wider Victorian region for their tremendous effort in tackling the Covid curve! Emotet malware now wants you to upgrade Microsoft Word Date: 2020-10-24 Author: Bleeping Computer Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature. Emotet is a malware infection that spreads through emails containing Word documents with malicious macros. When opening these documents, their contents will try to trick the user into enabling macros so that the Emotet malware will be downloaded and installed on the computer Attackers finding new ways to exploit and bypass Office 365 defenses Date: 2020-10-26 Author: Help Net Security Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals. Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats. Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication (DMARC, SPF, DKIM). Business Email Compromise Date: 2020-10-27 Author: ACSC (cyber.gov.au) [Members, feel free to reach out via our 24/7 Incident Hotline for any BEC related assistance] The Australian Cyber Security Centre (ACSC) has released a new publication – Protecting Against Business Email Compromise (BEC) – to help Australians defend against these deceptive and expensive scams. Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo Date: 2020-10-28 Author: Krebs on Security In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems. Massive Nitro data breach impacts Microsoft, Google, Apple, more Date: 2020-10-26 Author: Bleeping Computer A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank. Claimed to be used by over 10 thousand business customers and 1.8 million licensed users, Nitro is an application used to create, edit, and sign PDFs and digital documents. ESB-2020.3750 – Junos OS: Multiple vulnerabilities Appliances running Junos OS affected by serious Administrator Compromise and Cross-site Scripting vulnerabilities. ESB-2020.3709 – python-django: Multiple vulnerabilities Contained multiple vulnerabilities which would grant attackers abilities to modify arbitrary files, cause denial of service and access confidential data. ESB-2020.3701 – thunderbird: Multiple vulnerabilities Thunderbird hosted multiple vulnerabilities including remote code execution and denial of service. ESB-2020.3669 – linux kernel: Multiple vulnerabilities World-wide user of the Linux kernel were affected by multiple vulnerabilities including Root Compromise. ESB-2020.3662 – ALERT phpmyadmin: Multiple vulnerabilities Popula phpmyadmin contained remote code execution, cross-site scripting and confidential data access vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2020 MC: Adam Spencer Prior to the AUSCERT2020 Conference, we caught up with Adam Spencer to chat about his involvement with the conference, and hear his thoughts around cyber security and observations on the year of 2020.   Can you start by telling us about your professional career? I could say lawyer and mathematician, although neither of those career paths really worked out. I am probably better to lead with stand-up comedian, from where I then stumbled into the world of radio and television where I continue to be thoroughly unprofessional. I have also written and co-written approximately ten different books trying to popularise mathematics. These are written for people who do really get mathematics and have a talent for it and want to get better at it. When writing, I’ve had the pleasure of reaching out to smart, switched on nerdy kids from about the age 12 and above—and I absolutely love it.   You are a self-confessed lifelong number nerd. What is your favourite number? As a kid, my favourite number was four. This was the first number that realised you could break into two even groups. For example, you couldn’t break down five or seven, but you could break down nine into three groups of three. It was from here that I started to get the concept of prime numbers and composite numbers just from breaking down the number four. I have now been fascinated by multiples of four for the rest of my life. For example, if we were to go for a drive and you turned the volume up to 31, I would need to change it to 32 so it could be a multiple of four.   How do numbers and maths play a role in cyber security? The basis of all computing and code of any sort is beautifully mathematical. I was lucky enough to interview Steve Wozniak who wrote the original Apple Source Code, back when it was just ones and zeros. Now, I’m not a specialist in that field, but from what I understand, no one has ever found a single error in Wozniak’s original programming and coding. Which is beyond belief for something as complicated as that not to have mistypes. The genius that underpins a system like that is incredible. Furthermore, the basis of the systems that we use to exchange credit card details online and not being hacked by a third party through the RSA algorithm, is just beautifully mathematical. Cyber security is a great example of how maths is still relevant. Mathematics permeates everything and we are just blissfully unaware.   You have been part of the AUSCERT conference for a few years now. What is it that first prompted you to be a part of it? The thing that I enjoy about my line of work as a professional MC and facilitator is that I’m rarely the smartest guy in the room on any given topic. But to learn anything, you need to expose yourself to the absolute best people in those fields. I’m a strong believer that if you speak to those passionate and informed about something, almost any topic can be interesting. For almost a decade I have been able to surround myself with people who are the best in the business (of Cyber Security) and hear about what’s on their mind about the cutting edge trends is incredible.  I remember first hearing mutterings about ransomware in the AUSCERT community years ago, and now it’s something that people have to deal with all the time. I feel like I am in the presence of people who really understand cyber security and having discussions that are ahead of the general population, is just so exciting.   Tell me about your most recent book, Numberland. I filled it with a bunch of stuff that blew my mind at the time. Looking back at it, I think I can best describe it as a compilation of stuff that I hope intrigues the ‘number curious’ amongst us. For AUSCERT members who are interested in my book, they can use the promo code ‘HOME’ to receive 20% off. Visit adamspencer.com.au to grab a signed copy.   Do you have any advice for someone who is passionate about maths or cyber security? Mathematicians will build this century—this is the century that will be built on ones and zeros. I think of many cyber security experts as mathematicians. So, for people with a passion in the area of cyber security, coding, app design, software, or statistics will have a role to play in building our future. It has never made more sense to find your passion in mathematics or cyber security, and take whatever skillset you have and maximise it. For young people coming out of high school and into the job market, my advice would be, if you can show that you have experience and knowledge in Mathematics, you’ll end up writing your own cheques in the workplace. There is no denying that mathematical thinking is going to underpin and build this century.