Blogs

AUSCERT at the forefront of Cybersecurity and AUSCERT2020 "We Can be Heroes"

7 Sep 2020

[Editor’s note: an edited version of this article features in the CyberAustralia Magazine 2020-2021]

AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, AUSCERT delivers 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy.

The Australian Government Department of Home Affairs released their report on Australia’s 2020 Cyber Security Strategy recently and AUSCERT is very proud to have been involved in the consultation process late last year. The report included 60 recommendations to bolster Australia’s critical cyber defenses which are structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT:

• Deterrence: Any infrastructure reported by our members that proves to be malicious will be subject to persistent and escalating takedown notices.
• Prevention: The initiative of providing Indicators of Compromise, Indicators of Vulnerability, security advisories and bulletins provides strong proactive preventative information.
• Detection: Bi-directional threat intelligence gathering through open source platforms where members are given real-time intel that helps to automatically detect and block potential attacks.
• Resilience: AUSCERT takes part in and helps organise Asia Pacific regional cyber drills, and provides webinars to members to keep cyber security awareness front-of-mind.
• Investment: AUSCERT, being a non-profit organisation, reinvests all of our membership proceeds into service deliveries, improvements and the building of our membership cyber security capabilities.

Clear benefits for members

AUSCERT leverages the resources provided by its membership base and The University of Queensland Australia. Our reach with international CERTs as well as other Australian organisations increases the effectiveness of our action for malicious infrastructure take-downs and abuse advisory, and this international co-operation enables an internationally recognised norm of incident response. With a 24/7 member incident hotline, AUSCERT enables our members to keep their incident response effective by providing assistance that complements existing capabilities.

Cyber risks are owned by those best positioned to manage them

Assistance in establishing risk assessment as well as an incident response plan are covered through AUSCERT education where an understanding of these concepts allows for efficient use of resources in preventing, mitigating the transfer of or avoiding cyber risks.

AUSCERT members practice cyber security at home and at work

With the increase in remote-working, AUSCERT assists our members no matter what the physical location of their work setting may be.

AUSCERT is a cyber security incident response team exemplar

AUSCERT takes incident response seriously and trains its staff body to be able to handle incidents whenever they arise. This is done not only through internal training; all staff are also encouraged to attain industry certification(s) in line with their job requirement. This experience is then reinvested back to members in the form of advice publication, blog article(s) and educational events such as webinar sessions. Additionally, Indications of Vulnerabilities and Indications of Compromises are streamed to members on a daily basis, thus keeping our members aware of vulnerabilities, leaked credentials, misconfigurations as well as the availability of remedial advice.

Trusted services, nationally and internationally

AUSCERT as a trusted entity in cyber security is handed information on incidents and vulnerabilities from national and international sources.

AUSCERT2020 “We Can Be Heroes”

AUSCERT2019 “It’s Dangerous to Go Alone” gave delegates the tools to build knowledge within their teams. This year, the emphasis lies on the fact that anyone in your organisation can be your champion, your cyber security hero. Not only is it vital that you have a strong team behind you, but it is also equally important that you equip and encourage every individual in your organisation to assist in cyber and data security.

AUSCERT2020 will be held across 4 days, packed with world-class tutorials and presentations delivered by over 60 speakers from around the globe. With an audience of around 1000 delegates, this year’s conference will be the largest held in recent years.

We’re especially proud to feature a number of AUSCERT content and speakers, namely – Colby Prior and his tutorial on the topic of “Running your own honeypot: An Introduction”, Mike Holm and his co-presentation with Leon Fouche from BDO on the topic of the “Joint AUSCERT and BDO Annual Cyber Security Survey Report 2019” and last but not least, Geoff Thonon on the topic of “Could Phishing be nastier by any other name?”. In addition to these AUSCERT presentations, UQ will also be represented by Mandy Turner from the SOC team, speaking on the topic of “Cybercrime” and the team from UQ Cyber from the EAIT Faculty will also be hosting a virtual booth at the conference.

The format of the conference delivery may be different this year, but AUSCERT is as committed as ever to providing you with meaningful and rich content – all from the comfort of your office or home environment. “Cyber security has never been more important”. The cyber security landscape is ever-changing, and AUSCERT is passionate about engaging with members to empower their people, capabilities and capacities.

For more information on AUSCERT, please contact membership@auscert.org.au or +61 7 3365 4417. For further information on the AUSCERT2020 conference, please contact conference@auscert.org.au.


Week in review

AUSCERT Week in Review for 4th September 2020

4 Sep 2020

Greetings,

This week, the team made headlines with our research piece on a data dump claimed to be from the Department of Education, which turned out to be low-threat info from a third-party company.

Members, don’t forget that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

As promised, we announced our AUSCERT2020 partnership with LIVIN.org, an organisation focussed on “Breaking the stigma of mental health.” In 2020, all revenue raised through our general admission registration sales for AUSCERT2020 will be donated directly to a chosen charity. As an organisation, AUSCERT has always felt strongly about the effects of mental health in the cyber and information security industry and is proud to utilise this opportunity to contribute towards a very worthy cause.

Word on the street also has it that our various delegate swag bags are making their way this week to the first 600 registered delegates with an Australian address. We hope you love the items included in the swag bag and have to thank our wonderful sponsors.

Until next week, take care – don’t forget to spoil your awesome dads (Father’s Day on Sunday 6 September!) and have a great weekend everyone.

David Lord, former team lead: On another note, I’m leaving AUSCERT today. I’m ADIR’s original creator and editor, although in recent times our comms expert Laura has taken the helm. It has been a pleasure to build and shape this service. Members sometimes send notes of thanks for our emphasis on concise but informative summaries, and that’s high praise indeed. I’ll certainly be staying subscribed 😉

Large Australian education data leak traced to third-party service
Date: 2020-09-02 Author: iTnews
An online maths resource with a large Australian user base appears to be behind a large-scale leak of data touted online as a dataset belonging to the “Australian department of education”. Images of the dataset purporting to contain the data of an unknown number of individuals, including those with vic.edu.au and wa.edu.au email addresses, emerged on Tuesday night. Alon Gal, chief technology officer at cyber security intelligence firm Hudson Rock, claimed the dataset belonged to the “Australian Department of Education”, which does not exist.

AUSCERT says alleged DoE hack came from a third-party
Date: 2020-09-02 Author: ZDNet
In a statement posted on its website, AUSCERT said that after analyzing the data with cyber-security firm Cosive, it determined that the leaked data originated from K7Maths, an online service providing school e-learning solutions. AUSCERT is now urging Australian schools to check if their staff are using the K7Maths service for their daily activities, and take appropriate measures, such as resetting the teacher and students’ password, in case they had re-used passwords across other internal applications.

SendGrid under siege from hacked accounts
Date: 2020-08-29 Author: Krebs on Security
Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime. [AUSCERT can empirically confirm that we see this daily.]

Over 54,000 scanned NSW driver’s licences found in open cloud storage
Date: 2020-08-28 Author: iTnews
Tens of thousands of scanned NSW driver’s licenses and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn’t know how the sensitive personal data ended up in the cloud. The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into another data breach. “All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” Diachenko told iTnews.

ESB-2020.3001 – Django: Multiple vulnerabilities
Filesystem permissions meant that a malicious local user had more access than they should.

ESB-2020.2976 – Bacula: Denial of service
It’s just a cool name for a backup service.

ESB-2020.3028 – GitLab: Access confidential data
GitLab’s packaging woes continued as they released another security release which excluded the security fixes, and then another hasty release to include them. If you’re using v13.3.3, v13.2.7 or v13.1.9, you should update.

ESB-2020.3006 – Ansible: Multiple vulnerabilities (RCE)
Another user/admin can manipulate the package store, and ansible will install packages that have been altered but won’t know or report it – so the deployment/config/ansible workflow/admin will not be aware of the compromise.

Stay safe, stay patched and have a good weekend!
David


Blogs

AUSCERT investigating a data dump claimed to be from the Department of Education

3 Sep 2020

3:40pm 03/09/20 AEST

Updated below to clarify that first and last name are also included in the data. This doesn’t change our assessment. Unless further developments occur, we believe no further research is required. Please notify us if you find that your staff or students have used the service and you have concerns.

4:30pm 02/09/20 AEST

Working with Cosive, we’ve found signs that this is a re-publish of a dataset published in March 2020 or earlier, relating to a service called “K7 Maths”. The TLS on their site also correlates with what seems to be their Australian presence. It’s likely that the data came from an exposed Elasticsearch instance. There are no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort.

Members concerned that their staff may have used this tool and may be included in the full dump should, where possible:

• Check with teaching and admin staff for usage of the service.
• Check mailboxes for sign-up emails from schoolcentre.com.au, k7maths.com or schoolcentre.com before that date.

If usage is found, we recommend:

• Consider that that credential may be compromised, and anywhere the password was re-used may now be exploited. A password reset for internal services is usually worthwhile, but consider your environment before applying this advice.
• Monitor staff accounts for suspicious logins – email, VPN, etc. This can lead to business email compromise (BEC), unauthorised access to the network, malware being sent between users, and more.
• Notify AUSCERT.

There’s a mitigating factor: the password hashes use the standard bcrypt algorithm, with a “cost factor” of ten rather than eight, which makes it four times harder than usual to crack.

We think that the only personal information in the dump is email address and country (edit: as well as first and last name) which would likely not count as a notifiable data breach. Our investigation there is incomplete. Consult your usual legal team if you have concerns.

4:00pm 02/09/20 AEST

We have a suspected source for the data, which is not a government agency. More information to follow.

9:50am 02/09/20 AEST

The dump refers to “the Australian Department of Education (edu.au)”, and no such organisation exists. We’ve reached out to likely candidates for comment.

9:15am 02/09/20 AEST

We’ve seen reports that an Australian education-related data set of unknown origin has been published. We’re looking into it now and will update this post as we get more information. We’ll also be posting updates on Twitter and LinkedIn.

The claim is that it’s from the Australian Department of Education, and was retrieved in 2019. The claimed fields are:

• country_id
• created_at
• email
• encrypted_password (may be a bcrypt hash?)
• first_name
• id
• is_admin
• is_guest
• last_mail_at
• last_name
• last_sign_in_at
• newsletter
• region_id
• tags
• subscription
• orders
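The cost-factor comparison in the 4:30pm update can be checked directly against the `encrypted_password` values in a dump. The following is an added example, not AUSCERT's or Cosive's code: it parses bcrypt strings in the standard `$2a$NN$...` layout, rejects anything malformed, and reports the work per guess relative to a baseline cost. The function names, the baseline constant and the sample records are assumptions constructed for illustration; none of the values come from the dataset.

```python
"""Audit bcrypt cost factors in password-hash fields from a credential dump."""
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Modular crypt layout: $<version>$<two-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Assumption taken from the post: cost 8 is the "usual" figure it compares against.
BASELINE_COST = 8


class BcryptHash(NamedTuple):
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # bcrypt runs 2**cost iterations of its expensive key setup.
        return 1 << self.cost


def parse_bcrypt(value: str) -> Optional[BcryptHash]:
    """Return the parsed hash, or None if the value is not well-formed bcrypt."""
    m = BCRYPT_RE.fullmatch(value.strip())
    if m is None:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        return None
    return BcryptHash(m.group(1), cost, m.group(3), m.group(4))


def relative_work(cost: int, baseline: int = BASELINE_COST) -> float:
    """How many times more work one guess costs than at the baseline cost."""
    return 2.0 ** (cost - baseline)


def audit(records: Iterable[dict], field: str = "encrypted_password") -> dict:
    """Summarise hash formats and cost factors across dump records."""
    by_cost = Counter()
    unparsed = []
    for rec in records:
        parsed = parse_bcrypt(str(rec.get(field, "")))
        if parsed is None:
            # Not bcrypt (or malformed): needs separate assessment.
            unparsed.append(rec.get("email", "<no email>"))
        else:
            by_cost[parsed.cost] += 1
    return {
        "bcrypt": sum(by_cost.values()),
        "by_cost": dict(sorted(by_cost.items())),
        "weakest_cost": min(by_cost) if by_cost else None,
        "relative_work": {c: relative_work(c) for c in sorted(by_cost)},
        "not_bcrypt": unparsed,
    }


def fake_hash(version: str, cost: int, fill: str) -> str:
    """Constructed placeholder with bcrypt's shape; not a real digest."""
    return f"${version}${cost:02d}${fill * 53}"


# Constructed sample records (not taken from the dataset).
SAMPLE = [
    {"email": "a@school.example", "encrypted_password": fake_hash("2a", 10, "A")},
    {"email": "b@school.example", "encrypted_password": fake_hash("2a", 10, "B")},
    {"email": "c@school.example", "encrypted_password": fake_hash("2b", 8, "C")},
    {"email": "d@school.example", "encrypted_password": "0" * 32},  # not bcrypt
    {"email": "e@school.example", "encrypted_password": fake_hash("2a", 3, "D")},  # cost out of range
]

if __name__ == "__main__":
    for key, val in audit(SAMPLE).items():
        print(f"{key}: {val}")
```

Records reported under `not_bcrypt` are the ones to look at first, since a different or malformed digest format says nothing about how hard those passwords are to recover.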


Week in review

AUSCERT Week in Review for 28th August 2020

28 Aug 2020

Greetings,

Members, this week we informed everyone that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

As we approach the AUSCERT2020 conference, we would like to take this opportunity to remind everyone of our program offerings, speakers list as well as all the interactive activities that will be on offer during the conference. Registrations for the conference are still open but with very limited spaces remaining so be sure to spread the word amongst your professional network so they don’t miss out.

In 2020, all revenue raised through our general admission registration sales will be donated directly to a chosen charity. We will be announcing this charity early next week.

We’re very much looking forward to catching up with as many of you as possible in mid-September – albeit virtually!

Until next week, take care and have a great weekend everyone.

ASIC sues financial services company for repeated hacks
Author: iTnews
The Australian Securities and Investments Commission today said it has taken RI Advice Group to court for cyber security failings that led to its systems being hacked for months on end, and on multiple occasions. In its notice of filing, the regulator says RI is required to establish and maintain compliance measures, as an Australian financial services licence holder. The unknown hacker obtained access via an FFG staff account, and spent more than 155 hours logged into the file server that contained sensitive financial information and client identification documents.

MITRE Releases ‘Shield’ Active Defense Framework
Author: Dark Reading
MITRE Corp. has released a new guide cataloging measures that organizations can take to actively engage with and counter intruders on their networks. Like MITRE’s widely used ATT&CK framework, which offers a comprehensive listing of attacker behavior, the federally funded organization’s new Shield is a publicly available knowledge base, this time of tactics and techniques for proactive defense.

NZ stock exchange suffers outages due to DDoS attacks
Author: iTWire
New Zealand’s stock exchange has been hit by a distributed denial of service attack on Wednesday morning which forced the exchange to go offline for about an hour. The New Zealand Herald reported that the exchange had gone down at 11.24am local time (9.24am AEDT) on Wednesday and resumed operations at 12.20pm. On Tuesday evening, the exchange could not operate during its last hour, due to a similar reason. This outage happened as the exchange was approaching a record closing.

Elon Musk confirms Russian hacking plot targeted Tesla factory
Author: ZDNet
Earlier this week, US authorities arrested and charged a Russian national for traveling to the US to recruit and convince an employee of a Nevada company to install malware on their employer’s network in exchange for $1 million. While no court indictment named the targeted company, several news outlets specialized in covering the electric cars scene speculated today that the attack had very likely targeted US carmaker Tesla, which operates a mega-factory in Sparks, a town near Reno, Nevada. While Tesla had not returned requests for comment on the topic, in a tweet earlier today, Tesla CEO Elon Musk officially confirmed that the hacking plot did, indeed, target his company.

New Zealand bourse crashes for fourth day after cyber attacks
Author: iTnews
New Zealand’s stock exchange crashed for a fourth day on Friday, due to network connectivity issues relating to two cyber attacks targeted at the bourse this week, bourse operator NZX said. There is no clarity on who is behind these “offshore” attacks and why New Zealand was targeted.

ASB-2020.0148 – AUSCERT member survey: security bulletins
If you only read one bulletin this week, read this one. Tell us what you want from the service and we’ll enter you in the draw for a Nintendo Switch Lite, which will make you very cool with people in the 8-12yr age bracket.

ESB-2020.2898 – MongoDB: Denial of service – existing account
An authorised user could misuse the function to compare two geographic points.

ESB-2020.2899 – QEMU: Multiple vulnerabilities
Everyone’s favourite free and open-source hardware virtualiser.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 21st August 2020

21 Aug 2020

Greetings,

Members, keep an eye out for a copy of the August edition of our membership newsletter “The Feed” landing in your inbox today.

This week we supported the National Scams Awareness Week 2020 as a campaign partner and shared the various messages through our social media channels. Don’t forget to visit this campaign page for further details and tips on how to protect yourself against scams.

In lieu of the various member meet-ups we have been unable to host this year, our team hosted a series of webinars featuring our range of services with the focus on how to maximise the utilisation of these services. Topics covered: Malicious URL Feed, Security Bulletins and Phishing Take-Down. To catch up on the recordings of these sessions, visit our YouTube channel here.

Last but not least, we’d previously shared this on our LinkedIn page – the Australian Department of Home Affairs is inviting you to have your say on the Protecting Critical Infrastructure and Systems of National Significance Package 2020. This initiative is particularly relevant to members from the following critical infrastructure sectors:

• Banking and Finance
• Communications
• Data and the Cloud
• Defence industry
• Education, Research and Innovation
• Energy
• Food and Grocery
• Health
• Space
• Transport
• Water

Until next week, take care and have a great weekend everyone.

Over 25% of all UK universities were attacked by ransomware
Author: Bleeping Computer
A third of the universities in the United Kingdom responding to a freedom of information request admitted to being a victim of a ransomware attack. These represent more than 25% of the universities and colleges in the country. The incidents occurred in the past decade, most of them between 2015 and 2017. Several educational institutions suffered at least two file-encrypting attacks over the past decade, one of them recording more than 40 since 2013. Digital PR and SEO agency TopLine Comms on June 29 submitted an FOI request to 134 universities in the U.K., asking if they had recorded a ransomware attack, when it happened, if they paid a ransom or not, and what the amount was if they did pay.

University of Utah pays $450K ransom to stop leak of stolen data
Date: 2020-08-20 Author: Bleeping Computer
The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack. Since the end of 2019, ransomware operators have started stealing unencrypted files before deploying their ransomware. The ransomware gang then threatens the victims by saying they will publicly leak the stolen files if a ransom is not paid.

ACT Education blocks student Gmail access after spam email storm
Date: 2020-08-14 Author: ITNews
ACT’s Education Directorate has blocked all public school students from accessing their Google email accounts after they were spammed en masse on Friday. The spam campaign emerged on Friday afternoon with an undisclosed number of students receiving dozens of emails, resulting in a reply-all “email storm”. iTnews understands some of the emails link to lewd websites and Instagram accounts, while other messages tried to solicit inappropriate images.

World’s largest cruise line operator Carnival hit by ransomware
Author: Bleeping Computer
Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend. Carnival Corporation is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn. In an 8-K form filed with the Securities and Exchange Commission, Carnival Corporation has disclosed that one of its brands suffered a ransomware attack on August 15th, 2020. As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach.

ESB-2020.2832 – GitLab: Access confidential data – remote/unauthenticated
GitLab released new versions to fix a critical issue with deploy token access control, but owing to a packaging error, they didn’t contain the fix. A second set of versions was released soon after.

ESB-2020.2809 – Jenkins core and plugins: Multiple vulnerabilities
Sentences like these really show the complexity of software: “Jenkins […] does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability.”

ESB-2020.2852 – Cisco vWAAS: Administrator compromise – remote/unauthenticated
“A vulnerability in vWAAS … could allow an unauthenticated, remote attacker to log into the CLI … by using accounts that have a default, static password.” Cisco have rooted out countless issues like these in recent years.

ESB-2020.2680.2 – Cisco AnyConnect for Windows: Multiple vulnerabilities
This was updated with Cisco’s advice that proof-of-concept exploit code has been published.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 14th August 2020

14 Aug 2020

Greetings,

If you were part of the first 600 delegates who registered for AUSCERT2020, you would have received an email earlier this week with details confirming your entitlement to a complimentary Conference Swag Bag. We trust that you’re as excited as we are that the conference is only 5 weeks away.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise usage of these within our membership group. Our last session pre AUSCERT2020 is detailed below:

• 19th August – Phishing Takedowns (register HERE)

Last but not least, next week marks the National Scams Awareness Week 2020 and as a campaign partner, AUSCERT will be sharing the various messages from this campaign through our social media channels.

Until next week, take care and have a great weekend everyone.

Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Date: 2020-08-11 Author: Threatpost
[Refer to AUSCERT related bulletins ASB-2020.0139, ASB-2020.0140 and ASB-2020.0145. Member portal login required.]
Two Microsoft vulnerabilities are under active attack, according to the software giant’s August Patch Tuesday Security Updates. Patches for the flaws are available for the bugs, bringing this month’s total number of vulnerabilities to 120. One of the flaws being exploited in the wild is CVE-2020-1464, a Windows-spoofing bug tied to the validation of file signatures on Windows 10, 7, 8.1 and versions of Windows Server. Rated “important,” the flaw allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said. A second zero-day is a remote code-execution bug rated “critical,” which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem. A successful hack gives the attacker the same user rights as the current user, the company wrote.

NSW govt agencies to face cyber security inquiry
Date: 2020-08-12 Author: iTnews
A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks. The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry. The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

Upgraded Agent Tesla malware steals passwords from browsers, VPNs
Date: 2020-08-10 Author: Bleeping Computer
New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

Travelex Forced into Administration After Ransomware Attack
Date: 2020-08-10 Author: Infosecurity Magazine
Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news. The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK. PwC remained upbeat about the future of the company, following its £84 million restructuring.

ESB-2020.2680.2 – Cisco AnyConnect client for Windows: Increased privileges
Cisco updated last week’s advisory to add that proof-of-concept exploit code is now available.

ESB-2020.2803 – Apache Struts: Multiple vulnerabilities
Apache Struts is one of those libraries deployed more widely than you’d think, and a previous vulnerability contributed to the infamous Equifax breach.

ESB-2020.2780 – Citrix Endpoint Management aka XenMobile Server: Unspecified critical vulnerabilities
Citrix released a patch assessed as critical severity without providing detail on the vulnerabilities involved, which is a fun mystery.

ESB-2020.2802 – Microsoft Dynamics 365: Remote code execution
Microsoft released a separate advisory the day after Patch Tuesday to warn of this RCE and its corresponding patch, also assessed as critical.

Stay safe, stay patched and have a good weekend!
David


Week in review

AUSCERT Week in Review for 7th August 2020

7 Aug 2020

Greetings,

This week we wanted to highlight the blog we’ve written on the topic of the ProctorU breach. Key takeaways include: members are encouraged to assess it in the context of their own organisation, this breach mainly affects educational institutions who used ProctorU (prior to approximately Q3 of 2016) and AUSCERT has notified affected members through their normal incident email alias.

Thank you to those who attended our Malicious URL Feed and Security Bulletins webinars. To catch up on the content we’d presented for these, drop by our YouTube channel.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Our last session pre AUSCERT2020 is detailed below:

• 19th August – Phishing Takedowns (register HERE)

Last but not least, further to the Prime Minister’s press conference with Home Affairs Minister Peter Dutton yesterday, we wanted to share the official launch details of Australia’s 2020 Cyber Security Strategy. The Strategy outlines Australia’s approach to protecting Australians from growing cyber threats and has committed an investment of $1.67 billion over 10 years to achieve this vision. We hope you find this document a useful resource.

Until next week, take care and have a restful weekend everyone.

Australia’s Cyber Security Strategy 2020
Date: 2020-08-06 Author: Australian Department of Home Affairs
The Australian Government has today launched Australia’s Cyber Security Strategy 2020. The Strategy outlines Australia’s approach to keeping families, vulnerable Australians, critical infrastructure providers and business secure online. It is a strategy for all Australians and Australian businesses. Security is a whole-of-community effort, in which we all have a role to play. The Strategy will invest $1.67 billion to build new cyber security and law enforcement capabilities, assist industry to protect themselves and raise the community’s understanding of how to be secure online. This includes the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package. We encourage all Australians to read the Cyber Security Strategy 2020 and play your part in creating a more secure online world.

INTERPOL report shows alarming rate of cyberattacks during COVID-19
Date: 2020-08-04 Author: INTERPOL
An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure. With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption. In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

Hacker leaks passwords for 900+ enterprise VPN servers
Date: 2020-08-04 Author: ZDNet
A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. According to a review, the list includes:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

Phishing campaigns, from first to last victim, take 21h on average
Date: 2020-08-01 Author: ZDNet
A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work. “We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit,” the research team wrote in a report they are scheduled to present at the USENIX security conference this month.

ESB-2020.2699 – Cisco Identity Services Engine: Access confidential data – Existing account
There was a large batch of Cisco bulletins released this week.

ESB-2020.2679 – GRUB2: Multiple vulnerabilities
Further grub2 patches were released by many Linux distros, including fixes for regressions.

ESB-2020.2661 – Android: Multiple vulnerabilities
Android patches released.

ESB-2020.2672 – Whoopsie: Multiple vulnerabilities
Isn’t that just a great product name!

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

AUSCERT mailout: ProctorU breach

6 Aug 2020

An apparent data breach of the ProctorU service, apparently published by a user named ShinyHunters, has been making news in the last week, including an article yesterday in the Sydney Morning Herald. AUSCERT has acquired a copy of the data and notified affected members.

ProctorU gave us the following comment:

On Monday July 27, 2020, we were made aware that some information purporting to come from ProctorU.com was posted to an internet message board. Although we are still investigating, none of the data analyzed so far from that posted data was from our active production servers and all of it was at least five years old. Therefore, we currently have no reason to believe that our active production servers or data of current clients and students from the last five years was implicated. We are continuing to investigate and will update you should that understanding change or with any additional information pertinent to you.

How bad is it?

You will need to assess it in the context of your own organisation. It appears that none of the data is newer than 2016. It includes personal information of ProctorU users, as well as institutional email addresses, and password digests. We’re not sure of the severity of the password digests – digests can be very easy or very difficult to crack depending on what they incorporate. There are reports that they are bcrypt hashes.

Was my organisation affected?

It affects mainly educational institutions who used ProctorU prior to approximately Q3 of 2016. We’ve notified affected members through their normal incident email alias. An administrator for your organisation can check in the member portal what that’s set to; if it’s current, and you haven’t heard from us, then you’re clear. Not all our educational members are affected.

I’ve received a file and don’t know how to decrypt it

Please log in to the member portal and consult this page for the passphrase. You’ll need a program like Kleopatra for Windows or GPG for Linux/Mac. If using the command-line, enter this and type the passphrase:

    gpg --output your-domain.tsv --decrypt your-domain.tsv.gpg

I’m encountering a GPG error when decrypting the file

GPG has some quirks. Please check the directory containing the encrypted file to see whether the decrypted file was created despite the error message. If it’s not there, please double-check the passphrase, and if that doesn’t work, reach out to us at auscert@auscert.org.au and we’ll assist.

How do I view a TSV file?

We suggest opening it in Excel or another spreadsheet program, choosing “My file is delimited”, ensuring that it uses the “Tab” as a delimiter, and ensuring that columns are of type “general”. Excel will default to all of these. You’re also welcome to use a command-line utility to split on tab characters.


Week in review

AUSCERT Week in Review for 31st July 2020

31 Jul 2020

Greetings,

This Thursday started out with a surprise, with a responsible disclosure of GRUB2 vulnerabilities by Eclypsium. A supporting write-up and ASB have been issued by AUSCERT to help you wade through the original advisories.

In other news, we are excited to announce our 3rd keynote speaker for AUSCERT2020 – Julie Inman-Grant – Australia’s eSafety Commissioner. In this role, Julie leads the world’s first government agency committed to keeping its citizens safer online. We look forward to hosting her on Friday 18th September.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Details below:

• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (register HERE)

And last but not least, another quick reminder for members to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback, thank you in advance for your time and support.

Until next week, have a great weekend and remember to keep washing your hands and stay 1.5m apart in public areas!

Billions of Devices Impacted by Secure Boot Bypass
Date: 2020-07-29
Author: Threatpost

[Refer to AUSCERT bulletin ASB-2020.0135 and blog post on the AUSCERT website “There’s a hole in the boot”]

The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks. Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning. GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.

Hacker leaks 386 million user records from 18 companies for free
Date: 2020-07-28
Author: Bleeping Computer

A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches. Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data. ShinyHunters has been involved in or responsible for a wide assortment of data breaches this past year, including Wattpad, Dave, Chatbooks, Promo.com, Mathway, HomeChef, and the breach of Microsoft private GitHub repository. Of the databases released since July 21st, nine of them were already disclosed in some manner in the past. The other nine, including Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha, have not been previously disclosed.

CISO concern grows as ransomware plague hits close to home
Date: 2020-07-28
Author: ZDNet

Ransomware is on a roll. Garmin is currently wrestling with a ransomware-induced outage, and locally in Australia, 2020 has seen ransomware take out major companies and threaten beer supplies when it hit logistics giant Toll and beverage company Lion. Toll has only recently recovered from its second dose of the year. These sorts of attacks are starting to ring alarm bells, with APAC CISO of JLL Mark Smink telling ZDNet on Tuesday the ransomware plague has evolved a long way from where it was four or five years ago.

Mystery actor disrupts Emotet malware distribution botnet
Date: 2020-07-25
Author: iTnews

Malware payloads replaced with animated GIFs. Security researchers are watching the infrastructure of malware delivery botnet Emotet being compromised by an unknown actor, and disrupting the criminals’ activities in the process. Microsoft cyber security researcher Kevin Beaumont wrote that someone is currently replacing the malware files distributed by Emotet with animated GIF images. The images include one of Hackerman, who starred in the internet cult classic Kung Fury.

ASB-2020.0135 – Linux and Windows: Multiple vulnerabilities
Summary of the GRUB2 bootloader vulnerability “BootHole” which made headlines late this week.

ESB-2020.2587 – APSB20-47 Security updates available for Magento
Adobe issued an out-of-band patch for 2 critical and 2 important vulnerabilities in the Magento e-commerce system, which has been famously targeted by MageCart malware in the past.

ESB-2020.2599 – Cisco SD-WAN Solution Software Buffer Overflow Vulnerability
Cisco’s updates this week included an unauthenticated root compromise. Quelle surprise.

ESB-2020.2561 – SQLite: Multiple impacts
SQLite is one of those core software projects – few people think about it, but everybody uses it. This issue was in the query optimisation engine.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

There's a hole in the boot

30 Jul 2020

Introduction

Responsible disclosure from Eclypsium has enabled the patches to the GRand Unified Boot Loader (GRUB) to be coordinated on the night of the 29th July 2020.

Impact

Modifications to the GRUB configuration file can result in the execution of arbitrary code, which can also allow UEFI Secure Boot restrictions to be bypassed. It is then possible to load further arbitrary executable code as well as drivers. To be able to exploit this vulnerability you first must have administrator or physical access to the target machine.

Systems affected

The vulnerability affects Microsoft as well as Linux based distributions, as it affects the UEFI Secure Boot DBX along with GRUB2. A non-exhaustive list of operating systems affected has been compiled by Eclypsium:

• Microsoft
• UEFI Security Response Team (USRT)
• Oracle
• Red Hat (Fedora and RHEL)
• Canonical (Ubuntu)
• SuSE (SLES and openSUSE)
• Debian
• Citrix
• VMware
• Various OEMs
• … and others …

Mitigation

It is recommended that an organisation undertakes their own risk assessment, weighing the severity of the impact (administrative/root control) against the need for the attacker to already have administrator or physical access to the target.

Microsoft notes that it is possible to detect this vulnerability using either Key Attestation or Defender ATP.

Eclypsium has outlined steps to mitigate this vulnerability as follows:

• Updates to GRUB2 to address the vulnerability.
• Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
• New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
• Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
• Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.

Advisories

AUSCERT has issued an AUSCERT Security Bulletin (ASB) [ASB-2020.135] and will be issuing External Security Bulletins (ESB) as they come to hand.

Below are excerpts of the Product Security Incident Response Teams (PSIRT) advisories that describe in brief the impact and vectors of these vulnerabilities.

Microsoft

| Tag | Description |
|---|---|
| ADV200011 | To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device. |

Linux Distribution

| Tag | Description | CVSS |
|---|---|---|
| CVE-2020-10713 | Crafted grub.cfg file can lead to arbitrary code execution during boot process | |
| CVE-2020-14308 | grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow. | 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-14309 | Integer overflow in grub_squash_read_symlink may lead to heap based overflow. | 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-14310 | Integer overflow in read_section_from_string may lead to heap based overflow. | 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-14311 | Integer overflow in grub_ext2_read_link leads to heap based buffer overflow. | 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2020-15705 | Failure to validate kernel signature when booted without shim | 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-15706 | Use-after-free in grub_script_function_create | 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2020-15707 | Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init leads to heap based buffer overflow | 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H |

Sources

Media reports

Forbes: https://www.forbes.com/sites/daveywinder/2020/07/29/boothole-secure-boot-threat-confirmed-in-most-every-linux-distro-windows-8-and-10-microsoft-ubuntu-redhat-suse-debian-citrix-oracle-vmware/#2537b652666e
ZDNet: https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/
Threatpost: https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/

Further information

Key Attestation: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
Defender ATP: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
UEFI Forum: https://uefi.org/revocationlistfile
Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

PSIRT Information

Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
Canonical: https://ubuntu.com/security/notices/USN-4432-1
Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
HPE: www.hpe.com/info/security-alerts
Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
VMware: https://kb.vmware.com/s/article/80181
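The integer-overflow entries in the advisory above (CVE-2020-14308 through CVE-2020-14311 and CVE-2020-15707) describe the same failure: a size computed from untrusted lengths wraps around, the allocation comes back too small, and a later write overruns the heap. The following C code is an added example, not GRUB code and not part of the original advisory; the function names and the sample lengths are constructed for illustration, and it contrasts the unchecked size calculation with an overflow-checked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the size handed to the allocator is computed as
 * count * elem_size + header. Unsigned arithmetic wraps silently, so a
 * large count from a crafted file can yield a tiny allocation size. */
size_t unchecked_alloc_size(size_t count, size_t elem_size, size_t header)
{
    return count * elem_size + header;
}

/* Checked pattern: validate each arithmetic step before performing it.
 * Returns 0 and stores the size in *out, or -1 if the result would not
 * fit in a size_t. */
int checked_alloc_size(size_t count, size_t elem_size, size_t header,
                       size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                      /* multiplication would wrap */
    size_t body = count * elem_size;
    if (body > SIZE_MAX - header)
        return -1;                      /* addition would wrap */
    *out = body + header;
    return 0;
}

/* Allocation wrapper that refuses a request whose size overflowed,
 * instead of returning a buffer smaller than the caller believes. */
void *alloc_records(size_t count, size_t elem_size, size_t header)
{
    size_t total;
    if (checked_alloc_size(count, elem_size, header, &total) != 0)
        return NULL;
    return calloc(1, total);
}

int main(void)
{
    /* Constructed hostile length: count * 16 wraps around to 16. */
    size_t count = SIZE_MAX / 16 + 2;
    size_t total = 0;

    printf("unchecked request: %zu bytes for %zu records\n",
           unchecked_alloc_size(count, 16, 8), count);
    printf("checked result:    %d (-1 means rejected)\n",
           checked_alloc_size(count, 16, 8, &total));

    void *p = alloc_records(4, 16, 8);  /* benign request: 72 bytes */
    printf("benign allocation: %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

With the constructed count, the unchecked calculation asks the allocator for 24 bytes while the caller still believes it holds far more records; the checked version rejects the request before any memory is touched.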


Week in review

AUSCERT Week in Review for 24th July 2020

24 Jul 2020

Greetings,

A slightly less hectic one this week. A quick reminder to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Thank you also to those members who attended our Malicious URL Feed webinar which took place on Wednesday 22 July; we trust that you benefitted from the session. The good news is, we will be hosting a couple more of these sessions on different topics:

• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (registration details TBC)

And last but not least, in case you haven’t stumbled across this already, the Australian Government Department of Home Affairs have released their report on Australia’s 2020 Cyber Security Strategy. AUSCERT is very proud to have been involved in the consultation process through our parent organisation, The University of Queensland, late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences which are structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT. “Cyber security has never been more important” – we hope you find this report useful.

Until next week, have a great weekend everyone!

New ‘Shadow Attack’ can replace content in digitally signed PDF files
Date: 2020-07-23
Author: ZDNet

[The researchers disclosed this in early March, Adobe released a patch in mid-May which we published as ESB-2020.1693, and the researchers have gone public this week with information and proofs of concept. This raises the public profile of the vulnerability and increases the chance that it will be exploited; patch your PDF viewer applications!]

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany. Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack.

20,000+ new vulnerability reports predicted for 2020, shattering previous records
Date: 2020-07-22
Author: Help Net Security

Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals.

Why the internet went haywire last week
Date: 2020-07-20
Author: ZDNET

It was another end of the work week; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions users found their internet services failing.

ESB-2020.2480 – [Win][Mac] Photoshop: Multiple vulnerabilities
Adobe’s patch day included arbitrary code execution upon opening a crafted file.

ESB-2020.2460 – [Win][UNIX/Linux] Python: Execute arbitrary code/commands – Remote with user interaction
Insecure linked library loading in the pliable language led to potential privilege escalation.

ESB-2020.2260.7 – UPDATED ALERT [Appliance] F5 Networks: Multiple vulnerabilities
F5’s fix for a critical unauthenticated RCE in their Traffic Manager User Interface has received a lot more information this week, including a warning that the Viprion B2250 Blade may have problems with the provided patch.

ESB-2020.2464 – [Win][UNIX/Linux] Moodle: Multiple vulnerabilities
Moodle released three advisories marked “serious” and one marked “minor”, including teachers for a course being able to assign themselves as a manager of that course and increase their own privileges.

ESB-2020.2541 – [Linux] QRadar Advisor: Access confidential data – Console/Physical
Just for a change of pace, here’s a simple one: IBM accidentally didn’t obscure the password field in a login form, so someone could read it over your shoulder. CVE-2020-4408.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 17th July 2020

17 Jul 2020

Greetings,

Have we been busy! This week has been another tough one for networking vendors. SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles and bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP.

And last but not least, an AUSCERT membership email would have landed in your inbox this week containing some important updates for July 2020:

• An invitation to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback, thank you in advance for your time and support!
• An update regarding our Quarter 2: an overview of the cyber security incidents reported by members from 1 April – 30 June 2020, including a summary of other key achievements this quarter.
• An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July.

Until next week, wishing everyone a restful weekend.

Critical SAP Recon flaw exposes thousands of systems to attacks
Date: 2020-07-13
Author: Bleeping Computer

[Refer to AUSCERT bulletin ESB-2020.2381]

SAP patched a critical vulnerability affecting over 40,000 systems and found in the SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments. The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team.

Microsoft urges patching severe-impact, wormable server vulnerability
Date: 2020-07-15
Author: Ars Technica

[Refer to AUSCERT bulletin ASB-2020.0120; member portal login required]

Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer. The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Cyber experts urge Australia to develop local capability to defend against hackers
Date: 2020-07-12
Author: Sydney Morning Herald

Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy. Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market.

Thousands of shop, bank, and government websites shut down by EV revocation
Date: 2020-07-13
Author: Netcraft

More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge. On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.

SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework
Date: 2020-07-13
Author: CISION PR Newswire

[SANS Institute will be speaking and are a sponsor at AUSCERT2020.]

A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture.

Outlook down? How to fix it
Date: 2020-07-15
Author: ZDNet

It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worst. For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service also launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities
A critical vulnerability in SAP NetWeaver AS Java has been identified; applying critical patches as soon as possible is recommended.

ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities
Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server.

ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities
Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch.

ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities
Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device.

Stay safe, stay patched and have a good weekend!

Vishaka
