Week in review

AUSCERT Week in Review for 10th July 2020

10 Jul 2020

Greetings,

This week saw us starting the week with a critical alert for members to urgently patch the multiple vulnerabilities found within F5’s BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation. This week we also learned about CVE-2020-2034, a critical vulnerability in Palo Alto’s PAN-OS, and CVE-2020-1654 affecting Juniper’s SRX Series devices. It’s been a tough week for networking vendors.

Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about and hopefully it comes in handy for you too.

Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service and will be part of a long-term service improvement project. We look forward to collating our member thoughts and feedback!

Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home.

Critical F5 BIG-IP vulnerability made public
Date: 2020-07-06
Author: ITNEWS
[See also AUSCERT bulletin ESB-2020.2260.5.]
Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public. Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices. The vulnerability rates as 10 out of 10 on the Common Vulnerability Scoring System, and lies in a lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices.

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
Date: 2020-07-07
Author: Threatpost
[Refer to AUSCERT bulletin ESB-2020.2310]
Admins should patch their Citrix ADC and Gateway installs immediately. Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.

Exploit developed for critical Palo Alto authentication flaw
Date: 2020-07-06
Author: The Daily Swig (Portswigger)
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks. The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale. Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods. “Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises. “They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”

Microsoft takes down domains used in COVID-19-related cybercrime
Date: 2020-07-07
Author: Bleeping Computer
Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic. The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to help harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks. The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.

$2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise
Date: 2020-07-06
Author: The Conversation
Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before. The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report. But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before.

Mozilla suspends Firefox Send service while it addresses malware abuse
Date: 2020-07-07
Author: ZDNet
Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism.

Windows 10’s Microsoft Store Codecs patches are confusing users
Date: 2020-07-05
Author: BleepingComputer
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library [known as the HEVC packages]. They stated that they affected both Windows 10 and Windows Server at the time. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store. Even more confusing, the advisories did not explain what Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update.

Microsoft Defender ATP web content filtering is now free
Date: 2020-07-06
Author: BleepingComputer
The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license. Web Content Filtering is part of Microsoft Defender ATP’s Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category. The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge).

ESB-2020.2310 – Citrix: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues.

ESB-2020.2260.5 – UPDATED ALERT F5 Networks: Multiple vulnerabilities
A new mitigation has been developed and published to address an RCE vulnerability in the TMUI.

ESB-2020.2339 – Citrix Hypervisor products: Multiple vulnerabilities
Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor.

ESB-2020.2309 – Android: Multiple vulnerabilities
Multiple security vulnerabilities have been identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues.

ESB-2020.2305 – firefox: Multiple vulnerabilities
An update has been released to address multiple vulnerabilities in Firefox.

ESB-2020.2297 – thunderbird: Multiple vulnerabilities
Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

ESB-2020.2296 – php7.0: Multiple vulnerabilities
Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
Vishaka


Week in review

AUSCERT Week in Review for 03rd July 2020

3 Jul 2020

Greetings,

This week we welcomed the announcement of a record $1.35 billion investment in cyber security by the Australian Government. Hopefully this funding package will mean more Australian organisations can identify the ever-present cyber threats and protect themselves against these challenges. As always, AUSCERT is supportive of both the ASD and ACSC in their vital work within this industry and hope to leverage their expertise in our mission to help members prevent, detect, respond to and mitigate cyber-based attacks.

Following the discovery of the Palo Alto vulnerability, we wanted to take this opportunity to remind members to update us with all relevant domains and IP ranges – via our member portal – that you want to receive alerts for. In this particular instance, affected members were contacted directly with a tailored email and it would have been a shame to be left off this list.

And last but not least, a reminder that tutorial and workshop registrations for Virtual AUSCERT2020 are now open and priority access will be granted to all AUSCERT members. Spots are filling up fast so be sure to get in quick!

Until next week, wishing everyone a restful weekend, especially the parents amongst us who are in the midst of or about to start their school holiday breaks.

…

Inside the hacking attacks bombarding Australia
Date: 2020-06-29
Author: ABC News
Who are these people? Who is directing them? What are they after? And most important of all — how can they be stopped? Questions like these have been asked more urgently since Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”. Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers. It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom.

Microsoft releases urgent security updates for Windows 10 Codecs bugs
Date: 2020-07-30
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ASB-2020.0117, which is member-only content.]
Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. Both desktop and server platforms are affected. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory.

Beware “secure DNS” scam targeting website owners and bloggers
Date: 2020-06-29
Author: Naked Security
If you run a website or a blog, watch out for emails promising “DNSSEC upgrades” – these scammers are after your whole site.

The psychology of social engineering—the “soft” side of cybercrime
Date: 2020-07-30
Author: Microsoft Security Blog
Forty-eight percent of people will exchange their password for a piece of chocolate, 91 percent of cyberattacks begin with a simple phish, and two out of three people have experienced a tech support scam in the past 12 months. What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

Over 82,000 Aussies’ details leaked in crypto scam
Date: 2020-07-01
Author: ITNews
Personal details of tens of thousands of Australians who fell for a fraudulent cryptocurrency investment scheme that used fake media sites and celebrity endorsements have been leaked onto the web. Singaporean security vendor Group-IB discovered 248,926 sets of personally identifiable information, of which 82,263 records were from Australian users, leaked by an unknown party. Details leaked include names, email addresses and phone numbers.

ESB-2020.2239 – misp: Multiple vulnerabilities
A new version of MISP has been released with a significant refactoring of the STIX import/export along with many improvements.

ESB-2020.2234 – chromium-browser: Multiple vulnerabilities
An important update for Chromium has been released that fixes a use-after-free bug in extensions.

ESB-2020.2208 – McAfee Enterprise Appliance: Multiple vulnerabilities
McAfee Security Bulletin – Enterprise Appliance updates address two vulnerabilities.

ESB-2020.2271 – Cisco Systems: Multiple Vulnerabilities
Cisco has released software updates that address a cross-site scripting vulnerability in Cisco Small Business RV042 and RV042G Routers.

Stay safe, stay patched and have a good weekend!
Vishaka


Blogs

How to use the YARA rules for the "Copy-paste compromises" advisory

26 Jun 2020

Regarding today’s “copy-paste compromises” advisory from the ACSC, we’ve had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided. This is a how-to guide for the YARA rules you may have received. Here is our full commentary on the alert.

Downloading the files

Feel free to download them from the original source; however, we’ve had some enquiries asking for assistance with this, so we have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements.

* Original ACSC source on cyber.gov.au
* AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP
* AUSCERT AusMISP on AusMISP

The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol, in which case here’s how to use them. The green level does not permit us to redistribute them.

Indicators of compromise in CSV

We’re not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide.

YARA rules

YARA rules are a widely-used way to format IoCs so that they can be consumed by scanning engines. See: some more info, the official source, and the official documentation.

How to use Yara rules on your entire fleet (if you’re prepared and lucky)

Many Endpoint Detection and Response (EDR) solutions provide Yara support. If you have one deployed, you can import the Yara rules and run them, which will be relatively quick and easy. If not, you could try using your existing fleet management system to deploy Yara and run a scan. E.g. for Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of group policy background script to run the scan and deliver results. If you try this, we’d love to hear how it goes, and we’d also love any info or scripts you can provide that might help other members. Consider whether this is worth doing for your fleet. Otherwise, keep reading.

How to use Yara rules on Windows

Official binaries are available, so you’re in good shape. Head to their Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip). Once in, you can scan individual directories or drives, ideally in an admin shell:

    yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C:

(The yarac.exe binary is for compiling rules, which you probably don’t need to do.)

How to use Yara rules on Linux

Your distribution’s package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros’ repositories is out of date and may contain security vulnerabilities, so check the version – the latest release at time of writing is v4.0.1, updated mid-May 2020.

    yum install yara
    apt install yara

To scan your entire system:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions. If your distribution’s version is unacceptable, the Yara project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process.

How to use Yara rules on macOS

Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions.

    brew install yara

To scan your entire system:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

Or only scan specific parts:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts

What to do if you find something

Firstly, any rule matches starting with “heuristic” are just that – heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don’t panic when you see them, and don’t start by investigating them.

Consider advising the ACSC that you need assistance. Copying their advice here for convenience: If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice.

It’s also worth noting that the ACSC’s advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging – just make it a priority on Monday.
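The following POSIX sh helper is an added example, not part of the AUSCERT post or the YARA project: it wraps the scan commands given above, checks that the installed yara is at least the v4.0.1 release the post recommends, and triages the scan output so that rule names starting with “heuristic” (which the post says will produce plenty of false positives) are reported after the other indicators rather than mixed in with them. It assumes the default yara CLI output of one match per line as "<rule name> <file path>", uses the TLP:GREEN rule file name quoted above, and the sample scan output, rule names and file paths it embeds are constructed for the demonstration (they are not the ACSC’s rules).

```shell
#!/bin/sh
# Added example (not from the AUSCERT post): helpers around the yara CLI.
# Assumptions: yara prints one match per line as "<rule> <path>" (its default
# output); RULES is the TLP:GREEN file named in the post; the sample output,
# rule names and paths in SAMPLE_OUTPUT are constructed for this example.

RULES="2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt"
MIN_VERSION="4.0.1"   # release recommended in the post at time of writing

# version_at_least HAVE WANT: succeed when dotted version HAVE >= WANT
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# installed_version_ok: compare the running yara binary against MIN_VERSION
# (older distro packages may carry known security issues, per the post)
installed_version_ok() {
    have=$(yara --version 2>/dev/null | head -n 1)
    [ -n "$have" ] && version_at_least "$have" "$MIN_VERSION"
}

# run_scan PATH: recursive scan with permission errors muted, as in the post
run_scan() {
    yara -r "$RULES" "$1" 2>/dev/null
}

# classify_match LINE: print "heuristic" or "indicator" for one output line,
# keyed on the rule name (the first whitespace-separated field)
classify_match() {
    case "${1%% *}" in
        heuristic*) echo heuristic ;;
        *)          echo indicator ;;
    esac
}

# count_matches KIND: read yara output on stdin, count lines of that KIND
count_matches() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_match "$line")" = "$1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# triage_report: read yara output on stdin; print indicator matches first,
# then heuristic matches, so the higher-confidence hits are looked at first
triage_report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "== Indicator matches (investigate first) =="
    grep -v '^heuristic' "$tmp" || true
    echo "== Heuristic matches (expect false positives) =="
    grep '^heuristic' "$tmp" || true
    rm -f "$tmp"
}

# Constructed sample output standing in for a real scan (rule names and
# file names are invented for this example)
SAMPLE_OUTPUT='heuristic_generic_webshell /var/www/html/index.php
example_webshell_indicator /var/www/html/uploads/upload.aspx
heuristic_b64_powershell /home/user/notes.txt'

# Usage: sh yara_triage.sh --demo   (triages the constructed sample)
#        run_scan / | triage_report (against a real scan, once yara is in PATH)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | triage_report
fi
```

The version check is deliberately independent of the package manager, so the same script can confirm a distro package, a Homebrew install or a source build; `installed_version_ok` simply fails when no yara binary is on the PATH.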


Week in review

AUSCERT Week in Review for 26th June 2020

26 Jun 2020

Greetings,

This week we’ve observed an increase in business email compromise cases so we thought it was pertinent to share this updated blog post here. Our top 3 tips to combat this threat are listed below; please help us spread this message along to your colleagues:

* Educate users, particularly those that handle payments, of the nature of the attack
* Follow up email requests with a telephone call to verify their veracity
* Implement appropriate checking of financial transactions

Following on from the ACSC advisory issued on Friday last week, we would like to feature (and reiterate again) the following blog post containing practical tips on “How to use the YARA rules for the copy-paste compromises”. If you’ve received YARA rules, then this will help you use them. If not, we aren’t able to share them with you.

And last but not least, members, a reminder that with the effective establishment of Slack, our member IRC channel will be decommissioned from Wednesday 1st July, 2020. For those of you wanting to join us on Slack, please do so by logging in with your member portal credentials here.

We hope that everyone enjoys a safe and restful weekend.

NVIDIA patches high severity flaws in Windows, Linux drivers
Date: 2020-06-24
Author: Bleeping Computer
NVIDIA has released security updates to address security vulnerabilities found in GPU Display and CUDA drivers and Virtual GPU Manager software that could lead to code execution, denial of service, escalation of privileges, and information disclosure on both Windows and Linux machines. All the flaws patched today require local user access and cannot be exploited remotely, with attackers having to first get a foothold on the exposed machines to launch attacks designed to abuse these bugs. Once that is achieved, they could exploit them by remotely planting malicious code or tools targeting one of these issues on devices running vulnerable NVIDIA drivers.

Twitter is “very sorry” for a security breach that exposed private data of business accounts
Date: 2020-06-24
Author: The Tech Portal
Twitter is back in cybersecurity news, as the company reports yet another data breach via its platform. In an email sent to its business users, Twitter said that there is a “possible” data breach that may have exposed private information of these accounts. Business users are generally those accounts which advertise on the platform.

Australian security cameras hacked, streamed on a Russian-based website
Date: 2020-06-24
Author: ABC News
Australians are being filmed through private security cameras that are being streamed on a website based in Russia. Key points:
* The Insecam website broadcasts live streams of compromised web-connected security cameras and webcams
* The site allows people to control the cameras by zooming in and out and moving the camera around
* The group behind the website denied it hacked the cameras

Hackers use Google Analytics to steal credit cards, bypass CSP
Date: 2020-06-22
Author: Bleeping Computer
Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.

New taskforce to push cyber security standards
Date: 2020-06-22
Author: iTnews
A cross-sector taskforce of experts from the defence, energy, health and financial services sectors has been created to accelerate the adoption of industry cyber security standards across Australia. The taskforce, which held its first meeting on Monday, is the result of an “Australian-first” collaboration between the NSW government, AustCyber and Standards Australia. It follows earlier reports on Monday that the federal government is crafting minimum cyber security standards for businesses, including critical infrastructure, as part of its next cyber security strategy.

ESB-2020.2191 – telnet multiple vulnerabilities
A serious remote code execution vulnerability found in Cisco IOS XE Software.

ESB-2020.2116.2 – Cisco Webex Meetings Desktop App multiple vulnerabilities
Another code execution vulnerability was patched in the Cisco Webex Meetings Desktop App.

ESB-2020.2206 – kernel multiple vulnerabilities
Multiple Nvidia code execution vulnerabilities patched on Ubuntu.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team


Blogs

Business Email Compromise

24 Jun 2020

June 2020 update

Here at AUSCERT, we’ve again seen an increase in instances of business email compromise and would like to take this opportunity to update the list of useful resources on this topic. Scammers will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainties surrounding the COVID-19 pandemic and remote working.

You may find the following articles useful:

* Advice from the ACSC (cyber.gov.au): Understanding and preventing BEC
* Scamwatch: The cost of BEC (report from 2019)
* Threatpost: General advice from Threatpost on issues caused by working from home, including BEC

_____

We’ve blogged about this before, but instances of business email compromise (BEC) are increasing. The FBI is warning potential victims of a dramatic increase in the BEC scam, with a 270% increase in identified victims and exposed loss since January 2015. From October 2013 through February 2016, losses have exceeded USD 2.3 billion.

BEC scams work because they target specific employees of an organisation with email that appears to be from their CEO, asking for a wire transfer of funds to a nominated recipient. Criminals either compromise the CEO’s email account through phishing, or they use a very similar domain to the targeted organisation to send the message from. Often, the fraud targets organisations that regularly perform wire transfer payments. The emails avoid being caught as spam because they are not mass-mailed and address specific individuals.

There are some actions you can take to combat this threat:

* Educate users, particularly those that handle payments, of the nature of the attack.
* Follow up email requests with a telephone call to verify their veracity.
* Implement appropriate checking of financial transactions.
* Implement Sender Policy Framework (SPF) to prevent attackers from impersonating your domain, and to help detect and block emails sent to your organisation that use forged domains.
* Don’t click on links or open attachments in unsolicited emails.
* Keep desktop anti-malware up to date.
* Don’t use your computer day-to-day with an administrator account.

https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
https://www.ic3.gov/media/2015/150827-1.aspx


Blogs

AUSCERT commentary "major cyber attack on Australian governments and business"

21 Jun 2020

Friday 19 June 2020 11.45am AEST

This morning Prime Minister Scott Morrison and Minister for Defence Linda Reynolds announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign “state-based” actor. [1] The Prime Minister says there does not appear to have been any large scale breaches of people’s personal information but described the attacks as malicious. “It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.”

As an initial step, we encourage everyone to follow the Government’s latest advisory from the ACSC and ASD. [2] Echoing the words of the Minister for Defence Linda Reynolds, we recommend members promptly patch internet-facing software, devices and operating systems and implement multifactor authentication across all remote services. [2]

In addition to the above, this most recent advisory from the ACSC has identified that threat actors are using exploits that are publicly known to have patches or mitigations available. The following vulnerabilities, CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604, are actively being used for initial access. AUSCERT strongly encourages members to ensure that all Microsoft Sharepoint, Citrix ADC, Citrix Gateway and Telerik UI installations are kept up to date.

Members, this is the time to review the vectors of vulnerability and see if any indicators of compromise can be found attempting to access your network, or have left traces of their activity within your networks. After the IoCs have been verified not to have affected your network, it will be beneficial to then review and apply ASD’s Essential 8 where applicable. [3]

With respect to the IoCs shared in [2], our team has taken the steps to consume these into our MISP instance and we are happy to coordinate the sharing of relevant information with our members. As always, members are welcome to contact us for any further information and assistance via auscert@auscert.org.au.

Last but not least, AUSCERT is working with our international counterparts in cyber security to handle the indicators of compromise (IoC).

[1] https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-and-business/12372470
[2] https://www.cyber.gov.au/news/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[3] https://www.cyber.gov.au/publications/essential-eight-explained

Additional references:

Recent ACSC Advisories via https://www.cyber.gov.au/
* Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks (18 June 2020)
* Advisory 2020-006: Active exploitation of vulnerability in Microsoft Internet Information Services (last updated 22nd May 2020)
* Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors (last updated 22nd May 2020)

Recent NIST Advisories via https://www.nist.gov/
* https://nvd.nist.gov/vuln/detail/CVE-2019-18935
* https://nvd.nist.gov/vuln/detail/CVE-2019-19781
* https://nvd.nist.gov/vuln/detail/CVE-2019-0604

Our own guidance on consuming YARA rules:
https://wordpress-admin.auscert.org.au/blog/2020-06-19-how-to-use-yara-rules-copy-paste-compromises-advisory


Week in review

AUSCERT Week in Review for 19th June 2020

19 Jun 2020

Greetings,

Another busy week for everyone, no doubt. A couple of emails would have landed in your inbox this week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter aka The Feed. Be sure to catch up on these details and let us know if you have any further queries.

A few important advisories we wanted to highlight for this week:

* The ACSC has issued threat advice relating to the targeting of Australian governments and companies by a sophisticated state-based actor. We’ve provided further commentary on this via our blog HERE.
* Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack (known as Ripple20); see our AUSCERT bulletin below.
* Adobe has released out-of-band security updates to address 18 critical flaws; see the highlighted bulletins below.

And with that, we hope that everyone implements these latest patches and starts enforcing multi-factor authentication across all areas of your business. We hope everyone enjoys a safe and restful weekend, until our next Week in Review edition!

…

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
Date: 2020-06-19
Author: ACSC | Cyber.gov.au
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

Active ransomware campaign leveraging remote access technologies
Date: 2020-06-16
Author: CERT-NZ
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched. The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup.

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks
Date: 2020-06-16
Author: SecurityWeek
[See AUSCERT bulletin ESB-2020.2090]
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday. Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20. The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

Privacy confusion over COVID Safe Checklist rules for hospitality venues
Date: 2020-06-14
Author: ABC News
Notebooks, spreadsheets and paper forms used to collect personal information at cafes and restaurants are creating fears about privacy breaches and safety concerns. Queensland Council of Civil Liberties president Michael Cope says State Government guidelines about how businesses must collect and store information about customers are not clear enough. The COVID Safe Checklist for businesses requires that they keep contact information for all customers, workers and contractors, including names, addresses and mobile phone numbers for at least 56 days. This information is to be “captured and stored confidentially and securely”.

No, that wasn’t a DDoS attack, just a cellular outage
Date: 2020-06-16
Author: CyberScoop
Neville Ray, chief technology officer at T-Mobile, said Tuesday that the company had fixed the issues. Security experts quickly pinned the issue on T-Mobile network configuration issues which resulted in the hours of downtime for customers, rather than a malicious DDoS meant to knock services offline by flooding them with internet traffic. Instead of acknowledging the more complicated reality, Anonymous amplified screenshots of a DDoS attack map that the security firm Arbor Networks uses as marketing to create interest in its product.

ESB-2020.2077 – APSB20-37 Security update available for Adobe Illustrator
Adobe released updates for multiple products this week.

ESB-2020.2090 – ICS Advisory (ICSA-20-168-01) Treck TCP/IP Stack
Possibly millions of systems affected.

ESB-2020.2116 – Cisco Webex Meetings Desktop App Vulnerabilities
Cisco released numerous updates this week.

ESB-2020.2104 – New BIND releases are available
The recent BIND vulnerabilities affect multiple products.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.


AUSCERT Week in Review for 12th June 2020

12 Jun 2020

Greetings,

The winter chill has certainly set in as we head into the 3rd week of June. Thank you to those who participated in our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar took place on Wednesday 10th June. To view a recording of this session, please visit our YouTube channel here.

Members, keep an eye out for a couple of emails landing in your inbox next week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter, aka The Feed.

And last but not least, we shared the news that the Microsoft June 2020 Patch Tuesday was the largest ever, with 129 fixes, so don’t forget to action these items and patch those vulnerabilities. A great reference point is, of course, our very own Security Bulletins page.

Until next time, we hope everyone enjoys a safe and restful weekend.

Microsoft June 2020 Patch Tuesday: largest ever with 129 fixes
Date: 2020-06-09
Author: Bleeping Computer
Today is Microsoft’s June 2020 Patch Tuesday, and as many Windows administrators will be routinely screaming at computers, please be nice to them! With the release of the June 2020 Patch Tuesday security updates, Microsoft has released one advisory for an Adobe Flash Player update and fixes for 129 vulnerabilities in Microsoft products. Of these vulnerabilities, 11 are classified as Critical, 109 as Important, 7 as Moderate, and 2 as Low. This is the largest Patch Tuesday update ever released by Microsoft, with the second-largest being 115 fixes in March 2020, and the third-largest with 113 fixes in April 2020.

Fisher & Paykel Appliances struck by Nefilim ransomware
Date: 2020-06-10
Author: IT News
Fisher & Paykel Appliances is the latest big brand name to be struck down by ransomware, shutting down its operations while it recovered following the attack. The whitegoods manufacturer’s spokesperson Andrew Luxmoore confirmed the attack to iTnews, saying it took place early last week. “The attempt was identified quickly and, as a result, we locked down our IT ecosystem immediately,” he said.

Drinks maker Lion shuts IT systems after ‘cyber incident’
Date: 2020-06-09
Author: IT News
Fast moving consumer goods giant Lion has shut down its IT systems after a “cyber incident” on Tuesday. The attack was first reported by the Sydney Morning Herald, which said the attack had “disrupted” manufacturing and remote access to systems. “Lion has experienced a cyber incident and has taken the precaution of shutting down our IT systems, causing some disruption to our suppliers and customers,” the company said in a brief statement on its website.

Because things aren’t bad enough already: COVID-19 is going to mess up election security assumptions too
Date: 2020-06-08
Author: The Register
The social distancing measures brought about by the COVID-19 pandemic will weaken election security in the US, according to a non-profit’s security check. A report from New York University’s Brennan Center for Justice warns that as election workers and local officials are forced to do their jobs remotely, the risk of attack skyrockets.

We have Huawei to make the internet more secure: Dump TCP/IP to make folks safer says Chinese mobe slinger
Date: 2020-06-04
Author: The Register
Chinese telecom companies and the Middle Kingdom government contend that the TCP/IP protocol stack is ill-suited for future networking needs and have proposed reworking the internet’s technical architecture with new, more secure internet protocols. Huawei, China Mobile, China Unicom, and China’s Ministry of Industry and Information Technology are backing a plan titled “New IP, Shaping Future Network.” The specifics have not been made public but Huawei – currently subject to US trade sanctions for allegedly engaging in activities contrary to national security interests – has described the goals of the initiative as an attempt to improve the flexibility, privacy, and security of the internet.

ASB-2020.0107 – Windows: Multiple vulnerabilities
Microsoft Patch Tuesday updates (login required).

ESB-2020.1990 – 2020.1 IPU BIOS Advisory
Intel advisory of new firmware vulnerabilities.

ESB-2020.1991 – 2020.1 IPU Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
Intel advisory of new management subsystem vulnerabilities.

ESB-2020.2008.2 – linux security update
Many Linux distros released kernel and microcode patches for the Special Register Buffer Data Sampling (SRBDS) attack [CVE-2020-0543] alongside other fixes.

Stay safe, stay patched and have a good weekend!

The AUSCERT Team.


AUSCERT Week in Review for 5th June 2020

5 Jun 2020

Greetings,

This week, we are pleased to announce that the program details of our Virtual AUSCERT2020 conference have been launched. Details on this can be found here. Members, don’t forget to use your member tokens by Monday 3 August for free access to our conference registration. Please note that registrations for our tutorial sessions will open shortly and AUSCERT members will have priority access. Questions? We’ve addressed a few of these on our conference site here. Members who are on Slack are most welcome to send us your queries on that platform. Didn’t quite find what you were after? Drop us a line. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September.

In other news, don’t forget to come along to our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

And last but not least, we shared the June update of the Australian Government Information Security Manual, which helps organisations manage their cyber security risks, on our Twitter channel, but here it is for reference.

Until next time, we hope everyone enjoys a safe and restful weekend.

VMware Cloud Director flaw lets hackers take over virtual datacenters
Date: 2020-06-02
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ESB-2020.1769]
Organizations offering trial accounts for versions of VMware Cloud Director lower than 10.1.0 risk exposing private clouds on their virtualized infrastructure to complete takeover attacks from a threat actor. A code injection vulnerability exists in VMware Cloud Director (vCloud Director) 10.0.0.2, 9.7.0.5, 9.5.0.6, and 9.1.0.4 that may lead to remote code execution, VMware says in its security advisory. Cloud Director software allows cloud-service providers around the world to deploy, automate, and manage virtual infrastructure resources in a cloud environment.

Office 365 to give detailed info on malicious email attachments
Date: 2020-05-31
Author: Bleeping Computer
Microsoft will provide Office 365 Advanced Threat Protection (ATP) users with more details on malware samples and malicious URLs discovered following detonation. “We’re working to reveal more of the details that led to a malicious verdict when URLs or files are detonated in Office 365 ATP,” the new feature’s Microsoft 365 roadmap entry reads. “In addition to the detonation chain (the series of detonations that were necessary to reach a verdict for this entity), we’ll also share a detonation summary, with details such as detonation time range, verdict of the file or URL, related entities (other entities called or used during the detonation), screenshots, and more.”

Apple pushes fix across ALL devices for “unc0ver” jailbreak flaw
Date: 2020-06-02
Author: Bleeping Computer
These past few days have been quite busy for Apple on the security front. As reported by BleepingComputer, the company recently patched a critical flaw in its “Sign in with Apple” service. What follows now is a mega update across all its major operating systems and devices. Last year we provided details on the Sock Puppet jailbreak exploit that targeted the use-after-free kernel vulnerability, CVE-2019-8605. Yesterday, Apple pushed an update across all its OSes to fix the “unc0ver” jailbreak flaw, tracked as CVE-2020-9859 (note: a MITRE/NVD entry has not yet been published for this CVE). Rooting, colloquially known as ‘jailbreaking,’ refers to the concept of obtaining root access to a device that lets oneself install third-party apps and tweaks which would otherwise be restricted by the official app store and manufacturer policies. Loopholes like unc0ver allow someone to “break out of this jail” and, therefore, the moniker. Because the flaw impacted all previous versions of iOS, including 13.5, users are encouraged to update to iOS 13.5.1 and iPadOS 13.5.1 immediately. Of course, that also means the jailbreak functionality that lets users install custom tweaks and apps would be gone.

MyBudget hackers threaten on dark web to release data stolen during cyberattack
Date: 2020-06-03
Author: ABC News
Cybercriminals are threatening to publish data they claim to have stolen from financial management group MyBudget online, an internet security expert has warned. The Adelaide-based company was hit with a ransomware attack early last month that left 13,000 customers in financial limbo for two weeks. Thousands of customers took to social media to vent their frustration at the outage and also their concerns about the security of their data.

Google Faces $5B Lawsuit for Tracking Users in Incognito Mode
Date: 2020-06-03
Author: Dark Reading
A proposed class-action lawsuit accuses Google of collecting browser data from people who used “private” mode. A proposed class-action lawsuit filed earlier this week accuses Google of violating users’ privacy by collecting their data while they searched the Web in “incognito mode,” or private browsing. The lawsuit seeks at least $5 billion, Reuters reports. A complaint filed in federal court alleges Google collects data via Google Analytics and Google Ad Manager, along with other applications and plug-ins, to learn more about where people browse and what they view on the Web. This data collection occurs whether or not someone clicks a Google-supported ad, the report notes.

ESB-2020.1935 – Cisco IOS Software for Cisco Industrial Routers: Multiple vulnerabilities
Multiple advisories were released by Cisco. The most significant of these was marked as critical and affects multiple Cisco routers. If exploited, this vulnerability could result in a complete system compromise.

ESB-2020.1909 – iOS & iPadOS: Execute arbitrary code/commands – Unknown/unspecified
Apple has released iOS and iPadOS version 13.5.1. Installing this update patches the vulnerability exploited by the “unc0ver” jailbreak and also patches a potential RCE vulnerability.

Stay safe, stay patched and have a good weekend!

Sean


AUSCERT Week in Review for 29th May 2020

29 May 2020

Greetings,

This week, we participated in the launch of National Reconciliation Week 2020 virtually by sharing an Acknowledgement of Country on our various social media platforms. To find out more about this initiative and to get involved for the remainder of the week, please visit the following page shared by the folks at Reconciliation Australia.

In other news, we announced an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

Last but not least, we’re pleased to announce that the program details of our Virtual AUSCERT2020 conference will be launched next week. Most of you will recall that the 2nd to 5th of June were the original dates for our annual conference. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September!

Until next time, we hope everyone enjoys a safe and restful weekend.

eBay port scans visitors’ computers for remote access programs
Date: 2020-05-24
Author: Bleeping Computer
When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications. Over the weekend, Jack Rhysider of DarkNetDiaries discovered that when visiting eBay.com, the site performed a port scan of his computer for 14 different ports. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.

Bots hit up Australian Red Cross 900 times for bushfire donations
Date: 2020-05-26
Author: iTnews
The Australian Red Cross is being targeted by bots that have so far made almost 900 fraudulent applications for financial assistance from a $216 million bushfire relief fund. Australian programs director Noel Clement told the Royal Commission into National Natural Disaster Arrangements on Tuesday that his organisation had seen “very significant cyber activity from the outset”. The Australian Red Cross raised a total of $216 million in donations for the victims of devastating bushfires over the summer of 2019-20, of which $83 million has so far been distributed.

GitLab Hacks Own Remote-Working Staff In Phishing Test
Date: 2020-05-25
Author: Silicon UK
Company finds 20 percent of its all-remote staff responds to phishing message by exposing user credentials, raising fears about the work-from-home future. Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials. The study comes at a time when more employees are working from home during coronavirus shutdowns around the world.

Shadowserver, an Internet Guardian, Finds a Lifeline
Date: 2020-05-27
Author: WIRED
The internet security group Shadowserver has a vital behind-the-scenes role; it identifies online attacks and wrests control of the infrastructure behind them. In March, it learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. On Wednesday, the IT security company Trend Micro will commit $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. The nonprofit Internet Society is also announcing a one-time donation of $400,000 to the organization. Combined with other funding that’s come in, these large contributions make it possible for the group to continue in a more sustainable way without becoming dependent on a single funder again. It also keeps the internet at large that much safer.

Apple responds to false Facebook claims about contact tracing update in iOS 13.5
Date: 2020-05-27
Author: iMore
Hysterical myths regarding Apple’s exposure notification have started appearing on Facebook. Some users have taken to sharing screenshots of iOS 13.5, warning friends that it will automatically allow authorities to track their locations and who they meet. The posts have been fact-checked by Facebook, and Apple has released a response to Reuters.

ESB-2020.1884 – [ALERT] Cisco CML and VIRL-PE: Multiple vulnerabilities
A patch for RCE and authentication bypass vulnerabilities has been released and marked as critical by Cisco. This includes a ‘perfect’ 10.0 CVSSv3 score, which is the maximum possible.

ESB-2020.1859 – macOS Catalina, Mojave & High Sierra: Multiple vulnerabilities
Apple update fixes 45 macOS vulnerabilities, including a root compromise from the PackageKit component.

ESB-2020.1855 – iOS and iPadOS: Multiple vulnerabilities
A similar number of vulnerabilities were patched in iOS and iPadOS, with similar impacts. Reports online indicate that even the latest version is susceptible to a jailbreak by Unc0ver.

Stay safe, stay patched and have a good weekend!

Sean


AUSCERT Week in Review for 22nd May 2020

22 May 2020

Greetings,

This week, we shared a couple of important and useful advisories with members. Namely, the joint statement from DFAT and the ACSC regarding Unacceptable malicious cyber activity by cyber actors who are seeking to exploit the pandemic for their own gain, as well as the Toolkit for Universities by eSafety and Universities Australia. This toolkit contains some useful resources that help universities and their communities keep safe online.

We are pleased to announce an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June – save the date; invitations will be sent out shortly. We hope you can join us.

Last but not least, we shared news of our revised Virtual AUSCERT2020 sponsorship prospectus with various stakeholders last week. Feel free to reach out to us via conference@auscert.org.au for more information on our various options to get involved as a conference sponsor!

Until next time, we hope everyone enjoys a lovely and restful weekend.

Norway’s Wealth Fund Loses $10m in Data Breach
Date: 2020-05-16
Author: Infosecurity Magazine
Norway’s state-owned investment fund Norfund has halted all payments after losing $10m in an “advanced data breach.” On May 13, Norfund announced that it was “cooperating closely with the police and other relevant authorities” after “a series of events” allowed fraudsters to make off with $10m. The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets.

My Health Record system hit by hack attempt
Date: 2020-05-19
Author: iTnews
The My Health Record system was the subject of an attempted hack over the past 11 months, the Australian Digital Health Agency has revealed. National health chief information officer Ronan O’Connor told a parliamentary inquiry into cyber resilience the cyber incident was one of two “potential data breaches” to occur since July 2019.

Nefilim ransomware gang leaks Toll documents on dark web
Date: 2020-05-20
Author: iTWire
The attackers behind an ongoing ransomware attack on Australian logistics and transport provider Toll Holdings have released some documents which they claim to have exfiltrated from the company when they staged the attack. News of the attack, the second this year, was announced by Toll on 5 May, with the company saying at the time that it had shut down some of its systems as a precaution. The documents released on Wednesday on the dark web include statements about company financials in plain text and a zipped file. This indicates that the ransom demand by the group has not been met by Toll. The attackers claim to have more than 200GB of company data.

ESB-2020.1785 – Wireshark: Denial of service
The Wireshark maintainers will be diligently patching minor crashes on crafted network traffic until after the sun burns out. I applaud their dedication to making the most resilient security tool possible.

ESB-2020.1781 – IBM Security Access Manager – Unauthorised access
A user-manipulable claim wasn’t validated properly, so users could forge additional access.

ESB-2020.1762 – Dovecot: Multiple vulnerabilities
Possible RCE and confirmed DoS in the popular Dovecot email server.

ESB-2020.1754 – OpenConnect: Denial of service
It’s a good time of year to be patching VPN clients, with the increased work from home arrangements.

Stay safe, stay patched and have a good weekend!

David & Vishaka
