Blogs

AUSCERT2019: that's a wrap!

9 Jul 2019

AUSCERT2019: that's a wrap!

The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here's a summary of conference highlights for those who couldn't attend.

Sensational Keynotes

AUSCERT2019 featured three legendary keynote speakers: Mikko Hypponen, Troy Hunt and Jessy Irwin. Each covered a different area within cyber security and shared their knowledge and expertise generously.

Mikko is a globally renowned tech security guru working as the CRO of F-Secure. He has written for the New York Times, Wired and Scientific American, and frequently appears on international TV. At the conference he spoke on 'Computer Security: Yesterday, Today and Tomorrow'. A key takeaway from Mikko was on IoT devices: looking at how data is handled, it is likely that in the future these devices will no longer tell you they are connecting to the internet, but will pass your data straight to the manufacturer. Mikko's presentation is available on the AUSCERT YouTube channel.

Troy is an independent security trainer, speaker and Microsoft Regional Director. He is best known as the founder of the data breach monitoring and notification service 'Have I Been Pwned' (HIBP). Troy spoke on 'The Data Breach Pipeline: How Our Data is Stolen, Distributed and Abused'. A key takeaway from his presentation was on password managers and how they solve a lot of password-breach related issues: changing your password regularly is no longer enough, and you need more robust solutions. Troy's keynote is also available to view.

Jessy is a security expert and Head of Security at Tendermint. She excels at translating complex cybersecurity problems into relatable terms, and she also develops, maintains and delivers comprehensive security strategy. Jessy spoke on 'How Security Teams Can Evolve to Win Friends and Influence People'. Her intention was to challenge some standard ways of thinking within the cyber and information security industry, and she certainly succeeded in doing so. A copy of Jessy's slides is available for download, and her presentation can be viewed online.

Networking Events

The 'Beers of the World' session is the ceremonial welcome to all delegates attending AUSCERT2019. Attendees are encouraged to mingle with vendors, sponsors and other industry professionals while tasting an array of beers from around the globe. This is a great opportunity to connect with other industry professionals in a relaxed environment.

On Thursday evening conference delegates were entertained at the venue's poolside bar by the phenomenal crew from Jetpack Events, who showcased their acrobatic prowess and delighted the audience with an amazing fireworks display.

This year, the Gala Dinner theme 'Legend of the Gala' paid a subtle homage to our main conference theme and is derived from the ever popular Legend of Zelda video game franchise. We even saw a number of Zelda enthusiasts in full costume, kudos to them! Dinner guests were entertained by the talented speed painter Brad Blaze, who wowed the audience with his Zelda inspired artworks.

Sponsors Booths

Alongside the array of speakers were more than 50 sponsors and supporters of AUSCERT. Each had their own designated booth space where they spoke to delegates and showcased their services. Some sponsors also engaged with delegates through interactive games and demos at their booth. There were hackathons, drone prizes and darts, to name a few.

A special shout-out to colleagues from Context Information Security, who ran a PWNtoDrone CTF challenge which delegates enjoyed immensely.

In between sessions, delegates were also able to engage in the annual lock-picking and lego building sessions. These interactive activities provide a nice break for delegates to unleash their building and lock-picking skills; not to mention keeping the lego once you have built it.

Overall, AUSCERT2019 was a huge success. We trust that all attendees enjoyed their time and ultimately learned new skills and strategies to keep their data and networks safe in the new digital and mass-data era!


Blogs

AUSCERT at 2019 FIRST Conference

9 Jul 2019

AUSCERT at 2019 FIRST Conference

I had the absolute pleasure of attending the 2019 FIRST Conference for the first time (no pun intended!) recently. FIRST is the Forum of Incident Response and Security Teams, and it brings together a wide variety of security and incident response teams, including in particular product security teams from the government, commercial and academic sectors. This year's conference theme was "Defending the Castle" and there were approximately 1100 delegates, a very full program over 5 days, and plenty of opportunities to meet other cyber security teams and share ideas across the board. One of the aspects I enjoyed thoroughly was my introduction to other CERTs from the Asia Pacific region and gaining a greater understanding of the role AUSCERT plays in this community.

(Photo credit: APCERT)

I also wanted to take this opportunity to highlight a couple of my favourite speaker sessions here:

"Waking up the Guards – Renewed Vigilance Needed to Regain Trust in Fundamental Building Blocks" by Merike Kaeo of Double Shot Security was my favourite keynote. Merike spoke about the days when trust was inherent and how we now see exploitation of fundamentals such as routing, DNS and certificates. She posed the question 'How can we regain trust and control of where our data goes and by whom it is seen?', and it really got me thinking about the current cyber security landscape and how we can all do better in this space.

The other session I enjoyed was the talk presented by the Cisco Umbrella research team on "Detecting Covert Communication Channels via DNS". I thought this was an absolutely fascinating subject and one that is worth further research within AUSCERT.

As the conference wrapped up at the end of last week, I walked away feeling very inspired by the strong community spirit that fosters great collaboration within our industry. I am certain that AUSCERT and UQ can AND need to play an even more active role in the future!

David Stockdale
Director


Week in review

AUSCERT Week in Review for 5th July 2019

5 Jul 2019

AUSCERT Week in Review for 5th July 2019

Greetings,

I hope you are all enjoying the holiday period, whether it be having a break, fewer students/customers, or quieter roads.

This week we again saw a wide variety of vulnerabilities revealed and patches released, including several root compromises and numerous remotely exploitable issues.

Here are some of this week's noteworthy news stories (in no particular order):

Germany to publish standard on modern secure browsers
Author: Catalin Cimpanu
Date: 01-07-2019
Excerpt: "Germany's cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt fur Sicherheit in der Informationstechnik, BSI), and they'll be used to advise government agencies and companies from the private sector on what browsers are safe to use."

Morrison sells Australia's terrorism video streaming plan to the G20
Author: Stilgherrian
Date: 01-07-2019
Excerpt: Led by Australia, the G20 nations have urged online platforms to "meet our citizens' expectations" to prevent terrorist and violent extremism conducive to terrorism (VECT) content from being streamed, uploaded, or re-uploaded. "Platforms have an important responsibility to protect their users," read the Leaders' Statement [PDF] issued in Osaka on Saturday.

Poison certs imperils GnuPG checking of Linux software
Author: Juha Saarinen
Date: 01-07-2019
Excerpt: "An attack has been unleashed against the global synchronising keyserver (SKS) network used by the popular OpenPGP encryption standard, with developers saying there are currently no mitigations available and that the problem is likely to get worse."

China Is Forcing Tourists to Install Text-Stealing Malware at its Border
Author: Joseph Cox
Date: 03-07-2019
Excerpt: "The malware downloads a tourist's text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files."

US wants to isolate power grids with 'retro' technology to limit cyber-attacks
Author: Catalin Cimpanu
Date: 02-07-2019
Excerpt: The idea is to use "retro" technology to isolate the grid's most important control systems, to limit the reach of a catastrophic outage. "Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators."

YouTube mystery ban on hacking videos has content creators puzzled
Author: Thomas Claburn
Date: 03-07-2019
Excerpt: It forbids: "Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data."

First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
Author: Catalin Cimpanu
Date: 03-07-2019
Excerpt: "The DoH (DNS) request is encrypted and invisible to third-party observers, including cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains."

Here are some of this week's noteworthy security bulletins (in no particular order):

1. ESB-2019.1280 – [Linux][OSX] Webkit: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79038
"Processing maliciously crafted web content may lead to arbitrary code execution."

2. ESB-2019.2443 – [Appliance] Cisco IP Phone 7800 and 8800 Series: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2443/
"A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone."

3. ESB-2019.2433 – [Virtual] VMware Products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2433/
"Several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) have been disclosed. These issues may allow a malicious entity to execute a Denial of Service attack against affected products."

4. ESB-2019.2413 – [Appliance] F5 Products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2413/
"An attacker may exhaust file descriptors available to the named process; as a result, network connections and the management of log files or zone journal files may be affected."

5. ESB-2019.2370 – [Win][Mac] Symantec Endpoint Encryption: Increased privileges – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2370/
"Symantec Endpoint Encryption and Symantec Encryption Desktop may be susceptible to a privilege escalation vulnerability"

6. ESB-2019.2474 – [FreeBSD] cd_ioctl: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2474/
"A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device."

Stay safe, stay patched and have a great weekend,
Marcus.


Week in review

AUSCERT Week in Review for 28th June 2019

2 Jul 2019

AUSCERT Week in Review for 28th June 2019

Greetings,

As the week ending Friday 28th June comes to a close, we take a look at some articles from this week that highlight the constant tug-of-war between the bad guys (them!) and the good guys (us!). From angler phishing to using a Raspberry Pi to hack into a US national space agency, the bad guys are constantly trying to break through our defences. On the flip side, the Algorithm Vaccination article highlights the defenders' equal determination to overcome their adversaries. Don't give up the fight!

Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

What is angler phishing?
Date published: 24/06/2019
Author: Luke Irwin
Excerpt: "Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts. This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that's for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints."

Raspberry Pi Used in JPL Breach
Date published: 24/06/2019
Author: Staff, Dark Reading
Excerpt: "Auditors' reports tend to make for dry reading. But NASA's Inspector General has delivered a report on "Cybersecurity Management and Oversight at the Jet Propulsion Laboratory" that includes twists and turns, like a hacker using a vulnerable, unapproved Raspberry Pi as a doorway into JPL systems. That Raspberry Pi was responsible for 500 megabytes of NASA Mars mission data leaving JPL servers. The intrusion resulted in an advanced persistent threat (APT) that was active in JPL's network for more than a year before being discovered. This was the most recent breach listed in the report. Other breaches noted date back to 2009 and include exfiltration totaling more than 100 gigabytes of information. Several of the intrusions feature command-and-control servers with IP addresses located in China, though the responsibility for the latest attack was not assigned to any country or actor."

Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory
Date published: 25/06/2019
Author: Pierluigi Paganini
Excerpt: "'This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,' reads a Tweet published by Microsoft Security Intelligence. One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited."

Researchers develop a technique to vaccinate algorithms against adversarial attacks
Date published: 24/06/2019
Author: Helpnet Security
Excerpt: "Dr Richard Nock, machine learning group leader at CSIRO's Data61, said that by adding a layer of noise (i.e. an adversary) over an image, attackers can deceive machine learning models into misclassifying the image. 'Adversarial attacks have proven capable of tricking a machine learning model into incorrectly labelling a traffic stop sign as a speed sign, which could have disastrous effects in the real world. Our new techniques prevent adversarial attacks using a process similar to vaccination,' Dr Nock said."

Here are this week's noteworthy security bulletins:

1) F5 BIG-IP Controller for Cloud Foundry: Root compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2286/
F5 released an update for its BIG-IP Controller for Cloud Foundry, which addressed a vulnerability in Alpine Docker Images (version 3.3 and up) that led systems deployed using those versions to accept a NULL 'root' user password. The vulnerability had been introduced in December 2015!

2) Tenable Nessus: Cross-site scripting – Remote with user interaction
https://portal.auscert.org.au/bulletins/ASB-2019.0168/
Tenable issued an update for its Nessus Vulnerability Assessment solution to fix an XSS vulnerability.

3) McAfee Enterprise Security Manager (ESM): Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0169/
McAfee updated its Enterprise Security Manager (ESM) SIEM product to address a number of vulnerabilities.

4) Medtronic MiniMed 508 and Paradigm Series Insulin pumps – Multiple impacts
https://portal.auscert.org.au/bulletins/ESB-2019.2351/
Yet again, vulnerabilities in medical equipment allow bad people to play with lives by manipulating insulin doses or feeding incorrect information to those devices.

Stay safe, stay patched and have a good weekend!
Nick


Week in review

AUSCERT Week in Review for 21st June 2019

21 Jun 2019

AUSCERT Week in Review for 21st June 2019

Greetings,

This week the Australian government performed an rm -rf on a top government cyber security position, and zero-days for both Firefox and Oracle WebLogic were dropped.

Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

Title: Mozilla patches Firefox zero-day abused in the wild
Date Published: 18 June 2019
Author: Catalin Cimpanu
Excerpt: "The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, Mozilla engineers wrote in a security advisory posted today. 'This can allow for an exploitable crash,' they added. 'We are aware of targeted attacks in the wild abusing this flaw.'"

Title: Oracle patches another actively-exploited WebLogic zero-day
Date Published: June 19, 2019
Author: Catalin Cimpanu
Excerpt: "Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users' systems. Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday. The initial report from Knownsec claimed the attacks exploited a brand new WebLogic bug to bypass patches for a previous zero-day tracked as CVE-2019-2725, which was also exploited in the wild for days in April before Oracle released an emergency security patch for that one as well."

Title: Home Affairs deletes top govt cyber advisor position
Date Published: 21 June 2019
Author: MSRC Team
Excerpt: "Australia's top government cyber security policy job has quietly disappeared from the Department of Home Affairs following the shock departure of former cyber tsar Alastair MacGibbon. The department's most recently issued organisation chart reveals the national cyber security advisor role has been shredded and the wider cyber security policy function absorbed within its policy directorate. Originally established as the Prime Minister's special advisor on cyber security, the high profile public-facing role was established within the PM's department as part of the heavily publicised May 2016 national cyber security strategy."

Title: Critical Vulnerabilities Patched in Cisco SD-WAN, DNA Center Products
Date Published: June 20, 2019
Author: Eduard Kovacs
Excerpt: "Cisco on Wednesday released patches for several critical and high-severity vulnerabilities affecting its SD-WAN, DNA Center, TelePresence, StarOS, RV router, Prime Service Catalog, and Meeting Server products. According to Cisco, the Digital Network Architecture (DNA) Center is affected by a critical vulnerability that allows a network attacker to bypass authentication and access critical internal services. The company's SD-WAN solution, specifically its command-line interface (CLI), is affected by a critical flaw that can be exploited by a local attacker to elevate privileges to root and change the system configuration."

Title: Samba Vulnerability Can Crash Active Directory Components
Date Published: 20 June 2019
Author: Ionut Ilascu
Excerpt: "A couple of bugs in some versions of Samba software can help an attacker crash key processes on the network in charge of providing directory, application, and other services. The two vulnerabilities can be leveraged separately to crash the LDAP (Lightweight Directory Access Protocol) and the RPC (remote procedure call) server processes in Samba Active Directory Domain Controller, supported since version 4.0 of the software."

Here are this week's noteworthy security bulletins:

1) [ESB-2019.2230] Apache Tomcat: Denial of service – Remote/unauthenticated
Clients are able to cause server-side threads to block, eventually leading to thread exhaustion and a denial of service.

2) [ESB-2019.2225] Bind: Denial of service – Remote/unauthenticated
Bind could be made to crash if it received specially crafted network traffic.

3) [ESB-2019.2220] libvirt: Multiple vulnerabilities
Multiple denial of service and code execution vulnerabilities found in libvirt.

Stay safe, stay patched and have a great weekend,
Rameez Agnew


Week in review

AUSCERT Week in Review for 14th June 2019

14 Jun 2019

AUSCERT Week in Review for 14th June 2019

Greetings,

Happy Microsoft patch week! An updated Windows computer is a happy Windows computer (and will make us happy too!)

In other news, if you recall the Exim vulnerability we mentioned last week, it's now being exploited in the wild, so please patch as soon as you can!

Here's a summary (including excerpts) of some of the more interesting stories we've seen this week:

Exim email servers are now under attack
Date Published: 14/06/2019
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
Excerpt: "Exim servers, estimated to run nearly 57% of the internet's email servers, are now under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned. At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web."

RAMBleed (CVE-2019-0174)
Date Published: 12/06/2019
https://rambleed.com/
Excerpt: "RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well."

Google decloaks Win-DoS bug before patch is released
Date Published: 12/06/2019
https://www.itnews.com.au/news/google-decloaks-win-dos-bug-before-patch-is-released-526549
Excerpt: "Google's Project Zero security team has decided to reveal the details of a denial of service (DoS) bug in Windows, after Microsoft said it would provide a patch outside the 90-day disclosure deadline. Project Zero lifted the veil on the flaw, 91 days after it was disclosed to Microsoft. The bug is found in the Windows cryptographic application programming interface, affecting the SymCrypt library arithmetic routines, Project Zero researcher Tavis Ormandy said."

8.4TB in email metadata exposed in university data leak
Date Published: 10/06/2019
https://www.zdnet.com/article/8-4tb-in-email-metadata-exposed-in-university-data-leak/
Excerpt: "An exposed database belonging to Shanghai Jiao Tong University exposed 8.4TB in email metadata after failing to implement basic authentication demands. As described on the Rainbowtabl.es security blog, Paine found the ElasticSearch database through a Shodan search. The open database contained 9.5 billion rows of data and was active at the time of discovery, given that its size increased from 7TB on May 23 to 8.4TB only a day later."

Project Svalbard: The Future of Have I Been Pwned
Date Published: 11/06/2019
https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/
Excerpt: "Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I've met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn't a hard decision to make – I needed help and they had the right experience and the right expertise."

Here are this week's noteworthy security bulletins:

1) ASB-2019.0156 – Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0156/

2) ESB-2019.2084 – vim: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2084/

3) ESB-2019.2090 – Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2090/

4) ESB-2019.2101 – Intel Microprocessors: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2101/

5) ESB-2019.2102 – Cisco IOS XE Software Web UI: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2102/

Stay safe, stay patched and have a good weekend!
Charelle


Blogs

Malware threat indicators in AWS using MISP

13 Jun 2019

Malware threat indicators in AWS using MISP

Every zero-day vulnerability is an attack vector that existed before the day it was announced. When one is disclosed we must vigilantly patch all of our vulnerable services while also checking that nothing has already been compromised. We share threat indicators to limit the potential impact of attackers; however, when a new malware indicator has been identified in the wild, updating your firewall isn't always enough.

AWS GuardDuty is a great solution for checking VPC flow logs and Route 53 query logs against public threat feeds. But attacks targeted at specific industries are often underrepresented in public feeds, and there is a delay between when an attack is first seen and when the data is pulled into a threat feed.

Amazon Athena is a valuable tool when it comes to searching for threat data in AWS accounts. Athena lets you query large amounts of data in S3 using SQL syntax. AWS has helpful guides on setting up VPC flow logs to be queryable from Athena. Searching over large amounts of flow log data quickly is very useful; however, we want automatic integration with MISP to identify malicious traffic.

We can pull malicious IP addresses out of the MISP API. The MISP query builder can express the search we want: all malicious destination addresses (ip-dst attributes) from the last seven days that have the intrusion detection system (IDS) flag set. The IDS flag lets security analysts mark which attributes of an event are strong indicators of compromise. For example, if a malware sample sends a DNS request to the Google nameserver 8.8.8.8, recording that may help identify the malware family, but by itself it does not mean a host is compromised, so it should not carry the IDS flag.

Pulling the list of malicious IP addresses can be done from a scheduled Lambda task using the MISP Python API (PyMISP). This example pulls the attributes and dumps them out as CSV:
```python
#!/usr/bin/env python
from pymisp import PyMISP

# Connect to MISP: base URL, API key, verify the TLS certificate, JSON output.
misp = PyMISP('https://misp.localhost/', '<api-key>', True, 'json')

# All ip-dst attributes from the last seven days that have the IDS flag set,
# the same search the query builder describes above.
result = misp.search('attributes', type_attribute='ip-dst', to_ids=True, last='7d')

# One CSV line per attribute: attribute id, event id, destination address.
rows = []
for attribute in result['response']['Attribute']:
    rows.append(','.join([attribute['id'], attribute['event_id'], attribute['value']]))
print('\n'.join(rows))
```

This file can then be used to set up a new Athena table. The example here shows the syntax to create a basic table for malicious IP addresses while retaining the MISP event ID. The dump is comma separated, so the field delimiter is a comma, and the LOCATION must be an S3 prefix that holds only the MISP dumps, not the flow log prefix (Athena reads every object under the location as rows of this table). Writing each dump under a dt=YYYY-MM-DD/ prefix and running MSCK REPAIR TABLE misp_dest_indicators afterwards lets Athena pick up the new partition.

```sql
CREATE EXTERNAL TABLE IF NOT EXISTS misp_dest_indicators (
  attributeid int,
  eventid int,
  destinationaddress string
)
PARTITIONED BY (dt string)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY ','
LOCATION 's3://your_log_bucket/misp_indicators/';
```

Now we have all of the data needed to parse over our VPC flow logs with our MISP threat indicators. Joining these Athena tables, we can see if any of our MISP indicators show up in our VPC flow logs:

```sql
SELECT v.account,
       v.interfaceid,
       v.sourceaddress,
       v.destinationaddress,
       v.action,
       m.attributeid,
       m.eventid
FROM vpc_flow_logs v
JOIN misp_dest_indicators m ON v.destinationaddress = m.destinationaddress;
```

Athena is billed on the amount of data scanned, so in practice add a WHERE clause on the flow log table's date partition rather than joining across every flow log object in the bucket.

If we want this in a more automated process we can execute this Athena query directly from Lambda. We could then trigger an alert with SNS if we find any matches on our hosts. For example:

```python
import boto3

session = boto3.Session()
client = session.client('athena', region_name='ap-southeast-2')

# Athena runs queries asynchronously: this call returns a QueryExecutionId to
# poll with get_query_execution, and the results land in OutputLocation.
response = client.start_query_execution(
    QueryString='select * from vpc_flow_logs limit 100;',  # replace with the join query above
    QueryExecutionContext={
        'Database': 'vpc_logs'
    },
    ResultConfiguration={
        'OutputLocation': 's3://<bucket>'
    }
)
```

This solution allows us to search over large amounts of data when a new threat emerges. We also want to make sure these security events don't happen in the future.
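The boto3 snippet above only starts the query; a Lambda that actually alerts has to wait for Athena to finish, read the result rows back, and publish to SNS when anything matched. The following is an added example (my code, not AUSCERT's) of that loop. The Athena and SNS clients are passed in so the logic can be run offline against the fake clients and the constructed result set at the bottom; `lambda_handler` builds real boto3 clients. Table and column names follow the post; the `dt` partition column on `vpc_flow_logs`, the `vpc_logs` database name, the result bucket and the topic ARN are assumptions.

```python
"""Run the MISP/flow-log join in Athena from Lambda and alert via SNS.

Added example, not AUSCERT's code. Clients are injected so the logic runs
offline against FakeAthena/FakeSns; lambda_handler builds real boto3 clients.
The 'dt' partition column, database name and topic ARN are assumptions.
"""
import time
from datetime import date, timedelta

JOIN_QUERY = """\
SELECT v.account, v.interfaceid, v.sourceaddress, v.destinationaddress, v.action,
       m.attributeid, m.eventid
FROM vpc_flow_logs v
JOIN misp_dest_indicators m ON v.destinationaddress = m.destinationaddress
WHERE v.dt >= '{since}'"""


def build_query(days=1, today=None):
    """Restrict the join to recent flow log partitions so Athena scans less data."""
    base = date.fromisoformat(today) if today else date.today()
    return JOIN_QUERY.format(since=(base - timedelta(days=days)).isoformat())


def run_query(athena, query, database, output, poll_seconds=1, max_polls=120):
    """Start the query and poll until it finishes; return the execution id."""
    qid = athena.start_query_execution(
        QueryString=query,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output},
    )["QueryExecutionId"]
    for _ in range(max_polls):
        state = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]["State"]
        if state == "SUCCEEDED":
            return qid
        if state in ("FAILED", "CANCELLED"):
            raise RuntimeError(f"Athena query {qid} ended in state {state}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"Athena query {qid} did not finish in time")


def fetch_rows(athena, qid):
    """Turn Athena result pages into dicts; the first row of a SELECT is the header."""
    rows, header, kwargs = [], None, {"QueryExecutionId": qid}
    while True:
        page = athena.get_query_results(**kwargs)
        for row in page["ResultSet"]["Rows"]:
            values = [cell.get("VarCharValue") for cell in row["Data"]]
            if header is None:
                header = values
            else:
                rows.append(dict(zip(header, values)))
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]


def format_alert(matches):
    lines = [f"{len(matches)} flow log record(s) matched MISP ip-dst indicators:"]
    for m in matches:
        lines.append(f"  {m['sourceaddress']} -> {m['destinationaddress']} {m['action']} on "
                     f"{m['interfaceid']} (MISP event {m['eventid']}, attribute {m['attributeid']})")
    return "\n".join(lines)


def check_and_alert(athena, sns, topic_arn, database, output, days=1, poll_seconds=1):
    """Run the join and publish one SNS message if anything matched; return the matches."""
    qid = run_query(athena, build_query(days), database, output, poll_seconds)
    matches = fetch_rows(athena, qid)
    if matches:
        sns.publish(TopicArn=topic_arn, Subject="MISP indicator seen in VPC flow logs",
                    Message=format_alert(matches))
    return matches


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda
    session = boto3.Session()
    athena = session.client("athena", region_name="ap-southeast-2")
    sns = session.client("sns", region_name="ap-southeast-2")
    topic = "arn:aws:sns:ap-southeast-2:123456789012:misp-alerts"  # assumed topic ARN
    return {"matches": len(check_and_alert(athena, sns, topic, "vpc_logs", "s3://<bucket>/athena-results/"))}


class FakeAthena:
    """Constructed stand-in for the boto3 Athena client (offline use only)."""
    def __init__(self, rows, state="SUCCEEDED"):
        self.rows, self.state, self.queries = rows, state, []

    def start_query_execution(self, **kwargs):
        self.queries.append(kwargs["QueryString"])
        return {"QueryExecutionId": "q-1"}

    def get_query_execution(self, QueryExecutionId):
        return {"QueryExecution": {"Status": {"State": self.state}}}

    def get_query_results(self, QueryExecutionId, NextToken=None):
        return {"ResultSet": {"Rows": [{"Data": [{"VarCharValue": v} for v in r]} for r in self.rows]}}


class FakeSns:
    def __init__(self):
        self.published = []  # records every publish() call for inspection

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "m-1"}


SAMPLE_RESULT = [  # constructed: Athena header row, then two matching flow records
    ["account", "interfaceid", "sourceaddress", "destinationaddress", "action", "attributeid", "eventid"],
    ["123456789012", "eni-0a1b2c3d", "10.0.1.15", "203.0.113.77", "ACCEPT", "4102", "318"],
    ["123456789012", "eni-0a1b2c3d", "10.0.2.8", "198.51.100.23", "REJECT", "4109", "319"],
]
```

Two details matter in production: the Lambda's execution role needs `athena:StartQueryExecution`, `athena:GetQueryExecution`, `athena:GetQueryResults`, read/write access to the results bucket and the source buckets, and `sns:Publish`; and a query that fails or is cancelled raises rather than silently returning no matches, so a failed run does not look like a clean one.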
AWS has a threat detection service called GuardDuty which passively searches for threats in VPC flow logs and Route 53 query logs. GuardDuty can use custom threat lists from S3, which lets us provide another dump of MISP threat indicators as a plain text file of IP addresses. GuardDuty will then alert your security team to any future events where hosts try to route to any of those malicious addresses.
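As an added example (my code, not AUSCERT's), the following does the same match the Athena join performs, but locally over a flow log file pulled from S3, which is handy for a quick check on one account, and builds the GuardDuty threat list from the MISP CSV. Both inputs are constructed samples in the real formats: the default AWS flow log line layout, and the "id,event_id,value" CSV the PyMISP script writes. The threat list file still has to be uploaded to S3 and registered with GuardDuty (CreateThreatIntelSet) before it takes effect.

```python
"""Match a downloaded VPC flow log against the MISP CSV dump and build a
GuardDuty threat list from it. Added example, not AUSCERT's code; both
inputs below are constructed samples in the real formats.
"""
import csv
import io
import ipaddress

# Field order of the default VPC flow log record format (space separated).
FLOW_LOG_FIELDS = ("version account interfaceid sourceaddress destinationaddress "
                   "sourceport destinationport protocol packets bytes start end "
                   "action logstatus").split()

SAMPLE_FLOW_LOGS = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.77 49152 443 6 12 2048 1562286000 1562286060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49153 443 6 20 9000 1562286000 1562286060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.8 198.51.100.23 50000 8080 6 3 180 1562286010 1562286070 REJECT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1562286010 1562286070 - NODATA
"""

SAMPLE_MISP_CSV = """\
4102,318,203.0.113.77
4109,319,198.51.100.23
4110,319,198.51.100.23
4111,320,not-an-ip
"""


def parse_flow_logs(text):
    """One dict per usable record; header, malformed and NODATA/SKIPDATA lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS) or parts[0] == "version":
            continue
        record = dict(zip(FLOW_LOG_FIELDS, parts))
        if record["logstatus"] == "OK":  # NODATA / SKIPDATA records carry no addresses
            records.append(record)
    return records


def parse_misp_csv(text):
    """Return {ip: [(attributeid, eventid), ...]}, dropping values that are not IP addresses."""
    indicators = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue
        attribute_id, event_id, value = row
        try:
            ip = str(ipaddress.ip_address(value.strip()))  # also normalises IPv6 spelling
        except ValueError:
            continue
        indicators.setdefault(ip, []).append((attribute_id, event_id))
    return indicators


def match_flows(records, indicators):
    """The local equivalent of the Athena join on destinationaddress."""
    matches = []
    for record in records:
        for attribute_id, event_id in indicators.get(record["destinationaddress"], []):
            matches.append({**record, "attributeid": attribute_id, "eventid": event_id})
    return matches


def guardduty_threat_list(indicators):
    """GuardDuty plain text threat lists hold one IP address or CIDR range per line."""
    return "".join(f"{ip}\n" for ip in sorted(indicators, key=ipaddress.ip_address))


if __name__ == "__main__":
    flows = parse_flow_logs(SAMPLE_FLOW_LOGS)
    misp = parse_misp_csv(SAMPLE_MISP_CSV)
    for hit in match_flows(flows, misp):
        print(f"{hit['sourceaddress']} -> {hit['destinationaddress']} {hit['action']} "
              f"(MISP event {hit['eventid']}, attribute {hit['attributeid']})")
    print(guardduty_threat_list(misp), end="")
```

Note that a REJECT record still matches: a host that tried to reach an indicator and was blocked by a security group is exactly the host you want to look at, so do not filter the join to ACCEPT only.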


Week in review

AUSCERT Week in Review for 7th June 2019

7 Jun 2019

AUSCERT Week in Review for 7th June 2019

Greetings,

Another fun week has been and gone. Great to see many of you last week at the conference, and we hope you’ve settled back into your daily roles.

Notable news this week includes a critical vulnerability in the Exim mail transfer agent and the disclosure of a second major hack of the Australian National University.

It’s an unconventional story: the bug in Exim was patched entirely by accident back in February, so the release notes at the time did not include a security notice. Researchers from Qualys have since disclosed the vulnerability. If you run Exim (which roughly half of the mail servers on the internet do), we advise updating to Exim 4.92. The fix will also be backported to minor versions down to 4.87 and made available by your OS providers in time; until that backport reaches you, treat anything below 4.92 as vulnerable.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: AUSCERT2019: that’s a wrap!
URL: https://wordpress-admin.auscert.org.au/blog/2019-06-07-auscert2019-s-wrap
Date published: 07/06/2019
Author: Bek of AUSCERT
Excerpt: “The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here’s a summary of conference highlights for those who couldn’t attend.”

Title: New RCE vulnerability impacts nearly half of the internet’s email servers
URL: https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/
Date published: 05/06/2019
Author: Catalin Cimpanu of ZDNet
Excerpt: “A critical remote command execution (RCE) security flaw impacts over half of the Internet’s email servers, security researchers from Qualys have revealed today. The vulnerability was patched with the release of Exim 4.92, on February 10, 2019, but at the time the Exim team released v4.92, they didn’t know they fixed a major security hole.”

Title: ANU suffers second ‘significant’ hack in a year
URL: https://www.itnews.com.au/news/anu-suffers-second-significant-hack-in-a-year-526123
Date published: 04/06/2019
Author: iTnews
Excerpt: “The Australian National University has suffered a massive data breach with about 19 years of data accessed by an unknown attacker. It’s the second major attack against the ANU, which was also hit in mid-July last year. The university at the time blamed an advanced persistent threat but said the “significant” damage from that incident had been contained.”

Title: United States visa applicants now required to hand over social media usernames
URL: https://www.abc.net.au/news/2019-06-03/us-visa-applicants-to-hand-over-social-media-usernames/11172086
Date published: 03/06/2019
Author: ABC News
Excerpt: “The State Department is now requiring nearly all applicants for US visas to submit their social media usernames, previous email addresses and phone numbers. It’s a vast expansion of the Trump administration’s enhanced screening of potential immigrants and visitors. The department says it has updated its immigrant and non-immigrant visa forms to request the additional information, including “social media identifiers”.”

Title: Google Cloud goes down, taking YouTube, Gmail, Snapchat and others with it
URL: https://www.zdnet.com/google-amp/article/google-cloud-goes-down-taking-youtube-gmail-snapchat-and-others-with-it/
Date published: 03/06/2019
Author: ZDNet
Excerpt: “A mysterious outage has hit Google Cloud, one of the biggest cloud service providers on the internet, and thousands of sites have gone down as a result, including both Google and non-Google services. Affected companies include some of the biggest names around, such as Snapchat, Vimeo, Shopify, Discord, Pokemon GO; but also most of Google’s own services, like YouTube, Gmail, Google Search, G Suite, Hangouts, Google Drive, Google Docs, Google Nest, and others. In an extreme case of irony, according to a Google employee, the outage was so severe that it also took down internal tools Google engineers were using to communicate among each other about the outage, making recovery efforts even more difficult.”

Noteworthy bulletins of the week:

1) ESB-2019.2018.2 – exim: Execute arbitrary commands – Remote/unauthenticated.
https://portal.auscert.org.au/bulletins/ESB-2019.2018.2/
The above-mentioned Exim vulnerability.

2) ESB-2019.2033 – IBM WebSphere Application Server: Multiple vulnerabilities.
https://portal.auscert.org.au/bulletins/ESB-2019.2033/
IBM Java SDK is in many of their products, and so is WebSphere. Expect a steady trickle of other IBM products updating their internal WebSphere version.

3) ESB-2019.2017 – Python Django: Cross-site scripting.
https://portal.auscert.org.au/bulletins/ESB-2019.2017/
We love Django and are glad to see it’s kept up to date from pesky human errors.

4) ASB-2019.0153 – Android: Multiple vulnerabilities.
https://portal.auscert.org.au/bulletins/ASB-2019.0153/
You can expect Android patch level 2019-06-05 to reach your phone, tablet or ICS controller in two to infinity months.

Stay safe, stay patched and have a good weekend!

David
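A quick local check for the Exim advice above, added here as an example and not part of the newsletter or of the Exim project: it parses the banner that `exim -bV` prints and classifies the install against the two figures the page gives, the 4.92 upstream fix and the 4.87 backport floor. The banner strings used in the demo are constructed, not captured from a real host, and the `classify`/`check_local_exim` names are this example’s own. Whether your distribution has already shipped a backport cannot be read from the upstream version string, so the function takes that as an explicit argument that you fill in from the vendor advisory (the ESB bulletin linked above) rather than guessing.

```python
import re
import shutil
import subprocess

# Figures taken from the newsletter above: the fix landed in Exim 4.92 and
# distributions are expected to backport it to branches down to 4.87.
FIXED_UPSTREAM = (4, 92)
BACKPORT_FLOOR = (4, 87)

_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output):
    """Extract (major, minor) from the first line `exim -bV` prints,
    e.g. 'Exim version 4.91 #1 built 01-Feb-2019 ...'.
    Raises ValueError when the banner is not recognised."""
    m = _VERSION_RE.search(bv_output)
    if m is None:
        raise ValueError("no 'Exim version X.Y' banner in output")
    return int(m.group(1)), int(m.group(2))


def classify(version, distro_backport_applied=False):
    """Map a parsed version to a patch state.

    `distro_backport_applied` must come from the OS vendor's advisory or
    the package changelog: an older upstream version number alone cannot
    show that the fix was backported into that branch."""
    if version >= FIXED_UPSTREAM:
        return "fixed-upstream"
    if distro_backport_applied:
        return "fixed-by-distro-backport"
    if version >= BACKPORT_FLOOR:
        return "vulnerable-pending-backport"      # a backport is expected for this branch
    return "vulnerable-upgrade-required"          # older than any branch getting a backport


def check_local_exim(distro_backport_applied=False):
    """Run the real binary if it is installed; returns None otherwise."""
    if shutil.which("exim") is None:
        return None
    out = subprocess.run(["exim", "-bV"], capture_output=True, text=True, check=False)
    return classify(parse_exim_version(out.stdout), distro_backport_applied)


if __name__ == "__main__":
    # Constructed sample banners for the demo, not output from a real host.
    for banner in ("Exim version 4.92 #3 built 02-Mar-2019",
                   "Exim version 4.91 #1 built 01-Feb-2019",
                   "Exim version 4.86_2 #1 built 21-Dec-2015"):
        print(banner.split(" #")[0], "->", classify(parse_exim_version(banner)))
    print("local install:", check_local_exim())
```

On a Debian or Ubuntu host the package is `exim4` and the backport shows up as a new Debian revision of an unchanged upstream version, which is exactly the case the `distro_backport_applied` flag exists for.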



AUSCERT Week in Review for 31st May 2019

31 May 2019

Greetings,

As you may be aware, this week marked our 18th annual AUSCERT conference. It’s been another great week of talks, tutorials, events, meeting new people, and catching up with familiar faces. A big thank you to our membership team for another successful year – we get a behind-the-scenes view of just how much work they put in to make this all happen. Another big thank you to everyone who came to join us; it makes all the hard work in the lead-up worthwhile. If you couldn’t make it this year, we’re sorry to have missed you, but don’t worry – there’s always AUSCERT2020!

And not to detract from the celebrations, but just a friendly reminder to make sure your systems are patched against BlueKeep.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Almost one million Windows systems vulnerable to BlueKeep (CVE-2019-0708)
Date published: 28/05/2019
Author: ZDNet
Excerpt: “Nearly one million Windows PCs are vulnerable to BlueKeep, a vulnerability in the Remote Desktop Protocol (RDP) service impacting older versions of the Windows OS. This number comes to put initial fears into context — that over seven million devices were in danger — although the danger remains present, as one million devices are still nothing to joke about.”

Title: Unpatched Flaw Affects All Docker Versions, Exploits Ready
Date published: 28/05/2019
Author: Bleeping Computer
Excerpt: “All versions of Docker are currently vulnerable to a race condition that could give an attacker both read and write access to any file on the host system. Proof-of-concept code has been released. The flaw is similar to CVE-2018-15664 and it offers a window of opportunity for hackers to modify resource paths after resolution but before the assigned program starts operating on the resource. This is known as a time-to-check-time-to-use (TOCTOU) type of bug.”

Title: How to protect your business against cyber crime
Date published: 28/05/2019
Author: In Daily
Excerpt: “The 2018/2019 BDO and AUSCERT Cyber Security Survey found data loss/theft of confidential information incidents rose by 78.68 per cent in 2018 compared to 2017. While this could be partially explained by the February 2018 introduction of mandatory reporting through the Notifiable Data Breaches (NDB) scheme, BDO Technology Advisory Partner Nick Kervin said cyber attacks continued to increase across the board and were changing in their form.”

Title: Australian tech unicorn Canva suffers security breach
Date published: 24/05/2019
Author: ZDNet
Excerpt: “Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned. Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet. Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.”

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1894.2 – sqlite3: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.1894.2/
sqlite3 is vulnerable to a use-after-free leading to remote code execution via a crafted SQL statement.

2) ESB-2019.1941 – drupal plugins multiple security vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1941/
A number of Drupal modules have been updated to fix a swath of vulnerabilities.

3) ESB-2019.1905 – gnome-desktop: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1905/
GNOME has patched a vulnerability where maliciously crafted images could execute code when thumbnailed.

Stay safe, stay patched and have a good weekend!

Tim
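The Docker story above describes a time-of-check to time-of-use (TOCTOU) race: a path is resolved and checked, and by the time the daemon opens it the path points somewhere else. The block below is an added example written for this page, not Docker’s code and not a reproduction of the Docker bug: it builds a fake “container root” and a file outside it in a temporary directory (all constructed), shows the check-then-open pattern losing to a symlink swap, and then the same read done with component-wise `openat` plus `O_NOFOLLOW`, where the swap cannot be followed at all. The `between` hook is a stand-in for the race window so the attacker’s move can be forced deterministically; the function and file names are this example’s own. It needs a Unix platform (`dir_fd=` in `os.open`).

```python
import os
import tempfile


def make_fixture():
    """Constructed layout for the demo (not a real container):
       <base>/rootfs/etc/config   -> 'inside'      (allowed to be read)
       <base>/outside/config      -> 'HOST SECRET' (must never be read)
    Returns (rootfs, outside); rootfs is realpath'd so the string
    comparison in the vulnerable version is not tripped by /tmp symlinks."""
    base = os.path.realpath(tempfile.mkdtemp())
    rootfs = os.path.join(base, "rootfs")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(rootfs, "etc"))
    os.makedirs(outside)
    with open(os.path.join(rootfs, "etc", "config"), "w") as f:
        f.write("inside\n")
    with open(os.path.join(outside, "config"), "w") as f:
        f.write("HOST SECRET\n")
    return rootfs, outside


def swap_in_symlink(rootfs, outside):
    """The attacker's move: replace rootfs/etc with a symlink that points
    outside the root. In the Docker bug this happens from inside the
    container while the daemon sits between its check and its open."""
    etc = os.path.join(rootfs, "etc")
    os.rename(etc, etc + ".orig")
    os.symlink(outside, etc)


def read_check_then_open(rootfs, rel, between=None):
    """Vulnerable pattern: resolve the path, check that it stays under
    rootfs, then open the same *string* again. The kernel resolves the
    path a second time at open(), so anything changed in between wins."""
    target = os.path.join(rootfs, rel)
    resolved = os.path.realpath(target)                 # time of check
    if not resolved.startswith(rootfs + os.sep):
        raise PermissionError("path escapes root")
    if between is not None:
        between()                                       # attacker wins the race here
    with open(target) as f:                             # time of use: re-resolved
        return f.read()


def read_no_follow(rootfs, rel, between=None):
    """Hardened pattern: walk the path one component at a time relative to
    a directory fd (openat(2) semantics via dir_fd=) with O_NOFOLLOW, so a
    symlink anywhere in the path makes the open fail with ELOOP instead of
    being followed. Check and use are the same syscall; there is no window."""
    if between is not None:
        between()                                       # attacker may move first; it does not help
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("relative path must stay inside root")
    dfd = os.open(rootfs, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for p in parts[:-1]:
            nfd = os.open(p, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        ffd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
    finally:
        os.close(dfd)
    with os.fdopen(ffd) as f:
        return f.read()


if __name__ == "__main__":
    r, o = make_fixture()
    print("vulnerable, raced:", read_check_then_open(r, "etc/config",
                                                     between=lambda: swap_in_symlink(r, o)).strip())
    r, o = make_fixture()
    try:
        read_no_follow(r, "etc/config", between=lambda: swap_in_symlink(r, o))
    except OSError as e:
        print("hardened, raced:", e.strerror)
```

The lesson generalises beyond Docker: any check made on a path string is stale the moment it returns, so the decision has to be made on the object you actually operate on (a file descriptor), not on the name.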



An experience of APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific.

30 May 2019

I feel incomplete when I hear only one voice, and this blog is, in its form, just that: one voice about an event I had the honor of being part of.

My preferred option, to make a story whole, is to take the different voices and listen to other people tell the story of what happened. This way I get a better picture of the impact and significance of an event, or perhaps glimpse a pattern of directed effort.

The event was the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop for the Pacific, and the glimpse of the effort was the APNIC Foundation’s drive to impart skills, know-how and cohesive trusted contacts to as many Pacific nations as possible, given the APNIC Foundation’s engagement over the past few years. These activities support APNIC in building human and community capacity for Internet development in the Asia-Pacific region.

This workshop was organized by the APNIC Foundation with support from APNIC and Samoa’s Ministry of Communications and Information Technology, and funding from the Cyber Cooperation Program (Australia’s Department of Foreign Affairs and Trade – DFAT).

Participants of APNIC Foundation’s 3rd CERT/CSIRT workshop for the Pacific

My recollection of the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop was from the perspective of a guest assistant speaker, bringing only a splinter of expertise from AUSCERT along with its perspective of cyber security as a non-profit, member-based CERT. I have been fortunate to join APNIC’s Adli Wahid, a veteran of delivering these types of courses, in facilitating the workshop.

Participant at one of the sessions of the 3-day workshop

And so in delivering some of the material over the three days, I did get the chance to hear the perspective of cyber security from different Pacific nations, not just at the national constituency level but also at the level of financial institutions, universities, ministries, law enforcement and utilities. Every person that attended brought their own skill sets and perspectives on cyber security, given to them by their opportunity and work environment. Every Pacific nation that sent a delegate to the workshop brought their skills and perspectives, to be honed with a barrage of tools and techniques that could fit in the time three days can offer. Let’s be clear: these delegates were not empty vessels that were filled up with skills in three days, but already had a solid foundation of process and techniques. The three days just brought in new tools and shared perspective.

This was evident, with a little coaxing, from the effective interaction on the final day’s table-top exercise. The participants were split up into five distinct teams with economy-wide responsibilities. One of the first questions that I was asked was, “…is this a competitive drill?…”, where one team needs to outdo another. Perhaps it should have been, but the purpose of this table-top exercise, as is the case in solving internet-borne issues, is to apply a collaborative effort to efficiently and effectively address cyber security. At the end of the exercise, all triggers to take down malicious infrastructure were called out by the various player-teams, and a sense of empowerment came from the fact that each team contributed a meaningful task in cleaning up the exercise’s scenario.

Each team, with their set of expertise and their vision into the scenario, realised that in solving cyber security issues each had a very important piece of work to do in addressing the problem as a whole, and they were, by the end of the day, working together as one.

What filtered out as the best lesson of the three days of the workshop is that it is paramount to make an effort that internet connectivity be molded and protected as a tool to bring out the best opportunity for economic growth at every level of society that the internet touches.

It’s been great to have seen the APNIC Foundation take on that effort of uniting skills and collaboration across the Pacific for the third time, and it is hoped that they will be given the tools to continue this effort far into the future. For, although I was honored to be a guest speaker for the 3rd Regional CERT/CSIRT workshop, I feel I too learned a lot from the delegates, and that I’m bringing back to AUSCERT able and trusted contacts that, should we see cyber security issues in the Pacific, we can all collaborate with on making a safe, clean and reliable internet.

Geoffroy Thonon
Senior Information Security Analyst
AUSCERT



AUSCERT Week in Review for 24th May 2019

24 May 2019

Greetings!

Discussion still raged this week about the potential threat of the Microsoft BlueKeep vulnerability revealed last week. That Microsoft took the incredibly unusual decision of issuing patches for operating systems that reached end of life long ago indicates how seriously they consider this issue. A number of researchers have suggested that it’s only a matter of time until this vulnerability is extensively exploited. If you have any old Windows systems potentially exposed, now is the time to patch them!

And for everyone attending the AUSCERT conference next week, we look forward to seeing you there. We have fewer than 10 tickets left for the conference, so if you were thinking of coming, you had better decide soon!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: BlueKeep Remote Desktop Exploits Are Coming, Patch Now!
Date Published: 20/05/2019
Author: Bleeping Computer
Excerpt: “Security researchers have created exploits for the remote code execution vulnerability in Microsoft’s Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind. While the vulnerability inspired some playful users to create fake proof-of-concept code intended for rickrolling, it is no joke. As Remote Desktop Services is commonly exposed to the public so that users can gain remote access to their internal computers, successful exploitation could allow access to an entire network.”

Title: ‘What he’s achieved is spectacular’: Worker wins landmark case over fingerprinting on the job
Date Published: 21/05/2019
Author: ABC News
Excerpt: “When Queensland sawmill worker Jeremy Lee refused to give his fingerprints to his employer as part of a new work sign-in, he wasn’t just thinking about his privacy. It was a matter of ownership. “It’s my biometric data. It’s not appropriate for them to have it,” he tells RN’s The Law Report. For not agreeing to the new system, Mr Lee was sacked. What followed was a legal battle that delivered the first unfair dismissal decision of its kind in Australia.”

Title: Two more Microsoft zero-days uploaded on GitHub
Date Published: 22/05/2019
Author: ZDNet
Excerpt: “A security researcher going online by the pseudonym of SandboxEscaper has published today demo exploit code for two more Microsoft zero-days after releasing a similar fully-working exploit the day before. These two mark the sixth and seventh zero-days impacting Microsoft products this security researcher has published in the past ten months, with the first four being released last year, and three over the past two days.”

Alerts, Advisories and Updates:
-------------------------------

Title: ASB-2019.0152 – [Solaris] Xerox FreeFlow Print Server v8: Multiple vulnerabilities
Date: 24 May 2019

Title: ASB-2019.0151 – [Win] Xerox FreeFlow Print Server v2 (Windows 7): Multiple vulnerabilities
Date: 24 May 2019

Title: ASB-2019.0150 – [Win][UNIX/Linux] Wireshark: Denial of service – Remote with user interaction
Date: 23 May 2019

Title: ASB-2019.0149 – [Win] Intel Graphics Driver for Windows: Denial of service – Existing account
Date: 23 May 2019

Title: ASB-2019.0148 – [Win][UNIX/Linux] Intel CSME: Multiple vulnerabilities
Date: 22 May 2019

Stay safe, stay patched, and have a good weekend!

Eric.



AUSCERT Week in Review for 17th May 2019

17 May 2019

Greetings,

Hoo boy, what a week!

– This Patch Tuesday, Microsoft gave us CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services. An exploit could potentially propagate like a worm, so this was severe enough for Microsoft to release free updates for Windows XP and Server 2003.
– Not to be outdone, Cisco released a flock of advisories this week, including a vulnerability which allows a persistent backdoor without physical access to the device.
– WhatsApp has provided an update due to a vulnerability that allows spyware to be injected onto your phone.
– And the pièce de résistance: Intel has announced four new microprocessor flaws which could allow unauthorised access to cached data.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Prevent a worm by updating Remote Desktop Services
Date published: 14/05/2019
URL: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Author: MSRC Team
Excerpt: “Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Title: MDS – Microarchitectural Data Sampling – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
Date published: 14/05/2019
URL: https://access.redhat.com/security/vulnerabilities/mds
Author: Red Hat
Excerpt: “Four new microprocessor flaws have been discovered, the most severe of which is rated by Red Hat Product Security as having an Important impact. These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU’s cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or the underlying host system. Red Hat has mitigations prepared for affected systems and has detailed steps customers should take as they evaluate their exposure risk and formulate their response.”

Title: Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
Date published: 13/05/2019
URL: https://www.zdnet.com/article/thrangrycat-flaw-lets-attackers-plant-persistent-backdoors-on-cisco-gear/
Author: Catalin Cimpanu
Excerpt: “A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices. Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip part of Cisco gear since 2013.”

Title: WhatsApp urges users to update app after discovering spyware vulnerability
Date published: 14/05/2019
URL: https://www.theguardian.com/technology/2019/may/13/whatsapp-urges-users-to-upgrade-after-discovering-spyware-vulnerability
Author: Julia Carrie Wong
Excerpt: “WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function. The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.”

Title: Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
Date published: 13/05/2019
URL: https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Author: Sergiu Gatlan
Excerpt: “Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0137 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0137
Microsoft has released its monthly security patch update for the month of May 2019.

2) ASB-2019.0138 – ALERT [Win][UNIX/Linux][Appliance][Virtual] Intel CPU Microcode: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ASB-2019.0138
Intel has published a security advisory disclosing RIDL and Fallout, new speculative-execution side-channel vulnerabilities in the vein of Spectre and Meltdown.

3) ESB-2019.1721 – [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1721
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.

4) ESB-2019.1749 – [Win] Cisco Webex Players for Microsoft Windows: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.1749
Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

Stay safe, stay patched and have a good weekend!

Charelle.
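The MSRC excerpt above makes the point that CVE-2019-0708 is reachable before authentication, and the 24 May issue repeats the advice to find exposed RDP hosts and patch them. The block below is an added example, not Microsoft’s or AUSCERT’s code: it speaks the first step of the RDP handshake (an X.224 Connection Request carrying an RDP_NEG_REQ, as specified in MS-RDPBCGR) and classifies the server’s Connection Confirm. Requesting Standard RDP Security only forces a server that enforces Network Level Authentication to answer with RDP_NEG_FAILURE/HYBRID_REQUIRED_BY_SERVER; any other answer means unauthenticated session setup is reachable. Microsoft’s advisory for CVE-2019-0708 lists enabling NLA as a mitigation alongside the patch, so this tells you which exposed hosts still accept pre-auth traffic, but it cannot tell you whether the patch is installed. The three server replies in the demo are constructed byte strings; `probe_nla` is the only function that touches the network, and the function names are this example’s own.

```python
import socket
import struct

# Constants from MS-RDPBCGR: X.224 Connection Request/Confirm and the
# RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE structures they carry.
PROTOCOL_RDP = 0x00000000              # Standard RDP Security: no TLS, no NLA
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005  # server insists on CredSSP, i.e. NLA


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ (19 bytes total)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts everything after itself: CR code, DST-REF, SRC-REF, class, then neg data
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def classify_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm.

    'nla-required'          RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER
    'nla-not-required'      RDP_NEG_RSP, or a failure for a non-NLA reason
                            (e.g. TLS required): pre-auth setup is reachable
    'legacy-no-negotiation' no rdpNegData at all, the server predates
                            protocol negotiation and cannot do NLA
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]                 # variable part after the 6-byte fixed part
    if len(neg) < 8:
        return "legacy-no-negotiation"
    typ, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if typ == TYPE_RDP_NEG_FAILURE and value == HYBRID_REQUIRED_BY_SERVER:
        return "nla-required"
    if typ in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        return "nla-not-required"
    raise ValueError("unexpected rdpNegData type %#x" % typ)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe_nla(host, port=3389, timeout=5.0):
    """Network probe: only run against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        head = _recv_exact(s, 4)
        total = struct.unpack(">H", head[2:4])[0]
        frame = head + _recv_exact(s, total - 4)
    return classify_connection_confirm(frame)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_nla(sys.argv[1]))
    else:
        # Constructed replies, not captures from real servers.
        for name, reply in (
            ("legacy CC, no rdpNegData", bytes.fromhex("0300000b06d00000123400")),
            ("NLA required", bytes.fromhex("030000130ed000001234000300080005000000")),
            ("accepted Standard RDP", bytes.fromhex("030000130ed000001234000200080000000000")),
        ):
            print(name, "->", classify_connection_confirm(reply))
```

Read the result together with the patch state: an NLA-required host still needs the update, it just is not reachable by an unauthenticated worm; a legacy or NLA-not-required host that is exposed to the internet is the case the newsletters are warning about.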
