12 Mar 2021

AUSCERT Week in Review for 12th March 2021

Greetings,

What a week it has been for the folks in our sector!

With admins already struggling with Microsoft Exchange updates and hacked servers, along came Microsoft’s March 2021 Patch Tuesday. And not to forget, we also celebrated and honoured the many women in our lives for International Women’s Day.

We wanted to start by highlighting a “HAFNIUM special report” courtesy of the team from Shadowserver. Members, please note that the AUSCERT team has conducted an analysis based on this information, and those of you who were affected will have been contacted by our analyst team. Please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

We kicked things off this week by releasing the piece “The heroes of AUSCERT2020 … the women in security who made it happen”, which was first featured in Edition 1 of the Women in Security magazine by Source2Create.

Be sure to catch up on our summary of critical vulnerabilities and advice on SEVERAL issues this week, all highlighted below: BIG-IP, F5, Microsoft and Adobe Creative Cloud.

Last but not least, our team’s elated to announce that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business’ opportunity grant application scheme.” To find out more, please visit our conference website here.

Until next week, have a good and restful weekend everyone.


March 2021 Patch Tuesday: Microsoft fixes yet another actively exploited IE zero-day
Date: 2021-03-09
Author: Help Net Security

[With admins already struggling with Microsoft Exchange updates and hacked servers – along comes Microsoft’s March 2021 Patch Tuesday, and releases from Adobe and Apple too! Please refer to the multiple AUSCERT security bulletin alerts in-line below.]
Microsoft has fixed 89 CVEs. Among those are the seven Microsoft Exchange flaws fixed last week, one Internet Explorer memory corruption flaw that’s being exploited in the wild, and one Windows Win32k EoP flaw that is publicly known.
[See related AUSCERT bulletins ASB-2021.0050, 51, 53, 54 and 56, which we marked as “alerts”. CVE-2021-26411 and 26897 are considered critical by Microsoft and covered in these bulletins. We also published other MS bulletins 55 and 57, which are not alerts.]
Adobe has delivered security updates for Connect, Creative Cloud Desktop Application, and Framemaker […]
[See ESB-2021.0860. These are ranked by Adobe as critical, but aren’t as urgent as some of Microsoft’s.]
Apple has pushed out security updates to fix a critical RCE flaw in WebKit.
[ESBs 821, 825, 826 and 827.]

HAFNIUM targeting Exchange Servers with 0-day exploits
Date: 2021-03-02
Author: Microsoft Security Blog

[Please see AUSCERT bulletin ASB-2021.0048.3 for further information. See also https://github.com/microsoft/CSS-Exchange/tree/main/Security for information on some security scripts that automate all four of the commands listed on the blog below.]
“Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, we are sharing the following resources.”

F5 urges customers to patch critical BIG-IP pre-auth RCE bug
Date: 2021-03-10
Author: Bleeping Computer

[See related AUSCERT bulletin ESB-2021.0872.]
F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions.
F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.”
The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:
– CVE-2021-22986 iControl REST unauthenticated RCE
– CVE-2021-22987 Appliance Mode TMUI authenticated RCE
– CVE-2021-22991 TMM buffer-overflow
– CVE-2021-22992 Advanced WAF/ASM buffer-overflow

Adobe Critical Code-Execution Flaws Plague Windows Users
Date: 2021-03-09
Author: Threatpost

[See related AUSCERT bulletin ESB-2021.0860 for further information.]
Adobe has issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.
While these vulnerabilities are classified as critical-severity flaws, it’s important to note that they were given “priority 3” ratings by Adobe. This means that the update “resolves vulnerabilities in a product that has historically not been a target for attackers,” and that administrators are urged to “install the update at their discretion.”

Peter Dutton launches Cyber Security Industry Advisory Committee Ransomware Paper
Date: 2021-03-11
Author: iTWire

The Federal Minister for Home Affairs, Peter Dutton, and his office say that “ransomware continues to be a prevalent global threat, and cyber criminals pose a significant risk to Australians and Australian businesses.”
To build awareness about the ransomware threat, the Minister for Home Affairs, Peter Dutton, and Chair of the Cyber Security Industry Advisory Committee, Telstra CEO Andrew Penn, have released the Committee’s first paper: “Locked out: Tackling the ransomware threat.”


ASB-2021.0048.4 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated

Microsoft have released a major revision increment of the CVEs to address Exchange Server vulnerabilities.

ESB-2021.0870 – ALERT F5 Products: Multiple vulnerabilities

F5 have released updates for critical vulnerabilities in BIG-IP components. F5 recommends that all customers install a fixed software version as soon as possible.

ESB-2021.0860 – Creative Cloud Desktop Application: Multiple vulnerabilities

Adobe has released patches for the widely used Creative Cloud Desktop Application for Windows, resolving multiple critical vulnerabilities.

ASB-2021.0051 – ALERT Windows: Multiple vulnerabilities

Microsoft released its monthly security patch update for March 2021 which resolves 59 vulnerabilities.


Stay safe, stay patched and have a good weekend!

The AUSCERT team