3 Dec 2021

Week in review

AUSCERT Week in Review for 3rd December 2021

Greetings,

This Saturday marks three weeks until Christmas Day, a date that seems to be rapidly approaching!

The festive season can often feel as though you’re being pulled in multiple directions. Some organisations slow down whilst others maintain and increase their activity as the year nears its end.

Whatever the industry or however busy you may be, the following article provides Twelve Tips for Christmas Cybersecurity that apply to both our personal, and professional lives.

There has been growing belief that nobody should have the ability to hide behind anonymous social media accounts, engaging in inappropriate commentary and conduct.

As a result, the Australian government this week drafted anti-trolling legislation that will aim to clarify who is responsible for content published online.

Requirements such as a mandatory complaints processes and a mandate for social media companies to provide names and contact details, are just some of the suggested laws that could be introduced as soon as early 2022.

The scheduled rollout of mandatory two-factor authentication (2FA) by tech giant Google, will be activated automatically next Thursday, November 9.

You can customize your 2FA, for either personal and business accounts with the options available on the Google Workspace Admin page that also contains additional information about the 2FA requirements, processes and support.

Lastly, The University of Queensland and BLUE Inc. (Tokyo) are partnering to offer two half-day workshop seminars to address complex cyber security challenges, engage researchers, industry experts and students.

Industry professionals from both countries will be presenting across four themes aimed at promoting and sharing game-changing interdisciplinary research between Australia and Japan.

The workshops will be held in-person and online via Zoom on Wednesday 8 December and Wednesday 15 December. Click on your preferred date to learn more and register.


Microsoft Exchange servers hacked to deploy BlackByte ransomware
Date: 2021-12-01
Author: Bleeping Computer

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities.
ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.

Panasonic confirms cyberattack and data breach
Date: 2021-11-30
Author: ZDNet

Tech manufacturing giant Panasonic has confirmed that it’s network was accessed illegally this month during a cyberattack.
In a statement released on Friday, the Japanese company said it was attacked on November 11 and determined that “some data on a file server had been accessed during the intrusion.”
“After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” Panasonic said in a statement.
“In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure.”

CISA Releases Guidance on Securing Enterprise Mobile Devices
Date: 2021-11-29
Author: SecurityWeek

The United States Cybersecurity and Infrastructure Security Agency (CISA) last week published a Capacity Enhancement Guide to help organizations secure mobile devices and their access to enterprise resources.
The Enterprise Mobility Management system checklist is meant to help businesses mitigate vulnerabilities and increase overall enterprise protections by implementing a series of best practices for securing enterprise-managed mobile devices.

Microsoft Defender scares admins with Emotet false positives
Date: 2021-11-30
Author: Bleeping Computer

Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.
Windows system admins are reporting that this is happening since updating Microsoft’s enterprise endpoint security platform (previously known as Microsoft Defender ATP) definitions to version 1.353.1874.0.
When triggered, Defender for Endpoint will block the file from opening and throw an error mentioning suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC.

Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts
Date: 2021-12-01
Author: ZDNet

Beijing-backed hackers might soon start trying to steal encrypted data — such as biometric info, the identities of covert spies, and weapons designs — with a view to decrypting it with a future quantum computer, according to analysts at US tech consultancy Booz Allen Hamilton (BAH).
“In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era.
At risk are data protected by the current algorithms underpinning public-key cryptography, which some fear may be rendered useless for protecting data once quantum computers become powerful enough.

Prediction Season: What’s in Store for Cybersecurity in 2022?
Date: 2021-12-01
Author: Security Week

The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.

More than 300,000 Play Store users infected with Android banking trojans
Date: 2021-11-29
Author: The Record

More than 300,000 Android users were infected with banking trojans after installing apps from the official Google Play Store over the past few months, mobile security firm ThreatFabric said today.
The malicious code was hidden inside fully functional apps that operated as QR code scanners, PDF scanners, security tools, fitness apps, and two-factor authenticators.
But besides the legitimate functionality they offered, these apps also included a special module called a “loader.” In the cybersecurity field, loaders are small pieces of malware that are hidden inside an app. They typically contain very little and very benign functionality, such as the ability to connect to a remote server to download and run additional code.

IKEA email systems hit by ongoing cyberattack
Date: 2021-11-26
Author: Bleeping Computer

IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails.
A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients’ devices.
As the reply-chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients will trust the email and be more likely to open the malicious documents.


ESB-2021.1489.3 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities

ICS-CERT updated the affected products and mitigation details on the advisory tilted “ICS Advisory (ICSA-21-119-04) Multiple RTOS” issued on 30 November 2021

ESB-2021.4031 – kernel and kernel -rt: Multiple vulnerabilities

RedHat advised that an update was released to fix multiple vulnerabilities found in Kernel and Kernel RT

ESB-2021.4065 – Network Security Services : Multiple vulnerabilities

Mozilla Foundation Security Advisory 2021-51 reported critical issues affecting Network Security Services versions prior to 3.73 or 3.68.This vulnerability impacts email clients and PDF viewers that use NSS

ESB-2021.4062 – Thunderbird: Multiple vulnerabilities

Issues in Network Security Services can cause Thunderbird to crash, resulting in a denial of service or execution of arbitrary code. The problem can be corrected by applying the updates


Stay safe, stay patched and have a good weekend!

The AUSCERT team