1 Apr 2022

Week in review

Greetings,

The latest episode of our podcast is here!

We discuss Security Orchestration, Automation, and Response (SOAR), the topic of last year’s conference, and how it can benefit organisational processes and automation and improve efficiencies, regardless of an organisation’s size.

You’ll also hear from the AUSCERT team about the malicious URL feed and how it works with SOAR, Member Slack, AUSCERT’s AusISAC and how these can benefit members as well as a bit of a teaser for the upcoming cyber security conference.

AUSCERT is gearing up to deliver a range of training sessions, aimed at anyone that looks after their organisation’s cyber security.

Our next course, Incident Response Planning, is being held next week on April 5 & 6. The courses are delivered virtually and in two half-day sessions from 9 am to 12:30 pm each day.

Learning outcomes for participants:
Understand the NIST IR (incident response) process;
Self-assess IR process maturity;
Design and implement a Cyber Security Incident Response Plan;
Create and customise cyber security incident playbooks;
Understand the usefulness of cyber security policies and frameworks to IR;
Gain awareness of the most common cyber security attacks; and,
Appreciate the role of tabletop discussion exercises in IR planning and improvement

Places are limited so be sure to secure your spot and book now.

Lastly, today is April Fool’s Day when pranks and jokes are played for laughs, as long as they don’t go too far!

What we all need right now is some joy and laughter, so why not take a moment to browse some of the great April Fools’ pranks from history, which include the Left-Handed Whopper, Smell-o-vision and Gmail Motion, a new technology that would allow people to write emails using only hand gestures!


IoT warning: Hackers are gaining access to UPS devices. Here’s how to protect yours
Date: 2022-03-30
Author: ZDNet

Change the default user name and password settings on your internet-connected uninterruptible power supply (UPS) units, the US government has warned.
UPS units are meant to provide power backup to keep devices, appliances and applications connected to the internet by supplying off-grid power to places like a data center during a power outage. But hackers have been targeting internet-connected UPS units to disrupt the backup power supply.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they “are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices.”

Russia facing internet outages due to equipment shortage
Date: 2022-03-28
Author: Bleeping Computer

Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment.
To raise awareness, the commission has compiled a document that reflects the practical challenges facing the industry in Russia at this time and also presents a set of proposals specifically crafted to alleviate them.
Russian media that have seen the document in question say that the warning is dire, as the commission highlights that the reserves of telecom operator equipment will only last for another six months.

Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show
Date: 2022-03-29
Author: TechCrunch

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported.
Customers only learned of Okta’s January security breach on March 22 after the Lapsus$ hacking group published screenshots revealing it had accessed Okta’s internal apps and systems some two months earlier. Okta admitted the compromise in a blog post, and later confirmed 366 of its corporate customers are affected by the breach, or about 2.5% of its customer base.

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
Date: 2022-03-28
Author: The Hacker News

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers.
“The emails use a social engineering technique of conversation hijacking (also known as thread hijacking),” Israeli company Intezer said in a report shared with The Hacker News. “A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate.”
The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors.

Critical Sophos Firewall vulnerability allows remote code execution
Date: 2022-03-27
Author: Bleeping Computer

Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).
Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.
On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier that the company released hotfixes for.

Zero-Day Vulnerability Discovered in Java Spring Framework
Date: 2022-03-31
Author: Dark Reading

A zero-day vulnerability found in the popular Java Web application development framework Spring likely puts a wide variety of Web apps at risk of remote attack, security researchers disclosed on March 30.
The vulnerability — dubbed Spring4Shell and SpringShell by some security firms — has caused a great deal of confusion over the past 24 hours as researchers struggled to determine if the issue was new, or related to older vulnerabilities. Researchers with cybersecurity services firm Praetorian and threat intelligence firm Flashpoint independently confirmed that the exploit attacks a new vulnerability, which could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration.

Google: Russian phishing attacks target NATO, European military
Date: 2022-03-30
Author: Bleeping Computer

The Google Threat Analysis Group (TAG) says more and more threat actors are now using Russia’s war in Ukraine to target Eastern European and NATO countries, including Ukraine, in phishing and malware attacks.
The report’s highlights are credential phishing attacks coordinated by a Russian-based threat group tracked as COLDRIVER against a NATO Centre of Excellence and Eastern European militaries.
The Russian hackers also targeted a Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks.

Okta: “We made a mistake” delaying the Lapsus$ hack disclosure
Date: 2022-03-27
Author: Bleeping Computer

Okta has admitted that it made a mistake in delaying the disclosure of the hack by the Lapsus$ data extortion group that took place in January.
Additionally, the company has provided a detailed timeline of the incident and its investigation activities.
On Friday, Okta expressed regret for not disclosing details about the Lapsus$ hack sooner and shared a detailed timeline of the incident and its investigation.

Australian Budget 2022 delivers AU$9.9 billion for spicy cyber
Date: 2022-03-29
Author: ZDNet

The federal government has released its 2022-23 federal Budget, containing a AU$9.9 billion kitty for bolstering cybersecurity and intelligence capabilities in the midst of a growing cyberthreat landscape around the world. The near-AU$10 billion will be spent across a decade under a program called Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE).
“This is the biggest ever investment in Australia’s cyber preparedness,” said Treasurer Josh Frydenberg, who announced the Budget on Tuesday night.

Hive ransomware shuts down California health care organization
Date: 2022-03-30
Author: The Record

Partnership HealthPlan of California, a nonprofit that helps hundreds of thousands of people access health care in California, is in the midst of being attacked by the Hive ransomware group.
The organization is one of the largest Medi-Cal Managed Care Plan providers in Northern California and serves more than 610,000 Medi-Cal beneficiaries in 14 northern California counties.
It is unclear when the attack began and Partnership HealthPlan of California is currently unable to respond to requests for comment, but local California newspaper The Press Democrat was the first to report on March 24 that the organization was facing technical issues.


ASB-2022.0075 – Spring Boot and Spring Cloud: CVSS (Max): 9.8

AUSCERT released an advisory to its members which includes information on the Spring Framework vulnerability. AUSCERT encourages affected members to review the mitigation information and act accordingly.

ESB-2022.1346.3 – UPDATE vCenter Server and Cloud Foundation: CVSS (Max): 5.5

Updates have been released to remediate an information disclosure vulnerability in VMware vCenter Server.

ESB-2022.1310 – chromium: CVSS (Max): None

Users are encouraged to upgrade their chromium packages to fix a security issue that could result in the execution of arbitrary code if a malicious website is visited.

ESB-2022.1411 – Google Chrome: CVSS (Max): None

Google has addressed multiple vulnerabilities with the release of Chrome version 100.


Stay safe, stay patched and have a good weekend!

The AUSCERT team