20 May 2022

Week in review

Greetings,

With the Australian Federal election taking place tomorrow and many unsure of their ability to vote due to recent positive results for COVID-19, the argument around online or e-voting has again been raised.

Whilst technology exists to allow for digital voting, as was done in the New South Wales elections in 2021 with the iVote system, the uncertainty over voter identity along with the risk of server outages, malware, and voter fraud remain key concerns for similar systems.

Despite this, The Conversation presents alternatives that combine digital technology with human input. If done right, the combination provides transparency and efficiency whilst maintaining the most difficult aspect of politics: trust.

It’s hard to believe that it’s already been a week since AUSCERT2022 wrapped up for another year. The AUSCERT team has been overwhelmed with the kind words and positive responses to this year’s conference which are always welcome and appreciated.

The event’s theme, Rethink, Reskill, Reboot, provided a great conversation starter, idea stimulator, and opportunity to delve into the past for some of the most cherished video games of decades gone by!

You can read more about Australia’s premier cyber security conference in our recent blog that includes a gallery of photos taken throughout the week.


Australian Taxation Office issues capital gains warning for crypto and NFT sellers
Date: 2022-05-16
Author: ZDNet

The Australian Taxation Office (ATO) has issued its four priorities for the upcoming tax season, with capital gains from crypto and work-related expenses being listed.
On the crypto front, simply because you managed to make money off a decentralised system before last week’s crash hit does not mean the tax office is not owed something: much like selling property or shares, selling crypto or NFTs can mean tax is due.

Researchers devise iPhone malware that runs even when device is turned off
Date: 2022-05-17
Author: Ars Technica

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.
It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

Hackers target Tatsu WordPress plugin in millions of attacks
Date: 2022-05-17
Author: Bleeping Computer

Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites.
Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April.
Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In
Date: 2022-05-18
Author: Dark Reading

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.
That’s according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

WA Health: No breaches of unencrypted COVID data means well managed and secure system
Date: 2022-05-18
Author: ZDNet

The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday.
PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage.

CISA warns not to install May Windows updates on domain controllers
Date: 2022-05-16
Author: Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has removed a Windows security flaw from its catalog of known exploited vulnerabilities due to Active Directory (AD) authentication issues caused by the May 2022 updates that patch it.
This security bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector.
Unauthenticated attackers abuse CVE-2022-26925 to force domain controllers to authenticate them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, gain control over the entire Windows domain.

Researchers find 134 flaws in the way Word, PDFs, handle scripts
Date: 2022-05-13
Author: The Register

Black Hat Asia: Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it’s proven so effective they’ve found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000.
The tool is named “Cooper” – a reference to the “Cooperative mutation” technique employed by the tool.
Speaking at the Black Hat Asia conference in Singapore, PhD student Xu Peng of the Chinese Academy of Sciences – one of the tool’s co-authors – explained that the likes of Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files.

Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning
Date: 2022-05-14
Author: Dark Reading

A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars.
Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found.

Hackers are exploiting critical bug in Zyxel firewalls and VPNs
Date: 2022-05-15
Author: Bleeping Computer

Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell.


ESB-2022.2376 – F5 Products: CVSS (Max): 7.1

F5 reports a vulnerability in F5 products that may cause a breach in data confidentiality, integrity, and availability. Please read the advisory for mitigation information.

ESB-2022.2447 – F5 Products: CVSS (Max): 7.2

An Eclipse Jetty vulnerability in F5 products could allow an authenticated user to cause a local privilege escalation if exploited. Please read the advisory for mitigation information.

ESB-2022.2443 – VMware Products: CVSS (Max): 9.8

VMware reports that remediations are available to fix multiple vulnerabilities in VMware Workspace ONE Access, Identity Manager and vRealize Automation.

ESB-2022.2475 – Red Hat OpenShift GitOps: CVSS (Max): 10.0

An update is now available to fix multiple vulnerabilities in Red Hat OpenShift GitOps 1.5.


Stay safe, stay patched and have a good weekend!