Blogs

APCERT 2017 AGM and Conference: A Window into the CERT community

Introduction

This year’s APCERT Annual General Meeting and conference has just concluded, hosted by CERT-In in New Delhi, India. Each year AUSCERT sends a representative to the APCERT conference to collaborate and cooperate with the rest of the APCERT community. This year, I was lucky enough to be selected to attend.

APCERT is a community of CERT and CSIRT organisations located in the Asia-Pacific area. Originally formed in 2003, its membership has now grown to 30 organisations representing 21 economies, as well as a number of supporting partner organisations. APCERT’s goals include information sharing and cooperation between its members and the public.

Arriving in New Delhi

This was my first visit to India, and although I had some knowledge of Indian culture and life, I was amazed to experience it first-hand. I arrived one day before the conference began, and spent the day shopping and taking in the local sights. The bustling streets, chaotic traffic, and the sheer scale of the country are a sight to see, and offer a sharp contrast to the quiet suburban life I am used to back in Brisbane. Delhi itself is a massive city, with a population that rivals that of all of Australia.

The conference itself was hosted at the Ashok hotel, in Chanakyapuri, New Delhi. This five-star hotel is located in the heart of a diplomatic and government district, close to many foreign embassies, and as a result is very accommodating to foreign guests.

The APCERT Community

When the conference registration opened on Sunday morning, I began meeting delegates from other APCERT members. I noticed immediately that everyone was friendly, relaxed, and very welcoming. The APCERT community is small and close-knit, and for some long-time members, the conferences are just as much of a catch-up session as they are a business trip. Apparently some of AUSCERT’s staff are quite famous in the APCERT community, as I received quite a few queries regarding some of my colleagues!

All of the APCERT members are working towards the same goal – to protect their economies or industry sectors from new and existing cyber threats. As we are largely government-funded or non-profit organisations, there is no pressure to create profits or sell products, and the focus is entirely on providing the best possible service to our jurisdictions. Some of the teams that participate in APCERT are quite small and do not have the resources to analyse all new threats, so collaboration amongst teams is extremely beneficial.

In addition to the welcoming atmosphere among APCERT members, the hospitality and kindness shown by CERT-In was second to none. This year was the first time they had hosted the APCERT conference, but the experience was extremely smooth and well thought out. During the afternoon of the first day, we were taken on a guided tour of local sights by the CERT-In staff, before being presented with a welcome dinner. Having helped run the AUSCERT conference in the past, I know how difficult and stressful it can be to run such an event, and I commend CERT-In on their performance.

Conference Proceedings and Talks

The conference began with updates from the various working groups within APCERT. This is a great way to share progress with other members, and some of the work presented by teams this year was extremely impressive. One such example is the TSUBAME project, which collects network traffic data from passive “sensors” situated in many networks across the Asia-Pacific region, and compiles that data into statistics that can be used to observe trends in network scans across the internet. Other talks focused on issues such as automated malware analysis, in particular the need for non-commercial options that can be used with potentially sensitive information.

A talk given by Wen-Ling Lo from TWCERT/CC brought up an excellent point: many people use services such as VirusTotal or VirScan to check suspicious email attachments, but if the attachment is legitimate and contains confidential information, uploading it to a commercial company’s services could result in an information leak. TWCERT/CC are currently developing a tool that can be used by businesses and governments in Taiwan to examine files without fear that samples will be sent to external or commercial companies. AUSCERT is very impressed with their efforts and will be tracking their progress closely.

Not all talks were technical, though, and an unexpectedly impactful presentation by Nurul Husna of MyCERT, the national CERT for Malaysia, described the governance and management workflows required to operate a CERT efficiently. As a technical person, it was refreshing to see a presentation on governance that made sense and showed real value. There is a real need for efficient management of resources at CERTs, due to the quick turnaround time required in order to serve our jurisdictions effectively.

Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.

On the final day of the conference, attendance was opened to external members of the IT industry, and the National Minister for IT & Electronics gave an address to the audience. During the conference I began to see just how large and important the IT industry in India is. With a population of over 1 billion people, internet-based solutions are essential to interacting with the government and businesses, and ensuring these interactions are protected and non-fraudulent is a problem at the forefront of the industry. The conference also served as a focus point for the local government to draw attention to emerging threats, especially as they begin to move towards more digital payment solutions.

The full schedule for the APCERT Annual General Meeting and Conference may be found here: https://apcert2017.in/schedule.html

The APCERT AGM

Another important part of the conference is the Annual General Meeting, or AGM. At the AGM, proposals for changes and amendments to APCERT frameworks and guidelines are put forward and voted upon by members. Proposals for new working groups are also heard, and lastly, the membership of the steering committee and leadership positions are voted upon. This year, CERT-In was accepted as a new member of the steering committee, and after recognising the hard work of JPCERT/CC, MyCERT, and CERT Australia in their positions as Secretariat, Deputy Chair, and Chair respectively, the members of APCERT voted to re-appoint them to their previous positions. AUSCERT would like to thank the steering committee and leadership positions for their hard work in the past year, and congratulate them on their continued appointments. We also welcome CERT-In to the steering committee and look forward to their input in the future!

Closing Remarks

Attending the APCERT conference and AGM was an eye-opening experience. In the fast-moving world of information security, we are facing attacks in greater numbers and greater complexity. It can be difficult to sift through the vast amounts of information distributed throughout the internet, trying to find advice that is truthful, accurate, and relevant to your organisation. CERT and CSIRT organisations play an increasingly important role in these times, distributing threat intelligence efficiently and with the goal of national/sectorial security in mind. The challenges faced by each CERT are often similar, and there is great value in being able to speak freely with other organisations that share your goals.

I would like to thank all of the members, partners, and guests at the conference for welcoming me to the APCERT community. I’ve made many new friends over the last week, and hearing other analysts describe their experiences, challenges and achievements has re-invigorated my love for information security. I hope AUSCERT can continue to provide value to other APCERT members and look forward to some new collaborations in the future. I would also like to offer a special thank-you to the staff of CERT-In, for being such hospitable hosts. My first stay in India was a great experience, and I hope to return in the future.

Anthony Vaccaro
anthony@auscert.org.au


AUSCERT in Korea for the 2017 APISC/TRANSITS Security Training Course

AUSCERT participated in the APISC Security Training Course [1], organised by KrCERT/CC [2], which is operated by the Korea Internet & Security Agency [3], in the last week of July 2017.

AUSCERT sent a team member to join three (3) other instructors in delivering the TRANSITS I [4] material to twenty-one (21) recipients from CERT/CSIRTs across the globe. Along with the instruction of the TRANSITS I material, there were also other CERT/CSIRT exercises and economy reports on CERT/CSIRT operations, which helped share experience in organising and operating a CERT/CSIRT.

AUSCERT is honoured to have been part of the APISC Security Training Course organised by KrCERT.

[1] APISC Security Training Course – Asia Pacific Internet Security Conference Security Training Course. A yearly CERT capacity-building initiative from South Korea that is run in conjunction with a yearly conference of the same name, APISC.
[2] KrCERT/CC – Korean Computer Emergency Response Team / Coordination Centre. KrCERT/CC was created in 2010 and operates as the National CERT for South Korea. KrCERT is managed by KISA. https://www.krcert.or.kr/krcert/intro.do
[3] KISA – Korean Internet & Security Agency. KISA, sponsored by the South Korean Ministry of Science and ICT, commenced operation in 2009 and is responsible for the private sector of the Internet in South Korea. http://www.kisa.or.kr/eng/main.jsp
[4] TRANSITS I. The TRANSITS I course, created in 2001, is maintained by members of European CERTs, with modules that deal with the organisational, operational, legal and technical aspects of CERT/CSIRT operation. https://www.terena.org/activities/transits/transits-i/


How to check if your site is vulnerable to a POODLE attack

Following the introduction of AUSCERT’s new Member Security Incident Notifications (MSINs), some members have asked us how they can confirm the accuracy of the POODLE reports. This is the incident type with the highest occurrence rate among AUSCERT members.

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack can lead to decryption of HTTPS connections between clients and servers by exploiting a weakness in SSL 3.0 when cipher-block chaining (CBC) mode ciphers are enabled.

While we’re confident that our data sources are high quality, you can use the methods below to manually check your publicly facing services for POODLE exposure if you wish. If you believe the information we have provided in the report is incorrect then please let us know.

Manual methods for testing POODLE exposure

Qualys SSL Labs test

Note that as at 23 September 2015, the information contained in the SSL Labs report requires careful analysis to interpret correctly. The “Summary” section may indicate “This server uses SSL 3, which is obsolete and insecure” when a POODLE attack is possible. Later in the report a line entry may indicate “poodle (SSLv3): No, mitigated” if the service supports a secure protocol upgrade. However, since this relies upon the client correctly negotiating one of the secure protocols, the service should still be considered vulnerable to POODLE attacks.

OpenSSL and nmap

Use the command-line OpenSSL client and an nmap scan to attempt a connection using SSL 3.0 and to enumerate the available ciphers. The OpenSSL command only checks whether SSLv3 is enabled; nmap returns all ciphers offered with SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2. OpenSSL could be used to check each individual cipher, but that would take more time.

~$ openssl s_client -ssl3 -connect your.domain.here:443

A successful connection indicates that SSL 3.0 is enabled and that a POODLE attack is possible.

~$ nmap --script ssl-enum-ciphers -p 443 your.domain.here

A server should be considered vulnerable to a POODLE attack if CBC ciphers are offered under SSLv3. Please note that CBC ciphers such as AES128-SHA and AES256-SHA often don’t mention CBC in their names, but their presence does indicate a POODLE-vulnerable service. If no CBC ciphers are offered then the service is not vulnerable to a POODLE attack (but most of the other SSLv3 ciphers are vulnerable to different attacks, such as those against RC4 or BEAST).

As you’ll already be aware, there is no fix for the vulnerability in SSL 3.0 itself, so disabling SSL 3.0 support is the most viable solution currently available. This means that even with up-to-date patches applied, it is possible to fail a POODLE vulnerability scan if SSL 3.0 is still enabled.

References and additional information

https://www.us-cert.gov/ncas/alerts/TA14-290A
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.ssllabs.com/ssltest
https://www.tinfoilsecurity.com/blog/how-to-fix-poodle-and-why-you-are-probably-still-vulnerable
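The decision rule above (SSLv3 offered, and at least one CBC cipher under it) can be applied to saved scan output so that many hosts can be triaged consistently. The following is an added example, not AUSCERT's tooling; it assumes the text layout of nmap's ssl-enum-ciphers script as shown in the constructed sample, and relies on the fact that every SSLv3 block cipher runs in CBC mode, so the name-based check also catches ciphers such as AES128-SHA that do not say CBC.

```python
"""Classify POODLE exposure from saved `nmap --script ssl-enum-ciphers` output."""
import re

# Under SSLv3 every block cipher runs in CBC mode (AEAD modes need TLS 1.2), so an
# SSLv3 cipher is CBC unless it is a stream cipher (RC4) or NULL. This rule works
# for both nmap's IANA-style names and OpenSSL short names such as AES128-SHA.
_NON_CBC = re.compile(r"RC4|NULL", re.IGNORECASE)
_PROTOCOL = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
_SECTION = re.compile(r"^\|\s+(ciphers|compressors|warnings|cipher preference):")
_ENTRY = re.compile(r"^\|\s+(\S+)")


def parse_enum_ciphers(output: str) -> dict[str, list[str]]:
    """Return {protocol: [cipher names offered]} from the script's text output."""
    protocols: dict[str, list[str]] = {}
    current = None
    in_ciphers = False
    for raw in output.splitlines():
        if m := _PROTOCOL.match(raw):
            current = m.group(1)
            protocols[current] = []
            in_ciphers = False
        elif m := _SECTION.match(raw):
            in_ciphers = m.group(1) == "ciphers"
        elif current and in_ciphers and (m := _ENTRY.match(raw)):
            protocols[current].append(m.group(1))
    return protocols


def poodle_exposure(output: str) -> tuple[bool, list[str]]:
    """(SSLv3 offered?, CBC ciphers offered under SSLv3)."""
    sslv3 = parse_enum_ciphers(output).get("SSLv3")
    if sslv3 is None:
        return False, []
    return True, [c for c in sslv3 if not _NON_CBC.search(c)]


def verdict(output: str) -> str:
    """One-line summary following the decision rule in the post above."""
    enabled, cbc = poodle_exposure(output)
    if not enabled:
        return "not vulnerable to POODLE: SSLv3 not offered"
    if not cbc:
        return "SSLv3 offered without CBC ciphers: not POODLE, but disable SSLv3 anyway"
    return "VULNERABLE to POODLE: SSLv3 offers CBC ciphers " + ", ".join(cbc)


# Constructed sample in the shape of ssl-enum-ciphers output (not a real scan).
SAMPLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""
```

Feed it the scan output of each host in turn (for example via `print(verdict(open(path).read()))`) and compare the verdicts against the MSIN report.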


Phone scams targeting a variety of organisations in the Health industry

AUSCERT has recently received numerous reports of phone scams targeting a variety of organisations in the Health industry. The exact nature of the unsolicited calls varies but has included conference and event invites, training sessions, and attempts to confirm personal details of the callee or others in the organisation.

The callers have claimed to be associated with varied groups including GE Healthcare (who have been alerted to this), NEOH and the called organisation itself. Organisations should also be aware that fraudsters claiming to be from various GE businesses (including public reports of criminals using the name of GE Healthcare) often commit recruitment fraud and may do so as part of this activity.

While phone scams such as these are ever present, this recent spate of reports, received specifically from the Health industry, suggests a current need for increased awareness amongst Health industry organisations.

AUSCERT encourages members to review the current security awareness of their staff in relation to phone scams and consider alerting staff to this current activity. Guidelines for staff would include what steps to take when receiving unsolicited calls, the type of information that can and cannot be provided, and any reporting guidelines. AUSCERT recommends that staff are encouraged to report unsolicited or suspicious calls so that organisations can monitor for concerted attacks. AUSCERT has received reports of numerous calls to the same organisation (and individual) over a very short period of time. Information on what to do should also be provided for staff that have been defrauded or have provided personal or organisational information.

Useful resources include:

https://www.scamwatch.gov.au/
https://www.staysmartonline.gov.au/
http://www.fairtrading.nsw.gov.au/ftw/Businesses/Scams/Business_scams

To help gauge how widespread this activity is, AUSCERT would appreciate any feedback from organisations that have been targeted.


DDoS Mitigation

Denial of service (DoS) attacks have hit the news in Australia, yet again. But what is a DoS attack?

A DoS attack is designed to deny access to a computing resource from its intended users. A distributed DoS (or DDoS) attack is conducted by numerous computers (possibly tens of thousands) against a single host or network. It’s not possible to prevent DDoS attacks; we can only be prepared to mitigate them.

Types of DDoS attacks

An attacker may use a stateless protocol like ICMP or UDP with spoofed source addresses, but it is also common for an attack to be carried out with legitimate network traffic (like HTTP GET requests). In the latter case it can be difficult to block malicious traffic without impacting legitimate traffic.

A DDoS is commonly directed at a web site, with a sufficiently large number of requests to overwhelm the capacity of the web server to handle them. In extreme cases, the site’s network equipment may itself be made unavailable by the volume of traffic it is attempting to filter.

Preparing for a DDoS attack

There are a number of steps that you can take to prepare for a DDoS attack, including:

- Ensure that senior management is aware of the impact of a DDoS attack and will support your steps to mitigate one
- Understand your network – knowing what is normal for your network lets you set a threshold of activity that indicates the start of a DDoS
- Keep your OS up to date and hardened – disable any unneeded services
- Implement firewall measures on your host – an example for Linux is given in [1]
- Implement application protection, like the ModSecurity web application firewall [2] and mod_evasive for Apache [3] – note that a large DDoS attack will quickly overwhelm these measures
- Run a dedicated network firewall that is able to handle a greater load than the one on the host itself
- Set up your border router with ACLs to allow only valid traffic into your network, e.g. filter bogons and unused protocols
- Establish contact details for your upstream network provider so that they may be readily contacted in an emergency.

Containing a DDoS attack

The scale of the attack will determine the effectiveness of mitigation measures. It may be possible to contain the attack on the affected host itself, or it may require upstream filtering.

- Implement filtering based on the attack, e.g. blocking UDP packets
- Consider disabling the targeted application until the attack stops
- Implement rate limiting for network traffic to the target
- Contact your ISP for traffic filtering

Other resources are available; these are recommended reading: Factsheet Technical measures for the continuity of online services [4], Mitigation Guidelines for Denial-of-Service Attacks [5] and Network DDoS Incident Response Cheat Sheet [6].

List of useful links from the blog + one more

1 https://javapipe.com/iptables-ddos-protection
2 https://www.modsecurity.org/
3 https://www.zdziarski.com/blog/?page_id=442 (and https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7)
4 https://www.ncsc.nl/english/current-topics/factsheets/factsheet-technical-measures-for-the-continuity-of-online-services.html
5 https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx
6 https://zeltser.com/ddos-incident-cheat-sheet/
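"Understand your network" and "implement rate limiting" both need a number: what request rate is normal, and which sources exceed it. The following is an added example, not AUSCERT's code; it learns a per-source requests-per-minute baseline from a quiet period of web server logs in combined log format and then flags sources above it, producing the candidate list a defender would hand to a host firewall or an upstream provider. The log lines and addresses are constructed for the example.

```python
"""Learn a per-source request-rate baseline from quiet-period web logs and flag
sources that exceed it, i.e. candidates for host or upstream rate limiting."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re
import statistics

# Apache/nginx combined log format: client address first, timestamp in [...].
_LOG = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")
_TS = "%d/%b/%Y:%H:%M:%S %z"


def requests_per_window(lines, window_s=60):
    """Count requests per (window start epoch, client IP)."""
    counts = Counter()
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # skip malformed lines rather than abort mid-incident
        ip, ts = m.groups()
        epoch = int(datetime.strptime(ts, _TS).timestamp())
        counts[(epoch - epoch % window_s, ip)] += 1
    return counts


def baseline_threshold(normal_counts, k=3.0, floor=20):
    """mean + k*stdev of per-window, per-IP counts seen during a quiet period,
    never below `floor` so a tiny baseline cannot yield a threshold of 2."""
    values = list(normal_counts.values())
    if len(values) < 2:
        return floor
    return max(floor, statistics.mean(values) + k * statistics.pstdev(values))


def flag_sources(lines, threshold, window_s=60):
    """{ip: peak requests in one window} for sources above the threshold."""
    peaks = defaultdict(int)
    for (_, ip), n in requests_per_window(lines, window_s).items():
        if n > threshold:
            peaks[ip] = max(peaks[ip], n)
    return dict(peaks)


# Constructed logs (not real traffic): five quiet minutes from five clients, then
# one minute in which a single source sends 150 requests.
def _line(ip, t):
    return f'{ip} - - [{t.strftime(_TS)}] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


_T0 = datetime(2017, 9, 23, 10, 0, tzinfo=timezone.utc)
NORMAL_LOG = [_line(f"203.0.113.{i}", _T0 + timedelta(minutes=m, seconds=s))
              for m in range(5) for i in range(1, 6) for s in range(0, 60, 10 + i)]
ATTACK_LOG = NORMAL_LOG + [_line("198.51.100.7", _T0 + timedelta(minutes=5, seconds=s % 60))
                           for s in range(150)]

if __name__ == "__main__":
    limit = baseline_threshold(requests_per_window(NORMAL_LOG))
    print(f"threshold {limit:.0f} req/min; flagged: {flag_sources(ATTACK_LOG, limit)}")
```

Against a real log the baseline should be learned from a period you know was quiet; a threshold learned while an attack is already underway will be far too high.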
