Safer Internet Day 2021 — how you can #StartTheChat This blog was originally published via Medium here. This year, Orange Digital has joined forces with our friends at AUSCERT to raise further awareness about ‘Safer Internet Day 2021’ on Tuesday, February 9th. This year marks the 18th anniversary of this very important day and is all about bringing the global community together with the purpose of making online experiences better for everyone. Over the last 12+ months, we can all agree that the internet has been critical in connecting people for work, learning, socialising, and more. If you told us at the beginning of 2020 that remote work and education would be a ‘new kind of normal’, chances are you wouldn’t have believed it. A recent study from The Economic Times revealed that most HR managers (42%) said their organisations will continue to operate with remote work, with almost 40% of respondents saying they will follow a hybrid work structure alternating between WFH and in-office days. Furthermore, this study identified that these organisations will continue to work from home in 2021 and operate under a hybrid model for the next 5 years. Facebook further supports these trends, with recent data predicting over half of the Australian workforce will be fully remote in the next 10 years. With these stats in mind, it’s clear that we’re moving towards a large majority of jobs becoming location-agnostic. This leads me to the 2021 Safer Internet Day theme: “Together for a better Internet”… At a time where online communication and connection is at an all-time high, we each have a part to play in the chat about online safety at home, school, work, and within the community. AUSCERT, Australia’s pioneer Cyber Security Response Team, is on the front foot in the realm of online safety and recently shared a very handy resource from their colleagues at UQ ITS to raise awareness for Safer Internet Day and share advice on how to protect your data and your family. You can read the full article here.  “As we know, cyber-criminals are adept at exploiting people via the Internet, so it’s important to know what to look out for…” At last year’s AUSCERT2020 conference, Australian eSafety Commissioner Julie Inman-Grant also spoke on the topic of “Online Safety during & after Covid-19”. As we gear ourselves for the year ahead, this topic of conversation remains extremely pertinent. When we approached AUSCERT to discuss Safer Internet Day, Mike Holm; AUSCERT Senior Manager, shared that AUSCERT is actively encouraging members and the greater public to #StartTheChat. As Australia’s pioneer Cyber Security Response Team, AUSCERT is focused on helping its members prevent, detect, respond and mitigate cyber-based attacks, while also engaging members by empowering their people, capabilities, and capacities. To #StartTheChat within your workplace, eSafety provides a range of online safety information and resources to share with your colleagues. Check it out here. There are also plenty of free resources and activities to help you #StartTheChat with students, family, friends, and the community during 2021.  

Emotet, now neutralised, may have friends you'll want to clean off your systems. April 25th 2021[1] is now going to be on everyone’s mind in the Cyber Security industry. This is the day the Emotet botnet, as we know it, would be “reset”[2]. However, the method of the reset is interesting and places CERTs, the police forces and criminals[3] in a strange interaction that may create friction within their shared end-goal of protecting end-users. Emotet is arguably a botnet that deserves the attention it has gotten – to be taken down. It seems that it has gained that attention from operation “Ladybird”[4] in neutering the botnet as it now stands. But what now? And what about the efforts to protect end-users by parties from the various non “law enforcement agencies”. The amount of attention that the Emotet botnet has congregated the effort of some amazing groups of people to be able to feed details to the information security industry about what domain and connections should be deemed indicative of infected end-points. Cryptolaemus[5] is one such a group that comes to mind that provides such information. Under normal circumstances, information such as this – about indicators of compromise (IoC), are sent to the security team who then most likely blocks connections and identify affected end-points. But this very action of trying to block connection(s) may now be working against the actions taken to neuter the Emotet botnet. The controlling servers that distribute updates of the botnet, have been seized and are now controlled by the Dutch Police[2], and the Emotet code has been altered and allowed to then have that new code distributed[4]. This new code is said to include a kill-switch, which is controlled by a date, and that date is April 25th 2021 at 12:00 and the new code is now being delivered[6]. So now we have an industry that protects by not letting end-points to connect or interact with command and control servers, and another industry hoping that there will be further interactions so that the latest version of Emotet will be downloaded that will contain the kill-switch code! If this does not sound as complementary efforts then you may have a point for conversation. Also add to this mix – the signal sent to management and leadership teams around the world – that the botnet is neutered, may provide a false sense of security. It’s worth noting and reiterating at this point that Emotet is not a be-all and end-all malware but rather more of a platform that allows other malware to be installed[4][7][8]. Threat hunting should not be halted, rather it should be given more resources due a piece of contrarian fact. If you did not block connections with Emotet’s C2[9] then you may now have a neutered, kill-switched version of Emotet from the Dutch police – otherwise it is still lingering in its present active form. As for anything Emotet has downloaded before that neutered version is installed, the additional malware may still remain active on end-points. Now that it is clear that threat hunting has no break from this botnet takeover, there are a few twists to this event that needs to be investigated. Although this blog piece may not be able to provide all the answers, here are some questions a takeover of a botnet raises and possible reasons behind it.  Why the choice of April 25th 2021 at 12:00?[1][10] for the kill-switch and why should the sector wait so long?[11][12].The idea behind such a long wait is now that the botnet has been neutered[13] there is a window to look for “…Emotet malware and see if other gangs used it to deploy other threats…” as stated by Randy Pargman to ZDNet[2]. In essence, the use of Emotet as a beacon to find other installed malware may work. What also works is that media attention on Emotet botnet takeover may incite management and leaders to provide threat hunting teams with extra resource(s) over the next two months in chasing Emotet infected end-points. What will the kill-switch do?The name of the sub-routine “uninstall_emotet()” [1][10] looks promising. Beyond that any service call implication of a software having a self-destruct code written by extra-judiciary entities and distributed by a botnet is beyond the scope of this article. It may be safe to say that one should get ready for service calls in case there are issues. Looking on the positive side, there are two months lee-way to find the infected end-points. Will using a kill-switch, which alters the end-point behaviour without the owner consenting to the change, have any legal ramifications?You may have to talk to your lawyers about any issues that deals with advice around the law of the jurisdiction within which you are operating in. Note that altering software code on an end-point without the owner’s consent may find this action foul to some regulations around some jurisdictions. Even if the nations involved in the coordinated action are in agreement to waive responsibilities; Emotet knows no boundaries. And last but not least …  What about the seized data from the C2’s?Yes, the Dutch police may now possibly have all your data that the Emotet botnet exfiltrated. The Dutch police has set up a function where the entry of an email address on their site will invoke an email back to the email address tested about whether it is in the data set seized[14]. This may work for savvy individuals but enterprises may need to consider enterprise questions such as the deliberation of all email addresses of the organisation to an extra-jurisdiction law enforcement agency. Also, the collation of response(s) from that agency needs to be considered, before it gets flagged as spam or received by the user of the email account. No matter how the enterprise wants to re-route or act on the response, there will be lots of thinking and planning to be done! The takeover of the Emotet botnet by law enforcement agency may signal the end of one botnet. Yet, today only means that this botnet is no longer a threat, but all the damage and installs it has made over time is still a clear and present threat. The clean-up process on one of the most prominent botnets of this decade has only just started. It is hoped that after such media attention, organisations will take this opportunity to inject a bit more resources in cleaning affected end-points, and possible compromised accounts. Perhaps after the clean-up there are some resources still allocated to implement well deserved preventative and detective measures. After all – an “Ounce of prevention is worth a pound of cure!”[15]. REFERENCES:  [1] https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/[2] https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-march-25-2021/[3] CERTs, cops, and criminals Peter Zinn Sr. High Tech Crime Advisor,KLPD (National Crime Squad), NL on Monday 13th June 2011 https://www.first.org/conference/2011/program/index.html[4] International police operation LadyBird: global botnet Emotet 27th Jan 2021 dismantled https://translate.google.com/translate?sl=auto&tl=en&u=https://www.politie.nl/nieuws/2021/januari/27/11-internationale-politieoperatie-ladybird-botnet-emotet-wereldwijd-ontmanteld.html[5] https://paste.cryptolaemus.com/[6] https://twitter.com/milkr3am/status/1354459859912192002[7] https://twitter.com/Cryptolaemus1/status/1354521918775427072[8] https://twitter.com/MalwareTechBlog/status/1354411804747681793[9] https://twitter.com/milkr3am/status/1354473617145409545[10] https://twitter.com/milkr3am/status/1354459859912192002[11] https://twitter.com/t15_v/status/1354519818226032642 [12] https://twitter.com/cyberadelaide/status/1354489619795083269[13] https://team-cymru.com/blog/2021/01/27/taking-down-emotet/[14] https://2yx7ciusygbulydqop52nqwfpe–www-politie-nl.translate.goog/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html[15] https://www.ushistory.org/franklin/philadelphia/fire.htm  

AUSCERT statement “QuoVadis Global SSL ICA G3” issue impacting multiple customers Update 3: 12:00pm AEST 22 January 2021Update 2: 12:30pm AEST 18 January 2021 Update 1: 2:00pm AEST 16 January 2021Initial statement release: 12:00pm AEST 15 January 2021  “QuoVadis Global SSL ICA G3” issue impacting multiple AUSCERT  DigiCert + QuoVadis customers Update 3 (12:00pm AEST 22-1-2021) Further to our last update, DigiCert + QuoVadis have provided AUSCERT with a RCA for AUSCERT Members. At 11:51am AEST the RCA was distributed by the AUSCERT Team to AUSCERT Members via email.   Update 2 (12:30pm AEST 18-1-2021) Further to our last update, DigiCert + QuoVadis have today provided further details of three possible practices which may have caused this issue for impacted certificates. 1. The organisation has pinned their application to the retired ICA –  DigiCert + QuoVadis advises that this is bad practice.2. The organisation has configured their server to only trust that specific ICA, which forces the client to use it. Then, when the ICA is changed, the chain of trust is broken.3. The organisation operates a trust store which includes the old versions of the ICAs. All certificates that are using the Global G2 or G3 ICAs have a potential impact, as these were both retired. The new ICAs were made available from September 2020 and from November 2020 all certificates issued from Trust Link will have been issued from these new ICAs. Impacted customers may simply need to install the new ICA on their server to resolve the issues. Also sharing these two external resources here: A DigiCert + QuoVadis’ statement regarding ICA replacements can be found here: https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html Last but not least, a corporate statement from  DigiCert + QuoVadis regarding this issue can also be found on their website here:  https://www.quovadisglobal.ch/Unternehmen/NewsAndEvents/Begrenzte%20Systemverfuegbarkeit.aspx [NOTE: this same statement was covered by AUSCERT in the initial publication of our statement (blog post) with the exception of the signing service instructions found at the bottom of this page.] Update 1 (2:00pm AEST 16-1-2021) As a part of initial correspondence with DigiCert + QuoVadis we were informed that their teams were working to gather a report of all certificates impacted by the ICA changes on Friday, 15 January 2021. However, we were discouraged to receive an update today, 16 January 2021, that the DigiCert + QuoVadis teams are unable to report the certificates which were impacted by this ICA change. The DigiCert + QuoVadis team largely believe the impacted certificates are receiving errors due to applications being pinned to the serial number of the revoked ICA. Here is more information on certificate pinning: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/ As we continue to work with DigiCert + QuoVadis regarding this incident, please be assured we will continue to urge they provide further assistance for remediation.    Initial statement (12:00pm AEST 15-1-2021)  The AUSCERT team was made aware that a number of our Certificate Services clients have been experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST. Following this notification, the team acted immediately and got in touch with the team from DigiCert + QuoVadis for clarification. An internal investigation was then conducted by the DigiCert + QuoVadis compliance team and following this, we can now confirm that the QuoVadis Global SSL ICA G3 intermediate certificate (ICA) was revoked earlier today. An action which AUSCERT was unaware of prior to it taking place. The new version was made available to QuoVadis users last year and can be downloaded from the following repositories: Repository: https://www.quovadisglobal.nl/Repository/DownloadRootsAndCRL.aspx Direct download of new ICA: http://trust.quovadisglobal.com/qvsslg3.crt The replacement is also in Trust Link.The certificate does not need to be replaced as it has the same chain. Impacted users will have to configure the server with the new ICA, replacing the old version. Again, please refer to the above repository for the new ICA details.The rotation of ICAs is a policy DigiCert has introduced in order to prevent non best practise habits from occurring, such as certificate pinning. Further information on certificate pinning can be found here: https://www.digicert.com/dc/blog/certificate-pinning-what-is-certificate-pinning/  Again, the AUSCERT team was not made aware of the revocation and had worked on investigating this problem as soon as we were alerted by members. DigiCert + QuoVadis  apologises that significant notice hasn’t been provided to those impacted members. Does this impact all certificates? No, this has only impacted one of several ICAs QuoVadis use. The AUSCERT team has now been in contact (via email) with all those members whom we are aware have been impacted by this issue.  If you are an affected member requiring further assistance with regards to this issue, please contact:  AUSCERT Membership Team 07 3365 4417 cs@auscert.org.au   

AUSCERT: What to Expect in 2021 Membership matters – optimising and elevating our services As we bid goodbye to our members at the end of last year, we delivered a sneak preview of what the team hopes to achieve in the new year. While there are doubtless many unknowns awaiting us in 2021, here are some key issues on the AUSCERT agenda:  IMAGE: AUSCERT Strategic Plans 2021   Expand and enhance our delivery of threat intelligence   As a team, we aim to form and publish a Cyber Threat Intelligence (CTI) strategy document to help us align with our members’ needs – and in tandem with developing this CTI strategy – our goal is to also publish IoCs to members in STIX format.   To complement this initiative, our team is looking to introduce some enhanced functionalities on the AUSCERT Member Portal; such as an Incident Portal with file upload facility which includes analysis and feedback.  The team is aiming to rebrand, reinvigorate and relaunch the CAUDIT-ISAC initiative as “The AHECS-ISAC, powered by AUSCERT”.   And last but not least, in tandem with the CTI strategy and CAUDIT-ISAC relaunch, the team aims to launch MISP access for all members.  Remain a trusted incident response partner, both locally and globally   As a team, we aim to broaden our incident response capability with consistent training and drills – especially through our strong relationship with the APCERT community as witnessed in 2020, 2019 and in previous years; as well as maintain our standing within the worldwide CERT community through FIRST.   Continue to foster a strong relationship with the local Australian cyber security sector “key players”; especially the ASD via Australian Cyber Security Centre, AustCyber and IDCare et. al.   Consistent and useful engagement with our members   As a team, we will be celebrating the 20th anniversary of our annual cyber security conference; Australia’s oldest and premier cyber security conference. The AUSCERT2021 conference theme will be “SOARing with cyber” and this annual event provides our members with the optimum opportunity for professional development and upskilling.  AUSCERT will continue to maintain, uphold and explore State-government memberships.   The team will aim to increase the number of blog articles and publications targeting senior to mid-level members.   And last but not least, the AUSCERT team will focus on continuous improvements across all membership services.  The cyber security landscape is ever-changing, and AUSCERT continues to be passionate about engaging our members to empower your people, capabilities and capacities.

Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software Image: SUNBURST Malware Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software Update: 21:30 AEST December 20 2020 Update: 21:30 AEST December 19 2020 Update: 10:00 AEST December 18 2020 Update: 22:30 AEST December 15 2020 Update: 15:00 AEST December 15 2020Update: 14:00 AEST December 15 2020 Initial Publication : 09:00 AEST December 15 2020     Update (21:30 AEST 20-12-2020) US-CERT CISA announces [14] and made available, at the time of writing, an update to their advisory [12] which “… provides new mitigation guidance and revises the indicators of compromise table…” [14].  The emergency directive from the U.S. Department of Homeland Security (DHS) has also updated their directive to include supplementary guidance.[15]   Update (21:30 AEST 19-12-2020) It has been confirmed that at the moment of writing of this update, the US-CERT CISA advisory, that was public as at (10:00 AEST 18-12-2020) is now returning “Access Denied”. As it was a public advisory at that time it may be possible to find a copy of this advisory, whilst it is still available, in archives[13].   Update (10:00 AEST 18-12-2020) SolarWinds states that Orion was their only product affected by the breach [10].  Also recently a joint statement was released by the U.S. Government [11] that heralds actions and updates from US-CERT CISA about the events surrounding and leverage of the SolarWinds Orion breach and recommended mitigation steps [12].   Update (22:30 AEST 15-12-2020) Additional IoC and TTP information from research organisations Volexity[9]   Update (15:00 AEST 15-12-2020)The headline of an earlier version of this article incorrectly attributed the vulnerable software to FireEye. FireEye is a third-party research firm. We apologise for any confusions caused by our initial publication. A new subject headline is now in place to better reflect the incident.  Update (14:00 AEST 15-12-2020) A set of IoCs have been published by Talos[7] and the number of affected clients is expected to be “fewer than 18,000” world wide according to the SEC filing of the incident[8]. The hotfix is expected to be made available “on or prior to 15th December 2020” [8] (date and time as per U.S.A. time zone)   Initial (09:00 AEST 15-12-2020) Introduction: FireEye has discovered a supply chain attack against SolarWinds which has resulted in trojanised versions of SolarWinds Orion being distributed. These trojanised versions, being distributed through their supply chain, meant that the code was correctly signed.   Multiple trojanised updates were digitally signed from March to May 2020 and posted to the SolarWinds Orion updates website, including those listed here: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp [1]   The trojanised version of the update has remained dormant for 2 weeks and FireEye has released counter measures [2] as malicious activity can now be traced with the following released IoC. [3]   RECOMMENDED ACTION: It is highly advised that the advisories from FireEye[1] and SolarWinds[6] be reviewed where actionable steps to detect and protect your network are suggested.   This includes the following steps:   1. It is highly recommended to download the latest software of SolarWinds Orion and apply the relevant version.   2. If you are a SolarWinds Orion client, please check the downloading of any updates between the months of March to May 2020.   3. If at all possible and relevant, apply detection rules released by FireEye to determine whether or not malicious activity is currently in your network.   4. If at all possible, check network logs for Indicators of Compromise (IoC) for any signs of activity that may have occurred in your network.   The US-CERT has notified members of the public about the current issue via a briefing document [4] and the media is also focusing and disseminating information on this event swiftly. [5]   For AUSCERT’s constituents using AUSCERT managed MISP the list of IoCs have been published on December 14. AUSCERT is currently contacting its constituents about possible installations of SolarWinds Orion on their network perimeter(s).      [1] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html [2] Github – Fireeye – Sunburst countermeasures https://github.com/fireeye/sunburst_countermeasures [3] Github – Fireeye – Sunburst IoC https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release [4] US-CERT CISA Active Exploitation of SolarWinds Software https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software [5] Bleeping Computer – US govt, FireEye breached after SolarWinds supply-chain attack https://www.bleepingcomputer.com/news/security/us-govt-fireeye-breached-after-solarwinds-supply-chain-attack/ [6] SolarWinds Security Advisory https://www.solarwinds.com/securityadvisory [7] Threat Advisory: SolarWinds supply chain attack https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html  [8] US-SEC – CURRENT REPORT – SOLARWINDS CORPORATION (001-38711) https://sec.report/Document/0001628280-20-017451/  [9] Dark Halo Leverages SolarWinds Compromise to Breach Organizations https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/  [10] SolarWinds said no other products were compromised in recent hack https://www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/ [11] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni [12] Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations https://us-cert.cisa.gov/ncas/alerts/aa20-352a  [13] Internet Archives – Wayback Machine https://archive.org/ [14] CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/cisa-updates-alert-and-releases-supplemental-guidance-emergency [15] Emergency Directive 21-01 https://cyber.dhs.gov/ed/21-01/#supplemental-guidance 

AUSCERT at the 2020 FIRST Conference: virtual edition We’ve all heard the story – 2020 has been a year marked with exceptional challenges and without a doubt, one of the most affected sectors from the Covid-19 pandemic has been the events and conferences industry. With travel restrictions in place for the foreseeable future, conference organisers have had to be creative in the delivery of their events.  In my role at AUSCERT, this meant having to pivot our very own annual conference into an entirely virtual format. I’ve posted my personal thoughts on working behind the scenes in delivering (a successful) AUSCERT2020 conference via LinkedIn here. Despite the challenges faced, the learnings I have taken away from this experience; coupled with my witnessing of our delegates, speakers and colleagues who all rose to the occasion in the spirit of camaraderie and innovation – will be something I’ll never forget or take for granted again in my career!  That aside, I had the pleasure of being on the “flipside” recently and was fortunate enough to participate as a delegate at the 2020 FIRST Conference: virtual edition. FIRST is the Forum of Incident Response and Security Teams and it brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors. This is FIRST’ 32nd annual conference and the theme was “Where Defenders Share”, highly relevant to the work that we do at AUSCERT. I tuned into all the keynotes and really enjoyed how they’d each varied from each other!Keynote 1Tracking Targeted Digital Threats: A View from the Citizen Lab by Ron Deibert, Director of  Citizen Lab (Munk School of Global Affairs, University of Toronto) In his presentation, Ron presented some super interesting evidence-based info from the work done at Citizen Lab. Their projects shed light on some increasingly critical issues at the intersection of race, surveillance, free expression, privacy, and power. My personal key take-away from his presentation was this message ‘not all high-end spyware, whatever does the trick!’ – a reminder that some of the biggest security issues we face don’t necessarily stem from high-end technology.  Keynote 2 Project Zero’s Disclosure Philosophy by Ben Hawkes, Project Zero Team Lead at Google ‘Untangling the vulnerability disclosure debate’ – before tuning into Ben’s presentation, I was extremely intrigued by his one-line premise and the content certainly delivered! In his presentation, it was made clear that Google’s Project Zero was of the opinion that the best way to combat the exploitation of zero-day vulnerabilities is by predicting attackers’ movements. Ben also revealed that Google’s elite bug-hunting team is looking to build a “crystal ball” for forecasting miscreants’ behaviour based on expert forecasts from cybersecurity professionals. His keynote was also covered by the team from PortSwigger here. Keynote 3Transforming Security: Optimizing Five Trends to Enable Security for Businesses of all Sizes by Kathleen Moriarty, CTO at Center for Internet Security Last but certainly not least, I tuned into the final conference keynote by Kathleen Moriarty who was recently appointed CTO at the Center for Internet Security. The key message from her presentation was that, in order to combat cyber threats, including those that impact SMEs that are part of the supply chain – we need to rethink how information security is delivered and managed. For me personally, this presentation really tied in to the concept of “3-Ps” of comprehensive cybersecurity – products, policies and people, an important reminder to get the basics right within every organisation and one that I thought was great session to tune into for the management folks in our sector.  As most of us are aware, conferences are a great way to learn new skills and access the latest trends and insight in the sector. For me personally, being a delegate at FIRSTCON20 allowed me to achieve greater awareness and understanding of both existing (mature) and emergent technologies – especially from the perspective of someone who doesn’t possess a technical background in the sector.  I have been informed that the conference recordings will be moved to permanent FIRST hosting and will be made publicly available via their website and YouTube channel shortly. Congratulations team FIRST, 1600 registrations from nearly 100 countries – that was an incredible feat, job extremely well done in 2020!Laura Jiew AUSCERT Events and Marketing Communications Specialist 

AUSCERT case study: an insight into our Incident Management service November 2020  AUSCERT case study: an insight into our Incident Management service Featuring Sean McIntyre, AUSCERT Senior Info Security AnalystYou recently assisted a client who came to us via Chris Gatford, a long-time AUSCERT supporter and contributor to our annual conference. Can you tell us a little bit more about the incident and what service category/categories did this fall under? Sure thing! A few weeks ago AUSCERT was called upon to assist Chris with a cyber security incident he was dealing with on behalf of a client. We won’t be able to disclose too many specific details out of respect for the client; but basically, the incident  involved a new threat actor that has popped up – Egregor (we recently shared an article about this on our ADIR) – a Sekhmet ransomware spin-off, also linked to the Maze threat actor group. We started off without knowing too much information on this particular ransomware nor its threat vectors; but with some research and a thorough scan of our various OSINT resources, I was able to find samples of the malware and some IOCs proved useful in assisting this client.  Another channel we tapped into was our connection with the various CERTs around the world. In particular, the APAC region – thanks to our international liaison expert, Geoff Thonon, who is also our Operations Manager here at AUSCERT.  Quite a few Egregor malicious URLs were discovered over this period of investigation and Chris had also provided a few more to be taken down. These requests were sent off to a number of  hosting and domain providers as per our routine Phishing Take-Down service procedure. And last but not least, we added these URLs to our Malicious URL Feed and IOCs to our MISP instance as a way of sharing the details with (i.e. protecting) our members.  I would say that this particular request falls under our Incident Management (although on the “lighter” side of a scale), Phishing Take-Down and Malicious URL Feed service categories.  Between receiving this request and to the time that the incident was resolved, can you outline the time it took our incident response team to resolve the issue? What do you think sets AUSCERT apart from a service delivery point of view? From AUSCERT’s perspective, we always initiate action on any request that comes through as soon as possible and definitely within a 24-hour period. In this instance, our expertise was sought after in regards to this new ransomware/threat actor. We were able to provide Chris with some of this threat intelligence and information over a couple business days of research work. Take-down requests for the initial URLs that were provided to us by Chris were submitted instantaneously, with follow-ups done whenever additional URLs were submitted on behalf of his client.   Even though these take-down requests were actioned promptly on our end, it’s important to note that we were reliant on the hosting providers to action them. Thankfully, most of the URLs seemed to stop functioning/existing within 1 business day or so after the request(s) was/were submitted.  I think what sets AUSCERT apart is our reach and connection with the CERT community, and also the fact that our member incident hotline is open 24/7. There’s a saying here at AUSCERT, “We exist for the greater good” – and we really try and showcase this with our members. Sean, what do you think are the 3 key takeaways from this incident, what can members or clients do to avoid something similar happening to them in the future?  Review your operating system (OS) compliance. It is super important to make sure unmaintained OSs such as Windows XP are taken off the network where possible. If an outdated OS is supplied by a vendor on a core system/endpoint – please work with them to upgrade all products. This is a super simple yet most effective way to avoid such incidents from happening within your SME. Ingest IOCs of known malware into firewalls/SIEM. These can be found via various OSINT sources or via a trusted partner such as AUSCERT. If you’re a member, utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au. Where possible, implement the “Essential 8” as outlined by the ACSC. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

AUSCERT2020 interview with Chris Gatford AUSCERT2020 Conference Interview: Chris Gatford from Hacktive.io Leading up to the AUSCERT2020 conference, we sat down with Chris Gatford from Hacktive.io about his involvement in the conference and the recent work he has done for the SBS. Tell us about your professional career? I was the type of kid that would take my toys apart and put them back together with less parts, and then terrorise my sister. Looking back, I would like to think that this was the start of my hacking passion. I think it’s important to remember that hacking is not just about breaking into computer systems. It’s a way of thinking, and a method for approaching problems such as out-of-the-box thinking and solving problems by doing things differently. I was introduced to the IT industry as a child and after creating my own computer out of a cardboard box and motherboard, I soon realised I had a knack for this. After school, I completed a business computing degree and became a system administrator. I was responsible for looking after computer networks and had to draw on out-of-the-box thinking whenever an issue arose. During this role, my interest in security began to grow. After several years, I eventually jumped into The Big Four and got involved in IT consulting and testing computer security. You are the founder and Director of Hacktive.io, what does your company do? Hacktive.io is actually my second business. My first business venture was founded in 2008 and I sold it soon after. I learnt a lot from this experience and started my second business Hacktive.io. At Hacktive.io, we engage with organisations across the world and test their physical security and computer/network security. We focus on helping our clients understand the security vulnerabilities of their networks, applications, premises, and their people. Can you expand further on social engineering tests and how these tests are completed?  Often a customer will approach Hacktive.io and request that their company’s environment (a building or third party site) get tested. Firstly, we obviously get permission from the company. Then we will conduct the social engineering tests on the physical environment, the people/employees of the company, and their IT department. Following the social engineering test, we teach the company how they can better defend themselves against hackers. More so now, than ever before, individuals and employees are getting targeted by hackers. We equip businesses with common and useful tools that are available to everyone. What made you want to be a part of the AUSCERT2020 Conference? I have been a long believer and supporter of AUSCERT, and have attended every conference since 2003. The fact that it’s the oldest IT security conference, and it’s still going strong after all these years, is a huge testament to the company. To be among so many professionals who share information on staying secure is a huge honour. Can you tell us more about the tutorial you ran at the conference?  My tutorial was on “How to build a security awareness training program” and demonstrated how Hacktive had infiltrated and extracted sensitive information from organisations, and the mechanics involved in an attack. I discussed how to reverse the process and understand the mechanisms involved in breaking into the organisation. I am also a strong believer in computer-based training, while also reflecting on how to excite and energise a workforce to be interested in computer security again. You were recently interviewed on SBS, can you tell us more about this?  I was very lucky to have the SBS team alongside a Red Teaming Pen Test. SBS was able to capture the reasons behind our testing and record us walking away with a company’s equipment. We were able to show how easy it was to use a company’s own devices to hack back into their network.  What do you see as some of the biggest cyber threats in today’s society? The first cyber threat that comes to mind is that information security is hard, and breaking into systems can be a very easy job. However, it is really difficult to build systems, maintain them and in the long-term keep them secure. So it’s critical to have the right tools in place to monitor security, because ultimately ransomware is still an effective attacker. The second cyber threat that comes to mind is invoice fraud. I often hear instances of ‘customers’ pretending to change their bank account details and then the invoices are getting paid out to the wrong bank account. The financial fraud impact on business is massive and businesses must recognise that fraud is still alive and well.  

AUSCERT2020 MC: Adam Spencer Prior to the AUSCERT2020 Conference, we caught up with Adam Spencer to chat about his involvement with the conference, and hear his thoughts around cyber security and observations on the year of 2020.   Can you start by telling us about your professional career? I could say lawyer and mathematician, although neither of those career paths really worked out. I am probably better to lead with stand-up comedian, from where I then stumbled into the world of radio and television where I continue to be thoroughly unprofessional. I have also written and co-written approximately ten different books trying to popularise mathematics. These are written for people who do really get mathematics and have a talent for it and want to get better at it. When writing, I’ve had the pleasure of reaching out to smart, switched on nerdy kids from about the age 12 and above—and I absolutely love it.   You are a self-confessed lifelong number nerd. What is your favourite number? As a kid, my favourite number was four. This was the first number that realised you could break into two even groups. For example, you couldn’t break down five or seven, but you could break down nine into three groups of three. It was from here that I started to get the concept of prime numbers and composite numbers just from breaking down the number four. I have now been fascinated by multiples of four for the rest of my life. For example, if we were to go for a drive and you turned the volume up to 31, I would need to change it to 32 so it could be a multiple of four.   How do numbers and maths play a role in cyber security? The basis of all computing and code of any sort is beautifully mathematical. I was lucky enough to interview Steve Wozniak who wrote the original Apple Source Code, back when it was just ones and zeros. Now, I’m not a specialist in that field, but from what I understand, no one has ever found a single error in Wozniak’s original programming and coding. Which is beyond belief for something as complicated as that not to have mistypes. The genius that underpins a system like that is incredible. Furthermore, the basis of the systems that we use to exchange credit card details online and not being hacked by a third party through the RSA algorithm, is just beautifully mathematical. Cyber security is a great example of how maths is still relevant. Mathematics permeates everything and we are just blissfully unaware.   You have been part of the AUSCERT conference for a few years now. What is it that first prompted you to be a part of it? The thing that I enjoy about my line of work as a professional MC and facilitator is that I’m rarely the smartest guy in the room on any given topic. But to learn anything, you need to expose yourself to the absolute best people in those fields. I’m a strong believer that if you speak to those passionate and informed about something, almost any topic can be interesting. For almost a decade I have been able to surround myself with people who are the best in the business (of Cyber Security) and hear about what’s on their mind about the cutting edge trends is incredible.  I remember first hearing mutterings about ransomware in the AUSCERT community years ago, and now it’s something that people have to deal with all the time. I feel like I am in the presence of people who really understand cyber security and having discussions that are ahead of the general population, is just so exciting.   Tell me about your most recent book, Numberland. I filled it with a bunch of stuff that blew my mind at the time. Looking back at it, I think I can best describe it as a compilation of stuff that I hope intrigues the ‘number curious’ amongst us. For AUSCERT members who are interested in my book, they can use the promo code ‘HOME’ to receive 20% off. Visit adamspencer.com.au to grab a signed copy.   Do you have any advice for someone who is passionate about maths or cyber security? Mathematicians will build this century—this is the century that will be built on ones and zeros. I think of many cyber security experts as mathematicians. So, for people with a passion in the area of cyber security, coding, app design, software, or statistics will have a role to play in building our future. It has never made more sense to find your passion in mathematics or cyber security, and take whatever skillset you have and maximise it. For young people coming out of high school and into the job market, my advice would be, if you can show that you have experience and knowledge in Mathematics, you’ll end up writing your own cheques in the workplace. There is no denying that mathematical thinking is going to underpin and build this century.      

AUSCERT2020 Member Organisation of the Year Winner AUSCERT2020 Interview: Leigh Vincent from Federation University Australia We recently had the pleasure of chatting with Leigh Vincent from Federation University Australia who won the AUSCERT Member Organisation of the Year for 2020. Leigh opened up about what it is like to be an AUSCERT member and how Federation University is dealing with new cyber security issues. Can you start by telling us about your professional career? I have been at Federation University Australia (formally known as the University of Ballarat) for about 16 years in a cyber security role. This role has developed over the years and last year, we officially doubled our team, so now there are two of us!  While working at Federation University, I have gone through extensive training in incident handling and response, web application, penetration testing, and digital forensics and analysis. Having been a one-person team for so long, I was often in the position where I needed to provide the resources and support to University staff myself. There have been many years where the University’s budget just did not have enough room to stretch when it came to security. During this time, we could not justify hiring support from outside organisations when I could upskill and undergo training myself. I’m sure many would agree that cyber security in the university sector is a very interesting beast to work with. This was actually my first role working in security as I had previously worked in a system network administrator role. Since moving into security, I’ve enjoyed almost every moment. How long has Federation University been an AUSCERT Member? Federation University has been a member for as long as I have worked there, so at least 16 years. Personally, I have attended several of AUSCERT’s conferences since 2004. The highlight is always having the opportunity to network and catch up with people over the conference period.  What value do you get out of the on-going AUSCERT membership? In my experience, I would say the advice that the AUSCERT team and other members provide is invaluable and having people there that you can bounce ideas off makes resolving an issue much easier. Back when I was a one-man-team, I went on long-service leave and AUSCERT acted as the primary point of contact for the University if issues popped up. So both at a personal and professional level, the AUSCERT membership has been very beneficial. Speaking of your membership… Congratulations on winning the Member Organisation Of The Year award! What does winning this award mean to you? It was a complete surprise! I had to read over the email a couple of times before I realised that we had won. Winning this award is not something we had thought about, we often just continue to go about our work every day, but the acknowledgement means a lot. Receiving that recognition, especially as a two-person cyber security team just shows that people really do take notice of you and how you contribute to the industry. If you had some advice for some other AUSCERT members, what would you say? The biggest piece of advice I could give would be get involved. Take the time to interact with AUSCERT and its members—it is a valuable industry tool. As the ‘good guys’ in cyber security, we need to work on communicating more. We know the ‘bad guys’ are great at communicating and that is why they are always one step ahead of us. Ultimately we are all fighting the same fight so use the tools provided by AUSCERT (such as the Slack channels) to get involved, communicate and most of all keep an ear to the ground. Have you had any cyber security challenges this year, and how have you addressed this? Money has certainly been the biggest challenge, there is no denying that the education sector has taken a huge financial hit recently. We have also had to alter our focus to keeping tabs on all the remote workers and moving the University’s systems online very quickly. By making these quick changes, we have had to reassess some of our security restrictions to ensure a smooth and easy transition to working online for staff and students. Our focus has had to be on delivering quickly and trying to keep everyone safe when they are not inside our walls anymore. We control less when people are working from home, so we have had to encourage people to ask questions relating to their home security and support them where possible. Because we have made the switch to online for all course material, the push is now that we should keep it all online and maintain those platforms. However the challenge is ensuring that security can be enhanced and maintained to meet what will become a permanent method of content delivery to students and capabilities for staff to work from home as required going forward. Alternatively, we could also create something parallel that is safe and secured correctly, not just a platform that can ‘make it work’. What do you see as some of the main cyber threats in today’s society and their accompanying risks? Personally, I see social engineering as one of the biggest risks in cyber security today. It is a very real issue and we see it constantly. However, we can only overcome it by increasing user awareness and education—without this it can be very difficult to fight. Until we can get on top of that and educate users to make decisions themselves, it will inevitably remain a problem.  What is some advice you would give to organisations and other IT cyber security professionals? Talk and share with one another. We are all fighting the same fight and facing the same challenges. We might be from different organisations and have different technology, but ultimately, we are all fighting the same enemy.

AUSCERT2020 Information Security Excellence Winner Congratulations to Michelle Price for being given the AUSCERT2020 “Information Security Excellence” award. During AUSCERT2020 we had a chat with her to learn more about her role as CEO at AustCyber, and her vision for the cyber security industry.   Tell us a little about your professional career? My first job was working in a small business that my family owned, that focused on food safety consulting and training. We also ran international conferences and created a lot of thought-leadership on the topic of food safety. Food safety in the mid-to-late 90s was an emerging issue in Australia; there were no standard practices. In the end, there were three companies (owned by my parents) that focused on risk, and the upside and downside of risk. I worked there for 10 years, starting in marketing and communications roles, and ending up doing food safety audits and strategy. I then moved into the advertising industry for a short stint, before moving into the federal government, with the majority of my time in National Security. The common thing across all the agencies I worked in at the government was risk and strategy. What was your role in the Prime Minister’s Department? When I was working in the Prime Minister’s Department, my first job was to work across all of national security, and I ended up running the National Security Budget and developing the world’s first national security strategic risk framework, and developing a framework of how to prioritise national security issues. That was under the Gillard government. Then when Prime Minister Abbot came in, I switched roles and moved across from high-level strategy on national security to focus on the cyber security area, and that’s how I ended up penning the 2016 National Cyber Security Strategy. How did you end up at AustCyber? After the strategy was launched, I was fortunate enough to have quite a few opportunities. I chose to focus on helping the Australian National University stand up a cyber policy function and to be able to better coordinate the growing area of cyber research across different disciplines. I didn’t stay there for as long as I thought I would, because I then got asked to come to AustCyber, and AustCyber was one of the initiatives in the Cyber Security Strategy that I had worked very hard on, so it was a no-brainer. Being born into a house of entrepreneurs it felt like a natural extension for me to end up running an organisation that is trail blazing around how to do the business of cyber security, and while we are doing that, is also creating an industry. That is the mission of AustCyber: To create an industry that is globally competitive and has impact for the country. Congratulations on winning the Information Security Excellent award. What does winning this award mean to you? Every time I think about it, I still get tingles. Partly because, cyber security is often a closed environment, but that is changing a lot. So, when someone like me turns up and writes a national strategy on something that I don’t have years of experience in, who am I to advocate for, and educate the country on a topic that is not natively my own. To have a community like the AUSCERT community that is dominated by traditional security leaders, that is composed of technical practitioners, to have someone like me recognised by them, and by AUSCERT, is so special to me. That’s why in my acceptance speech, I accepted it for the whole industry. We’ve started to mature, to grow up, and have so much to offer, and people outside of our industry have so much to offer as well. We are the enablers of the entire economy. To me this is an example of how our industry is shifting and changing for the better.   If you could give a piece of advice for organisations and security professionals, what would it be? Understanding other people’s context helps us work together. ‘Collaboration’ is a bit of an overused word, but it’s the right word, if we come together and work together to a common outcome. ‘Outcome’ is also an important word—it’s not just about outputs. If we continue to focus on outputs, we will never win the battle. Output is important, but to be able to achieve outcomes, we have to work together, and to work together, we need to understand contexts.  If we take a few moments in the day to understand who we are working with and what their context is helps us have a more open mind. We spend too much time focusing on the battle with each other, rather than coming together to focus on battling with our adversaries. They’re the ones who are ripping off the economy. They’re the ones who are affecting the physical and emotional lives of Australians. We all want the same outcome, and we can do better at collaborating. I know we can do this. #GAMEON  

AUSCERT at the 2020 ASEAN CERT Incident Drill AUSCERT is proud to have been involved in this drill earlier this week, alongside colleagues in the ASEAN and various neighbouring regions. Thank you to colleagues from the Cyber Security Agency of Singapore (CSA) for organising. The theme was especially pertinent this year – “Malware Campaign Leveraging the Pandemic Situation” – and we look forward to further collaborations with the wider group in the future. +++++ 15th iteration of ASEAN CERT Incident Drill tests CERTs’ preparedness against opportunistic COVID-19-related campaigns The Cyber Security Agency of Singapore (CSA) organised the 15th iteration of the ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID) on 7 October 2020. This was held in conjunction with the fifth Singapore International Cyber Week (SICW), the region’s most established annual cybersecurity event. An annual drill hosted by Singapore since 2006, ACID tests incident response procedures and strengthens cybersecurity preparedness and cooperation among CERTs in ASEAN Member States (AMS) and Dialogue Partners. This year’s theme, “Malware Campaign Leveraging the Pandemic Situation”, was chosen in view of the proliferation of malicious campaigns leveraging the ongoing COVID-19 pandemic as lures across multiple sectors, in many countries in the earlier part of the year. During a brief pre-drill dialogue, the participants also agreed that it was an opportune time to raise awareness and preparedness against opportunistic campaigns. The scenario injects are based on the Emotet malware campaign, given its prevalence, and the range of cybersecurity events that may occur following a successful Emotet malware infection. All the CERTs from the 10 AMS and five key Dialogue Partners from Australia, China, India, Japan, and South Korea, were represented in this year’s ACID. They were required to investigate, analyse, and recommend remediation and mitigation measures to a series of scenarios injects with varying levels of complexity. The drill this year was well-received and the participating CERTs provided positive feedback. Leading the exercise is Ms Goh Yan Kim, Deputy Director, SingCERT, CSA. Ms Goh said, “With the pandemic resulting in a heavier reliance on the internet, cybersecurity is now more important than ever. These exercises are essential to foster trust and preparedness among CERTs in ASEAN and our Dialogue Partners to respond to current and emerging threats. We look forward to conducting more of these exercises in future.” A copy of the original article can be found here: https://www.csa.gov.sg/news/news-articles/15th-asean-cert-incident-drill