
AUSCERT2020 MC: Adam Spencer

Prior to the AUSCERT2020 Conference, we caught up with Adam Spencer to chat about his involvement with the conference, and to hear his thoughts on cyber security and his observations on the year 2020.

Can you start by telling us about your professional career?

I could say lawyer and mathematician, although neither of those career paths really worked out. I am probably better to lead with stand-up comedian, from where I then stumbled into the world of radio and television, where I continue to be thoroughly unprofessional. I have also written and co-written approximately ten different books trying to popularise mathematics. These are written for people who do really get mathematics and have a talent for it and want to get better at it. When writing, I've had the pleasure of reaching out to smart, switched-on, nerdy kids from about the age of 12 and above, and I absolutely love it.

You are a self-confessed lifelong number nerd. What is your favourite number?

As a kid, my favourite number was four. This was the first number that I realised you could break into two even groups. For example, you couldn't break down five or seven, but you could break down nine into three groups of three. It was from here that I started to get the concept of prime numbers and composite numbers, just from breaking down the number four. I have now been fascinated by multiples of four for the rest of my life. For example, if we were to go for a drive and you turned the volume up to 31, I would need to change it to 32 so it could be a multiple of four.

How do numbers and maths play a role in cyber security?

The basis of all computing and code of any sort is beautifully mathematical. I was lucky enough to interview Steve Wozniak, who wrote the original Apple source code, back when it was just ones and zeros. Now, I'm not a specialist in that field, but from what I understand, no one has ever found a single error in Wozniak's original programming and coding, which is beyond belief for something as complicated as that not to have mistypes. The genius that underpins a system like that is incredible. Furthermore, the basis of the systems that we use to exchange credit card details online without being hacked by a third party, through the RSA algorithm, is just beautifully mathematical. Cyber security is a great example of how maths is still relevant. Mathematics permeates everything and we are just blissfully unaware.

You have been part of the AUSCERT conference for a few years now. What is it that first prompted you to be a part of it?

The thing that I enjoy about my line of work as a professional MC and facilitator is that I'm rarely the smartest guy in the room on any given topic. But to learn anything, you need to expose yourself to the absolute best people in those fields. I'm a strong believer that if you speak to those passionate and informed about something, almost any topic can be interesting. For almost a decade I have been able to surround myself with people who are the best in the business (of cyber security), and hearing what's on their mind about the cutting-edge trends is incredible. I remember first hearing mutterings about ransomware in the AUSCERT community years ago, and now it's something that people have to deal with all the time. I feel like I am in the presence of people who really understand cyber security, and having discussions that are ahead of the general population is just so exciting.

Tell me about your most recent book, Numberland.

I filled it with a bunch of stuff that blew my mind at the time. Looking back at it, I think I can best describe it as a compilation of stuff that I hope intrigues the 'number curious' amongst us. For AUSCERT members who are interested in my book, they can use the promo code 'HOME' to receive 20% off. Visit adamspencer.com.au to grab a signed copy.

Do you have any advice for someone who is passionate about maths or cyber security?

Mathematicians will build this century; this is the century that will be built on ones and zeros. I think of many cyber security experts as mathematicians. So, people with a passion in the area of cyber security, coding, app design, software or statistics will have a role to play in building our future. It has never made more sense to find your passion in mathematics or cyber security, and take whatever skillset you have and maximise it. For young people coming out of high school and into the job market, my advice would be: if you can show that you have experience and knowledge in mathematics, you'll end up writing your own cheques in the workplace. There is no denying that mathematical thinking is going to underpin and build this century.


AUSCERT2020 Member Organisation of the Year Winner

AUSCERT2020 Interview: Leigh Vincent from Federation University Australia

We recently had the pleasure of chatting with Leigh Vincent from Federation University Australia, which won the AUSCERT Member Organisation of the Year for 2020. Leigh opened up about what it is like to be an AUSCERT member and how Federation University is dealing with new cyber security issues.

Can you start by telling us about your professional career?

I have been at Federation University Australia (formerly known as the University of Ballarat) for about 16 years in a cyber security role. This role has developed over the years and last year we officially doubled our team, so now there are two of us! While working at Federation University, I have gone through extensive training in incident handling and response, web application penetration testing, and digital forensics and analysis. Having been a one-person team for so long, I was often in the position where I needed to provide the resources and support to University staff myself. There have been many years where the University's budget just did not have enough room to stretch when it came to security. During this time, we could not justify hiring support from outside organisations when I could upskill and undergo training myself. I'm sure many would agree that cyber security in the university sector is a very interesting beast to work with. This was actually my first role working in security, as I had previously worked in a system and network administrator role. Since moving into security, I've enjoyed almost every moment.

How long has Federation University been an AUSCERT member?

Federation University has been a member for as long as I have worked there, so at least 16 years. Personally, I have attended several of AUSCERT's conferences since 2004. The highlight is always having the opportunity to network and catch up with people over the conference period.

What value do you get out of the ongoing AUSCERT membership?

In my experience, I would say the advice that the AUSCERT team and other members provide is invaluable, and having people there that you can bounce ideas off makes resolving an issue much easier. Back when I was a one-man team, I went on long-service leave and AUSCERT acted as the primary point of contact for the University if issues popped up. So both at a personal and professional level, the AUSCERT membership has been very beneficial.

Speaking of your membership, congratulations on winning the Member Organisation of the Year award! What does winning this award mean to you?

It was a complete surprise! I had to read over the email a couple of times before I realised that we had won. Winning this award is not something we had thought about; we often just continue to go about our work every day, but the acknowledgement means a lot. Receiving that recognition, especially as a two-person cyber security team, just shows that people really do take notice of you and how you contribute to the industry.

If you had some advice for other AUSCERT members, what would you say?

The biggest piece of advice I could give would be: get involved. Take the time to interact with AUSCERT and its members; it is a valuable industry tool. As the 'good guys' in cyber security, we need to work on communicating more. We know the 'bad guys' are great at communicating and that is why they are always one step ahead of us. Ultimately we are all fighting the same fight, so use the tools provided by AUSCERT (such as the Slack channels) to get involved, communicate and, most of all, keep an ear to the ground.

Have you had any cyber security challenges this year, and how have you addressed them?

Money has certainly been the biggest challenge; there is no denying that the education sector has taken a huge financial hit recently. We have also had to alter our focus to keeping tabs on all the remote workers and moving the University's systems online very quickly. By making these quick changes, we have had to reassess some of our security restrictions to ensure a smooth and easy transition to working online for staff and students. Our focus has had to be on delivering quickly and trying to keep everyone safe when they are not inside our walls anymore. We control less when people are working from home, so we have had to encourage people to ask questions relating to their home security and support them where possible. Because we have made the switch to online for all course material, the push is now that we should keep it all online and maintain those platforms. However, the challenge is ensuring that security can be enhanced and maintained to meet what will become a permanent method of content delivery to students, and the capability for staff to work from home as required going forward. Alternatively, we could also create something parallel that is safe and secured correctly, not just a platform that can 'make it work'.

What do you see as some of the main cyber threats in today's society and their accompanying risks?

Personally, I see social engineering as one of the biggest risks in cyber security today. It is a very real issue and we see it constantly. However, we can only overcome it by increasing user awareness and education; without this it can be very difficult to fight. Until we can get on top of that and educate users to make decisions themselves, it will inevitably remain a problem.

What is some advice you would give to organisations and other IT cyber security professionals?

Talk and share with one another. We are all fighting the same fight and facing the same challenges. We might be from different organisations and have different technology, but ultimately, we are all fighting the same enemy.


AUSCERT2020 Information Security Excellence Winner

Congratulations to Michelle Price on receiving the AUSCERT2020 "Information Security Excellence" award. During AUSCERT2020 we had a chat with her to learn more about her role as CEO at AustCyber and her vision for the cyber security industry.

Tell us a little about your professional career?

My first job was working in a small business that my family owned, which focused on food safety consulting and training. We also ran international conferences and created a lot of thought leadership on the topic of food safety. Food safety in the mid-to-late 90s was an emerging issue in Australia; there were no standard practices. In the end, there were three companies (owned by my parents) that focused on risk, and the upside and downside of risk. I worked there for 10 years, starting in marketing and communications roles and ending up doing food safety audits and strategy. I then moved into the advertising industry for a short stint, before moving into the federal government, with the majority of my time in national security. The common thing across all the agencies I worked in at the government was risk and strategy.

What was your role in the Prime Minister's Department?

When I was working in the Prime Minister's Department, my first job was to work across all of national security, and I ended up running the national security budget, developing the world's first national security strategic risk framework, and developing a framework for how to prioritise national security issues. That was under the Gillard government. Then when Prime Minister Abbott came in, I switched roles and moved across from high-level strategy on national security to focus on the cyber security area, and that's how I ended up penning the 2016 National Cyber Security Strategy.

How did you end up at AustCyber?

After the strategy was launched, I was fortunate enough to have quite a few opportunities. I chose to focus on helping the Australian National University stand up a cyber policy function and better coordinate the growing area of cyber research across different disciplines. I didn't stay there for as long as I thought I would, because I then got asked to come to AustCyber, and AustCyber was one of the initiatives in the Cyber Security Strategy that I had worked very hard on, so it was a no-brainer. Being born into a house of entrepreneurs, it felt like a natural extension for me to end up running an organisation that is trail-blazing around how to do the business of cyber security and, while doing that, is also creating an industry. That is the mission of AustCyber: to create an industry that is globally competitive and has impact for the country.

Congratulations on winning the Information Security Excellence award. What does winning this award mean to you?

Every time I think about it, I still get tingles. Partly because cyber security is often a closed environment, although that is changing a lot. So, when someone like me turns up and writes a national strategy on something that I don't have years of experience in, who am I to advocate for, and educate the country on, a topic that is not natively my own? To have a community like the AUSCERT community, which is dominated by traditional security leaders and composed of technical practitioners, recognise someone like me, and to be recognised by AUSCERT, is so special to me. That's why in my acceptance speech I accepted it for the whole industry. We've started to mature, to grow up, and have so much to offer, and people outside of our industry have so much to offer as well. We are the enablers of the entire economy. To me this is an example of how our industry is shifting and changing for the better.

If you could give a piece of advice to organisations and security professionals, what would it be?

Understanding other people's context helps us work together. 'Collaboration' is a bit of an overused word, but it's the right word if we come together and work together to a common outcome. 'Outcome' is also an important word; it's not just about outputs. If we continue to focus on outputs, we will never win the battle. Output is important, but to be able to achieve outcomes we have to work together, and to work together we need to understand contexts. Taking a few moments in the day to understand who we are working with and what their context is helps us have a more open mind. We spend too much time focusing on the battle with each other, rather than coming together to focus on battling our adversaries. They're the ones who are ripping off the economy. They're the ones who are affecting the physical and emotional lives of Australians. We all want the same outcome, and we can do better at collaborating. I know we can do this. #GAMEON


AUSCERT at the 2020 ASEAN CERT Incident Drill

AUSCERT is proud to have been involved in this drill earlier this week, alongside colleagues in the ASEAN and neighbouring regions. Thank you to colleagues from the Cyber Security Agency of Singapore (CSA) for organising. The theme was especially pertinent this year, "Malware Campaign Leveraging the Pandemic Situation", and we look forward to further collaborations with the wider group in the future.

+++++

15th iteration of ASEAN CERT Incident Drill tests CERTs' preparedness against opportunistic COVID-19-related campaigns

The Cyber Security Agency of Singapore (CSA) organised the 15th iteration of the ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID) on 7 October 2020. This was held in conjunction with the fifth Singapore International Cyber Week (SICW), the region's most established annual cybersecurity event. An annual drill hosted by Singapore since 2006, ACID tests incident response procedures and strengthens cybersecurity preparedness and cooperation among CERTs in ASEAN Member States (AMS) and Dialogue Partners.

This year's theme, "Malware Campaign Leveraging the Pandemic Situation", was chosen in view of the proliferation of malicious campaigns using the ongoing COVID-19 pandemic as a lure across multiple sectors, in many countries, in the earlier part of the year. During a brief pre-drill dialogue, the participants also agreed that it was an opportune time to raise awareness of and preparedness against opportunistic campaigns. The scenario injects were based on the Emotet malware campaign, given its prevalence and the range of cybersecurity events that may follow a successful Emotet infection.

All the CERTs from the 10 AMS and five key Dialogue Partners (Australia, China, India, Japan and South Korea) were represented in this year's ACID. They were required to investigate, analyse, and recommend remediation and mitigation measures for a series of scenario injects with varying levels of complexity. The drill was well received and the participating CERTs provided positive feedback.

The exercise was led by Ms Goh Yan Kim, Deputy Director, SingCERT, CSA. Ms Goh said, "With the pandemic resulting in a heavier reliance on the internet, cybersecurity is now more important than ever. These exercises are essential to foster trust and preparedness among CERTs in ASEAN and our Dialogue Partners to respond to current and emerging threats. We look forward to conducting more of these exercises in future."

A copy of the original article can be found here: https://www.csa.gov.sg/news/news-articles/15th-asean-cert-incident-drill


AUSCERT at the forefront of Cybersecurity and AUSCERT2020 "We Can be Heroes"

[Editor's notes: an edited version of this article features in the CyberAustralia Magazine 2020-2021]

AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, AUSCERT delivers a 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy.

The Australian Government Department of Home Affairs recently released its report on Australia's 2020 Cyber Security Strategy, and AUSCERT is very proud to have been involved in the consultation process late last year. The report included 60 recommendations to bolster Australia's critical cyber defences, structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment, all of which align with our core values here at AUSCERT:

Deterrence: Any infrastructure reported by our members that proves to be malicious is subject to persistent and escalating takedown notices.
Prevention: Indicators of Compromise, Indicators of Vulnerability, security advisories and bulletins give members strong, proactive preventative information.
Detection: Bi-directional threat intelligence sharing through open source platforms gives members real-time intelligence that helps to automatically detect and block potential attacks.
Resilience: AUSCERT takes part in and helps organise Asia Pacific regional cyber drills, and provides webinars to members to keep cyber security awareness front of mind.
Investment: As a not-for-profit organisation, AUSCERT reinvests all membership proceeds into service delivery, improvements and the building of our members' cyber security capabilities.

Clear benefits for members

AUSCERT leverages the resources provided by its membership base and The University of Queensland Australia. Our reach with international CERTs as well as other Australian organisations increases the effectiveness of our malicious infrastructure take-downs and abuse advisories, and this international co-operation supports an internationally recognised norm of incident response. With a 24/7 member incident hotline, AUSCERT helps members keep their incident response effective by providing assistance that complements existing capabilities.

Cyber risks are owned by those best positioned to manage them

Assistance in establishing risk assessments and an incident response plan is covered through AUSCERT education; understanding these concepts allows for efficient use of resources in preventing, mitigating, transferring or avoiding cyber risks.

AUSCERT members practise cyber security at home and at work

With the increase in remote working, AUSCERT assists our members no matter where they are physically working.

AUSCERT is a cyber security incident response team exemplar

AUSCERT takes incident response seriously and trains its staff to handle incidents whenever they arise. This is done not only through internal training; all staff are also encouraged to attain industry certifications in line with their job requirements. This experience is then reinvested in members in the form of published advice, blog articles and educational events such as webinar sessions. Additionally, Indicators of Vulnerability and Indicators of Compromise are streamed to members daily, keeping them aware of vulnerabilities, leaked credentials and misconfigurations, as well as the availability of remedial advice.

Trusted services, nationally and internationally

As a trusted entity in cyber security, AUSCERT is handed information on incidents and vulnerabilities from national and international sources.

AUSCERT2020 "We Can Be Heroes"

AUSCERT2019 "It's Dangerous to Go Alone" gave delegates the tools to build knowledge within their teams. This year, the emphasis lies on the fact that anyone in your organisation can be your champion, your cyber security hero. Not only is it vital that you have a strong team behind you, it is equally important that you equip and encourage every individual in your organisation to assist in cyber and data security.

AUSCERT2020 will be held across four days, packed with world-class tutorials and presentations delivered by over 60 speakers from around the globe. With an audience of around 1000 delegates, this year's conference will be the largest held in recent years.

We're especially proud to feature a number of AUSCERT speakers and content, namely Colby Prior and his tutorial "Running your own honeypot: An Introduction", Mike Holm and his co-presentation with Leon Fouche from BDO on the "Joint AUSCERT and BDO Annual Cyber Security Survey Report 2019", and last but not least Geoff Thonon on "Could Phishing be nastier by any other name?". In addition to these AUSCERT presentations, UQ will also be represented by Mandy Turner from the SOC team, speaking on the topic of "Cybercrime", and the team from UQ Cyber from the EAIT Faculty will be hosting a virtual booth at the conference.

The format of the conference delivery may be different this year, but AUSCERT is as committed as ever to providing you with meaningful and rich content, all from the comfort of your office or home environment. Cyber security has never been more important. The cyber security landscape is ever-changing, and AUSCERT is passionate about engaging with members to empower their people, capabilities and capacities.

For more information on AUSCERT, please contact membership@auscert.org.au or +61 7 3365 4417. For further information on the AUSCERT2020 conference, please contact conference@auscert.org.au.


AUSCERT investigating a data dump claimed to be from the Department of Education

Updates are listed newest first.

3:40pm 03/09/20 AEST

Updated below to clarify that first and last name are also included in the data. This doesn't change our assessment. Unless further developments occur, we believe no further research is required. Please notify us if you find that your staff or students have used the service and you have concerns.

4:30pm 02/09/20 AEST

Working with Cosive, we've found signs that this is a re-publication of a dataset published in March 2020 or earlier, relating to a service called "K7 Maths". The TLS on their site also correlates with what seems to be their Australian presence. It's likely that the data came from an exposed Elasticsearch instance. There are no plaintext passwords exposed, just bcrypt hashes, although these can be cracked with enough effort (see the mitigating factor below).

Members concerned that their staff may have used this tool and may be included in the full dump should, where possible:

Check with teaching and admin staff for usage of the service.
Check mailboxes for sign-up emails from schoolcentre.com.au, k7maths.com or schoolcentre.com before that date.

If usage is found, we recommend:

Consider that credential compromised: anywhere the same password was re-used may now be exploited. A password reset for internal services is usually worthwhile, but consider your environment before applying this advice.
Monitor staff accounts for suspicious logins (email, VPN, etc.). A compromised account can lead to business email compromise (BEC), unauthorised access to the network, malware being sent between users, and more.
Notify AUSCERT.

There's a mitigating factor: the password hashes use the standard bcrypt algorithm with a cost factor of ten rather than the usual eight. bcrypt's cost is a power-of-two work factor, so each guess against a cost-10 hash takes 2^2 = 4 times as long as against a cost-8 hash. That slows offline cracking but does not prevent it, particularly for weak or re-used passwords.

We think that the only personal information in the dump is email address and country (edit: as well as first and last name), which would likely not count as a notifiable data breach. Our investigation there is incomplete. Consult your usual legal team if you have concerns.

4:00pm 02/09/20 AEST

We have a suspected source for the data, which is not a government agency. More information to follow.

9:50am 02/09/20 AEST

The dump refers to "the Australian Department of Education (edu.au)", and no such organisation exists. We've reached out to likely candidates for comment.

9:15am 02/09/20 AEST

We've seen reports that an Australian education-related data set of unknown origin has been published. We're looking into it now and will update this post as we get more information. We'll also be posting updates on Twitter and LinkedIn. The claim is that it's from the Australian Department of Education, and was retrieved in 2019. The claimed fields are:

country_id, created_at, email, encrypted_password (may be a bcrypt hash?), first_name, id, is_admin, is_guest, last_mail_at, last_name, last_sign_in_at, newsletter, region_id, tags, subscription, orders


AUSCERT mailout: ProctorU breach

An apparent data breach of the ProctorU service, apparently published by a user named ShinyHunters, has been making news in the last week, including an article yesterday in the Sydney Morning Herald. AUSCERT has acquired a copy of the data and notified affected members.

ProctorU gave us the following comment:

"On Monday July 27, 2020, we were made aware that some information purporting to come from ProctorU.com was posted to an internet message board. Although we are still investigating, none of the data analyzed so far from that posted data was from our active production servers and all of it was at least five years old. Therefore, we currently have no reason to believe that our active production servers or data of current clients and students from the last five years was implicated. We are continuing to investigate and will update you should that understanding change or with any additional information pertinent to you."

How bad is it?

You will need to assess it in the context of your own organisation. It appears that none of the data is newer than 2016. It includes personal information of ProctorU users, as well as institutional email addresses and password digests. We're not sure of the severity of the password digests: digests can be very easy or very difficult to crack depending on the algorithm, whether a salt is used and the work factor. There are reports that they are bcrypt hashes.

Was my organisation affected?

It affects mainly educational institutions that used ProctorU prior to approximately Q3 2016. We've notified affected members through their normal incident email alias. An administrator for your organisation can check in the member portal what that alias is set to; if it's current and you haven't heard from us, then you're clear. Not all our educational members are affected.

I've received a file and don't know how to decrypt it

Please log in to the member portal and consult this page for the passphrase. You'll need a program like Kleopatra for Windows or GnuPG (gpg) for Linux/Mac. If using the command line, run the following and enter the passphrase when prompted:

gpg --output your-domain.tsv --decrypt your-domain.tsv.gpg

I'm encountering a GPG error when decrypting the file

GPG has some quirks. Please check the directory containing the encrypted file to see whether the decrypted file was created despite the error message. If it's not there, double-check the passphrase, and if that doesn't work, reach out to us at auscert@auscert.org.au and we'll assist.

How do I view a TSV file?

We suggest opening it in Excel or another spreadsheet program, choosing "My file is delimited", ensuring that it uses "Tab" as the delimiter, and ensuring that columns are of type "General". Excel defaults to all of these. You're also welcome to use a command-line utility to split on tab characters.
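The checks recommended in the K7 Maths post above (was anyone from our domains in the dump, and how well does the hashing protect them) and the "How do I view a TSV file?" question here can both be answered with a short script. The following is an added example written for this page, not AUSCERT's own tooling: it parses a tab-separated dump using the field names the K7 Maths post lists, filters by your email domains, and classifies each encrypted_password value, reporting the bcrypt cost and how many times more work per guess it costs an attacker than the cost-8 baseline that post calls usual. The sample rows, the example.edu.au domain and the fake bcrypt strings it builds are all constructed.

```python
"""Triage a leaked credential dump for your own organisation's accounts.

Added example for the K7 Maths and ProctorU posts; not AUSCERT's tooling.
It reads a tab-separated dump using the field names those posts list, keeps
the rows whose email address belongs to one of your domains, and classifies
each encrypted_password value so you can judge how much the hashing protects
the affected users. All sample rows below are constructed.
"""
import csv
import io
import re

# Modular-crypt bcrypt string: $2a$/$2b$/$2y$, a two-digit cost, then a
# 22-character salt and a 31-character digest in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

# The K7 Maths post calls cost 8 the usual setting; each +1 doubles the work.
BASELINE_COST = 8

FIELDS = ["id", "email", "encrypted_password", "first_name", "last_name",
          "country_id", "last_sign_in_at"]


def classify_digest(value):
    """Classify one encrypted_password value.

    Returns (kind, cost, relative_work): kind is 'bcrypt', 'empty' or 'unknown';
    relative_work is how many times more work per guess the digest costs an
    attacker than a cost-8 bcrypt hash (None unless kind == 'bcrypt').
    """
    value = (value or "").strip()
    if not value:
        return ("empty", None, None)
    match = BCRYPT_RE.match(value)
    if not match:
        # Hex MD5/SHA digests, plaintext, etc. need manual inspection.
        return ("unknown", None, None)
    cost = int(match.group(1))
    return ("bcrypt", cost, 2 ** (cost - BASELINE_COST))


def parse_dump(text):
    """Parse a TSV dump with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def email_domain(email):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def triage(rows, our_domains):
    """Keep rows for our domains and summarise the digest types found.

    Returns {'matched': [...], 'counts': {kind: n}, 'min_cost': lowest bcrypt
    cost seen or None}. The lowest cost bounds how cheap cracking can be.
    """
    our_domains = {d.lower() for d in our_domains}
    matched, counts, costs = [], {}, []
    for row in rows:
        if email_domain(row.get("email") or "") not in our_domains:
            continue
        kind, cost, work = classify_digest(row.get("encrypted_password"))
        counts[kind] = counts.get(kind, 0) + 1
        if cost is not None:
            costs.append(cost)
        matched.append({"email": row["email"], "kind": kind, "cost": cost,
                        "relative_work": work,
                        "last_sign_in_at": row.get("last_sign_in_at")})
    return {"matched": matched, "counts": counts,
            "min_cost": min(costs) if costs else None}


def fake_bcrypt(cost):
    """Build a syntactically valid bcrypt string (constructed, not a real digest)."""
    return "$2b$%02d$" % cost + "a" * 22 + "b" * 31


# Constructed sample dump: two bcrypt users, one hex digest that is not bcrypt,
# one user from another organisation, and one guest with no password set.
SAMPLE_ROWS = [
    ["1", "a.teacher@example.edu.au", fake_bcrypt(10), "Ann", "Teacher", "AU", "2019-03-01"],
    ["2", "b.admin@example.edu.au", fake_bcrypt(12), "Bob", "Admin", "AU", "2019-06-15"],
    ["3", "c.user@example.edu.au", "5f4dcc3b5aa765d61d8327deb882cf99", "Cy", "User", "AU", "2018-11-20"],
    ["4", "d.person@other.example.com", fake_bcrypt(10), "Di", "Person", "NZ", "2019-01-09"],
    ["5", "e.guest@example.edu.au", "", "Ed", "Guest", "AU", ""],
]
SAMPLE_DUMP = "\n".join("\t".join(r) for r in [FIELDS] + SAMPLE_ROWS) + "\n"


if __name__ == "__main__":
    result = triage(parse_dump(SAMPLE_DUMP), ["example.edu.au"])
    print("digest types for our users:", result["counts"])
    print("weakest bcrypt cost:", result["min_cost"])
    for entry in result["matched"]:
        print("%-28s %-8s cost=%-4s work-vs-cost-8=%s" % (
            entry["email"], entry["kind"], entry["cost"], entry["relative_work"]))
```

Run it as-is to see the summary for the constructed dump; for a real file, read the decrypted TSV into parse_dump() and pass your own domains to triage(). An 'unknown' classification means the value is not a bcrypt string and needs a closer look: an unsalted hex digest, for instance, is far cheaper to crack than any bcrypt hash, and the lowest cost reported is the one to plan a password reset around.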


There's a hole in the boot

Introduction

Coordinated disclosure by Eclypsium allowed patches for the GRand Unified Bootloader (GRUB2) to be released together on the night of 29 July 2020.

Impact

A crafted GRUB configuration file (grub.cfg) can cause arbitrary code to execute during boot, which in turn allows UEFI Secure Boot restrictions to be bypassed. Once that happens, further arbitrary executables and drivers can be loaded with no integrity checks. To exploit the vulnerability, an attacker must first have administrator (root) or physical access to the target machine.

Systems affected

The vulnerability affects Windows as well as Linux-based systems. Any machine whose UEFI Secure Boot trusts the Microsoft 3rd Party UEFI CA (the CA that signs the shims used by Linux distributions) can be made to boot a vulnerable, still-signed GRUB2, so a complete fix requires both patched bootloaders and an update to the UEFI revocation list (dbx). A non-exhaustive list of affected vendors compiled by Eclypsium:

Microsoft UEFI Security Response Team (USRT)
Oracle
Red Hat (Fedora and RHEL)
Canonical (Ubuntu)
SuSE (SLES and openSUSE)
Debian
Citrix
VMware
Various OEMs
... and others

Mitigation

Organisations should undertake their own risk assessment, weighing the severity of the impact (persistent attacker control of the boot process) against the requirement that the attacker already have administrator or physical access to the target. Microsoft notes that the vulnerability can be detected using either TPM Key Attestation or Microsoft Defender ATP.

Eclypsium has outlined the steps needed to mitigate the vulnerability:

Updates to GRUB2 to address the vulnerability.
Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent the vulnerable code from running during boot.

Until the dbx is updated, a patched system can be rolled back: an attacker with the required access can simply reinstall an older, still-signed vulnerable GRUB2. The dbx update is therefore what actually closes the hole, but it must only be applied once every bootloader the system relies on (including recovery and installer media) has been updated, or the firmware will refuse to boot them.
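The final mitigation step, updating the dbx, is the one that actually stops a still-signed vulnerable GRUB2 from running, so it is worth being able to confirm what a host's firmware currently revokes. The following is an added example for this post, not Eclypsium's, Microsoft's or AUSCERT's code: it reads the SecureBoot and dbx variables as Linux exposes them under /sys/firmware/efi/efivars/ (a four-byte attribute word followed by the variable data, the dbx data being a run of EFI_SIGNATURE_LIST structures) and counts the revoked SHA-256 hashes and X.509 certificates. The GUIDs are the ones defined in the UEFI specification; the build_signature_list() and make_efivar() helpers, and everything they encode, are constructed test data rather than real dbx content.

```python
"""Check UEFI Secure Boot state and the dbx revocation list on a Linux host.

Added example for the BootHole post; not Eclypsium's, Microsoft's or AUSCERT's
tooling. Linux exposes UEFI variables under /sys/firmware/efi/efivars/ as files
named <Name>-<VendorGUID> whose first four bytes are the variable attributes,
followed by the data. The dbx data is a run of EFI_SIGNATURE_LIST structures;
this parser walks them and reports how many SHA-256 hashes and X.509
certificates are revoked. The byte strings built by build_signature_list() and
make_efivar() are constructed test data, not real dbx content.
"""
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_LIST_HEADER = 16 + 4 + 4 + 4   # SignatureType, ListSize, HeaderSize, SignatureSize
SIG_OWNER_LEN = 16                 # SignatureOwner GUID in front of every entry


def split_efivar(raw):
    """Split a sysfs efivar file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_enabled(raw):
    """True when the SecureBoot variable's single data byte is 1."""
    _, data = split_efivar(raw)
    return len(data) >= 1 and data[0] == 1


def parse_signature_lists(data):
    """Yield (signature_type, [payload, ...]) for each EFI_SIGNATURE_LIST in data.

    Every size field is checked before use so a truncated or corrupt variable
    raises ValueError instead of looping forever or slicing garbage.
    """
    off = 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack("<III", data[off + 16:off + 28])
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + SIG_LIST_HEADER + hdr_size:off + list_size]
        if sig_size <= SIG_OWNER_LEN or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        payloads = [body[i + SIG_OWNER_LEN:i + sig_size] for i in range(0, len(body), sig_size)]
        yield sig_type, payloads
        off += list_size


def summarise_dbx(raw):
    """Count dbx entries by type; return (counts, set of revoked SHA-256 hex hashes)."""
    _, data = split_efivar(raw)
    counts = {"sha256": 0, "x509": 0, "other": 0}
    hashes = set()
    for sig_type, payloads in parse_signature_lists(data):
        if sig_type == EFI_CERT_SHA256_GUID:
            counts["sha256"] += len(payloads)
            hashes.update(p.hex() for p in payloads)
        elif sig_type == EFI_CERT_X509_GUID:
            counts["x509"] += len(payloads)
        else:
            counts["other"] += len(payloads)
    return counts, hashes


def build_signature_list(sig_type, payloads, owner=uuid.UUID(int=0)):
    """Encode one EFI_SIGNATURE_LIST (equal-length payloads); used to build test data."""
    sig_size = SIG_OWNER_LEN + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size) + body


def make_efivar(data, attrs=0x27):
    """Prefix data with an attribute word the way sysfs presents a variable."""
    return struct.pack("<I", attrs) + data


def read_var(name, vendor_guid):
    with open(os.path.join(EFIVARS, "%s-%s" % (name, vendor_guid)), "rb") as f:
        return f.read()


if __name__ == "__main__":
    try:
        print("Secure Boot enforced:", secure_boot_enabled(read_var("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)))
        counts, revoked = summarise_dbx(read_var("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID))
        print("dbx entries:", counts)
        # Compare `revoked` with the SHA-256 entries in your vendor's dbx update
        # to confirm the BootHole revocations have actually been applied.
    except OSError as err:
        print("efivars not available (not UEFI, or not mounted):", err)
```

Run it on a UEFI Linux host with efivars mounted and compare the returned hash set with the SHA-256 entries in your vendor's dbx update to confirm the BootHole revocations are present. The signed update file the UEFI Forum publishes wraps the same signature lists in an authentication header that this parser does not strip, and on Windows the equivalent check is the Key Attestation or Defender ATP route Microsoft describes.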
Advisories

AUSCERT has issued an AUSCERT Security Bulletin (ASB) [ASB-2020.135] and will issue External Security Bulletins (ESB) as they come to hand. Below are excerpts from the Product Security Incident Response Teams' (PSIRT) advisories that describe in brief the impact and vectors of these vulnerabilities.

Microsoft

ADV200011: To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Linux distributions

CVE-2020-10713: Crafted grub.cfg file can lead to arbitrary code execution during boot process.
CVE-2020-14308: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-14309: Integer overflow in grub_squash_read_symlink may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14310: Integer overflow in read_section_from_string may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14311: Integer overflow in grub_ext2_read_link leads to heap based buffer overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-15705: Failure to validate kernel signature when booted without shim. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15706: Use-after-free in grub_script_function_create. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15707: Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init lead to heap based buffer overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

Sources

Media reports
- Forbes: https://www.forbes.com/sites/daveywinder/2020/07/29/boothole-secure-boot-threat-confirmed-in-most-every-linux-distro-windows-8-and-10-microsoft-ubuntu-redhat-suse-debian-citrix-oracle-vmware/#2537b652666e
- ZDNet: https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/
- Threatpost: https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/

Further information
- Key Attestation: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
- Defender ATP: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
- UEFI Forum: https://uefi.org/revocationlistfile
- Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

PSIRT information
- Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
- Canonical: https://ubuntu.com/security/notices/USN-4432-1
- Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
- HPE: www.hpe.com/info/security-alerts
- Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
- SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
- VMware: https://kb.vmware.com/s/article/80181


How to use the YARA rules for the "Copy-paste compromises" advisory

Regarding today's "copy-paste compromises" advisory from the ACSC, we've had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided. This is a how-to guide for the YARA rules you may have received. Here is our full commentary on the alert.

Downloading the files

Feel free to download them from the original source; however, we've had some enquiries asking for assistance with this, so we have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements.

- Original ACSC source on cyber.gov.au
- AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP
- AUSCERT AusMISP on AusMISP

The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol, in which case here's how to use them. The green level does not permit us to redistribute them.

Indicators of compromise in CSV

We're not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide.

YARA rules

YARA rules are a widely-used way to format IoCs so that they can be used by scanning engines. Some more info, and the official source, and the official documentation.

How to use YARA rules on your entire fleet (if you're prepared and lucky)

Many Endpoint Detection and Response (EDR) solutions provide YARA support. If you have one deployed, you can import the YARA rules and run them, which will be relatively quick and easy. If not, you could try using your existing fleet management system to deploy YARA and run a scan. For example, on Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of Group Policy background script to run the scan and deliver results. If you try this, we'd love to hear how it goes, and we'd also love any info or scripts you can provide that might help other members. Consider whether this is worth doing for your fleet. Otherwise, keep reading.

How to use YARA rules on Windows

Official binaries are available, so you're in good shape. Head to their Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip). Once you have it, you can scan individual directories or drives, ideally in an admin shell:

    yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C:

(The yarac.exe binary is for compiling rules, which you probably don't need to do.)

How to use YARA rules on Linux

Your distribution's package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros' repositories is out of date and may contain security vulnerabilities, so check the version: the latest release at time of writing is v4.0.1, updated mid-May 2020.

    yum install yara
    apt install yara

To scan your entire system:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions. If your distribution's version is unacceptable, the YARA project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process.

How to use YARA rules on macOS

Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions.

    brew install yara

To scan your entire system:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

Or only scan specific parts:

    yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts

What to do if you find something

Firstly, any rule matches starting with "heuristic" are just that: heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don't panic when you see them, and don't start by investigating them.

Consider advising the ACSC that you need assistance. Copying their advice here for convenience: If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice.

It's also worth noting that the ACSC's advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging. Just make it a priority on Monday.
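A whole-system or fleet scan with the commands above produces one line per match, and the advice to leave the "heuristic" rules until last is easier to follow if the output is sorted for you. The following Python script is an added example (not part of this guide or of the YARA project) that parses captured yara output, groups hits per rule, separates heuristic rules from firm IoC rules, and lists the files to look at first. It assumes yara's default output format of "rule_name path" per line; the sample output, rule names and paths are constructed for the example and are not the ACSC's rules.

```python
"""Triage captured yara output from a fleet or whole-system scan.

Added example, not part of the AUSCERT guide or the YARA project. Assumes the
default yara output format, one match per line: "<rule_name> <file path>".
"""
import re
import sys
from collections import defaultdict

# A rule identifier is alphanumeric/underscore; the path is everything after the
# first space (paths may themselves contain spaces).
MATCH_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*) (.+)$")


def parse_yara_output(lines):
    """Return (rule, path) tuples, ignoring noise such as warnings that end up in
    the capture when stderr was merged with 2>&1."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith(("warning:", "error:")):
            continue
        m = MATCH_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(lines):
    """Split matches into firm IoC rules and heuristic rules, grouped per rule,
    with duplicate paths (e.g. from overlapping scan roots) collapsed."""
    firm, heuristic = defaultdict(list), defaultdict(list)
    for rule, path in parse_yara_output(lines):
        bucket = heuristic if rule.lower().startswith("heuristic") else firm
        if path not in bucket[rule]:
            bucket[rule].append(path)
    return {"firm": dict(firm), "heuristic": dict(heuristic)}


def files_to_investigate_first(lines):
    """Files hit by at least one non-heuristic rule, sorted; heuristic-only
    hits are deferred because they are expected to produce false positives."""
    result = triage(lines)
    return sorted({p for paths in result["firm"].values() for p in paths})


def report(lines):
    """One summary line per rule, firm rules first."""
    result = triage(lines)
    out = []
    for kind in ("firm", "heuristic"):
        for rule, paths in sorted(result[kind].items()):
            out.append(f"[{kind}] {rule}: {len(paths)} file(s)")
    return "\n".join(out)


# Constructed sample output; rule names and paths are invented for the example.
SAMPLE_OUTPUT = [
    "heuristic_example_base64_blob /usr/share/doc/somepkg/README",
    "example_webshell_marker /var/www/html/a.aspx",
    "heuristic_example_base64_blob /var/www/html/a.aspx",
    'warning: rule "heuristic_example_base64_blob" is slowing down scanning',
    "example_webshell_marker /srv/www/uploads/upload 1.aspx",
    "example_webshell_marker /srv/www/uploads/upload 1.aspx",
]

if __name__ == "__main__":
    # Usage: yara -r rules.txt / > hits.txt ; python3 triage.py hits.txt
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(report(lines))
    for path in files_to_investigate_first(lines):
        print("investigate:", path)
```

Redirect the scan's standard output to a file and pass that file to the script; a file that is hit by both a firm rule and a heuristic rule is listed once under the firm rule, which is the one to act on.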


Business Email Compromise

June 2020 update

Here at AUSCERT, we've again seen an increase in instances of business email compromise and would like to take this opportunity to update the list of useful resources on this topic. Scammers will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainties surrounding the COVID-19 pandemic and remote working.

You may find the following articles useful:

- Advice from the ACSC (cyber.gov.au): Understanding and preventing BEC
- Scamwatch: The cost of BEC (report from 2019)
- Threatpost: General advice from Threatpost on issues caused by working from home, including BEC

_____

We've blogged about this before, but instances of business email compromise (BEC) are increasing. The FBI is warning potential victims of a dramatic increase in the BEC scam, with a 270% increase in identified victims and exposed loss since January 2015. From October 2013 through February 2016, losses have exceeded USD 2.3 billion.

BEC scams work because they target specific employees of an organisation with email that appears to be from their CEO, asking for a wire transfer of funds to a nominated recipient. Criminals either compromise the CEO's email account through phishing, or they send the message from a domain very similar to the targeted organisation's. Often, the fraud targets organisations that regularly perform wire transfer payments. The emails avoid being caught as spam because they are not mass-mailed and address specific individuals.

There are some actions you can take to combat this threat:

- Educate users, particularly those that handle payments, about the nature of the attack.
- Follow up email requests with a telephone call to verify their veracity.
- Implement appropriate checking of financial transactions.
- Implement Sender Policy Framework (SPF) to prevent attackers from impersonating your domain, and to help detect and block emails sent to your organisation that use forged domains.
- Don't click on links or open attachments in unsolicited emails.
- Keep desktop anti-malware up to date.
- Don't use your computer day-to-day with an administrator account.

References:
- https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
- https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
- https://www.ic3.gov/media/2015/150827-1.aspx
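Of the actions listed, SPF is the one that a receiving mail server applies mechanically, and it is worth seeing exactly what that decision looks like. The following Python script is an added example (not AUSCERT code) that evaluates an SPF record against a connecting sender address using the ip4, ip6, include and all mechanisms of RFC 7208. It goes slightly beyond the list above by also showing the difference between a "-all" policy, which lets receivers reject a forged sender outright, and a "~all" policy, which only marks it. The TXT records and addresses are constructed in the script; a real receiver fetches them from DNS, and mechanisms that need live DNS (a, mx, ptr, exists) are skipped here.

```python
"""Evaluate an SPF record against a sender IP, with an in-memory stand-in for DNS.

Added example for the SPF recommendation above; not AUSCERT code. It implements
the ip4, ip6, include and all mechanisms of RFC 7208 (enough to show how a
receiving server rejects a forged envelope domain); mechanisms that need live
DNS (a, mx, ptr, exists) and modifiers such as redirect= are skipped.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (documentation ranges only).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # Weak setting: forgeries only softfail, and many receivers still deliver them.
    "weak.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4 limits DNS-querying terms per check


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result: pass, fail, softfail, neutral, none or permerror."""
    if depth > MAX_LOOKUPS:
        return "permerror"
    record = dns.get(domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record gives "pass";
            # a missing record or an error there is a permanent error (RFC 7208 5.2)
            sub = check_spf(arg, sender_ip, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qual]
        elif name in ("a", "mx", "ptr", "exists") or "=" in name:
            continue   # needs live DNS, or is a modifier; not handled here
        else:
            return "permerror"   # unknown mechanism
    return "neutral"   # record has no terminal "all"


def terminal_policy(record):
    """Result a receiver gets for a sender that matches nothing else in the
    record: 'fail' for -all (hardened), 'softfail' for ~all (weak)."""
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.9"),
                    ("weak.example", "203.0.113.9")]:
        print(f"{dom} from {ip}: {check_spf(dom, ip)}")
```

Note that SPF authenticates the envelope sender domain only; a message from a lookalike domain the attacker registered will pass that domain's own SPF, which is why the telephone verification and payment checks above remain necessary alongside it.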


AUSCERT commentary "major cyber attack on Australian governments and business"

Friday 19 June 2020 11.45am AEST

This morning Prime Minister Scott Morrison and Minister for Defence Linda Reynolds announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign "state-based" actor. [1] The Prime Minister says there does not appear to have been any large scale breaches of people's personal information but described the attacks as malicious.

"It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone's responsibility."

As an initial step, we encourage everyone to follow the Government's latest advisory from the ACSC and ASD. [2] Echoing the words of the Minister for Defence Linda Reynolds, we recommend members promptly patch internet-facing software, devices and operating systems and implement multifactor authentication across all remote services. [2]

In addition to the above, this most recent advisory from the ACSC has identified that threat actors are using exploits that are publicly known to have patches or mitigations available. The following vulnerabilities are actively being used for initial access: CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604. AUSCERT strongly encourages members to ensure that all Microsoft SharePoint, Citrix ADC, Citrix Gateway and Telerik UI installations are kept up to date.

Members, this is the time to review the vectors of vulnerability and check whether any indicators of compromise can be found attempting to access your network, or have left traces of activity within your networks. After the IoCs have been verified not to have affected your network, it will be beneficial to then review and apply ASD's Essential 8 where applicable. [3]

With respect to the IoCs shared in [2], our team has consumed them into our MISP instance and is happy to coordinate the sharing of relevant information with our members. As always, members are welcome to contact us for any further information and assistance via auscert@auscert.org.au. Last but not least, AUSCERT is working with our international counterparts in cyber security to handle the indicators of compromise (IoC).

[1] https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-and-business/12372470
[2] https://www.cyber.gov.au/news/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
[3] https://www.cyber.gov.au/publications/essential-eight-explained

Additional references:

Recent ACSC Advisories via https://www.cyber.gov.au/
- Advisory 2020-008: Copy-paste compromises, tactics, techniques and procedures used to target multiple Australian networks (18 June 2020)
- Advisory 2020-006: Active exploitation of vulnerability in Microsoft Internet Information Services (last updated 22nd May 2020)
- Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors (last updated 22nd May 2020)

Recent NIST advisories via https://www.nist.gov/
- https://nvd.nist.gov/vuln/detail/CVE-2019-18935
- https://nvd.nist.gov/vuln/detail/CVE-2019-19781
- https://nvd.nist.gov/vuln/detail/CVE-2019-0604

Our own guidance on consuming YARA rules: https://wordpress-admin.auscert.org.au/blog/2020-06-19-how-to-use-yara-rules-copy-paste-compromises-advisory
