AUSCERT and the APCERT CYBER DRILL 2019   “Catastrophic Silent Draining in Enterprise Network”   Exactly a week a week ago, our team was involved in the 2019 APCERT Cyber Drill.    AUSCERT is proud to announce that we had some staff members as part of the running committee tasked with assisting the organization responsible for this drill and various other staff members as participants. Last but not least, AUSCERT will be running this drill next year in 2020 and the entire team is excited and looking forward to this opportunity.   Please see below for a copy of the official media release:      APCERT Secretariat: JPCERT/CCJapan Computer Emergency Response Team Coordination CenterContact: apcert-sec@apcert.orgURL: www.apcert.org   31 July 2019 MEDIA RELEASE The Asia Pacific Computer Emergency Response Team (APCERT) today has successfully completed its annual drill to test the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. The theme of this year’s APCERT Drill is “Catastrophic Silent Draining in Enterprise Network.” This exercise reflects real incidents and issues that exist on the Internet. This year’s scenario was inspired by a latest security attack on an organization, which relates to the vulnerability that could allow attackers to completely take over vulnerable websites to deliver malware backdoor and cryptocurrency miners. This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. Throughout the exercise, the participating teams activated and tested their incident handling arrangements.  This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. 26 CSIRTs from 20 economies of APCERT (Australia, Bhutan, Brunei Darussalam, People’s Republic of China, Chinese Taipei, Hong Kong, India, Indonesia, Japan, Korea, Lao People’s Democratic Republic, Macao, Malaysia, Mongolia, Myanmar, New Zealand, Singapore, Sri Lanka, Thailand, and Vietnam) participated in the drill. Original copy of this media release can be found HERE  

The Let's Encrypt CAA Code Bug – A Plain View What happened Let’s Encrypt recently found a bug in their CAA checking code and after remediating the bug [1] on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totalling approximately 3 million certificates [2]. Let’s Encrypt company engineers provided a technical update [1]: “ On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking. The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt. We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance. Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete. “   Cert Revocation, Renewal and Replacement Let’s Encrypt report they are aiming to “complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST)”. Those affected should continue to renew and replace affected with new certificates. [3]   Impact Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties.  Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in-place could trigger errors in browsers and other applications, cause loss availability and/or trust, all potentially causing harm to the companies that rely on them.   Impacted Customer Communications From Let’s Encrypt Let’s Encrypted reported they “have sent notification emails to affected subscribers who have registered an email address”, although believe some customers “may not have received an email if they did not provide an email address while registering” their ACME account. [3] In this latter scenario, Let’s Encrypt are directing customers with any need to re-subscribe to email notifications to https://letsencrypt.org/docs/expiration-emails/ . [3] It is worth considering that email delivery issues or spam filtering may also be the cause of missing the email which ultimately advises affected customers to renew their certificates. [3]   If you are looking for the missing email you can search for the following subject line within your mailbox or email gateway logs: “ACTION REQUIRED: Renew these Let’s Encrypt certificates by March 4”   If you are unsure whether your hostname is affected, use the checking tools described in this post.   Via AUSCERT As a passionate not-for-profit CERT organisation, we routinely monitor industry updates, news and other intel feeds. Due to this practice, we were promptly aware of the public bug announcement from Let’s Encrypt and following a proactive course of action, we identified AUSCERT Members with affected certificates and are currently working with them.   Identifying an affected certificate Let’s Encrypt have published a page hosting the list of affected serial numbers relating to the 2020.02.29 CAA Rechecking Incident [3].  That page details the downloadable file contains a list of all affected certs, sorted by account ID. [4] Checking Tools/methods There are several methods or tools providing a means to check for an affected certificate. Online Common Tools Curl OpenSSL Purpose built script   Online If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool seen in the screenshot below available at: https://checkhost.unboundtest.com/ .   Common Tools Curl The curl command on a linux system can be used in conjunction with online tool https://checkhost.unboundtest.com/ against a target website to show its current certificate serial number. The following two example indicate affected and non-affected certificate responses. Response 1: Affected Certificate $ curl -XPOST -d ‘fqdn=www.REDACTED.au’ https://checkhost.unboundtest.com/checkhost The certificate currently available on www.REDACTED.au needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. See your ACME client documentation for instructions on how to renew a certificate. Response 2: Non-Affected Certificate $ curl -XPOST -d ‘fqdn=letsencrypt.org’ https://checkhost.unboundtest.com/checkhost The certificate currently available on letsencrypt.org is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 03a1c95bdaa36a8268327f2253cbd3ba2436   OpenSSL As seen in the following examples, the openssl command (linux) can be used against a target website to show its current certificate serial number: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             0fd078dd48f1a2bd4d0f2ba96b6038fe   openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             03a1c95bdaa36a8268327f2253cbd3ba2436   Purpose-Built Script Github – Let’s Encrypt CAA (lecaa) checking scripts [5] A purpose-built script hosted on Github [5] and created by Hanno Böck [6] “…allows you to efficiently check affected hosts”. Hanno Böck advised on his github page that the script was created after “Let’s Encrypt announced a bug in their system’s CAA checks, which forced them to revoke 3 million certificates on very short notice”.   Let’s Encrypt credit the lecaa script as useful tool and refer customer to use it by advising “if you have a large list of domains you need to check, this tool will be more effective. [3]   Where certificates are found that are not affected, Let’s Encrypt said “even if you received an email, it’s possible that the affected certificates have been replaced by newer certs not affected by the bug. (Either due to being issued in the last few days since it was fixed, or simply by not meeting the specific timing criteria necessary for the bug to trigger.) In that case, it’s not necessary to renew them again”. [3]   Questions Anyone who has questions should review the Q & A’s seen on Let’s Encrypt’s FAQ [2], then should questions remain after such review, they should contact Let’s Encrypt directly.   References [1] 2020.02.29 CAA Rechecking Bug https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 [2] Revoking certain certificates on March 4 https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864 [3] Download affected certificate serials for 2020.02.29 CAA Rechecking Incidenthttps://letsencrypt.org/caaproblem/ [4] File containing serial number of the affected certificates https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz [5] Github – Purpose Built Checker (lecaa) https://github.com/hannob/lecaa [6] Hanno Böck https://hboeck.de/  

2019 Membership Annual Survey results We would like to take this opportunity to thank all members for their continued support and appreciate their contribution to the growth of the current cyber security practice and industry in the ANZ region. We are pleased to share some insights from the survey here and aim to drive our strategic plans and commitment for 2020/21 according to the various feedback provided by our members.  Key findings: Members gave us valuable feedback on potential new services with the top 3 being: Threat Intelligence Reports, Self Service URL Analysis and a Fixed-Scope Remote Service. Our members’ preferred method of hearing from us is via email and they would like us to introduce Slack as an additional form of communication. The majority of our members were either satisfied or very satisfied with their AUSCERT membership value and gave us an average score of 4.2/5.0

2019 Cyber Security Survey Complete the 2019 Cyber Security Survey The cyber landscape is constantly changing, and the number and level of sophistication of attacks are increasing.  Being aware of the latest cyber security threats and trends in the industry can help your organisation put the right measures in place to protect against cyber threats.  Is your organisation prepared to manage the impact of a significant cyber event?  How do your cyber practices stack up against other organisations in your industry? The fourth BDO and AUSCERT Cyber Security Survey is now open. This annual survey, aimed at key decision makers, identifies the current cyber security trends, issues and threats facing businesses in Australia and New Zealand. Participation gives you direct access to our survey report, allowing you to: Compare your organisation’s cyber maturity against peers Benchmark your business’ current cyber security efforts with trends in your industry Identify potential gaps in your organisation’s cyber security approach Determine ways to improve your organisation’s cyber security culture, planning and response measures. Take part now Don’t miss out on your chance to gain free insight into the maturity of your organisation’s cyber security approach. The survey closes at midnight on Friday 1 November. The survey is anonymous and takes less than 10 minutes to complete. The survey also offers the chance to win one of three Apple Watches.* For more information about this survey contact our team: membership@auscert.org.au * Refer to the survey competition terms and conditions.    

AUSCERT at the APCERT Conference 2019 AUSCERT was represented at the recent APCERT 2019 gathering in Singapore by Senior Information Security Analyst, Geoff Thonon and Senior Security System Administrator, Colby Prior.  Highlights of this work trip included the below initiatives.  _____________________________________________________________________________________________________________________________ APCERT-AGM 2019 Teams that are part of APCERT (Asia Pacific Computer Emergency Team)[1] took part in the APCERT Conference 2019 which kicked off on Sunday the 29th September.  This was Day One of the APCERT Annual General Meeting and like with all groups that meet once-a-year, the day was filled with reports on the years’ activities. Working Groups [2] were queued up and reported on the progress of various projects that makes the APCERT community more effective as a whole.  [1] http://www.apcert.org/[2] http://www.apcert.org/about/structure/groups.html   AUSCERT @ APCERT Drill-WG AUSCERT co-presented  with the convenor of ThaiCERT on the APCERT-Drill that took place in 2019 [1].  AUSCERT rallied the group to participate in and briefed them about the APCERT-Drill 2020, within a diverse set of roles.  Along with rallying the group for the coming Drill, some factors were highlighted in using the currently available platform(s) within APCERT in terms of communication and coordination, as well as using this event to further further promote cooperation with all new CERTs/CSIRTs in the Asia Pacific region.    [1] http://www.apcert.org/documents/pdf/APCERT_Drill2019_Press%20Release.pdf ______________________________________________________________________________________________________________________________ We look forward to hosting the APCERT-Drill in 2020 and to meeting our colleagues at the next APCERT annual conference!

Ryuk Ransomware and Action – Summary Information Hello! Welcome to my first blog post, today topic involves Ryuk Ransomware, which has had some press of late thought it might be useful to supply summary details about this ransomware variant to aid understanding and steps to aid mitigation. Written for quick absorption, without further ado, please find ready for consumption a non-exhaustive, best effort ‘Ryuk Ransomware and Action – Summary Information’ below the fold (popcorn optional).   ** Ryuk Ransomware and Action – Summary Information ** Meaning: “Gift of God”Highly complex ransomware, constantly under development Primary purpose: “Money Maker”Secondary purpose: Potential sald for further exploit (compromised host marketplace) Trojan Associations: – Emotet (modular malware, emerged in 2014, primarily used as downloader for other malware, i.e., trickbot & IcedID)– Trickbot (spyware, emerged 2016, mainly used to target banks, distributed via spam email or Emotet’s geo-based d/l function) *Highlevel Process Flow – Ryuk Ransomware (quick simple flow)*– Spam email /w malicious doc– Emotet and/or Trickbot malware installed– Credential theft– Create new Admin User– Lateral movement through network– Recon Active Directory– Attempts to disable host security protection and 3rd-party backup services– Deletes Windows VSS shadow copies– Ryuk ransomware deployed *Detail/Notes* Ryuk Stealth Aspect: – Dropper is deleted by payload– Encryption could occur days, weeks or year after infection– Activation delay presumed to be surveillance related / actors performing reconnaisance on their ‘big game’ – Known Anti-forensics include PowerShell anti-logging scripts, anti-analysis infinite loop Encrypted file extension: .RYK Ransom note filename: “RyukReadMe.txt”Ransom note includes: – Two private email addresses– In addition, variants observed, one includes payment related details, whilst another doesn’t and victim to make contact Lateral movement: – RDP Usage (via brute force and vulnerability exploit)– SMB exploit (MS17-010)– Continues until privileges recovered to reach DC. Makes use of any or all of following tools:– PsExec (free Microsoft sysinternals tool): To push Ryuk binary to individual hosts– PowerShell Empire: D/L and installed as a service, PowerShell agents and keyloggers– ‘pwgrab’ (Trickbot module) for recovering credentials– Mimikatz: Steal admin credentials and create persistent backdoors Persistence: – Early variants had persistence, – recent reports indicates newer variants do not persist after restart– be prepared for either Interesting: – TrickBot is leveraged for lateral movement and to infect as many machines as possible   (It then deploys Ryuk at a randomly determined time)– When TrickBot compromises a machine, it is bundled with a library of modules, used to:  – perform reconnaissance  – harvest credentials  – perform lateral movement – Ryuk:  – attempts to disable AV products and delete Windows VSS shadow copies before ransomware starts encryption procedure  – operates with a whitelist of three file extension types: exe, dll and hrmlog     (hrmlog believed to be a debug log filename created during development of Ryuk’s 2017 predecessor, Hermes ransomware)  – disables several 3rd-party backup services, including Acronis, SQLSafe, VEEAM, and Zoolz – PowerShell Empire, a well-known penetration-testing tool, is no longer maintained by its creators (respected members of the infosec community)   – its capabilities and behaviors closely resemble those used by current nation state advanced persistent threat actors   – evades security solutions, operating in a covert manner, and enabling attackers’ total control over compromised systems   – Empire’s use among cybercriminals grew exponentially and in 2018, the UK’s National Cyber Security Center included Empire on its shortlist of the five most dangerous publicly available hacking tools   – However, development of Empire framework stopped after creators said “project reached its initial goal” – Ryuk victims may have a small chance of getting free decryption through Security firm Emisoft’s free decrypt tools *Defending against Ryuk and other ransomware*Considerations that usual methods for delivering ransomware are rarely complicated, simply relying on tried and tested techniques such as:– exploiting vulnerabilities– sending spam and phishing emails– stealing user credentials (also consider obtained via credential stuffing) User/staff awareness!– enhance your user saviness and confidence in identifying and appropriately fielding suspicious emails– encourage users to be avid first line reporters ASD Essential 8 Mitigation Strategies:– preventing malware delivery and execution  – application whitelisting  – configure MS Office Macro setting  – patch Apps  – user app hardening– limiting the extent of cyber security incidents  – restrict administrative privileges  – MFA  – patch operating systems– recovering data and system availability  – daily backups Other Government produced advisories:– Follow ACSC “Guidelines for System Management” (October 2019), ensuring networks and systems are patched or appropriate measures are in place  – advice included under ‘When patches are not available’– Review NCSC guidance publication named “Mitigating Malware”, specifically section four titled (see references for url):  – “What to do if you (or your organisation) has been infected with malware” Enterprise deployment or configuration considerations include… Follow industry best practice wherever, or whenever possible, however specific recommendations as follows… Following good practice, non-exhaustive:– Restrict use of system administration tools, i.e., PsExec, do admins really need to use it?– Disable unnecessary services, i.e., RDP/terminal services Backups – you might have them, but recommend testing them during quiet times! Logging:– goes without saying, but logs are essential– ensure logging is enabled wherever possible (and you have capacity for it), inc PowerShell logging and security– sysmon is also a handy tool,   – free from MS sysinternals  – offers valuable capabilities, event collection, processes, netcons, hashes, registry mods, file creations and more!  – SIEM forwarding, i.e., a sysmon add-on for splunk exists Software Restriction Policy (SRP):– SRPs are a Group Policy-based feature that identifies software programs running on computers in a domain– controls the ability of those programs to run, including specific file path locations, e.g., %APPDATA% directory in the user profile – Software restriction policies are part of the Microsoft security and management strategy Perform annual policy reviews and enforce compliance Detecting Compromised Hosts:– review available Indicators of Compromise (IoCs)   – SIEM, security solution revews (searchable audit trail if not fed into SIEM), cloud analytic services (e.g., MS Defender ATP)– Email Security / Gateway reviews  – ID recipients of an identified phishing email, solutions such as Mimecast can track users interaction with rewritted urls, malware may not have activated yet– undertake appropriate scanning / log reviews   – outbound traffic f/w log reviews  – vulnerability scan assets within specified IP ranges to detect assets and associated vulns, especially SMB related, e.g., eternalblue    (shine your light in your network! did you know about all assets listed in results?)  – SCCM review, are you offering all appropriate patches?    – marry up what is listed vuln wise within your vulnerabilty scanning tool asset results, and what is offered by SCCM     – use automatic deployment rules (ADRs) rather than adding new updates to an existing software update group    – typically, you use ADRs to deploy monthly software updates Proactiveness:Configure alerting on detection of – anomalous command execution, e.g., “vssadmin.exe Delete Shadows /All /Quiet”– unusual administrative tool use within SIEM, e.g., PsExec, net commands – privileged and service account monitoring– obfuscated commands, see something obfucated? it can’t be good PsExec spotlight:– The service PSEXESVC will be installed on the remote system  – 4697 and/or 7045 event log entry    – Note, the 4697 event, if available, may also contain account information  – may also have 4624 and/or 4625 Windows Event log entries, capturing the logon events of the tool usage.– SIEM search Application Compatibility Cache / RecentFileCache.bcf– evidence of program execution in the Application Compatibility Cache (“AppCompat”) and/or Amcache,   – replaces the RecentFileCache.bcf in newer Windows operating systems Last note on the topic of ‘external providers’ or contractors, non-exhaustive considerations:– their need to following org policy– what access into Enterprise they have– their skill level *Reading List*https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-ransomware/https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ryuk-ransomware-shows-diversity-in-targets-consistency-in-higher-payoutshttps://success.trendmicro.com/solution/1123892-ryuk-ransomware-informationhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-responsehttps://blog.trendmicro.com/trendlabs-security-intelligence/trickbots-bigger-bag-of-tricks/https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.htmlhttps://www.wired.com/story/what-is-credential-stuffing/https://www.sentinelone.com/blog/ryuk-ransomware-targets-av-solutions-not-just-files/https://www.zdnet.com/article/development-stops-on-powershell-empire-framework-after-project-reaches-its-goal/https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/https://www.emsisoft.com/ransomware-decryption-tools/https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-toolshttps://www.ncsc.gov.uk/guidance/mitigating-malwarehttps://www.secjuice.com/enterprise-powershell-protection-logging/https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policieshttps://4sysops.com/archives/application-whitelisting-software-restriction-policies-vs-applocker-vs-windows-defender-application-control/http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updateshttps://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdfhttps://www.splunk.com/blog/2019/06/12/defending-against-common-phishing-frameworks-kits-with-splunk-enterprise-security-content-updates.htmlhttps://www.splunk.com/blog/2019/06/12/monitor-for-investigate-and-respond-to-phishing-payloads-with-splunk-enterprise-security-content-update.htmlhttps://www.splunk.com/blog/2017/07/06/hellsbells-lets-hunt-powershells.htmlhttps://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-divehttps://medium.com/@bromiley/digging-into-sysinternals-psexec-64c783bace2bEmotet:   https://attack.mitre.org/software/S0367/Trickbot: https://attack.mitre.org/software/S0266/PsExec:   https://attack.mitre.org/software/S0029/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmonhttps://splunkbase.splunk.com/app/1914/https://github.com/MHaggis/sysmon-dfirhttps://www.zdnet.com/article/new-zealand-comcom-suffers-breach-after-laptop-theft/ *Further reading*https://www.cyber.gov.au/ism/guidelines-system-managementhttps://www.sans.org/reading-room/whitepapers/detection/disrupting-empire-identifying-powershell-empire-command-control-activity-38315https://www.cisco.com/c/dam/en/us/products/se/2019/2/Collateral/cybersecurity-series-threat.pdfhttps://www.staysmartonline.gov.au/   AUSCERT as a non-profit organisation aims to help all, and it is also my personal hope that this post will serve to empower Australians, even if in a small way.  Arriving during Stay Smart Online Week (7-13 October), it’s my pleasure to make this post to support the community, and their efforts in reversing or recovering from cybercrime.  For more information about Stay Smart Online week, please visit the dedicated Australian government website (see further reading). This post has been formed from a wide range of articles, blogs and publications (see reading list) and curious readers are encouraged to dig further if interested.  I will also highlight the important and informative efforts that those varying industry author groups or organisations have made, and continue to make. All efforts are critical in understanding the specific and evolving threats, and research made towards mitigation steps, or methodology formation.   Stay safe and stay smart! Colin Colin Chamberlain CISSP, GCFA, eCTHPSenior Information Security AnalystAUSCERT

AUSCERT: What’s next in 2019? It’s been a month since the wrap up of our annual AUSCERT Cyber Security Conference and we’re now at the start of the second half of 2019. To kick things off for the rest of the year, allow us to recap a few initiatives we’ve accomplished in the industry and goals that our team’s looking forward to achieve in the next six months:  “It’s Dangerous to Go Alone” In honouring the theme from our conference, we have joined forces with the Council of Australasian Directors of Information Technology (CAUDIT) and Australia’s Academic and Research Network (AARNet) to create the Australasian Higher Education Cybersecurity Service (AHECS). Together with CAUDIT and AARNet, we are working together to address the industry’s unique cyber security challenges, with an aim to develop coordinated services that are tailored to the Australasian higher education and research sectors. This AHECS initiative will span across several tertiary institutions to build group strength and a trusted community through engagement, advocacy, and support. In addition to this, we continue to work with the Department of Premier and Cabinet and all of the Victorian Government workforce, one of the largest and most diverse enterprises in Australia – both in delivering our member services as well as providing their team with an in-house training module on the topic of ‘Incident Response Planning’ Both of these examples showcase our commitment for our members to “Empower their People, Capabilities and Capacities” by providing an extension of their workforces and channelling the expertise gained from an AUSCERT membership directly into their business processes.  Training courses with AUSCERT  We are continuing with our training workshop offerings to our members and the wider information security community by providing the following options:  Incident Response PlanningBe equipped with the tools to write a bespoke incident response plan for your organisation  MISPSet-up, configure and integrate Malware Information Sharing Platform into your organisation’s cybersecurity defense strategy  Cyber Security Risk ManagementGain the confidence to perform a risk assessment of cyber security risks and the ability to rate and assess business risks rather than technical vulnerabilities Introduction to Cyber Security for IT professionals Understand information security principles, cyber security as a risk to business objectives; and cultivate an appreciation of the current cyber threat landscape Cost $990 for members $1980 for non-members Customised in-house or group training options At AUSCERT we are also able to develop tailored industry and/or government content with each of our members and clients to ensure that the resulting workshop meets their needs and objectives – P.O.A  To find out more on each of these training courses – let us know what topic(s) you’re interested in, number of people from your organisation and city/state location – please contact us via membership@auscert.org.au  New services: MISP feed (AusISAC) and ADIR Over the past couple of years, AUSCERT has coordinated and run a highly-successful information sharing group for the tertiary education sector, and we are pleased to announce the establishment of an AUSCERT Information Sharing and Analysis Center (AusISAC); now available to general members. Members who join will be given access to our MISP platform, where we share a curated feed of threat intelligence gathered from multiple sources, and our own malware and threat analysis.  Cost of service: $20,000 Sign up now and receive a complimentary half-day remote MISP training session (we will cap these sessions at a maximum of 5 participants in each class!). Please note that members who subscribe to this service cannot use it for commercial purposes.  We have also launched the AUSCERT Daily Intelligence Report (ADIR) service. ADIR is a daily summary of information security news, with a focus on the Australian cyberspace. To sign up, send us an email via membership@auscert.org.au. UQ Cyber Security Initiative  One of the most exciting projects we’ve been lucky to be involved in this year has been our relationship and collaboration with colleagues from UQ’s School of Information Technology and Electrical Engineering through their Cyber Security Initiative. In the next six months or so, our collaboration with this team will continue to evolve in a few different ways:  1 August, public seminar by Professor Corey Schou from Idaho State University   30 September to 4 October, (ISC)2 and CISSP CBK training ‘UQ Cyber Squad’ – allowing students from any field of studies and course level to represent the University at local and international cyber-security competition  Mike Holm AUSCERT Operations Manager   

AUSCERT celebrates launch of new website AUSCERT is Australia’s original, and one of the world’s longest-serving, Cyber Emergency Response Teams (CERT). This year marks 26 years since we launched our specialist cyber-security services through The University of Queensland in 1993. Business Team Leader, Bek Cheb, said “We’ve seen so much change in the cyber-security industry over the past two and a half decades. In particular, the technology and people skills essential to providing high-quality cyber safety, data security and data protection have evolved radically. To mark our 26-year milestone, AUSCERT has launched a new brand image and website to further enhance the service we provide to members. The new site is easier to navigate and provides better access to security information. Members can download PGP/GPG signed versions of Security Bulletins; access information about member meetups hosted by AUSCERT; and keep up to date with industry news and the latest in information security issues. AUSCERT is a member-based not-for-profit organisation, so offers one of the best value threat intelligence and incident response services available. We are trusted by 500+ clients, including every university in Australia, a number of government departments and a variety of private companies. The AUSCERT services are numerous but revolve around providing specialist security support to help prevent, detect, respond to and mitigate cyber-based attacks. AUSCERT members receive timely threat and vulnerability alerts and access to a range of services including: Incident Management Service The Incident Management Service includes coordination and handling, providing assistance and expertise to help detect, interpret and respond to attacks from around the globe. AUSCERT acts as a trusted intermediary, coordinating communication about incidents between affected parties. Phishing Take-Down Service AUSCERT’s Phishing Take-down service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected. Security Bulletin Service AUSCERT Security Bulletins contain information about threats, vulnerabilities, patches and workarounds of an IT security nature that AUSCERT believes would be of interest to our members (and the public). AUSCERT provides up-to-date information on a range of software and hardware products, published in a standardised format with a consistent approach to classifications of vulnerabilities, impacts and related operating systems. Member Security Incident Notifications (MSINs) AUSCERT provides Member Security Incident Notifications (MSINs) to members. These notifications are relevant and customised security reports containing notifications for organisations’ domains and IP ranges. These notifications can include more than one incident, so you remain up-to-date on the latest threats and vulnerabilities. A full list of services can be found here.

AUSCERT at 2019 FIRST Conference I had the absolute pleasure of attending the 2019 FIRST Conference for the first time (no pun intended!) recently. FIRST is the Forum of Incident Response and Security Teams and it brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors. This year’s conference theme was “Defending the Castle” and there were approximately 1100 delegates, a very full program over 5 days and plenty of opportunities to meet other cyber security teams and share ideas across the board. One of the aspects I enjoyed thoroughly was my introduction to other CERTs from the Asia Pacific region and gaining a greater understanding of the role AUSCERT plays in this community.   (Photo credit: APCERT) I also wanted to take this opportunity to highlight a couple of my favourite speaker sessions here: “Waking up the Guards – Renewed Vigilance Needed to Regain Trust in Fundamental Building Blocks” by Merike Kaeo of Double Shot Security was my favourite keynote. Merike spoke about the days when trust was inherent and how we now see exploitation of fundamentals such as routing, DNS and certificates. She invoked the question of ‘How can we regain trust and control of where our data goes and by whom it is seen?’ and it really got me into thinking about the current cyber security landscape and how we can all do better in this space. The other speaker session I enjoyed was the talk presented by the Cisco Umbrella research team on the topic of “Detecting Covert Communication Channels via DNS”. I thought this was an absolutely fascinating subject and one that is worth further research within AUSCERT.  As the conference wrapped up at the end of last week, I walked away feeling very inspired about the fact that there is such a strong community spirit that fosters great collaboration within our industry. I am certain that AUSCERT and UQ can AND need to play an even more active role in the future! David Stockdale Director

AUSCERT2019: that’s a wrap! The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here’s a summary of conference highlights for those who couldn’t attend.   Sensational Keynotes AUSCERT2019 featured three legendary keynote speakers; Mikko Hypponen, Troy Hunt and Jessy Irwin. Each covered a different area within cyber security and shared their knowledge and expertise generously. Mikko is a globally-renowned tech security guru working as the CRO of F-Secure. He has written research for the New York Times, Wired and Scientific America also, frequently appearing on international TV. At the conference he spoke on ‘Computer Security: Yesterday, Today and Tomorrow’. A key takeaway from Mikko was on IoT devices. When observing data security, it is likely that in the future these devices will no longer tell you they are connecting to the internet, but will pass your data straight to the manufacturer. To view Mikko’s presentation, you can visit the AUSCERT YouTube channel here. Troy is an independent security trainer, speaker and Microsoft Regional Director. He’s most commonly recognised as the founder of the data breach monitoring and notification service ‘Have I Been Pwned’ (HIBP). Troy spoke on ‘The Data Breach Pipeline: How Our Data is Stolen, Distributed and Abused’. A key takeaway from his presentation was on password managers and how they can solve a lot of password-breach related issues. Changing your password regularly is no longer enough, you need more complex solutions. To find out more about Troy’s keynote, you can view his presentation here. Jessy is a security expert and Head of Security at Tendermint. Her role means she excels within translating complex cybersecurity problems into relatable terms and she also develops, maintains and delivers on comprehensive security strategy. Jessy spoke on ‘How Security Teams Can Evolve to Win Friends and Influence People’. Jessy’s intention was to challenge some standard ways of thinking within the cyber and information security industry and she certainly succeeded in doing so. To download a copy of Jessy’s presentation, please click here. Jessy’s presentation can be viewed here.   Networking Events The ‘Beers of the World’ session is the ceremonial welcome to all delegates attending AUSCERT2019. Attendees are encouraged to mingle with vendors, sponsors and other industry professionals while tasting an array of beers from around the globe. This is a great opportunity to connect with other industry professionals in a relaxing environment. On Thursday evening conference delegates were entertained at the venue’s poolside bar by the phenomenal crew from Jetpack Events who showcased their acrobatic prowess and delighted the audience with an amazing fireworks display. This year, the Gala Dinner theme ‘Legend of the Gala’ paid a subtle homage to our main conference theme and is derived from the ever popular Legend of Zelda video game franchise. We even saw a number of Zelda enthusiasts in full costume, kudos to them! Dinner guests were entertained by the talented speed painter Brad Blaze who wowed the audience with his Zelda inspired artworks.     Sponsors Booths Alongside the array of speakers were more than 50 sponsors and supporters of AUSCERT.. Each had their own designated booth space where they spoke to delegates and showcased their services. Some sponsors also engaged with delegates through interactive games and demos at their booth. There were hackathons, drone prizes and darts to name a few. A special shout-out to colleagues from Context Information Security who ran a PWNtoDrone CTF challenge which delegates enjoyed immensely. In between sessions, delegates were also able to engage in the annual lock-picking and lego building sessions. These interactive activities  provide a nice break for delegates to unleash their building and lock-picking skills; not to mention keeping the lego when you build it. Overall, AUSCERT2019 was huge success. We trust that all attendees enjoyed their time and ultimately learned new skills and strategies to keep their data and network safe in the new digital and mass-data era!

Malware threat indicators in AWS using MISP Every zero-day vulnerability is an attack vector that has existed before the day it was announced. When this happens we must vigilantly patch all of our vulnerable services while also ensuring that nothing has been compromised. We share threat indicators to limit the potential impact of attackers; however, when a new malware indicator has been identified in the wild, updating your firewall isn’t always enough. AWS GuardDuty is a great solution for parsing VPC flow logs and Route53 query logs with public threat feeds. Attacks targeted against specific industries are often underrepresented in public feeds. There are also delays from when the attack is first seen until when the data is pulled into a threat feed. Amazon Athena is a valuable tool we can use when it comes to searching for threat data in AWS accounts. Athena allows you to query large amounts of data from S3 using a SQL syntax. AWS has helpful guides for how to set up VPC flow logs to be queryable from Athena here. Searching over large amounts of flow log data quickly is very useful; however, we will want automatic integration with MISP to identify malicious traffic. We can pull out malicious IP addresses from the MISP API. Below is a screenshot of the MISP query builder. This example shows a search for all of the malicious IP addresses (ip-dst) over the last seven days with the intrusion detection system (IDS) flag set. The IDS flag lets security analysts highlight which attributes of an event are strong indicators of compromise. For example, if a malware package sends a DNS request to the google nameserver 8.8.8.8 it may help identify the malware family, though this by itself does not represent a host is compromised. Pulling the list of malicious IP addresses can be performed in a scheduled Lambda task running the MISP python API. This example shows how attributes can be pulled and dumped out as a CSV file. #!/usr/bin/env pythonfrom pymisp import PyMISPimport jsonmisp = PyMISP('https://misp.localhost/', '<api-key>', True, 'json')ret = ""result = misp.search('attributes', type_attribute = 'ip-dst', to_ids = True)for attribute in result['response']['Attribute']: ret += attribute['id'] + "," ret += attribute['event_id'] + "," ret += attribute['value'] + "n"print (ret)   This file can then be used to set up a new Athena database table. The example here shows the syntax to create a basic table for malicious IP addresses while retaining the MISP event ID. CREATE EXTERNAL TABLE IF NOT EXISTS misp_dest_indicators ( attributeid int, eventid int, destinationaddress string)PARTITIONED BY (dt string)ROW FORMAT DELIMITEDFIELDS TERMINATED BY ' 'LOCATION 's3://your_log_bucket/vpcflowlogs/';  Now we have all of the data to parse over our VPC flow logs with our MISP threat indicators. Joining these Athena tables, we can see if any of our MISP indicators show up in our VPC flow logs. SELECT v.account,  v.interfaceid,  v.sourceaddress,  v.destinationaddress,  v.action,  m.attributeid,  m.eventidFROM vpc_flow_logs v,  Misp_dest_indicators mWHERE v.destinationaddress = m.destinationaddress; If we want this in a more automated process we can execute this Athena query directly from Lambda. We could then trigger an alert with SNS if we find any matches on our hosts. For example: import boto3 session = boto3.Session()client = session.client('athena', region_name='ap-southeast-2') response = client.start_query_execution(    QueryString='select * from vpc_flow_logs limit 100;',    QueryExecutionContext={        'Database': 'vpc_logs'    },    ResultConfiguration={        'OutputLocation': 's3://<bucket>'    }) This solution allows us to search over large amounts of data when a new threat emerges. We also want to make sure these security events don’t happen in the future. AWS has a threat detection service called GuardDuty which will passively search for threats in VPC flow logs and Route 53 query logs. GuardDuty can use custom threat lists from S3 which allows us to provide another dump of MISP threat indicators in a text file. This will then alert any future events where hosts will try to route to any of these hosts to your security team. This will then alert your security team to any future events where hosts try to route to any malicious addresses.

An experience of APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific.   I feel incomplete when I hear only one voice, and this blog is, in its form just that, one voice about an event I had the honor of being part of.   My preferred option, to make a story whole, is to take the different voices and listen other people tell the story of what happened.  This way I get a better picture of the impact and significance of an event or perhaps glimpse a pattern of directed effort. The event was the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop for the Pacific and the the glimpse of the effort was APNIC Foundation’s drive to impart skills, know-how, and cohesive trusted contacts, to as many Pacific nations as possible given APNIC Foundation’s engagement over the past few years.  These activities supports APNIC, in building human and community capacity for Internet development in the Asia-Pacific region. This workshop was organized by the APNIC Foundation with support from APNIC and Samoa’s Ministry of Communications and Information Technology, and funding from the Cyber Cooperation Program (Australia’s Department of Foreign Affairs and Trade – DFAT). Participants of APNIC Foundation’s 3rd CERT/CSIRT workshop for the Pacific My recollection of the APNIC Foundation’s 3rd Regional CERT/CSIRT workshop was from the perspective of a guest assistant speaker, bringing only a splinter of expertise from AUSCERT along with its perspective of cyber security as a non-profit member-based CERT. I have been fortunate to join APNIC’s Adli Wahid, a veteran of delivering these types of courses, in facilitating the workshop.    Participant at one of the sessions of the 3-day workshop And so in delivering some of the material over the three days, I did get the chance to hear the perspective of cyber security from different Pacific nations, but not just at the national constituency level, but also at the level of Financial Institutions Universities Ministries Law Enforcement and Utilities. Every person that attended brought their own skill sets and perspectives on cyber security given to them by their opportunity and work environment.  Every Pacific nation that sent a delegate to the workshop brought their skills and perspectives, to be honed from a barrage of tools and techniques that could be fit in the time three days can offer.  Let’s be clear, these delegate were not empty vessels that were filled up with skills in three days but already had a solid foundation of process and techniques. The three days just brought in new tools and shared perspective.   This was evident, with a little coaxing, from the effective interaction on the final day’s table top exercise.  The participants were split up into five distinct teams with economy wide responsibilities.  One of the first questions that I was asked was, “…is this a competitive drill?…”,  where one team needs to outdo another.  Perhaps it should have been, but the purpose of this table top exercise, as is the case in solving internet borne issues,  is apply a collaborative effort to efficiently and effectively address cyber security.  At the end of the exercise, all triggers to take down malicious infrastructure were called out by various player-teams and a sense of empowerment from each team came out from the fact that each contributed a meaningful task in cleaning up the exercise’s scenario.   Each team with their set of expertise and their vision into the scenario, realised that in solving of cyber security issues, each had a very important piece of work to do in addressing the problem as a whole, and were by the end of the day, working together as one.  What filtered out as the best lesson out of the three days of the workshop, is that it is paramount to make an effort that internet connectivity be molded and protected, as a tool to bring out the best opportunity for economic growth at every level of society that the internet touches.   It’s been great to have seen APNIC Foundation’s take that effort of uniting skills and collaboration across the Pacific for the third time, and it is hoped that they will be given the tools to continue this effort far into the future.  For, although I was honored to be a guest speaker for the 3rd Regional CERT/CSIRT workshop, I feel I too learned a lot from the delegates and that I’m bringing back to AUSCERT able and trusted contacts that, should we see cyber security issues in the Pacific, we can all collaborate with them on making a safe, clean and reliable internet.   Geoffroy ThononSenior Information Security AnalystAUSCERT