Week in review

AUSCERT Week in Review for 15th July 2022

Greetings, Last week in our blog, Staying aware this tax time, we looked at potential risks for individuals in relation to phishing and smishing, specific to Australian tax processes. A recent article from The Conversation expands upon this growing trend, providing examples of methods used by scammers to gain an insight into the lives of potential targets, with their age and social status key data. It goes on to explain that information from social media is making it easier for scammers to create phishing attacks specifically targeting people, due to the abundance of personal information available about them. Increasing global connectivity and our growing reliance on technology are factors that have fuelled the growth of IT/OT convergence. This area is a perpetual work in progress and is discussed in the first episode of Season 2 of our podcast series. Episode 13, features a chat between Anthony Caruana and Lesley Carhart who discuss the intersection between cyber security and operational technology, including the increased risk and vulnerability throughout the industry. Microsoft's July Patch Tuesday fixes actively exploited bug Date: 2022-07-12 Author: The Register [See also: ASB-2022.0137] No, Windows Autopatch didn't kill the monthly patchapalooza PATCH TUESDAY Despite worries that Patch Tuesday may not be as exciting now that Microsoft's Windows Autopatch is live — with a slew of caveats — the second Tuesday of this month arrived with 84 security fixes, including 4 critical bugs and one that's under active exploit. Let's start with the one that miscreants have already found and exploited. CVE-2022-22047 is an elevation of privilege vuln in Windows' Client Server Runtime Subsystem (CSRSS). Microsoft deemed it an "important" security issue, with low complexity and low privileges required to exploit. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the security advisory explained. Ransomware gang now lets you search their stolen data Date: 2022-07-11 Author: Bleeping Computer Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data. The new tactic consists in adding a search function on the leak site to make it easier to find victims or even specific details. At least two ransomware operations and a data extortion gang have adopted the strategy recently and more threat actors are likely to do the same. Deakin University reveals breach of 47,000 students' details Date: 2022-07-13 Author: iTnews Subset targeted with smish sent via officially-used SMS channel. Deakin University has revealed a data breach impacting almost 47,000 current and past students, along with a ‘smishing’ attempt that compromised a legitimate communications channel to target 10,000 current students The Victorian university said it had been “targeted in a cyber attack” where a single staff member’s login credentials were compromised. Microsoft details massive phishing operation Date: 2022-07-13 Author: IT News A phishing campaign that has been active since September 2021 has so far attempted to target more than 10,000 organisations, Microsoft security researchers said. The campaign uses what Microsoft calls Adversary in the Middle (AitM) attacks which involves setting up a proxy server that sits between victims and the websites they wish to visit. With a proxy server that intercepts hyper text transfer protocol (HTTP) packets from users, attackers don't need create sites that impersonate legitimate ones, as per traditional phishing campaigns. Australia's major banks look to dynamic CVV to combat payment fraud Date: 2022-07-11 Author: IT News Three of the 'Big Four' Australian banks have turned to dynamic card verification value (CVV) functionality to combat online payment fraud and boost digital consumer protections. The CVC or CVV is traditionally a static, three-digit number found on the back of a physical debit or credit card that acts as an additional layer of verification or security when a customer is transacting online. Vulnerability Spotlight: Adobe Acrobat DC use-after-free issues could lead to arbitrary code execution Date: 2022-07-13 Author: Talos Website [See also ESB-2022.3409] Cisco Talos recently discovered two use-after-free vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code. Acrobat is one of the most popular PDF reader software options available currently. It includes the ability to read and process JavaScript to give PDFs greater interactivity and customization options for users. This vulnerability exists in the way Acrobat Reader processes JavaScript. 1 in 3 untrained employees will click on a phishing link Date: 2022-07-13 Author: Security Brief One in three untrained employees will click on a phishing link, according to a new report from KnowBe4. The security awareness training and simulated phishing platform has released the new 2022 Phishing by Industry Benchmarking Report, which measures an organisation’s Phish-proneTM Percentage (PPP), which indicates how many of their employees are likely to fall for phishing or a social engineering scam. Tech giants want to kill off passwords. Here's why they think passkeys will change the world, and what that means for you Date: 2022-07-14 Author: ABC News Last year, a password management company and a group of researchers found that the most common password in the world was 123456 — they said it showed up more than 103 million times. Second was 123456789. Third was 12345 ASB-2022.0139 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 8.8* Microsoft's Patch Tuesday included fixes for Windows 7 and Windows Server 2008 ASB-2022.0137 – ALERT Windows: CVSS (Max): 8.8* Microsoft Patch Tuesday updates included a fix for the CVE-2022-22047 actively exploited vulnerability ESB-2022.3409 – Adobe Acrobat DC and Adobe Acrobat Reader DC: CVSS (Max): 7.8 Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS which addressed multiple critical, and important vulnerabilities that could lead to arbitrary code execution and memory leak ESB-2022.3381 – CVSS (Max): 9.8 An update was released for two security issues in the Debian PHP package which could result an denial of service or potentially the execution of arbitrary code Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for July 8th 2022

Greetings, The second half of 2022 has commenced with a mix of chilly temperatures and wet weather for most of Australia and news that a third wave of the COVID pandemic is increasingly likely. Not wanting to add to the woes of many, we at AUSCERT felt it prudent to share our insights into another potential threat; tax-related scams. In our recent blog, Stay alert this tax time, we highlight two of the more widely used tactics, Phishing and Smishing. By providing examples and what to look out for, we hope to increase awareness and, reduce the success of would-be attackers. Perhaps the Shanghai Police could have been more vigilant in this regard with reports stating the recent attack that resulted in the data of almost one billion people being leaked because of poor security. It is alleged that the system wasn’t hacked but rather, it simply didn’t have a password for over a year. CNN delves into this situation, providing insights into what currently appears to be the largest leak of public information seen. Closer to home, NAIDOC Week 2022 continues and has the theme ‘Get up! Stand up! Show up!’ encourages us all to acknowledge, and celebrate the histories, cultures, and achievements of Aboriginal and Torres Strait Islander people. It is an important annual event where everyone’s invited to join in the celebrations with official celebrations held from July 3-10. Visit the NAIDOC website for news, stories, and information on how you can show your support and help bridge the gap. Verified Twitter accounts hacked to send fake suspension notices Date: 2022-07-02 Author: Bleeping Computer Threat actors are hacking verified Twitter accounts to send fake but well-written suspension messages that attempt to steal other verified users’ credentials. Twitter verifies accounts if they are considered notable influencers, celebrities, politicians, journalists, activists, and government and private organizations. To receive the verified ‘blue badge,’ Twitter users must apply for verification and submit supporting documentation to show why their account is ‘notable.’ Australia offers cyber-security assistance to Ukraine Date: 2022-07-04 Author: Cyber Security Connect Strengthening the cyber resilience of Ukraine’s Border Guard Service forms part of a new assistance package from the Australian government. In response to a request from President Volodymyr Zelenskyy, the Commonwealth government has committed $99.5 million in additional military assistance to Ukraine, including the delivery of 14 M113 armoured personnel carriers and 20 Thales-built Bushmaster protected mobility vehicles. The value of Australia’s military assistance to Ukraine now totals approximately $388 million. Notably, $8.7 million has been pledged to assist Ukraine’s Border Guard Service, tipped to fund upgrades to border management equipment, improvements to cyber security, and enhancements to border operations in the field. Australian businesses lose $227 million to BEC-like scams Date: 2022-07-04 Author: ITnews Australian businesses were scammed out of $227 million in “payment redirection” cons – which includes business email compromise or BEC – over the course of 2021. Payment redirection, as the ACCC groups these scams, caused the highest losses to businesses out of any scam type, according to commission’s latest scam report. Facebook 2FA phish arrives just 28 minutes after scam domain created Date: 2022-07-01 Author: Naked Security We’ll tell this story primarily through the medium of images, because a picture is worth 1024 words. This cybercrime is a visual reminder of three things: It’s easy to fall for a phishing scam if you’re in a hurry. Cybercriminals don’t waste any time getting new scams going. 2FA isn’t a cybersecurity panacea, so you still need your wits about you. Google patches new Chrome zero-day flaw exploited in attacks Date: 2022-07-04 Author: Bleeping Computer [See also ESB-2022.3254] Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022. “Google is aware that an exploit for CVE-2022-2294 exists in the wild.,” the browser vendor explained in a security advisory published on Monday. Poor patching creates easy zero-day vulnerability reuse Date: 2022-07-01 Author: iTnews Google’s elite Project Zero security researchers are again warning that insufficient patching of vulnerabilities means threat actors can vary their methodologies, and reuse software bugs. Project Zero’s Maddie Stone posted a half year report on the zero-day vulnerabilities that are being exploited with no patches available for 2022. Fortinet patch batch remedies multiple path traversal vulnerabilities | The Daily Swig Date: 2022-07-07 Author: Port Swigger Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products. The California-headquartered cybersecurity giant, which accounts for more than a third of all firewall and unified threat management shipments worldwide, released a huge number of firmware and software updates on Tuesday (July 5). Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: ‘Lives at Stake’ Date: 2022-07-07 Author: Dark Reading A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector. The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru. ESB-2022.3250 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9 Gitlab released critical security update on versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) ESB-2022.3315 – MozillaFirefox: CVSS (Max): 7.5 MozillaFirefox has released an update that fixes 9 new vulnerabilities ESB-2022.3331 – PHP: CVSS (Max): 9.8 USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem ESB-2022.3325 – Traffix SDC: CVSS (Max): 8.6 A remote attacker may be able to exploit this vulnerability to compromise the data confidentiality, integrity, and availability of the affected system Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for July 1st 2022

Greetings, Today sees us enter the second half of 2022 which, for many of us, seems to have arrived sooner than expected. Something else that has landed quickly is the second season of our podcast series, ‘Share Today, Save Tomorrow’. The first episode of the season features the amazing Lesley Carhart, known to many by her Twitter handle @hacks4Pancakes. Lesley, an industry leader in incident response, chats to Anthony Caruana about the intersection between cyber security and operational technology, including the increased risk and vulnerability throughout the industry. There’s more from our very own Bek and Mike in the episode so be sure to take the time to listen to Episode 13 – ITOT Convergence. Mike and Bek look back at some of their highlights from this year’s conference, AUSCERT2022, which is made a little easier with the recorded sessions from this year’s conference now available! Emails were sent to attendees with the login details so be sure to check your inbox. The OnAir portal will remain open until Friday, 29th July 2022 which should allow plenty of time to revisit your own highlights or, perhaps watch a session that you may have missed. Excitingly, the merchandise from this year’s conference has also been shipped to attendees! As most of us have experienced, shipment times are a tad longer nowadays so, please be patient. We assure you, the wait will be worth it! Lastly, some would say most importantly, next Thursday, July 7, 2022, is World Chocolate Day. From their discovery and use by the Olmecs over 2,500 years ago, cacao beans have been used as currency, turned into a bitter drink and of course, used to make the most popular tasty treat consumed the world over today. Chocolate contains antioxidants and can improve your cardiovascular health and can be enjoyed in seemingly endless ways. So, please do your part and support World Chocolate Day with something made from, dipped in or containing some chocolate! New report finds 101% spike in email threats Date: 2022-07-24 Author: Cyber Security Connect Trend Micro reports that it blocked over 33.6 million cloud email threats in 2021, a 101 per cent increase on the previous year. Trend Micro’s research on the mounting number of cyber risks highlighted that 48 per cent of local organisations don’t believe their method of assessing risk exposure is sophisticated enough, underlining the vulnerability of Australia’s corporate sector to increasingly insidious email threats. Email remains a top point of entry for cyber attacks as demonstrated by this massive increase. Many Australian businesses faced spear-phishing, business email compromise (BEC) and email-based ransomware attacks in 2021. RansomHouse claims AMD hack, 450GB data stolen Date: 2022-07-29 Author: Cyber Security Connect Semiconductor manufacturer AMD is investigating a cyber attack after the RansomHouse gang claimed to have stolen 450GB of data from the company last year. RansomHouse, an extortion group, claims to have stolen 450GB of data from AMD, announcing on Telegram that they would be “selling the data for a well-known three-letter company that starts with the letter A”. The extortion group also added AMD to their data leak site, claiming to have stolen 450GB of data. According to Satnam Narang, senior staff research engineer at Tenable, there has been a renaissance of pure-play extortion groups in recent months. ACSC warns Aussie businesses of tax-time email hacking campaigns Date: 2022-07-28 Author: Cyber Security Connect The Australian Cyber Security Centre (ACSC) is urging Aussies and Australian businesses to strengthen their email security practices to protect their private information and that of their customers in the lead up to tax time. As tax time approaches, the ACSC is encouraging individuals, businesses and organisations to be alert, and aware of business email compromise (BEC) threats. BEC occurs when cyber criminals access email accounts aiming to steal sensitive and financial information or commit fraud by impersonating employees or company email accounts to obtain money or data. Clever phishing method bypasses MFA using Microsoft WebView2 apps Date: 2022-07-26 Author: Bleeping Computer A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victim’s authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. With the large number of data breaches, remote access trojan attacks, and phishing campaigns, stolen login credentials have become abundant. However, the increasing adoption of multi-factor authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also has access to the target’s one-time MFA passcodes or security keys. This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs Date: 2022-07-29 Author: TechCrunch A lot of people are worried about the prospect of competing with AI for their jobs, but this probably isn’t what they were expecting. The FBI has warned of an uptick in cases where “deepfakes” and stolen personal information are being used to apply for jobs in the U.S. — including faking video interviews. Don’t dust off the Voight-Kampff test just yet, though. The shift to remote work is great news for lots of people, but like any other change in methods and expectations it is also a fresh playground for scammers. Security standards are being updated, recruiters are adapting, and of course the labor market is wild enough that hiring companies and applicants both are trying to move faster than ever. Attacker Targets RCE Bug in Mitel MiVoice VoIP Appliances Date: 2022-07-29 Author: Cyware Hacker News Cybercriminals have used a zero-day exploit on Linux-based Mitel MiVoice VoIP appliances. According to researchers, the exploit was used for gaining initial access to an attempted ransomware attack. The zero-day abuse A report from CrowdStrike disclosed that a zero-day RCE flaw (CVE-2022-29499) is present in the Mitel Service Appliance component of MiVoice Connect that was abused to obtain initial access to the network. Although the attack was stopped, the intrusion is suspected to be a part of a ransomware attack. Sophisticated ZuoRAT attack targets home workers Date: 2022-07-30 Author: IT News Security researchers have unearthed a sophisticated campaign that targets consumer-grade routers from multiple manufacturers in Europe and North America. The researchers at security vendor Lumen’s Black Lotus Labs spotted the ZuoRAT multi-stage remote access tool hijacking small business and residential routers from brands such as Cisco, ASUS, DrayTek and Netgear. ESB-2022.3122 – Traffix SDC: CVSS (Max): 7.8 A Linux kernel vulnerability which affects Traffix SDC has been acknowledged by F5. Currently, no mitigation or patches are available ESB-2022.3172.2 – ALERT Tenable.sc: CVSS (Max): 9.8 Tenable has released Tenable.sc patch 202206.1 to address the vulnerabilities in Apache ESB-2022.3152 – Firefox ESR 91.11: CVSS (Max): None Mozilla has updated Firefox ESR to 91.11 to address the security vulnerabilities ESB-2022.3157 – maven-shared-utils: CVSS (Max): 9.8 Debian has released new maven-shared-utils packages to address shell injection attacks Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for June 24th 2022

Greetings, Just like a bad smell or that one annoying neighbour, Log4Shell won’t go away. It has been reported that threat actors are still utilising the Log4Shell (CVE-2021-44228) vulnerability to gain access to internal systems. AUSCERT issued a Security Bulletin earlier this month providing further details on the vulnerability and affected products and versions whilst Bleeping Computer offers additional information following a warning issued by CISA. Meanwhile, the ongoing war in Ukraine continues to see tactics deployed that include the integration of cyber-attacks into overall strategies. The scope and nature of these attacks are also becoming more complex as they seemingly become more intrinsic in the landscape of modern warfare. The Hill dissects current methods being deployed along with the potentially significant impact a well-timed and placed cyber-attack can have. On a more ‘Zen’ note, June 21st was World Yoga Day, which aimed to raise awareness of the numerous benefits of yoga. The date is the longest day in the northern hemisphere and shortest in the southern hemisphere – the summer and the winter solstices – which have significance in yoga. Some benefits of yoga include balancing the hemispheres of our brains and learning ways to help improve memory, intellect, coordination, and mental health. There are several ways that you can help you boost your brain health with a few yoga-based exercises. Snake Keylogger identified as top malware circulating in Australia Date: 2022-06-20 Author: Cyber Security Connect Check Point Research (CPR) has reported that the Snake Keylogger malware has claimed first place in Australia and eighth place globally after a long absence from the Global Threat Index. Snake Keylogger records users’ keystrokes and transmit collected data to threat actors. It is usually spread through emails that include docx or xlsx attachments with malicious macros, but CPR researchers have also noticed that Snake Keylogger has also been spreading via PDF files. The CPR data has revealed Snake Keylogger is the leading malware family impacting Australian organisations, accounting for 2.48 per cent of Australian cyber incidents. Google Chrome extensions can be fingerprinted to track you online Date: 2022-06-19 Author: Bleeping Computer A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint of your device that can be used to track you online. To track users on the web, it is possible to create fingerprints, or tracking hashes, based on various characteristics of a device connecting to a website. These characteristics include GPU performance, installed Windows applications, a device’s screen resolution, hardware configuration, and even the installed fonts. It is then possible to track a device across sites using the same fingerprinting method. China-linked APT hacking group targeting Australia and South-East Asia Date: 2022-06-22 Author: Cyber Security Connect SentinelLabs reports that it has newly discovered a China-linked APT named “Aoqin Dragon” that has been spying on organisations in Australia and South-East Asia for over a decade. The SentinelLabs researchers have revealed that this new advanced persistent threat (APT) group linked to China had been discovered “only after conducting cyber espionage campaigns under the radar since 2013”. Dubbed “Aoqin Dragon”, the Chinese hackers lure victims with malicious documents, according to SentinelLabs data, which appear to be salacious ads for pornography sites. Massive Cloudflare outage caused by network configuration error Date: 2022-06-21 Author: Bleeping Computer Cloudflare says a massive outage that affected more than a dozen of its data centers and hundreds of major online platforms and services today was caused by a change that should have increased network resilience. “Today, June 21, 2022, Cloudflare suffered an outage that affected traffic in 19 of our data centers,” Cloudflare said after investigating the incident. “Unfortunately, these 19 locations handle a significant proportion of our global traffic. This outage was caused by a change that was part of a long-running project to increase resilience in our busiest locations.” According to user reports, the full list of affected websites and services includes, but it’s not limited to, Amazon, Twitch, Amazon Web Services, Steam, Coinbase, Telegram, Discord, DoorDash, Gitlab, and more. Capital One Attacker Exploited Misconfigured AWS Databases Date: 2022-06-21 Author: Dark Reading The 36-year-old Seattle tech worker behind the infamous 2019 Capital One data breach has been convicted on seven charges related to the data theft — which are punishable by up to 20 years in jail. In the incident, Paige Thompson, who operated under the hacker handle “erratic,” made off with more than 100 million credit applications that were held in a misconfigured Amazon Web Services storage bucket in the cloud. She was arrested shortly thereafter, after the banking giant traced the malicious activity back to her and alerted the FBI. There are 24.6 billion pairs of credentials for sale on dark web Date: 2022-06-20 Author: The Register More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found. Data recorded from last year reflected a 64 percent increase over 2020’s total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. From text messages to fraudulent ads, how scammers are draining bank accounts Date: 2022-06-21 Author: ABC News There have been more than 35,000 reported attempts to gain the personal information of Australians since January. The Australian Cybersecurity Centre reported cybercrime cost the economy an estimated $33 billion in 2021. National identity and cyber-support service IDCARE has never been busier, according to its managing director, Mr Lacy. “I don’t think there are many crimes that you can say penetrate the family home almost on a daily basis,” he said. A popular method used by scammers is what’s known as “phishing”, where things like an email imitating a bank or telco are used to encourage people to share their personal information. “Smishing” is a similar method, involving text messages. “So smishing is via SMS and phishing more generally is via email or telephone,” Mr Lacy said. ESB-2022.3017 – Python-Twisted: CVSS (Max): 7.5 Suse has released a security update for a denial of service vulnerability in Python-twisted which affects multiple Suse products ESB-2022.3069 – Jenkins (core) and Jenkins Plugins: CVSS (Max): 8.8 Multiple vulnerabilities affecting Jenkins core and various plugins have been addressed by Jenkins ESB-2022.3066 – Google Chrome: CVSS (Max): None Google released Chrome 103.0.5060.53 that contains 14 security fixes and a number of improvements ESB-2022.3062 – Adaptive Security Device Manager and Adaptive Security Appliance Software: CVSS (Max): 9.1 Cisco has released patches for ASA to address a vulnerability which allows an attacker to execute arbitrary code on the machine Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for June 17th 2022

Greetings, On Wednesday, June 15, the world said goodbye to one of the original web browsers, Internet Explorer. Dating back to the age of dial-up internet when the electronic gurgling and squeaking noises signalled the impending connection, Internet Explorer diminished in popularity and saw its share of critics over the past twenty-seven years. However, as reported in The Washington Post there are regions that still heavily rely on it which could result in a few headaches for users. This week, we also learned of what many have feared and documented in science fiction like The Terminator, Artificial Intelligence (A.I.) sentience, becoming a reality when a Google employee believed a chatbot had become self-aware. Whilst the validity of this claim is doubted, it has sparked conversation around how A.I. sentience could be determined. ABC News looked at some measures that could be undertaken and, possible implications including moral and legal rights for sentient machines. A cohort of people that face challenges on this very front is refugees. June 19 – 25 is Refugee Week, a time for all Australians to understand the issues affecting refugees and, celebrate the positive contributions they make to Australian society. The theme for 2022 is ‘Healing’ which, after a few years of living with a pandemic, is paramount in coming together and contributing to a more connected and accepting culture. The Refugee Week website has some fantastic resources for individuals and organisations to use to help raise awareness and show your support. Drupal Patches ‘High-Risk’ Third-Party Library Flaws Date: 2022-06-13 Author: SecurityWeek [See AUSCERT bulletin ESB-2022.2879] The Drupal security team has released a “moderately critical” advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites. The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services. “These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites,” according to a Drupal advisory. Internet Explorer (almost) breathes its final byte on Wednesday Date: 2022-06-13 Author: Bleeping Computer Microsoft will finally end support for Internet Explorer on multiple Windows versions on Wednesday, June 15, almost 27 years after its launch on August 24, 1995. After finally reaching its end of life, the Internet Explorer desktop application will be disabled. It will be replaced with the new Chromium-based Microsoft Edge, with users automatically redirected to Edge when launching IE11. This retirement affects Internet Explorer 11 desktop apps on specific versions of Windows 10 delivered via the Semi-Annual Channel (SAC) to systems running Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws Date: 2022-06-14 Author: Bleeping Computer Today is Microsoft’s June 2022 Patch Tuesday, and with it comes fixes for 55 vulnerabilities, including fixes for the Windows MSDT ‘Follina’ zero-day vulnerability and new Intel MMIO flaws. Of the 55 vulnerabilities fixed in today’s update, three are classified as ‘Critical’ as they allow remote code execution, with the rest classified as Important. This does not include 5 Microsoft Edge Chromium updates that were released earlier this week. CISA Recommends Organizations Update to the Latest Version of Google Chrome Date: 2022-06-14 Author: Dark Reading The US Cybersecurity and Infrastructure Agency (CISA) Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser. In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115). Citrix warns critical bug can let attackers reset admin passwords Date: 2022-06-15 Author: Bleeping Computer [See ESB-2022.2935] Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. Citrix ADM is a web-based solution that provides admins with a centralized cloud-based console for managing on-premises or cloud Citrix deployments, including Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix Secure Web Gateway. 24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far Date: 2022-06-15 Author: Dark Reading Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found. That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020. Potent Emotet Variant Spreads Via Stolen Email Credentials Date: 2022-06-10 Author: Threatpost The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns. Emotet’s resurgence in April seems to be the signal of a full comeback for what was once dubbed “the most dangerous malware in the world,” with researchers spotting various new malicious phishing campaigns using hijacked emails to spread new variants of the malware. ASB-2022.0135 – ALERT Microsoft Windows: CVSS (Max): 9.8* Microsoft has released security patch update for June that resolves 39 vulnerabilities. ASB-2022.0127.2 – UPDATE ALERT Microsoft Office: CVSS (Max): 7.8 Microsoft has issued CVE-2022-30190 for a zero-day vulnerability that allows remote code execution in Microsoft Office via the ms-msdt protocol scheme. ESB-2022.2929 – Adobe Illustrator: CVSS (Max): 7.8 Adobe’s most recent update for Adobe Illustrator 2022 resolves vulnerabilities that could lead to arbitrary code execution and memory leak. ESB-2022.2948 – Cisco Email Security Appliance and Cisco Secure Email and Web Manager: CVSS (Max): 7.7 Cisco has released software updates that address a vulnerability in the web management interface of Cisco Secure Email and Web Manager that if exploited could allow an authenticated, remote attacker to retrieve sensitive information. ESB-2022.2961 – ALERT Splunk Enterprise: CVSS (Max): 9.0 Splunk Enterprise deployment servers in versions before 9.0 allow unauthenticated downloading of forwarder bundles and let clients to deploy forwarder bundles to other deployment clients through the deployment server. Splunk advises its clients to upgrade Splunk Enterprise deployment servers to version 9.0 or higher. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for June 10th 2022

Greetings, With the ongoing impact of COVID-19 and the associated uncertainty easing, 2021 started with hope and the promise that our daily lives would return to a sense of normalcy. Eventually, we saw a return to offices, with permanent hybrid working arrangements and restrictions reduced. However, the impact on personal lives, societal changes, and increased frequency and sophistication of cyber threats presented ongoing challenges. AUSCERT dealt with many of these in 2021, ensuring our proactive approach in assisting members with potential exposure to risk continued. The 2021 Year in Review provides insight into the challenges, our accomplishments, and highlights throughout the year. One that is sure to make the highlight list for 2022 is AUSCERT2022. The four days of collaboration, education, and fun ensured that the oldest information security conference in Australia was a resounding success! View the highlights video HERE. With a commitment to current and comprehensive content, AUSCERT’s training courses are engaging and interactive. Facilitated by our Principal Analyst and industry-leading trainers, AUSCERT training courses will deliver the outcomes required by all stakeholders. This extends to anyone that looks after their organisation’s cyber security. Our next course, Cyber Security Risk Management, is taking place next week on June 13th & 14th – Book Now. The cyber security landscape is ever-changing, and AUSCERT continues to be passionate about engaging our members to empower their people, capabilities, and capacities. Microsoft: Windows Autopatch now available for public preview Date: 2022-06-05 Author: Bleeping Computer Microsoft said this week that Windows Autopatch, a service to automatically keep Windows and Microsoft 365 software up to date in enterprise environments, has now reached public preview. This enterprise service was first announced in April when Redmond said it would be made generally available in July 2022 and offered free to Microsoft customers with a Windows 10/11 Enterprise E3 license or greater. Windows Autopatch automatically manages the deployment of Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates. Ransomware gangs now give victims time to save their reputation Date: 2022-06-06 Author: Bleeping Computer Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries. By not disclosing the victim’s name immediately, the ransomware operatives give their targets a more extended opportunity to negotiate the ransom payment in secrecy while still maintaining a level of pressure in the form of a future data leak. KELA, an Israeli cyber-intelligence specialist, has published its Q1 2022 ransomware report that illustrates this trend and highlights various changes in the field. Atlassian patches zero-day affecting Confluence Data Center and Server Date: 2022-06-03 Author: SC Media [Related to AUSCERT Bulletin ESB-2022.2737.4] Atlassian on Friday issued fixes for a zero-day remote code execution vulnerability in Confluence Data Center and Server. The critical vulnerability lets an unauthenticated user execute arbitrary code on a Confluence Server or Data Center instance. In an updated blog post, Atlassian said it fixed the following versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Atlassian said for customers that access Confluence via an Atlassian.net domain, it’s hosted by Atlassian and not vulnerable. The company’s investigation have not found any evidence of exploitation of Atlassian Cloud. The critical vulnerability — CVE-2022-26134 — affected all supported versions of Confluence Server and Data Center. Confluence Server and Data Center versions after 1.3.0 are affected. Exploit released for Atlassian Confluence RCE bug, patch now Date: 2022-06-05 Author: Bleeping Computer [This article references a vulnerability in AUSCERT Bulletin ESB-2022.2737.4] Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence and Data Center servers have been widely released this weekend. The vulnerability tracked as CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability exploited through OGNL injection and impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0. Successful exploitation allows unauthenticated, remote attackers to create new admin accounts, execute commands, and ultimately take over the server. Australians lose over $200m to scams in just 4 months Date: 2022-06-06 Author: Cyber Security Connect The new data, released by Scamwatch, has revealed a 166 per cent increase in losses from last year. According to the ACCC, the real losses are likely to be significantly higher as only 13 per cent of Australians are expected to refer their losses on to Scamwatch. Investment scams have been found to be the most prolific, resulting in some $158 million lost for Australian consumers, representing a 314 per cent increase on the same time last year. Of these, crypto currency investments have cost investors $113 million while imposter bond scams have resulted in $10.9 million lost. HTTP/3 becomes a standard, at last Date: 2022-06-09 Author: iTnews Faster traffic, more encryption. More than three years after it was first proposed, the third major version of the Hypertext Transfer Protocol, HTTP, has been adopted as an Internet Engineering Task Force (IETF) standard. As is common, adoption of HTTP/3 has run ahead of the formal standards process. GitLab Issues Security Patch for Critical Account Takeover Vulnerability Date: 2022-06-03 Author: Thehackernews GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. Are You Ready for a Breach in Your Organization’s Slack Workspace? Date: 2022-06-07 Author: Dark Reading When organizations moved to hybrid work at the beginning of the pandemic, Slack offered a crucial way for teams to collaborate efficiently regardless of physical location. But in most organizations, Slack is a relatively new solution, bringing the typical challenges of adopting new technologies — related to culture, functionality, expected user behavior, and, of course, security. For many organizations, Slack is now the primary communication channel, replacing email and knowledge management repositories. As a result, Slack increasingly contains more sensitive information than those traditional systems. Researchers Warn of Unpatched “DogWalk” Microsoft Windows Vulnerability Date: 2022-06-08 Author: The Hacker News An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted “.diagcab” archive file that contains a diagnostics configuration file. ESB-2022.2726 – ACS 3.70: CVSS (Max): 9.8 Red Hat released updated images for Red Hat Advanced Cluster Security for Kubernetes. The updated image includes bug fixes and feature improvements. ESB-2022.2737.4 – UPDATED ALERT Confluence Server and Confluence Data Center: CVSS (Max): None Atlassian released fixed versions to address the unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. AUSCERT recommends affected Confluence users to regularly check for updated advice from Atlassian as the situation evolves ESB-2022.2736 – Local Run Manager (LRM): CVSS (Max): 10.0 Vulnerabilities in Local Run Manager may allow an unauthenticated user to take control of the affected product remotely and take any action at the operating system level. The users are advised to take defensive measures to minimize the risk of this vulnerability. ASB-2022.0128 – Microsoft Edge (Chromium-based): CVSS (Max): 8.3 Microsoft Security Updates for Microsoft Edge (Chromium-based) address a number of vulnerabilities. It is advised to update Edge to the latest release. ESB-2022.1284.4 – UPDATE Atlassian Products: CVSS (Max): 8.1* The vendor updated the advisory to include fixed version of the Confluence DC. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for June 3rd 2022

Greetings, Change is inevitable, often with mixed results. But one change that we hope will see improvements for our industry, is the appointment of the first-ever dedicated Cyber Security Minister. During the recent federal election campaign, new Prime Minister Anthony Albanese assured Australians that his government would “..lift cyber-resilience across the whole nation”. With the appointment of Clare O’Neil as the Minister for Home Affairs and Minister for Cyber Security, it seems that Australia may just achieve the goal of better and smarter cybersecurity. This is especially important with our industry developing at an increasingly rapid pace which can make it difficult to keep up. One term that has many scratching their heads or shrugging shoulders is IoT, also known as the Internet of Things. As technology becomes increasingly incorporated into our daily lives, it’s important for as many of us to understand what these are and, how they both benefit society and create potential threats. itNews provides an overview of IoT, including examples, along with key factors that are fuelling the rapid growth in the IoT network and our dependency on it. Seasonal change has also been afoot this week and, if you live on the east coast of Australia, you will be all too aware that winter has truly arrived following the polar blast that saw temperatures plummet. With the recent spate of extreme weather, many of us ponder our footprint on our blue and green sphere in space and how we can improve things for future generations. This Sunday, June 5, is World Environment Day with this year’s theme calling for collective, transformative global action to celebrate and protect and restore our planet. Because there is only one Earth. No patch for actively exploited Atlassian Confluence zero-day – Security – iTnews Date: 2022-06-03 Author: itnews.com.au Refer to [ESB-2022-2737] Remote code execution, with webshells written to disk. All versions of Atlassian’s corporate Wiki system, Confluence, are affected by a serious bug under active exploitation, possibly by Chinese threat actors. Atlassian has confirmed the critical vulnerability in Confluence Server and Data Center, and the company said there is currently no fix but it is working on a patch. Administrators should not expose Confluence to the Internet, and disable instances of the corporate Wiki, as options to keep themselves secure. NDIS case management system provider breached Date: 2022-05-31 Author: iTnews A security breach of a cloud-based client management system used by National Disability Insurance Scheme (NDIS) service providers has exposed a “large volume” of health and other sensitive data. CTARS, a Sydney-based software and analytics provider for the disability and care sectors, this week revealed an unauthorised third-party had gained access to its systems on May 15. Less than a week later, on May 21, the company became aware that “a sample of that data had been posted on a [dark] web form” after the third-party claimed it had “taken a large volume of data”. New Windows Search zero-day added to Microsoft protocol nightmare Date: 2022-06-01 Author: Bleeping Computer A new Windows Search zero-day vulnerability can be used to automatically open a search window containing remotely-hosted malware executables simply by launching a Word document. The security issue can be leveraged because Windows supports a URI protocol handler called ‘search-ms’ that allows applications and HTML links to launch customized searches on a device. While most Windows searches will look on the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window. Zero-day vuln in Microsoft Office: ‘Follina’ will work even when macros are disabled Date: 2022-05-30 Author: The Register Infosec researchers have idenitied a zero-day code execution vulnerability in Microsoft’s ubiquitous Office software. Dubbed “Follina”, the vulnerability has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12) and uses Office functionality to retrieve a HTML file which in turn makes use of the Microsoft Support Diagnostic Tool (MSDT) to run some code. Albanese unveils Minister for Cyber Security Date: 2022-05-31 Author: Cyber Security Connect Prime Minister Anthony Albanese has unveiled his new ministry, introducing a new portfolio to oversee cyber security. Clare O’Neil has been announced as minister for home affairs and minister for cyber security during a press conference by Prime Minister Albanese this evening. Minister O’Neil succeeds former Minister Karen Andrews, who also supported the implementation of much of the previous government’s cyber security policy as home affairs minister. ASB-2022.0127 – ALERT Microsoft Office: CVSS (Max): 7.8 A new zero-day vulnerability has been identified allowing remote code execution in Microsoft Office via the ms-msdt protocol scheme ESB-2022.2686 – Mozilla Firefox: CVSS (Max): 7.5* Mozilla has released Firefox 101 addressing multiple vulnerabilities ESB-2022.2712 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.9 GitLab has released patches for several vulnerabilities including a critical account takeover vulnerability in both Community Edition and Enterprise Edition ESB-2022.2737 – ALERT Confluence Server and Confluence Data Center: CVSS (Max): None A remote code execution vulnerability has been identified in Confluence Server and Data Center. Atlassian is working on a patch for the impacted versions Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for May 27th 2022

Greetings, National Reconciliation Week started today, May 27th, and runs until Friday, June 3rd. It’s a time for all Australians to learn about our shared histories, cultures, and achievements, and to explore how each of us can contribute to achieving reconciliation in Australia As a proud Torres Strait Islander Woman, Jasmine Woolley embodies this year’s theme of Reconciliation Week, “Be Brave. Make Change.” Taking on the challenge of public speaking for the first time at the recent AUSCERT2022 Cyber Security Conference, Jasmine shared her perspective about applying Indigenous (Australian) Philosophy to Cyber Security Strategies. Demonstrating wisdom beyond her years with an insightful and enlightening presentation, Jasmine provided a fresh perspective on emerging threats to Australia’s security and challenged all in attendance to think about how they can be change-makers. We congratulate Jasmine on this fantastic achievement and we look forward to seeing what’s next! National Hamburger Day – yes, it’s an actual thing – is tomorrow, May 28. From simplistic cheeseburgers to the towering stacks, layered with an array of scrumptious and odd ingredients, burgers have become a favourite food for many the world over. A recent episode of Burger Scholar Sessions on YouTube, shows how to construct the iconic Aussie burger consisting of fried egg, tinned beetroot, and pineapple, and also delves into the history of our beloved burger that confuses and repulses many from elsewhere in the world! Don’t forget, the AUSCERT podcast, Share Today, Save Tomorrow is available to stream now. Featuring eleven episodes that cover a broad range of subjects, and include fascinating discussions from sensational guests, there’s enough content to make your next run, walk, or daily commute more enjoyable! Malicious PyPI package opens backdoors on Windows, Linux, and Macs Date: 2022-05-21 Author: Bleeping Computer Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. PyPI is a repository of open-source packages that developers can use to share their work or benefit from the work of others, downloading the functional libraries required for their projects. On May 17, 2022, threat actors uploaded a malicious package named ‘pymafka’ onto PyPI. The name is very similar to PyKafka, a widely used Apache Kafka client that counts over four million downloads on the PyPI registry. Fake Windows exploits target infosec community with Cobalt Strike Date: 2022-05-23 Author: Bleeping Computer A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor. Whoever is behind these attacks took advantage of recently patched Windows remote code execution vulnerabilities tracked as CVE-2022-24500 and CVE-2022-26809. When Microsoft patches a vulnerability, it is common for security researchers to analyze the fix and release proof-of-concept exploits for the flaw on GitHub. CISA adds 41 vulnerabilities to list of bugs used in cyberattacks Date: 2022-05-24 Author: Bleeping Computer The Cybersecurity & Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws over the past two days, including flaws for the Android kernel and Cisco IOS XR. The added vulnerabilities come from a wide range of years, with the oldest disclosed in 2016 and the most recent being a Cisco IOS XR vulnerability fixed last Friday. Quad countries to boost CERT cooperation Date: 2022-05-24 Author: itnews International cooperation over cyber security and telecommunications standards will be boosted after this week’s Quad conference in Tokyo. The White House has released a communique from the four-country leadership meeting, the first official duty of newly-elected prime minister Anthony Albanese. Action on cyber security is to include strengthened information sharing between the four countries’ Computer Emergency Response Teams (CERT), “including exchanges on lessons learned and best practices”, the communique stated. Is 100% Cybersecurity Readiness Possible? Medical Device Pros Weigh In Date: 2022-05-25 Author: Bleeping Computer As medical devices become more connected and reliant on software, their codebase grows both in size and complexity, and they are increasingly reliant on third-party and open source software components. This forces security pros to address today’s rapidly evolving threat landscape. In the hopes of helping security professionals better address cybersecurity and regulation, we conducted the 2022 Medical Device Cybersecurity: Trends and Predictions Survey Report, speaking to 150 senior decision makers who oversee product security or cybersecurity compliance in the medical device industry, to learn about their biggest challenges and how they plan to address them. ESB-2022.2513 – Firefox and Thunderbird: CVSS (Max): 7.5 Mozilla has released advisory to address 2 critical vulnerabilities in Firefox and Thunderbird ESB-2022.2556 – Google Chrome: CVSS (Max): None Google Chrome is also updated to version 102 patching multiple vulnerabilities ESB-2022.2568 – F5 Products: CVSS (Max): 7.3 F5 has released advisory to address Linux Kernel vulnerability accross multiple products ESB-2022.2570 – Drupal core: CVSS (Max): None A third party library used by Drupal Core could affect some contributed projects or custom code on Drupal sites ESB-2022.2607 – Nessus: CVSS (Max): 9.8 Multiple third party components used by Nessus were found to contain vulnerabilities. Tenable has released updates to Nessus to address those vulnerabilities Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for May 20th 2022

Greetings, With the Australian Federal election taking place tomorrow and many unsure of their ability to vote due to recent positive results for COVID-19, the argument around online or e-voting has again been raised. Whilst technology exists to allow for digital voting, as was done in the New South Wales elections in 2021 with the iVote system, the uncertainty over voter identity along with the risk of server outages, malware, and voter fraud remain key concerns for similar systems. Despite this, The Conversation presents alternatives that combine digital technology with human input. The combination provides transparency and efficiency whilst maintaining the most difficult aspect of politics, trust if done right. It’s hard to believe that it’s already been a week since AUSCERT2022 wrapped up for another year. The AUSCERT team has been overwhelmed with the kind words and positive responses to this year’s conference which are always welcome and appreciated. The event’s theme, Rethink, Reskill, Reboot, provided a great conversation starter, idea stimulator, and opportunity to delve into the past for some of the most cherished video games of decades gone by! You can read more about Australia’s premier cyber security conference in our recent blog that includes a gallery of photos taken throughout the week. Australian Taxation Office issues capital gains warning for crypto and NFT sellers Date: 2022-05-16 Author: ZDNet The Australian Taxation Office (ATO) has issued its four priorities for the upcoming tax season, with capital gains from crypto and work-related expenses being listed. On the crypto front, simply because you managed to make money before last week’s crash hit off a decentralised system, does not mean the tax office is not owed something, much like selling property or shares, selling crypto or NFTs can mean tax is due. Researchers devise iPhone malware that runs even when device is turned off Date: 2022-05-17 Author: Ars Technica When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down. It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off. Hackers target Tatsu WordPress plugin in millions of attacks Date: 2022-05-17 Author: Bleeping Computer Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Up to 50,000 websites are estimated to still run a vulnerable version of the plugin, although a patch has been available since early April. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing. Critical VMware Bug Exploits Continue, as Botnet Operators Jump In Date: 2022-05-18 Author: Dark Reading Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell. That’s according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well. WA Health: No breaches of unencrypted COVID data means well managed and secure system Date: 2022-05-18 Author: ZDNet The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday. PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage. CISA warns not to install May Windows updates on domain controllers Date: 2022-05-16 Author: Bleeping Computer The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has removed a Windows security flaw from its catalog of known exploited vulnerabilities due to Active Directory (AD) authentication issues caused by the May 2022 updates that patch it. This security bug is an actively exploited Windows LSA spoofing zero-day tracked as CVE-2022-26925, confirmed as a new PetitPotam Windows NTLM Relay attack vector. Unauthenticated attackers abuse CVE-2022-26925 to force domain controllers to authenticate them remotely via the Windows NT LAN Manager (NTLM) security protocol and, likely, gain control over the entire Windows domain. Researchers find 134 flaws in the way Word, PDFs, handle scripts Date: 2022-05-13 Author: The Register Black Hat Asia Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it’s proven so effective they’ve found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000. The tool is named “Cooper” – a reference to the “Cooperative mutation” technique employed by the tool. Speaking at the Black Hat Asia conference in Singapore, PhD student Xu Peng of the Chinese Academy of Sciences – one of the tool’s co-authors – explained that the likes of Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files. Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning Date: 2022-05-14 Author: Dark Reading A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars. Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found. Hackers are exploiting critical bug in Zyxel firewalls and VPNs Date: 2022-05-15 Author: Bleeping Computer Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell. ESB-2022.2376 – F5 Products: CVSS (Max): 7.1 F5 reports a vulnerability in F5 products that may cause a breach in data confidentiality, integrity, and availability. Please read the advisory for mitigation information. ESB-2022.2447 – F5 Products: CVSS (Max): 7.2 Eclipse Jetty vulnerability in F5 products could allow an authenticated user to cause a local privilege escalation if exploited. Please read the advisory for mitigation information. ESB-2022.2443 – VMware Products: CVSS (Max): 9.8 VMWare reports that remediations are available to fix multiple vulnerabilities in VMware Workspace ONE Access, Identity Manager and vRealize Automation. ESB-2022.2475 – Red Hat OpenShift GitOps: CVSS (Max): 10.0 An update is now available to fix multiple vulnerabilities in Red Hat OpenShift GitOps 1.5. Stay safe, stay patched and have a good weekend!

Learn more

Week in review

AUSCERT Week In Review for May 13th 2022

Greetings, What a week! AUSCERT2022 has officially come to an end and it’s safe to say that it was a resounding success! We saw a return of many faithful attendees along with many first-time delegates and presenters, including our first keynote speaker of this year’s conference, Kath Koschel. Kath has faced serious personal, mental and physical setbacks but her resilience has allowed her not only to overcome these challenges, but also see the good in the world when most others couldn’t. Sharing her story with the audience saw many with tears but also, smiles and a resolve to each do #OneSmallAct of kindness each and every day. Another standout was Jasmine Woolley who presented for the first time, anywhere, and had all in attendance singing her praises. Jasmine demonstrated skill and wisdom beyond her years, asking “How do people in this room help make this statistic better?” in reference to the lack of diversity and inclusion in our industry. The conference concluded with the crowd favourite Speed Debate. Six topics were discussed including whether people, not machines are the future of cyber security and that there’s no need to worry about ransomware when insurance will pay! Suffice it to say, there were some passionate arguments delivered with some humour, witty retorts, and the occasional fact! Hackers exploiting critical F5 BIG-IP bug, public exploits released Date: 2022-05-09 Author: Bleeping Computer Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads. F5 last week released patches for the security issue (9.8 severity rating), which affects the BIG-IP iControl REST authentication component. The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to run “arbitrary system commands, create or delete files, or disable services.” Cyberattacks on managed service providers increasing, US and allies warn Date: 2022-05-11 Author: The Record Cybersecurity agencies from the Five Eyes intelligence alliance warned of increased cyberattacks targeting managed service providers (MSPs) on Wednesday morning. The agencies from the U.S., U.K., Australia, Canada and New Zealand said to “expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.” MSPs are companies paid to manage IT infrastructure and provide support. The companies typically provide remote IT services to smaller businesses lacking an IT department. Windows 11 KB5013943 update causes 0xc0000135 application errors Date: 2022-05-11 Author: Bleeping Computer Windows 11 users are receiving 0xc0000135 errors when attempting to launch applications after installing the recent Windows 11 KB5013943 cumulative update. Yesterday, Microsoft released new Windows cumulative updates to fix security vulnerabilities and bugs as part of the May 2022 Patch Tuesday. These updates include the Windows 11 KB5013943 update, which included a fix for a bug causing .NET Framework 3.5 apps not to open if they used the Windows Communication Foundation (WCF) and Windows Workflow (WWF) components. Beware: This cheap and ‘homemade’ malware is surprisingly effective Date: 2022-05-09 Author: ZDNet A powerful form of trojan malware that offers complete backdoor access to Windows systems is being sold on underground forums for the price of a cup of coffee – and it’s being developed and maintained by one person. Known as DCRat, the backdoor malware has existed since 2018 but has since been redesigned and relaunched. When malware is cheap it’s often associated with only delivering limited capabilities. But DCRat – offered online for as little as $5 – unfortunately comes equipped with a variety of a functions, including the ability to steal usernames, passwords, credit card details, browser history, Telegram login credentials, Steam accounts, Discord tokens, and more. LEAK: Commission to force scanning of communications to combat child pornography Date: 2022-05-11 Author: Euractiv The European Commission is to put forward a generalised scanning obligation for messaging services, according to a draft proposal obtained by EURACTIV. The text marks a victory for child advocates, but a setback for privacy activists. The European executive is to unveil on Wednesday (11 May) its proposal to fight the online circulation of child sexual abuse material – CSAM in short. “Providers of hosting services and providers of interpersonal communication services that have received a detection order shall execute it by installing and operating technologies to detect” CSAM upon request by the competent judicial authority or independent administrative authority, the draft regulation states. Microsoft May 2022 Patch Tuesday fixes 7 critical vulnerabilities, 67 others Date: 2022-05-11 Author: ZDNet Microsoft has released a total of 74 new security fixes for its software products. This includes one “important” flaw (a Windows LSA Spoofing Vulnerability) that was being actively exploited in the wild. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month on what is known as Patch Tuesday, Microsoft fixed the aforementioned active exploit, as well as seven other “critical” issues: five remote code execution (RCE) bugs and two elevation of privilege (EoP) flaws. The remaining list of 67 exploits are dominated by additional RCE and EoP bugs. A smattering of denial-of-service, information leaks, security feature bypasses, and spoofing issues were corrected as well. Security “mindset shift” needed to protect organisations Date: 2022-05-09 Author: iTnews More than half of IT decision-makers said security solution had failed at least once, survey finds. Manual investigation, third parties, customers and law enforcement are catching far more cybersecurity threats more than software solutions, says Chris Fisher, director of security engineering APJ at cybersecurity company Vectra. Google adds phishing protection to Workspace apps Date: 2022-05-12 Author: iTnews Zero trust for Slides, Docs and Sheets as well as Gmail. Google’s Workspace productivity apps will get the same phishing and malware protection that Gmail already has later this year, the company said at its annual I/O conference. ASB-2022.0122 – ALERT Windows: CVSS (Max): 9.8 Microsoft’s security patch update for the month of May 2022 resolved 28 vulnerabilities. According to Microsoft, the most dangerous vulnerability addressed is CVE-2022-26925, which is contained in the Windows Local Security Authority. ASB-2022.0121 – ALERT Windows: CVSS (Max): 9.8 Microsoft’s most recent update resolves 62 vulnerabilities across Windows, Windows RT and Windows Server. ESB-2022.2050.2 – UPDATED ALERT F5 BIG-IP Products: CVSS (Max): 9.8 F5 Networks has reported a remote code execution vulnerability in BIG-IP iControl REST tracked in CVE-2022-1388. This is a critical vulnerability with a 9.8 CVSS score. ESB-2022.2332 – Google Chrome: CVSS (Max): None Google has released updates for the Stable channel for Desktop. The updates fix 13 known issues. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for May 6th 2022

Greetings, Yesterday, May 5, was ‘World Password Day’ which was created in 2013 to help promote the use of good password habits online. As technology and cyber threats advance, log-in methods, such as multi-factor authentication, are developed to help us all be more secure. Microsoft recently implemented a service to reduce relying on passwords altogether, whilst still protecting accounts, along with some tips to help manage online security. Speaking of ways to improve your online security, the next round of courses in the AUSCERT training calendar is Cyber Security Risk Management which is being held on June 13 and 14. Delivered remotely via Microsoft Teams in two half-day sessions, the course will provide attendees with the confidence to perform a risk assessment of cyber security risks and the ability to rate and assess business risks rather than technical vulnerabilities. For more information on this course, and others, or, to book online visit the AUSCERT Education page on our website. Just four sleeps remain until AUSCERT2022 which is already generating a lot of buzz and excitement! The 21st Annual AUSCERT Cyber Security Conference has a sensational line-up of speakers, tutorials and events, along with a few surprises, that we can’t wait to share with attendees. Have a great weekend and we look forward to seeing a lot of you on the Gold Coast next week! NIST Issues Guidance for Addressing Software Supply-Chain Risk Date: 2022-05-06 Author: Darkreading The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders. Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cybercriminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware. Large amount of IoT gear menaced by unpatched DNS vulnerability Date: 2022-05-04 Author: Security iTnews Security researchers have found that it is possible to conduct domain name system (DNS) poisoning attacks against Internet of Things devices, thanks to a bug in the popular uClibc and uClibc-ng standard C libraries. Although the bug was disclosed last year, it remains unpatched as the maintainer has not been able to develop a fix for it. An attacker can predict transaction IDs in DNS requests that the libraries generate, allowing DNS poisoning attacks that can be used to redirect traffic and spoof legitimate websites. F5 warns of critical BIG-IP RCE bug allowing device takeover Date: 2022-05-04 Author: Bleeping Computer F5 has issued a security advisory warning about a flaw that may allow unauthenticated attackers with network access to execute arbitrary system commands, perform file actions, and disable services on BIG-IP. The vulnerability is tracked as CVE-2022-1388 and has a CVSS v3 severity rating of 9.8, categorized as critical. Its exploitation can potentially lead up to a complete system takeover. According to F5’s security advisory, the flaw lies in the iControl REST component and allows a malicious actor to send undisclosed requests to bypass the iControl REST authentication in BIG-IP. Aussie organisations succumbing to ransomware threat Date: 2022-05-02 Author: Cyber Security Connect Almost half of the 80 per cent of Australian organisations targeted by ransomware paid cyber criminals, according to new Sophos research. Global cyber security company Sophos has released its State of Ransomware 2022 report — which involves a survey of 5,600 mid-sized organisations in 31 countries — revealing 80 per cent of Australian organisations were hit with ransomware attacks over the course of 2021, up from 45 per cent in 2020. Of those targeted, 43 per cent paid cyber criminals between US$100,000 and US$499,999. Transport for NSW struck by cyber attack Date: 2022-05-04 Author: ZDNet Transport for NSW has confirmed its Authorised Inspection Scheme (AIS) online application was impacted by a cyber incident in early April. The AIS authorises examiners to inspect vehicles to ensure a minimum safety standard. To become an authorised examiner, online applications need to be submitted and requires applicants to share personal details including their full name, address, phone number, email address, date of birth, and driver’s licence number. Security through visibility: supporting Essential Eight cyber mitigation strategies Date: 2022-05-03 Author: iTnews How can you secure what you cannot see? Strong cybersecurity strategies have become mission critical – because interrupted business leads to financial loss, employee and customer dissatisfaction and subsequent lost relationships – as well as damage to your integrity and reputation. So, the question stands as: How can you reduce and mitigate cybersecurity risk? Security Stuff Happens: What Do You Do When It Hits the Fan? Date: 2022-05-03 Author: Dark Reading Breaches can happen to anyone, but a well-oiled machine can internally manage and externally remediate in a way that won’t lead to extensive damage to a company’s bottom line. Wise security professionals understand that threat actors aren’t sitting still, and they aren’t playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads. ESB-2022.2027 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 6.1* GitLab has released newer versions for both Community and Enterprise Editions to address multiple vulnerabilities ESB-2022.2029 – Firefox: CVSS (Max): 7.5* Mozilla Foundation has updated Firefox ESR with a new version 91.9 fixing several vulnerabilities ESB-2022.2043 – Cisco Enterprise NFVIS: CVSS (Max): 9.9 A critical Guest Escape vulnerability along with other critical vulnerabilities affects Cisco NFVIS in the default configuration. Cisco has released an advisory with a fixed version ESB-2022.2050 – ALERT F5 BIG-IP Products: CVSS (Max): 9.8 A vulnerability in the control plane of BIG-IP modules allows an unauthenticated remote attacker to execute commands and create/delete arbitrary files in the system. F5 has released patches for the affected versions. BIG-IP version 17.x is not affected Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week In Review for April 29th 2022

Greetings, Earlier this week, we released our eleventh episode of Share Today, Save Tomorrow. Ethics, trust and collaboration form part of the discussion this month with Jeroen van der Ham and Shawn Richardson feature, providing their insights and sharing their experiences with this developing area within our industry. Today, April 29 2022, is the 40th International Dance Day which has grown into a celebration for those who can see the value and importance in the art form that is dance. Whether it’s toddlers bopping along to their favourite song or the perennial favourite ‘foot shuffle/shoulder shrug’ combo most often seen at weddings, we all have a move or routine that gets us moving when the moment and music is right! To commemorate this occasion, there will be an online celebration featuring five dance productions, each from one region (Africa, Asia-Pacific, the Americas, Europe, and Arab Countries) that will be worth watching if you appreciate dance or, would like some tips! Not to alarm people, but next week we see the arrival of May! Not only does this signify our approach towards the halfway point of 2022 but, also the imminent commencement of AUSCERT2022! A little over a week remains to register for Australia’s premier cyber security conference. We have a few surprises in store, along with the fantastic program that you can check out online, so be sure to register today as you won’t want to miss out! Manage and monitor third-party identities to protect your organization Date: 2022-04-26 Author: Help Net Security SecZetta shared a research that demonstrates a clear misalignment between the strategies organizations currently use and what is actually required to protect them from cyberattacks due to third-party vulnerabilities. At a time when cyberattacks are increasing in size, frequency, and impact, this research found most organizations are not taking the necessary steps to manage and monitor the lifecycle of their third-party identities, making them more vulnerable to cyber incidents. To strengthen cybersecurity programs and better manage identity lifecycles, including third-party and non-human workers, organizations need stronger third-party identity management strategies and solutions. Quarterly Report: Incident Response trends in Q1 2022 Date: 2022-04-26 Author: Cisco Talos Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide. The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j. Five Eyes nations reveal 2021’s fifteen most-exploited flaws Date: 2022-04-28 Author: The Register Security flaws in Log4j, Microsoft Exchange, and Atlassian’s workspace collaboration software were among the bugs most frequently exploited by “malicious cyber actors” in 2021 , according to a joint advisory by the Five Eyes nations’ cybersecurity and law enforcement agencies. It’s worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years’ lists often found miscreants exploiting the older vulns for which patches had been available for years. BlackCat Ransomware gang breached over 60 orgs worldwide Date: 2022-04-25 Author: Security Affairs The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November. “The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.” How Industry Leaders Should Approach Open Source Security Date: 2022-04-28 Author: Dark Reading Security has long been a point of concern in the open source community. If not managed carefully, the same openness that allows innovative code contributions from global users can also present vulnerable attack surfaces for malicious actors. In fact, when asked about roadblocks preventing their organizations’ use of open source, respondents to Anaconda’s 2021 State of Data Science report cited “Fear of CVEs, potential exposures, or risks” (41%) and “Open source software is deemed insecure, so it’s not allowed,” (26%) among other concerns. Yet open source drives innovation, and there are ways to dramatically decrease the potential risks that arise from the use of open source software. This is why many organizations take a “best of both worlds” approach, adopting open source while prioritizing security measures. ESB-2022.1792 – Tenable.sc third party components: CVSS (Max): 9.8 Tenable has provided a patch to address multiple vulnerable third party software used by Tenable ESB-2022.1870 – grafana: CVSS (Max): 9.8 Multiple vulnerabilities affecting Grafana has now been fixed under version 8.3.5 and 7.5.15 ESB-2022.1907 – Google Chrome: CVSS (Max): None Google Chrome 101 is available for users as a stable version fixing several vulnerabilities ASB-2022.0119 – Microsoft Edge (Chromium-based): CVSS (Max): 8.3* Microsoft has also addressed Chrome’s CVE in Microsoft Edge and added 2 additional CVEs in its upstream product Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more