Week in review

AUSCERT Week in Review for 26th November 2021

Greetings,

Did you know that the first known computer virus was called the Creeper Virus? It affected the Advanced Research Projects Agency Network (ARPANET), the precursor to today’s internet. Since then, many more cyber attacks have occurred all over the world and have grown in sophistication and potential impact.

Tuesday 30 November is Computer Security Day, a timely reminder for individuals and businesses to stay on top of cyber security, ensuring the necessary steps are taken to protect their data. Some suggestions to help you include changing your passwords across all platforms, devices and services, and signing up to a trusted password manager so you don’t have to remember them all! Update your spyware and malware protection software, and review your security strategy and best practices for staff, checking their understanding of what to do, when and how.

Time is running out to complete the 2021 BDO and AUSCERT Cyber Security Survey, closing at midnight on Friday, 3 December 2021. The 10-minute survey is an opportunity to benchmark your organisation’s cyber security efforts by gaining access to valuable data and insights into the cyber threats faced by your industry peers. Don’t forget, survey respondents will go in the draw to win an Apple Watch, so take part now for your chance to win!

Australia has a cybercrime under-reporting problem
Date: 2021-11-22
Author: Consultancy.com.au
When global IT and cybersecurity association ISACA [Information Systems Audit and Control Association] declared that “under-reporting [of] cybercrime – even when disclosure is legally mandated – appears to be the norm” back in 2019, it rang alarm bells and led to a flurry of headlines. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so,” ISACA reported.

GoDaddy’s Latest Breach Affects 1.2M Customers
Date: 2021-11-22
Author: Threat Post
The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

Ransomware warning: Hackers see holidays and weekends as a great time to attack
Date: 2021-11-23
Author: ZDNet
Ahead of Thanksgiving this Thursday, the US Cybersecurity and Infrastructure Agency (CISA) and the FBI have released a warning for critical infrastructure providers to stay vigilant on holidays and weekends, because hackers don’t plan on taking a holiday break. The agency issued a similar warning in August ahead of the Labor Day weekend, warning that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed.

Apple sues spyware-maker NSO Group, notifies iOS exploit targets
Date: 2021-11-23
Author: Bleeping Computer
Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech. The company says the state-sponsored attacks that used NSO’s spyware only targeted “a very small number” of individuals, across multiple platforms, including iOS and Android. The exploits used to deploy NSO Group’s Pegasus spyware were used to hack and compromise the devices of high-profile targets such as government officials, diplomats, activists, dissidents, academics, and journalists worldwide.

Black Friday: Online retailers exposed to email fraud and domain impersonation
Date: 2021-11-23
Author: Cyber Security Connect
Proofpoint has released new research that found one in four of the top online retailers in Australia today are wide open to email fraud and domain impersonation, with days to go until the start of the shopping spree of Black Friday and Cyber Monday.
The study looked at the DMARC (domain-based message authentication, reporting and conformance) records of the top 100 shopping websites ranked by Power Retail. It found that 27 companies have no DMARC protocol, leaving their customers, employees, partners and vendors exposed to receiving emails from scammers posing as trusted retailers. To date, only 16 top online retailers have achieved the highest level of DMARC protection, allowing these companies to block fraudulent emails from reaching inboxes.

Coin mining, ransomware, APTs target cloud: GCAT report
Date: 2021-11-24
Author: Google Cloud
While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Most recently, our internal security teams have responded to cryptocurrency mining abuse, phishing campaigns, and ransomware. Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact. The [Threat Horizons] report’s goal is to provide actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats. In this and future threat intelligence reports, the Google Cybersecurity Action Team will provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.

ESB-2021.3963 – php72: Root compromise – Existing account
The new update for php72 fixes local privilege escalation via PHP-FPM and is available for install now.

ESB-2021.3958 – ALERT salt: Multiple vulnerabilities
Multiple security vulnerabilities have been discovered in the Salt execution manager, which is open-source software for data-driven orchestration and remote execution.

ESB-2021.3965 – MozillaFirefox: Multiple vulnerabilities
Multiple Mozilla Firefox vulnerabilities have been discovered which are capable of resulting in the execution of code.

ASB-2021.0242 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction
Microsoft addressed a Microsoft Edge (Chromium-based) remote code execution vulnerability in their newest update.

ESB-2021.3999 – VMware vCenter Server and Cloud Foundation: Multiple vulnerabilities
Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware, and their new updates address arbitrary file read and SSRF vulnerabilities on affected products.

Stay safe, stay patched and have a good weekend!
The AUSCERT team



AUSCERT Week in Review for 19th November 2021

Greetings,

This Sunday, November 21, is World Television Day: a time to pay homage to the tube and, in so many cases, the saviour from our recent spate of lockdown-induced boredom! The day was established by the United Nations in 1996 to recognize the impact television has in bringing world attention to conflicts and threats to peace and security, and its potential in highlighting issues of importance and significance. So, T.V. isn’t just a device to binge watch the latest season of your favourite show; in fact, as technology evolves and becomes more integrated, the use of the humble ‘idiot box’ as a major tool to inform, educate and connect grows. For those that have a Smart T.V., the following We Live Security article discusses why such T.V.s make for attractive and potentially soft targets, and how cybercriminals can ruin more than your T.V. viewing experience.

Podcasts are another way of sharing information and engaging with people far and wide, with the latest in our ‘Share Today, Save Tomorrow’ series released earlier in the week. Episode 7, ‘The future of the cyber security pipeline and education in Australia’, includes a discussion featuring Prof. Ryan Ko and Ivano Bongiovanni on how The University of Queensland Cyber Security is helping build a pipeline of cybersecurity talent. It also includes insights from AUSCERT Senior Analyst Mark about how we are supporting UQ Cyber Security through lectures as well as supervising student capstone and research projects, and more!

Today also marks thirty-six days until Christmas, yikes! With a marked shift to online shopping during the pandemic, many of us may have already started purchasing presents to ensure delivery, whilst the rest of us had better get started!

Gov unveils principles to help secure critical technology supply chains
Date: 2021-11-15
Author: iTnews
The federal government has unveiled a final set of regulatory principles aimed at helping businesses secure the supply chains of critical technologies like artificial intelligence and quantum computing.

New study shows workplace blame cultures undermining cloud adoption
Date: 2021-11-17
Author: Cyber Security Connect
New research by Veritas Technologies highlights the damage that workplace blame cultures are having on the success of cloud adoption. It found that businesses are losing critical data, such as customer orders and financial data, because office workers are too scared or too embarrassed to report data loss or ransomware issues when using cloud applications such as Microsoft Office 365. Among the latest Veritas findings, half (50 per cent) of office workers have accidentally deleted files hosted in the cloud – such as business documents, presentations and spreadsheets. The report also gathered that as many as 14 per cent of office workers do so multiple times per week.

Amazon’s Dark Secret: It Has Failed to Protect Your Data
Date: 2021-11-18
Author: WIRED
According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon’s vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who’s at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn’t even map all of it, much less adequately defend its borders.

Cyber attack affects Federal Group payroll system but staff will still be paid
Date: 2021-11-17
Author: ABC News
Tasmania’s largest private sector employer has been affected by a cyber attack for the second time this year.
Federal Group yesterday made advance payments to staff after the payroll system it uses — run by global company Frontier Software — was affected by a “cyber incident”. Federal Group is one of more than 1,500 organisations, including the South Australian government and the Melbourne Theatre Company, that use Frontier’s software.

Official FBI email server hacked, used to send fake threat
Date: 2021-11-13
Author: The Record
A group of unidentified hackers have compromised one of the FBI’s email servers and have sent out a massive wave of spam emails containing a warning about a (fake) cyberattack that was allegedly taking place. The attack, which took place in the early hours of the US East Coast morning [November 13], impacted an email server that the FBI was using for some sort of public ticketing and alerting system, Carel Bitter, Chief Data Officer at Spamhaus, told The Record in an interview today.

91% of IT leaders affected by supply chain disruption: survey
Date: 2021-11-16
Author: ZDNet
A new survey of 400 IT decision-makers from Insight Enterprises found that 95% of IT decision-makers say the impact of the pandemic accelerated business transformation priorities. The 2022 Insight Intelligent Technology Report found that nearly all of the IT leaders surveyed have been affected in some way by the IT supply chain disruption. The survey featured the responses of 400 North America-based IT leaders to a 23-question survey in September. About two-thirds said they believe their enterprise has successfully adapted to the COVID-19 pandemic and adjusted to new realities using new tech and IT processes.

ESB-2021.3890 – Moodle: Multiple vulnerabilities
A remote code execution risk was found in Moodle when restoring a malformed backup file.

ESB-2021.3952 – php74: Root compromise – Existing account
The new update for php74 fixes local privilege escalation via PHP-FPM.

ESB-2021.3903 – FortiPortal: Cross-site scripting – Remote with user interaction
FortiPortal allows an attacker to perform reflected cross-site scripting attacks via specially crafted HTTP request parameters.

ESB-2021.3933 – Google Chrome: Multiple vulnerabilities
The Chrome team announced the release of Chrome 96 to the stable channel for Windows, Mac and Linux.

ESB-2021.3939 – MozillaFirefox: Multiple vulnerabilities
SUSE has released an update which fixes 8 Mozilla Firefox vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team



AUSCERT Week in Review for 12th November 2021

Greetings,

This Saturday, November 13, is World Kindness Day, which aims to help everyone understand that compassion for others is what binds us together. The Kindness Factory is on a mission to make the world a kinder place! This not-for-profit organisation was founded by former elite cricketer Kath Koschel, following a series of events that saw her life spiral into despair and darkness without warning. But Kath fought through her ordeal and emerged with a new passion for life and a complete understanding of how powerful kindness can be. The Kindness Log is a platform for anyone to log an act of kindness, allowing people to share experiences that demonstrate how one small act of kindness can make a really big difference. Remember, the world is full of kind people. If you can’t find one, be one!

Earlier this week, AUSCERT Director, Dr David Stockdale, was a guest speaker at the UQ School of IT and Electrical Engineering Cybersecurity Workshop. The topics discussed covered Cyber Incident Response within Critical Infrastructure and how to uplift our resilience. The session was one of four conducted throughout the day, which also discussed diversity in the cybersecurity workforce, upskilling and inter-disciplinary cyber education, to name a few. The experiences, insights and knowledge shared by the speakers are just one of the many ways AUSCERT collaborates, informs and helps those within the field.

But with the strongly held belief that cyber security is everyone’s problem, particularly with the shift to remote working over the past eighteen months, what is being done to counter the growing cyber threat? A recent article on Cyber Security Connect discusses what businesses should be doing to help employees, and themselves, tackle the issue.

Beyond the Basics: Tips for Building Advanced Ransomware Resiliency
Date: 2021-11-05
Author: Threatpost
The rate at which ransomware attacks occur is rapidly increasing. Not only have we witnessed the rise in the frequency of these attacks, but we have also seen them evolve into more sophisticated, successful and damaging events. The potential monetary gain from a ransomware attack is now so lucrative that many ransomware developers have established affiliate programs for their tools and expertise, offering ransomware-as-a-service. Ransomware demands also continue to skyrocket as more than 80 percent of victim organizations admit to paying ransom demands.

Op-Ed: What a house cat can teach us about cybersecurity
Date: 2021-11-07
Author: Los Angeles Times
The news today often contains reports about cybersecurity breaches that steal our data or threaten our national security. The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect? Recent experience with a house cat provided insights into the nature of this problem. I am allergic to cats. My daughter came home, cat in hand, for an extended stay, and I had to find a way of confining Pounce to a limited area. However, as many cat parents would have known — though I did not — this was doomed to be a losing battle.

Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage
Date: 2021-11-11
Author: ZDNet
Cyber attacks targeting vulnerabilities in virtual private networks (VPN) are on the rise, and many organisations are struggling to protect their networks. The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time. While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.

Queensland water supplier Sunwater targeted by hackers in months-long undetected cyber security breach
Date: 2021-11-11
Author: ABC News
It has been revealed that hackers left suspicious files on a webserver to redirect visitor traffic to an online video platform last year. Queensland’s largest regional water supplier, Sunwater, says it was targeted by hackers in a cyber security breach that went undetected for nine months. Sunwater admitted the cyber breach after the tabling of a Queensland Audit Office report into the state’s water authorities, which mentioned the incident but did not say which authority was targeted.

Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit
Date: 2021-11-10
Author: ZDNet
Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

Vagabon PhishKit – An Example of Shared Code Modularity
Date: 2021-11-03
Author: RiskIQ
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself “Vagabon”, looks to collect PayPal login credentials, as well as complete credit card information from the victim. While the kit itself doesn’t display many unique characteristics, it does contain bits and pieces of other known, familiar phish kits. This “Frankenstein” technique of piecing together modular, free or readily available kits and services has become increasingly popular.

ASB-2021.0236 – Microsoft Apps: Execute arbitrary code/commands – Existing account
Microsoft has released its monthly security patch update for the month of November 2021.

ESB-2021.3714 – docker.io: Access confidential data – Remote/unauthenticated
An information disclosure issue was discovered in the command line interface of docker.io.

ESB-2021.3716.2 – UPDATE Adobe Creative Cloud Desktop Application: Multiple vulnerabilities
Adobe has released an update for the Creative Cloud Desktop for Windows and macOS.

ESB-2021.3818 – tcpdump: Denial of service – Remote/unauthenticated
A denial of service vulnerability was found in the tcpdump network traffic tool, and an update is now available.

ESB-2021.3856 – postgresql: Multiple vulnerabilities
Two vulnerabilities were discovered in the PostgreSQL database system, which could result in man-in-the-middle attacks.

Stay safe, stay patched and have a good weekend!
The AUSCERT team



AUSCERT Week in Review for 5th November 2021

Greetings,

Last year’s BDO and AUSCERT Cyber Security Survey found that data breaches doubled and organisations were overconfident in their cyber controls. To challenge this trend, now is the time to review your approach to cyber security. The annual BDO and AUSCERT Cyber Security Survey identifies the current cyber security trends, issues and threats facing organisations across Australia and New Zealand. We invite you to take our 10-minute survey, which provides the opportunity to sense check your organisation’s approach to cyber risk. By taking part, you will gain access to valuable data, allowing you to benchmark your organisation’s cyber security efforts and gain insights into the cyber threats faced by your industry peers. Survey respondents will go in the draw to win an Apple Watch. The survey closes at midnight on Friday, 3 December 2021.

A recent article by ZDNet revealed that a significant number of people have accepted that remote working may be accompanied by being monitored by the companies they work for. Based on a survey of 11,000 consumers across eleven countries, the article also points out that only a small number of respondents were familiar with cyber security issues or where to report scams should they be targeted, highlighting the potential risk for organisations in a hybrid working environment.

It’s Movember again, a global campaign which quite simply asks you to pay attention to, talk about, raise funds and, most importantly, raise awareness for men’s cancers and other men’s health issues. The traditional way to get involved is to “Grow a Mo”, but anyone can show their support by taking part in “Move for Movember”, “Host a Mo-ment” and “Mo Your Own Way”. The campaign runs for the entire month, so there’s plenty of time to get involved and create your very own mo-ments to support men’s health issues.

Building sovereign resilience into Australian technology supply chains
Date: 2021-10-28
Author: Cyber Security Connect
Proofpoint threat researchers have identified a new, highly active cyber criminal threat actor, TA2722, and have colloquially named the cyber threat group the ‘Balikbayan Foxes’. The cyber criminal group impersonates Philippine health, labour and customs organisations as well as other entities based in the Philippines. A series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration and the Bureau of Customs.

‘Trojan Source’ Bug Threatens the Security of All Code
Date: 2021-11-01
Author: Krebs on Security
Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode […]. Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right). “By placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”

Microsoft: This macOS flaw could have let attackers install undetectable malware
Date: 2021-11-01
Author: ZDNet
Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a ‘rootkit’. The flaw resided within macOS System Integrity Protection (SIP). The glitch allowed a potential attacker to install a hardware interface that allows them to “overwrite system files, or install persistent, undetectable malware”.

FBI: Ransomware groups tying attacks to ‘significant financial events’
Date: 2021-11-03
Author: ZDNet
The FBI has released a new report saying ransomware groups are increasingly using “significant financial events” as leverage during their attacks. According to the FBI, ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms. “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material non-public information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI wrote.

EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
Date: 2021-11-01
Author: The Record
The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity guidelines for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices. The new standards, which are currently scheduled to enter into effect by mid-2024, were adopted following a delegated act to the Radio Equipment Directive, a piece of 2014 EU legislation that acts as the regulatory framework that equipment vendors must follow in order to sell electronic equipment on the EU market.

Google wants every account to use 2FA, starts auto-enrolling users
Date: 2021-11-04
Author: Ars Technica
Google announced earlier this year that it is planning to forcefully transition as many of its users as possible to two-factor authentication. The company elaborated further in October, saying it was planning to auto-enroll 150 million Google accounts in 2FA by the end of the year. Now, with just two months left in the year, Android Police has found a few reports showing that the process has started, with some users finally being auto-enrolled in 2FA.

ESB-2021.3668 – ALERT Catalyst Passive Optical Network (PON) Series Switches: Multiple vulnerabilities
Cisco has released software updates that address vulnerabilities in Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT).

ESB-2021.3667 – ALERT Policy Suite: Root compromise – Remote/unauthenticated
Cisco has released free software updates that address the vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite, which could lead to root compromise.

ASB-2021.0229.2 – UPDATED ALERT Unicode Directional Formatting: Multiple Vulnerabilities
An attacker could exploit the Unicode standard to deceive a human code reviewer and hide unexpected and potentially dangerous behaviour.

ESB-2021.3666 – GitLab: Multiple vulnerabilities
This critical vulnerability is the result of improper validation of image files by a 3rd-party file parser, resulting in a remote command execution vulnerability.

ESB-2021.3684 – Firefox: Multiple vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website.

Stay safe, stay patched and have a good weekend!
The AUSCERT team



AUSCERT Week in Review for 15th October 2021

Greetings,

This week’s image, the captivating and vibrant Jacaranda, is an iconic tree in Australia but is in fact native to Central and South America. Here at The University of Queensland, they’re even part of local lore, signifying the end of year exams, colloquially known as ‘purple panic’. The idea of panic, isolation and anxiety has been an all too common one of late, with this year’s Mental Health Week (October 9 – 17) reminding us of the need to ‘Take time – for mental health’. We can all take steps to promote better health for ourselves and others by engaging in the building blocks of wellbeing. Just remember PERMA:
Positive emotion
Engagement
Relationships
Meaning
Accomplishments

Earlier in the week, the Australian Cyber Security Centre released an update to the Essential 8 (or E8), which are key mitigation strategies that can save organisations considerable time, money, effort and reputational damage. The most recent evolution of the E8 has been assessed by CyberSecurity Connect as heightening the baseline for cyber security in Australia.

With the growing sophistication of malicious events that target individuals and corporates through phishing, SMS malware, trojan viruses and more, it’s important to understand the value of cyber security. CyberExperts.com delves into the impact a cyber-attack can have. In an ever-changing technological landscape that sees growing inter-connectivity, with more Internet of Things (IoT) devices connected globally and cybercrime becoming more sophisticated, cyber security is increasingly important to defend against hackers and other online threats.

Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed
Date: 2021-10-13
Author: ZDNet
Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.

150 Million Google Users To Get 7 Days’ Notice Before Bold Security Change
Date: 2021-10-09
Author: Davey Winder
Google has confirmed that it will be pushing forward, on an ‘automatic enrollment’ basis, with a bold security update for some 150 million users before the year-end. The confirmation from Google came by way of an official safety and security blog posting this week. Yes, we are talking about two-factor authentication (2FA) here, or two-step verification (2SV) in the case of Google. What matters most here is that Google is bringing additional protection to your login credentials. Important because, as recent research into credential stuffing showed, the use of compromised login details is on the up. One significant report even pegs 61% of data breaches as involving credential misuse.

Emergency Apple iOS 15.0.2 update fixes zero-day used in attacks
Date: 2021-10-11
Author: Bleeping Computer
Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads. This vulnerability, tracked as CVE-2021-30883, is a critical memory corruption bug in the IOMobileFrameBuffer allowing an application to execute commands on vulnerable devices with kernel privileges.

Microsoft Azure fends off huge DDoS Attack
Date: 2021-10-13
Author: ZDNet
Distributed Denial of Service attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second, the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date. What we know for certain is it’s the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020’s Azure 1 Tbps attack, and Microsoft reported it was “higher than any network volumetric event previously detected on Azure.” Who was targeted? We don’t know. Microsoft isn’t talking. The attack itself came from over 70,000 sources.

Student finds zero-days in Exterity devices while rick-rolling school district
Date: 2021-10-13
Author: The Record
An Illinois teenager has found a zero-day vulnerability in Exterity IPTV systems during a rick-roll prank he pulled off on his school district before graduation. On April 30 this year, Minh Duong and a group of close friends took over all networked TVs and other displays inside the six high schools that are part of the Illinois Township High School District 214 to play Rick Astley’s infamous “Never Gonna Give You Up” song disguised as an important announcement. The hack, detailed in a step-by-step blog post published last week, involved scanning the school network for connected devices, analyzing their firmware for bugs, and deploying a payload for a carefully timed attack that took over school TVs and displays during a recess to prevent interfering with classes or other exams.

ASB-2021.0193 – Microsoft Patch Tuesday update for Microsoft Extended Security Update (ESU) products for October 2021
It’s that time of month where Microsoft scares us again – there is the usual assortment of serious vulnerabilities worthy of updates. Keep your systems up to date!

ESB-2021.3357 – apache2 security update
Apache2 living up to its name, in that the denial of service and data leak risks should be enough for you to, uh, patch it too.

ESB-2021.3364 – firefox security update
Firefox fraught with fire after felonious fellows find fatal flaw with various flagshi… Actually, code execution, DoS and information disclosure are no joking matter; you should pay attention to this one.

ESB-2021.3401 – MFSA 2021-46 and MFSA 2021-47 Security Vulnerabilities fixed in Thunderbird
Do you like computers? How would you like to use emails to gain control of someone else’s computer? Wait, no, we’re the good guys… If you DON’T want to lose your servers, we recommend checking these vulnerabilities out.

ESB-2021.3415 – wordpress security update
WordPress cross-site scripting sending you cross-eyed this week, which won’t help the double vision you get when your users are impersonating each other as well. Patch time!

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 1st October 2021

Greetings,

Today is International Coffee Day, an opportunity to celebrate the tasty brew that provides a kickstart to get us going or a boost to sustain us when needed. How do you prefer your coffee?

Earlier in the week, it was revealed that almost 10 million Android devices globally had been infected with malware delivered via GriftHorse apps. The Register reported on the Trojan code that has already netted millions of dollars. ZDNet advised that many experts, including VMware and CISA, have been begging people to address CVE-2021-22005, a vulnerability in VMware vCenter, by updating their systems as soon as possible. Microsoft rolled out a new feature to Exchange that will automatically install temporary mitigations that block active security flaws until an official patch is released by Microsoft. The Record wrote about the proactive move by Microsoft with its first-of-its-kind security feature.

Lastly, we wanted to advise of some upcoming training that is being held in the last quarter of 2021, delivered remotely via Zoom. The courses will focus on Cyber Security Risk Management and Introduction to Cyber for IT Professionals. Dates and further information can be found on the online booking portal or by contacting us via email at training@auscert.org.au.

Emergency Google Chrome update fixes zero-day exploited in the wild
Date: 2021-09-24 Author: Bleeping Computer
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. “Google is aware that an exploit for CVE-2021-37973 exists in the wild,” the browser vendor revealed in Friday’s security advisory.

Victoria launches five-year, AU$50 million cyber strategy
Date: 2021-09-20 Author: ZDNet
The Victorian government has launched a new five-year cyber strategy that will see over AU$50 million allocated towards bolstering the state’s cybersecurity resilience. The cyber strategy will focus on three core missions that government has described as providing safe and reliable delivery of government services, creating a cyber safe place, and creating a “vibrant” cyber economy. The strategy will be implemented through the state’s chief information security officer releasing annual mission delivery plans that outline specific activities associated with the three core missions. The CISO will develop this plan in consultation with relevant stakeholders across government, industry, and the community.

Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes
Date: 2021-09-27 Author: The Record
Microsoft will soon roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years. Called the Microsoft Exchange Emergency Mitigation service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches. The Emergency Mitigation service will be enabled by default for all Exchange servers once they install the September 2021 Cumulative Updates for Exchange servers, which are shipping out soon, after Microsoft delayed their release last week to have more time to work on it.

Wide-ranging BEC scam underscores dangers of doing business with (un)trusted suppliers
Date: 2021-09-27 Author: SC Media
Such schemes, referred to as “business email compromise,” often don’t get nearly the amount of attention or public awareness as ransomware and other forms of cybercrime, but the cumulative losses to businesses and individuals every year often dwarf what is seen in almost all other areas of digital crime. According to the latest annual internet crime report from the FBI, they helped fuel a record number of complaints reported to authorities by the American public in 2020, with 19,369 complaints and adjusted losses of $1.8 billion attributed to BEC schemes alone.

Govt cyber incident intervention powers likely to be rushed in
Date: 2021-09-30 Author: iTnews
‘Last resort’ powers that would allow the government to intervene to contain a cyber attack on critical infrastructure should be “swiftly legislated”, a parliamentary committee says.

ESB-2021.3226 – ALERT Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google has released Chrome updates to fix an actively exploited zero-day vulnerability tracked as CVE-2021-37973.

ASB-2021.0187 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft last week rolled out updates for its Chromium-based Edge browser addressing multiple vulnerabilities, including the zero-day CVE-2021-37973.

ESB-2021.3214 – Traffix SDC: Denial of service – Remote/unauthenticated
F5 is yet to release a fix for Traffix SDC to address a use-after-free vulnerability in glibc.

ESB-2021.3262 – GitLab Community Edition and GitLab Enterprise Edition: Multiple vulnerabilities
GitLab addresses numerous vulnerabilities in its latest security release, including stored XSS, DNS rebinding, and a number of permission mishaps.

ESB-2021.3162.2 – UPDATE ALERT VMware vCenter Server & Cloud Foundation: Multiple vulnerabilities
VMware has updated its security advisory to confirm that CVE-2021-22005 is being exploited in the wild.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 29th October 2021

Greetings,

AUSCERT is always looking for ways to increase our value to our members. We know that data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. As part of this, we would like to hear your feedback on the idea of us delivering data governance advisory services. We are seeking expressions of interest for services such as these and would welcome feedback via our online survey. All submissions are confidential and will assist us in evaluating the need for this service in your organisation.

The Women in Security Magazine explores different journeys of women in security, gains career perspectives from industry experts, offers different technology perspectives, includes insights from industry greats on diversity and inclusion, and so much more! Issue 5 explores the misconception concerning the shortage of skilled women in the security industry and includes an interview with AUSCERT team member Vishaka about her journey into the field of cyber security.

As we celebrate Cyber Security Awareness Month, it’s important to ensure you have access to the right information and tools you need to make informed decisions about your cyber risk tolerance.

Overview of Malware Hosted on Discord’s Content Delivery Network
Date: 2021-10-20 Author: RiskIQ
RiskIQ’s Research team has begun analyzing Discord’s Content Delivery Network links with files ending in certain extensions (like exe, dll, compressed and document file extensions) to identify malware files posted to Discord servers. Through this research, we can identify the Discord channel ID to pivot off of in the RiskIQ platform. Overall, since mid-September 2021, RiskIQ was able to identify over 100 Discord URLs delivering malicious content, such as AsyncRAT, Raccoon Stealer, Agent Tesla, and many other backdoors, password stealers, and Trojans.

Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms
Date: 2021-10-25 Author: ZDNet
The federal government has released an exposure draft for what it has labelled an Online Privacy Bill that it hopes will enhance online privacy protections for Australians through an expansion of the nation’s Privacy Act. “The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy,” the federal government wrote in the Bill’s explanatory paper. Under current legislation, the federal government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a credit reporting code. The Bill is seeking to expand the Privacy Act to allow government to create a third code specifically for regulating three classes of organisations: social media platforms, data brokers, and large online platforms.

Mozilla Firefox cracks down on malicious add-ons used by 455,000 users
Date: 2021-10-26 Author: ZDNet
Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, used by software to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities.

These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Date: 2021-10-27 Author: ZDNet
Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

1,000,000 Sites Affected by OptinMonster Vulnerabilities
Date: 2021-10-27 Author: Wordfence
On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

ESB-2021.3563 – ALERT macOS Big Sur: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Apple macOS Big Sur, the most severe of which could allow root compromise.

ESB-2021.3602 – Junos OS and Junos OS Evolved: Multiple vulnerabilities
Juniper has released new software versions for Junos OS to address multiple vulnerabilities which could lead to root compromise.

ESB-2021.3605 – salt: Root compromise – Existing account
An issue was discovered in SaltStack Salt which allows a user who has control of the source and source_hash URLs to gain full file system access as root.

ESB-2021.3599 – Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Multiple vulnerabilities
Cisco has released updates for multiple vulnerabilities identified in Cisco ASA and Cisco FTD software.

ESB-2021.3608 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): Multiple vulnerabilities
GitLab has released security updates to fix multiple vulnerabilities identified in Community Edition and Enterprise Edition.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 22nd October 2021

Greetings,

With the announcement of the new slate of Apple products this week, including MacBooks and AirPods, which now looks to be an annual occurrence, questions arise as to whether some of the newer versions are a needed evolution of technology or simply a tactic to increase sales. A recent article from ZDNet discusses whether the drive to incorporate new and untested elements (with the goal of creating the need for consumers to upgrade) comes at the cost of functionality.

Red Teaming, social engineering and stolen identities – war stories from the field is the topic of Episode 6 of AUSCERT’s podcast series, “Share today, save tomorrow”. It features co-founder and CEO of Hacktive, Chris Gatford, who has been responsible for delivering Attack and Penetration and Technical Security Assessments, has reviewed countless IT environments and has directed and been responsible for numerous security assessments for a variety of corporations and government departments. Mike Holm returns to discuss a recent Apache vulnerability and AUSCERT’s response, notifying members that were potentially susceptible to the vulnerability in a very timely manner, as well as the expansion of services to include advisory on Data Governance and running Tabletop exercises. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

We’re excited to announce the release of a snapshot of our service stats for Quarter 3, 2021: an overview of the cyber security incidents reported by members from 1 July – 30 September 2021, which includes a summary of other key achievements this quarter. We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our service stats for Quarter 3 2021.

Microsoft asks admins to patch PowerShell to fix WDAC bypass
Date: 2021-10-18 Author: Bleeping Computer
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.

ACCC warns phone users to be aware of evolving Flubot scams
Date: 2021-10-17 Author: ABC News
A text message scam that contacts thousands of Australians a day has evolved to entice phone users to install software security — to protect against its own malicious malware. Since August, Australians have received text messages purporting to be an unopened voicemail notification, with a link encouraging users to download the scam “voicemail”. Cyber security experts are warning the scam has morphed into an elaborate scheme that plays on users’ security fears. In a strange twist, the scam is enticing phone users to download extra security to protect their phone — from their own scam.

Australia’s Ransomware Action Plan – What does it mean for you?
Date: 2021-10-14 Author: Willis Towers Watson
Will Australia introduce a mandatory ransomware incident reporting regime? The government’s Ransomware Action Plan seeks to create a cultural shift in the way Australia responds to this cyber threat. On 13 October 2021, the Minister for Home Affairs Karen Andrews announced the Ransomware Action Plan which is intended to support Australian individuals, businesses, and critical infrastructure. The plan responds to significant public concern around rising losses to business and the community caused by malicious cyber extortion attacks and the worrying increase in financial and identity frauds perpetrated following ransomware attacks. It also provides key insights into the Australian Government’s wider cyber security objectives.

Supply chain attacks are the hacker’s new favourite weapon. And the threat is getting bigger
Date: 2021-10-20 Author: ZDNet
Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it’s possible to find a potential way into thousands of targets at once. Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.

Female Cybersecurity Leaders: Who Wants Them?
Date: 2021-10-20 Author: LinkedIn
[Spoilers: many organisations can benefit from the female CISO’s point of view.] Last year, the world witnessed one of the greatest industrial changes in living memory with the pandemic igniting rapid, exponential growth. Caught off guard, and now in our post-pandemic reflective reality, one thing has become crystal clear. The world seeks a new kind of leader – one who must not only embrace change but become an instigator of it and be renowned for it. The era of the fast follower – a company that quickly imitates the innovations of its competitors – is over. Thanks to technology, continual rapid change is here to stay. For years we’ve known it was coming, what with Industry 4.0 on the horizon. And that’s why effective leaders must become experts of change. The first mover advantage is back!

Google unmasks two-year-old phishing & malware campaign targeting YouTube users
Date: 2021-10-21 Author: The Record by Recorded Future
Almost two years after a wave of complaints flooded Google’s support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google’s security team has finally tracked down the root cause of these attacks. In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to “a group of hackers recruited in a Russian-speaking forum.” TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review.

ASB-2021.022 – ALERT Oracle Insurance Applications: Multiple vulnerabilities
Oracle has released a critical patch update that fixes multiple vulnerabilities in Oracle Insurance Applications.

ASB-2021.0212 – ALERT Oracle Communications products: Multiple vulnerabilities
Oracle’s most recent patch update includes 71 new security patches and additional third-party patches for Oracle Communications products.

ASB-2021.0203 – ALERT Oracle Fusion Middleware Products: Multiple vulnerabilities
Oracle released 38 new security patches for multiple vulnerabilities in Oracle Fusion Middleware. 30 of these vulnerabilities may be exploited over a network without requiring user credentials.

ASB-2021.0198 – ALERT MySQL products: Multiple vulnerabilities
Multiple vulnerabilities identified in Oracle MySQL have been addressed by Oracle’s October patch update.

ASB-2021.0225 – Microsoft Surface Pro 3: Reduced security – Existing account
Microsoft encourages its customers to practice good security habits to address a bypass vulnerability that affects Microsoft Surface Pro 3.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 8th October 2021

Greetings,

The global outage of Facebook, Instagram and WhatsApp earlier in the week highlighted the impact a small error can have on an entire network. It’s believed that the outage was caused by a routine maintenance job that unintentionally resulted in Facebook’s data centres being disconnected from the internet, making Facebook, WhatsApp and Instagram inaccessible. With over 3.5 billion users around the planet, MIT Technology Review writes on how dependent people have become on one company’s data centres and the impact an outage on this scale has.

Earlier in the week, AUSCERT team members participated in a multi-national drill that saw their skills tested with a simulated malware attack. Of the eight tasks they were asked to complete, the most challenging required the duo to analyse, evaluate and re-assess their response to what they correctly deduced was a ransomware attack. Fifteen teams took part, with both AUSCERT team members expressing that they enjoyed the challenge, which tested abilities from file decryption to port scanning to gain an understanding of how the attack occurred. Exercises such as this provide our team with current, real-world scenarios that reinforce, add to and enhance their skillset to ensure AUSCERT remains at the forefront of cyber security defence.

Lastly, October is Cybersecurity Awareness Month, the perfect time to remind individuals and organizations of the importance of cybersecurity and to encourage active use of measures that foster vigilance and offer protection. There are many ways to improve protection against common online threats and cybercrime. At AUSCERT, we’re passionate about data security and keeping your information safe. That’s why we deliver 24/7 service to our members alongside a range of comprehensive tools to strengthen your cyber security strategy. To stay up-to-date with the latest cyber information, security alerts and more, simply head to our website, scroll to the bottom and subscribe!

Legislation expanding digital identity scheme to private sector finally unveiled
Date: 2021-10-04 Author: Innovation Aus
The federal government has finally unveiled exposure legislation expanding its digital identity program to state governments and the private sector, with a whirlwind consultation period commencing before it is soon introduced to Parliament. The legislation will introduce two voluntary schemes to accredit companies and governments as service providers or relying partners in the digital identity program, as well as enshrining extra privacy safeguards in law and establishing a permanent oversight authority for the scheme. The digital identity scheme, a whole-of-government federal program aiming to provide identity verification across a range of government services and private sector offerings, has been in the works for six years at a cost of more than $450 million, but legislation is required to expand it to the private sector.

Understanding How Facebook Disappeared from the Internet
Date: 2021-10-05 Author: Cloudflare
“Facebook can’t be down, can it?”, we thought, for a second. Today at 1651 UTC, we opened an internal incident entitled “Facebook DNS lookup returning SERVFAIL” because we were worried that something was wrong with our DNS resolver 1.1.1.1. But as we were about to post on our public status page we realized something else more serious was going on. Social media quickly burst into flames, reporting what our engineers rapidly confirmed too. Facebook and its affiliated services WhatsApp and Instagram were, in fact, all down. Their DNS names stopped resolving, and their infrastructure IPs were unreachable. It was as if someone had “pulled the cables” from their data centres all at once and disconnected them from the Internet.

Why Windows 11’s security is such a big deal
Date: 2021-10-05 Author: TechRepublic
The hardware requirements for Windows 11 have led to a lot of debate about exactly what changes in newer PCs and processors; they’ve also led to enterprises thinking about what security features they need in hardware. Microsoft’s second Security Signals report shows that enterprise security decision-makers are concerned about the security impact of hybrid work, and they expect PC hardware to help, said Dave Weston, director of OS security at Microsoft.

Twitch source code, creator earnings exposed in 125GB leak
Date: 2021-10-07 Author: Ars Technica
Live video broadcasting service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and removed) Wednesday, an anonymous user posted a torrent file of the data dump. The dump contains the company’s source code and details of money earned by Twitch creators.

ESB-2021.3341 – Security update for apache2
Apache has another vulnerability! Here we have an SSRF via a specially crafted URI – not a fun combination. You also get a DoS for free as well. Patch your systems!

ESB-2021.3321 – firefox-esr security update
Extending the exhaustive list of Firefox memory corruption bugs, more have been discovered which were capable of resulting in execution of code. We use the past tense, but if you don’t update, it could be the present tense for you!

ESB-2021.3294 – USN-5104-1: Squid vulnerability
Black hat sharks have begun to encircle at-risk squids, threatening them with DoS and confidential data disclosures. Update your systems to save the squids!

ESB-2021.3287 – Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Two for the price of one: an alert was put out for Apache systems this week, after a vulnerability allowing an attacker to link to URLs outside of the expected document root was “fixed” (spoiler: not quite the first time around)… Needless to say, we recommend patching this immediately.

ESB-2021.3276 – USN-5101-1: MongoDB vulnerability
A DoS vulnerability discovered in MongoDB puts many home movie collections at risk. Probably some other more important services too, but think about the movies…

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 24th September 2021

Greetings,

We wanted to remind everyone that it’s worth having a look to be sure that you’re not affected by the VMware vCenter vulnerability CVE-2021-22005 – a patch is available and so is a quicker (but temporary) mitigation. We notified a small number of members yesterday of internet-exposed servers. More information can be found in this Bleeping Computer article.

Bleeping Computer also reported on a vulnerability in macOS Finder that makes it possible for attackers to run commands on Macs running any macOS version up to the most recent release, Big Sur. With the unveiling of Apple’s iOS 15 this week, there has been a lot of focus on their increased efforts to offer consumers greater control over who sees their data. MacRumors released a guide on the new privacy and security features that have seen mixed reactions concerning Apple’s handling of user data.

Lastly, to all the parents, guardians and family members experiencing school holidays, remember, this too shall pass, so enjoy the family time and/or look forward to the end… good luck!

DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public
Date: 2021-09-17 Author: The Record
Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub. Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an app called Open Management Infrastructure (OMI), which Microsoft has been silently installing by default on most Azure Linux virtual machines.

Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Date: 2021-09-22 Author: The Record
Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world. Based on his finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available online. […] For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users that were trying to set up their email clients, but their email clients were failing to find their employer’s proper Autodiscover endpoint.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Date: 2021-09-22 Author: The Hacker News
Microsoft has opened the lid on a large-scale phishing-as-a-service operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort. “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” the Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

Researchers compile list of vulnerabilities abused by ransomware gangs
Date: 2021-09-18 Author: Bleeping Computer
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks. All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT, on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.

ESB-2021-3190 – Cisco IOS XE Software multiple vulnerabilities
Cisco IOS XE is currently experiencing technical difficulties – those difficulties? A range of quite serious vulnerabilities, ranging from unauthenticated code execution to DoS, all warranting a patch.

ESB-2021-3162 – VMSA-2021-0020 – VMware vCenter Server updates address
Security bugs in vCenter Server that were privately disclosed to VMware have been classified as “critical” after it was discovered they were, in fact, critical.

ASB-2021-0183-2 – Microsoft Patch Tuesday update for Azure for September 2021
It was good to see Microsoft stay consistent this week – both in the sense that Patch Tuesday came and went, and that we were spoiled with an assortment of privilege escalation and code execution vulnerabilities.

ESB-2021-3099-2 – Apple security update for iOS 14.8 and iPadOS 14.8
Apple announced some not-so-fun vulnerabilities for iOS and iPadOS this week – malicious applications are capable of executing code with kernel privileges, and interestingly one vulnerability permitted this over a Bluetooth connection.

ESB-2021-3212 – iOS 12.5.5 Vulnerabilities
Apple’s at it again with the vulnerabilities, having identified a number of serious issues with iOS 12.5.5 that are actively being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th September 2021

AUSCERT Week in Review for 17th September 2021 Greetings, Apple issued a series of security updates earlier in the week to patch two critical vulnerabilities that the company says were “actively exploited” in the wild. Further information is available in this CISA article. ZDNet reported that Microsoft issued over 60 security fixes of their own with the latest round of patches to resolve issues that impacted a range of products including Azure Sphere, Microsoft Windows DNS, among other software. Following on from the release of AUSCERT’s most recent podcast last week, it has been highlighted in VMware’s latest Global incident Response Threat Report that an increasing number of cyber security professionals experienced “extreme stress or burnout” due to the surging attacks of cyber criminals during the COVID19 pandemic. Links to the report, along with tools to help identify and assist with such occurrences can be found in the report from ACS Information Age. Lastly, ARS Technica reported on what has been dubbed an “embarrassing ‘security bulletin’” from Travis CI along with the handling of the vulnerability disclosure process following the potential exposure of the information of over 600,000 users. Windows MSHTML exploits shared on hacking forums Date: 2021-09-12 Author: Bleeping Computer Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation. These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer. However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations. 
Google patches 10th Chrome zero-day exploited in the wild this year
Date: 2021-09-13 Author: Bleeping Computer
Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them zero-days exploited in the wild. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company revealed in the release notes for the new Chrome version. The update is currently rolling out worldwide in the Stable desktop channel, and Google states it will become available to everyone over the next few days.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
Date: 2021-09-13 Author: The Hacker News
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that has actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool, codenamed “Vermilion Strike”, is one of the rare Linux ports of what has traditionally been a Windows-based red team tool, heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as “threat emulation software”, with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
Date: 2021-09-14 Author: ZDNet
Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14.
Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

Ransomware crims saying ‘We’ll burn your data if you get a negotiator’ can’t be legally paid off anyway
Date: 2021-09-15 Author: The Register
A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools. Grief Corp is the latest criminal crew to threaten its victims with instant data destruction if it suspects a mark has engaged a mediator.

You Can Now Ditch the Password on Your Microsoft Account
Date: 2021-09-15 Author: WIRED
Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.

Securing Netflix Studios At Scale
Date: 2021-09-14 Author: Netflix TechBlog
In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play.
The security team was working diligently to support this effort, faced with two apparently contradictory priorities: 1) streamline any security processes so that we could get applications built and deployed to the public internet faster; 2) raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value.

ASB-2021.0177.2 – UPDATE ALERT MSHTML: Execute arbitrary code/commands – Remote with user interaction
Microsoft’s Patch Tuesday includes fixes for a remote code execution vulnerability in Windows that is being exploited in the wild.

ESB-2021.3099 – ALERT iOS and iPadOS: Execute arbitrary code/commands – Remote with user interaction
Apple releases iOS 14.8 and iPadOS 14.8 to address a remote code execution vulnerability in iOS and iPadOS.

ESB-2021.3102 – ALERT macOS Catalina: Execute arbitrary code/commands – Remote with user interaction
Apple is aware of a remote code execution vulnerability in macOS Catalina that may have been actively exploited.

ESB-2021.3103 – ALERT macOS Catalina and macOS Mojave: Execute arbitrary code/commands – Remote with user interaction
Apple’s most recent security patch for Safari fixes a remote code execution vulnerability.

ESB-2021.3107 – ALERT Siemens APOGEE and TALON: Multiple vulnerabilities
Unauthenticated root access is available thanks to what MITRE calls a ‘classic buffer overflow’. Affects certain building automation systems from Siemens.

ASB-2021.0185 – ALERT Microsoft Extended Security Update: Multiple vulnerabilities
Microsoft releases its monthly security patch update to resolve 25 vulnerabilities across Windows and Windows Server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 10th September 2021

Greetings,

Earlier this week, Microsoft issued a warning to Windows 10 users about a previously unknown security vulnerability, CVE-2021-40444, that is potentially being exploited by cybercriminals. Microsoft is advising users to apply mitigations until an official patch becomes available. There is an update on the situation in this Bleeping Computer article.

After reports this week that a threat actor had collected and published credentials for Fortinet’s SSL-VPN devices, we fetched a copy of the data set and yesterday notified the members included in it. Fortinet have today published an advisory, which we have sent out as ASB-2021.0179. The exploited vulnerability was originally fixed in May 2019 – a sterling reminder to keep up with patching (or to ask your manager to allocate time for it!).

ZDNet reported on another recent Microsoft vulnerability, a bug in its Azure Container Instances. Microsoft confirmed it had mitigated the vulnerability and advised that there had been no indications of unauthorised access to customer data.

AUSCERT released our latest podcast (Episode 5), ‘Creating a culture of care’, featuring Mental Well Being Consultant Julie Gillespie. Julie shares her insights and ideas, born of her personal experiences, to help develop a culture that identifies and supports those experiencing challenges and difficulties, which also benefits the workplace. The podcast was timely as it preceded this year’s R U OK? Day, which took place on Thursday, September 9. This year’s message focused on asking friends, families and colleagues if they’re really OK. Because of the volume of people experiencing isolation, frustration and helplessness, every day is an opportunity to consider, “What can I do to make a positive influence on my own mental wellbeing and/or for the people in my life more often?”
Here at AUSCERT, we gathered in our HQ for a morning tea to reconnect and then took a stroll after lunch along some scenic walking paths nearby for a good chat and some fresh air. If you’re feeling depressed, angry, stressed, fearful, anxious or alone, visit: ruok.org.au/findhelp

Hackers leak passwords for 500,000 Fortinet VPN accounts
Date: 2021-09-08 Author: Bleeping Computer
A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident, as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs
Date: 2021-09-06 Author: iTnews
Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn. ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Cybersecurity is tough work, so beware of burnout
Date: 2021-09-06 Author: ZDNet
Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats.
Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

Ransomware: Take these three steps to protect yourself from attacks and make it easier to recover
Date: 2021-09-08 Author: ZDNet
Microsoft has shared three key steps organizations can take to ensure a ransomware attack doesn’t cripple their entire network in an attempt to extract a multimillion dollar ransom or leak sensitive corporate data on the internet. Microsoft developed the three-step advice as part of its feedback to the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST)’s recent call for expert approaches to preventing and recovering from ransomware and other destructive cyberattacks.

Protecting yourself from phone porting and SIM card scams
Date: 2021-09-07 Author: ABC Everyday
To get around the increased restrictions on SIM porting, scammers may impersonate your telco to get the verification code. “To port the number, for example, some telcos might require an authentication code. The criminal knows that. They also know the number of the person they’re trying to exploit.” “They’ll arrange for that code to be sent via text, then the criminal will call the victim and impersonate the telco and say, ‘Look, I noticed that there has been some unauthorised access on your account. We’ve sent you a verification code, can you confirm that to me?’”

ESB-2021.3048 – WordPress 5.8.1 Security and Maintenance Release
A plethora of security patches in the new WordPress release.

ESB-2021.3045 – firefox-esr security update
Mozilla Firefox arbitrary code execution vulnerabilities.

ASB-2021.0179 – FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
SSL-VPN credentials for FortiGate devices were leaked by a malicious actor this week.
ASB-2021.0177 – Microsoft MSHTML Remote Code Execution Vulnerability
Actively exploited RCE vulnerability in MSHTML, with mitigation recommendations.

ESB-2021.2994 – squashfs-tools security update
Vulnerability in squashfs-tools allowing attackers to overwrite arbitrary files.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
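The advisory above says only that the squashfs-tools flaw lets an attacker overwrite arbitrary files, not how. The following is therefore an added example rather than a description of that bug or of squashfs-tools’ own code: it assumes the two routes an archive extractor usually takes to an out-of-tree write (traversal components in entry names, and writing through a symlink that an earlier entry of the same archive planted) and shows a write path that refuses both. The archive and its entries are constructed in memory, and two temp directories stand in for the extraction root and a file outside it.

```python
"""Refuse archive entries that would write outside the extraction root.

Added example: this is not squashfs-tools code and not from the page. The
advisory says only that the flaw lets an attacker overwrite arbitrary files;
this code assumes the two routes an extractor usually takes to get there
(traversal components in entry names, and writing through a symlink that an
earlier entry of the same archive planted) and shows a write path that
refuses both. The "archive" is a constructed in-memory list of entries.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass
class Entry:
    name: str           # path as stored in the archive
    kind: str           # "dir", "file" or "symlink"
    data: bytes = b""   # file contents
    link: str = ""      # symlink target


class UnsafeEntry(Exception):
    pass


def contained_path(root: str, name: str) -> str:
    """Map an archive name to an absolute path under root, or raise.

    Absolute names and '..' components are rejected lexically. The parent
    directory is then resolved through any symlinks already on disk and must
    still lie inside root; the final component is deliberately not resolved,
    so a symlink *at* the target is caught separately by extract().
    """
    real_root = os.path.realpath(root)
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeEntry(f"empty name: {name!r}")
    if os.path.isabs(name) or name.startswith(("/", "\\")) or ".." in parts:
        raise UnsafeEntry(f"absolute or traversing name: {name!r}")
    parent = os.path.realpath(os.path.join(real_root, *parts[:-1]))
    if os.path.commonpath([real_root, parent]) != real_root:
        raise UnsafeEntry(f"parent escapes root via symlink: {name!r}")
    return os.path.join(parent, parts[-1])


def extract(entries: list[Entry], root: str) -> list[str]:
    """Write entries under root in order; return the names that were rejected."""
    rejected: list[str] = []
    for e in entries:
        try:
            dest = contained_path(root, e.name)
            if os.path.islink(dest):
                # Never write onto a symlink, whatever planted it.
                raise UnsafeEntry(f"target is a symlink: {e.name!r}")
            if e.kind == "dir":
                os.makedirs(dest, exist_ok=True)
            elif e.kind == "file":
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as fh:
                    fh.write(e.data)
            elif e.kind == "symlink":
                # Creating the link is fine; writes *through* it are refused
                # because the parent is re-resolved before every write.
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                os.symlink(e.link, dest)
            else:
                raise UnsafeEntry(f"unknown entry kind: {e.kind!r}")
        except UnsafeEntry:
            rejected.append(e.name)
    return rejected


def demo() -> dict:
    """Run a constructed hostile archive against a fresh temp root."""
    outside = tempfile.mkdtemp(prefix="outside-")
    root = tempfile.mkdtemp(prefix="extract-")
    victim = os.path.join(outside, "passwd")   # stands in for a file the attacker wants
    with open(victim, "w") as fh:
        fh.write("original\n")
    archive = [
        Entry("etc", "dir"),
        Entry("etc/motd", "file", b"hello\n"),
        Entry("../escape.txt", "file", b"x"),           # lexical traversal
        Entry("/abs.txt", "file", b"x"),                # absolute name
        Entry("link", "symlink", link=outside),         # plant a dir symlink...
        Entry("link/passwd", "file", b"pwned\n"),       # ...then write through it
        Entry("cfg", "symlink", link=victim),           # plant a file symlink...
        Entry("cfg", "file", b"pwned\n"),               # ...then write onto it
    ]
    rejected = extract(archive, root)
    with open(victim) as fh:
        untouched = fh.read() == "original\n"
    return {
        "rejected": rejected,
        "victim_untouched": untouched,
        "motd_written": os.path.isfile(os.path.join(root, "etc", "motd")),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see which constructed entries were refused and that the file outside the root still holds its original contents. The point to carry over to a real extractor is that the parent directory is resolved through the filesystem before every write, not once at the start, because the archive itself can change what a path resolves to between one entry and the next.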
