Week in review

AUSCERT Week in Review for 3rd September 2021

Greetings,

Last week, AUSCERT alerted members regarding a remote code execution vulnerability present in certain versions of Atlassian Confluence (CVE-2021-26084). Where it was possible to identify internet-facing Confluence instances of our members, notifications were sent last Friday, August 27. We published ESB-2021.2901 on the same day. Read more in this Bleeping Computer article.

Members, we need you! AUSCERT is always looking for ways to increase our value to you and would like your feedback, specifically your thoughts regarding AUSCERT delivering Cyber Tabletop Exercises as a paid service, as we currently do for cyber security training. If you’d like to get involved, please complete this survey so that we can evaluate the need for this service and what would suit your organisation.

A recent spate of unsolicited text messages has offered a timely reminder that SMS is often used by scammers. Unidentified texts that don’t offer an option to unsubscribe are key indicators of potential scams, which often seek personal information and in some cases carry malicious software that can compromise your phone’s security. Scammers like to disguise their deceit by using shortened URLs that hide the original domain names and, in some instances, malware that downloads and executes once the link has been clicked. There are many ways this method is being used, with examples in this We Live Security article.

Have a great weekend!

NPM package with 3 million weekly downloads had a severe vulnerability
Date: 2021-09-03, Author: Ars Technica
Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
Date: 2021-08-19, Author: Cloudflare
Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that we’re aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

ACSC cyber security challenge
Date: 2021-08-31, Author: Cyber.gov.au
The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021.

Data privacy, governance and insights are all important obligations for businesses
Date: 2021-08-31, Author: TechRepublic
TechRepublic’s Karen Roby spoke with Kon Leong, CEO and co-founder of ZL Technologies, a data management company, about data privacy and governance. “[…] for the last seven decades or more, IT has focused on data that was primarily all siloed. Siloed applications generating siloed data. And now here comes a slew of legislative initiatives that say, ‘OK, we’re looking at privacy, and by the way, no data is exempt. Therefore, we don’t make exemptions for silos. So to manage it, you have to de-silo effectively.’ And are you kidding me? You’re going to undo 70 years of IT infrastructure? So we’re still kind of scratching our heads and saying, how do we get this done?”

Maths, encryption, and quantum computing
Date: 2021-08-18, Author: COSMOS Magazine
“Factorisation, which is used for the current classical public key cryptography, is easy [to break] on quantum computers. Factorisation is simple. You can factor long integers and break RSA on Quantum. It’s quite easy. So now we are trying to design the cryptography, which will be resistant against quantum computing.” Instead of relying on integer factorisation, other mathematical approaches are needed to withstand the sheer ‘brain’ power quantum computers will possess. One of the mathematical tools being used to construct quantum-resistant encryption is the Geometry of Numbers, or Lattice Theory.

ASB-2021.0176 – Microsoft Security Update Release for Microsoft Edge (Chromium-based)
Fixes for multiple critical vulnerabilities in Microsoft Edge, most of which first appeared in Chrome a couple of days earlier.

ESB-2021.2981 – qemu security update
Various bugs in the qemu emulator leading to DoS and code execution from malicious guests.

ESB-2021.2968 – USN-5051-4: OpenSSL regression
OpenSSL on Ubuntu 14.04 ESM, and only 14.04, introduced a regression while fixing CVE-2021-3712.

ESB-2021.2953 – sssd security update
The System Security Services Daemon (SSSD) allowed shell command injection, permitting root escalation if a root user was tricked into running a specially crafted command.

ESB-2021.2949 – Security update for mysql-connector-java
This patch prevents unauthenticated attackers compromising the Java connector for MySQL.

Stay safe, stay patched and have a good weekend!
Bek, Tom & David


AUSCERT Week in Review for 27th August 2021

Greetings,

Hot topic of the week is the recently passed bill which will allow the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to access the computers and networks of those suspected of conducting criminal activity online, which raises the question: ‘How do we as a CERT tell the difference between a hacked system and a legally compromised one?’ You can read more through these articles from ZDNet and InnovationAus.

This week AUSCERT joined teams from 21 other countries to take part in the annual APCERT Drill, designed to improve regional responses to emerging cyber security threats. The theme of this year’s APCERT Drill was “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”. This exercise reflected real incidents and issues that exist on the Internet. The participants handled a case of a supply chain attack triggered by spear phishing. Narayan and Vishaka represented team AUSCERT and did an outstanding job, especially considering it was their first time. We are proud of the contribution by Geoffroy Thonon, our Operations Manager, who was part of the planning committee that worked tirelessly to deliver the drill.

Great news for Members! You can now opt to receive AUSCERT Bulletins as a daily digest issued at the end of each business day. Subscribe now through the Member Portal; instructions can be found here. Alternatively, you can send an email to the membership team.

Today is Wear it Purple Day, which is a way to show young LGBTIQ+ members of the community that they have a right to be proud of who they are. The aim is to create safe spaces in schools, universities, workplaces and public areas to show LGBTIQ+ people they are supported and belong.

Have a great weekend!

T-Mobile breach hits 53 million customers
Date: 2021-08-23, Author: iTnews
Cellular operator T-Mobile US said an ongoing investigation into a data breach revealed that hackers accessed personal information of an additional 5.3 million customers, bringing the total number of people affected to more than 53 million. The third largest US wireless carrier had earlier said that personal data of more than 40 million former and prospective customers was stolen along with data from 7.8 million existing T-Mobile wireless customers.

COVID vaccine certificates can be forged within 10 minutes due to ‘obvious’ security flaw
Date: 2021-08-23, Author: ABC News
Near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered. Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery. The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.

Australian businesses stop reporting ransomware attacks over exfiltration doubts
Date: 2021-08-23, Author: iTnews
Australian businesses are incorrectly relying on what they think is a loophole in notifiable data breach laws to avoid reporting ransomware infections. The Office of the Australian Information Commissioner (OAIC) warned that “a number of entities” in the six months to June 2021 didn’t report ransomware attacks because they could not prove whether or not data was accessed or stolen.

38 million records exposed by misconfigured Microsoft Power Apps. Redmond’s advice? RTFM
Date: 2021-08-23, Author: The Register
Forty-seven government entities and privacy companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant’s Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. That led the security shop to look at other Power Apps portals and its researchers found over one thousand apps configured to make data available to anyone who asked.

Microsoft warns thousands of cloud customers of exposed databases
Date: 2021-08-27, Author: Reuters
Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. [NB: This is separate from the Power Apps issue above.]

Atlassian warns of critical Confluence flaw
Date: 2021-08-26, Author: The Register
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw. The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

ASB-2021.0175 – Microsoft Edge (Chromium-based): Reduced security – Remote with user interaction
Please update Microsoft Edge to 92.0.902.78 to address multiple CVEs.

ESB-2021.2865 – F5 BIG-IP Products: Multiple vulnerabilities
Multiple vulnerabilities in BIG-IP Products have been patched by F5.

ESB-2021.2871 – Application Policy Infrastructure Controller: Multiple vulnerabilities
Cisco has released multiple advisories to patch against different vulnerabilities.

ESB-2021.2901 – Atlassian Confluence Server and Data Center: Execute arbitrary code/commands – Remote/unauthenticated
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 20th August 2021

Greetings,

Yesterday the ACSC issued an alert about cybercriminals targeting the Microsoft Exchange ProxyShell exploit chain. Patches were issued for these vulnerabilities in April and May 2021, so this is a timely reminder to stay on top of patch updates. Our Operations Team conducted a Shodan search of the involved CVEs, which produced 136 records affecting 42 of our member organisations that had internet-exposed servers reporting potentially vulnerable software versions. These members have all been contacted today to ensure they are protected.

Our latest blog post on Using threat intelligence to produce a cyber defence strategy was published today by our Senior Manager, Mike Holm.

Have a great weekend everyone.

One big ransomware threat just disappeared. Now another one has jumped up to fill the gap
Date: 2021-08-13, Author: ZDNet
The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world. It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.

Secret terrorist watchlist with 2 million records exposed online
Date: 2021-08-16, Author: Bleeping Computer
A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records, was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status.

Linux glibc security fix created a nastier Linux bug
Date: 2021-08-16, Author: ZDNet
The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something! The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer, wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

Fortinet slams Rapid7 for disclosing vulnerability before end of 90-day window
Date: 2021-08-17, Author: ZDNet
A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue. Rapid7 said one of its researchers, William Vu, discovered an OS command injection vulnerability in version 6.3.11 and prior of FortiWeb’s management interface. The vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page. Rapid7 said the vulnerability was related to CVE-2021-22123, which was addressed in FG-IR-20-120. The company added that in the absence of a patch, users should “disable the FortiWeb device’s management interface from untrusted networks, which would include the internet.”

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Date: 2021-08-17, Author: Mandiant
Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.

Reducing the threat of day one exploits
Date: 2021-08-10, Author: APNIC Blog
Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits. Day one exploits are responsible for attacks such as the recent Microsoft Exchange attack that compromised hundreds of thousands of organizations. That attack began as a zero-day exploit and was followed by numerous day one exploits once the vulnerabilities were announced. Day one exploits were also used by Iranian threat actors about a year ago to gain access to financial sector networks via published VPN vulnerabilities.

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
Date: 2021-08-17, Author: The Hacker News
A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in the Internet Explorer browser.

ASB-2021.0136.2 – UPDATE ALERT Microsoft Print Spooler: Increased privileges – Existing account
Microsoft’s out-of-band critical update addresses a Windows Print Spooler Elevation of Privilege Vulnerability.

ESB-2021.2739 – MozillaFirefox: Multiple vulnerabilities
Mozilla releases an update that fixes 6 vulnerabilities in Firefox.

ESB-2021.1489.2 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities
Initial advisory released on 30 April 2021, updated to include newly disclosed details about vulnerable Blackberry QNX-based products.

ESB-2021.2808 – ALERT Small Business RV series routers: Multiple vulnerabilities
A vulnerability in Cisco’s Small Business RV series routers allows Remote Command Execution and Denial of Service.

ESB-2021.2777 – Adobe Photoshop: Execute arbitrary code/commands – Existing account
Adobe’s updates for Photoshop for Windows and macOS resolve multiple critical vulnerabilities.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
Microsoft has released an out-of-band update to address a Windows Print Spooler Remote Code Execution Vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 13th August 2021

Greetings,

Anyone else feel like we are stuck in Groundhog Day? Another Patch Tuesday and PrintNightmare refuses to leave us. Microsoft released updates for at least 44 security vulnerabilities including another Print Spooler flaw. Since the update earlier this week, another bug has been identified with no patch yet released. For more details and a workaround, check out this great write-up from ZDNet.

Following on from the Apple announcement last week about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content, check out the Schneier on Security blog for a great collation of articles and information.

We are excited to share Episode 4 of the AUSCERT “Share today, save tomorrow” podcast series! Episode 4, titled “Cyber security awareness and team culture”, features Brian Hay from Cultural Cyber Security and Tracey Weeks from Queensland Health. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

Have a great weekend everyone.

Microsoft Exchange servers scanned for ProxyShell vulnerability; patch now
Date: 2021-08-07, Author: Bleeping Computer
[See ASB-2021.0127 and 0103] Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together. […] While both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update. Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
Date: 2021-08-10, Author: Bleeping Computer
Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers. In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges. Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion. However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows. Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

Opinion: Why Australia’s Online Safety Act is an abdication of responsibility
Date: 2021-08-12, Author: ZDNet
The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work. This brain package always includes two naive and demonstrably false beliefs. One is that safe backdoors exist so that all the good guys can come and go as they please without any of the bad guys being able to do the same. The other is that everyone will be nice to each other if we know their names. This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.

FlyTrap Android Malware Used to Compromise Facebook Accounts
Date: 2021-08-10, Author: PCMag Australia
Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store. FlyTrap masqueraded as a variety of mobile apps dedicated to “free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium said, and “tricked users into downloading and trusting the application with high-quality designs and social engineering” before attempting to gain access to their Facebook accounts.

Hacker is returning $600M in crypto, claiming theft was just “for fun”
Date: 2021-08-13, Author: Ars Technica
The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”

ESB-2021.2679 – MISP: Cross-site scripting – Remote with user interaction
MISP 2.4.148 has been released, including many bug fixes along with security fixes.

ASB-2021.0168 – Microsoft Office Products & Services and Web App Products: Multiple vulnerabilities
SOC analyst: Are you going to fix PrintNightmare, Microsoft? Microsoft: No sir! But here is something you also need to worry about.

ASB-2021.0173 – Azure Products: Multiple vulnerabilities
SOC analyst: *finally finished with the update of Office Products* Microsoft: Excuse me sir! This one too.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
SOC analyst: OK! I have patched the Office and Azure products. PrintNightmare: Did you miss me?

ESB-2021.2686 – Firefox: Multiple vulnerabilities
Chrome: We have released multiple patches this month. Firefox: Hold my beer!

ESB-2021.2705 – Intel Ethernet Linux Driver: Multiple vulnerabilities
Potential security vulnerabilities in some Intel Ethernet Controllers have been addressed in the recent update. Win/Mac users: Oh no! Anyway!

Stay safe, stay patched and have a good weekend!
Bek and Narayan on behalf of The AUSCERT team


AUSCERT Week in Review for 6th August 2021

Greetings,

A hot topic at the moment is the announcement from Apple about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content. There is a lot of concern in the industry about the potential for misuse as well as mission creep; the team at Stanford Internet Observatory have a great discussion on the topic and The Register has a great article if you’d like to learn more.

The next episode of our podcast “Share Today, Save Tomorrow” will launch soon; this is a great time to jump on and listen to our first 3 episodes. Great stories from our cyber community as well as up to date news from the AUSCERT team. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

With so much of the country in lockdown (including the AUSCERT team) we hope everyone is keeping well and finding ways to keep spirits up. Our team has been sharing their coping techniques as well as music and book recommendations, which is keeping us all connected as well as entertained.

Have a great weekend everyone.

ACSC survey for Australian critical infrastructure organisations
Date: 2021-08-02, Author: cyber.gov.au
The Australian Cyber Security Centre is asking Australian critical infrastructure providers and operators to take part in a confidential survey to help identify operational technologies used by their organisation.

Cisco fixes critical, high severity pre-auth flaws in VPN routers
Date: 2021-08-04, Author: Bleeping Computer
[See ESB-2021.2626 and 2627.] Cisco has addressed pre-auth security vulnerabilities impacting multiple Small Business VPN routers and allowing remote attackers to trigger a denial of service condition or execute commands and arbitrary code on vulnerable devices. The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.

How the Dark Web enables access to corporate networks
Date: 2021-07-28, Author: TechRepublic
The Dark Web is home to a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services. Advertisements and forum messages hawk everything from credit cards and bank accounts to medical records to account credentials to fake IDs to counterfeit products. But one of the most lucrative items up for sale is network access. Getting the keys to an organization’s entire network can easily pave the way for a host of attacks, including malware, data exfiltration, corporate espionage, and ransomware. A report released Wednesday by security provider Positive Technologies looks at the selling of network access on the Dark Web and examines how this threat continues to grow.

How data-driven patch management can defeat ransomware
Date: 2021-08-02, Author: VentureBeat
Ransomware attacks are increasing because patch management techniques lack the contextual intelligence and historical data needed to model threats based on previous breach attempts. As a result, CIOs, CISOs, and the teams they lead need a more data-driven approach to patch management that can deliver adaptive intelligence reliably at scale. Ivanti’s acquisition of RiskSense, announced today, highlights the new efforts to close the data-driven gap in patch management.

What covid apps can teach us about privacy, utility and trust in app design
Date: 2021-08-03, Author: Salinger Privacy
The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology. With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

ASB-2021.0166 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft Edge has been updated to 92.0.902.67, which addresses multiple vulnerabilities.

ESB-2021.2607 – Google Chrome: Multiple vulnerabilities
The stable channel update for Google Chrome has been released to address multiple vulnerabilities.

ESB-2021.2626 – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers: Multiple vulnerabilities
Multiple vulnerabilities in the web-based management interface of the Cisco Small Business Dual WAN Gigabit VPN Routers could lead to Remote Code Execution.

ESB-2021.2640 – wordpress: Multiple vulnerabilities
Object injection vulnerability in PHPMailer affects WordPress.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 30th July 2021

AUSCERT Week in Review for 30th July 2021 Greetings, Thank you to those who were able to join us for our delayed NAIDOC event with team Baidam Solutions earlier this week. We are extremely grateful that in Brisbane we were able to meet and celebrate together (while of course following strict COVID guidelines). Of note this week, Apple released security updates to address a vulnerability (CVE-2021-30807) for macOS, iOS and iPadOS in which an application may be able to execute arbitrary code with kernel privileges. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below. Until next week everyone, have a great weekend. Apple releases fix for iOS and macOS zero-day, 13th this year Date: 2021-07-26 Author: The Record by Recorded Future [See ASB-2021.0165.] Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild. Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device’s memory handles the screen display—the screen framebuffer, to be more exact. According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device. More than half of all Aussies continue to encounter forms of cyber scams in 2021 Date: 2021-07-23 Author: ZDNET Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India which recorded 69% of people encountered a tech support scam. The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average which came in at 59%, five points lower than in 2018. 
Google announces new bug bounty platform
Date: 2021-07-27 Author: ZDNet
Google has announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program. The program led to a total of 11,055 bugs found, 2,022 rewarded researchers and nearly $30 million in total rewards.

A Controversial Tool Calls Out Thousands of Hackable Websites
Date: 2021-07-27 Author: WIRED
The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.

ASB-2021.0165 – Apple IOMobileFrameBuffer vulnerability
Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, an arbitrary code execution vulnerability.

ESB-2021.2561 – Security update for qemu
Multiple vulnerabilities identified in qemu, with a security update released by SUSE.

ESB-2021.2548 – Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3)
SUSE security update for the Linux kernel, multiple vulnerabilities.

ESB-2021.2531 – USN-5022-1: MySQL vulnerabilities
MySQL vulnerabilities discovered, with security fixes and bug patches released.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 23rd July 2021

Hi Folks,

Patch fatigue is definitely setting in; another big week for our analysts issuing bulletins, from Adobe and Oracle particularly. This week we released our Quarter 2, 2021 Report with some great stats and updates for the period from 1 April to 30 June 2021. Reminder, there are only 8 days left to nominate for the Australian Women in Security Awards, such a great opportunity to recognise the amazing women in our industry. Hope everyone is keeping safe in these crazy times, have a great weekend.

…

Shriro Hacked, Feds Cyber Security Called In
Date: 2021-07-19 Author: channelnews
Sydney-based appliance distributor Shriro Holdings has been hacked, with the business’s claims management impacted. CEO Tim Hargraves claims that the distributor of Casio, Blanco, Omega and Everdure barbecues was subject to a cyber security incident involving unauthorised access to its operating systems last week.

Microsoft takes down domains used to scam Office 365 users
Date: 2021-07-19 Author: Bleeping Computer
Microsoft’s Digital Crimes Unit has seized 17 malicious domains used by scammers in a business email compromise (BEC) campaign targeting the company’s customers. The domains taken down by Microsoft were so-called “homoglyph” domains registered to resemble those of legitimate businesses. This technique allowed the threat actors to impersonate companies when communicating with their clients.

This password-stealing Windows malware is distributed via ads in search results
Date: 2021-07-21 Author: ZDNet
A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware. Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.
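The homoglyph domains in the Microsoft takedown above are the kind of thing a mail gateway sees every day, so a practical check is to flag sender domains that collapse onto one of your own once look-alike characters are normalised. The script below is an added example and is not code from Microsoft, Bleeping Computer or AUSCERT. The confusable map, the edit-distance threshold of 1, the function names and the sample domains are all assumptions constructed for the illustration; tune them for your own estate.

```powershell
# Added example (not Microsoft's or AUSCERT's code): detect look-alike ("homoglyph") sender domains.
# Confusable map, threshold, function names and sample data are constructed for this illustration.

# Multi-character confusables first so they collapse before the single-character ones.
$script:Confusables = [ordered]@{}
$script:Confusables['rn'] = 'm'
$script:Confusables['vv'] = 'w'
$script:Confusables['cl'] = 'd'
foreach ($pair in @('0:o', '1:l', 'i:l', 'j:l', '3:e', '5:s', '8:b', '9:g')) {
    $k, $v = $pair.Split(':'); $script:Confusables[$k] = $v
}
# Cyrillic letters commonly used in IDN look-alikes; built from code points so it runs on Windows PowerShell 5.1.
foreach ($pair in @(@(0x0430,'a'), @(0x0435,'e'), @(0x043E,'o'), @(0x0440,'p'), @(0x0441,'c'), @(0x0443,'y'), @(0x0445,'x'))) {
    $key = [string][char]$pair[0]
    $script:Confusables[$key] = $pair[1]
}

function ConvertTo-Skeleton {
    # Lower-case, decode punycode labels, then map every confusable onto its canonical Latin form.
    param([Parameter(Mandatory)][string]$Domain)
    $d = $Domain.Trim().TrimEnd('.').ToLowerInvariant()
    if ($d -match 'xn--') {
        try { $d = (New-Object System.Globalization.IdnMapping).GetUnicode($d) } catch { }
    }
    foreach ($entry in $script:Confusables.GetEnumerator()) { $d = $d.Replace($entry.Key, $entry.Value) }
    $d
}

function Get-EditDistance {
    # Plain Levenshtein distance; catches one-character typosquats such as a dropped TLD letter.
    param([string]$A, [string]$B)
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    $prev[$B.Length]
}

function Find-LookalikeDomain {
    param([string[]]$Protected, [string[]]$Observed, [int]$MaxDistance = 1)
    $skeletons = @{}
    foreach ($p in $Protected) { $skeletons[$p] = ConvertTo-Skeleton $p }
    foreach ($seen in $Observed) {
        if ($Protected -contains $seen) { continue }   # exact match is our own domain, not a look-alike
        $s = ConvertTo-Skeleton $seen
        foreach ($p in $Protected) {
            $d = Get-EditDistance $s $skeletons[$p]
            if ($d -le $MaxDistance) {
                [pscustomobject]@{ Observed = $seen; Impersonates = $p; Skeleton = $s; Distance = $d }
            }
        }
    }
}

# Constructed sample: sender domains as a gateway might log them, including a Cyrillic-o
# look-alike in the punycode form the gateway would actually record.
$idn = New-Object System.Globalization.IdnMapping
$cyrillicContoso = $idn.GetAscii('c' + [char]0x043E + 'ntoso.com')   # xn--... form
$sample = 'contoso.com', 'c0ntoso.com', 'contoso.co', 'exarnple.org', $cyrillicContoso, 'unrelated.net'
Find-LookalikeDomain -Protected 'contoso.com', 'example.org' -Observed $sample | Format-Table -AutoSize
```

With the sample data, four rows come back (c0ntoso.com, contoso.co, exarnple.org and the punycode domain); unrelated.net and the genuine contoso.com are not reported. Feed it the distinct sender domains from a day of gateway logs rather than individual messages, and expect to add your partners' domains to the protected list, since suppliers are impersonated in BEC as often as the victim's own brand.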
HiveNightmare aka SeriousSAM — anybody can read the registry in Windows 10
Date: 2021-07-21 Author: Double Pulsar
This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Australian organisations are quietly paying hackers millions in a ‘tsunami of cyber crime’
Date: 2021-07-16 Author: ABC News
It’s an open secret within the tight-lipped world of cybersecurity. For years, Australian organisations have been quietly paying millions in ransoms to hackers who have stolen or encrypted their data. This money has gone to criminal organisations and encouraged further attacks, creating a vicious cycle. Now experts say Australia and the rest of the world is facing a “tsunami of cyber crime”.

MITRE – 2021 CWE Top 25 Most Dangerous Software Weaknesses
Date: 2021-07-22 Author: MITRE
The [CWE Top 25] is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
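The HiveNightmare/SeriousSAM item above comes down to one question per host: does BUILTIN\Users hold a read right on the on-disk SAM, SECURITY and SYSTEM hives, and are there Volume Shadow Copies that still carry that permissive ACL after the live file is fixed. The script below is an added example, not code from the Double Pulsar post or from Microsoft; the function names are this example's, while the ACL semantics, the icacls inheritance reset and the shadow-copy concern are Microsoft's documented workaround. The ACL check runs from a non-admin prompt; the shadow-copy count and the repair need an elevated one.

```powershell
# Added example (not from the Double Pulsar post): check a host for the HiveNightmare/SeriousSAM
# condition. Function names are this example's; ACL semantics and the workaround are Windows'/Microsoft's.

function Test-HiveAcl {
    [CmdletBinding()]
    param(
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM'),
        [string]$ConfigDir = "$env:SystemRoot\System32\config"
    )
    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so a localised name does not matter
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        try {
            # Reads only the DACL; this succeeds even though the hive file itself is locked by the kernel.
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # A standard user who cannot even read the DACL is not exposed on this file.
            [pscustomobject]@{ Hive = $hive; UsersCanRead = $false; Rights = "DACL not readable: $($_.Exception.Message)" }
            continue
        }
        # Vulnerable state: an Allow ACE for BUILTIN\Users that includes the ReadData bit.
        $usersRead = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
            ((([int]$_.FileSystemRights) -band $readData) -ne 0)
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = ($usersRead.Count -gt 0)
            Rights       = ($usersRead | ForEach-Object { $_.FileSystemRights.ToString() }) -join ', '
        }
    }
}

function Get-ShadowCopyCount {
    # Existing shadow copies keep the permissive ACL even after the live file is fixed, which is why
    # Microsoft's workaround also removes them. vssadmin needs an elevated prompt.
    $out = & vssadmin.exe list shadows 2>&1
    @($out | Select-String -Pattern 'Shadow Copy ID').Count
}

function Repair-HiveAcl {
    # Microsoft's documented workaround: restore ACL inheritance on everything under the config directory.
    # Deleting shadow copies (vssadmin delete shadows) is destructive and is deliberately left as a manual step.
    & icacls.exe "$env:SystemRoot\System32\config\*.*" /inheritance:e
}

Test-HiveAcl | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
```

A host is exposed when any row reports UsersCanRead as True; a non-zero shadow-copy count on such a host means the hives can still be pulled from the snapshot device paths even once Repair-HiveAcl has been run, so patch level and snapshot cleanup both need to be confirmed.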
ASB-2021.0138 – ALERT MySQL products: Multiple vulnerabilities
Oracle’s July Patch Update includes 41 new security patches to address multiple vulnerabilities in Oracle MySQL.

ASB-2021.0139 – ALERT PeopleSoft Enterprise products: Multiple vulnerabilities
Oracle releases fixes to address multiple vulnerabilities in PeopleSoft Enterprise products.

ASB-2021.0140 – ALERT Oracle Systems: Multiple vulnerabilities
The Critical Patch Update contains 11 new security patches for Oracle Systems.

ESB-2021.2515 – ALERT Tenable.sc Products: Multiple vulnerabilities
Multiple third-party vulnerabilities identified in Tenable.sc 5.19.0.

ASB-2021.0156 – ALERT Oracle Financial Services Applications: Multiple vulnerabilities
Multiple vulnerabilities in Oracle Financial Services Applications are addressed in Oracle’s most recent Patch Update.

ESB-2021.2463 – Google Chrome: Multiple vulnerabilities
The Chrome team releases Chrome 92.0.4515.107 with a number of fixes and improvements.

ESB-2021.2447 – Adobe Photoshop: Multiple vulnerabilities
Adobe’s updates for Photoshop for Windows and macOS resolve a critical and a moderate vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 16th July 2021

Greetings,

Well doesn’t time fly, Patch Tuesday (Wednesday) we meet again. Microsoft released patches for 117 vulnerabilities, 13 of these critical. We also saw patch updates from Adobe, Chrome and Firefox.

Of note this week, a new SolarWinds exploit was uncovered by Microsoft, who discovered a remote code execution vulnerability in the SolarWinds Serv-U product. SolarWinds released updates for their Serv-U Managed File Transfer and Serv-U Secure FTP tools, CVE-2021-35211. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Lastly, we are excited to share Episode 3 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 3 features Jacqui Loustau, AWSN Founder, and Pip Jenkinson, CEO of Baidam Solutions, and is titled “Passion led us here”. Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast.

Until next week everyone, have a great weekend.

SolarWinds patches critical Serv-U vulnerability exploited in the wild
Date: 2021-07-12 Author: Bleeping Computer
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday.

Updated Essential Eight Maturity Model
Date: 2021-07-12 Author: Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) has further strengthened the implementation guidance for the Essential Eight through changes that reflect its experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.
The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats. Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.

Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years
Date: 2021-07-14 Author: The Conversation
Australian organisations are a soft target for ransomware attacks, say experts who yesterday issued a fresh warning that the government needs to do more to stop agencies and businesses falling prey to cyber-crime. But in truth, the danger has been growing worldwide for more than three decades. Despite being a relatively new concept to the public, ransomware has roots in the late 1980s and has evolved significantly over the past decade, reaping billions of dollars in ill-gotten gains. With names like Bad Rabbit, Chimera and GoldenEye, ransomware has established a mythical quality with an allure of mystery and fascination. Unless, of course, you are the target.

Strengthening Australia’s cyber security regulations and incentives
Date: 2021-07-13 Author: Department of Home Affairs
On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy. Interested stakeholders are invited to provide a submission to the discussion paper, Strengthening Australia’s cyber security regulations and incentives.

Govts sign off on national data sharing agreement
Date: 2021-07-12 Author: itnews
Federal, state and territory leaders have signed off on an intergovernmental agreement aimed at making more data available across all jurisdictions for policy development and service delivery.
National cabinet agreed to the intergovernmental agreement (IGA) on data sharing on Friday, formalising a plan that was first endorsed in April, in part to lay the foundations for linked-up government services.

ESB-2021.2390 – ALERT HPE Edgeline Infrastructure Manager: Execute arbitrary code/commands – Remote/unauthenticated
HPE has addressed a critical RCE vulnerability in Edgeline Infrastructure Manager.

ESB-2021.2377 – Firefox and Firefox ESR: Multiple vulnerabilities
Multiple security vulnerabilities have been fixed in Firefox 90.

ASB-2021.0126 – ALERT Solarwinds Serv-U: Administrator compromise – Remote/unauthenticated
CVE-2021-35211 is being exploited in the wild. Patch it to not catch it.

ASB-2021.0135 – ALERT Microsoft Extended Security Update products: Multiple vulnerabilities
And here we go again. Microsoft has released its monthly security patch update for the month of July 2021.

ESB-2021.2374 – Adobe Acrobat and Reader: Multiple vulnerabilities
Microsoft: We have critical vulnerabilities. Adobe: Hold my beer.

Stay safe, stay patched and have a good weekend!
Bek & Narayan on behalf of The AUSCERT team


Week in review

AUSCERT Week in Review for 9th July 2021

Greetings,

What a big week! A lot to get on top of this week between Kaseya and PrintNightmare. Of note, Microsoft released updated patches to address PrintNightmare. This is related to the Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 and CVE-2021-1675. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

For those of you based in the Greater Brisbane area, we are excited to announce a new date for our NAIDOC Week 2021 gathering. Hear more about the work done by colleagues at Baidam Solutions; come and join us on Monday 26 July, 2 – 4pm. For further details and to RSVP, visit the AUSCERT website here.

Until next week everyone, have a great weekend.

Kaseya supply-chain ransomware attack hits MSP customers
Date: 2021-07-03 Author: iTnews
A supply-chain attack on Kaseya, which provides management, monitoring and automation software for managed service providers (MSPs), has led to ransomware infections among the company’s customers around the world.

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
Date: 2021-07-04 Author: The Hacker News
Microsoft is urging Azure users to update the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as CVE-2021-26701 (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and has been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn’t impacted by the flaw.

QNAP fixes critical bug in NAS backup, disaster recovery app
Date: 2021-07-05 Author: Bleeping Computer
Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security.
The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution. The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources, allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.

Treasury revisits cyber terrorism insurance cover
Date: 2021-07-05 Author: IT News
Treasury will consider whether cyber terrorism that causes physical property damage should be added to the national terrorism insurance scheme for a second time in three years. Treasury said that like the 2018 review, the 2021 review will look at “whether a sufficient rationale has emerged to include cyber terrorism causing physical property damage within the scheme”.

Email fatigue among users opens doors for cybercriminals
Date: 2021-07-07 Author: Bleeping Computer
Given the mass migration to remote work, more critical business data is being shared by email than ever before. Users can now receive hundreds of emails a day, and sifting through them is time-consuming and exhausting. Faced with that skyrocketing volume, it’s no wonder that there’s a growing email fatigue. Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it – which explains why 94% of malware is now delivered via email.

Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Date: 2021-07-07 Author: Bleeping Computer
[See related ALERT bulletin ASB-2021.0123.4 which AUSCERT updated on the 8th July] Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed.
According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

ASB-2021.0123.4 – UPDATE ALERT Microsoft Print Spooler: Multiple vulnerabilities
Our update was made to draw attention to Microsoft’s revised advisory announcing that patches are now available for additional Windows versions.

ESB-2021.2341 – apache2: Multiple vulnerabilities
Several vulnerabilities have been found in the Apache HTTP server, which could result in remote code execution and denial of service.

ESB-2021.2332 – Cisco Web Security Appliance: Multiple vulnerabilities
This Cisco product was affected by vulnerabilities which, prior to the fix, gave attackers the opportunity to execute remote code and compromise root.

ESB-2021.2344 – MDT AutoSave: Multiple vulnerabilities
A perfect 10.0 (CVSS 3.0), albeit appliance based. Successful exploitation of associated vulnerabilities could lead to full remote execution on the Remote MDT Server without an existing user or password.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 2 July 2021

Greetings,

Folks, welcome to the second half of 2021. The start of July marks a new financial year here in Australia – which means, tax time is here! We’re sharing this “Is it a scam?” piece by our AUSCERT2021 Member Organisation of the Year, the folks from the Australian Taxation Office.

Of note this week, Microsoft has released an out-of-band critical update to address a Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527. This vulnerability has received significant media attention in the past day or so. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Some mitigation notes and recommendations: apply the latest security updates released on June 8, 2021 AND determine whether the Print Spooler service is running; either disable it, or disable inbound remote printing through Group Policy. Microsoft acknowledges this vuln is similar to but DISTINCT from the recent Print Spooler vuln reported as CVE-2021-1675 and addressed by the June 2021 Patch Tuesday updates. They are still investigating the issue and will update the page as more information becomes available.

AUSCERT members, be sure to hop on our Slack space for some tips and notes regarding this issue from fellow AUSCERT members. It’s always an awesome space for information sharing! To sign in, please do so via our member portal here.

And last but not least, for those of you based in the Greater Brisbane area who were intending to attend our proposed NAIDOC Week 2021 luncheon, please note we will be sharing a new date for this special event soon. In the meantime, please stay safe and continue to follow the latest Government advice.

Until next week everyone, have a great weekend.

CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability
Date: 2021-06-29 Author: Tenable
[CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021.
See related AUSCERT bulletin ASB-2021.0115. Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.] Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

CISA releases new ransomware self-assessment security audit tool
Date: 2021-06-30 Author: Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets. This CSET module was tailored by RRA to assess varying levels of ransomware threat readiness to be helpful to all orgs regardless of their cybersecurity maturity.

Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site
Date: 2021-06-28 Author: The Hacker News
Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the browser’s built-in feature via Microsoft Translator.
Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
Date: 2021-06-28 Author: ZDNet
“According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice [paying ransom demands] isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers.” Note: this article includes commentary stating that paying a ransomware extortion demand is not illegal. This may not be true in some jurisdictions and readers are encouraged to seek legal counsel.

Cisco ASA vulnerability actively exploited after exploit released
Date: 2021-07-27 Author: Bleeping Computer
Hackers are scanning for and actively exploiting a vulnerability in Cisco ASA devices after a PoC exploit was published on Twitter. This Cisco ASA vulnerability is a cross-site scripting (XSS) vulnerability that is tracked as CVE-2020-3580. Cisco first disclosed the vulnerability and issued a fix in October 2020. However, the initial patch for CVE-2020-3580 was incomplete, and a further fix was released in April 2021.

ASB-2021.0123 – ALERT Windows Print Spooler: Execute arbitrary code/commands – Existing
Zero-day Vulnerability (PrintNightmare) can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Proof of concept exploit code has reportedly been released.

ESB-2021.2240 – Thunderbird: Multiple vulnerabilities
Thunderbird contained a multitude of vulnerabilities causing reduced security, including remote code execution and denial of service.

ESB-2021.2279 – Nessus Agent: Administrator compromise – Existing account
Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could lead to gaining administrator privileges on the Nessus host.
ESB-2021.2297 – htmldoc: Multiple vulnerabilities
A buffer overflow was discovered in HTMLDOC, an HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code and denial of service.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
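The mitigation notes in this week's introduction (is the Spooler running, disable it or disable inbound remote printing through Group Policy) and the Point and Print bypass reported the following week both reduce to registry and service state that can be audited per host. The script below is an added example and is not AUSCERT's or Microsoft's code. The registry key, value names and the meaning of their settings are the ones documented in Microsoft's CVE-2021-34527 guidance; the function name, the -Remediate switch and the Exposed verdict are this example's assumptions. It only reads state unless -Remediate is supplied, and it does not check patch level.

```powershell
# Added example (not AUSCERT's or Microsoft's code): audit one Windows host against the PrintNightmare
# mitigations. Registry key/value names are Microsoft's documented ones; the function name, -Remediate
# switch and Exposed verdict are this example's. Run in an elevated PowerShell session.

function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # Only use on hosts that must never accept inbound print jobs (domain controllers, most servers).
        [switch]$Remediate
    )

    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. Print Spooler service: if the host does not need it, stopping and disabling it removes the attack surface.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result.SpoolerStatus    = if ($spooler) { $spooler.Status.ToString() }    else { 'NotInstalled' }
    $result.SpoolerStartType = if ($spooler) { $spooler.StartType.ToString() } else { 'NotInstalled' }

    # 2. Inbound remote printing: the GPO "Allow Print Spooler to accept client connections" set to Disabled
    #    is stored as RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $result.InboundRemotePrintingDisabled = ($rpc -eq 2)

    # 3. Point and Print: the July patch is bypassable when driver installs are silent. Microsoft's guidance
    #    is NoWarningNoElevationOnInstall = 0 and UpdatePromptSettings = 0 (or both values absent).
    $papKey = Join-Path $printersKey 'PointAndPrint'
    $pap = Get-ItemProperty -Path $papKey -ErrorAction SilentlyContinue
    $result.NoWarningNoElevationOnInstall = [int]$pap.NoWarningNoElevationOnInstall   # absent -> 0
    $result.UpdatePromptSettings          = [int]$pap.UpdatePromptSettings
    $result.PointAndPrintUnsafe = ($result.NoWarningNoElevationOnInstall -ne 0) -or ($result.UpdatePromptSettings -ne 0)

    # Patch level is deliberately not inferred here; confirm the July cumulative update separately with Get-HotFix.
    $result.Exposed = ($result.SpoolerStatus -eq 'Running') -and
                      ((-not $result.InboundRemotePrintingDisabled) -or $result.PointAndPrintUnsafe)

    if ($Remediate -and $result.Exposed) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        New-Item -Path $papKey -Force | Out-Null
        Set-ItemProperty -Path $papKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $papKey -Name UpdatePromptSettings          -Value 0 -Type DWord
        $result.Remediated = $true
    }

    [pscustomobject]$result
}

Get-PrintNightmareExposure | Format-List
```

On a print server the Spooler has to stay running, so there the useful outputs are InboundRemotePrintingDisabled (expected False by design) and PointAndPrintUnsafe (must be False); on everything else, Exposed True with -Remediate omitted is the list of hosts to queue for the Spooler shutdown. Run it through Invoke-Command against the fleet and keep the objects, since the same output doubles as evidence for the change record.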


Week in review

AUSCERT Week in Review for 25th June 2021

Greetings,

This week, we shared the final instalment of our blog articles highlighting the winners of our Annual AUSCERT Awards. This time, we featured the AUSCERT2021 Information Security Excellence Winner, Jacqui Loustau. Jacqui is a formidable figure in the Australian information security and cybersecurity community. Have a read of it here.

We’re also pleased to share the following blog piece by Sean McIntyre, one of our Analysts – “I got 99 problems but a vuln ain’t one”; it’s a bit of a tongue-in-cheek one! And cheesy (revised) lyrics aside, Sean shared his top 3 observations from assisting our membership audience.

For those of you based in the Greater Brisbane area who are wanting to hear more about the work done by colleagues at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here.

And last but not least, a big thank you to our AUSCERT2021 media partners at Source2Create for covering such a wide range of our talks and presentations from AUSCERT2021 in Issue 3 of their Women in Security Magazine. To subscribe and download a copy, hop on to their website here.

Until next week everyone, have a great weekend.

Labor Bill would force Aussie organisations to disclose when they pay ransoms
Date: 2021-06-21 Author: ZDNet
The Australian federal opposition has introduced a Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives on Monday by Shadow Assistant Minister for Cyber Security Tim Watts.
According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”.

MITRE releases D3FEND, defensive measures complementary to its ATT&CK framework
Date: 2021-06-23 Author: The Record by Recorded Future
The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix. The not-for-profit organization, which also runs the CVE database of known vulnerabilities, received funding to create the D3FEND framework from the US National Security Agency (NSA). The basic idea behind D3FEND is that the framework will provide defensive techniques that system administrators can apply to counter the practices detailed in the ATT&CK matrix, a one-of-a-kind project that was set up in 2015 to catalog and index the most common offensive techniques used by threat actors in the real world.

Tony googled his investment options. Two weeks later, he’d been scammed out of $200,000
Date: 2021-06-24 Author: ABC News
It cost around $20 to set up and conned $200,000 from one victim alone. Here’s how investment scammers tricked Tony into handing over part of his life savings.

Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks
Date: 2021-06-18 Author: The Register
Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA – short for Supply chain Levels for Software Artifacts and pronounced “salsa” for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process.
Former ASIO boss warns on energy sector cyber
Date: 2021-06-21 Author: InnovationAus
Energy experts and a former ASIO chief have warned that Australia’s critical energy infrastructure was growing in complexity and vulnerability to cyber-attacks, but a commensurate uplift in resilience has not occurred. Former ASIO director general and current chair of the Foreign Investment Review Board David Irvine said energy was one of many Australian sectors lacking sufficient cyber resilience, and that most local organisations are not “caring enough” about the new “tool of warfare”. Progress is being made but not quickly enough, and Australia is vulnerable to sophisticated cyber attacks, Mr Irvine told an Australia Israel Chamber of Commerce Business lunch on Friday.

ASB-2021.0121 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction
Microsoft released an update for Edge, the default internet browser for Windows 10. A vulnerability that could lead to remote code execution was addressed.

ESB-2021.2208 – wireshark: Multiple vulnerabilities
9 vulnerabilities were addressed in Wireshark, a commonly used packet analyser.

ESB-2021.2212 – Thunderbird: Multiple vulnerabilities
Multiple vulnerabilities were addressed in Mozilla Thunderbird; these could lead to cross-site scripting attacks and code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 18th June 2021

Greetings,

This week, we shared our June 2021 edition of The Feed – the AUSCERT membership newsletter. Members, be sure to check your inbox(es) for a copy of this newsletter to catch up on all things related to your AUSCERT membership.

We’re pleased to share the following blog piece by our AUSCERT2021 Diversity and Inclusion Champion – Phillip “Pip” Jenkinson from Baidam Solutions. Congratulations Pip, a well-deserved win! For those of you based in the Greater Brisbane area who are wanting to hear more about Pip and the work he does at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here.

Last but not least, we’re proud to announce that there are currently 11 NEW Member Security Incident Notification (MSIN) reports in the pipeline, generated by our team of analysts and all drawn from the expertise of our various threat intelligence partners and resources. This is a pertinent reminder for members to keep your organisation’s IPs and domains up to date on the AUSCERT member portal to make sure you’re able to receive these relevant MSINs as they come through! A recap of how this particular AUSCERT service assists our members with mitigating cyber-attacks can be found here: “How AUSCERT helped its members tackle the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits.”

Until next week everyone, have a great weekend.

Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet
Date: 2021-06-16 Author: Dark Reading
[See related ALERT bulletin ESB-2021.1805 which AUSCERT published on the 26th May] Thousands of instances of VMware vCenter Servers with two recently disclosed vulnerabilities in them remain publicly accessible on the Internet three weeks after the company urged organizations to immediately patch the flaws, citing their severity.
The flaws, CVE-2021-21985 and CVE-2021-21986, basically give attackers a way to take complete control of systems running vCenter Server, a utility for centrally managing VMware vSphere virtual server environments. The vulnerabilities exist in vCenter Server versions 6.5, 6.7, and 7.0.

Nationally-known Australian company lawyered up to resist ASD help
Date: 2021-06-15 Author: ZDNet
The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate, likening it to refusing to cooperate with an air crash investigation. One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security on Friday. “It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said. […] However the unnamed company lawyered up, and it took a week for the ASD to get even basic network information.

Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign
Date: 2021-06-14 Author: Microsoft Security Intelligence
Microsoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions.

Qld govt stumps up $40m for cyber security, digital
Date: 2021-06-16 Author: iTnews
The Queensland government will invest almost $40 million in cyber security and digital service delivery over the next five years as the state’s Covid-19 recovery gets underway.
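The forwarding rules in the Microsoft BEC write-up above leave a durable artefact in every compromised mailbox, and hunting for them is one of the cheapest post-phishing checks a tenant can run. The script below is an added example, not Microsoft's code: it scores inbox rules for the BEC pattern (mail about money silently forwarded to an outside address, often with the message deleted and the rule given a blank name). The rule objects are constructed inline so the logic runs offline; the property names used are those of Get-InboxRule in the ExchangeOnlineManagement module, and the function name, the keyword list and the sample mailboxes are this example's assumptions.

```powershell
# Added example (not Microsoft's code): triage mailbox inbox rules for the BEC forwarding pattern.
# Rule objects below are constructed; in Exchange Online feed real ones with
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
#       Test-SuspiciousInboxRule -InternalDomains 'contoso.com'
# Properties used (Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage,
# SubjectContainsWords, MailboxOwnerId) are Get-InboxRule's; keyword list is an assumption to tune.

function Test-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string[]]$InternalDomains,
        [string[]]$FinanceKeywords = @('invoice', 'payment', 'wire', 'remittance', 'bank', 'transfer')
    )
    process {
        # All three rule actions that move a copy of the mail somewhere else.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ }

        # Recipients come back as "Display Name [SMTP:user@domain]" or as plain addresses; keep the domain.
        $external = @($targets | ForEach-Object {
            if ($_ -match '([^\s\[\]:"<>]+)@([^\s\]>"]+)') { $Matches[2].ToLowerInvariant() }
        } | Where-Object { $InternalDomains -notcontains $_ } | Sort-Object -Unique)

        $reasons = @()
        if ($external.Count -gt 0)         { $reasons += "forwards to external domain(s): $($external -join ', ')" }
        if ($Rule.DeleteMessage)           { $reasons += 'deletes the message after acting on it' }
        if ($Rule.Name -match '^[\s.,]*$') { $reasons += 'rule name is blank or punctuation only' }
        $kw = @($Rule.SubjectContainsWords) | Where-Object {
            $subject = $_
            ($FinanceKeywords | Where-Object { $subject -like "*$_*" })
        }
        if ($kw)                           { $reasons += "matches finance keywords: $($kw -join ', ')" }

        # External forwarding alone is worth a look; otherwise require two of the weaker indicators.
        if ($external.Count -gt 0 -or $reasons.Count -ge 2) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules, reduced to the fields the function reads.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'ap@contoso.com';    Name = '.';                  ForwardTo = @('drop [SMTP:drop@outlook.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $true;  SubjectContainsWords = @('invoice', 'wire transfer') }
    [pscustomobject]@{ MailboxOwnerId = 'cfo@contoso.com';   Name = 'Archive newsletters'; ForwardTo = $null;                                ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; SubjectContainsWords = @('newsletter') }
    [pscustomobject]@{ MailboxOwnerId = 'sales@contoso.com'; Name = 'Copy to shared box';  ForwardTo = @('Sales Team [SMTP:sales-team@contoso.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; SubjectContainsWords = $null }
)
$sampleRules | Test-SuspiciousInboxRule -InternalDomains 'contoso.com' | Format-List
```

Only the first sample rule is reported, with all four reasons; the shared-mailbox copy is internal and the newsletter rule has nothing against it. Pair the rule sweep with Get-Mailbox's ForwardingSmtpAddress and the mailbox audit log (New-InboxRule, Set-InboxRule events), since attackers who have learned that rules get hunted move the forward to mailbox-level settings instead.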
Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Date: 2021-06-16 Author: Mandiant
Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk.

ESB-2021.2130 – ImageMagick: Multiple vulnerabilities
34 vulnerabilities were addressed in ImageMagick, some of which could lead to code execution.

ESB-2021.2141 – Nessus Agent: Increased privileges – Existing account
Tenable released an update to address privilege escalation vulnerabilities in their Nessus Agent for Windows.

ESB-2021.2173 – ALERT [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Another week, another zero-day in Google Chrome. Google reports that this has been exploited in the wild, so this should be patched as soon as possible.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
