Week in review

AUSCERT Week in Review for 11th June 2021

Greetings,

This week, we’re pleased to share the following blog piece by our AUSCERT2021 Member Organisation of the Year – team ATO (Australian Taxation Office). Congratulations ATO, and in particular to Cody and Daniel for their efforts and representation of the ATO team at the conference, a well-deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021.

On the topic of the AUSCERT2021 conference, as per tradition, we’re slowly releasing the various recordings of our annual conference presentations and talks on our YouTube channel, please feel free to view them here.

We hope folks were able to get through all of June 2021’s Patch Tuesday fixes. Please refer to our highlighted bulletins and articles below. A quick shout out to our colleague Narayan who’d processed 74 security bulletins in a single day on Wednesday this week, no small feat. Well done Narayan!

Last but not least, we’re excited to share Episode 2 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 2 features Lukasz Gogolkiewicz, Head of Corporate Security at SEEK and is titled “Crossing Into The Blue Team In Cyber Security.” Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast.

Until next week everyone, have a great weekend.

Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws
Date: 2021-06-08
Author: Bleeping Computer
[See related bulletins ASB-2021.0114 through to 119, of note is the ALERT for ASB-2021.0116.]
Today is Microsoft’s June 2021 Patch Tuesday, and with it comes fixes for seven zero-day vulnerabilities and a total of 50 flaws, so Windows admins will be scrambling to get devices secured. Microsoft has fixed 50 vulnerabilities with today’s update, with five classified as Critical and forty-five as Important.

Scammers capitalise on pandemic as Australians lose record $851 million to scams
Date: 2021-06-07
Author: ACCC
Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people, according to the ACCC’s latest Targeting Scams report released today. The report compiles data from Scamwatch, ReportCyber, other government agencies and 10 banks and financial intermediaries, and is based on more than 444,000 reports. Investment scams accounted for the biggest losses, with $328 million, and made up more than a third of total losses. Romance scams were the next biggest category, costing Australians $131 million, while payment redirection scams resulted in $128 million of losses.

Govt to mandate the Essential Eight cyber security controls
Date: 2021-06-09
Author: iTnews
The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed. The Attorney-General’s Department revealed the step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience.

The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t…
Date: 2021-06-09
Author: Medium
[Note: this is a lengthy read, approx. 20 minutes, but is considered by our Principal Analyst as a thoughtful and timely contribution to the conversation about the modern ransomware threat.]
We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear.

Australian Federal Police and FBI nab criminal underworld figures in worldwide sting using encrypted app
Date: 2021-06-08
Author: ABC News
More than 200 members of Australia’s mafia and bikie underworld have been charged in the nation’s largest-ever crime sting, police say. As part of a three-year collaboration between the Australian Federal Police (AFP) and Federal Bureau of Investigation (FBI), authorities say underworld figures were tricked into communicating via an encrypted app that had been designed by police. The app, known as AN0M, was used by organised crime gangs around the world to plan executions, mass drug importations and money laundering. Authorities say they were able to read up to 25 million messages in real-time.

JBS paid $11 million to REvil ransomware, $22.5M first demanded
Date: 2021-06-10
Author: Bleeping Computer
JBS, the world’s largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million. On May 31, JBS was forced to shut down some of its food production sites after the REvil ransomware operators breached their network and encrypted some of its North American and Australian IT systems.

ESB-2021.2019 – Intel Products: Multiple vulnerabilities
Intel released firmware updates to address multiple vulnerabilities.

ESB-2021.1994 – BIG-IP (all modules): Multiple vulnerabilities
A flaw was found in Nettle Cryptographic Library which affects F5 BIG-IP modules.

ESB-2021.1984 – Adobe Photoshop: Execute arbitrary code/commands – Remote with user interaction
Adobe has released updates for Photoshop for Windows and macOS to resolve a critical RCE vulnerability.

ASB-2021.0116 – ALERT Microsoft Windows: Multiple vulnerabilities
Microsoft has released its monthly security patch update for the month of June 2021.

ESB-2021.2097 – Apache HTTP Server: Multiple vulnerabilities
Multiple vulnerabilities have been resolved in Apache HTTP server 2.4.48.
Stay safe, stay patched and have a good weekend! The AUSCERT team



AUSCERT Week in Review for 4th June 2021

Greetings,

National Reconciliation Week (NRW) 2021 concluded on the 3rd of June and AUSCERT would like to take this opportunity to recap this year’s theme which was “More than a word. Reconciliation takes action.” To find out more about how we can all be better allies of Australia’s First Nations people, please visit the NRW website here.

Be sure to catch up on our highlighted summary of Security Bulletins and ADIR articles below.

We’re also pleased to share the following blog piece by our AUSCERT2021 Member Individual of the Year Winner – Simon Coggins from CQUniversity. Congratulations Simon, well deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021.

Last but not least, we’re excited to be sharing the news that AUSCERT is back in the swing of things with respect to our training options. Earlier this week, our Principal Analyst ran a pilot session of the Introduction to Cyber Security for School Professionals course. For those wanting to find out more about our training options, please visit our website for further information or send us an email.

Until next week everyone, have a great weekend.

New sophisticated email-based attack from NOBELIUM
Date: 2021-05-27
Author: Microsoft Threat Intelligence Center (MSTIC)
Microsoft Threat Intelligence Center has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. In this article, MSTIC have outlined attacker motives, malicious behavior, and best practices to protect against this attack.

ASD using classified capabilities to warn local entities of impending ransomware hit
Date: 2021-06-02
Author: ZDNet
Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD’s “value add”. “We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” Noble said.

JBS resumes meat operations after cyber attack halts production
Date: 2021-06-04
Author: ABC News
Earlier this week, JBS USA confirmed the company was targeted by an organised cyber attack on Sunday, which paralysed its operations in North America and Australia. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia,” [JBS] said in the statement. There is no further information on the source of the attack which is believed to be a Russian crime gang.

RBA to step up cyber resilience with new identity and access management system
Date: 2021-06-02
Author: ZDNet
The Reserve Bank of Australia said it is looking to modernise its identity and access management capabilities by introducing more automated controls to its existing platform. The RBA explained it currently relies heavily on a mix of manual and automated processes to enforce bank controls but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities. “Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request. “In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.” Under the IDAM project, the RBA identified that it wants to see the delivery of identity governance and administration, hybrid identity infrastructure and password-less multi-factor authentication capabilities, a privileged access management system, and customer identity access management integration.

Countries are increasing their cyber response budgets — but spending still varies widely
Date: 2021-05-28
Author: The Record by Recorded Future
Nations around the world don’t seem to agree on the appropriate amount of money to earmark for cyber defense and incident response, according to an analysis by The Record. But in recent years, almost every country examined has boosted its cyber spending.

ESB-2021.1884 – BIG-IQ Centralized Management: Multiple vulnerabilities
F5 has released an advisory to address a remote code execution vulnerability in the BIG-IQ Centralized Management module.

ESB-2021.1897 – Firefox: Multiple vulnerabilities
Mozilla has released Firefox 89 addressing multiple security vulnerabilities.

ESB-2021.1905 – Cisco SD-WAN products: Root compromise – Existing account
Cisco has addressed a privilege escalation vulnerability in SD-WAN software.

ESB-2021.1908 – Cisco Webex Player: Multiple vulnerabilities
A vulnerability in Cisco Webex Player for Windows and macOS could allow an attacker to execute arbitrary code on an affected system.

ESB-2021.1935 – dhcp: Denial of service – Remote/unauthenticated
A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient.

Stay safe, stay patched and have a good weekend! The AUSCERT team



AUSCERT Week in Review for 28th May 2021

Greetings,

To kick things off, in conjunction with National Reconciliation Week 2021, AUSCERT would like to take this opportunity to acknowledge the First Nations people as the Traditional Owners of the land on which we are today. We acknowledge all Elders past, present and emerging. The theme this year is “More than a word. Reconciliation takes action.” To find out more about the week and what it means to our First Nations people, please visit the NRW website here.

Our team issued an alert re: VMware earlier this week, be sure to catch up on it below.

For those of you keen to check out photos from the recent AUSCERT2021 conference, we’ve uploaded several albums to the AUSCERT Facebook page.

We’re also pleased to announce that our podcast series “Share today, save tomorrow” is now listed on Spotify. Episode 2 will be released in mid-June.

Last but not least, sharing a special request from our colleagues at UQ Cyber one final time. See below:

Keen on helping the future generation of cyber and information security professionals? Here’s your chance! “Vignette Survey on Effectiveness of Place Managers in Preventing Ransomware” Folks from UQ Cyber are seeking assistance from the AUSCERT membership audience to participate in a cyber security survey that is investigating factors which can influence the effectiveness of cyber security professionals in preventing cyber security incidents such as ransomware within their respective organisations. The survey results will shed valuable insights and influence how organisations should channel their limited resources in preventing cyber security incidents more effectively. The survey will take approximately 20 minutes to complete. To participate, please click here. Surveys close on Monday 31 May. For further information, please feel free to get in touch with Heemeng Ho, the lead researcher of this project.

Until next week everyone, have a great weekend.

This massive phishing campaign delivers password-stealing malware disguised as ransomware
Date: 2021-05-24
Author: ZDNet
A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords and other information from victims. Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer.

Apple fixes macOS zero-day abused by XCSSET malware
Date: 2021-05-24
Author: The Record
Apple has released today security updates for several of its products, including a patch for its macOS desktop operating system that includes a fix for a zero-day vulnerability that has been abused in the wild for almost a year by the XCSSET malware gang. Tracked as CVE-2021-30713, the zero-day was discovered by researchers at security firm Jamf during an analysis of XCSSET, a malware strain that was spotted in the wild in August 2020, hidden inside malicious Xcode projects hosted on GitHub.

VMware says critical vCenter Server bug needs ‘immediate attention’
Date: 2021-05-26
Author: iTnews
[See related bulletin ESB-2021.1805]
VMware said three versions of its vCenter Server management software for controlling vSphere environments are susceptible to a critical security flaw that should be immediately patched. The vendor said in a blog post that the issue needs the “immediate attention” of administrators. “Given the severity, we strongly recommend that you act,” VMware said.

Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises
Date: 2021-05-25
Author: FireEye
Mandiant has observed an increase in compromises of internet-accessible OT assets over the past several years. In this blog post we discuss previously undisclosed compromises and place them in context alongside publicly known incidents. Although none of these incidents have appeared to significantly impact the physical world, their increasing frequency and relative severity calls for analysis on their possible risks and implications.ols and techniques.

Oracle Peddled Software Used for Spying on U.S. Protesters to China
Date: 2021-05-26
Author: The Intercept
[Context: In early May 2021, Twitter temporarily suspended an Oracle executive from posting after he used the social network to publicise the e-mail address and Signal phone number of the journalist who wrote this article – whose reporting he had personally found to be biased and inaccurate. This research-based article has been produced to counter this claim by Oracle.]
Chicago police used CIA-backed Oracle software to surveil protesters and mine their Twitter feeds. Oracle then peddled that same software for police work in China. This is an article on global surveillance.

ESB-2021.1794 – Big Sur, Catalina and Mojave: Multiple vulnerabilities
Apple’s latest security updates include a patch for its macOS desktop operating system that fixes a zero-day vulnerability abused by the XCSSET malware gang.

ESB-2021.1805 – ALERT VMware Products: Multiple vulnerabilities
VMware vCenter Server updates address remote code execution and authentication vulnerabilities.

ASB-2021.0112 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft’s Security Update released on 27 May 2021 fixes multiple vulnerabilities in Microsoft Edge (Chromium-based).

ESB-2021.1819 – linux kernel: Multiple vulnerabilities
An update for the Linux Kernel 4.12.14-150_66 fixes three vulnerabilities.
Stay safe, stay patched and have a good weekend! The AUSCERT team



AUSCERT Week in Review for 21st May 2021

Greetings,

To kick things off, we’d like to share the following wrap-up article on AUSCERT2021 which concluded last week. Again, heartfelt thanks to our colleagues, delivery partners, delegates, speakers and sponsors who came along to support our first ever hybrid endeavour. To those of you who registered to attend as a delegate, you can revisit the conference’s key learnings by re-watching the presentations on-demand. A personalised link to access these recordings has been shared by team GEMS Events so please keep an eye out for it in your inbox. To those who didn’t register as an AUSCERT2021 delegate, we will also be sharing these recordings via our YouTube channel in due time.

Last but not least, sharing a special request from our colleagues at UQ Cyber. See below:

Keen on helping the future generation of cyber and information security professionals? Here’s your chance! “Vignette Survey on Effectiveness of Place Managers in Preventing Ransomware” Folks from UQ Cyber are seeking assistance from the AUSCERT membership audience to participate in a cyber security survey that is investigating factors which can influence the effectiveness of cyber security professionals in preventing cyber security incidents such as ransomware within their respective organisations. The survey results will shed valuable insights and influence how organisations should channel their limited resources in preventing cyber security incidents more effectively. The survey will take approximately 20 minutes to complete. To participate, please click here. For further information, please feel free to get in touch with Heemeng Ho, the lead researcher of this project.

Until next week everyone, have a great weekend.

AFP using a squad of good boys to detect devices such as USBs and SIM cards
Date: 2021-05-20
Author: ZDNet
The Australian Federal Police (AFP) this week revealed some of its canine squad have been trained to sniff out devices, such as USBs and SIM cards, at crime scenes or during the execution of search warrants. In a Facebook post showing a video of one dog, Georgia, finding a phone hidden in a vacuum cleaner, the AFP said since 2019, its three AFP technology detection dogs have located more than 120 devices in support of investigations ranging from child protection investigations to counter terrorism operations.

How to ‘Demystify’ Cybersecurity
Date: 2021-05-14
Author: BankInfoSecurity
[Jeremy Kirk was hosted at the AUSCERT2021 conference as a media representative.]
To defend against cyberattacks, it’s important to “demystify” cybersecurity and break it into risks that can be managed by any organization, says Ciaran Martin, the former director of the U.K. National Cyber Security Center. “It’s very easy to be terrified of cybersecurity,” Martin said. “It’s very easy to be infantilized by cyber risks and the hype around cybersecurity.” In his keynote speech, Martin showed a slide listing key cybersecurity steps, including ensuring software is up to date, making sure partners and suppliers protect data and reviewing authentication methods used to access systems. An essential step, he said, is making sure an organization knows what data it holds and who may most likely try to target it so the right security controls can be deployed. Most organizations, for example, are not going to be targeted by nation-states, he said. “Just manage risk well enough,” Martin said. “You don’t need to have nation-state defenses.” “So understand the harms, have a risk-based approach – a realistic approach, and work with partners,” Martin said. “We can get on top of this problem.”

Exploit released for wormable Windows HTTP vulnerability
Date: 2021-05-17
Author: Bleeping Computer
Proof-of-concept exploit code has been released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. The bug, tracked as CVE-2021-31166, was found in the HTTP Protocol Stack (HTTP.sys) used by the Windows Internet Information Services (IIS) web server as a protocol listener for processing HTTP requests. Microsoft has patched the vulnerability during this month’s Patch Tuesday, and it impacts ONLY Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.

Chrome now automatically fixes breached passwords on Android
Date: 2021-05-18
Author: Bleeping Computer
Google is rolling out a new Chrome on Android feature to help users change passwords compromised in data breaches with a single tap. Chrome already helped you check if your credentials were compromised and, with the rollout of the new automated password change feature, it will also allow you to change them automatically. Now, whenever checking for stolen passwords on supported sites and apps, Google Assistant will display a “Change password” button that will instruct Chrome to navigate to the website and go through the entire password change process on its own.

Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
Date: 2021-05-17
Author: WIRED
Ransomware groups have always taken a more-is-more approach. If a victim pays a ransom and then goes back to business as usual—hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”

ASB-2021.0111 – Microsoft Edge (based on Chromium): Multiple vulnerabilities
Microsoft Edge, the default browser for Windows 10, contained multiple vulnerabilities that could lead to arbitrary code execution.

ESB-2021.1721 – GNOME: Multiple vulnerabilities
Patches were made available for GNOME to address multiple code execution vulnerabilities.

ESB-2021.1702 – sudo: Multiple vulnerabilities
Red Hat released patches for vulnerabilities that could lead to privilege escalation via sudo utilities.

Stay safe, stay patched and have a good weekend! The AUSCERT team



AUSCERT Week in Review for 14th May 2021

Greetings,

What a week! (although it certainly feels like we’ve been saying this a bit in 2021)

To kick things off, we celebrated the 20th anniversary of our annual conference AUSCERT2021. It’s been a week of awesome catch-ups and learnings from the various presentation sessions on the conference program. Thank you so much for the support of our wonderful sponsors and delegates. We hope you enjoyed coming back together in-person as much as the AUSCERT team did. For those who couldn’t make it, we will be sharing the content from the conference in due time via our YouTube channel.

We hope folks were able to get through all of May 2021’s Patch Tuesday fixes, please refer to our highlighted bulletins and articles below.

Thrilled to announce that we’ve now officially launched our AUSCERT podcast, “Share today, save tomorrow” – a special shout out to our ex colleague Nick Soysa for coining this phrase. Episode 1 now available on our website here.

Last but not least, thank you for supporting AUSCERT taking over the @WeAreBrisbane Twitter account this week, we hope that was an educational one for those who play in the Twitter space.

Until next week everyone, have a wonderful weekend – to our colleagues and followers of Muslim faith, Happy Eid ul Fitr, Eid Mubarak!

Microsoft’s May 2021 Patch Tuesday: 55 flaws fixed, four critical
Date: 2021-05-11
Author: ZDNet
Microsoft’s May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited. Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office to name a few. You can find the updates for May here. The fixed zero day bugs include:
– CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
– CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
– CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability

Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader
Date: 2021-05-11
Author: Threatpost
A patch for Adobe Acrobat, the world’s leading PDF reader, fixes a vulnerability under active attack affecting both Windows and macOS systems that could lead to arbitrary code execution. Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. A patch is available, as part of the company’s Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento.

Attackers added thousands of Tor exit nodes to carry out SSL stripping attacks
Date: 2021-05-10
Author: Security Affairs
Starting from January 2020, a threat actor has been adding thousands of malicious exit relays to the Tor network to intercept traffic and carry out SSL stripping attacks on users while accessing mixing websites, The Record first reported. SSL Stripping (aka SSL Downgrade Attack) allows downgrading a connection from secure HTTPS to HTTP, which could expose the traffic to eavesdropping and data manipulation. In the case of the attacks against the Tor network, threat actors aimed at replacing the addresses of legitimate wallets with the ones under the control of the attackers to hijack transactions. In August 2020, the security researcher and Tor node operator “Nusenu” described this practice in an analysis on how malicious Tor Relays are exploiting users in 2020. Nusenu has published a new part of its research that reveals that the threat actors are still active.

US and Australia warn of escalating Avaddon ransomware attacks
Date: 2021-05-10
Author: Bleeping Computer
The Federal Bureau of Investigation and the Australian Cyber Security Centre are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world. The ACSC expanded on the targeting information, saying that the ransomware gang’s affiliates are targeting entities from a wide range of sectors, including but not limited to government, finance, law enforcement, energy, information technology, and health.

A Closer Look at the DarkSide Ransomware Gang
Date: 2021-05-11
Author: Krebs on Security
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue. New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment. “This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.

The DarkSide of the Ransomware Pipeline
Date: 2021-05-11
Author: Splunk
If you want to quickly find out how to use Splunk to find activity related to the DarkSide Ransomware, skip to the “Detection and Remediation of DarkSide” section. Otherwise, read on for a quick breakdown of what happened to the Colonial Pipeline, how to detect the ransomware, and view MITRE ATT&CK mappings.

ESB-2021.1611 – ALERT Adobe Acrobat & Adobe Reader: Multiple vulnerabilities
Adobe reports that CVE-2021-28550 has been exploited in the wild and could lead to arbitrary code execution.

ASB-2021.0101 – ALERT exim: Multiple vulnerabilities
Serious vulnerabilities identified in the Exim mail server allow remote attackers to gain complete root privileges.

ASB-2021.0110 – ALERT Microsoft Extended Security Update products
Microsoft releases its monthly security patch update for the month of May 2021 resolving 12 vulnerabilities.

ESB-2021.1644 – ALERT libgetdata: Multiple vulnerabilities
Multiple vulnerabilities in libgetdata are addressed by Debian’s security updates.

ASB-2021.0108 – Microsoft Developer Tools: Multiple vulnerabilities
Latest security patches from Microsoft fix multiple vulnerabilities in Developer Tools.

Stay safe, stay patched and have a good weekend! The AUSCERT team



AUSCERT Week in Review for 7th May 2021

Greetings,

This week, we’ve been elated to announce a couple of well-known speakers joining us at AUSCERT2021. Troy Hunt will be doing an AMA session, hosted by MC Adam Spencer, and Kevin Mitnick will be joining us for the Speed Debate session. A note to remind folks that in-person places for AUSCERT2021 are selling fast, with very limited numbers remaining. The conference will be delivered in hybrid mode so you can still join us from the comfort of your own home/office. Don’t forget to register before we sell out!

Another busy week has gone past for our analyst team with alerts sent out for multiple products. On that note, be sure to review our highlighted security bulletins and articles below. Members, remember to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

This week saw us supporting Privacy Awareness Week 2021, with some really handy tips from the OAIC on protecting personal information, both at home and in the workplace. On that note, at AUSCERT, we also offer a short course training session on the topic of “Practising good cyber hygiene for hybrid working” – to find out more, email us via training@auscert.org.au.

Last but not least, AUSCERT will be taking over the @WeAreBrisbane Twitter account over the period of 10th-16th May (during conference week, we’re very excited!). We hope to highlight and amplify the topics of Internet safety, cyber and information security, as well as the various personal work of sector-focussed colleagues in the greater Brisbane area. Don’t forget to follow and re-Tweet our posts during this period.

Until next week everyone, have a good and restful weekend, and please remember to spoil your mums and mother figures on Sunday 9th May.

Apple hurries out fixes for WebKit zero-days
Date: 2021-05-03 Author: Search Security
Apple dropped updates on Monday for iOS, macOS, and watchOS in response to in-the-wild attacks on its WebKit browser engine. The macOS Big Sur 11.3.1, iOS/iPadOS 14.5.1, and iOS 12.5.3 updates each include fixes for CVE-2021-30665 and CVE-2021-30663. Both flaws are present in WebKit, the engine Apple uses as the basis for its Safari desktop browser and multiple components of iOS.

Critical 21Nails Exim bugs expose millions of servers to attacks
Date: 2021-05-04 Author: Bleeping Computer
Newly discovered critical vulnerabilities in the Exim mail transfer agent (MTA) software allow unauthenticated remote attackers to execute arbitrary code and gain root privileges on mail servers with default or common configurations. The security flaws (10 remotely exploitable and 11 locally) found and reported by the Qualys Research Team are collectively known as 21Nails. Exim versions prior to 4.94.2 are vulnerable to attacks attempting to exploit the 21Nails vulnerabilities. “Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server,” as Qualys Senior Manager Bharat Jogi noted.

UnitingCare cyber attack claimed by notorious ransom gang REvil/Sodin
Date: 2021-05-06 Author: ABC News
Hackers claiming responsibility for an attack on health and community care provider UnitingCare Queensland have been revealed as one of the most notorious cyber ransom gangs in the world. Last week, the Queensland healthcare provider fell victim to the cyber attack, which affected its hospitals and aged care homes. It runs the Wesley and St Andrew’s Hospitals in Brisbane, St Stephen’s Hospital in Hervey Bay and the Buderim Private Hospital on the Sunshine Coast, and dozens of aged care and disability services throughout the state. UnitingCare on Wednesday confirmed the hack had been claimed by REvil/Sodin. The gang has been linked to multiple attacks on high-profile targets across the globe and is thought to have named itself after the apocalyptic science fiction horror video game-turned-movie, Resident Evil. UnitingCare Queensland’s corporate affairs director Matthew Cuming said that, as a result, some of the organisation’s digital and technology systems had been left inaccessible. But Mr Cuming said at this time there was no evidence the health and safety of patients, residents or clients had been compromised as a result of the cyber incident.

NSW Labor takes a hit from Windows Avaddon ransomware
Date: 2021-05-05 Author: iTWire
The NSW branch of the Labor Party appears to have suffered a Windows ransomware attack, with the Avaddon strain having been used to attack the party’s network.

Cybersecurity is too big for governments or firms to handle alone
Date: 2021-05-03 Author: World Economic Forum
The recent hack of network management company SolarWinds, which enabled bad actors to compromise a range of US government agencies and major corporations, has revealed a troubling truth: business and government expose each other to significant cyber-risks because they are interconnected and rely on the same network of software vendors. That’s why the strategic response must involve more intense collaboration. Simply put, the threat of cyberattacks is too big a job for either government or business to tackle alone.
• Business and government are exposing each other to an increasing range of cyber-risks.
• Current efforts to pool cybersecurity resources are limited in scope.
• Sharing threat intelligence is the first step to provide a clear cyberthreat picture.

ESB-2021.1499 – ALERT Apple iOS products: Execute arbitrary code/commands – Remote with user interaction
Apple reveals two iOS zero-day vulnerabilities that allow attackers to access fully patched devices.

ASB-2021.0101 – ALERT exim: Multiple vulnerabilities
Qualys researchers uncover 21 bugs in Exim mail servers.

ESB-2021.1528 – ALERT HyperFlex HX Software: Multiple vulnerabilities
Multiple vulnerabilities in Cisco HyperFlex could allow arbitrary code execution.

ESB-2021.1529 – ALERT Cisco SD-WAN vManage: Multiple vulnerabilities
Cisco released patches to address critical vulnerabilities in SD-WAN vManage software.

ESB-2021.1563 – ALERT vRealize Business for Cloud: Execute arbitrary code/commands – Remote/unauthenticated
VMware addresses a critical remote code execution vulnerability in vRealize Business for Cloud.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 30th April 2021

Greetings,

This week, we’re thrilled to announce the opening keynote at AUSCERT2021! To celebrate the return of in-person events, we will kick off the 20th anniversary of our conference with a panel discussion on how SOAR can help with your security transformation strategy. The panel will feature experts from Splunk (James Young), Microsoft (Jess Dodson), Bugcrowd (Casey Ellis) and Airservices Australia (Anthony Kitzelmann). Places are selling fast; the conference will be delivered in hybrid mode so you can still join us from the comfort of your own home/office. Don’t forget to register before we sell out!

Another busy week has gone past for our analyst team with alerts sent out for multiple products. On that note, be sure to review our highlighted security bulletins and articles below.

Members, please keep an eye out for a copy of our membership newsletter The Feed, which landed in your inbox on Tuesday this week. It was a bumper edition; in it we shared a copy of our Quarter 1, 2021 report and a piece on how we tackled the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits and helped our members – the latter was also covered in Edition 2 of the Women in Security magazine, a publication from team Source2Create.

Next week will see us supporting Privacy Awareness Week 2021; follow us on our social media channels for information around this year’s campaign.

Last but not least, thank you to those who joined us yesterday as we discussed the 2020 BDO and AUSCERT Cyber Security Survey insights. A copy of the webinar recording can be found here.

AUSCERT will maintain minimal coverage for the Labour Day long weekend in Queensland. Our staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week everyone, have a good and restful weekend.

UnitingCare Queensland hit by cyber attack
Date: 2021-04-26 Author: iTnews
UnitingCare Queensland, a provider of hospital and aged care services, said some of its digital and technology systems were rendered “inaccessible” by a cyber attack on Sunday. 9News in Queensland reported the attack as a ransomware infection that affected all hospitals and aged care homes run by the organisation with IT systems. Hospitals run by UnitingCare Queensland include The Wesley Hospital and St Andrews War Memorial Hospital, both in Brisbane, St Stephen’s Hospital in Hervey Bay, and Buderim Private Hospital on the Sunshine Coast.

A software bug let malware bypass macOS’ security defenses
Date: 2021-04-27 Author: TechCrunch
Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS’ newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple’s watch. Worse, evidence shows a notorious family of Mac malware had been exploiting this vulnerability for months before it was subsequently patched by Apple this week.

Ransomware gang targets Microsoft SharePoint servers for the first time
Date: 2021-04-27 Author: The Record by Recorded Future
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs. SharePoint now joins a list that also includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and Pulse Secure, Fortinet, and Palo Alto Networks VPNs. The group behind the attacks targeting SharePoint servers is a new ransomware operation that was first seen at the end of 2020. The group is tracked by security vendors under the codenames Hello or WickrMe ransomware, because of its use of Wickr encrypted instant messaging accounts as a way for victims to reach out and negotiate the ransom fee. Typical Hello/WickrMe attacks involve the use of a publicly known exploit for CVE-2019-0604, a well-known vulnerability in Microsoft’s SharePoint team collaboration servers.

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU
Date: 2021-04-27 Author: Troy Hunt
Earlier this year, the FBI in partnership with the Dutch National High Tech Crime Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol referred to as the world’s most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February.

University of Minnesota responds to Linux security patch requests
Date: 2021-04-27 Author: ZDNet
The UMN wants to make peace with the Linux kernel developer community after an annoying Linux code security research blunder.

ESB-2021.1408.2 – UPDATED ALERT Apple iOS products: Multiple vulnerabilities
The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1416 – ALERT macOS Catalina: Multiple vulnerabilities
Apple has released security patches for multiple vulnerabilities, including a zero-day bypass vulnerability.

ESB-2021.1439 – ALERT FortiWAN: Multiple vulnerabilities
FortiGuard has released a security update to patch an authentication bypass vulnerability.

ESB-2021.1440 – ALERT ShareFile: Root compromise – Remote/unauthenticated
A security issue in Citrix ShareFile could allow a remote attacker to compromise the storage zones controller.

ASB-2021.0100 – Microsoft Edge: Multiple vulnerabilities
Microsoft has released a security update to address multiple vulnerabilities in Microsoft Edge.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 23rd April 2021

Greetings,

Another busy week has gone past for the folks in our sector, with Oracle’s quarterly patch releases, two separate notable announcements from FireEye, an exploited Chrome zero-day and two vulnerabilities in the QNAP NAS products for good measure! On that note, be sure to review our highlighted security bulletins and articles below.

Thank you to those who’ve registered to attend the AUSCERT2021 conference with your organisation’s member tokens, part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate. Not long to go until we kick things off in mid-May!

Members, keep an eye out for a copy of our membership newsletter The Feed landing in your inbox early next week. It will be a bumper edition in the lead up to AUSCERT2021.

Last but not least, please come and join us on our next webinar session, Thursday 29th April at 10:00AM AEST with colleagues from BDO Australia as we discuss the 2020 BDO and AUSCERT Cyber Security Survey insights. Details on how to register for this session can be found here.

Lest we forget, we would like to take this opportunity to commemorate the men and women who have served our nation in all wars, conflicts, and peacekeeping operations. AUSCERT will maintain minimal coverage for the Anzac Day long weekend. Our staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week, have a good and restful weekend everyone.

AirDrop bugs expose Apple users’ email addresses, phone numbers
Date: 2021-04-21 Author: The Record by Recorded Future
A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apple’s AirDrop file transfer feature. The two bugs reside in the authentication process during the initial phase of an AirDrop connection, where devices try to discover one another and determine if they belong to users who know each other (by checking if a device/user’s phone number is in the other device’s contacts list).

Google issues Chrome update patching seven security vulnerabilities
Date: 2021-04-20 Author: ZDNet
[See related bulletin ESB-2021.1363]
Google on Wednesday released version 90.0.4430.85 of the Chrome browser for Windows, Mac, and Linux. The release contains seven security fixes, including one for a zero-day vulnerability that was exploited in the wild. The zero-day, which was assigned the identifier CVE-2021-21224, was described as a “type confusion in V8”.

Google Alerts continues to be a hotbed of scams and malware
Date: 2021-04-19 Author: Bleeping Computer
Google Alerts continues to be a hotbed of scams and malware that threat actors are increasingly abusing to promote malicious websites. While Google Alerts has been abused for a long time, BleepingComputer has noticed a significant increase in activity over the past couple of weeks. To deceive Google into thinking they are legitimate sites rather than scams, threat actors use a black hat search engine optimization (SEO) technique called ‘cloaking.’ Cloaking is when a website displays different content to visitors than it does to search engine spiders. This cloaking allows the website to look like plain text or a typical blog post when Google’s search engine spiders visit the page, but perform malicious redirects when a user visits the site from a Google redirect.

Linux bans University of Minnesota for committing malicious code
Date: 2021-04-21 Author: Bleeping Computer
In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project. The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

ASB-2021.0098 – ALERT QNAP NAS: Execute arbitrary code/commands – Remote/unauthenticated
Widespread attacks on QNAP products resulting in Qlocker and eCh0raix ransomware infections. Attacks are being carried out through exploitation of vulnerabilities allowing unauthenticated takeover of Internet-facing hosts.

ESB-2021.1363 – ALERT Google Chrome: Multiple vulnerabilities
Chrome contained a multitude of vulnerabilities causing reduced security, including remote code execution and denial of service. Google is aware of reports that exploits for CVE-2021-21224 exist in the wild.

ASB-2021.0074 – ALERT MySQL Products: Multiple vulnerabilities
Various MySQL products contained multiple vulnerabilities which could allow attackers to execute code remotely, cause denial of service, or compromise root.

ESB-2021.1330 – sudo: Root compromise – Existing account
Any local user could exploit a flaw in sudo and cause a heap-based buffer overflow, which allowed privilege escalation to root.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 16th April 2021

Greetings,

We hope everyone has had a good week and was able to get through all of April 2021’s Patch Tuesday fixes. On that note, be sure to review our highlighted security bulletins below, in particular ASB-2021.0062 – these vulnerabilities were newly announced this week and are not the previous ProxyLogon vulnerabilities.

Thank you to those who tuned in to the joint AUSCERT (UQ) & Duo Security webinar which took place yesterday, during which our Director, Dr. David Stockdale, discussed the focus on securing remote access as a key step in the zero-trust journey.

Members – a FINAL reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate. Please make sure you utilise the token(s) by midnight on Sunday 18 April; this is your last chance to claim the token(s). Conference registrations can be completed via our website here.

Ramadan Kareem to folks of the Muslim faith; until next week, have a good weekend everyone!

GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8
Date: 2021-04-14 Author: GitLab
Today we are releasing versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition and Enterprise Edition. These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. We have requested a CVE ID and will update this blog post when it is assigned.

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
Date: 2021-04-13 Author: Securelist
While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft released a patch for this vulnerability as a part of its April security updates. We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.

CISA gives federal agencies until Friday to patch Exchange servers
Date: 2021-04-13 Author: Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday. Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA. These Exchange vulnerabilities are capable of remote code execution, with two vulnerabilities not requiring attackers to authenticate first. While none of the vulnerabilities are known to be used in attacks, CISA believes that threat actors will reverse-engineer the patches to create working exploits due to their severity and public disclosure.

LinkedIn denies 500 million user data breach
Date: 2021-04-11 Author: The Record
LinkedIn has formally denied a rumor that it suffered a devastating security breach that exposed the account details of more than 500 million of its registered users. Rumors of a breach appeared last week after a threat actor claimed to have been in possession of a large trove of LinkedIn user data and proceeded to leak a sample of two million user records as proof. But in a message published last week, LinkedIn said it investigated the breach and concluded that the hacker’s data only included public information that was scraped off LinkedIn’s website and which users consciously made public on their profiles.

100,000 Google Sites Used to Install SolarMarket RAT
Date: 2021-04-14 Author: Threatpost
Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google Sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. eSentire’s Threat Response Unit discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed, in a report published Wednesday.

ESB-2021.1219 – Adobe Bridge: Multiple vulnerabilities
Adobe has released a security update for Adobe Bridge addressing critical and important vulnerabilities that could lead to arbitrary code execution.

ASB-2021.0062 – ALERT Microsoft Exchange Server Products: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft has released patches to fix four more security vulnerabilities for MS Exchange Server.

ASB-2021.0063 – Microsoft Office Products & Services and Web App Products
Microsoft released updates to plug various security holes in its Windows Operating Systems and other products.

ESB-2021.1285 – ALERT GitLab Products: Multiple vulnerabilities
GitLab released newer versions to address a critical remote code execution vulnerability.

ESB-2021.1287 – Google Chrome: Multiple vulnerabilities
Google released Chrome 90.0.4430.72, which contains a number of security fixes and improvements.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 9th April 2021

Greetings,

Welcome back from the Easter long weekend. This week we kicked things off by releasing a blog piece on the topic of the recent Facebook data leak of over five-hundred million of its users. We’d be remiss not to mention the good work done by the folks from Have I Been Pwned in this particular instance.

Tune in next week and join our Director, Dr. David Stockdale, as he discusses the focus on securing remote access as a key step in the zero-trust journey. “Securing the people, systems, and assets in a higher education org is no small task. With over fifty-thousand students supported by over seven-thousand staff members, learn why UQ chose Duo Security as its 2FA solution.” For further details on the webinar and to register, please visit the AUSCERT website here.

Members – another reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate; please make sure you utilise the token(s) by midnight on Sunday 18 April! Conference registrations can be completed via our website here.

Until next week, have a good weekend everyone.

Cisco fixes bug allowing remote code execution with root privileges
Date: 2021-04-07 Author: Bleeping Computer
Cisco has released security updates to address a critical pre-authentication remote code execution (RCE) vulnerability affecting SD-WAN vManage Software’s remote management component. The critical security flaw, tracked as CVE-2021-1479, received a severity score of 9.8/10. It allows unauthenticated, remote attackers to trigger a buffer overflow on vulnerable devices in low complexity attacks that don’t require user interaction. “An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition,” Cisco explained. The company fixed two other high-severity security vulnerabilities in the user management (CVE-2021-1137) and system file transfer (CVE-2021-1480) functions of the same product, allowing attackers to escalate privileges. Successful exploitation of these two bugs could allow threat actors targeting them to obtain root privileges on the underlying operating system.

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof
Date: 2021-04-06 Author: CyberNews
Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn. An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

Too slow! Booking.com fined for not reporting data breach fast enough
Date: 2021-04-06 Author: Naked Security
The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach. Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough.

Facebook data leak: How to know if your business has been affected, and what to do next
Date: 2021-04-06 Author: SmartCompany
The personal data of more than 533 million Facebook users has been leaked online. But, if you’re a business owner, there are a few things you can do to make sure your professional page is as safe as possible.

Contact books of Australian diplomats hacked in major ‘phishing’ scam
Date: 2021-04-07 Author: Sydney Morning Herald
Senior Australian diplomats, including United States ambassador Arthur Sinodinos, have been caught up in a sophisticated identity theft scam in which cyber attackers impersonated them on encrypted messaging services WhatsApp and Telegram in a bid to get sensitive information from their contacts. Under the scam, senior politicians and diplomats are being sent messages asking them to validate new WhatsApp and Telegram accounts. Once they click on the link or download the app, the hacker then has access to their contact book and the ability to impersonate them on the new account.

ESB-2021.1131 – VMware Carbon Black Cloud Workload appliance: Administrator compromise – Remote/unauthenticated
VMware addresses a critical vulnerability in Carbon Black Cloud.

ESB-2021.1163 – ALERT Cisco SD-WAN vManage Software: Multiple vulnerabilities
Multiple vulnerabilities in Cisco SD-WAN vManage software can lead to arbitrary code execution.

ESB-2021.1165 – ALERT Cisco Small Business RV Series Router products: Execute arbitrary code/commands – Remote/unauthenticated
Cisco released an advisory on a critical RCE on End of Life RV Series routers.

ESB-2021.1183 – Jenkins (core) and plugins: Multiple vulnerabilities
Jenkins has released security updates for different Jenkins deliverables, including Jenkins (core).

ESB-2021.1176 – Cisco Webex Meetings: Multiple vulnerabilities
Cisco addresses an XSS vulnerability in Webex Meetings.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 1st April 2021

Greetings,

Here we are, at the end of Quarter 1 2021. What a year it’s been for our sector so far! The wave of vulnerabilities and associated attacks we’ve observed has certainly kept all of us busy. This week we saw an urgent out-of-band Apple security update for its iOS and iPadOS mobile operating system, see bulletin details below. We also witnessed Nine Media recovering from what’s been described as a “significant and complex” cyber-attack, a timely prompt to re-visit “The Essential Eight”, a prioritised list of mitigation strategies issued by the ACSC.

Last week, the AUSCERT team were privileged to attend our first in-person conference event in over a year – BrisSEC21, an event hosted by the AISA Brisbane chapter. Our Director, Dr David Stockdale, presented a talk on the theme of cybercrime at the event. An article based on this talk will be submitted to the next edition of the Women in Security magazine and we will share it when it’s published. We look forward to our next event, our very own annual conference, AUSCERT2021.

On that note, members – a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate – please make sure you utilise the token(s) by 18 April. Conference registrations can be done via our website here.

AUSCERT will maintain minimal coverage for the Easter holidays from Friday 2 April to Monday 5 April. AUSCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week, have a good long Easter weekend everyone. Stay safe and let’s keep up with our Covid-safe practices.

Apple patches exploited iOS, iPadOS zero-day
Date: 2021-03-28 Author: iTnews
Apple has issued an urgent out-of-band security update for its iOS and iPadOS mobile operating system, after a zero-day vulnerability that is under active exploitation was found. The vulnerability in the WebKit browser engine can lead to universal cross-site scripting, Apple said. Cross-site scripting allows attackers to inject their own scripts via maliciously crafted web page content.

VMware fixes bug allowing attackers to steal admin credentials
Date: 2021-03-30 Author: Bleeping Computer
VMware has published security updates to address a high severity vulnerability in vRealize Operations that could allow attackers to steal admin credentials after exploiting vulnerable servers. vRealize Operations is an AI-powered and “self-driving” IT operations management solution for private, hybrid, and multi-cloud environments, available on-premises or as SaaS.

Automated Clean-up of HAFNIUM Shells and Processes with Splunk Phantom
Date: 2021-03-26 Author: Splunk
The Splunk team have released a couple of blogs on this topic, concentrating on two things:
1. Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk: explaining the vulnerabilities and associated exploits
2. Detecting Microsoft Exchange Vulnerabilities – 0 + 8 Days Later…: sharing SPL to detect and hunt for malicious behavior related to the exploits, and detections you can use with Splunk Enterprise Security

Docker Hub images downloaded 20M times come with cryptominers
Date: 2021-03-29 Author: Bleeping Computer
Researchers found that more than two-dozen containers on Docker Hub have been downloaded more than 20 million times for cryptojacking operations spanning at least two years. Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Holding the news to ransom? What we know so far about the Channel 9 cyber attack
Date: 2021-03-30 Author: The Conversation
As is often the case in the early stages of a major cyber incident, details are scarce, and it’s very hard to know who is behind it. What happened? There is no official statement of cause, but it is clear that malware spread between devices at Channel 9’s Sydney headquarters, leaving data and production systems inaccessible.

ESB-2021.1067 – ALERT Apple Products: Cross-site scripting – Remote with user interaction
The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1082 – Cisco Products: Multiple vulnerabilities
Multiple vulnerabilities in OpenSSL affecting Cisco Products.

ESB-2021.1087 – VMWare Products: Multiple vulnerabilities
VMware vRealize Operations updates address server side request forgery and arbitrary file write vulnerabilities.

ESB-2021.1107 – Google Chrome: Multiple Vulnerabilities
Google released a stable channel update for Chrome addressing multiple vulnerabilities.

ESB-2021.1116 – GitLab: Multiple vulnerabilities
GitLab released new versions for GitLab CE and EE to address multiple vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 26th March 2021

Greetings,

This week we released the results from our joint 2020 AUSCERT and BDO in Australia Cyber Security Survey. Thank you to all those who helped us with this endeavour! For the fifth year in a row, we surveyed member organisations across Australia and New Zealand, allowing us to clearly unpack the COVID-19 pandemic’s impacts on cyber – detailing significant shifts in the way organisations are impacted by, and responding to, evolving cyber threats. “Adaptation is key to winning the battle.” Download a copy of the report here.

Also this week, the AUSCERT team conducted yet another analysis of the evolving MS Exchange ProxyLogon vulnerabilities based on the latest report from the Shadowserver team – this report (article) has been highlighted below. Those of you who’d been affected would have been contacted on Wednesday. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

Members, a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate – please utilise the token(s) by 18 April. Conference registrations can be done via our website here. Also a reminder that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. Applications for this grant scheme are due on Tuesday 30th March. To find out more about our sponsorship options, please visit our conference website here.

Until next week, have a good weekend everyone.

…

RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Date: 2021-03-18 Author: NCC Group Research
On Thursday (Friday, Australian time) cybersecurity firm NCC Group said that it detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

Shadowserver Special Report – Exchange Scanning #5
Date: 2021-03-24 Author: The Shadowserver Foundation
Over the past 12 days we have published 5 one-off Special Reports that provided information about the recently patched zero-day vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). This latest Special Report represents our most comprehensive effort yet to enumerate as many vulnerable and compromised Microsoft Exchange Servers as possible. Much of the detection of potentially vulnerable Microsoft Exchange servers performed to date has been based on internet-wide scanning of all ~4 billion IPv4 addresses (IPv4 /0 scanning), which is effective at identifying Exchange/OWA environments which are configured to use the default IP address. However, this kind of mass scanning will not always identify potentially vulnerable Microsoft Exchange servers, since they can also be configured to use web server virtual hosting on fully qualified domain names (FQDNs), rather than simply binding to the default web site instance or a server’s main IP address. In such cases, it is possible that virtual host-based Microsoft Exchange Server instances may be missed during IPv4 /0 scans.

Cisco addresses critical bug in Windows, macOS Jabber clients
Date: 2021-03-24 Author: Bleeping Computer
Cisco has addressed a critical arbitrary program execution vulnerability impacting several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS. Cisco Jabber is a web conferencing and instant messaging app that allows users to send messages via the Extensible Messaging and Presence Protocol (XMPP). The vulnerability was reported by Olav Sortland Thoresen of Watchcom. Cisco’s Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild. Additionally, the vulnerability does not affect Cisco Jabber client software configured for Team Messaging or Phone-only modes.

University of Queensland uplifts its vulnerability management
Date: 2021-03-23 Author: iTnews
The University of Queensland has upgraded its vulnerability management tooling as part of an ongoing security improvements program. The university said it had selected cloud-based Tenable.io “to see, predict and act to reduce cyber risk across its domestic campuses.” Tenable.io is used to scan the university’s “complex environment made up of tens of thousands of personal devices, vendor partnerships and connections to remote teams and other institutions,” information technology services deputy director Dr David Stockdale said in a statement.

Australian firms to spend $4.9b on infosec, risk management in 2021
Date: 2021-03-23 Author: iTWire
Organisations in Australia are forecast to spend more than $4.9 billion on enterprise information security and risk management products and services in 2021, an increase of 8% year-on-year, the technology analyst firm Gartner says. The forecast was made during the online Gartner Security & Risk Management Summit APAC which is being held this week. Senior research director Richard Addiscott said the focus on security and risk was due to major attacks like the SolarWinds supply chain incident, proposed legislation such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and regulatory obligations. “Many of the conversations we’re having with government and private sector clients in Australia revolve around the Essential Eight, varying state government cyber security frameworks, and regulatory instruments such as APRA’s Prudential Standard CPS 234,” said Addiscott.

ESB-2021.1010 – ALERT Cisco Jabber: Multiple vulnerabilities
Multiple vulnerabilities in Cisco Jabber could allow for arbitrary code execution.

ESB-2021.1003 – Firefox: Multiple vulnerabilities
Mozilla has released Firefox 87 fixing multiple vulnerabilities, including remote code execution.

ESB-2021.1043 – McAfee Data Loss Prevention (DLP) Endpoint for Windows: Increased privileges – Existing account
McAfee released an update to address a privilege escalation vulnerability for Windows.

ESB-2021.1056 – OpenSSL: Multiple vulnerabilities
OpenSSL versions 1.1.1h and newer are affected by multiple vulnerabilities.

ESB-2021.1012 – sudo: Root compromise – Existing account
An update that addresses one vulnerability in sudo is now available for SUSE products.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
