Week in review

AUSCERT Week in Review for 19th March 2021

Greetings,

Another big one for the AUSCERT team with several items we’d like to highlight from this week. We kicked things off on Monday by releasing our Year in Review 2020 piece. Members, we hope you find our review useful and we thank you for your continued support!

Last week we highlighted the following “HAFNIUM special report” courtesy of the team from Shadowserver. Since then, the AUSCERT team has conducted a number of analyses based on this information and several follow-up reports from the Shadowserver team. Those of you who’d been affected by the ProxyLogon vulnerabilities would have been contacted throughout this week. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

In conjunction with the above, our team also released a blog article and a workflow diagram titled “Patching for HAFNIUM is just half of the story” – link to the blog highlighted below. We strongly recommend reading this piece as it has been created by our analyst team and should assist Microsoft Exchange server caretakers to check where within this task-flow they are placed within their organisation’s incident response plan.

Last but not least, another exciting update with respect to AUSCERT2021: we’ve updated our Program page to now include all of our tutorials and hands-on workshop offerings.

Members, please note that all nominated Primary and Organisation contact person(s) would have received a reminder email this week pertaining to your member token(s), part of your AUSCERT membership perks – please utilise this by 18 April. Also a reminder that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business’ opportunity grant application scheme.” To find out more, please visit our conference website here.

Until next week, have a good weekend everyone.

Patching for HAFNIUM is just half of the story
Date: 2021-03-16
Author: AUSCERT
On the 2nd of March, a posting by The Department of Homeland Security (U.S.) didn’t mince its words and placed an Emergency Directive to perform a thorough check of any Microsoft Exchange servers at your control. This article served as a guide for “agencies that have the expertise” to “forensically triage artefacts”. Since then there have been a number of tools made available to enable the task of identifying, checking, mitigating, patching, and cleaning your servers and systems. The key take-away here is that there has been (and this continues to grow) a huge amount of effort in making sure that caretakers go beyond the simple sole act of patching.

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
Date: 2021-03-16
Author: Microsoft Security Response Center
Microsoft has provided the latest information for IT Pros and incident response teams with updated tools and investigation guidance to help organizations identify, remediate, and defend against attacks associated with the recent Exchange Server vulnerabilities.

Melbourne’s Eastern Health hit by suspected cyber attack
Date: 2021-03-18
Author: iTnews
One of Melbourne’s largest metropolitan public health services has postponed some elective surgery procedures after experiencing a “cyber incident”. The incident, which took place late on Tuesday, has forced Eastern Health to pull a number of its IT systems offline as a precaution. Eastern Health operates the Box Hill, Maroondah, Healesville and Angliss hospitals, as well as a number of health services, including Yarra Ranges Health and Wantirna Health.

Microsoft releases one-click Exchange On-Premises Mitigation Tool
Date: 2021-03-15
Author: Bleeping Computer
Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily mitigate the recently disclosed ProxyLogon vulnerabilities. This month, Microsoft disclosed that four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers, and more recently, the DearCry ransomware on exploited servers. Today, Microsoft released the EOMT one-click PowerShell script so that small business owners who do not have dedicated or security teams can get further help securing their Microsoft Exchange servers.

IC3 Releases 2020 Internet Crime Report
Date: 2021-03-17
Author: FBI (Federal Bureau of Investigation)
The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports. The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

Survey: Australia, NZ organisations now realise their security overconfidence
Date: 2021-03-16
Author: CSO Online
It took a global pandemic, but enterprises and government agencies in Australia and New Zealand are now rethinking their approach to cybersecurity—taking it seriously for the first time in a while. That’s the conclusion of a survey of about 435 people in Australia and about 40 in New Zealand by the Australian arm of the global business services firm BDO and Australia’s AUSCERT cybersecurity rapid response team. Fewer organisations (55%) now feel confident in managing cyber incidents, down from 62% just a year earlier, the survey found.

New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
Date: 2021-03-14
Author: Bleeping Computer
A security researcher has released a new proof-of-concept exploit this weekend that requires slight modification to install web shells on Microsoft Exchange servers vulnerable to the actively exploited ProxyLogon vulnerabilities.

Security flaws in Microsoft email software raise questions over Australia’s cybersecurity approach
Date: 2021-03-12
Author: The Conversation
On March 2, 2021, Microsoft published information about four critical vulnerabilities in its widely used Exchange email server software that are being actively exploited. It also released security updates for all versions of Exchange back to 2010. Microsoft has told cybersecurity expert Brian Krebs it was notified of the vulnerabilities in “early January”. The Australian Cyber Security Centre has also issued a notice on the vulnerabilities. The situation has been widely reported in the general media as well as specialist cybersecurity sites, but often inaccurately. But the situation also highlights a contradiction in government cybersecurity policy – there is a basic conflict between building offensive cybersecurity capabilities and protecting our own businesses and citizens.

ASB-2021.0048.5 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft’s out-of-band critical updates address a number of Microsoft Exchange Server Remote Code Execution Vulnerabilities.

ESB-2021.0872.2 – UPDATED ALERT BIG-IP Products: Multiple vulnerabilities
F5 Networks identifies more BIG-IP Products impacted by the Advanced WAF/ASM buffer-overflow vulnerability.

ESB-2021.0906 – ALERT Google Chrome: Multiple vulnerabilities
Google’s update for Google Chrome fixes multiple vulnerabilities.

ESB-2021.0943 – shadow: Multiple vulnerabilities
Several vulnerabilities discovered in the shadow suite of login tools.

ESB-2021.0950 – Cisco Products: Multiple vulnerabilities
Cisco has released software updates that address multiple vulnerabilities in Cisco RV132W VPN Routers.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 12th March 2021

Greetings,

What a week it has been for the folks in our sector! With admins already struggling with Microsoft Exchange updates and hacked servers – along comes Microsoft’s March 2021 Patch Tuesday, and not to forget, celebrating and honouring the many women in our lives for International Women’s Day.

We wanted to start by highlighting a “HAFNIUM special report” courtesy of the team from Shadowserver. Members, please note that the AUSCERT team has conducted an analysis based on this information and those of you who’d been affected would have been contacted by our analyst team. Please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

We kicked off things this week by releasing this piece on “The heroes of AUSCERT2020 … the women in security who made it happen”, which was first featured in Edition 1 of the Women in Security magazine by Source2Create.

Be sure to catch up on our summary of critical vulnerabilities and advice on SEVERAL issues this week, all highlighted below: BIG-IP, F5, Microsoft and Adobe Creative Cloud.

Last but not least, our team’s elated to announce that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business’ opportunity grant application scheme.” To find out more, please visit our conference website here.

Until next week, have a good and restful weekend everyone.

March 2021 Patch Tuesday: Microsoft fixes yet another actively exploited IE zero-day
Date: 2021-03-09
Author: Help Net Security
[With admins already struggling with Microsoft Exchange updates and hacked servers – along comes Microsoft’s March 2021 Patch Tuesday, and releases from Adobe and Apple too! Please refer to the multiple AUSCERT security bulletin alerts in-line below.]
Microsoft has fixed 89 CVEs. Among those are the seven Microsoft Exchange flaws fixed last week, one Internet Explorer memory corruption flaw that’s being exploited in the wild, and one Windows Win32k EoP flaw that is publicly known. [See related AUSCERT bulletins ASB-2021.0050, 51, 53, 54 and 56, which we marked as “alerts”. CVE-2021-26411 and 26897 are considered critical by Microsoft and covered in these bulletins. We also published other MS bulletins 55 and 57, which are not alerts.]
Adobe has delivered security updates for Connect, Creative Cloud Desktop Application, and Framemaker […] [See ESB-2021.0860. These are ranked by Adobe as critical, but aren’t as urgent as some of Microsoft’s.]
Apple has pushed out security updates to fix a critical RCE flaw in WebKit. [ESBs 821, 825, 826 and 827.]

HAFNIUM targeting Exchange Servers with 0-day exploits
Date: 2021-03-02
Author: Microsoft Security Blog
[Please see AUSCERT bulletin ASB-2021.0048.3 for further information. See also https://github.com/microsoft/CSS-Exchange/tree/main/Security for information on some security scripts that automate all four of the commands listed on the blog below.]
“Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, we are sharing the following resources.”

F5 urges customers to patch critical BIG-IP pre-auth RCE bug
Date: 2021-03-10
Author: Bleeping Computer
[See related AUSCERT bulletin ESB-2021.0872.]
F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions. F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.” The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on compromised BIG-IP devices:
– CVE-2021-22986 iControl REST unauthenticated RCE
– CVE-2021-22987 Appliance Mode TMUI authenticated RCE
– CVE-2021-22991 TMM buffer-overflow
– CVE-2021-22992 Advanced WAF/ASM buffer-overflow

Adobe Critical Code-Execution Flaws Plague Windows Users
Date: 2021-03-09
Author: Threatpost
[See related AUSCERT bulletin ESB-2021.0860 for further information.]
Adobe has issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems. While these vulnerabilities are classified as critical-severity flaws, it’s important to note that they were given “priority 3” ratings by Adobe. This means that the update “resolves vulnerabilities in a product that has historically not been a target for attackers,” and that administrators are urged to “install the update at their discretion.”

Peter Dutton launches Cyber Security Industry Advisory Committee Ransomware Paper
Date: 2021-03-11
Author: iTWire
The Federal Minister for Home Affairs, Peter Dutton, and his office say that “ransomware continues to be a prevalent global threat, and cyber criminals pose a significant risk to Australians and Australian businesses.” To build awareness about the ransomware threat, the Minister for Home Affairs, Peter Dutton, and Chair of the Cyber Security Industry Advisory Committee, Telstra CEO Andrew Penn, have released the Committee’s first paper: “Locked out: Tackling the ransomware threat.”

ASB-2021.0048.4 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft have released a major revision increment of the CVEs to address Exchange Server vulnerabilities.

ESB-2021.0870 – ALERT F5 Products: Multiple vulnerabilities
F5 have released updates for critical vulnerabilities in BIG-IP components. F5 recommends that all customers install a fixed software version as soon as possible.

ESB-2021.0860 – Creative Cloud Desktop Application: Multiple vulnerabilities
Adobe has released patches for the widely-used Creative Cloud Desktop Application for Windows resolving multiple critical vulnerabilities.

ASB-2021.0051 – ALERT Windows: Multiple vulnerabilities
Microsoft released its monthly security patch update for March 2021 which resolves 59 vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 5th March 2021

Greetings,

This week we would like to congratulate the team from Source2Create on the launch of their 1st edition of the Women In Security magazine. Our team were lucky to have been given the opportunity to spread the word about our upcoming AUSCERT2021 conference as well as publish an article covering the work of the various women in security involved in making AUSCERT2020 a success last year! In honour of International Women’s Day, we will be sharing this piece on our social media channels next Monday 8th March. If you haven’t already, please do subscribe to the Women In Security magazine here.

Members, please look out for an email which would have landed in your inbox earlier this week detailing your member token details – part of your AUSCERT membership perks. These tokens can be applied against both modes of registration: In-Person OR Remote (Virtual). Should you have any further queries regarding these tokens, please feel free to reach out to our membership team.

Be sure to catch up on our summary of critical vulnerability and advice on Microsoft Exchange this week. The relevant details can be found below.

Last but not least, thank you to those who supported our partnership with the team from Tessian. The Human Layer Security Summit was a successful virtual event and for those of you who missed the live event, you’ll be able to catch up on all of its content on-demand.

To our friends and colleagues in Sydney, Happy Mardi Gras weekend and stay safe. Until next week, have a good weekend.

Google patches actively exploited Chrome browser zero-day vulnerability
Date: 2021-03-03
Author: ZDNet
[Additional resource available here, Google’s Project Zero tracking sheet: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=sharing.]
Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild. The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.

Microsoft issues emergency patches for 4 exploited 0-days in Exchange
Date: 2021-03-03
Author: Ars Technica
[Please refer to the following AUSCERT security bulletin: ASB-2021.0048.]
Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server. The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

Universal Health Services lost $67 million due to Ryuk ransomware attack
Date: 2021-03-01
Author: Bleeping Computer
[Additional reading: an English version of the CERT-FR Ryuk ransomware report is now available for perusal via https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-006/]
Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million. UHS, a Fortune 500 hospital and healthcare services provider, has over 90,000 employees who provide services to roughly 3.5 million patients each year in more than 400 US and UK healthcare facilities. UHS said last week that the Ryuk ransomware attack “had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020.” “The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” UHS added.

Australia’s new ‘hacking’ powers considered too wide-ranging and coercive by OAIC
Date: 2021-03-02
Author: ZDNet
The Office of the Australian Information Commissioner (OAIC) has labelled the powers given to two law enforcement bodies within three new computer warrants as “wide-ranging and coercive in nature”. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime. The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.

ESB-2021.0803 – ALERT Google Chrome: Multiple vulnerabilities
Google reports that an exploit for CVE-2021-21166 exists in the wild.

ASB-2021.0048.3 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
There are reports that these zero-day RCE vulnerabilities are being exploited in the wild.

ESB-2021.0780 – Cisco Network Services Orchestrator (NSO): Access confidential data – Remote/unauthenticated
Cisco released a raft of advisories and updates this week, including this one.

ESB-2021.0748 – grub2: Multiple vulnerabilities
These grub2 issues affect many Linux and Unix-like systems.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 26th February 2021

Greetings,

This week we are very excited to announce a number of updates with respect to AUSCERT2021. For the first time ever, the annual AUSCERT conference will be delivered in a hybrid format. Registrations are now open, and we’d like to highlight several sections of the conference website which might be of interest: a list of our selected Speakers, our up-to-date Program details, details on our conference costs, details regarding our venue & accommodation and last but not least, a list of frequently asked questions. To our AUSCERT members, look out for a separate email landing in your inbox next week detailing your member token privilege(s) – part of your AUSCERT membership perks for the conference this year.

Be sure to catch up on our summary of critical vulnerabilities and patches affecting VMware and Cisco. The list of relevant bulletins and further details can be found below.

And last but not least, AUSCERT is proud to be an official partner of the 4th Human Layer Security Summit hosted by the team from Tessian. This is a virtual event and by signing up to participate as a delegate, you’ll be able to catch up on all of its content on-demand.

Until next week, have a good weekend everyone.

More than 6,700 VMware servers exposed online and vulnerable to major new bug
Date: 2021-02-24
Author: ZDNet
[Please refer to the following AUSCERT security bulletin ESB-2021.0677.]
More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies’ entire networks. Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets. The scans have started earlier today after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972. This vulnerability impacts vSphere Client (HTML5), a plugin of VMware vCenter, a type of server usually deployed inside large enterprise networks as a centralized management utility through which IT personnel manage VMware products installed on local workstations.

Qantas urges govt to chip in for cyber incident interventions
Date: 2021-02-22
Author: iTnews
Qantas has joined other sectors in asking the government to at least partially cover the cost of complying with proposed laws aimed at better defending the country’s critical infrastructure networks and systems from cyber attacks. In its submission to the parliamentary joint committee on intelligence and security review of the Security Legislation Amendment (Critical Infrastructure) Bill, the airline said funding was necessary to support the bill’s objectives.

Airplane maker Bombardier data posted on ransomware leak site following FTA hack
Date: 2021-02-23
Author: ZDNet
Canadian airplane manufacturer Bombardier has disclosed today a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang. “An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said in a press release today. While the company did not specifically name the appliance, they are most likely referring to Accellion FTA, a web server that can be used by companies to host and share large files that can’t be sent via email to customers and employees.

Ransomware gangs are running riot – paying them off doesn’t help
Date: 2021-02-17
Author: The Conversation
In the past five years, ransomware attacks have evolved from rare misfortunes into common and disruptive threats. Hijacking the IT systems of organisations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies – and they’re enjoying a remarkably low risk of arrest as they do it. At the moment, there is no coordinated response to ransomware attacks, despite their ever-increasing prevalence and severity. Instead, states’ intelligence services respond to cybercriminals on an ad-hoc basis, while cyber-insurance firms recommend their clients simply pay off the criminal gangs that extort them. Neither of these strategies is sustainable. Instead, organisations need to redouble their cybersecurity efforts to stymie the flow of cash from blackmailed businesses to cybercriminal gangs. Failure to act means that cybercriminals will continue investing their growing loot in ransomware technologies, keeping them one step ahead of our protective capabilities.

Cyber Security Pilot to Bolster Small to Medium Business Against Hack Attacks
Date: 2021-02-23
Author: Cyber Security Cooperative Research Centre (CSCRC)
In an Australian first, the Cyber Security Cooperative Research Centre (CSCRC) will lead a ‘hands on’ pilot project focused on uplifting cyber security across Australia’s small to medium business sector (SMEs). The pilot, which was launched in Adelaide yesterday, will involve six South Australian SMEs across a broad range of critical sectors, from medical services to satellite technologies, measuring their baseline cyber security and providing practical, cost effective uplift solutions over six months. A collaboration between the CSCRC, CyberCX, CSIRO’s Data61 and the Australian Cyber Security Centre (ACSC), and supported by the Government of South Australia, the pilot will provide a blueprint for SME cyber uplift that can be rolled out across the nation. The CSCRC is part of the Federal Government’s Cooperative Research Centres program, administered by the Department of Industry, Science, Energy and Resources.

ESB-2021.0677 – ALERT VMware Products: Multiple vulnerabilities
Remote Code Execution issue with multiple Proof-of-Concept exploits available.

ESB-2021.0705 – ALERT Cisco NX-OS: Multiple vulnerabilities
Multiple remotely exploitable vulnerabilities have been patched.

ESB-2021.0698 – Cisco ACI Multi-Site Orchestrator (MSO): Multiple vulnerabilities
Critical Cisco authentication bypass vulnerability.

ESB-2021.0675 – Mozilla Firefox and Firefox ESR: Multiple vulnerabilities
Mozilla updates available.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 19th February 2021

Greetings,

This week we hosted our very first event for the year! We hosted a joint webinar session which took place yesterday (Thursday 18th February) with the folks from Digital Shadows. The topic of this webinar was “Automation when you can’t automate – the human process journey”; a copy of the recording can be viewed here.

We are also pleased to announce that our AUSCERT2021 Call for Speakers panel managed to review and score all of the submissions for this year. Congratulations to all speakers whose submissions were accepted and thank you to everyone else who submitted. As always, we were lucky to receive an overwhelming number of submissions and the decision making process wasn’t easy. A big shout-out to our panel, which comprised AUSCERT internal staff and colleagues from a range of external organisations and roles who assisted us along the process. We couldn’t have done it without you! We look forward to sharing the details regarding our speakers and program in the coming days. To stay up to date on our conference details, please visit our website.

Last but not least, a reminder to all members that you can join us at the AUSCERT – Members Slack space by logging in with your member portal credentials. The space is a safe and quick way to stay engaged with the AUSCERT team. If you’re having any issues with the process, drop us a line and we’ll be able to assist. What is Slack? Find out more about it here.

Until next week, have a good weekend everyone.

Malvertiser abused WebKit zero-day to redirect iOS & macOS users to shady sites
Date: 2021-02-16
Author: ZDNet
A cybercrime group specialized in showing malicious ads has abused an unpatched zero-day vulnerability in WebKit-based browsers to break security restrictions and redirect users from legitimate portals to shady sites hosting online gift card scams. The attacks were first spotted in June 2020 and are still active today; however, patches for the WebKit zero-day have been released at the start of the month.

2021 EDUCAUSE Horizon Report: Information Security Edition
Date: 2021-02-16
Author: EDUCAUSE
[EDUCAUSE is a nonprofit higher education technology association that helps higher education elevate the impact of IT. They are based in the USA.]
This report profiles important trends and key technologies and practices shaping the future of information security, and envisions a number of scenarios and implications for that future. It is based on the perspectives and expertise of a global panel of leaders from across the higher education landscape.

How Australian cyber experts got comms back up in PNG tribal war
Date: 2021-02-16
Author: Australian Financial Review
A Canberra-based cyber-security firm has helped a multi-organisation operation get critical communications back up for a hospital in Papua New Guinea in the midst of an outbreak of tribal fighting. Local media reported at least 19 people were killed during the tribal violence outbreak in the country’s Hela province, many more injured and around 6000 people, mainly women and children, fleeing into the surrounding forests due to the violence. Robert Potter, security adviser and chief executive at Canberra-based cyber defence consultancy Internet 2.0, said the firm was invited to help with the relief effort, co-ordinated by the Papua New Guinea Police and security firm Black Swan, along with the United Nations and Internet 2.0’s partner on the ground Astrolab PNG.

Microsoft will alert Office 365 admins of Forms phishing attempts
Date: 2021-02-15
Author: Bleeping Computer
Microsoft is adding new security warnings to the Security and Compliance Center default alert policies to inform IT admins of detected phishing attempts abusing Microsoft Forms in their tenants.

This cybersecurity threat costs business millions. And it’s the one they often forget about
Date: 2021-02-16
Author: ZDNet
While ransomware is the cyberattack most feared by businesses, another form of cybercrime is slipping under the radar, one that is proving highly lucrative for internet fraudsters – and costly to business. A business email compromise (BEC) attack sees cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the crooks.

ESB-2021.0542 – SUSE Manager Client Tools: Multiple vulnerabilities
SUSE Security Update fixes four vulnerabilities in SUSE Manager Client Tools.

ESB-2021.0555 – McAfee Endpoint Security: Multiple vulnerabilities
The update for McAfee Endpoint Security for Windows fixes five vulnerabilities.

ESB-2021.0581 – Google Chrome: Multiple vulnerabilities
The Stable channel update for Windows, Mac and Linux fixes multiple vulnerabilities.

ESB-2021.0602 – Cisco Webex Meetings Desktop App & Webex Productivity Tools: Access confidential data – Existing account
Cisco has released software updates that address a vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows.

ESB-2021.0609 – McAfee Web Gateway: Root compromise – Existing account
Security updates fix sudo vulnerability in the Linux-based appliances and virtual machines.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 12th February 2021

Greetings,

This week saw our team supporting the 2021 Safer Internet Day initiative; it is such an important topic, and we’ve shared some tips on how to “start the chat” via a blogpost here. With Patch Tuesday taking place this week, be sure to note our Security Bulletins highlighted below. A couple of important ones to note from the folks at Adobe and Microsoft.

Members, look out for a copy of our membership newsletter aka The Feed which landed in your inbox earlier this week. Our first edition for the year was a bumper one with updates on our strategy for the year, how to optimise your engagement with our team, an update on the AUSCERT2021 conference and a section featuring AUSCERT in the media – we hope you found the February issue a valuable read.

Last but not least, a reminder that we will be hosting our very first event for the year: a joint webinar session will take place next Thursday 18th February with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

Until next week, have a good weekend – to our friends and colleagues in Victoria, we are thinking of you, stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits; and to those who celebrate the Lunar New Year festivities, may the Year of the Ox be a prosperous and kinder one for all.

Attackers Exploit Critical Adobe Bug, Target Windows
Date: 2021-02-09 Author: Threatpost
[Refer to bulletins ESB-2021.0443 and ESB-2021.0444]
Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows. The vulnerability (CVE-2021-21017) has been exploited in “limited attacks,” according to Adobe’s Tuesday advisory, part of its regularly scheduled February updates. The flaw in question is a critical-severity heap-based buffer overflow flaw.

Microsoft urges customers to patch critical Windows TCP/IP bugs
Date: 2021-02-09 Author: Bleeping Computer
[Refer to bulletin ASB-2021.0044]
Microsoft has urged customers today to install security updates for three Windows TCP/IP vulnerabilities rated as critical and high severity as soon as possible. The three TCP/IP security vulnerabilities impact computers running Windows client and server versions starting with Windows 7 and higher.

Federal government launches $26.5 million grants scheme to boost cyber security workforce
Date: 2021-02-08 Author: SmartCompany
A $26.5 million grants program is set to bolster Australia’s cyber security workforce, in a move that could give a boost to the Aussie industry, and start “the right kind of conversations” around cyber. The Federal government’s Cyber Security Skills Partnership Innovation Fund is intended to provide both industry participants and education providers with the funding to deliver projects to “improve the quality or availability” of cyber security professionals. It’s about ensuring a future pipeline of skilled workers in this sector, and it’s specifically targeted at bringing more women into the industry. The scheme is also designed to build stronger partnerships between the industry and education providers. Grants of between $250,000 and $3 million will be available for projects that see partnering entities working together to “build the next generation of cyber security experts”, Minister for Industry, Science and Technology Karen Andrews said in a statement.

Intel Patches Tens of Vulnerabilities in Software, Hardware Products
Date: 2021-02-10 Author: SecurityWeek
Intel on Tuesday announced the release of updates that patch tens of vulnerabilities across many of the company’s software and hardware products. The list of high-severity flaws includes a privilege escalation issue in the Intel Solid State Drive Toolbox, and a denial-of-service flaw in the XMM 7360 Cell Modem that can be exploited by an unauthenticated attacker who has network access.
[All 19 advisories are published on our site between ESB-2021.0457 and 486.]

What’s most interesting about the Florida water system hack? That we heard about it at all
Date: 2021-02-10 Author: Krebs on Security
Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all. “It’s a difficult thing to get organizations to report cybersecurity incidents,” said Michael Arceneaux, managing director of the Water ISAC, an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector.

ASB-2021.0044 – ALERT Windows: Multiple vulnerabilities
Microsoft released its monthly security patch update for February 2021 which resolves 28 vulnerabilities.

ESB-2021.0444 – ALERT Magento: Multiple vulnerabilities
Magento’s updates for Magento Commerce and Magento Open Source edition resolve vulnerabilities rated important and critical.

ESB-2021.0443 – ALERT Adobe Acrobat and Reader: Multiple vulnerabilities
The security updates for Adobe Acrobat and Reader for Windows and macOS address multiple critical and important vulnerabilities.

ASB-2021.0047 – Microsoft Office, Microsoft Office Services and Web Apps: Multiple Vulnerabilities
Microsoft’s Patch Tuesday updates for the month of February 2021 resolve 11 vulnerabilities across Microsoft Office, Microsoft Office Services and Web Apps.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 5th February 2021

Greetings,

This week we’re thrilled to announce our 2nd keynote for AUSCERT2021 – Maddie Stone from Google’s Project Zero. Maddie will be joining us virtually from the USA. Her work as a Security Researcher, where she focuses on 0-days actively exploited in the wild, will be of tremendous value to our conference delegates. We look forward to welcoming her to our stage in May!

A reminder that we will be hosting our very first event for the year, a joint webinar session with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

Members, look out for a copy of our membership newsletter aka The Feed landing in your inbox early next week. Our first edition for the year will be a bumper one with updates on our strategy for the year, how to optimise your engagement with our team, an update on the AUSCERT2021 conference and a section featuring AUSCERT in the media.

Last but not least, be sure to catch up on our summary of critical vulnerabilities and patches affecting SonicWall and Apple. The list of relevant bulletins and further details can be found below.

Until next week, have a good weekend.

SonicWall fixes actively exploited SMA 100 zero-day vulnerability
Date: 2021-02-03 Author: Bleeping Computer
SonicWall has released a patch for the zero-day vulnerability used in attacks against the SMA 100 series of remote access appliances. On January 22nd, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in the SMA 100 series of SonicWall networking devices. A little over a week later, cybersecurity firm NCC Group discovered a zero-day vulnerability for the SonicWall SMA 100 that was actively being exploited in the wild. SonicWall later confirmed the zero-day vulnerability and announced that owners could use the built-in Web Application Firewall (WAF) to neutralize the vulnerability. As the WAF requires a paid license, SonicWall has added a free 60-day WAF license to all registered SMA 100 series devices with 10.X code. Today, SonicWall has released an SMA 100 series firmware 10.2.0.5-29sv update that fixes the actively exploited zero-day vulnerability in the SMA 100 series of devices.

Apple releases macOS Big Sur 11.2 plus security updates for Catalina and Mojave
Date: 2021-02-02 Author: iTWire
[See related AUSCERT Security Bulletin ESB-2021.0349.]
Apple has released macOS Big Sur 11.2 along with corresponding security updates for Catalina and Mojave. Two of the security issues they address are reportedly being actively exploited. Between them, Big Sur 11.2 and this year’s first security updates for Catalina and Mojave address more than 60 vulnerabilities. Apple’s notes state that two of the vulnerabilities are reportedly being actively exploited. One allows arbitrary code execution, the other enables privilege escalation.

Emotet, now neutralised, may have friends you’ll want to clean off your systems.
Date: 2021-02-01 Author: AUSCERT
News broke last week regarding an internationally coordinated action against Emotet, known as the “world’s most dangerous malware”. Via Europol: “This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).” Our team has written a blog piece and shared our thoughts on the initiative.

A Second SolarWinds Hack Deepens Third-Party Software Fears
Date: 2021-02-02 Author: Wired
It’s been more than two months since revelations that alleged Russia-backed hackers broke into the IT management firm SolarWinds and used that access to launch a massive software supply chain attack. It now appears that Russia wasn’t alone; Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products last year at around the same time, apparently hitting the US Department of Agriculture’s National Finance Center.

Ransomware gangs made at least $350 million in 2020
Date: 2021-02-02 Author: ZDNet
Ransomware gangs made at least $350 million in ransom payments last year, in 2020, blockchain analysis firm Chainalysis said in a report last week. The figure was compiled by tracking transactions to blockchain addresses linked to ransomware attacks. Although Chainalysis possesses one of the most complete sets of data on cryptocurrency-related cybercrime, the company said its estimate was only a lower bound of the true total. The company blamed this on the fact that not all victims disclosed their ransomware attacks and subsequent payments last year, with the real total being many times larger than what the company was able to view.

ESB-2021.0349 – ALERT macOS Big Sur, macOS Catalina & macOS Mojave: Multiple vulnerabilities
Apple released new updates for macOS. Quite a few vulnerabilities this time around, including possible exploits in the wild.

ESB-2021.0352 – ALERT iOS & iPadOS: Multiple vulnerabilities
The possible active exploits mentioned above were also present in Apple’s iOS and iPadOS advisory. Get those mobile devices updated as well.

ASB-2021.0037.2 – SonicWall Confirms SMA 100 Series 10.X Zero-Day Vulnerability
SonicWall has released firmware updates to fix the zero-day vulnerability in its SMA 100 product. It is recommended that users patch ASAP.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 29th January 2021

Greetings,

Thank you to those of you who submitted to our AUSCERT2021 Call for Papers initiative. Our team is looking forward to the review process and will be looking at launching our program by early March.

This week also saw a number of critical vulnerabilities affecting SonicWall, sudo and Apple. The list of relevant bulletins and further details can be found below.

Our team is excited to announce our very first event for the year – a joint webinar session with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

And last but not least, we would like to bring your attention to the upcoming Safer Internet Day initiative which we will be supporting as an organisation. The theme for its 18th edition will once again be “Together for a better Internet” and we look forward to sharing further resources around maintaining a better online world.

Until next week folks, have a good weekend.

New Linux SUDO flaw lets local users gain root privileges
Date: 2021-01-26 Author: Bleeping Computer
[See related AUSCERT security bulletin ASB-2021.0036, login not required.]
A now-fixed Sudo vulnerability allowed any local user to gain root privileges on Unix-like operating systems without requiring authentication. The Sudo privilege escalation vulnerability tracked as CVE-2021-3156 (aka Baron Samedit) was discovered by security researchers from Qualys, who disclosed it on January 13th and made sure that patches are available before going public with their findings.

SonicWall Breach
Date: 2021-01-25 Author: Australian Cyber Security Centre (ACSC)
On 22 January 2021, cyber security vendor SonicWall identified an internal systems breach using a likely zero-day in the SonicWall NetExtender VPN client and Secure Mobile Access (SMA) products. On 23 January 2021, SonicWall provided an update stating that only the SMA 100 Series is potentially vulnerable and customers may continue to use the NetExtender component for remote access as it is not susceptible to exploitation.

Insurers ‘funding organised crime’ by paying ransomware claims
Date: 2021-01-25 Author: The Guardian
[Ciaran Martin will be presenting as a keynote at AUSCERT2021.]
Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned. Ciaran Martin, who ran the National Cyber Security Centre until last August, said he feared that so-called ransomware was “close to getting out of control” and that there was a risk that NHS systems could be hit during the pandemic. The problem, he said, is being fuelled because there is no legal barrier to companies paying ransoms to cyber gangs – typically from Russia and some other former Soviet states – and claiming back on insurance. “People are paying bitcoin to criminals and claiming back cash,” Martin said.

Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021
Date: 2021-01-27 Author: ZDNet
Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021. The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet.

Apple fixes another three iOS zero-days exploited in the wild
Date: 2021-01-26 Author: ZDNet
[See related AUSCERT security bulletin ESB-2021.0298.]
Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS. However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days. Apple also declined to comment further.

ASB-2021.0036 – ALERT sudo: Root compromise – Existing account
Affects most Linux and Unix-based systems.

ESB-2021.0298 – Apple iOS and iPadOS: Multiple vulnerabilities
These zero-days have reportedly been exploited in the wild.

ESB-2021.0319 – IBM QRadar SIEM: Multiple vulnerabilities
This report collates 8 IBM advisories.

ESB-2021.0272 – vlc: Multiple vulnerabilities
Remote Code Execution issues in vlc.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
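As an added example for the Baron Samedit item and ASB-2021.0036 above (this is not code from AUSCERT, Qualys or the sudo project), the following Python script gives a first-pass triage of captured `sudo --version` output against the upstream ranges Qualys reported as affected (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1), and wraps the `sudoedit -s /` behavioural test from the Qualys advisory for confirming a host. The host names and version lines in the sample inventory are constructed. The ranges are upstream numbering only: distributions backport the fix without changing the version, so a host flagged by version is a candidate to confirm, not a confirmed vulnerable one.

```python
"""First-pass triage for CVE-2021-3156 (Baron Samedit), added as an example.

Not code from AUSCERT, Qualys or the sudo project. Two checks:
  1. a version-range test against the upstream ranges Qualys reported as
     affected (legacy 1.8.2 .. 1.8.31p2, stable 1.9.0 .. 1.9.5p1);
  2. the behavioural `sudoedit -s /` test from the Qualys advisory, which
     is the one that actually tells you whether a given build is fixed.
"""
import os
import re
import subprocess

# Inclusive upstream ranges reported as affected; first fixed releases were
# 1.8.32 and 1.9.5p2. Distribution packages that backport the fix keep an
# older version number, so a hit here is a candidate, not a confirmation.
_AFFECTED = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed `sudo --version` first lines for illustration; not real hosts.
SAMPLE_INVENTORY = {
    "web01": "Sudo version 1.8.31p2",
    "db01": "Sudo version 1.9.5p1",
    "bastion": "Sudo version 1.9.5p2",
    "legacy": "Sudo version 1.8.1",
    "deb10": "Sudo version 1.8.27-1+deb10u3",  # Debian backport: flagged, yet fixed
}


def parse_sudo_version(text: str) -> tuple:
    """Return (major, minor, patch, p) from a `sudo --version` line or a bare
    version string. A missing 'pN' suffix counts as p0 so tuples compare
    cleanly (1.8.31 < 1.8.31p1 < 1.8.31p2)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def version_in_affected_range(text: str) -> bool:
    """True if the upstream version number lies in an affected range."""
    v = parse_sudo_version(text)
    return any(lo <= v <= hi for lo, hi in _AFFECTED)


def triage_inventory(inventory: dict) -> dict:
    """host -> True for hosts whose sudo version needs confirming."""
    return {host: version_in_affected_range(line) for host, line in inventory.items()}


def sudoedit_heuristic() -> str:
    """Run the Qualys test on the local host as an unprivileged user.

    A vulnerable build answers 'sudoedit: /: not a regular file'; a patched
    build rejects the option combination with a 'usage:' message. Anything
    else (no sudo binary, a password prompt, running as root) is 'unknown'.
    """
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        return "unknown"
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=10,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    err = proc.stderr.lstrip()
    if err.startswith("sudoedit:"):
        return "vulnerable"
    if err.startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    for host, flagged in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:8} {'confirm: version in affected range' if flagged else 'ok by version'}")
    print("local sudoedit heuristic:", sudoedit_heuristic())
```

Run the script as a normal user on the host being checked: a stderr line beginning with "sudoedit:" means the build is still vulnerable, one beginning with "usage:" means the fix is present, and the version check alone should only decide which hosts to run it on.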

AUSCERT Week in Review for 22nd January 2021

Greetings,

Don’t forget – our AUSCERT2021 Call for Papers initiative is still open; this is your LAST CHANCE to submit as we will be closing the portal on Tuesday 26th January. We welcome submissions in line with this year’s theme which focuses on automation of the cyber security response, whether these stories are big or small.

We also issued a couple of alerts in relation to Cisco products; further details can be found below.

And last but not least, a call-out from our team seeking voluntary feedback on the preliminary stages regarding upcoming changes to the AUSCERT Security Bulletins. As a result of the feedback AUSCERT gathered via a member survey, it was concluded that members showed overwhelming support to migrate to CVSS, replacing the current Impact/Access statements. The AUSCERT team is currently exploring suitable formats in order to enable the transition from Impact/Access to CVSS. If you’re a member who would like to be a part of this preliminary assessment team, feel free to reach out to membership@auscert.org.au by 31 January 2021.

Until next week, folks. Have a good weekend.

Critical Cisco SD-WAN Bugs Allow RCE Attacks
Date: 2021-01-20 Author: Threatpost
[See related AUSCERT security bulletins ESB-2021.0240, ESB-2021.0241 and ESB-2021.0243.]
Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks solutions for business users. Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities. The most serious of these flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Date: 2021-01-20 Author: Microsoft Security Blog
More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence. We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

AUSCERT statement on “QuoVadis Global SSL ICA G3” issue impacting multiple customers
Date: 2021-01-15 Author: AUSCERT
The AUSCERT team was made aware that a number of our Certificate Services clients were and continue to be experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST on Friday 15 January 2021. A statement (blog post) was released to assist with this issue. AUSCERT is continuing to work with DigiCert + QuoVadis to ensure that they provide all required further assistance for full remediation with our clients and members.

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach.
Date: 2021-01-19 Author: Malwarebytes
While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

ESB-2021.0240 – Cisco Smart Software Manager Satellite: Multiple vulnerabilities
Critical web UI injection vulnerabilities.

ESB-2021.0241 – Cisco SD-WAN: Multiple vulnerabilities
Critical buffer overflow and command injection vulnerabilities.

ESB-2021.0243 – Cisco DNA Center: Multiple vulnerabilities
Critical command injection and CSRF vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 15th January 2021

Greetings,

As promised, we released details on our Strategic Plans for 2021 earlier this week. We’ve outlined this via the following “AUSCERT: What to Expect in 2021” blog post. Here are some key issues on the AUSCERT agenda this year:
– Expand and enhance our delivery of threat intelligence
– Remain a trusted incident response partner, both locally and globally
– Consistent and useful engagement with our members

With 2021’s first Patch Tuesday taking place this week, be sure to note our Security Bulletins highlighted below. For those handling Cisco patches, we hope you got through them all.

We would also like to share the following statement re: a QuoVadis Global SSL ICA G3 issue which impacted some of our members today. The AUSCERT team was not made aware of the revocation and began investigating this problem as soon as we were alerted by affected members. DigiCert + QuoVadis apologise that significant notice had not been provided with regards to this change, and for any inconvenience caused to AUSCERT members.

Last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open until the end of this month and we welcome submissions in line with this year’s theme which focuses on the automation of the cyber security response, whether these stories are big or small.

Until next week folks, have a good weekend.

Are Australians at a ‘turning point’ on cybersecurity or still unprepared?
Date: 2021-01-11 Author: ABC News
Australians are on high alert about the threat of cyber attacks following Prime Minister Scott Morrison’s warning in June that Australia was targeted by a sophisticated “state-based” cyber-attack.
Key points:
– An average of 164 cybercrime reports are made by Australians every day according to the Australian Cyber Security Centre
– Ransomware has become the biggest threat, used by criminals to lock up people’s systems and data and then demand a ransom in return for their release
– The ACSC has launched a cybersecurity campaign that provides easy-to-follow advice for all Australians to prepare against cyber attacks

Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day
Date: 2021-01-12 Author: Bleeping Computer
[Related AUSCERT security bulletins can be found on our website; accessing these will require a member portal login.]
With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important. There is also one zero-day and one previously disclosed vulnerability fixed as part of the January 2021 updates.

Accellion hack behind Reserve Bank of NZ data breach
Date: 2021-01-12 Author: iTnews
The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack of enterprise data protection provider Accellion. Accellion’s file transfer appliance (FTA) was accessed illegally, RBNZ said in a statement. “We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” RBNZ governor Adrian Orr said. The FTA system, which was used to store and share sensitive information, has been secured and taken offline, RBNZ said.

Third malware strain discovered in SolarWinds supply chain attack
Date: 2021-01-12 Author: ZDNet
Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack. Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.

ASB-2021.0011 – Microsoft Patch Tuesday update for Microsoft System Center for January 2021
This zero-day RCE vulnerability has reportedly been exploited in the wild.

ASB-2021.0010 – Microsoft Patch Tuesday update for Windows for January 2021
Many important Windows updates to apply ASAP.

ESB-2021.0135 – Cisco Webex Meetings Open Redirect Vulnerability
Phishing via Webex.

ESB-2021.0119 – APSB21-01 Security update available for Adobe Photoshop
Adobe released a raft of updates this week also.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 08th January 2021

Greetings,

Welcome to 2021. We hope all our readers enjoyed a well-deserved break over the Christmas and New Year period. We would like to highlight the following article from colleagues at Data @ UQ, “What’s your (cyber and data safety) New Year’s resolution” – a relevant read to kick off the year!

This week we’re thrilled to announce the first keynote speaker at our annual conference AUSCERT2021. Ciaran Martin, founding CEO of the National Cyber Security Centre and now a Professor at the University of Oxford, will be joining us virtually from the UK. We look forward to hearing him speak at the conference and his thoughts on the future of our sector and conference theme “SOARing with cyber.”

Don’t forget – our AUSCERT2021 Call for Papers initiative is still open until the end of this month. Those wanting feedback from our committee are encouraged to submit by Monday 11 January. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference!

And last but not least, keep your eyes peeled as we announce our Strategic Plans for 2021. The team is also working hard on our 2020 Year in Review document and look forward to sharing this in the next few weeks.

Until next week folks, have a good weekend. Stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits.

Set up your own malware analysis pipeline with Karton – CERT Polska
Date: 2020-12-30 Author: CERT Polska
[CERT Polska is a fellow member of the international forum of response teams – FIRST – and is the first Polish computer emergency response team.]
What is Karton? Karton is a robust framework for lightweight and flexible analysis backends. It can be used to connect malware analysis systems into a robust pipeline with very little effort.

CISA Releases Free Detection Tool for Azure/M365 Environment
Date: 2020-12-24 Author: Cybersecurity and Infrastructure Security Agency (CISA)
CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.

China’s APT hackers move to ransomware attacks
Date: 2021-01-04 Author: Bleeping Computer
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.

ANU uses new security capabilities to help other Unis fend off attacks
Date: 2021-01-05 Author: iTnews
The Australian National University says it has been able to help other unnamed universities “fend off attacks” using new capabilities it set up in the early part of a five-year information security program. The program, described at a high level in a parliamentary submission released at the end of last year, comes after ANU was targeted by an advanced persistent threat (APT) actor that led to two data breaches.

Beware: PayPal phishing texts state your account is ‘limited’
Date: 2021-01-03 Author: Bleeping Computer
A PayPal text message phishing campaign is underway that attempts to steal your account credentials and other sensitive information that can be used for identity theft. When PayPal detects suspicious or fraudulent activity on an account, the account will have its status set to “limited,” which will put temporary restrictions on withdrawing, sending, or receiving money.

WhatsApp: Share your data with Facebook or delete your account
Date: 2021-01-06 Author: Bleeping Computer
After WhatsApp updated its Privacy Policy and Terms of Service on Monday with additional info on how it handles users’ data, the company is now notifying users through the mobile app that, starting February, they will be required to share their data with Facebook.

ESB-2021.0024 – chromium: Multiple vulnerabilities
Multiple security issues were discovered in the Chromium web browser, which could result in the execution of arbitrary code, denial of service or information disclosure.

ESB-2021.0011 – MozillaThunderbird: Multiple vulnerabilities
A security update for MozillaThunderbird fixes 9 vulnerabilities in Mozilla Thunderbird 78.6 and Mozilla Thunderbird 78.5.1.

ASB-2021.0001 – Google Android devices: Multiple vulnerabilities
Multiple vulnerabilities have been identified in Google Android devices which can be fixed by updating to the latest versions.

ESB-2021.0067 – Firefox & Firefox ESR: Multiple vulnerabilities
Multiple security vulnerabilities fixed in Firefox 84.0.2, Firefox for Android 84.1.3 and Firefox ESR 78.6.1.

ESB-2021.0064 – pacemaker: Multiple vulnerabilities
Several security vulnerabilities were addressed in pacemaker, a cluster resource manager.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 24th December 2020

AUSCERT Week in Review for 24th December 2020 Greetings, This week the SolarWinds attack continues to make headlines. A reminder to check out our blog on the topic “Sunburst – FireEye’s Discovery of Trojanised SolarWinds Software”. We will continue to update this with any important developments. With that said, it comes as no surprise to everyone that 2020 has been a particularly challenging year. As the year comes to an end, we would like to thank each and every one of you for your support. In a year where the basic tenets of the working world changed, YOU (our members) helped us get through it. We would like to share our reflections on the year through the following piece we wrote “The Year that was 2020”. A reminder of our scheduled shutdown over the Christmas and New Year period: Membership Will be closed from Saturday 19th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021. Operations Will be closed from Friday 25th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual; so do call us for any urgent matters during this period. And last but not least, don’t forget – our AUSCERT2021 Call for Papers initiative is still open over the holiday season. Perhaps some writing to help break up the routine? Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. Until next year folks. Have a wonderful and very well deserved break over the holiday season, you have all earned it. Stay safe and let’s remember to keep washing our hands and practice those good Covid-safe habits! 
NSW Health, Rio Tinto, Serco named as victims of massive global SolarWinds hack attack
Date: 2020-12-23
Author: ABC News
NSW Health has been named in a growing list of victims of a major global cyber attack by Russian hackers — although it says patient information was not stolen.
Key points:
– Australian organisations were named in a list of potential victims of a global attack by Russian hackers
– Dubbed the ‘SolarWinds’ attack, it has infected thousands of systems worldwide with malware
– NSW Health may have been infected since June
But while the health agency says its system was not “compromised”, cybersecurity experts said it appeared to be infected with malware. In a worst-case scenario, this could have allowed the hackers to escalate the attack and steal information.

Cyber security left out of cabinet reshuffle
Date: 2020-12-18
Author: iTnews
Prime Minister Scott Morrison has not appointed a dedicated minister for cyber security in Friday’s cabinet reshuffle. Last month, The Australian reported that Morrison planned to create a cyber security role in his cabinet that would be added to the Home Affairs portfolio. There were no changes made to the Home Affairs portfolio in today’s announcement, meaning Home Affairs minister Peter Dutton will retain responsibility for Australia’s cyber security policy and coordination.

The Cybersecurity Stories We Were Jealous of in 2020
Date: 2020-12-22
Author: Vice Motherboard
The end of the year is usually a good time for retrospection and one of our favorite traditions: digging into the archives and recognizing the best cybersecurity stories of the year. Stories so good, we wish we had written them ourselves. Without further ado, here’s the annual Motherboard’s Cyber Jealousy list.

2020: The year in malware
Date: 2020-12-21
Author: Cisco Talos
To recap this crazy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

Apple: Here’s how to secure an iPhone or Apple ID ‘when personal safety is at risk’
Date: 2020-12-19
Author: ZDNet
[Stalking is a crime in all states and territories in Australia. If you’re spending time with family and friends over the holidays and believe they might be victims of cyber-stalking, this guide may be of use.]
This document highlights the steps that an Apple user can work through if they believe that their Apple ID has been compromised, or they want to rescind someone’s access to information that they previously allowed to have access, such as an ex or a family member.

ESB-2020.4513 – Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update
Whilst only marked as moderate by Red Hat, this advisory contained a whopping 121 CVEs, the most major of which included RCE.

ESB-2020.4537 – Security update for slurm_20_02
This advisory for the powerful Linux resource manager Slurm was marked as important by SUSE and contained a RCE vulnerability.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
