Week in review

AUSCERT Week in Review for 7th May 2021

Greetings,

This week, we’ve been elated to announce a couple of well-known speakers joining us at AUSCERT2021. Troy Hunt will be doing an AMA session, hosted by MC Adam Spencer, and Kevin Mitnick will be joining us for the Speed Debate session. A note to remind folks that in-person places for AUSCERT2021 are selling fast, with very limited numbers remaining. The conference will be delivered in hybrid mode so you can still join us from the comfort of your own home/office. Don’t forget to register before we sell out!

Another busy week has gone past for our analyst team with alerts sent out for multiple products. On that note, be sure to review our highlighted security bulletins and articles below. Members, remember to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

This week saw us supporting Privacy Awareness Week 2021, with some really handy tips from the OAIC on protecting personal information, both at home and in the workplace. On that note, AUSCERT also offers a short course training session on the topic of “Practising good cyber hygiene for hybrid working” – to find out more, email us via training@auscert.org.au.

Last but not least, AUSCERT will be taking over the @WeAreBrisbane Twitter account over the period of 10th-16th May (during conference week, we’re very excited!). We hope to highlight and amplify the topics of Internet safety, cyber and information security, as well as the personal work of sector-focussed colleagues in the greater Brisbane area. Don’t forget to follow and re-Tweet our posts during this period.

Until next week everyone, have a good and restful weekend, and please remember to spoil your mums and mother figures on Sunday 9th May.

Apple hurries out fixes for WebKit zero-days
Date: 2021-05-03
Author: Search Security
Apple dropped updates on Monday for iOS, macOS, and watchOS in response to in-the-wild attacks on its WebKit browser engine. The macOS Big Sur 11.3.1, iOS/iPadOS 14.5.1, and iOS 12.5.3 updates each include fixes for CVE-2021-30665 and CVE-2021-30663. Both flaws are present in WebKit, the engine Apple uses as the basis for its Safari desktop browser and multiple components of iOS.

Critical 21Nails Exim bugs expose millions of servers to attacks
Date: 2021-05-04
Author: Bleeping Computer
Newly discovered critical vulnerabilities in the Exim mail transfer agent (MTA) software allow unauthenticated remote attackers to execute arbitrary code and gain root privileges on mail servers with default or common configurations. The security flaws (10 remotely exploitable and 11 locally) found and reported by the Qualys Research Team are collectively known as 21Nails. Exim versions prior to 4.94.2 are vulnerable to attacks attempting to exploit the 21Nails vulnerabilities. “Some of the vulnerabilities can be chained together to obtain a full remote unauthenticated code execution and gain root privileges on the Exim Server,” as Qualys Senior Manager Bharat Jogi noted.

UnitingCare cyber attack claimed by notorious ransom gang REvil/Sodin
Date: 2021-05-06
Author: ABC News
Hackers claiming responsibility for an attack on health and community care provider UnitingCare Queensland have been revealed as one of the most notorious cyber ransom gangs in the world. Last week, the Queensland healthcare provider fell victim to the cyber attack, which affected its hospitals and aged care homes. It runs the Wesley and St Andrew’s Hospitals in Brisbane, St Stephen’s Hospital in Hervey Bay and the Buderim Private Hospital on the Sunshine Coast, and dozens of aged care and disability services throughout the state. UnitingCare on Wednesday confirmed the hack had been claimed by REvil/Sodin. The gang has been linked to multiple attacks on high-profile targets across the globe and is thought to have named itself after the apocalyptic science fiction horror video game-turned-movie, Resident Evil. UnitingCare Queensland’s corporate affairs director Matthew Cuming said as a result, some of the organisation’s digital and technology systems had been left inaccessible. But Mr Cuming said at this time there was no evidence the health and safety of patients, residents or clients had been compromised as a result of the cyber incident.

NSW Labor takes a hit from Windows Avaddon ransomware
Date: 2021-05-05
Author: iTWire
The NSW branch of the Labor Party appears to have suffered a Windows ransomware attack, with the Avaddon strain having been used to attack the party’s network.

Cybersecurity is too big for governments or firms to handle alone
Date: 2021-05-03
Author: World Economic Forum
The recent hack of network management company SolarWinds, which enabled bad actors to compromise a range of US government agencies and major corporations, has revealed a troubling truth: business and government expose each other to significant cyber-risks because they are interconnected and rely on the same network of software vendors. That’s why the strategic response must involve more intense collaboration. Simply put, the threat of cyberattacks is too big a job for either government or business to tackle alone.
• Business and government are exposing each other to an increasing range of cyber-risks.
• Current efforts to pool cybersecurity resources are limited in scope.
• Sharing threat intelligence is the first step to provide a clear cyberthreat picture.

ESB-2021.1499 – ALERT Apple iOS products: Execute arbitrary code/commands – Remote with user interaction
Apple reveals two iOS zero-day vulnerabilities that allow attackers to access fully patched devices.

ASB-2021.0101 – ALERT exim: Multiple vulnerabilities
Qualys researchers uncover 21 bugs in Exim mail servers.

ESB-2021.1528 – ALERT HyperFlex HX Software: Multiple vulnerabilities
Multiple vulnerabilities in Cisco HyperFlex could allow arbitrary code execution.

ESB-2021.1529 – ALERT Cisco SD-WAN vManage: Multiple vulnerabilities
Cisco released patches to address critical vulnerabilities in SD-WAN vManage software.

ESB-2021.1563 – ALERT vRealize Business for Cloud: Execute arbitrary code/commands – Remote/unauthenticated
VMware addresses a critical remote code execution vulnerability in vRealize Business for Cloud.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 30th April 2021

Greetings,

This week, we’re thrilled to announce the opening keynote at AUSCERT2021! To celebrate the return of in-person events, we will kick off the 20th anniversary of our conference with a panel discussion on how SOAR can help with your security transformation strategy. The panel will feature experts from Splunk (James Young), Microsoft (Jess Dodson), Bugcrowd (Casey Ellis) and Airservices Australia (Anthony Kitzelmann). Places are selling fast; the conference will be delivered in hybrid mode so you can still join us from the comfort of your own home/office. Don’t forget to register before we sell out!

Another busy week has gone past for our analyst team with alerts sent out for multiple products. On that note, be sure to review our highlighted security bulletins and articles below.

Members, please keep an eye out for a copy of our membership newsletter The Feed, which landed in your inbox on Tuesday this week. It was a bumper edition: in it we shared a copy of our Quarter 1, 2021 report and a piece on how we tackled the recent Microsoft Exchange Server critical ProxyLogon vulnerabilities and exploits and helped our members – the latter was also covered in Edition 2 of the Women in Security magazine, a publication from team Source2Create.

Next week will see us supporting Privacy Awareness Week 2021; follow us on our social media channels for information around this year’s campaign.

Last but not least, thank you to those who joined us yesterday as we discussed the 2020 BDO and AUSCERT Cyber Security Survey insights. A copy of the webinar recording can be found here.

AUSCERT will maintain minimal coverage for the Labour Day long weekend in Queensland. Our staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week everyone, have a good and restful weekend.

UnitingCare Queensland hit by cyber attack
Date: 2021-04-26
Author: iTnews
UnitingCare Queensland, a provider of hospital and aged care services, said some of its digital and technology systems were rendered “inaccessible” by a cyber attack on Sunday. 9News in Queensland reported the attack as a ransomware infection that affected all hospitals and aged care homes run by the organisation with IT systems. Hospitals run by UnitingCare Queensland include The Wesley Hospital and St Andrew’s War Memorial Hospital, both in Brisbane, St Stephen’s Hospital in Hervey Bay, and Buderim Private Hospital on the Sunshine Coast.

A software bug let malware bypass macOS’ security defenses
Date: 2021-04-27
Author: TechCrunch
Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS’ newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple’s watch. Worse, evidence shows a notorious family of Mac malware had been exploiting this vulnerability for months before it was subsequently patched by Apple this week.

Ransomware gang targets Microsoft SharePoint servers for the first time
Date: 2021-04-27
Author: The Record by Recorded Future
Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs. SharePoint now joins a list that also includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and Pulse Secure, Fortinet, and Palo Alto Networks VPNs. The group behind the attacks targeting SharePoint servers is a new ransomware operation that was first seen at the end of 2020. The group is tracked by security vendors under the codenames of Hello or the WickrMe ransomware, because of its use of Wickr encrypted instant messaging accounts as a way for victims to reach out and negotiate the ransom fee. Typical Hello/WickrMe attacks usually involve the use of a publicly known exploit for CVE-2019-0604, a well-known vulnerability in Microsoft’s SharePoint team collaboration servers.

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU
Date: 2021-04-27
Author: Troy Hunt
Earlier this year, the FBI, in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies, brought down what Europol referred to as the world’s most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February.

University of Minnesota responds to Linux security patch requests
Date: 2021-04-27
Author: ZDNet
The UMN wants to make peace with the Linux kernel developer community after an annoying Linux code security research blunder.

ESB-2021.1408.2 – UPDATED ALERT Apple iOS products: Multiple vulnerabilities
The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1416 – ALERT macOS Catalina: Multiple vulnerabilities
Apple has released security patches for multiple vulnerabilities, including a zero-day bypass vulnerability.

ESB-2021.1439 – ALERT FortiWAN: Multiple vulnerabilities
FortiGuard has released a security update to patch an authentication bypass vulnerability.

ESB-2021.1440 – ALERT ShareFile: Root compromise – Remote/unauthenticated
A security issue in Citrix ShareFile could allow a remote attacker to compromise the storage zones controller.

ASB-2021.0100 – Microsoft Edge: Multiple vulnerabilities
Microsoft has released a security update to address multiple vulnerabilities in Microsoft Edge.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 23rd April 2021

Greetings,

Another busy week has gone past for the folks in our sector, with Oracle’s quarterly patch releases, two separate notable announcements from FireEye, an exploited Chrome zero-day and two vulnerabilities in QNAP NAS products for good measure! On that note, be sure to review our highlighted security bulletins and articles below.

Thank you to those who’ve registered to attend the AUSCERT2021 conference with your organisation’s member tokens, part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate. Not long to go until we kick things off in mid-May!

Members, keep an eye out for a copy of our membership newsletter The Feed landing in your inbox early next week. It will be a bumper edition in the lead-up to AUSCERT2021.

Last but not least, please come and join us on our next webinar session, Thursday 29th April at 10:00AM AEST, with colleagues from BDO Australia as we discuss the 2020 BDO and AUSCERT Cyber Security Survey insights. Details on how to register for this session can be found here.

Lest we forget: we would like to take this opportunity to commemorate the men and women who have served our nation in all wars, conflicts, and peacekeeping operations. AUSCERT will maintain minimal coverage for the Anzac Day long weekend. Our staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week, have a good and restful weekend everyone.

AirDrop bugs expose Apple users’ email addresses, phone numbers
Date: 2021-04-21
Author: The Record by Recorded Future
A team of academics from a German university said it discovered two vulnerabilities that can be abused to extract phone numbers and email addresses from Apple’s AirDrop file transfer feature. The two bugs reside in the authentication process during the initial phase of an AirDrop connection, where devices try to discover one another and determine if they belong to users who know each other (by checking if a device/user’s phone number is in the other device’s contacts list).

Google issues Chrome update patching seven security vulnerabilities
Date: 2021-04-20
Author: ZDNet
[See related bulletin ESB-2021.1363]
Google on Wednesday released version 90.0.4430.85 of the Chrome browser for Windows, Mac, and Linux. The release contains seven security fixes, including one for a zero-day vulnerability that was exploited in the wild. The zero-day, which was assigned the identifier CVE-2021-21224, was described as a “type confusion in V8”.

Google Alerts continues to be a hotbed of scams and malware
Date: 2021-04-19
Author: Bleeping Computer
Google Alerts continues to be a hotbed of scams and malware that threat actors are increasingly abusing to promote malicious websites. While Google Alerts has been abused for a long time, BleepingComputer has noticed a significant increase in activity over the past couple of weeks. To deceive Google into thinking they are legitimate sites rather than scams, threat actors use a black hat search engine optimization (SEO) technique called ‘cloaking.’ Cloaking is when a website displays different content to visitors than it does to search engine spiders. This cloaking allows the website to look like plain text or a typical blog post when Google’s search engine spiders visit the page, but perform malicious redirects when a user visits the site from a Google redirect.

Linux bans University of Minnesota for committing malicious code
Date: 2021-04-21
Author: Bleeping Computer
In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project. The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

ASB-2021.0098 – ALERT QNAP NAS: Execute arbitrary code/commands – Remote/unauthenticated
Widespread attacks on QNAP products resulting in Qlocker and eCh0raix ransomware infections. Attacks are being carried out through exploitation of vulnerabilities allowing unauthenticated takeover of Internet-facing hosts.

ESB-2021.1363 – ALERT Google Chrome: Multiple vulnerabilities
Chrome contained multiple vulnerabilities, including remote code execution and denial of service. Google is aware of reports that exploits for CVE-2021-21224 exist in the wild.

ASB-2021.0074 – ALERT MySQL Products: Multiple vulnerabilities
Various MySQL products contained multiple vulnerabilities which could allow attackers to execute remote code, cause denial of service, and achieve root compromise.

ESB-2021.1330 – sudo: Root compromise – Existing account
Any local user could exploit a flaw in sudo and cause a heap-based buffer overflow, which allowed privilege escalation to root.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 16th April 2021

Greetings,

We hope everyone’s had a good week and was able to get through all of April 2021’s Patch Tuesday fixes. On that note, be sure to review our highlighted security bulletins below, in particular ASB-2021.0062 – these vulnerabilities were newly announced this week and are not the previous ProxyLogon vulnerabilities.

Thank you to those who tuned in to the joint AUSCERT (UQ) & Duo Security webinar which took place yesterday, during which our Director, Dr. David Stockdale, discussed the focus on securing remote access as a key step in the zero-trust journey.

Members – a FINAL reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate. Please make sure you utilise the token(s) by midnight on Sunday 18 April; this is your last chance to claim the token(s). Conference registrations can be completed via our website here.

Ramadan Kareem to folks of the Muslim faith; until next week, have a good weekend everyone!

GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8
Date: 2021-04-14
Author: GitLab
Today we are releasing versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition and Enterprise Edition. These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. We have requested a CVE ID and will update this blog post when it is assigned.

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
Date: 2021-04-13
Author: Securelist
While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft released a patch for this vulnerability as a part of its April security updates. We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.

CISA gives federal agencies until Friday to patch Exchange servers
Date: 2021-04-13
Author: Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday. Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA. These Exchange vulnerabilities are capable of remote code execution, with two vulnerabilities not requiring attackers to authenticate first. While none of the vulnerabilities are known to be used in attacks, CISA believes that threat actors will reverse-engineer the patches to create working exploits due to their severity and public disclosure.

LinkedIn denies 500 million user data breach
Date: 2021-04-11
Author: The Record
LinkedIn has formally denied a rumor that it suffered a devastating security breach that exposed the account details of more than 500 million of its registered users. Rumors of a breach appeared last week after a threat actor claimed to have been in possession of a large trove of LinkedIn user data and proceeded to leak a sample of two million user records as proof. But in a message published last week, LinkedIn said it investigated the breach and concluded that the hacker’s data only included public information that was scraped off LinkedIn’s website and which users consciously made public on their profiles.

100,000 Google Sites Used to Install SolarMarket RAT
Date: 2021-04-14
Author: Threatpost
Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google Sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. eSentire’s Threat Response Unit discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed in a report published Wednesday.

ESB-2021.1219 – Adobe Bridge: Multiple vulnerabilities
Adobe has released a security update for Adobe Bridge addressing critical and important vulnerabilities that could lead to arbitrary code execution.

ASB-2021.0062 – ALERT Microsoft Exchange Server Products: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft has released patches to fix four more security vulnerabilities in MS Exchange Server.

ASB-2021.0063 – Microsoft Office Products & Services and Web App Products
Microsoft released updates to plug various security holes in its Windows Operating Systems and other products.

ESB-2021.1285 – ALERT GitLab Products: Multiple vulnerabilities
GitLab released newer versions to address a critical remote code execution vulnerability.

ESB-2021.1287 – Google Chrome: Multiple vulnerabilities
Google released Chrome 90.0.4430.72, which contains a number of security fixes and improvements.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 9th April 2021

Greetings,

Welcome back from the Easter long weekend. This week we kicked things off by releasing a blog piece on the topic of the recent Facebook data leak of over five hundred million of its users. We’d be remiss not to mention the good work done by the folks from Have I Been Pwned in this particular instance.

Tune in next week and join our Director, Dr. David Stockdale, as he discusses the focus on securing remote access as a key step in the zero-trust journey. “Securing the people, systems, and assets in a higher education org is no small task. With over fifty-thousand students supported by over seven-thousand staff members, learn why UQ chose Duo Security as its 2FA solution.” For further details on the webinar and to register, please visit the AUSCERT website here.

Members – another reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate. Please make sure you utilise the token(s) by midnight on Sunday 18 April! Conference registrations can be completed via our website here.

Until next week, have a good weekend everyone.

Cisco fixes bug allowing remote code execution with root privileges
Date: 2021-04-07
Author: Bleeping Computer
Cisco has released security updates to address a critical pre-authentication remote code execution (RCE) vulnerability affecting SD-WAN vManage Software’s remote management component. The critical security flaw, tracked as CVE-2021-1479, received a severity score of 9.8/10. It allows unauthenticated, remote attackers to trigger a buffer overflow on vulnerable devices in low-complexity attacks that don’t require user interaction. “An attacker could exploit this vulnerability by sending a crafted connection request to the vulnerable component that, when processed, could cause a buffer overflow condition,” Cisco explained. The company also fixed two other high-severity security vulnerabilities in the user management (CVE-2021-1137) and system file transfer (CVE-2021-1480) functions of the same product, which allow attackers to escalate privileges. Successful exploitation of these two bugs could allow threat actors targeting them to obtain root privileges on the underlying operating system.

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof
Date: 2021-04-06
Author: CyberNews
Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn. An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the LinkedIn users whose data has allegedly been scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

Too slow! Booking.com fined for not reporting data breach fast enough
Date: 2021-04-06
Author: Naked Security
The Dutch Data Protection Authority (DPA) – the country’s data protection regulator – has fined online travel and hotel booking company Booking.com almost half a million Euros over a data breach. Interestingly, the fine was issued not merely because there was a breach, but because the company didn’t report the breach quickly enough.

Facebook data leak: How to know if your business has been affected, and what to do next
Date: 2021-04-06
Author: SmartCompany
The personal data of more than 533 million Facebook users has been leaked online. But, if you’re a business owner, there are a few things you can do to make sure your professional page is as safe as possible.

Contact books of Australian diplomats hacked in major ‘phishing’ scam
Date: 2021-04-07
Author: Sydney Morning Herald
Senior Australian diplomats, including United States ambassador Arthur Sinodinos, have been caught up in a sophisticated identity theft scam in which cyber attackers impersonated them on encrypted messaging services WhatsApp and Telegram in a bid to get sensitive information from their contacts. Under the scam, senior politicians and diplomats are being sent messages asking them to validate new WhatsApp and Telegram accounts. Once they click on the link or download the app, the hacker then has access to their contact book and the ability to impersonate them on the new account.

ESB-2021.1131 – VMware Carbon Black Cloud Workload appliance: Administrator compromise – Remote/unauthenticated
VMware addresses a critical vulnerability in Carbon Black Cloud.

ESB-2021.1163 – ALERT Cisco SD-WAN vManage Software: Multiple vulnerabilities
Multiple vulnerabilities in Cisco SD-WAN vManage software can lead to arbitrary code execution.

ESB-2021.1165 – ALERT Cisco Small Business RV Series Router products: Execute arbitrary code/commands – Remote/unauthenticated
Cisco released an advisory on a critical RCE in End-of-Life RV Series routers.

ESB-2021.1183 – Jenkins (core) and plugins: Multiple vulnerabilities
Jenkins has released security updates for different Jenkins deliverables, including Jenkins (core).

ESB-2021.1176 – Cisco Webex Meetings: Multiple vulnerabilities
Cisco addresses an XSS vulnerability in Webex Meetings.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 1st April 2021

Greetings,

Here we are, at the end of Quarter 1 2021. What a year it’s been for our sector so far! The wave of vulnerabilities and associated attacks we’ve observed has certainly kept all of us busy. This week we saw an urgent out-of-band Apple security update for its iOS and iPadOS mobile operating systems; see bulletin details below. We also witnessed Nine Media recovering from what’s been described as a “significant and complex” cyber-attack, a timely prompt to revisit “The Essential Eight”, a prioritised list of mitigation strategies issued by the ACSC.

Last week, the AUSCERT team were privileged to attend our first in-person conference event in over a year – BrisSEC21, an event hosted by the AISA Brisbane chapter. Our Director, Dr David Stockdale, presented a talk on the theme of cybercrime at the event. An article based on this talk will be submitted to the next edition of the Women in Security magazine and we will share it when it’s published. We look forward to our next event, our very own annual conference, AUSCERT2021.

On that note, members – a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allow you to attend our annual conference for free or as a partially subsidised delegate – please make sure you utilise the token(s) by 18 April. Conference registrations can be done via our website here.

AUSCERT will maintain minimal coverage for the Easter holidays from Friday 2 April to Monday 5 April. AUSCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AUSCERT member with an emergency may contact on-call AUSCERT staff on the AUSCERT Incident Hotline, details available here.

Until next week, have a good long Easter weekend everyone. Stay safe and let’s keep up with our Covid-safe practices.

Apple patches exploited iOS, iPadOS zero-day
Date: 2021-03-28
Author: iTnews
Apple has issued an urgent out-of-band security update for its iOS and iPadOS mobile operating systems, after a zero-day vulnerability that is under active exploitation was found. The vulnerability in the WebKit browser engine can lead to universal cross-site scripting, Apple said. Cross-site scripting allows attackers to inject their own scripts via maliciously crafted web page content.

VMware fixes bug allowing attackers to steal admin credentials
Date: 2021-03-30
Author: Bleeping Computer
VMware has published security updates to address a high severity vulnerability in vRealize Operations that could allow attackers to steal admin credentials after exploiting vulnerable servers. vRealize Operations is an AI-powered and “self-driving” IT operations management platform for private, hybrid, and multi-cloud environments, available as an on-premises or SaaS solution.

Automated Clean-up of HAFNIUM Shells and Processes with Splunk Phantom
Date: 2021-03-26
Author: Splunk
The Splunk team have released a couple of blogs on this topic, concentrating on two things:
1. Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk: explaining the vulnerabilities and associated exploits
2. Detecting Microsoft Exchange Vulnerabilities – 0 + 8 Days Later…: sharing SPL to detect and hunt for malicious behaviour related to the exploits, and detections you can use with Splunk Enterprise Security

Docker Hub images downloaded 20M times come with cryptominers
Date: 2021-03-29
Author: Bleeping Computer
Researchers found that more than two dozen containers on Docker Hub have been downloaded more than 20 million times for cryptojacking operations spanning at least two years. Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Holding the news to ransom? What we know so far about the Channel 9 cyber attack
Date: 2021-03-30
Author: The Conversation
As is often the case in the early stages of a major cyber incident, details are scarce, and it’s very hard to know who is behind it. What happened? There is no official statement of cause, but it is clear that malware spread between devices at Channel 9’s Sydney headquarters, leaving data and production systems inaccessible.

ESB-2021.1067 – ALERT Apple Products: Cross-site scripting – Remote with user interaction
The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1082 – Cisco Products: Multiple vulnerabilities
Multiple vulnerabilities in OpenSSL affecting Cisco products.

ESB-2021.1087 – VMware Products: Multiple vulnerabilities
VMware vRealize Operations updates address server-side request forgery and arbitrary file write vulnerabilities.

ESB-2021.1107 – Google Chrome: Multiple vulnerabilities
Google released a stable channel update for Chrome addressing multiple vulnerabilities.

ESB-2021.1116 – GitLab: Multiple vulnerabilities
GitLab released new versions of GitLab CE and EE to address multiple vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 26th March 2021

Greetings,

This week we released the results from our joint 2020 AUSCERT and BDO in Australia Cyber Security Survey. Thank you to all those who helped us with this endeavour! For the fifth year in a row, we surveyed member organisations across Australia and New Zealand, allowing us to clearly unpack the COVID-19 pandemic’s impacts on cyber security, detailing significant shifts in the way organisations are impacted by, and responding to, evolving cyber threats. “Adaptation is key to winning the battle.” Download a copy of the report here.

Also this week, the AUSCERT team conducted yet another analysis on the evolving MS Exchange ProxyLogon vulnerabilities based on the latest report from the Shadowserver team – this report (article) has been highlighted below. Those of you who’d been affected would have been contacted on Wednesday. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

Members, a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AUSCERT membership perks which allows you to attend our annual conference for free or as a partially subsidised delegate – please utilise the token(s) by 18 April. Conference registrations can be done via our website here.

Also a reminder that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. Applications for this grant scheme are due on Tuesday 30th March. To find out more about our sponsorship options, please visit our conference website here.

Until next week, have a good weekend everyone.
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Date: 2021-03-18 Author: NCC Group Research
On Thursday (Friday, Australian time) cybersecurity firm NCC Group said that it detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

Shadowserver Special Report – Exchange Scanning #5
Date: 2021-03-24 Author: The Shadowserver Foundation
Over the past 12 days we have published 5 one-off Special Reports that provided information about the recently patched zero-day vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). This latest Special Report represents our most comprehensive effort yet to enumerate as many vulnerable and compromised Microsoft Exchange Servers as possible. Much of the detection of potentially vulnerable Microsoft Exchange servers performed to date has been based on internet-wide scanning of all ~4 billion IPv4 addresses (IPv4 /0 scanning), which is effective at identifying Exchange/OWA environments which are configured to use the default IP address. However, this kind of mass scanning will not always identify potentially vulnerable Microsoft Exchange servers, since they can also be configured to use web server virtual hosting on fully qualified domain names (FQDNs), rather than simply binding to the default web site instance or a server’s main IP address. In such cases, it is possible that virtual host-based Microsoft Exchange Server instances may be missed during IPv4 /0 scans.

Cisco addresses critical bug in Windows, macOS Jabber clients
Date: 2021-03-24 Author: Bleeping Computer
Cisco has addressed a critical arbitrary program execution vulnerability impacting several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS. Cisco Jabber is a web conferencing and instant messaging app that allows users to send messages via the Extensible Messaging and Presence Protocol (XMPP). The vulnerability was reported by Olav Sortland Thoresen of Watchcom. Cisco’s Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild. Additionally, the vulnerability does not affect Cisco Jabber client software configured for Team Messaging or Phone-only modes.

University of Queensland uplifts its vulnerability management
Date: 2021-03-23 Author: iTnews
The University of Queensland has upgraded its vulnerability management tooling as part of an ongoing security improvements program. The university said it had selected cloud-based Tenable.io “to see, predict and act to reduce cyber risk across its domestic campuses.” Tenable.io is used to scan the university’s “complex environment made up of tens of thousands of personal devices, vendor partnerships and connections to remote teams and other institutions,” information technology services deputy director Dr David Stockdale said in a statement.

Australian firms to spend $4.9b on infosec, risk management in 2021
Date: 2021-03-23 Author: iTWire
Organisations in Australia are forecast to spend more than $4.9 billion on enterprise information security and risk management products and services in 2021, an increase of 8% year-on-year, the technology analyst firm Gartner says. The forecast was made during the online Gartner Security & Risk Management Summit APAC, which is being held this week. Senior research director Richard Addiscott said the focus on security and risk was due to major attacks like the SolarWinds supply chain incident, proposed legislation such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020, and regulatory obligations. “Many of the conversations we’re having with government and private sector clients in Australia revolve around the Essential Eight, varying state government cyber security frameworks, and regulatory instruments such as APRA’s Prudential Standard CPS 234,” said Addiscott.

ESB-2021.1010 – ALERT Cisco Jabber: Multiple vulnerabilities
Multiple vulnerabilities in Cisco Jabber could allow arbitrary code execution.

ESB-2021.1003 – Firefox: Multiple vulnerabilities
Mozilla has released Firefox 87, fixing multiple vulnerabilities including remote code execution.

ESB-2021.1043 – McAfee Data Loss Prevention (DLP) Endpoint for Windows: Increased privileges – Existing account
McAfee has released an update to address a privilege escalation vulnerability in DLP Endpoint for Windows.

ESB-2021.1056 – OpenSSL: Multiple vulnerabilities
OpenSSL 1.1.1 releases up to and including 1.1.1j are affected by multiple vulnerabilities, fixed in 1.1.1k.

ESB-2021.1012 – sudo: Root compromise – Existing account
An update that addresses one vulnerability in sudo is now available for SUSE products.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
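The Shadowserver report summarised in this issue makes a point that is worth seeing in code: an IPv4-wide sweep sends its probe with the bare IP address in the Host header, so a web application bound to a name-based virtual host answers with the default site and is never fingerprinted. The block below is an added example, not code from Shadowserver or AUSCERT. It stands up a constructed local HTTP server with one virtual host (the hypothetical FQDN mail.example.test) and probes it twice: once the way an IP-range scanner would, and once with the FQDN in the Host header. The OWA logon path, the response bodies and the server itself are all constructed for the demonstration; the same Host-header discipline applies to any name-based virtual host, not only Exchange.

```python
"""Added example: why IP-range scanning misses virtual-host-bound web apps.

Constructed local server plus two probes; not Shadowserver's or AUSCERT's tooling.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table. Only the hypothetical name mail.example.test serves
# an OWA-style logon page; any other Host value (including a bare IP address)
# falls through to a bland default site, which is what a /0 sweep would see.
VHOSTS = {
    "mail.example.test": {
        "/owa/auth/logon.aspx": (200, b"<title>Outlook</title>"),
    },
}
DEFAULT_SITE = {"/": (200, b"IIS Windows Server")}


class VHostHandler(BaseHTTPRequestHandler):
    """Name-based virtual hosting keyed on the Host request header."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        site = VHOSTS.get(host, DEFAULT_SITE)
        status, body = site.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind the constructed server to an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, path, host_header):
    """Single GET to ip:port with an explicit Host header -> (status, body)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def owa_present(ip, port, host_header):
    """Fingerprint: HTTP 200 on the OWA logon path with an Outlook title."""
    status, body = probe(ip, port, "/owa/auth/logon.aspx", host_header)
    return status == 200 and b"Outlook" in body


def compare_scans(ip, port, fqdn):
    """(found by IP-only scan, found by FQDN-aware scan) for one target."""
    by_ip = owa_present(ip, port, ip)      # what an IPv4 /0 sweep sends
    by_name = owa_present(ip, port, fqdn)  # what a vhost-aware check sends
    return by_ip, by_name


if __name__ == "__main__":
    server = start_server()
    ip, port = server.server_address
    print(compare_scans(ip, port, "mail.example.test"))  # (False, True)
    server.shutdown()
```

To apply this to your own estate, drive the check from the FQDNs in your DNS and certificate inventory rather than from address ranges, and send each name both in the Host header and (for HTTPS) as the TLS SNI value, since a name-based site will not answer to the bare address on either layer.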

AUSCERT Week in Review for 19th March 2021

Greetings,

Another big one for the AUSCERT team, with several items we’d like to highlight from this week. We kicked things off on Monday by releasing our Year in Review 2020 piece. Members, we hope you find our review useful and we thank you for your continued support!

Last week we highlighted the “HAFNIUM special report” courtesy of the team from Shadowserver. Since then, the AUSCERT team has conducted a number of analyses based on this information and several follow-up reports from the Shadowserver team. Those of you who’d been affected by the ProxyLogon vulnerabilities would have been contacted throughout this week. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

In conjunction with the above, our team also released a blog article and a workflow diagram titled “Patching for HAFNIUM is just half of the story” – the link to the blog is highlighted below. We strongly recommend reading this piece: it was created by our analyst team and should help Microsoft Exchange server caretakers see where they sit within this task flow and within their organisation’s incident response plan.

Last but not least, another exciting update with respect to AUSCERT2021: we’ve updated our Program page to include all of our tutorials and hands-on workshop offerings. Members, please note that all nominated Primary and Organisation contact person(s) would have received a reminder email this week pertaining to your member token(s), part of your AUSCERT membership perks – please utilise this by 18 April. Also a reminder that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. To find out more, please visit our conference website here.

Until next week, have a good weekend everyone.
Patching for HAFNIUM is just half of the story
Date: 2021-03-16 Author: AUSCERT
On the 3rd of March (U.S. time), a posting by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) didn’t mince its words and issued an Emergency Directive requiring a thorough check of any Microsoft Exchange servers under your control. It served as a guide for “agencies that have the expertise” to “forensically triage artefacts”. Since then a number of tools have been made available to help with identifying, checking, mitigating, patching, and cleaning your servers and systems. The key take-away here is that there has been (and this continues to grow) a huge amount of effort in making sure that caretakers go beyond the simple act of patching.

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
Date: 2021-03-16 Author: Microsoft Security Response Center
Microsoft has provided the latest information for IT pros and incident response teams, with updated tools and investigation guidance to help organizations identify, remediate and defend against attacks associated with the recent Exchange Server vulnerabilities.

Melbourne’s Eastern Health hit by suspected cyber attack
Date: 2021-03-18 Author: iTnews
One of Melbourne’s largest metropolitan public health services has postponed some elective surgery procedures after experiencing a “cyber incident”. The incident, which took place late on Tuesday, has forced Eastern Health to pull a number of its IT systems offline as a precaution. Eastern Health operates the Box Hill, Maroondah, Healesville and Angliss hospitals, as well as a number of health services, including Yarra Ranges Health and Wantirna Health.

Microsoft releases one-click Exchange On-Premises Mitigation Tool
Date: 2021-03-15 Author: Bleeping Computer
Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily mitigate the recently disclosed ProxyLogon vulnerabilities. This month, Microsoft disclosed that four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers, and more recently, the DearCry ransomware on exploited servers. Today, Microsoft released the EOMT one-click PowerShell script so that small business owners who do not have dedicated IT or security teams can get further help securing their Microsoft Exchange servers.

IC3 Releases 2020 Internet Crime Report
Date: 2021-03-17 Author: FBI (Federal Bureau of Investigation)
The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime, an increase of more than 300,000 complaints from 2019, and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports. The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

Survey: Australia, NZ organisations now realise their security overconfidence
Date: 2021-03-16 Author: CSO Online
It took a global pandemic, but enterprises and government agencies in Australia and New Zealand are now rethinking their approach to cybersecurity, taking it seriously for the first time in a while. That’s the conclusion of a survey of about 435 people in Australia and about 40 in New Zealand by the Australian arm of the global business services firm BDO and Australia’s AUSCERT cybersecurity rapid response team. Fewer organisations (55%) now feel confident in managing cyber incidents, down from 62% just a year earlier, the survey found.

New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
Date: 2021-03-14 Author: Bleeping Computer
A security researcher has released a new proof-of-concept exploit this weekend that requires only slight modification to install web shells on Microsoft Exchange servers vulnerable to the actively exploited ProxyLogon vulnerabilities.

Security flaws in Microsoft email software raise questions over Australia’s cybersecurity approach
Date: 2021-03-12 Author: The Conversation
On March 2, 2021, Microsoft published information about four critical vulnerabilities in its widely used Exchange email server software that are being actively exploited. It also released security updates for all versions of Exchange back to 2010. Microsoft has told cybersecurity expert Brian Krebs it was notified of the vulnerabilities in “early January”. The Australian Cyber Security Centre has also issued a notice on the vulnerabilities. The situation has been widely reported in the general media as well as specialist cybersecurity sites, but often inaccurately. But the situation also highlights a contradiction in government cybersecurity policy – there is a basic conflict between building offensive cybersecurity capabilities and protecting our own businesses and citizens.
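Both AUSCERT’s “half of the story” piece and Microsoft’s responder guidance in this issue stress looking for post-exploitation evidence rather than stopping at the patch. As an added example, not Microsoft’s Test-ProxyLogon script and not AUSCERT’s tooling, the block below ports one of Microsoft’s published HAFNIUM log checks for CVE-2021-26855 to Python: requests recorded in the Exchange HttpProxy logs with an empty AuthenticatedUser whose AnchorMailbox begins with “ServerInfo~” and contains a “/”, i.e. an unauthenticated caller that chose the back-end target itself. The log excerpt is constructed to resemble the shape of an HttpProxy log (comment header lines, then CSV) with a reduced column set; the request IDs, client addresses and the hostname exch01.corp.example are made up.

```python
"""Added example: Python port of Microsoft's HttpProxy-log check for
CVE-2021-26855 (ProxyLogon SSRF), run over a constructed log excerpt.
Not Microsoft's Test-ProxyLogon.ps1 and not AUSCERT's tooling."""
import csv
import glob
import os

# Constructed sample in the shape of an Exchange HttpProxy log: '#'-prefixed
# header lines, a CSV header row, then one request per row. Real logs carry
# many more columns; only the ones this check uses are kept. Values are made up.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2176.002
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem,UserAgent
DateTime,RequestId,ClientIpAddress,AuthenticatedUser,AnchorMailbox,UrlStem,UserAgent
2021-03-03T01:00:01.000Z,r1,203.0.113.10,,ServerInfo~a]@exch01.corp.example:444/ecp/DDI/DDIService.svc/GetObject,/ecp/y.js,python-requests/2.25.1
2021-03-03T01:00:02.000Z,r2,198.51.100.7,CORP\\alice,Sid~S-1-5-21-1-2-3-1104,/owa/,Mozilla/5.0
2021-03-03T01:00:03.000Z,r3,203.0.113.10,,ServerInfo~a]@exch01.corp.example:444/autodiscover/autodiscover.xml,/owa/auth/x.js,python-requests/2.25.1
2021-03-03T01:00:04.000Z,r4,192.0.2.5,CORP\\bob,ServerInfo~exch01.corp.example/mapi/emsmdb,/mapi/emsmdb/,Outlook
"""


def parse_httpproxy_log(text):
    """Rows as dicts. Skips the '#' comment header; if a log carries only a
    '#Fields:' line and no plain CSV header row, those names are used."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue
        rows.append(line)
    if rows and fields and rows[0].split(",") != fields:
        return list(csv.DictReader(rows, fieldnames=fields))
    return list(csv.DictReader(rows))


def is_proxylogon_ssrf_candidate(row):
    """Microsoft's HttpProxy check: AuthenticatedUser empty and
    AnchorMailbox like 'ServerInfo~*/*' (caller-supplied back-end target)."""
    anchor = (row.get("AnchorMailbox") or "").strip()
    user = (row.get("AuthenticatedUser") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def hunt_text(text):
    """Flagged rows from the contents of one log file."""
    return [r for r in parse_httpproxy_log(text) if is_proxylogon_ssrf_candidate(r)]


def hunt_directory(logging_dir):
    """Run the check over every *.log below an Exchange HttpProxy logging
    directory (by default under ...\\Exchange Server\\V15\\Logging\\HttpProxy)."""
    hits = []
    pattern = os.path.join(logging_dir, "**", "*.log")
    for path in glob.glob(pattern, recursive=True):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for r in hunt_text(fh.read()):
                r["_file"] = path
                hits.append(r)
    return hits


def summarise_by_source(hits):
    """Group flagged AnchorMailbox values by client IP for triage."""
    by_ip = {}
    for r in hits:
        by_ip.setdefault(r.get("ClientIpAddress", "?"), []).append(r["AnchorMailbox"])
    return by_ip


if __name__ == "__main__":
    found = hunt_text(SAMPLE_LOG)
    for ip, anchors in summarise_by_source(found).items():
        print(ip, len(anchors), "suspicious request(s)")
        for a in anchors:
            print("   ", a)
```

A hit only shows that an unauthenticated request carrying a caller-chosen anchor reached the front end; it does not tell you whether the back-end call succeeded or what was written afterwards, so treat it as the trigger for the rest of the investigation (OAB, Unified Messaging and ECP log indicators, web shell hunting) rather than the whole of it, and on a live server prefer Microsoft’s maintained Test-ProxyLogon.ps1 from its CSS-Exchange repository over a one-off port like this one.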
ASB-2021.0048.5 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft’s out-of-band critical updates address a number of Microsoft Exchange Server remote code execution vulnerabilities.

ESB-2021.0872.2 – UPDATED ALERT BIG-IP Products: Multiple vulnerabilities
F5 Networks identifies more BIG-IP products impacted by the Advanced WAF/ASM buffer-overflow vulnerability.

ESB-2021.0906 – ALERT Google Chrome: Multiple vulnerabilities
Google’s update for Google Chrome fixes multiple vulnerabilities.

ESB-2021.0943 – shadow: Multiple vulnerabilities
Several vulnerabilities were discovered in the shadow suite of login tools.

ESB-2021.0950 – Cisco Products: Multiple vulnerabilities
Cisco has released software updates that address multiple vulnerabilities in Cisco RV132W VPN Routers.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 12th March 2021

Greetings,

What a week it has been for the folks in our sector! With admins already struggling with Microsoft Exchange updates and hacked servers, along comes Microsoft’s March 2021 Patch Tuesday – and not to forget, celebrating and honouring the many women in our lives for International Women’s Day.

We wanted to start by highlighting a “HAFNIUM special report” courtesy of the team from Shadowserver. Members, please note that the AUSCERT team has conducted an analysis based on this information and those of you who’d been affected would have been contacted by our analyst team. Please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AUSCERT member portal.

We kicked things off this week by releasing this piece on “The heroes of AUSCERT2020 … the women in security who made it happen”, which was first featured in Edition 1 of the Women in Security magazine by Source2Create.

Be sure to catch up on our summary of critical vulnerabilities and advice on SEVERAL issues this week, all highlighted below: F5 BIG-IP, Microsoft and Adobe Creative Cloud.

Last but not least, our team’s elated to announce that AUSCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. To find out more, please visit our conference website here.

Until next week, have a good and restful weekend everyone.

March 2021 Patch Tuesday: Microsoft fixes yet another actively exploited IE zero-day
Date: 2021-03-09 Author: Help Net Security
[With admins already struggling with Microsoft Exchange updates and hacked servers – along comes Microsoft’s March 2021 Patch Tuesday, and releases from Adobe and Apple too! Please refer to the multiple AUSCERT security bulletin alerts in-line below.]
Microsoft has fixed 89 CVEs. Among those are the seven Microsoft Exchange flaws fixed last week, one Internet Explorer memory corruption flaw that’s being exploited in the wild, and one Windows Win32k EoP flaw that is publicly known. [See related AUSCERT bulletins ASB-2021.0050, 0051, 0053, 0054 and 0056, which we marked as “alerts”. CVE-2021-26411 and CVE-2021-26897 are considered critical by Microsoft and are covered in these bulletins. We also published other MS bulletins, ASB-2021.0055 and 0057, which are not alerts.] Adobe has delivered security updates for Connect, Creative Cloud Desktop Application, and Framemaker […] [See ESB-2021.0860. These are ranked by Adobe as critical, but aren’t as urgent as some of Microsoft’s.] Apple has pushed out security updates to fix a critical RCE flaw in WebKit. [See ESB-2021.0821, 0825, 0826 and 0827.]

HAFNIUM targeting Exchange Servers with 0-day exploits
Date: 2021-03-02 Author: Microsoft Security Blog
[Please see AUSCERT bulletin ASB-2021.0048.3 for further information. See also https://github.com/microsoft/CSS-Exchange/tree/main/Security for information on some security scripts that automate all four of the commands listed on the blog below.]
“Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, we are sharing the following resources.”

F5 urges customers to patch critical BIG-IP pre-auth RCE bug
Date: 2021-03-10 Author: Bleeping Computer
[See related AUSCERT bulletin ESB-2021.0872.]
F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions. F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that “48 of the Fortune 50 rely on F5.” The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (CVE-2021-22986) which allows unauthenticated remote attackers to execute arbitrary commands on vulnerable BIG-IP devices:
– CVE-2021-22986: iControl REST unauthenticated RCE
– CVE-2021-22987: Appliance Mode TMUI authenticated RCE
– CVE-2021-22991: TMM buffer overflow
– CVE-2021-22992: Advanced WAF/ASM buffer overflow

Adobe Critical Code-Execution Flaws Plague Windows Users
Date: 2021-03-09 Author: Threatpost
[See related AUSCERT bulletin ESB-2021.0860 for further information.]
Adobe has issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems. While these vulnerabilities are classified as critical-severity flaws, it’s important to note that they were given “priority 3” ratings by Adobe. This means that the update “resolves vulnerabilities in a product that has historically not been a target for attackers,” and that administrators are urged to “install the update at their discretion.”

Peter Dutton launches Cyber Security Industry Advisory Committee Ransomware Paper
Date: 2021-03-11 Author: iTWire
The Federal Minister for Home Affairs, Peter Dutton, and his office say that “ransomware continues to be a prevalent global threat, and cyber criminals pose a significant risk to Australians and Australian businesses.” To build awareness about the ransomware threat, the Minister for Home Affairs, Peter Dutton, and Chair of the Cyber Security Industry Advisory Committee, Telstra CEO Andrew Penn, have released the Committee’s first paper: “Locked out: Tackling the ransomware threat.”

ASB-2021.0048.4 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft has released a major revision of the CVEs addressing the Exchange Server vulnerabilities.

ESB-2021.0870 – ALERT F5 Products: Multiple vulnerabilities
F5 has released updates for critical vulnerabilities in BIG-IP components. F5 recommends that all customers install a fixed software version as soon as possible.

ESB-2021.0860 – Creative Cloud Desktop Application: Multiple vulnerabilities
Adobe has released patches for the widely-used Creative Cloud Desktop Application for Windows, resolving multiple critical vulnerabilities.

ASB-2021.0051 – ALERT Windows: Multiple vulnerabilities
Microsoft released its monthly security patch update for March 2021, which resolves 59 vulnerabilities in Windows.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 5th March 2021

Greetings,

This week we would like to congratulate the team from Source2Create on the launch of the 1st edition of the Women In Security magazine. Our team were lucky to have been given the opportunity to spread the word about our upcoming AUSCERT2021 conference, as well as to publish an article covering the work of the various women in security involved in making AUSCERT2020 a success last year! In honour of International Women’s Day, we will be sharing this piece on our social media channels next Monday 8th March. If you haven’t already, please do subscribe to the Women In Security magazine here.

Members, please look out for an email which would have landed in your inbox earlier this week detailing your member token details – part of your AUSCERT membership perks. These tokens can be applied against both modes of registration: In-Person OR Remote (Virtual). Should you have any further queries regarding these tokens, please feel free to reach out to our membership team.

Be sure to catch up on our summary of the critical vulnerabilities and advice on Microsoft Exchange this week. The relevant details can be found below.

Last but not least, thank you to those who supported our partnership with the team from Tessian. The Human Layer Security Summit was a successful virtual event and, for those of you who missed the live event, you’ll be able to catch up on all of its content on-demand.

To our friends and colleagues in Sydney, Happy Mardi Gras weekend and stay safe. Until next week, have a good weekend.

Google patches actively exploited Chrome browser zero-day vulnerability
Date: 2021-03-03 Author: ZDNet
[Additional resource available here: Google Project Zero’s tracking sheet, https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=sharing.]
Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild. The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.

Microsoft issues emergency patches for 4 exploited 0-days in Exchange
Date: 2021-03-03 Author: Ars Technica
[Please refer to the following AUSCERT security bulletin: ASB-2021.0048.]
Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server. The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

Universal Health Services lost $67 million due to Ryuk ransomware attack
Date: 2021-03-01 Author: Bleeping Computer
[Additional reading: an English version of the CERT-FR Ryuk ransomware report is now available via https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-006/]
Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million. UHS, a Fortune 500 hospital and healthcare services provider, has over 90,000 employees who provide services to roughly 3.5 million patients each year in more than 400 US and UK healthcare facilities. UHS said last week that the Ryuk ransomware attack “had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020.” “The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” UHS added.

Australia’s new ‘hacking’ powers considered too wide-ranging and coercive by OAIC
Date: 2021-03-02 Author: ZDNet
The Office of the Australian Information Commissioner (OAIC) has labelled the powers given to two law enforcement bodies within three new computer warrants as “wide-ranging and coercive in nature”. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime. The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.

ESB-2021.0803 – ALERT Google Chrome: Multiple vulnerabilities
Google reports that an exploit for CVE-2021-21166 exists in the wild.

ASB-2021.0048.3 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated
There are reports that these zero-day RCE vulnerabilities are being exploited in the wild.

ESB-2021.0780 – Cisco Network Services Orchestrator (NSO): Access confidential data – Remote/unauthenticated
Cisco released a raft of advisories and updates this week, including this one.

ESB-2021.0748 – grub2: Multiple vulnerabilities
These grub2 issues affect many Linux and Unix-like systems.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 26th February 2021

Greetings,

This week we are very excited to announce a number of updates with respect to AUSCERT2021. For the first time ever, the annual AUSCERT conference will be delivered in a hybrid format. Registrations are now open, and we’d like to highlight several sections of the conference website which might be of interest: a list of our selected Speakers, our up-to-date Program details, details on our conference costs, details regarding our venue & accommodation and, last but not least, a list of frequently asked questions. To our AUSCERT members, look out for a separate email landing in your inbox next week detailing your member token privilege(s) – part of your AUSCERT membership perks for the conference this year.

Be sure to catch up on our summary of critical vulnerabilities and patches affecting VMware and Cisco. The list of relevant bulletins and further details can be found below.

And last but not least, AUSCERT is proud to be an official partner of the 4th Human Layer Security Summit hosted by the team from Tessian. This is a virtual event and, by signing up to participate as a delegate, you’ll be able to catch up on all of its content on-demand.

Until next week, have a good weekend everyone.

More than 6,700 VMware servers exposed online and vulnerable to major new bug
Date: 2021-02-24 Author: ZDNet
[Please refer to the following AUSCERT security bulletin: ESB-2021.0677.]
More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies’ entire networks. Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets. The scans started earlier today after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972. This vulnerability impacts vSphere Client (HTML5), a plugin of VMware vCenter, a type of server usually deployed inside large enterprise networks as a centralized management utility through which IT personnel manage VMware products installed on local workstations.

Qantas urges govt to chip in for cyber incident interventions
Date: 2021-02-22 Author: iTnews
Qantas has joined other sectors in asking the government to at least partially cover the cost of complying with proposed laws aimed at better defending the country’s critical infrastructure networks and systems from cyber attacks. In its submission to the parliamentary joint committee on intelligence and security review of the Security Legislation Amendment (Critical Infrastructure) Bill, the airline said funding was necessary to support the bill’s objectives.

Airplane maker Bombardier data posted on ransomware leak site following FTA hack
Date: 2021-02-23 Author: ZDNet
Canadian airplane manufacturer Bombardier has disclosed today a security breach after some of its data was published on a dark web portal operated by the Clop ransomware gang. “An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network,” the company said in a press release today. While the company did not specifically name the appliance, they are most likely referring to Accellion FTA, a web server that can be used by companies to host and share large files that can’t be sent via email to customers and employees.

Ransomware gangs are running riot – paying them off doesn’t help
Date: 2021-02-17 Author: The Conversation
In the past five years, ransomware attacks have evolved from rare misfortunes into common and disruptive threats. Hijacking the IT systems of organisations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies – and they’re enjoying a remarkably low risk of arrest as they do it. At the moment, there is no coordinated response to ransomware attacks, despite their ever-increasing prevalence and severity. Instead, states’ intelligence services respond to cybercriminals on an ad-hoc basis, while cyber-insurance firms recommend their clients simply pay off the criminal gangs that extort them. Neither of these strategies is sustainable. Instead, organisations need to redouble their cybersecurity efforts to stymie the flow of cash from blackmailed businesses to cybercriminal gangs. Failure to act means that cybercriminals will continue investing their growing loot in ransomware technologies, keeping them one step ahead of our protective capabilities.

Cyber Security Pilot to Bolster Small to Medium Business Against Hack Attacks
Date: 2021-02-23 Author: Cyber Security Cooperative Research Centre (CSCRC)
In an Australian first, the Cyber Security Cooperative Research Centre (CSCRC) will lead a ‘hands on’ pilot project focused on uplifting cyber security across Australia’s small to medium business (SME) sector. The pilot, which was launched in Adelaide yesterday, will involve six South Australian SMEs across a broad range of critical sectors, from medical services to satellite technologies, measuring their baseline cyber security and providing practical, cost-effective uplift solutions over six months. A collaboration between the CSCRC, CyberCX, CSIRO’s Data61 and the Australian Cyber Security Centre (ACSC), and supported by the Government of South Australia, the pilot will provide a blueprint for SME cyber uplift that can be rolled out across the nation. The CSCRC is part of the Federal Government’s Cooperative Research Centres program, administered by the Department of Industry, Science, Energy and Resources.

ESB-2021.0677 – ALERT VMware Products: Multiple vulnerabilities
Remote code execution issue with multiple proof-of-concept exploits available.

ESB-2021.0705 – ALERT Cisco NX-OS: Multiple vulnerabilities
Multiple remotely exploitable vulnerabilities have been patched.

ESB-2021.0698 – Cisco ACI Multi-Site Orchestrator (MSO): Multiple vulnerabilities
Critical Cisco authentication bypass vulnerability.

ESB-2021.0675 – Mozilla Firefox and Firefox ESR: Multiple vulnerabilities
Mozilla updates are available.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 19th February 2021

Greetings,

This week we hosted our very first event for the year! We hosted a joint webinar session which took place yesterday (Thursday 18th February) with the folks from Digital Shadows. The topic of this webinar was “Automation when you can’t automate – the human process journey”; a copy of the recording can be viewed here.

We are also pleased to announce that our AUSCERT2021 Call for Speakers panel managed to review and score all of the submissions for this year. Congratulations to all speakers whose submissions were accepted and thank you to everyone else who submitted. As always, we were lucky to receive an overwhelming number of submissions and the decision-making process wasn’t easy. A big shout-out to our panel, which comprised AUSCERT internal staff and colleagues from a range of external organisations and roles who assisted us along the process. We couldn’t have done it without you! We look forward to sharing the details regarding our speakers and program in the coming days. To stay up to date on our conference details, please visit our website.

Last but not least, a reminder to all members that you can join us at the AUSCERT – Members Slack space by logging in with your member portal credentials. The space is a safe and quick way to stay engaged with the AUSCERT team. If you’re having any issues with the process, drop us a line and we’ll be able to assist. What is Slack? Find out more about it here.

Until next week, have a good weekend everyone.

Malvertiser abused WebKit zero-day to redirect iOS & macOS users to shady sites
Date: 2021-02-16
Author: ZDNet
A cybercrime group specialized in showing malicious ads has abused an unpatched zero-day vulnerability in WebKit-based browsers to break security restrictions and redirect users from legitimate portals to shady sites hosting online gift card scams. The attacks were first spotted in June 2020 and are still active today; however, patches for the WebKit zero-day were released at the start of the month.

2021 EDUCAUSE Horizon Report: Information Security Edition
Date: 2021-02-16
Author: EDUCAUSE
[EDUCAUSE is a nonprofit higher education technology association that helps higher education elevate the impact of IT. They are based in the USA.]
This report profiles important trends and key technologies and practices shaping the future of information security, and envisions a number of scenarios and implications for that future. It is based on the perspectives and expertise of a global panel of leaders from across the higher education landscape.

How Australian cyber experts got comms back up in PNG tribal war
Date: 2021-02-16
Author: Australian Financial Review
A Canberra-based cyber-security firm has helped a multi-organisation operation get critical communications back up for a hospital in Papua New Guinea in the midst of an outbreak of tribal fighting. Local media reported at least 19 people were killed during the tribal violence outbreak in the country’s Hela province, many more injured and around 6000 people, mainly women and children, fleeing into the surrounding forests due to the violence. Robert Potter, security adviser and chief executive at Canberra-based cyber defence consultancy Internet 2.0, said the firm was invited to help with the relief effort, co-ordinated by the Papua New Guinea Police and security firm Black Swan, along with the United Nations and Internet 2.0’s partner on the ground, Astrolab PNG.

Microsoft will alert Office 365 admins of Forms phishing attempts
Date: 2021-02-15
Author: Bleeping Computer
Microsoft is adding new security warnings to the Security and Compliance Center default alert policies to inform IT admins of detected phishing attempts abusing Microsoft Forms in their tenants.

This cybersecurity threat costs business millions. And it’s the one they often forget about
Date: 2021-02-16
Author: ZDNet
While ransomware is the cyberattack most feared by businesses, another form of cybercrime is slipping under the radar, one that is proving highly lucrative for internet fraudsters – and costly to business. A business email compromise (BEC) attack sees cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the crooks.

ESB-2021.0542 – SUSE Manager Client Tools: Multiple vulnerabilities
SUSE Security Update fixes four vulnerabilities in SUSE Manager Client Tools.

ESB-2021.0555 – McAfee Endpoint Security: Multiple vulnerabilities
The update for McAfee Endpoint Security for Windows fixes five vulnerabilities.

ESB-2021.0581 – Google Chrome: Multiple vulnerabilities
The Stable channel update for Windows, Mac and Linux fixes multiple vulnerabilities.

ESB-2021.0602 – Cisco Webex Meetings Desktop App & Webex Productivity Tools: Access confidential data – Existing account
Cisco has released software updates that address a vulnerability in Cisco Webex Meetings Desktop App and Webex Productivity Tools for Windows.

ESB-2021.0609 – McAfee Web Gateway: Root compromise – Existing account
Security updates fix sudo vulnerability in the Linux-based appliances and virtual machines.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
