Week in review

AUSCERT Week in Review for 24th July 2020

24 Jul 2020

Greetings,

A slightly less hectic one this week. A quick reminder to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Thank you also to those members who attended our Malicious URL Feed webinar which took place on Wednesday 22 July; we trust that you benefitted from the session. The good news is, we will be hosting a couple more of these sessions on different topics:

* 5th August – Security Bulletins (register HERE)
* 19th August – Phishing Takedowns (registration details TBC)

And last but not least, in case you haven’t stumbled across this already, the Australian Government Department of Home Affairs has released its report on Australia’s 2020 Cyber Security Strategy. AUSCERT is very proud to have been involved in the consultation process through our parent organisation, The University of Queensland, late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences, structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT. “Cyber security has never been more important” – we hope you find this report useful.

Until next week, have a great weekend everyone!

New ‘Shadow Attack’ can replace content in digitally signed PDF files
Date: 2020-07-23
Author: ZDNet
[The researchers disclosed this in early March, Adobe released a patch in mid-May which we published as ESB-2020.1693, and the researchers have gone public this week with information and proofs of concept. This raises the public profile of the vulnerability and increases the chance that it will be exploited; patch your PDF viewer applications!]
Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany. Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack.

20,000+ new vulnerability reports predicted for 2020, shattering previous records
Date: 2020-07-22
Author: Help Net Security
Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals.

Why the internet went haywire last week
Date: 2020-07-20
Author: ZDNET
It was another end of the work week; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions of users found their internet services failing.

ESB-2020.2480 – [Win][Mac] Photoshop: Multiple vulnerabilities
Adobe’s patch day included arbitrary code execution upon opening a crafted file.

ESB-2020.2460 – [Win][UNIX/Linux] Python: Execute arbitrary code/commands – Remote with user interaction
Insecure linked library loading in the pliable language led to potential privilege escalation.

ESB-2020.2260.7 – UPDATED ALERT [Appliance] F5 Networks: Multiple vulnerabilities
F5’s fix for a critical unauthenticated RCE in their Traffic Manager User Interface has received a lot more information this week, including a warning that the Viprion B2250 Blade may have problems with the provided patch.

ESB-2020.2464 – [Win][UNIX/Linux] Moodle: Multiple vulnerabilities
Moodle released three advisories marked “serious” and one marked “minor”, including teachers for a course being able to assign themselves as a manager of that course and increase their own privileges.

ESB-2020.2541 – [Linux] QRadar Advisor: Access confidential data – Console/Physical
Just for a change of pace, here’s a simple one: IBM accidentally didn’t obscure the password field in a login form, so someone could read it over your shoulder. CVE-2020-4408.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 17th July 2020

17 Jul 2020

Greetings,

Have we been busy! This week has been another tough one for networking vendors. SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles and bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP.

And last but not least, an AUSCERT membership email would have landed in your inbox this week containing some important updates for July 2020:

* An invitation to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback; thank you in advance for your time and support!
* An update regarding our Quarter 2: an overview of the cyber security incidents reported by members from 1 April – 30 June 2020, including a summary of other key achievements this quarter.
* An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July.

Until next week, wishing everyone a restful weekend.

Critical SAP Recon flaw exposes thousands of systems to attacks
Date: 2020-07-13
Author: Bleeping Computer
[Refer to AUSCERT bulletin ESB-2020.2381]
SAP patched a critical vulnerability affecting over 40,000 systems and found in the SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments. The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team.

Microsoft urges patching severe-impact, wormable server vulnerability
Date: 2020-07-15
Author: Ars Technica
[Refer to AUSCERT bulletin ASB-2020.0120; member portal login required]
Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer. The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Cyber experts urge Australia to develop local capability to defend against hackers
Date: 2020-07-12
Author: Sydney Morning Herald
Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy. Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market.

Thousands of shop, bank, and government websites shut down by EV revocation
Date: 2020-07-13
Author: Netcraft
More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge. On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.

SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework
Date: 2020-07-13
Author: CISION PR Newswire
[SANS Institute will be speaking and are a sponsor at AUSCERT2020.]
A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture.

Outlook down? How to fix it
Date: 2020-07-15
Author: ZDNet
It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worst. For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service also launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities
A critical vulnerability in SAP NetWeaver AS Java has been identified; applying critical patches as soon as possible is recommended.

ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities
Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server.

ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities
Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch.

ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities
Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 10th July 2020

10 Jul 2020

Greetings,

This week saw us starting the week with a critical alert for members to urgently patch the multiple vulnerabilities found within F5’s BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation. This week we also learned about CVE-2020-2034, a critical vulnerability in Palo Alto’s PAN-OS, and CVE-2020-1654 affecting Juniper’s SRX Series devices. It’s been a tough week for networking vendors.

Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about and hopefully it comes in handy for you too.

Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service and will be part of a long-term service improvement project. We look forward to collating our member thoughts and feedback!

Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home.

Critical F5 BIG-IP vulnerability made public
Date: 2020-07-06
Author: ITNEWS
[See also AUSCERT bulletin ESB-2020.2260.5.]
Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public. Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices. The vulnerability rates as 10 out of 10 on the Common Vulnerability Scoring System, and lies in a lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices.

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
Date: 2020-07-07
Author: Threatpost
[Refer to AUSCERT bulletin ESB-2020.2310]
Admins should patch their Citrix ADC and Gateway installs immediately. Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.

Exploit developed for critical Palo Alto authentication flaw
Date: 2020-07-06
Author: The Daily Swig (Portswigger)
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks. The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale. Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods. “Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises. “They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”

Microsoft takes down domains used in COVID-19-related cybercrime
Date: 2020-07-07
Author: Bleeping Computer
Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic. The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to help harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks. The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.

$2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise
Date: 2020-07-06
Author: The Conversation
Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before. The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report. But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before.

Mozilla suspends Firefox Send service while it addresses malware abuse
Date: 2020-07-07
Author: ZDNet
Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism.

Windows 10’s Microsoft Store Codecs patches are confusing users
Date: 2020-07-05
Author: BleepingComputer
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library [known as the HEVC packages]. They stated that they affected both Windows 10 and Windows Server at the time. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store. Even more confusing, the advisories did not explain what Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update.

Microsoft Defender ATP web content filtering is now free
Date: 2020-07-06
Author: BleepingComputer
The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license. Web Content Filtering is part of Microsoft Defender ATP’s Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category. The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge).

ESB-2020.2310 – Citrix: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues.

ESB-2020.2260.5 – UPDATED ALERT F5 Networks: Multiple vulnerabilities
A new mitigation has been developed and published to address an RCE vulnerability in the TMUI.

ESB-2020.2339 – Citrix Hypervisor products: Multiple vulnerabilities
Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor.

ESB-2020.2309 – Android: Multiple vulnerabilities
Multiple security vulnerabilities have been identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues.

ESB-2020.2305 – firefox: Multiple vulnerabilities
An update has been released to address multiple vulnerabilities in Firefox.

ESB-2020.2297 – thunderbird: Multiple vulnerabilities
Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

ESB-2020.2296 – php7.0: Multiple vulnerabilities
Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 3rd July 2020

3 Jul 2020

Greetings,

This week we welcomed the announcement of a record $1.35 billion investment in cyber security by the Australian Government. Hopefully this funding package will mean more Australian organisations can identify the ever-present cyber threats and protect themselves against these challenges. As always, AUSCERT is supportive of both the ASD and ACSC in their vital work within this industry and hopes to leverage their expertise in our mission to help members prevent, detect, respond to and mitigate cyber-based attacks.

Following the discovery of the Palo Alto vulnerability, we wanted to take this opportunity to remind members to update us with all relevant domains and IP ranges – via our member portal – that you want to receive alerts for. In this particular instance, affected members were contacted directly with a tailored email and it would have been a shame to be left off this list.

And last but not least, a reminder that tutorial and workshop registrations for Virtual AUSCERT2020 are now open and priority access will be granted to all AUSCERT members. Spots are filling up fast so be sure to get in quick!

Until next week, wishing everyone a restful weekend, especially the parents amongst us who are in the midst of or about to start their school holiday breaks.

…

Inside the hacking attacks bombarding Australia
Date: 2020-06-29
Author: ABC News
Who are these people? Who is directing them? What are they after? And most important of all — how can they be stopped? Questions like these have been asked more urgently since Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”. Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers. It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom.

Microsoft releases urgent security updates for Windows 10 Codecs bugs
Date: 2020-07-30
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ASB-2020.0117, which is member-only content.]
Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. Both desktop and server platforms are affected. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory.

Beware “secure DNS” scam targeting website owners and bloggers
Date: 2020-06-29
Author: Naked Security
If you run a website or a blog, watch out for emails promising “DNSSEC upgrades” – these scammers are after your whole site.

The psychology of social engineering—the “soft” side of cybercrime
Date: 2020-07-30
Author: Microsoft Security Blog
Forty-eight percent of people will exchange their password for a piece of chocolate, 91 percent of cyberattacks begin with a simple phish, and two out of three people have experienced a tech support scam in the past 12 months. What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

Over 82,000 Aussies’ details leaked in crypto scam
Date: 2020-07-01
Author: ITNews
Personal details of tens of thousands of Australians who fell for a fraudulent cryptocurrency investment scheme that used fake media sites and celebrity endorsements have been leaked onto the web. Singaporean security vendor Group-IB discovered 248,926 sets of personally identifiable information, of which 82,263 records were from Australian users, leaked by an unknown party. Details leaked include names, email addresses and phone numbers.

ESB-2020.2239 – misp: Multiple vulnerabilities
A new version of MISP was released with a significant refactoring of the STIX import/export along with many improvements.

ESB-2020.2234 – chromium-browser: Multiple vulnerabilities
An important update for Chromium has been released that fixes a use-after-free bug in extensions.

ESB-2020.2208 – McAfee Enterprise Appliance: Multiple vulnerabilities
McAfee Security Bulletin – Enterprise Appliance updates address two vulnerabilities.

ESB-2020.2271 – Cisco Systems: Multiple Vulnerabilities
Cisco has released software updates that address a Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability.

Stay safe, stay patched and have a good weekend!
Vishaka

AUSCERT Week in Review for 26th June 2020

26 Jun 2020

Greetings,

This week we’ve observed an increase in business email compromise cases so we thought it was pertinent to share this updated blog post here. Our top 3 tips to combat this threat are listed below; please help us spread this message along to your colleagues:

* Educate users, particularly those that handle payments, about the nature of the attack
* Follow up email requests with a telephone call to verify their veracity
* Implement appropriate checking of financial transactions

Following on from the ACSC advisory issued on Friday last week, we would like to feature (and reiterate again) the following blog post containing practical tips on “How to use the YARA rules for the copy-paste compromises”. If you’ve received YARA rules, then this will help you use them. If not, we aren’t able to share them with you.

And last but not least, members, a reminder that with the effective establishment of Slack, our member IRC channel will be decommissioned from Wednesday 1st July, 2020. For those of you wanting to join us on Slack, please do so by logging in with your member portal credentials here.

We hope that everyone enjoys a safe and restful weekend.

NVIDIA patches high severity flaws in Windows, Linux drivers
Date: 2020-06-24
Author: Bleeping Computer
NVIDIA has released security updates to address security vulnerabilities found in GPU Display and CUDA drivers and Virtual GPU Manager software that could lead to code execution, denial of service, escalation of privileges, and information disclosure on both Windows and Linux machines. All the flaws patched today require local user access and cannot be exploited remotely, with attackers having to first get a foothold on the exposed machines to launch attacks designed to abuse these bugs. Once that is achieved, they could exploit them by remotely planting malicious code or tools targeting one of these issues on devices running vulnerable NVIDIA drivers.

Twitter is “very sorry” for a security breach that exposed private data of business accounts
Date: 2020-06-24
Author: The Tech Portal
Twitter is back in cybersecurity news, as the company reports yet another data breach via its platform. In an email sent to its business users, Twitter said that there is a “possible” data breach that may have exposed private information of these accounts. Business users are generally those accounts which advertise on the platform.

Australian security cameras hacked, streamed on a Russian-based website
Date: 2020-06-24
Author: ABC News
Australians are being filmed through private security cameras that are being streamed on a website based in Russia. Key points:
* The Insecam website broadcasts live streams of compromised web-connected security cameras and webcams
* The site allows people to control the cameras by zooming in and out and moving the camera around
* The group behind the website denied it hacked the cameras

Hackers use Google Analytics to steal credit cards, bypass CSP
Date: 2020-06-22
Author: Bleeping Computer
Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.

New taskforce to push cyber security standards
Date: 2020-06-22
Author: iTnews
A cross-sector taskforce of experts from the defence, energy, health and financial services sectors has been created to accelerate the adoption of industry cyber security standards across Australia. The taskforce, which held its first meeting on Monday, is the result of an “Australian-first” collaboration between the NSW government, AustCyber and Standards Australia. It follows earlier reports on Monday that the federal government is crafting minimum cyber security standards for businesses, including critical infrastructure, as part of its next cyber security strategy.

ESB-2020.2191 – telnet multiple vulnerabilities
A serious remote code execution vulnerability was found in Cisco IOS XE Software.

ESB-2020.2116.2 – Cisco Webex Meetings Desktop App multiple vulnerabilities
Another code execution vulnerability was patched in the Cisco Webex Meetings Desktop App.

ESB-2020.2206 – kernel multiple vulnerabilities
Multiple Nvidia code execution vulnerabilities patched on Ubuntu.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team

AUSCERT Week in Review for 19th June 2020

19 Jun 2020

Greetings,

Another busy week for everyone, no doubt. A couple of emails would have landed in your inbox this week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter aka The Feed. Be sure to catch up on these details and let us know if you have any further queries and such.

A few important advisories we wanted to highlight for this week:

* The ACSC has issued threat advice relating to the targeting of Australian governments and companies by a sophisticated state-based actor. We’ve provided further commentary on this via our blog HERE.
* Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack (known as Ripple20); see our AUSCERT bulletin below.
* Adobe has released out-of-band security updates to address 18 critical flaws; see the highlighted bulletins below.

And with that, we hope that everyone implements these latest patches and starts enforcing multi-factor authentication across all areas of your business. We hope everyone enjoys a safe and restful weekend, until our next Week in Review edition!

…

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
Date: 2020-06-19
Author: ACSC | Cyber.gov.au
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

Active ransomware campaign leveraging remote access technologies
Date: 2020-06-16
Author: CERT-NZ
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched. The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup.

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks
Date: 2020-06-16
Author: SecurityWeek
[See AUSCERT bulletin ESB-2020.2090]
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday. Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20. The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

Privacy confusion over COVID Safe Checklist rules for hospitality venues
Date: 2020-06-14
Author: ABC News
Notebooks, spreadsheets and paper forms used to collect personal information at cafes and restaurants are creating fears about privacy breaches and safety concerns. Queensland Council of Civil Liberties president Michael Cope says State Government guidelines about how businesses must collect and store information about customers are not clear enough. The COVID Safe Checklist for businesses requires that they keep contact information for all customers, workers and contractors, including names, addresses and mobile phone numbers for at least 56 days. This information is to be “captured and stored confidentially and securely”.

No, that wasn’t a DDoS attack, just a cellular outage
Date: 2020-06-16
Author: CyberScoop
Neville Ray, chief technology officer at T-Mobile, said Tuesday that the company had fixed the issues. Security experts quickly pinned the issue on T-Mobile network configuration issues which resulted in the hours of downtime for customers, rather than a malicious DDoS meant to knock services offline by flooding them with internet traffic. Instead of acknowledging the more complicated reality, Anonymous amplified screenshots of a DDoS attack map that the security firm Arbor Networks uses as marketing to create interest in its product.

ESB-2020.2077 – APSB20-37 Security update available for Adobe Illustrator
Adobe released updates for multiple products this week.

ESB-2020.2090 – ICS Advisory (ICSA-20-168-01) Treck TCP/IP Stack
Possibly millions of systems affected.

ESB-2020.2116 – Cisco Webex Meetings Desktop App Vulnerabilities
Cisco released numerous updates this week.

ESB-2020.2104 – New BIND releases are available
The recent BIND vulnerabilities affect multiple products.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.


AUSCERT Week in Review for 12th June 2020

12 Jun 2020

Greetings,

The winter chill has certainly set in as we head into the 3rd week of June. Thank you to those who participated in our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar took place on Wednesday 10th June. To view a recording of this session, please visit our YouTube channel here.

Members, keep an eye out for a couple of emails landing in your inbox next week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter aka The Feed.

And last but not least, we shared the news that the Microsoft June 2020 Patch Tuesday was the largest ever with 129 fixes, so don’t forget to action these items and patch those vulnerabilities. A great reference point is of course our very own Security Bulletins page.

Until next time, we hope everyone enjoys a safe and restful weekend.

…

Microsoft June 2020 Patch Tuesday: largest ever with 129 fixes
Date: 2020-06-09
Author: Bleeping Computer
Today is Microsoft’s June 2020 Patch Tuesday, and as many Windows administrators will be routinely screaming at computers, please be nice to them!
With the release of the June 2020 Patch Tuesday security updates, Microsoft has released one advisory for an Adobe Flash Player update and fixes for 129 vulnerabilities in Microsoft products. Of these vulnerabilities, 11 are classified as Critical, 109 as Important, 7 as Moderate, and 2 as Low.
This is the largest Patch Tuesday update ever released by Microsoft, with the second-largest being 115 fixes in March 2020, and the third-largest with 113 fixes in April 2020.

Fisher & Paykel Appliances struck by Nefilim ransomware
Date: 2020-06-10
Author: IT News
Fisher & Paykel Appliances is the latest big brand name to be struck down by ransomware, shutting down its operations while it recovered following the attack.
The whitegoods manufacturer’s spokesperson Andrew Luxmoore confirmed the attack to iTnews, saying it took place early last week. “The attempt was identified quickly and, as a result, we locked down our IT ecosystem immediately,” he said.

Drinks maker Lion shuts IT systems after ‘cyber incident’
Date: 2020-06-09
Author: IT News
Fast moving consumer goods giant Lion has shut down its IT systems after a “cyber incident” on Tuesday.
The attack was first reported by the Sydney Morning Herald, which said the attack had “disrupted” manufacturing and remote access to systems.
“Lion has experienced a cyber incident and has taken the precaution of shutting down our IT systems, causing some disruption to our suppliers and customers,” the company said in a brief statement on its website.

Because things aren’t bad enough already: COVID-19 is going to mess up election security assumptions too
Date: 2020-06-08
Author: The Register
The social distancing measures brought about by the COVID-19 pandemic will weaken election security in the US, according to a non-profit’s security check.
A report from New York University’s Brennan Center for Justice warns that as election workers and local officials are forced to do their jobs remotely, the risk of attack skyrockets.

We have Huawei to make the internet more secure: Dump TCP/IP to make folks safer says Chinese mobe slinger
Date: 2020-06-04
Author: The Register
Chinese telecom companies and the Middle Kingdom government contend that the TCP/IP protocol stack is ill-suited for future networking needs and have proposed reworking the internet’s technical architecture with new, more secure internet protocols.
Huawei, China Mobile, China Unicom, and China Ministry of Industry and Information Technology are backing a plan titled “New IP, Shaping Future Network.” The specifics have not been made public but Huawei – currently subject to US trade sanctions for allegedly engaging in activities contrary to national security interests – has described the goals of the initiative as an attempt to improve the flexibility, privacy, and security of the internet.

ASB-2020.0107 – Windows: Multiple vulnerabilities
Microsoft Patch Tuesday updates (login required).

ESB-2020.1990 – 2020.1 IPU BIOS Advisory
Intel advisory of new firmware vulnerabilities.

ESB-2020.1991 – 2020.1 IPU Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
Intel advisory of new management subsystem vulnerabilities.

ESB-2020.2008.2 – linux security update
Many Linux distros released kernel and microcode patches for the Special Register Buffer Data Sampling (SRBDS) attack [CVE-2020-0543] alongside other fixes.

Stay safe, stay patched and have a good weekend!

The AUSCERT Team.


AUSCERT Week in Review for 5th June 2020

5 Jun 2020

Greetings,

This week, we are pleased to announce that the program details of our Virtual AUSCERT2020 conference have been launched. Details on this can be found here. Members, don’t forget to use your member tokens by Monday 3 August for free access to our conference registration. Please note that registrations for our tutorial sessions will open shortly and AUSCERT members will have priority access.

Questions? We’ve addressed a few of these on our conference site here. Members who are on Slack are most welcome to send us your queries on that platform. Didn’t quite find what you were after? Drop us a line. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September.

In other news, don’t forget to come along to our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

And last but not least, we shared the June update of the Australian Government Information Security Manual, which helps organisations manage their cyber security risks, on our Twitter channel, but here it is for reference.

Until next time, we hope everyone enjoys a safe and restful weekend.

VMware Cloud Director flaw lets hackers take over virtual datacenters
Date: 2020-06-02
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ESB-2020.1769]
Organizations offering trial accounts for versions of VMware Cloud Director lower than 10.1.0 risk exposing private clouds on their virtualized infrastructure to complete takeover attacks from a threat actor.
A code injection vulnerability exists in VMware Cloud Director (vCloud Director) 10.0.0.2, 9.7.0.5, 9.5.0.6, and 9.1.0.4 that may lead to remote code execution, VMware says in its security advisory.
Cloud Director software allows cloud-service providers around the world to deploy, automate, and manage virtual infrastructure resources in a cloud environment.

Office 365 to give detailed info on malicious email attachments
Date: 2020-05-31
Author: Bleeping Computer
Microsoft will provide Office 365 Advanced Threat Protection (ATP) users with more details on malware samples and malicious URLs discovered following detonation.
“We’re working to reveal more of the details that led to a malicious verdict when URLs or files are detonated in Office 365 ATP,” the new feature’s Microsoft 365 roadmap entry reads.
“In addition to the detonation chain (the series of detonations that were necessary to reach a verdict for this entity), we’ll also share a detonation summary, with details such as detonation time range, verdict of the file or URL, related entities (other entities called or used during the detonation), screenshots, and more.”

Apple pushes fix across ALL devices for “unc0ver” jailbreak flaw
Date: 2020-06-02
Author: Bleeping Computer
These past few days have been quite busy for Apple on the security front. As reported by BleepingComputer, the company recently patched a critical flaw in its “Sign in with Apple” service. What follows now is a mega update across all its major operating systems and devices.
Last year we provided details on the Sock Puppet jailbreak exploit that targeted the use-after-free kernel vulnerability, CVE-2019-8605. Yesterday, Apple pushed an update across all its OSes to fix the “unc0ver” jailbreak flaw, tracked as CVE-2020-9859 (note: a MITRE/NVD entry has not yet been published for this CVE).
Rooting, colloquially known as ‘jailbreaking,’ refers to the concept of obtaining root access to a device that lets oneself install third-party apps and tweaks which would otherwise be restricted by the official app store and manufacturer policies. Loopholes like unc0ver allow someone to “break out of this jail” and, therefore, the moniker.
Because the flaw impacted all previous versions of iOS, including 13.5, users are encouraged to update to iOS 13.5.1 and iPadOS 13.5.1 immediately. Of course, that also means the jailbreak functionality that lets users install custom tweaks and apps would be gone.

MyBudget hackers threaten on dark web to release data stolen during cyberattack
Date: 2020-06-03
Author: ABC News
Cybercriminals are threatening to publish data they claim to have stolen from financial management group MyBudget online, an internet security expert has warned.
The Adelaide-based company was hit with a ransomware attack early last month that left 13,000 customers in financial limbo for two weeks.
Thousands of customers took to social media to vent their frustration at the outage and also their concerns about the security of their data.

Google Faces $5B Lawsuit for Tracking Users in Incognito Mode
Date: 2020-06-03
Author: Dark Reading
A proposed class-action lawsuit accuses Google of collecting browser data from people who used “private” mode.
A proposed class-action lawsuit filed earlier this week accuses Google of violating users’ privacy by collecting their data while they searched the Web in “incognito mode,” or private browsing. The lawsuit seeks at least $5 billion, Reuters reports.
A complaint filed in federal court alleges Google collects data via Google Analytics and Google Ad Manager, along with other applications and plug-ins, to learn more about where people browse and what they view on the Web. This data collection occurs whether or not someone clicks a Google-supported ad, the report notes.

ESB-2020.1935 – Cisco IOS Software for Cisco Industrial Routers: Multiple vulnerabilities
Multiple advisories were released by Cisco. The most major of which was marked as critical and affected multiple Cisco routers. If exploited, this vulnerability could result in a complete system compromise.

ESB-2020.1909 – iOS & iPadOS: Execute arbitrary code/commands – Unknown/unspecified
Apple has released iOS and iPadOS version 13.5.1. Installing this update patches the vulnerability exploited by the “unc0ver” jailbreak and also patches a potential RCE vulnerability.

Stay safe, stay patched and have a good weekend!

Sean


AUSCERT Week in Review for 29th May 2020

29 May 2020

Greetings,

This week, we participated in the launch of National Reconciliation Week 2020 virtually by sharing an Acknowledgement of Country on our various social media platforms. To find out more about this initiative and to get involved for the remainder of the week, please visit the following page shared by the folks at Reconciliation Australia.

In other news, we announced an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

Last but not least, we’re pleased to announce that the program details of our Virtual AUSCERT2020 conference will be launched next week. Most of you will recall that the 2nd to 5th of June were the original dates for our annual conference. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September!

Until next time, we hope everyone enjoys a safe and restful weekend.

eBay port scans visitors’ computers for remote access programs
Date: 2020-05-24
Author: Bleeping Computer
When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications.
Over the weekend, Jack Rhysider of DarkNetDiaries discovered that when visiting eBay.com, the site performed a port scan of his computer for 14 different ports. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.

Bots hit up Australian Red Cross 900 times for bushfire donations
Date: 2020-05-26
Author: iTnews
The Australian Red Cross is being targeted by bots that have so far made almost 900 fraudulent applications for financial assistance from a $216 million bushfire relief fund.
Australian programs director Noel Clement told the Royal Commission into National Natural Disaster Arrangements on Tuesday that his organisation had seen “very significant cyber activity from the outset”.
The Australian Red Cross raised a total of $216 million in donations for the victims of devastating bushfires over the summer of 2019-20, of which $83 million has so far been distributed.

GitLab Hacks Own Remote-Working Staff In Phishing Test
Date: 2020-05-25
Author: Silicon UK
Company finds 20 percent of its all-remote staff responds to phishing message by exposing user credentials, raising fears about the work-from-home future.
Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials.
The study comes at a time when more employees are working from home during coronavirus shutdowns around the world.

Shadowserver, an Internet Guardian, Finds a Lifeline
Date: 2020-05-27
Author: WIRED
The internet security group Shadowserver has a vital behind-the-scenes role; it identifies online attacks and wrests control of the infrastructure behind them. In March, it learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility, not to mention an additional $1.7 million to make it through the year, the organization was at real risk of extinction.
Ten weeks later, Shadowserver has come a long way toward securing its financial future. On Wednesday, the IT security company Trend Micro will commit $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. The nonprofit Internet Society is also announcing a one-time donation of $400,000 to the organization.
Combined with other funding that’s come in, these large contributions make it possible for the group to continue in a more sustainable way without becoming dependent on a single funder again. It also keeps the internet at large that much safer.

Apple responds to false Facebook claims about contact tracing update in iOS 13.5
Date: 2020-05-27
Author: iMore
Hysterical myths regarding Apple’s exposure notification have started appearing on Facebook. Some users have taken to sharing screenshots of iOS 13.5, warning friends that it will automatically allow authorities to track their locations and who they meet. The posts have been fact-checked by Facebook, and Apple has released a response to Reuters.

ESB-2020.1884 – [ALERT] Cisco CML and VIRL-PE: Multiple vulnerabilities
A patch for RCE and authentication bypass vulnerabilities has been released and marked as critical by Cisco. This includes a ‘perfect’ 10.0 CVSSv3 score, which is the maximum possible.

ESB-2020.1859 – macOS Catalina, Mojave & High Sierra: Multiple vulnerabilities
Apple update fixes 45 macOS vulnerabilities, including a root compromise from the PackageKit component.

ESB-2020.1855 – iOS and iPadOS: Multiple vulnerabilities
A similar number of vulnerabilities were patched in iOS and iPadOS, with similar impacts. Reports online indicate that even the latest version is susceptible to a jailbreak by Unc0ver.

Stay safe, stay patched and have a good weekend!

Sean


AUSCERT Week in Review for 22nd May 2020

22 May 2020

Greetings,

This week, we shared a couple of important and useful advisories with members. Namely, the joint statement from DFAT and the ACSC regarding unacceptable malicious cyber activity by cyber actors who are seeking to exploit the pandemic for their own gain, as well as the Toolkit for Universities by eSafety and Universities Australia. This toolkit contains some useful resources that give universities and their communities tools to help keep safe online.

We are pleased to announce an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; save the date, and invitations will be sent out shortly. We hope you can join us.

Last but not least, we shared news of our revised Virtual AUSCERT2020 sponsorship prospectus with various stakeholders last week. Feel free to reach out to us via conference@auscert.org.au for more information on our various options to get involved as a conference sponsor!

Until next time, we hope everyone enjoys a lovely and restful weekend.

Norway’s Wealth Fund Loses $10m in Data Breach
Date: 2020-05-16
Author: Infosecurity Magazine
Norway’s state-owned investment fund Norfund has halted all payments after losing $10m in an “advanced data breach.”
On May 13, Norfund announced that it was “cooperating closely with the police and other relevant authorities” after “a series of events” allowed fraudsters to make off with $10m.
The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets.

My Health Record system hit by hack attempt
Date: 2020-05-19
Author: iTnews
The My Health Record system was the subject of an attempted hack over the past 11 months, the Australian Digital Health Agency has revealed.
National health chief information officer Ronan O’Connor told a parliamentary inquiry into cyber resilience the cyber incident was one of two “potential data breaches” to occur since July 2019.

Nefilim ransomware gang leaks Toll documents on dark web
Date: 2020-05-20
Author: iTWire
The attackers behind an ongoing ransomware attack on Australian logistics and transport provider Toll Holdings have released some documents which they claim to have exfiltrated from the company when they staged the attack.
News of the attack, the second this year, was announced by Toll on 5 May, with the company saying at the time that it had shut down some of its systems as a precaution.
The documents released on Wednesday on the dark web include statements about company financials in plain text and a zipped file. This indicates that the ransom demand by the group has not been met by Toll. The attackers claim to have more than 200GB of company data.

ESB-2020.1785 – Wireshark: Denial of service
The Wireshark maintainers will be diligently patching minor crashes on crafted network traffic until after the sun burns out. I applaud their dedication to making the most resilient security tool possible.

ESB-2020.1781 – IBM Security Access Manager – Unauthorised access
A user-manipulable claim wasn’t validated properly, so users could forge additional access.

ESB-2020.1762 – Dovecot: Multiple vulnerabilities
Possible RCE and confirmed DoS in the popular Dovecot email server.

ESB-2020.1754 – OpenConnect: Denial of service
It’s a good time of year to be patching VPN clients, with the increased work from home arrangements.

Stay safe, stay patched and have a good weekend!

David & Vishaka


AUSCERT Week in Review for 15th May 2020

15 May 2020

Greetings,

This week, we announced to our members that we have doubled their member token registration eligibility for Virtual AUSCERT2020 as a gesture of appreciation for their support. Be sure to check your inbox(es) for further details. We can’t wait to see you in September.

Also for our members: we have generated a new PGP/GPG key to use for signing and for receiving encrypted data. This key will come into effect as of today (Friday 15th May 2020) and further details can be found on our website here.

Last but not least, we shared this news on our social channels this week: “FIRST aims to update the Traffic Light Protocol standard to increase global adoption”. If you would like to get involved directly, please refer to the following press release: https://www.first.org/newsroom/releases/20200513

Until next time, we hope everyone enjoys a safe and restful weekend.

Microsoft Addresses 111 Bugs for May Patch Tuesday
Date: 2020-05-12
Author: Threatpost
Microsoft has released fixes for 111 security vulnerabilities in its May Patch Tuesday update, including 16 critical bugs and 96 that are rated important. Unlike other recent monthly updates from the computing giant this year, none of the flaws are publicly known or under active attack at the time of release.

US govt shares list of most exploited vulnerabilities since 2016
Date: 2020-05-12
Author: Bleeping Computer
US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019.
Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments.

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking
Date: 2020-05-10
Author: WIRED
Security paranoiacs have warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: the Intel Thunderbolt port found in millions of PCs.

Cisco, others, shine a light on VPN split-tunnelling
Date: 2020-05-13
Author: ARN
As the work-from-home trend grows due to the Covid-19 pandemic, the need for secure access to enterprise resources continues to grow and with it the demand for ever-more VPN.
For example, demand for commercial virtual private networks in the US jumped by 41 per cent between March 13 and March 23, according to research from Top10VPN.com, a VPN research and testing company in the UK. The VPN market will hit $70 billion by 2026, according to market research and management consulting company Global Market Insights. In an April blog AT&T pointed to a 700 per cent increase in connections to its cloud-based SD-WAN Static Network Based (ANIRA) VPN service.

ASB-2020.0095 – Windows: Multiple vulnerabilities

ASB-2020.0101 – Microsoft Office, Microsoft Office Services and Web Apps: Multiple vulnerabilities

ESB-2020.1698 – McAfee ePolicy Orchestrator: Multiple vulnerabilities

ESB-2020.1705 – GlobalProtect App: Access confidential data – Existing account

Stay safe, stay patched and have a good weekend!

AUSCERT Team


AUSCERT Week in Review for 8th May 2020

8 May 2020

Greetings,

This week, we launched our long-awaited AUSCERT – Members Slack. An email was sent out to members earlier this week, Tuesday 5 May to be specific, detailing the necessary steps to join us and other AUSCERT members in conversation. Be sure to check your inbox(es) for further details. Many of our members informed us through the 2019 Annual Survey that they would like to stay connected through a quicker, more effective (but secure) communication platform, and we’ve delivered!

Also for our members: keep an eye out for an email from our conference team early next week. This communication will provide you with some updates on member token details for Virtual AUSCERT2020. We can’t wait to see you in September.

Last but not least, this week has seen us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign initiative to promote the importance of privacy and keeping your personal information safe. We’ve shared a number of posts on our social media channels using the following hashtags #PAW2020 #RebootYourPrivacy so please do check them out. In summary, Privacy Awareness Week 2020 is an important reminder to reboot your privacy:
> Check and update your privacy controls
> Consider the alternative when giving or asking for personal information
> Delete any data from old devices and securely destroy or de-identify personal information if it’s no longer needed for a legal purpose.

Again, well done Australia for staying home. We hope that everyone has some lovely plans lined up with the easing of Covid-19 restrictions in most parts of the country, just in time for Mother’s Day on Sunday. Until next week.

New Kaiji Botnet Targets IoT, Linux Devices
Date: 2020-05-05
Author: Threatpost
The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go language.
A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today.

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014
Date: 2020-05-06
Author: ZDNet
South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.
The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.

Toll Group suffers second ransomware attack this year
Date: 2020-05-05
Author: iTnews
Toll Group has revealed it is suffering its second ransomware attack this year, attributing the current infection to a type of malware known as Nefilim.
The admission comes less than a day after iTnews reported exclusively that the logistics giant had shut down its IT systems after detecting “unusual activity” on an undisclosed number of servers.

New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers
Date: 2020-05-04
Author: The Hacker News
Cybersecurity researcher Mordechai Guri from Israel’s Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices.
Dubbed ‘POWER-SUPPLaY,’ the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers.

GoDaddy notifies users of breached hosting accounts
Date: 2020-05-04
Author: Bleeping Computer
GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH.
The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting.

Maze Ransomware Operators Step Up Their Game
Date: 2020-05-06
Author: Dark Reading
Investigations show Maze ransomware operators leave “nothing to chance” when putting pressure on victims to pay.
Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

ESB-2020.1614 – Cisco Firepower: Multiple vulnerabilities
Multiple high severity vulnerabilities which could result in information disclosure, root compromise, denial of service or unauthorized access to Cisco Firepower appliances.

ESB-2020.1624 – Google Chrome: Multiple vulnerabilities
Two remote code execution and denial of service vulnerabilities.

ESB-2020.1607.2 – Salt: Multiple vulnerabilities
Execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.

Stay safe, stay patched and have a good weekend!

Patch
