Week in review

AUSCERT Week in Review for 24th April 2020

Greetings,

Hoping everyone’s had a good week, and that the parents amongst us are managing the juggle of work-life balance, with the Term 2 remote learning of school-aged children commencing this week.

This week, we announced that our annual conference will be taking on a different spin! Given the current ever-evolving situation with COVID-19 and the advice from our Chief Information Officer, it is with a mixture of nervous energy and excitement that we announce that AUSCERT2020 will now go virtual in September. The dates will remain as previously discussed: 15 – 18 September. While we understand that a virtual event isn’t quite the same as an in-person one, we are as committed as ever to featuring world-class tutorials and presentations from leading experts in the cyber and information security industry. Speaker details can be found here.

In other news this week, we shared that our friends from ENISA (the EU Agency for Cybersecurity) have just published some new training materials on the topic of “Orchestration of CSIRT Tools”. It includes practical usage of MISP, The Hive Project and IntelMQ; these are very SOAR-relevant, and definitely worth a read. Please refer to their website.

Have a great weekend, and thank you for staying home. Until next time.

Microsoft releases OOB security updates for Microsoft Office
Date: 2020-04-21
Author: Bleeping Computer
[This has been published as AUSCERT bulletin ASB-2020.0090]
Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications. Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolve remote code execution and denial of service vulnerabilities caused by specially crafted FBX files. An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations.

Critical bug in Google Chrome – get your update now
Date: 2020-04-17
Author: Sophos
[This has been published as AUSCERT bulletin ASB-2020.0088]
The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix.
… [Sophos] recommends going through the update process as soon as you can. Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later.

Hackers have breached 60 ad servers to load their own malicious ads
Date: 2020-04-22
Author: ZDNet
A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites. This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019. Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads. Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files – usually disguised as Adobe Flash Player updates.

Who’s Behind the “Reopen” Domain Surge?
Date: 2020-04-20
Author: Krebs on Security
The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created […] urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.
[A neat demo of threat hunting in DomainTools, albeit without the usual phishing/malware bent we focus on at AUSCERT.]

ASB-2020.0088 – Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google has issued an update addressing a critical CVE for Chrome Stable Channel for Desktop.

ASB-2020.0090 – Microsoft products utilising the Autodesk FBX library: Multiple vulnerabilities
Microsoft out-of-band security update fixing remote code execution vulnerabilities in the Autodesk FBX library.

Stay safe, stay patched and have a good weekend!
Mal

AUSCERT Week in Review for 17th April 2020

Greetings,

Hoping everyone’s come off the sugar rush that was the Easter long weekend!

This week, we announced that our member newsletter – circulated every other month – will now be called The Feed. We think this better reflects our mission, readers and the content we share. The April 2020 edition was sent in the mail yesterday (Thursday 16.04), so be sure to check your inbox to stay up-to-date with the goings-on at AUSCERT.

In other news this week, we’ve published a snapshot of our services stats for Quarter 1 2020. To find this information, please visit the Blogs & Publications section of our website. This report provides an overview of the cyber security incidents reported by members from 1 January – 31 March 2020.

Last but not least, a final reminder that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. Affected members have been emailed directly. Feel free to reach out to us should you require further assistance or clarification regarding this change.

Stay well (and thank you for staying home), until next time.

Microsoft April 2020 Patch Tuesday comes with fixes for three zero-days
Date: 2020-04-14
Author: ZDNet
[Please refer to the following AUSCERT Security Bulletins for more information: ASB-2020.0077 to 86]
Microsoft has published today its monthly roll-up of security updates known as Patch Tuesday. This month’s updates are a bulky release. The OS maker has made available patches today for 113 vulnerabilities across 11 products, including three zero-day bugs that were being actively exploited in the wild. As always, details remain scant for the time being. Details about zero-day attacks are usually kept under wraps for days or weeks, to give users time to patch and prevent attackers from developing proof-of-concept code.

When corporate communications smell phishy: Why customers don’t trust your emails
Date: 2020-04-08
Author: The Daily Swig
We are constantly urged to stay vigilant to spam and malicious emails. Threat actors’ increasingly sophisticated tactics and mimicry of organizations pose a serious problem for businesses attempting to engage with their customers without appearing to be scammers. However, some of the tactics employed by phishers are also used by genuine companies to promote consumer engagement or simply within the workplace between teams, which can lead to confusion and legitimate emails being reported as fraudulent.

Coronavirus tracing tech policy ‘more significant’ than the war on encryption
Date: 2020-04-15
Author: ZDNet
COVID-19 apps that track individuals’ movements and report them to a government server? What could possibly go wrong? Digital rights activists are starting to push back. Tech-savvy individuals and firms have been eager to apply their skills to the coronavirus pandemic, as they should be. Some of them are working with governments who have flexed their “special powers” and public health muscles, as governments should do. Much of this tech effort, from all sides, has been put into contact tracing, which aims to find out who might have been exposed to the virus from an infectious person.

ASB-2020.0082 – Microsoft Patch Tuesday update for Windows for April 2020
Microsoft’s Patch Tuesday included updates to resolve 66 vulnerabilities in Windows products.

ASB-2020.0076 – Oracle CPU April 2020 for Java SE
Oracle Java SE had a critical patch update with 15 new security patches made available.

Stay safe, stay patched and have a good weekend!
Mal.

AUSCERT Week in Review for 9th April 2020

Greetings,

How glad are we that it’s a short week? Our member incident hotline continues to operate 24/7 over the long weekend (this one in particular will be fuelled by chocolate!). Details can be found on our website by logging in to our member portal.

Also, a reminder that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. To find out if any of your email addresses are going to be affected, please see below:

a) If you currently receive our AUSCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected.

b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address through the member portal in the Bulletins subscription section, when logged in as a privileged user. Be sure to check your email filters if you fall into category b).

Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification.

Last but not least, it’s been brought to our attention that 80% of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability. Please apply this patch if you haven’t done so already. Our related bulletin info can be found here.

We hope everyone stays safe and is being creative with their long weekend plans.

80% of all exposed Exchange servers still unpatched for critical flaw
Date: 2020-04-06
Author: Bleeping Computer
Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions. This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials. “There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” Rapid7 Labs senior manager Tom Sellers further explained.

Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?
Date: 2020-04-06
Author: Threatpost
COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all — but without proper security they can be a big risk. As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention.

Australia on the cyber offence to bring down COVID-19 scammers
Date: 2020-04-06
Author: ZDNet
Australia has launched a cyber offence against offshore criminals, targeting those responsible for scams related to the COVID-19 outbreak. Minister for Defence Linda Reynolds said in a statement that the Australian Signals Directorate (ASD) had mobilised its offensive cyber capabilities to disrupt the foreign cyber criminals behind the spate of malicious activities that have come out of the global pandemic. “Cyber criminals that are using the cover of cyberspace and international borders to target Australians are not beyond our reach,” Reynolds said.

Atlassian issues advice on how to keep your IT service desk secure… after hundreds of portals found facing the internet amid virus lockdown
Date: 2020-04-07
Author: The Register
As companies move their staff to remote working amid the COVID-19 coronavirus pandemic, some IT teams have made internal platforms, such as tech support desks, face the public internet. The hope, presumably, is that this ensures employees can easily reach these services from their homes, allowing them to raise support tickets and the like. However, organizations are leaving themselves open to mischief or worse by miscreants, we’re told, because the portals are not fully secured. Strangers on the internet can create new accounts, impersonate staff, submit requests for bogus work, potentially access sensitive information, such as payroll details and documentation, and so on.

NASA under ‘significantly increasing’ hacking, phishing attacks
Date: 2020-04-07
Author: Bleeping Computer
NASA has seen “significantly increasing” malicious activity from both nation-state hackers and cybercriminals targeting the US space agency’s systems and personnel working from home during the COVID-19 pandemic. Mitigation tools and measures set in place by NASA’s Security Operations Center (SOC) successfully blocked a wave of cyberattacks, the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks.

ESB-2020.1208 – ALERT Firefox & ESR: Multiple vulnerabilities
Security vulnerabilities that are being exploited by targeted attacks have been fixed in Firefox 74.0.1 and Firefox ESR 68.6.1.

ESB-2020.1218 – telnet: Multiple vulnerabilities
Telnet is affected by an RCE and DoS vulnerability across multiple Red Hat versions; it is possible this also affects other OSes. Red Hat have addressed this via updates.

Stay safe, stay patched and have a good weekend!
Sean

AUSCERT Week in Review for 3rd April 2020

Greetings,

We’ve (safely) made it through another week. For many, if not all of us, mastering remote work is all about finding the right tools to stay productive and connected. As we try to stay connected with colleagues remotely, we think it is also important to remind everyone to keep security front of mind. We took the opportunity this week to remind folks that it is important to have a proper read through the safety policies of your web conferencing and sharing platform(s) of choice – make sure you’ve set yours up appropriately!

In other news this week, we reached out to a number of AUSCERT2019 delegates that were potentially affected by the recent Marriott International data breach incident. In short, if you were personally affected by this breach, you would have received an email from Marriott International by now. For those wanting to find out more, Marriott International has set up a dedicated website here where guests can find more information about this incident.

Lastly, a reminder that we are here for you; it is business as usual for our team, and our member incident hotline continues to operate 24/7 in these extraordinary times. Details can be found on our website by logging in to our member portal.

Zoom Client Leaks Windows Login Credentials to Attackers
Date: 2020-03-31
Author: BleepingComputer
The Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

Morrison: No anonymous tracking of people to enforce COVID-19 rules
Date: 2020-03-30
Author: iTWire
Australian Prime Minister Scott Morrison says the government would not be looking to use location data to track people anonymously in order to find out if they are following the rules which have been put in place to keep the coronavirus pandemic in check within the country.

New email phishing scam exploits Coronavirus fears
Date: 2020-03-31
Author: iTWire
A new type of email phishing scam has been discovered which warns people that they’ve come into contact with a friend/colleague/family member who has been infected with the coronavirus, according to one global security firm. According to security awareness training and simulated phishing platform provider KnowBe4, the email instructs people to download a malicious attachment and proceed immediately to the hospital, with the particular “social engineering scheme” appearing to come from a legitimate hospital, “which is why it’s so alarming and could trick even a cautious end user”.

If you’re working from home, you’ve probably used Zoom. The FBI says you should be careful
Date: 2020-04-02
Author: ABCNews
Zoom has had a surge in popularity during the coronavirus pandemic, but some businesses are backing away from the videoconferencing app over concerns about security flaws. It topped charts worldwide in February and March, according to TechCrunch, after swathes of companies moved their core functions online with workers sent home. But Elon Musk’s rocket company SpaceX and NASA have both banned employees from using Zoom, with SpaceX citing “significant privacy and security concerns”. SpaceX’s ban came just days after a warning from the FBI urging users not to make meetings public or share links widely.

Meet ‘Sara’, ‘Sharon’ and ‘Mel’: why people spreading coronavirus anxiety on Twitter might actually be bots
Date: 2020-04-01
Author: The Conversation
Recently Facebook, Reddit, Google, LinkedIn, Microsoft, Twitter and YouTube committed to removing coronavirus-related misinformation from their platforms. COVID-19 is being described as the first major pandemic of the social media age. In troubling times, social media helps distribute vital knowledge to the masses. Unfortunately, this comes with myriad misinformation, much of which is spread through social media bots.

ESB-2020.1189 – haproxy: Multiple vulnerabilities
Code execution and DoS vulnerabilities patched in multiple versions of HAProxy.

ESB-2020.1095 – PAN-OS log daemon (logd): Multiple vulnerabilities
Patch for arbitrary code execution and privilege escalation vulnerabilities in PAN-OS 8.1.

ESB-2020.1096 – PAN-OS CLI: Multiple vulnerabilities
Patch for a shell injection vulnerability in the PAN-OS CLI that allows execution of shell commands.

Stay safe, stay patched and have a good weekend!
Sean

AUSCERT Week in Review for 27th March 2020

Greetings,

Hoping this lands in your inbox while you’re reading it in the comfort of your home office. A reminder that we are here for you; it is business as usual for our team, and our member incident hotline continues to operate 24/7 in these extraordinary times. Details can be found on our website by logging in to our member portal.

In other news this week, we wanted to let you know that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. To find out if any of your email addresses are going to be affected, please see below:

a) If you currently receive our AUSCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected.

b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address through the member portal in the Bulletins subscription section, when logged in as a privileged user. Be sure to check your email filters if you fall into category b).

Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification.

Windows code-execution zero-day is under active exploit, Microsoft warns
Date: 2020-03-24
Author: Ars Technica
Attackers are actively exploiting a Windows zero-day vulnerability that can execute malicious code on fully updated systems, Microsoft warned on Monday. The font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a booby-trapped document or view it in the Windows preview pane.
[AUSCERT published this alert the same day in ASB-2020.0066.]

Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps
Date: 2020-03-23
Author: Bleeping Computer
A new cyber attack is hijacking routers’ DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware. For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO). After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.

Cybercrime and Social Engineering Threats – COVID-19
Date: 2020-03-25
Author: Brian Hay
Criminals thrive during tough fiscal times because they’re adept and skilled at exploiting the emotions of people who desire a better life, wish for better times, or are seeking a solution to the troubles they’re currently facing. They know how to take advantage of the confusion, the breakdown of “normal” procedures, the proliferation of “misinformation” and they also understand the hunger for people to know more about what is going on – so more people are likely to click on a link to find out the latest “news”. Appealing to people’s sense of curiosity is a powerful weapon and it is a difficult behavioural pattern for many of us to control.

Three More Ransomware Families Create Sites to Leak Stolen Data
Date: 2020-03-24
Author: ZDNet
Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, further illustrating why all ransomware attacks must be considered data breaches. Ever since Maze created their “news” site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.

Minister backflips on myGov DDoS attack claim
Date: 2020-03-23
Author: iT News
Government services minister Stuart Robert has quickly walked back his claim that the online services portal myGov suffered a “significant distributed-denial-of-service attack”.

ASB-2020.0066.2 – Windows: RCE – Remote with user interaction
A critical vulnerability in Windows’ font handling was announced out of the usual cycle. At time of writing, no fix is available, and versions of Windows below 10 are strongly recommended to configure the provided mitigations.

ESB-2020.1042 – macOS: Multiple vulnerabilities
Apple released multiple security updates this week, including some spicy-looking vulnerabilities in macOS.

ESB-2020.1057 – Adobe Creative Cloud Desktop for Windows: Arbitrary file deletion – Remote with user interaction
Adobe called this critical; users opening a crafted file could find other files deleted.

Stay safe, stay patched and have a good weekend!
David

AUSCERT Week in Review for 20th March 2020

Greetings,

Given the current ever-evolving situation with COVID-19 and the advice from our State and Federal Governments, in support of the health and wellbeing of our stakeholders we wanted to let you know that the AUSCERT2020 Conference has now been postponed. The Conference will now take place on 15th – 18th September 2020. A reminder that our member incident hotline continues to operate 24/7 and details can be found on our website by logging in to our member portal.

In other news this week, our Principal Analyst wrote a blog on the various COVID-19 cyber threats we’re seeing out there. It’s unfortunate that this happens at a time when the community is already vulnerable! Read more about it here and be sure to check out his recommendations.

Last but not least, we are pleased to share with you a copy of our 2019 Year in Review publication, which provides members (and the general public) with a summary of our state-of-the-union, statistics from our range of services, achievements and milestones as well as details of our goals for 2020 and beyond.

COVID-19 Cyber Threats: Observations, OSINT and Safety Recommendations
Date: 2020-03-18
Author: AUSCERT
AUSCERT has been made aware, from either direct reports or via OSINT research, of related threats relating to emails, mobile apps, web applications and social engineering scams. The purpose of this blog post is to:
– Remind readers that it is common for threat actors to use the most compelling or big news topics of the times in malspam attacks to incite their targets to open a crafted attachment or link to a website.
– Inform readers of the various vectors or attack angles that threat actors have deployed using COVID-19 as their theme so they (organisations) can make informed decisions and take appropriate actions.

A Critical Internet Safeguard Is Running Out of Time
Date: 2020-03-16
Author: WIRED
Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it’s an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks. There’s a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group’s headquarters, armed with a cease and desist order. “Shut this off,” Peck tells the utility worker accompanying him. “Shut this all off.” They cut power to the Ghostbusters’ protection grid, and all the ghosts are released. Think of Shadowserver as the internet’s protection grid. For more than 15 years, Shadowserver has been funded by Cisco as an independent organization. But thanks to budget restructuring, the group now has to go out on its own. Rather than seek a new benefactor, founder Richard Perlotto says the goal is for Shadowserver to become a fully community-funded alliance that doesn’t rely on any one contributor to survive. The group needs to raise $400,000 in the next few weeks to survive the transition, and then it will still need $1.7 million more to make it through 2020—an already Herculean fundraising effort coinciding with a global pandemic. They’ve set up a page for both large corporate donations and smaller individual contributions.

Exploring Various Ways in Which Hackers Are Milking the COVID-19 Scare
Date: 2020-03-13
Author: Cyware
Hackers have a history of sabotaging and manipulating public emergencies for their own gains. Imagine how tempting an epidemic like Coronavirus disease (COVID-19) would be for the crooks. Recently, hackers have run several attack campaigns across various countries, taking advantage of the spread of the disease.

Microsoft releases patches for leaked, wormable ‘SMBGhost’ flaw
Date: 2020-03-13
Author: IT News
Microsoft has rushed out security updates for a remotely exploitable vulnerability in the Windows System Message Block version 3 file sharing protocol that researchers said could be abused to create self-spreading “worms” like the 2017 WannaCry malware.

Adobe Fixes Nine Critical Vulnerabilities in Reader, Acrobat
Date: 2020-03-17
Author: Bleeping Computer
Adobe has released security updates for Adobe Acrobat and Adobe Reader that fix numerous vulnerabilities ranging from information disclosure to arbitrary code execution. Adobe usually releases security updates in conjunction with Microsoft’s Patch Tuesday security updates, but this month nothing was released at that time.

ESB-2020.0975 – Security Bulletin for Adobe Acrobat and Reader | APSB20-13
Security updates for Adobe Acrobat and Adobe Reader for vulnerabilities ranging from information disclosure to arbitrary code execution.

ESB-2020.0942.2 – VMware Security Advisories – VMSA 2020-0005
VMware security updates to address privilege escalation and denial-of-service (DoS) in VMware Workstation, Fusion, VMware Remote Console and Horizon Client.

Stay safe, stay patched and have a good weekend!
Mal

AUSCERT Week in Review for 13th March 2020

Greetings,

We understand that this is a worrying time for many in our community and wanted to broach the subject of how COVID-19 (Coronavirus) impacts AUSCERT. Our team will continue to support our members through our range of services. A reminder that our member incident hotline continues to operate 24/7 and details can be found on our website by logging in to our member portal. Because we are a part of The University of Queensland, we are aligning ourselves with the University by responding to the situation as it evolves and are also planning for contingencies to continue delivering our services.

In other news this week, AUSCERT took part as the leading team in the annual Asia Pacific Computer Emergency Response Team (APCERT) drill. This drill tests the response capability of leading Computer Security Incident Response Teams (CSIRTs) within the Asia Pacific economies. To find out more about this annual endeavour, please visit our site here.

Last but not least, we are pleased to announce that our conference website is now updated with a list of speakers, and program details will be announced soon.

Microsoft emits SMBv3 worm-cure crisis patch
Date: 2020-03-12
Author: The Register
Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw designated CVE-2020-0796. The bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an un-patched system simply by sending the targeted system specially crafted compressed data packets. Systems running 32 and 64-bit Windows 10 v1903, Windows 10 v1909, Windows Server v1903 (Server Core), and Windows Server v1909 (Server Core) – and just those versions – need to get patched right now.

Coronavirus map used to spread malware
Date: 2020-03-09
Author: Graham Cluley
Be careful about which websites you trust. A malicious site appears to have copied the look-and-feel of a legitimate Coronavirus map from Johns Hopkins University. Security researchers at Malwarebytes say that they have found malicious code hiding behind the fake website that claimed to show an up-to-date global heatmap of Coronavirus reports. The malicious code skims for passwords and payment card details, as a variant of the AzorUlt spyware. Be careful what programs you install and run on your computers folks… or you might be putting yourself at risk.

Coronavirus: How hackers are preying on fears of Covid-19
Date: 2020-03-13
Author: BBC News
Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance. Phishing emails written in English, French, Italian, Japanese, and Turkish have been found. The BBC has tracked five of the campaigns.

March 2020 Patch Tuesday: Microsoft fixes 115 vulnerabilities, Adobe none
Date: 2020-03-10
Author: Help Net Security
It’s March 2020 Patch Tuesday: Adobe seems to have skipped releasing any patches, whilst Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The 26 critical flaws all allow remote code execution, but some are more easily exploited than others. The good news is that no active attacks have been observed for any of the vulnerabilities at this time.

Preparing for Covid-19 and beyond
Date: 2020-03-06
Author: Beta News
The threat of a global pandemic is alarming, but at least in this case, IT has some advance notice to prepare for the worst-case scenario. You do not want to be caught without a plan if local governments institute a quarantine or local schools are closed for several weeks. And even if we avoid a pandemic — fingers crossed — the planning you did won’t be in vain. It’s important for every organization to always have a plan to deal with disasters large and small, whether it’s flooding, inclement winter weather or a particularly bad cold that sends half your team home. Here are the steps you should take to put together your plan and prepare for a potential pandemic.

ESB-2020.0862.2 – UPDATED ALERT SMBv3: Execute arbitrary code/commands – Remote/unauthenticated
Microsoft released an out-of-band emergency patch today for a vulnerability identified as wormable. See article above.

ESB-2020.0868 – Firefox ESR: Multiple vulnerabilities
Firefox update patches Airpod information disclosure vulnerability.

ASB-2020.0054 – Windows: Multiple vulnerabilities
Microsoft Patch Tuesday resolves 78 vulnerabilities for Windows.

Stay safe, stay patched and have a good weekend!
Sean

AUSCERT Week in Review for 6th March 2020

Greetings,

Welcome to March. This month sees us turning 27. As an organisation, we have come a long way since the day that student hacked into NASA in their spare time in 1993! 27 years later, we are still preaching our greater good ethos and are proud to be serving our members daily.

Soon, we will be sharing with you a copy of our Year in Review 2019 publication. This is something we have put together to help our members (and the public) understand the current trends in our industry from AUSCERT’s unique perspective; it will also provide an overview of our operations and a preview of our automation-focused road map for 2020 and beyond.

Last but not least, Happy International Women’s Day to all our readers. To celebrate and pay homage to our female colleagues, AUSCERT will be featuring a Women of AUSCERT series on our LinkedIn page throughout next week.

The Let’s Encrypt CAA Code Bug – A Plain View
Date: 2020-03-05
Author: AUSCERT Blog
Let’s Encrypt recently found a bug in their CAA checking code and, after remediating the bug on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totaling approximately 3 million certificates. Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties. Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in place could trigger errors in browsers and other applications and cause loss of availability and/or trust, all potentially causing harm to the companies that rely on them.

Social Engineering Risks: How to Patch the Humans in Your Organization
Date: 2020-02-28
Author: PenTest Magazine
Employees have long been presumed to be the weakest link in the corporate cybersecurity chain. But new research from Proofpoint’s Human Factor report claims that over 99% of email-borne cyber-attacks require human intervention to work. Hackers are targeting primarily people, rather than technology systems, to get what they want. Technically anyone in your organization could be on the receiving end of such an attack. Organizations need to do better at protecting and educating these Very Attacked People (VAPs) in their midst. As always, a defense-in-depth approach makes the best sense. This should start with user awareness training and education, but not rely 100% on it. By adding in other steps, you stand a better chance of knocking back the hackers in the event that they manage to trick an employee or bypass a security solution.

Citrix vulnerability used for potential Defence recruitment database access
Date: 2020-03-04
Author: ZDNet
The Australian Signals Directorate (ASD) has revealed that a vulnerability in Citrix, announced over Christmas, could have been used by malicious actors to access a database of Australian Defence recruitment details. “On the 24th of January … through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue,” newly installed director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates on Wednesday night. Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.

Fraud Prevention Month: How to protect yourself from scams
Date: 2020-03-04
Author: WeLiveSecurity
Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items: we may appreciate it can happen, but unless it’s happening to us at this moment in time we can often be guilty of delaying preventative action. And for businesses the risk is compounded; fraud may affect the daily operations of the business and, if it requires public disclosure, can lead to loss of reputation and potentially create an atmosphere of distrust with customers. Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity.

ASB-2020.0051 – Android: Multiple vulnerabilities
The March 2020 patch level for Android includes fixes for multiple critical vulnerabilities.

ESB-2020.0769 – zsh: Increased privileges
The commonly-used zsh shell had a flaw in its --no-PRIVILEGED option.

ESB-2020.0746 – Salt: Unauthenticated RCE
A SecOps product fixed an unauthenticated command injection vulnerability.

Stay safe, stay patched and have a good weekend!
Sean & Mal

AUSCERT Week in Review for 28th February 2020

Greetings,

Just a reminder that on Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual, but the source email address will be changed to bulletins@auscert.org.au. This change is being executed to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March.

Last but not least, AUSCERT, as an ally for the LGBTIQ+ community, would like to wish all members a safe and enjoyable Mardi Gras weekend.

Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data
Date: 2020-02-24
Author: Threatpost
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email. Shedding light onto the potential harm of this scenario is German software engineer Tommy Mysk. Mysk said that any app that can constantly read a device’s clipboard can easily abuse the data. One caveat to the developer’s research was that iOS can only allow apps to read clipboard data when the apps are active and in the foreground. Apple is no stranger to clipboard concerns. Three years ago a Reddit user pleaded: “Apple should fix the clipboard on iOS to make accessing it require Permission. This is a massive opening for malicious apps.”

Australian Government attacked over ransomware ‘epidemic’
Date: 2020-02-25
Author: Micky
The shadow assistant minister for cyber security Tim Watts has taken aim at the Federal Government over a lack of attention to the ransomware epidemic. In an opinion piece published in the Australian Financial Review, Watts cited last year’s attack on hospitals in the Gippsland Health Alliance and the South West Alliance of Rural Health, as well as the more recent attack on global transport company Toll, as warning signs the threat was increasing.

As Coronavirus Spreads, So Does Covid-19 Themed Malware
Date: 2020-02-27
Author: Bleeping Computer
Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop Remcos RAT and malware payloads on their targets’ computers via malicious files that promise to provide Coronavirus safety measures. Yoroi researchers recently spotted a suspicious CoronaVirusSafetyMeasures_pdf.exe executable after it was submitted to their free sandbox-based file analysis service. As the Yoroi research team later discovered, the executable is an obfuscated Remcos RAT dropper that would drop a Remcos RAT executable on the compromised computer, together with a VBS file designed to run the RAT. Essentially, COVID-19 is a popular phishing bait right now. The World Health Organization (WHO) recently warned of active Coronavirus-themed phishing attacks that impersonate the organization with the end goal of delivering malware and stealing sensitive information.

Massive DDoS Attack Shuts Down Iran’s Internet, Tehran Blames Washington
Date: 2020-02-21
Author: CPO Magazine
The head of Iran Civil Defense has accused Washington of the latest large-scale cyber-attack that targeted Iranian infrastructure. The coordinated Distributed Denial of Service attack affected two mobile operators and partially shut down Iran’s internet for hours.

Corruption watchdog calls for mandatory data breach laws in Qld
Date: 2020-02-26
Author: iTnews
Queensland’s corruption watchdog has called for state government agencies to be subjected to a mandatory data breach notification scheme after uncovering corruption risks around confidential information. The Crime and Corruption Commission made the recommendation in its Operation Impala report into the misuse of confidential information in the state’s public sector. The inquiry found “potential corruption risks associated with confidential information” at seven government agencies, including police, health, transport, education and corrective services. The report, handed down on Friday, has recommended the mandatory data breach scheme be developed and managed by the Office of the Information Commissioner Queensland (OIC).

ASB-2020.0049 – ALERT [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
There have been reports of active exploits in the wild.

ASB-2020.0050 – ALERT [Win] Microsoft Edge: Multiple vulnerabilities
The corresponding advisory from Microsoft, as Edge is now based on Chrome.

ESB-2020.0712 – [Cisco] Cisco Wi-Fi Products: Multiple vulnerabilities
A concerning vulnerability affecting multiple Cisco Wi-Fi devices.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 21st February 2020

Greetings,

On Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual, but the source email address will be changed to bulletins@auscert.org.au. This change is being executed to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March.

Please see below for a selection of this week’s interesting news articles and security advisories.

China seeks help of national tech giants to track coronavirus with QR codes
Date: 2020-02-18
Author: iTnews
China’s government is enlisting the help of Alibaba Group Holding Ltd and Tencent Holdings Ltd to expand colour-based systems for tracking individuals affected with the coronavirus nationwide. On Wednesday, Alipay, the payment app operated by Alibaba’s financial division Ant Financial, released a feature in collaboration with the government that assigns a coloured QR code representing the health of residents in Hangzhou.

APIs are becoming a major target for credential stuffing attacks
Date: 2020-02-19
Author: CSO Online
New research shows that attackers use APIs to automate credential stuffing attacks. The financial sector is particularly vulnerable.

South Korea sees rise in smishing with coronavirus misinformation
Date: 2020-02-17
Author: ZDNet
The South Korean government has warned the public of a sharp rise in smishing attempts — scam text messages — that use misinformation about the novel coronavirus outbreak.

Firmware Weaknesses Can Turn Computer Subsystems
Date: 2020-02-19
Author: Dark Reading
Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.

Why fixing security vulnerabilities in medical devices, IoT is so hard
Date: 2020-02-20
Author: Ars Technica
When your family opened up that brand-new computer when you were a kid, you didn’t think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn’t have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day. The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

Samsung freaks out smartphone owners with mysterious ‘1’ notification
Date: 2020-02-20
Author: Graham Cluley
Many owners of Samsung smartphones have received an odd notification from the Find My Mobile app. Curious users who clicked on the notification message found that it simply disappeared, leaving them none the wiser. The truth, however, is this – no, it’s nothing malicious. It was just an accident, as Samsung explained on Twitter, and it’s not the first time a test message has accidentally gone to the wider public.

ESB-2020.0537 – chromium-browser security update
Keep those browsers updated!

ESB-2020.0536 – firefox security update
As above.

ESB-2020.0548 – sudo security update
Another sudo vulnerability.

ESB-2020.0601 – USN-4289-1: Squid vulnerabilities
DoS, bypass and possibly RCE in a popular web proxy product.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 14th February 2020

Happy Friday (and Valentine’s Day for those who celebrate)! If you’re still looking for last-minute gift inspiration, we recommend giving your significant other the gift of security and helping them set up two-factor authentication on their accounts (Credit: CERT NZ).

In addition to our weekly summary below, please keep an eye out for a copy of our membership newsletter in your inbox today; it contains some important messages, including a copy of our survey results and some upcoming changes to how we send security bulletins. From Monday 2nd of March we will be sending bulletins from bulletins@auscert.org.au rather than auscert@auscert.org.au. Get ready to update your mail rules.

Until next week.

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Date: 2020-02-11
Author: Threatpost
Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.

Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm
Date: 2020-02-10
Author: Threatpost
The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.

Puerto Rico govt loses $2.6M in phishing scam
Date: 2020-02-13
Author: AP News
Puerto Rico’s government has lost more than $2.6 million after falling for an email phishing scam, according to a senior official. The finance director of the island’s Industrial Development Company, Rubén Rivera, said in a complaint filed to police Wednesday that the agency sent the money to a fraudulent account.

Dangerous Domain Corp.com Goes Up for Sale
Date: 2020-02-08
Author: Krebs on Security
As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe. During an eight-month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

ASB-2020.0043 – Windows Malicious Software Removal Tool
Microsoft’s Patch Tuesday included fixes for the Windows Malicious Software Removal Tool.

ASB-2020.0038 – Microsoft Patch Tuesday updates for Windows (February 2020)
Microsoft’s Patch Tuesday also included fixes for 81 Windows vulnerabilities.

ESB-2020.0480 – Security Updates Available for multiple Adobe products
This bulletin contains 5 Adobe security advisories.

Stay safe, stay patched and have a good weekend!
Mal

AUSCERT Week in Review for 7th February 2020

Greetings,

The AUSCERT team would like to thank all members who completed our 2019 Annual Survey. All respondents who completed the survey non-anonymously will receive a branded wireless charging mouse pad, and our survey results will be shared next week.

And last but not least, our AUSCERT2020 Early Bird registrations and ticket sales are now in full swing, so be sure to tap into your membership benefits. Please note that our membership team will be sending out member token emails in coming weeks, so be sure to look out for these in your inbox.

CDPwn: 5 Zero-Days in Cisco Discovery Protocol
Date: 2020-02-06
Author: Armis
Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. [See ESB-2020.0424.2, which was sent as an AUSCERT alert bulletin.]

Apple proposes simple security upgrade for SMS 2FA codes
Date: 2020-02-03
Author: Naked Security
Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction. The concept proposed by the company’s Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website. This dodges today’s hazard that phishing websites can first fool people into entering their password and username, before asking them to submit the correct 2FA code sent to their phone to the same bogus site.

Update: Toll says IT systems infected by new variant of ‘Mailto’ ransomware
Date: 2020-02-06
Author: CSO Online
Australian logistics and delivery firm Toll has confirmed the ransomware attack that forced it to take its IT systems offline was a new variant of the Mailto ransomware. Toll Group took some key IT systems offline last Friday after detecting the cyber attack and has gradually released more information about the attacks and their impact, on Monday confirming it was a ransomware attack. The latest update confirms its systems were infected by the Mailto ransomware.

Hackers are hijacking smart building access systems to launch DDoS attacks
Date: 2020-02-02
Author: ZDNet
Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control.

Anatomy of a rental phishing scam
Date: 2020-02-04
Author: Jeffrey Ladish
I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn’t realize this was a scam until about the third email! Below I will recount the story in excessive detail including screenshots.

ESB-2020.0424.2 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability
These are the “CDPwn” suite of vulnerabilities.

ESB-2020.0421 – Cisco IOS XR Software Intermediate System-to-Intermediate System DoS Vulnerability
DoS vulnerability for IS-IS routing protocol functionality in Cisco IOS XR Software.

Stay safe, stay patched and have a good weekend!
Mal
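The origin-bound SMS 2FA format described in the Apple/WebKit item above, as an added example that is not part of the newsletter or of Apple's code: the message's last line carries "@host #code", and an autofill agent releases the code only to a page whose host matches, so a look-alike phishing page never receives it. The "@host #code" trailing-line layout is taken from the WebKit explainer; the host names and codes are constructed sample data.

```javascript
// Added example, not from the newsletter or from Apple/WebKit.
// Assumed format (WebKit explainer): the LAST line of the SMS is
// "@<host> #<code>", binding the one-time code to the issuing website.
// Everything else (hosts, codes) is constructed sample data.

// Parse a text message; return { host, code } or null when the message
// carries no origin-bound code (legacy SMS, nothing to automate).
function parseOriginBoundCode(message) {
  const lines = message
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter(Boolean);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1];
  // Host: bare DNS name, no scheme or path; code: alphanumeric only.
  const m = /^@([a-z0-9.-]+)\s+#([a-z0-9]+)$/i.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2] };
}

// Decide whether the agent may hand the code to the page at `pageHost`.
// Release only on an exact host match; a phishing page on another host
// gets null and the user is never prompted to paste the code there.
function codeForPage(message, pageHost) {
  const parsed = parseOriginBoundCode(message);
  if (!parsed) return null;
  if (parsed.host !== pageHost.trim().toLowerCase()) return null;
  return parsed.code;
}

// Constructed sample messages (not real services).
const SMS_BOUND = "Your login code is 394722.\n\n@bank.example #394722";
const SMS_LEGACY = "Your login code is 394722.";

// Walk through the three cases a browser would meet.
function demo() {
  return {
    genuineSite: codeForPage(SMS_BOUND, "bank.example"),       // "394722"
    lookalikeSite: codeForPage(SMS_BOUND, "bank-example.com"), // null
    legacyMessage: codeForPage(SMS_LEGACY, "bank.example"),    // null
  };
}

console.log(demo());
```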
