Week in review

AUSCERT Week in Review for 6th March 2020

Greetings,

Welcome to March. This month sees us turning 27. As an organisation, we have come a long way since the day that student hacked into NASA in their spare time in 1993! 27 years later, we are still preaching our greater good ethos and are proud to be serving our members daily.

Soon, we will be sharing with you a copy of our Year in Review 2019 publication. This is something we have put together to help our members (and the public) understand the current trends in our industry from AUSCERT’s unique perspective; it will also provide an overview of our operations and offer a preview of our automation-focused road map for 2020 and beyond.

Last but not least, Happy International Women’s Day to all our readers. To celebrate and pay homage to our female colleagues, AUSCERT will be featuring a Women of AUSCERT series on our LinkedIn page throughout next week.

The Let’s Encrypt CAA Code Bug – A Plain View
Date: 2020-03-05 Author: AUSCERT Blog
Let’s Encrypt recently found a bug in their CAA checking code and, after remediating the bug on 2020-02-29 UTC (the evening of Friday 28 February, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totalling approximately 3 million certificates. Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties. Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in place could trigger errors in browsers and other applications and cause loss of availability and/or trust, all potentially causing harm to the companies that rely on them.
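A worked model of the CAA rechecking logic, added here as an example; it is not Boulder (Let’s Encrypt’s CA software) and the zone data is constructed. Let’s Encrypt’s own incident write-up described the defect as an order containing N names having one of those names checked N times instead of each name once; the buggy and fixed rechecks below show why that matters when one name in the order has a CAA record that denies issuance. The lookup climbs parent labels as RFC 8659 specifies, and the issue/issuewild and critical-flag handling follows that RFC.

```python
"""Per-name CAA rechecking, modelled after the Let's Encrypt 2020-02-29 bug.

Added example; this is not Boulder (Let's Encrypt's CA software). The DNS zone
data below is constructed for the demonstration. The CAA lookup follows
RFC 8659: climb from the name to its parents until a CAA RRset is found.
"""

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
CAA_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "locked.example": [(0, "issue", ";")],               # no CA may issue
    "partner.example": [(0, "issue", "otherca.example"),
                        (0, "issuewild", "letsencrypt.org")],
    "strict.example": [(128, "unknowntag", "x")],        # critical, unknown tag
}

def relevant_caa(zone, name):
    """Return the CAA RRset of the closest ancestor (including name itself)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_allows(zone, name, ca, wildcard=False):
    """True if `ca` may issue for `name` under RFC 8659 issue/issuewild rules."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True  # no CAA records anywhere up the tree: issuance permitted
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False  # critical flag on a tag this CA does not understand
    use_wild = wildcard and any(t == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if use_wild else "issue"
    # Strip any ";key=value" parameters from the record value.
    domains = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    if not domains:
        return False  # CAA present but no usable record for this tag: deny
    return ca in domains

def recheck_buggy(zone, names, ca):
    """The defect as Let's Encrypt described it: one name checked len(names) times."""
    return all(caa_allows(zone, names[0], ca) for _ in names)

def recheck_fixed(zone, names, ca):
    """Every name in the order gets its own CAA check."""
    return all(caa_allows(zone, n, ca) for n in names)
```

With the order `["www.example.com", "host.locked.example"]`, `recheck_buggy` returns True (the permitted first name is checked twice) while `recheck_fixed` returns False, because `locked.example` publishes `issue ";"`. The same loop shape is worth a test in any code that validates a list of identifiers: check that the function is actually called once per item, not once per count.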
Social Engineering Risks: How to Patch the Humans in Your Organization
Date: 2020-02-28 Author: PenTest Magazine
Employees have long been presumed to be the weakest link in the corporate cybersecurity chain. New research from Proofpoint’s Human Factor report claims that over 99% of email-borne cyber-attacks require human intervention to work. Hackers are primarily targeting people, rather than technology systems, to get what they want. Technically anyone in your organization could be on the receiving end of such an attack. Organizations need to do better at protecting and educating the Very Attacked People (VAPs) in their midst. As always, a defense-in-depth approach makes the best sense. This should start with user awareness training and education, but not rely 100% on it. By adding other layers, you stand a better chance of knocking back the hackers in the event that they manage to trick an employee or bypass a security solution.

Citrix vulnerability used for potential Defence recruitment database access
Date: 2020-03-04 Author: ZDNet
The Australian Signals Directorate (ASD) has revealed that a vulnerability in Citrix, announced over Christmas, could have been used by malicious actors to access a database of Australian Defence recruitment details. “On the 24th of January … through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue,” newly installed director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates on Wednesday night. Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.
Fraud Prevention Month: How to protect yourself from scams
Date: 2020-03-04 Author: WeLiveSecurity
Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items: we may appreciate that it can happen, but unless it is happening to us at this moment in time we can often be guilty of delaying preventative action. For businesses the risk is compounded; fraud may affect the daily operations of the business and, if it requires public disclosure, can lead to loss of reputation and potentially create an atmosphere of distrust with customers. Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity.

ASB-2020.0051 – Android: Multiple vulnerabilities
The March 2020 patch level for Android includes fixes for multiple critical vulnerabilities.

ESB-2020.0769 – zsh: Increased privileges
The commonly used zsh shell had a flaw in its --no-PRIVILEGED option: privileges dropped with that option could be regained by a user able to execute commands.

ESB-2020.0746 – Salt: Unauthenticated RCE
A SecOps product fixed an unauthenticated command injection vulnerability.

Stay safe, stay patched and have a good weekend!
Sean & Mal


AUSCERT Week in Review for 28th February 2020

Greetings,

Just a reminder that on Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual but the source email address will be changed to bulletins@auscert.org.au. This change is being made to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March.

Last but not least, AUSCERT, as an ally of the LGBTIQ+ community, would like to wish all members a safe and enjoyable Mardi Gras weekend.

Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data
Date: 2020-02-24 Author: Threatpost
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email. Shedding light on the potential harm of this scenario is German software engineer Tommy Mysk. Mysk said that any app that can constantly read a device’s clipboard can easily abuse the data. One caveat to the developer’s research was that iOS only allows apps to read clipboard data when the apps are active and in the foreground. Apple is no stranger to clipboard concerns. Three years ago a Reddit user pleaded: “Apple should fix the clipboard on iOS to make accessing it require permission. This is a massive opening for malicious apps.”

Australian Government attacked over ransomware ‘epidemic’
Date: 2020-02-25 Author: Micky
The shadow assistant minister for cyber security Tim Watts has taken aim at the Federal Government over a lack of attention to the ransomware epidemic.
In an opinion piece published in the Australian Financial Review, Watts cited last year’s attack on hospitals in the Gippsland Health Alliance and the South West Alliance of Rural Health, as well as the more recent attack on global transport company Toll, as warning signs that the threat was increasing.

As Coronavirus Spreads, So Does Covid-19 Themed Malware
Date: 2020-02-27 Author: Bleeping Computer
Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop the Remcos RAT and other malware payloads on their targets’ computers via malicious files that promise to provide Coronavirus safety measures. Yoroi researchers recently spotted a suspicious CoronaVirusSafetyMeasures_pdf.exe executable after it was submitted to their free sandbox-based file analysis service. As the Yoroi research team later discovered, the executable is an obfuscated Remcos RAT dropper that drops a Remcos RAT executable on the compromised computer, together with a VBS file designed to run the RAT. Essentially, COVID-19 is a popular phishing bait right now. The World Health Organization (WHO) recently warned of active Coronavirus-themed phishing attacks that impersonate the organization with the end goal of delivering malware and stealing sensitive information.

Massive DDoS Attack Shuts Down Iran’s Internet, Tehran Blames Washington
Date: 2020-02-21 Author: CPO Magazine
The head of Iran’s Civil Defense has accused Washington of the latest large-scale cyber-attack that targeted Iranian infrastructure. The coordinated Distributed Denial of Service attack affected two mobile operators and partially shut down Iran’s internet for hours.

Corruption watchdog calls for mandatory data breach laws in Qld
Date: 2020-02-26 Author: iTnews
Queensland’s corruption watchdog has called for state government agencies to be subjected to a mandatory data breach notification scheme after uncovering corruption risks around confidential information.
The Crime and Corruption Commission made the recommendation in its Operation Impala report into the misuse of confidential information in the state’s public sector. The inquiry found “potential corruption risks associated with confidential information” at seven government agencies, including police, health, transport, education and corrective services. The report, handed down on Friday, recommended that the mandatory data breach scheme be developed and managed by the Office of the Information Commissioner Queensland (OIC).

ASB-2020.0049 – ALERT [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
There have been reports of active exploits in the wild.

ASB-2020.0050 – ALERT [Win] Microsoft Edge: Multiple vulnerabilities
The corresponding advisory from Microsoft, as Edge is now based on Chromium.

ESB-2020.0712 – [Cisco] Cisco Wi-Fi Products: Multiple vulnerabilities
A concerning vulnerability affecting multiple Cisco Wi-Fi devices.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.


AUSCERT Week in Review for 21st February 2020

Greetings,

On Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual but the source email address will be changed to bulletins@auscert.org.au. This change is being made to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March.

Please see below for a selection of this week’s interesting news articles and security advisories.

China seeks help of national tech giants to track coronavirus with QR codes
Date: 2020-02-18 Author: iTnews
China’s government is enlisting the help of Alibaba Group Holding Ltd and Tencent Holdings Ltd to expand colour-based systems for tracking individuals affected by the coronavirus nationwide. On Wednesday, Alipay, the payment app operated by Alibaba’s financial division Ant Financial, released a feature in collaboration with the government that assigns a coloured QR code representing the health of residents in Hangzhou.

APIs are becoming a major target for credential stuffing attacks
Date: 2020-02-19 Author: CSO Online
New research shows that attackers use APIs to automate credential stuffing attacks. The financial sector is particularly vulnerable.

South Korea sees rise in smishing with coronavirus misinformation
Date: 2020-02-17 Author: ZDNet
The South Korean government has warned the public of a sharp rise in smishing attempts – scam text messages – that use misinformation about the novel coronavirus outbreak.
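For the credential stuffing article above, a detection one can run over API login logs, added here as an example (it is not from the research CSO Online reports on). The log lines are constructed and use a simplified JSON-lines shape; the field names are an assumption to be mapped onto your own gateway’s format. The heuristic is the usual one: a single source trying many distinct usernames in a short window, mostly failing, is stuffing rather than a user mistyping, and the few successes are the accounts to lock and reset.

```python
"""Credential-stuffing detection over API login logs (added example, not from
the CSO Online research). Log lines below are constructed for the demo."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts":"2020-02-19T10:00:01Z","src":"203.0.113.7","path":"/api/v1/login","user":"alice","status":401}
{"ts":"2020-02-19T10:00:02Z","src":"203.0.113.7","path":"/api/v1/login","user":"bob","status":401}
{"ts":"2020-02-19T10:00:02Z","src":"203.0.113.7","path":"/api/v1/login","user":"carol","status":401}
{"ts":"2020-02-19T10:00:03Z","src":"203.0.113.7","path":"/api/v1/login","user":"dave","status":200}
{"ts":"2020-02-19T10:00:03Z","src":"203.0.113.7","path":"/api/v1/login","user":"erin","status":401}
{"ts":"2020-02-19T10:00:04Z","src":"203.0.113.7","path":"/api/v1/login","user":"frank","status":401}
{"ts":"2020-02-19T10:00:10Z","src":"198.51.100.4","path":"/api/v1/login","user":"alice","status":401}
{"ts":"2020-02-19T10:00:15Z","src":"198.51.100.4","path":"/api/v1/login","user":"alice","status":401}
{"ts":"2020-02-19T10:00:20Z","src":"198.51.100.4","path":"/api/v1/login","user":"alice","status":200}
{"ts":"2020-02-19T10:30:00Z","src":"203.0.113.7","path":"/api/v1/balance","user":"dave","status":200}
"""

def parse(lines):
    """Yield one dict per JSON log line with the timestamp parsed."""
    for line in lines.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def find_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                  min_fail_ratio=0.6, login_path="/api/v1/login"):
    """Flag source IPs that try >= min_users distinct usernames inside `window`
    with a failure ratio >= min_fail_ratio. Returns
    {src: {"users": n, "attempts": n, "failures": n, "succeeded": [...]}}."""
    by_src = defaultdict(list)
    for rec in parse(lines):
        if rec["path"] == login_path:
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):           # sliding window per source
            win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            users = {r["user"] for r in win}
            failures = sum(r["status"] == 401 for r in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alerts[src] = {
                    "users": len(users), "attempts": len(win), "failures": failures,
                    "succeeded": sorted(r["user"] for r in win if r["status"] == 200),
                }
                break
    return alerts
```

On the sample, 203.0.113.7 is flagged (six usernames in three seconds, five failures, one hit on `dave`) and 198.51.100.4, which retried a single account, is not. Real campaigns spread across proxy pools, so the same counting is worth repeating keyed on ASN, user-agent or TLS fingerprint rather than on the source address alone.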
Firmware Weaknesses Can Turn Computer Subsystems
Date: 2020-02-19 Author: Dark Reading
Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants.

Why fixing security vulnerabilities in medical devices, IoT is so hard
Date: 2020-02-20 Author: Ars Technica
When your family opened up that brand-new computer when you were a kid, you didn’t think of all the third-party work that made typing in that first BASIC program possible. There once was a time when we didn’t have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day. The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices, and it serves as a demonstration of how the software component supply chain and the availability of support can affect the ability of organizations to update devices to fix security bugs, especially in the embedded computing space.

Samsung freaks out smartphone owners with mysterious ‘1’ notification
Date: 2020-02-20 Author: Graham Cluley
Many owners of Samsung smartphones have received an odd notification from the Find My Mobile app. Curious users who clicked on the notification message found that it simply disappeared, leaving them none the wiser. The truth, however, is this: no, it’s nothing malicious. It was just an accident, as Samsung explained on Twitter, and it’s not the first time a test message has accidentally gone to the wider public.

ESB-2020.0537 – chromium-browser security update
Keep those browsers updated!

ESB-2020.0536 – firefox security update
As above.
ESB-2020.0548 – sudo security update
Another sudo vulnerability.

ESB-2020.0601 – USN-4289-1: Squid vulnerabilities
DoS, bypass and possibly RCE in a popular web proxy product.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.


AUSCERT Week in Review for 14th February 2020

Happy Friday (and Valentine’s Day for those who celebrate)! If you’re still looking for some last-minute gift inspiration, we recommend giving your significant other the gift of security and helping them set up two-factor authentication on their accounts (credit: CERT NZ).

In addition to our weekly summary below, please keep an eye out for a copy of our membership newsletter in your inbox today; there are some important messages in there, including a copy of our survey results and some upcoming changes to how we send security bulletins. From Monday 2nd of March we will be sending bulletins from bulletins@auscert.org.au rather than auscert@auscert.org.au. Get ready to update your mail rules. Until next week.

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Date: 2020-02-11 Author: Threatpost
Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical and the rest are rated as important.

Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm
Date: 2020-02-10 Author: Threatpost
The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute-force loops.

Puerto Rico govt loses $2.6M in phishing scam
Date: 2020-02-13 Author: AP News
Puerto Rico’s government has lost more than $2.6 million after falling for an email phishing scam, according to a senior official. The finance director of the island’s Industrial Development Company, Rubén Rivera, said in a complaint filed to police on Wednesday that the agency sent the money to a fraudulent account.
Dangerous Domain Corp.com Goes Up for Sale
Date: 2020-02-08 Author: Krebs on Security
As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable: corp.com. It is sensitive because years of testing show that whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe. During an eight-month analysis of wayward internal corporate traffic destined for corp.com in 2019, security researcher Jeff Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving – including attempts to log in to internal corporate networks and access specific file shares on those networks.

ASB-2020.0043 – Windows Malicious Software Removal Tool
Microsoft’s Patch Tuesday included fixes for the Windows Malicious Software Removal Tool.

ASB-2020.0038 – Microsoft Patch Tuesday updates for Windows (February 2020)
Microsoft’s Patch Tuesday also included fixes for 81 Windows vulnerabilities.

ESB-2020.0480 – Security Updates Available for multiple Adobe products
This bulletin contains 5 Adobe security advisories.

Stay safe, stay patched and have a good weekend!
Mal


AUSCERT Week in Review for 7th February 2020

Greetings,

The AUSCERT team would like to thank all members who completed our 2019 Annual Survey. All respondents who completed the survey non-anonymously will receive a branded wireless charging mouse pad, and our survey results will be shared next week. And last but not least, our AUSCERT2020 Early Bird registrations and ticket sales are now in full swing, so be sure to tap into your membership benefits. Please note that our membership team will be sending out member token emails in the coming weeks, so be sure to look out for these in your inbox.

CDPwn: 5 Zero-Days in Cisco Discovery Protocol
Date: 2020-02-06 Author: Armis
Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. [See ESB-2020.0424.2, which was sent as an AUSCERT alert bulletin.]

Apple proposes simple security upgrade for SMS 2FA codes
Date: 2020-02-03 Author: Naked Security
Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction. The concept proposed by the company’s Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website. This dodges today’s hazard that phishing websites can first fool people into entering their username and password, before asking them to submit the correct 2FA code sent to their phone to the same bogus site.

Update: Toll says IT systems infected by new variant of ‘Mailto’ ransomware
Date: 2020-02-06 Author: CSO Online
Australian logistics and delivery firm Toll has confirmed the ransomware attack that forced it to take its IT systems offline was a new variant of the Mailto ransomware.
Toll Group took some key IT systems offline last Friday after detecting the cyber attack and has gradually released more information about the attack and its impact, on Monday confirming it was a ransomware attack. The latest update confirms its systems were infected by the Mailto ransomware.

Hackers are hijacking smart building access systems to launch DDoS attacks
Date: 2020-02-02 Author: ZDNet
Hackers are actively searching the internet for and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control.

Anatomy of a rental phishing scam
Date: 2020-02-04 Author: Jeffrey Ladish
I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn’t realize this was a scam until about the third email! Below I will recount the story in excessive detail, including screenshots.

ESB-2020.0424.2 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability
These are the “CDPwn” suite of vulnerabilities.

ESB-2020.0421 – Cisco IOS XR Software Intermediate System-to-Intermediate System DoS Vulnerability
DoS vulnerability for IS-IS routing protocol functionality in Cisco IOS XR Software.

Stay safe, stay patched and have a good weekend!
Mal
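Returning to the SMS 2FA article above: the anti-phishing property comes from binding the code to a site, so that a browser only fills it into a page whose host matches. The code below is an added example, not Apple’s or WebKit’s, and the message layout it parses is an assumption based on my reading of the WebKit team’s proposal: the last line of the SMS carries `@<host> #<code>`. The sample messages are constructed.

```python
"""Origin-bound SMS one-time code handling (added example, not Apple's or
WebKit's code). Message format assumed: last line is "@<host> #<code>".
Sample messages are constructed."""
import re
from urllib.parse import urlsplit

BOUND_LINE = re.compile(r"^@(?P<host>[a-z0-9.-]+) #(?P<code>[a-z0-9-]+)$", re.IGNORECASE)

def parse_otp_sms(text):
    """Return (host, code) from the binding line, or None when the message is
    not in the agreed format. Unbound messages get no automatic handling."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines:
        return None
    m = BOUND_LINE.match(lines[-1])
    return (m["host"].lower(), m["code"]) if m else None

def code_for_page(text, page_url):
    """Hand the code to the page only when the page's host equals the bound
    host exactly. Look-alike hosts (example.com.evil.test) and unrelated
    subdomains do not match, which is what defeats the relay-phishing site."""
    parsed = parse_otp_sms(text)
    if parsed is None:
        return None
    host, code = parsed
    return code if urlsplit(page_url).hostname == host else None

# Constructed messages: one in the bound format, one legacy free-text code.
SAMPLE_SMS = "747723 is your example.com authentication code.\n\n@example.com #747723"
LEGACY_SMS = "Your verification code is 884512."
```

A phishing page on `example.com.evil.test` never sees the code, because the browser, not the user, decides which origin the code belongs to; the legacy message yields nothing and still relies on the user reading it.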


AUSCERT Week in Review for 31st January 2020

Greetings,

It is the end of another week, and another month – 2020 seems to be moving fast!

Call for Presentations and Tutorials – AUSCERT Conference
Date: 2020-01-31 Author: AUSCERT2020
Do YOU or someone YOU KNOW have a great story to tell? We would like to hear it! Our AUSCERT2020 Call for Presentations and Tutorials closes at midnight AEST and submissions can be entered here. The AUSCERT2020 Program Committee welcomes original contributions for presentations not previously published nor submitted in parallel for publication to any other conference or workshop taking place in proximity to the conference.

Citrix rolls out final patches to defend against the CVE-2019-19781 vulnerability
Date: 2020-01-27 Author: The Daily Swig
Citrix has completed the process of releasing patches for all supported versions of its technology affected by the CVE-2019-19781 vulnerability. The now-infamous security flaw, which affects Citrix Application Delivery Controller (ADC) and Gateway products, first surfaced in mid-December. Proof-of-concept exploit code dropped earlier this month. This prompted Citrix to double down on its patch release schedule – a process it completed on Friday. Immediate patching is strongly recommended. [See AUSCERT ESB-2019.4708.8 for what may be the final version of Citrix’s advisory.]

What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords
Date: 2020-01-28 Author: CyberScoop
A website that informs users if their email address has been swept up in a data breach isn’t just popular with vigilant business owners or private security sleuths. The man charged with protecting the Department of Homeland Security’s systems from hackers also maintains an account on the “Have I been Pwned?” website, and it regularly reminds him of the risks passwords pose.
“I get emails from this website … on a monthly or bimonthly basis,” DHS CISO Paul Beckman said Tuesday at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop. “That is how often my username and password is getting compromised.” Beckman said he registered both his personal and DHS email addresses on the website. The good news for him is that he uses a “second factor” – something like an SMS message or an authentication app – to log into his accounts and keep hackers out of them.

United Nations Confirms ‘Serious’ Cyberattack With 42 Core Servers Compromised
Date: 2020-01-30 Author: Forbes
One week after the United Nations called for an investigation into the claims that Jeff Bezos’ smartphone was hacked by Saudi Crown Prince Mohammed bin Salman, a claim that I first reported in March 2019, another investigation has revealed that the UN itself has been hacked. The leak of an internal UN report to investigators at The New Humanitarian shows that core infrastructure servers were compromised during a successful cyberattack last year. Although not yet attributed, the attack fingerprint suggests sophisticated APT actors. It’s further understood that the hackers used a known vulnerability (CVE-2019-0604) in an internet-facing Microsoft SharePoint server, a web-based collaborative platform integrated with Microsoft Office. A UN spokesperson confirmed that a decision not to disclose the breach was taken.

Legacy TLS is on the way out: Start deprecating TLSv1.0 and TLSv1.1 now
Date: 2020-01-23 Author: Scott Helme
With TLS having taken some great steps forward in recent years, with TLSv1.2 in 2008 and TLSv1.3 in 2018, it’s time to start dropping support for the legacy versions of TLS. It would be good to remove these legacy versions now, but it’s more important that we upgrade to support higher versions, and we do have some encouragement beyond me telling you it’s a good idea.
Chrome is now warning users about sites they visit that are using either TLSv1.0 or TLSv1.1 for the connection. It’s not just Chrome either: Firefox announced they are going to drop all support for both TLSv1.0 and TLSv1.1 in March 2020, and they announced this all the way back in October 2018!

Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina
Date: 2020-01-29 Author: SecurityWeek
Apple this week released software updates to address tens of security flaws in iOS, iPadOS, macOS Catalina, and other products. A total of 23 vulnerabilities were addressed in iOS 13.3.1 and iPadOS 13.3.1, now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation. The flaws impact components such as Audio, FaceTime, ImageIO, IOAcceleratorFamily, IPSec, Kernel, libxpc, Mail, Messages, Phone, Safari Login AutoFill, Screenshots, and wifivelocityd.

ESB-2020.0282 – Cisco Webex Meetings Suite and Cisco Webex Meetings Online
“A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password.”

ESB-2020.0310 – USN-4256-1: Cyrus SASL vulnerability
“Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.”

ESB-2020.0273 – git security update
Multiple git issues addressed.

ESB-2020.0291 – Intel Processors Data Leakage Advisory
“Potential security vulnerabilities in some Intel Processors may allow information disclosure.”

ESB-2020.0351 – macOS: Multiple vulnerabilities
Multiple issues addressed.

Stay safe, stay patched and have a good weekend!
The AUSCERT team.


Week in Review for 24th January 2020

Greetings,

The AUSCERT team would like to wish all of you a relaxing Australia Day long weekend, and a Happy Lunar New Year to those who celebrate. A reminder that the auscert@auscert.org.au mailbox will not be monitored on Monday 27 January as it is a nationwide public holiday. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

Fraudsters impersonate Chinese consulate in scam targeting international students
Date: 2020-01-23 Author: ABC News
Police say scores of international students in Queensland have been stung in a scam where fraudsters impersonated the Chinese consulate and demanded thousands of dollars to avoid deportation.

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
Date: 2020-01-20 Author: ZDNet
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices. The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet. According to experts to whom ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom but easy-to-guess password combinations.

5 tips to avoid spear-phishing attacks
Date: 2020-01-17 Author: Naked Security
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself. The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name. You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.

Inside Pwn2Own’s High-Stakes Industrial Hacking Contest
Date: 2020-01-24 Author: WIRED
On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: a so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.

Former ACSC chief MacGibbon blasts calls to legitimise screen scrapers
Date: 2020-01-21 Author: iTnews
Australia’s high-profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning that any weakening of security controls under open banking will create an instant target list for hackers.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance
Author: Help Net Security
Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.

Microsoft Exposed 250 Million Customer Support Records
Date: 2020-01-20 Author: SecurityWeek
Nearly 250 million Microsoft Customer Service and Support records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports. The records on those servers contained 14 years’ worth of logs of conversations between support agents and customers, all of which could be accessed by anyone directly from a browser, without any form of authentication. In an update, Microsoft says that the exposure was the result of a misconfiguration that occurred on December 5, but that its investigation into the incident did not reveal malicious use.

ESB-2019.4708.7 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
The RCE in Citrix NetScaler which has been making headlines lately; the advisory was updated this week with patches for specific versions.

ESB-2020.0262 – Red Hat kernel security and bug fix update
Linux kernel upgrades patching severe vulnerabilities reach RHEL 8 for SAP.

ESB-2020.0261 – Red Hat chromium-browser security update
Red Hat releases an Important update for chromium-browser.

Stay safe, stay patched and have a good weekend!
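For the Citrix ADC / Gateway bulletin above (ESB-2019.4708.7, CVE-2019-19781): the flaw is a path traversal, and the publicly documented indicator of probing is a request path that reaches `/vpns/` through `/vpn/../`, typically aimed at `/vpns/cfg/smb.conf` (a read that confirms the traversal) or `/vpns/portal/scripts/newbm.pl` (the write used for code execution). The scanner below is an added example, not Citrix’s tooling; the access-log lines are constructed in combined-log format, and the regex is an assumption to adjust to your own log layout. Paths are percent-decoded twice before matching so encoded variants are not missed.

```python
"""Scan web access logs for CVE-2019-19781 probing (added example; not Citrix's
tooling). Constructed combined-format log lines; adjust LOG_RE to your layout."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one benign request, two plain probes, one encoded probe,
# one normal logon page hit.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2020:03:12:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532
198.51.100.23 - - [11/Jan/2020:03:12:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.23 - - [11/Jan/2020:03:12:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
203.0.113.5 - - [11/Jan/2020:04:01:44 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.10 - - [11/Jan/2020:04:05:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9011
"""

def normalise(path):
    """Drop the query string and percent-decode twice (double encoding is common)."""
    return unquote(unquote(path.split("?", 1)[0]))

def classify(path):
    """Return a reason string for a suspicious path, or None."""
    p = normalise(path)
    if "/vpn/../vpns/" in p or "/vpns/portal/scripts/" in p:
        return "cve-2019-19781"
    if "/../" in p:
        return "traversal"
    return None

def scan(lines):
    """Return (src, status, reason, raw_path) for each suspicious request."""
    hits = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["path"])
        if reason:
            hits.append((m["src"], int(m["status"]), reason, m["path"]))
    return hits
```

The status code is the part to read carefully: a 200 on the `smb.conf` read followed by a 200 on `newbm.pl` means the traversal worked and the host should be treated as compromised, while a 403 on the same path is what Citrix’s responder-policy mitigation returns when it is in place.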


AUSCERT Week in Review for 17th January 2020

Greetings,

Is everyone still reeling from Microsoft Patch Tuesday? The Windows CryptoAPI vulnerability has security professionals across the world scrambling as news spread across the internet. Spoofing certificates has never been easier! In other news, go check for mitigations for your Citrix Gateways and ADCs. Citrix advises that certain releases of Citrix ADC are still vulnerable even after application of the mitigation steps. To make things even spicier, the remote code execution vulnerability is being actively exploited in the wild, and with Shodan showing over 125,400 Citrix ADC or Gateway servers publicly accessible… Yikes!

CVE-2020-0601 – An Exploit has been made public.
Date: 2020-01-16 Author: SANS Internet Storm Center
There is no catchy name or logo for this vulnerability. It is referred to as “CVE-2020-0601”, “CryptoAPI ECC Verification Vulnerability,” or “crypt32.dll Vulnerability” and several other names. It is probably best to use the CVE number as an identifier. Only Windows 10 and Windows Server 2016 and 2019 are affected. Windows 7 is not affected. We also made a simple PowerPoint presentation available to help you brief management on the issue.

PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability
Date: 2020-01-11 Author: The Hacker News
It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code for a recently disclosed remote code execution vulnerability in Citrix’s NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets.
Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. Microsoft fixes Windows crypto bug reported by the NSA Date: 2020-01-14 Author: ZDNet Microsoft has released a security update today to fix “a broad cryptographic vulnerability” impacting the Windows operating system. “Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all “critical patches” but is doubly true at this time,” Yonatan Striem-Amit, CTO and Cofounder of Cybereason told ZDNet earlier today. The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations. “A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft also said. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. Some noteworthy bulletins this week are as follows: Vulnerability in Citrix Application Delivery Controller and Citrix Gateway Certain releases of Citrix ADC are still vulnerable to exploits. Security update for Microsoft Windows Microsoft’s Patch Tuesday included code-signing spoof vulnerability. Stay safe, stay patched and have a good weekend! Mal
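The CryptoAPI flaw in the SANS and ZDNet items above, CVE-2020-0601, has a publicly documented root cause: crypt32.dll accepted explicit elliptic-curve parameters carried inside a certificate and matched the certificate to a trusted root by its public key alone, so the attacker, not the curve standard, got to choose the generator. The script below is an added example, not code from SANS, ZDNet, Microsoft or AUSCERT, and not a model of Windows' internals; it reproduces that class of mistake in a small pure-Python P-256 implementation. The "certificate" dictionaries, the function names and the to-be-signed body are constructed for the illustration, and the arithmetic is affine and not constant-time.

```python
"""Toy model of the CVE-2020-0601 verification flaw (added example, not
Windows code). The attacker never has the CA's private key d_ca; they pick
their own d' and a generator G' = d'^-1 * Q_ca so that d' * G' == Q_ca, then
ship G' as 'explicit curve parameters'. A verifier that honours those
parameters and matches the trusted root by public point alone accepts the
forgery. Pure-Python affine P-256; not constant-time, for illustration."""
import hashlib
import secrets

# NIST P-256 domain parameters (standard values; b is not needed here).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(d, msg, gen):
    """ECDSA with private scalar d relative to generator `gen`."""
    e = hash_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, gen)[0] % N
        s = (e + r * d) * pow(k, -1, N) % N
        if r and s:
            return (r, s)


def ecdsa_verify(pub, msg, sig, gen):
    """Textbook ECDSA verification relative to generator `gen`."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = ec_add(ec_mul(hash_int(msg) * w % N, gen), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def verify_flawed(trusted_pub, cert):
    """Flawed: trusts the generator carried in the certificate."""
    return cert["pub"] == trusted_pub and ecdsa_verify(
        cert["pub"], cert["tbs"], cert["sig"], cert["gen"])


def verify_strict(trusted_pub, cert):
    """Fixed: a key claiming P-256 must use the named curve's generator."""
    if cert["gen"] != G:
        return False
    return cert["pub"] == trusted_pub and ecdsa_verify(
        cert["pub"], cert["tbs"], cert["sig"], G)


def demo(ca_priv=None):
    """Verify a genuine CA signature and a forgery under both verifiers."""
    ca_priv = ca_priv or secrets.randbelow(N - 1) + 1   # unknown to attacker
    ca_pub = ec_mul(ca_priv, G)                          # what the root store holds
    tbs = b"constructed to-be-signed certificate body"
    genuine = {"pub": ca_pub, "gen": G, "tbs": tbs,
               "sig": ecdsa_sign(ca_priv, tbs, G)}
    d_forged = secrets.randbelow(N - 1) + 1
    g_forged = ec_mul(pow(d_forged, -1, N), ca_pub)      # d' * G' == Q_ca
    assert ec_mul(d_forged, g_forged) == ca_pub
    forged = {"pub": ca_pub, "gen": g_forged, "tbs": tbs,
              "sig": ecdsa_sign(d_forged, tbs, g_forged)}
    return {"genuine_flawed": verify_flawed(ca_pub, genuine),
            "genuine_strict": verify_strict(ca_pub, genuine),
            "forged_flawed": verify_flawed(ca_pub, forged),
            "forged_strict": verify_strict(ca_pub, forged)}


if __name__ == "__main__":
    print(demo())
```

The forgery works because ECDSA verification only ever relates the public point to whatever generator it is told to use; Q_ca = d'·G' is a perfectly valid key pair on P-256 with a different base point, and only the standard says the base point must be G. verify_strict encodes that rule by refusing any key whose parameters are not the named curve's, which is the shape of the fix: a key that claims a named curve may not carry its own generator.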


AUSCERT Week in Review for 6th December 2019

Greetings,

The Christmas season is fast approaching. Do you hang up stockings or keyboards and mice? AUSCERT will be shutting down for a week between December 25th and January 1st inclusive. This means mailboxes will not be monitored. However, we will still provide the 24/7 Member Hotline. Feel free to give us a call during the break if you need assistance.

We’ve also sent out links for the 2019 AUSCERT Member Survey. Please do check it out and give us your feedback – we’re keen to know where to put our efforts.

Microsoft Patches Vulnerability Leading to Azure Account Takeover
Date: 2019-12-03 Author: SecurityWeek
Microsoft recently addressed an OAuth 2.0 vulnerability that could allow an attacker to take over Azure accounts. The issue impacts specific Microsoft OAuth 2.0 applications and allows an attacker to create tokens with the victim’s permissions, CyberArk’s security researchers have discovered. The root cause of the security flaw, which CyberArk calls BlackDirect, is that anyone can register domains and sub-domains that OAuth applications trust. Moreover, because the apps are approved by default and can ask for an access_token, an attacker could gain access to Azure resources, AD resources and more.

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Date: 2019-12-05 Author: The Register
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software. Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack. As Ormandy explained, “you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you’re talking to a trusted local service and not an attacker.”

Two malicious Python libraries caught stealing SSH and GPG keys
Date: 2019-12-04 Author: ZDNet
The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries were created by the same developer and mimicked other more popular libraries — using a technique called typosquatting to register similarly-looking names.

Federal cops spring domestic violence RAT trap
Date: 2019-12-02 Author: iTnews
An Australian Federal Police operation in conjunction with peer international agencies and Europol has shuttered commercial access to the Imminent Monitor Remote Access Trojan (IM-RAT), with the malware allegedly being commonly used to stalk domestic violence victims, authorities say. Sales records accessed in the swoop showed there may be more than 14,500 buyers, with the Trojan advertised via a website dedicated to hacking and the use of criminal malware, and a licence costing as little as US$25, the AFP said.

Noteworthy bulletins this week:

ESB-2019.4548 – patch: remote code execution
It’s not often in 2019 that you see vulnerabilities featuring ed, “the standard editor” which spawned emacs and vim.

ESB-2019.4556 – Oniguruma: Multiple vulnerabilities
A host of issues in the widely-used regex library Oniguruma.

ESB-2019.4554 – Wireshark: CMS dissector crash
Wireshark’s dedication to filing CVEs any time their program can be made to crash is an inspiration to us all.

ESB-2019.4520 – [ALERT] TightVNC: Unauthenticated RCE
No proof of concept is available but an unauthenticated RCE is suspected in a program often used to contact unfamiliar hosts.

Stay safe, stay patched and have a good weekend!
David

“Coral” header image by Evan Yes on Unsplash.
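Typosquatting, as in the ZDNet item above, works because a dependency name is usually typed once and read never. The check below is an added example, not code from ZDNet, PyPI or AUSCERT: it scans a requirements.txt body against a list of packages you are known to use and flags names that impersonate one of them through confusable glyphs (capital I for l, digit 1 for l, 0 for o, "rn" for m), through a "python-"/"python3-"/"-py" decoration, or through a small edit distance. The allow-list, the requirements file and the squatted names in it are constructed for the example; a real deployment would feed it the names a project genuinely depends on.

```python
"""Flag requirement names that impersonate a known package (added example).
Catches confusable glyphs, distribution-style prefixes/suffixes and
near-miss spellings; the typosquatting pattern in the ZDNet item above."""
import re

# Constructed allow-list; in practice, the names your projects really depend on.
KNOWN = ("requests", "urllib3", "python-dateutil", "jellyfish", "numpy",
         "six", "cryptography")
PREFIXES = ("python-", "python3-", "py-", "py3-")
SUFFIXES = ("-python", "-python3", "-py", "-py3")
REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def skeleton(name):
    """Collapse glyphs a reader confuses: capital I / digit 1 / pipe -> l,
    0 -> o, 'rn' -> m; then normalise case and separators (PEP 503 style)."""
    name = name.replace("I", "l").replace("1", "l").replace("|", "l")
    name = name.lower().replace("0", "o").replace("rn", "m")
    return name.replace("_", "-").replace(".", "-")


def strip_affixes(name):
    """Remove one leading and one trailing 'python'/'py' decoration."""
    for p in PREFIXES:
        if name.startswith(p) and len(name) > len(p):
            name = name[len(p):]
            break
    for s in SUFFIXES:
        if name.endswith(s) and len(name) > len(s):
            name = name[:-len(s)]
            break
    return name


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, known=KNOWN):
    """Return (impersonated_name, reason) or None. Exact matches, compared
    case- and separator-insensitively, are never flagged."""
    canon = name.lower().replace("_", "-").replace(".", "-")
    if canon in known:
        return None
    candidates = {skeleton(name), strip_affixes(skeleton(name))}
    for k in known:
        ks = skeleton(k)
        if ks in candidates:
            return (k, "lookalike name")
        if len(k) >= 5:                       # short names give too much noise
            limit = 1 if len(k) <= 7 else 2
            if min(levenshtein(c, ks) for c in candidates) <= limit:
                return (k, "edit distance")
    return None


def audit(requirements_text):
    """Scan a requirements.txt body; returns (name, impersonated, reason) tuples."""
    findings = []
    for line in requirements_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = REQ_NAME.match(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            findings.append((m.group(1),) + verdict)
    return findings


SAMPLE_REQUIREMENTS = """\
# constructed requirements file for the example
requests==2.22.0
reqeusts==2.22.0
urlIib3>=1.25
python3-dateutil
jellyfish==0.7.2
numpy==1.18.0
six
"""

if __name__ == "__main__":
    for name, target, reason in audit(SAMPLE_REQUIREMENTS):
        print(f"{name!r} looks like {target!r} ({reason})")
```

On the constructed file the three squats are reported and the four genuine entries are not. The glyph skeleton is applied before lower-casing so that a capital I is still distinguishable from a lower-case i when it is mapped to l; the edit-distance limit scales with the length of the known name so that five-letter names are not matched by everything one letter away.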


AUSCERT Week in Review for 10th January 2020

Greetings,

The big headline this week is the opening of physical hostilities between the US and Iran, one of its long-standing cyber-adversaries (remember Stuxnet?). While we’re staying out of the politics, it does mean that there might be more cyber-attacks flying around on the internet than usual. Maybe Iran’s Silent Librarian APT will take a break from targeting universities for IP and focus their efforts in that direction. There’s also been a lot of ransomware in the news recently, so we’ve collated a few of the bigger stories.

The cyber pirates of the Caribbean
Date: 2020-01-06 Author: ABC News
When Jane Smith invested $670,000 to boost her retirement savings, it was flushed into a river of stolen cash flowing out of Australia and into the pockets of criminals. An ABC investigation has tracked down where the money went.

DHS: Iran maintains a robust cyber program and can execute cyber-attacks against the US
Date: 2020-01-07 Author: ZDNet
The US government has issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday. The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place. According to the DHS’ NTAS alert, possible attack scenarios could include “scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”

DeathRansom Campaign Linked to Malware Cornucopia
Date: 2020-01-07 Author: Threatpost
An ongoing DeathRansom malware campaign has been found by researchers to be part of a larger collection of malicious offensives, all carried out by an actor going by the nickname “scat01”. According to Artem Semenchenko and Evgeny Ananin at FortiGuard Labs, evidence found on Russian underground forums and in their forensic investigations points to a significant connection between ongoing DeathRansom and various infostealing malware campaigns, all likely directed by one Russian-speaking individual living in Italy.

Christmas cyber attack spelled early holidays for council staff, nightmare for IT workers
Date: 2020-01-06 Author: ABC News
A council in Adelaide’s south is up and running again after a cyber attack just before Christmas locked down its IT systems and forced staff to start their holidays earlier than planned. City of Onkaparinga mayor Erin Thompson said its systems fell victim to the so-called Ryuk ransomware, which has also hit “other government organisations around the world”, on December 14.

REvil ransomware exploiting VPN flaws made public last April
Date: 2020-01-09 Author: Naked Security
Researchers report flaws, vendors issue patches, organisations apply them – and everyone lives happily ever after. Right? Not always. Sometimes, the middle element of that chain – the bit where organisations apply patches – can take months to happen. Sometimes it doesn’t happen at all. It’s a relaxed patching cycle that has become security’s unaffordable luxury. Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.

ESB-2020.0094 – Cisco Webex Video Mesh Node: Root escalation
An administrative user in the software could execute commands with root privileges on the underlying Linux system.

ESB-2020.0075 – Node.JS 8: Arbitrary file overwrite
Arbitrary file overwrite in one of the internet’s favourite application languages.

ESB-2020.0078 – [ALERT] Firefox & Firefox ESR: RCE
Shortly after releasing v72.0, Mozilla issued v72.0.1 to address an RCE which was being used in targeted attacks in the wild.

ASB-2020.0002 – Android: January patch level
The usual crop, and notably a privileged RCE using physical proximity and the Realtek wifi driver.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 3rd January 2020

Greetings,

2020 has begun, and with it, the end of party time. Here is this week’s Week in Review.

Cisco DCNM Users Warned of Serious Vulnerabilities
Date: 2020-01-02 Author: SecurityWeek
Cisco on Thursday informed customers that it has released software updates for its Data Center Network Manager (DCNM) product to address several critical and high-severity vulnerabilities.

Two tips to make multifactor authentication for Office 365 more effective
Date: 2020-01-02 Author: CSO Online
Multifactor authentication (MFA) is a key tool in ensuring that your Office 365 and any online application will be secure in the cloud. For those with Microsoft 365 here are some tips to ensure you provide maximum protection to your Office 365 deployment without sacrificing usability.

Microsoft takes down 50 domains operated by North Korean hackers
Date: 2019-12-30 Author: ZDNet
Microsoft announced today [December 30th] that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group. The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium.

Sextortion Email Scammers Try New Tactics to Bypass Spam Filters
Date: 2019-12-31 Author: Bleeping Computer
Sextortion scams have become so common that spam filters and secure mail gateways have been doing a good job at preventing them from being delivered to their recipients. To bypass these filters, attackers have started to utilize new tactics such as sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts.

7 Tips for Maximizing Your SOC
Date: 2019-12-31 Author: Threatpost
Use the seven points listed above to create an effective and efficient operational workflow and, importantly, happier analysts who aren’t buried at the bottom of a pile of mostly irrelevant data.

Cisco (DCNM): Execute arbitrary code/commands
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager.

typo3: Execute arbitrary code
Multiple vulnerabilities which could lead to code execution have been found in typo3, an open-source web content management system.

libxml2: Denial of service
A denial of service vulnerability in libxml2, the GNOME XML parsing library.

Stay safe, stay patched and best wishes from all of us,
Rameez and the team at AUSCERT


AUSCERT Week in Review for 20th December 2019

Greetings,

This week may be drawing to a close, but there’s some life left in 2019! If you’re looking for something creative to do during the upcoming break, why not submit a presentation or tutorial idea to our Call For Presentations for the AUSCERT2020 Cyber Security Conference? If selected, we’ll cover your travel and accommodation costs and we’re especially keen to see presentations by AUSCERT members.

Just a reminder that although AUSCERT remains on call for emergency assistance via the 24/7 member hotline, the Membership Team are taking a break until Monday 6 January. Similarly AUSCERT’s Operations Team will close from 25 December to 1 January, so the auscert@auscert.org.au email address (and IRC) will not be monitored during that time.

And now here’s some reading material to ease you into the weekend:

Microsoft: We never encourage a ransomware victim to pay
Date: 2019-12-17 Author: ZDNet
Microsoft advocates for organizations to take preemptive measures. Says companies should treat cyberattacks “as a matter of when” and not “whether.”

Chrome Will Automatically Scan Your Passwords Against Data Breaches
Date: 2019-12-16 Author: WIRED
Google’s password checking feature has slowly been spreading across the Google ecosystem this past year. It started as the “Password Checkup” extension for desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated into every Google account as an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is being integrated into the desktop and mobile versions of Chrome 79.

10 cyber security trends to look out for in 2020
Date: 2019-12-19 Author: Information Age
When looking for possible cyber security trends in 2020, it is clear to see that 2019 was an interesting year for all things cyber security. It was the year that brought major breaches pretty much every week. Recently, it was found that charities reported over 100 data breaches to the ICO in the second quarter of 2019-20 alone. Cyber security is still the issue on every business leader’s mind. This year, the need for organisations to keep GDPR in mind has remained prominent. The stakes for protecting your organisation from cyber threats have never been higher. So, what cyber security trends can we expect to see in 2020 then? Here are some things to consider.

Inside Evil Corp, a $100M Cybercrime Menace
Date: 2019-12-17 Author: Krebs on Security
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob. [This is a very narrative dive into payroll compromises and money mules.]

debian-edu-config: Unauthorised access – Existing account
An insecure configuration allowed every user to change other users’ passwords, which is less than ideal.

Citrix Application Delivery Controller and Citrix Gateway: Execute arbitrary code/commands – Remote/unauthenticated
An unauthenticated attacker may be able to execute arbitrary code via this vulnerability.

python-django: Unauthorised access – Remote/unauthenticated
A case-insensitive query on Django’s password reset form for email addresses could result in unauthorised access.

Firefox: Multiple vulnerabilities
Nine CVEs are patched in this Firefox update.

We wish you and your loved ones all the best for the holiday season and look forward to returning in 2020, reinvigorated and ready to conquer new cyber security challenges with you!

Kind regards,
Mike and the AUSCERT Team
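The python-django bulletin above is CVE-2019-19844: the password reset form looked the account up with a case-insensitive (iexact) email match and then sent the reset token to the address the requester had typed, so an address that only compared equal after Unicode lower-casing could pull another account's token. The fix shipped in Django 3.0.1, 2.2.9 and 1.11.27 sends the mail to the address stored on the matched account instead. The snippet below is an added example and not Django's code; it models both behaviours without Django, using a constructed user table and a crafted address built with U+212A KELVIN SIGN, which Python's str.lower() maps to an ASCII "k".

```python
"""Password-reset destination, before and after the Django fix (added
example, stand-alone model; the user table is constructed)."""

USERS = [
    {"id": 1, "email": "mike@example.com"},
    {"id": 2, "email": "rameez@example.com"},
]


def find_user_iexact(submitted):
    """Models an email__iexact lookup. 'Case-insensitive' is wider than
    ASCII once Unicode is involved: 'K'.lower() (KELVIN SIGN) is 'k'."""
    wanted = submitted.lower()
    return next((u for u in USERS if u["email"].lower() == wanted), None)


def reset_destination_vulnerable(submitted):
    """Pre-fix: the lookup is lenient, but the mail goes to the raw input."""
    user = find_user_iexact(submitted)
    return submitted if user else None


def reset_destination_fixed(submitted):
    """Post-fix: the mail goes to the address stored on the matched account,
    so a lenient lookup can no longer redirect the token."""
    user = find_user_iexact(submitted)
    return user["email"] if user else None


# 'mi' + KELVIN SIGN + 'e': a different string from 'mike', same after lower().
CRAFTED = "mi\u212ae@example.com"

if __name__ == "__main__":
    print(CRAFTED == "mike@example.com", CRAFTED.lower() == "mike@example.com")
    print("vulnerable sends to:", reset_destination_vulnerable(CRAFTED))
    print("fixed sends to:     ", reset_destination_fixed(CRAFTED))
```

The general lesson is the one the fix embodies: once a lookup has been made deliberately lenient, any security-relevant action must use the canonical value from the record it found, never the attacker-supplied value that happened to match it.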
