Week in review

AUSCERT Week in Review for 31st January 2020

Greetings,

It is the end of another week, and another month – 2020 seems to be moving fast!

Call for Presentations and Tutorials – AUSCERT Conference
Date: 2020-01-31 Author: AUSCERT2020
Do YOU or someone YOU KNOW have a great story to tell? We would like to hear it! Our AUSCERT2020 Call for Presentations and Tutorials closes at midnight AEST and submissions can be entered here. The AUSCERT2020 Program Committee welcomes original contributions for presentations not previously published nor submitted in parallel for publication to any other conference or workshop taking place in proximity of the conference.

Citrix rolls out final patches to defend against the CVE-2019-19781 vulnerability
Date: 2020-01-27 Author: The Daily Swig
Citrix has completed the process of releasing patches for all supported versions of its technology affected by the CVE-2019-19781 vulnerability. The now-infamous security flaw (CVE-2019-19781), which affects Citrix Application Delivery Controller (ADC) and Gateway products, first surfaced in mid-December. Proof-of-concept exploit code dropped earlier this month. This prompted Citrix to double down on its patch release schedule – a process it completed on Friday. Immediate patching is strongly recommended.
[See AUSCERT ESB-2019.4708.8 for what may be the final version of Citrix’s advisory.]

What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords
Date: 2020-01-28 Author: CyberScoop
A website that informs users if their email address has been swept up in a data breach isn’t just popular with vigilant business owners or private security sleuths. The man charged with protecting the Department of Homeland Security’s systems from hackers also maintains an account on the “Have I been Pwned?” website, and it regularly reminds him of the risks passwords pose.
“I get emails from this website…on a monthly or bimonthly basis,” DHS CISO Paul Beckman said Tuesday at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop. “That is how often my username and password is getting compromised.” Beckman said he registered both his personal and DHS email addresses on the website. The good news for him is that he uses a “second factor” – something like an SMS message or an authentication app – to log into his accounts and keep hackers out of them.

United Nations Confirms ‘Serious’ Cyberattack With 42 Core Servers Compromised
Date: 2020-01-30 Author: Forbes
One week after the United Nations called for an investigation into the claims that Jeff Bezos’ smartphone was hacked by Saudi Crown Prince Mohammed bin Salman, a claim that I first reported in March 2019, another investigation has revealed that the UN itself has been hacked. The leak of an internal UN report to investigators at The New Humanitarian shows that core infrastructure servers were compromised during a successful cyberattack last year. Although not yet attributed, the attack fingerprint suggests sophisticated APT actors. It’s further understood that the hackers used a known vulnerability (CVE-2019-0604) in an internet-facing Microsoft SharePoint server, a web-based collaborative platform integrated with Microsoft Office. A UN spokesperson confirmed that the decision not to disclose was taken.

Legacy TLS is on the way out: Start deprecating TLSv1.0 and TLSv1.1 now
Date: 2020-01-23 Author: Scott Helme
With TLS having taken some great steps forward in recent years, with TLSv1.2 in 2008 and TLSv1.3 in 2018, it’s time to start dropping support for the legacy versions of TLS. It would be good to remove these legacy versions now but it’s more important we upgrade to support higher versions and we do have some encouragement beyond me telling you it’s a good idea.
Chrome is now warning users about sites that they visit that are using either TLSv1.0 or TLSv1.1 for the connection. It’s not just Chrome either: Firefox announced they are going to drop all support for both TLSv1.0 and TLSv1.1 in March 2020, and they announced this all the way back in October 2018!

Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina
Date: 2020-01-29 Author: SecurityWeek
Apple this week released software updates to address tens of security flaws in iOS, iPadOS, macOS Catalina, and other products. A total of 23 vulnerabilities were addressed in iOS 13.3.1 and iPadOS 13.3.1, now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation. The flaws impact components such as Audio, FaceTime, ImageIO, IOAcceleratorFamily, IPSec, Kernel, libxpc, Mail, Messages, Phone, Safari Login AutoFill, Screenshots, and wifivelocityd.

ESB-2020.0282 – Cisco Webex Meetings Suite and Cisco Webex Meetings Online
“A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password.”

ESB-2020.0310 – USN-4256-1: Cyrus SASL vulnerability
“Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.”

ESB-2020.0273 – git security update
Multiple git issues addressed.

ESB-2020.0291 – Intel Processors Data Leakage Advisory
“Potential security vulnerabilities in some Intel Processors may allow information disclosure.”

ESB-2020.0351 – macOS: Multiple vulnerabilities
Multiple issues addressed.

Stay safe, stay patched and have a good weekend!
The AUSCERT team.


Week in Review for 24th January 2020

Greetings,

The AUSCERT team would like to wish all of you a relaxing Australia Day long weekend, and a Happy Lunar New Year to those who celebrate. A reminder that the auscert@auscert.org.au mailbox will not be monitored on Monday 27 January as it is a nationwide public holiday. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

Fraudsters impersonate Chinese consulate in scam targeting international students
Date: 2020-01-23 Author: ABC News
Police say scores of international students in Queensland have been stung in a scam where fraudsters impersonated the Chinese consulate and demanded thousands of dollars to avoid deportation.

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
Date: 2020-01-20 Author: ZDNet
A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices. The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet. According to experts to whom ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

5 tips to avoid spear-phishing attacks
Date: 2020-01-17 Author: Naked Security
Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself. The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name. You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.

Inside Pwn2Own’s High-Stakes Industrial Hacking Contest
Date: 2020-01-24 Author: WIRED
On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: a so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.

Former ACSC chief MacGibbon blasts calls to legitimise screen scrapers
Date: 2020-01-21 Author: iTnews
Australia’s high profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning any weakening of security controls under open banking will create an instant target list for hackers.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance
Author: Help Net Security
Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.

Microsoft Exposed 250 Million Customer Support Records
Date: 2020-01-20 Author: SecurityWeek
Nearly 250 million Microsoft Customer Service and Support records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports. The records on those servers contained 14 years’ worth of logs of conversations between support agents and customers, all of which could be accessed by anyone directly from a browser, without any form of authentication. In an update, Microsoft says that the exposure was the result of a misconfiguration that occurred on December 5, but that its investigation into the incident did not reveal malicious use.

ESB-2019.4708.7 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
The RCE in Citrix NetScaler which has been making headlines lately, and which was updated this week with patches for specific versions.

ESB-2020.0262 – Red Hat kernel security and bug fix update
Linux kernel upgrades patching severe vulnerabilities reach RHEL 8 for SAP.

ESB-2020.0261 – Red Hat chromium-browser security update
Red Hat releases an Important update for chromium-browser.

Stay safe, stay patched and have a good weekend!


AUSCERT Week in Review for 17th January 2020

Greetings,

Is everyone still reeling from Microsoft Patch Tuesday? The Windows CryptoAPI vulnerability has security professionals across the world scrambling as news spread across the internet. Spoofing certificates has never been easier! In other news, go check for mitigations for your Citrix Gateways and ADCs. Citrix advises that certain releases of Citrix ADC are still vulnerable even after application of mitigation steps. To make things even spicier, the remote code execution vulnerability is being actively exploited in the wild, and with Shodan showing over 125,400 Citrix ADC or Gateway servers publicly accessible… Yikes!

CVE-2020-0601 – An Exploit has been made public.
Date: 2020-01-16 Author: SANS Internet Storm Center
There is no catchy name or logo for this vulnerability. It is referred to as “CVE-2020-0601”, “CryptoAPI ECC Verification Vulnerability,” or “crypt32.dll Vulnerability” and several other names. It is probably best to use the CVE number as an identifier. Only Windows 10 and Windows Server 2016 and 2019 are affected. Windows 7 is not affected. We also made a simple PowerPoint presentation available to help you brief management on the issue.

PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability
Date: 2020-01-11 Author: The Hacker News
It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code for a recently disclosed remote code execution vulnerability in Citrix’s NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets.
Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

Microsoft fixes Windows crypto bug reported by the NSA
Date: 2020-01-14 Author: ZDNet
Microsoft has released a security update today to fix “a broad cryptographic vulnerability” impacting the Windows operating system. “Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all “critical patches” but is doubly true at this time,” Yonatan Striem-Amit, CTO and Cofounder of Cybereason told ZDNet earlier today. The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations. “A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft also said. According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Some noteworthy bulletins this week are as follows:

Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
Certain releases of Citrix ADC are still vulnerable to exploits.

Security update for Microsoft Windows
Microsoft’s Patch Tuesday included a code-signing spoof vulnerability.

Stay safe, stay patched and have a good weekend!
Mal


AUSCERT Week in Review for 6th December 2019

Greetings,

The Christmas season is fast approaching. Do you hang up stockings or keyboards and mice? AUSCERT will be shutting down for a week between December 25th and January 1st inclusive. This means mailboxes will not be monitored. However, we will still provide the 24/7 Member Hotline. Feel free to give us a call during the break if you need assistance. We’ve also sent out links for the 2019 AUSCERT Member Survey. Please do check it out and give us your feedback – we’re keen to know where to put our efforts.

Microsoft Patches Vulnerability Leading to Azure Account Takeover
Date: 2019-12-03 Author: SecurityWeek
Microsoft recently addressed an OAuth 2.0 vulnerability that could allow an attacker to take over Azure accounts. The issue impacts specific Microsoft OAuth 2.0 applications and allows an attacker to create tokens with the victim’s permissions, CyberArk’s security researchers have discovered. The root cause of the security flaw, which CyberArk calls BlackDirect, is that anyone can register domains and sub-domains that OAuth applications trust. Moreover, because the apps are approved by default and can ask for an access_token, an attacker could gain access to Azure resources, AD resources and more.

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Date: 2019-12-05 Author: The Register
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software. Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack. As Ormandy explained, “you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you’re talking to a trusted local service and not an attacker.”

Two malicious Python libraries caught stealing SSH and GPG keys
Date: 2019-12-04 Author: ZDNet
The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries were created by the same developer and mimicked other more popular libraries, using a technique called typosquatting to register similar-looking names.

Federal cops spring domestic violence RAT trap
Date: 2019-12-02 Author: iTnews
An Australian Federal Police operation in conjunction with peer international agencies and Europol has shuttered commercial access to the Imminent Monitor Remote Access Trojan (IM-RAT), with the malware allegedly being commonly used to stalk domestic violence victims, authorities say. Sales records accessed in the swoop showed there may be more than 14,500 buyers, with the Trojan advertised via a website dedicated to hacking and the use of criminal malware with a licence costing as little as $US25, the AFP said.

Noteworthy bulletins this week:

ESB-2019.4548 – patch: remote code execution
It’s not often in 2019 that you see vulnerabilities featuring ed, “the standard editor” which spawned emacs and vim.

ESB-2019.4556 – Oniguruma: Multiple vulnerabilities
A host of issues in the widely-used regex library Oniguruma.

ESB-2019.4554 – WireShark: CMS dissector crash
WireShark’s dedication to filing CVEs any time their program can be made to crash is an inspiration to us all.

ESB-2019.4520 – [ALERT] TightVNC: Unauthenticated RCE
No proof of concept is available but an unauthenticated RCE is suspected in a program often used to contact unfamiliar hosts.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 10th January 2020

Greetings,

The big headline this week is the opening of physical hostilities between the US and Iran, one of its long-standing cyber-adversaries (remember Stuxnet?). While we’re staying out of the politics, it does mean that there might be more cyber-attacks flying around on the internet than usual. Maybe Iran’s Silent Librarian APT will take a break from targeting universities for IP and focus their efforts in that direction. There’s also been a lot of ransomware in the news recently, so we’ve collated a few of the bigger stories.

The cyber pirates of the Caribbean
Date: 2020-01-06 Author: ABC News
When Jane Smith invested $670,000 to boost her retirement savings, it was flushed into a river of stolen cash flowing out of Australia and into the pockets of criminals. An ABC investigation has tracked down where the money went.

DHS: Iran maintains a robust cyber program and can execute cyber-attacks against the US
Date: 2020-01-07 Author: ZDNet
The US government has issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday. The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place. According to the DHS’ NTAS alert, possible attack scenarios could include “scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”

DeathRansom Campaign Linked to Malware Cornucopia
Date: 2020-01-07 Author: Threatpost
An ongoing DeathRansom malware campaign has been found by researchers to be part of a larger collection of malicious offensives, all carried out by an actor going by the nickname “scat01”.
According to Artem Semenchenko and Evgeny Ananin at FortiGuard Labs, evidence found on Russian underground forums and in their forensic investigations points to a significant connection between ongoing DeathRansom and various infostealing malware campaigns, all likely directed by one Russian-speaking individual living in Italy.

Christmas cyber attack spelled early holidays for council staff, nightmare for IT workers
Date: 2020-01-06 Author: ABC News
A council in Adelaide’s south is up and running again after a cyber attack just before Christmas locked down its IT systems and forced staff to start their holidays earlier than planned. City of Onkaparinga mayor Erin Thompson said its systems fell victim to the so-called Ryuk ransomware, which has also hit “other government organisations around the world”, on December 14.

REvil ransomware exploiting VPN flaws made public last April
Date: 2020-01-09 Author: Naked Security
Researchers report flaws, vendors issue patches, organisations apply them – and everyone lives happily ever after. Right? Not always. Sometimes, the middle element of that chain – the bit where organisations apply patches – can take months to happen. Sometimes it doesn’t happen at all. It’s a relaxed patching cycle that has become security’s unaffordable luxury. Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.

ESB-2020.0094 – Cisco Webex Video Mesh Node: Root escalation
An administrative user in the software could execute commands with root privileges on the underlying Linux system.

ESB-2020.0075 – Node.JS 8: Arbitrary file overwrite
Arbitrary file overwrite in one of the internet’s favourite application languages.

ESB-2020.0078 – [ALERT] Firefox & Firefox ESR: RCE
Shortly after releasing v72.0, Mozilla issued v72.1 to address an RCE which was being used in targeted attacks in the wild.

ASB-2020.0002 – Android: January patch level
The usual crop, and notably a privileged RCE using physical proximity and the Realtek wifi driver.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 3rd January 2020

Greetings,

2020 has begun, and with it, the end of party time. Here is this week’s Week in Review.

Cisco DCNM Users Warned of Serious Vulnerabilities
Date: 2020-01-02 Author: SecurityWeek
Cisco on Thursday informed customers that it has released software updates for its Data Center Network Manager (DCNM) product to address several critical and high-severity vulnerabilities.

Two tips to make multifactor authentication for Office 365 more effective
Date: 2020-01-02 Author: CSO Online
Multifactor authentication (MFA) is a key tool in ensuring that your Office 365 and any online application will be secure in the cloud. For those with Microsoft 365, here are some tips to ensure you provide maximum protection to your Office 365 deployment without sacrificing usability.

Microsoft takes down 50 domains operated by North Korean hackers
Date: 2019-12-30 Author: ZDNet
Microsoft announced today [December 30th] that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group. The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium.

Sextortion Email Scammers Try New Tactics to Bypass Spam Filters
Date: 2019-12-31 Author: Bleeping Computer
Sextortion scams have become so common that spam filters and secure mail gateways have been doing a good job at preventing them from being delivered to their recipients. To bypass these filters, attackers have started to utilize new tactics such as sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts.

7 Tips for Maximizing Your SOC
Date: 2019-12-31 Author: Threatpost
Use the seven points listed above to create an effective and efficient operational workflow and, importantly, happier analysts who aren’t buried at the bottom of a pile of mostly irrelevant data.

Cisco (DCNM): Execute arbitrary code/commands
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager.

typo3: Execute arbitrary code
Multiple vulnerabilities which could lead to code execution have been found in typo3, an open-source web content management system.

libxml2: Denial of service
A denial of service vulnerability in libxml2, the GNOME XML parsing library.

Stay safe, stay patched and best wishes from all of us,
Rameez and the team at AUSCERT


AUSCERT Week in Review for 20th December 2019

Greetings,

This week may be drawing to a close, but there’s some life left in 2019! If you’re looking for something creative to do during the upcoming break, why not submit a presentation or tutorial idea to our Call For Presentations for the AUSCERT2020 Cyber Security Conference? If selected, we’ll cover your travel and accommodation costs, and we’re especially keen to see presentations by AUSCERT members.

Just a reminder that although AUSCERT remains on call for emergency assistance via the 24/7 member hotline, the Membership Team are taking a break until Monday 6 January. Similarly, AUSCERT’s Operations Team will close from 25 December to 1 January, so the auscert@auscert.org.au email address (and IRC) will not be monitored during that time.

And now here’s some reading material to ease you into the weekend:

Microsoft: We never encourage a ransomware victim to pay
Date: 2019-12-17 Author: ZDNet
Microsoft advocates for organizations to take preemptive measures. Says companies should treat cyberattacks “as a matter of when” and not “whether.”

Chrome Will Automatically Scan Your Passwords Against Data Breaches
Date: 2019-12-16 Author: WIRED
Google’s password checking feature has slowly been spreading across the Google ecosystem this past year. It started as the “Password Checkup” extension for desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated into every Google account as an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is being integrated into the desktop and mobile versions of Chrome 79.

10 cyber security trends to look out for in 2020
Date: 2019-12-19 Author: Information Age
When looking for possible cyber security trends in 2020, it is clear to see that 2019 was an interesting year for all things cyber security. It was the year that brought major breaches pretty much every week. Recently, it was found that charities reported over 100 data breaches to the ICO in the second quarter of 2019-20 alone. Cyber security is still the issue on every business leader’s mind. This year, the need for organisations to keep GDPR in mind has remained prominent. The stakes for protecting your organisation from cyber threats have never been higher. So, what cyber security trends can we expect to see in 2020 then? Here are some things to consider.

Inside Evil Corp, a $100M Cybercrime Menace
Date: 2019-12-17 Author: Krebs on Security
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
[This is a very narrative dive into payroll compromises and money mules.]

debian-edu-config: Unauthorised access – Existing account
An insecure configuration allowed every user to change other users’ passwords, which is less than ideal.

Citrix Application Delivery Controller and Citrix Gateway: Execute arbitrary code/commands – Remote/unauthenticated
An unauthenticated attacker may be able to execute arbitrary code via this vulnerability.

python-django: Unauthorised access – Remote/unauthenticated
A case-insensitive query on Django’s password reset form for email addresses could result in unauthorised access.

Firefox: Multiple vulnerabilities
Nine CVEs are patched in this Firefox update.

We wish you and your loved ones all the best for the holiday season and look forward to returning in 2020, reinvigorated and ready to conquer new cyber security challenges with you!

Kind regards,
Mike and the AUSCERT Team


AUSCERT Week in Review for 13th December 2019

Greetings,

As the week comes to a close, here are some articles that may help ease you into the weekend. …

Microsoft to help Office 365 customers track entire phishing campaigns, not just lone emails
Date: 2019-12-10 Author: ZDNet
Microsoft is launching today a new security feature in public preview. Named “Campaign Views,” this is a new feature that will be available for Office 365 Advanced Threat Protection (ATP) […] Until today, Office 365 ATP users could only see details about each of the individual malicious emails that reached users. Campaign Views will show details about the entire phishing campaign and all the tricks and infrastructure it uses. The goal is to give security teams an idea of what other tricks the same attacker might be using, so they can put filters and security protections in place.

Phishing Campaign Uses Malicious Office 365 App
Date: 2019-12-11 Author: Phishlabs Blog
Most phishing campaigns attempt to take over accounts by tricking the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim’s account without requiring them to give up their credentials to the attackers.

Australia Post SMS scam targeting Australians
Date: 2019-12-12 Author: Stay Smart Online
With millions of parcel deliveries expected around the country, Australia Post is seeing widespread scam text (SMS) messages being sent to people, using their brand. These fake SMS messages may tell you that your parcel is “detained”, you’ve “missed a delivery” or there’s an “important update” to your delivery – and include a link to click on for more details. As scammers use technology that imitates a caller ID, these scam texts can even appear in the same conversation thread as a legitimate Australia Post conversation.

Amazon Battles Leaky S3 Buckets with a New Security Tool
Date: 2019-12-09 Author: Bit Defender
Anyone who has been following security trends in recent years cannot fail to have noticed the preponderance of data breaches which have stemmed from unsecured Amazon S3 buckets. Many well-known organisations, including FedEx, Capital One bank, Verizon, and even US defense contractors, have left confidential and sensitive data publicly exposed by not having properly configured the security of their cloud-based storage servers.

Chrome now warns you if your password has been stolen
Date: 2019-12-12 Author: WeLiveSecurity
Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a security breach, according to the company’s announcement.

Intel Processors
Intel CPU vulnerability, which could allow an attacker to extract highly sensitive information, such as encryption keys, from affected processors by altering their voltage.

Xen
Multiple privilege escalation and guest escape vulnerabilities.

Adobe
Multiple remote code execution, privilege escalation and information disclosure vulnerabilities.

Stay safe, stay patched and have a good weekend!
Rameez Agnew


AUSCERT Week in Review for 22nd November 2019

Greetings,

Welcome to the new format for the Week in Review. We hope you like it!

AUSCERT’s Week in Review will move to a new mailing list known as the AUSCERT Daily Intelligence Report. This consists of a daily report on Mondays to Thursdays, and a weekly report on Fridays. If you don’t want this, please click the “unsubscribe” link at the bottom of the email. If you encounter any problems, please email <membership@auscert.org.au>.

“Sic Transit Gloria Mundi”, and so our perception of a secure system does erode away with time. Well, systems do not form security cracks over time, but there is an enormous amount of effort being made to find them and then patch them. So don’t let your systems’ security fade: keep the patches up to date.

Microsoft Outlook for Android Bug Opens Door to XSS
Date: 2019-11-21
Author: Threatpost

Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks. The bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft’s advisory on the bug. XSS occurs when malicious parties inject client-side scripts into web pages, which trick the unsuspecting user’s browser into thinking that the script came from a trusted source.

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies
Date: 2019-11-17
Author: VICE

An infamous vigilante hacker known for their hits on surveillance companies is launching a new kind of bug bounty to reward hacktivists who do public interest hacks and leaks. In their new manifesto, Phineas Fisher also claimed to have hacked an offshore bank and called on other hacktivists to join in the fight against inequality and capitalism. The hacker said that in 2016 they hacked the Cayman Bank and Trust Company from the Isle of Man, an island between the UK and Northern Ireland.
The hacker said they were able to steal money, documents, and emails from the bank. The hacker shared the stolen documents and emails from the bank to the leaking website Distributed Denial of Secrets, run by journalist and activist Emma Best, who said they uploaded 640,000 emails, in what is “the most detailed look at international banking that the public will have ever had access to.”

Get ahead of the cybersecurity curve
Date: 2019-11-18
Author: SC Magazine

Experienced cybersecurity leaders are beginning to call for a move from reactive detection to proactive prevention. It’s clear that the need to get ahead of the cybersecurity curve is real. Over the past decade, experts talked about the number of days that malware is in your system, and now the discussion is fast becoming how many seconds you have between detection and disaster. There is no longer time to call the boss, check your files or phone a friend. Victims are literally watching their systems being taken over, and they are powerless to stop it despite massive budgets and plans. Clearly, spending on an arms race with dollars, people and technology is not an effective long-term solution. We need a different approach. Enter proactive prevention, the concept behind this move toward flipping the script and finally getting ahead of our adversaries.

Twitter will finally let users disable SMS as default 2FA method
Date: 2019-11-22
Author: ZDNet

Twitter announced today that users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key.

Google will pay $1.5 million for the most severe Android exploits
Date: 2019-11-22
Author: Ars Technica

Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.
Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin
Date: 2019-11-20
Author: Bleeping Computer

Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1. You can update your installation to the 7.9.1 version through your dashboard, or manually download the Jetpack 7.9.1 release.

ANU students forced to re-sit exam after data leak
Date: 2019-11-19
Author: The Riot ACT

Students in the Digital Analysis course at the ANU will be forced to re-take an exam, potentially delaying their graduation, after the university confirmed a data leak last week. “The need for a class to re-sit an exam is extremely rare, and is only undertaken when absolutely required,” an ANU spokesperson said after security protocols successfully identified that a breach had occurred.
Noteworthy bulletins this week:

ESB-2019.4421 – [Win][UNIX/Linux] Asterisk: Multiple vulnerabilities
Denial of Service from Remote Unauthenticated Sessions

ESB-2019.4410 – [UNIX/Linux] BIND: Denial of service – Remote/unauthenticated
“… the load on the server releasing these multiple resources can cause it to become unresponsive …”

ESB-2019.4400 – [Cisco] Cisco Small Business Routers: Access confidential data – Remote/unauthenticated
“… could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface …”

ESB-2019.4384 – [Win][Linux][Mac] Flexera FlexNet Publisher: Multiple vulnerabilities
“… could allow the attacker to deny the acquisition of a valid license …”

ESB-2019.4379 – [Linux] Apache Solr: Execute arbitrary code/commands – Remote/unauthenticated
“… which may in turn allow them to upload malicious code for execution on the Solr server.”

Stay safe, stay patched and have a good weekend!

Geoff

AUSCERT Week in Review for 29th November 2019

Greetings,

It’s been a week for embarrassing mistakes in the cyber world. Splunk and Hewlett-Packard have both announced show-stopping (but silly) bugs with how their systems keep track of time, and Australian parliamentarians have been told that they’ll undergo phishing simulations to prevent them from making the same mistakes as in the breach earlier this year.

Then again, who among us is immune to the most careful, targeted phishing attacks? We heard tell recently of one large organisation conducting a test by sending forged emails to its developers, which told them to update their system by running $(curl | bash) – downloading a shell script from the internet and executing it immediately. Some cautious developers tried to fetch the script with curl before piping it to bash, but the remote host could tell that it was not going straight to a shell, and returned an innocent-seeming script. Developers who executed the command as given did receive a malicious payload and a slap on the wrist. Stay sharp, but stay forgiving.

Splunk customers should update now to dodge Y2K-style bug
Date: 2019-11-27
Author: Naked Security

If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention. According to this week’s advisory, from 1 January 2020 unpatched instances of Splunk will be unable to extract and recognise timestamps submitted to it in a two-digit date format.

Pollies to face phishing tests after Parliament breach
Date: 2019-11-28
Author: iTnews

Parliamentarians and their staff will be subject to phishing email simulations in the wake of the state-sponsored cyber attack against Parliament House earlier this year. The Department of Parliamentary Services will conduct the simulations as part of a new program to test the cyber security awareness of its more than 4000 parliamentary computing network users.
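The lesson of the curl-pipe-bash anecdote in this week’s greeting is that the bytes you inspect must be the bytes you execute: a second fetch "for review" gives the server a second chance to serve something different. The shell functions below are an added example (not code from the newsletter or from any of the products mentioned) of the defensive pattern: fetch once to a file, review that file, record its SHA-256 digest, and only ever execute that same file after re-checking the digest. The function names, the placeholder URL `https://example.invalid/install.sh` and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the newsletter): execute a downloaded script only
# when it is byte-for-byte the file that was reviewed.
#
# "curl URL | bash" executes bytes nobody has read, and fetching the script a
# second time for inspection does not help either, because the server can
# serve different content to each request. The safe pattern is: fetch once to
# a file, review that file, record its digest, then execute that same file.
#
# Intended usage (URL, file name and digest are placeholders for the example):
#   curl -fsSL -o install.sh https://example.invalid/install.sh   # fetch once
#   less install.sh                                               # review it
#   sha256sum install.sh                                          # record digest
#   run_reviewed install.sh <digest-from-the-review>              # run that file

# file_digest FILE: print the SHA-256 hex digest of FILE.
# Uses sha256sum (coreutils) or falls back to shasum (BSD/macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_reviewed FILE EXPECTED_DIGEST
# Runs FILE with sh (and returns the script's exit status) only if FILE's
# digest equals EXPECTED_DIGEST. Returns 2 without running anything if the
# file is missing or its content no longer matches what was reviewed.
run_reviewed() {
    rr_file=$1
    rr_expected=$2
    if [ ! -f "$rr_file" ]; then
        echo "run_reviewed: no such file: $rr_file" >&2
        return 2
    fi
    rr_actual=$(file_digest "$rr_file")
    if [ "$rr_actual" != "$rr_expected" ]; then
        echo "run_reviewed: refusing to run $rr_file, digest mismatch" >&2
        echo "  expected $rr_expected" >&2
        echo "  actual   $rr_actual" >&2
        return 2
    fi
    # Same bytes as reviewed: execute exactly this file, never a re-download.
    sh "$rr_file"
}
```

The digest has to come from the reviewer’s own copy of the file, not from a checksum published by the same host that serves the script: a server that can substitute the script can substitute the checksum just as easily. The check also catches the case where the file on disk was modified between review and execution.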
My Health Record: Australian healthcare scheme grades poorly on cybersecurity
Date: 2019-11-28
Author: The Daily Swig

A review of Australia’s controversial My Health Record scheme has concluded that it does, as experts have warned, present security risks to the public. In its review of the system, published on Monday, the Australian National Audit Office (ANAO) concluded that the A$1.5 billion project is “largely effective”, although poor management of shared cybersecurity risks, including inadequate controls over access to patients’ records, remains a pressing issue. In terms of privacy, the ANAO found, emergency access to patients’ records was widely being misused. Meanwhile, healthcare providers are not all achieving minimum levels of cybersecurity, says the ANAO, with the Australian Digital Health Agency failing to monitor compliance effectively. It has also failed to check whether third-party software providers to healthcare agencies are complying with the government’s cybersecurity framework.

HP Warns That Some SSD Drives Will Fail at 32,768 Hours of Use
Date: 2019-11-26
Author: BleepingComputer

HP released firmware updates for a number of its Serial-Attached SCSI solid-state drives to prevent their failure at exactly 32,768 hours of operation time. The devices are used in multiple server and storage products for enterprise, such as HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335 and StoreVirtual 3200. The abnormal expiration time translates to 3 years, 270 days and 8 hours, a lot less than the normal lifespan of these products. For some of them, the warranty can be extended to up to five years.

Silly Phishing Spotlight: Login to Unblock Microsoft Excel
Date: 2019-11-24
Author: BleepingComputer

As part of our ongoing series to educate users about some of the more silly phishing scams out there, we bring a new one that states Excel is blocked unless you login and verify your details.
As people get more educated about phishing scams and how to spot them, we continue to see scammers create outlandish campaigns in order to bait people into entering their login credentials. Such is the case with this new phishing email that states you won’t be able to use your Excel due to a “system delay” unless you first login.

Noteworthy bulletins this week:

ESB-2019.4501 – GitLab
GitLab released an update for the 12.5, 12.4 and 12.3 branches and almost immediately realised it omitted the important security fix they intended. If you only installed 12.5.1, 12.4.4 or 12.3.7 then ensure you update again to catch this.

ESB-2019.4475 – FreeRDP on SUSE: Unauthenticated memory leaks
Expect this fix to reach other distros soon.

ESB-2019.4441 – Symantec Critical System Protection: Authentication bypass
Symantec’s CSP software scored a 9.4/10 on the CVSSv3 scale for letting an attacker stroll through its controls.

ESB-2019.4460 – Mailman on SUSE: Privilege escalation
The GNU mailing list manager contained a privilege escalation from the wwwrun user to root.

Stay safe, stay patched and have a good weekend!

David

AUSCERT Week in Review for 15th November 2019

Greetings,

Emotet is up officially by 730%. It feels better when things are officially reported by researchers. By the time the report is out, most of the front line people would have already felt and dealt with the effects of this campaign. Criminals are going where the money is: no, not the banks, but servers of all flavours, for their processing power. Also this week Bash got bashed, and Intel says we can’t tell about their intel until they say so, but what they say may have been fixed six months ago, a story that did not sell well with some Dutch security boffins.

Feels like things are going fast; well, I’ll play the researcher and tell you a posteriori that they certainly are, and that security automation and response is the future. Oh hang on, you also knew that too. Fact is that when you are at the front lines you get a front row seat to the details as they happen. That’s why keeping communication lines open to AUSCERT, either push by report, or pull from feeds such as the Malicious URL, MSIN, and MISP feeds, provides you the intelligence the moment it happens.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: PureLocker Ransomware Can Lock Files on Windows, Linux, and macOS
Author: Ionut Ilascu
Date Published: November 13th, 2019

Excerpt: “Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers. The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks. Built to dodge detection.
The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback.”

Title: Lateral Phishing Makes for Dangerous Waters, Here’s How You Can Avoid Getting Caught in the Net
Author: Anurag Kahol
Date: November 13th, 2019

Excerpt: “Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company. Lateral phishing techniques are highly effective. When hackers impersonate someone that the recipient knows and trusts, said recipient tends to lower her or his guard, making it more likely that sensitive information will be surrendered.”

Title: Researchers Discover Massive Increase in Emotet Activity
Author: Helpnet Security
Date: November 13th, 2019

Excerpt: “Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim’s inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages.
When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the most damage to a network.”

Title: Microsoft Patch Tuesday Updates Fix CVE-2019-1429 Flaw Exploited in the Wild
Author: Pierluigi Paganini
Date: November 13th, 2019

Excerpt: “Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time. The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” read the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Title: Intel launches security blog, pushes security patches
Author: Doug Olenick
Date: November 13th, 2019

“Intel has joined the Patch Tuesday crowd with a platform update that covered 77 vulnerabilities, two of which were rated critical. The chip maker noted the security updates in a new blog the company said it will use to disseminate security updates, bug bounty topics, new security research, and engagement activities within the security research community. Intel is dividing its updates by advisory with each covering a single or set of products.”

Title: Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago
Author: Kim Zetter
Date: November 12th, 2019

Excerpt: “Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company’s computer processors, Intel implied that all the problems were solved. But that wasn’t entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found.”

Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.4311 – [Appliance] Philips IntelliBridge EC40 and Philips IntelliBridge EC80: Access privileged data – Remote/unauthenticated
“… to execute software, modify system configuration, or view/update files, including unidentifiable patient data.”

2. ESB-2019.4300 – [Cisco] Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Root compromise – Existing account
“… to execute arbitrary code with root privileges on the underlying Linux operating system.”

3. ASB-2019.0337 – [Win] McAfee Data Loss Prevention ePO: Access confidential data – Existing account
“… remote attackers with access to the network to collect login details to the LDAP server …”

4. ESB-2019.4289 – [Virtual] microcode: Access privileged data – Existing account
“… speculative execution may be able to infer the value of data in the microarchitectural structures …”

Wishing you the best from AUSCERT and hope to see you safe next week,

Geoffroy

AUSCERT Week in Review for 8th November 2019

Greetings,

As the week comes to a close, here are some articles that may help ease you into the weekend.

BlueKeep attacks are happening, but it’s not a worm
Date published: 03/11/2019
Author: Catalin Cimpanu

Excerpt: “This BlueKeep campaign has been happening at scale for almost two weeks, but it’s been only spotted today by cybersecurity expert Kevin Beaumont. The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet. Beaumont’s discovery was confirmed by Marcus “MalwareTech” Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who’s a recognized expert in the BlueKeep exploit.”

QSnatch malware already infected thousands of QNAP NAS devices
Date published: 04/11/2019
Author: Pierluigi Paganini

Excerpt: “A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI) published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation. “NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.”

Trend Micro reveals that customer data was illegally sold following inside-job ‘security incident’
Date published: 06/11/2019
Author: Mark Wyciślik-Wilson

Excerpt: “Security firm Trend Micro has revealed details of an inside scam which led to personal details of its customers being exposed.
The security incident dates back to August this year, and the company says that it was made aware of customers being contacted by fake Trend Micro support staff. Following an investigation lasting until the end of October, it was determined that it was a member of staff that had fraudulently gained access to a customer database and sold personal data to a third party.”

Buran Ransomware; the Evolution of VegaLocker
Date published: 05/11/2019
Authors: Alexandre Mundo and Marc Rivero Lopez

Excerpt: “This ransomware was announced in a well-known Russian forum with the following message:

“Buran is a stable offline cryptoclocker, with flexible functionality and support 24/7. Functional: Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream works for each disk and network path; Skipping Windows system directories and browser directories; Decryptor generation based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;”

The announcement says that Buran is compatible with all versions of the Windows OS’s (but during our analysis we found how, in old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment.”

Critical Remote Code Execution Flaw Found in Open Source rConfig Utility
Date published: 04/11/2019
Author: Tom Spring

Excerpt: “Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication.
RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according to the project’s website. The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.”

Here are this week’s noteworthy security bulletins:

1) Tenable.sc: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0310/
Tenable Security Center received stand-alone patches that address multiple vulnerabilities affecting PHP. The most severe of these could lead to a remote denial of service attack and cross-site scripting attacks.

2) Android: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0311/
Android received its monthly update that addresses 38 vulnerabilities. These include remote code execution and privilege escalation vulnerabilities.

3) Cisco Web Security Appliance: Cross-site scripting – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.4172/
Cisco Web Security Appliance received fixes for a couple of vulnerabilities. This particular bulletin addresses an update fixing a reflected XSS vulnerability.

4) IBM QRadar SIEM: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.4193/
Last, but most certainly not least, IBM’s QRadar SIEM received fixes for over 39 vulnerabilities, including local arbitrary code execution, remote denial of service, and remote information disclosure.

…and with that, have a great weekend all!

Nick
