Week in review

AUSCERT Week in Review for 17th May 2019

Greetings,

Hoo boy, what a week!

– This Patch Tuesday, Microsoft gave us CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services. An exploit could potentially propagate like a worm, so this was severe enough for Microsoft to release free updates for Windows XP and Server 2003.
– Not to be outdone, Cisco released a flock of advisories this week, including a vulnerability which allows a persistent backdoor to be planted without physical access to the device.
– WhatsApp has provided an update due to a vulnerability that allows spyware to be injected onto your phone.
– And the pièce de résistance: Intel have announced four new microprocessor flaws which could allow unauthorised access to cached data.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Prevent a worm by updating Remote Desktop Services
Date published: 14/05/2019
URL: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Author: MSRC Team
Excerpt: “Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

Title: MDS – Microarchitectural Data Sampling – CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
Date published: 14/05/2019
URL: https://access.redhat.com/security/vulnerabilities/mds
Author: Red Hat
Excerpt: “Four new microprocessor flaws have been discovered, the most severe of which is rated by Red Hat Product Security as having an Important impact. These flaws, if exploited by an attacker with local shell access to a system, could allow data in the CPU’s cache to be exposed to unauthorized processes. While difficult to execute, a skilled attacker could use these flaws to read memory from a virtual or containerized instance, or the underlying host system. Red Hat has mitigations prepared for affected systems and has detailed steps customers should take as they evaluate their exposure risk and formulate their response.”

Title: Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
Date published: 13/05/2019
URL: https://www.zdnet.com/article/thrangrycat-flaw-lets-attackers-plant-persistent-backdoors-on-cisco-gear/
Author: Catalin Cimpanu
Excerpt: “A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices. Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip part of Cisco gear since 2013.”

Title: WhatsApp urges users to update app after discovering spyware vulnerability
Date published: 14/05/2019
URL: https://www.theguardian.com/technology/2019/may/13/whatsapp-urges-users-to-upgrade-after-discovering-spyware-vulnerability
Author: Julia Carrie Wong
Excerpt: “WhatsApp is encouraging users to update to the latest version of the app after discovering a vulnerability that allowed spyware to be injected into a user’s phone through the app’s phone call function. The spyware was developed by the Israeli cyber intelligence company NSO Group, according to the Financial Times, which first reported the vulnerability.”

Title: Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
Date published: 13/05/2019
URL: https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Author: Sergiu Gatlan
Excerpt: “Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0137 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0137
Microsoft has released its monthly security patch update for the month of May 2019.

2) ASB-2019.0138 – ALERT [Win][UNIX/Linux][Appliance][Virtual] Intel CPU Microcode: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ASB-2019.0138
Intel has published a security advisory disclosing RIDL and Fallout, new speculative-execution side-channel vulnerabilities in the vein of Spectre and Meltdown.

3) ESB-2019.1721 – [Win][Mac] Adobe Acrobat and Reader: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1721
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.

4) ESB-2019.1749 – [Win] Cisco Webex Players for Microsoft Windows: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.1749
Multiple vulnerabilities in the Cisco Webex Network Recording Player for Microsoft Windows and the Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.

Stay safe, stay patched and have a good weekend!

Charelle.


AUSCERT Week in Review for 10th May 2019

Greetings,

The week kicked off with a certificate chain issue in Firefox, resulting in add-ons being disabled and preventing new add-ons from being installed. Mozilla promptly released a hotfix and have now corrected the issue in Firefox 66.0.5 for Desktop and Android, and Firefox ESR 60.6.3.

This week Red Hat released RHEL 8, so we’ve already started publishing those bulletins for the early adopters.

Finally, to round out the week, an issue was found in the official Alpine Linux Docker images. Since December 2015, a NULL password has been set for the root account. Alpine Linux is popular for creating small Linux containers. Users should explicitly disable the root account for containers built from the affected Docker images.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782
Published: May 8th, 2019
Author: Cisco Talos
“Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.”

—–

Add-ons disabled or failing to install in Firefox
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/
Published: May 4th, 2019
Author: Kev Needham
“Late on Friday May 3rd, we became aware of an issue with Firefox that prevented existing and new add-ons from running or being installed. We are very sorry for the inconvenience caused to people who use Firefox.”

—–

CIA sets up shop on the anonymous, encrypted Tor network
https://www.cnet.com/news/cia-sets-up-shop-on-the-anonymous-encrypted-tor-network/
Published: May 7th, 2019
Author: Justin Jaffe
“The CIA’s global mission requires that “individuals can access us securely from anywhere,” the intelligence agency said in a press release. “Creating an onion site is just one of many ways we’re going where people are.” The onion site (Tor address) features secure links for reporting information and applying for a job, and will mirror all of the content currently available at www.cia.gov.”

—–

How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks
https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html
Published: May 6th, 2019
Author: Nicole Perlroth, David E. Sanger and Scott Shane
“Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered.”

—–

AusPost builds tool to plug cloud security gaps in 30 seconds
https://www.itnews.com.au/news/auspost-builds-tool-to-plug-cloud-security-gaps-in-30-seconds-524841
Published: May 9th, 2019
Author: Justin Hendry
“In addition to improved security coverage across its cloud landscape, the government-owned corporation with Australia’s largest retail footprint has seen a significant reduction in remediation time since rolling out the solution. “We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach””

—–

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0136 – Alpine Linux Docker Image: Root compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80582
“Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.”

2) ESB-2019.1642 – [Linux] Gemalto DS3 Authentication Server / Ezio Server: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80614
“SEC Consult identified multiple vulnerabilities within the DS3 Authentication Server (now called Gemalto Ezio Server, part of the Thales Group) which can be chained together to allow a low-privileged application user to upload a JSP web shell with the access rights of a low privileged Linux system user.”

3) ASB-2019.0135 – [Android] Android: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/80398
“Multiple security vulnerabilities have been identified in the Android operating system prior to the 2019-05-05 patch level.”

4) ESB-2019.1589 – [Win][UNIX/Linux][Debian] firefox-esr: Reduced security – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/80394
“We’ve released Firefox 66.0.5 for Desktop and Android, and Firefox ESR 60.6.3, which include the permanent fix for re-enabling add-ons that were disabled starting on May 3rd. The initial, temporary fix that was deployed May 4th through the Studies system is replaced by these updates, and we recommend updating as soon as possible.”

5) ESB-2019.1625 – [SUSE] samba: Create arbitrary files – Existing account
https://portal.auscert.org.au/bulletins/80542
“SUSE has patched a flaw in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share.”

Stay safe, stay patched and have a good weekend!

Charelle.
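As an added illustration of the advice above to disable the root account in containers built from the affected Alpine images (this is example code written for this page, not code from Alpine, Cisco Talos or AUSCERT): a small POSIX shell check that reads a shadow-format file, reports whether root’s password field is empty, and locks the account by writing the conventional “!” marker into that field. The sample shadow lines are constructed for the example; in a running container the real file is /etc/shadow, and the same two functions apply to it unchanged.

```shell
#!/bin/sh
# Added example (not from Alpine, Talos or AUSCERT): detect and lock an
# empty root password field in a shadow-format file.
#
# Shadow format: name:password:lastchg:min:max:warn:inactive:expire:flag
# An empty second field is what Talos describes as a NULL password: an
# authenticator that consults the shadow file (e.g. Linux PAM) may accept
# an empty password for root.

# shadow_root_empty FILE
#   exit 0 if FILE has a root entry whose password field is empty, else 1
shadow_root_empty() {
  awk -F: '$1 == "root" { found = 1; if ($2 == "") empty = 1 }
           END { exit !(found && empty) }' "$1"
}

# lock_root FILE
#   rewrite root's empty password field to "!" (never a valid hash, so no
#   password can match), editing FILE in place; other entries untouched
lock_root() {
  awk -F: 'BEGIN { OFS = ":" } $1 == "root" && $2 == "" { $2 = "!" } { print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage with a constructed sample (the root line is the shape of the
# affected images' entry; "bin" is already locked and must stay as is):
sample=$(mktemp)
printf 'root:::0:::::\nbin:!::0:::::\n' > "$sample"
if shadow_root_empty "$sample"; then
  echo "root has an empty password field; locking it"
  lock_root "$sample"
fi
cat "$sample"   # root:!::0:::::  followed by the unchanged bin line
rm -f "$sample"
```

Running this against a container’s /etc/shadow (for example via `docker run --rm <image> cat /etc/shadow` piped to a file) tells you whether a given image is affected before you ship it; the lock step is the equivalent of what the fixed images carry, and does not replace updating to a patched image.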


AUSCERT Week in Review for 3rd May 2019

Greetings,

Updates to protect against a remote code execution vulnerability with administrator privileges in Dell’s SupportAssist (CVE-2019-3719) were announced this week. SupportAssist, which checks software and hardware status, is typically preinstalled on Dell systems running Windows and therefore affects numerous systems. As proof-of-concept code has been made available, patching vulnerable Dell systems is critical.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: 2018/2019 Cyber Security Survey Results
Date Published: 1/5/2019
Author: AUSCERT and BDO Australia
Excerpt: “For the third year running, AUSCERT has teamed up with BDO to conduct an industry-wide survey on the state of cybersecurity. The results of our most recent survey have just been published. AUSCERT has long supported the concept of mandatory breach notification, and it is heartening to see evidence that organisations expected to comply with at least one data breach regulation (GDPR, AU NDB) spend approximately 20% more on information security controls. It is also encouraging to observe the Cyber Security Survey’s finding that leadership awareness has increased. This concurs with AUSCERT’s own experience of more regular engagement at higher levels within organisations, such as CISOs and CIOs at other universities, and Principal Advisors / CISOs within state governments.”

—

Title: Docker Hub Database Hack Exposes Sensitive Data of 190K Users
Date Published: 26/4/2019
Author: Bleeping Computer
Excerpt: “An unauthorized person gained access to a Docker Hub database that exposed sensitive information for approximately 190,000 users. This information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories.”

—

Title: Dell laptops and computers vulnerable to remote hijacks
Date Published: 1/5/2019
Author: ZDNet
Excerpt: “A vulnerability [CVE-2019-3719] in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.”

Stay safe, stay patched and have a good weekend,

Eric


AUSCERT Week in Review for 26th April 2019

Greetings,

For a 3-day week, this week has still been quite busy for anyone in InfoSec. We hope that you all have layers of mitigations in place for the Oracle WebLogic zero-day; otherwise, you may come back to even more work on Monday!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: New Oracle WebLogic zero-day discovered in the wild
Date Published: 25/4/2019
Author: ZDNet
Excerpt: “Security researchers have spotted a new zero-day vulnerability impacting the Oracle WebLogic server that is currently being targeted in the wild. Oracle has been notified of the zero-day, but the software maker just released its quarterly security patches four days before this zero-day’s discovery.”

—–

Title: Marcus Hutchins, slayer of WannaCry worm, pleads guilty to malware charges
Date Published: 19/4/2019
Author: Ars Technica
Excerpt: “Marcus Hutchins, the security researcher who helped neutralize the virulent WannaCry ransomware worm, has pleaded guilty to federal charges of creating and distributing malware used to break into online bank accounts. “I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote in a short post. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.””

—–

Title: Another dark web marketplace bites the dust — Wall Street Market
Date Published: 23/4/2019
Author: ZDNet
Excerpt: “Less than a month after the oldest and biggest dark web marketplace announced plans to shut down, another dark web market has “exit scammed” after the site’s admins ran away with over $14.2 million in user funds. Some of the market’s customer support staff are now blackmailing WSM customers. Staffers are asking for 0.05 Bitcoin (~$280) from vendors and customers who shared their Bitcoin address in support requests, threatening to share the address with law enforcement unless users pay the requested fee. And just as we were writing this article, the same moderator who was extorting WSM users took things to another level by sharing their mod account credentials online, allowing anyone – including law enforcement – to access the WSM backend, which may contain details about buyers and sellers’ real identities.”

—–

Title: Windows 7 Now Showing End of Support Warnings
Date Published: 22/4/2019
Author: BleepingComputer
Excerpt: “Microsoft has started to display alerts in Windows 7 stating that the operating system will reach end of support on January 14, 2020. This alert links to a page that then recommends users upgrade to Windows 10. On January 14th, 2020, Windows 7 will officially reach end of support and Microsoft will no longer offer free security updates and technical support for the operating system.”

—–

Title: Another European manufacturer crippled by ransomware
Date Published: 25/4/2019
Author: HelpNet Security
Excerpt: ““Due to an IT system failure, the Aebi Schmidt Group can temporarily neither receive nor send emails,” the company announced on Thursday. “The IT system failure is due to an attempt by third parties to infiltrate malware into our systems. More and more companies worldwide are being affected by such attacks.””

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1408 – [Win][UNIX/Linux] BIND: Denial of service – Remote/unauthenticated
Multiple denial-of-service vulnerabilities have been patched in BIND.

2) ESB-2019.1412 – [Win][UNIX/Linux] Atlassian Confluence Server and Data Center: Multiple vulnerabilities
Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource.

Stay safe, stay patched and have a great weekend,

Ananda


AUSCERT Week in Review for 18th April 2019

Greetings,

Easter is here again, so hopefully some of us will get a few days’ break from work. If travelling, please take care on the roads.

This week Oracle released vulnerability details and patches for its wide-ranging product list. For those using their products, there are many fixes to apply (up to 297)!

As for other news, here is a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

– —

Oracle Releases 297 Fixes in April 2019 Critical Patch Update
URL: https://www.securityweek.com/oracle-releases-297-fixes-april-2019-critical-patch-update
Author: Ionut Arghire
Date: 17-04-2019
Excerpt: “Oracle this week announced the release of 297 new security fixes as part of its April 2019 Critical Patch Update (CPU), two-thirds of which are remotely exploitable without authentication.”

– —

The web’s infrastructure is under attack from a global hacking spree
URL: https://www.wired.co.uk/article/dns-hijacking-hack-seaturtle-cisco
Author: Matt Burgess
Date: 17-04-2019
Excerpt: “Hackers have been conducting a large scale attack on the websites of governments and intelligence agencies around the world. Security experts claim the attackers are being backed by an unnamed government and their actions threaten to undermine the systems that keep the web functioning. Startling new research from Cisco’s Talos security group says that a core part of the internet’s infrastructure has been targeted as the hackers attempt to steal confidential information. Here’s what we know.”

– —

Fifth of Web Traffic Comes from Malicious Bots
URL: https://www.infosecurity-magazine.com/news/fifth-of-web-traffic-comes-from-1/
Author: Phil Muncaster
Date: 17-04-2019
Excerpt: “Around a fifth of all web traffic last year was linked to malicious bot activity, with financial services hit more than any other sector, according to Distil Networks.”

– —

Wipro hacked, internal systems used to attack customers: report
URL: https://www.itnews.com.au/news/wipro-hacked-internal-systems-used-to-attack-customers-report-523956
Author: Juha Saarinen
Date: 16-04-2019
Excerpt: “Wipro is currently investigating what appears to be a serious breach of its networks and systems, which are apparently being used to launch attacks on customers, forcing the outsourcing giant to build a private email service to replace compromised corporate system.”

– —

Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.
URL: https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html
Author: Adam Satariano and Nicole Perlroth
Date: 15-04-2019
Excerpt: “Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyberstrike in 2017.”
…
“Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war. Mondelez was deemed collateral damage in a cyberwar.”

– —

Here are some of this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.1280 – [Linux][OSX] Webkit: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79038
“Processing maliciously crafted web content may lead to arbitrary code execution.”

2. ESB-2019.1345 – [Win][UNIX/Linux] Drupal: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79366
“Service IDs derived from unfiltered user input could result in the execution of any arbitrary code”

3. ESB-2019.1353 – [SUSE] python: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79430
“blacklist bypass in URIs by using the ‘local-file:’ scheme”

4. ESB-2019.1329 – [Cisco] Aironet access points: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79278
Denial of service and root compromise vulnerabilities.

5. ASB-2019.0110 – [Win][UNIX/Linux] Oracle Construction and Engineering Suite: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79254
Remote code execution, denial of service, and other vulnerabilities.

– —

Stay safe, stay patched and have a great weekend,

Marcus.


AUSCERT Week in Review for 12th April 2019

With less than 2 months to go until the AUSCERT 2019 conference, we hope you have your tickets ready! Our Early Bird rate and Member Tokens expire this Sunday, so please send off those applications as soon as possible.

You can purchase tickets and redeem tokens here: https://gems.eventsair.com/auscert2019/register/

We’re looking forward to seeing you all at the Marriott in May!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: ASD confirms data stolen in Parliament IT breach
Date Published: 10 April 2019
Author: Justin Hendry
Excerpt: “Australian Signals Directorate chief Mike Burgess has confirmed data was stolen by a state-sponsored actor during February’s malicious attack against Parliament House. In what appears to be the first public admission of the data exfiltration, Burgess told senate estimates last week that a limited amount of non-confidential data had made its way into the hands of attackers. It was revealed during the agency’s damage assessment of the security breach, which has now been wrapped up and handed to government for consideration.”

—–

Title: Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records
Date Published: 8 April 2019
Author: Scott Ikeda
Excerpt: “The size and scope of data breaches continues to grow. The new world record has been set by email marketing service Verifications.io, thanks to some unsecured public-facing databases containing what appears to be just about all of their customer information. Passwords were not exposed in the email data breach, but quite a bit of personal information useful for identity theft and scamming was.”

—–

Title: WikiLeaks founder Julian Assange arrested by police
Date Published: 11 April 2019
Author: ITnews Staff Writers
Excerpt: “Police said they arrested Assange after being “invited into the embassy by the Ambassador, following the Ecuadorean government’s withdrawal of asylum.” Assange took refuge in Ecuador’s London embassy in 2012 to avoid being extradited to Sweden, where authorities wanted to question him as part of a sexual assault investigation. That probe was later dropped, but Assange fears he could be extradited to face charges in the United States, where federal prosecutors are investigating WikiLeaks.”

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1237 – [Win][UNIX/Linux][Ubuntu] wpa_supplicant and hostapd: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1237
Several vulnerabilities have been found in wpa, a widely-used Wi-Fi authentication utility.

2) ESB-2019.1200 – [Win][UNIX/Linux][SUSE] sqlite3: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.1200
A plugin in sqlite3 could be exploited to achieve remote code execution.

3) ESB-2019.1163 – [Win][UNIX/Linux][SUSE] Salt: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.1163
Salt, a popular configuration management software, could be exploited to achieve remote code execution.

Stay safe, stay patched and have a good weekend!

Anthony


AUSCERT Week in Review for 5th April 2019

Greetings,

This week, MISP released an update to patch a CVE in MISP itself, and China took the cake by leaving over 590 million resumes sitting in open databases.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

NIST cybersecurity resources for smaller businesses
Date Published: 4 April 2019
Author: Lysa Myers
Excerpt: “There are a lot of challenges to being a small-business owner, including safely managing technology. Every risk can have an outsized effect on your ability to stay in business. And resources for protecting your business are often geared towards much larger organizations. The National Institute of Standards and Technology (NIST) aims to change that, with the release of their Small Business Cybersecurity Corner.”

—–

SamSam outbreak led to FBI restructuring, top official says
Date Published: 4 April 2019
Author: Sean Lyngaas
Excerpt: “The notorious SamSam ransomware — which extracted over $6 million in payments from more than 200 victim organizations — forced the FBI to adjust its model for handling cyberattack investigations, a senior bureau official said Thursday. Nearly all 56 of the FBI’s field offices responded to SamSam incidents — an inefficient way of keeping up with the malware, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division.”

—–

Chinese companies have leaked over 590 million resumes via open databases
Date Published: 4 April 2019
Author: Catalin Cimpanu
Excerpt: “Chinese companies have leaked a whopping 590 million resumes in the first three months of the year, ZDNet has learned from multiple security researchers. Most of the resume leaks have occurred because of poorly secured MongoDB databases and ElasticSearch servers that have been left exposed online without a password, or have ended up online following unexpected firewall errors.”

—–

540 Million Facebook Records Leaked by Public Amazon S3 Buckets
Date Published: 3 April 2019
Author: Sergiu Gatlan
Excerpt: “More than 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps to store user data such as plain text app passwords, account names, user IDs, interests, relationship status, and more. As discovered by the UpGuard Cyber Risk team, Mexico-based media company Cultura Colectiva stored the records of roughly 540 million of its users within a 146 GB database called “cc-datalake,” stored in a misconfigured Amazon S3 bucket which gave anyone download permissions.”

—–

Hacker group has been hijacking DNS traffic on D-Link routers for three months
Date Published: 4 April 2019
Author: Catalin Cimpanu
Excerpt: “For the past three months, a cybercrime group has been hacking into home routers –mostly D-Link models– to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice.”

—–

Here are this week’s noteworthy security bulletins:

1) ESB-2019.1082 – [Linux] MISP: Cross-site scripting – Remote with user interaction
A new version of MISP (2.4.105) has been released to fix a cross-site scripting vulnerability (CVE-2019-10254) in addition to some minor improvements and fixes.

2) ESB-2019.1148 – [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilities
72 CVEs published for various different Jenkins plugins.

3) ESB-2019.1139 – [Win][UNIX/Linux] drupal7: Multiple vulnerabilities
A Drupal 7 update to resolve an access bypass vulnerability.

Stay safe, stay patched and have a great weekend,

Rameez Agnew


AUSCERT Week in Review for 29th March 2019

Greetings,

Another eventful week in information security! Apart from plenty of vulnerabilities disclosed and patched, we have seen much media discussion regarding the intersection of IT, foreign powers, social media companies and politics.

In case you were not aware, there is a “World Backup Day”, and it is this Sunday, the day before April Fools’ Day! The site http://www.worldbackupday.com/en/ has some interesting stats regarding backups and some arguments as to why we should back up our important data. We have also published a short blog about backups here.

Finally, another reminder regarding the upcoming AUSCERT conference. There is just over 2 weeks left to register for the Early Bird prices. For further details, please visit: https://conference.auscert.org.au

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: US Congress proposes comprehensive federal data privacy legislation—finally
Date: March 28, 2019
Author: David Ruiz
Excerpt: “The United States might be the only country of its size – both in economy and population – to lack a comprehensive data privacy law protecting its citizens’ online lives. That could change this year. Never-ending cybersecurity breaches, recently-enacted international privacy laws, public outrage, and crisis after crisis from the world’s largest social media company have pushed US Senators and Representatives into rarely-charted territory: regulation.”

—

Title: Commando VM: The First of Its Kind Windows Offensive Distribution
Date: March 28, 2019
Author: Jacob Barteaux, Blaine Stancill, Nhan Huynh
Excerpt: “For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all. Recognizing that, we have created a Windows distribution focused on supporting penetration testers and red teamers.”

—

Title: Norsk Hydro ransomware incident losses reach $40 million after one week
Date: March 26, 2019
Author: Catalin Cimpanu
Excerpt: “A week after suffering a crippling ransomware infection, Norwegian aluminum producer Norsk Hydro estimates that total losses from the incident have already reached $40 million. […] It now remains to be seen how much of the $40 million losses will be covered by Norsk Hydro’s cyber-insurance policy. Most cyber-insurance policies don’t necessarily cover revenue losses caused by loss of business capabilities. Instead, most cover costs directly generated by the cyber-incident, such as IT consulting, incident response costs, and replacing computers and software.”

—

Title: Tesla car hacked at Pwn2Own contest
Date: March 23, 2019
Author: Catalin Cimpanu
Excerpt: “A team of security researchers has hacked a Tesla Model 3 car on the last day of the Pwn2Own 2019 hacking contest that was held this week in Vancouver, Canada. Team Fluoroacetate –made up of Amat Cama and Richard Zhu– hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car’s firmware and show a message on its entertainment system. As per contest rules announced last fall, the duo now gets to keep the car. Besides keeping the car, they also received a $35,000 reward.”

—

Here are some of this week’s noteworthy security bulletins (in no particular order):

ESB-2019.1047 – [RedHat] libssh2: Execute arbitrary code/commands – Remote with user interaction
SSH client-side arbitrary code execution.

ESB-2019.1026 – [Cisco] Cisco IOS: Multiple vulnerabilities
Confidential data disclosure, arbitrary code execution and root compromise for Cisco IOS.

ESB-2019.0997 – [RedHat] Red Hat Ansible Tower: Multiple vulnerabilities
Significant vulnerabilities for this popular configuration management tool.

ESB-2019.0991 – [Apple iOS] iOS: Multiple vulnerabilities
“A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing”

Stay safe, stay patched and have a good weekend!

Marcus


AUSCERT Week in Review for 22nd March 2019

22 March 2019

Greetings,

Have you registered for the AUSCERT conference? There are only 3 weeks until our Early Bird closing date – registrations and program details can be found on: https://conference.auscert.org.au

Speaking of events, just yesterday we jointly hosted a public lecture from Major General Marcus Thompson AM, Deputy Chief Information Warfare Division (IWD) with the Australian Defence Force. There were over 200 attendees, and the presentation was followed by a panel which attracted a lot of audience participation with a range of perspectives. https://wordpress-admin.auscert.org.au/events/2019-03-21-cyber-warfare-hear-major-general-marcus-thompson

Did you catch us at BSides Canberra last weekend? If not, you have another opportunity – our very own Mike Holm and Anthony Vaccaro will be presenting at BrisSEC next Friday. Be sure to come up and say ‘hello’ to them afterwards!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Christchurch tragedy-related scams and attacks
Date Published: 18 March 2019
URL: https://www.cert.govt.nz/businesses-and-individuals/recent-threats/christchurch-tragedy-related-scams-and-attacks/
Author: CERT NZ
“CERT NZ has received reports of different opportunistic online scams and attacks in the wake of the tragic events in Christchurch last week. This includes online donation fraud, malicious video files, defacement of NZ websites, and website disruption.”

—–

Spam Warns about Boeing 737 Max Crashes While Pushing Malware
Date Published: 16 March 2019
URL: https://www.bleepingcomputer.com/news/security/spam-warns-about-boeing-737-max-crashes-while-pushing-malware/
Author: Lawrence Abrams
“A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient’s computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them.”

—–

The Government wants to free up your bank data. Here’s what that means for you
Date Published: 20 March 2019
URL: https://www.abc.net.au/news/science/2019-03-20/consumer-data-right-bank-transactions-privacy/10898060
Author: Ariel Bogle
“The Consumer Data Right (CDR), which begins to come online mid-year, aims to give Australians more agency to access and control parts of their personal information. The government calls it a “game changer”, but critics fear that without careful consideration, it could have serious privacy implications, among other concerns.”

—–

Fake CIA emails requesting Bitcoin payment or arrest
Date Published: 20 March 2019
URL: https://www.staysmartonline.gov.au/alert-service/fake-cia-emails-requesting-bitcoin-payment-or-arrest
Author: Stay Smart Online
“The Australian Cyber Security Centre (ACSC) is aware of malicious emails claiming to be from the Central Intelligence Agency (CIA) being received by Australians. The emails state that the recipient’s personal details, addresses, contact information and information relating to their relatives are contained in a case file about the distribution and storage of pornographic electronic materials involving underage children. The emails advise that arrests are scheduled and that a payment of $10,000 USD in Bitcoin will prevent further action or contact.”

—–

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Date Published: 21 March 2019
URL: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Author: Brian Krebs
“Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.”

—–

Here are this week’s noteworthy security bulletins:

ESB-2019.0880 – ESB-2019.0885 [Win][UNIX/Linux] Moodle: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.0880
Multiple serious vulnerabilities have been patched in Moodle, so we recommend upgrading as soon as convenient.

ASB-2019.0082 – [Win][UNIX/Linux] Mozilla Firefox: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0082
Several vulnerabilities have been identified in Mozilla Firefox prior to version 66.0 [1], and Firefox ESR prior to version 60.6. Updates are available through most package managers.

ESB-2019.0920 – [Win][UNIX/Linux] Drupal modules: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.0920
Three Drupal modules have been patched for remote code execution and cross site scripting.

ESB-2019.0915 – [Appliance] Cisco IP Phone 7800 and 8800 Series: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.0915
Vulnerabilities in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.

ESB-2019.0950 – Medtronic Conexus telemetry: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.0950
Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.

—-

Stay safe, stay patched and have a good weekend!

Charelle


AUSCERT Week in Review for 8th March 2019

08 March 2019

Greetings,

This has been an action-packed week, with such a variety of events that it is hard to piece this week into one single smooth story on a Friday afternoon. To name a few of the things that have happened, there are botnets launched and taken down, cryptojacking using vulnerable installation utilities, a zero-day in a popular browser, a new analysis tool being released, another “can’t-fix-quick” vulnerability from a popular CPU manufacturer, a SIEM solution that can potentially be crashed from afar, and the list continues to be nothing short of amazing and bewildering; Friday comes as a cliffhanger for next week’s events. Have a good rest this weekend, as next week could turn out even more exciting.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

——-

Title: Serious Chrome zero-day – Google says update “right this minute”
Date: March 6th 2019
Author: Paul Ducklin
URL: https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
Excerpt: “Precise information about the Chrome CVE-2019-5786 zero-day is hard to come by at the moment – as Google says: ‘Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.’ According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader… it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE. …Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.”

——-

Title: Vulnerable Docker Hosts Actively Abused in Cryptojacking Campaigns
Date: March 4th, 2019
Author: Sergiu Gatlan
URL: https://www.bleepingcomputer.com/news/security/vulnerable-docker-hosts-actively-abused-in-cryptojacking-campaigns/
Excerpt: “Hundreds of vulnerable and exposed Docker hosts are being abused in cryptojacking campaigns after being compromised with the help of exploits designed to take advantage of the CVE-2019-5736 runc vulnerability discovered last month. The CVE-2019-5736 runc flaw triggers a container escape and it allows potential attackers to access the host filesystem upon execution of a malicious container, overwrite the runc binary present on the system, and run arbitrary commands on the container’s host system.”

——-

Title: All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fix
Date: March 5th 2019
Author: Liam Tung
URL: https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/
Excerpt: “Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains. Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.”

——-

Title: WordPress Comprises 90% of Hacked Sites: Report
Date: March 5th 2019
Author: Phil Muncaster
URL: https://www.infosecurity-magazine.com/news/wordpress-comprises-90-of-hacked-1-1/
Excerpt: “The GoDaddy-owned security vendor analyzed 18,302 infected websites and over 4.4m cleaned files to compile its latest Hacked Website Trend report. It revealed that WordPress accounted for 90% of hacked websites in 2018, up from 83% in 2018. There was a steep drop before Magento (4.6%) and Joomla (4.3%) in second and third. The latter two had dropped from figures of 6.5% and 13.1% respectively in 2017.”

——-

Title: NSA puts ‘Ghidra,’ its reverse-engineering tool for malware, in the hands of the public
Date: March 5th 2019
Author: Sean Lyngaas
URL: https://www.cyberscoop.com/ghidra-nsa-tool-public/
Excerpt: “After years lurking in the shadows, the National Security Agency’s tool for reverse-engineering malware is now out in the open. The software framework has moved from classified status into use by military analysts and contractors in sensitive-but-unclassified settings, and now it’s available to anyone with an internet connection.”

——-

Here are this week’s noteworthy security bulletins (in no particular order):

1. ASB-2019.0066.2 – UPDATED ALERT [Win][Linux][Mac] Google Chrome: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/76398
Exploit in the wild has been reported.

2. ESB-2018.1689.4 – UPDATED ALERT [Cisco] Cisco Adaptive Security Appliance Web Services: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/63666
Attempted exploitation of this vulnerability in the wild.

3. ESB-2019.0696 – [Linux] IBM QRadar SIEM: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/76558
“…a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.”

4. ESB-2019.0739 – [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/76734
“…could allow an authenticated local attacker to execute arbitrary code on the system as root.”

5. ESB-2019.0734 – [Appliance] IBM Lotus Protector for Mail Security: Execute Arbitrary Code/Commands – Remote/Unauthenticated
https://portal.auscert.org.au/bulletins/76714
“…would allow the attacker to bypass disabled exec functions.”

Wishing you the best from AUSCERT and hope to see you safe next week,

Geoffroy


AUSCERT Week in Review for 15th March 2019

15 March 2019

Greetings,

Well, this week has been interesting. Watch out which games you play, as they could be backdoored from way up the supply chain. Exaggerating a bit on the controls over USBs, you could start either tethering them to your personnel or consider thermite upon their removal from circulation. But things do not stop there. At work, this patch-cycle week, plenty of systems had to be updated to avoid being abused. Also, Monero mining was thought to be slowing down, but with its incorporation into malicious code with worm-like behaviour, mining will move into a new gear. Had enough and thinking of applying for a job elsewhere? Bad luck, as databases overseas also get compromised. So we all need you to rest for the weekend and recuperate, because it will have to be all-hands-on-deck next week.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

——-

Title: Game Development Companies Backdoored in Supply-Chain Attacks
URL: https://www.bleepingcomputer.com/news/security/game-development-companies-backdoored-in-supply-chain-attacks/
Author: Sergiu Gatlan
Date: 11th March 2019
Excerpt: “Two popular games and a gaming platform developed by Asian companies were compromised following a series of successful supply-chain attacks which allowed the attackers to include a malicious payload designed to provide them with a backdoor. The malware used in the supply chain attacks is designed to check the region of the compromised machines before dropping the payload and, if it’s a Chinese or a Russian computer, it will automatically stop the infection process hinting at the fact that the cybercriminals behind this supply chain attack have a very specific list of victims they need to target.”

——-

Title: CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT Groups
URL: https://securityaffairs.co/wordpress/82345/apt/cve-2019-0797-fruitarmor-sandcat.html
Author: Pierluigi Paganini
Date: 13th March 2019
Excerpt: “One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it has observed targeted attacks exploiting the issue alongside a recently addressed Chrome flaw (CVE-2019-5786). The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups.”

——-

Title: What do sexy selfies, search warrants, tax files have in common? They’ve all been found on resold USB sticks
URL: https://www.theregister.co.uk/2019/03/14/usb_recoverable_data/
Author: Thomas Claburn
Date: 14th March 2019
Excerpt: “You do know just dragging stuff to the delete folder doesn’t wipe stuff, right? Apparently not. About two-thirds of USB memory sticks bought secondhand in the US and UK have recoverable and sometimes sensitive data, and in one-fifth of the devices studied, the past owner could be identified.”

——-

Title: Unsecured Database Exposed 33 Million Job Profiles in China
URL: https://www.bleepingcomputer.com/news/security/unsecured-database-exposed-33-million-job-profiles-in-china/
Author: Lawrence Abrams
Date: 14th March 2019
Excerpt: “A large database with approximately 33 million profiles for people seeking jobs in China has been fully accessible and unprotected online. This information included sensitive information that could have been used for scammers and identity theft. The database was discovered by Sanyam Jain, a security researcher and member of GDI.Foundation, who found the database using the Shodan search engine.”

——-

Title: Malware Spreads As a Worm, Uses Cryptojacking Module to Mine for Monero
URL: https://www.bleepingcomputer.com/news/security/malware-spreads-as-a-worm-uses-cryptojacking-module-to-mine-for-monero/
Author: Sergiu Gatlan
Date: 12th March 2019
Excerpt: “A modular malware with worm capabilities exploits known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine for Monero cryptocurrency. Systemctl.exe, the worm module of the malware named PsMiner by the 360 Total Security researchers, is a Windows binary written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet.”

——-

Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.0834 – [Appliance] Power 9 Systems: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/77154
“…could allow the host full access to BMC memory and flash…”

2. ESB-2019.0782 – [Linux][HP-UX][Solaris][AIX] IBM MQ: Execute arbitrary code/commands – Existing account
https://portal.auscert.org.au/bulletins/76906
“…a local user to inject code that could be executed with root privileges…”

3. ESB-2019.0806 – [Win][Linux][HP-UX][Solaris][AIX] IBM Db2: Increased privileges – Existing account
https://portal.auscert.org.au/bulletins/77042
“…potentially giving low privilege user full access to root…”

4. ASB-2019.0077 – [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/76950
“CVE-2019-0797   Elevation of Privilege   Important”

Wishing you the best from AUSCERT and hope to see you safe next week,

Geoffroy


AUSCERT Week in Review for 1st March 2019

01 March 2019

Greetings,

This week was marked by solution providers running for the hills with runc, as more can be done with the call than what was documented. The vulnerability is being patched and the solutions are being rolled out. Also, the final days of Coinhive can be counted on two hands. The reason for the shutdown is that the business model “isn’t economically viable anymore.” Somehow, a permutation of it with a different currency-algorithm pair, coupled with the fact that new APIs in browsers may continue to trudge on even after the browser is closed, means a new service is bound to emerge. This type of service may be taking a break, but mining on others’ computers is bound to come back. After all, that’s where the money is these days.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

——-

Title: Cisco Fixes Critical RCE Vulnerability in RV110W, RV130W, and RV215W Routers
URL: https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-rce-vulnerability-in-rv110w-rv130w-and-rv215w-routers/
Date: 28th February 2019
Author: Sergiu Gatlan
Excerpt: “Cisco fixed a critical remote code execution vulnerability present in the web-based management interface of the RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router devices. Cisco’s security advisory rates the vulnerability currently tracked under CVE-2019-1663 as critical and assigns it a 9.8 base score based on the Common Vulnerability Scoring System (CVSS) 3.0 given that it could allow potential unauthenticated attackers to remotely execute arbitrary code on any of the three vulnerable routers.”

——-

Title: Coinhive to Mine Its Last Monero in March
URL: https://threatpost.com/coinhive-monero-shutdown/142290/
Date: 28th February 2019
Author: Tara Seals
Excerpt: “It seems like a good model on the surface, but in the notice on its website, posted on Tuesday, Coinhive management said that a 50 percent drop in the hash rate after the latest Monero fork “hit us hard.” The hash rate refers to the speed at which a mining operation is completed – i.e., how long it takes to uncover one block of currency.”

——-

Title: Drupal RCE Flaw Exploited in Attacks Days After Patch
URL: https://www.securityweek.com/drupal-rce-flaw-exploited-attacks-days-after-patch
Date: 26th February 2019
Author: Eduard Kovacs
Excerpt: “A vulnerability patched recently in the Drupal content management system (CMS) has been exploited in the wild to deliver cryptocurrency miners and other payloads. The attacks started just three days after a fix was released. …The patches released on February 20 were quickly analyzed and technical details and proof-of-concept (PoC) code were released roughly two days later.”

——-

Title: Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor
URL: https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/
Date: 25th February 2019
Author: Lawrence Abrams
Excerpt: “Researchers have discovered a malspam campaign that is distributing a malicious RAR archive that may be the first one to exploit the newly discovered WinRAR ACE vulnerability to install malware on a computer. Last week, Checkpoint disclosed a 19 year old vulnerability in the WinRAR UNACEV2.DLL library that allows a specially crafted ACE archive to extract a file to the Windows Startup folder when it is extracted. This allows the executable to gain persistence and launch automatically when the user next logs in to Windows.”

——-

Title: New browser attack lets hackers run bad code even after users leave a web page
URL: https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/
Date: 25th February 2019
Author: Catalin Cimpanu
Excerpt: “Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users’ browsers even after users have closed or navigated away from the web page on which they got infected. …This is possible because modern web browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that render a page’s user interface from operations that handle intense computational tasks so that the web page UI doesn’t freeze when processing large quantities of data.”

——-

Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.0621 – [Win] Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools: Administrator compromise – Existing account
https://portal.auscert.org.au/bulletins/76234
“An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.”

2. ESB-2019.0625 – [RedHat] Red Hat Ansible Engine: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/76258
“path traversal vulnerability which allows copying and overwriting files…”

3. ESB-2019.0622 – [Appliance] Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/76242
“could allow an unauthenticated, remote attacker to execute arbitrary code…”

4. ESB-2019.0597 – [Appliance] Moxa IKS and Moxa EDS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/76138
“The devices use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.”

5. ESB-2019.0559 – [SUSE] kernel-firmware: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/75986
“…in Bluetooth where the elliptic curve parameters were not sufficiently validated during Diffie-Hellman key exchange.”

Wishing you the best from AUSCERT and hope to see you safe next week,

Geoffroy
