AUSCERT Week in Review for 8th September 2017 AUSCERT Week in Review8th September 2017 Greetings, As Friday 8th of September comes to a close, we are looking forward to having as many people answering the 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey.By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector.Time is running out! Complete the survey and go in the draw to win one of three Apple Watches.* The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT * Refer to the website for competition terms and conditions. This is all topped off with numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Breach at Equifax May Impact 143M AmericansURL: https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/Date: 7th September 2017Author: Brian Krebs Excerpt:“Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.” ——- Title: Patch Released for Critical Apache Struts BugURL: https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/Date: 5tht September 2017Author: Tom Spring Excerpt:“This particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,” ——- Title: Australian SMEs consider antivirus software sufficient defence: MYOBURL: http://www.zdnet.com/article/australian-smes-consider-antivirus-software-sufficient-defence-myob/Date: 6th September 2017Author: Asha McLean Excerpt:“A study by accounting software firm MYOB has found that 87 percent of small and medium-sized enterprises (SMEs) in Australia consider their business to be safe from cyber attacks, mainly because they use antivirus software.” ——-Title: Xero users targeted by info stealer malwareURL: https://www.itnews.com.au/news/xero-users-targeted-by-info-stealer-malware-472853Date: 8th September 2017Author:Juha Saarinen Excerpt:“..a sophisticated phishing email campaign in August that purported to be from Xero.The messages were similar to Xero monthly billing notifications, and asked users to review their invoices by clicking on a link in the email.If the targeted users clicked on the link, a ZIP archive containing obfuscated Javascript was downloaded to their computers..” ——-Title: Australians turning a blind eye to data backup & securityURL:  https://securitybrief.com.au/story/australians-turning-blind-eye-data-backup-security/Date: 6th September 2017Author: Sara Barker Excerpt:“Some Australians are turning a blind eye to their computer safety – even despite highly publicised cyber attacks, according to a survey from Acronis.The global poll was conducted on the general internet population from Australia, Japan, Germany, the US, U.K, Germany, France and Spain in August.The survey found that 46.5% of respondents do not back up their computers – possibly because 67.8% have never lost important photos or files from a computer or mobile device.” ——-Title: CSIRO’s Data61 builds innovative security platform for defence sectorURL: https://securitybrief.com.au/story/csiros-data61-builds-innovative-security-platform-defence-sector/Date: 7th September 2017Author: Sara Barker Excerpt:“The technology, dubbed ‘Cross-Domain Desktop Compositor’ (CDDC), provides a single interface for staff, which works well in areas with limited physical workspace such as ships, Data61 says.The CDDC also provides a seamless and fully integrated secure system, as well as additional functionality such as controlled data transfer and copy-paste.According to Data61, solutions in the market often trade off security and usability against each other. Buyers who favour usability are more vulnerable to attacks and data leakage between secret networks.” ——- And lastly, here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2017.2220 – [RedHat] kernel-rt : Root compromise – Existing account https://portal.auscert.org.au/bulletins/51926 A vulnerability in the web interface for Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to bypass authentication and perform command injection with root privileges 2.    ASB-2017.0141 – [Android] Google Nexus devices: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51978 Multiple vulnerabilities have been identified in Android prior to security patch level strings 2017-09-01 and 2017-09-05. 3.    ESB-2017.2261 – [BlackBerry] BlackBerry: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/52102 BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. 4.    ESB-2017.2271 – [Win][UNIX/Linux] IBM Db2: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/52142 A series of vulnerabilities in IBM Db2 that include Administrator Compromise. Wishing you the best from AUSCERT and stay safe,Geoffroy

AUSCERT Week in Review for 1st September 2017 AUSCERT Week in Review 01 September 2017 Greetings, 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches*. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete. https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT * Refer to the website for competition terms and conditions.  As Friday 1st of September comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:   Title: 700 Million-Plus Email Addresses Leaked by Spam OperationDate Published: 31 Aug 2017URL: https://www.bankinfosecurity.com/700-million-plus-email-addresses-leaked-by-spam-operation-a-10246Author: Jeremy KirkExcerpt: “A sloppy spamming operation has exposed on a server in the Netherlands gigabytes of files that include 711 million email addressees and some associated account passwords.”   Title: China Creates Secure Communications NetworkDate Published: 1 Sep 2017URL: http://www.securitymagazine.com/articles/88280-china-creates-secure-communications-networkAuthor: Kylie BullExcerpt: “China is to use quantum cryptography to create an unhackable communications network. Using the network, some 200 users from the military, government, finance and electricity sectors will be able to send messages without the concern that others may be able to read them.” Title: Session hijacking bug exposed GITLab users private tokensDate Published: 31 Aug 2017URL: https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/Author: Chris BrookExcerpt: “GitLab, the popular web-based Git repository manager, fixed a vulnerability recently that could have opened its users up to session hijacking attacks.”   Title: Prevention is no Longer the Best Medicine – Recovery is KeyDate Published: 29 Aug 2017URL: https://www.infosecurity-magazine.com/opinions/prevention-medicine-recovery-key/Author: Rick Orloff Excerpt: “In an ideal world, every company could trust each of its employees not to make any mistakes or slip up in regards to the handling of sensitive corporate data. In this utopia, each employee would also have an impregnable security solutionrendering themselves invulnerable to attack or breach.” Title: Cyber-squatters Target Luxury Brands from Fendi to PradaDate Published: 31 Aug 2017URL: https://www.infosecurity-magazine.com/news/cybersquatters-target-luxury-brands/Author: Tara Seals Excerpt: “Fan of Fendi? Lover of Louboutin? Gaga for Gucci? Be careful, as there are more than 500 websites out here that are actively tricking web usersinto thinking they’re legitimate luxury fashion websites.”   Here are this week’s noteworthy security bulletins: 1) ASB-2017.0137 – [Win][UNIX/Linux] RubyGems: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/51746 This one is a gem. 2) ESB-2017.2157 – [Appliance] Abbott Laboratories Accent/Anthem, Accent MRI, Assurity/Allure and Assurity MRI: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/51662 Is your patching keeping pace? 3) ESB-2017.2165 – [Win][UNIX/Linux] Wireshark: Denial of service – Remote with user interaction https://portal.auscert.org.au/bulletins/51694   A reminder to keep your tools up to date also. Stay safe and have a great weekend. Peter

AUSCERT Week in Review for 25th August 2017 Greetings, 2017 Cyber Security Survey – Time is running out to submit! Public awareness of cyber-crime has never been higher, but is that translating to business readiness? For the second consecutive year, AUSCERT and BDO are delivering the Cyber Security Survey. By taking part you will gain direct access to our survey report in November. This contains valuable data allowing you to compare your business’ current cyber security efforts with trends in your industry sector. Time is running out! Complete the survey and go in the draw to win one of three Apple Watches. The survey closes at midnight on Friday, 15 September 2017. The survey is anonymous and takes 15 minutes to complete.https://www.bdo.com.au/en-au/insights/cyber-security/surveys/2017-cyber-security-survey?utm_medium=Email&utm_source=AUSCERT —–As Friday 25th August comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Malware rains on Googles Android Oreo parade Date Published: 24 Aug 2017 URL: https://nakedsecurity.sophos.com/2017/08/24/malware-rains-on-googles-android-oreo-parade/Author: Bill Brenner Excerpt: “Google has had an exciting summer, for good and bad reasons. The good news: Google just officially launched the eighth version of its operating system, Android Oreo, with enhancements for battery life and security. Last month, it also began rolling out a new feature called Google Play Protect, designed to scan apps that could cause harm to your Android device and data. The bad news: at least five different types of malware were found in Google Play in August alone, including spyware, banking bots and aggressive adware. Thousands of apps contain these malicious payloads and have infected millions of users.” —– Title: Ropemaker exploit allows for changing of email post-delivery Date Published: 23 Aug 2017 URL: https://threatpost.com/ropemaker-exploit-allows-for-changing-of-email-post-delivery/127600/Author: Chris Brook Excerpt: “Researchers say a new exploitable attack vector for email, one that could enable the changing of email content content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site.”—– Title: OAIC investigating Flight Centre customer data leak Date Published: 21 Aug 2017 URL: https://www.itnews.com.au/news/oaic-investigating-flight-centre-customer-data-leak-471346Author: Allie Coyne Excerpt: “Firm is ‘co-operating’ with inquiries. Travel agency Flight Centre is under investigation by the country’s privacy regulator after accidentally releasing personal information of an undisclosed number of its customers to third-party suppliers.”—– Title: Turnbull’s counter-terrorism plan goes beyond whether our cities need bollards Date Published: 23 Aug 2017 URL: https://www.theguardian.com/commentisfree/2017/aug/23/turnbulls-counter-terrorism-plan-goes-beyond-whether-our-cities-needs-bollards-or-notAuthor: Patrick Walsh Excerpt: “Its yet unclear how much help small business owners in public places can expect in order to become resilient to terrorist attacks. But the strategy serves a more important point”—– Here are this week’s noteworthy security bulletins: 1) ESB-2017.2135 – ALERT [Appliance] Westermo MRD: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/5157010 for the CVE score need I say more! 2) ESB-2017.2128 – [Appliance] HPE Integrated Lights-out 4: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/51542 Lights out cards for priviliged remote access. 3) ESB-2017.2110 – [Debian] smb4k: Root compromise – Existing account https://portal.auscert.org.au/bulletins/51470 Samba we are blocking it at the edge right? Where is the edge today? — Stay safe and have a great weekend. Peter

AUSCERT Week in Review for 18th August 2017 Greetings, As Friday 18th August comes to a close, we have seen another busy week of security updates. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Botched Firmware Update Bricks Hundreds of Smart Door LocksDate Published: 12/08/17URL: https://www.bleepingcomputer.com/news/hardware/botched-firmware-update-bricks-hundreds-of-smart-door-locks/Author: Catalin CimpanuExcerpt: “On Tuesday, August 8, smart locks manufacturer LockState botched an over-the-air firmware update for its WiFi enabled smart locks, causing the devices to lose connectivity to the vendor’s servers and the ability to open doors for its users.”—– Title: Seven More Chrome Extensions CompromisedDate Published: 15/08/17URL: https://threatpost.com/seven-more-chrome-extensions-compromised/127458/Author: Tom SpringExcerpt: “The number of compromised Chrome browser extensions is growing beyond the initial Aug. 1 hijacking of the OCR add-on called Copyfish. Added to list are seven additional legitimate Chrome Extensions that attackers took over and used to manipulate internet traffic and web-based ads, according to researchers at Proofpoint.”—– Title: Maersk Shipping Reports $300M Loss Stemming from NotPetya AttackDate Published: 16/08/17URL: https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/Author: Michael MimosoExcerpt: “Maersk was just one of hundreds of companies impacted around the world by NotPetya, also known as ExPetr. The wiper attack was disguised as ransomware, and like WannaCry before it, was spread via the leaked NSA EternalBlue exploit along with a few other distribution vectors, including a watering hole attack.”—– Title: LambdaLocker ransomware victim? Now you can decrypt your files for freeDate Published: 17/08/17URL: http://www.zdnet.com/article/lambdalocker-ransomware-victim-now-you-can-decrypt-your-files-for-free/Author: Danny PalmerExcerpt: “No More Ransom recently celebrated its one-year anniversary, and now offers over 50 decryption tools for use against more than 100 ransomware families.”—– Title: Biohackers Encoded Malware in a Strand of DNADate Published: 08/08/17URL: https://www.wired.com/story/malware-dna-hack/Author: Andy GreenbergExcerpt: “In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2017.2048 – [Win][UNIX/Linux] Drupal Core: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51222The latest release of Drupal Core fixes some vulnerabilities that could allow attackers to bypass access restrictions. 2) ESB-2017.2032 – [Ubuntu] postgresql: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/51158New vulnerabilities in the authentication modules of postgresql could allow attackers to access users’ passwords, or log in with an empty password. 3) ESB-2017.2010 – [Linux][Debian] iortcw: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/51070The Quake 3 engine, despite being 18 years old now, still has bugs present. —   Stay safe and have a great weekend. Anthony

AUSCERT Week in Review for 11th August 2017 Greetings, As Friday 11th August comes to a close, we have seen another busy week of security updates. AUSCERT published its 2000th ESB bulletin for the year today – an average of nearly 9 each day since the year began! Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Attackers Use Typo-Squatting To Steal npm CredentialsDate Published: 4/08/2017URL: https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/Author: Tom SpringExcerpt: “Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all,40 npm packages were found malicious and removed from the Node.js package management registry, according to npm.” —— Title: Aussie domain registrars sued over alleged fake invoice scamDate Published: 11/08/2017URL: https://www.itnews.com.au/news/aussie-domain-registrars-sued-over-alleged-fake-invoice-scam-470631Author: Allie CoyneExcerpt: “Two Australian domain name registration companies are being taken to court by the competition watchdog for an alleged fake invoice scam that reaped $2.3 million from their customers.” —— Title: Blood Service escapes penalties in data breach investigationDate Published: 07/08/2017URL: https://www.itnews.com.au/news/blood-service-escapes-penalties-in-data-breach-investigation-470264Author: Allie CoyneExcerpt: “The Australian Red Cross Blood Service and its website contractor have escaped penalties from the country’s privacy watchdog over a 2016 data breach that exposed the data of 550,000 donors.” —— Title: VPN Provider Accused of Sharing Customer Traffic With Online AdvertisersDate Published: 08/08/2017URL: https://www.bleepingcomputer.com/news/technology/vpn-provider-accused-of-sharing-customer-traffic-with-online-advertisers/Author: Catalin CimpanuExcerpt: “In a 14-page complaint, the CDT accuses AnchorFree — the company behind the Hotspot Shield VPN — of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users.” —— Here are this week’s noteworthy security bulletins: 1) ESB-2017.1987 – [Linux][Debian][OSX] git: Execute arbitrary code/commands — Remote with user interactionhttps://portal.auscert.org.au/bulletins/50982A newly-discovered vulnerability in git can cause users to execute shell commands by cloning a malicious repo, by making use of ssh:// URLs. 2) ESB-2017.1978 – [Win][OSX] Adobe: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50942The latest round of Adobe patches fix various security vulnerabilities in Adobe Reader, including remote code execution and denial of service. 3) ASB-2017.0134 – [Win][UNIX/Linux] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50958A new update for Mozilla Firefox fixes several significant security issues. Stay safe, stay patched and have a good weekend! Anthony

AUSCERT Week in Review for 4th August 2017 Greetings, As Friday 4th August comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: WannaCry hero arrested over banking malwareDate Published: 4/08/2017URL: https://www.itnews.com.au/news/wannacry-hero-arrested-over-banking-malware-470090Author: Juha SaarinenExcerpt: “Marcus Hutchins, the security researcher credited for blunting the effect of the WannaCry ransomware attack in May this year, has been arrested in the United States.”—– Title: HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE)Date Published: 2/08/2017URL: http://variety.com/2017/digital/news/hbo-hack-thousands-of-documents-stolen-1202513573/Author: Janko RoettgersExcerpt: “The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested. A security company hired by HBO to scrub search results for the hacked files from search engines has told Google that the hackers stole “thousands of Home Box Office (HBO) internal company documents.””—– Title: Cryptocurrency community readies for Bitcoin Cash forkDate Published: 31/07/2017URL: https://www.itnews.com.au/news/cryptocurrency-community-readies-for-bitcoin-cash-fork-469732Author: Juha SaarinenExcerpt: “A new version of the Bitcoin cryptocurrency will be launched this Wednesday, in an effort to rectify the network capacity issues that have plagued the digital currency in recent months.”—– Title: SMBLoris – the new SMB flawDate Published: 30/07/2017URL: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/Author: Renato MarinhoExcerpt: “While studying the infamous EternalBlue exploit about 2 months ago, researchers Sean Dillon (zerosum0x0) and Zach Harding (Aleph-Naught-) found a new flaw in the Server Message Block (SMB) protocol that could allow an adversary to interrupt the service by depleting the memory and CPU resources of the targeted machine on a Denial of Service (DoS) attack.”—– Title: How Netflix DDoS’d Itself To Help Protect the Entire InternetDate Published: 28/07/2017URL: https://www.wired.com/story/netflix-ddos-attack/Author: Lily Hay NewmanExcerpt: “In June 2016, Netflix security engineer Scott Behrens ran a massive infrastructure test on the streaming system in front of dozens of coworkers. In the process, he brought the site down. But instead of panic or embarrassment, it was a moment of celebration. Behrens, working with cloud security engineer Jeremy Heffner and others, had successfully shown that Netflix was in fact vulnerable to an unorthodox type of distributed denial of service attack. And proving it worked was the first step toward preventing it in the future—not just for Netflix but for the entire internet.”—– Here are this week’s noteworthy security bulletins: 1) ESB-2017.1859 – ALERT [Win][UNIX/Linux] BIND: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50434BIND 9 version 9.9.10-P2,BIND 9 version 9.10.5-P2 and BIND 9 version 9.11.1-P2 have been released and these versions fix two vulnerabilities that allow to Attacker to circumvent TSIG authentication of AXFR and NOTIFY requests or forge a valid TSIG or signature for a dynamic update. 2) ESB-2017.1932.2 – UPDATED ALERT [Win] Siemens Molecular Imaging: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/50722Siemens Molecular Imaging are vulnerable to multiple remote code unauthenticated exploits, exploit have been seen in the wild so please apply mitigations until Siemens produces patches! 3) ESB-2017.1926 – [Win][OSX] Prenotification Security Advisory for Adobe Acrobat and Readerhttps://portal.auscert.org.au/bulletins/50702Adobe have been keeping with the Microsoft patch Tuesday schedule for a couple of years now but this vulnerability must be pretty severe if they are doing a pre-notification of the out of band update! Get ready to patch your SOEs/MOEs at least twice next month! Stay safe, stay patched and have a good weekend! Ananda

AUSCERT Week in Review for 28th July 2017 Greetings, As Friday 28th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: WikiLeaks drops another cache of ‘Vault7’ stolen toolsDate Published: 26/07/2017URL: https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-of-vault7-stolen-tools/Author: Taylor ArmerdingExcerpt: “The WikiLeaks “Vault 7” almost-weekly drip-drip-drip of confidential information on the cybertools and tactics of the CIA continued last week. The latest document dump is a trove from agency contractor Raytheon Blackbird Technologies for the so-called “UMBRAGE Component Library” (UCL) Project, which includes reports on five types of malware and their attack vectors.” —– Title: Joint international operation sees US citizen arrested for denial of service attacks on IT systems Date Published: 28/07/2017 URL: https://www.afp.gov.au/news-media/media-releases/joint-international-operation-sees-us-citizen-arrested-denial-serviceAuthor: AFPExcerpt: “A two and a half year joint operation between the Australian Federal Police (AFP), Federal Bureau of Investigation (FBI) and Toronto Police Department has resulted in a 37-year-old Seattle man being arrested in connection with serious offences relating to distributed denial of service attacks on IT systems.” —– Title: Australia’s war on maths blessed with gong at Pwnie AwardsDate Published: 27/07/2017URL: https://www.computerworld.com.au/article/625351/australia-war-maths-blessed-gong-pwnie-awards/Author: Rohan PearceExcerpt: “Australia’s own Malcolm Turnbull has been recognised at the Pwnie Awards in Las Vegas, with the prime minister taking out the ‘Pwnie for Most Epic FAIL’. The annual awards, staged at the BlackHat security conference, recognise security successes and failures.” —–Title: Flash Player death warrant signed by AdobeDate Published: 27/07/2017URL: http://technology.inquirer.net/65543/flash-player-death-warrant-signed-by-adobeAuthor: INQUIRER.netExcerpt: “Adobe is making a move to permanently terminate it’s Flash Player feature—which many believe should have been done a while back. According to an Adobe press release, the end-of-life (EOL) of the multimedia software platform is already in the works, as they are working with various technology partners like Apple, Facebook, Google, Microsoft and Mozilla, to create a smooth transition into open web platform.” —–Title: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. GoxDate Published: 26/07/2017URL: https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-allegedAuthor: Department of JusticeExcerpt: “SAN FRANCISCO – A grand jury in the Northern District of California has indicted a Russian national and an organization he allegedly operated, BTC-e, for operating an unlicensed money service business, money laundering, and related crimes.” —–Here are this week’s noteworthy security bulletins: 1) ESB-2017.1841 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50358 Cisco has released information about three vulnerabilities (CVE-2017-6665, CVE-2017-6664, CVE-2017-6663) that do not have any patches currently. 2) ASB-2017.0125 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50350 Two vulnerabilities have been fixed in Joomla! core, the first is a fix to the CMS Installer itself and the second is a fix in the lack of proper filtering of potentially malicious HTML tags. 3) ESB-2017.1852 – ALERT [Cisco] Cisco Products: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/50402 Multiple Cisco Products are susceptible to an OSPF LSA Manipulation Vulnerability. This allows an attacker to take full control of the OSPF AS routing table. AUSCERT in the Media: Title: The Methodology of Improving Incident ResponseURL: http://www.bankinfosecurity.com/methodology-improving-incident-response-a-10124Author: Tom FieldExcerpt: “AUSCERT is one of the oldest CERT’s in the world, and Phil Cole says the independent organization is now laser-focused on helping enterprises across sectors to fundamentally improve their strategies and solutions for incident response.”—-Title: Is your company and customer data being sold on the darknet?URL: https://www.cio.com.au/article/621699/your-company-customer-data-being-sold-darknet/Author: George NottExcerpt: “Increasingly businesses are monitoring the darknet for clues that their company and customer data is being exposed. But it’s no easy task. Last week, The Guardian reported that Australians’ Medicare numbers were being offered for sale on a darknet marketplace for the equivalent of $30 in Bitcoins each.” Stay safe, stay patched and have a good weekend! Ananda

AUSCERT Week in Review for 21st July 2017 As Friday 21st July comes to a close along with the latest Oracle and Apple security updates, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Cisco patches critical bug in WebEx plug-in for Chrome, Firefox on WindowsDate Published: July 18 2017URL: http://www.zdnet.com/google-amp/article/cisco-patches-critical-bug-in-webex-plug-in-for-chrome-firefox-on-windows/Author: Liam TungExcerpt: “Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution. WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.” Title: Issues found via fuzzing by Guido VrankenDate Published: July 17 2017URL: http://freeradius.org/security/fuzzer-2017.htmlAuthor: FreeRADIUS Excerpt:“In order to improve the security of FreeRADIUS, we asked Guido to try fuzzing FreeRADIUS. He spent a week working with us, and managed to find a number of issues. We worked together to create and validate fixes for all of them. His blog contains a short note on the subject. The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems.” Title: Oracle e-business suite flaw allows downloads of documentsDate Published: July 18 2017URL: https://threatpost.com/oracle-e-business-suite-flaw-allows-downloads-of-documents/126897/Author: Michael MimosoExcerpt:“Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication. The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be update and the risk be mitigated completely.” Title: Apple patches BROADPWN bug in IOS 10.3.3Date Published: July 20 2017 URL: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/Author: Tom SpringExcerpt:“Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device. BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.” —- Here are this week’s noteworthy security bulletins: 1) ESB-2017.1765 – ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/49958 WebEx is one the most widely used meeting and collaboration tools in use today. If you use the Google Chrome or Firefox WebEx extension on Windows, then upgrade as soon as possible. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected browser on the affected system. 2) ESB-2017.1767 – ALERT [UNIX/Linux][BSD][RedHat] freeradius: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49966 FreeRADIUS is a Remote Authentication Dial In User Service (RADIUS) server. It provides centralised authentication and authorization for many Fortune-500 companies and ISPs. It’s also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam. A remote attacker could crash the FreeRADIUS server or execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet. For more information see the article we referenced earlier. 3) ASB-2017.0121 – ALERT [Appliance][Solaris] Oracle Sun Systems: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50066 If you have Oracle Sun Solaris systems in your environment, we advise patching as soon as possible to mitigate a shadowbrokers EASYSTREET (CVE-2017-3632) vulnerability. This easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to completely take over the system. 4) ASB-2017.0106 – ALERT [Win][UNIX/Linux] Oracle E-Business Suite: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/50006 An easily exploitable vulnerability (CVE-2017-10244) would allow an unauthenticated attacker with network access to access any document stored there with a single HTTP request. 5) ASB-2017.0104.2 – UPDATE ALERT [Win][UNIX/Linux] Oracle Fusion Middleware: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49998 This easily exploitable vulnerability (CVE-2017-10137) is rated 10.0 and allows the unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server. 6) ESB-2017.1783 – [Apple iOS] Apple iOS: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/50118 Of interest is the BroadPwn vulnerability (CVE-2017-9417). An attacker within range of an iPhone, iPad or IPod touch may be able to execute arbitrary code on the Wi-Fi chip. See more information in the article we referenced earlier. —- Stay safe, stay patched and have a good weekend! Danny  

AUSCERT Week in Review for 14th July 2017 As Friday 14th July comes to a close along with the monthly Microsoft Security Update, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Microsoft Patches 19 Critical Vulnerabilities in July Patch Tuesday UpdateDate Published: July 12 2017URL: http://www.esecurityplanet.com/endpoint/microsoft-patches-19-critical-vulnerabilities-in-july-patch-tuesday-update.htmlAuthor: Sean Michael KernerExcerpt: “Microsoft released its latest monthly Patch Tuesday update on July 11, patching a total of 54 vulnerabilities, of which 19 were rated as critical. Microsoft’s HoloLens Virtual Reality (VR) technology received its first patch this month, for a critical remote code execution vulnerability identified as CVE-2017-8584. The vulnerability could have been triggered by an attack that sent a malicious WiFi packet to the HoloLens.” —– Title: The laws of Australia will trump the laws of mathematics: TurnbullDate Published: July 14 2017 URL: http://www.zdnet.com/article/the-laws-of-australia-will-trump-the-laws-of-mathematics-turnbull/Author: Chris Duckett and Asha McLeanExcerpt: “Regardless of what the laws of mathematics state around breaking into end-to-end encryption, the Australian government is determined to bring in laws that go against them, with the Prime Minister of Australia telling ZDNet that the laws produced in Canberra are able to trump the laws of mathematics. ‘The laws of Australia prevail in Australia, I can assure you of that,’ he said on Friday. ‘The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’ On Friday, the government unveiled plans to introduce legislation this year that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.” —– Title: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert SaysDate Published: July 12 2017URL: http://www.securityweek.com/lets-encrypt-wildcard-certificates-boon-cybercriminals-expert-saysAuthor: Ionut ArghireExcerpt: “The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time. Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued over around 15,000 security certificates containing the term PayPal for phishing sites.“ —– Title: China orders complete block on VPNs to begin by February 2018Date Published: 11 July 2017URL: https://www.v3.co.uk/v3-uk/news/3013611/china-orders-complete-block-on-vpns-to-begin-by-february-2018Author: Graeme BurtonExcerpt: “The Chinese government has ordered the country’s big-three telecoms and internet service providers, China Mobile, China Telecom and China Unicom, to completely block access to virtual private networks (VPNs) by February 2018 in the latest stage of its campaign to prevent web users from circumventing the ‘great firewall of China’.” —– Here are this week’s noteworthy security bulletins: 1) ESB-2017.1714 – ALERT [Win][UNIX/Linux] Apache Struts: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/49726 This *new* Apache struts issue went largely unnoticed by mainstream media despite there being POCs available and vulnerable servers visible in Google search. AUSCERT advises members to inform web developers and users to check if sites are vulnerable. 2) ESB-2017.1715 – [UNIX/Linux][Debian] xorg-server: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49730 This was another vulnerability that went largely unnoticed. Two security issues were discovered in the X.org X server, the worst leading to privilege escalation. Since X server in most environments runs as root this vulnerability could potentially lead to root compromise. 3) ESB-2017.1721 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49754 Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. AUSCERT advises members to remove Adobe Flash if possible otherwise to keep Adobe products upgraded. 4) ASB-2017.0100 – [Win] Microsoft Windows: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49782 Our hundredth ASB for 2017 is fittingly for Microsoft Windows and includes an unusual vulnerability – a critical remote code execution vulnerability in Microsoft’s HoloLens Virtual Reality (VR) technology. Refer to our first interesting article of the week for more details. —- Stay safe, stay patched and have a good weekend! Danny

AUSCERT Week in Review for 7th July 2017 As Friday 7th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Westpac joins Swift blockchain testDate Published: 06/07/2017URL: https://www.itnews.com.au/news/westpac-joins-swift-blockchain-test-467746Author: Staff Writers Excerpt: “Second Aussie bank after ANZ to take part.Westpac has become the second Australian bank to join a proof-of-concept by payment messaging service Swift that aims to test blockchain for facilitating cross-border payments.It is one of 22 global banks to join the PoC today, adding to the six foundational banking participants, one of which is ANZ Bank.” —–Title: Microsoft to cut ‘thousands’ of jobsDate Published: 07/07/2016URL: http://www.bbc.com/news/business-40523172Author: BBCExcerpt: “Microsoft is to cut “thousands” of jobs worldwide as it attempts to beef up its presence in the cloud computing sector.The technology giant wants to strengthen its cloud computing division but is facing intense competition from rivals such as Amazon and Google.” —–Title: Australia stuck with higher cost of deploying FttP: NBN CoDate Published: 06/07/2017URL: https://www.itwire.com/telecoms-and-nbn/78880-australia-stuck-with-higher-cost-of-deploying-fttp-nbn-co.htmlAuthor: Peter DinhamExcerpt: “NBN Co, the builder of the national broadband network, has moved to defend the higher costs of deploying fibre-to-the-premises in Australia and “set the record straight” on recent media claims about the local cost of FttP compared to other operators around the world.” —–Title: Ukrainian police seize computers that spread global NotPetya attackDate Published: 05/07/2017URL: http://www.itworld.com/article/3205810/malware/ukrainian-police-seize-computers-that-spread-global-notpetya-attack.htmlAuthor: Peter Sayer Excerpt: “Ukraine’s Cyber Police have intervened to prevent further cyberattacks in the wake of last week’s global attack, initially considered to be ransomware and called by various names including NotPetya.” —–Title: Govt blames Medicare card breach on ‘traditional’ crimsDate Published: 04/07/2017URL: https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502Author: Allie Coyne Excerpt: “Not wide-scale, and no IT breach, says minister. The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1655 – [SUSE] Xen: Multiple vulnerabilities 2017-06-30https://portal.auscert.org.au/bulletins/49486Quite a few Xen Vulnerabilities, if you are running Xen it is time to check for updates. 2) ESB-2017.1659 – [Debian] libgcrypt20: Unauthorised access – Existing account 2017-07-03https://portal.auscert.org.au/bulletins/49510Side channel attacks are getting rather popular. 3) ESB-2017.1676 – [SUSE] sudo: Root compromise – Existing account 2017-07-05https://portal.auscert.org.au/bulletins/49570Regression fix for CVE-2017-1000368, this has been repeated in a few products. 4) ESB-2017.1682 – [Win][UNIX/Linux] samba: Denial of service – Remote/unauthenticated 2017-07-06https://portal.auscert.org.au/bulletins/49594Remote Samba denial of service, that has to be able to affect a lot of people. —- Stay safe, stay patched and have a good weekend! Peter

AUSCERT Week in Review for 30th June 2017 Hope you all have had a chance to investigate the new website. Please email us at auscert@auscert.org.au or call 07 3365 4417 with any questions or concerns about the new website. As Friday 30th June comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: The Petya ransomware is starting to look like a cyberattack in disguiseDate Published: 28/06/2017 URL: https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russiaAuthor: Russell Brandom Excerpt: “The haze of yesterdays massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hacks reach touched some of the countrys most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.” —– Title: Google Slapped With Record $3.6 Billion Fine In Europe For Manipulating Shopping Results Date Published: 28/06/2017URL:  https://www.gizmodo.com.au/2017/06/google-slapped-with-record-3-6-billion-fine-in-europe-for-manipulating-shopping-results/Author: Matt Novak Excerpt: “Yesterday, government regulators in Europe hit Google with a record 2.42 billion fine, roughly the equivalent of $3.5 billion. The search engine company was found to be manipulating search results to favour its own shopping service, a violation of antitrust laws. And if it doesn’t fix the problem within 90 days it faces an additional 12.5 million ($18.7 million) fine per day.” —– Title: Defence launches ‘Information Warfare Division’ Date Published: 30/06/2017 URL: https://www.computerworld.com.au/article/621324/defence-launches-information-warfare-division/Author: George Nott Excerpt: “The Australian Defence Force is launching a new Information Warfare Division responsible for electronic warfare, the government announced today.” —– Title: Turnbull government continues push against online encryption ahead of Five Eyes meeting Date Published: 26/06/2017 URL: http://www.news.com.au/technology/online/security/turnbull-government-continues-push-against-online-encryption-ahead-of-five-eyes-meeting/news-story/cae2303d24bcfe90cf3d490083c208e9Author: Nick Whigham and AAP Excerpt: “AUSTRALIA will be leading the discussion on an encrypted technology crack down when ministers meet with FiveEyes nations to talk terror prevention. Leaders from Australia, the United States, United Kingdom, Canada and New Zealand, will meet in the Canadian city of Ottawa where they will discuss tactics to combat terrorism and the spread of extremism.” —– Title: Qld ex-cop charged with 44 counts of database snooping Date Published: 28/06/2017 URL: https://www.itnews.com.au/news/qld-ex-cop-charged-with-44-counts-of-database-snooping-466817Author: Allie Coyne Excerpt: “The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’score crimes database 44 times over six years without authorisation.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1639 – [Ubuntu] Kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49422 USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. That is a lot of regressions 🙁 2) ESB-2017.1643 – [Win] OpenSource Apache Struts: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49438 Struts is in all sorts of products. 3) ESB-2017.1644 – [Appliance] Cisco IOS and IOS XE Software: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49442 Root compromise that is significant. 4) ESB-2017.1602 – [Win][Linux][AIX] IBM Java SDK: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49270 Oh no not Java vulnerabilities —- Stay safe, stay patched and have a good weekend! Peter