Week in review

AUSCERT Week in Review for 11th November 2022

Greetings,

AUSCERT is seeking a new team member in our security systems admin and development area to lead engineering efforts and coordinate projects across our Analyst Team. If you're interested in security automation, infrastructure-as-a-service and cybersecurity-specific open source projects such as MISP, apply now – applications close this Sunday!

AUSCERT’s Senior Manager, Mike Holm, delivered a presentation on how to digest MISP data and draw meaningful conclusions from it during the 2022 AHECS Cybersecurity Summit held on the 7th-9th November in Canberra. The AHECS Cybersecurity Summit is a conference developed by the sector with a focus on the Higher Education and Research Cybersecurity, Identity Management and Privacy Community.

In cyber security news this week, criminals released files on a dark web forum that are believed to contain stolen Medibank customer data. Australian Federal Police announced the expansion of Operation Guardian to protect Medibank Private customers whose personal data was unlawfully released to the internet. Operation Guardian was set up in September this year to deliver specialised protection to current and former Optus customers from identity crime and financial fraud following the Optus cybercrime incident. AUSCERT advises its members who are impacted by the recent data breaches to be alert for any phishing scams via email, texts, voice calls or post and to verify any communications received to ensure that they are from a legitimate source.

In other news this week, our celestial neighbour glowed a spectacular red colour as the last total lunar eclipse for three years illuminated the sky on Tuesday night. While most parts of Australia had a clear view of the total lunar eclipse, the stargazers from our neighbours across the ditch had the most spectacular full show. The next total lunar eclipse is expected to grace our skies on March 14, 2025.

Last but not least, AUSCERT acknowledges Remembrance Day and remembers the armed forces members who gave their lives in the line of duty to protect the nation. Have a good weekend!

Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data
Date: 2022-11-07 Author: The Hacker News
Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.

Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft
Date: 2022-11-07 Author: Security Week
According to Microsoft’s 2022 Digital Defense Report, nation-state hacker attacks on critical infrastructure have soared, largely due to Russian cyber operations targeting Ukraine and its allies. Between June 2020 and June 2021, 20% of all nation-state attacks observed by Microsoft were aimed at critical infrastructure. That percentage increased to 40% in the period between July 2021 and June 2022.

Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws
Date: 2022-11-08 Author: Bleeping Computer
Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. Eleven of the 68 vulnerabilities fixed in today's update are classified as 'Critical' as they allow privilege elevation, spoofing, or remote code execution, one of the most severe types of vulnerabilities.

‘Cyberspace has become a battleground,’ warns Australian Cyber Security Centre
Date: 2022-11-04 Author: The Record
The Australian Cyber Security Centre received over 76,000 cybercrime reports during the last financial year — an increase of nearly 13% — and warned in its latest annual report that “cyberspace has become a battleground.” The agency also warned that the regional dynamics in the Indo-Pacific were “increasing the risk of crisis” and cautioned that “cyber operations are likely to be used by states to challenge the sovereignty of others.”

Several Cyber Attacks Observed Leveraging IPFS Decentralized Network
Date: 2022-11-09 Author: The Hacker News
A number of phishing campaigns are leveraging the decentralized Interplanetary Filesystem (IPFS) network to host malware, phishing kit infrastructure, and facilitate other attacks. "Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks," Cisco Talos researcher Edmund Brumaghin said in an analysis shared with The Hacker News. The research mirrors similar findings from Trustwave SpiderLabs in July 2022, which found more than 3,000 emails containing IPFS phishing URLs as an attack vector, calling IPFS the new "hotbed" for hosting phishing sites.

Medibank hackers target high-profile drug and mental health patients as AFP steps up action
Date: 2022-11-09 Author: ABC News
Medibank customers remain in the dark about whether any of their personal information is among that leaked onto the dark web by hackers overnight. It appears the cybercriminals have published what they have termed "naughty" and "nice" lists of prominent people amongst the leaked data.

ASB-2022.0199.5 – UPDATE Medibank Cyber Security Incident
Medibank released further information on the Medibank cyber security incident and confirmed that customer data has been released on a dark web forum.

ESB-2022.5782 – Nessus: CVSS (Max): 9.8
Tenable released Nessus Version 8.15.7 to address multiple vulnerabilities in its third-party components.

ASB-2022.0234 – ALERT Exchange Server: CVSS (Max): 8.8
Microsoft's most recent security patch update includes a fix that resolves 4 vulnerabilities across Microsoft Exchange Server.

ASB-2022.0233 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 8.8*
Microsoft has released its patch update for the month of November 2022 which resolves 24 vulnerabilities in Windows 7 and Windows Server 2008.

ASB-2022.0231 – ALERT Windows and Windows Server: CVSS (Max): 8.8*
Microsoft released fixes for 40 vulnerabilities across Windows 8.1, 10, 11 and Windows Server 2012, 2016, 2019, 2022.

ESB-2022.5792.2 – UPDATE iOS and iPadOS: CVSS (Max): 8.2
Apple released iOS 16.1.1 and iPadOS 16.1.1 to address issues in libxml which, if exploited, could result in arbitrary code execution or denial of service.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 4th of November 2022

Greetings,

This week saw trick-or-treaters and people of all ages flock to the streets in ‘spooky’ costumes in celebration of Halloween. The history of trick-or-treating goes back to Scotland and Ireland, where the tradition began as people would go door to door staging performances that were rewarded with food and sweets. Speaking of candy, today is National Candy Day! Of course, this is mostly celebrated in the US, but why not make it an excuse to dig into the leftover Halloween treats? Whether it is chewy, gummy, hard, fruit-flavoured or the kind that melts in your mouth, candy has always been a source of universal happiness.

On a more serious topic, the OpenSSL Project released OpenSSL 3.0.7 to address two high-severity security flaws in its cryptographic library amid a big storm of hype in the cyber security world. These flaws were initially listed as “critical” but were downgraded to “high” following additional testing. The vulnerabilities affect OpenSSL versions 3.0.0 to 3.0.6. AUSCERT strongly recommends the deployment of OpenSSL 3.0.7 as soon as possible to impacted applications and servers to avoid potential Denial of Service or Remote Code Execution attacks.

In other news this week, Australia took part in the Counter Ransomware Initiative (CRI) Summit hosted by the White House on 31 October to 1 November 2022. The participating governments released a set of planned actions including the establishment of the Voluntary International Counter Ransomware Task Force, led by Australia, that will encourage threat information sharing and better coordination of the international actions aimed at tracking ransomware criminals' financial activities.

Last but not least, AUSCERT would like to remind everyone to be mindful of current threats and vulnerabilities, with the recent spate of data breaches and ransomware attacks targeting Australian organisations. Have a good weekend!

…

Microsoft releases out-of-band updates to fix OneDrive crashes
Date: 2022-10-29 Author: Bleeping Computer
Microsoft has released out-of-band updates to address a known issue causing OneDrive and OneDrive for Business to crash after installing recent Windows 10 updates. The issue occurs when signing out or unlinking OneDrive accounts or sites and folders from Microsoft Teams and SharePoint. "After installing KB5018410 or later updates, OneDrive might unexpectedly close," Redmond explained in a Windows health dashboard update on Friday.

OpenSSL fixes two high severity vulnerabilities
Date: 2022-11-01 Author: Bleeping Computer
The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7. CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

Australian Defence Department caught up in ransomware attack
Date: 2022-10-31 Author: ABC News
A communications platform used by military personnel and Defence Department public servants has been hit by a ransomware attack. Hackers have targeted the ForceNet service, which is run by an external ICT provider, but Defence has been told no data of current or former personnel appears to have been compromised.

Dropbox discloses breach after hacker stole 130 GitHub repositories
Date: 2022-11-01 Author: Bleeping Computer
Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack. The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent. "To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers," Dropbox revealed on Tuesday.

Govt counter-ransomware taskforce in works
Date: 2022-11-02 Author: FST Media
Minister for Home Affairs and Cyber Security, Clare O’Neil, said the taskforce will be convened by the Department of Home Affairs Cyber and Critical Technology Coordination Centre after members of the international initiative agreed to establish a unit at the Counter Ransomware Summit in Washington earlier this week. “The cyber incident involving Medibank Private is a blunt reminder that we need a globally focused capability to combat cyber threats, including ransomware,” Minister O’Neil said.

ESB-2022.5595 – Red Hat Single Sign-On 7.6.1 security update on RHEL 9
Multiple security fixes introduced with the latest version of Red Hat Single Sign-On address remote code execution, denial of service and XSS vulnerabilities.

ASB-2022.0229.2 – OpenSSL Critical Patch Update for 3.0.x
It was discovered that OpenSSL incorrectly handled certain X.509 email addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

ESB-2022.5303.2 – APPLE-SA-2022-10-24-1 iOS 16.1 and iPadOS 16
Multiple security updates were released by Apple for iOS 16.1 and iPadOS 16 that addressed vulnerabilities relating to arbitrary code execution, app privilege levels and disclosure of user information.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 28th October 2022

Greetings,

Episode 16 of our podcast has landed and features a chat between Anthony Caruana and Alex Tilley of Secureworks about understanding and combatting cyberattacks – timely given the recent spate of Australians impacted by several large-scale data breaches. Later, the AUSCERT team discuss the intangible nature of cyber threats and the need for greater awareness of their relevance and potential impact. To improve understanding of what can be done in this regard, the discussion then focuses on education and learning, including AUSCERT’s training courses.

The first of November each year sees the culturally significant celebration Dia de los Muertos, also known as the Day of the Dead, across Mexico. Unlike Halloween, Dia de los Muertos isn’t about scaring or being frightened but celebrates the lives of loved ones who have passed away. Day of the Dead combines the ancient Aztec custom of celebrating ancestors with All Souls’ Day, a holiday that Spanish invaders brought to Mexico starting in the early 1500s, and has become a joyful time that helps people remember the deceased and celebrate their memory.

This time of year also typically sees shades of purple dominate streetscapes across Australia with the Jacaranda trees flowering. The captivating and vibrant Jacaranda is an iconic tree in Australia but is native to Central and South America. Here at The University of Queensland, they’re even part of local lore, signifying the end-of-year exams, and are celebrated with the BLOOM Festival. There’s a lot to see, including interactive exhibits, live music, pop-up picnics and indigenous foods.

Gov invokes emergency coordination as Medibank breach worsens
Date: 2022-10-26 Author: IT News
The government has invoked a Covid-era response mechanism, bringing together federal, state and territory agencies to coordinate on the worsening Medibank data breach. Minister for cyber security Clare O’Neil said the national coordination mechanism (NCM) was activated on Saturday. The activation came as Medibank announced that the attackers who breached its ahm and international student systems had provided a file which demonstrated compromise of customer records under its main brand as well.

Security experts targeted with malicious CVE PoC exploits on GitHub
Date: 2022-10-24 Author: Security Affairs
A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities. The experts analyzed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021; some of these repositories were used by threat actors to spread malware. The experts pointed out that public code repositories do not provide any guarantees that any given PoC comes from a trustworthy source.

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn
Date: 2022-10-28 Author: Dark Reading
[Refer AUSCERT Bulletin: ASB-2022.0229]
Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a “critical” vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet. On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and the ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime
Date: 2022-10-27 Author: Dark Reading
When we think about cybercrime and retail it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year. Dakota Murphey explains why store owners and security managers also need to protect their physical locations from the cyber threat. Figures from SonicWall’s Biannual Report revealed that e-commerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds. However, for those retailers that have a physical store as well as an online presence, there might be an assumption that cybersecurity in-store doesn’t need to be considered a top priority. Well, doing so could be a big mistake.

Third quarter of 2022 reveals increase in cyberattacks and unexpected developments in global trends
Date: 2022-10-26 Author: Check Point
Highlights:
- Global attacks increased by 28% in the third quarter of 2022 compared to the same period in 2021. The average weekly attacks per organization worldwide reached over 1,130.
- The most attacked industry in the third quarter of the year was the Education/Research sector, with an average of 2,148 attacks per organization every week, an increase of 18% compared to the third quarter of 2021.
- The Healthcare sector was the most targeted industry for ransomware during the third quarter of 2022, with one in 42 organizations impacted by ransomware, a 5% increase YoY.

Australian Clinical Labs says patient data stolen in ransomware attack
Date: 2022-10-27 Author: Bleeping Computer
Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.

ESB-2022.5278 – Apache Commons Text: CVSS (Max): 9.8
Apache Software Foundation has reported a vulnerability in Apache Commons Text and recommends that users upgrade Commons Text to 1.10.0.

ESB-2022.5300 – ALERT macOS Ventura: CVSS (Max): 9.8*
Apple has released macOS Ventura 13 which fixes a number of issues across a range of products.

ASB-2022.0199.4 – UPDATE Medibank Cyber Security Incident
Medibank announced a further development in the Medibank data breach incident. AUSCERT continues to keep its members updated as further information is released.

ASB-2022.0228 – Energy Australia Data Breach
Energy Australia announced a cyber incident which involved unauthorised access to their online platform. AUSCERT is aware of the incident and will share further information with members as it becomes available.

ASB-2022.0229 – OpenSSL
OpenSSL version 3.0.7 is scheduled for Tuesday, 1 November 2022 and includes a patch for a critical vulnerability. AUSCERT strongly recommends that administrators apply the patch when it is released.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for October 21st 2022

Greetings,

AUSCERT has been receiving reports of various Request For Quote (RFQ) scams spoofing Australian universities and targeting several small vendors via the spoofed domain. Our recent blog post delves into the current methods being used, to help identify potential scams, and gives recommendations on what can be done should you be the victim of such a scam.

AUSCERT aims to inform and educate how and when we can, including through our training sessions, aimed at anyone that looks after their organisation’s cyber security. We have three courses currently available for the remainder of 2022, as per the below:
- Intro to Cyber for IT Professionals | October 24 and 25 (it’s not too late to register!)
- Cyber Security Risk Management | October 31 and November 1
- Incident Response Planning | December 6 and 7
All courses are delivered online in two half-day sessions from 9 am to 12:30 pm each day. For more information on each course, or to book online, visit our Education page.

Diwali, also known as the Festival of Lights or Deepavali, will commence on Monday, October 24 and is a five-day-long celebration. It is revered as a day to light the lamp of power, knowledge, and virtues within each of us and signifies the victory of good over evil. Watch out for the celebrations with entertainers, fireworks displays, dancing performances, music, henna and more throughout the city in many shopping centres, King George Square and Indian restaurants. You can learn more about this cultural festival, including a feast consisting of special dishes, by clicking here.

Speaking of food, today is International Day of the Nacho. Yes, there is an official day to indulge and overeat the tasty corn chip or tortilla-based treat, layered with guacamole, beans, minced beef and cheese! Invented in 1943, nachos have been a go-to dish for many, with unknown and seemingly unlimited variations seen in their near 80-year history. To see how others eat their nachos, or to learn more about this Tex-Mex culinary delight, click here.

Adobe patches critical Magento XSS that puts sites at takeover risk
Date: 2022-10-14 Author: The Daily Swig
A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who unearthed the bug. Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible severity (CVSS) score of 10.

Woolworths says 2.2m MyDeal customers’ data hacked
Date: 2022-10-15 Author: Financial Review
[Refer AUSCERT Bulletin: ASB-2022.0200.2]
In the third major corporate security breach in as many weeks, Woolworths is scrambling to contact 2.2 million customers of its MyDeal online marketplace arm whose data has been accessed by an unauthorised user using “compromised” credentials, the supermarket giant says. The hack follows telecoms group Optus in owning up to data breaches affecting millions of consumers. Health insurer Medibank Private also disclosed a data breach but said it had no evidence of any customer data being accessed, although it was still investigating the hack.

Apache Commons Text RCE flaw — Keep calm and patch away
Date: 2022-10-19 Author: Bleeping Computer
[Refer AUSCERT Bulletin: ESB-2022.5278]
A remote code execution flaw in the open-source Apache Commons Text library has some people worried that it could turn into the next Log4Shell. However, most cybersecurity researchers say it is nowhere near as concerning. Apache Commons Text is a popular open-source Java library with an “interpolation system” that allows developers to modify, decode, generate, and escape strings based on inputted string lookups. For example, passing the string lookup ${base64Decoder:SGVsbG9Xb3JsZCE=} to the interpolation system would cause the library to convert it to its base64 decoded value of ‘HelloWorld!’.
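The Commons Text item above describes an interpolation system that expands ${lookup:argument} references. The defensive shape of the fix in Commons Text 1.10.0 was to stop enabling the lookups that reach outside the string (script, DNS and URL) by default. The following is an added example, not code from the article or from the Apache project, of a miniature interpolator in Python that applies the same idea as an allow-list: only named, pure string transforms can be expanded, and any other lookup name is rejected rather than executed. The lookup names other than base64Decoder, the LookupNotPermitted exception and the expand_untrusted wrapper are all constructed for this example.

```python
import base64
import re

# Allow-list of lookups that are pure string transforms (constructed for this
# example; base64Decoder mirrors the Commons Text lookup named in the article,
# the other two names are hypothetical).
SAFE_LOOKUPS = {
    "base64Decoder": lambda v: base64.b64decode(v, validate=True).decode("utf-8"),
    "base64Encoder": lambda v: base64.b64encode(v.encode("utf-8")).decode("ascii"),
    "upper": str.upper,
}

# Matches ${name:argument}; the argument may contain anything except '}'.
_LOOKUP_RE = re.compile(r"\$\{([A-Za-z0-9_]+):([^}]*)\}")


class LookupNotPermitted(ValueError):
    """Raised when a template names a lookup outside the allow-list."""


def interpolate(template: str, lookups=SAFE_LOOKUPS) -> str:
    """Expand ${name:arg} references using only the allow-listed lookups.

    Any name that is not in the allow-list (which is where a script, DNS or
    URL lookup would fall) raises instead of being resolved.
    """
    def _expand(match: re.Match) -> str:
        name, arg = match.group(1), match.group(2)
        try:
            transform = lookups[name]
        except KeyError:
            raise LookupNotPermitted(f"lookup '{name}' is not permitted") from None
        return transform(arg)

    return _LOOKUP_RE.sub(_expand, template)


def expand_untrusted(template: str) -> tuple[bool, str]:
    """Convenience wrapper for text that may be attacker-controlled:
    returns (ok, result_or_reason) instead of raising."""
    try:
        return True, interpolate(template)
    except LookupNotPermitted as exc:
        return False, str(exc)
    except ValueError as exc:  # malformed base64 or undecodable bytes
        return False, f"malformed argument: {exc}"


if __name__ == "__main__":
    print(interpolate("${base64Decoder:SGVsbG9Xb3JsZCE=}"))  # HelloWorld!
    print(expand_untrusted("${script:javascript:1+1}"))      # (False, "lookup 'script' is not permitted")
```

The allow-list is the point: the interpolator never consults a registry of "all available lookups", so an input string cannot name its way to a capability the deployer did not choose. The better control, where the design allows it, is not to run user-supplied text through an interpolator at all.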
Microsoft Office 365 email encryption could expose message content
Date: 2022-10-14 Author: Bleeping Computer
Security researchers at WithSecure, previously F-Secure Business, found that it is possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to the use of a weak block cipher mode of operation. Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from destination to source. However, the feature encrypts the data using the Electronic Code Book (ECB) mode, which allows inferring the plaintext message under certain conditions.

Police tricked a ransomware gang into handing over its decryption keys. Here’s how they did it
Date: 2022-10-17 Author: ZDNET
Police tricked a ransomware gang into handing over decryption keys, providing victims with the ability to unlock their encrypted data for free. Working alongside cybersecurity company Responders.NU, the Dutch National Police obtained 150 decryption keys from ransomware group Deadbolt. With the decryption keys now in the hands of law enforcement, some victims of Deadbolt ransomware attacks can retrieve encrypted files and servers without the need to pay cyber-criminal extortionists.

Medibank’s alleged attackers threaten data release, extortion
Date: 2022-10-20 Author: iTnews
[Refer AUSCERT Bulletin: ASB-2022.0199.3]
Medibank has entered a trading halt after being contacted by a group claiming to have copied customer data. The Sydney Morning Herald yesterday reported it had heard from the alleged attackers, who were threatening to release patient data from a “200 gigabyte” haul. The threats included selling the data, or releasing information like diagnoses about the most prominent people found in the database. In a market disclosure late yesterday, the health insurer said it was “a new development” that will “cause concerns for customers”.

ESB-2022.5278 – Apache Commons Text: CVSS (Max): 9.8
Apache Software Foundation has reported a critical vulnerability in Apache Commons Text and recommends its users upgrade to version 1.10.0.

ASB-2022.0199.3 – UPDATE Medibank Cyber Security Incident
Medibank has reported that the alleged hacking group has provided a sample of records for 100 policies. Australian Federal Police is investigating the issue as a crime.

ASB-2022.0200.2 – UPDATE MyDeal Data Breach
The hacker involved in the MyDeal data breach has reportedly released samples of the stolen data to a hacking forum. MyDeal customers are encouraged to reset their passwords.

ASB-2022.0220 – Oracle PeopleSoft: CVSS (Max): 8.1*
Multiple vulnerabilities have been identified in Oracle PeopleSoft. The vendor has released a critical patch update which contains 8 new security patches.

ASB-2022.0201 – Oracle Commerce Platform: CVSS (Max): 9.8
The critical patch update for October 2022 contains 3 new security patches for Oracle Commerce.

ESB-2022.5232 – Jenkins Plugins: CVSS (Max): 8.8
Jenkins Security Advisory for October 2022 announces vulnerabilities in Jenkins plugins. Security updates have been released for most of the plugins.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
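The Office 365 Message Encryption item above turns on one property of ECB mode: every identical plaintext block becomes an identical ciphertext block, so an observer holding only ciphertext can see which parts of a message repeat. The following added example (not code from WithSecure, Microsoft or the article) demonstrates that in Python with standard-library code only. It uses a small Feistel permutation as a stand-in for AES, since the mode, not the underlying block cipher, is what leaks; the sample message, key and IV are constructed for the demonstration. ECB reveals that records 1 and 2 carry the same status block; CBC over the same input does not.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy Feistel cipher below.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel permutation on one 16-byte block.

    A stand-in for AES so the example runs without third-party libraries.
    It is a toy for illustration only; the point about modes of operation
    does not depend on which block cipher sits underneath.
    """
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (shows the toy really is a permutation)."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted independently: equal inputs give equal outputs.
    data = pkcs7_pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext blocks no longer produce repeated ciphertext blocks.
    data = pkcs7_pad(data)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def repeated_block_pairs(ciphertext: bytes) -> list:
    """Index pairs (i, j) of ciphertext blocks that are byte-for-byte equal.

    This is what a passive observer can compute with no key. Under ECB each
    pair means the corresponding plaintext blocks were identical.
    """
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    first_seen = {}
    pairs = []
    for j, blk in enumerate(blocks):
        if blk in first_seen:
            pairs.append((first_seen[blk], j))
        else:
            first_seen[blk] = j
    return pairs


# Constructed sample "message body": three records, each a 16-byte ID block
# followed by a 16-byte status block. Records 1 and 2 share the same status.
SAMPLE = (
    b"ACCOUNT-ID=00001" b"STATUS=APPROVED!"
    b"ACCOUNT-ID=00002" b"STATUS=APPROVED!"
    b"ACCOUNT-ID=00003" b"STATUS=DECLINED!"
)
KEY = b"\x00" * 32     # fixed key so the demonstration is reproducible
IV = b"\x01" * BLOCK   # fixed IV for the same reason; a real CBC IV must be fresh and random


def ecb_leak() -> list:
    return repeated_block_pairs(ecb_encrypt(KEY, SAMPLE))


def cbc_leak() -> list:
    return repeated_block_pairs(cbc_encrypt(KEY, IV, SAMPLE))


if __name__ == "__main__":
    print("ECB repeated blocks:", ecb_leak())  # [(1, 3)]: blocks 1 and 3 (the two APPROVED statuses) match
    print("CBC repeated blocks:", cbc_leak())  # []
```

The block indices alone tell the observer that records 1 and 2 have the same status and record 3 differs, which is the kind of structural inference the WithSecure research describes. This is why an authenticated mode such as AES-GCM, or at minimum CBC with a fresh random IV, is the expected choice for message bodies.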


AUSCERT Week in Review for October 14th 2022

Greetings,

As Marie Antoinette is said to have proclaimed, “Let them eat cake!”, for today, October 14, is National Dessert Day. Given the need to celebrate such an auspicious occasion, it’s official that today is the day when calories don’t count. As such, we implore everyone to consider their preferred sugary, tasty treat to indulge in and, if you’re stuck for ideas, the following site may be able to assist. Simply click HERE.

The Optus saga moves forward with ongoing commentary made about the situation, which only increases as more details and issues arise, seemingly every day. A recent article in the Financial Review posits that “Companies and individuals don’t rise to the occasion. They fall to their level of preparedness.” The comment comes as banks, such as the CBA, experience an increase in the number of calls received each day from concerned customers about their financial security. The article also states that whilst risks can never be completely removed, those responsible should be aware of the risks and plan for how to respond should an incident occur.

We’d like to remind those that wish to share their thoughts, experience, and insights into the dynamic and ever-changing landscape of cyber security that the annual BDO and AUSCERT Cyber Security Survey is now open! The annual BDO and AUSCERT cyber security survey identifies the current cyber security trends, issues and threats facing organisations across Australia and New Zealand.

Zimbra remote code execution vulnerability actively exploited in the wild
Date: 2022-10-10 Author: The Daily Swig
[AUSCERT has been in touch with the affected members]
A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild. The bug was assigned the tracker CVE-2022-41352 in late September. Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system. Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.

Fortinet says critical auth bypass bug is exploited in attacks
Date: 2022-10-10 Author: Bleeping Computer
[See also ASB-2022.0192.2]
Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. The security flaw (CVE-2022-40684) is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances. “An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said in an advisory issued today.

Medibank takes systems offline after ‘cyber incident’
Date: 2022-10-13 Author: iTnews
[See also ASB-2022.0199]
Investigates extent of unauthorised access.
Medibank has taken two customer-facing systems offline “to reduce the likelihood of damage to systems or data loss” stemming from a cyber security incident. The insurer said that policy management systems covering its ahm brand as well as international students are now offline, and would remain that way “for most of the day”. It did not detail what had exactly occurred, aside from the detection of “unusual activity on its network.”

Optus data breach response ‘cracking’ as cyber support charity fields 15,000 queries and counting
Date: None Author: ABC News
A national identity and cyber support charity says it is enduring the “toughest” period in the organisation’s history following the Optus data breach. IDCARE fielded a month’s worth of calls in just three days following the incident, and in the past three weeks has dealt with more than 15,000 interactions with no signs of slowing down.

Darkweb market BidenCash gives away 1.2 million credit cards for free
Date: 2022-10-09 Author: Bleeping Computer
[AUSCERT has been in touch with the affected members]
A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud. Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware. BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Indicators of Behavior and the Diminishing Value of IOCs
Date: 2022-10-12 Author: Cybereason
How secure is your organization if you can only stop attacks that have already been detected in other environments based on Indicators of Compromise (IOCs)? Secure enough, if those were the only attacks you needed to be concerned with. But what about targeted attacks with bespoke tactics, techniques, and procedures (TTPs) that have never been documented because they were designed only to be used against your organization? In today’s threat landscape that’s what’s happening: zero-day exploits, never-before-seen malware strains, and advanced techniques developed specifically for high-value targets are plaguing security teams.

ASB-2022.0199 – Medibank Cyber Security Incident
AUSCERT shares information on a security incident targeting Medibank. AUSCERT will continue to share further information as it becomes available.

ASB-2022.0192.2 – UPDATED ALERT FortiOS, FortiProxy and FortiSwitchManager: CVSS (Max): 9.6
Fortinet reported a critical vulnerability in 3 of its products which may allow an unauthenticated attacker to perform operations on the compromised devices. Fortinet released important mitigation information as well as security updates.

ESB-2022.5034 – wordpress: CVSS (Max): 9.8
Several security vulnerabilities were discovered in WordPress for which a security patch has been released.

ASB-2022.0195 – ALERT Azure: CVSS (Max): 10.0
Microsoft’s monthly security patch update for October included an update that resolves 3 vulnerabilities in Azure.

ASB-2022.0193 – ALERT Windows and Windows Server: CVSS (Max): 8.8
Microsoft’s most recent patch update fixes 68 vulnerabilities in Windows and Windows Server.

ESB-2022.5091 – Google Chrome: CVSS (Max): None
Google announced updates to the Google Chrome Stable channel and Extended Stable channel.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for October 7th 2022

Greetings,

It’s Cyber Security Awareness Month in October which, given the recent breadth and severity of data leaks seen in Australia, is an opportune reminder to be mindful of current threats and vulnerabilities. Now in its seventh year, the BDO and AUSCERT Cyber Security Survey allows organizations to benchmark their approach to cyber risk. The information provided will then provide the chance to assess and optimise organizational cyber security. There’s also the chance to win one of two Apple AirPods Pro so be sure to complete your survey before Friday, November 18!

It was announced yesterday that the federal government had proposed allowing telcos to give Australian banks temporary access to government identification details in the wake of the Optus data breach. The move is to assist in preventing fraud, but banks would need to adhere to strict requirements to reduce the risk of further compromise of customer data.

This Monday, October 10 will see the next full moon, referred to as the Pink Moon, signifying the arrival of the first spring flowers. Apart from the Pink Moon, the other October full moon names in the southern hemisphere are Egg Moon, Seed Moon, and Waking Moon, whilst in the northern hemisphere they will experience the Hunter’s Moon. The name derives from a time when the full moon signified the time to start preparing for the coming winter by hunting animals and preserving meat. If you live north of the equator, be sure to learn how you can view one of the year’s most stunning celestial events!

Cisco Patches High-Severity Vulnerabilities in Communications, Networking Products
Date: 2022-10-06 Author: SECURITY WEEK
Cisco announced on Wednesday that it has patched potentially serious vulnerabilities in some of its networking and communications products, including Enterprise NFV, Expressway and TelePresence.

Windows 11 22H2 breaks provisioning with 0x800700b7 errors
Date: 2022-10-06 Author: Bleeping Computer
Microsoft says the Windows 11 2022 Update is breaking provisioning, leaving Windows 11 enterprise endpoints partially configured and failing to finish installing.

Meta sues app dev for stealing over 1 million WhatsApp accounts
Date: 2022-10-06 Author: BLEEPING COMPUTER
Meta has sued several Chinese companies doing business as HeyMods, Highlight Mobi, and HeyWhatsApp for developing and allegedly using “unofficial” WhatsApp Android apps to steal over one million WhatsApp accounts starting May 2022.

Sydney man charged for allegedly trying to scam Optus breach victims – Telco/ISP – iTnews
Date: 2022-10-06 Author: ITNEWS
A 19-year-old Sydney man has been charged with allegedly trying to blackmail Optus customers whose data was leaked onto the internet as proof of a data breach.

Optus ups number of Medicare cards breached – Security
Date: 2022-10-07 Author: ITNEWS
Optus has revised the number of its customers whose Medicare card numbers were exposed in a recent data breach to 43,000.

Microsoft Updates Mitigation for Exchange Server Zero-Days
Date: 2022-10-05 Author: Dark Reading
[AUSCERT Bulletin: ASB-2022.0191.2]
Microsoft today updated its mitigation measures for two recently disclosed and actively exploited zero-day vulnerabilities in its Exchange Server technology after researchers found its initial guidance could be easily bypassed. Microsoft’s original mitigation for the two vulnerabilities — CVE-2022-41040 and CVE-2022-41082 — was to apply a blocking rule to a specific URL path using the URL Rewrite Module on IIS Server. According to the company, adding the string “.*autodiscover\.json.*\@.*Powershell.*” would help block known attack patterns against the vulnerabilities.

It’s Telstra’s Turn for a Data Breach, This Time It’s Staff That Are Affected
Date: 2022-10-04 Author: Gizmodo
The term ‘data breach’ has, in the last few weeks, worked its way into everyday conversation in Australia, thanks mostly to the failings of Optus. But now, details have emerged of another data breach affecting the Aussie telco sector – this time, it’s Telstra and it is employees that are at risk. Brought to our attention first by The Australian, Telstra reportedly sent out a memo to staff over the weekend informing them of the data breach. It has since been confirmed by Telstra, with a spokesman telling Gizmodo Australia that the data breach affecting a third party included “limited” Telstra employee information from 2017. It is understood the third party handled Telstra’s rewards program for staff.

ESB-2022.4906 – chromium: CVSS (Max): None
Debian has released a new Chromium package version that fixes arbitrary code execution, denial of service or information disclosure.

ESB-2022.4967 – nodejs: CVSS (Max): 9.8
Debian has released an update for nodejs that addresses multiple vulnerabilities.

ESB-2022.5007 – LibreOffice: CVSS (Max): 8.8
Ubuntu has released a new package version that fixes several security issues in LibreOffice.

ASB-2022.0191.3 – ALERT Microsoft Exchange Server: CVSS (Max): 8.8
Microsoft has made significant updates to its advisory regarding Exchange Server Zero-Day Vulnerabilities which could lead to remote code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for September 30th 2022

Greetings,

The fallout from last week’s Optus data breach has impacted customers across Australia. There has been a flurry of reports and statements advising the varying options available to affected individuals in relation to attaining a replacement Driver’s Licence, many of which have indicated that they will pursue Optus to cover the cost. Earlier today, Optus agreed to pay for the replacement of passports exposed in the leak, and the Australian Federal Police (AFP) launched Operation Guardian, which would prioritise the protection of the 10,000 records that were revealed last week before the hacker had a change of mind about releasing additional data.

Today, September 30, is International Podcast Day, an opportunity to explore seemingly endless genres that anyone can access just about anywhere. There are millions of podcasts available across an array of platforms, including our very own series, Share Today, Save Tomorrow, which features episodes that range in topics including ITOT Convergence, Diversity and Culture in Cyber Security and more! You can download or stream an episode, kick back and enjoy a cup of coffee this Saturday, October 1st, which just so happens to be International Coffee Day. Over three billion cups of coffee are consumed each day across the globe, making it a significant part of many people’s daily routines. This year, members and partners of the International Coffee Organization (ICO) wish to highlight their commitment to coffee farmers’ prosperity and efforts to reduce the coffee industry’s impact on the environment and mitigate climate change with the vision of an effective Circular Economy.

Two Remote Code Execution Vulnerabilities Patched in WhatsApp
Date: 2022-09-27 Author: Security Week
WhatsApp has patched two serious vulnerabilities that could be exploited for remote code execution. WhatsApp only has three security advisories for 2022, with the first two released in January and February. The latest advisory, released this month, informs customers of two memory-related issues affecting the WhatsApp mobile applications. One of the flaws, tracked as CVE-2022-36934 and rated ‘critical’, is an integer overflow issue that affects WhatsApp for Android prior to 2.22.16.12, Business for Android prior to 2.22.16.12, iOS prior to 2.22.16.12, and Business for iOS prior to 2.22.16.12.

Attackers abuse web security flaw in Sophos Firewall
Date: 2022-09-26 Author: The Daily Swig
A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns. The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk. Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall. In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology. This is just as well given the vulnerability has already featured in attacks in the wild.

Hacking group hides backdoor malware inside Windows logo image
Date: 2022-09-29 Author: Bleeping Computer
Security researchers have discovered a malicious campaign by the ‘Witchetty’ hacking group, which uses steganography to hide a backdoor malware in a Windows logo.

New Microsoft Exchange zero-day actively exploited in attacks
Date: 2022-09-29 Author: Bleeping Computer
Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution.

Hackers now sharing cracked Brute Ratel post-exploitation kit online
Date: 2022-09-28 Author: Bleeping Computer
The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities. For those unfamiliar with Brute Ratel C4 (BRC4), it is a post-exploitation toolkit created by Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike. Red teamers are cybersecurity professionals whose job is to try and breach a corporate network to learn its flaws, while those on the blue team attempt to defend against these attacks.

Russia Planning Cyberattacks on Ukraine’s Energy Grid
Date: 2022-09-27 Author: Dark Reading
As protests against military conscription rage inside Russia, the country is planning to continue its offensive into Ukraine with cyberattacks on critical infrastructure. The Odessa Journal reported Ukrainian military intelligence has learned the first cyberattacks will soon be launched against the Ukrainian energy sector, informed by previous Russian cyberattacks on the country’s electricity infrastructure in 2015 and 2016. After energy supply operations are crippled by cyberattacks, the Russian military plans to ramp up missile strikes on those facilities to shut down the electrical service throughout the war-battered country.

Microsoft finally adds a Task Manager link to the Windows 11 taskbar
Date: 2022-09-29 Author: Bleeping Computer
Microsoft has finally re-added a link to the Task Manager to the taskbar’s contextual menu in the latest Windows 11 Insider preview build.

ASB-2022.0190.3 – Optus Data Breach
Following a cyberattack, Optus has advised its customers to be vigilant about any suspicious activities.

ESB-2022.4826 – Cisco IOS XE: CVSS (Max): 5.5
Cisco has released software updates that address a vulnerability in the web UI feature of Cisco IOS XE software.

ESB-2022.4848 – chromium: CVSS (Max): 7.8
Debian has released an upgrade package for Chromium that addresses a vulnerability which could allow arbitrary code execution, denial of service or information disclosure.

ASB-2022.0191 – ALERT Microsoft Exchange Server
News is currently emerging regarding possible Microsoft Exchange Server Zero-Day Vulnerabilities which could lead to remote code execution.

ESB-2022.4884 – Google Chrome: CVSS (Max): None
Google has released a new Chrome update for Windows, Mac and Linux.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for September 23rd 2022

Greetings,

The cyber attack on Optus on Thursday (September 22) is said to impact current and former customers, with information including names, birth dates, email addresses and phone numbers said to have been disclosed. It remains unknown how many of the 9.7 million Optus customers have been compromised, with Scamwatch issuing an alert warning customers to be vigilant to mitigate any potential harm. An unknown time factor is associated with the attack, as data can be retained indefinitely. Of particular focus are individuals’ financial accounts, with suggestions on what to do to help protect your personal information provided by the ACCC division.

What may be causing others in the community a bit of undue stress is the school holidays that are underway or just getting started. With the addition of a public holiday, potentially utilised to create a long weekend, along with some less-than-ideal weather, you may be looking for something to fill your time or distract from the kids playing or warring with one another. If so, AUSCERT has something to help. In fact, we have two ‘somethings’ for you to choose from! Our YouTube channel has over 50 videos from this year’s conference that cover a diverse range of topics that will inform, inspire and elicit reactions of varying scope. The other option available to you is fifteen episodes of our podcast, Share Today, Save Tomorrow. You can select from several subjects that provide insights as well as an understanding of potential challenges.

EZVIZ video cameras can be accessed remotely – Security
Date: 2022-09-19 Author: IT News
Full device takeover possible. Researchers at security vendor Bitdefender have found a series of serious vulnerabilities which could be used to remotely control EZVIZ networked cameras without authentication, in order to download and decrypt images. Bitdefender was able to create an attack chain of four different bugs to take over the EZVIZ cameras, exploiting a stack buffer overflow and vulnerable application programming interface endpoints.

Google, Microsoft can get your passwords via web browser’s spellcheck
Date: 2022-09-17 Author: Bleeping Computer
Extended spellcheck features in Google Chrome and Microsoft Edge web browsers transmit form data, including personally identifiable information (PII) and in some cases, passwords, to Google and Microsoft respectively. While this may be a known and intended feature of these web browsers, it does raise concerns about what happens to the data after transmission and how safe the practice might be, particularly when it comes to password fields.

Australian business owners urged to shorten web addresses to avoid cybercrime attack
Date: 2022-09-17 Author: ABC news
Business owners across Australia are being told to update their domain names or risk being targeted by cybercriminals. New rules are being introduced to allow Australian businesses, organisations and individuals to shorten their web address to a simpler .au domain name instead of .com.au, .net.au or .org.au. For example, www.abc.net.au could become www.abc.au, or www.books.com.au could be shortened to www.books.au.

Microsoft 365 phishing attacks impersonate U.S. govt agencies
Date: 2022-09-19 Author: Bleeping Computer
An ongoing phishing campaign targeting U.S. government contractors has expanded its operation to push higher-quality lures and better-crafted documents. The lure in these phishing emails is a request for bids for lucrative government projects, taking them to phishing pages that are clones of legitimate federal agency portals. This is the same operation that INKY reported about in January 2022, with the threat actors using attached PDFs with instructions on going through the bidding process for the U.S. Department of Labor projects.

ESB-2022.4669 – Nessus Network Monitor: CVSS (Max): 9.8
Tenable has released Nessus Network Monitor 6.1.0 to fix multiple third-party vulnerabilities in Nessus Network Monitor.

ESB-2022.4662 – Hitachi Energy AFF660/665 Series: CVSS (Max): 9.8
A vulnerability in Hitachi Energy AFF660/665, an industrial firewall, could overflow a buffer on the device and fully compromise it. Hitachi Energy recommends its users follow the security practices and firewall configurations to help protect from outside attacks.

ESB-2022.4601 – OpenShift Virtualization: CVSS (Max): 9.8
Red Hat has released an update to OpenShift Virtualization which fixes several bugs and adds enhancements.

ESB-2022.4611 – Google Chrome: CVSS (Max): None
Google has updated its stable channel to 105.0.5195.125 for Mac and Linux. This update includes 11 security fixes.

ESB-2022.4655 – SUSE Manager Server: CVSS (Max): 9.8
A security update that solves four vulnerabilities in SUSE Manager Server has been released.

ESB-2022.4634 – connman: CVSS (Max): 9.8
Debian recommends that Connman, a network manager for embedded devices, be updated to the latest version to fix a few vulnerabilities, which if exploited could result in denial of service or the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for September 16th 2022

Greetings,

Members of the AUSCERT team recently ventured south from HQ in Brisbane to participate in the long-awaited conference, BSides Melbourne. With travelling returning to pre-COVID normality, our crew were excited at the opportunity to mingle with members of the industry, gain insights and hear of experiences from a wonderful collection of presenters. You can read about the highlights and experiences from one of our team in a recent blog, My Time on the BSide.

With school holidays on the horizon, we wish all of those about to embark on travel all the best. Be it heading to the airport or enduring road trips of seemingly ceaseless requests to stop or cries of, “Are we there yet?”, travel safe and may the odds be ever in your favour.

There are still a few spots remaining in our first online information gathering session on how you and your organisation use Cyber Threat Intelligence (CTI). These short (1 hour) information gathering sessions are held via video conference so we can pick your brain about CTI, with the first session next Tuesday, September 20 from 9 am until 10 am. To learn more or register your interest, please click here.

On a greener note, in parts of the world, September 16 is National Guacamole Day. Yes, the avocado-based dip, condiment, and salad ingredient is being celebrated today. The tasty green blend known as Guacamole (or “guac”) is said to date back to the Aztecs and is today synonymous with Mexican cuisine. Traditionally served with tortilla chips, guacamole also goes well with corn chips, carrot sticks or even on its own. With the price of avocados dropping significantly recently, now is the time to go green with guacamole! We’ve found a recipe or 203 for you to peruse and use – enjoy!
Zero-day in WPGateway WordPress plugin actively exploited in attacks
Date: 2022-09-13 Author: Bleeping Computer
[See also ESB-2022.3966]
The Wordfence Threat Intelligence team warned today that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin. WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard. This critical privilege escalation security flaw (CVE-2022-3180) enables unauthenticated attackers to add a rogue user with admin privileges to completely take over sites running the vulnerable WordPress plugin.

Ransomware gangs switching to new intermittent encryption tactic
Date: 2022-09-10 Author: Bleeping Computer
A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while reducing the chances of being detected and stopped. This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files’ content, which would still render the data unrecoverable without using a valid decryptor+key. For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.

Uber Says It’s Investigating a Potential Breach of Its Computer Systems
Date: 2022-09-16 Author: The Hacker News
Ride hailing giant Uber disclosed Thursday it’s responding to a cybersecurity incident involving a breach of its network and that it’s in touch with law enforcement authorities. The New York Times first reported the incident. The company pointed to its tweeted statement when asked for comment on the matter.
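The intermittent-encryption tactic in the Bleeping Computer item above (encrypting every other 16-byte block) leaves a signature a defender can look for: at a fixed stride, alternating runs of ciphertext-like and plaintext-like bytes. The Python below is an added example written for this review, not code from the article or from any ransomware family. It builds a constructed sample document, uses seeded random bytes as a stand-in for ciphertext (no cipher is involved), and compares the entropy of the even-numbered and odd-numbered chunks to flag partial encryption. The entropy thresholds (7.0 bits, a 1.5-bit gap) and the candidate stride list are assumptions chosen for the sample, not values from the article.

```python
import math
import random
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def split_alternating(data: bytes, chunk: int):
    """Concatenate the even-numbered chunks into one buffer and the
    odd-numbered chunks into another, so each side is measured on its own."""
    even, odd = bytearray(), bytearray()
    for idx, off in enumerate(range(0, len(data), chunk)):
        (even if idx % 2 == 0 else odd).extend(data[off:off + chunk])
    return bytes(even), bytes(odd)


def classify(data: bytes, chunk: int = 16, high: float = 7.0, gap: float = 1.5) -> str:
    """Label a buffer by comparing its two interleaved halves at one stride.

    'intermittent'   : one half looks like ciphertext, the other does not
    'high-entropy'   : the whole buffer looks encrypted or compressed
    'plaintext-like' : neither half reaches the ciphertext threshold
    The thresholds are assumptions tuned for the constructed sample below.
    """
    even, odd = split_alternating(data, chunk)
    h_even, h_odd = shannon_entropy(even), shannon_entropy(odd)
    if max(h_even, h_odd) >= high and abs(h_even - h_odd) >= gap:
        return "intermittent"
    if shannon_entropy(data) >= high:
        return "high-entropy"
    return "plaintext-like"


def find_strides(data: bytes, strides=(16, 32, 64, 128, 256, 512, 1024, 4096)) -> list:
    """Return every candidate stride at which the alternating pattern shows up
    (assumed list; widen it to match a family's real block size)."""
    return [s for s in strides if classify(data, s) == "intermittent"]


# Constructed sample input: repeated English text standing in for a document.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 100


def simulate_intermittent(plain: bytes, chunk: int = 16, seed: int = 1) -> bytes:
    """Stand-in for the 'every other 16 bytes' scheme from the article: replace
    each odd-numbered chunk with seeded random bytes that play the part of
    ciphertext. No real cipher is involved; this only produces test input."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for idx, off in enumerate(range(0, len(out), chunk)):
        if idx % 2 == 1:
            out[off:off + chunk] = rng.randbytes(len(out[off:off + chunk]))
    return bytes(out)


def simulate_full(plain: bytes, seed: int = 2) -> bytes:
    """Stand-in for a fully encrypted (or compressed) file of the same size."""
    return random.Random(seed).randbytes(len(plain))


if __name__ == "__main__":
    samples = [("plaintext", PLAINTEXT),
               ("intermittent", simulate_intermittent(PLAINTEXT)),
               ("full", simulate_full(PLAINTEXT))]
    for name, sample in samples:
        print(f"{name:12s} -> {classify(sample):15s} strides={find_strides(sample)}")
```

The check deliberately looks at the gap between the two halves rather than at absolute entropy, because archives, media and already-encrypted files are uniformly high-entropy and would otherwise flood a scanner with false positives; at the wrong stride both halves are an even mix and the gap disappears, which is why the stride has to be scanned.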
Death of Queen Elizabeth II exploited to steal Microsoft credentials
Date: 2022-09-14 Author: Bleeping Computer
Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to malicious sites designed to steal their Microsoft account credentials. Besides Microsoft account details, the attackers also attempt to steal their victims’ multi-factor authentication (MFA) codes to take over their accounts. “Messages purported to be from Microsoft and invited recipients to an ‘artificial technology hub’ in her honor,” Proofpoint’s Threat Insight team revealed today.

Rampant ransomware pushes cyber security premium up by 80%
Date: 2022-09-12 Author: Cyber Security Connect
Global insurance broker Marsh has identified that the cost of taking out cyber cover had doubled on average every year for the past three years, which has contributed to the sharp rise in premiums. Backed by data from another broker, Honan Group, the 80 per cent rise in premiums in the past 12 months has been determined following a 20 per cent increase in the cost of cover in each of the previous two years. According to Craig Claughton, a senior executive at Marsh, “cyber has become the new D&O”, referring to sharp rises in directors’ and officers’ insurance premiums since 2018.

ASB-2022.0186 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft Patch Tuesday for September includes patches for various vulnerabilities affecting Windows.

ESB-2022.4508 – ALERT macOS Big Sur: CVSS (Max): 7.8*
Apple released updates to Big Sur addressing multiple vulnerabilities, out of which CVE-2022-32917 may have been actively exploited.

ESB-2022.4611 – Google Chrome: CVSS (Max): None
A stable channel for Google Chrome has been updated to address multiple vulnerabilities.

ESB-2022.4555 – Red Hat Advanced Cluster Management: CVSS (Max): 10.0
Multiple security issues and bugs have been fixed in Red Hat Advanced Cluster Management for Kubernetes.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week In Review for September 9th 2022

Greetings,

The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking. The APCERT drill aims to maintain and progress internet security and safety with the exercise, allowing participants to improve communication protocols, technical responses, and the overall quality of incident responses. Our recent blog provides insight into what took place and what was learnt, including solutions to real-world situations and challenges. You can read more about this year’s APCERT Cyber Drill HERE.

R U OK? Day was held yesterday, September 8, which promoted the power and importance a question can have. It has been demonstrated that a conversation can change a life and we at AUSCERT had one of our own with Dr Carla Rogers. A renowned Holistic Psychologist, Dr Rogers is featured in our latest episode of Share Today, Save Tomorrow where she discusses the connection between mind and body along with techniques to help individuals identify, treat and overcome challenges in the workplace.

Lastly, AUSCERT is really interested in how you and your organisation use Cyber Threat Intelligence (CTI). We want to know about this to inform the services we provide to our members, and to ensure we’re doing the best we can to meet your needs. We’re running some short (1 hour) information gathering sessions via video conference so we can pick your brain about CTI. What’s in it for you? You’ll get to contribute your opinion about CTI so we can improve the services we provide to you and your organisation. You’ll have the opportunity to exchange information with other AUSCERT members and learn from their experiences. You’ll get the lovely warm* inner glow that comes from knowing you have performed a good deed by helping us help you. Please register your interest here.

*Actual amount of warm inner glow varies from person to person.

Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability
Date: 2022-09-03 Author: The Hacker News
[Refer to Security Bulletin ESB-2022.4344]
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validation in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An anonymous researcher has been credited with reporting the high-severity flaw on August 30, 2022.

New EvilProxy service lets all hackers use advanced phishing tactics
Date: 2022-09-05 Author: Bleeping Computer
A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. The service enables low-skill threat actors who don’t know how to set up reverse proxies to steal online accounts that are otherwise well-protected. Reverse proxies are servers that sit between the targeted victim and a legitimate authentication endpoint, such as a company’s login form. When the victim connects to a phishing page, the reverse proxy displays the legitimate login form, forwards requests, and returns responses from the company’s website.

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan
Date: 2022-09-05 Author: The Hacker News
The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. “This new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware,” NCC Group’s Fox-IT said in a report. “Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.” The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria.

Home Affairs Could Be Looking Into TikTok’s Data Practices
Date: 2022-09-05 Author: Gizmodo
Back in July, we brought it to your attention that an investigation found that using TikTok on your phone gives the app access to your personal information. A lot of it, in fact. Analysis by Australian cybersecurity firm Internet 2.0 found TikTok requests almost complete access to the contents of a phone while the app is in use. That data includes calendar, contact lists and photos. As a result, the Australian Department of Home Affairs is going to be looking into the data harvesting practices of both TikTok and WeChat.

QNAP patches zero-day used in new Deadbolt ransomware attacks
Date: 2022-09-05 Author: Bleeping Computer
QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. The company has patched the security flaw but attacks continue today. “QNAP® Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet,” explains the security notice.

Ransomware gang’s Cobalt Strike servers DDoSed with anti-Russia messages
Date: 2022-09-07 Author: Bleeping Computer
Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity. The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs, such as Quantum, Hive, and BlackCat. However, former Conti members continue to use the same Cobalt Strike infrastructure to conduct new attacks under other ransomware operations.

Microsoft mistakenly rated Chromium, Electron, as malware
Date: 2022-09-05 Author: The Register
Microsoft appears to have fixed a problem that saw its Defender antivirus program identify apps based on the Chromium browser engine and/or Electron JavaScript framework as malware, and suggest users remove them. Numerous social media and forum posts made over the weekend detail how Windows has produced a warning of “Behavior:Win32/Hive.ZY” when users run everyday applications like Google’s Chrome browser or the Spotify music streamer.

ESB-2022.4345 – WordPress: CVSS (Max): None
WordPress has released WordPress 6.0.2 which includes 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes.

ESB-2022.4460 – Android OS: CVSS (Max): 9.8*
Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. Google encourages all users to update to the latest version of Android where possible.

ESB-2022.4472 – Linux kernel (Raspberry Pi): CVSS (Max): 8.2
Ubuntu reports the security issues detected in the Linux kernel for Raspberry Pi systems can be fixed by applying the latest updates.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

Week in Review for September 2nd 2022

Greetings,

It’s already September, which seems to have arrived quicker than many of us expected. The AUSCERT team has already commenced planning for next year’s conference which, as we’ve experienced, will be upon us in no time. But let’s not get ahead of ourselves; this year’s conference is still fresh in the minds of many thanks to the fantastic array of speakers and activities. If you missed a presentation due to a clash, or would like to revisit a standout speaker, head over to our YouTube channel and peruse the AUSCERT2022 playlist!

One aspect of this year’s conference that was of special importance was the number of female presenters. Yesterday, September 1st, was International Women In Cyber Day, an initiative that promotes and supports the advancement of women in cybersecurity. Whilst the day has passed, every opportunity to create a more diverse and inclusive workforce should be encouraged. If you’d like to learn more about how you can get involved, visit the Women In Cyber Day website.

If you’re new to the world of cyber, or you have a curious mind and would like to learn more about information security principles, the next round of AUSCERT’s Intro to Cyber for IT Professionals training is taking place in late October. Facilitated by our Principal Analyst and a guest industry trainer, our two half-day courses are aimed at engaging attendees with interactive content and a focus on delivering effective training outcomes. You can view the full list of our 2022 training schedule HERE.

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
Date: 2022-08-29 Author: The Register
A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories. Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.

WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites
Date: 2022-08-31 Author: Security Week
The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), with patches for three security bugs, including a high-severity SQL injection vulnerability. Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations. However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security company Defiant says.

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report
Date: 2022-08-30 Author: The Daily Swig
The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found. The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Okta Says Customer Data Compromised in Twilio Hack
Date: 2022-08-29 Author: Security Week
Identity and access management provider Okta said last week that customer mobile phone numbers and SMS messages containing one-time passwords (OTPs) were compromised during the recent Twilio cyberattack. In early August, enterprise communications firm Twilio announced that it was hacked after an employee fell victim to a phishing attack and provided their login credentials to a sophisticated threat actor. The incident resulted in attackers accessing information related to 163 Twilio customers, with secure communications firm Signal and Okta already confirming being impacted by the incident.

Apple backports fix for actively exploited iOS zero-day to older iPhones
Date: 2022-08-31 Author: Bleeping Computer
Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads, addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18. The flaw is tracked as CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.

Details Disclosed for OPC UA Vulnerabilities Exploited at ICS Hacking Competition
Date: 2022-08-29 Author: Security Week
Software development and security solutions provider JFrog has disclosed the details of several vulnerabilities affecting the OPC UA protocol, including flaws exploited by its employees at a hacking competition earlier this year. OPC UA (Open Platform Communications Unified Architecture) is a machine-to-machine communication protocol that is used by many industrial solutions providers to ensure interoperability between various types of industrial control systems (ICS). JFrog’s researchers discovered several vulnerabilities in OPC UA and disclosed some of them at the Pwn2Own Miami 2022 competition in April, where participants earned a total of $400,000 for hacking ICS.

Google Fixes 24 Vulnerabilities With New Chrome Update
Date: 2022-09-01 Author: Dark Reading
Google’s first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one “critical” flaw and eight that the company rated as being of “high” severity. A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Ubuntu Linux 18.04 systemd security patch breaks DNS in Microsoft Azure
Date: 2022-08-30 Author: The Register
Microsoft Azure customers running Canonical’s Ubuntu 18.04 (aka Bionic Beaver) in the cloud have seen their applications fail after a flawed security update to systemd broke DNS queries. The situation is as odd as it sounds: if you’re running Ubuntu 18.04 in an Azure virtual machine, and you installed the systemd 237-3ubuntu10.54 security update, you’ve probably found yourself unable to use DNS within the VM, which causes applications and other software relying on domain-name look-ups to stop working properly.

ESB-2022.4225 – Linux kernel (AWS): CVSS (Max): 9.8
Ubuntu reports that the security issues detected in the Linux kernel for Amazon Web Services (AWS) can be fixed by applying the latest updates.

ESB-2022.4243 – zlib: CVSS (Max): 9.8
A heap-based buffer overflow vulnerability in the inflate operation in zlib has been reported which, if exploited, could result in denial of service or execution of arbitrary code. Debian recommends upgrading the zlib packages.
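The Chrome item above describes use-after-free flaws as letting an attacker use previously freed memory. The following added example (written for this page, not code from Chromium, Google or Dark Reading) makes that mechanism concrete in C. A small fixed session table stands in for the heap, so the slot reuse that turns a dangling pointer into an exploit is deterministic instead of undefined behaviour: demo_raw_pointer keeps a raw pointer across the release and ends up reading the attacker's replacement object, while demo_checked_handle re-resolves a generation-counted handle at use time and rejects the stale reference. Every name here (session, handle_t, session_get and the rest) is invented for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 4

struct session {
    char user[32];
    int  is_admin;
};

/* Hypothetical slot table standing in for the heap allocator: like a
   freed heap chunk, a released slot is handed straight to the next caller. */
struct slot {
    struct session obj;
    unsigned       gen;   /* bumped on every destroy */
    int            live;
};

static struct slot table[MAX_SESSIONS];

/* A handle records the slot index and the generation it was issued for. */
typedef struct { unsigned idx; unsigned gen; } handle_t;

static void table_reset(void)
{
    memset(table, 0, sizeof table);
}

static handle_t session_create(const char *user, int is_admin)
{
    handle_t h = { MAX_SESSIONS, 0 };       /* invalid handle if table is full */
    for (unsigned i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            strncpy(table[i].obj.user, user, sizeof table[i].obj.user - 1);
            table[i].obj.user[sizeof table[i].obj.user - 1] = '\0';
            table[i].obj.is_admin = is_admin;
            h.idx = i;
            h.gen = table[i].gen;
            break;
        }
    }
    return h;
}

static void session_destroy(handle_t h)
{
    if (h.idx >= MAX_SESSIONS || !table[h.idx].live || table[h.idx].gen != h.gen)
        return;                             /* stale or double destroy is a no-op */
    table[h.idx].live = 0;
    table[h.idx].gen++;                     /* invalidates every outstanding handle */
    memset(&table[h.idx].obj, 0, sizeof table[h.idx].obj);
}

/* Resolve a handle at the point of use; NULL for a stale or bogus handle. */
static struct session *session_get(handle_t h)
{
    if (h.idx >= MAX_SESSIONS) return NULL;
    if (!table[h.idx].live) return NULL;
    if (table[h.idx].gen != h.gen) return NULL;
    return &table[h.idx].obj;
}

/* The bug class: a raw pointer outlives the object it points to. Once the
   slot is reused for an attacker-controlled session, the stale pointer reads
   the attacker's data and the privilege check passes. */
int demo_raw_pointer(void)
{
    table_reset();
    handle_t h = session_create("guest", 0);
    struct session *raw = session_get(h);   /* cached across the release */
    session_destroy(h);                     /* object's lifetime ends here */
    session_create("attacker", 1);          /* same slot, new occupant */
    return raw->is_admin;                   /* 1: stale pointer, attacker wins */
}

/* Hardened: never cache the pointer; re-resolve the checked handle instead. */
int demo_checked_handle(void)
{
    table_reset();
    handle_t h = session_create("guest", 0);
    session_destroy(h);
    session_create("attacker", 1);          /* slot reused exactly as above */
    struct session *s = session_get(h);     /* generation mismatch: NULL */
    return s ? s->is_admin : -1;            /* -1: stale handle rejected */
}

int main(void)
{
    printf("raw pointer after release:    is_admin=%d\n", demo_raw_pointer());
    printf("checked handle after release: is_admin=%d\n", demo_checked_handle());
    return 0;
}
```

A real allocator behaves the same way on the raw-pointer path: a freed chunk of the same size class goes to the next allocation, which is exactly what an exploit arranges before the stale pointer is used. The generation check is one of several possible mitigations; the point of the example is that the stale reference is detected at use time rather than silently reading whatever now occupies the memory.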
ESB-2022.4273 – Moodle: CVSS (Max): 8.8
Moodle reports that it has upgraded its Mustache template library to the latest version, which includes a fix for a security issue.

ESB-2022.4294.2 – UPDATED ALERT GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9
GitLab has released its monthly security release for August for GitLab Community Edition (CE) and Enterprise Edition (EE), which contains important security fixes. GitLab strongly recommends that all GitLab installations be upgraded to one of the recommended versions immediately.

ESB-2022.4288 – Hitachi Energy MSM Product: CVSS (Max): 9.8*
Hitachi Energy reports multiple open-source software related vulnerabilities in MSM version 2.2 and earlier, and has released mitigation information including security practices and firewall configurations to help protect process control networks from outside attacks.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week In Review for August 26th 2022

Greetings,

Today, August 26, is Wear it Purple Day, which is aimed at fostering supportive, safe, empowering and inclusive environments for LGBTQIA+ youth. Founded in 2010, Wear it Purple has developed into an international movement in response to the challenges, obstacles, prejudice and dire situations queer youth face each day. There are events, training and educational tools, amongst other resources, aimed at raising awareness and promoting understanding at the Wear it Purple website that everyone can access to help be part of the change.

Earlier this week, Google reported that it had blocked the largest Distributed Denial of Service, or DDoS, attack on record, at over 46 million requests per second. A Senior Product Manager for Cloud Armor likened the attack to “receiving all the daily requests to Wikipedia – in just ten seconds”. DDoS attacks are on the rise, with a 200+% increase in attacks so far in 2022, and have progressed from being perceived as a minor nuisance to extremely sophisticated attacks. A recent blog explains what a DDoS is and how it works.

What commenced as a “hobby” on August 25, 1991 is now celebrating 31 years: Linux, a technological revolution whose importance cannot be overstated. It’s found in servers, desktop PCs, smartphones, routers and more. Even if a product isn’t deemed ‘Linux’, it’s quite likely that it was still influenced or affected by Linux along the path to its own creation.

Lastly, today is also International Dog Day, during which we celebrate all dogs, mixed breed and pure, with a focus on celebrating man’s best friend and encouraging adoption first rather than buying dogs from pet stores, backyard breeders or via the internet. If you already have a pet companion or are not quite ready to commit to a dog full time, there are plenty of ways to show your support and assist organisations like the RSPCA through volunteering, donating and even fostering!
Labor to overhaul national cyber security strategy
Date: 2022-08-19 Author: Cyber Security Connect
The Albanese government is set to reform former prime minister Scott Morrison’s $1.7 billion, 10-year cyber security strategy. As a top priority, Home Affairs Minister and Minister for Cyber Security Clare O’Neil has ordered her department to “recast the cyber security strategy” rushed out during the COVID-19 pandemic by the former prime minister in mid-2020. According to The Australian, Minister O’Neil outlined that the new strategy will be designed to focus on building closer links with Quad partners, the US, Japan and India, to accelerate the shift from reliance on China for critical technologies, amid concerns about Beijing’s global supply chain dominance.

Google Blocks Record-Setting DDoS Attack That Peaked at 46 Million RPS
Date: 2022-08-19 Author: Security Week
In June 2022, Google mitigated a Layer 7 distributed denial-of-service (DDoS) attack that peaked at 46 million requests per second (RPS). Disclosed this week, this is the third HTTPS attack this year to reach tens of millions of RPS, after two lower-volume assaults were mitigated by Cloudflare. The first of them peaked at 15.3 million RPS, Cloudflare announced in April, while the second reached 26 million RPS, the web security company announced in June.

Ransomware variants almost double in six months
Date: 2022-08-22 Author: Security Brief
Ransomware variants have almost doubled in the past six months, with exploit trends demonstrating the endpoint remains a target as work-from-anywhere continues, according to the latest semiannual FortiGuard Labs Global Threat Landscape Report. “Cyber adversaries are advancing their playbooks to thwart defence and scale their criminal affiliate networks,” says Derek Manky, chief security strategist and VP global threat intelligence, FortiGuard Labs. “They are using aggressive execution strategies such as extortion or wiping data as well as focusing on reconnaissance tactics pre-attack to ensure better return on threat investment,” he says.

ACCC warns of steady uptick in ‘Hi Mum’ message scams
Date: 2022-08-23 Author: Cyber Security Connect
More than 1,150 Australians have already fallen victim to the so-called “Hi Mum” scam in the first seven months of this year, with total reported losses of $2.6 million so far. Known as “Hi Mum” or “family impersonation” scams, victims are contacted most often through WhatsApp and text message by a scammer posing as a family member or friend. Following a significant rise in “Hi Mum” scams in recent months, Scamwatch is urging the public to be wary of phone messages from a family member or friend claiming they need help.

Twitter savaged by former security boss Mudge in whistleblower complaint
Date: 2022-08-23 Author: The Register
Twitter’s former security chief Peiter “Mudge” Zatko accused the company and its board of directors of violating financial rules, of fraud, and of grossly neglecting its security obligations in a complaint to the US Securities & Exchange Commission, the Federal Trade Commission, and the US Justice Department last month. The Washington Post obtained and published a redacted copy of the complaint, which makes numerous allegations about occurrences and practices preceding and during Zatko’s time at the company, which ran from November 16, 2020 through January 19, 2022, when he was terminated by the new CEO Parag Agrawal. Zatko’s complaint was filed by nonprofit law firm Whistleblower Aid, which confirmed the authenticity of the Post’s republished document to The Register.

ESB-2022.4149 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 9.9
A critical remote code execution vulnerability via GitHub import has been fixed in the latest versions of GitLab Enterprise Edition and Community Edition.

ESB-2022.4172 – Firefox: CVSS (Max): None
Mozilla has fixed multiple vulnerabilities in its recent release, Firefox 104.

ESB-2022.4177 – VMware Tools: CVSS (Max): 7.0
A VMware Tools update addresses a local privilege escalation vulnerability (CVE-2022-31676).

ESB-2022.4196 – Cisco FXOS and NX-OS Software: CVSS (Max): 8.8
A denial of service vulnerability affecting NX-OS and FXOS has been addressed by Cisco Systems.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
