
Setting up MISP as a threat information source for Splunk Enterprise

By Nicholas Soysa, AUSCERT

Disclaimer: The following information is only relevant to AUSCERT members who are formally part of the CAUDIT-ISAC or AUSCERT-ISAC. For more info on this optional add-on service, please refer to the following page.

1. Get a license or free trial account.
If you’re an existing Splunk customer, then you should already have the credentials to access Splunk. If you’re keen on trying it out first, you can obtain a limited free trial account at https://www.splunk.com/en_us/download.html.

2. Install and run Splunk Enterprise.
Download the appropriate installer for your platform (32- or 64-bit) and follow the installation steps.
Launch the Splunk Enterprise search head.
Log into your Splunk Administrator account.

IMPORTANT: MISP42Splunk 4.3.0 has been merged to the master branch. The information in section 3 is no longer relevant. You can now update misp42splunk using the “Upgrade App” (existing app) or “Install” option (fresh installs), as usual.

3. Install and set up MISP42Splunk
MISP42Splunk 2.2.0 is not currently in the master branch. NOTE: This section only applies until the update has been merged to the master branch. Until then, download the file from the GitHub repo at: https://github.com/remg427/misp42splunk/tree/2.2.0
Extract the ZIP archive.
Convert the folder “misp42splunk” to TAR.GZ format using a utility like 7-zip or the command line.
Return to the Splunk app and navigate to “Apps”.
Select the “Install App from file” option.
Select the archive misp42splunk.tar.gz which you created and click Upload.
Restart Splunk when prompted.

4. Add MISP instance
Create a MISP instance name. For example: “AUSCERTMISP”
MISP URL = Base URL of the MISP instance (e.g. https://misp-c.auscert.org.au OR https://misp.auscert.org.au)
For “Set the MISP auth key”, enter a valid API key for a MISP user which has authkey access privileges. This is typically any user with “User” up to “Org admin” roles.
Untick the “Check SSL certificate of MISP server” box.
We no longer require a client certificate to authenticate. Untick “Use a client certificate” if ticked.
Press “Save”. Once the save is completed, you will be returned to the Apps page.

5. Check it works
Navigate to the MISP42 app (Apps dropdown -> MISP42).
In the MISP42 app page, select Reports.
Then select, for example, mispgetioc misp_instance=AUSCERTMISP last=1d
If the app works, then you should see Attributes from MISP events returned in the report.
It is suggested to store the feeds in an index which can then be queried in future if needed.

6. Resources
CAUDIT-ISAC users can access the PDF version at: https://wordpress-admin.auscert.org.au/publications/2018-08-22-misp-integration (Member portal login required)
AUSCERT-ISAC users can access the document at: https://wordpress-admin.auscert.org.au/publications/2019-03-04-misp-integration (Member portal login required)

7. Credits
Thanks to Remi Seguy (author of misp42splunk) for promptly implementing this feature request.
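To make the pull in step 5 concrete, here is an added Python example (not code from this post or from the misp42splunk project) that builds the authkey-authenticated MISP restSearch request a report such as mispgetioc misp_instance=AUSCERTMISP last=1d issues, keeps only the returned attributes flagged to_ids, and renders them as key=value events for the index that step 5 recommends. The MISP URL, authkey and server response are constructed placeholders, not real values.

```python
"""Added example, not from the AUSCERT post or misp42splunk: build the
authenticated MISP /attributes/restSearch request, flatten the attributes
MISP returns and render them as key=value events for a Splunk index."""
import json
import re
import urllib.request
from datetime import datetime, timezone

# Assumed placeholders: substitute your MISP base URL and a user's authkey.
MISP_URL = "https://misp.example.org"
MISP_AUTHKEY = "PLACEHOLDER_AUTHKEY"

# Constructed sample of what MISP returns from /attributes/restSearch.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {"id": "101", "event_id": "7", "uuid": "11111111-1111-4111-8111-111111111111",
             "type": "ip-dst", "category": "Network activity", "value": "203.0.113.10",
             "to_ids": True, "timestamp": "1635465600"},
            {"id": "102", "event_id": "7", "uuid": "22222222-2222-4222-8222-222222222222",
             "type": "domain", "category": "Network activity", "value": "bad.example",
             "to_ids": True, "timestamp": "1635469200"},
            {"id": "103", "event_id": "9", "uuid": "33333333-3333-4333-8333-333333333333",
             "type": "comment", "category": "Other",
             "value": 'analyst note "not for detection"',
             "to_ids": False, "timestamp": "1635472800"},
        ]
    }
}

# MISP relative windows look like 1d, 12h or 30m (as in the report's last=1d).
_LAST_RE = re.compile(r"^\d+[dhm]$")


def valid_last_window(last):
    """True for a MISP-style relative window such as '1d'."""
    return bool(_LAST_RE.match(last))


def misp_headers(authkey):
    """MISP authenticates API calls with the user's authkey in Authorization."""
    return {
        "Authorization": authkey,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def restsearch_body(last="1d", to_ids=True):
    """JSON body for POST /attributes/restSearch. 'last' limits results to the
    window; to_ids keeps only attributes flagged for detection use."""
    if not valid_last_window(last):
        raise ValueError("last must look like 1d, 12h or 30m: %r" % (last,))
    return {"returnFormat": "json", "last": last, "to_ids": to_ids}


def build_request(base_url, authkey, last="1d"):
    """Prepare (but do not send) the authenticated restSearch request."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(restsearch_body(last)).encode("utf-8"),
        headers=misp_headers(authkey),
        method="POST",
    )


def flatten_attributes(response, ids_only=False):
    """One flat dict per attribute; the misp_ prefix keeps the fields distinct
    from other sourcetypes once indexed."""
    rows = []
    for attr in response.get("response", {}).get("Attribute", []):
        if ids_only and not attr.get("to_ids", False):
            continue  # drop comments and other non-detection attributes
        rows.append({
            "misp_event_id": attr["event_id"],
            "misp_attribute_id": attr["id"],
            "misp_uuid": attr["uuid"],
            "misp_type": attr["type"],
            "misp_category": attr["category"],
            "misp_value": attr["value"],
            "misp_to_ids": bool(attr.get("to_ids", False)),
            "misp_timestamp": int(attr["timestamp"]),
        })
    return rows


def _quote(value):
    """Quote a value so spaces and quotes survive key=value field extraction."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + text + '"'


def to_splunk_event(row):
    """Render one row as a key=value line; the MISP attribute timestamp comes
    first in ISO 8601 so Splunk uses it as the event time."""
    when = datetime.fromtimestamp(row["misp_timestamp"], tz=timezone.utc)
    parts = ["timestamp=" + _quote(when.isoformat())]
    for key in ("misp_event_id", "misp_attribute_id", "misp_uuid", "misp_type",
                "misp_category", "misp_value", "misp_to_ids"):
        parts.append(key + "=" + _quote(row[key]))
    return " ".join(parts)


if __name__ == "__main__":
    print("Would POST to", build_request(MISP_URL, MISP_AUTHKEY, "1d").full_url)
    for row in flatten_attributes(SAMPLE_RESPONSE, ids_only=True):
        print(to_splunk_event(row))
```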


AUSCERT Week in Review for 29th October 2021

Greetings,

AUSCERT is always looking for ways to increase our value to our members. We know that data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. As part of this, we would like to hear your feedback on the idea of us delivering data governance advisory services. We are seeking expressions of interest for services such as these and would welcome feedback via our online survey. All submissions are confidential and will assist us in evaluating the need for this service to your organisation.

The Women in Security Magazine explores different journeys of women in security, gains career perspectives from industry experts, offers different technology perspectives, includes insights from industry greats on diversity and inclusion, and so much more! Issue 5 explores the misconception concerning the shortage of skilled women in the security industry, and includes an interview with AUSCERT team member, Vishaka, about her journey into the field of cyber security.

As we celebrate Cyber Security Awareness Month, it’s important to ensure you have access to the right information and tools you need to make informed decisions about your cyber risk tolerance.

Overview of Malware Hosted on Discord’s Content Delivery Network
Date: 2021-10-20 Author: RiskIQ
RiskIQ’s Research team has begun analyzing Discord’s Content Delivery Network links with files ending in certain extensions (like exe, dll, compressed and document file extensions) to identify malware files posted to Discord servers. Through this research, we can identify the Discord channel ID to pivot off of in the RiskIQ platform. Overall, since mid-September 2021, RiskIQ was able to identify over 100 Discord URLs delivering malicious content, such as AsyncRAT, Raccoon Stealer, Agent Tesla, and many other Backdoors, Password Stealers, and Trojans.

Australian Online Privacy Bill to make social media age verification mandatory for tech giants, Reddit, Zoom, gaming platforms
Date: 2021-10-25 Author: ZDNet
The federal government has released an exposure draft for what it has labelled an Online Privacy Bill that it hopes will enhance online privacy protections for Australians through an expansion of the nation’s Privacy Act. “The goal of the Bill is to enhance privacy protections, particularly in the online sphere, without unduly impeding innovation within the digital economy,” the federal government wrote in the Bill’s explanatory paper. Under current legislation, the federal government can only make two kinds of binding privacy codes, which are the Australian Privacy Principle code (APP) and a credit reporting code. The Bill is seeking to expand the Privacy Act to allow government to create a third code specifically for regulating three classes of organisations: social media platforms, data brokers, and large online platforms.

Mozilla Firefox cracks down on malicious add-ons used by 455,000 users
Date: 2021-10-26 Author: ZDNet
Mozilla’s Firefox browser team has cracked down on malicious add-ons, blocking software with a 455,000 user base. On October 25, the development team said that in early June, Firefox discovered add-ons that were misusing the browser’s proxy API, used by software to manage how the browser connects to the internet. Add-ons are software modules that can be installed to customize a user’s browsing experience and may include anti-tracking software, ad blockers, themes, and utilities.

These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Date: 2021-10-27 Author: ZDNet
Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications. Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell stolen login credentials on to other hackers to use for their own campaigns. Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

1,000,000 Sites Affected by OptinMonster Vulnerabilities
Date: 2021-10-27 Author: Wordfence
On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

ESB-2021.3563 – ALERT macOS Big Sur: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Apple macOS Big Sur, the most severe of which could allow root compromise.

ESB-2021.3602 – Junos OS and Junos OS Evolved: Multiple vulnerabilities
Juniper has released new software versions for Junos OS to address multiple vulnerabilities which could lead to root compromise.

ESB-2021.3605 – salt: Root compromise – Existing account
An issue was discovered in SaltStack Salt which allows a user who has control of the source and source_hash URLs to gain full file system access as root.

ESB-2021.3599 – Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Multiple vulnerabilities
Cisco has released updates for multiple vulnerabilities identified in Cisco ASA and Cisco FTD software.

ESB-2021.3608 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): Multiple vulnerabilities
GitLab has released security updates to fix multiple vulnerabilities identified in Community Edition and Enterprise Edition.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 22nd October 2021

Greetings,

With the announcement of the new slate of Apple products this week that include MacBooks and AirPods, which now looks to be an annual occurrence, questions arise as to whether some of the newer versions are a needed evolution of technology or simply a tactic to increase sales. A recent article from ZDNet discusses whether the drive to incorporate new and untested elements (with the goal of creating the need for consumers to upgrade) comes at the cost of functionality.

Red Teaming, social engineering and stolen identities – war stories from the field is the topic of Episode 6 of AUSCERT’s podcast series, “Share today, save tomorrow”. It features co-founder and CEO of Hacktive, Chris Gatford, who has been responsible for delivering Attack and Penetration and Technical Security Assessments, has reviewed countless IT environments, and has directed and been responsible for numerous security assessments for a variety of corporations and government departments. Mike Holm returns to discuss a recent Apache vulnerability and AUSCERT’s response, notifying members that were potentially susceptible to the vulnerability in a very timely manner, as well as the expansion of services to include advisory on Data Governance and running tabletop exercises. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

We’re excited to announce the release of a snapshot of our service stats for Quarter 3, 2021: an overview of the cyber security incidents reported by members from 1 July – 30 September 2021, which also includes a summary of other key achievements this quarter. We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our service stats for Quarter 3 2021.

Microsoft asks admins to patch PowerShell to fix WDAC bypass
Date: 2021-10-18 Author: Bleeping Computer
Microsoft has asked system administrators to patch PowerShell 7 against two vulnerabilities allowing attackers to bypass Windows Defender Application Control (WDAC) enforcements and gain access to plain text credentials. Redmond released PowerShell 7.0.8 and PowerShell 7.1.5 to address these security flaws in the PowerShell 7 and PowerShell 7.1 branches in September and October.

ACCC warns phone users to be aware of evolving Flubot scams
Date: 2021-10-17 Author: ABC News
A text message scam that contacts thousands of Australians a day has evolved to entice phone users to install software security — to protect against its own malicious malware. Since August, Australians have received text messages purporting to be an unopened voicemail notification, with a link encouraging users to download the scam “voicemail”. Cyber security experts are warning the scam has morphed into an elaborate scheme that plays on users’ security fears. In a strange twist, the scam is enticing phone users to download extra security to protect their phone — from their own scam.

Australia’s Ransomware Action Plan – What does it mean for you?
Date: 2021-10-14 Author: Willis Towers Watson
Will Australia introduce a mandatory ransomware incident reporting regime? The government’s Ransomware Action Plan seeks to create a cultural shift in the way Australia responds to this cyber threat. On 13 October 2021, the Minister for Home Affairs Karen Andrews announced the Ransomware Action Plan which is intended to support Australian individuals, businesses, and critical infrastructure. The plan responds to significant public concern around rising losses to business and the community caused by malicious cyber extortion attacks and the worrying increase in financial and identity frauds perpetrated following ransomware attacks. It also provides key insights into the Australian Government’s wider cyber security objectives.

Supply chain attacks are the hacker’s new favourite weapon. And the threat is getting bigger
Date: 2021-10-20 Author: ZDNet
Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it’s possible to find a potential way into thousands of targets at once. Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.

Female Cybersecurity Leaders: Who Wants Them?
Date: 2021-10-20 Author: LinkedIn
[Spoilers: many organisations can benefit from the female CISO’s point of view.] Last year, the world witnessed one of the greatest industrial changes in living memory with the pandemic igniting rapid, exponential growth. Caught off guard, and now in our post-pandemic reflective reality, one thing has become crystal clear. The world seeks a new kind of leader – one who must not only embrace change but become an instigator of it and renowned for it. The era of the fast follower – a company that quickly imitates the innovations of its competitors – is over. Thanks to technology, continual rapid change is here to stay. For years we’ve known it was coming, what with Industry 4.0 on the horizon. And that’s why effective leaders must become experts of change. The first mover advantage is back!

Google unmasks two-year-old phishing & malware campaign targeting YouTube users
Date: 2021-10-21 Author: The Record by Recorded Future
Almost two years after a wave of complaints flooded Google’s support forums about YouTube accounts getting hijacked even if users had two-factor authentication enabled, Google’s security team has finally tracked down the root cause of these attacks. In a report published today, the Google Threat Analysis Group (TAG) attributed these incidents to “a group of hackers recruited in a Russian-speaking forum.” TAG said the hackers operated by reaching out to victims via email with various types of business opportunities. YouTubers were typically lured with potential sponsorship deals. Victims were asked to install and test various applications and then publish a review.

ASB-2021.022 – ALERT Oracle Insurance Applications: Multiple vulnerabilities
Oracle has released a critical patch update that fixes multiple vulnerabilities in Oracle Insurance Applications.

ASB-2021.0212 – ALERT Oracle Communications products: Multiple vulnerabilities
Oracle’s most recent patch update includes 71 new security patches and additional third party patches for Oracle Communications products.

ASB-2021.0203 – ALERT Oracle Fusion Middleware Products: Multiple vulnerabilities
Oracle released 38 new security patches for multiple vulnerabilities in Oracle Fusion Middleware. 30 of these vulnerabilities may be exploited over a network without requiring user credentials.

ASB-2021.0198 – ALERT MySQL products: Multiple vulnerabilities
Multiple vulnerabilities identified in Oracle MySQL have been addressed by Oracle’s October patch update.

ASB-2021.0225 – Microsoft Surface Pro 3: Reduced security – Existing account
Microsoft encourages its customers to practice good security habits to address a bypass vulnerability that affects Microsoft Surface Pro 3.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 8th October 2021

Greetings,

The global outage of Facebook, Instagram and WhatsApp earlier in the week highlighted the impact a small error can have on an entire network. It’s believed that the outage was caused by a routine maintenance job that unintentionally resulted in Facebook’s data centres being disconnected from the internet, making Facebook, WhatsApp and Instagram inaccessible. With over 3.5 billion users around the planet, MIT Technology Review writes on how dependent people have become on one company’s data centre and the impact an outage on this scale has.

Earlier in the week, AUSCERT team members participated in a multi-national drill that saw their skills tested with a simulated malware attack. Of the eight tasks they were asked to complete, the most challenging required the duo to analyse, evaluate and re-assess their response to what they correctly deduced was a ransomware attack. Fifteen teams took part, with both AUSCERT team members expressing that they enjoyed the challenge, which tested abilities from file decryption to port scanning to gain an understanding of how the attack occurred. Exercises such as this provide our team with current, real-world scenarios that reinforce, add to and enhance their skillset to ensure AUSCERT remains at the forefront of cyber security defence.

Lastly, October is Cybersecurity Awareness Month, the perfect time to remind individuals and organizations of the importance of cybersecurity and to encourage active use of measures that foster vigilance and offer protection. There are many ways to improve protection against common online threats and cybercrime. At AUSCERT, we’re passionate about data security and keeping your information safe. That’s why we deliver 24/7 service to our members alongside a range of comprehensive tools to strengthen your cyber security strategy. To stay up-to-date with the latest cyber information, security alerts and more, simply head to our website, scroll to the bottom and subscribe!

Legislation expanding digital identity scheme to private sector finally unveiled
Date: 2021-10-04 Author: Innovation Aus
The federal government has finally unveiled exposure legislation expanding its digital identity program to state governments and the private sector, with a whirlwind consultation period commencing before it is soon introduced to Parliament. The legislation will introduce two voluntary schemes to accredit companies and governments as service providers or relying partners in the digital identity program, as well as enshrining extra privacy safeguards in law and establishing a permanent oversight authority for the scheme. The digital identity scheme, a whole-of-government federal program aiming to provide identity verification across a range of government services and private sector offerings, has been in the works for six years at a cost of more than $450 million, but legislation is required to expand it to the private sector.

Understanding How Facebook Disappeared from the Internet
Date: 2021-10-05 Author: Cloudflare
“Facebook can’t be down, can it?”, we thought, for a second. Today at 1651 UTC, we opened an internal incident entitled “Facebook DNS lookup returning SERVFAIL” because we were worried that something was wrong with our DNS resolver 1.1.1.1. But as we were about to post on our public status page we realized something else more serious was going on. Social media quickly burst into flames, reporting what our engineers rapidly confirmed too. Facebook and its affiliated services WhatsApp and Instagram were, in fact, all down. Their DNS names stopped resolving, and their infrastructure IPs were unreachable. It was as if someone had “pulled the cables” from their data centres all at once and disconnected them from the Internet.

Why Windows 11’s security is such a big deal
Date: 2021-10-05 Author: TechRepublic
The hardware requirements for Windows 11 have led to a lot of debate about exactly what changes in newer PCs and processors; they’ve also led to enterprises thinking about what security features they need in hardware. Microsoft’s second Security Signals report shows that enterprise security decision-makers are concerned about the security impact of hybrid work, and they expect PC hardware to help, said Dave Weston, director of OS security at Microsoft.

Twitch source code, creator earnings exposed in 125GB leak
Date: 2021-10-07 Author: Ars Technica
Live video broadcasting service Twitch has been hit by a massive hack that exposed 125GB of the company’s data. In a 4chan thread posted (and removed) Wednesday, an anonymous user posted a torrent file of the data dump. The dump contains the company’s source code and details of money earned by Twitch creators.

ESB-2021.3341 – Security update for apache2
Apache has another vulnerability! Here we have an SSRF via a specially crafted URI – not a fun combination. You also get a DoS for free as well. Patch your systems!

ESB-2021.3321 – firefox-esr security update
Extending the exhaustive list of Firefox memory corruption bugs, more have been discovered which were capable of resulting in execution of code. We use past tense, but if you don’t update, it could be present tense for you!

ESB-2021.3294 – USN-5104-1: Squid vulnerability
Black hat sharks have begun to encircle at-risk squids, threatening them with DoS and confidential data disclosures. Update your systems to save the squids!

ESB-2021.3287 – Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Two for the price of one: an alert was put out for Apache systems this week, after a vulnerability allowing an attacker to link to URLs outside of the expected document root was “fixed” (spoiler: not quite the first time around)… Needless to say, we recommend patching this immediately.

ESB-2021.3276 – USN-5101-1: MongoDB vulnerability
A DoS vulnerability discovered in MongoDB puts many home movie collections at risk. Probably some other more important services too, but think about the movies…

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 24th September 2021

Greetings,

We wanted to remind everyone that it’s worth having a look to be sure that you’re not affected by the VMware vCenter vulnerability related to CVE-2021-22005 – a patch is available and so is a quicker (but temporary) mitigation. We notified a small number of members yesterday of internet-exposed servers. More information can be found in this Bleeping Computer article.

Bleeping Computer also reported on a vulnerability in macOS Finder that makes it possible for attackers to run commands on Macs running any macOS version up to the most recent release, Big Sur.

With the unveiling of Apple’s iOS 15 this week, there has been a lot of focus on their increased efforts to offer consumers greater control over who sees their data. MacRumors released a guide on the new privacy and security features that have seen mixed reactions concerning Apple’s handling of user data.

Lastly, to all the parents, guardians and family members experiencing school holidays, remember, this too shall pass, so enjoy the family time and/or look forward to the end… good luck!

DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public
Date: 2021-09-17 Author: The Record
Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets. The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub. Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an app called Open Management Infrastructure (OMI), which Microsoft has been silently installing by default on most Azure Linux virtual machines.

Microsoft Exchange Autodiscover bug leaks hundreds of thousands of domain credentials
Date: 2021-09-22 Author: The Record
Security researchers have discovered a design flaw in a feature of the Microsoft Exchange email server that can be abused to harvest Windows domain and app credentials from users across the world. Based on his finding, Serper said he registered a series of Autodiscover-based top-level domains that were still available online. […] For more than four months, between April 16, 2021, and August 25, 2021, Serper said these servers received hundreds of requests, complete with thousands of credentials, from users that were trying to set up their email clients, but their email clients were failing to find their employer’s proper Autodiscover endpoint.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation
Date: 2021-09-22 Author: The Hacker News
Microsoft has opened the lid on a large-scale phishing-as-a-service operation that’s involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort. “With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.

Researchers compile list of vulnerabilities abused by ransomware gangs
Date: 2021-09-18 Author: Bleeping Computer
Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims’ networks. All this started with a call to action made by Allan Liska, a member of Recorded Future’s CSIRT, on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors.

ESB-2021-3190 – Cisco IOS XE Software multiple vulnerabilities
Cisco IOS XE is currently experiencing technical difficulties – those difficulties? A range of quite serious vulnerabilities, ranging from unauthenticated code execution to DoS, all warranting a patch.

ESB-2021-3162 – VMSA-2021-0020 – VMware vCenter Server updates address
Security bugs in vCenter Server that were privately disclosed to VMware have been classified as “critical” after it was discovered they were, in fact, critical.

ASB-2021-0183-2 – Microsoft Patch Tuesday update for Azure for September 2021
It was good to see Microsoft stay consistent this week – both in the sense that Patch Tuesday came and went, and that we were spoiled with an assortment of privilege escalation and code execution vulnerabilities.

ESB-2021-3099-2 – Apple security update for iOS 14.8 and iPadOS 14.8
Apple announced some not-so-fun vulnerabilities for iOS and iPadOS this week – malicious applications are capable of executing code with kernel privileges, and interestingly one vulnerability permitted this over a Bluetooth connection.

ESB-2021-3212 – iOS 12.5.5 Vulnerabilities
Apple’s at it again with the vulnerabilities, having identified a number of serious issues with iOS 12.5.5 that are actively being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th September 2021

Greetings,

Apple issued a series of security updates earlier in the week to patch two critical vulnerabilities that the company says were “actively exploited” in the wild. Further information is available in this CISA article. ZDNet reported that Microsoft issued over 60 security fixes of their own with the latest round of patches to resolve issues that impacted a range of products including Azure Sphere and Microsoft Windows DNS, among other software.

Following on from the release of AUSCERT’s most recent podcast last week, it has been highlighted in VMware’s latest Global Incident Response Threat Report that an increasing number of cyber security professionals experienced “extreme stress or burnout” due to the surging attacks of cyber criminals during the COVID-19 pandemic. Links to the report, along with tools to help identify and assist with such occurrences, can be found in the report from ACS Information Age.

Lastly, Ars Technica reported on what has been dubbed an “embarrassing ‘security bulletin’” from Travis CI, along with the handling of the vulnerability disclosure process following the potential exposure of the information of over 600,000 users.

Windows MSHTML exploits shared on hacking forums
Date: 2021-09-12 Author: Bleeping Computer
Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation. These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer. However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Google patches 10th Chrome zero-day exploited in the wild this year
Date: 2021-09-13 Author: Bleeping Computer
Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them being zero-days exploited in the wild. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” the company revealed in the release notes for the new Chrome version. The update is currently rolling out worldwide in the Stable desktop channel, and Google states it will become available to everyone over the next few days.

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
Date: 2021-09-13 Author: The Hacker News
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that’s actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetration testing tool — codenamed “Vermilion Strike” — marks one of the rare Linux ports of what has traditionally been a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as a “threat emulation software,” with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.

Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
Date: 2021-09-14 Author: ZDNet
Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution flaw in MSHTML and other critical bugs. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14. Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

Ransomware crims saying ‘We’ll burn your data if you get a negotiator’ can’t be legally paid off anyway
Date: 2021-09-15 Author: The Register
A couple of ransomware gangs have threatened to start deleting files if targeted companies call in professional negotiators to help lower prices for decryption tools. Grief Corp is the latest criminal crew to warn its victims with instant data destruction if it suspects a mark has engaged a mediator.

You Can Now Ditch the Password on Your Microsoft Account
Date: 2021-09-15 Author: WIRED
Though a completely passwordless future is still a ways off, you’ll soon be able to take a big step in that direction by nuking the password on your Microsoft account. The company announced today that the password-free features it already offers to corporate customers will now be available to everyone.

Securing Netflix Studios At Scale
Date: 2021-09-14 Author: Netflix TechBlog
In 2017, Netflix Studios was hitting an inflection point from a period of merely rapid growth to the sort of explosive growth that throws “how do we scale?” into every conversation. The vision was to create a “Studio in the Cloud”, with applications supporting every part of the business from pitch to play. The security team was working diligently to support this effort, faced with two apparently contradictory priorities:
1) streamline any security processes so that we could get applications built and deployed to the public internet faster
2) raise the overall security bar so that the accumulated risk of this giant and growing portfolio of newly internet-facing, high-sensitivity assets didn’t exceed its value

ASB-2021.0177.2 – UPDATE ALERT MSHTML: Execute arbitrary code/commands – Remote with user interaction
Microsoft’s Patch Tuesday includes fixes for a remote code execution vulnerability in Windows that is being exploited in the wild.

ESB-2021.3099 – ALERT iOS and iPadOS: Execute arbitrary code/commands – Remote with user interaction
Apple releases iOS 14.8 and iPadOS 14.8 to address a remote code execution vulnerability in iOS and iPadOS.

ESB-2021.3102 – ALERT macOS Catalina: Execute arbitrary code/commands – Remote with user interaction
Apple is aware of a remote code execution vulnerability in macOS Catalina that may have been actively exploited.

ESB-2021.3103 – ALERT macOS Catalina and macOS Mojave: Execute arbitrary code/commands – Remote with user interaction
Apple’s most recent security patch for Safari fixes a remote code execution vulnerability.

ESB-2021.3107 – ALERT Siemens APOGEE and TALON: Multiple vulnerabilities
Unauthenticated root access available thanks to what MITRE calls a ‘classic buffer overflow’. Affects certain building automation systems from Siemens.

ASB-2021.0185 – ALERT Microsoft Extended Security Update: Multiple vulnerabilities
Microsoft releases its monthly security patch update to resolve 25 vulnerabilities across Windows and Windows Server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 10th September 2021

Greetings,

Earlier this week, Microsoft issued a warning to Windows 10 users about a previously unknown security vulnerability, CVE-2021-40444, potentially being exploited by cybercriminals. Microsoft is advising users to execute mitigation action until an official patch becomes available. An update on the situation is available in this Bleeping Computer article.

After reports this week that a threat actor had collected and published credentials for Fortinet’s SSL-VPN devices, we fetched a copy of the data set and yesterday we notified included members. Fortinet have today published an advisory which we’ve sent out as ASB-2021.0179. The exploited vulnerability was originally fixed in May 2019 – a sterling reminder to keep up with patching (or to ask your manager to allocate time for it!).

ZDNet reported on another recent Microsoft vulnerability, a bug in its Azure Container Instances. Microsoft confirmed it had mitigated the vulnerability and advised that there hadn’t been any indications of unauthorised access to customer data.

AUSCERT released our latest podcast (Episode 5), ‘Creating a culture of care’, featuring Mental Well Being Consultant, Julie Gillespie. Julie shares her insights and ideas, borne from her personal experiences, to help develop a culture that identifies and supports those experiencing challenges and difficulties, and that also benefits the workplace. The podcast was timely as it preceded this year’s R U OK Day which took place on Thursday, September 9. This year’s message focused on asking friends, families and colleagues if they’re really ok. Because of the volume of people experiencing isolation, frustration and helplessness, every day is an opportunity to consider, “What can I do to make a positive influence on my own mental wellbeing and/or for the people in my life more often?”.

Here at AUSCERT, we gathered in our HQ for a morning tea to reconnect and then took a stroll after lunch along some scenic walking paths nearby for a good chat and some fresh air. If you’re feeling depressed, angry, stressed, fearful, anxious or alone, visit: ruok.org.au/findhelp

Hackers leak passwords for 500,000 Fortinet VPN accounts
Date: 2021-09-08
Author: Bleeping Computer
A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid. This leak is a serious incident as the VPN credentials could allow threat actors to access a network to perform data exfiltration, install malware, and perform ransomware attacks.

Conti ransomware raiders exploit ‘ProxyShell’ Exchange bugs
Date: 2021-09-06
Author: iTnews
Affiliates of the Conti ransomware criminals are exploiting the ProxyShell vulnerabilities in Microsoft’s Exchange Server to attack and remotely take over organisations’ networks, security researchers warn. ProxyShell is an attack chain that can be used to remotely run arbitrary commands on unpatched on-premises Exchange Servers, without authentication.

Cybersecurity is tough work, so beware of burnout
Date: 2021-09-06
Author: ZDNet
Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

Ransomware: Take these three steps to protect yourself from attacks and make it easier to recover
Date: 2021-09-08
Author: ZDNet
Microsoft has shared three key steps organizations can take to ensure a ransomware attack doesn’t cripple their entire network in an attempt to extract a multimillion dollar ransom or leak sensitive corporate data on the internet. Microsoft developed the three-step advice as part of its feedback to the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST)’s recent call for expert approaches to preventing and recovering from ransomware and other destructive cyberattacks.

Protecting yourself from phone porting and SIM card scams
Date: 2021-09-07
Author: ABC Everyday
To get around the increased restrictions on SIM porting, scammers may impersonate your telco to get the verification code. “To port the number, for example, some telcos might require an authentication code. The criminal knows that. They also know the number of the person they’re trying to exploit.” “They’ll arrange for that code to be sent via text, then the criminal will call the victim and impersonate the telco and say, ‘Look, I noticed that there has been some unauthorised access on your account. We’ve sent you a verification code, can you confirm that to me?’”

ESB-2021-3048 – WordPress 5.8.1 Security and Maintenance Release
Plethora of security patches for new WordPress release.

ESB-2021.3045 – firefox-esr security update
Mozilla Firefox arbitrary code execution vulnerabilities.

ASB-2021.0179 – FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
SSL-VPN data leaked for FortiGate by malicious actor this week.

ASB-2021.0177 – Microsoft MSHTML Remote Code Execution Vulnerability
Actively exploited RCE vulnerability in MSHTML, with mitigation recommendations.

ESB-2021.2994 – squashfs-tools security update
Vulnerability in squashfs allowing attackers to overwrite arbitrary files.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 3rd September 2021

Greetings,

Last week, AUSCERT alerted members regarding a remote code execution vulnerability present in certain versions of Atlassian Confluence (CVE-2021-26084). Where it was possible to identify internet-facing Confluence instances of our members, notifications were sent last Friday, August 27. We published ESB-2021.2901 on the same day. Read more in this Bleeping Computer article.

Members, we need you! AUSCERT is always looking for ways to increase our value to you and would like your feedback, specifically your thoughts regarding AUSCERT delivering Cyber Tabletop Exercises as a paid service, like we currently do for cyber security training. If you’d like to get involved, please complete this survey so that we can evaluate the need for this service and what would suit your organisation.

A recent spate of unsolicited text messages has offered a timely reminder that SMS is often used by scammers. Unidentified texts that don’t have an option to unsubscribe are key identifiers of potential scams, often seeking personal information and in some cases containing electronic viruses that can compromise your phone’s security. Scammers like to disguise their deceit by using shortened URLs that hide the original domain names and, in some instances, malware that can download and execute once the link has been clicked. There are many ways this method is being used, with examples seen in this We Live Security article.

Have a great weekend!

NPM package with 3 million weekly downloads had a severe vulnerability
Date: 2021-09-03
Author: Ars Technica
Popular NPM package “pac-resolver” has fixed a severe remote code execution (RCE) flaw. The pac-resolver package receives over 3 million weekly downloads, extending this vulnerability to Node.js applications relying on the open source dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration files and generates a function for your app to map certain domains to use a proxy.

Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported
Date: 2021-08-19
Author: Cloudflare
Earlier this summer, Cloudflare’s autonomous edge DDoS protection systems automatically detected and mitigated a 17.2 million request-per-second (rps) DDoS attack, an attack almost three times larger than any previous one that we’re aware of. For perspective on how large this attack was: Cloudflare serves over 25 million HTTP requests per second on average. This refers to the average rate of legitimate traffic in 2021 Q2. So peaking at 17.2 million rps, this attack reached 68% of our Q2 average rps rate of legitimate HTTP traffic.

ACSC cyber security challenge
Date: 2021-08-31
Author: Cyber.gov.au
The ACSC has released a simulated cyber incident challenge so anyone can test or improve their cyber response ability and forensic skills. Organisations may wish to use the challenge as a group training exercise for cyber security staff. The challenge was originally run at the BSides Canberra conference in April 2021.

Data privacy, governance and insights are all important obligations for businesses
Date: 2021-08-31
Author: TechRepublic
TechRepublic’s Karen Roby spoke with Kon Leong, CEO and co-founder of ZL Technologies, a data management company, about data privacy and governance. […] for the last seven decades or more, IT has focused on data that was primarily all siloed. Siloed applications generating siloed data. And now here comes a slew of legislative initiatives that say, “OK, we’re looking at privacy, and by the way, no data is exempt. Therefore, we don’t make exemptions for silos. So to manage it, you have to de-silo effectively.” And are you kidding me? You’re going to undo 70 years of IT infrastructure? So we’re still kind of scratching our heads and saying, how do we get this done?”

Maths, encryption, and quantum computing
Date: 2021-08-18
Author: COSMOS Magazine
“Factorisation, which is used for the current classical public key cryptography, is easy [to break] on quantum computers. Factorisation is simple. You can factor long integers and break RSA on Quantum. It’s quite easy. So now we are trying to design the cryptography, which will be resistant against quantum computing.” Instead of using integer factorisation, other mathematical approaches need to be used to circumvent the sheer ‘brain’ power quantum computers will possess. One of the mathematical tools that are being used to construct quantum-resistant encryption is Geometry of Numbers or Lattice Theory.

ASB-2021.0176 – Microsoft Security Update Release for Microsoft Edge (Chromium-based)
Fixes for multiple critical vulnerabilities for Microsoft Edge, most of which first appeared in Chrome a couple of days earlier.

ESB-2021.2981 – qemu security update
Various bugs in the qemu emulator leading to DoS and code execution from malicious guests.

ESB-2021.2968 – USN-5051-4: OpenSSL regression
OpenSSL on Ubuntu 14.04 ESM, and only 14.04, introduced a regression while fixing CVE-2021-3712.

ESB-2021.2953 – sssd security update
The System Security Services Daemon (SSSD) allowed shell command injection, permitting root escalation if a root user was tricked into running a specially crafted command.

ESB-2021.2949 – Security update for mysql-connector-java
This patch prevents unauthenticated attackers compromising the Java connector for MySQL.

Stay safe, stay patched and have a good weekend!

Bek, Tom & David


Blogs

APCERT CYBER DRILL 2021

The progression toward a growing reliance on the e-economy within the Asia Pacific region requires ongoing protection of the various infrastructures integral to the political and economic stability and security. The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking. This year’s theme, “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”, reflects real-world incidents and issues experienced globally.

As a founding member, AUSCERT has participated in every drill since their inception, with Operations Manager Geoff Thonon stating that the drill is “More important than ever”. “Whilst there is a time limit, the purpose of the drill isn’t to identify the fastest (CERT) team but rather, to work collaboratively to challenge and develop everyone’s skills”, Geoff continued.

The experiences and tasks conducted by each participating team allow for knowledge sharing, with no CERT typically experiencing the same issues or providing like-for-like services. The APCERT drill aims to maintain and progress internet security and safety, with the exercise providing participants the chance to improve communication protocols, technical responses and the overall quality of incident responses.

Although undertaken in a few hours, the lessons learned from the experience can continue long after. Analysing the challenges, choices and responses of teams provides an insight into the various perspectives of other participants. “The information available to each team from the drill provides a greater understanding of the how and why that can lead to year-round training and development for staff”, Geoff stated.

With 26 CERTs from 20 economies within the Asia Pacific region taking part, there is a wealth of knowledge and experience to draw upon in the quest for ongoing learning and growth within the sector. As each drill typically requires six to eight months of planning and preparation, the 2022 APCERT Cyber Drill will soon be underway – the ongoing need for education and skill enhancement a reflection of the rapid development of the digital world we now reside in!


Week in review

AUSCERT Week in Review for 27th August 2021

Greetings,

Hot topic of the week is the recently passed bill which will allow the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to access the computers and networks of those suspected of conducting criminal activity online, which raises the question: ‘How do we as a CERT tell the difference between a hacked system and a legally compromised one?’ You can read more through these articles from ZDNet and InnovationAus.

This week AUSCERT joined teams from 21 other countries to take part in the annual APCERT Drill, designed to improve regional responses to emerging cyber security threats. The theme of this year’s APCERT Drill was “Supply Chain Attack Through Spear-Phishing – Beware of Working from Home”. This exercise reflected real incidents and issues that exist on the Internet. The participants handled a case of a supply chain attack triggered by spear phishing. Narayan and Vishaka represented team AUSCERT and did an outstanding job, especially considering it was their first time. We are proud of the contribution by Geoffroy Thonon, our Operations Manager, who was part of the planning committee that worked tirelessly to deliver the drill.

Great news for Members! You can now opt to receive AUSCERT Bulletins as a daily digest issued at the end of each business day. Subscribe now through the Member Portal; instructions can be found here. Alternatively, you can send an email to the membership team.

Today is Wear it Purple Day, which is a way to show young LGBTIQ+ members of the community that they have a right to be proud of who they are. The aim is to create safe spaces in schools, universities, workplaces and public areas to show LGBTIQ+ people they are supported and belong.

Have a great weekend!

T-Mobile breach hits 53 million customers
Date: 2021-08-23
Author: iTnews
Cellular operator T-Mobile US said an ongoing investigation into a data breach revealed that hackers accessed personal information of an additional 5.3 million customers, bringing the total number of people affected to more than 53 million. The third largest US wireless carrier had earlier said that personal data of more than 40 million former and prospective customers was stolen along with data from 7.8 million existing T-Mobile wireless customers.

COVID vaccine certificates can be forged within 10 minutes due to ‘obvious’ security flaw
Date: 2021-08-23
Author: ABC News
Near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered. Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery. The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.

Australian businesses stop reporting ransomware attacks over exfiltration doubts
Date: 2021-08-23
Author: iTnews
Australian businesses are incorrectly relying on what they think is a loophole in notifiable data breach laws to avoid reporting ransomware infections. The Office of the Australian Information Commissioner (OAIC) warned that “a number of entities” in the six months to June 2021 didn’t report ransomware attacks because they could not prove whether or not data was accessed or stolen.

38 million records exposed by misconfigured Microsoft Power Apps. Redmond’s advice? RTFM
Date: 2021-08-23
Author: The Register
Forty-seven government entities and privacy companies, including Microsoft, exposed 38 million sensitive data records online by misconfiguring the Windows giant’s Power Apps, a low-code service that promises an easy way to build professional applications. Security biz UpGuard said that in May one of its analysts found that the OData API for a Power Apps portal offered anonymously accessible database records that included personal details. That led the security shop to look at other Power Apps portals and its researchers found over one thousand apps configured to make data available to anyone who asked.

Microsoft warns thousands of cloud customers of exposed databases
Date: 2021-08-27
Author: Reuters
Microsoft on Thursday warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher. The vulnerability is in Microsoft Azure’s flagship Cosmos DB database. A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies. [NB: This is separate from the Power Apps issue above.]

Atlassian warns of critical Confluence flaw
Date: 2021-08-26
Author: The Register
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw. The company’s not saying a lot about CVE-2021-26084, besides describing it as a “Confluence Server Webwork OGNL injection vulnerability … that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The bug scores 9.8 on the ten-point Common Vulnerability Scoring System.

ASB-2021.0175 – Microsoft Edge (Chromium-based): Reduced security – Remote with user interaction
Please update Microsoft Edge to 92.0.902.78 to address multiple CVEs.

ESB-2021.2865 – F5 BIG-IP Products: Multiple vulnerabilities
Multiple vulnerabilities in BIG-IP Products have been patched by F5.

ESB-2021.2871 – Application Policy Infrastructure Controller: Multiple vulnerabilities
Cisco has released multiple advisories to patch against different vulnerabilities.

ESB-2021.2901 – Atlassian Confluence Server and Data Center: Execute arbitrary code/commands – Remote/unauthenticated
Atlassian has warned users of its Confluence Server that they need to patch the product to remedy a Critical-rated flaw.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
