Blogs

Using threat intelligence to produce a cyber defence strategy

Very few practitioners need to be told about contemporary cyber threats such as ransomware; it has found its way into the common language of risk assessments, disaster recovery plans and mainstream media alike. But what can be done other than writing playbooks and practising response plans, following the Essential 8 and blocking known malicious indicators?

Those organisations with a strategic approach to cyber defence are more likely to survive a ransomware attack, and consideration of an attacker’s motive may be key to mounting a successful defence. For example, if the motive is purely financial and the attacker causes significant business disruption if the ransom demand is not met, what controls can prevent this? However, if the motive is to hold to ransom the intellectual property, customer database or another information asset, should priority instead be given to controls which detect and mitigate data exfiltration? Whilst senior management’s risk tolerance level may be “we must implement all possible countermeasures,” few organisations will have the luxury of doing so.

Utilising available data sets to form operational “cyber threat intelligence” can help mitigate harmful events such as ransomware attacks. Most importantly, doing so is within the reach of most organisations following the explosion of available open-source tools and data sets. Such “tactical” cyber threat intelligence usually consists of Indicators of Compromise (IoCs): technical data such as known bad IP addresses, URLs, emails and file hashes. Here is where the value proposition of CERTs (Cyber Emergency Response Teams) pays off: not-for-profit organisations providing open-source and member-funded services, with passionate teams consisting of analyst, dev-ops and engagement functions, CERTs are trustworthy due to their independent status.

CIRCL from Luxembourg famously produces the Malware Information Sharing Platform (MISP) and tactical data feeds, used worldwide by other CERTs including AUSCERT, governments and private enterprise. Many organisations do not have resources beyond the tactical level; however, simply using tactical feeds of IoCs has proven effective in detecting or even preventing the initial stages of a ransomware attack. Relevant and concise IoCs may be used in content filters, centralised logging, SIEM or even custom-scripted solutions to hunt or block threats. AUSCERT’s Malicious URL Feed is an example of a high-confidence, low-volume feed, usually consumed in an automated fashion but also suitable for manual threat hunting, depending upon the consumer’s available resources.

Members of AUSCERT’s MISP community can study operational intelligence such as attackers’ tools, techniques and procedures, even visually. A “mind map” connects similar events and data, allowing members to correlate campaigns and understand the techniques used in incidents such as ransomware attacks. Organisations can then form strategic plans regarding the risks associated with cyber threats.

Most importantly of all, a collaborative approach must be foremost in discussions regarding cyber defence strategy. A common misconception is that sharing threat information may compromise competitive advantage; however, a particular strength of CERTs is coordinating, anonymising and analysing incident data, and then providing operational intelligence to members, even entire sectors. Have you included your local CERT in your IR (Incident Response) plans?

Mike Holm
Senior Manager, AUSCERT
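As an added illustration of the custom-scripted hunting the post mentions (example code written for this page, not AUSCERT’s or MISP’s own tooling), the script below matches a small indicator list against proxy log lines, treating a bare hostname as covering its subdomains and a full URL as a host plus path prefix. The feed layout, log layout and every indicator are constructed; the real Malicious URL Feed format is not assumed.

```python
"""Hunt proxy logs with a tactical IoC feed (added example, constructed data)."""
import re
from urllib.parse import urlsplit

# Constructed sample feed: one indicator per line, '#' comments allowed.
# A bare hostname covers that host and all its subdomains; a full URL
# matches on host plus path prefix. These are not real indicators.
FEED = """\
# constructed indicators for this example
evil-updates.example
http://cdn.badhost.example/payload/
bad-login.example.net
"""

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2021-08-20T09:15:01Z 10.1.2.3 GET http://www.example.com/index.html 200
2021-08-20T09:15:07Z 10.1.2.9 GET http://static.evil-updates.example/update.exe 200
2021-08-20T09:16:30Z 10.1.2.3 GET https://cdn.badhost.example/payload/stage2.bin 200
2021-08-20T09:17:02Z 10.1.2.5 GET http://cdn.badhost.example/public/logo.png 200
2021-08-20T09:18:44Z 10.1.2.7 POST https://bad-login.example.net/auth 302
2021-08-20T09:19:10Z 10.1.2.7 GET http://notbad-login.example.net/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_feed(text):
    """Split a feed into (domains, url_prefixes).

    domains: set of lowercase hostnames; url_prefixes: list of (host, path).
    """
    domains = set()
    url_prefixes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "://" in line:
            parts = urlsplit(line)
            host = (parts.hostname or "").lower()
            if host:
                url_prefixes.append((host, parts.path or "/"))
        else:
            domains.add(line.lower().rstrip("."))
    return domains, url_prefixes


def host_matches(host, indicator):
    """Exact host or subdomain match on a label boundary, so that
    'notbad-login.example.net' does not match 'bad-login.example.net'."""
    return host == indicator or host.endswith("." + indicator)


def match_url(url, domains, url_prefixes):
    """Return the indicator a URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for d in sorted(domains):
        if host_matches(host, d):
            return d
    for h, p in url_prefixes:
        if host_matches(host, h) and path.startswith(p):
            return h + p
    return None


def hunt(log_text, feed_text):
    """Return a list of (timestamp, client, url, indicator) hits, in log order."""
    domains, url_prefixes = parse_feed(feed_text)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match
        indicator = match_url(m["url"], domains, url_prefixes)
        if indicator:
            hits.append((m["ts"], m["client"], m["url"], indicator))
    return hits


if __name__ == "__main__":
    for ts, client, url, indicator in hunt(PROXY_LOG, FEED):
        print(f"{ts} {client} -> {url}  [matches {indicator}]")
```

Only three of the six constructed lines should match: the subdomain of a listed host, the request under the listed path prefix, and the listed login host; the look-alike host and the request outside the prefix are left alone.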


Week in review

AUSCERT Week in Review for 20th August 2021

Greetings,

Yesterday the ACSC issued an alert about cybercriminals targeting the Microsoft Exchange ProxyShell exploit chain. Patches were issued for these vulnerabilities in April and May 2021, so a timely reminder to stay on top of patch updates. Our Operations Team conducted a Shodan search of the involved CVEs which produced 136 records affecting 42 of our member organisations who had servers exposed to the internet reporting software versions that were potentially vulnerable. These members have all been contacted today to ensure they are protected.

Our latest blog post on Using threat intelligence to produce a cyber defence strategy was published today by our Senior Manager, Mike Holm.

Have a great weekend everyone.

One big ransomware threat just disappeared. Now another one has jumped up to fill the gap
Date: 2021-08-13
Author: ZDNet
The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world. It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.

Secret terrorist watchlist with 2 million records exposed online
Date: 2021-08-16
Author: Bleeping Computer
A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status.

Linux glibc security fix created a nastier Linux bug
Date: 2021-08-16
Author: ZDNet
The GNU C Library (glibc) is essential to Linux. So, when something goes wrong with it, it’s a big deal. When a fix was made in early June for a relatively minor problem, CVE-2021-33574, which could result in application crashes, this was a good thing. Unfortunately, it turned out the fix introduced a new and nastier problem, CVE-2021-38604. It’s always something! The first problem wasn’t that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, “In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug.” Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug.

Fortinet slams Rapid7 for disclosing vulnerability before end of 90-day window
Date: 2021-08-17
Author: ZDNet
A dispute broke out on Tuesday after cybersecurity company Rapid7 released a report about a vulnerability in a Fortinet product before the company had time to release a patch addressing the issue. Rapid7 said one of its researchers, William Vu, discovered an OS command injection vulnerability in version 6.3.11 and prior of FortiWeb’s management interface. The vulnerability allows remote, authenticated attackers to execute arbitrary commands on the system through the SAML server configuration page. Rapid7 said the vulnerability was related to CVE-2021-22123, which was addressed in FG-IR-20-120. The company added that in the absence of a patch, users should “disable the FortiWeb device’s management interface from untrusted networks, which would include the internet.”

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Date: 2021-08-17
Author: Mandiant
Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.

Reducing the threat of day one exploits
Date: 2021-08-10
Author: APNIC Blog
Cyber hygiene and patching are key measures towards protecting data and systems. However, it’s not always possible or practical to patch when vulnerabilities and associated patches are announced. This problem gives rise to day one exploits. Day one exploits are responsible for attacks such as the recent Microsoft Exchange attack that compromised hundreds of thousands of organizations. That attack began as a zero-day exploit and was followed by numerous day one exploits once the vulnerabilities were announced. Day one exploits were also used by Iranian threat actors about a year ago to gain access to financial sector networks via published VPN vulnerabilities.

Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
Date: 2021-08-17
Author: The Hacker News
A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a reward points application, or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week, attributing the operation to a threat actor it tracks as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by leveraging exploits in the Internet Explorer browser.

ASB-2021.0136.2 – UPDATE ALERT Microsoft Print Spooler: Increased privileges – Existing account
Microsoft’s out-of-band critical update addresses a Windows Print Spooler Elevation of Privilege Vulnerability

ESB-2021.2739 – MozillaFirefox: Multiple vulnerabilities
Mozilla releases an update that fixes 6 vulnerabilities in Firefox

ESB-2021.1489.2 – UPDATED ALERT Real-time Operating Systems (RTOS) products: Multiple vulnerabilities
Initial advisory released on 30 April 2021 updated to include newly disclosed details about vulnerable Blackberry QNX-based products

ESB-2021.2808 – ALERT Small Business RV series routers: Multiple vulnerabilities
A vulnerability in Cisco’s Small Business RV series routers allows Remote Command Execution and Denial of Service

ESB-2021.2777 – Adobe Photoshop: Execute arbitrary code/commands – Existing account
Adobe’s updates for Photoshop for Windows and macOS resolve multiple critical vulnerabilities

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
Microsoft has released an out-of-band update to address a Windows Print Spooler Remote Code Execution Vulnerability

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Podcast

Podcast Ep 4: Cyber security awareness and team culture

In this episode, AUSCERT features the following guests:
> Tracey Weeks, Manager of Cyber Security (Training and Awareness) in the Cyber Security Group at eHealth Queensland – Queensland Health
> Brian Hay, Executive Director at Cultural Cyber Security
> Dr David Stockdale, AUSCERT Director

LISTEN HERE: “Share today, save tomorrow” Ep 4: Cyber security awareness and team culture

Tracey Weeks has a career spanning 27 years in Queensland Health and 10 years’ experience in the field of cyber security in the healthcare sector. She leads her team within the Cyber Security Group, driving cultural change across the state in cyber security awareness, with the focus on the workforce being the key to ensuring the protection of Queensland Health information and service delivery.

Brian Hay has a rare blend of cyber security skills and business attributes. Long considered a Thought Leader in the world of Cyber Security, he learned his craft not from the technical demands of the industry but rather by focusing on the activities of organised crime and cyber criminals.

David provided a current update on what has been happening at AUSCERT since episode 3 of this podcast series. In particular, AUSCERT’s new training offering aimed at increasing cyber awareness for school professionals, our recent event and partnership with Baidam Solutions and trends from the recent AUSCERT Quarter 2, 2021 Report.

This episode was hosted by Anthony Caruana and Bek Cheb. The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.


Week in review

AUSCERT Week in Review for 13th August 2021

Greetings,

Anyone else feel like we are stuck in Groundhog Day? Another Patch Tuesday and PrintNightmare refuses to leave us. Microsoft released updates for at least 44 security vulnerabilities including another Print Spooler flaw. Since the update earlier this week, another bug has been identified with no patch yet released. For more details and a workaround check out this great write-up from ZDNet.

Following on from the Apple Announcement last week about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content, check out the Schneier on Security blog for a great collation of articles and information.

We are excited to share Episode 4 of the AUSCERT “Share today, save tomorrow” podcast series! Episode 4 titled “Cyber security awareness and team culture” features Brian Hay from Cultural Cyber Security and Tracey Weeks from Queensland Health. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

Have a great weekend everyone.

Microsoft Exchange servers scanned for ProxyShell vulnerability; patch now
Date: 2021-08-07
Author: Bleeping Computer
[See ASB-2021.0127 and 0103]
Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together. […] While both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update. Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
Date: 2021-08-10
Author: Bleeping Computer
Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers. In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges. Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion. However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows. Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

Opinion: Why Australia’s Online Safety Act is an abdication of responsibility
Date: 2021-08-12
Author: ZDNet
The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work. This brain package always includes two naive and demonstrably false beliefs. One is that safe backdoors exist so that all the good guys can come and go as they please without any of the bad guys being able to do the same. The other is that everyone will be nice to each other if we know their names. This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.

FlyTrap Android Malware Used to Compromise Facebook Accounts
Date: 2021-08-10
Author: PCMag Australia
Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store. FlyTrap masqueraded as a variety of mobile apps dedicated to “free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium said, and “tricked users into downloading and trusting the application with high-quality designs and social engineering” before attempting to gain access to their Facebook accounts.

Hacker is returning $600M in crypto, claiming theft was just “for fun”
Date: 2021-08-13
Author: Ars Technica
The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”

ESB-2021.2679 – MISP: Cross-site scripting – Remote with user interaction
MISP 2.4.148 released including many bugs fixed along with security fixes.

ASB-2021.0168 – Microsoft Office Products & Services and Web App Products: Multiple vulnerabilities
SOC analyst: Are you going to fix PrintNightmare Microsoft? Microsoft: No sir! but here is something you also need to worry about.

ASB-2021.0173 – Azure Products: Multiple vulnerabilities
SOC analyst: *finally finished with the update of Office Products* Microsoft: Excuse me sir! This one too.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account
SOC Analyst: OK! I have patched the Office and Azure products. PrintNightmare: Did you miss me?

ESB-2021.2686 – Firefox: Multiple vulnerabilities
Chrome: We have released multiple patches this month. Firefox: Hold my beer!

ESB-2021.2705 – Intel Ethernet Linux Driver: Multiple vulnerabilities
Potential security vulnerabilities in some Intel Ethernet Controllers have been addressed in the recent update. Win/Mac users: Oh no! Anyway!

Stay safe, stay patched and have a good weekend!

Bek and Narayan on behalf of The AUSCERT team


Week in review

AUSCERT Week in Review for 6th August 2021

Greetings,

A hot topic at the moment is the announcement from Apple about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM) content. There is a lot of concern in the industry about the potential for misuse as well as mission creep; the team at Stanford Internet Observatory have a great discussion on the topic and The Register has a great article if you’d like to learn more.

The next episode of our podcast “Share Today, Save Tomorrow” will launch soon; this is a great time to jump on and listen to our first 3 episodes. Great stories from our cyber community as well as up to date news from the AUSCERT team. The AUSCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

With so much of the country in lockdown (including the AUSCERT team) we hope everyone is keeping well and finding ways to keep spirits up. Our team has been sharing their coping techniques as well as music and book recommendations, which is keeping us all connected as well as entertained.

Have a great weekend everyone.

ACSC survey for Australian critical infrastructure organisations
Date: 2021-08-02
Author: cyber.gov.au
The Australian Cyber Security Centre is asking Australian critical infrastructure providers and operators to take part in a confidential survey to help identify operational technologies used by their organisation.

Cisco fixes critical, high severity pre-auth flaws in VPN routers
Date: 2021-08-04
Author: Bleeping Computer
[See ESB-2021.2626 and 2627.]
Cisco has addressed pre-auth security vulnerabilities impacting multiple Small Business VPN routers and allowing remote attackers to trigger a denial of service condition or execute commands and arbitrary code on vulnerable devices. The two security flaws tracked as CVE-2021-1609 (rated 9.8/10) and CVE-2021-1602 (8.2/10) were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively.

How the Dark Web enables access to corporate networks
Date: 2021-07-28
Author: TechRepublic
The Dark Web is home to a thriving marketplace for cybercriminals who want to buy or sell illegal and malicious goods and services. Advertisements and forum messages hawk everything from credit cards and bank accounts to medical records to account credentials to fake IDs to counterfeit products. But one of the most lucrative items up for sale is network access. Getting the keys to an organization’s entire network can easily pave the way for a host of attacks, including malware, data exfiltration, corporate espionage, and ransomware. A report released Wednesday by security provider Positive Technologies looks at the selling of network access on the Dark Web and examines how this threat continues to grow.

How data-driven patch management can defeat ransomware
Date: 2021-08-02
Author: VentureBeat
Ransomware attacks are increasing because patch management techniques lack contextual intelligence and historical data needed to model threats based on previous breach attempts. As a result, CIOs, CISOs, and the teams they lead need a more data-driven approach to patch management that can deliver adaptive intelligence reliably at scale. Ivanti’s acquisition of RiskSense, announced today, highlights the new efforts to close the data-driven gap in patch management.

What covid apps can teach us about privacy, utility and trust in app design
Date: 2021-08-03
Author: Salinger Privacy
The release last week of the report into the first 12 months of the federal government’s beleaguered ‘COVIDSafe’ app got me thinking about the importance of Privacy by Design – and in particular, how the ‘design’ part of the equation is not just about the technology. With the release of the evaluation report – months late and only after a heavily redacted version was released after a concerted FOI push – we now know that the COVIDSafe app has been a terribly expensive flop.

ASB-2021.0166 – Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft Edge has been updated to 92.0.902.67, which addresses multiple vulnerabilities.

ESB-2021.2607 – Google Chrome: Multiple vulnerabilities
The stable channel update for Google Chrome has been released to address multiple vulnerabilities.

ESB-2021.2626 – Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers: Multiple vulnerabilities
Multiple vulnerabilities in the web-based management interface of the Cisco Small Business Dual WAN Gigabit VPN Routers could lead to Remote Code Execution.

ESB-2021.2640 – wordpress: Multiple vulnerabilities
Object injection vulnerability in PHPMailer affects WordPress.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 30th July 2021

Greetings,

Thank you to those who were able to join us for our delayed NAIDOC event with team Baidam Solutions earlier this week. We are extremely grateful that in Brisbane we were able to meet and celebrate together (while of course following strict COVID guidelines).

Of note this week, Apple released security updates to address a vulnerability (CVE-2021-30807) for macOS, iOS and iPadOS in which an application may be able to execute arbitrary code with kernel privileges. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Until next week everyone, have a great weekend.

Apple releases fix for iOS and macOS zero-day, 13th this year
Date: 2021-07-26
Author: The Record by Recorded Future
[See ASB-2021.0165.]
Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild. Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device’s memory handles the screen display—the screen framebuffer, to be more exact. According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device.

More than half of all Aussies continue to encounter forms of cyber scams in 2021
Date: 2021-07-23
Author: ZDNET
Within the Asia Pacific, Australians are second most likely to fall victim to a tech support cyber scam, according to new findings from Microsoft. Leading the way is India which recorded 69% of people encountered a tech support scam. The 2021 Global Tech Scam Research report showed that in the past 12 months, 68% of Australians encountered some form of tech support scam. While it was a two-point decrease from 2018, it was still higher than the global average which came in at 59%, five points lower than in 2018.

Google announces new bug bounty platform
Date: 2021-07-27
Author: ZDNet
Google has announced a new bug bounty platform as it celebrated the 10-year anniversary of its Vulnerability Rewards Program. The program led to a total of 11,055 bugs found, 2,022 rewarded researchers and nearly $30 million in total rewards.

A Controversial Tool Calls Out Thousands of Hackable Websites
Date: 2021-07-27
Author: WIRED
The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.

ASB-2021.0165 – Apple IOMobileFrameBuffer vulnerability
Apple released security updates for macOS, iOS and iPadOS to address CVE-2021-30807, an arbitrary code execution vulnerability

ESB-2021.2561 – Security update for qemu
Multiple vulnerabilities identified in qemu with a security update released by SUSE

ESB-2021.2548 – Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3)
SUSE security update for the Linux kernel, multiple vulnerabilities

ESB-2021.2531 – USN-5022-1: MySQL vulnerabilities
MySQL vulnerabilities discovered with security fixes and bug patches released

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 23rd July 2021

Hi Folks

Patch fatigue is definitely setting in, another big week for our analysts issuing bulletins from Adobe and Oracle particularly. This week we released our Quarter 2, 2021 Report with some great stats and updates for the period from 1 April to 30 June 2021. Reminder, there are only 8 days left to nominate for the Australian Women in Security Awards, such a great opportunity to recognise the amazing women in our industry. Hope everyone is keeping safe in these crazy times, have a great weekend.

…

Shriro Hacked, Feds Cyber Security Called In
Date: 2021-07-19
Author: channelnews
Sydney based appliance distributor Shriro Holdings has been hacked with the business impacted claims management. CEO Tim Hargraves claims that the distributor of Casio, Blanco, Omega and Everdure barbecues was subject to a cyber security incident involving unauthorised access to its operating systems last week.

Microsoft takes down domains used to scam Office 365 users
Date: 2021-07-19
Author: Bleeping Computer
Microsoft’s Digital Crimes Unit has seized 17 malicious domains used by scammers in a business email compromise (BEC) campaign targeting the company’s customers. The domains taken down by Microsoft were so-called “homoglyph” domains registered to resemble those of legitimate business. This technique allowed the threat actors to impersonate companies when communicating with their clients.

This password-stealing Windows malware is distributed via ads in search results
Date: 2021-07-21
Author: ZDNet
A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware. Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.

HiveNightmare aka SeriousSAM — anybody can read the registry in Windows 10
Date: 2021-07-21
Author: Double Pulsar
This is the story of how all non-admin users can read the registry — and so elevate privileges and access sensitive credential information — on various flavours of Windows 10. It appears this vulnerability has existed for years, and nobody noticed. In this post I made an exploit to test it.

Australian organisations are quietly paying hackers millions in a ‘tsunami of cyber crime’
Date: 2021-07-16
Author: ABC News
It’s an open secret within the tight-lipped world of cybersecurity. For years, Australian organisations have been quietly paying millions in ransoms to hackers who have stolen or encrypted their data. This money has gone to criminal organisations and encouraged further attacks, creating a vicious cycle. Now experts say Australia and the rest of the world is facing a “tsunami of cyber crime”.

MITRE – 2021 CWE Top 25 Most Dangerous Software Weaknesses
Date: 2021-07-22
Author: MITRE
The [CWE Top 25] is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.

ASB-2021.0138 – ALERT MySQL products: Multiple vulnerabilities
Oracle’s July Patch Update includes 41 new security patches to address multiple vulnerabilities in Oracle MySQL

ASB-2021.0139 – ALERT PeopleSoft Enterprise products: Multiple vulnerabilities
Oracle releases fixes to address multiple vulnerabilities in PeopleSoft Enterprise products

ASB-2021.0140 – ALERT Oracle Systems: Multiple vulnerabilities
The Critical Patch Update contains 11 new security patches for Oracle Systems

ESB-2021.2515 – ALERT Tenable.sc Products: Multiple vulnerabilities
Multiple third-party vulnerabilities identified in Tenable.sc 5.19.0

ASB-2021.0156 – ALERT Oracle Financial Services Applications: Multiple vulnerabilities
Multiple vulnerabilities in Oracle Financial Services Applications are addressed in Oracle’s most recent Patch Update

ESB-2021.2463 – Google Chrome: Multiple vulnerabilities
The Chrome team releases Chrome 92.0.4515.107 with a number of fixes and improvements

ESB-2021.2447 – Adobe Photoshop: Multiple vulnerabilities
Adobe’s updates for Photoshop for Windows and macOS resolve a critical and a moderate vulnerability

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 16th July 2021

Greetings,

Well, doesn’t time fly: Patch Tuesday (Wednesday), we meet again. Microsoft released patches for 117 vulnerabilities, 13 of them critical. We also saw patch updates from Adobe, Chrome and Firefox.

Of note this week, a new SolarWinds vulnerability was uncovered by Microsoft, who discovered a remote code execution flaw in the SolarWinds Serv-U product. SolarWinds released updates for their Serv-U Managed File Transfer and Serv-U Secure FTP tools to address it (CVE-2021-35211). Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Lastly, we are excited to share Episode 3 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 3 features Jacqui Loustau, AWSN Founder, and Pip Jenkinson, CEO of Baidam Solutions, and is titled “Passion led us here”. Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast.

Until next week everyone, have a great weekend.

SolarWinds patches critical Serv-U vulnerability exploited in the wild
Date: 2021-07-12
Author: Bleeping Computer
SolarWinds is urging customers to patch a Serv-U remote code execution vulnerability exploited in the wild by “a single threat actor” in attacks targeting a limited number of customers. “Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company said in an advisory published on Friday.

Updated Essential Eight Maturity Model
Date: 2021-07-12
Author: Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) has further strengthened the implementation guidance for the Essential Eight through changes that reflect its experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight. The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats. Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.

Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years
Date: 2021-07-14
Author: The Conversation
Australian organisations are a soft target for ransomware attacks, say experts who yesterday issued a fresh warning that the government needs to do more to stop agencies and businesses falling prey to cyber-crime. But in truth, the danger has been growing worldwide for more than three decades. Despite being a relatively new concept to the public, ransomware has roots in the late 1980s and has evolved significantly over the past decade, reaping billions of dollars in ill-gotten gains. With names like Bad Rabbit, Chimera and GoldenEye, ransomware has established a mythical quality with an allure of mystery and fascination. Unless, of course, you are the target.

Strengthening Australia’s cyber security regulations and incentives
Date: 2021-07-13
Author: Department of Home Affairs
On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy. Interested stakeholders are invited to provide a submission to the discussion paper, Strengthening Australia’s cyber security regulations and incentives.

Govts sign off on national data sharing agreement
Date: 2021-07-12
Author: itnews
Federal, state and territory leaders have signed off on an intergovernmental agreement aimed at making more data available across all jurisdictions for policy development and service delivery. National cabinet agreed to the intergovernmental agreement (IGA) on data sharing on Friday, formalising a plan that was first endorsed in April, in part to lay the foundations for linked-up government services.

ESB-2021.2390 – ALERT HPE Edgeline Infrastructure Manager: Execute arbitrary code/commands – Remote/unauthenticated
HPE has addressed a critical RCE vulnerability in Edgeline Infrastructure Manager.

ESB-2021.2377 – Firefox and Firefox ESR: Multiple vulnerabilities
Multiple security vulnerabilities have been fixed in Firefox 90.

ASB-2021.0126 – ALERT Solarwinds Serv-U: Administrator compromise – Remote/unauthenticated
CVE-2021-35211 is being exploited in the wild. Patch it to not catch it.

ASB-2021.0135 – ALERT Microsoft Extended Security Update products: Multiple vulnerabilities
And here we go again. Microsoft has released its monthly security patch update for the month of July 2021.

ESB-2021.2374 – Adobe Acrobat and Reader: Multiple vulnerabilities
Microsoft: We have critical vulnerabilities. Adobe: Hold my beer.

Stay safe, stay patched and have a good weekend!
Bek & Narayan on behalf of The AUSCERT team


Podcast

Podcast Ep 3: Passion led us here

In this episode, AUSCERT features the following guests:
> Jacqui Loustau, AWSN Founder and AUSCERT2021 Individual Excellence in Information Security Winner
> Phillip “Pip” Jenkinson, CEO of Baidam Solutions and AUSCERT2021 Diversity & Inclusion Champion
> Dr David Stockdale, AUSCERT Director

LISTEN HERE: “Share today, save tomorrow” Ep 3: Passion led us here

Jacqui Loustau is the Founder and Executive Manager of AWSN, the Australian Women in Security Network. AWSN’s mission is to support, inspire, and connect women and female-identifying professionals in the industry, and those looking to enter the field, with the tools, knowledge, connected network and platforms they’ll need in order to build their confidence and cultivate their interest. AWSN has been Jacqui’s “passion project” for close to 7 years. Kudos to Jacqui for her tireless work in building the AWSN to where it is today!

At AUSCERT, we believe that Diversity & Inclusion champions are leaders who take responsibility for instilling a diverse and inclusive workplace culture. Pip Jenkinson, CEO and Co-Founder of Baidam Solutions, is the inaugural winner of this AUSCERT award. For those unfamiliar with Pip, his work at Baidam emphasises the importance of partnerships with some of Australia’s largest employers to create job opportunities and funding for cybersecurity certification training. Baidam gives a significant percentage of the company’s profits to providing pathways to employment in the IT sector for Indigenous and First Nations people. Pip’s and Baidam’s journey is an inspiring story and a great example of how organisations can combine profit with social good.

David discussed the many goings-on at AUSCERT since episode 2 of this podcast series: in particular, AUSCERT’s Member Security Incident Notifications (MSINs) service, the malspam “inbox-spoofing” incident and also the recent “PrintNightmare” and Kaseya ransomware and supply chain attacks – with a reminder on how we can all continue to protect against and mitigate such incidents.

This episode was hosted by Anthony Caruana and Laura Jiew.
The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.


Week in review

AUSCERT Week in Review for 9th July 2021

Greetings,

What a big week! A lot to get on top of this week between Kaseya and PrintNightmare. Of note, Microsoft released updated patches to address PrintNightmare. This is related to the Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527 and CVE-2021-1675. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

For those of you based in the Greater Brisbane area, we are excited to announce a new date for our NAIDOC Week 2021 gathering. To hear more about the work done by colleagues at Baidam Solutions, come and join us on Monday 26 July, 2 – 4pm. For further details and to RSVP, visit the AUSCERT website.

Until next week everyone, have a great weekend.

Kaseya supply-chain ransomware attack hits MSP customers
Date: 2021-07-03
Author: iTnews
A supply-chain attack on Kaseya, which provides management, monitoring and automation software for managed service providers (MSPs), has led to ransomware infections among the company’s customers around the world.

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw
Date: 2021-07-04
Author: The Hacker News
Microsoft is urging Azure users to update the PowerShell command-line tool as soon as possible to protect against a critical remote code execution vulnerability impacting .NET Core. The issue, tracked as CVE-2021-26701 (CVSS score: 8.1), affects PowerShell versions 7.0 and 7.1 and has been remediated in versions 7.0.6 and 7.1.3, respectively. Windows PowerShell 5.1 isn’t impacted by the flaw.

QNAP fixes critical bug in NAS backup, disaster recovery app
Date: 2021-07-05
Author: Bleeping Computer
Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices’ security. The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP’s disaster recovery and data backup solution. The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources, allowing them to escalate privileges, execute commands remotely, or read sensitive info without authorization.

Treasury revisits cyber terrorism insurance cover
Date: 2021-07-05
Author: IT News
Treasury will consider whether cyber terrorism that causes physical property damage should be added to the national terrorism insurance scheme for a second time in three years. Treasury said that like the 2018 review, the 2021 review will look at “whether a sufficient rationale has emerged to include cyber terrorism causing physical property damage within the scheme”.

Email fatigue among users opens doors for cybercriminals
Date: 2021-07-07
Author: Bleeping Computer
Given the mass migration to remote work, more critical business data is being shared by email than ever before. Users can now receive hundreds of emails a day, and sifting through them is time-consuming and exhausting. Faced with that skyrocketing volume, it’s no wonder that there’s a growing email fatigue. Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it – which explains why 94% of malware is now delivered via email.

Microsoft’s incomplete PrintNightmare patch fails to fix vulnerability
Date: 2021-07-07
Author: Bleeping Computer
[See related ALERT bulletin ASB-2021.0123.4 which AUSCERT updated on the 8th July]
Researchers have bypassed Microsoft’s emergency patch for the PrintNightmare vulnerability to achieve remote code execution and local privilege escalation with the official fix installed. According to Mimikatz creator Benjamin Delpy, the patch could be bypassed to achieve Remote Code Execution when the Point and Print policy is enabled.

ASB-2021.0123.4 – UPDATE ALERT Microsoft Print Spooler: Multiple vulnerabilities
Our update was made to draw attention to Microsoft’s revised advisory announcing that patches are now available for additional Windows versions.

ESB-2021.2341 – apache2: Multiple vulnerabilities
Several vulnerabilities have been found in the Apache HTTP server, which could result in remote code execution and denial of service.

ESB-2021.2332 – Cisco Web Security Appliance: Multiple vulnerabilities
This Cisco product was affected by vulnerabilities which, prior to the fix, gave attackers the opportunity to execute remote code and compromise root.

ESB-2021.2344 – MDT AutoSave: Multiple vulnerabilities
A perfect 10.0 (CVSS 3.0), albeit appliance based. Successful exploitation of the associated vulnerabilities could lead to full remote execution on the Remote MDT Server without an existing user or password.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 2 July 2021

Greetings,

Folks, welcome to the second half of 2021. The start of July marks a new financial year here in Australia – which means tax time is here! We’re sharing this “Is it a scam?” piece by our AUSCERT2021 Member Organisation of the Year, the folks from the Australian Taxation Office.

Of note this week, Microsoft has released an out-of-band critical update to address a Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527. This vulnerability has received significant media attention in the past day or so. Be sure to catch up on this alert via our highlighted AUSCERT Security Bulletin details below.

Some mitigation notes and recommendations: apply the latest security updates released on June 8, 2021, AND determine whether the Print Spooler service is running; if it is, either disable it or disable inbound remote printing through Group Policy. Microsoft acknowledges this vuln is similar to but DISTINCT from the recent Print Spooler vuln reported as CVE-2021-1675 and addressed by the June 2021 Patch Tuesday updates. They are still investigating the issue and will update the page as more information becomes available.

AUSCERT members, be sure to hop on our Slack space for some tips and notes regarding this issue from fellow AUSCERT members. It’s always an awesome space for information sharing! To sign in, please do so via our member portal.

And last but not least, for those of you based in the Greater Brisbane area who were intending to attend our proposed NAIDOC Week 2021 luncheon, please note we will be sharing a new date for this special event soon. In the meantime, please stay safe and continue to follow the latest Government advice.

Until next week everyone, have a great weekend.

CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability
Date: 2021-06-29
Author: Tenable
[CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. See related AUSCERT bulletin ASB-2021.0115. Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.]
Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

CISA releases new ransomware self-assessment security audit tool
Date: 2021-06-30
Author: Bleeping Computer
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET). RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets. This CSET module was tailored by RRA to assess varying levels of ransomware threat readiness to be helpful to all orgs regardless of their cybersecurity maturity.

Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site
Date: 2021-06-28
Author: The Hacker News
Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the browser’s built-in feature via Microsoft Translator.

Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
Date: 2021-06-28
Author: ZDNet
“According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice [paying ransom demands] isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers.”
Note: this article includes commentary stating that paying a ransomware extortion demand is not illegal. This may not be true in some jurisdictions and readers are encouraged to seek legal counsel.

Cisco ASA vulnerability actively exploited after exploit released
Date: 2021-07-27
Author: Bleeping Computer
Hackers are scanning for and actively exploiting a vulnerability in Cisco ASA devices after a PoC exploit was published on Twitter. This Cisco ASA vulnerability is a cross-site scripting (XSS) vulnerability that is tracked as CVE-2020-3580. Cisco first disclosed the vulnerability and issued a fix in October 2020. However, the initial patch for CVE-2020-3580 was incomplete, and a further fix was released in April 2021.

ASB-2021.0123 – ALERT Windows Print Spooler: Execute arbitrary code/commands
Existing Zero-day Vulnerability (PrintNightmare) can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Proof of concept exploit code has reportedly been released.

ESB-2021.2240 – Thunderbird: Multiple vulnerabilities
Thunderbird contained a multitude of vulnerabilities causing reduced security, including remote code execution and denial of service.

ESB-2021.2279 – Nessus Agent: Administrator compromise – Existing account
Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could lead to gaining administrator privileges on the Nessus host.

ESB-2021.2297 – htmldoc: Multiple vulnerabilities
A buffer overflow was discovered in HTMLDOC, an HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code and denial of service.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
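As an added example (not AUSCERT's or Microsoft's own code) of the PrintNightmare mitigation notes in the 2 July review above, this PowerShell audit reports whether the Print Spooler service is running, whether inbound remote printing has been disabled through Group Policy, and whether the host actually shares printers, and it applies the stop-and-disable option only on hosts that share none. It assumes an elevated session on Windows 10 or Server 2016 or later; the registry location given for the Group Policy setting is this author's understanding of where that policy is stored, not something the page states.

```powershell
# Added example, not AUSCERT's or Microsoft's own code: audit one Windows host
# against the PrintNightmare (CVE-2021-34527) mitigation notes in the review above.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later.
# The registry location of the Group Policy setting "Allow Print Spooler to accept
# client connections" is this author's understanding, not taken from the page.

function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Policy value 2 = "Disabled": the spooler does not register its remote
    # RPC endpoint, which is the "disable inbound remote printing" option.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pol    = Get-ItemProperty -Path $polKey -Name RegisterSpoolerRemoteRpcEndPoint `
                  -ErrorAction SilentlyContinue
    $remoteDisabled = ($null -ne $pol) -and ($pol.RegisterSpoolerRemoteRpcEndPoint -eq 2)
    $remoteState    = if ($remoteDisabled) { 'Disabled by policy' } else { 'Allowed' }

    # Shared printers show whether the host really serves print jobs; a host
    # sharing none is a candidate for stopping and disabling the service.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)

    # The page gives the 8 June 2021 update date but no KB numbers, so list
    # hotfixes installed since then for the reader to check against the advisory.
    $recent = @(Get-HotFix -ErrorAction SilentlyContinue |
                Where-Object { $_.InstalledOn -ge [datetime]'2021-06-08' } |
                Select-Object -ExpandProperty HotFixID)

    if (-not $running) {
        $advice = 'OK: Print Spooler is not running'
    } elseif ($shared.Count -eq 0) {
        $advice = 'Stop and disable the Spooler service (no shared printers)'
    } elseif (-not $remoteDisabled) {
        $advice = 'Print server: disable inbound remote printing via Group Policy'
    } else {
        $advice = 'Print server already hardened; confirm June/July updates are installed'
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerRunning        = $running
        InboundRemotePrinting = $remoteState
        SharedPrinters        = $shared.Count
        HotfixesSince20210608 = ($recent -join ', ')
        Recommendation        = $advice
    }
}

function Disable-SpoolerIfNoSharedPrinters {
    # First mitigation option from the review: only safe where nothing is shared.
    param([switch]$WhatIf)
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
    if ($shared.Count -gt 0) {
        Write-Warning "Host shares $($shared.Count) printer(s); use the Group Policy option instead."
        return
    }
    if ($WhatIf) { Write-Host 'Would stop and disable the Spooler service.'; return }
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

Get-SpoolerExposure | Format-List
```

Run Get-SpoolerExposure across a fleet first and act on the Recommendation field; the disable function refuses to run on anything that shares a printer, because stopping the spooler there breaks printing rather than hardening it.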
