Publications

AUSCERT Week in Review for 25th June 2021 Greetings, This week, we shared the final instalment of our blog articles highlighting the winners of our Annual AUSCERT Awards. This time, we featured the AUSCERT2021 Information Security Excellence Winner, Jacqui Loustau. Jacqui is a formidable figure in the Australian information security and cybersecurity community. Have a read of it here. We’re also pleased to share the following blog piece by Sean McIntyre, one of our Analysts – “I got 99 problems but a vuln ain’t one”, it’s a bit of a tongue-in-cheek one! And cheesy (revised) lyrics aside, Sean shared his top 3 observations from assisting our membership audience. For those of you based in the Greater Brisbane area and are wanting to hear more about the work done by colleagues at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here. And last but not least, a big thank you to our AUSCERT2021 media partners at Source2Create for covering such a wide range of our talks and presentations from AUSCERT2021 in Issue 3 of their Women in Security Magazine. To subscribe and download a copy, hop on to their website here. Until next week everyone, have a great weekend. Labor Bill would force Aussie organisations to disclose when they pay ransoms Date: 2021-06-21 Author: ZDNet The Australian federal opposition has introduced a Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives on Monday by Shadow Assistant Minister for Cyber Security Tim Watts. According to Watts, such a scheme would be a policy foundation for a “coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy, and offensive cyber operations”. MITRE releases D3FEND, defensive measures complimentary to its ATT&CK framework Date: 2021-06-23 Author: The Record by Recorded Future The MITRE Corporation, one of the most respected organizations in the cybersecurity field, has released today D3FEND, a complementary framework to its industry-recognized ATT&CK matrix. The not-for-profit organization, which also runs the CVE database of known vulnerabilities, received funding to create the D3FEND framework from the US National Security Agency (NSA). The basic idea behind D3FEND is that the framework will provide defensive techniques that system administrators can apply to counter the practices detailed in the ATT&CK matrix, a one-of-a-kind project that was set up in 2015 to catalog and index the most common offensive techniques used by threat actors in the real world. Tony googled his investment options. Two weeks later, he’d been scammed out of $200,000 Date: 2021-06-24 Author: ABC News It cost around $20 to set up and conned $200,000 from one victim alone. Here’s how investment scammers tricked Tony into handing over part of his life savings. Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks Date: 2021-06-18 Author: The Register Google has proposed a framework called SLSA for dealing with supply chain attacks, a security risk exemplified by the recent compromise of the SolarWinds Orion IT monitoring platform. SLSA – short for Supply chain Levels for Software Artifacts and pronounced “salsa” for those inclined to add convenience vowels – aspires to provide security guidance and programmatic assurance to help defend the software build and deployment process. Former ASIO boss warns on energy sector cyber Date: 2021-06-21 Author: InnovationAus Energy experts and a former ASIO chief have warned that Australia’s critical energy infrastructure was growing in complexity and vulnerability to cyber-attacks, but a commensurate uplift in resilience has not occurred. Former ASIO director general and current chair of the Foreign Investment Review Board David Irvine said energy was one of many Australian sectors lacking sufficient cyber resilience, and that most local organisations are not “caring enough” about the new “tool of warfare”. Progress is being made but not quickly enough, and Australia is vulnerable to sophisticated cyber attacks, Mr Irvine told an Australia Israel Chamber of Commerce Business lunch on Friday. ASB-2021.0121 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction Microsoft released an update for Edge, the default internet browser for Windows 10. A vulnerability that could lead to remote code execution was addressed. ESB-2021.2208 – wireshark: Multiple vulnerabilities 9 vulnerabilities were addressed in Wireshark, a commonly used packet analyser. ESB-2021.2212 – Thunderbird: Multiple vulnerabilities Multiple vulnerabilities were addressed in Mozilla Thunderbird, these could lead to cross-site scripting attacks and code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2021 Information Security Excellence Winner [A copy of this interview article is also featured on Edition 3 of the Women in Security Magazine, published by Source2Create.] Jacqui is Founder and Executive Manager of the Australian Women in Security Network (AWSN) which aims to connect, support and inspire more people, in particular, women and female-identifying professionals to pursue a career in security. She is also co-author of the international book ‘Women in the security profession’. In April 2021, Jacqui decided to take a leap of faith and is now devoting 100% of her time to building the AWSN as a not-for-profit organisation. In short, AWSN has been Jacqui’s “passion project” for close to 7 years. Today, AWSN is a national group of close to 2,500 members across Australia with linkages to a number of prominent sponsors. It is an open network of people aiming to grow the number of women and female-identifying professionals in the cyber security community. AWSN’s mission is to support, inspire, and connect women and female-identifying professionals in the industry and those looking to enter the field with the tools, knowledge, a connected network and platforms they’ll need in order to build their confidence and cultivate their interest. Kudos to Jacqui for her tireless work in building the AWSN to where it is today, and with that – it is with great honour that we award her the Winner of Information Security Excellence in 2021.  Tell us a little about your professional career? My interest in technology started off when I worked at a help desk at Australia Post and in the area of  PC support at an insolvency company during uni where I studied a Bachelor of Information Systems. I then graduated and became a unix adminstrator for a few years before then deciding that I wanted to see and travel the world! When I was back-packing in Europe I ran out of money (as you do!) and got a job working on the helpdesk at Schlumberger. I got the opportunity to retrain to be a technical consultant. They put me through some really intensive technical networking and security training and at the end they asked what I wanted to do. I thought security was interesting, and this is pretty much how my security career journey began! I then worked as a security consultant for multiple large scale projects where I’d worked on a variety of different areas such as implementing AV, PKI solutions, performing risk assessments and technical assessments, policy-writing, and basically anything that was thrown at me at the time. I ended up spending 7 years in London and 7 years in Paris as a consultant working on many interesting projects which I loved. When I came back to Australia, I continued to consult on different projects before then moving to the in-house security team at ANZ. I started in their Identity and Access Management (IAM) team, then moved on to designing the cybercrime controls for ANZ’s institutional banking arm; and finally moved to head the Security Education and Influence team in a job share role. I then decided that I really wanted to help small businesses who I saw being affected by cybercrime and ended up spending a year in start-up land with the folks at Cynch Security. You’re the founder of AWSN. Can you tell us more about how AWSN was born and what your mission is? The idea of the AWSN (Australian Women in Security Network) was born when I returned from a 14-year stint overseas and came back to Melbourne. I walked into a security event and was overwhelmed by being the only female in the room. It was something I had gotten used to in Europe; but it really hit me when I came back to my home country to see and experience  it, especially when I didn’t know anyone in the room. I’d met one other female participant and she took me under her wing and introduced me to some people. We then brought together a number of female colleagues for casual breakfasts and met up before the start of security conferences. We spoke about how much we enjoyed working in security and some talked about the challenges they faced with being the only females in their teams. After a while, I was thinking that there may be other women out there also feeling alone, so I started a LinkedIn group. This then grew organically over time and soon local state-based chapters started to pop up across Australia. These then grew into more formal events and now our community consists of around 2500 people. The AWSN is an open network of people aiming to grow the number of women in the security community. We support, inspire, and act as role models. We connect women in the industry and those looking to enter the field with the tools, knowledge, network and platforms needed to build confidence and interest. As a network, we know the diversity of online threats require diversity of thought on how to address them, and this is where our network thrives.We do this mainly through events, hand-on workshops, training, mentoring and speaking engagements through community groups, universities and high schools. Congratulations on winning the Information Security Excellence award! What does winning this award mean to you? It was an absolute honour to have received this award. This means so very much to me and I sometimes still pinch myself with disbelief! I believe that this is a community recognition award, as the AWSN couldn’t have got to where it is today without all the volunteers, sponsors, donors, mentors, coaches, speakers, writers and all the people supporting us over the years. Receiving this award means that the Information Security industry in Australia recognises that what the AWSN is doing is important and meaningful work AND that we are on the right track with what we are trying to achieve. It means that all the hard work and hours that myself and all our volunteers put in to make AWSN what it is today is worth it! Thank you to everyone who has contributed to our cause, you know who you are. What do you see as some of the main cyber threats in today’s society and their accompanying risks? Are you seeing any trends of particular threats becoming more common? Good question! There are many and I could probably talk for hours on this topic. But if I were to choose two, which I think we as a society/community need to work together on a lot more are application vulnerabilities and supply chain risks. As we continue to use technology and build systems, apps, software faster than ever – often security is something that is considered at the last minute or sometimes, never! We shouldn’t expect the users of our systems or apps to know what to look out for when it comes to a security breach. Hence, it is my personal belief that technology should really adopt a “secure-by-design” philosophy and make it easy for users to apply security updates when they are required. When it comes to the topic of supply chain risk, some of these cyber threat issues stem from the fact that small businesses (which btw, constitutes 98% of all Australian businesses**) often cannot afford security consultants to help them with implementing secure processes or expensive security services and products to protect their company assets. These businesses are particularly vulnerable to threats such as business email compromise (BEC), ransomware or data breaches which are increasingly becoming more and more common. These can have downstream implications on large corporations, critical infrastructure and Government agencies as it is very likely that at some point these smaller businesses are further down in their supply chain. It’s cliche, but cyber security really IS in everyone’s interest – no matter the size of your workplace. ** figure obtained from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO) If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be? To stay humble and keep an open mind. Remember and realise that most of our society don’t know what we know, and that no question should be considered a silly question. I don’t think that there is anyone in our sector who knows absolutely everything about security, so we shouldn’t treat/blame users like they should have known better in case of a breach or an incident. There are many people out there (they could be your grandparents, friends, family members  and colleagues) who are confused and overwhelmed by what they know and what they don’t know about the topic of cyber security. It is this stigma that cyber security is difficult and tricky which often makes many security departments feared or are perceived to be unapproachable. We, as a community therefore all have a responsibility to show them that we are keen to help them learn and have them join us on this journey. We cannot fight this battle with just technology and largely rely on humans to report things that are suspicious, to consult with us before they are about to go live with a system and to sign off on our budgets. Therefore, we need everyone on our side and we need to show that we are open to listen and help.  As a community, I think we need to communicate better, prioritise (based on known risks) and provide them with easy and accessible information, solutions and advice – so as not to confuse the general public further. What’s one common challenge you find women and female-identifying professionals are facing in the cybersecurity industry and how can organisations continue to support them? A common challenge I’ve personally found with women and female-identifying professionals in male-dominated teams is that they feel they are not heard or given the same opportunities as their male counterparts. They are often questioned why they are there and instead of asking or referring to them as subject matter experts, they are sometimes asked to be referred to a male counterpart as it’s assumed they don’t know the answer or have anything to contribute to a particular security topic. Everyone should be given an equal opportunity to contribute, and by this I don’t mean just females, but also young/elderly males, people of different ethnicities, people of different backgrounds who need a voice. Organisations must address this better, it needs to be a fundamental yet important goal within all teams or we will continue to lose good talent! And when good talent is lost, it makes it hard for upcoming new talent to see people like themselves in a career path in security, and we absolutely need this new talent in order to fight the new security and technology challenges ahead.  

AUSCERT Week in Review for 18th June 2021 Greetings, This week, we shared our June 2021 edition of The Feed – the AUSCERT membership newsletter. Members, be sure to check your inbox(es) for a copy of this newsletter to catch up on all things related to your AUSCERT membership. We’re pleased to share the following blog piece by our AUSCERT2021 Diversity and Inclusion Champion – Phillip “Pip” Jenkinson from Baidam Solutions. Congratulations Pip, a well-deserved win! For those of you based in the Greater Brisbane area and are wanting to hear more about Pip and the work he does at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AUSCERT website here. Last but not least, we’re proud to announce that there are currently 11 NEW Member Security Incident Notifications (MISNs) reports generated in the pipeline by our team of analysts – all drawn from the expertise of our various threat intelligence partners and resources. This is a pertinent reminder for members to keep your organisation’s IPs and domains up to date on the AUSCERT member portal to make sure you’re able to receive these relevant MSINs as they come through! A recap of how this particular AUSCERT service assists our members with mitigating cyber-attacks can be found here “How AUSCERT helped its members tackle the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits.” Until next week everyone, have a great weekend. Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet Date: 2021-06-16 Author: Dark Reading [See related ALERT bulletin ESB-2021.1805 which AUSCERT published on the 26th May] Thousands of instances of VMware vCenter Servers with two recently disclosed vulnerabilities in them remain publicly accessible on the Internet three weeks after the company urged organizations to immediately patch the flaws, citing their severity. The flaws, CVE-2021-21985 and CVE-2021-21986, basically give attackers a way to take complete control of systems running vCenter Server, a utility for centrally managing VMware vSphere virtual server environments. The vulnerabilities exist in vCenter Server versions 6.5, 6.7, and 7.0. Nationally-known Australian company lawyered up to resist ASD help Date: 2021-06-15 Author: ZDNet The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate, likening it to refusing to cooperate with an air crash investigation. One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security on Friday. “It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said. […] However the unnamed company lawyered up, and it took a week for the ASD to get even basic network information. Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign Date: 2021-06-14 Author: Microsoft Security Intelligence Microsoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions. Qld govt stumps up $40m for cyber security, digital Date: 2021-06-16 Author: iTnews The Queensland government will invest almost $40 million in cyber security and digital service delivery over the next five years as the state’s Covid-19 recovery gets underway. Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise Date: 2021-06-16 Author: Mandiant Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. ESB-2021.2130 – ImageMagick: Multiple vulnerabilities 34 vulnerabilities were addressed in ImageMagick, some of which could lead to code execution. ESB-2021.2141 – Nessus Agent: Increased privileges – Existing account Tenable released an update to address privilege escalation vulnerabilities in their Nessus Agent for Windows. ESB-2021.2173 – ALERT [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interaction Another week, another zero-day in Google Chrome. Google reports that this been exploited in the wild so this should be patched as soon as possible. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT launching a podcast series “Share today, save tomorrow” Editor’s notes:  Hi, my name is Laura Jiew and I run the communications portfolio for team AUSCERT. I am super excited to be working on this podcast series with Anthony and Kathryn from Media-Wize. “Share today, save tomorrow” – the AUSCERT podcast, has been a project we’ve discussed in the past and has sat brewing for the past year or so, I am so happy to see it brought to life this year with the help of our many AUSCERT supporters, in particular, speakers from our AUSCERT2021 conference. So why a podcast, why now? As a CERT, we recognise that the cyber security landscape is ever-changing, and AUSCERT continues to be passionate about engaging our members to empower their people, capabilities, and capacities. We hope you will enjoy our collection of topics and discussion. Let us know what you think! +++++ Episode 1 LISTEN HERE: “Share Today, Save Tomorrow” AUSCERT Podcast Announcement This episode features the following guests, in random order: Dr David Stockdale, AUSCERT Director Mike Holm, AUSCERT Senior Manager Bek Cheb, AUSCERT Business Manager, long-time AUSCERT event convenor and producer  Dr Mark Carey-Smith, AUSCERT Principal Analyst, long-time AUSCERT conference supporter and GRC presenter  Mandy Turner, Manager, Security Operations Centre at UQ  Tim Lane, AHECS Cyber Security Community of Practice (CoP) Chair Hosted by Anthony Caruana and Laura Jiew The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts

AUSCERT “Share today, save tomorrow” Ep 2: Crossing Into The Blue Team In Cyber Security In this episode, AUSCERT features the following guests: > Lukasz Gogolkiewicz, Head of Corporate Security at SEEK > Mike Holm, AUSCERT Senior Manager > Dr Mark Carey-Smith, AUSCERT Principal Analyst LISTEN HERE: “Share Today, Save Tomorrow” Crossing Into The Blue Team In Cyber Security Lukasz currently heads up Corporate Security at SEEK. In this role, he is responsible for ensuring the protection of sensitive information across a multitude of business systems, corporate systems and IT infrastructure. He was also a keynote at AUSCERT2020 and spoke on the topic of “Threat driven cyber security, does security compliance work?” On this podcast episode, we sat down with Lukasz to discuss his career journey in cyber security, his transition from a Red Team into a Blue Team and his thoughts on the next generation of professionals in the industry. Mike and Mark discussed the many on goings at AUSCERT since the launch episode. In particular – the AUSCERT2021 conference wrap-up, observations from our analyst team on the current threat and cyber security landscape (especially on the topic of ransomware) and all proposed AUSCERT membership engagement activities for the rest of 2021. This episode was hosted by Anthony Caruana and Laura Jiew The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts

AUSCERT2021 Diversity and Inclusion Champion This year, to mark the occasion of AUSCERT’s 20th annual conference anniversary, the team has decided to introduce a new award category – the AUSCERT Diversity & Inclusion Champion.  At AUSCERT, we believe that Diversity & Inclusion champions are leaders who take responsibility for instilling a diverse and inclusive workplace culture. According to the Diversity Council of Australia, the definition of a Diversity & Inclusion champion is someone who plays both a symbolic and an active strategic role. Their symbolic function is to demonstrate leadership support for diversity and inclusion by attending diversity events and delivering diversity messages to stakeholder groups within the company and externally. They contribute to diversity strategy development and implementation by serving on diversity councils, campaigning for support from their fellow colleagues, and consulting with diversity leaders. Pip Jenkinson, CEO and Co-Founder of Baidam Solutions is the inaugural winner of this AUSCERT award. For those unfamiliar with Pip, his work at Baidam emphasises the importance of partnerships with some of Australia’s largest employers to create job opportunities and funding for cybersecurity certification training. Baidam gives a significant percentage of the company’s profits to providing pathways to employment in the IT sector for Indigenous and First Nations people. Pip’s and Baidam’s journey is an inspiring story and shows a great example of how organisations can combine profit with social good. It is with great honour that we award Pip with the inaugural AUSCERT Diversity & Inclusion Champion award. Tell us a little about your professional career? I have had a very diverse career and my pathway to a career in cyber security certainly  wasn’t a straight line. Growing up on a farm in Bathurst NSW, I have worked in shearing sheds, at building sites; and I have also served in the Army. I then decided to enrol at university as a mature age student in a Business degree. My first “real” job outside of university was a sales representative for Guinness in Dublin, Ireland and I was fortunate to travel around the United Kingdom, working in some pretty amazing places. I returned to Australia and stayed within the wine trade, working (and tasting) some of Australia’s best wines and meeting some extraordinary people who were producing wine at an award-winning International standard. These folks were all working really hard to cement the image of Australia as a producer of wine that would rival some of the most famous International brands. One day, out of the blue I decided to apply for a role in ICT sales, working for a large cyber security vendor. When I was shortlisted for an interview, I was so nervous about meeting my potential line manager because I didn’t know much about the sector but I gave it my best shot. There were 4 interview rounds in total and there were many other competitive applicants with greater experience than myself, but when I was offered the role, it was life changing for me! This in turn motivated me to ask for some feedback and I was promptly told that I was hired based on attitude, not aptitude. I was motivated to learn as much as I could and certainly made mistakes along the way – but I was so grateful for the opportunity to improve, to earn a good wage and to alway remember where my start in the cyber security industry came from; and hopefully one day, being able to repay this gesture and opportunity. Can you tell us more about your work at Baidam? At a macro level, Baidam Solutions is an Indigenous owned enterprise. Baidam is a supplier of cyber security goods and services to State and Federal governments and ASX-listed corporations. We model our offerings around the ASD “Essential Eight.” At a micro level, we have created a pretty special business model that directly links a social outcome to a commercial drive. From the profits retained within our supply-chain and it in itself being free from any Government assistance or subsidy, we have been able to support two lifetime University based scholarships for Indigenous students in the STEM fields; as well as numerous industry recognised certifications. The recipients of these scholarships are now working within various SOC teams across Australia. I am incredibly fortunate to work in a team that all share a single company vision and company mission – “To increase Indingeous diversity and inclusion in the ICT sector by using education as a vehicle to build technical equity in our First Nations cyber security aspirants.” Congratulations on winning the Diversity and Inclusion Champion award! What does winning this award mean to you? I was absolutely humbled and quite frankly, speechless to win the award! I received the award on behalf of the whole team at Badaim Solutions. We all know that cyber security is a team sport and there is a great team that stands beside me. The award was really special, being the first at anything is hard, but also rewarding. We are the first Supply Nations certified cyber security practice headquartered in Queensland. Therefore, it is our job to help other Indigenous security professionals get a foothold in the industry and it is our job to lead by example,in everything we do. To be the recipient of the inaugural AUSCERT Diversity and Inclusion Champion award is a huge honour and one that must be given the respect that it deserves, to continually uphold the principles of Diversity and Inclusion and be a role model for others to follow.  What recommendations would you give to other organisations looking to provide pathways for employment in the IT sector for Indigenous and First Nations peoples? Do your research. Be committed and do it for the RIGHT reasons. Invest in cultural immersion programs to lift the knowledge of the entire organisation, don’t leave everything to the folks from Human Resources. Obtain advice and understand that there are many cultural events that don’t neatly sit inside within a standard Fair Work Act 2009 employment contract. Be sensitive and flexible and if you do a good job, the results will speak for itself, you will enjoy a richer, more diverse and inclusive employee talent pool that is more representative of the community that you operate in. Baidam’s journey is an inspiring story and a great example of how organisations can combine profit with social good. What advice would you have for organisations looking to do this? Well, this one is very simple. Just do more and do it more often! We are showing other organisations what is possible when focused on sustainable, social return on investment (SROI) rather than purely ROI. Whether you are looking to support Women’s businesses, Veterans businesses, LGBTIQ+ businesses, Australian Disability Enterprises or a myriad of other social  businesses,find a reason to do business other than the pursuit of profit! Draw a line in the sand today, not tomorrow and stand for something other than profit, your customers will appreciate it and so will your staff. Finally, what do you think are the main challenges and opportunities for the cyber security industry in the coming years? Like my past experience in the wine trade industry, Australia has the opportunity to be recognised as a global leader in the production of cyber security talent as well as sovereign cyber security solution capabilities – truly! As a community, we need to do more to support the local companies who are helping this flourishing marketplace. So where possible, buy local, support local and invest locally. I think the Australian Government is doing a good job in supporting this idea, but as with most things, greater work needs to be done. The challenges in our sector are well documented and includes amongst others; a skills shortage and a culture of sourcing projects off-shore. The final challenge, directly linked to the Indigenous cultures that Baidam represents (one that we all need to overcome!) is a mental one …  We MUST change our thoughts from “Why would I buy through an Indingeous business?” to “Why wouldn’t I buy from an Indigenous business?” To sum it up for me, I’d like to share this Norman Vincent Peale quote, “Change your thoughts and you can change your world”.                          

AUSCERT Week in Review for 11th June 2021 Greetings, This week, we’re pleased to share the following blog piece by our AUSCERT2021 Member Organisation of the Year – team ATO (Australian Taxation Office). Congratulations ATO, and in particular to Cody and Daniel for their efforts and representation of the ATO team at the conference, a well-deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021. On the topic of the AUSCERT2021 conference, as per tradition, we’re slowly releasing the various recordings of our annual conference presentations and talks on our YouTube channel, please feel free to view them here. We hope folks were able to get through all of June 2021’s Patch Tuesday fixes. Please refer to our highlighted bulletins and articles below. A quick shout out to our colleague Narayan who’d processed 74 security bulletins in a single day on Wednesday this week, no small feat. Well done Narayan! Last but not least, we’re excited to share Episode 2 of the AUSCERT “Share today, save tomorrow” podcast series. Episode 2 features Lukasz Gogolkiewicz, Head of Corporate Security at SEEK and is titled “Crossing Into The Blue Team In Cyber Security.” Be sure to check it out. Our podcast is also available via Spotify, Apple Podcast and Google Podcast. Until next week everyone, have a great weekend. Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws Date: 2021-06-08 Author: Bleeping Computer [See related bulletins ASB-2021.0114 through to 119, of note is the ALERT for ASB-2021.0116.] Today is Microsoft’s June 2021 Patch Tuesday, and with it comes fixes for seven zero-day vulnerabilities and a total of 50 flaws, so Windows admins will be scrambling to get devices secured. Microsoft has fixed 50 vulnerabilities with today’s update, with five classified as Critical and forty-five as Important. Scammers capitalise on pandemic as Australians lose record $851 million to scams Date: 2021-06-07 Author: ACCC Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people, according to the ACCC’s latest Targeting Scams report released today. The report compiles data from Scamwatch, ReportCyber, other government agencies and 10 banks and financial intermediaries, and is based on more than 444,000 reports. Investment scams accounted for the biggest losses, with $328 million, and made up more than a third of total losses. Romance scams were the next biggest category, costing Australians $131 million, while payment redirection scams resulted in $128 million of losses. Govt to mandate the Essential Eight cyber security controls Date: 2021-06-09 Author: iTnews The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed. The Attorney-General’s Department revealed the step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience. The hard truth about ransomware: we aren’t prepared, it’s a battle with new rules, and it hasn’t… Date: 2021-06-09 Author: Medium [Note: this is a lengthy read, approx. 20 minutes, but is considered by our Principal Analyst as a thoughtful and timely contribution to the conversation about the modern ransomware threat.] We are rebuilding entire economies around technology, while having some fundamental issues reducing foundations to quicksand. What we are seeing currently is a predictable crisis, which hasn’t yet near peaked. I’m not sure people generally understand the situation yet. The turning circle to taking action is large. With this post, I hope to lay out the reality, and some harsh truths people need to hear. Australian Federal Police and FBI nab criminal underworld figures in worldwide sting using encrypted app Date: 2021-06-08 Author: ABC News More than 200 members of Australia’s mafia and bikie underworld have been charged in the nation’s largest-ever crime sting, police say. As part of a three-year collaboration between the Australian Federal Police (AFP) and Federal Bureau of Investigation (FBI), authorities say underworld figures were tricked into communicating via an encrypted app that had been designed by police. The app, known as AN0M, was used by organised crime gangs around the world to plan executions, mass drug importations and money laundering. Authorities say they were able to read up to 25 million messages in real-time. JBS paid $11 million to REvil ransomware, $22.5M first demanded Date: 2021-06-10 Author: Bleeping Computer JBS, the world’s largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million. On May 31, JBS was forced to shut down some of its food production sites after the REvil ransomware operators breached their network and encrypted some of its North American and Australian IT systems. ESB-2021.2019 – Intel Products: Multiple vulnerabilities Intel released firmware updates to address multiple vulnerabilities. ESB-2021.1994 – BIG-IP (all modules): Multiple vulnerabilities A flaw was found in Nettle Cryptographic Library which affects F5 BIG-IP modules. ESB-2021.1984 – Adobe Photoshop: Execute arbitrary code/commands – Remote with user interaction Adobe has released updates for Photoshop for Windows and macOS to resolve a critical RCE vulnerability. ASB-2021.0116 – ALERT Microsoft Windows: Multiple vulnerabilities Microsoft has released its monthly security patch update for the month of June 2021. ESB-2021.2097 – Apache HTTP Server: Multiple vulnerabilities Multiple vulnerabilities have been resolved in Apache HTTP server 2.4.48. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2021 Member Organisation of the Year Winner We recently had the pleasure of chatting with Daniel Ross and Cody Byrnes from the Australian Taxation Office (ATO) who won the AUSCERT Member Organisation of the Year for 2021. Daniel and Cody both opened up about what it is like to be an AUSCERT member and how the ATO is dealing with new cyber security issues. How long has the Australian Taxation Office been an AUSCERT Member? Our membership goes back well over 10 years, and we’re always really pleased to come along to the AUSCERT conference each year. This was Cody’s and my first year in attendance and it was an overall fantastic experience. What value do you get out of the on-going AUSCERT membership? Our membership with AUSCERT has been invaluable in helping us successfully respond to the myriad of tax and super scams targeting Australians on a daily basis. The AUSCERT Team support us through the takedown of malicious phishing websites, domains and spam email accounts used in these scam campaigns, blocking the ability of the scammers and heavily reducing the number of potential scam victims. Their assistance in sharing the details of these scams with other AUSCERT members also broadens our reach in stopping these scams and heightens our ability to detect future scam campaigns. Congratulations on winning the Member Organisation Of The Year award! What does winning this award mean to you? Thank you! AUSCERT has provided much benefit to ATO over the years. It is great to know that the threat intelligence we share back with them and the broader community is of equal benefit and we appreciate receiving such recognition for this. What advice would you give other AUSCERT members? Engage and be involved with AUSCERT and the community members, and share back what you can, as we are stronger at defending against threats as a community. What cyber security challenges have you faced this year? We think we see a lot of similar challenges to other cyber security teams we talk to: making sure we’ve got the right resourcing, tools and skills in an ever-evolving landscape. One of the more specific challenges we face is protecting the public from ATO themed scams that try to steal their money or personal information. We’ve got a number of preventative strategies in place, as well as rapidly responding to threats as they emerge. This is where we work closely with AUSCERT to quickly respond. It’s very easy for a malicious actor to create a domain with ATO or tax in the title, so we need intelligence to identify these and quick response pipelines to de-activate the malicious domain and minimise the risk of a member of the public being compromised. What do you see as some of the main cyber threats in today’s society? Patching, scams, and supply chain are recurring common threats in today’s society. We see malicious actors weaponising vulnerabilities before patches have been implemented and therefore patching is still a very effective security mechanism in preventing threats to individuals and organisations alike. Scams continue to be an effective method in circumventing technical controls, and supply chain is increasingly targeted as a method of compromising the clients of the particular chain.      

AUSCERT Week in Review for 4th June 2021 Greetings, National Reconciliation Week (NRW) 2021 concluded on the 3rd of June and AUSCERT would like to take this opportunity to recap this year’s theme which was “More than a word. Reconciliation takes action.” To find out more about how we can all be better allies of Australia’s First Nations people, please visit the NRW website here. Be sure to catch up on our highlighted summary of Security Bulletins and ADIR articles below. We’re also pleased to share the following blog piece by our AUSCERT2021 Member Individual of the Year Winner – Simon Coggins from CQUniversity. Congratulations Simon, well deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AUSCERT2021. Last but not least, excited to be sharing the news that AUSCERT is back in the swing of things with respect to our training options. Earlier this week, our Principal Analyst ran a pilot session of the Introduction to Cyber Security for School Professionals course. For those wanting to find out more about our training options, please visit our website for further information or send us an email. Until next week everyone, have a great weekend. New sophisticated email-based attack from NOBELIUM Date: 2021-05-27 Author: Microsoft Threat Intelligence Center (MSTIC) Microsoft Threat Intelligence Center has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals. Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. In this article, MSTIC have outlined attacker motives, malicious behavior, and best practices to protect against this attack. ASD using classified capabilities to warn local entities of impending ransomware hit Date: 2021-06-02 Author: ZDNet Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD’s “value add”. “We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” Noble said. JBS resumes meat operations after cyber attack halts production Date: 2021-06-04 Author: ABC News Earlier this week, JBS USA confirmed the company was targeted by an organised cyber attack on Sunday, which paralysed its operations in North America and Australia. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia,” [JBS] said in the statement. There is no further information on the source of the attack which is believed to be a Russian crime gang. RBA to step up cyber resilience with new identity and access management system Date: 2021-06-02 Author: ZDNet The Reserve Bank of Australia said it is looking to modernise its identity and access management capabilities by introducing more automated controls to its existing platform. The RBA explained it currently relies heavily on a mix of manual and automated processed to enforce bank controls but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities. “Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request. “In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.” Under the IDAM project, the RBA identified that it wants to see the delivery of an identity governance and administration, hybrid identity infrastructure and password-less multi-factor authentication capabilities, privilege access management system, and customer identity access management integration. Countries are increasing their cyber response budgets — but spending still varies widely Date: 2021-05-28 Author: The Record by Recorded Future Nations around the world don’t seem to agree on the appropriate amount of money to earmark for cyber defense and incident response, according to an analysis by The Record. But in recent years, almost every country examined has boosted its cyber spending. ESB-2021.1884 – BIG-IQ Centralized Management: Multiple vulnerabilities F5 has released advisory to address remote code execution vulnerability in BIG-IQ Centralized Management module. ESB-2021.1897 – Firefox: Multiple vulnerabilities Mozilla has released Firefox 89 addressing multiple security vulnerabilities. ESB-2021.1905 – Cisco SD-WAN products: Root compromise – Existing account Cisco has addressed a privilege escalation vulnerability in SD-WAN software. ESB-2021.1908 – Cisco Webex Player: Multiple vulnerabilities A vulnerability in Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system. ESB-2021.1935 – dhcp: Denial of service – Remote/unauthenticated A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2020 Member Individual of the Year Winner During the AUSCERT2020 Conference, we caught up with Rachael Leighton (Principal Advisor, Cyber Strategy & Awareness @ DPC Vic Gov) to discuss her role in the cyber security fight, and how she felt about being awarded AUSCERT2020’s ‘Member Individual of The Year. Tell us a little about your professional career? I actually started as a primary school teacher by trade. Then, during 2009 I worked as a volunteer firefighter and ended up contributing towards a community education program. This was my initial foray into IT, as part of the education project involved upgrading radios and informing the community on what to do. After this, I continued to work for different companies in an organisational change capacity. Eventually I ended up in a Big 4 bank and was working on the same floor as the anti-terror and anti-fraud team. One day I asked them—how do people learn and understand this stuff about cyber security? I realised that if I didn’t know it, surely others didn’t either. From there, my passion for educating people and encouraging organisations to change their behaviour, to consider cyber security and to cultivate a cyber culture was born. What’s involved in your day-to-day role at Principal Advisor—Cyber Strategy & Awareness for the Department of Premier and Cabinet? I see myself kind of like a conductor of an orchestra. When we think of cyber security and government, we, as government have a role in creating a Cyber Safe Victoria and that means… there are lots of moving parts – lots of activity that needs to take place and lots of different teams to secure all our kit. There is still some heavy lifting to do to connect the dots between academia, industry and government to form a vibrant cyber ecosystem. That’s my role – to bring all this together, usually through engaging and with meeting the right people, identifying synergies and opportunities for connecting them together.  Congratulations on winning Member Individual Of The Year. What does winning this award mean to you? I’m so honoured to get this award. To me, this validates the importance of collaboration. At the end of the day, cyber is hard. If we want to get ahead of the bad guys, we need to be sharing info, reporting incidents, and establishing a trusted and healthy feedback loop. This can be difficult to achieve when the traditional mindset of cyber security professionals is to protect what’s valuable. Yet it’s more beneficial for us all to break down the walls and build trust across the cyber community.    Trust was immediate for me when working with AUSCERT. The team will do anything they can to help Vic Gov uplift cyber posture. So thanks AUSCERT, I really appreciate this award. To be recognised for the willingness, and the crazy, that is cyber education and engagement is beautiful. If you could give one piece of advice for organisations and IT / cyber security professionals, what would that be? Reach out—don’t go it alone. Don’t try to be a lone hero—we are stronger together. We are a cyber family. Just like the baddies work together and collaborate, if we want to succeed against them, then we too need to work together.            

AUSCERT2021 Member Individual of the Year Winner After the recent AUSCERT2021 conference, we caught up with Simon Coggins (Principal Systems Engineer at CQUniversity) to discuss his role in the cyber security sector, and how he felt about being awarded AUSCERT2021’s ‘Member Individual of The Year’. Tell us a little about your professional career? I’ve always been interested in system administration and networking. When I was in high school I started my own Bulletin Board System with a large user base and had a FidoNet address so that we could transfer email and forum posts around the world. While studying at university I started working at the local Internet Service Provider. We were small enough to only have a few staff so everyone had multiple jobs. I was a Sysadmin, Network Engineer, Developer and Tech Support. This led me to work at a University in NSW where I was the Network and Systems Management Officer. My role there involved  both networking and system administration duties as well as acting as a translation bridge between the network team and the sysadmin team. After working for 6 years at this university, friends I knew through the System Administrators Guild of Australia suggested I apply for a job at Central Queensland University, so I did.. That brings me to my current job that I’ve been in for over 15 years now. I started out as a Senior Systems Administrator and a few job title changes and roles later I’m now a Principal Systems Engineer. Because of my System Administration and Networking background and an understanding of how everything fitted together, this acted as a catalyst for security to start being included in things I was looking at. What’s involved in your day-to-day role as Principal Systems Engineer at CQUniversity ? I’m always busy doing something and every day is different. I’m the primary lead on our Linux Fleet, Firewalls, Load Balancers, SIEM platform, SAN Storage, Email Security, and the list goes on. So on any given day I will be doing operational work to keep the fleet of services running, level 3 work tickets that come in about weird issues that need problem solving, or project work for evaluating new products and testing them. Given I have a better than average understanding of how our network and systems fit together, and I have good problem solving skills, that allows me to help identify the cause of complex issues quicker. I like to think that my primary role is to automate my boring jobs where possible so I can focus on the fun ones but at the end of the day, I’m just someone that likes to solve problems, and in the process help people. Congratulations on winning the Member Individual of the Year! What does winning this award mean to you? What course will you use your SANS-sponsored prize for? It’s a great honour. AUSCERT is very trusted in the security community so getting this award is a huge deal. For me it means that what I’m doing is definitely helping other people. When I do things for CQUniversity I think to myself “Would this help me if someone else shared it?” If so, then I go and share that with the wider community via AUSCERT. This award reaffirms I’m doing good in the community. As for SANS courses, have you seen the list? It’s huge! I’m still trying to decide what I want to do, I’m thinking maybe Continuous Monitoring and Security Operations or something else on the Blue Team track. What do you see as some of the main cyber threats in today’s society? Are you seeing any trends of particular threats becoming more common? Ransomware and Phishing is the obvious choice, but for us we are seeing more and more supply chain attacks. The SolarWinds and PasswordState attacks drive home that you can do everything you possibly can to protect your systems, but you are only as good as the security of the companies that provide your tools. We need to update to fix security vulnerabilities but we can’t update until we’re sure the update hasn’t been compromised. Delay updating and you could end up with ransomware, be proactive and end up with a state based actor in your systems … It’s getting very hard! If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be? In most cases you aren’t the only one defending against that cyber incident. At the end of the day we’re all Cyber Security Professionals and we’re probably defending against the same thing, at least across the same industry. You might be surprised to find out that your industry, even though it is competitive at front of house, already has an information sharing mechanism in place to assist and share common threats across the industry and there is a good chance that AUSCERT knows where to point you. They are also happy to accept any security reports, malware samples, and indicators of compromise that you might have, anonymise them and share them with the wider community of AUSCERT members if you wish to remain anonymous.    

AUSCERT Week in Review for 28th May 2021 Greetings, To kick things off, in conjunction with National Reconciliation week 2021, AUSCERT would like to take this opportunity to acknowledge the First Nations people as the Traditional Owners of the land on which we are on today. We acknowledge all Elders past, present and emerging. The theme this year is “More than a word. Reconciliation takes action.” To find out more about the week and what it means to our First Nations people, please visit the NRW website here. Our team issued an alert re: VMWare earlier this week, be sure to catch up on it below. For those of you keen to check out photos from the recent AUSCERT2021 conference, we’ve uploaded several albums to the AUSCERT Facebook page. We’re also pleased to announce that our podcast series “Share today, save tomorrow” is now listed on Spotify. Episode 2 will be released in mid-June. Last but not least, sharing a special request from our colleagues at UQ Cyber one final time. See below: Keen on helping the future generation of cyber and information security professionals? Here’s your chance! “Vignette Survey on Effectiveness of Place Managers in Preventing Ransomware” Folks from UQ Cyber are seeking assistance from the AUSCERT membership audience to participate in a cyber security survey that is investigating factors which can influence the effectiveness of cyber security professionals in preventing cyber security incidents such as ransomware within their respective organisations. The survey results will shed valuable insights and influence how organisations should channel their limited resources in preventing cyber security incidents more effectively. The survey will take approximately 20 minutes to complete. To participate, please click here. Surveys close on Monday 31 May. For further information, please feel free to get in touch with Heemeng Ho, the lead researcher of this project. Until next week everyone, have a great weekend. This massive phishing campaign delivers password-stealing malware disguised as ransomware Date: 2021-05-24 Author: ZDNet A massive phishing campaign is distributing what looks like ransomware but is in fact trojan malware that creates a backdoor into Windows systems to steal usernames, passwords and other information from victims. Detailed by cybersecurity researchers at Microsoft, the latest version of the Java-based STRRAT malware is being sent out via a large email campaign, which uses compromised email accounts to distribute messages claiming to be related to payments, alongside an image posing as a PDF attachment that looks like it has information about the supposed transfer. Apple fixes macOS zero-day abused by XCSSET malware Date: 2021-05-24 Author: The Record Apple has released today security updates for several of its products, including a patch for its macOS desktop operating system that includes a fix for a zero-day vulnerability that has been abused in the wild for almost a year by the XCSSET malware gang. Tracked as CVE-2021-30713, the zero-day was discovered by researchers at security firm Jamf during an analysis of XCSSET, a malware strain that was spotted in the wild in August 2020, hidden inside malicious Xcode projects hosted on GitHub. VMware says critical vCenter Server bug needs ‘immediate attention’ Date: 2021-05-26 Author: iTnews [See related bulletin ESB-2021.1805] VMware said three versions of its vCenter Server management software for controlling vSphere environments are susceptible to a critical security flaw that should be immediately patched. The vendor said in a blog post that the issue needs the “immediate attention” of administrators. “Given the severity, we strongly recommend that you act,” VMware said. Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises Date: 2021-05-25 Author: FireEye Mandiant has observed an increase in compromises of internet-accessible OT assets over the past several years. In this blog post we discuss previously undisclosed compromises and place them in context alongside publicly known incidents. Although none of these incidents have appeared to significantly impact the physical world, their increasing frequency and relative severity calls for analysis on their possible risks and implications.ols and techniques. Oracle Peddled Software Used for Spying on U.S. Protesters to China Date: 2021-05-26 Author: The Intercept [Context: In early May 2021, Twitter temporarily suspended an Oracle executive from posting after he used the social network to publicise the e-mail address and Signal phone number of the journalist who wrote this article – whose reporting he had personally found to be biased and inaccurate. This research-based article has been produced to counter this claim by Oracle.] Chicago police used CIA-backed Oracle software to surveil protesters and mine their Twitter feeds. Oracle then peddled that same software for police work in China. This is an article on global surveillance. ESB-2021.1794 – Big Sur, Catalina and Mojave: Multiple vulnerabilities Apple’s latest security updates include a patch for its macOS desktop operating system that fixes a zero-day vulnerability by the XCSSET malware gang. ESB-2021.1805 – ALERT VMWare Products: Multiple vulnerabilities VMware vCenter Server updates address remote code execution and authentication vulnerabilities. ASB-2021.0112 – Microsoft Edge (Chromium-based): Multiple vulnerabilities Microsoft’s Security Update released on 27 May 2021 fixes multiple vulnerabilities in Microsoft Edge (Chromium-based). ESB-2021.1819 – linux kernel: Multiple vulnerabilities An update for the Linux Kernel 4.12.14-150_66 fixes three vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team