Week in review

AUSCERT Week in Review for 18th February 2022

Greetings,

February 13 – 19 is “Random Acts of Kindness Week”, an opportunity for everyone to do one small act of kindness each day! You can help make kindness the norm! The foundation behind the initiative encourages and challenges everyone to try different activities, from giving a gift card to being a kid again and letting someone know that they bring joy! Although celebrations end this weekend, every day of the year is an opportunity to be kind. To help you, the Random Acts of Kindness Foundation has some great ideas to inspire you to make kindness the norm.

Someone who has made kindness part of their every day is Kath Koschel, our keynote speaker for AUSCERT2022. Kath’s amazing and inspiring story saw her choose to make kindness part of every day. The flow-on effects resulted in The Kindness Factory, whose mission is to make the world a kinder place. The journey to where Kath is today was possible in large part thanks to her resilience. This aspect of who we are is discussed in our latest episode of “Share Today, Save Tomorrow”, AUSCERT’s podcast series. You will also hear from Kylie Watson, a Technology Executive and Sociologist, who talks about her experience and perspective of working in the cyber industry while incorporating psychology, providing a unique perspective.

Lastly, AUSCERT recently finalised a range of training sessions that we will deliver in 2022, designed for anyone who looks after their organisation’s cyber security. You can view training dates and book directly online. This training is exclusive to AUSCERT Members.

‘You can’t stop it’: in rural Australia, digital coercive control can be inescapable
Date: 2022-02-17 Author: The Conversation
[This article contains information about domestic and family violence that may be triggering.]
Domestic and family violence perpetrators commonly use technology such as phones and other devices as a weapon to control and entrap victims and survivors, alongside other forms of abuse. This “digital coercive control” is not bound to a particular location and can follow targets anywhere, any time they access devices or digital media. For women outside urban Australia, technology-enabled abuse can pose more risk than for those in cities. In research funded by the Australian Institute of Criminology, we spoke to 13 such women who have been subjected to digital coercive control to understand what it is like.

Massive QR breach from NSW Government exposes 500,000 people
Date: 2022-02-15 Author: news.com.au
More than 500,000 addresses – including those of defence sites, domestic violence shelters and a missile maintenance unit – were exposed in a massive NSW Government QR code bungle. The hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system, having registered as wanting to comply with Covid-Safe directions.

Joint Aust-UK-US intelligence paper highlights ransomware threat
Date: 2022-02-14 Author: InnovationAus
A joint report coordinated by the cybersecurity authorities of the US, the UK, and Australia has warned of the increased global threat of ransomware attack and has advised organisations to take immediate precautions. In the financial year 2020-21 the Australian Cyber Security Centre (ACSC) received more than 67,500 reports of cybercrime, an increase of 13 per cent on the preceding year. Released on February 9, the ACSC co-authored paper found that ransomware attackers increased their impact by targeting the cloud, managed service providers, industrial processes, the software supply chain, and by timing them on holidays and weekends.

Emotet Now Spreading Through Malicious Excel Files
Date: 2022-02-16 Author: Threatpost
An ongoing malicious email campaign that includes macro-laden files and multiple layers of obfuscation has been active since late December. The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found. Researchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they wrote in a report published online Tuesday.

TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
Date: 2022-02-16 Author: Threatpost
The resurgent trojan has targeted 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks. Cyberattackers are targeting 60 different high-profile companies with the TrickBot malware, researchers have warned, with many of those in the U.S. The goal is to attack those companies’ customers, according to Check Point Research (CPR), which are being cherry-picked for victimization. According to a Wednesday CPR writeup, TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.

ESB-2022.0621 – Adobe Commerce: CVSS (Max): 9.8
Adobe has released security updates for Adobe Commerce and Magento Open Source. This vulnerability is being exploited in the wild.

ESB-2022.0642 – macOS Monterey 12.2.1: CVSS (Max): None
Apple has released updates to its WebKit engine used by Safari to address a remote code execution vulnerability.

ESB-2022.0653 – Google Chrome: CVSS (Max): None
Google has released a stable update for Chrome to address multiple vulnerabilities. Google is also aware that an exploit for CVE-2022-0609 exists in the wild.

ESB-2022.0693 – Drupal core: CVSS (Max): None
Drupal has fixed an improper input validation vulnerability affecting Drupal Core.

ESB-2022.0695 – Jenkins Plugins: CVSS (Max): 8.8
Multiple command execution vulnerabilities in pipeline-related plugins have been addressed by Jenkins.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 11th February 2022

Greetings,

International Safer Internet Day took place on February 8, which was an opportunity for everyone to ensure they play it safe and fair online. There is no place for online abuse. We can all help to make life online enjoyable by being kind and respectful to each other. Research shows that Australians are learning and caring more about online safety than ever before and, if you wish to learn more, visit the eSafety Commissioner website to help you to Play it Fair!

The beginning of this week also saw Meta (formerly Facebook) lose a bid to dismiss legal action against them that related to the misuse of information of some of its Australian users. The social media giant was also flagged for not taking “responsible steps” to keep that information safe. This was the second time Meta’s request was denied, following a ruling in late 2020 with authorities ruling that the company operated within Australia and collected data therein. Business Insider details the journey to the decision, made by the full bench of the Federal Court, which could have long-lasting and broad ramifications.

Elsewhere, Telstra revealed plans to improve and increase its cyber security offerings to the Australian government. The pandemic has been identified as the catalyst for the increase in digital adoption, which has also seen cyber attacks adapt and increase. itnews highlights how that, along with the government’s plans to centralise networks, is part of the reason for Telstra to create a specialised team to provide cyber security services at all levels of government.

Have a great weekend!

Microsoft February 2022 Patch Tuesday: 48 bugs squashed, one zero-day resolved
Date: 2022-02-09 Author: ZDNet
Microsoft has released 48 security fixes for software, including a patch for a zero-day bug, but there are no critical-severity flaws on the list this month. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, privilege escalation bugs, spoofing issues, information leaks, and policy bypass exploits. Products impacted by February’s security update include the Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer, and Microsoft SharePoint.

ASIO tracking foreign spies on dating apps Tinder and Bumble
Date: 2022-02-09 Author: The Sydney Morning Herald
The boss of Australia’s counter-espionage agency ASIO has warned foreign spies appear to be using dating apps such as Tinder, Bumble and Hinge to get sensitive information from Australians. In his latest annual threat assessment delivered on Wednesday night, Mr Burgess for the first time confirmed that espionage and foreign interference has supplanted terrorism as ASIO’s principal security concern. [Mr Burgess] also revealed his agency recently foiled a foreign interference plot in the lead-up to an election in Australia, which involved an attempt to install political candidates at the behest of a foreign government.

Microsoft will block downloaded macros in Office versions going back to 2013
Date: 2022-02-08 Author: Ars Technica
In the interest of combating ransomware and other malware, Microsoft is planning a major change in how its Office software handles macros: when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros. The change will be previewed starting in April in Office version 2203, before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013. The Mac, iOS, Android, and web versions of Office won’t be affected.

China suspected of cyber attack on News Corp
Date: 2022-02-07 Author: Cyber Security Connect
According to Reuters, hackers broke into News Corp email accounts and compromised the data of an unspecified number of journalists, the media firm disclosed last week. The hack was likely aimed at gathering intelligence for Beijing’s benefit, according to News Corp’s internet security adviser. The breach was discovered in late January and affected emails and documents of what it described as a limited number of employees, including journalists. News Corp, which publishes The Wall Street Journal, confirmed that cyber security firm Mandiant had contained the breach.

Australia’s anti-trolling Bill enters Parliament retaining defamation focus
Date: 2022-02-10 Author: ZDNet
The federal government has officially introduced the highly-publicised anti-trolling Bill into Parliament. The Bill, Social Media (Anti-Trolling) Bill 2022, was first announced by Australian Prime Minister Scott Morrison in November as a mechanism that would “unmask anonymous online trolls” and address toxic content existing on social media platforms. The anti-trolling Bill has since been touted by the Liberal Senator and Attorney-General Michaelia Cash as one of her party’s primary items that it wants to push out before the federal election.

UK.gov threatens to make adults give credit card details for access to Facebook or TikTok
Date: 2022-02-08 Author: The Register
Adults will have to hand over credit card or passport details before they can access social media sites, the British government threatened this morning. Internet use age verification – first floated and then abandoned via the country’s 2017 Digital Economy Act – will return in the UK’s Online Safety Bill, digital minister Chris Philp MP has vowed, linking the technology, widely criticised by privacy activists, to protecting children from pornography websites.

No early data on use of Australia’s cyber-abuse takedown laws
Date: 2022-02-08 Author: iTnews
Immediate applications of Australia’s new cyber-abuse takedown laws that came into force on January 23 remain unclear, with parties on all sides saying it is too early to have access to meaningful data. The “world-first scheme” gives Australia’s eSafety commissioner Julie Inman Grant authority to have the ‘worst of the worst’ content removed from the internet, “no matter where it is hosted”.

Vodafone Portugal struggles to restore service following cyberattack
Date: 2022-02-09 Author: ViralAmo
Vodafone Portugal is slowly working to recover following a “deliberate and malicious cyberattack” that brought down services used by millions of people and businesses in that country, including those for ambulances and other emergency services. Vodafone Portugal—a subsidiary of UK-based Vodafone Group with 4.3 million cell phone subscribers and 3.4 million fibre subscribers—said in a statement that the attack began on Monday evening. The attack quickly took down the subsidiary’s 4G and 5G networks and halted fixed voice, television, SMS, and voice and digital answering services.

Google fixes remote escalation of privileges bug on Android
Date: 2022-02-08 Author: Bleeping Computer
Google has released the February 2022 Android security updates, addressing two critical vulnerabilities, one being a remote escalation of privilege that requires no user interaction. The vulnerability is tracked as CVE-2021-39675, carrying a “critical” severity rating, and affects only Android 12, the latest version of the popular OS. These flaws are typically leveraged by sophisticated spyware vendors that independently discover and privately use zero-days in mobile operating systems. However, in this case, Google hasn’t seen any signs of active exploitation.

ASB-2022.0050 – Microsoft 365 Apps for Enterprise: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for the month of February 2022.

ESB-2022.0532 – Adobe Creative Cloud Desktop Application: CVSS (Max): 7.0
Adobe has released an update for the Creative Cloud Installer for Windows. This update includes a fix for a critical vulnerability that could lead to arbitrary code execution in the context of the current user.

ESB-2022.0554 – Python: CVSS (Max): 9.8
Python could be made to execute arbitrary code or cause a denial of service if it received specially crafted input.

ESB-2022.0524 – Android: CVSS (Max): 9.1*
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 4th February 2022

Greetings,

The beginning of February signified the Lunar New Year, which in 2022 is the Year of the Tiger. Many Asian cultures historically follow a lunar calendar, which sees the Lunar New Year fall on a different day than the (solar) Gregorian calendar. People born during a Tiger Year are thought to be natural leaders who are both brave and thrill-seeking, often craving attention. Some might say these attributes are embodied by a lot of the competitors at this year’s Winter Olympic Games, which officially get underway tonight in Beijing, China. Though an exciting time for all taking part, the FBI has issued a warning to athletes to take a temporary, or burner, phone with them to mitigate the risk of cyberattacks. NPR details the reason for this, with all participants and officials required to download and use an app as part of the COVID-19 safety protocols. With over 450 million cyberattacks connected to the 2020 Tokyo Olympic and Paralympic Games, the FBI is concerned the app would be a potential target for ransomware and malware, data theft, and distributed denial of service attacks.

Elsewhere, a recent situation at Spotify has seen an exodus from the music streaming service. Subsequently, people across the globe have been looking at alternative platforms for their audio fixations, with ZDNet providing a range of services to compare and evaluate to help in the decision-making process to get back to enjoying your favourite artists, songs and podcasts (including our very own ‘Share today, Save tomorrow’).

600K WordPress sites impacted by critical plugin RCE vulnerability
Date: 2022-01-31 Author: Bleeping Computer
Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution (RCE) vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site. "The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax_load_more and ajax_eael_product_gallery functions," explain the PatchStack researchers who discovered the vulnerability.

Malicious hybrid cloud campaign uses OAuth apps to target C-level executives
Date: 2022-01-28 Author: SC Media
Researchers reported a new hybrid cloud campaign — dubbed OiVaVoii — that uses hijacked Office 365 users and a sophisticated combination of malicious OAuth apps and targeted phishing threats to attack many C-level executives, including CEOs, general managers, former board members and the presidents of companies. In a Jan. 28 blog post, Proofpoint researchers said starting on Jan. 18, they observed account takeovers by malicious OAuth apps stealing OAuth tokens and via credential theft. The researchers said there are other risks after the account takeovers, mainly data leakage, continued phishing, lateral movement, brand abuse and malware distribution.

NSW Police warns of new FluBot malware scam phishing texts
Date: 2022-02-01 Author: Cyber Security Connect
NSW Police posted a warning on their official Facebook page about the new FluBot phishing texts that have been making the rounds, sending malware links that enable download and installation of malicious software on to devices. According to Scamwatch, many Australians have been receiving scam text messages about missed calls, voicemails, deliveries and photo uploads since August 2021. The text messages ask recipients to tap on a link to download or access something. Doing so will download a specific type of malware to your device. These are “FluBot” text messages.

Australian Red Cross clients potentially caught up in international cyber attack
Date: 2022-01-31 Author: iTnews
Australian Red Cross is contacting clients and reviewing its local systems and services in the wake of a “major” cyber attack on a large database hosted by the International Committee of the Red Cross (ICRC). The database held case file details on more than 500,000 people worldwide who had sought services for loved ones missing or uncontactable overseas due to disaster or conflict, or that were being held in immigration detention.

Scammers continue to spoof job listings to steal money and data, FBI warns
Date: 2022-02-02 Author: The Record
Since at least early 2020, video game giant Riot Games has been dealing with a scam that is increasingly ensnaring companies and job seekers alike. According to a lawsuit filed by the company in November, a team of scammers “undertook an extensive, coordinated, and highly sophisticated fraud scheme” that lured eager professionals into handing over banking information and other sensitive data by dangling fraudulent job postings and interviews with fake human resources representatives. Similar scams have been reported by Biogen, Vox Media, Harvard University and many others. On Tuesday, the US Federal Bureau of Investigation warned that these scams have cost victims an average of [US]$3,000 since 2019, and often negatively impact their credit scores. The FBI’s Internet Crime Complaint Center (IC3) specifically alerted companies to a lack of strong security verification standards on recruitment websites, which allows criminals to post fake job ads.

ESB-2022.0429 – Samba: CVSS (Max): 9.9
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability leading to root compromise.

ESB-2022.0462 – Google Chrome: CVSS (Max): None
Google has released updates to Chrome to address 19 security vulnerabilities.

ASB-2022.0049 – Microsoft Edge (Chromium-based): CVSS (Max): 7.7*
Following the Google Chrome advisory, Microsoft has also released updates for Edge (Chromium-based) with the addition of 3 unique CVEs.

ESB-2022.0454 – ALERT Cisco RV Series Routers: CVSS (Max): 10.0
Multiple vulnerabilities in RV series routers have been identified with a CVSS score of 10.0.

ESB-2022.0501 – GitLab Community Edition and GitLab Enterprise Edition: CVSS (Max): 7.7
GitLab has released security updates to address multiple vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 28 January 2022

Greetings,

This coming Monday, 31 January 2022, AUSCERT’s own Impact and Access Assessment is being replaced by the industry standard CVSS score in our Security Bulletins Service. You can filter (or use scripts) for “CVSS (Max)” and “ALERT” to prioritise vulnerability management. For more info see:
https://portal.auscert.org.au/bulletins/ASB-2022.0048
https://wordpress-admin.auscert.org.au/blogs/bulletin-impact-access-to-cvss-migration/

Earlier this week, AUSCERT released the latest podcast episode, the first for 2022! We were delighted to have Amy Holden and Garrett O’Hara from Mimecast as our special guests. Amy and Garrett talk about podcasts and communication in cyber, including lessons learnt from their podcast “The Get Cyber Resilient Show”, as well as cyber resilience. In follow-up, Mike talks about how AUSCERT is focused on collaboration and layered security, as well as the excitement building for AUSCERT2022.

Speaking of which, it’s the final call for submissions to this year’s conference. The call for presentations and tutorials closes this Sunday, January 30, and we’re on the lookout for unique topics, extraordinary projects or perhaps a clever way of optimising processes. So if you, or someone you know, has something to say and would like to share it, complete your submission online. AUSCERT is also able to assist in covering the travel and accommodation costs for one speaker per successful submission (conditions apply).

Apple fixes new zero-day exploited to hack macOS, iOS devices
Date: 2022-01-26 Author: Bleeping Computer
Apple has released security updates to fix two zero-day vulnerabilities, with one publicly disclosed and the other exploited in the wild by attackers to hack into iPhones and Macs. The first zero-day patched today (tracked as CVE-2022-22587) [1, 2] is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey. Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.

Over 90 WordPress themes, plugins backdoored in supply chain attack
Date: 2022-01-21 Author: Bleeping Computer
[Described in AUSCERT bulletin ESB-2022.0325, released Jan 24]
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat actors full access to websites. In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites. The attack was discovered by researchers at Jetpack, the creators of a security and optimization tool for WordPress sites, who discovered that a PHP backdoor had been added to the themes and plugins. Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.

Google warns Aussie libel ruling could force it to censor search results
Date: 2022-01-24 Author: iTnews
Google has warned that it could be forced to “censor” search results if an Australian court ruling, which found it liable for defamatory material contained in hyperlinks, is not overturned. The web giant made the comments in submissions to the High Court, where it is appealing a defamation ruling that saw $40,000 in damages awarded to prominent Victorian criminal lawyer George Defteros.

Staying insurable for your cyber security insurance policy
Date: 2022-01-25 Author: Consultancy
As the risk of cyber threats and its impact continues to rise, insurance companies are tightening their policy conditions. Murray Mills, a Manager at Tecala, outlines what Australian organisations can do to stay insurable against the threat of ransomware and other attacks. Growing increasingly tired of the operating environment, and in particular the never-ending flood of ransomware infections, are the insurers whose role it often is to help victim organisations pick up the pieces and pay for much of the damage done. In 2022, changes to how insurers assess risk and determine premiums and coverage could become a problem for some organisations.

Prime Minister Scott Morrison’s WeChat account is hijacked and renamed
Date: 2022-01-24 Author: ABC News
Senior Coalition MPs have accused China’s government of foreign interference after the Prime Minister’s account on the ubiquitous Chinese language messaging app WeChat was hijacked. As first reported by NewsCorp Australia, Scott Morrison’s account on the massive Chinese social media platform WeChat has been renamed and the account description changed.

Singapore gives banks two-week deadline to fix SMS security
Date: 2022-01-20 Author: The Register
A widespread phishing operation targeting Southeast Asia’s second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry. Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling off period, customers must be notified of any request to change their contact details, and the fund transfer threshold will by default be set to SG$100 ($74) or lower.

How I Got Pwned by My Cloud Costs
Date: 2022-01-24 Author: Troy Hunt
I have been, and still remain, a massive proponent of “the cloud”. I built Have I Been Pwned (HIBP) as a cloud-first service that took advantage of modern cloud paradigms such as Azure Table Storage to massively drive down costs at crazy levels of performance I never could have achieved before. I wrote many blog posts about doing big things for small dollars and did talks all over the world about the great success I’d had with these approaches. One such talk was How I Pwned My Cloud Costs, so it seems apt that today I write about the exact opposite: how my cloud costs pwned me. It all started with my monthly Azure bill for December, which was way over what it would normally be. It only took a moment to find the problem.

Linux version of LockBit ransomware targets VMware ESXi servers
Date: 2022-01-26 Author: Bleeping Computer
LockBit is the latest ransomware gang whose Linux encryptor has been discovered to be focusing on the encryption of VMware ESXi virtual machines. The enterprise is increasingly moving to virtual machines to save computer resources, consolidate servers, and for easier backups. Due to this, ransomware gangs have evolved their tactics to create Linux encryptors that specifically target the popular VMware vSphere and ESXi virtualization platforms over the past year.

ESB-2022.0329 – chromium: Multiple vulnerabilities
Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

ESB-2022.0346 – ipython: Execute arbitrary code/commands – Existing account
A potential arbitrary code execution vulnerability discovered in IPython (the interactive Python shell).

ESB-2022.0352 – polkit: Increased privileges – Existing account
Polkit vulnerability provides increased privileges on Linux systems.

ESB-2022.0399 – ALERT macOS Monterey 12.2: Multiple vulnerabilities
Apple releases multiple updates, including for macOS Monterey 12.2.

ASB-2022.0048 – AUSCERT Bulletin Impact/Access Assessment to CVSS Migration
AUSCERT’s own Impact and Access Assessment is being replaced by the industry standard CVSS score in our Security Bulletins Service. You can filter (or use scripts) for “CVSS (Max)” and “ALERT” to prioritise vulnerability management.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
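The bulletin subject lines in the new format lend themselves to exactly the kind of scripted filtering mentioned above. As an added example (not AUSCERT's own tooling), the Python below parses lines such as "ESB-2022.0454 – ALERT Cisco RV Series Routers: CVSS (Max): 10.0", ranks ALERT bulletins first and the rest by CVSS descending, and sends "CVSS (Max): None" or unparseable (pre-migration format) lines to manual review. The sample lines are copied from bulletins on this page; the 7.0 action threshold and the treatment of a trailing "*" as a plain flag are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subject-line format AUSCERT bulletins use after the CVSS migration, e.g.
#   ESB-2022.0454 – ALERT Cisco RV Series Routers: CVSS (Max): 10.0
#   ASB-2022.0049 – Microsoft Edge (Chromium-based): CVSS (Max): 7.7*
# The id/dash/product/score layout is taken from this page; the separator is
# accepted as either an en dash or a plain hyphen.
BULLETIN_RE = re.compile(
    r"^(?P<ref>[AE]SB-\d{4}\.\d{4})\s+[–-]\s+"       # bulletin reference
    r"(?P<alert>ALERT\s+)?"                          # optional ALERT tag
    r"(?P<product>.+?):\s+CVSS \(Max\):\s+"          # product, up to the CVSS label
    r"(?P<score>None|\d{1,2}(?:\.\d)?)(?P<star>\*)?\s*$"
)


@dataclass
class Bulletin:
    ref: str
    product: str
    alert: bool
    score: Optional[float]  # None when the line says "CVSS (Max): None"
    starred: bool           # a trailing "*" was present (assumption: just a flag)


def parse_bulletin(line: str) -> Optional[Bulletin]:
    """Parse one subject line; return None for lines in any other format."""
    m = BULLETIN_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("score")
    return Bulletin(
        ref=m.group("ref"),
        product=m.group("product").strip(),
        alert=m.group("alert") is not None,
        score=None if raw == "None" else float(raw),
        starred=m.group("star") is not None,
    )


def _priority_key(b: Bulletin):
    # ALERT first, then higher CVSS first; "None" sorts after every real score.
    numeric = b.score if b.score is not None else -1.0
    return (not b.alert, -numeric)


def triage(lines: List[str], threshold: float = 7.0) -> Dict[str, list]:
    """Split subject lines into act_now / review / unparsed.

    act_now: tagged ALERT or CVSS (Max) >= threshold, sorted by priority.
    review : parseable but below threshold or with no CVSS score (human decision).
    unparsed: lines not in the CVSS (Max) format, e.g. older Impact/Access style.
    """
    act_now: List[Bulletin] = []
    review: List[Bulletin] = []
    unparsed: List[str] = []
    for line in lines:
        b = parse_bulletin(line)
        if b is None:
            unparsed.append(line.strip())
        elif b.alert or (b.score is not None and b.score >= threshold):
            act_now.append(b)
        else:
            review.append(b)
    return {
        "act_now": sorted(act_now, key=_priority_key),
        "review": sorted(review, key=_priority_key),
        "unparsed": unparsed,
    }


# Sample input constructed from bulletin lines quoted on this page.
SAMPLE_BULLETINS = [
    "ESB-2022.0429 – Samba: CVSS (Max): 9.9",
    "ESB-2022.0462 – Google Chrome: CVSS (Max): None",
    "ASB-2022.0049 – Microsoft Edge (Chromium-based): CVSS (Max): 7.7*",
    "ESB-2022.0454 – ALERT Cisco RV Series Routers: CVSS (Max): 10.0",
    "ESB-2022.0501 – GitLab Community Edition and GitLab Enterprise Edition: CVSS (Max): 7.7",
    "ESB-2022.0532 – Adobe Creative Cloud Desktop Application: CVSS (Max): 7.0",
    "ESB-2022.0329 – chromium: Multiple vulnerabilities",  # pre-migration format
]

if __name__ == "__main__":
    result = triage(SAMPLE_BULLETINS)
    for bucket in ("act_now", "review"):
        print(bucket.upper())
        for b in result[bucket]:
            tag = "ALERT " if b.alert else ""
            print(f"  {b.ref}  {tag}{b.product}  CVSS={b.score}{'*' if b.starred else ''}")
    print("UNPARSED (check manually)")
    for line in result["unparsed"]:
        print("  " + line)
```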


AUSCERT Week in Review for 21st January 2022

Greetings,

Last week’s undersea volcanic eruption near Tonga has impacted the island nation in several ways, including the submarine cables on which Tonga relied to connect to the world, which are expected to take at least four weeks to repair. The eruption ruptured the single fibre cable, one of 280 across the globe responsible for more than 95% of global data transfer. The Conversation highlights the vulnerable state of the network and suggests how to potentially mitigate risk moving forward, in order to protect the 1.3 million kilometres (approx.) of cables.

Time is running out to get your submission in for the AUSCERT2022 conference. The call for presentations and tutorials closes on January 30 and we’re on the lookout for unique topics, extraordinary projects or perhaps a clever way of optimising processes. So if you, or someone you know, has something to say and would like to share it, complete your submission online. AUSCERT is also able to assist in covering the travel and accommodation costs for one speaker per successful submission (conditions apply).

Red Cross begs hackers not to leak data of “highly vulnerable people”
Date: 2022-01-19 Author: The Record
The Red Cross has disclosed that it was the victim of a cyber attack and has asked the hackers who broke into the IT network of one of its contractors not to leak the personal information of more than 515,000 “highly vulnerable people.” The data was stolen from a Red Cross program called Restoring Family Links, which aims to reunite family members separated by conflict, disaster, or migration. “While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” said Robert Mardini, director-general for the International Committee of the Red Cross.

Singapore monetary authority threatens action on bank over widespread phishing scam
Date: 2022-01-18 Author: The Register
The Monetary Authority of Singapore says it is considering supervisory action against Southeast Asia's second largest bank, Oversea-Chinese Banking Corporation, which was criticised for its incident response to a widespread phishing scheme across the island nation. "Monetary Authority Singapore takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers. OCBC has acknowledged that its incident response and customer service should have been better. MAS has been following up with the bank on these and broader issues relating to the incident," said MAS deputy managing director Ms Ho Hern Shin in a statement to The Register.

Bunnings customers’ personal data compromised following cyber attack
Date: 2022-01-17 Author: Cyber Security Connect
Bunnings Warehouse customers who shopped using the contactless pick-up service may have had some of their personal information stolen. The company has emailed customers to say they have recently been made aware of a data security breach experienced by its third-party booking provider FlexBooker. In December of 2021, the third-party software firm suffered a cyber security breach that led to the information of 3.7 million customers being exposed, and last week Bunnings was forced to warn its customers of the incident. The compromised information may have included customers' names and email addresses, which were provided when they selected a timeslot for a drive and collect order.

ASB-2022.0046 – Oracle Java SE: Multiple vulnerabilities
Oracle released their 3-monthly critical patches this week. Many products were patched. These Java fixes are likely to flow on to many other products over the next few weeks.

ESB-2022.0223 – telnet: Execute arbitrary code/commands – Remote/unauthenticated
Hopefully not too many people are still using telnet, but if so, consider patching.

ESB-2022.0256 – AIDE: Multiple vulnerabilities
A possible root compromise in this useful security tool.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 14th January 2022

Greetings,

Events this week are giving many of us a sense of déjà vu, or the feeling that a prolonged situation has no end. One such challenge is the constant presence and threat of Log4j. Labelled a ‘severe risk’ to the internet by some outlets, it continues to be exploited by parties seeking to use the vulnerabilities for their own gain. ZDNet recently reported on one case in which a cybercrime group attempted to deploy NightSky ransomware, highlighting the need to remain vigilant while these particularly problematic vulnerabilities remain in the wild. Log4j was also a significant contributor to the increase in cyber attacks in 2021. TechRepublic provides an insight into the industries and locations that were most affected last year, with some sectors and countries seeing an increase of more than 50% on 2020.

While it may seem that we’re living Groundhog Day, or that some aspects of our lives are moving at a glacial pace, individuals and organisations shouldn’t overlook the importance of taking stock of current processes and requirements and asking, “Can this be done better?”. Business Reporter published an article earlier this week on the significance of seeking out and embracing change, when and where appropriate. This is especially relevant in our modern world and in an industry with one significant constant: change.

Microsoft: powerdir bug gives access to protected macOS user data
Date: 2022-01-10 Author: Bleeping Computer
Microsoft says threat actors could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology to access users’ protected data. TCC is security technology designed to block apps from accessing sensitive user data; it allows macOS users to configure privacy settings for the apps installed on their systems and for devices connected to their Macs, including cameras and microphones. Apple fixed the vulnerability in security updates released last month, on December 13, 2021.

Microsoft: New critical Windows HTTP vulnerability is wormable
Date: 2022-01-11 Author: Bleeping Computer
Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022. The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys), used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Report: Increased Log4j exploit attempts lead to all-time peak in weekly cyberattacks per org
Date: 2022-01-11 Author: ZDNet
Cybersecurity firm Check Point Research has released new data from 2021 showing that, among its customers, there was a significant increase in overall cyberattacks per week on corporate networks compared to 2020. Researchers attributed some of the increase, which was concentrated toward the end of the year, to the Log4j vulnerability discovered in December. Check Point said in a report that 2021 was a record-breaking year for cyberattacks and the Log4j vulnerability only made things worse.

Indian Patchwork hacking group infects itself with remote access Trojan
Date: 2022-01-11 Author: ZDNet
An Indian threat group’s inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT). Dubbed Patchwork by Malwarebytes and tracked under names including Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been on the scene since at least 2015 and is actively launching campaigns designed to deploy RATs for the purposes of data theft and other malicious activities. In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members from research institutions specialising in biomedical and molecular sciences.

Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft
Date: 2022-01-11 Author: ZDNet
Microsoft has confirmed that suspected China-based cyber criminals are targeting the Log4j ‘Log4Shell’ flaw in VMware’s Horizon product to install NightSky, a new ransomware strain that emerged on December 27. The financially motivated ransomware attacks target CVE-2021-44228, the original Log4Shell flaw disclosed on December 9, and mark one new threat posed by the critical vulnerability, which affects internet-facing software, systems and devices where vulnerable versions of the Java-based Log4j logging component are present.

Who is the Network Access Broker ‘Wazawaka’?
Date: 2022-01-12 Author: Krebs on Security
In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organisation. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

ESB-2022.0097 – ALERT HP-UX telnetd: Execute arbitrary code/commands – Remote/unauthenticated
Hewlett Packard Enterprise has issued a UN-OF point fix to address the remote execution of arbitrary code vulnerability in HP-UX telnetd.

ASB-2022.0002 – ALERT Microsoft Windows, Windows Server, Remote Desktop Client and HEVC Video Extensions: Multiple vulnerabilities
Microsoft’s Patch Tuesday for January included fixes to resolve 87 vulnerabilities across various Microsoft products including Windows and Windows Server.

ESB-2022.0111 – Acrobat, Acrobat DC, Adobe Reader and Adobe Reader DC: Multiple vulnerabilities
Adobe’s most recent security updates for Adobe Acrobat and Reader for Windows address multiple vulnerabilities. Adobe recommends that users update their software installations to the latest versions.

ASB-2022.0005 – Microsoft Exchange Server: Execute arbitrary code/commands – Existing account
Microsoft’s most recent security updates fix a remote code execution vulnerability in Microsoft Exchange Server 2013, 2016 and 2019.

ESB-2022.0107 – Citrix Workspace App: Root compromise – Existing account
A vulnerability in Citrix Workspace app for Linux could allow an existing user to escalate privileges to root. Citrix recommends that affected users upgrade to a fixed version as soon as possible.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 7th January 2022

Greetings,

Happy New Year! The first week of 2022 saw a few people in the AUSCERT office return to work following a short break over the Christmas and New Year period: one week down, 51 to go!

A reminder to those who may have a great story to tell, or know someone else who does: the Call for Presentations for the AUSCERT2022 Conference is NOW OPEN. The Conference will be held as a hybrid event from Tuesday, 10th May to Friday, 13th May 2022 at The Star Gold Coast, Broadbeach and online via the OnAIR Virtual Conferencing Platform. You must submit by Monday, 10 January to receive feedback from our committee for further improvements before the final deadline of 30 January. Submit to our AUSCERT2022 Call for Presentations and Tutorials, due in January 2022.

An interesting article featured on the info security website earlier in the week predicts some of the trends for the cyber security sector in 2022. Specifically, it looks at Resilience, Secure by Design, Skills and Technology, and offers some food for thought regarding our ever-evolving digital landscape.

Google Chrome update includes 37 security fixes
Date: 2022-01-06 Author: ZDNet
[See AUSCERT Bulletin ESB-2022.0049, published January 06.] Google rolled out an update for Chrome this week on Windows, Mac and Linux that included 37 security fixes, one of which was rated critical. Google Chrome’s Prudhvikumar Bommana thanked dozens of security researchers for helping find the bugs, many of which were given a high severity rating. Chrome 97.0.4692.71 includes a fix for CVE-2022-0096, a critical use-after-free (UAF) vulnerability, as well as for other UAFs such as CVE-2022-0098, CVE-2022-0099, CVE-2022-0103, CVE-2022-0105 and CVE-2022-0106. There are also three heap buffer overflow issues rated high severity.

Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations
Date: 2022-01-03 Author: The Hacker News
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from Internet of Things (IoT) devices as a side channel to glean precise knowledge about the different kinds of malware targeting embedded systems, even where obfuscation techniques have been applied to hinder analysis. With the rapid adoption of IoT appliances presenting an attractive attack surface for threat actors, in part because they are equipped with higher processing power and capable of running fully functional operating systems, the research aims to improve malware analysis to mitigate potential security risks.

FTC threatens legal action over unpatched Log4j systems
Date: 2022-01-05 Author: The Register
The US Federal Trade Commission on Tuesday warned companies that vulnerable Log4j software needs to be patched … or else. […] The FTC is advising companies to consult the US Cybersecurity and Infrastructure Security Agency’s (CISA) guidance on dealing with the Log4j flaws. If companies fail to fix their code and lose customer data, the FTC says it may just see what a judge thinks about that.

The biggest data breaches, hacks of 2021
Date: 2022-01-01 Author: ZDNet
In 2021, thousands of new cybersecurity incidents were recorded, and while cryptocurrency theft and data loss are now commonplace, the year stands out for several high-profile incidents involving ransomware, supply chain attacks, and the exploitation of critical vulnerabilities. The Identity Theft Resource Center (ITRC) has reported a 17% increase in the number of recorded data breaches during 2021 compared with 2020. However, an entrenched lack of transparency around the disclosure of security incidents persists, so this may be a lowball estimate.

Don’t copy-paste commands from webpages — you can get hacked
Date: 2022-01-03 Author: Bleeping Computer
Programmers, sysadmins, security researchers, and tech hobbyists who copy and paste commands from web pages into a console or terminal are warned that they risk having their system compromised. A technologist demonstrates a simple trick that will make you think twice before copying and pasting text from web pages.

ASB-2021.0244.6 – UPDATED ALERT log4j: Multiple vulnerabilities
Apache has released updates for log4j2 to address CVE-2021-44832, fixing another remote code execution vulnerability.

ESB-2022.0028 – wireshark: Multiple vulnerabilities
Several vulnerabilities leading to remote code execution or denial of service have been fixed in Wireshark.

ESB-2022.0042 – VMware products: Execute arbitrary code/commands – Existing account
VMware has addressed a heap-overflow vulnerability affecting multiple products.

ESB-2022.0049 – Google Chrome: Multiple vulnerabilities
Google has released Chrome 97, which addresses multiple security vulnerabilities including CVE-2022-0096, a critical use-after-free that may allow remote code execution.

ESB-2022.0059 – Tenable.sc: Multiple vulnerabilities
Tenable has released Tenable.sc 5.20.0 to address multiple vulnerabilities, including a critical vulnerability related to Apache HTTP Server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th December 2021

Greetings,

With only seven sleeps until Christmas, the realisation that the end of the year is upon us has well and truly set in!

A reminder of our scheduled shutdown over the Christmas and New Year period: AUSCERT will be closed from Thursday, December 23rd until Monday, January 3rd 2022. We will reopen on Tuesday, January 4th 2022. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

If you’re looking for something to do over the break, don’t forget the Call for Presentations for AUSCERT2022 is OPEN! We’re looking for something unique, a great story or something new that can be shared with our attendees. The closing date for submissions is January 10th, so be sure to get your idea to our committee so that feedback can be provided before the final deadline of January 30th. AUSCERT is also hiring, so if you’re interested in infrastructure, putting together security solutions and working collaboratively with cyber security analysts, brush off your resume and send it to us over the break!

Something we have been reminded of this past week with Log4j is that the world of cyber doesn’t take holidays and we must always remain vigilant. A recent blog from Seriously Risky Business provides a great overview of the situation and suggests how future occurrences of similar incidents can be avoided. Another blog post, this time from Rapid7, highlights how threat actors seek to take advantage of large-scale vulnerabilities such as Log4j, often working just as hard as those trying to remedy the situation, but with the aim of exploiting the vulnerability.

As this is the last Week in Review before Christmas, and with a lot of folk switching off for a well-earned break, the team at AUSCERT wanted to wish everyone a safe and happy Christmas and festive season and all the very best for 2022.

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Date: 2021-12-11 Author: Microsoft Security Blog
[This article is focused on the use of Microsoft security products to mitigate exploits. See also ASB-2021.0244.2, published December 10.] Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the vulnerable Log4j 2 component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.

Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Date: 2021-12-13 Author: Bleeping Computer
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component. Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

Second Log4j vulnerability discovered, patch already released
Date: 2021-12-15 Author: ZDNet
A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.” “This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack,” the CVE description says.

Why Companies Shouldn’t Shame Employees Who Fall for Hacking Scams
Date: 2021-12-06 Author: Wall Street Journal
[This article may be behind a paywall for some readers] The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee. Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome. Employees can be an organization’s greatest asset when it comes to defeating the efforts of cybercriminals. Using shame as a behavior modification tool squanders that potential. And that’s the real shame.

Google pushes emergency Chrome update to fix zero-day used in attacks
Date: 2021-12-13 Author: Bleeping Computer
Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux to address a high-severity zero-day vulnerability exploited in the wild. “Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” the browser vendor said in today’s security advisory. Although the company says this update may take some time to reach all users, Chrome 96.0.4664.110 has already begun rolling out worldwide in the Stable Desktop channel.

Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery
Date: 2021-12-14 Author: Threatpost
Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications. The patch came as part of the computing giant’s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft’s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

Australia to establish youth advisory council for countering online child exploitation
Date: 2021-12-15 Author: ZDNet
Australia will create a new panel consisting of Australian youths and young adults that will provide consultation to industry and government about how to approach regulating online platforms. “Young people know better than anyone about the good, the bad and the plain ugly that exists in the online world,” Prime Minister Scott Morrison said. “They are the first generation of Australians to grow up living simultaneously in both the real and digital worlds, and they are always at the forefront of new technologies.”

Visa pilots enumeration attack prevention requirement in Australia
Date: 2021-12-15 Author: IT News
Visa has chosen Australia as the first country worldwide where all “e-commerce payment providers” must have botnet detection capabilities in place by October to mitigate the threat posed by enumeration attacks. The payments giant said it could not fight a rise in enumeration attacks alone and needed the assistance of the entire payments ecosystem.

ESB-2021.4192 – apache-log4j2: Execute arbitrary code/commands – Remote/unauthenticated
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

ESB-2021.4268 – Safari: Execute arbitrary code/commands – Remote with user interaction
Processing maliciously crafted web content may lead to arbitrary code execution in the Safari browser.

ASB-2021.0245 – ALERT Microsoft Windows: Multiple vulnerabilities
Microsoft has released its monthly security update, resolving 38 vulnerabilities across its products.

ASB-2021.0252 – ALERT Microsoft Edge (Chromium-based): Multiple vulnerabilities
Microsoft addressed a Microsoft Edge (Chromium-based) remote code execution vulnerability in its newest update.

ASB-2021.0253 – Azure Products: Multiple vulnerabilities
Microsoft states “Successful exploitation allows for arbitrary code execution in the targeted application”.

Stay safe, stay patched, and have a Merry Christmas and a Happy New Year!
The AUSCERT team


Log4Shell-Logjam Overview

Picture credit: LunaSec[1]

TLDR; Patch, check your patches work, check logs for attempts and possible compromise.

Log4Shell is the name used by LunaSec[1] for the vulnerability in Apache Log4j 2 that was disclosed abruptly via a tweet[2] and a GitHub repository. The sudden announcement left security professionals a very short window in which to protect systems before other interested parties could discover, compromise and potentially take over them. Among the groups alerted this way were computer emergency response teams, which recognised the impact and published early advisories[3][4][5] that are either being updated or are referenced by newer advisories[6].

The attack surface was of prime concern, and security professionals exchanged ways to find exposed systems through various third-party search results. One early list of the attack surface showed that Log4Shell, also called LogJam, would affect a large number of systems[7][8]. Ways to detect affected servers were refined into scripts[9][10], and other entities released tools to detect vulnerable servers through first-party scanning[11][12][13]. Scanning your own estate is not the concern; unauthorised scanning by outsiders is. That activity was soon detected[14], and exploit payloads followed shortly after[15].

The manner of disclosure left little time for naming and grading. This was evident in the PSIRT initially having only release candidates[16][17]; the first was reported to be insufficient, so the second was needed[18]. The vulnerability was later allocated CVE-2021-44228[19] and carries the PSIRT’s assessment[20][21] of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Before a full patch was available from the PSIRT[22], mitigations were collated[25] and a “vaccine” was made available[23][24] as an easy way to blunt the unauthorised scanning attempts that were dropping malicious payloads. There will no doubt be further and more extensive reports[26][27][28][29][30][31][32][33][34][35] from noted security organisations, as well as a plethora of resources to help[36][37], but the advice right now is as in the TLDR: check your version[38][39], patch, check your patch, check your logs for attempts and possible compromise[40], and take remediation steps if any IoCs show up[41][42][43][44][45][46].

In the space of no more than a week, CVE-2021-44228 has gone from proof-of-concept drop, to internet-wide scans, to carrying crypto-coin miner payloads, to now being found to carry ransomware payloads[47][48].

Finally, if your weekend felt hectic as a result of this abrupt disclosure, spare a thought for the three volunteers[49][50] who maintain a piece of code on which the internet has come to depend so much. They have worked very hard to get us a patch as soon as possible[51]. We would also like to thank all the contributors who made this article possible by submitting relevant links and articles.
[1] LunaSec advisory https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] Tweeted 0-day https://twitter.com/P0rZ9/status/1468949890571337731
[3] NZ CERT https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
[4] AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2021.0244.2
[5] SingCERT https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
[6] AUSCERT ESB https://portal.auscert.org.au/bulletins/ESB-2021.4186
[7] Attack surface https://github.com/YfryTchsGD/Log4jAttackSurface
[8] Randori blog https://www.randori.com/blog/cve-2021-44228/
[9] log4j_rce_check https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
[10] Log4j2Scan https://github.com/whwlsfb/Log4j2Scan
[11] Qualys detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
[12] SOC Prime https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
[13] Imperva https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
[14] Log4j RCE attempts https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
[15] Cloudflare blog https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
[16] PSIRT rc1 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[17] PSIRT rc2 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
[18] CyberKendra https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
[19] NVD https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[20] The Record https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
[21] PSIRT advisory https://logging.apache.org/log4j/2.x/security.html
[22] PSIRT download https://logging.apache.org/log4j/2.x/download.html
[23] Cybereason blog https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
[24] Cybereason Logout4Shell https://github.com/Cybereason/Logout4Shell
[25] Dark Reading https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
[26] Palo Alto Unit 42 https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
[27] Cloudflare blog https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
[28] Cloudflare blog https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[29] Sygnia advisory https://blog.sygnia.co/log4shell-remote-code-execution-advisory
[30] SANS ISC diary https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
[31] SANS ISC diary https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[32] CrowdStrike https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
[33] Bleeping Computer https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
[34] TrustedSec https://www.trustedsec.com/blog/log4j-playbook/
[35] Bleeping Computer https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
[36] Reddit list of log4j resources https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
[37] CVE-2021-44228-Log4Shell-Hashes https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
[38] NCSC-NL https://github.com/NCSC-NL/log4shell
[39] BlueTeam CheatSheet https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[40] log4shell-detector https://github.com/Neo23x0/log4shell-detector
[41] MalwareBazaar https://bazaar.abuse.ch/browse/tag/log4j
[42] URLhaus https://urlhaus.abuse.ch/browse/tag/log4j
[43] ThreatFox https://threatfox.abuse.ch/browse/tag/log4j
[44] Curated Intel https://github.com/curated-intel/Log4Shell-IOCs
[45] Microsoft guidance https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[46] TryHackMe https://tryhackme.com/room/solar
[47] Twitter (@80vul) https://twitter.com/80vul/status/1470272820571963392?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet
[48] Twitter (@ankit_anubhav) https://twitter.com/ankit_anubhav/status/1470648109625536515
[49] Twitter (@FiloSottile) https://twitter.com/FiloSottile/status/1469441487175880711
[50] Twitter (@matthew_d_green) https://twitter.com/matthew_d_green/status/1469715416549367812
[51] iTnews https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914
