
AUSCERT Week in Review for 02nd October 2020

Greetings,

And just like that, we’ve landed in the final quarter of 2020. This week we would like to share a couple of initiatives from colleagues in the industry, namely:

· AustCyber and their Australian Cyber Week 2020 range of events, which will take place at the end of this month, from 26th to 30th October.
· AHECS and their inaugural AHECS Cybersecurity Summit, a conference with a focus on the higher education and research community, as well as the identity management and privacy community.

We also wanted to bring to your attention a recent alert published by the ACSC (cyber.gov.au) on an observed resurgence of the Emotet malware campaign. Have a read, and please do not hesitate to get in touch with our team should you require any assistance in this area.

For those of you who took the time to complete our AUSCERT Security Bulletins survey – thank you! The team is currently working through the feedback you’ve provided; the results will be used to strengthen our delivery of this particular service and will form part of a long-term service improvement project.

Last but not least, don’t forget to complete the 2020 BDO in Australia and AUSCERT Cyber Security Survey. This anonymous survey closes at midnight on Friday, 30 October 2020 and takes less than 10 minutes to complete. By taking part, you will be offered the chance to win one of two Apple Watches.

Until next week, have a wonderful weekend everyone.

Government’s cyber pledge has largely failed to increase awareness
Date: 2020-09-30 Author: CRN Australia
The federal government’s decision to spend $1.6bn boosting Australia’s ability to repel cyber-attacks might have highlighted the risks they pose to the economy, but security partners say that some customers still struggle to understand the scale of the threat and manage it appropriately. It was a trend that generally became more pronounced as businesses diminished in size, they said. However, even in larger organisations, board-level support for company-wide measures to tackle cyber security breaches was still far from universal, as cyber leaders continued to grapple with stubborn communication barriers.

Microsoft Netlogon exploitation continues to rise
Date: 2020-10-28 Author: Talos Intelligence
Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.

Airports, ATMs, hospitals: Microsoft Windows XP leak would be less of an issue, if so many didn’t use it
Date: 2020-10-30 Author: The Conversation
The source code of the Windows XP operating system is now circulating online as a huge 43GB mega-dump. Although the software is nearly two decades old, it’s still used by people, businesses and organisations around the world. This source code leak leaves it open to being scoured for bugs and weaknesses hackers can exploit.

Microsoft disrupts nation-state hacker op using Azure Cloud service
Date: 2020-10-25 Author: Bleeping Computer
In a report this week, Microsoft said that it disrupted operations of a nation-state threat group that was using its Azure cloud infrastructure for cyber attacks. Microsoft refers to the actor by the name Gadolinium and says that it’s been active for about a decade targeting organizations in the maritime and health industry; more recently, the hackers expanded focus to higher education and regional government entities.

WA govt creates first cyber security operations centre
Date: 2020-10-29 Author: ITnews
The WA government has established a cyber security operations centre to coordinate its response to cyber security incidents and improve visibility over the network threats facing agencies. The government launched the centre, complete with eight cyber security personnel, on Tuesday using $1.8 million set aside in next week’s 2020-21 state budget.

Wondering how to tell the world you’ve been hacked? Here’s a handy guide from infosec academics
Date: 2020-10-24 Author: theregister.com
Infosec boffins at the University of Kent have developed a “comprehensive playbook” for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything’s fine. In a new paper titled “A framework for effective corporate communication after cyber security incidents,” Kent’s Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data security breaches and similar incidents where servers are hacked and customer records end up in the hands of criminals.

GitHub rolls out new Code Scanning security feature to all users
Date: 2020-10-30 Author: ZDNet
Code-hosting website GitHub is rolling out today a new security feature named Code Scanning for all users, on both paid and free accounts. GitHub says the new Code Scanning feature “helps prevent vulnerabilities from reaching production by analyzing every pull request, commit, and merge—recognizing vulnerable code as soon as it’s created.” Once vulnerabilities are detected, Code Scanning works by prompting the developer to revise their code.

ESB-2020.3403 – firefox: Multiple vulnerabilities
Red Hat’s updates include fixes for multiple vulnerabilities in Firefox.

ESB-2020.3360 – NetworkManager: Reduced security – Existing account
An update released for NetworkManager to address a Reduced Security vulnerability.

ESB-2020.3343 – IBM Cloud Private: Multiple vulnerabilities
IBM releases updates to address Kubernetes vulnerabilities.

ASB-2020.0160 – Microsoft Edge (based on Chromium): Multiple vulnerabilities
Microsoft updates its Edge browser to include security fixes from the upstream Chromium project.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 25th September 2020

Greetings,

We hope everyone’s been enjoying the Spring weather we’ve had recently!

For those of you who attended our AUSCERT2020 conference last week, you can revisit the conference’s key learnings by re-watching the presentations on demand on our now LIVE website. Please keep an eye out for an email sent earlier today with the specific details on how to access this resource page. A common theme throughout last week was just how much delegates enjoyed the ability to remain connected with their network of industry peers despite the circumstances this year. We hope you enjoyed your conference experience and we look forward to having you join us again at AUSCERT2021.

Last but not least, it’s that time of the year again folks – the 2020 BDO in Australia and AUSCERT Cyber Security Survey is now open. This annual survey of key decision-makers across Australia and New Zealand identifies the current cybersecurity trends, issues and threats facing organisations. We would like to encourage as many of you as possible to take part now. This anonymous survey closes at midnight on Friday, 30 October 2020 and takes less than 10 minutes to complete. By taking part, you will be offered the chance to win one of two Apple Watches.

Until next week, have a restful weekend everyone.

…

Microsoft: Hackers using Zerologon exploits in attacks, patch now!
Date: 2020-09-23 Author: BleepingComputer
[Please refer to AUSCERT Bulletin ASB-2020.0140, member portal login required]
Microsoft has warned that attackers are actively using the Windows Server Zerologon exploits in attacks and advises all Windows administrators to install the necessary security updates.

Researchers say not to use myGovID until login flaw is fixed
Date: 2020-09-21 Author: iTnews
ATO declines to change protocol. Two security researchers are warning Australians not to use myGovID, as they say the login system contains an implementation flaw that could lead to attackers gaining full access to their accounts. Masters student Ben Frengley and adjunct professor Vanessa Teague created a threat scenario in which an attacker sets up sites that they control and asks users to log into them with myGovID. In the scenario, the attacker captures the email address of the user and then immediately uses it to try to log into an official government portal. The official portal displays a 4-digit PIN that the attacker then relays back to the user via the controlled site.

Popular password manager could have a critical vulnerability
Date: 2020-09-22 Author: TechRadar
A security researcher has discovered a new vulnerability in a popular password manager that could allow for remote code execution. The password manager in question is Bitwarden, and the vulnerability resides in the company’s desktop app, which automatically downloads updates and replaces its own code with these updates without user intervention.

Australians want more control over privacy, survey shows
Date: 2020-09-24 Author: Office of the Australian Information Commissioner (OAIC)
Privacy is a major concern for 70% of Australians, while 87% want more control and choice over the collection and use of their personal information, a new study shows. The Australian Community Attitudes to Privacy Survey (ACAPS) 2020, released today, provides a comprehensive view of beliefs and concerns about the protection of personal information. “Our survey shows data privacy is a significant concern for Australians, particularly as the digital environment and data practices evolve rapidly. The community sees identity theft and fraud, and data breaches and security, as the biggest privacy risks we face today.”

Phishing awareness training wears off after a few months
Date: 2020-09-21 Author: ZDNet
Security and phishing awareness programs wear off in time, and employees need to be re-trained after around six months, according to a paper presented at the USENIX SOUPS security conference last month. The purpose of the paper was to analyze the effectiveness of phishing training over time. Taking advantage of the fact that organizations in the German public administration sector must go through mandatory phishing awareness training programs, academics from several German universities surveyed 409 of 2,200 employees of the State Office for Geoinformation and State Survey (SOGSS).

ESB-2020.3307 – Apple: Multiple vulnerabilities
Apple releases updates for macOS Catalina, High Sierra and Mojave.

ESB-2020.3233 – Google Chrome: Multiple vulnerabilities
Updates released to address multiple vulnerabilities in Google Chrome.

ESB-2020.3226 – MISP: Multiple vulnerabilities
A new version of MISP has been released with several bugs fixed.

ESB-2020.3188 – Samba: Multiple vulnerabilities
An update has been released to fix multiple vulnerabilities in the Netlogon protocol.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 18th September 2020

Greetings,

What a week it was! We took on uncharted territory this year by hosting our 19th annual conference, AUSCERT 2020, virtually. While it mimicked an in-person event in so many ways (think: tech glitches and hiccups), our team is very proud to have been able to deliver the conference nevertheless. We trust that you enjoyed your delegate experience, and don’t forget to save the dates for next year as we look forward to seeing everyone SOAR with cyber.

We would like to take this opportunity to congratulate our 2020 Australian Information Security Awards winners again:

• Member Organisation of the Year: Federation University
• Member Individual of the Year: Rachael Leighton from the Department of Premier and Cabinet, Victorian Government
• Information Security Excellence Winner: Michelle Price from AustCyber

Congratulations to all on their very deserving awards; we hope to continue working together in fostering our cyber and information security community.

Members, don’t forget that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to the close of business today. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

Until next week, have a restful weekend everyone.

…

New privacy resource: When do Australian Government agencies need to conduct a privacy impact assessment?
Date: 2020-09-14 Author: Office of the Australian Information Commissioner (OAIC)
The Office of the Australian Information Commissioner (OAIC) has released a privacy resource to assist Australian Government agencies to determine when they need to conduct a privacy impact assessment.

Govt systems to be classed critical infrastructure under cyber reforms
Date: 2020-09-14 Author: IT News
Select federal government systems and networks will be classified as critical infrastructure alongside nationally significant private sector systems, Home Affairs boss Mike Pezzullo has revealed. Pending the passage of amendments to the Act and the co-design of sector-specific standards, the government expects the new cyber security obligations to come into effect in mid-2021.

Office 365 will let users view their quarantined phishing messages
Date: 2020-09-11 Author: Bleeping Computer
Microsoft is planning to allow Office 365 users to view and request the release of phishing messages automatically quarantined by the Exchange Online Protection (EOP) filtering stack. This new capability is designed to make it possible for end users to reclaim e-mails that have been accidentally marked as phishing or spam messages by Office 365 EOP.

Attacked by ransomware? Five steps to recovery
Date: 2020-09-15 Author: Help Net Security
Ransomware has been noted by many as the most threatening cybersecurity risk for organizations, and it’s easy to see why: in 2019, more than 50 percent of all businesses were hit by a ransomware attack – costing an estimated $11.5 billion. In the last month alone, major consumer corporations, including Canon, Garmin, Konica Minolta and Carnival, have fallen victim to major ransomware attacks, resulting in the payment of millions of dollars in exchange for file access. While there is a lot of discussion about preventing ransomware from affecting your business, the best practices for recovering from an attack are a little harder to pin down.

Govt elevates consent in proposed public data sharing laws
Date: 2020-09-17 Author: ITNEWS
Federal government agencies will need to seek consent before releasing personal information to other governments and the private sector, if it is feasible to do so, under proposed public sector data sharing laws. An exposure draft of the Data Availability and Transparency Bill, published this week, reveals a change to the Office of National Data Commissioner (ONDC) policy position that embeds consent within one of five data sharing principles.

ESB-2020.3181 – iOS & iPadOS: Multiple vulnerabilities
Apple releases updates to address issues in iOS & iPadOS.

ESB-2020.3165 – McAfee Email Gateway: Multiple vulnerabilities
Email Gateway update fixes a path traversal vulnerability.

ESB-2020.3128 – McAfee Agent: Multiple vulnerabilities
McAfee Agent update fixes four vulnerabilities on Windows and macOS.

ESB-2020.3175 – Drupal: Multiple vulnerabilities
Updates released to fix multiple vulnerabilities identified in Drupal Core.

ESB-2020.3151 – mysql:8.0: Multiple vulnerabilities
An update for the mysql:8.0 module has been released for Red Hat Enterprise Linux 8.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 11th September 2020

Greetings,

It seemed like ages ago when we announced that AUSCERT2020 would be moved to a virtual platform. Here we are: tutorials kick off in just 4 sleeps, on Tuesday 15th September!

Delegates, over the past few days this week you will have received a series of targeted emails, each featuring a specific area of our conference program. Be sure to catch up on those to maximise your delegate experience. We covered the following areas of the conference: Interactive Activities, Speakers and Keynotes, Program and Social Activities, Sponsor Thank-you, and Delegate Experience.

This week also saw us acknowledging R U OK Day, and we realise the question is heavier this year. We are sharing this blog piece from our conference charity partner LIVIN here.

Members, don’t forget that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

Until next week, we hope to catch up with as many of you as possible virtually at AUSCERT2020, “We Can be Heroes”. Have a great weekend everyone!

…

Universities are a juicy prize for cyber criminals. Here are 5 ways to improve their defences
Date: 2020-09-08 Author: The Conversation
[Dr David Stockdale, AUSCERT Director and Deputy Director of Infrastructure Operations, Information Technology Services at The University of Queensland, co-authored this article.]
Universities worldwide are a growing target for hackers. A July 2020 report by cybersecurity company Redscan found more than 50% of UK universities recorded a data breach in the previous 12 months. More recently, a data breach has affected 444,000 users of ProctorU. Universities, including several Australian ones, use this online tool to supervise students sitting exams from home. Personal records from ProctorU were made available on hacker forums. What can unis do to improve cybersecurity?

Patch Wednesday fixes ‘worst-case scenario’ Exchange bug
Date: 2020-09-09 Author: IT News
Today’s regular set of security updates for Microsoft products fixes 23 critical and 105 important flaws, including a serious vulnerability in Exchange Server that is remotely exploitable. Dustin Childs of the Zero Day Initiative noted the vulnerability allows an attacker to run code at the high-privilege SYSTEM user level, simply by sending a specially crafted email to an unpatched Exchange server.

Australian cyber companies collaborate on online training program for Defence Force
Date: 2020-09-07 Author: iTWire
A group of Australian sovereign cyber companies is claiming an Australia-first collaboration to create a successful pilot of a fully online, collective cyber training program for the Australian Defence Force. The companies – Cydarm, Elttam, Penten and Retrospect Labs – each with expertise in niche cyber technology, came together to tailor a solution for the ADF on FifthDomain’s cyber training platform.

Newcastle Uni Ransomware Attack Will “Take Weeks” to Mitigate
Date: 2020-09-08 Author: Infosecurity Magazine
A leading UK university has warned staff and students that it will take weeks to recover from a recent ransomware incident, with a well-known threat group already posting stolen documents. Newcastle University in the north-east of England is part of the elite Russell Group. It claimed to have been attacked on August 30 2020, with most university systems unavailable or restricted indefinitely. “The nature of the problem means this is an on-going situation which we anticipate will take a number of weeks to address,” it said in an update on Monday. “We hope to have a better estimate at the end of this week.”

Cybersecurity 101: Protect your privacy from hackers, spies, and the government
Date: 2020-09-09 Author: ZDNet
Privacy used to be considered a concept generally respected in many countries — at least, in the West — with a few changes to rules and regulations here and there often made only in the name of the common good. Things have changed, and not for the better. China’s Great Firewall, the UK’s Snooper’s Charter, the US’ mass surveillance and bulk data collection — compliments of the National Security Agency (NSA) and Edward Snowden’s whistleblowing — Russia’s insidious election meddling, and countless censorship and communication blackout schemes across the Middle East are all contributing to a global surveillance state in which privacy is a luxury of the few and not a right of the many.

ASB-2020.0158 – Microsoft Exchange Server: Execute arbitrary code/commands – Existing account
Microsoft’s Patch Tuesday included fixes for a vulnerability in Exchange Server.

ASB-2020.0156 – Internet Explorer & ChakraCore: Multiple vulnerabilities
Microsoft released an update that resolves 6 vulnerabilities in Internet Explorer & ChakraCore.

ESB-2020.3108 – Threat Intelligence Exchange Server: Multiple vulnerabilities
McAfee Threat Intelligence Exchange Server update includes fixes for five third-party vulnerabilities.

ESB-2020.3096 – Intel BIOS firmware: Multiple vulnerabilities
Security vulnerabilities in BIOS firmware for multiple Intel platforms allow escalation of privilege, denial of service and/or information disclosure.

ESB-2020.3095 – IBM Security Access Manager for Enterprise Single Sign-On: Multiple vulnerabilities
A security vulnerability has been identified in Apache Batik, used by IBM WebSphere Application Access Manager for Enterprise Single Sign-On.

Stay safe, stay patched and have a good weekend!

Vishaka


AUSCERT at the forefront of Cybersecurity and AUSCERT2020 "We Can be Heroes"

[Editor’s notes: an edited version of this article features in the CyberAustralia Magazine 2020-2021]

AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, AUSCERT delivers a 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy.

The Australian Government Department of Home Affairs recently released its report on Australia’s 2020 Cyber Security Strategy, and AUSCERT is very proud to have been involved in the consultation process late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences, structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT:

Deterrence: Any infrastructure reported by our members that proves to be malicious will be subject to persistent and escalating takedown notices.

Prevention: Providing Indicators of Compromise, Indicators of Vulnerability, security advisories and bulletins gives members strong, proactive preventative information.

Detection: Bi-directional threat intelligence gathering through open source platforms, where members are given real-time intel that helps to automatically detect and block potential attacks.

Resilience: AUSCERT takes part in and helps to organise Asia Pacific regional cyber drills, and provides webinars to members to keep cyber security awareness front of mind.

Investment: As a not-for-profit organisation, AUSCERT reinvests all membership proceeds into service delivery, improvements and the building of our members’ cyber security capabilities.

Clear benefits for members

AUSCERT leverages the resources provided by its membership base and The University of Queensland Australia. Our reach with international CERTs, as well as other Australian organisations, increases the effectiveness of our malicious infrastructure take-downs and abuse advisories, and this international co-operation enables an internationally recognised norm of incident response. With a 24/7 member incident hotline, AUSCERT enables our members to keep their incident response effective by providing assistance that complements existing capabilities.

Cyber risks are owned by those best positioned to manage them

Assistance in establishing a risk assessment as well as an incident response plan is covered through AUSCERT education, where an understanding of these concepts allows for efficient use of resources in preventing, mitigating, transferring or avoiding cyber risks.

AUSCERT members practice cyber security at home and at work

With the increase in remote working, AUSCERT assists our members wherever their work setting is physically located.

AUSCERT is a cyber security incident response team exemplar

AUSCERT takes incident response seriously and trains its staff to be able to handle incidents whenever they arise. This is done not only through internal training; all staff are also encouraged to attain industry certification(s) in line with their job requirements. This experience is then reinvested back into members in the form of published advice, blog article(s) and educational events such as webinar sessions. Additionally, Indicators of Vulnerability and Indicators of Compromise are streamed to members on a daily basis, keeping our members aware of vulnerabilities, leaked credentials and misconfigurations, as well as the availability of remedial advice.

Trusted services, nationally and internationally

As a trusted entity in cyber security, AUSCERT is handed information on incidents and vulnerabilities from national and international sources.

AUSCERT2020 “We Can Be Heroes”

AUSCERT2019 “It’s Dangerous to Go Alone” gave delegates the tools to build knowledge within their teams. This year, the emphasis lies on the fact that anyone in your organisation can be your champion, your cyber security hero. Not only is it vital that you have a strong team behind you, but it is equally important that you equip and encourage every individual in your organisation to assist in cyber and data security.

AUSCERT2020 will be held across 4 days, packed with world-class tutorials and presentations delivered by over 60 speakers from around the globe. With an audience of around 1000 delegates, this year’s conference will be the largest held in recent years.

We’re especially proud to feature a number of AUSCERT content and speakers, namely Colby Prior and his tutorial on the topic of “Running your own honeypot: An Introduction”, Mike Holm and his co-presentation with Leon Fouche from BDO on the topic of the “Joint AUSCERT and BDO Annual Cyber Security Survey Report 2019” and, last but not least, Geoff Thonon on the topic of “Could Phishing be nastier by any other name?”. In addition to these AUSCERT presentations, UQ will also be represented by Mandy Turner from the SOC team, speaking on the topic of “Cybercrime”, and the team from UQ Cyber from the EAIT Faculty will also be hosting a virtual booth at the conference.

The format of the conference delivery may be different this year, but AUSCERT is as committed as ever to providing you with meaningful and rich content – all from the comfort of your office or home environment. “Cyber security has never been more important”. The cyber security landscape is ever-changing, and AUSCERT is passionate about engaging with members to empower their people, capabilities and capacities.

For more information on AUSCERT, please contact membership@auscert.org.au or +61 7 3365 4417. For further information on the AUSCERT2020 conference, please contact conference@auscert.org.au.


AUSCERT Week in Review for 4th September 2020

Greetings,

This week, the team made headlines with our research piece on a data dump claimed to be from the Department of Education, which turned out to be low-threat info from a third-party company.

Members, don’t forget that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

As promised, we announced our AUSCERT2020 partnership with LIVIN.org, an organisation focussed on “Breaking the stigma of mental health.” In 2020, all revenue raised through our general admission registration sales for AUSCERT2020 will be donated directly to a chosen charity. As an organisation, AUSCERT has always felt strongly about the effects of mental health in the cyber and information security industry, and we are proud to utilise this opportunity to contribute towards a very worthy cause.

Word on the street also has it that our various delegate swag bags are making their way this week to the first 600 registered delegates with an Australian address. We hope you love the items included in the swag bag, and we have our wonderful sponsors to thank.

Until next week, take care – don’t forget to spoil your awesome dads (Father’s Day on Sunday 6 September!) and have a great weekend everyone.

David Lord, former team lead: On another note, I’m leaving AUSCERT today. I’m ADIR’s original creator and editor, although in recent times our comms expert Laura has taken the helm. It has been a pleasure to build and shape this service. Members sometimes send notes of thanks for our emphasis on concise but informative summaries, and that’s high praise indeed. I’ll certainly be staying subscribed 😉

Large Australian education data leak traced to third-party service
Date: 2020-09-02 Author: iTnews
An online maths resource with a large Australian user base appears to be behind a large-scale leak of data touted online as a dataset belonging to the “Australian department of education”. Images of the dataset, purporting to contain the data of an unknown number of individuals, including those with vic.edu.au and wa.edu.au email addresses, emerged on Tuesday night. Alon Gal, chief technology officer at cyber security intelligence firm Hudson Rock, claimed the dataset belonged to the “Australian Department of Education”, which does not exist.

AUSCERT says alleged DoE hack came from a third-party
Date: 2020-09-02 Author: ZDNet
In a statement posted on its website, AUSCERT said that after analyzing the data with cyber-security firm Cosive, it determined that the leaked data originated from K7Maths, an online service providing school e-learning solutions. AUSCERT is now urging Australian schools to check if their staff are using the K7Maths service for their daily activities, and to take appropriate measures, such as resetting the teacher and students’ passwords, in case they had re-used passwords across other internal applications.

SendGrid under siege from hacked accounts
Date: 2020-08-29 Author: Krebs on Security
Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid’s parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime. [AUSCERT can empirically confirm that we see this daily.]

Over 54,000 scanned NSW driver’s licences found in open cloud storage
Date: 2020-08-28 Author: iTnews
Tens of thousands of scanned NSW driver’s licences and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn’t know how the sensitive personal data ended up in the cloud. The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into another data breach. “All the documents I observed were related to the NSW area and there was no indication as to who might be the owner of the data,” Diachenko told iTnews.

ESB-2020.3001 – Django: Multiple vulnerabilities
Filesystem permissions meant that a malicious local user had more access than they should.

ESB-2020.2976 – Bacula: Denial of service
It’s just a cool name for a backup service.

ESB-2020.3028 – GitLab: Access confidential data
GitLab’s packaging woes continued as they released another security release which excluded the security fixes, and then another hasty release to include them. If you’re using v13.3.3, v13.2.7 or v13.1.9, you should update.

ESB-2020.3006 – Ansible: Multiple vulnerabilities (RCE)
Another user/admin can manipulate the package store, and Ansible will install packages that have been altered but won’t know or report it – so the deployment/config/Ansible workflow/admin will not be aware of the compromise.

Stay safe, stay patched and have a good weekend!

David


Blogs

AUSCERT investigating a data dump claimed to be from the Department of Education

3:40pm 03/09/20 AEST
Updated below to clarify that first and last name are also included in the data. This doesn’t change our assessment. Unless further developments occur, we believe no further research is required. Please notify us if you find that your staff or students have used the service and you have concerns.

4:30pm 02/09/20 AEST
Working with Cosive, we’ve found signs that this is a re-publish of a dataset published in March 2020 or earlier, relating to a service called “K7 Maths”. The TLS on their site also correlates with what seems to be their Australian presence. It’s likely that the data came from an exposed Elasticsearch instance. There are no plaintext passwords exposed, just bcrypt hashes, although they can be cracked with enough effort.

Members concerned that their staff may have used this tool and may be included in the full dump should, where possible:
• Check with teaching and admin staff for usage of the service.
• Check mailboxes for sign-up emails from schoolcentre.com.au, k7maths.com or schoolcentre.com before that date.

If usage is found, we recommend:
• Consider that the credential may be compromised, and that anywhere the password was re-used may now be exploited. A password reset for internal services is usually worthwhile, but consider your environment before applying this advice.
• Monitor staff accounts for suspicious logins – email, VPN, etc. This can lead to business email compromise (BEC), unauthorised access to the network, malware being sent between users, and more.
• Notify AUSCERT.

There’s a mitigating factor: the password hashes use the standard bcrypt algorithm, with a “cost factor” of ten rather than eight, which makes it four times harder than usual to crack.

We think that the only personal information in the dump is email address and country (edit: as well as first and last name), which would likely not count as a notifiable data breach. Our investigation there is incomplete. Consult your usual legal team if you have concerns.

4:00pm 02/09/20 AEST
We have a suspected source for the data, which is not a government agency. More information to follow.

9:50am 02/09/20 AEST
The dump refers to “the Australian Department of Education (edu.au)”, and no such organisation exists. We’ve reached out to likely candidates for comment.

9:15am 02/09/20 AEST
We’ve seen reports that an Australian education-related data set of unknown origin has been published. We’re looking into it now and will update this post as we get more information. We’ll also be posting updates on Twitter and LinkedIn. The claim is that it’s from the Australian Department of Education, and was retrieved in 2019.

The claimed fields are: country_id, created_at, email, encrypted_password (may be a bcrypt hash?), first_name, id, is_admin, is_guest, last_mail_at, last_name, last_sign_in_at, newsletter, region_id, tags, subscription, orders
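As an added example (not AUSCERT’s or Cosive’s code) of the checks the post recommends: this Python script takes records in the claimed field layout, reads the cost factor out of each bcrypt hash string (the way a “cost factor of ten” is visible in the dump itself), flags any password field that is not in bcrypt format so the “no plaintext passwords” assessment can be confirmed, and lists the accounts under a member’s own mail domains that should be considered for a reset. The sample records, the member domain list and all helper names are constructed for illustration.

```python
import re

# Fields the dump was claimed to contain, as listed in the post.
CLAIMED_FIELDS = ("country_id", "created_at", "email", "encrypted_password",
                  "first_name", "id", "is_admin", "is_guest", "last_mail_at",
                  "last_name", "last_sign_in_at", "newsletter", "region_id",
                  "tags", "subscription", "orders")

# Modular crypt format used by bcrypt: $2a$ / $2b$ / $2y$, a two-digit cost,
# then 22 salt + 31 digest characters from bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(value):
    """Return the cost factor encoded in a bcrypt string, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(value or "")
    return int(m.group(1)) if m else None


def relative_work(cost, baseline=8):
    """bcrypt work doubles per cost step: cost 10 versus 8 is 2**2 = 4 times the effort."""
    return 2 ** (cost - baseline)


def email_domain(email):
    email = (email or "").strip().lower()
    return email.rsplit("@", 1)[1] if "@" in email else None


def is_member_domain(domain, member_domains):
    # Match the domain itself or any subdomain (school.wa.edu.au under wa.edu.au).
    return any(domain == d or domain.endswith("." + d) for d in member_domains)


def triage(records, member_domains):
    """Summarise a dump for one member: their accounts present, cost factors seen,
    password fields that are not bcrypt, and any fields outside the claimed set."""
    member_domains = tuple(d.lower() for d in member_domains)
    summary = {"affected": [], "costs": {}, "not_bcrypt": [], "unexpected_fields": set()}
    for rec in records:
        summary["unexpected_fields"].update(set(rec) - set(CLAIMED_FIELDS))
        cost = bcrypt_cost(rec.get("encrypted_password"))
        if cost is None:
            summary["not_bcrypt"].append(rec.get("email"))
        else:
            summary["costs"][cost] = summary["costs"].get(cost, 0) + 1
        domain = email_domain(rec.get("email"))
        if domain and is_member_domain(domain, member_domains):
            summary["affected"].append(rec["email"].strip().lower())
    return summary


def fake_bcrypt(cost):
    # Constructed placeholder in bcrypt format; not a real hash of anything.
    return "$2b$%02d$" % cost + "A" * 22 + "B" * 31


# Constructed sample records using the claimed field names (not real dump data).
SAMPLE_RECORDS = [
    {"id": 1, "email": "teacher1@vic.edu.au", "encrypted_password": fake_bcrypt(10),
     "first_name": "T", "last_name": "One", "country_id": 13},
    {"id": 2, "email": "Admin@school.wa.edu.au", "encrypted_password": fake_bcrypt(10),
     "first_name": "A", "last_name": "Two", "country_id": 13},
    {"id": 3, "email": "someone@example.com", "encrypted_password": fake_bcrypt(8),
     "first_name": "S", "last_name": "Three", "country_id": 13},
    {"id": 4, "email": "teacher2@vic.edu.au", "encrypted_password": "not-a-hash",
     "first_name": "T", "last_name": "Four", "country_id": 13},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, ["vic.edu.au", "wa.edu.au"])
    print("accounts to consider for reset:", result["affected"])
    for cost, n in sorted(result["costs"].items()):
        print("cost %d: %d hashes, %dx the effort of cost 8" % (cost, n, relative_work(cost)))
    print("password fields that are not bcrypt:", result["not_bcrypt"])
```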


Week in review

AUSCERT Week in Review for 28th August 2020

Greetings,

Members, this week we informed everyone that we are extending the closing date of the AUSCERT Security Bulletins survey (member portal login required) to 5.00pm AEST on Friday 18th September. Every completed survey will go in the draw to win a Nintendo Switch Lite console, valued at AU$299.

As we approach the AUSCERT2020 conference, we would like to take this opportunity to remind everyone of our program offerings, speakers list as well as all the interactive activities that will be on offer during the conference. Registrations for the conference are still open but with very limited spaces remaining so be sure to spread the word amongst your professional network so they don’t miss out. In 2020, all revenue raised through our general admission registration sales will be donated directly to a chosen charity. We will be announcing this charity early next week. We’re very much looking forward to catching up with as many of you as possible in mid-September – albeit virtually!

Until next week, take care and have a great weekend everyone.

ASIC sues financial services company for repeated hacks
Date: None
Author: iTnews
The Australian Securities and Investments Commission today said it has taken RI Advice Group to court for cyber security failings that led to its systems being hacked for months on end, and on multiple occasions. In its notice of filing, the regulator says RI is required to establish and maintain compliance measures, as an Australian financial services licence holder. The unknown hacker obtained access via an FFG staff account, and spent more than 155 hours logged into the file server that contained sensitive financial information and client identification documents.

MITRE Releases ‘Shield’ Active Defense Framework
Date: None
Author: Dark Reading
MITRE Corp. has released a new guide cataloging measures that organizations can take to actively engage with and counter intruders on their networks. Like MITRE’s widely used ATT&CK framework, which offers a comprehensive listing of attacker behavior, the federally funded organization’s new Shield is a publicly available knowledge base, this time of tactics and techniques for proactive defense.

NZ stock exchange suffers outages due to DDoS attacks
Date: None
Author: iTWire
New Zealand’s stock exchange has been hit by a distributed denial of service attack on Wednesday morning which forced the exchange to go offline for about an hour. The New Zealand Herald reported that the exchange had gone down at 11.24am local time (9.24am AEDT) on Wednesday and resumed operations at 12.20pm. On Tuesday evening, the exchange could not operate during its last hour, due to a similar reason. This outage happened as the exchange was approaching a record closing.

Elon Musk confirms Russian hacking plot targeted Tesla factory
Date: None
Author: ZDNet
Earlier this week, US authorities arrested and charged a Russian national for traveling to the US to recruit and convince an employee of a Nevada company to install malware on their employer’s network in exchange for $1 million. While no court indictment named the targeted company, several news outlets specialized in covering the electric cars scene speculated today that the attack had very likely targeted US carmaker Tesla, which operates a mega-factory in Sparks, a town near Reno, Nevada. While Tesla had not returned requests for comment on the topic, in a tweet earlier today, Tesla CEO Elon Musk officially confirmed that the hacking plot did, indeed, target his company.

New Zealand bourse crashes for fourth day after cyber attacks
Date: None
Author: iTnews
New Zealand’s stock exchange crashed for a fourth day on Friday, due to network connectivity issues relating to two cyber attacks targeted at the bourse this week, bourse operator NZX said. There is no clarity on who is behind these “offshore” attacks and why New Zealand was targeted.

ASB-2020.0148 – AUSCERT member survey: security bulletins
If you only read one bulletin this week, read this one. Tell us what you want from the service and we’ll enter you in the draw for a Nintendo Switch Lite, which will make you very cool with people in the 8-12yr age bracket.

ESB-2020.2898 – MongoDB: Denial of service – existing account
An authorised user could misuse the function to compare two geographic points.

ESB-2020.2899 – QEMU: Multiple vulnerabilities
Everyone’s favourite free and open-source hardware virtualiser.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 21st August 2020

Greetings,

Members, keep an eye out for a copy of the August edition of our membership newsletter “The Feed” landing in your inbox today.

This week we supported the National Scams Awareness Week 2020 as a campaign partner and shared the various messages through our social media channels; don’t forget to visit this campaign page for further details and tips on how to protect yourself against scams.

In lieu of the various member meet-ups we have been unable to host this year, our team hosted a series of webinars featuring our range of services with the focus on how to maximise the utilisation of these services. Topics covered: Malicious URL Feed, Security Bulletins and Phishing Take-Down. To catch up on the recordings of these sessions, visit our YouTube channel here.

Last but not least, we’d previously shared this on our LinkedIn page – the Australian Department of Home Affairs is inviting you to have your say on the Protecting Critical Infrastructure and Systems of National Significance Package 2020. This initiative is particularly relevant to members from the following critical infrastructure sectors:
• Banking and Finance
• Communications
• Data and the Cloud
• Defence industry
• Education, Research and Innovation
• Energy
• Food and Grocery
• Health
• Space
• Transport
• Water

Until next week, take care and have a great weekend everyone.

Over 25% of all UK universities were attacked by ransomware
Date: None
Author: Bleeping Computer
A third of the universities in the United Kingdom responding to a freedom of information request admitted to being a victim of a ransomware attack. These represent more than 25% of the universities and colleges in the country. The incidents occurred in the past decade, most of them between 2015 and 2017. Several educational institutions suffered at least two file-encrypting attacks over the past decade, one of them recording more than 40 since 2013. Digital PR and SEO agency TopLine Comms on June 29 submitted an FOI request to 134 universities in the U.K., asking if they had recorded a ransomware attack, when it happened, if they paid a ransom or not, and what the amount was if they did pay.

University of Utah pays $450K ransom to stop leak of stolen data
Date: 2020-08-20
Author: Bleeping Computer
The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack. Since the end of 2019, ransomware operators have started stealing unencrypted files before deploying their ransomware. The ransomware gang then threatens the victims by saying they will publicly leak the stolen files if a ransom is not paid.

ACT Education blocks student Gmail access after spam email storm
Date: 2020-08-14
Author: ITNews
ACT’s Education Directorate has blocked all public school students from accessing their Google email accounts after they were spammed en masse on Friday. The spam campaign emerged on Friday afternoon with an undisclosed number of students receiving dozens of emails, resulting in a reply-all “email storm”. iTnews understands some of the emails link to lewd websites and Instagram accounts, while other messages tried to solicit inappropriate images.

World’s largest cruise line operator Carnival hit by ransomware
Date: None
Author: Bleeping Computer
Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend. Carnival Corporation is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland American Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn. In an 8-K form filed with the Securities and Exchange Commission, Carnival Corporation has disclosed that one of its brands suffered a ransomware attack on August 15th, 2020. As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach.

ESB-2020.2832 – GitLab: Access confidential data – remote/unauthenticated
GitLab released new versions to fix a critical issue with deploy token access control, but owing to a packaging error, they didn’t contain the fix. A second set of versions was released soon after.

ESB-2020.2809 – Jenkins core and plugins: Multiple vulnerabilities
Sentences like these really show the complexity of software: “Jenkins […] does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability.”

ESB-2020.2852 – Cisco vWAAS: Administrator compromise – remote/unauthenticated
“A vulnerability in vWAAS … could allow an unauthenticated, remote attacker to log into the CLI … by using accounts that have a default, static password.” Cisco have rooted out countless issues like these in recent years.

ESB-2020.2680.2 – Cisco AnyConnect for Windows: Multiple vulnerabilities
This was updated with Cisco’s advice that proof-of-concept exploit code has been published.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 14th August 2020

Greetings,

If you were part of the first 600 delegates who registered for AUSCERT2020, you would have received an email earlier this week with details confirming your entitlement to a complimentary Conference Swag Bag. We trust that you’re as excited as we are that the conference is only 5 weeks away.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise usage of these within our membership group. Our last session pre AUSCERT2020 is detailed below:
• 19th August – Phishing Takedowns (register HERE)

Last but not least, next week marks the National Scams Awareness Week 2020 and as a campaign partner, AUSCERT will be sharing the various messages from this campaign through our social media channels.

Until next week, take care and have a great weekend everyone.

Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Date: 2020-08-11
Author: Threatpost
[Refer to AUSCERT related bulletins ASB-2020.0139, ASB-2020.0140 and ASB-2020.0145. Member portal login required.]
Two Microsoft vulnerabilities are under active attack, according to the software giant’s August Patch Tuesday Security Updates. Patches for the flaws are available for the bugs, bringing this month’s total number of vulnerabilities to 120. One of the flaws being exploited in the wild is CVE-2020-1464, a Windows-spoofing bug tied to the validation of file signatures on Windows 10, 7, 8.1 and versions of Windows Server. Rated “important,” the flaw allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said. A second zero-day is a remote code-execution bug rated “critical,” which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem. A successful hack gives the attacker the same user rights as the current user, the company wrote.

NSW govt agencies to face cyber security inquiry
Date: 2020-08-12
Author: iTnews
A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks. The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry. The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

Upgraded Agent Tesla malware steals passwords from browsers, VPNs
Date: 2020-08-10
Author: Bleeping Computer
New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

Travelex Forced into Administration After Ransomware Attack
Date: 2020-08-10
Author: Infosecurity Magazine
Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news. The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK. PwC remained upbeat about the future of the company, following its £84 million restructuring.

ESB-2020.2680.2 – Cisco AnyConnect client for Windows: Increased privileges
Cisco updated last week’s advisory to add that proof-of-concept exploit code is now available.

ESB-2020.2803 – Apache Struts: Multiple vulnerabilities
Apache Struts is one of those libraries deployed more widely than you’d think, and a previous vulnerability contributed to the infamous Equifax breach.

ESB-2020.2780 – Citrix Endpoint Management aka XenMobile Server: Unspecified critical vulnerabilities
Citrix released a patch assessed as critical severity without providing detail on the vulnerabilities involved, which is a fun mystery.

ESB-2020.2802 – Microsoft Dynamics 365: Remote code execution
Microsoft released a separate advisory the day after Patch Tuesday to warn of this RCE and its corresponding patch, also assessed as critical.

Stay safe, stay patched and have a good weekend!
David


Week in review

AUSCERT Week in Review for 7th August 2020

Greetings,

This week we wanted to highlight the blog we’ve written on the topic of the ProctorU breach. Key takeaways include: members are encouraged to assess it in the context of their own organisation, this breach mainly affects educational institutions who used ProctorU (prior to approximately Q3 of 2016) and AUSCERT has notified affected members through their normal incident email alias.

Thank you to those who attended our Malicious URL Feed and Security Bulletins webinars. To catch up on the content we’d presented for these, drop by our YouTube channel.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Our last session pre AUSCERT2020 is detailed below:
• 19th August – Phishing Takedowns (register HERE)

Last but not least, further to the Prime Minister’s press conference with Home Affairs Minister Peter Dutton yesterday, we wanted to share the official launch details of Australia’s 2020 Cyber Security Strategy. The Strategy outlines Australia’s approach to protecting Australians from growing cyber threats and has committed an investment of $1.67 billion over 10 years to achieve this vision. We hope you find this document a useful resource.

Until next week, take care and have a restful weekend everyone.

Australia’s Cyber Security Strategy 2020
Date: 2020-08-06
Author: Australian Department of Home Affairs
The Australian Government has today launched Australia’s Cyber Security Strategy 2020. The Strategy outlines Australia’s approach to keeping families, vulnerable Australians, critical infrastructure providers and business secure online. It is a strategy for all Australians and Australian businesses. Security is a whole-of-community effort, in which we all have a role to play. The Strategy will invest $1.67 billion to build new cyber security and law enforcement capabilities, assist industry to protect themselves and raise the community’s understanding of how to be secure online. This includes the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package. We encourage all Australians to read the Cyber Security Strategy 2020 and play your part in creating a more secure online world.

INTERPOL report shows alarming rate of cyberattacks during COVID-19
Date: 2020-08-04
Author: INTERPOL
An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure. With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption. In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

Hacker leaks passwords for 900+ enterprise VPN servers
Date: 2020-08-04
Author: ZDNet
A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. According to a review, the list includes:
• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

Phishing campaigns, from first to last victim, take 21h on average
Date: 2020-08-01
Author: ZDNet
A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work. “We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit,” the research team wrote in a report they are scheduled to present at the USENIX security conference this month.

ESB-2020.2699 – Cisco Identity Services Engine: Access confidential data – Existing account
There was a large batch of Cisco bulletins released this week.

ESB-2020.2679 – GRUB2: Multiple vulnerabilities
Further grub2 patches were released by many linux distros, including fixes for regressions.

ESB-2020.2661 – Android: Multiple vulnerabilities
Android patches released.

ESB-2020.2672 – Whoopsie: Multiple vulnerabilities
Isn’t that just a great product name!

Stay safe, stay patched and have a good weekend!
The AUSCERT team
