Publications

AUSCERT mailout: ProctorU breach An apparent data breach of the ProctorU service, apparently published by a user named ShinyHunters, has been making news in the last week, including an article yesterday in the Sydney Morning Herald. AUSCERT has acquired a copy of the data and notified affected members. ProctorU gave us the following comment: On Monday July 27, 2020, we were made aware that some information purporting to come from ProctorU.com was posted to an internet message board. Although we are still investigating, none of the data analyzed so far from that posted data was from our active production servers and all of it was at least five years old. Therefore, we currently have no reason to believe that our active production servers or data of current clients and students from the last five years was implicated. We are continuing to investigate and will update you should that understanding change or with any additional information pertinent to you. How bad is it? You will need to assess it in the context of your own organisation. It appears that none of the data is newer than 2016. It includes personal information of ProctorU users, as well as institutional email addresses, and password digests. We’re not sure of the severity of the password digests – digests can be very easy or very difficult to crack depending what they incorporate. There are reports that they are bcrypt hashes.   Was my organisation affected? It affects mainly educational institutions who used ProctorU prior to approximately Q3 of 2016. We’ve notified affected members through their normal incident email alias. An administrator for your organisation can check in the member portal what that’s set to; if it’s current, and you haven’t heard from us, then you’re clear. Not all our educational members are affected.   I’ve received a file and don’t know how to decrypt it Please log in to the member portal and consult this page for the passphrase. You’ll need a program like Kleopatra for Windows or GPG for Linux/Mac. If using the command-line, enter this and type the passphrase: gpg --output your-domain.tsv --decrypt your-domain.tsv.gpg   I’m encountering a GPG error when decrypting the file GPG has some quirks. Please check the directory containing the encrypted file to see whether the decrypted file was created despite the error message. If it’s not there, please double-check the passphrase, and if that doesn’t work, reach out to us at auscert@auscert.org.au and we’ll assist.   How do I view a TSV file? We suggest opening it in Excel or another spreadsheet program, choosing “My file is delimited”, ensuring that it uses the “Tab” as a delimiter, and ensuring that columns are of type “general”. Excel will default to all of these. You’re also welcome to use a command-line utility to split on tab characters.

AUSCERT Week in Review for 31st July 2020 Greetings, This Thursday started out with a surprise, with a responsible disclosure of GRUB2 vulnerabilities by Eclypsium. A supporting write-up and ASB have been issued by AUSCERT to help you wade through the original advisories. In other news, we are excited to announce our 3rd keynote speaker for AUSCERT2020 – Julie Inman-Grant – Australia’s eSafety Commissioner. In this role, Julie leads the world’s first government agency committed to keeping its citizens safer online. We look forward to hosting her on Friday 18th September. A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Details below: • 5th August – Security Bulletins (register HERE) • 19th August – Phishing Takedowns (register HERE) And last but not least, another quick reminder for members to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback, thank you in advance for your time and support. Until next week, have a great weekend and remember to keep washing your hands and stay 1.5m apart in public areas! Billions of Devices Impacted by Secure Boot Bypass Date: 2020-07-29 Author: Threatpost [Refer to AUSCERT bulletin ASB-2020.0135 and blog post on the AUSCERT website “There’s a hole in the boot”] The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks. Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning. GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel. Hacker leaks 386 million user records from 18 companies for free Date: 2020-07-28 Author: Bleeping Computer A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches. Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data. ShinyHunters has been involved in or responsible for a wide assortment of data breaches this past year, including Wattpad, Dave, Chatbooks, Promo.com, Mathway, HomeChef, and the breach of Microsoft private GitHub repository. Of the databases released since July 21st, nine of them were already disclosed in some manner in the past. The other nine, including Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha, have not been previously disclosed. CISO concern grows as ransomware plague hits close to home Date: 2020-07-28 Author: ZDNet Ransomware is on a roll. Garmin is currently wrestling with a ransomware-induced outage, and locally in Australia, 2020 has seen ransomware take out major companies and threaten beer supplies when it hit logistics giant Toll and beverage company Lion. Toll has only recently recovered from its second dose of the year. These sorts of attacks are starting to ring alarm bells, with APAC CISO of JLL Mark Smink telling ZDNet on Tuesday the ransomware plague has evolved a long way from where it was four or five years ago. Mystery actor disrupts Emotet malware distribution botnet Date: 2020-07-25 Author: iTnews Malware payloads replaced with animated GIFs. Security researchers are watching the infrastructure of malware delivery botnet Emotet being compromised by an unknown actor, and disrupting the criminals’ activities in the process. Microsoft cyber security researcher Kevin Beaumont wrote that someone is currently replacing the malware files distributed by Emotet with animated GIF images. The images include one of Hackerman, who starred in the internet cult classic Kung Fury. ASB-2020.0135 – Linux and Windows: Multiple vulnerabilities Summary of the GRUB2 bootloader vulnerability “BootHole” which made headlines late this week. ESB-2020.2587 – APSB20-47 Security updates available for Magento Adobe issued an out-of-band patch for 2 critical and 2 important vulnerabilities in the Magento e-commerce system, which has been famously targeted by MageCart malware in the past. ESB-2020.2599 – Cisco SD-WAN Solution Software Buffer Overflow Vulnerability Cisco’s updates this week included an unauthenticated root compromise. Quelle surprise. ESB-2020.2561 – SQLite: Multiple impacts SQLite is one of those core software projects – few people think about it, but everybody uses it. This issue was in the query optimisation engine. Stay safe, stay patched and have a good weekend! The AUSCERT team

There's a hole in the boot Introduction Responsible disclosure from Eclypsium has enabled the patches to the GRand Unified Boot Loader (GRUB) to be coordinated on the night of the 29th July 2020. Impact Modifications to the GRUB configuration file can result in the the execution of arbitrary code which can also allow UEFI Secure Boot restrictions to be bypassed.  Subsequently it is then possible to load further arbitrary executable code as well as drivers. To be able to exploit this vulnerability you first must have administrator or physical access to the target machine.  System affected The vulnerability affects Microsoft as well as Linux based distributions as it affect UEFI Secure Boot DBX, along with GRUB2. A non-exhaustive list of operating systems affected has been compiled by Eclypsium being: Microsoft UEFI Security Response Team (USRT) Oracle Red Hat (Fedora and RHEL) Canonical (Ubuntu) SuSE (SLES and openSUSE) Debian Citrix VMware Various OEMs … and others … Mitigation It is recommended that an organisation undertakes their own risk assessment, addressing the severity of the impact of administrative/root control with the need for the attacker to already have administrator or physical access to the target.  Microsoft notes that it is possible to detect this vulnerability using either Key Attestation or Defender ATP Eclypsium has outlined steps to mitigate this vulnerability as follows: Updates to GRUB2 to address the vulnerability. Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims. New shims will need to be signed by the Microsoft 3rd Party UEFI CA. Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media. Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot. Advisories AUSCERT has issued out an AUSCERT Security Bulletins (ASB) [ASB-2020.135] and will be issuing out External Security Bulletins (ESB) as they come to hand. Below are excerpts of the Product Security Incident Response Teams (PSIRT) advisory that describe in brief the Impact and vectors of these vulnerabilities. Microsoft Tag Description ADV200011 To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.   Linux Distribution Tag Description CVE-2020-10713 Crafted grub.cfg file can lead to arbitrary code execution during boot process CVE-2020-14308 grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow.6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14309 Integer overflow in grub_squash_read_symlink may lead to heap based overflow.5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14310 Integer overflow in read_section_from_string may lead to heap based overflow.5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14311 Integer overflow in grub_ext2_read_link leads to heap based buffer overflow.5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-15705 Failure to validate kernel signature when booted without shim6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-15706 Use-after-free in grub_script_function_create6.4 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-15707 Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init leads to heap based buffer overflow5.7 (Medium) /CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H   Sources Media reports Forbes : https://www.forbes.com/sites/daveywinder/2020/07/29/boothole-secure-boot-threat-confirmed-in-most-every-linux-distro-windows-8-and-10-microsoft-ubuntu-redhat-suse-debian-citrix-oracle-vmware/#2537b652666e ZDNet : https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/ Threatpost : https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/ Further information Key Attestation : https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation Defender ATP: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection UEFI Forum: https://uefi.org/revocationlistfile Canonical : https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass PSIRT Information Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 Canonical: https://ubuntu.com/security/notices/USN-4432-1 Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot HPE: www.hpe.com/info/security-alerts Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ VMware: https://kb.vmware.com/s/article/80181  

AUSCERT Week in Review for 24th July 2020 Greetings, A slightly less hectic one this week. A quick reminder to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support. Thank you also to those members who attended our Malicious URL Feed webinar which took place on Wednesday 22 July; we trust that you benefitted from the session. The good news is, we will be hosting a couple more of these sessions on different topics: 5th August – Security Bulletins (register HERE) 19th August – Phishing Takedowns (registration details TBC) And last but not least, in case you haven’t stumbled across this already, the Australian Government Department of Home Affairs have released their report on Australia’s 2020 Cyber Security Strategy. AUSCERT is very proud to have been involved in the consultation process through our parent organisation, The University of Queensland, late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences which are structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT. “Cyber security has never been more important” – we hope you find this report useful. Until next week, have a great weekend everyone! New ‘Shadow Attack’ can replace content in digitally signed PDF files Date: 2020-07-23 Author: ZDNet [The researchers disclosed this in early March, Adobe released a patch in mid-May which we published as ESB-2020.1693, and the researchers have gone public this week with information proofs of concept. This raises the public profile of the vulnerability and increases the chance that it will be exploited; patch your PDF viewer applications!] Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany. Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack. 20,000+ new vulnerability reports predicted for 2020, shattering previous records Date: 2020-07-22 Author: Help Net Security Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals. Why the internet went haywire last week Date: 2020-07-20 Author: ZDNET It was another end of the work week; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions users found their internet services failing. ESB-2020.2480 – [Win][Mac] Photoshop: Multiple vulnerabilities Adobe’s patch day included arbitrary code execution upon opening a crafted file. ESB-2020.2460 – [Win][UNIX/Linux] Python: Execute arbitrary code/commands – Remote with user interaction Insecure linked library loading in the pliable language led to potential privilege escalation. ESB-2020.2260.7 – UPDATED ALERT [Appliance] F5 Networks: Multiple vulnerabilities F5’s fix for a critical unauthenticated RCE in their Traffic Manager User Interface has received a lot more information this week, including a warning that the Viprion B2250 Blade may have problems with the provided patch. ESB-2020.2464 – [Win][UNIX/Linux] Moodle: Multiple vulnerabilities Moodle released three advisories marked “serious” and one marked “minor”, including teachers for a course being able to assign themselves as a manager of that course and increase their own privileges. ESB-2020.2541 – [Linux] QRadar Advisor: Access confidential data – Console/Physical Just for a change of pace, here’s a simple one: IBM accidentally didn’t obscure the password field in a login form, so someone could read it over your shoulder. CVE-2020-4408. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 17th July 2020 Greetings, Have we been busy! This week has been another tough one for networking vendors. SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP. And last but not least, an AUSCERT membership email would have landed in your inbox this week containing some important updates for July 2020: An invitation to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback, thank you in advance for your time and support! An update regarding our Quarter 2; an overview of the cyber security incidents reported by members, from 1 April – 30 June 2020 and includes a summary of other key achievements this quarter. An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July. Until next week, wishing everyone a restful weekend. Critical SAP Recon flaw exposes thousands of systems to attacks Date: 2020-07-13 Author: Bleeping Computer [Refer to AUSCERT bulletin ESB-2020.2381] SAP patched a critical vulnerability affecting over 40,000 systems and found in the SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments. The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team. Microsoft urges patching severe-impact, wormable server vulnerability Date: 2020-07-15 Author: Ars Technica [Refer to AUSCERT bulletin ASB-2020.0120; member portal login required] Microsoft is urgently advising Windows server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer. The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday. Cyber experts urge Australia to develop local capability to defend against hackers Date: 2020-07-12 Author: Sydney Morning Herald Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy. Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market. Thousands of shop, bank, and government websites shut down by EV revocation Date: 2020-07-13 Author: Netcraft More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge. On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked. SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework Date: 2020-07-13 Author: CISION PR Newswire [SANS Institute will be speaking and are a sponsor at AUSCERT2020.] A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how to best leverage the MITRE ATT&CK Framework to improve their organization’s security posture. Outlook down? How to fix it Date: 2020-07-15 Author: ZDNet It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worst. For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service also launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem. ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities A critical Vulnerability in SAP NetWeaver AS Java is identified and applying critical patches as soon as possible is recommended. ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server. ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch. ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device. Stay safe, stay patched and have a good weekend! Vishaka

Q2 2020 report Report and Stats We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our services stats for Quarter 2 2020. This report provides an overview of the cyber security incidents reported by members, from 1 April – 30 June 2020 and includes a summary of other key achievements this quarter. Attached Documents auscert-q2-2020-report-and-stats.pdf

AUSCERT Week in Review for 10th July 2020 Greetings, This week saw us starting the week with a critical alert for members to urgently patch the multiple vulnerabilities found within F5’s BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation. This week we also learned about CVE-2020-2034, a critical vulnerability in Palo Alto’s PAN-OS. And CVE-2020-1654 affecting Juniper’s SRX Series devices. It’s been a tough week for networking vendors. Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about and hopefully it comes in handy for you too. Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service and will be part of a long-term service improvement project. We look forward to collating our member thoughts and feedback! Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home. Critical F5 BIG-IP vulnerability made public Date: 2020-07-06 Author: ITNEWS [See also AUSCERT bulletin ESB-2020.2260.5.] Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public. Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices. The vulnerability rates as 10 out 10 on the Common Vulnerabilities Scoring System, and lies in lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices. Citrix Bugs Allow Unauthenticated Code Injection, Data Theft Date: 2020-07-07 Author: Threatpost [Refer to AUSCERT bulletin ESB-2020.2310] Admins should patch their Citrix ADC and Gateway installs immediately. Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products ?(formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO. Exploit developed for critical Palo Alto authentication flaw Date: 2020-07-06 Author: The Daily Swig (Portswigger) Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks. The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but high severity – rating a maximum 10 on the CVSS scale. Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply patches released last week or remove the risk of attack by switching authentication methods. “Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises. “They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.” Microsoft takes down domains used in COVID-19-related cybercrime Date: 2020-07-07 Author: Bleeping Computer Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic. The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to help harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks. The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps. $2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise Date: 2020-07-06 Author: The Conversation Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before. The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report. But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before. Mozilla suspends Firefox Send service while it addresses malware abuse Date: 2020-07-07 Author: ZDNet Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism. Windows 10’s Microsoft Store Codecs patches are confusing users Date: 2020-07-05 Author: BleepingComputer On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library [known as the HEVC packages]. They stated that they affected both Windows 10 and Windows Server at the time. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store. Even more confusing, the advisories did not explain what Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update. Microsoft Defender ATP web content filtering is now free Date: 2020-07-06 Author: BleepingComputer The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license. Web Content Filtering is part of Microsoft Defender ATP’s Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category. The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge). ESB-2020.2310 – Citrix: Multiple vulnerabilities Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues. ESB-2020.2260.5 – UPDATED ALERT F5 Networks: Multiple vulnerabilities A new mitigation has been developed and published to address an RCE vulnerability in the TMUI. ESB-2020.2339 – Citrix Hypervisor products: Multiple vulnerabilities Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor. ESB-2020.2309 – Android: Multiple vulnerabilities Multiple security vulnerabilities identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues. ESB-2020.2305 – firefox: Multiple vulnerabilities An update has been released to address multiple vulnerabilities in Firefox. ESB-2020.2297 – thunderbird: Multiple vulnerabilities Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code. ESB-2020.2296 – php7.0: Multiple vulnerabilities Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code. Stay safe, stay patched and have a good weekend! Vishaka

AUSCERT Week in Review for 03rd July 2020 Greetings, This week we welcomed the announcement of a record $1.35 billion investment in cyber security by the Australian Government. Hopefully this funding package will mean more Australian organisations can identify the ever-present cyber threats and protect themselves against these challenges. As always, AUSCERT is supportive of both the ASD and ACSC in their vital work within this industry and hope to leverage their expertise in our mission to help members prevent, detect, respond to and mitigate cyber-based attacks. Following the discovery of the Palo Alto vulnerability, we wanted to take this opportunity to remind members to update us with all relevant domains and IP ranges – via our member portal – that you want to receive alerts for. In this particular instance, affected members were contacted directly with a tailored email and it would have been a shame to be left off this list. And last but not least, a reminder that tutorial and workshop registrations for Virtual AUSCERT2020 is now open and priority access will be granted to all AUSCERT members. Spots are filling up fast so be sure to get in quick! Until next week, wishing everyone a restful weekend, especially the parents amongst us who are in the midst of or about to start their school holiday breaks. … Inside the hacking attacks bombarding Australia Date: 2020-06-29 Author: ABC News Who are these people? Who is directing them? What are they after? And most important of all — how can they be stopped? Questions like these have been asked more urgently since Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”. Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers. It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom. Microsoft releases urgent security updates for Windows 10 Codecs bugs Date: 2020-07-30 Author: Bleeping Computer [Refer to AUSCERT Bulletin ASB-2020.0117, which is member-only content.] Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. Both desktop and server platforms affected. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory. Beware “secure DNS” scam targeting website owners and bloggers Date: 2020-06-29 Author: Naked Security If you run a website or a blog, watch out for emails promising “DNSSEC upgrades” – these scammers are after your whole site. The psychology of social engineering—the “soft” side of cybercrime Date: 2020-07-30 Author: Microsoft Security Blog Forty-eight percent of people will exchange their password for a piece of chocolate, 91 percent of cyberattacks begin with a simple phish, and two out of three people have experienced a tech support scam in the past 12 months. What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business. Over 82,000 Aussies’ details leaked in crypto scam Date: 2020-07-01 Author: ITNews Personal details of tens of thousands of Australians who fell for a fraudulent cryptocurrency investment scheme that used fake media sites and celebrity endorsements have been leaked onto the web. Singaporean security vendor Group-IB discovered 248,926 sets of personally identifable information, of which 82,263 records were from Australian users, leaked by an unknown party. Details leaked include names, email addresses and phone numbers. ESB-2020.2239 – misp: Multiple vulnerabilities A new version of MISP released with a significant refactoring of the STIX import/export along with many improvements. ESB-2020.2234 – chromium-browser: Multiple vulnerabilities An important update for Chromium has been released that fixes a bug in Use After Free in extensions. ESB-2020.2208 – McAfee Enterprise Appliance : Multiple vulnerabilities McAfee Security Bulletin – Enterprise Appliance updates address two vulnerabilities ESB-2020.2271 – Cisco Systems: Multiple Vulnerabilities Cisco has released software updates that address Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability Stay safe, stay patched and have a good weekend! Vishaka

How to use the YARA rules for the "Copy-paste compromises" advisory Regarding today’s “copy-paste compromises” advisory from the ACSC, we’ve had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided. This is a how-to guide for YARA rules you may have received. Here is our full commentary on the alert. Downloading the files Feel free to download them from the original source; however, we’ve had some enquiries asking for assistance with this, so have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements. Original ACSC source on cyber.gov.au AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP AUSCERT AusMISP on AusMISP The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol, in which case here’s how to use them. The green level does not permit us to redistribute them. Indicators of compromise in CSV We’re not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide. YARA rules YARA rules are a widely-used way to format IoCs in a way which can be used by scanning engines. Some more info, and the official source, and the official documentation. How to use Yara rules on your entire fleet (if you’re prepared and lucky) Many Endpoint Detection and Response (EDR) solutions provide Yara support. If you have one deployed, you can import the Yara rules and run it, which will be relatively quick and easy. If not, you could try using your existing fleet management system to deploy Yara and run a scan. E.g. for Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of group policy background script to run the scan and deliver results. If you try this, we’d love to hear how it goes, and we’d also love any info or scripts you can provide that might help other members. Consider whether this is worth doing for your fleet. Otherwise, keep reading. How to use Yara rules on Windows Official binaries are available so you’re in good shape. Head to their Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip). Once in, you can scan individual directories or drives, ideally in an admin shell: yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C: (the yarac.exe binary is for compiling rules, which you probably don’t need to do.) How to use Yara rules on Linux Your distribution’s package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros’ repositories is out of date and may contain security vulnerabilities, so check the version – the latest release at time of writing is v4.0.1, updated mid-May 2020. yum install yara apt install yara To scan your entire system: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / If the error messages for file permissions are giving you more noise than signal, you can mute them: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions. If your distribution’s version is unacceptable, the Yara project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process. How to use Yara rules on macOS Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions. brew install yara To scan your entire system: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / If the error messages for file permissions are giving you more noise than signal, you can mute them: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null  Or only scan specific parts: yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts What to do if you find something Firstly, any rule matches starting with “heuristic” are just that – heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don’t panic when you see them, and don’t start by investigating them. Consider advising the ACSC that you need assistance. Copying their advice here for convenience: If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371). If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice. It’s also worth noting that the ACSC’s advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging – just make it a priority on Monday.

AUSCERT Week in Review for 26th June 2020 Greetings, This week we’ve observed an increase in business email compromise cases so we thought it was pertinent to share this updated blog post here. Our top 3 tips to combat this threat are listed below; please help us spread this message along to your colleagues: Educate users, particularly those that handle payments, of the nature of the attack Follow up email requests with a telephone call to verify their veracity Implement appropriate checking of financial transactions Following on from the ACSC advisory issued on Friday last week, we would like to feature (and reiterate again) the following blog post containing practical tips on “How to use the YARA rules for the copy-paste compromises”. If you’ve received YARA rules, then this will help you use them. If not, we aren’t able to share them with you. And last but not least, members, a reminder that with the effective establishment of Slack, our member IRC channel will be decommissioned from Wednesday 1st July, 2020. For those of you wanting to join us on Slack, please do so by logging in with your member portal credentials here. We hope that everyone enjoys a safe and restful weekend. NVIDIA patches high severity flaws in Windows, Linux drivers Date: 2020-06-24 Author: Bleeping Computer NVIDIA has released security updates to address security vulnerabilities found in GPU Display and CUDA drivers and Virtual GPU Manager software that could lead to code execution, denial of service, escalation of privileges, and information disclosure on both Windows and Linux machines. Although all the flaws patched today require local user access and cannot be exploited remotely, with attackers having to first get a foothold on the exposed machines to launch attacks designed to abuse these bugs. Once that is achieved, they could take exploit them by remotely planting malicious code or tools targeting one of these issues on devices running vulnerable NVIDIA drivers. Twitter is “very sorry” for a security breach that exposed private data of business accounts Date: 2020-06-24 Author: The Tech Portal Twitter is back in cybersecurity news, as the company reports yet another data breach via its platform. In an email sent to its business users, Twitter said that there is a “possible” data breach that may have exposed private information of these accounts. Business users are generally those accounts which advertise on the platform. Australian security cameras hacked, streamed on a Russian-based website Date: 2020-06-24 Author: ABC News Australians are being filmed through private security cameras that are being streamed on a website based in Russia. Key points: * The Insecam website broadcasts live streams of compromised web-connected security cameras and webcams * The site allows people to control the cameras by zooming in and out and moving the camera around * The group behind the website denied it hacked the cameras Hackers use Google Analytics to steal credit cards, bypass CSP Date: 2020-06-22 Author: Bleeping Computer Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites. New taskforce to push cyber security standards Date: 2020-06-22 Author: iTnews A cross-sector taskforce of experts from the defence, energy, health and financial services sectors has been created to accelerate the adoption of industry cyber security standards across Australia. The taskforce, which held its first meeting on Monday, is the result of an “Australian-first” collaboration between the NSW government, AustCyber and Standards Australia. It follows earlier reports on Monday that the federal government is crafting minimum cyber security standards for businesses, including critical infrastructure, as part of its next cyber security strategy. ESB-2020.2191 – telnet multiple vulnerabilities A serious remote code execution vulnerability found in Cisco IOS XE Software. ESB-2020.2116.2 – Cisco Webex Meetings Desktop App multiple vulnerabilities Another code execution vulnerability was patched in the Cisco Webex Meetings Desktop App. ESB-2020.2206 – kernel multiple vulnerabilities Multiple Nvidia code execution vulnerabilities patched on Ubuntu. Stay safe, stay patched and have a good weekend! The AUSCERT Team

Business Email Compromise June 2020 update Here at AUSCERT, we’ve again seen an increase in instances of business email compromise and would like to take this opportunity to update the list of useful resources on this topic.  Scammers will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainties surrounding the COVID-19 pandemic and remote working.  You may find the following articles useful:  Advice from the ACSC (cyber.gov.au): Understanding and preventing BECScamwatch: The cost of BEC (report from 2019)Threatpost: General advice from Threatpost on issues caused by working from home, including BEC_____ We’ve blogged about this before, but instances of business email compromise (BEC) are increasing. The FBI is warning potential victims of a dramatic increase in the BEC scam, with a 270% increase in identified victims and exposed loss since January 2015. From October 2013 through February 2016, losses have exceeded USD 2.3 billion. BEC scams work because they target specific employees of an organisation with email that appears to be from their CEO, asking for a wire transfer of funds to a nominated recipient. Criminals either compromise the CEO’s email account through phishing, or they use a very similar domain to the targeted organisation to send the message from. Often, the fraud targets organisations that regularly perform wire transfer payments. The emails avoid being caught as spam because they are not mass-mailed and address specific individuals. There are some actions you can take to combat this threat: Educate users, particularly those that handle payments, of the nature of the attack. Follow up email requests with a telephone call to verify their veracity. Implement appropriate checking of financial transactions. Implement Sender Policy Framework (SPF) to prevent attackers from impersonating your domain; and to help detect and block emails sent to your organisation that use forged domains. Don’t click on links or open attachments in unsolicited emails. Keep desktop anti-malware up to date. Don’t use your computer day-to-day with an administrator account. https://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scamshttps://www.ic3.gov/media/2015/150827-1.aspx

AUSCERT commentary "major cyber attack on Australian governments and business" Friday 19 June 2020 11.45am AEST This morning Prime Minister Scott Morrison and Minister for Defence Linda Reynolds announced that Australian organisations, including governments and businesses, are currently being targeted by a sophisticated foreign “state-based” actor. [1] The Prime Minister says there does not appear to have been any large scale breaches of people’s personal information but described the attacks as malicious.  “It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.” As an initial step, we encourage everyone to follow the Government’s latest advisory from the ACSC and ASD. [2]  Echoing the words of the Minister for Defence Linda Reynolds, we recommend members promptly patch internet-facing software, devices and operating systems and to implement multifactor authentication across all remote services. [2] In addition to the above, this most recent advisory from the ACSC has identified that threat actors are using exploits that are publicly known to have patches or mitigations available.The following vulnerabilities CVE-2019-18935, CVE-2019-19781 and CVE-2019-0604 are actively being used for initial access.  AUSCERT strongly encourages members to ensure that all Microsoft Sharepoint, Citrix ADC, Citrix Gateway and Telerik UI are kept up to date. Members, this is the time to review the vectors of vulnerability and see if any indicators of compromise can be found attempting to access your network or has left traces of their activity within your networks.   After the IoCs have been verified not to have affected your network, it will be beneficial to then review and apply ASD’s Essential 8 where applicable. [3] With respect to the IoCs shared on [2], our team has taken the steps to consume this into our MISP instance and are happy to coordinate the sharing of relevant information with our members. As always, members are welcome to contact us for any further information and assistance via auscert@auscert.org.au.  Last but not least, AUSCERT is working with our international counterparts in cyber security to handle the indicators of compromise (IoC). [1] https://www.abc.net.au/news/2020-06-19/foreign-cyber-hack-targets-australian-government-and-business/12372470 [2] https://www.cyber.gov.au/news/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks [3] https://www.cyber.gov.au/publications/essential-eight-explained Additional references: Recent ACSC Advisories via https://www.cyber.gov.au/ Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks (18 June 2020) Advisory 2020-006: Active exploitation of vulnerability in Microsoft Internet Information Services last updated 22nd May 2020 Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors last updated 22nd may 2020  Recent NIST Advisories via https://www.nist.gov/ https://nvd.nist.gov/vuln/detail/CVE-2019-18935 https://nvd.nist.gov/vuln/detail/CVE-2019-19781 https://nvd.nist.gov/vuln/detail/CVE-2019-0604   Our own guidance on consuming YARA rules https://wordpress-admin.auscert.org.au/blog/2020-06-19-how-to-use-yara-rules-copy-paste-compromises-advisory