Publications

AUSCERT Week in Review for 20th November 2020 Greetings, This week saw us supporting a couple of initiatives. We attended the 32nd Annual FIRST Conference which was held virtually. Despite the time difference, we were able to catch up on a number of presentations delivered at the conference on-demand. Most if not all of you would be familiar with FIRST which is the global Forum of Incident Response and Security Teams. As a proud member of FIRST for the past 24 years, AUSCERT is grateful to have been able to participate again in 2020. The other initiatives we supported this week were the International Fraud Awareness Week campaign which is an initiative run by the International Association of Certified Fraud Examiners (ACFE) – mainly on our social media platforms. We also supported the Australian Security Intelligence Organisation (ASIO) information campaign called Think Before You Link. The aim of the campaign is to raise awareness of the threat of foreign spies that are actively undertaking espionage and foreign interference in Australia, as well as to provide advice on how to reduce risk and respond to suspicious approaches. We shared this through our ADIR earlier in the week, please feel free to share it with colleagues. And last but not least, don’t forget – we’ve launched our AUSCERT2021 Call for Papers initiative. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. AUSCERT members, we would love to see YOUR submissions containing stories, whether it be one of success or failure! The “heart” of our conference has always been about knowledge sharing and collaboration, so if you’ve got a story to share, AUSCERT may be able to provide you a stage. Feel free to share this with your network Until next week, have a wonderful weekend everyone. Retail giant Cencosud hit by Egregor Ransomware attack, stores impacted Date: 2020-11-14 Author: Bleeping Computer [Egregor continues to make waves in the sector, the AUSCERT team recently presented a case study on our Incident Management service which can be found on our website under Blogs & Publications. Be sure to note our 3-takeaways.] Chilean-based multinational retail company Cencosud has suffered a cyberattack by the Egregor ransomware operation that impacts services at stores. Cencosud is one of the largest retail companies in Latin America, with over 140,000 employees and $15 billion in revenue for 2019. Cencosud manages a wide variety of stores in Argentina, Brazil, Chile, Colombia, and Peru, including Easy home goods, Jumbo supermarkets, and the Paris department stores. Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation Date: 2020-11-17 Author: ZDNet [Refer to AUSCERT security bulletin ESB-2020.4090.] Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol. Chrome 87 also comes with a fix for a new attack disclosed at the end of October by Samy Kamkar, a famous security researcher and computer hacker. Cisco fixes WebEx bugs allowing ‘ghost’ attackers in meetings Date: 2020-11-18 Author: Bleeping Computer [Refer to AUSCERT security bulletin ESB-2020.4095.2 on our website.] Cisco has fixed today three Webex Meetings security vulnerabilities that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants. Cisco Webex is an online meeting and video conferencing software that can be used to schedule and join meetings. It also provides users with presentation, screen sharing, and recording capabilities. Threat actors abusing the now patched flaws could become ‘ghost’ users capable of joining a meeting without being detected as IBM researchers discovered while analyzing Cisco’s collaboration tool for vulnerabilities. Cyberattacks targeting health care must stop Date: 2020-11-13 Author: Microsoft On The Issues Blog [We are sharing this as an additional read to the alert issued by the ACSC (cyber.gov.au) on Friday 13 Nov regarding the observed increased activity by threat actors using the SDBBot Remote Access Tool (RAT) against the Australian health sector.] Two global issues will help shape people’s memories of this time in history – Covid-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic. We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act. Ticketmaster Scores Hefty Fine Over 2018 Data Breach Date: 2020-11-13 Author: Threatpost Ticketmaster’s UK division has been slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers. The fine (£1.25million) has been levied after the ICO found that the company “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” – a failure which violates the E.U.’s General Data Protection Regulation (GDPR). ESB-2020.4090 – Google Chrome: Multiple vulnerabilities Multiple fixes for the world’s most popular browser ESB-2020.4082 – Mozilla Firefox: Multiple vulnerabilities Multiple fixes for another popular browser ESB-2020.4095.2 – UPDATE Cisco Webex Meetings and Cisco Webex Meetings Server: Multiple vulnerabilities Fixes released to address ‘ghost’ attackers in webex meetings ESB-2020.4128 – postgresql12: Multiple vulnerabilities PostgreSQL database issues patched Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 13th November 2020 Greetings, This week we launched our AUSCERT2021 Call for Papers initiative. Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference. AUSCERT members, we would love to see YOUR submissions containing stories – whether they’re of success or failure! The “heart” of our conference has always been about knowledge sharing and collaboration, so if you’ve got a story to share, AUSCERT may be able to provide you a stage. Feel free to share this with your network. This week we also celebrated NAIDOC Week 2020 with friends from Baidam Solutions. We were proud to host a panel session and an online screening of the film “In My Blood It Runs”. This film is an observational feature documentary following 10-yr-old Arrernte Aboriginal boy Dujuan as he grows up in Alice Springs, Australia. The work we do in terms of reconciliation in this country is ongoing, the producers of this film have shared a resource of First Nations-led solutions we can all explore here. With November 2020’s Patch Tuesday taking place this week, be sure to note our Security Bulletins highlighted below. And last but not least, we would like to quickly highlight the following alert issued by the ACSC (cyber.gov.au) just this morning on the SDBBot targeting our country’s health sector. For those of you who celebrate – Happy Diwali, may it be filled with light despite the year we’ve all had. Until next week, have a wonderful weekend everyone. Intel fixes 95 vulnerabilities in November 2020 Platform Update Date: 2020-11-11 Author: Bleeping Computer [AUSCERT issued an alert on CVE-2020-12321 and 12322 yesterday, please refer to ESB-2020.3962] Intel addressed 95 vulnerabilities as part of the November 2020 Patch Tuesday, including critical ones affecting Intel Wireless Bluetooth products and Intel Active Management Technology (AMT). The issues were detailed in the 40 security advisories published by Intel on its Product Security Center, with the company having delivered security and functional updates to users through the Intel Platform Update (IPU) process. Microsoft, Amazon, Cisco, Salesforce alarmed at security incident response takeover by govt Date: 2020-11-09 Author: iTnews Microsoft, AWS, Telstra, Cisco and Salesforce reacted with alarm at the prospect of direct administrative intervention by Australian authorities to counter cyber security threats against certain customers. Draft laws proposed by Home Affairs include “last resort” government assistance powers that, in “exceptional circumstances”, would allow the government to intervene in a particularly threatening attack scenario. The powers are broad – allowing the government to install programs, “access, add, restore, copy, alter or delete data”, alter the “functioning” of hardware or remove it entirely from premises, according to an exposure draft of the bill published today. IoT security is a mess. These guidelines could help fix that. Date: 2020-11-10 Author: ZDNet The supply chain around the Internet of Things (IoT) has become the weak link in cybersecurity, potentially leaving organisations open to cyber attacks via vulnerabilities they’re not aware of. But a newly released set of guidelines aims to ensure that security forms part of the entire lifespan of IoT product development. New guidelines from European Union Agency for Cybersecurity (ENISA) recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure. Chinese hacking competition cracks Chrome, ESXi, Windows 10, iOS 14, Galaxy 20, Qemu, and more Date: 2020-11-09 Author: The Register VMware has taken the unusual step of warning about an imminent security advisory after a Chinese team successfully popped its flagship product. News of the crack came from Tianfu Cup, a hacking contest staged in China over the weekend and modelled on events like “Pwn2Own” where vendors allow teams to take down their wares under controlled conditions. The targets for the competition included the iPhone 11 running the new iOS 14, and the big four browsers – Chrome, Safari, Firefox and Edge. Cup organisers said 11 of the attacks succeeded. Play Store identified as main distribution vector for most Android malware Date: 2020-11-11 Author: ZDNet The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date. Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019. In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps. ESB-2020.4051 – Apache OpenOffice: Execute arbitrary code/commands – Remote with user interaction A malicious document can contain links to any executable on the system triggered via a single click. ESB-2020.4043 – MISP: Multiple vulnerabilities An important SSRF vulnerability fixed, and numerous improvements. ESB-2020.3962 – Intel Wireless Bluetooth products: Multiple vulnerabilities One of around 40 Intel advisories released this week. This wireless issue is remotely exploitable. ASB-2020.0206 – Microsoft Windows: Multiple vulnerabilities Microsoft released numerous fixes for many products this week as part of its monthly ‘Patch Tuesday’. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Week in Review for 6th November 2020 Greetings, This week, our team enjoyed participating in the Inaugural AHECS Cybersecurity Summit “Bridging the Gap”. Well done to all partners involved: AARNet, Australian Access Federation (AAF), REANNZ and especially to the team from CAUDIT. Several great takeaways from the presentations delivered over the 2.5 days which focussed on the various cybersecurity threats and safeguard measurements we should be adopting in order to protect the reputation of Australasia’s universities. We also sat down with Sean, an analyst in our team, to put together a case study on AUSCERT’s Incident Management service; one that is integral to our organisation as a CERT. Coincidentally, this week marks our 24th anniversary as part of FIRST, very proud of our rich history as a CERT! Next week will see us celebrating NAIDOC Week 2020 with friends from Baidam Solutions. We are pleased to invite you to an online screening of the film “In My Blood It Runs” on Thursday 12 November. This film is an observational feature documentary following 10-yr-old Arrernte Aboriginal boy Dujuan as he grows up Alice Springs, Australia. Preceding this screening will be a 20-minute panel discussion. For further details and to RSVP, please visit our website here. Last but not least, we must apologise – due to unforeseen circumstances, we have had to delay the launch of our AUSCERT2021 Call for Papers initiative. We’re confident this will be announced early next week though. So please keep an eye out for details on this launch on our communication channels. Until next week, have a wonderful weekend everyone. UK cyber-threat agency confronts Covid-19 attacks Date: 2020-11-03 Author: BBC News [The NCSC Annual Review 2020 was released on 03 Nov; to find out more, please refer to their website directly.] More than a quarter of the incidents which the UK’s National Cyber Security Centre (NCSC) responded to were Covid-related, according to its latest annual report. The review covers the period from September 2019 to August 2020, so the pandemic occupied an even higher proportion of the agency’s efforts after the first lockdown began. In total there were 723 incidents of all kinds, marking close to a 10% rise on the previous period. Of those, 194 were Covid-related. Sustained targeting of the health sector Date: 2020-10-30 Author: ACSC (cyber.gov.au) [Further resources can also be found on the AUSCERT LinkedIn page] The Australian Signals Directorate’s Australian Cyber Security Centre has identified a sustained campaign by sophisticated cybercrime actors impacting the Australian health sector. We continue to see activity against the health sector similar to the increase of identified Emotet activity in Advisory 2020-17: Resumption of Emotet malware campaign. This type of campaign is not limited to Australia, with the United States of America Cybersecurity and Infrastructure Security Agency (CISA) recently issuing a cyber security alert. This alert identifies a campaign, with Emotet and TrickBot being used to further deploy Conti or Ryuk ransomware variants. The alert also provides detection and mitigation advice. While this campaign is targeted at the health sector, the ACSC recommends that all Australian organisations read the two documents linked above and follow their recommended mitigation advice. Google patches second Chrome zero-day in two weeks Date: 2020-11-02 Author: ZDNet Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability [identified as CVE-2020-16009] that is currently actively exploited in the wild. In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day. Govt kicks off long-awaited Privacy Act review Date: 2020-10-30 Author: iTnews The federal government has kicked off its review of the Privacy Act, which will consider whether Australians should have the right to have their personal information erased like in the European Union, among other reforms. Attorney-General Christian Porter on Friday released the terms of reference for the wide-ranging review that the government committed to undertake in response to the digital platforms inquiry in December 2019. The review will consider whether the Privacy Act, which has not been amended since the introduction of the Australian Privacy Principles (APP) in 2012, remains fit for purpose in the digital economy. The energy-sector threat: How to address cybersecurity vulnerabilities Date: 2020-11-03 Author: McKinsey & Company Electric-power and gas companies are especially vulnerable to cyberattacks, but a structured approach that applies communication, organizational, and process frameworks can significantly reduce cyber-related risks. ESB-2020.3893 – gnome: Multiple vulnerabilities Gnome vulnerabilities offered attackers opportunity to complete remote code execution, denial of service, cross-site scripting, and privileged & confidential data access. ESB-2020.3833.2 – Cisco IOS XR Software: Multiple vulnerabilities Cisco’s enhanced Preboot eXecution Environment (PXE) boot loader for Cisco IOS XR 64-bit Software allowed an unauthenticated, remote attacker to execute unsigned code during the PXE boot process on an affected device. ESB-2020.3818 – Cisco Identity Services Engine: Multiple vulnerabilities Cisco Identity Services Engine (ISE) web-based management interface vulnerabilities allows an authenticated, remote attacker with administrative credentials to conduct cross-site scripting, remote code execution attacks, and compromise root. ESB-2020.3598.2 – UPDATE VMware Products: Multiple vulnerabilities VMware have updated patch version details associated with their earlier advisory after release of ESXi patches that completed the incomplete fix for CVE-2020-3992, which carries a 9.8 Critical CVSS3 score. ESB-2020.3789 – ALERT wordpress: Multiple vulnerabilities Multiple vulnerabilites reported against WordPress, permitting opportunity for remote code execution, privilege escalation, cross-site request forgery, denial of service and cross-site scripting attacks. ESB-2020.3777 – BIG-IP Products: Multiple vulnerabilities BIG-IP Products affected by Administrator compromise, remote code execution and cross-site Scripting vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT case study: an insight into our Incident Management service November 2020  AUSCERT case study: an insight into our Incident Management service Featuring Sean McIntyre, AUSCERT Senior Info Security AnalystYou recently assisted a client who came to us via Chris Gatford, a long-time AUSCERT supporter and contributor to our annual conference. Can you tell us a little bit more about the incident and what service category/categories did this fall under? Sure thing! A few weeks ago AUSCERT was called upon to assist Chris with a cyber security incident he was dealing with on behalf of a client. We won’t be able to disclose too many specific details out of respect for the client; but basically, the incident  involved a new threat actor that has popped up – Egregor (we recently shared an article about this on our ADIR) – a Sekhmet ransomware spin-off, also linked to the Maze threat actor group. We started off without knowing too much information on this particular ransomware nor its threat vectors; but with some research and a thorough scan of our various OSINT resources, I was able to find samples of the malware and some IOCs proved useful in assisting this client.  Another channel we tapped into was our connection with the various CERTs around the world. In particular, the APAC region – thanks to our international liaison expert, Geoff Thonon, who is also our Operations Manager here at AUSCERT.  Quite a few Egregor malicious URLs were discovered over this period of investigation and Chris had also provided a few more to be taken down. These requests were sent off to a number of  hosting and domain providers as per our routine Phishing Take-Down service procedure. And last but not least, we added these URLs to our Malicious URL Feed and IOCs to our MISP instance as a way of sharing the details with (i.e. protecting) our members.  I would say that this particular request falls under our Incident Management (although on the “lighter” side of a scale), Phishing Take-Down and Malicious URL Feed service categories.  Between receiving this request and to the time that the incident was resolved, can you outline the time it took our incident response team to resolve the issue? What do you think sets AUSCERT apart from a service delivery point of view? From AUSCERT’s perspective, we always initiate action on any request that comes through as soon as possible and definitely within a 24-hour period. In this instance, our expertise was sought after in regards to this new ransomware/threat actor. We were able to provide Chris with some of this threat intelligence and information over a couple business days of research work. Take-down requests for the initial URLs that were provided to us by Chris were submitted instantaneously, with follow-ups done whenever additional URLs were submitted on behalf of his client.   Even though these take-down requests were actioned promptly on our end, it’s important to note that we were reliant on the hosting providers to action them. Thankfully, most of the URLs seemed to stop functioning/existing within 1 business day or so after the request(s) was/were submitted.  I think what sets AUSCERT apart is our reach and connection with the CERT community, and also the fact that our member incident hotline is open 24/7. There’s a saying here at AUSCERT, “We exist for the greater good” – and we really try and showcase this with our members. Sean, what do you think are the 3 key takeaways from this incident, what can members or clients do to avoid something similar happening to them in the future?  Review your operating system (OS) compliance. It is super important to make sure unmaintained OSs such as Windows XP are taken off the network where possible. If an outdated OS is supplied by a vendor on a core system/endpoint – please work with them to upgrade all products. This is a super simple yet most effective way to avoid such incidents from happening within your SME. Ingest IOCs of known malware into firewalls/SIEM. These can be found via various OSINT sources or via a trusted partner such as AUSCERT. If you’re a member, utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au. Where possible, implement the “Essential 8” as outlined by the ACSC. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

AUSCERT2020 interview with Chris Gatford AUSCERT2020 Conference Interview: Chris Gatford from Hacktive.io Leading up to the AUSCERT2020 conference, we sat down with Chris Gatford from Hacktive.io about his involvement in the conference and the recent work he has done for the SBS. Tell us about your professional career? I was the type of kid that would take my toys apart and put them back together with less parts, and then terrorise my sister. Looking back, I would like to think that this was the start of my hacking passion. I think it’s important to remember that hacking is not just about breaking into computer systems. It’s a way of thinking, and a method for approaching problems such as out-of-the-box thinking and solving problems by doing things differently. I was introduced to the IT industry as a child and after creating my own computer out of a cardboard box and motherboard, I soon realised I had a knack for this. After school, I completed a business computing degree and became a system administrator. I was responsible for looking after computer networks and had to draw on out-of-the-box thinking whenever an issue arose. During this role, my interest in security began to grow. After several years, I eventually jumped into The Big Four and got involved in IT consulting and testing computer security. You are the founder and Director of Hacktive.io, what does your company do? Hacktive.io is actually my second business. My first business venture was founded in 2008 and I sold it soon after. I learnt a lot from this experience and started my second business Hacktive.io. At Hacktive.io, we engage with organisations across the world and test their physical security and computer/network security. We focus on helping our clients understand the security vulnerabilities of their networks, applications, premises, and their people. Can you expand further on social engineering tests and how these tests are completed?  Often a customer will approach Hacktive.io and request that their company’s environment (a building or third party site) get tested. Firstly, we obviously get permission from the company. Then we will conduct the social engineering tests on the physical environment, the people/employees of the company, and their IT department. Following the social engineering test, we teach the company how they can better defend themselves against hackers. More so now, than ever before, individuals and employees are getting targeted by hackers. We equip businesses with common and useful tools that are available to everyone. What made you want to be a part of the AUSCERT2020 Conference? I have been a long believer and supporter of AUSCERT, and have attended every conference since 2003. The fact that it’s the oldest IT security conference, and it’s still going strong after all these years, is a huge testament to the company. To be among so many professionals who share information on staying secure is a huge honour. Can you tell us more about the tutorial you ran at the conference?  My tutorial was on “How to build a security awareness training program” and demonstrated how Hacktive had infiltrated and extracted sensitive information from organisations, and the mechanics involved in an attack. I discussed how to reverse the process and understand the mechanisms involved in breaking into the organisation. I am also a strong believer in computer-based training, while also reflecting on how to excite and energise a workforce to be interested in computer security again. You were recently interviewed on SBS, can you tell us more about this?  I was very lucky to have the SBS team alongside a Red Teaming Pen Test. SBS was able to capture the reasons behind our testing and record us walking away with a company’s equipment. We were able to show how easy it was to use a company’s own devices to hack back into their network.  What do you see as some of the biggest cyber threats in today’s society? The first cyber threat that comes to mind is that information security is hard, and breaking into systems can be a very easy job. However, it is really difficult to build systems, maintain them and in the long-term keep them secure. So it’s critical to have the right tools in place to monitor security, because ultimately ransomware is still an effective attacker. The second cyber threat that comes to mind is invoice fraud. I often hear instances of ‘customers’ pretending to change their bank account details and then the invoices are getting paid out to the wrong bank account. The financial fraud impact on business is massive and businesses must recognise that fraud is still alive and well.  

AUSCERT Week in Review for 30th October 2020 Greetings, This week, our team enjoyed participating in the range of initiatives that took place for AU CyberWeek2020, well done to colleagues from AustCyber for their wonderful work in pulling this event off. Next week sees us supporting the Inaugural AHECS Cybersecurity Summit “Bridging the Gap”. Coby Prior, our infrastructure Engineer Lead will be presenting on the topic of Honeypots of Threat Intelligence. We look forward to connecting with you at this Summit. Keep an eye out for the launch of our AUSCERT2021 Call for Papers initiative by following AUSCERT on social media Twitter, LinkedIn and Facebook. Do YOU or someone YOU KNOW have a great story to tell? We would like to hear it! At AUSCERT2021, we want to see you dusting off your playbooks: Security, Orchestration, Automation, and Response will see us SOARing with cyber. Last but not least, don’t forget to complete the 2020 BDO in Australia and AUSCERT Cyber Security Survey by COB today! Do not miss your chance to gain insight into the maturity of your organisation’s cyber security approach. This annual survey will allow you to benchmark your organisation’s current cyber security efforts with industry trends and determine ways to improve its cyber security culture, planning and response measures. Until next week, have a wonderful weekend everyone. Don’t dose up on too much Halloween sugar and Queenslanders – enjoy the state election weekend and last but not least, congratulations again to our friends in Melbourne and the wider Victorian region for their tremendous effort in tackling the Covid curve! Emotet malware now wants you to upgrade Microsoft Word Date: 2020-10-24 Author: Bleeping Computer Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature. Emotet is a malware infection that spreads through emails containing Word documents with malicious macros. When opening these documents, their contents will try to trick the user into enabling macros so that the Emotet malware will be downloaded and installed on the computer Attackers finding new ways to exploit and bypass Office 365 defenses Date: 2020-10-26 Author: Help Net Security Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals. Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats. Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication (DMARC, SPF, DKIM). Business Email Compromise Date: 2020-10-27 Author: ACSC (cyber.gov.au) [Members, feel free to reach out via our 24/7 Incident Hotline for any BEC related assistance] The Australian Cyber Security Centre (ACSC) has released a new publication – Protecting Against Business Email Compromise (BEC) – to help Australians defend against these deceptive and expensive scams. Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo Date: 2020-10-28 Author: Krebs on Security In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of thousands of sensitive documents — including schematics of client bank vaults and surveillance systems. Massive Nitro data breach impacts Microsoft, Google, Apple, more Date: 2020-10-26 Author: Bleeping Computer A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank. Claimed to be used by over 10 thousand business customers and 1.8 million licensed users, Nitro is an application used to create, edit, and sign PDFs and digital documents. ESB-2020.3750 – Junos OS: Multiple vulnerabilities Appliances running Junos OS affected by serious Administrator Compromise and Cross-site Scripting vulnerabilities. ESB-2020.3709 – python-django: Multiple vulnerabilities Contained multiple vulnerabilities which would grant attackers abilities to modify arbitrary files, cause denial of service and access confidential data. ESB-2020.3701 – thunderbird: Multiple vulnerabilities Thunderbird hosted multiple vulnerabilities including remote code execution and denial of service. ESB-2020.3669 – linux kernel: Multiple vulnerabilities World-wide user of the Linux kernel were affected by multiple vulnerabilities including Root Compromise. ESB-2020.3662 – ALERT phpmyadmin: Multiple vulnerabilities Popula phpmyadmin contained remote code execution, cross-site scripting and confidential data access vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2020 MC: Adam Spencer Prior to the AUSCERT2020 Conference, we caught up with Adam Spencer to chat about his involvement with the conference, and hear his thoughts around cyber security and observations on the year of 2020.   Can you start by telling us about your professional career? I could say lawyer and mathematician, although neither of those career paths really worked out. I am probably better to lead with stand-up comedian, from where I then stumbled into the world of radio and television where I continue to be thoroughly unprofessional. I have also written and co-written approximately ten different books trying to popularise mathematics. These are written for people who do really get mathematics and have a talent for it and want to get better at it. When writing, I’ve had the pleasure of reaching out to smart, switched on nerdy kids from about the age 12 and above—and I absolutely love it.   You are a self-confessed lifelong number nerd. What is your favourite number? As a kid, my favourite number was four. This was the first number that realised you could break into two even groups. For example, you couldn’t break down five or seven, but you could break down nine into three groups of three. It was from here that I started to get the concept of prime numbers and composite numbers just from breaking down the number four. I have now been fascinated by multiples of four for the rest of my life. For example, if we were to go for a drive and you turned the volume up to 31, I would need to change it to 32 so it could be a multiple of four.   How do numbers and maths play a role in cyber security? The basis of all computing and code of any sort is beautifully mathematical. I was lucky enough to interview Steve Wozniak who wrote the original Apple Source Code, back when it was just ones and zeros. Now, I’m not a specialist in that field, but from what I understand, no one has ever found a single error in Wozniak’s original programming and coding. Which is beyond belief for something as complicated as that not to have mistypes. The genius that underpins a system like that is incredible. Furthermore, the basis of the systems that we use to exchange credit card details online and not being hacked by a third party through the RSA algorithm, is just beautifully mathematical. Cyber security is a great example of how maths is still relevant. Mathematics permeates everything and we are just blissfully unaware.   You have been part of the AUSCERT conference for a few years now. What is it that first prompted you to be a part of it? The thing that I enjoy about my line of work as a professional MC and facilitator is that I’m rarely the smartest guy in the room on any given topic. But to learn anything, you need to expose yourself to the absolute best people in those fields. I’m a strong believer that if you speak to those passionate and informed about something, almost any topic can be interesting. For almost a decade I have been able to surround myself with people who are the best in the business (of Cyber Security) and hear about what’s on their mind about the cutting edge trends is incredible.  I remember first hearing mutterings about ransomware in the AUSCERT community years ago, and now it’s something that people have to deal with all the time. I feel like I am in the presence of people who really understand cyber security and having discussions that are ahead of the general population, is just so exciting.   Tell me about your most recent book, Numberland. I filled it with a bunch of stuff that blew my mind at the time. Looking back at it, I think I can best describe it as a compilation of stuff that I hope intrigues the ‘number curious’ amongst us. For AUSCERT members who are interested in my book, they can use the promo code ‘HOME’ to receive 20% off. Visit adamspencer.com.au to grab a signed copy.   Do you have any advice for someone who is passionate about maths or cyber security? Mathematicians will build this century—this is the century that will be built on ones and zeros. I think of many cyber security experts as mathematicians. So, for people with a passion in the area of cyber security, coding, app design, software, or statistics will have a role to play in building our future. It has never made more sense to find your passion in mathematics or cyber security, and take whatever skillset you have and maximise it. For young people coming out of high school and into the job market, my advice would be, if you can show that you have experience and knowledge in Mathematics, you’ll end up writing your own cheques in the workplace. There is no denying that mathematical thinking is going to underpin and build this century.      

AUSCERT Week in Review for 23rd October 2020 Greetings, A number of important security patches to pay attention to this week (Oracle, Google and Cisco) – please refer to our highlighted articles and Security Bulletins section below. Members, a copy of our October edition of the AUSCERT membership newsletter aka The Feed, landed in your inbox earlier this week. Be sure to catch up on all of our membership-related news; it was a bumper edition which also contained a copy of our Q3 2020 report. Our team is looking forward to participating in the range of AustCyber CyberWeek2020 initiatives taking place next week; as well as supporting the Inaugural AHECS Cybersecurity Summit “Bridging the Gap” in early November. Last but not least, don’t forget to complete the 2020 BDO in Australia and AUSCERT Cyber Security Survey. This anonymous survey closes at midnight next Friday, 30 October 2020 and takes less than 10 minutes to complete and by taking part, you will be offered the chance to win one of two Apple Watches. Until next week, have a wonderful weekend everyone. Google releases Chrome security update to patch actively exploited zero-day Date: 2020-10-20 Author: ZDNet [Refer to AUSCERT bulletin ESB-2020.3611] Google has released Chrome version 86.0.4240.111 earlier today to deploy security fixes, including a patch for an actively exploited zero-day vulnerability. The zero-day is tracked as CVE-2020-15999 and is described as a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions. Cisco warns of attacks targeting high severity router vulnerability Date: 2020-10-20 Author: Bleeping Computer [Refer to AUSCERT bulletin ESB-2020.0424.10] Cisco today warned of attacks actively targeting the CVE-2020-3118 high severity vulnerability found to affect multiple carrier-grade routers that run the company’s Cisco IOS XR Software. The IOS XR Network OS is deployed on several Cisco router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers. UK urges orgs to patch severe CVE-2020-16952 SharePoint RCE bug Date: 2020-10-16 Author: Bleeping Computer The U.K. National Cyber Security Centre (NCSC) today issued an alert highlighting the risks behind the recently addressed CVE2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server. NCSC, the cybersecurity arm of the UK’s GCHQ intelligence service, urges organizations to make sure that all Microsoft SharePoint products in their environments are patched against CVE-2020-16952 to block takeover attempts. Watch out for Emotet malware’s new ‘Windows Update’ attachment Date: 2020-10-18 Author: Bleeping Computer The Emotet botnet has begun to use a new malicious attachment that pretends to be a message from Windows Update telling you to upgrade Microsoft Word. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which uses the computer to send spam email and ultimately leads to a ransomware attack on a victim’s network. Big engineering consultancy takes a hit from REvil ransomware Date: 2020-10-22 Author: iTWire The Meinhardt Group, an engineering consultancy with 51 offices worldwide and 5000 employees, appears to have been attacked by a group using the REvil ransomware last month. The group has offices in Greater China, United Kingdom, India, Pakistan, Singapore, Malaysia, Indonesia, Thailand, Vietnam, the Philippines, the Middle East and Africa, according to information on its website. The group says that, by revenue, it is ranked among the largest independent engineering consulting firms globally. ESB-2020.3611 – Google Chrome: Multiple vulnerabilities The new stable desktop release for Google Chrome patches a zero-day exploit, as seen above it has made the news cycle. ESB-2020.0424.10 – UPDATE ALERT Cisco products using Cisco Discovery Protocol: Multiple vulnerabilities As mentioned above Cisco has warned that CVE-2020-3118 is being actively targeted in the wild. ASB-2020.0176 – ALERT Oracle MySQL Products: Multiple vulnerabilities Part of Oracle’s quarterly patch day this contains a CVE rated at 9.8 that can result in a total takeover of a MySQL cluster. Stay safe, stay patched and have a good weekend! The AUSCERT team

Q3 2020 report Report and Stats We would like to take this opportunity to thank you for your continued support and share with you the following snapshot of our services stats for Quarter 3 2020. This report provides an overview of the cyber security incidents reported by members, from 1 July – 30 September 2020 and includes a summary of other key achievements this quarter. Attached Documents auscert-q3-2020-report-and-stats_YZth2cS.pdf

AUSCERT Week in Review for 16th October 2020 Greetings, This week, our Senior Manager Mike Holm joined a number of panel members from Baidam Solutions Pty Ltd and Vectra AI to discuss the topic of “Network Detection and Response”. This event was held in conjunction with the annual Australian Indigenous Business Month. A recording of this thought-leadership panel discussion can be found here. For those of you who missed out on attending AUSCERT2020, good news – content from the conference can now be found on the AUSCERT YouTube channel. Look out for the “AUSCERT2020” playlist to browse through all the presentations we’ve uploaded on there for your viewing pleasure. In addition to this, we’ve also published a couple of blog articles from the winners of our annual awards at the conference. These can be found here, with more to come in the following weeks! Members, keep an eye out for a copy of our October edition of the AUSCERT membership newsletter aka “The Feed”, landing in your inbox early next week. We will be sharing a bumper edition which will also contain a copy of our Q3 2020 report. Last but not least, don’t forget to complete the 2020 BDO in Australia and AUSCERT Cyber Security Survey. This anonymous survey closes at midnight on Friday, 30th October 2020 and takes less than 10 minutes to complete and by taking part, you will be offered the chance to win one of two Apple Watches. Until next week, have a wonderful weekend everyone. … Microsoft October 2020 Patch Tuesday fixes 87 vulnerabilities Date: 2020-10-13 Author: ZDNet [Please refer to AUSCERT bulletin ASB-2020.0161, member portal login required] Microsoft has released today its monthly batch of security updates known as Patch Tuesday, and this month the OS maker has patched 87 vulnerabilities across a wide range of Microsoft products. By far, the most dangerous bug patched this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this bug can allow attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection. Microsoft and others orchestrate takedown of TrickBot botnet Date: 2020-10-12 Author: ZDNet A coalition of tech companies has announced today a coordinated effort to take down the backend infrastructure of the TrickBot malware botnet. Companies and organizations which participated in the takedown included Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec. Iranian hackers restart attacks on universities as the new school year begins Date: 2020-10-14 Author: ZDNet A group of Iranian hackers with a history of attacking academic institutions have come back to life to launch a new series of phishing campaigns, security firm Malwarebytes said today. The new attacks were timed to coincide with the start of the new academic years when both students and university staff were expected to be active on university portals. The attacks consisted of emails sent to victims. Known as “phishing emails,” they contained links to a website posing as the university portal or an associated app, such as the university library. The websites were hosted on sites with lookalike domains, but in reality, collected the victim’s login credentials. The most common malicious email attachments infecting Windows Date: 2020-10-11 Author: Bleeping Computer To stay safe online, everyone needs to recognize malicious attachments that are commonly used in phishing emails to distribute malware. When distributing malware, threat actors create spam campaigns that pretend to be invoices, invites, payment information, shipping information, eFaxes, voicemails, and more. Included in these emails are malicious Word and Excel attachments, or links to them, that when opened and macros are enabled, will install malware on a computer. Malware gangs love open source offensive hacking tools Date: 2020-10-13 Author: ZDNet In the cyber-security field, the term OST refers to software apps, libraries, and exploits that possess offensive hacking capabilities and have been released as either free downloads or under an open source license. OST projects are usually released to provide a proof-of-concept exploit for a new vulnerability, to demonstrate a new (or old) hacking technique, or as penetration testing utilities shared with the community. Today, OST is one of the most (if not the most) controversial topics in the information security (infosec) community. ASB-2020.0161 – ALERT Windows: Multiple vulnerabilities Microsoft’s Patch Tuesday included fixes for multiple vulnerabilities ASB-2020.0167 – Microsoft Dynamics 365 (on-premises): Multiple vulnerabilities October 2020 patch by Microsoft resolves 3 vulnerabilities in Microsoft Dynamics 365 (on-premises) ESB-2020.3511 – Adobe Flash Player: Multiple vulnerabilities Adobe Flash Player updates for Windows, macOS, Linux and Chrome OS address a critical vulnerability in Adobe Flash Player ESB-2020.3531 – chromium-browser: Multiple vulnerabilities Update for chromium-browser fixes multiple vulnerabilities Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT2020 Member Organisation of the Year Winner AUSCERT2020 Interview: Leigh Vincent from Federation University Australia We recently had the pleasure of chatting with Leigh Vincent from Federation University Australia who won the AUSCERT Member Organisation of the Year for 2020. Leigh opened up about what it is like to be an AUSCERT member and how Federation University is dealing with new cyber security issues. Can you start by telling us about your professional career? I have been at Federation University Australia (formally known as the University of Ballarat) for about 16 years in a cyber security role. This role has developed over the years and last year, we officially doubled our team, so now there are two of us!  While working at Federation University, I have gone through extensive training in incident handling and response, web application, penetration testing, and digital forensics and analysis. Having been a one-person team for so long, I was often in the position where I needed to provide the resources and support to University staff myself. There have been many years where the University’s budget just did not have enough room to stretch when it came to security. During this time, we could not justify hiring support from outside organisations when I could upskill and undergo training myself. I’m sure many would agree that cyber security in the university sector is a very interesting beast to work with. This was actually my first role working in security as I had previously worked in a system network administrator role. Since moving into security, I’ve enjoyed almost every moment. How long has Federation University been an AUSCERT Member? Federation University has been a member for as long as I have worked there, so at least 16 years. Personally, I have attended several of AUSCERT’s conferences since 2004. The highlight is always having the opportunity to network and catch up with people over the conference period.  What value do you get out of the on-going AUSCERT membership? In my experience, I would say the advice that the AUSCERT team and other members provide is invaluable and having people there that you can bounce ideas off makes resolving an issue much easier. Back when I was a one-man-team, I went on long-service leave and AUSCERT acted as the primary point of contact for the University if issues popped up. So both at a personal and professional level, the AUSCERT membership has been very beneficial. Speaking of your membership… Congratulations on winning the Member Organisation Of The Year award! What does winning this award mean to you? It was a complete surprise! I had to read over the email a couple of times before I realised that we had won. Winning this award is not something we had thought about, we often just continue to go about our work every day, but the acknowledgement means a lot. Receiving that recognition, especially as a two-person cyber security team just shows that people really do take notice of you and how you contribute to the industry. If you had some advice for some other AUSCERT members, what would you say? The biggest piece of advice I could give would be get involved. Take the time to interact with AUSCERT and its members—it is a valuable industry tool. As the ‘good guys’ in cyber security, we need to work on communicating more. We know the ‘bad guys’ are great at communicating and that is why they are always one step ahead of us. Ultimately we are all fighting the same fight so use the tools provided by AUSCERT (such as the Slack channels) to get involved, communicate and most of all keep an ear to the ground. Have you had any cyber security challenges this year, and how have you addressed this? Money has certainly been the biggest challenge, there is no denying that the education sector has taken a huge financial hit recently. We have also had to alter our focus to keeping tabs on all the remote workers and moving the University’s systems online very quickly. By making these quick changes, we have had to reassess some of our security restrictions to ensure a smooth and easy transition to working online for staff and students. Our focus has had to be on delivering quickly and trying to keep everyone safe when they are not inside our walls anymore. We control less when people are working from home, so we have had to encourage people to ask questions relating to their home security and support them where possible. Because we have made the switch to online for all course material, the push is now that we should keep it all online and maintain those platforms. However the challenge is ensuring that security can be enhanced and maintained to meet what will become a permanent method of content delivery to students and capabilities for staff to work from home as required going forward. Alternatively, we could also create something parallel that is safe and secured correctly, not just a platform that can ‘make it work’. What do you see as some of the main cyber threats in today’s society and their accompanying risks? Personally, I see social engineering as one of the biggest risks in cyber security today. It is a very real issue and we see it constantly. However, we can only overcome it by increasing user awareness and education—without this it can be very difficult to fight. Until we can get on top of that and educate users to make decisions themselves, it will inevitably remain a problem.  What is some advice you would give to organisations and other IT cyber security professionals? Talk and share with one another. We are all fighting the same fight and facing the same challenges. We might be from different organisations and have different technology, but ultimately, we are all fighting the same enemy.

AUSCERT2020 Information Security Excellence Winner Congratulations to Michelle Price for being given the AUSCERT2020 “Information Security Excellence” award. During AUSCERT2020 we had a chat with her to learn more about her role as CEO at AustCyber, and her vision for the cyber security industry.   Tell us a little about your professional career? My first job was working in a small business that my family owned, that focused on food safety consulting and training. We also ran international conferences and created a lot of thought-leadership on the topic of food safety. Food safety in the mid-to-late 90s was an emerging issue in Australia; there were no standard practices. In the end, there were three companies (owned by my parents) that focused on risk, and the upside and downside of risk. I worked there for 10 years, starting in marketing and communications roles, and ending up doing food safety audits and strategy. I then moved into the advertising industry for a short stint, before moving into the federal government, with the majority of my time in National Security. The common thing across all the agencies I worked in at the government was risk and strategy. What was your role in the Prime Minister’s Department? When I was working in the Prime Minister’s Department, my first job was to work across all of national security, and I ended up running the National Security Budget and developing the world’s first national security strategic risk framework, and developing a framework of how to prioritise national security issues. That was under the Gillard government. Then when Prime Minister Abbot came in, I switched roles and moved across from high-level strategy on national security to focus on the cyber security area, and that’s how I ended up penning the 2016 National Cyber Security Strategy. How did you end up at AustCyber? After the strategy was launched, I was fortunate enough to have quite a few opportunities. I chose to focus on helping the Australian National University stand up a cyber policy function and to be able to better coordinate the growing area of cyber research across different disciplines. I didn’t stay there for as long as I thought I would, because I then got asked to come to AustCyber, and AustCyber was one of the initiatives in the Cyber Security Strategy that I had worked very hard on, so it was a no-brainer. Being born into a house of entrepreneurs it felt like a natural extension for me to end up running an organisation that is trail blazing around how to do the business of cyber security, and while we are doing that, is also creating an industry. That is the mission of AustCyber: To create an industry that is globally competitive and has impact for the country. Congratulations on winning the Information Security Excellent award. What does winning this award mean to you? Every time I think about it, I still get tingles. Partly because, cyber security is often a closed environment, but that is changing a lot. So, when someone like me turns up and writes a national strategy on something that I don’t have years of experience in, who am I to advocate for, and educate the country on a topic that is not natively my own. To have a community like the AUSCERT community that is dominated by traditional security leaders, that is composed of technical practitioners, to have someone like me recognised by them, and by AUSCERT, is so special to me. That’s why in my acceptance speech, I accepted it for the whole industry. We’ve started to mature, to grow up, and have so much to offer, and people outside of our industry have so much to offer as well. We are the enablers of the entire economy. To me this is an example of how our industry is shifting and changing for the better.   If you could give a piece of advice for organisations and security professionals, what would it be? Understanding other people’s context helps us work together. ‘Collaboration’ is a bit of an overused word, but it’s the right word, if we come together and work together to a common outcome. ‘Outcome’ is also an important word—it’s not just about outputs. If we continue to focus on outputs, we will never win the battle. Output is important, but to be able to achieve outcomes, we have to work together, and to work together, we need to understand contexts.  If we take a few moments in the day to understand who we are working with and what their context is helps us have a more open mind. We spend too much time focusing on the battle with each other, rather than coming together to focus on battling with our adversaries. They’re the ones who are ripping off the economy. They’re the ones who are affecting the physical and emotional lives of Australians. We all want the same outcome, and we can do better at collaborating. I know we can do this. #GAMEON