Week in review

AUSCERT Week in Review for 19th June 2020

Greetings,

Another busy week for everyone, no doubt. A couple of emails would have landed in your inbox this week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter, aka The Feed. Be sure to catch up on these details and let us know if you have any further queries.

A few important advisories we wanted to highlight for this week:

The ACSC has issued threat advice relating to the targeting of Australian governments and companies by a sophisticated state-based actor. We’ve provided further commentary on this via our blog HERE.

Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack (known as Ripple20); see our AUSCERT bulletin below.

Adobe has released out-of-band security updates to address 18 critical flaws; see the highlighted bulletins below.

And with that, we hope that everyone implements these latest patches and starts enforcing multi-factor authentication across all areas of your business. We hope everyone enjoys a safe and restful weekend, until our next Week in Review edition!

…

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
Date: 2020-06-19
Author: ACSC | Cyber.gov.au
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

Active ransomware campaign leveraging remote access technologies
Date: 2020-06-16
Author: CERT-NZ
We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched. The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the compromised network, and restore encrypted files from backup.

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks
Date: 2020-06-16
Author: SecurityWeek
[See AUSCERT bulletin ESB-2020.2090]
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday. Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20. The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

Privacy confusion over COVID Safe Checklist rules for hospitality venues
Date: 2020-06-14
Author: ABC News
Notebooks, spreadsheets and paper forms used to collect personal information at cafes and restaurants are creating fears about privacy breaches and safety concerns. Queensland Council of Civil Liberties president Michael Cope says State Government guidelines about how businesses must collect and store information about customers are not clear enough. The COVID Safe Checklist for businesses requires that they keep contact information for all customers, workers and contractors, including names, addresses and mobile phone numbers, for at least 56 days. This information is to be “captured and stored confidentially and securely”.

No, that wasn’t a DDoS attack, just a cellular outage
Date: 2020-06-16
Author: CyberScoop
Neville Ray, chief technology officer at T-Mobile, said Tuesday that the company had fixed the issues. Security experts quickly pinned the issue on T-Mobile network configuration issues which resulted in the hours of downtime for customers, rather than a malicious DDoS meant to knock services offline by flooding them with internet traffic. Instead of acknowledging the more complicated reality, Anonymous amplified screenshots of a DDoS attack map that the security firm Arbor Networks uses as marketing to create interest in its product.

ESB-2020.2077 – APSB20-37 Security update available for Adobe Illustrator
Adobe released updates for multiple products this week.

ESB-2020.2090 – ICS Advisory (ICSA-20-168-01) Treck TCP/IP Stack
Possibly millions of systems affected.

ESB-2020.2116 – Cisco Webex Meetings Desktop App Vulnerabilities
Cisco released numerous updates this week.

ESB-2020.2104 – New BIND releases are available
The recent BIND vulnerabilities affect multiple products.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 12th June 2020

Greetings,

The winter chill has certainly set in as we head into the 3rd week of June.

Thank you to those who participated in our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar took place on Wednesday 10th June. To view a recording of this session, please visit our YouTube channel here.

Members, keep an eye out for a couple of emails landing in your inbox next week: an update on our member tokens for Virtual AUSCERT2020 and the June edition of our member newsletter, aka The Feed.

And last but not least, we shared the news that the Microsoft June 2020 Patch Tuesday was the largest ever with 129 fixes, so don’t forget to action these items and patch those vulnerabilities. A great reference point is of course our very own Security Bulletins page.

Until next time, we hope everyone enjoys a safe and restful weekend.

…

Microsoft June 2020 Patch Tuesday: largest ever with 129 fixes
Date: 2020-06-09
Author: Bleeping Computer
Today is Microsoft’s June 2020 Patch Tuesday, and as many Windows administrators will be routinely screaming at computers, please be nice to them! With the release of the June 2020 Patch Tuesday security updates, Microsoft has released one advisory for an Adobe Flash Player update and fixes for 129 vulnerabilities in Microsoft products. Of these vulnerabilities, 11 are classified as Critical, 109 as Important, 7 as Moderate, and 2 as Low. This is the largest Patch Tuesday update ever released by Microsoft, with the second-largest being 115 fixes in March 2020, and the third-largest with 113 fixes in April 2020.

Fisher & Paykel Appliances struck by Nefilim ransomware
Date: 2020-06-10
Author: IT News
Fisher & Paykel Appliances is the latest big brand name to be struck down by ransomware, shutting down its operations while it recovered following the attack. The whitegoods manufacturer’s spokesperson Andrew Luxmoore confirmed the attack to iTnews, saying it took place early last week. “The attempt was identified quickly and, as a result, we locked down our IT ecosystem immediately,” he said.

Drinks maker Lion shuts IT systems after ‘cyber incident’
Date: 2020-06-09
Author: IT News
Fast-moving consumer goods giant Lion has shut down its IT systems after a “cyber incident” on Tuesday. The attack was first reported by the Sydney Morning Herald, which said the attack had “disrupted” manufacturing and remote access to systems. “Lion has experienced a cyber incident and has taken the precaution of shutting down our IT systems, causing some disruption to our suppliers and customers,” the company said in a brief statement on its website.

Because things aren’t bad enough already: COVID-19 is going to mess up election security assumptions too
Date: 2020-06-08
Author: The Register
The social distancing measures brought about by the COVID-19 pandemic will weaken election security in the US, according to a non-profit’s security check. A report from New York University’s Brennan Center for Justice warns that as election workers and local officials are forced to do their jobs remotely, the risk of attack skyrockets.

We have Huawei to make the internet more secure: Dump TCP/IP to make folks safer says Chinese mobe slinger
Date: 2020-06-04
Author: The Register
Chinese telecom companies and the Middle Kingdom government contend that the TCP/IP protocol stack is ill-suited for future networking needs and have proposed reworking the internet’s technical architecture with new, more secure internet protocols. Huawei, China Mobile, China Unicom, and China Ministry of Industry and Information Technology are backing a plan titled “New IP, Shaping Future Network.” The specifics have not been made public but Huawei – currently subject to US trade sanctions for allegedly engaging in activities contrary to national security interests – has described the goals of the initiative as an attempt to improve the flexibility, privacy, and security of the internet.

ASB-2020.0107 – Windows: Multiple vulnerabilities
Microsoft Patch Tuesday updates (login required).

ESB-2020.1990 – 2020.1 IPU BIOS Advisory
Intel advisory of new firmware vulnerabilities.

ESB-2020.1991 – 2020.1 IPU Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
Intel advisory of new management subsystem vulnerabilities.

ESB-2020.2008.2 – linux security update
Many Linux distros released kernel and microcode patches for the Special Register Buffer Data Sampling (SRBDS) attack [CVE-2020-0543] alongside other fixes.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team.

AUSCERT Week in Review for 5th June 2020

Greetings,

This week, we are pleased to announce that the program details of our Virtual AUSCERT2020 conference have been launched. Details on this can be found here. Members, don’t forget to use your member tokens by Monday 3 August for free access to our conference registration. Please note that registrations for our tutorial sessions will open shortly and AUSCERT members will have priority access. Questions? We’ve addressed a few of these on our conference site here. Members who are on Slack are most welcome to send us your queries on that platform. Didn’t quite find what you were after? Drop us a line. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September.

In other news, don’t forget to come along to our joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

And last but not least, we shared the June update of the Australian Government Information Security Manual, which helps organisations manage their cyber security risks, on our Twitter channel, but here it is for reference.

Until next time, we hope everyone enjoys a safe and restful weekend.

VMware Cloud Director flaw lets hackers take over virtual datacenters
Date: 2020-06-02
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ESB-2020.1769]
Organizations offering trial accounts for versions of VMware Cloud Director lower than 10.1.0 risk exposing private clouds on their virtualized infrastructure to complete takeover attacks from a threat actor. A code injection vulnerability exists in VMware Cloud Director (vCloud Director) 10.0.0.2, 9.7.0.5, 9.5.0.6, and 9.1.0.4 that may lead to remote code execution, VMware says in its security advisory. Cloud Director software allows cloud-service providers around the world to deploy, automate, and manage virtual infrastructure resources in a cloud environment.

Office 365 to give detailed info on malicious email attachments
Date: 2020-05-31
Author: Bleeping Computer
Microsoft will provide Office 365 Advanced Threat Protection (ATP) users with more details on malware samples and malicious URLs discovered following detonation. “We’re working to reveal more of the details that led to a malicious verdict when URLs or files are detonated in Office 365 ATP,” the new feature’s Microsoft 365 roadmap entry reads. “In addition to the detonation chain (the series of detonations that were necessary to reach a verdict for this entity), we’ll also share a detonation summary, with details such as detonation time range, verdict of the file or URL, related entities (other entities called or used during the detonation), screenshots, and more.”

Apple pushes fix across ALL devices for “unc0ver” jailbreak flaw
Date: 2020-06-02
Author: Bleeping Computer
These past few days have been quite busy for Apple on the security front. As reported by BleepingComputer, the company recently patched a critical flaw in its “Sign in with Apple” service. What follows now is a mega update across all its major operating systems and devices. Last year we provided details on the Sock Puppet jailbreak exploit that targeted the use-after-free kernel vulnerability, CVE-2019-8605. Yesterday, Apple pushed an update across all its OSes to fix the “unc0ver” jailbreak flaw, tracked as CVE-2020-9859 (note: a MITRE/NVD entry has not yet been published for this CVE). Rooting, colloquially known as ‘jailbreaking,’ refers to the concept of obtaining root access to a device, which lets one install third-party apps and tweaks that would otherwise be restricted by the official app store and manufacturer policies. Loopholes like unc0ver allow someone to “break out of this jail” and, therefore, the moniker. Because the flaw impacted all previous versions of iOS, including 13.5, users are encouraged to update to iOS 13.5.1 and iPadOS 13.5.1 immediately. Of course, that also means the jailbreak functionality that lets users install custom tweaks and apps would be gone.

MyBudget hackers threaten on dark web to release data stolen during cyberattack
Date: 2020-06-03
Author: ABC News
Cybercriminals are threatening to publish data they claim to have stolen from financial management group MyBudget online, an internet security expert has warned. The Adelaide-based company was hit with a ransomware attack early last month that left 13,000 customers in financial limbo for two weeks. Thousands of customers took to social media to vent their frustration at the outage and also their concerns about the security of their data.

Google Faces $5B Lawsuit for Tracking Users in Incognito Mode
Date: 2020-06-03
Author: Dark Reading
A proposed class-action lawsuit accuses Google of collecting browser data from people who used “private” mode. A proposed class-action lawsuit filed earlier this week accuses Google of violating users’ privacy by collecting their data while they searched the Web in “incognito mode,” or private browsing. The lawsuit seeks at least $5 billion, Reuters reports. A complaint filed in federal court alleges Google collects data via Google Analytics and Google Ad Manager, along with other applications and plug-ins, to learn more about where people browse and what they view on the Web. This data collection occurs whether or not someone clicks a Google-supported ad, the report notes.

ESB-2020.1935 – Cisco IOS Software for Cisco Industrial Routers: Multiple vulnerabilities
Multiple advisories were released by Cisco. The most serious of these was marked as critical and affected multiple Cisco routers. If exploited, this vulnerability could result in a complete system compromise.

ESB-2020.1909 – iOS & iPadOS: Execute arbitrary code/commands – Unknown/unspecified
Apple has released iOS and iPadOS version 13.5.1. Installing this update patches the vulnerability exploited by the “unc0ver” jailbreak and also patches a potential RCE vulnerability.

Stay safe, stay patched and have a good weekend!
Sean

AUSCERT Week in Review for 29th May 2020

Greetings,

This week, we participated in the launch of National Reconciliation Week 2020 virtually by sharing an Acknowledgement of Country on our various social media platforms. To find out more about this initiative and to get involved for the remainder of the week, please visit the following page shared by the folks at Reconciliation Australia.

In other news, we announced an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June; for further details and to register, please click here. We hope you can join us.

Last but not least, we’re pleased to announce that the program details of our Virtual AUSCERT2020 conference will be launched next week. Most of you will recall that the 2nd to 5th of June were the original dates for our annual conference. Although we are not convening on the Gold Coast this year, we look forward to catching up with as many of you as possible virtually in September!

Until next time, we hope everyone enjoys a safe and restful weekend.

eBay port scans visitors’ computers for remote access programs
Date: 2020-05-24
Author: Bleeping Computer
When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications. Over the weekend, Jack Rhysider of DarkNetDiaries discovered that when visiting eBay.com, the site performed a port scan of his computer for 14 different ports. Many of these ports are related to remote access/remote support tools such as the Windows Remote Desktop, VNC, TeamViewer, Ammy Admin, and more.

Bots hit up Australian Red Cross 900 times for bushfire donations
Date: 2020-05-26
Author: iTnews
The Australian Red Cross is being targeted by bots that have so far made almost 900 fraudulent applications for financial assistance from a $216 million bushfire relief fund. Australian programs director Noel Clement told the Royal Commission into National Natural Disaster Arrangements on Tuesday that his organisation had seen “very significant cyber activity from the outset”. The Australian Red Cross raised a total of $216 million in donations for the victims of devastating bushfires over the summer of 2019-20, of which $83 million has so far been distributed.

GitLab Hacks Own Remote-Working Staff In Phishing Test
Date: 2020-05-25
Author: Silicon UK
Company finds 20 percent of its all-remote staff responds to phishing message by exposing user credentials, raising fears about the work-from-home future. Software development tools start-up GitLab has carried out a targeted phishing campaign on its own remote-working staff, finding that one-fifth of those targeted exposed their corporate login credentials. The study comes at a time when more employees are working from home during coronavirus shutdowns around the world.

Shadowserver, an Internet Guardian, Finds a Lifeline
Date: 2020-05-27
Author: WIRED
The internet security group Shadowserver has a vital behind-the-scenes role; it identifies online attacks and wrests control of the infrastructure behind them. In March, it learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco’s facility—not to mention an additional $1.7 million to make it through the year—the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. On Wednesday, the IT security company Trend Micro will commit $600,000 to Shadowserver over three years, providing an important backbone to the organization’s fundraising efforts. The nonprofit Internet Society is also announcing a one-time donation of $400,000 to the organization. Combined with other funding that’s come in, these large contributions make it possible for the group to continue in a more sustainable way without becoming dependent on a single funder again. It also keeps the internet at large that much safer.

Apple responds to false Facebook claims about contact tracing update in iOS 13.5
Date: 2020-05-27
Author: iMore
Hysterical myths regarding Apple’s exposure notification have started appearing on Facebook. Some users have taken to sharing screenshots of iOS 13.5, warning friends that it will automatically allow authorities to track their locations and who they meet. The posts have been fact-checked by Facebook, and Apple has released a response to Reuters.

ESB-2020.1884 – [ALERT] Cisco CML and VIRL-PE: Multiple vulnerabilities
A patch for RCE and authentication bypass vulnerabilities has been released and marked as critical by Cisco. This includes a ‘perfect’ 10.0 CVSSv3 score, which is the maximum possible.

ESB-2020.1859 – macOS Catalina, Mojave & High Sierra: Multiple vulnerabilities
Apple update fixes 45 macOS vulnerabilities, including a root compromise from the PackageKit component.

ESB-2020.1855 – iOS and iPadOS: Multiple vulnerabilities
A similar number of vulnerabilities were patched in iOS and iPadOS, with similar impacts. Reports online indicate that even the latest version is susceptible to a jailbreak by Unc0ver.

Stay safe, stay patched and have a good weekend!
Sean

AUSCERT Week in Review for 22nd May 2020

Greetings,

This week, we shared a couple of important and useful advisories with members. Namely, the joint statement from DFAT and the ACSC regarding Unacceptable malicious cyber activity by cyber actors who are seeking to exploit the pandemic for their own gain, as well as the Toolkit for Universities by eSafety and Universities Australia. This toolkit contains useful resources and tools to help universities and their communities keep safe online.

We are pleased to announce an upcoming joint webinar session on the topic of “An Integrated Approach to Embedding Security into DevOps” with the team from Checkmarx. This webinar will take place on Wednesday 10 June – save the date; invitations will be sent out shortly. We hope you can join us.

Last but not least, we shared news of our revised Virtual AUSCERT2020 sponsorship prospectus with various stakeholders last week. Feel free to reach out to us via conference@auscert.org.au for more information on our various options to get involved as a conference sponsor!

Until next time, we hope everyone enjoys a lovely and restful weekend.

Norway’s Wealth Fund Loses $10m in Data Breach
Date: 2020-05-16
Author: Infosecurity Magazine
Norway’s state-owned investment fund Norfund has halted all payments after losing $10m in an “advanced data breach.” On May 13, Norfund announced that it was “cooperating closely with the police and other relevant authorities” after “a series of events” allowed fraudsters to make off with $10m. The fund said that a data breach allowed defrauders to access information concerning a loan of US$10m from Norfund to a microfinance institution in Cambodia. Using a mixture of manipulated data and falsified information, the fraudsters managed to impersonate the borrowing institution and divert funds away from the genuine recipient and into their own pockets.

My Health Record system hit by hack attempt
Date: 2020-05-19
Author: iTnews
The My Health Record system was the subject of an attempted hack over the past 11 months, the Australian Digital Health Agency has revealed. National health chief information officer Ronan O’Connor told a parliamentary inquiry into cyber resilience the cyber incident was one of two “potential data breaches” to occur since July 2019.

Nefilim ransomware gang leaks Toll documents on dark web
Date: 2020-05-20
Author: iTWire
The attackers behind an ongoing ransomware attack on Australian logistics and transport provider Toll Holdings have released some documents which they claim to have exfiltrated from the company when they staged the attack. News of the attack, the second this year, was announced by Toll on 5 May, with the company saying at the time that it had shut down some of its systems as a precaution. The documents released on Wednesday on the dark web include statements about company financials in plain text and a zipped file. This indicates that the ransom demand by the group has not been met by Toll. The attackers claim to have more than 200GB of company data.

ESB-2020.1785 – Wireshark: Denial of service
The Wireshark maintainers will be diligently patching minor crashes on crafted network traffic until after the sun burns out. I applaud their dedication to making the most resilient security tool possible.

ESB-2020.1781 – IBM Security Access Manager – Unauthorised access
A user-manipulable claim wasn’t validated properly, so users could forge additional access.

ESB-2020.1762 – Dovecot: Multiple vulnerabilities
Possible RCE and confirmed DoS in the popular Dovecot email server.

ESB-2020.1754 – OpenConnect: Denial of service
It’s a good time of year to be patching VPN clients, with the increased work-from-home arrangements.

Stay safe, stay patched and have a good weekend!
David & Vishaka

AUSCERT Week in Review for 15th May 2020

Greetings,

This week, we announced to our members that we have doubled their member token registration eligibility for Virtual AUSCERT2020 as a gesture of appreciation for their support. Be sure to check your inbox(es) for further details. We can’t wait to see you in September.

Also for our members – we have generated a new PGP/GPG key to use for signing and for receiving encrypted data. This key comes into effect as of today (Friday 15th May 2020) and further details can be found on our website here.

Last but not least, we shared this news on our social channels this week: “FIRST aims to update the Traffic Light Protocol standard to increase global adoption”. If you would like to get involved directly, please refer to the following press release: https://www.first.org/newsroom/releases/20200513

Until next time, we hope everyone enjoys a safe and restful weekend.

Microsoft Addresses 111 Bugs for May Patch Tuesday
Date: 2020-05-12
Author: Threatpost
Microsoft has released fixes for 111 security vulnerabilities in its May Patch Tuesday update, including 16 critical bugs and 96 that are rated important. Unlike other recent monthly updates from the computing giant this year, none of the flaws are publicly known or under active attack at the time of release.

US govt shares list of most exploited vulnerabilities since 2016
Date: 2020-05-12
Author: Bleeping Computer
US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments.

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking
Date: 2020-05-10
Author: WIRED
Security paranoiacs have warned for years that any laptop left alone with a hacker for more than a few minutes should be considered compromised. Now one Dutch researcher has demonstrated how that sort of physical access hacking can be pulled off in an ultra-common component: the Intel Thunderbolt port found in millions of PCs.

Cisco, others, shine a light on VPN split-tunnelling
Date: 2020-05-13
Author: ARN
As the work-from-home trend grows due to the Covid-19 pandemic, the need for secure access to enterprise resources continues to grow, and with it the demand for ever more VPN. For example, demand for commercial virtual private networks in the US jumped by 41 per cent between March 13 and March 23, according to research from Top10VPN.com, a VPN research and testing company in the UK. The VPN market will hit $70 billion by 2026, according to market research and management consulting company Global Market Insights. In an April blog AT&T pointed to a 700 per cent increase in connections to its cloud-based SD-WAN Static Network Based (ANIRA) VPN service.

ASB-2020.0095 – Windows: Multiple vulnerabilities

ASB-2020.0101 – Microsoft Office, Microsoft Office Services and Web Apps: Multiple vulnerabilities

ESB-2020.1698 – McAfee ePolicy Orchestrator: Multiple vulnerabilities

ESB-2020.1705 – GlobalProtect App: Access confidential data – Existing account

Stay safe, stay patched and have a good weekend!
AUSCERT Team

AUSCERT Week in Review for 8th May 2020

Greetings,

This week, we launched our long-awaited AUSCERT Members Slack. An email was sent out to members earlier this week, Tuesday 5 May to be specific, detailing the necessary steps to join us and other AUSCERT members in conversation. Be sure to check your inbox(es) for further details. Many of our members informed us through the 2019 Annual Survey that they would like to stay connected through a quicker, more effective (but secure) communication platform, and we’ve delivered!

Also for our members – keep an eye out for an email from our conference team early next week. This communication will provide you with some updates on member token details for Virtual AUSCERT2020. We can’t wait to see you in September.

Last but not least, this week has seen us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign initiative to promote the importance of privacy and keeping your personal information safe. We’ve shared a number of posts on our social media channels using the following hashtags #PAW2020 #RebootYourPrivacy so please do check them out. In summary, Privacy Awareness Week 2020 is an important reminder to reboot your privacy:
> Check and update your privacy controls
> Consider the alternative when giving or asking for personal information
> Delete any data from old devices and securely destroy or de-identify personal information if it’s no longer needed for a legal purpose.

Again, well done Australia for staying home. We hope that everyone has some lovely plans lined up with the easing of Covid-19 restrictions in most parts of the country – just in time for Mother’s Day on Sunday. Until next week.

New Kaiji Botnet Targets IoT, Linux Devices
Date: 2020-05-05
Author: Threatpost
The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go language. A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today.

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014
Date: 2020-05-06
Author: ZDNet
South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014. Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.

Toll Group suffers second ransomware attack this year
Date: 2020-05-05
Author: iTnews
Toll Group has revealed it is suffering its second ransomware attack this year, attributing the current infection to a type of malware known as Nefilim. The admission comes less than a day after iTnews reported exclusively that the logistics giant had shut down its IT systems after detecting “unusual activity” on an undisclosed number of servers.

New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers
Date: 2020-05-04
Author: The Hacker News
Cybersecurity researcher Mordechai Guri from Israel’s Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices. Dubbed ‘POWER-SUPPLaY,’ the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers.

GoDaddy notifies users of breached hosting accounts
Date: 2020-05-04
Author: Bleeping Computer
GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH. The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting.

Maze Ransomware Operators Step Up Their Game
Date: 2020-05-06
Author: Dark Reading
Investigations show Maze ransomware operators leave “nothing to chance” when putting pressure on victims to pay. Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

ESB-2020.1614 – Cisco Firepower: Multiple vulnerabilities
Multiple high severity vulnerabilities which could result in information disclosure, root compromise, denial of service or unauthorized access to Cisco Firepower appliances.

ESB-2020.1624 – Google Chrome: Multiple vulnerabilities
Two remote code execution and denial of service vulnerabilities.

ESB-2020.1607.2 – Salt: Multiple vulnerabilities
Execution of arbitrary commands on Salt minions, arbitrary directory access for authenticated users, or arbitrary code execution on salt-api hosts.

Stay safe, stay patched and have a good weekend!
Patch


Week in review

AUSCERT Week in Review for 1st May 2020

Greetings,

Well done Australia for staying home! We hope that everyone has some nice and creative plans lined up with the easing of Covid-19 restrictions in certain parts of our country.

This week, the most talked-about topic around town is the launch of the COVIDSafe app. As an organisation, we have been sharing a number of resources, posts and articles on this topic via our Twitter channel so members and readers can make their own judgement calls around whether or not to download this app.

For many, if not all of us, this week marks the 6th week of working from home due to the pandemic. Whilst we’re all used to the various remote working platforms by now, it’s worth re-visiting some best practices as a reminder to ensure that everyone is keeping security front of mind. It is important to have a proper read through the safety policies of your web conferencing and sharing platform(s) of choice to make sure that you’ve maintained your privacy settings accordingly.

Last but not least, next week (4-10 May) will see us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign initiative to promote the importance of privacy and keeping your personal information safe. Look out for our posts on social media with the following hashtags: #PAW2020 #RebootYourPrivacy

Until next time.

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
Date: 2020-04-28
Author: Microsoft Blog
At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations. In this blog, we share our in-depth analysis of these ransomware campaigns.

The coronavirus tracing app has been released. Here’s what it looks like and what it wants to do
Date: 2020-04-27
Author: ABC News
The Government’s coronavirus tracing app has been released, and its uptake will play a large part in helping ease restrictions. It has been called COVIDSafe and will allow authorities to quickly notify people if they have been in contact with someone who has been infected with coronavirus.

Federal Police investigate hoax involving users of COVIDSafe coronavirus app
Date: 2020-05-28
Author: ABC News
The Australian Federal Police are investigating allegations of a hoax targeting the Government’s new coronavirus app. The allegations concern images of an apparently fraudulent message, shared on social media, that told the recipient the COVIDSafe app had alerted the Government they were more than 20km from their home, and were required to phone the Government.

Consumers benefit as video call vendors scramble to revamp security in a COVID-19 world
Date: 2020-04-28
Author: ZDNet
As many of us grapple with the transition to working from home due to the coronavirus outbreak, video conferencing platforms suddenly experiencing a surge in user numbers are, on the whole, meeting the security challenges associated with uptake. Houseparty, Discord, and Doxy.me, however, fail to meet basic security standards, new research suggests.

When in Doubt: Hang Up, Look Up, & Call Back
Date: 2020-05-20
Author: Krebs on Security
Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

ESB-2020.1457 – VMware ESXi patches address Stored Cross-Site Scripting
VM user can inject script into the browser of the ESXi host client.

ESB-2020.1516 – Security Updates Available for Magento
Important updates for Magento users.

ASB-2020.0092 – Google Chrome for Desktop version 81.0.4044.129 released
Google releases latest Chrome version.

Stay safe, stay patched and have a good long weekend!
Regards, AUSCERT Team


Blogs

Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781

Version 1.2

NB. The information in this blog is provided as is and will be updated according to the situation as it evolves.

1.2 Available patch for Citrix ADC versions 11.1 and 12.0 [20th January 2020]
1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. [17th January 2020]
1.0 Initial publication [14th January 2020]

Summary

Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781. AUSCERT has received information from a trusted third party source [1] about opportunistic scans being performed. Constituents are being contacted about the vulnerability and the applicable mitigation [2][3][4]. This blog post also serves as a general notice, issued for all who own and operate the vulnerable appliance.

Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided.

Update v1.2: Patches are being made available for Citrix ADC versions 11.1 and 12.0 [13].

Description

Citrix (NetScaler) endpoints are vulnerable to CVE-2019-19781, which affects the following products [5]:

o Citrix ADC and Citrix Gateway version 13.0 all supported builds
o Citrix ADC and NetScaler Gateway version 12.1 all supported builds
o Citrix ADC and NetScaler Gateway version 12.0 all supported builds (Patch issued from Citrix) [13]
o Citrix ADC and NetScaler Gateway version 11.1 all supported builds (Patch issued from Citrix) [13]
o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Proof-of-concept exploits demonstrating unauthenticated remote code execution via CVE-2019-19781 have been posted on GitHub by Project Zero India [6] and TrustedSec [7]. A summary report is available from BadPackets [1]. A notification is available from US-CERT [8], and the issue has been reported in the media by Bleeping Computer [9].

Testing Vulnerability

The following proof-of-concept (PoC) request validates CVE-2019-19781 without extracting sensitive information. An “HTTP 200/OK” response to this request indicates the Citrix (NetScaler) server is vulnerable to further attacks.

curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf

Suggested Mitigation

A patch is currently available from Citrix only for ADC versions 11.1 and 12.0 [13]; further firmware updates are expected to be made available by the end of January 2020. Citrix has provided mitigation steps to prevent further compromise [3]. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided, so be sure that you are running a safe version.

Remediation Actions

A forensic guide is available from TrustedSec to find evidence of a compromise [10]. Talos has issued Snort rules [11] to detect the exploit. A Suricata rule for this emerging threat is also available [12].
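Alongside the Snort and Suricata rules referenced above, a defender can also look back through existing web access logs for the same traversal pattern the PoC request above uses. The following Python script is an added example for this post, not AUSCERT's, Citrix's or Talos's own tooling. It assumes an Apache/Nginx-style combined access log from a reverse proxy or WAF sitting in front of the gateway (the appliance's own log format is not described here), and the sample log lines, IP addresses and function names (is_traversal_probe, scan_log, sources) are constructed for illustration.

```python
"""Scan access-log lines for CVE-2019-19781 traversal probes (/vpn/../vpns/...).

Added example, not part of the original post. The log format and sample
lines below are assumptions constructed for this demonstration.
"""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import unquote

# Start of an Apache/Nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int
    likely_success: bool  # the post treats HTTP 200 on this path as "vulnerable"


def is_traversal_probe(raw_path: str) -> bool:
    """True when the request path steps from /vpn/ through '..' into /vpns/."""
    # Decode percent-encoding and drop the query string before matching, so a
    # request that encodes the dots or appends parameters is still recognised.
    path = unquote(raw_path).split('?', 1)[0].lower()
    return '/vpn/' in path and '/../' in path and '/vpns/' in path


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that matches the traversal pattern."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if is_traversal_probe(m['path']):
            status = int(m['status'])
            hits.append(Hit(m['ip'], m['ts'], m['method'], m['path'],
                            status, status == 200))
    return hits


def sources(hits: List[Hit]) -> Dict[str, int]:
    """Count probes per source IP, the list you would hand to triage/blocking."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.10 - - [13/Jan/2020:09:01:11 +1000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Jan/2020:10:15:02 +1000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 0 "-" "curl/7.64.1"',
    '203.0.113.5 - - [13/Jan/2020:10:15:03 +1000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 199 "-" "python-requests/2.22.0"',
    '192.0.2.77 - - [13/Jan/2020:11:40:55 +1000] "GET /vpn/../vpns/cfg/smb.conf?x=1 HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        flag = "LIKELY SUCCESSFUL" if h.likely_success else "blocked/failed"
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} ({flag})")
    print("probes per source:", sources(found))
```

A 200 on the probe path is the signal the PoC section above describes, so those lines deserve the forensic follow-up from the TrustedSec guide; non-200 responses still identify scanning sources worth recording.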
Reference and Credits

[1] Badpackets https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
[2] Citrix Advisory https://support.citrix.com/article/CTX267027
[3] Mitigation Steps for CVE-2019-19781 https://support.citrix.com/article/CTX267679
[4] AUSCERT ESB-2019.4708 https://portal.auscert.org.au/bulletins/ESB-2019.4708/
[5] Reddit https://www.reddit.com/r/sysadmin/comments/en5y8l/multiple_exploits_for_cve201919781_citrix/
[6] Project Zero India https://github.com/projectzeroindia/CVE-2019-19781
[7] TrustedSec GitHub https://github.com/trustedsec/cve-2019-19781
[8] US-CERT https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability
[9] Bleeping Computer https://www.bleepingcomputer.com/news/security/cisa-releases-test-tool-for-citrix-adc-cve-2019-19781-vulnerability/
[10] TrustedSec Forensic Guide https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
[11] Talos https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html
[12] Suricata Emerging Threats https://rules.emergingthreats.net/open/
[13] Vulnerability Update: First permanent fixes available, timeline accelerated https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/


Week in review

AUSCERT Week in Review for 24th April 2020

Greetings,

Hoping everyone’s had a good week, and that the parents amongst us are managing the juggle of work-life balance, with the Term 2 remote learning of school-aged children commencing this week.

This week, we announced that our annual conference will be taking on a different spin! Given the current ever-evolving situation with COVID-19 and the advice from our Chief Information Officer, it is with a mixture of nervous energy and excitement that we announce that AUSCERT2020 will now go virtual in September. The dates will remain as previously discussed: 15 – 18 September. While we understand that a virtual event isn’t quite the same as an in-person one, we are as committed as ever to featuring world-class tutorials and presentations from leading experts in the cyber and information security industry. Speaker details can be found here.

In other news this week, we shared the fact that our friends from ENISA (the EU Agency for Cybersecurity) have just published some new training materials on the topic of “Orchestration of CSIRT Tools”. It includes practical usages of MISP, The Hive Project and IntelMQ; these are very SOAR-relevant, and definitely worth a read. Please refer to their website.

Have a great weekend, and thank you for staying home. Until next time.

Microsoft releases OOB security updates for Microsoft Office
Date: 2020-04-21
Author: Bleeping Computer
[This has been published as AUSCERT bulletin ASB-2020.0090]
Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications. Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolve remote code execution and denial of service vulnerabilities caused by specially crafted FBX files. An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations.

Critical bug in Google Chrome – get your update now
Date: 2020-04-17
Author: Sophos
[This has been published as AUSCERT bulletin ASB-2020.0088]
The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix. … [Sophos] recommends going through the update process as soon as you can. Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later.

Hackers have breached 60 ad servers to load their own malicious ads
Date: 2020-04-22
Author: ZDNet
A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites. This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019. Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads. Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files – usually disguised as Adobe Flash Player updates.

Who’s Behind the “Reopen” Domain Surge?
Date: 2020-04-20
Author: Krebs on Security
The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created […] urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.
[A neat demo of threat hunting in DomainTools, albeit without the usual phishing/malware bent we focus on at AUSCERT.]

ASB-2020.0088 – Google Chrome: Execute arbitrary code/commands – Remote with user interaction
Google has issued an update addressing a critical CVE for Chrome Stable Channel for Desktop.

ASB-2020.0090 – Microsoft products utilising the Autodesk FBX library: Multiple vulnerabilities
Microsoft out-of-band security update fixing remote code execution vulnerabilities in the Autodesk FBX library.

Stay safe, stay patched and have a good weekend!
Mal


Week in review

AUSCERT Week in Review for 17th April 2020

Greetings,

Hoping everyone’s come off the sugar rush that was the Easter long weekend!

This week, we announced that our member newsletter, circulated every other month, will now be called The Feed. We think this better reflects our mission, readers and the content we share. The April 2020 edition was sent in the mail yesterday (Thursday 16.04), so be sure to check your inbox to stay up-to-date with the goings-on at AUSCERT.

In other news this week, we’ve published a snapshot of our services stats for Quarter 1 2020. To find this information, please visit the Blogs & Publications section of our website. This report provides an overview of the cyber security incidents reported by members, from 1 January – 31 March 2020.

Last but not least, a final reminder that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. Affected members have been emailed directly. Feel free to reach out to us should you require further assistance or clarification regarding this change.

Stay well (and thank you for staying home), until next time.

Microsoft April 2020 Patch Tuesday comes with fixes for three zero-days
Date: 2020-04-14
Author: ZDNet
[Please refer to the following AUSCERT Security Bulletins for more information: ASB-2020.0077 to 86]
Microsoft has published today its monthly roll-up of security updates known as Patch Tuesday. This month’s updates are a bulky release. The OS maker has made available patches today for 113 vulnerabilities across 11 products, including three zero-day bugs that were being actively exploited in the wild. As always, details remain scant for the time being. Details about zero-day attacks are usually kept under wraps for days or weeks, to give users time to patch and prevent attackers from developing proof-of-concept code.

When corporate communications smell phishy: Why customers don’t trust your emails
Date: 2020-04-08
Author: The Daily Swig
We are constantly urged to stay vigilant to spam and malicious emails. Threat actors’ increasingly sophisticated tactics and mimicry of organizations pose a serious problem for businesses attempting to engage with their customers without appearing to be scammers. However, some of the tactics employed by phishers are also used by genuine companies to promote consumer engagement or simply within the workplace between teams, which can lead to confusion and legitimate emails being reported as fraudulent.

Coronavirus tracing tech policy ‘more significant’ than the war on encryption
Date: 2020-04-15
Author: ZDNet
COVID-19 apps that track individuals’ movements and report them to a government server? What could possibly go wrong? Digital rights activists are starting to push back. Tech-savvy individuals and firms have been eager to apply their skills to the coronavirus pandemic, as they should be. Some of them are working with governments who have flexed their “special powers” and public health muscles, as governments should do. Much of this tech effort, from all sides, has been put into contact tracing, which aims to find out who might have been exposed to the virus from an infectious person.

ASB-2020.0082 – Microsoft Patch Tuesday update for Windows for April 2020
Microsoft’s Patch Tuesday included updates to resolve 66 vulnerabilities from Windows products.

ASB-2020.0076 – Oracle CPU April 2020 for Java SE
Oracle Java SE had a critical patch update with 15 new security patches made available.

Stay safe, stay patched and have a good weekend!
Mal.
