Week in review

AUSCERT Week in Review for 14th August 2020

Greetings,

If you were part of the first 600 delegates who registered for AUSCERT2020, you would have received an email earlier this week with details confirming your entitlement to a complimentary Conference Swag Bag. We trust that you’re as excited as we are that the conference is only 5 weeks away.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise usage of these within our membership group. Our last session pre AUSCERT2020 is detailed below:

• 19th August – Phishing Takedowns (register HERE)

Last but not least, next week marks the National Scams Awareness Week 2020 and as a campaign partner, AUSCERT will be sharing the various messages from this campaign through our social media channels.

Until next week, take care and have a great weekend everyone.

Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Date: 2020-08-11
Author: Threatpost
[Refer to AUSCERT related bulletins ASB-2020.0139, ASB-2020.0140 and ASB-2020.0145. Member portal login required.]

Two Microsoft vulnerabilities are under active attack, according to the software giant’s August Patch Tuesday Security Updates. Patches for the flaws are available for the bugs, bringing this month’s total number of vulnerabilities to 120. One of the flaws being exploited in the wild is CVE-2020-1464, a Windows-spoofing bug tied to the validation of file signatures on Windows 10, 7, 8.1 and versions of Windows Server. Rated “important,” the flaw allows an adversary to “bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said. A second zero-day is a remote code-execution bug rated “critical,” which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem. A successful hack gives the attacker the same user rights as the current user, the company wrote.

NSW govt agencies to face cyber security inquiry
Date: 2020-08-12
Author: iTnews

A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks. The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry. The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

Upgraded Agent Tesla malware steals passwords from browsers, VPNs
Date: 2020-08-10
Author: Bleeping Computer

New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

Travelex Forced into Administration After Ransomware Attack
Date: 2020-08-10
Author: Infosecurity Magazine

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business. Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news. The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK. PwC remained upbeat about the future of the company, following its £84 million restructuring.

ESB-2020.2680.2 – Cisco AnyConnect client for Windows: Increased privileges
Cisco updated last week’s advisory to add that proof-of-concept exploit code is now available.

ESB-2020.2803 – Apache Struts: Multiple vulnerabilities
Apache Struts is one of those libraries deployed more widely than you’d think, and a previous vulnerability contributed to the infamous Equifax breach.

ESB-2020.2780 – Citrix Endpoint Management aka XenMobile Server: Unspecified critical vulnerabilities
Citrix released a patch assessed as critical severity without providing detail on the vulnerabilities involved, which is a fun mystery.

ESB-2020.2802 – Microsoft Dynamics 365: Remote code execution
Microsoft released a separate advisory the day after Patch Tuesday to warn of this RCE and its corresponding patch, also assessed as critical.

Stay safe, stay patched and have a good weekend!

David


Week in review

AUSCERT Week in Review for 7th August 2020

Greetings,

This week we wanted to highlight the blog we’ve written on the topic of the ProctorU breach. Key takeaways include: members are encouraged to assess it in the context of their own organisation; this breach mainly affects educational institutions who used ProctorU (prior to approximately Q3 of 2016); and AUSCERT has notified affected members through their normal incident email alias.

Thank you to those who attended our Malicious URL Feed and Security Bulletins webinars. To catch up on the content we presented for these, drop by our YouTube channel.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Our last session pre AUSCERT2020 is detailed below:

• 19th August – Phishing Takedowns (register HERE)

Last but not least, further to the Prime Minister’s press conference with Home Affairs Minister Peter Dutton yesterday, we wanted to share the official launch details of Australia’s 2020 Cyber Security Strategy. The Strategy outlines Australia’s approach to protecting Australians from growing cyber threats and has committed an investment of $1.67 billion over 10 years to achieve this vision. We hope you find this document a useful resource.

Until next week, take care and have a restful weekend everyone.

Australia’s Cyber Security Strategy 2020
Date: 2020-08-06
Author: Australian Department of Home Affairs

The Australian Government has today launched Australia’s Cyber Security Strategy 2020. The Strategy outlines Australia’s approach to keeping families, vulnerable Australians, critical infrastructure providers and business secure online. It is a strategy for all Australians and Australian businesses. Security is a whole-of-community effort, in which we all have a role to play. The Strategy will invest $1.67 billion to build new cyber security and law enforcement capabilities, assist industry to protect themselves and raise the community’s understanding of how to be secure online. This includes the $1.35 billion Cyber Enhanced Situational Awareness and Response (CESAR) package. We encourage all Australians to read the Cyber Security Strategy 2020 and play your part in creating a more secure online world.

INTERPOL report shows alarming rate of cyberattacks during COVID-19
Date: 2020-08-04
Author: INTERPOL

An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure. With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption. In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.

Hacker leaks passwords for 900+ enterprise VPN servers
Date: 2020-08-04
Author: ZDNet

A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community. According to a review, the list includes:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

Phishing campaigns, from first to last victim, take 21h on average
Date: 2020-08-01
Author: ZDNet

A mixed team of security researchers from Google, PayPal, Samsung, and Arizona State University has spent an entire year analyzing the phishing landscape and how users interact with phishing pages. In a mammoth project that involved analyzing 22,553,707 user visits to 404,628 phishing pages, the research team has been able to gather some of the deepest insights into how phishing campaigns work. “We find that the average phishing attack spans 21 hours between the first and last victim visit, and that the detection of each attack by anti-phishing entities occurs on average nine hours after the first victim visit,” the research team wrote in a report they are scheduled to present at the USENIX security conference this month.

ESB-2020.2699 – Cisco Identity Services Engine: Access confidential data – Existing account
There was a large batch of Cisco bulletins released this week.

ESB-2020.2679 – GRUB2: Multiple vulnerabilities
Further grub2 patches were released by many Linux distros, including fixes for regressions.

ESB-2020.2661 – Android: Multiple vulnerabilities
Android patches released.

ESB-2020.2672 – Whoopsie: Multiple vulnerabilities
Isn’t that just a great product name!

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

AUSCERT mailout: ProctorU breach

An apparent data breach of the ProctorU service, apparently published by a user named ShinyHunters, has been making news in the last week, including an article yesterday in the Sydney Morning Herald. AUSCERT has acquired a copy of the data and notified affected members.

ProctorU gave us the following comment:

On Monday July 27, 2020, we were made aware that some information purporting to come from ProctorU.com was posted to an internet message board. Although we are still investigating, none of the data analyzed so far from that posted data was from our active production servers and all of it was at least five years old. Therefore, we currently have no reason to believe that our active production servers or data of current clients and students from the last five years was implicated. We are continuing to investigate and will update you should that understanding change or with any additional information pertinent to you.

How bad is it?

You will need to assess it in the context of your own organisation. It appears that none of the data is newer than 2016. It includes personal information of ProctorU users, as well as institutional email addresses, and password digests. We’re not sure of the severity of the password digests – digests can be very easy or very difficult to crack depending on what they incorporate. There are reports that they are bcrypt hashes.

Was my organisation affected?

It affects mainly educational institutions who used ProctorU prior to approximately Q3 of 2016. We’ve notified affected members through their normal incident email alias. An administrator for your organisation can check in the member portal what that’s set to; if it’s current, and you haven’t heard from us, then you’re clear. Not all our educational members are affected.

I’ve received a file and don’t know how to decrypt it

Please log in to the member portal and consult this page for the passphrase. You’ll need a program like Kleopatra for Windows or GPG for Linux/Mac. If using the command line, enter this and type the passphrase:

    gpg --output your-domain.tsv --decrypt your-domain.tsv.gpg

I’m encountering a GPG error when decrypting the file

GPG has some quirks. Please check the directory containing the encrypted file to see whether the decrypted file was created despite the error message. If it’s not there, please double-check the passphrase, and if that doesn’t work, reach out to us at auscert@auscert.org.au and we’ll assist.

How do I view a TSV file?

We suggest opening it in Excel or another spreadsheet program, choosing “My file is delimited”, ensuring that it uses the “Tab” as a delimiter, and ensuring that columns are of type “general”. Excel will default to all of these. You’re also welcome to use a command-line utility to split on tab characters.
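The two practical questions above (how to read the TSV, and how serious the password digests are) can be answered together by a short triage script. The following is an added example, not an AUSCERT tool: it splits the file on tab characters with Python's csv module and classifies each digest by its format, since a bcrypt hash with its cost factor is a very different exposure from an unsalted hex MD5 or SHA-1. The column names (email, institution_domain, password_digest) and the rows are constructed for illustration; the real extract's headers may differ.

```python
"""Triage a tab-separated breach extract: parse it and classify the password
digests by algorithm so the exposure can be assessed per institution.

Added example, not AUSCERT's tooling. Column names and sample rows are
constructed; adapt the header names to the file actually received.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample in the TSV layout the example expects (header row first).
SAMPLE_TSV = (
    "email\tinstitution_domain\tpassword_digest\n"
    "alice@example.edu\texample.edu\t$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy\n"
    "bob@example.edu\texample.edu\t5f4dcc3b5aa765d61d8327deb882cf99\n"
    "carol@uni.example\tuni.example\t5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\n"
    "dave@uni.example\tuni.example\t\n"
)

# bcrypt modular-crypt form: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char hash.
# Bare 40/32-char lowercase hex strings are the usual shape of unsalted SHA-1/MD5.
DIGEST_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")),
    ("sha1-hex", re.compile(r"^[0-9a-f]{40}$")),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$")),
]


def classify_digest(digest):
    """Return a label for the digest format; bcrypt labels carry the cost factor."""
    digest = digest.strip()
    if not digest:
        return "empty"
    for label, pattern in DIGEST_PATTERNS:
        match = pattern.match(digest)
        if match:
            return f"bcrypt(cost={int(match.group(1))})" if label == "bcrypt" else label
    return "unknown"


def parse_tsv(text):
    """Split strictly on tab characters. csv.DictReader with delimiter='\\t'
    avoids the surprises of splitting on arbitrary whitespace."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def summarise(text):
    """Count digest formats per institution domain, e.g.
    {'example.edu': Counter({'bcrypt(cost=10)': 1, 'md5-hex': 1}), ...}."""
    summary = {}
    for row in parse_tsv(text):
        domain = row["institution_domain"]
        summary.setdefault(domain, Counter())[classify_digest(row["password_digest"])] += 1
    return summary


if __name__ == "__main__":
    for domain, counts in summarise(SAMPLE_TSV).items():
        print(domain, dict(counts))
```

To run it against a decrypted extract, read the file with `open(path, newline="")` and pass its contents to `summarise`; a domain whose digests all classify as bcrypt with a cost of 10 or more warrants a different response from one whose digests are bare hex.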


Week in review

AUSCERT Week in Review for 31st July 2020

Greetings,

This Thursday started out with a surprise, with a responsible disclosure of GRUB2 vulnerabilities by Eclypsium. A supporting write-up and ASB have been issued by AUSCERT to help you wade through the original advisories.

In other news, we are excited to announce our 3rd keynote speaker for AUSCERT2020 – Julie Inman-Grant – Australia’s eSafety Commissioner. In this role, Julie leads the world’s first government agency committed to keeping its citizens safer online. We look forward to hosting her on Friday 18th September.

A reminder that in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise the utilisation of these within our membership group. Details below:

• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (register HERE)

And last but not least, another quick reminder for members to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Until next week, have a great weekend and remember to keep washing your hands and stay 1.5m apart in public areas!

Billions of Devices Impacted by Secure Boot Bypass
Date: 2020-07-29
Author: Threatpost
[Refer to AUSCERT bulletin ASB-2020.0135 and blog post on the AUSCERT website “There’s a hole in the boot”]

The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks. Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning. GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.

Hacker leaks 386 million user records from 18 companies for free
Date: 2020-07-28
Author: Bleeping Computer

A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches. Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data. ShinyHunters has been involved in or responsible for a wide assortment of data breaches this past year, including Wattpad, Dave, Chatbooks, Promo.com, Mathway, HomeChef, and the breach of Microsoft private GitHub repository. Of the databases released since July 21st, nine of them were already disclosed in some manner in the past. The other nine, including Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha, have not been previously disclosed.

CISO concern grows as ransomware plague hits close to home
Date: 2020-07-28
Author: ZDNet

Ransomware is on a roll. Garmin is currently wrestling with a ransomware-induced outage, and locally in Australia, 2020 has seen ransomware take out major companies and threaten beer supplies when it hit logistics giant Toll and beverage company Lion. Toll has only recently recovered from its second dose of the year. These sorts of attacks are starting to ring alarm bells, with APAC CISO of JLL Mark Smink telling ZDNet on Tuesday the ransomware plague has evolved a long way from where it was four or five years ago.

Mystery actor disrupts Emotet malware distribution botnet
Date: 2020-07-25
Author: iTnews

Malware payloads replaced with animated GIFs. Security researchers are watching the infrastructure of malware delivery botnet Emotet being compromised by an unknown actor, and disrupting the criminals’ activities in the process. Microsoft cyber security researcher Kevin Beaumont wrote that someone is currently replacing the malware files distributed by Emotet with animated GIF images. The images include one of Hackerman, who starred in the internet cult classic Kung Fury.

ASB-2020.0135 – Linux and Windows: Multiple vulnerabilities
Summary of the GRUB2 bootloader vulnerability “BootHole” which made headlines late this week.

ESB-2020.2587 – APSB20-47 Security updates available for Magento
Adobe issued an out-of-band patch for 2 critical and 2 important vulnerabilities in the Magento e-commerce system, which has been famously targeted by MageCart malware in the past.

ESB-2020.2599 – Cisco SD-WAN Solution Software Buffer Overflow Vulnerability
Cisco’s updates this week included an unauthenticated root compromise. Quelle surprise.

ESB-2020.2561 – SQLite: Multiple impacts
SQLite is one of those core software projects – few people think about it, but everybody uses it. This issue was in the query optimisation engine.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

There's a hole in the boot

Introduction

Responsible disclosure from Eclypsium has enabled patches to the GRand Unified Boot Loader (GRUB) to be coordinated on the night of the 29th July 2020.

Impact

Modifications to the GRUB configuration file can result in the execution of arbitrary code, which can also allow UEFI Secure Boot restrictions to be bypassed. Subsequently it is then possible to load further arbitrary executable code as well as drivers. To be able to exploit this vulnerability you must first have administrator or physical access to the target machine.

Systems affected

The vulnerability affects Microsoft as well as Linux-based distributions, as it affects the UEFI Secure Boot DBX along with GRUB2. A non-exhaustive list of affected vendors and operating systems has been compiled by Eclypsium:

• Microsoft UEFI Security Response Team (USRT)
• Oracle
• Red Hat (Fedora and RHEL)
• Canonical (Ubuntu)
• SuSE (SLES and openSUSE)
• Debian
• Citrix
• VMware
• Various OEMs
• … and others …

Mitigation

It is recommended that an organisation undertakes its own risk assessment, weighing the severity of the impact (administrative/root control of the boot process) against the need for the attacker to already have administrator or physical access to the target. Microsoft notes that it is possible to detect this vulnerability using either Key Attestation or Defender ATP.

Eclypsium has outlined steps to mitigate this vulnerability as follows:

• Updates to GRUB2 to address the vulnerability.
• Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims.
• New shims will need to be signed by the Microsoft 3rd Party UEFI CA.
• Administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media.
• Eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.
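The last mitigation step is the one that actually stops a revoked bootloader from running: firmware compares the SHA-256 of each boot component against the dbx (forbidden signature database) before executing it. The following added example, which is not code from Eclypsium, AUSCERT or any vendor, shows what that check looks like by parsing the EFI_SIGNATURE_LIST format that dbx and the UEFI Forum's dbx update files use, then testing whether a given image's hash is listed. The dbx blob and the two "shim" images are constructed in memory; on a Linux system the same bytes, after a 4-byte attribute prefix, are what `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` contains.

```python
"""Check whether a boot component's SHA-256 appears in a UEFI dbx blob,
which is the revocation check the mitigation step above refers to.

Added example, not vendor code. The dbx blob is constructed in memory in
EFI_SIGNATURE_LIST format; a real dbx (efivars, minus its 4-byte attribute
prefix) or a dbx update file from uefi.org has the same layout.
"""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: each entry is one 32-byte hash.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner for the constructed sample; real updates carry the issuing vendor's GUID.
# Matching ignores the owner, because only the hash decides revocation.
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")

HEADER_LEN = 16 + 4 + 4 + 4       # SignatureType GUID + three u32 sizes
SHA256_ENTRY_LEN = 16 + 32        # SignatureOwner GUID + digest


def build_sha256_siglist(hashes, owner=SAMPLE_OWNER_GUID):
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (all fields little-endian):
    SignatureType | SignatureListSize | SignatureHeaderSize | SignatureSize | entries."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    list_size = HEADER_LEN + len(body)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, SHA256_ENTRY_LEN) + body


def iter_dbx_sha256(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs and yield every SHA-256 digest.
    Lists of other types (X.509 certificates, other hash algorithms) are skipped by
    their declared size; a truncated or inconsistent list raises ValueError rather
    than being silently misread."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds blob")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_ENTRY_LEN:
                raise ValueError("unexpected SignatureSize for SHA-256 list")
            pos = off + HEADER_LEN + hdr_size
            end = off + list_size
            while pos + sig_size <= end:
                yield blob[pos + 16:pos + sig_size]
                pos += sig_size
        off += list_size


def is_revoked(image_bytes, dbx_blob):
    """True if the image's SHA-256 is listed in dbx, i.e. firmware would refuse to run it."""
    digest = hashlib.sha256(image_bytes).digest()
    return any(h == digest for h in iter_dbx_sha256(dbx_blob))


# Constructed stand-ins for a revoked and a still-trusted boot component.
OLD_SHIM = b"constructed: pre-BootHole shim image"
NEW_SHIM = b"constructed: re-signed shim image"
SAMPLE_DBX = build_sha256_siglist([hashlib.sha256(OLD_SHIM).digest()])

if __name__ == "__main__":
    print("old shim revoked:", is_revoked(OLD_SHIM, SAMPLE_DBX))  # True
    print("new shim revoked:", is_revoked(NEW_SHIM, SAMPLE_DBX))  # False
```

Pointing `iter_dbx_sha256` at a vendor dbx update and at the system's current dbx variable, and comparing the two sets of digests, tells an administrator whether the revocation step has actually been applied on a given machine.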
Advisories

AUSCERT has issued an AUSCERT Security Bulletin (ASB) [ASB-2020.0135] and will issue External Security Bulletins (ESB) as they come to hand. Below are excerpts of the Product Security Incident Response Teams (PSIRT) advisories that describe in brief the impact and vectors of these vulnerabilities.

Microsoft

ADV200011 – To exploit this vulnerability, an attacker would need to have administrative privileges or physical access on a system where Secure Boot is configured to trust the Microsoft Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA). The attacker could install an affected GRUB and run arbitrary boot code on the target device. After successfully exploiting this vulnerability, the attacker could disable further code integrity checks thereby allowing arbitrary executables and drivers to be loaded onto the target device.

Linux distributions

CVE-2020-10713 – Crafted grub.cfg file can lead to arbitrary code execution during boot process.
CVE-2020-14308 – grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-14309 – Integer overflow in grub_squash_read_symlink may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14310 – Integer overflow in read_section_from_string may lead to heap based overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14311 – Integer overflow in grub_ext2_read_link leads to heap based buffer overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-15705 – Failure to validate kernel signature when booted without shim. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15706 – Use-after-free in grub_script_function_create. 6.4 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-15707 – Integer overflows in efilinux grub_cmd_initrd and grub_initrd_init leads to heap based buffer overflow. 5.7 (Medium) / CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

Sources

Media reports
• Forbes: https://www.forbes.com/sites/daveywinder/2020/07/29/boothole-secure-boot-threat-confirmed-in-most-every-linux-distro-windows-8-and-10-microsoft-ubuntu-redhat-suse-debian-citrix-oracle-vmware/#2537b652666e
• ZDNet: https://www.zdnet.com/article/boothole-attack-impacts-windows-and-linux-systems-using-grub2-and-secure-boot/
• Threatpost: https://threatpost.com/billions-of-devices-impacted-secure-boot-bypass/157843/

Further information
• Key Attestation: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation
• Defender ATP: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
• UEFI Forum: https://uefi.org/revocationlistfile
• Canonical: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass

PSIRT information
• Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011
• Canonical: https://ubuntu.com/security/notices/USN-4432-1
• Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
• HPE: www.hpe.com/info/security-alerts
• Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
• SUSE: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
• VMware: https://kb.vmware.com/s/article/80181


Week in review

AUSCERT Week in Review for 24th July 2020

Greetings,

A slightly less hectic one this week. A quick reminder to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August (if you haven’t already done so). We look forward to collating our member thoughts and feedback; thank you in advance for your time and support.

Thank you also to those members who attended our Malicious URL Feed webinar which took place on Wednesday 22 July; we trust that you benefitted from the session. The good news is, we will be hosting a couple more of these sessions on different topics:

• 5th August – Security Bulletins (register HERE)
• 19th August – Phishing Takedowns (registration details TBC)

And last but not least, in case you haven’t stumbled across this already, the Australian Government Department of Home Affairs have released their report on Australia’s 2020 Cyber Security Strategy. AUSCERT is very proud to have been involved in the consultation process through our parent organisation, The University of Queensland, late last year. The report included 60 recommendations to bolster Australia’s critical cyber defences which are structured around a framework with five key pillars: Deterrence, Prevention, Detection, Resilience and Investment – all aligned to our core values here at AUSCERT. “Cyber security has never been more important” – we hope you find this report useful.

Until next week, have a great weekend everyone!

New ‘Shadow Attack’ can replace content in digitally signed PDF files
Date: 2020-07-23
Author: ZDNet
[The researchers disclosed this in early March, Adobe released a patch in mid-May which we published as ESB-2020.1693, and the researchers have gone public this week with information and proofs of concept. This raises the public profile of the vulnerability and increases the chance that it will be exploited; patch your PDF viewer applications!]

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany. Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack.

20,000+ new vulnerability reports predicted for 2020, shattering previous records
Date: 2020-07-22
Author: Help Net Security

Over 9,000 new vulnerabilities have been reported in the first six months of 2020, and we are on track to see more than 20,000 new vulnerability reports this year — a new record, Skybox Security reveals.

Why the internet went haywire last week
Date: 2020-07-20
Author: ZDNet

It was another end of the work week; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions of users found their internet services failing.

ESB-2020.2480 – [Win][Mac] Photoshop: Multiple vulnerabilities
Adobe’s patch day included arbitrary code execution upon opening a crafted file.

ESB-2020.2460 – [Win][UNIX/Linux] Python: Execute arbitrary code/commands – Remote with user interaction
Insecure linked library loading in the pliable language led to potential privilege escalation.

ESB-2020.2260.7 – UPDATED ALERT [Appliance] F5 Networks: Multiple vulnerabilities
F5’s fix for a critical unauthenticated RCE in their Traffic Manager User Interface has received a lot more information this week, including a warning that the Viprion B2250 Blade may have problems with the provided patch.

ESB-2020.2464 – [Win][UNIX/Linux] Moodle: Multiple vulnerabilities
Moodle released three advisories marked “serious” and one marked “minor”, including teachers for a course being able to assign themselves as a manager of that course and increase their own privileges.

ESB-2020.2541 – [Linux] QRadar Advisor: Access confidential data – Console/Physical
Just for a change of pace, here’s a simple one: IBM accidentally didn’t obscure the password field in a login form, so someone could read it over your shoulder. CVE-2020-4408.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 17th July 2020

AUSCERT Week in Review for 17th July 2020 Greetings, Have we been busy! This week has been another tough one for networking vendors. SAP NetWeaver, Windows Server and Cisco’s RV-series routers have all had critical vulnerabilities this week, enabling unauthenticated remote code execution. See the highlighted articles bulletins below for more information, and if you’re affected, we advise applying patches or mitigations ASAP. And last but not least, an AUSCERT membership email would have landed in your inbox this week containing some important updates for July 2020: An invitation to complete the 2020 AUSCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our member thoughts and feedback, thank you in advance for your time and support! An update regarding our Quarter 2; an overview of the cyber security incidents reported by members, from 1 April – 30 June 2020 and includes a summary of other key achievements this quarter. An invitation to attend our Malicious URL Feed webinar taking place next Wednesday 22 July. Until next week, wishing everyone a restful weekend. Critical SAP Recon flaw exposes thousands of systems to attacks Date: 2020-07-13 Author: Bleeping Computer [Refer to AUSCERT bulletin ESB-2020.2381] SAP patched a critical vulnerability affecting over 40,000 systems and found in the SAP NetWeaver Java versions 7.30 to 7.50, a core component of several solutions and products deployed in most SAP environments. The RECON (short for Remotely Exploitable Code On NetWeaver) vulnerability is rated with a maximum CVSS score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems according to Onapsis, the company that found and responsibly disclosed RECON to the SAP Security Response Team. 
Microsoft urges patching severe-impact, wormable server vulnerability
Date: 2020-07-15
Author: Ars Technica
[Refer to AUSCERT bulletin ASB-2020.0120; member portal login required]
Microsoft is urgently advising Windows Server customers to patch a vulnerability that allows attackers to take control of entire networks with no user interaction and, from there, rapidly spread from computer to computer. The vulnerability, dubbed SigRed by the researchers who discovered it, resides in Windows DNS, a component that automatically responds to requests to translate a domain into the IP address computers need to locate it on the Internet. By sending maliciously formed queries, attackers can execute code that gains domain administrator rights and, from there, take control of an entire network. The vulnerability, which doesn’t apply to client versions of Windows, is present in server versions from 2003 to 2019. SigRed is formally tracked as CVE-2020-1350. Microsoft issued a fix as part of this month’s Update Tuesday.

Cyber experts urge Australia to develop local capability to defend against hackers
Date: 2020-07-12
Author: Sydney Morning Herald
Cyber experts have urged the federal government to become less reliant on overseas businesses, technologies and expertise for its defences against hackers as it puts the finishing touches on the nation’s new cyber security strategy. Foreign providers are responsible for most of the cyber security products and services in Australia, with no local companies among the 15 largest software providers in the local market.

Thousands of shop, bank, and government websites shut down by EV revocation
Date: 2020-07-13
Author: Netcraft
More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge. On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than revocation of other types of certificate. The remainder are yet to be revoked.

SANS Institute Provides Guidance on Improving Cyber Defense Using the MITRE ATT&CK Framework
Date: 2020-07-13
Author: CISION PR Newswire
[SANS Institute will be speaking at, and is a sponsor of, AUSCERT2020.]
A new report from the SANS Institute, “Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework,” provides expert guidance to help cyber defense professionals learn how best to leverage the MITRE ATT&CK Framework to improve their organization’s security posture.

Outlook down? How to fix it
Date: 2020-07-15
Author: ZDNet
It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers (some of them may have noted that they’d gotten an Outlook program update) and then they tried to open their e-mail in Outlook. Suddenly their day took a turn for the worse. For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

ESB-2020.2381.2 – UPDATE [ALERT] SAP NetWeaver AS Java: Multiple Vulnerabilities
A critical vulnerability in SAP NetWeaver AS Java has been identified; applying the critical patches as soon as possible is recommended.

ASB-2020.0120 – [ALERT] Windows: Multiple vulnerabilities
Microsoft security update resolves the wormable vulnerability “SIGRed” in Windows servers acting as a DNS server.

ASB-2020.0121 – Extended Support Update products: Multiple vulnerabilities
Windows Server 2008 Extended Support Update (ESU) also gets a SIGRed patch.

ESB-2020.2417 – [ALERT] Cisco RV-series routers: Multiple vulnerabilities
Cisco update fixes a vulnerability in the web-based management interface of its RV-series routers, leading to unauthenticated root compromise of the device.

Stay safe, stay patched and have a good weekend!
Vishaka


Week in review

AUSCERT Week in Review for 10th July 2020

Greetings,

This week saw us starting the week with a critical alert for members to urgently patch the vulnerability found within F5’s BIG-IP products: CVE-2020-5902. We trust that all necessary steps have been undertaken within your organisation. This week we also learned about CVE-2020-2034, a high-severity vulnerability in Palo Alto’s PAN-OS, and CVE-2020-1654, affecting Juniper’s SRX Series devices. It’s been a tough week for networking vendors.

Having observed a substantial increase in the number of followers within our social media platforms, we thought it was pertinent to share our Glossary of InfoSec Terms & Acronyms again with our readers. This is a resource we’ve had plenty of positive feedback about, and hopefully it comes in handy for you too.

Keep an eye out for a copy of our member Security Bulletins survey landing in your inbox next week. This survey has been prepared by our team, and the results will be used to strengthen our delivery of this particular service as part of a long-term service improvement project. We look forward to collating our member thoughts and feedback!

Until next week, we hope everyone has a restful weekend ahead – and to our friends and colleagues in Victoria, we’re thinking of you. Please stay safe and thank you for staying home.

Critical F5 BIG-IP vulnerability made public
Date: 2020-07-06
Author: ITNEWS
[See also AUSCERT bulletin ESB-2020.2260.5.]
Users of F5 enterprise and data centre BIG-IP network products are warned to patch the devices as soon as possible to handle a critical, easy to exploit remote code execution vulnerability that has now been made public. Examples of the exploit have now been posted on social media, one of which uses a single line of code that calls a JavaServer Page function to reveal the passwords stored on BIG-IP devices.
The vulnerability rates as 10 out of 10 on the Common Vulnerability Scoring System (CVSS), and lies in a lack of proper access control for the Traffic Management User Interface (TMUI) configuration utility for the devices.

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft
Date: 2020-07-07
Author: Threatpost
[Refer to AUSCERT bulletin ESB-2020.2310]
Admins should patch their Citrix ADC and Gateway installs immediately. Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.

Exploit developed for critical Palo Alto authentication flaw
Date: 2020-07-06
Author: The Daily Swig (Portswigger)
Security researchers at Randori have developed a proof-of-concept exploit against a recently discovered flaw in firewalls and VPNs from Palo Alto Networks. The Security Assertion Markup Language (SAML) authentication bypass (CVE-2020-2021) in PAN-OS is configuration specific, but critical in severity, rated at the maximum 10 on the CVSS scale. Randori’s work demonstrates that the vulnerability is not only critical but readily exploitable, a development that underlines the need to apply the patches released last week or remove the risk of attack by switching authentication methods. “Organizations leveraging SAML for authentication on affected systems should assume that an adversary may have gained access to their network,” Randori advises. “They should review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise.”

Microsoft takes down domains used in COVID-19-related cybercrime
Date: 2020-07-07
Author: Bleeping Computer
Microsoft took control of domains used by cybercriminals as part of the infrastructure needed to launch phishing attacks designed to exploit vulnerabilities and public fear resulting from the COVID-19 pandemic. The threat actors who controlled these domains were first spotted by Microsoft’s Digital Crimes Unit (DCU) while attempting to compromise Microsoft customer accounts in December 2019 using phishing emails designed to harvest contact lists, sensitive documents, and other sensitive information, later to be used as part of Business Email Compromise (BEC) attacks. The attackers baited their victims (more recently using COVID-19-related lures) into giving them permission to access and control their Office 365 account by granting access permissions to attacker-controlled malicious OAuth apps.

$2.5 billion lost over a decade: ‘Nigerian princes’ lose their sheen, but scams are on the rise
Date: 2020-07-06
Author: The Conversation
Last year, Australians reported more than A$634 million lost to fraud, a significant jump from $489.7 million the year before. The Australian Competition and Consumer Commission has released its latest annual Targeting Scams report. But despite increased awareness, scam alerts and targeted education campaigns, more Australians are being targeted than ever before.

Mozilla suspends Firefox Send service while it addresses malware abuse
Date: 2020-07-07
Author: ZDNet
Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism.
Windows 10’s Microsoft Store Codecs patches are confusing users
Date: 2020-07-05
Author: BleepingComputer
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library (the HEVC packages). They stated that these affected both Windows 10 and Windows Server at the time. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store. Even more confusing, the advisories did not explain which Microsoft Store apps would be updated to resolve the vulnerabilities, leaving users in the dark as to whether they were affected and patched by an update.

Microsoft Defender ATP web content filtering is now free
Date: 2020-07-06
Author: BleepingComputer
The new Microsoft Defender Advanced Threat Protection Web Content Filtering feature will be provided for free to all enterprise customers without the need for an additional partner license. Web Content Filtering is part of Microsoft Defender ATP’s Web protection capabilities and it allows security admins to design and deploy custom web usage policies across their entire organizations, making it simple to track and control access to websites based on their content category. The feature is available on all major web browsers, with blocks performed by Network Protection (on Chrome and Firefox) and SmartScreen (on Edge).

ESB-2020.2310 – Citrix: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. These vulnerabilities could result in a number of security issues.

ESB-2020.2260.5 – UPDATED ALERT F5 Networks: Multiple vulnerabilities
A new mitigation has been developed and published to address an RCE vulnerability in the TMUI.

ESB-2020.2339 – Citrix Hypervisor products: Multiple vulnerabilities
Hotfixes have been released by Citrix to address two issues in Citrix Hypervisor.

ESB-2020.2309 – Android: Multiple vulnerabilities
Multiple security vulnerabilities identified affecting Android devices. Security patch levels of 2020-07-05 or later address all of these issues.

ESB-2020.2305 – firefox: Multiple vulnerabilities
An update has been released to address multiple vulnerabilities in Firefox.

ESB-2020.2297 – thunderbird: Multiple vulnerabilities
Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

ESB-2020.2296 – php7.0: Multiple vulnerabilities
Multiple security issues were found in PHP, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
Vishaka


Week in review

AUSCERT Week in Review for 03rd July 2020

Greetings,

This week we welcomed the announcement of a record $1.35 billion investment in cyber security by the Australian Government. Hopefully this funding package will mean more Australian organisations can identify the ever-present cyber threats and protect themselves against these challenges. As always, AUSCERT is supportive of both the ASD and ACSC in their vital work within this industry and hopes to leverage their expertise in our mission to help members prevent, detect, respond to and mitigate cyber-based attacks.

Following the discovery of the Palo Alto vulnerability, we wanted to take this opportunity to remind members to update us, via our member portal, with all relevant domains and IP ranges that you want to receive alerts for. In this particular instance, affected members were contacted directly with a tailored email, and it would have been a shame to be left off this list.

And last but not least, a reminder that tutorial and workshop registrations for Virtual AUSCERT2020 are now open and priority access will be granted to all AUSCERT members. Spots are filling up fast, so be sure to get in quick!

Until next week, wishing everyone a restful weekend, especially the parents amongst us who are in the midst of or about to start their school holiday breaks. …

Inside the hacking attacks bombarding Australia
Date: 2020-06-29
Author: ABC News
Who are these people? Who is directing them? What are they after? And most important of all, how can they be stopped? Questions like these have been asked more urgently since Scott Morrison announced that a “sophisticated state-based cyber actor” had launched attacks earlier this month on “all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure”. Craig Valli, who left a teaching career 20 years ago for academia and is now Professor of Digital Forensics at Perth’s Edith Cowan University, has many of the answers. It is a complex world that he explains with the sort of patience and relatability learnt from time corralling kids in a classroom.

Microsoft releases urgent security updates for Windows 10 Codecs bugs
Date: 2020-06-30
Author: Bleeping Computer
[Refer to AUSCERT Bulletin ASB-2020.0117, which is member-only content.]
Microsoft has released two out-of-band security updates to address remote code execution vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first rated as critical while the second received an important severity rating. Both desktop and server platforms are affected. In both cases, the remote code execution issue is caused by the way the Microsoft Windows Codecs Library handles objects in memory.

Beware “secure DNS” scam targeting website owners and bloggers
Date: 2020-06-29
Author: Naked Security
If you run a website or a blog, watch out for emails promising “DNSSEC upgrades” – these scammers are after your whole site.

The psychology of social engineering—the “soft” side of cybercrime
Date: 2020-06-30
Author: Microsoft Security Blog
Forty-eight percent of people will exchange their password for a piece of chocolate, 91 percent of cyberattacks begin with a simple phish, and two out of three people have experienced a tech support scam in the past 12 months. What do all of these have in common? They make use of social engineering: when an attacker preys on our human nature in order to defraud. Also in common, these small, very human actions have led to billions of dollars of loss to global business.

Over 82,000 Aussies’ details leaked in crypto scam
Date: 2020-07-01
Author: ITNews
Personal details of tens of thousands of Australians who fell for a fraudulent cryptocurrency investment scheme that used fake media sites and celebrity endorsements have been leaked onto the web. Singaporean security vendor Group-IB discovered 248,926 sets of personally identifiable information, of which 82,263 records were from Australian users, leaked by an unknown party. Details leaked include names, email addresses and phone numbers.

ESB-2020.2239 – misp: Multiple vulnerabilities
A new version of MISP has been released with a significant refactoring of the STIX import/export along with many improvements.

ESB-2020.2234 – chromium-browser: Multiple vulnerabilities
An important update for Chromium has been released that fixes a use-after-free bug in extensions.

ESB-2020.2208 – McAfee Enterprise Appliance: Multiple vulnerabilities
McAfee Security Bulletin – Enterprise Appliance updates address two vulnerabilities.

ESB-2020.2271 – Cisco Systems: Multiple Vulnerabilities
Cisco has released software updates that address a cross-site scripting vulnerability in Cisco Small Business RV042 and RV042G routers.

Stay safe, stay patched and have a good weekend!
Vishaka


Blogs

How to use the YARA rules for the "Copy-paste compromises" advisory

Regarding today’s “copy-paste compromises” advisory from the ACSC, we’ve had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided. This is a how-to guide for the YARA rules you may have received. Here is our full commentary on the alert.

Downloading the files

Feel free to download them from the original source; however, we’ve had some enquiries asking for assistance with this, so we have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements.

Original ACSC source on cyber.gov.au
AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP
AUSCERT AusMISP on AusMISP

The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol (TLP:GREEN), in which case here’s how to use them. The green level does not permit us to redistribute them publicly.

Indicators of compromise in CSV

We’re not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide.

YARA rules

YARA rules are a widely-used way to express IoCs in a form that scanning engines can consume. Some more info, and the official source, and the official documentation.

How to use YARA rules on your entire fleet (if you’re prepared and lucky)

Many Endpoint Detection and Response (EDR) solutions provide YARA support. If you have one deployed, you can import the YARA rules and run them, which will be relatively quick and easy. If not, you could try using your existing fleet management system to deploy YARA and run a scan, e.g. for Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of Group Policy background script to run the scan and deliver results. If you try this, we’d love to hear how it goes, and we’d also love any info or scripts you can provide that might help other members. Consider whether this is worth doing for your fleet. Otherwise, keep reading.

How to use YARA rules on Windows

Official binaries are available, so you’re in good shape. Head to the project’s Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip). Once in, you can scan individual directories or drives, ideally in an admin shell. Note the trailing backslash: a bare C: means “the current directory on drive C”, not the root of the drive.

yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C:\

(The yarac.exe binary is for compiling rules, which you probably don’t need to do.)

How to use YARA rules on Linux

Your distribution’s package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros’ repositories is out of date and may contain security vulnerabilities, so check the version (yara --version); the latest release at time of writing is v4.0.1, updated mid-May 2020.

yum install yara
apt install yara

To scan your entire system:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them (bear in mind this also hides any error about the rules file itself, so confirm the rules load before relying on a silent run):

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

A recursive scan of / also descends into pseudo-filesystems such as /proc, /sys and /dev, which is slow and noisy and can hang on some device nodes; the YARA command line has no exclusion option, so scanning the real directories or mount points you care about individually (for example /home, /var, /opt and /tmp) is usually the better choice.

You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions. If your distribution’s version is unacceptable, the YARA project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process.

How to use YARA rules on macOS

Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions.

brew install yara

To scan your entire system:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

Or only scan specific parts:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts

What to do if you find something

Firstly, any rule matches starting with “heuristic” are just that: heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don’t panic when you see them, and don’t start by investigating them. Consider advising the ACSC that you need assistance. Copying their advice here for convenience:

If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice.

It’s also worth noting that the ACSC’s advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging – just make it a priority on Monday.
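The triage advice above (investigate non-heuristic hits first, treat “heuristic” hits as likely false positives, and mute permission noise without losing the result) can be wrapped in a small script so the scan output is sorted before anyone starts digging. The following Python wrapper is an added example written for this post; it is not AUSCERT’s or the ACSC’s code. It assumes the yara binary is on PATH and that the rules file is the TLP:GREEN file named above; the rule names and file paths in SAMPLE_OUTPUT are constructed for illustration and are not taken from the advisory.

```python
"""Run a recursive YARA scan and triage its matches.

Added example, not code from AUSCERT or the ACSC. Assumes `yara` is on PATH.
The rule names and paths in SAMPLE_OUTPUT are constructed for illustration.
"""
import subprocess
import sys
from collections import defaultdict

# Rules file named in the post (assumed to be in the current directory).
RULES_FILE = "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt"

# Constructed sample of what `yara -r` prints: "<rule_name> <path>" per match.
# The rule names here are invented; only the "heuristic" prefix convention
# comes from the post.
SAMPLE_OUTPUT = """\
heuristic_suspicious_jsp_upload /var/www/html/uploads/test.jsp
webshell_example_rule /var/www/html/uploads/shell.jsp
heuristic_suspicious_jsp_upload /opt/app/backup/old.jsp
webshell_example_rule /tmp/.x/shell.jsp
"""


def parse_matches(output):
    """Parse yara's stdout into {rule_name: [paths]}.

    yara prints one line per (rule, file) pair: the rule name, a single
    space, then the file path. Paths may contain spaces, so split only once.
    """
    matches = defaultdict(list)
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        rule, _, path = line.partition(" ")
        if path:
            matches[rule].append(path)
    return dict(matches)


def triage(matches):
    """Split matches into confident hits and heuristic noise.

    Rules whose names start with "heuristic" are, per the post, heuristics
    that will produce false positives; everything else is investigated first.
    """
    confident = {r: p for r, p in matches.items() if not r.startswith("heuristic")}
    heuristic = {r: p for r, p in matches.items() if r.startswith("heuristic")}
    return confident, heuristic


def summarise(matches):
    """Return (confident_files, heuristic_files), each sorted and de-duplicated.

    A file hit by several confident rules is listed once; that is the list an
    analyst should open first.
    """
    confident, heuristic = triage(matches)
    conf_files = sorted({p for ps in confident.values() for p in ps})
    heur_files = sorted({p for ps in heuristic.values() for p in ps})
    return conf_files, heur_files


def run_scan(paths, rules_file=RULES_FILE, yara_bin="yara"):
    """Run `yara -r <rules> <paths...>` and return (matches, stderr_tail).

    stderr (the permission-denied noise) is captured rather than shown, but
    the tail is returned so a rules-file error is not silently lost. A
    non-zero exit code means the rules did not load or the scan aborted.
    """
    proc = subprocess.run([yara_bin, "-r", rules_file, *paths],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"yara exited {proc.returncode}: {proc.stderr[-300:]}")
    return parse_matches(proc.stdout), proc.stderr[-300:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result, _err = run_scan(sys.argv[1:])     # e.g. python triage.py /var /home
    else:
        result = parse_matches(SAMPLE_OUTPUT)     # offline demo on the constructed sample
    conf, heur = summarise(result)
    print("Investigate first (non-heuristic rule hits):")
    for path in conf:
        print("  ", path)
    print("Heuristic hits (expect false positives; look at these later):")
    for path in heur:
        print("  ", path)
```

Run it with the directories you would otherwise pass to yara -r (for example, the likely web roots and temp directories rather than /), and hand the first list to whoever is doing the investigation; the second list is the one the post says not to start with.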


Week in review

AUSCERT Week in Review for 26th June 2020

Greetings,

This week we’ve observed an increase in business email compromise cases, so we thought it was pertinent to share this updated blog post here. Our top 3 tips to combat this threat are listed below; please help us spread this message along to your colleagues:

* Educate users, particularly those that handle payments, about the nature of the attack
* Follow up email requests with a telephone call to verify their veracity
* Implement appropriate checking of financial transactions

Following on from the ACSC advisory issued on Friday last week, we would like to feature (and reiterate again) the following blog post containing practical tips on “How to use the YARA rules for the copy-paste compromises”. If you’ve received YARA rules, then this will help you use them. If not, we aren’t able to share them with you.

And last but not least, members, a reminder that with the effective establishment of Slack, our member IRC channel will be decommissioned from Wednesday 1st July, 2020. For those of you wanting to join us on Slack, please do so by logging in with your member portal credentials here.

We hope that everyone enjoys a safe and restful weekend.

NVIDIA patches high severity flaws in Windows, Linux drivers
Date: 2020-06-24
Author: Bleeping Computer
NVIDIA has released security updates to address security vulnerabilities found in GPU Display and CUDA drivers and Virtual GPU Manager software that could lead to code execution, denial of service, escalation of privileges, and information disclosure on both Windows and Linux machines. All the flaws patched today require local user access and cannot be exploited remotely, so attackers would first have to get a foothold on an exposed machine. Once that is achieved, they could exploit the bugs by planting malicious code or tools targeting one of these issues on devices running vulnerable NVIDIA drivers.
Twitter is “very sorry” for a security breach that exposed private data of business accounts
Date: 2020-06-24
Author: The Tech Portal
Twitter is back in cybersecurity news, as the company reports yet another data breach via its platform. In an email sent to its business users, Twitter said that there is a “possible” data breach that may have exposed private information of these accounts. Business users are generally those accounts which advertise on the platform.

Australian security cameras hacked, streamed on a Russian-based website
Date: 2020-06-24
Author: ABC News
Australians are being filmed through private security cameras that are being streamed on a website based in Russia. Key points:

* The Insecam website broadcasts live streams of compromised web-connected security cameras and webcams
* The site allows people to control the cameras by zooming in and out and moving the camera around
* The group behind the website denied it hacked the cameras

Hackers use Google Analytics to steal credit cards, bypass CSP
Date: 2020-06-22
Author: Bleeping Computer
Hackers are using Google’s servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API, disclosed last week, has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites.

New taskforce to push cyber security standards
Date: 2020-06-22
Author: iTnews
A cross-sector taskforce of experts from the defence, energy, health and financial services sectors has been created to accelerate the adoption of industry cyber security standards across Australia. The taskforce, which held its first meeting on Monday, is the result of an “Australian-first” collaboration between the NSW government, AustCyber and Standards Australia. It follows earlier reports on Monday that the federal government is crafting minimum cyber security standards for businesses, including critical infrastructure, as part of its next cyber security strategy.

ESB-2020.2191 – telnet: Multiple vulnerabilities
A serious remote code execution vulnerability found in Cisco IOS XE Software.

ESB-2020.2116.2 – Cisco Webex Meetings Desktop App: Multiple vulnerabilities
Another code execution vulnerability was patched in the Cisco Webex Meetings Desktop App.

ESB-2020.2206 – kernel: Multiple vulnerabilities
Multiple NVIDIA code execution vulnerabilities patched on Ubuntu.

Stay safe, stay patched and have a good weekend!
The AUSCERT Team
