Publications

AUSCERT Week in Review for 13th March 2020 Greetings, We understand that this is a worrying time for many in our community and wanted to broach the subject of how COVID-19 (Coronavirus) impacts AUSCERT. Our team will continue to support our members through our range of services. A reminder that our member incident hotline continues to operate 24/7 and details can be found on our website by logging in to our member portal.  Because we are a part of The University of Queensland, we are aligning ourselves with the University by responding to the situation as it evolves and are also planning for contingencies to continue delivering our services. In other news this week, AUSCERT took part as the leading team in the annual Asia Pacific Computer Emergency Response Team (APCERT) drill. This drill tests the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. To find out more about this annual endeavour, please visit our site here. Last but not least, we are pleased to announce that our conference website is now updated with a list of speakers and program details will be announced soon. Microsoft emits SMBv3 worm-cure crisis patch Date: 2020-03-12 Author: The Register Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw designated CVE-2020-0796. The bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an un-patched system simply by sending the targeted system specially crafted compressed data packets. Systems running 32 and 64-bit Windows 10 v1903, Windows 10 v1909, Windows Server v1903 (Server Core), and Windows Server v1909 (Server Core) – and just those versions – need to get patched right now. Coronavirus map used to spread malware Date: 2020-03-09 Author: Graham Cluley Be careful about which websites you trust. A malicious site appears to have copied the look-and-feel of a legitimate Coronavirus map from Johns Hopkins University. Security researchers at Malwarebytes say that they have found malicious code hiding behind the fake website that claimed to show an up-to-date global heatmap of Coronavirus reports. The malicious code skims for passwords and payment card details, as a variant of the AzorUlt spyware. Be careful what programs you install and run on your computers folks… or you might be putting yourself at risk. Coronavirus: How hackers are preying on fears of Covid-19 Date: 2020-03-13 Author: BBC News Cyber-criminals are targeting individuals as well as industries, including aerospace, transport, manufacturing, hospitality, healthcare and insurance. Phishing emails written in English, French, Italian, Japanese, and Turkish languages have been found. The BBC has tracked five of the campaigns. March 2020 Patch Tuesday: Microsoft fixes 115 vulnerabilities, Adobe none Date: 2020-03-10 Author: Help Net Security It’s March 2020 Patch Tuesday, Adobe seems to have skipped releasing any patches, whilst Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The 26 critical flaws all allow remote code execution, but some are more easily exploited than others. The good news is that no active attacks have been observed for any of the vulnerabilities at this time. Preparing for Covid-19 and beyond Date: 2020-03-06 Author: Beta News The threat of a global pandemic is alarming, but at least in this case, IT has some advance notice to prepare for the worst-case scenario. You do not want to be caught without a plan if local governments institute a quarantine or local schools are closed for several weeks. And even if we avoid a pandemic — fingers crossed — the planning you did won’t be in vain. It’s important for every organization to always have a plan to deal with disasters large and small, whether it’s flooding, inclement winter weather or a particularly bad cold that sends half your team home. Here are the steps you should take to put together your plan and prepare for a potential pandemic. ESB-2020.0862.2 – UPDATED ALERT SMBv3: Execute arbitrary code/commands – Remote/unauthenticated Microsoft released an out-of-bounds emergency patch today for a vulnerability identified as wormable. See article above. ESB-2020.0868 – Firefox ESR: Multiple vulnerabilities Firefox update patches Airpod information disclosure vulnerability. ASB-2020.0054 – Windows: Multiple vulnerabilities Microsoft Patch Tuesday resolves 78 vulnerabilities for Windows. Stay safe, stay patched and have a good weekend! Sean

AUSCERT and the APCERT CYBER DRILL 2019   “Catastrophic Silent Draining in Enterprise Network”   Exactly a week a week ago, our team was involved in the 2019 APCERT Cyber Drill.    AUSCERT is proud to announce that we had some staff members as part of the running committee tasked with assisting the organization responsible for this drill and various other staff members as participants. Last but not least, AUSCERT will be running this drill next year in 2020 and the entire team is excited and looking forward to this opportunity.   Please see below for a copy of the official media release:      APCERT Secretariat: JPCERT/CCJapan Computer Emergency Response Team Coordination CenterContact: apcert-sec@apcert.orgURL: www.apcert.org   31 July 2019 MEDIA RELEASE The Asia Pacific Computer Emergency Response Team (APCERT) today has successfully completed its annual drill to test the response capability of leading Computer Security Incident Response Teams (CSIRT) within the Asia Pacific economies. The theme of this year’s APCERT Drill is “Catastrophic Silent Draining in Enterprise Network.” This exercise reflects real incidents and issues that exist on the Internet. This year’s scenario was inspired by a latest security attack on an organization, which relates to the vulnerability that could allow attackers to completely take over vulnerable websites to deliver malware backdoor and cryptocurrency miners. This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. Throughout the exercise, the participating teams activated and tested their incident handling arrangements.  This drill included the need for the teams to interact locally and internationally, with CSIRTs/CERTs and targeted organizations, for coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities. This incident response exercise, which was coordinated across many economies, reflects the collaboration amongst the economies in mitigating cyber threats and validates the enhanced communication protocols, technical capabilities and quality of incident responses that APCERT fosters in assuring Internet security and safety. 26 CSIRTs from 20 economies of APCERT (Australia, Bhutan, Brunei Darussalam, People’s Republic of China, Chinese Taipei, Hong Kong, India, Indonesia, Japan, Korea, Lao People’s Democratic Republic, Macao, Malaysia, Mongolia, Myanmar, New Zealand, Singapore, Sri Lanka, Thailand, and Vietnam) participated in the drill. Original copy of this media release can be found HERE  

AUSCERT Week in Review for 6th March 2020 Greetings, Welcome to March. This month sees us turning 27. As an organisation, we have come a long way since the day that student hacked into NASA in their spare time in 1993! 27 years later, we are still preaching our greater good ethos and are proud to be serving our members daily. Soon, we will be sharing with you a copy of our Year in Review 2019 publication. This is something we have put together to help our members (and the public) understand the current trends in our industry – from AUSCERT’s unique perspective; it will also provide an oversight of our operations and offers a preview of our automation-focused road map for 2020 and beyond. Last but not least, Happy International Women’s Day to all our readers. To celebrate and pay homage to our female colleagues, AUSCERT will be featuring a Women of AUSCERT series on our LinkedIn page throughout next week. The Let’s Encrypt CAA Code Bug – A Plain View Date: 2020-03-05 Author: AUSCERT Blog Let’s Encrypt recently found a bug in their CAA checking code and after remediating the bug on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totaling approximately 3 million certificates. Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties. Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in-place could trigger errors in browsers and other applications, cause loss availability and/or trust, all potentially causing harm to the companies that rely on them. Social Engineering Risks: How to Patch the Humans in Your Organization Date: 2020-02-28 Author: PenTest Magazine Employees have long been presumed as the weakest link in the corporate cybersecurity chain. But new research from Proofpoint’s Human Factor report claims that over 99% of email-borne cyber-attacks require human intervention to work. Hackers are targeting primarily people, rather than technology systems, to get what they want. Technically anyone in your organization could be on the receiving end of such an attack. Organizations need to do better at protecting and educating these Very Attacked People (VAPs) in their midst. As always, a defense-in-depth approach makes the best sense. This should start with user awareness training and education, but not rely 100% on it. By adding in other steps, you stand a better chance of knocking back the hackers in the event that they manage to trick an employee or bypass a security solution. Citrix vulnerability used for potential Defence recruitment database access Date: 2020-03-04 Author: ZDNet The Australian Signals Directorate (ASD) has revealed that a vulnerability in Citrix, announced over Christmas, could have been used by malicious actors to access a database of Australian Defence recruitment details. “On the 24th of January … through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue,” newly installed director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates on Wednesday night. Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability. Fraud Prevention Month: How to protect yourself from scams Date: 2020-03-04 Author: WeLiveSecurity Businesses and citizens lead busy lives and it is very easy to keep items that may not immediately affect us towards the bottom of the to-do list. Fraud is potentially one of those items, we may appreciate it can happen but unless it’s happening to us at this moment in time then we can often be guilty of delaying preventative action. And for businesses the risk is compounded; fraud may affect the daily operations of the business and if it requires public disclosure can lead to loss of reputation and potentially create a distrust atmosphere with customers. Banking fraud and identity theft are intrinsically linked, as you would expect. Here are some tips on what should be the beginning of your plan to protect your identity. ASB-2020.0051 – Android: Multiple vulnerabilities The March 2020 patch level for Android includes fixes for multiple critical vulnerabilities. ESB-2020.0769 – zsh: Increased privileges The commonly-used zsh shell had a flaw in its –no-PRIVILEGED option. ESB-2020.0746 – Salt: Unauthenticated RCE A SecOps product fixed an unauthenticated command injection vulnerability. Stay safe, stay patched and have a good weekend! Sean & Mal

The Let's Encrypt CAA Code Bug – A Plain View What happened Let’s Encrypt recently found a bug in their CAA checking code and after remediating the bug [1] on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), announced they would revoke approximately 2.6% of their active certificates that were potentially affected by the bug, totalling approximately 3 million certificates [2]. Let’s Encrypt company engineers provided a technical update [1]: “ On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking. The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt. We confirmed the bug at 2020-02-29 03:08 UTC, and halted issuance at 03:10. We deployed a fix at 05:22 UTC and then re-enabled issuance. Our preliminary investigation suggests the bug was introduced on 2019-07-25. We will conduct a more detailed investigation and provide a postmortem when it is complete. “   Cert Revocation, Renewal and Replacement Let’s Encrypt report they are aiming to “complete revocations before the deadline of 2020-03-05 03:00 UTC, we are planning to start revoking affected certificates at 2020-03-04 20:00 UTC (3:00pm US EST)”. Those affected should continue to renew and replace affected with new certificates. [3]   Impact Whilst this might not be seen as critical on the surface, a certificate is fundamentally used to establish and maintain site trustworthiness between two parties.  Essentially, certificates are used by browsers to ensure that the site we intended to visit is really the one we’ve arrived at. Leaving a revoked certificate in-place could trigger errors in browsers and other applications, cause loss availability and/or trust, all potentially causing harm to the companies that rely on them.   Impacted Customer Communications From Let’s Encrypt Let’s Encrypted reported they “have sent notification emails to affected subscribers who have registered an email address”, although believe some customers “may not have received an email if they did not provide an email address while registering” their ACME account. [3] In this latter scenario, Let’s Encrypt are directing customers with any need to re-subscribe to email notifications to https://letsencrypt.org/docs/expiration-emails/ . [3] It is worth considering that email delivery issues or spam filtering may also be the cause of missing the email which ultimately advises affected customers to renew their certificates. [3]   If you are looking for the missing email you can search for the following subject line within your mailbox or email gateway logs: “ACTION REQUIRED: Renew these Let’s Encrypt certificates by March 4”   If you are unsure whether your hostname is affected, use the checking tools described in this post.   Via AUSCERT As a passionate not-for-profit CERT organisation, we routinely monitor industry updates, news and other intel feeds. Due to this practice, we were promptly aware of the public bug announcement from Let’s Encrypt and following a proactive course of action, we identified AUSCERT Members with affected certificates and are currently working with them.   Identifying an affected certificate Let’s Encrypt have published a page hosting the list of affected serial numbers relating to the 2020.02.29 CAA Rechecking Incident [3].  That page details the downloadable file contains a list of all affected certs, sorted by account ID. [4] Checking Tools/methods There are several methods or tools providing a means to check for an affected certificate. Online Common Tools Curl OpenSSL Purpose built script   Online If you want to double check whether a given hostname still needs its certificate replaced, you can use the tool seen in the screenshot below available at: https://checkhost.unboundtest.com/ .   Common Tools Curl The curl command on a linux system can be used in conjunction with online tool https://checkhost.unboundtest.com/ against a target website to show its current certificate serial number. The following two example indicate affected and non-affected certificate responses. Response 1: Affected Certificate $ curl -XPOST -d ‘fqdn=www.REDACTED.au’ https://checkhost.unboundtest.com/checkhost The certificate currently available on www.REDACTED.au needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. See your ACME client documentation for instructions on how to renew a certificate. Response 2: Non-Affected Certificate $ curl -XPOST -d ‘fqdn=letsencrypt.org’ https://checkhost.unboundtest.com/checkhost The certificate currently available on letsencrypt.org is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 03a1c95bdaa36a8268327f2253cbd3ba2436   OpenSSL As seen in the following examples, the openssl command (linux) can be used against a target website to show its current certificate serial number: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             0fd078dd48f1a2bd4d0f2ba96b6038fe   openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org -showcerts </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial Number | tr -d : Response:         Serial Number             03a1c95bdaa36a8268327f2253cbd3ba2436   Purpose-Built Script Github – Let’s Encrypt CAA (lecaa) checking scripts [5] A purpose-built script hosted on Github [5] and created by Hanno Böck [6] “…allows you to efficiently check affected hosts”. Hanno Böck advised on his github page that the script was created after “Let’s Encrypt announced a bug in their system’s CAA checks, which forced them to revoke 3 million certificates on very short notice”.   Let’s Encrypt credit the lecaa script as useful tool and refer customer to use it by advising “if you have a large list of domains you need to check, this tool will be more effective. [3]   Where certificates are found that are not affected, Let’s Encrypt said “even if you received an email, it’s possible that the affected certificates have been replaced by newer certs not affected by the bug. (Either due to being issued in the last few days since it was fixed, or simply by not meeting the specific timing criteria necessary for the bug to trigger.) In that case, it’s not necessary to renew them again”. [3]   Questions Anyone who has questions should review the Q & A’s seen on Let’s Encrypt’s FAQ [2], then should questions remain after such review, they should contact Let’s Encrypt directly.   References [1] 2020.02.29 CAA Rechecking Bug https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591 [2] Revoking certain certificates on March 4 https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864 [3] Download affected certificate serials for 2020.02.29 CAA Rechecking Incidenthttps://letsencrypt.org/caaproblem/ [4] File containing serial number of the affected certificates https://d4twhgtvn0ff5.cloudfront.net/caa-rechecking-incident-affected-serials.txt.gz [5] Github – Purpose Built Checker (lecaa) https://github.com/hannob/lecaa [6] Hanno Böck https://hboeck.de/  

AUSCERT Week in Review for 28th February 2020 Greetings, Just a reminder that on Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual but the source email address will be changed to bulletins@auscert.org.au. This change is being executed to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March. Last but not least, AUSCERT as an ally for the LGBTIQ+ community would like to wish all members a safe and enjoyable Mardi Gras weekend. Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data Date: 2020-02-24 Author: Threatpost Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email. Shedding light onto the potential harm of this scenario is German software engineer, Tommy Mysk. Mysk said that any app that can constantly read a device’s clipboard can easily abuse the data. One caveat to the developer’s research was that iOS can only allow apps to read clipboard data when the apps are active and in the foreground. Apple is no strangers to clipboard concerns. Three years ago a Reddit user pleaded; “Apple should fix the clipboard on iOS to make accessing it require Permission. This is a massive opening for malicious apps.” Australian Government attacked over ransomware ‘epidemic’ Date: 2020-02-25 Author: Micky The shadow assistant minister for cyber security Tim Watts has taken aim at the Federal Government over a lack of attention to the ransomware epidemic. In an opinion piece published in the Australian Financial Review, Watts cited last year’s attack on hospitals in the Gippsland Health Alliance and the South West Alliance of Rural Health, as well as the more recent attack on global transport company Toll, as warning signs the threat was increasing. As Coronavirus Spreads, So Does Covid-19 Themed Malware Date: 2020-02-27 Author: Bleeping Computer Threat actors are still taking advantage of the ongoing COVID-19 global outbreak by attempting to drop Remcos RAT and malware payloads on their targets’ computers via malicious files that promise to provide Coronavirus safety measures. Yoroi researchers recently spotted a suspicious CoronaVirusSafetyMeasures_pdf.exe executable after it was submitted to their free sandbox-based file analysis service. As the Yoroi research team later discovered, the executable is an obfuscated Remcos RAT dropper that would drop a Remcos RAT executable on the compromised computer, together with a VBS file designed to run the RAT. Essentially, COVID-19 is a popular phishing bait right now. The World Health Organization (WHO) recently warned of active Coronavirus-themed phishing attacks that impersonate the organization with the end goal of delivering malware and stealing sensitive information. Massive DDoS Attack Shuts Down Iran’s Internet, Tehran Blames Washington Date: 2020-02-21 Author: CPO Magazine The head of Iran Civil Defense has accused Washington of the latest large-scale cyber-attack that targeted Iranian infrastructure. The coordinated Distributed Denial of Service attack affected two mobile operators and partially shut down Iran’s internet for hours. Corruption watchdog calls for mandatory data breach laws in Qld Date: 2020-02-26 Author: iTnews Queensland’s corruption watchdog has called for state government agencies to be subjected to a mandatory data breach notification scheme after uncovering corruption risks around confidential information. The Crime and Corruption Commission made the recommendation in its Operation Impala report into the misuse of confidential information in the state’s public sector. The inquiry found “potential corruption risks associated with confidential information” at seven government agencies, including police, health, transport, education and corrective services. The report, handed down on Friday, has recommended the mandatory data breach scheme be developed and managed by the Office of the Information Commissioner Queensland (OIC). ASB-2020.0049 – ALERT [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities There have been reports of active exploits in the wild. ASB-2020.0050 – ALERT [Win] Microsoft Edge: Multiple vulnerabilities The corresponding advisory from Microsoft as Edge is now based on Chrome. ESB-2020.0712 – [Cisco] Cisco Wi-Fi Products: Multiple vulnerabilities A concerning vulnerability affecting multiple Cisco Wi-Fi devices. Stay safe, stay patched and have a good weekend! The AUSCERT Team.

AUSCERT Week in Review for 21st February 2020 Greetings, On Monday 2 March the AUSCERT External Security Bulletins (ESB) and AUSCERT Security Bulletins (ASB) are going to be sent from bulletins@auscert.org.au. You will still receive the bulletin service as usual but the source email address will be changed to bulletins@auscert.org.au. This change is being executed to allow for easier filtering of one of our largest volumes of email correspondence. However, if you are currently automating the bulletins you receive from auscert@auscert.org.au, make sure you tweak your scripts / update your mail rules to match on Monday 2 March. Please see below for a selection of this week’s interesting news articles and security advisories. China seeks help of national tech giants to track coronavirus with QR codes Date: 2020-02-18 Author: iTnews China’s government is enlisting the help of Alibaba Group Holding Ltd and Tencent Holdings Ltd to expand colour-based systems for tracking individuals affected with the coronavirus nationwide. On Wednesday, Alipay, the payment app operated by Alibaba’s financial division Ant Financial, released a feature in collaboration with the government that assigns a coloured QR code representing the health of residents in Hangzhou. APIs are becoming a major target for credential stuffing attacks Date: 2020-02-19 Author: CSO Online New research shows that attackers use APIs to automate credential stuffing attacks. The financial sector is particularly vulnerable. South Korea sees rise in smishing with coronavirus misinformation Date: 2020-02-17 Author: ZDNet The South Korean government has warned the public of a sharp rise in smishing attempts — scam text messages — that use misinformation about the novel coronavirus outbreak. Firmware Weaknesses Can Turn Computer Subsystems Date: 2020-02-19 Author: Dark Reading Network cards, video cameras, and graphics adapters are a few of the subsystems whose lack of security could allow attackers to turn them into spy implants. Why fixing security vulnerabilities in medical devices, IoT is so hard Date: 2020-02-20 Author: Ars Technica When your family opened up that brand-new computer when you were a kid, you didn’t think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn’t have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day. The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space. Samsung freaks out smartphone owners with mysterious ‘1’ notification Date: 2020-02-20 Author: Graham Cluley Many owners of Samsung smartphones have received an odd notification from the Find My Mobile app. Curious users who clicked on the notification message found that it simply disappeared, leaving them none the wiser. The truth, however, is this – no, it’s nothing malicious. It was just an accident, as Samsung explained on Twitter, and it’s not the first time a test message has accidentally gone to the wider public. ESB-2020.0537 – chromium-browser security update Keep those browsers updated! ESB-2020.0536 – firefox security update As above. ESB-2020.0548 – sudo security update Another sudo vulnerability. ESB-2020.0601 – USN-4289-1: Squid vulnerabilities DOS, bypass and possibly RCE in a popular web proxy product. Stay safe, stay patched and have a good weekend! The AUSCERT Team.

2019 Membership Annual Survey results We would like to take this opportunity to thank all members for their continued support and appreciate their contribution to the growth of the current cyber security practice and industry in the ANZ region. We are pleased to share some insights from the survey here and aim to drive our strategic plans and commitment for 2020/21 according to the various feedback provided by our members.  Key findings: Members gave us valuable feedback on potential new services with the top 3 being: Threat Intelligence Reports, Self Service URL Analysis and a Fixed-Scope Remote Service. Our members’ preferred method of hearing from us is via email and they would like us to introduce Slack as an additional form of communication. The majority of our members were either satisfied or very satisfied with their AUSCERT membership value and gave us an average score of 4.2/5.0

AUSCERT Week in Review for 14th February 2020 Happy Friday (and Valentine’s Day for those who celebrate)! If you’re still looking for a last-minute gift inspiration, we recommend giving your significant other the gift of security and help them set up two-factor authentication on their accounts (Credit: CERT NZ). In addition to our weekly summary below, please keep an eye out for a copy of our membership newsletter in your inbox today; some important messages on there including a copy of our survey results and some upcoming changes to how we send security bulletins. From Monday 2nd of March we will be sending bulletins from bulletins@auscert.org.au rather than auscert@auscert.org.au. Get ready to update your mail rules. Until next week. Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches Date: 2020-02-11 Author: Threatpost Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important. Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm Date: 2020-02-10 Author: Threatpost The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops. Puerto Rico govt loses $2.6M in phishing scam Date: 2020-02-13 Author: AP News Puerto Rico’s government has lost more than $2.6 million after falling for an email phishing scam, according to a senior official. The finance director of the island’s Industrial Development Company, Rubén Rivera, said in a complaint filed to police Wednesday that the agency sent the money to a fraudulent account. Dangerous Domain Corp.com Goes Up for Sale Date: 2020-02-08 Author: Krebs on Security As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe. During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks. ASB-2020.0043 – Windows Malicious Software Removal Tool Microsoft’s Patch Tuesday included fixes for the Windows Malicious Software Removal Tool. ASB-2020.0038 – Microsoft Patch Tuesday updates for Windows (February 2020) Microsoft’s Patch Tuesday also included fixes for 81 Windows vulnerabilities. ESB-2020.0480 – Security Updates Available for multiple Adobe products This bulletin contains 5 Adobe security advisories. Stay safe, stay patched and have a good weekend! Mal

AUSCERT Week in Review for 7th February 2020 Greetings, The AUSCERT team would like to thank all members who completed our 2019 Annual Survey. All completed non-anonymous survey respondents will receive a branded wireless charging mouse pad; and our survey results will be shared next week. And last but not least, our AUSCERT2020 Early Bird registrations and ticket sales are now in full swing so be sure to tap into your membership benefits. Please note that our membership team will be sending out member token emails in coming weeks so be sure to look out for these in your inbox. CDPwn: 5 Zero-Days in Cisco Discovery Protocol Date: 2020-02-06 Author: Armis Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. [See ESB-2020.0424.2, which was sent as an AUSCERT alert bulletin.] Apple proposes simple security upgrade for SMS 2FA codes Date: 2020-02-03 Author: Naked Security Apple engineers think they’ve come up with a simple way to make SMS two-factor authentication (2FA) one-time codes less susceptible to phishing attacks: agree a common text format so their use can be automated without the need for risky user interaction. The concept proposed by the company’s Safari WebKit team is that apps such as mobile browsers will automatically process SMS text codes as they are received, submitting them to the correct website. This dodges today’s hazard that phishing websites can first fool people into entering their password and username, before asking them to submit the correct 2FA code sent to their phone to the same bogus site. Update: Toll says IT systems infected by new variant of ‘Mailto’ ransomware Date: 2020-02-06 Author: CSO Online Australian logistics and delivery firm Toll has confirmed the ransomware attack that forced it to take its IT systems offline was a new variant of the Mailto ransomware. Toll Group took some key IT systems offline last Friday after detecting the cyber attack and has gradually released more information about the attacks and their impact, on Monday confirming it was a ransomware attack. The latest update confirms its systems were infected by the Mailto ransomware. Hackers are hijacking smart building access systems to launch DDoS attacks Date: 2020-02-02 Author: ZDNet Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control. Anatomy of a rental phishing scam Date: 2020-02-04 Author: Jeffrey Ladish I was recently the (unsuccessful) target of a very well-crafted phishing scam. As part of a housing search a few weeks ago, I was trawling craigslist and zillow for rental opportunities in the SF bay area. I reached out to a beautiful looking rental place to inquire about a tour. Despite my experience as a security professional, I didn’t realize this was a scam until about the third email! Below I will account the story in excessive detail including screenshots. ESB-2020.0424.2 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability These are the “CDPwn” suite of vulnerabilities. ESB-2020.0421 – Cisco IOS XR Software Intermediate System-to-Intermediate System DoS Vulnerability DoS vulnerability for IS-IS routing protocol functionality in Cisco IOS XR Software. Stay safe, stay patched and have a good weekend! Mal

AUSCERT RFC2350 See the attached AUSCERT RFC2350 document, version 04 February 2020.   Attached Documents auscert_rfc2350_i77A4xg.pdf

AUSCERT Week in Review for 31st January 2020 Greetings, It is the end of another week, and another month – 2020 seems to be moving fast! Call for Presentations and Tutorials – AUSCERT Conference Date: 2020-01-31 Author: AUSCERT2020 Do YOU or someone YOU KNOW have a great story to tell? We would like to hear it! Our AUSCERT2020 Call for Presentations and Tutorials close at midnight AEST and submissions can be entered here. The AUSCERT2020 Program Committee welcomes original contributions for presentations not previously published nor submitted in parallel for publication to any other conference or workshop taking place in proximity of the conference. Citrix rolls out final patches to defend against the CVE-2019-19781 vulnerability Date: 2020-01-27 Author: The Daily Swig Citrix has completed the process of releasing patches for all supported versions of its technology affected by the CVE-2019-19781 vulnerability. The now-infamous security flaw (CVE-2019-19781), which affects Citrix Application Delivery Controller (ADC) and Gateway products, first surfaced in mid-December. Proof-of-concept exploit code dropped earlier this month. This prompted Citrix to double down on its patch release schedule – a process it completed on Friday. Immediate patching is strongly recommended. [See AUSCERT ESB-2019.4708.8 for what may be the final version of Citrix’s advisory.] What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords Date: 2020-01-28 Author: CyberScoop A website that informs users if their email address has been swept up in a data breach isn’t just popular with vigilant business owners or private security sleuths. The man charged with protecting the Department of Homeland Security’s systems from hackers also maintains an account on the “Have I been Pwned?” website, and it regularly reminds him of the risks passwords pose. “I get emails from this website…on a monthly or bimonthly basis,” DHS CISO Paul Beckman said Tuesday at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop. “That is how often my username and password is getting compromised.” Beckman said he registered both his personal and DHS email addresses on the website. The good news for him is that he uses a “second factor” – something like a SMS message or an authentication app – to log into his accounts and keep hackers out of them. United Nations Confirms ‘Serious’ Cyberattack With 42 Core Servers Compromised Date: 2020-01-30 Author: Forbes One week after the United Nations called for an investigation into the claims that Jeff Bezos’ smartphone was hacked by Saudi Crown Prince Mohammed bin Salman, a claim that I first reported in March 2019, another investigation has revealed that the UN itself has been hacked. The leak of an internal UN report to investigators at The New Humanitarian shows that core infrastructure servers were compromised during a successful cyberattack last year. Although not yet attributed, attack fingerprint suggests sophisticated APT actors. It’s further understood that the hackers used a known vulnerability (CVE-2019-0604) in an internet-facing Microsoft SharePoint server, a web-based collaborative platform integrated with Microsoft Office. UN spokesperson confirms decision not to disclose was taken. Legacy TLS is on the way out: Start deprecating TLSv1.0 and TLSv1.1 now Date: 2020-01-23 Author: Scott Helme With TLS having taken some great steps forwards in recent years, with TLSv1.2 in 2008 and TLSv1.3 in 2018, it’s time to start dropping support for the legacy versions of TLS. It would be good to remove these legacy versions now but it’s more important we upgrade to support higher versions and we do have some encouragement beyond me telling you it’s a good idea. Chrome is now warning users about sites that they visit that are using either TLSv1.0 or TLSv1.1 for the connection. It’s not just Chrome either, Firefox announced they are going to drop all support for both TLSv1.0 and TLSv1.1 in March 2020 and they announced this all the way back in October 2018! Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina Date: 2020-01-29 Author: SecurityWeek Apple this week released software updates to address tens of security flaws in iOS, iPadOS, macOS Catalina, and other products. A total of 23 vulnerabilities were addressed in iOS 13.3.1 and iPadOS 13.3.1, now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation. The flaws impact components such as Audio, FaceTime, ImageIO, IOAcceleratorFamily, IPSec, Kernel, libxpc, Mail, Messages, Phone, Safari Login AutoFill, Screenshots, and wifivelocityd. ESB-2020.0282 – Cisco Webex Meetings Suite and Cisco Webex Meetings Online “A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password.” ESB-2020.0310 – USN-4256-1: Cyrus SASL vulnerability “Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.” ESB-2020.0273 – git security update Multiple git issues addressed ESB-2020.0291 – Intel Processors Data Leakage Advisory “Potential security vulnerabilities in some Intel Processors may allow information disclosure.” ESB-2020.0351 – macOS: Multiple vulnerabilities Multiple issues addressed Stay safe, stay patched and have a good weekend! The AUSCERT team.

Week in Review for 24th January 2020 Greetings, The AUSCERT team would like to wish all of you a relaxing Australia Day long weekend; and a Happy Lunar New Year to those who celebrate. A reminder that the auscert@auscert.org.au mailbox will not be monitored on Monday 27 January as it is a nationwide public holiday. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period. Fraudsters impersonate Chinese consulate in scam targeting international students Date: 2020-01-23 Author: ABC News Police say scores of international students in Queensland have been stung in a scam where fraudsters impersonated the Chinese consulate and demanded thousands of dollars to avoid deportation. Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices Date: 2020-01-20 Author: ZDNet A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices. The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet. According to experts to who ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations. 5 tips to avoid spear-phishing attacks Date: 2020-01-17 Author: Naked Security Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself. The good news is that most of us have learned to spot obvious phishing attacks these days. The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name. You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company. Inside Pwn2Own’s High-Stakes Industrial Hacking Contest Date: 2020-01-24 Author: WIRED On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: A so-called human-machine interface, sold by the industrial control systems company Rockwell Automation. Former ACSC chief MacGibbon blasts calls to legitimise screen scrapers Date: 2020-01-21 Author: iTnews Australia’s high profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning any weakening of security controls under open banking will create an instant target list for hackers. NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance Date: None Author: Help Net Security Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework. Microsoft Exposed 250 Million Customer Support Records Date: 2020-01-20 Author: SecurityWeek Nearly 250 million Microsoft Customer Service and Support records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports. The records on those servers contained 14 years’ worth of logs of conversations between support agents and customers, all of which could be accessed by anyone directly from a browser, without any form of authentication. In an update, Microsoft says that the exposure was the result of a misconfiguration that occurred on December 5, but that its investigation into the incident did not reveal malicious use. ESB-2019.4708.7 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway The RCE in Citrix NetScaler which has been making headlines lately & was updated this week with patches for specific versions. ESB-2020.0262 – Red Hat kernel security and bug fix update Linux kernel upgrades patching severe vulnerabilities reaches RHEL 8 for SAP ESB-2020.0261 – Red Hat chromium-browser security update Red Hat releases an Important update for chromium-browser Stay safe, stay patched and have a good weekend!