Week in review

AUSCERT Week in Review for 10th January 2020

Greetings,

The big headline this week is the opening of physical hostilities between the US and Iran, one of its long-standing cyber-adversaries (remember Stuxnet?). While we’re staying out of the politics, it does mean that there might be more cyber-attacks flying around on the internet than usual. Maybe Iran’s Silent Librarian APT will take a break from targeting universities for IP and focus their efforts in that direction. There’s also been a lot of ransomware in the news recently, so we’ve collated a few of the bigger stories.

The cyber pirates of the Caribbean
Date: 2020-01-06 Author: ABC News
When Jane Smith invested $670,000 to boost her retirement savings, it was flushed into a river of stolen cash flowing out of Australia and into the pockets of criminals. An ABC investigation has tracked down where the money went.

DHS: Iran maintains a robust cyber program and can execute cyber-attacks against the US
Date: 2020-01-07 Author: ZDNet
The US government has issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday. The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place. According to the DHS’ NTAS alert, possible attack scenarios could include “scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”

DeathRansom Campaign Linked to Malware Cornucopia
Date: 2020-01-07 Author: Threatpost
An ongoing DeathRansom malware campaign has been found by researchers to be part of a larger collection of malicious offensives, all carried out by an actor going by the nickname “scat01”. According to Artem Semenchenko and Evgeny Ananin at FortiGuard Labs, evidence found on Russian underground forums and in their forensic investigations points to a significant connection between ongoing DeathRansom and various infostealing malware campaigns, all likely directed by one Russian-speaking individual living in Italy.

Christmas cyber attack spelled early holidays for council staff, nightmare for IT workers
Date: 2020-01-06 Author: ABC News
A council in Adelaide’s south is up and running again after a cyber attack just before Christmas locked down its IT systems and forced staff to start their holidays earlier than planned. City of Onkaparinga mayor Erin Thompson said its systems fell victim to the so-called Ryuk ransomware, which has also hit “other government organisations around the world”, on December 14.

REvil ransomware exploiting VPN flaws made public last April
Date: 2020-01-09 Author: Naked Security
Researchers report flaws, vendors issue patches, organisations apply them – and everyone lives happily ever after. Right? Not always. Sometimes, the middle element of that chain – the bit where organisations apply patches – can take months to happen. Sometimes it doesn’t happen at all. It’s a relaxed patching cycle that has become security’s unaffordable luxury. Take, for instance, this week’s revelation by researcher Kevin Beaumont that serious vulnerabilities in Pulse Secure’s Zero Trust business VPN system are being exploited to break into company networks to install the REvil (Sodinokibi) ransomware.

Noteworthy bulletins this week:

ESB-2020.0094 – Cisco Webex Video Mesh Node: Root escalation
An administrative user in the software could execute commands with root privileges on the underlying Linux system.

ESB-2020.0075 – Node.JS 8: Arbitrary file overwrite
Arbitrary file overwrite in one of the internet’s favourite application languages.

ESB-2020.0078 – [ALERT] Firefox & Firefox ESR: RCE
Shortly after releasing v72.0, Mozilla issued v72.1 to address an RCE which was being used in targeted attacks in the wild.

ASB-2020.0002 – Android: January patch level
The usual crop, and notably a privileged RCE using physical proximity and the Realtek wifi driver.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 3rd January 2020

Greetings,

2020 has begun, and with it, the end of party time. Here is this week’s Week in Review.

Cisco DCNM Users Warned of Serious Vulnerabilities
Date: 2020-01-02 Author: SecurityWeek
Cisco on Thursday informed customers that it has released software updates for its Data Center Network Manager (DCNM) product to address several critical and high-severity vulnerabilities.

Two tips to make multifactor authentication for Office 365 more effective
Date: 2020-01-02 Author: CSO Online
Multifactor authentication (MFA) is a key tool in ensuring that your Office 365 and any online application will be secure in the cloud. For those with Microsoft 365 here are some tips to ensure you provide maximum protection to your Office 365 deployment without sacrificing usability.

Microsoft takes down 50 domains operated by North Korean hackers
Date: 2019-12-30 Author: ZDNet
Microsoft announced today [December 30th] that it successfully took down 50 web domains previously used by a North Korean government-backed hacking group. The OS maker said the 50 domains were used to launch cyberattacks by a group the company has been tracking as Thallium.

Sextortion Email Scammers Try New Tactics to Bypass Spam Filters
Date: 2019-12-31 Author: Bleeping Computer
Sextortion scams have become so common that spam filters and secure mail gateways have been doing a good job at preventing them from being delivered to their recipients. To bypass these filters, attackers have started to utilize new tactics such as sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts.

7 Tips for Maximizing Your SOC
Date: 2019-12-31 Author: Threatpost
Use the seven points listed above to create an effective and efficient operational workflow and, importantly, happier analysts who aren’t buried at the bottom of a pile of mostly irrelevant data.

Noteworthy bulletins this week:

Cisco (DCNM): Execute arbitrary code/commands
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager.

typo3: Execute arbitrary code
Multiple vulnerabilities which could lead to code execution have been found in typo3, an open-source web content management system.

libxml2: Denial of service
A denial of service vulnerability in libxml2, the GNOME XML parsing library.

Stay safe, stay patched and best wishes from all of us,
Rameez and the team at AUSCERT


AUSCERT Week in Review for 20th December 2019

Greetings,

This week may be drawing to a close, but there’s some life left in 2019! If you’re looking for something creative to do during the upcoming break, why not submit a presentation or tutorial idea to our Call For Presentations for the AUSCERT2020 Cyber Security Conference? If selected, we’ll cover your travel and accommodation costs and we’re especially keen to see presentations by AUSCERT members.

Just a reminder that although AUSCERT remains on call for emergency assistance via the 24/7 member hotline, the Membership Team are taking a break until Monday 6 January. Similarly AUSCERT’s Operations Team will close from 25 December to 1 January, so the auscert@auscert.org.au email address (and IRC) will not be monitored during that time.

And now here’s some reading material to ease you into the weekend:

Microsoft: We never encourage a ransomware victim to pay
Date: 2019-12-17 Author: ZDNet
Microsoft advocates for organizations to take preemptive measures. Says companies should treat cyberattacks “as a matter of when” and not “whether.”

Chrome Will Automatically Scan Your Passwords Against Data Breaches
Date: 2019-12-16 Author: WIRED
Google’s password checking feature has slowly been spreading across the Google ecosystem this past year. It started as the “Password Checkup” extension for desktop versions of Chrome, which would audit individual passwords when you entered them, and several months later it was integrated into every Google account as an on-demand audit you can run on all your saved passwords. Now, instead of a Chrome extension, Password Checkup is being integrated into the desktop and mobile versions of Chrome 79.

10 cyber security trends to look out for in 2020
Date: 2019-12-19 Author: Information Age
When looking for possible cyber security trends in 2020, it is clear to see that 2019 was an interesting year for all things cyber security. It was the year that brought major breaches pretty much every week. Recently, it was found that charities reported over 100 data breaches to the ICO in the second quarter of 2019-20 alone. Cyber security is still the issue on every business leader’s mind. This year, the need for organisations to keep GDPR in mind has remained prominent. The stakes for protecting your organisation from cyber threats have never been higher. So, what cyber security trends can we expect to see in 2020 then? Here are some things to consider.

Inside Evil Corp, a $100M Cybercrime Menace
Date: 2019-12-17 Author: Krebs on Security
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Aqua and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
[This is a very narrative dive into payroll compromises and money mules.]

Noteworthy bulletins this week:

debian-edu-config: Unauthorised access – Existing account
An insecure configuration allowed every user to change other users’ passwords, which is less than ideal.

Citrix Application Delivery Controller and Citrix Gateway: Execute arbitrary code/commands – Remote/unauthenticated
An unauthenticated attacker may be able to execute arbitrary code via this vulnerability.

python-django: Unauthorised access – Remote/unauthenticated
A case insensitive query on Django’s password reset form for email addresses could result in unauthorised access.

Firefox: Multiple vulnerabilities
Nine CVEs are patched in this Firefox update.

We wish you and your loved ones all the best for the holiday season and look forward to returning in 2020, reinvigorated and ready to conquer new cyber security challenges with you!

Kind regards,
Mike and the AUSCERT Team
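The python-django bulletin above mentions a case-insensitive email query on the password reset form. The following is an added illustration, not Django's own code and not part of the AUSCERT bulletin, of one way such a query goes wrong and how a lookup can be tightened: some non-ASCII letters case-fold to ASCII ones (the Kelvin sign U+212A folds to "k", the long s U+017F folds to "s"), so comparing the whole address case-insensitively can match an account other than the one whose address was typed. The user table, the addresses and the ASCII-only domain folding rule are constructed assumptions; the hardened lookup compares the local part exactly, folds only the domain, and returns the stored address so that a reset mail is sent there rather than to the submitted string.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed user table for this example; the addresses are made up.
USERS = {
    "kevin@example.com": "user-kevin",
    "sam@example.com": "user-sam",
}


def find_user_case_insensitive(email: str) -> Optional[str]:
    """Weak lookup: the whole address is compared case-insensitively, the way
    an iexact-style query behaves. Because casefold() maps some non-ASCII
    letters onto ASCII ones, a crafted address can collide with a real user."""
    needle = email.casefold()
    for stored, uid in USERS.items():
        if stored.casefold() == needle:
            return uid
    return None


def find_user_hardened(email: str) -> Optional[Tuple[str, str]]:
    """Tightened lookup (assumed policy, not Django's exact code): the local
    part must match exactly; only the domain is folded, and only when it is
    pure ASCII. Returns (user id, stored address) so the caller mails the
    address on record, never the string the requester supplied."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain_key = domain.lower() if domain.isascii() else domain
    for stored, uid in USERS.items():
        s_local, s_domain = stored.split("@")
        s_key = s_domain.lower() if s_domain.isascii() else s_domain
        if s_local == local and s_key == domain_key:
            return uid, stored
    return None


def ascii_folding_chars(text: str) -> List[Tuple[str, str, str]]:
    """Detection helper: list non-ASCII characters in ``text`` whose case fold
    is pure ASCII, i.e. the characters that make such collisions possible."""
    return [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
        for c in text
        if not c.isascii() and c.casefold().isascii()
    ]


if __name__ == "__main__":
    # Constructed probe: Kelvin sign in place of the leading "k".
    probe = "\u212aevin@example.com"
    print("weak lookup matched:", find_user_case_insensitive(probe))
    print("hardened lookup matched:", find_user_hardened(probe))
    print("suspicious characters:", ascii_folding_chars(probe))
```

A useful check on any form that looks accounts up by email is to run the submitted string through something like ascii_folding_chars before querying: a non-ASCII character that folds to ASCII is rarely legitimate in a local part and is a reasonable thing to log or reject.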


AUSCERT Week in Review for 13th December 2019

Greetings,

As the week comes to a close, here are some articles that may help ease you into the weekend. …

Microsoft to help Office 365 customers track entire phishing campaigns, not just lone emails
Date: 2019-12-10 Author: ZDNet
Microsoft is launching today a new security feature in public preview. Named “Campaign Views,” this is a new feature that will be available for Office 365 Advanced Threat Protection (ATP) […] Until today, Office 365 ATP users could only see details about each of the individual malicious emails that reached users. Campaign Views will show details about the entire phishing campaign and all the tricks and infrastructure it uses. The goal is to give security teams an idea of what other tricks the same attacker might be using, so they can put filters and security protections in place.

Phishing Campaign Uses Malicious Office 365 App
Date: 2019-12-11 Author: Phishlabs Blog
Most phishing campaigns attempt to take over accounts by tricking the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim’s account without requiring them to give up their credentials to the attackers.

Australia Post SMS scam targeting Australians
Date: 2019-12-12 Author: Stay Smart Online
With millions of parcel deliveries expected around the country, Australia Post is seeing widespread scam text (SMS) messages being sent to people, using their brand. These fake SMS messages may tell you that your parcel is “detained”, you’ve “missed a delivery” or there’s an “important update” to your delivery – and include a link to click on for more details. As scammers use technology that imitates a caller ID, these scam texts can even appear in the same conversation thread as a legitimate Australia Post conversation.

Amazon Battles Leaky S3 Buckets with a New Security Tool
Date: 2019-12-09 Author: Bit Defender
Anyone who has been following security trends in recent years cannot fail to have noticed the preponderance of data breaches which have stemmed from unsecured Amazon S3 buckets. Many well-known organisations, including FedEx, Capital One bank, Verizon, and even US defense contractors, have left confidential and sensitive data publicly exposed by not having properly configured the security of their cloud-based storage servers.

Chrome now warns you if your password has been stolen
Date: 2019-12-12 Author: WeLiveSecurity
Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a security breach, according to the company’s announcement.

Noteworthy bulletins this week:

Intel Processors
Intel CPU vulnerability, which could allow an attacker to extract highly-sensitive information, such as encryption keys from affected processors by altering their voltage.

Xen
Multiple privilege escalation and guest escape vulnerabilities.

Adobe
Multiple remote code execution, privilege escalation and information disclosure vulnerabilities.

Stay safe, stay patched and have a good weekend!
Rameez Agnew


AUSCERT Week in Review for 22nd November 2019

Greetings,

Welcome to the new format for the Week in Review. We hope you like it! AUSCERT’s Week in Review will move to a new mailing list known as the AUSCERT Daily Intelligence Report. This consists of a daily report on Mondays to Thursdays, and a weekly report on Fridays. If you don’t want this, please click the “unsubscribe” link at the bottom of the email. If you encounter any problems, please email <membership@auscert.org.au>.

“Sic Transit Gloria Mundi”, and so our perception of a secure system does erode away with time. Well, systems do not form security cracks over time, but there is an enormous amount of effort being made to find them and then patch them. So don’t let your systems’ security fade: keep the patches up to date.

Microsoft Outlook for Android Bug Opens Door to XSS
Date: 2019-11-21 Author: Threatpost
Users of the Microsoft Outlook for Android app should update their apps to avoid a range of attacks. The bug (CVE-2019-1460) would allow an attacker to perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user, according to Microsoft’s advisory on the bug. XSS occurs when malicious parties inject client-side scripts into web pages, which trick the unsuspecting user’s browser into thinking that the script came from a trusted source.

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies
Date: 2019-11-17 Author: VICE
An infamous vigilante hacker known for their hits on surveillance companies is launching a new kind of bug bounty to reward hacktivists who do public interest hacks and leaks. In their new manifesto, Phineas Fisher also claimed to have hacked an offshore bank and called on other hacktivists to join in the fight against inequality and capitalism. The hacker said that in 2016 they hacked the Cayman Bank and Trust Company from the Isle of Man, an island between the UK and Northern Ireland. The hacker said they were able to steal money, documents, and emails from the bank. The hacker shared the stolen documents and emails from the bank to the leaking website Distributed Denial of Secrets, run by journalist and activist Emma Best, who said they uploaded 640,000 emails, in what is “the most detailed look at international banking that the public will have ever had access to.”

Get ahead of the cybersecurity curve
Date: 2019-11-18 Author: SC Magazine
Experienced cybersecurity leaders are beginning to call for a move from reactive detection to proactive prevention. It’s clear that the need to get ahead of the cybersecurity curve is real. Over the past decade, experts talked about the number of days that malware is in your system, and now the discussion is fast becoming how many seconds you have between detection and disaster. There is no longer time to call the boss, check your files or phone a friend. Victims are literally watching their systems being taken over, and they are powerless to stop it despite massive budgets and plans. Clearly, spending on an arms race with dollars, people and technology is not an effective long-term solution. We need a different approach. Enter proactive prevention, the concept behind this move toward flipping the script and finally getting ahead of our adversaries.

Twitter will finally let users disable SMS as default 2FA method
Date: 2019-11-22 Author: ZDNet
Twitter announced today that users will finally be able to disable SMS-based two-factor authentication (2FA) for their accounts, and use an alternative method only, such as a mobile one-time code (OTP) authenticator app or a hardware security key.

Google will pay $1.5 million for the most severe Android exploits
Date: 2019-11-22 Author: Ars Technica
Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said. Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin
Date: 2019-11-20 Author: Bleeping Computer
Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1. You can update your installation to the 7.9.1 version through your dashboard, or manually download the Jetpack 7.9.1 release.

ANU students forced to re-sit exam after data leak
Date: 2019-11-19 Author: The Riot ACT
Students in the Digital Analysis course at the ANU will be forced to re-take an exam, potentially delaying their graduation, after the university confirmed a data leak last week. “The need for a class to re-sit an exam is extremely rare, and is only undertaken when absolutely required,” an ANU spokesperson said after security protocols successfully identified that a breach had occurred.

Noteworthy bulletins this week:

ESB-2019.4421 – [Win][UNIX/Linux] Asterisk: Multiple vulnerabilities
Denial of Service from Remote Unauthenticated Sessions

ESB-2019.4410 – [UNIX/Linux] BIND: Denial of service – Remote/unauthenticated
“… the load on the server releasing these multiple resources can cause it to become unresponsive …”

ESB-2019.4400 – [Cisco] Cisco Small Business Routers: Access confidential data – Remote/unauthenticated
“… could allow an unauthenticated, remote attacker to view information displayed in the web-based management interface …”

ESB-2019.4384 – [Win][Linux][Mac] Flexera FlexNet Publisher: Multiple vulnerabilities
“… could allow the attacker to deny the acquisition of a valid license …”

ESB-2019.4379 – [Linux] Apache Solr: Execute arbitrary code/commands – Remote/unauthenticated
“… which may in turn allow them to upload malicious code for execution on the Solr server.”

Stay safe, stay patched and have a good weekend!
Geoff


AUSCERT Week in Review for 29th November 2019

Greetings,

It’s been a week for embarrassing mistakes in the cyber world. Splunk and Hewlett-Packard have both announced show-stopping (but silly) bugs with how their systems keep track of time, and Australian parliamentarians have been told that they’ll undergo phishing simulations to prevent them from making the same mistakes as in the breach earlier this year.

Then again, who among us is immune to the most careful, targeted phishing attacks? We heard tell recently of one large organisation conducting a test by sending forged emails to its developers, which told them to update their system by running $(curl | bash) – downloading a shell script from the internet and executing it immediately. Some cautious developers tried to fetch the script with curl before piping it to bash, but the remote host could tell that it was not going straight to a shell, and returned an innocent-seeming script. Developers who executed the command as given did receive a malicious payload and a slap on the wrist. Stay sharp, but stay forgiving.

Splunk customers should update now to dodge Y2K-style bug
Date: 2019-11-27 Author: Naked Security
If you’re a Splunk admin, the company has issued a critical warning regarding a showstopping Y2K-style date bug in one of the platform’s configuration files that needs urgent attention. According to this week’s advisory, from 1 January 2020 unpatched instances of Splunk will be unable to extract and recognise timestamps submitted to it in a two-digit date format.

Pollies to face phishing tests after Parliament breach
Date: 2019-11-28 Author: iTnews
Parliamentarians and their staff will be subject to phishing email simulations in the wake of the state-sponsored cyber attack against Parliament House earlier this year. The Department of Parliamentary Services will conduct the simulations as part of a new program to test the cyber security awareness of its more than 4000 parliamentary computing network users.

My Health Record: Australian healthcare scheme grades poorly on cybersecurity
Date: 2019-11-28 Author: The Daily Swig
A review of Australia’s controversial My Health Record scheme has concluded that it does, as experts have warned, present security risks to the public. In its review of the system, published on Monday, the Australian National Audit Office (ANAO) concluded that the A$1.5 billion project is “largely effective”, although poor management of shared cybersecurity risks, including inadequate controls over access to patients’ records, remains a pressing issue. In terms of privacy, the ANAO found, emergency access to patients’ records was widely being misused. Meanwhile, healthcare providers are not all achieving minimum levels of cybersecurity, says the ANAO, with the Australian Digital Health Agency failing to monitor compliance effectively. It has also failed to check whether third-party software providers to healthcare agencies are complying with the government’s cybersecurity framework.

HP Warns That Some SSD Drives Will Fail at 32,768 Hours of Use
Date: 2019-11-26 Author: BleepingComputer
HP released firmware updates for a number of its Serial-Attached SCSI solid-state drives to prevent their failure at exactly 32,768 hours of operation time. The devices are used in multiple server and storage products for enterprise, such as HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335 and StoreVirtual 3200. The abnormal expiration time translates to 3 years, 270 days and 8 hours, a lot less than the normal lifespan of these products. For some of them, the warranty can be extended to up to five years.

Silly Phishing Spotlight: Login to Unblock Microsoft Excel
Date: 2019-11-24 Author: BleepingComputer
As part of our ongoing series to educate users about some of the more silly phishing scams out there, we bring a new one that states Excel is blocked unless you login and verify your details. As people get more educated about phishing scams and how to spot them, we continue to see scammers create outlandish campaigns in order to bait people into entering their login credentials. Such is the case with this new phishing email that states you won’t be able to use your Excel due to a “system delay” unless you first login.

Noteworthy bulletins this week:

ESB-2019.4501 – GitLab
GitLab released an update for the 12.5, 12.4 and 12.3 branches and almost immediately realised it omitted the important security fix they intended. If you only installed 12.5.1, 12.4.4 or 12.3.7 then ensure you update again to catch this.

ESB-2019.4475 – FreeRDP on SUSE: Unauthenticated memory leaks
Expect this fix to reach other distros soon.

ESB-2019.4441 – Symantec Critical System Protection: Authentication bypass
Symantec’s CSP software scored a 9.4/10 on the CVSSv3 scale for letting an attacker stroll through its controls.

ESB-2019.4460 – Mailman on SUSE: Privilege escalation
The GNU mailing list manager contained a privilege escalation from the wwwrun user to root.

Stay safe, stay patched and have a good weekend!
David


AUSCERT Week in Review for 15th November 2019

Greetings,

Emotet is up officially by 730%. It feels better when things are officially reported by researchers. By the time the report is out, most of the front line people would have already felt and dealt with the effects of this campaign. Criminals are going where the money is: no, not the banks, but servers of all flavours, for their processing power. Also this week Bash got bashed, and Intel says we can’t tell about their intel until they say so, but what they say may have been fixed six months ago, a story that did not sell well with some Dutch security boffins. Feels like things are going fast; well, I’ll play the researcher and tell you a posteriori that they certainly are, and that security automation and response is the future. Oh hang on, you also knew that too. Fact is that when you are on the front lines you get a front row seat to the details as they happen. That’s why keeping communication lines open to AUSCERT, either push by report, or pull from feeds such as the Malicious URL, MSIN, and MISP feeds, provides you the intelligence the moment it happens.

As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: PureLocker Ransomware Can Lock Files on Windows, Linux, and macOS
Author: Ionut Ilascu
Date Published: November 13th, 2019
Excerpt: “Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers. The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks. Built to dodge detection. The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback.”

Title: Lateral Phishing Makes for Dangerous Waters, Here’s How You Can Avoid Getting Caught in the Net
Author: Anurag Kahol
Date: November 13th, 2019
Excerpt: “Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company. Lateral phishing techniques are highly effective. When hackers impersonate someone that the recipient knows and trusts, said recipient tends to lower her or his guard, making it more likely that sensitive information will be surrendered.”

Title: Researchers Discover Massive Increase in Emotet Activity
Author: Helpnet Security
Date: November 13th, 2019
Excerpt: “Emotet had a 730% increase in activity in September after being in a near dormant state, Nuspire discovered. Emotet, a modular banking Trojan, has added additional features to steal contents of victim’s inboxes and steal credentials for sending outbound emails. Those credentials are sent to the other bots in its botnet which are used to then transmit Emotet attack messages. When Emotet returned in September, it appeared with TrickBot and Ryuk ransomware to cause the most damage to a network.”

Title: Microsoft Patch Tuesday Updates Fix CVE-2019-1429 Flaw Exploited in the Wild
Author: Pierluigi Paganini
Date: November 13th, 2019
Excerpt: “Microsoft’s Patch Tuesday updates for November 2019 address 74 flaws, including an Internet Explorer vulnerability, tracked as CVE-2019-1429, that has been exploited in the wild. Microsoft doesn’t provide any information on the nature of the active attacks, it only pointed out that they are likely limited at this time. The CVE-2019-1429 zero-day is a scripting engine memory corruption vulnerability that affects Internet Explorer 9, 10 and 11. “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.” read the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Title: Intel launches security blog, pushes security patches
Author: Doug Olenick
Date: November 13th, 2019
Excerpt: “Intel has joined the Patch Tuesday crowd with a platform update that covered 77 vulnerabilities, two of which were rated critical. The chip maker noted the security updates in a new blog the company said it will use to disseminate security updates, bug bounty topics, new security research, and engagement activities within the security research community. Intel is dividing its updates by advisory with each covering a single or set of products.”

Title: Intel Fixes a Security Flaw It Said Was Repaired 6 Months Ago
Author: Kim Zetter
Date: November 12th, 2019
Excerpt: “Last May, when Intel released a patch for a group of security vulnerabilities researchers had found in the company’s computer processors, Intel implied that all the problems were solved. But that wasn’t entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found.”

Here are this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.4311 – [Appliance] Phillips IntelliBridge EC40 and Phillips IntelliBridge EC80: Access privileged data – Remote/unauthenticated
“…to execute software, modify system configuration, or view/update files, including unidentifiable patient data.”

2. ESB-2019.4300 – [Cisco] Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD): Root compromise – Existing account
“… to execute arbitrary code with root privileges on the underlying Linux operating system.”

3. ASB-2019.0337 – [Win] McAfee Data Loss Prevention ePO: Access confidential data – Existing account
“…remote attackers with access to the network to collect login details to the LDAP server…”

4. ESB-2019.4289 – [Virtual] microcode: Access privileged data – Existing account
“…speculative execution may be able to infer the value of data in the microarchitectural structures…”

Wishing you the best from AUSCERT and hope to see you safe next week,
Geoffroy


AUSCERT Week in Review for 8th November 2019

Greetings,

As the week comes to a close, here are some articles that may help ease you into the weekend.

BlueKeep attacks are happening, but it’s not a worm
Date published: 03/11/2019
Author: Catalin Cimpanu
Excerpt: “This BlueKeep campaign has been happening at scale for almost two weeks, but it’s been only spotted today by cybersecurity expert Kevin Beaumont. The British security expert said he found the exploits in logs recorded by honeypots he set up months before and forgot about. First attacks date back to October 23, Beaumont told ZDNet. Beaumont’s discovery was confirmed by Marcus “MalwareTech” Hutchins, the security researcher who stopped the WannaCry ransomware outbreak, and who’s a recognized expert in the BlueKeep exploit.”

QSnatch malware already infected thousands of QNAP NAS devices
Date published: 04/11/2019
Author: Pierluigi Paganini
Excerpt: “A couple of weeks ago, the experts at the National Cyber Security Centre of Finland (NCSC-FI), published a report on the QSnatch malware. The experts were alerted about the malware in October and immediately launched an investigation. “NCSC-FI received reports via the Autoreporter service during mid October of infected devices attempting to communicate to specific command and control (C2) servers.” reads the report. “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.”

Trend Micro reveals that customer data was illegally sold following inside-job ‘security incident’
Date published: 06/11/2019
Author: Mark Wyciślik-Wilson
Excerpt: “Security firm Trend Micro has revealed details of an inside scam which led to personal details of its customers being exposed. The security incident dates back to August this year, and the company says that it was made aware of customers being contacted by fake Trend Micro support staff. Following an investigation lasting until the end of October, it was determined that it was a member of staff that had fraudulently gained access to a customer database and sold personal data to a third party.”

Buran Ransomware; the Evolution of VegaLocker
Date published: 05/11/2019
Authors: Alexandre Mundo and Marc Rivero Lopez
Excerpt: “This ransomware was announced in a well-known Russian forum with the following message: “Buran is a stable offline cryptoclocker, with flexible functionality and support 24/7. Functional: Reliable cryptographic algorithm using global and session keys + random file keys; Scan all local drives and all available network paths; High speed: a separate stream works for each disk and network path; Skipping Windows system directories and browser directories; Decryptor generation based on an encrypted file; Correct work on all OSs from Windows XP, Server 2003 to the latest; The locker has no dependencies, does not use third-party libraries, only mathematics and vinapi;” The announcement says that Buran is compatible with all versions of the Windows OS’s (but during our analysis we found how, in old systems like Windows XP, the analyzed version did not work) and Windows Server and, also, that they will not infect any region inside the CIS segment.”

Critical Remote Code Execution Flaw Found in Open Source rConfig Utility
Date published: 04/11/2019
Author: Tom Spring
Excerpt: “Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication. RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according to the project’s website. The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.”

Here are this week’s noteworthy security bulletins:

1) Tenable.sc: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0310/
Tenable Security Center received stand-alone patches that address multiple vulnerabilities affecting PHP. The most severe of these could lead to a remote denial of service attack and Cross-Site Scripting attacks.

2) Android: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0311/
Android received its monthly update that addresses 38 vulnerabilities. These include remote code execution and privilege escalation vulnerabilities.

3) Cisco Web Security Appliance: Cross-site scripting – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.4172/
Cisco Web Security Appliance received fixes for a couple of vulnerabilities. This particular bulletin addresses an update for fixing a reflected XSS vulnerability.

4) IBM QRadar SIEM: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.4193/
Last, but most certainly not least, IBM’s QRadar SIEM received fixes for over 39 vulnerabilities, including local arbitrary code execution, remote Denial of Service, and remote information disclosure.

...and with that, have a great weekend all!

Nick


AUSCERT Week in Review for 1st November 2019

Greetings,

As the week comes to a close, here are some articles that may help ease you into the weekend.

xHelper Trojan Variant Reinstalls Itself After Removal, Infects 45K
Date published: 29/10/2019
Author: Sergiu Gatlan
Excerpt: “While the infection vector used by the threat actor behind the new xHelper variant is not yet known, Symantec’s research team suspects that the app component that bundles the xHelper payloads is downloaded by a malicious system app that might come pre-installed on some smartphone brands. The fact that “numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it,” seems to further consolidate their hypothesis. — xHelper reports can be found on Reddit and Google Play’s Help forums. The number of devices infected with the xHelper Android malware grows each day, since “in the past month alone, there was an average of 131 devices infected each day, and an average of 2,400 devices persistently infected throughout the month,” as Symantec’s research team adds.”

Facebook Sues Israeli NSO Spyware Firm For Hacking WhatsApp Users
Date published: 29/10/2019
Author: Swati Khandelwal
Excerpt: “Developed by NSO Group, Pegasus allows access to an incredible amount of data from victims’ smartphones remotely, including their text messages, emails, WhatsApp chats, contact details, calls records, location, microphone, and camera. Pegasus is NSO’s signature product that has previously been used against several human rights activists and journalists, from Mexico to the United Arab Emirates two years ago, and Amnesty International staffers in Saudi Arabia and another Saudi human rights defender based abroad earlier last year. Though NSO Group always claims it legally sells its spyware only to governments with no direct involvement, WhatsApp head Will Cathcart says the company has evidence of NSO Group’s direct involvement in the recent attacks against WhatsApp users.”

Industrial equipment to come under fire at the world’s largest hacking contest
Date published: 28/10/2019
Author: Catalin Cimpanu
Excerpt: “Industrial equipment will be the primary focus of the next edition of Pwn2Own, the world’s largest and most well-known hacking contest. This is the first time that security researchers will be allowed to hack ICS (industrial control systems) software and protocols at Pwn2Own. For most of its 12-year history, the contest has featured browsers and operating systems as the primary targets for white-hat hackers looking to make a name for themselves and earn huge cash rewards. In recent years, contest organizers have been diversifying the target portfolio with virtual machines, Tesla cars, and even Facebook Portal devices. Now, the organizers, Trend Micro’s Zero-Day Initiative (ZDI) project, say the next Pwn2Own contest will be solely focused on ICS devices and their respective software.”

Johannesburg Authorities Refuse to Pay Hackers’ Bitcoin Ransom
Date published: 30/10/2019
Author: Marie Huillet
Excerpt: “Authorities in Johannesburg are holding firm in their refusal to pay a ransom of 4 Bitcoin to hackers who targeted municipal systems last week. In a statement posted to its official Twitter handle on Oct. 28, the Johannesburg city council confirmed the attack had affected services that included billing, property valuation and land information systems, as well as its eHealth and Libraries services. The breach, which occurred on Oct. 24, was accompanied by a ransom demand of 4 Bitcoin (BTC) — worth close to $37,000 to press time — payable by Oct. 28.”

New Adwind Variant Targets Windows, Chromium Credentials
Date published: 29/10/2019
Author: Lindsey O’Donnell
Excerpt: “Once delivered, this new Adwind variant obfuscates the initial JAR file, blocking against any signature-based detection methods. “Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web,” researchers with Menlo Security said in a Tuesday post. “In fact, any effort to block or limit Java would result in much of the internet breaking down — a non-starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities.” The JAR file then decrypts and loads a loader, which then loads an initial set of modules and sends out a request that is responsible for initializing the RAT with the command-and-control (C2) server.”

Here are this week’s noteworthy security bulletins:

1) ALERT php5: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.3963/
Debian released an update to address a buffer underflow vulnerability in its php5-fpm implementation. The vulnerability, CVE-2019-11043, is being actively exploited in the wild to perform remote code execution. PHP 5.6 reached End Of Life on 1st January 2019. Updates to address the same vulnerability followed for php7.0 and php7.3 on Debian, Ubuntu and SUSE.

2) Fortiguard FortiClient: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.4008/
The FortiClient endpoint protection solution for macOS received a fix to address a local security check bypass. This could result in local command execution with root privileges. The vulnerability arose due to improper sanitisation of special elements in a command.

3) Apple MacOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ESB-2019.4010/
Apple released a bunch of security fixes for its products: macOS, iOS, iPadOS, tvOS, watchOS and Safari. Needless to say, the fixed vulnerabilities ranged from UI spoofing to remote code execution.

4) sudo: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.3979/
Red Hat released an update to fix a privilege escalation vulnerability which allowed a local attacker to execute privileged commands by leveraging the “Runas” specification, effectively bypassing the need to authenticate as root. Red Hat has stated: “This flaw only affects specific, non-default configurations of sudo, in which sudoers configuration entry allows a user to run a command as any user except root, for example:
someuser myhost = (ALL, !root) /usr/bin/somecommand”

...and with that, have a great weekend all!

Nick


2019 Cyber Security Survey

Complete the 2019 Cyber Security Survey

The cyber landscape is constantly changing, and the number and level of sophistication of attacks are increasing. Being aware of the latest cyber security threats and trends in the industry can help your organisation put the right measures in place to protect against cyber threats. Is your organisation prepared to manage the impact of a significant cyber event? How do your cyber practices stack up against other organisations in your industry?

The fourth BDO and AUSCERT Cyber Security Survey is now open. This annual survey, aimed at key decision makers, identifies the current cyber security trends, issues and threats facing businesses in Australia and New Zealand.

Participation gives you direct access to our survey report, allowing you to:
- Compare your organisation’s cyber maturity against peers
- Benchmark your business’ current cyber security efforts with trends in your industry
- Identify potential gaps in your organisation’s cyber security approach
- Determine ways to improve your organisation’s cyber security culture, planning and response measures.

Take part now

Don’t miss out on your chance to gain free insight into the maturity of your organisation’s cyber security approach. The survey closes at midnight on Friday 1 November. The survey is anonymous and takes less than 10 minutes to complete. The survey also offers the chance to win one of three Apple Watches.*

For more information about this survey contact our team: membership@auscert.org.au

* Refer to the survey competition terms and conditions.


AUSCERT Week in Review for 25th October 2019

Greetings,

This week we saw both Google and Mozilla release updates to patch multiple vulnerabilities in the Chrome and Firefox browsers, part of the ongoing battle to ensure we are a little safer whilst we battle the web. Additionally, with consumer protection in mind, Apple pulled eighteen malicious apps from the iOS store, whilst on the Google Play Store, forty-two adware Android apps were removed. However, despite measures taken by vendors to protect us from the ‘evilz’, we must still remember that we have to take responsibility for our own actions and choices. Be vigilant with your app choice and always perform due diligence.

Every day we are more invested in staying connected to both people and systems, and Naked Security informed audiences in an article this week that people still think of phishing as being solely an email-borne scam. However, the article correctly reminded readers that the technique is applied by scammers to every communications stream available on our electronic devices, including social media messages, instant messaging and SMS text messages.

Please feel free to dive into the associated articles:
——————————————————————————–
iBye, bad guy: Apple yanks 18 iOS store apps that sheltered advert-mashing malware
Date: October 24
Author: The Register

42 Adware Apps with 8 Million Downloads Traced Back to Vietnamese Student
Date: October 24
Author: The Hacker News

Phishy text message tries to steal your cellphone account
Date: October 18
Author: Naked Security
——————————————————————————–

Here are four of this week’s interesting security bulletins:

ASB-2019.0308 – Google Chrome was patched to resolve multiple vulnerabilities which, when unpatched, offered an interesting selection of impact/access factors.

ESB-2019.3941 – Mozilla also patched multiple vulnerabilities in Firefox, resolving a bunch of ‘Remote with User Interaction’ associated impacts.

ESB-2019.3947 – Red Hat plugged a nifty vulnerability related to little old sudo which researchers found would lead to root compromise when exploited.

ESB-2019.3958 – VMware issued an update to resolve a vulnerability associated with its vCenter Server Appliance, addressing a sensitive information disclosure vulnerability (remote unauthenticated) in backup and restore.
——————————————————————————–

As always, stay safe, stay patched, and make it a good weekend!

Best regards,
Colin and Patch the AUSCERT cat
