Week in review

AUSCERT Week in Review for 16th August 2019

Greetings,

Windows’ Remote Desktop Services is in the spotlight this week, with two separate announcements. Firstly, the ACSC issued a warning on Monday night that May’s “BlueKeep” vulnerability was being exploited in the wild. Then, Microsoft warned on Patch Tuesday (or Wednesday for us antipodeans) that it had found two more similar vulnerabilities, with patches available immediately.

In other news, F-Secure have written up a novel injection attack. While injection attacks are famously seen in carelessly-written SQL and shell scripts, this week brought a blog post documenting how vendor F5’s own example configuration code often contained vulnerable Tcl. While F5 released an advisory in May to this effect, F-Secure’s post brings greater notoriety to the issue.

While scripting languages are on your mind, consider ShellCheck. Yours truly will always recommend an extra pair of eyes on any shell scripts being written.

ASD upgrades BlueKeep Win. RDP warning, 50K Aust. devices at risk
Author: iTnews
Date published: 2019-08-13
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a late evening warning to business and government that a recently revealed legacy Windows exploit has jumped ‘research’ quarantine and is expected to start fanging victims imminently.

New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic
Author: BleepingComputer
Date published: 2019-08-13
A new Bluetooth vulnerability named “KNOB” has been disclosed that allows attackers to more easily brute-force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices.

‘Cyber paramedics’ keep Vic agencies safe
Author: Government News
Date published: 2019-08-12
When David Cullen took up the job of Principal Advisor of Cyber Incidents and Emergency Management at the Victorian Department of Premier and Cabinet a year ago he was told there had been just 13 cyber-attacks in the history of the organisation. “I scratched my head and thought, ‘what a ripping job I’ve landed in’,” he told delegates at a Technology in Government conference in Canberra last week. He soon found out those 13 attacks weren’t “even close to the tip of the iceberg”. After conducting a whole of government survey it became apparent that hackers were attempting to breach government systems every 45 seconds and that nine in 10 Victorian government organisations had experienced a cyber incident.

WordPress team working on daring plan to forcibly update old websites
Author: ZDNet
Date published: 2019-08-08
The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites.

Hidden Injection Flaws Found in BIG-IP Load Balancers
Author: SecurityWeek
Date published: 2019-08-09
The issue cannot be patched. “This is not a vulnerability in Tcl, or F5 products, but rather an issue relating to coding practices used when writing Tcl code,” explained F5 in its advisory. The effect, however, could give an attacker access to the load balancer and its hosting device, the ability to read passing traffic (including user credentials), and the potential to use this as a beachhead for gaining access to the internal network. The inability to patch the problem and the difficulty for companies to know whether their own code exposes the problem, prompted the flaw finder, F-Secure’s senior security consultant Christoffer Jerkeby, to publish a paper on his findings.

ShellCheck
This free tool is available online and as a binary, and scours your shell scripts for common mistakes. It’s also available as a plug-in for your favourite editor.

This week’s noteworthy bulletins:

1. ESB-2019.3059 – [Appliance] FortiOS
JavaScript files used in the appliance’s web UI would reveal OS version information even to unauthenticated users.

2. ASB-2019.0238 – [Windows] Microsoft Windows (login wall)
Microsoft’s Patch Tuesday included two “wormable” RCEs in Remote Desktop Services, similar to the BlueKeep bug patched in May. Two more RCEs were also patched in the Windows DHCP client.

3. ESB-2019.3092 – [Windows] [macOS] Adobe Acrobat and Reader
Opening a crafted file could execute arbitrary code. A good reminder not to open suspicious files.

4. ESB-2019.3116 – [Windows] [UNIX/Linux] nginx
Multiple DoS vulnerabilities were found in HTTP/2 servers by a researcher at Netflix. Nginx happens to be the first to release a fix.

Stay safe, stay patched, try out ShellCheck, and have a great weekend!
David


Week in review

AUSCERT Week in Review for 9th August 2019

Greetings,

Two sagas continue this week, and neither one is Star Wars. The Spectre family tree has gained a new member called SWAPGS. It was announced at Black Hat and allows access to protected data in the CPU cache. Another two vulnerabilities have also been added to the Dragonblood family, affecting the cutting-edge WPA 3 WiFi standard.

A million-dollar email should serve as a reminder to your staff to always consider whether BCC is a better tool for mass-mail than CC.

SWAPGS Vulnerability in Modern CPUs Fixed in Windows, Linux, ChromeOS
Author: BleepingComputer
Date published: 06/08/2019
At BlackHat today, Bitdefender disclosed a new variant of the Spectre 1 speculative execution side channel vulnerabilities that could allow a malicious program to access and read the contents of privileged memory in an operating system. This SWAPGS vulnerability allows local programs, like malware, to read data from memory that it should normally not have access to, such as the Windows or Linux kernel memory. During the July 2019 Patch Tuesday security updates, Microsoft secretly patched the new SWAPGS speculative vulnerability using software mitigations. [Red Hat and Google have also released advisories and patches.]

App that patients use to book GP appointments now facing millions in fines for selling health data
Author: ABC News
Date published: 07/08/2019
Australia’s biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling users’ personal health information to law firms. The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege.

New Dragonblood vulnerabilities found in WiFi WPA3 standard
Author: ZDNet
Date published: 03/08/2019
Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance’s recently launched WPA3 WiFi security and authentication standard. Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard. The two researchers — Mathy Vanhoef and Eyal Ronen — found these two new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks.

When ‘CC’ should have been ‘BCC’: How an email gaffe cost one Australian company dearly
Author: The Age
Date published: 02/08/2019
It started as a simple oversight, but quickly ended as a six-figure mistake. At the heart of the tale is a global real estate company, where one marketing email sent by an employee to just 300 customers exposed a major gap in the firm’s cyber security governance. The problem began when the employee mistakenly pasted 300 email addresses in the “carbon copy” or “CC” email field, instead of the “blind copy” or “BCC” field, a technological misstep familiar to almost anyone using email in 2019.

This week’s noteworthy bulletins:

1. [ALERT] Cisco Enterprise NFV Infrastructure Software: Multiple vulnerabilities
Authentication bypass and command injection attacks leading to an unauthenticated administrator compromise.

2. keycloak-httpd-client-install: Multiple vulnerabilities
Install scripts can have significant vulnerabilities too! This one used insecure temp files to enable privilege escalation.

3. LibreOffice: Execute arbitrary code/commands – Remote with user interaction
Nooo don’t open that file!

4. IBM Business Automation Workflow: Access confidential data – Remote/unauthenticated
“Reverse tabnabbing” is a little-seen web vulnerability.

Stay safe, stay patched and have a great weekend!
David


Week in review

AUSCERT Week in Review for 26th July 2019

Greetings,

Concerns continue about development of exploits for the Windows RDP vulnerability (BlueKeep), which has the potential to become a self-replicating worm. This week more information became available which closes the gap towards successful exploitation of this vulnerability. For more info see: https://www.theregister.co.uk/2019/07/24/bluekeep_code_release/

If you still haven’t patched this yet, note the time to successful exploitation with remote code execution is drawing ever closer!

This week also saw a warning from the ACSC about a class of scams being called “freight forwarding scams”. A number of AUSCERT members have been hit by this and ACSC note some businesses have closed due to the losses. See: https://www.cyber.gov.au/news/business-email-compromise-freight-forwarding-scam

Here are some of the week’s noteworthy security stories (in no particular order):

Australia’s Consumer Data Right to finally make its way through Parliament
Author: Asha Barbaschow
Date: 2019-07-23
Excerpt: “The federal government this week plans to introduce legislation it has touted as opening up competition between banks, utilities, and telecommunications providers, as well as allowing consumers to easily switch between providers. The Consumer Data Right (CDR) — through the passage of the Treasury Laws Amendment (Consumer Data Right) Bill — will allow individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, in addition to gaining the right to control who can have it and who can use it.”

Law Council wants warrants and crime threshold for metadata retention scheme
Author: Chris Duckett
Date: 2019-07-23
Excerpt: “The Law Council of Australia has called for the introduction of warrants when the nation’s enforcement agencies seek to access metadata stored in the data retention systems of Australia’s telcos. Currently, enforcement agencies have access to two years’ worth of customers’ call records, location information, IP addresses, billing information, and other data stored by carriers without the need for a warrant.”

BEC Scammers Trick Employees Into Giving Away Customer Info
Author: Sergiu Gatlan
Date: 2019-07-23
Excerpt: “Business email compromise (BEC) scammers are now targeting a company’s customers using a new indirect attack method designed to collect information on future scam targets by asking for aging reports from collections personnel.”

Hundreds of Australians have been fleeced over bogus tax debts
Author: Sian Johnson, et al
Date: 2019-07-24
Excerpt: “Ms Wilson is one of hundreds of Australians taken in by dodgy phone calls demanding payment for bogus tax debts, with a record number of more than 800 Australians fleeced of a total of $3 million in 2018 alone.”

Microsoft to Improve Office 365 Malicious Email Analysis
Author: Sergiu Gatlan
Date: 2019-07-24
Excerpt: “Microsoft is currently in the process of developing significantly better manual threat hunting features for the Office 365 Threat Explorer, to be rolled out to all environments during August.”


Week in review

AUSCERT Week in Review for 19th July 2019

Greetings,

Oracle’s Critical Patch Update for July landed on Wednesday. Check out our bulletins to see if you’re running anything in need of a fix.

Credential stuffing even made it into prominent webcomic xkcd this week, in a very easy-to-follow way (https://xkcd.com/2176/).

Here are some of the week’s noteworthy security stories (in no particular order):

NCSC Issues Alert About Active DNS Hijacking Attacks
Author: Ionut Ilascu
Date: 2019-07-15
Excerpt: “Following recent reports about mass-scale attacks aimed at modifying Domain Name System records, UK’s National Cyber Security Centre (NCSC) released an advisory with mitigation options for organizations to defend against this type of threat.”

FBI Releases Master Decryption Keys for GandCrab Ransomware
Author: Lawrence Abrams
Date: 2019-07-17
Excerpt: “In an FBI Flash Alert, the FBI has released the master decryption keys for the Gandcrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.”

Home Affairs could tap telcos for MAC and IP addresses, port numbers
Author: Ry Crozier
Excerpt: “The Department of Home Affairs has raised the prospect of forcing Australian telcos to capture an expanded range of user data including MAC addresses, IP addresses and port numbers under mandatory data retention laws.”

Oracle’s July 2019 CPU Includes 319 Fixes
Author: Ionut Arghire
Date: 2019-07-17
Excerpt: “Oracle this week published its July 2019 Critical Patch Update (CPU), which brings a total of 319 security fixes across numerous product families. While fewer than 200 of these vulnerabilities can be exploited remotely without authentication, over 50 of them are rated Critical severity, almost all of them featuring a CVSS score of 9.8.”


Blogs

AUSCERT celebrates launch of new website

AUSCERT is Australia’s original, and one of the world’s longest-serving, Cyber Emergency Response Teams (CERT). This year marks 26 years since we launched our specialist cyber-security services through The University of Queensland in 1993.

Business Team Leader, Bek Cheb, said “We’ve seen so much change in the cyber-security industry over the past two and a half decades. In particular, the technology and people skills essential to providing high-quality cyber safety, data security and data protection have evolved radically.”

To mark our 26-year milestone, AUSCERT has launched a new brand image and website to further enhance the service we provide to members. The new site is easier to navigate and provides better access to security information. Members can download PGP/GPG signed versions of Security Bulletins; access information about member meetups hosted by AUSCERT; and keep up to date with industry news and the latest in information security issues.

AUSCERT is a member-based not-for-profit organisation, so offers one of the best value threat intelligence and incident response services available. We are trusted by 500+ clients, including every university in Australia, a number of government departments and a variety of private companies.

The AUSCERT services are numerous but revolve around providing specialist security support to help prevent, detect, respond to and mitigate cyber-based attacks. AUSCERT members receive timely threat and vulnerability alerts and access to a range of services including:

Incident Management Service
The Incident Management Service includes coordination and handling, providing assistance and expertise to help detect, interpret and respond to attacks from around the globe. AUSCERT acts as a trusted intermediary, coordinating communication about incidents between affected parties.

Phishing Take-Down Service
AUSCERT’s Phishing Take-down service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected.

Security Bulletin Service
AUSCERT Security Bulletins contain information about threats, vulnerabilities, patches and workarounds of an IT security nature that AUSCERT believes would be of interest to our members (and the public). AUSCERT provides up-to-date information on a range of software and hardware products, published in a standardised format with a consistent approach to classifications of vulnerabilities, impacts and related operating systems.

Member Security Incident Notifications (MSINs)
AUSCERT provides Member Security Incident Notifications (MSINs) to members. These notifications are relevant and customised security reports containing notifications for organisations’ domains and IP ranges. These notifications can include more than one incident, so you remain up-to-date on the latest threats and vulnerabilities.

A full list of services can be found here.


Week in review

AUSCERT Week in Review for 12th July 2019

Greetings,

This week we saw numerous Microsoft vulnerability reports and fixes as part of Patch Tuesday. We also saw a larger than normal collection of advisories from Juniper and ICS-CERT this week.

There are a number of events occurring in our neighbourhood in the next few weeks that may be of interest:

“Celebrating Diversity and Inclusion in Queensland’s ICT security sector”
https://wordpress-admin.auscert.org.au/events/2019-07-18-naidoc-week-2019-auscert-and-baidam-solutions-event

“Cyber Security Public Lecture with Corey Schou”
https://www.eait.uq.edu.au/cyber-security-public-lecture-corey-schou

Here are some of this week’s noteworthy security stories (in no particular order):

ACSC Releases Updated Essential Eight Maturity Model
Author: US-CERT
Date: 05-07-2019
Excerpt: “The Australian Cyber Security Centre (ACSC) has released updates to its Essential Eight Maturity Model. The model assists organizations in determining the maturity of their implementation of the Essential Eight–ACSC’s list of the top mitigation strategies to help organizations protect their systems against adversary threats.”

British Airways faces record-breaking GDPR fine after data breach
Author: Jon Porter
Date: 08-07-2019
Excerpt: “The UK’s data watchdog has announced plans to fine the airline British Airways a record £183 million over last year’s data breach.”

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
Author: Jonathan Leitschuh
Date: 09-07-2019
Excerpt: “A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.”

Patch Tuesday Lowdown, July 2019 Edition
Author: Brian Krebs
Date: 09-07-2019
Excerpt: “Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild”

German banks are moving away from SMS one-time passcodes
Author: Catalin Cimpanu
Date: 11-07-2019
Excerpt: “Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method.”

Here are some of this week’s noteworthy security bulletins (in no particular order):

Title: ASB-2019.0190 – [Win][UNIX/Linux] Mozilla Firefox and Mozilla Firefox ESR: Multiple vulnerabilities
Date: 10 July 2019
URL: http://www.auscert.org.au/84211
“Mozilla advises upgrading to Firefox 68 or Firefox ESR 60.8 to address this vulnerability.”

Title: ASB-2019.0187 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities
Date: 10 July 2019
URL: http://www.auscert.org.au/84193
“CVE-2019-1132 has been seen exploited in the wild”

Title: ESB-2019.2574 – [Win] Siemens SIMATIC WinCC and PCS7: Multiple vulnerabilities
Date: 12 July 2019
URL: http://www.auscert.org.au/84331
“The SIMATIC WinCC DataMonitor web application of the affected products allows an authenticated user with network access to the WinCC DataMonitor application to upload arbitrary ASPX code.”

Title: ESB-2019.2572 – [Win][UNIX/Linux] Jenkins: Multiple vulnerabilities
Date: 12 July 2019
URL: http://www.auscert.org.au/84327
“Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master.”

Title: ESB-2019.2563 – [Juniper] Junos OS: Multiple vulnerabilities
Date: 12 July 2019
URL: http://www.auscert.org.au/84309
“Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow”

Stay safe, stay patched and have a great weekend,
Marcus.


Blogs

AUSCERT at 2019 FIRST Conference

I had the absolute pleasure of attending the 2019 FIRST Conference for the first time (no pun intended!) recently. FIRST is the Forum of Incident Response and Security Teams and it brings together a wide variety of security and incident response teams, including especially product security teams from the government, commercial, and academic sectors.

This year’s conference theme was “Defending the Castle” and there were approximately 1100 delegates, a very full program over 5 days and plenty of opportunities to meet other cyber security teams and share ideas across the board. One of the aspects I enjoyed thoroughly was my introduction to other CERTs from the Asia Pacific region and gaining a greater understanding of the role AUSCERT plays in this community.

(Photo credit: APCERT)

I also wanted to take this opportunity to highlight a couple of my favourite speaker sessions here:

“Waking up the Guards – Renewed Vigilance Needed to Regain Trust in Fundamental Building Blocks” by Merike Kaeo of Double Shot Security was my favourite keynote. Merike spoke about the days when trust was inherent and how we now see exploitation of fundamentals such as routing, DNS and certificates. She invoked the question of ‘How can we regain trust and control of where our data goes and by whom it is seen?’ and it really got me thinking about the current cyber security landscape and how we can all do better in this space.

The other speaker session I enjoyed was the talk presented by the Cisco Umbrella research team on the topic of “Detecting Covert Communication Channels via DNS”. I thought this was an absolutely fascinating subject and one that is worth further research within AUSCERT.

As the conference wrapped up at the end of last week, I walked away feeling very inspired about the fact that there is such a strong community spirit that fosters great collaboration within our industry. I am certain that AUSCERT and UQ can AND need to play an even more active role in the future!

David Stockdale
Director


Blogs

AUSCERT2019: that’s a wrap!

The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here’s a summary of conference highlights for those who couldn’t attend.

Sensational Keynotes

AUSCERT2019 featured three legendary keynote speakers: Mikko Hypponen, Troy Hunt and Jessy Irwin. Each covered a different area within cyber security and shared their knowledge and expertise generously.

Mikko is a globally-renowned tech security guru working as the CRO of F-Secure. He has also written for the New York Times, Wired and Scientific American, and frequently appears on international TV. At the conference he spoke on ‘Computer Security: Yesterday, Today and Tomorrow’. A key takeaway from Mikko was on IoT devices. When observing data security, it is likely that in the future these devices will no longer tell you they are connecting to the internet, but will pass your data straight to the manufacturer. To view Mikko’s presentation, you can visit the AUSCERT YouTube channel here.

Troy is an independent security trainer, speaker and Microsoft Regional Director. He’s most commonly recognised as the founder of the data breach monitoring and notification service ‘Have I Been Pwned’ (HIBP). Troy spoke on ‘The Data Breach Pipeline: How Our Data is Stolen, Distributed and Abused’. A key takeaway from his presentation was on password managers and how they can solve a lot of password-breach related issues. Changing your password regularly is no longer enough; you need more complex solutions. To find out more about Troy’s keynote, you can view his presentation here.

Jessy is a security expert and Head of Security at Tendermint. Her role means she excels at translating complex cybersecurity problems into relatable terms, and she also develops, maintains and delivers on comprehensive security strategy. Jessy spoke on ‘How Security Teams Can Evolve to Win Friends and Influence People’. Jessy’s intention was to challenge some standard ways of thinking within the cyber and information security industry and she certainly succeeded in doing so. To download a copy of Jessy’s presentation, please click here. Jessy’s presentation can be viewed here.

Networking Events

The ‘Beers of the World’ session is the ceremonial welcome to all delegates attending AUSCERT2019. Attendees are encouraged to mingle with vendors, sponsors and other industry professionals while tasting an array of beers from around the globe. This is a great opportunity to connect with other industry professionals in a relaxing environment.

On Thursday evening conference delegates were entertained at the venue’s poolside bar by the phenomenal crew from Jetpack Events who showcased their acrobatic prowess and delighted the audience with an amazing fireworks display.

This year, the Gala Dinner theme ‘Legend of the Gala’ paid a subtle homage to our main conference theme and is derived from the ever popular Legend of Zelda video game franchise. We even saw a number of Zelda enthusiasts in full costume, kudos to them! Dinner guests were entertained by the talented speed painter Brad Blaze who wowed the audience with his Zelda-inspired artworks.

Sponsors Booths

Alongside the array of speakers were more than 50 sponsors and supporters of AUSCERT. Each had their own designated booth space where they spoke to delegates and showcased their services. Some sponsors also engaged with delegates through interactive games and demos at their booth. There were hackathons, drone prizes and darts to name a few. A special shout-out to colleagues from Context Information Security who ran a PWNtoDrone CTF challenge which delegates enjoyed immensely.

In between sessions, delegates were also able to engage in the annual lock-picking and lego building sessions. These interactive activities provide a nice break for delegates to unleash their building and lock-picking skills; not to mention keeping the lego when you build it.

Overall, AUSCERT2019 was a huge success. We trust that all attendees enjoyed their time and ultimately learned new skills and strategies to keep their data and network safe in the new digital and mass-data era!


Week in review

AUSCERT Week in Review for 5th July 2019

Greetings,

I hope you are all enjoying the holiday period, whether it be having a break, less students/customers, or quieter roads. This week we again saw a wide variety of vulnerabilities revealed and patches released, including several root compromises and numerous remotely exploitable issues.

Here are some of this week’s noteworthy security stories (in no particular order):

Germany to publish standard on modern secure browsers
Author: Catalin Cimpanu
Date: 01-07-2019
Excerpt: “Germany’s cyber-security agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI), and they’ll be used to advise government agencies and companies from the private sector on what browsers are safe to use.”

Morrison sells Australia’s terrorism video streaming plan to the G20
Author: Stilgherrian
Date: 01-07-2019
Excerpt: Led by Australia, the G20 nations have urged online platforms to “meet our citizens’ expectations” to prevent terrorist and violent extremism conducive to terrorism (VECT) content from being streamed, uploaded, or re-uploaded. “Platforms have an important responsibility to protect their users,” read the Leaders’ Statement [PDF] issued in Osaka on Saturday.

Poison certs imperils GnuPG checking of Linux software
Author: Juha Saarinen
Date: 01-07-2019
Excerpt: “An attack has been unleashed against the global synchronising keyserver (SKS) network used by the popular OpenPGP encryption standard, with developers saying there are currently no mitigations available and that the problem is likely to get worse.”

China Is Forcing Tourists to Install Text-Stealing Malware at its Border
Author: Joseph Cox
Date: 03-07-2019
Excerpt: “The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.”

US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks
Author: Catalin Cimpanu
Date: 02-07-2019
Excerpt: The idea is to use “retro” technology to isolate the grid’s most important control systems, to limit the reach of a catastrophic outage. “Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators,”

YouTube mystery ban on hacking videos has content creators puzzled
Author: Thomas Claburn
Date: 03-07-2019
Excerpt: It forbids: “Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data.”

First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol
Author: Catalin Cimpanu
Date: 03-07-2019
Excerpt: “The DoH (DNS) request is encrypted and invisible to third-party observers, including cyber-security software that relies on passive DNS monitoring to block requests to known malicious domains.”

Here are some of this week’s noteworthy security bulletins (in no particular order):

1. ESB-2019.1280 – [Linux][OSX] Webkit: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/79038
“Processing maliciously crafted web content may lead to arbitrary code execution.”

2. ESB-2019.2443 – [Appliance] Cisco IP Phone 7800 and 8800 Series: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2443/
“A vulnerability in Cisco SIP IP Phone Software for Cisco IP Phone 7800 Series and 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected phone.”

3. ESB-2019.2433 – [Virtual] VMware Products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2433/
“Several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) have been disclosed. These issues may allow a malicious entity to execute a Denial of Service attack against affected products.”

4. ESB-2019.2413 – [Appliance] F5 Products: Denial of service – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2413/
“An attacker may exhaust file descriptors available to the named process; as a result, network connections and the management of log files or zone journal files may be affected.”

5. ESB-2019.2370 – [Win][Mac] Symantec Endpoint Encryption: Increased privileges – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2370/
“Symantec Endpoint Encryption and Symantec Encryption Desktop may be susceptible to a privilege escalation vulnerability”

6. ESB-2019.2474 – [FreeBSD] cd_ioctl: Root compromise – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2474/
“A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.”

Stay safe, stay patched and have a great weekend,
Marcus.


AUSCERT Week in Review for 28th June 2019

Greetings,

As the week ending Friday 28th June comes to a close, we take a look at some articles from this week that highlight the constant tug-of-war between the bad guys (them!) and the good guys (us!). From angler phishing to using RasPis to hack into a national US space agency, the bad guys are constantly trying to break through our defences. On the flip side, the algorithm vaccination article highlights the defenders’ equal determination to overcome their adversaries. Don’t give up the fight!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

What is angler phishing?
Date published: 24/06/2019
Author: Luke Irwin
Excerpt: “Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts. This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.”

Raspberry Pi Used in JPL Breach
Date published: 24/06/2019
Author: Staff, Dark Reading
Excerpt: “Auditors’ reports tend to make for dry reading. But NASA’s Inspector General has delivered a report on “Cybersecurity Management and Oversight at the Jet Propulsion Laboratory” that includes twists and turns — like a hacker using a vulnerable, unapproved Raspberry Pi as a doorway into JPL systems. That Raspberry Pi was responsible for 500 megabytes of NASA Mars mission data leaving JPL servers. The intrusion resulted in an advanced persistent threat (APT) that was active in JPL’s network for more than a year before being discovered. This was the most recent breach listed in the report. Other breaches noted date back to 2009 and include exfiltration totaling more than 100 gigabytes of information. Several of the intrusions feature command-and-control servers with IP addresses located in China, though the responsibility for the latest attack was not assigned to any country or actor.”

Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory
Date published: 25/06/2019
Author: Pierluigi Paganini
Excerpt: ““This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a Tweet published by Microsoft Security Intelligence. One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.”

Researchers develop a technique to vaccinate algorithms against adversarial attacks
Date published: 24/06/2019
Author: Helpnet Security
Excerpt: “Dr Richard Nock, machine learning group leader at CSIRO’s Data61 said that by adding a layer of noise (i.e. an adversary) over an image, attackers can deceive machine learning models into misclassifying the image. “Adversarial attacks have proven capable of tricking a machine learning model into incorrectly labelling a traffic stop sign as speed sign, which could have disastrous effects in the real world. “Our new techniques prevent adversarial attacks using a process similar to vaccination,” Dr Nock said.”

Here are this week’s noteworthy security bulletins:

1) F5 BIG-IP Controller for Cloud Foundry: Root compromise – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/ESB-2019.2286/
F5 released an update for its BIG-IP Controller for Cloud Foundry addressing a vulnerability in Alpine Docker images (version 3.3 and up) that caused systems built from those images to accept an empty (NULL) root password. The vulnerability had been introduced in December 2015!

2) Tenable Nessus: Cross-site scripting – Remote with user interaction
https://portal.auscert.org.au/bulletins/ASB-2019.0168/
Tenable issued an update for its Nessus vulnerability assessment solution to fix an XSS vulnerability.

3) McAfee Enterprise Security Manager (ESM): Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0169/
McAfee updated its Enterprise Security Manager (ESM) SIEM product to address a number of vulnerabilities.

4) Medtronic MiniMed 508 and Paradigm Series Insulin pumps – Multiple impacts
https://portal.auscert.org.au/bulletins/ESB-2019.2351/
Yet again, vulnerabilities in medical equipment allow bad people to play with lives by manipulating insulin doses or feeding incorrect information to those devices.

Stay safe, stay patched and have a good weekend!
Nick
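The F5/Alpine bulletin above comes down to one field in /etc/shadow: an empty password field, which is not the same thing as a locked one (`!` or `*`). The following is an added Python example (not from F5, Alpine or AUSCERT) that parses shadow-format lines, separates empty, locked and hashed entries, and returns the accounts that would accept a blank password, so the check can be run over a container image's /etc/shadow before it ships. Both shadow samples and the hash value are constructed.

```python
"""Classify /etc/shadow entries as empty, locked or hashed (added example; samples constructed)."""
from dataclasses import dataclass
from typing import List

# Constructed: an image whose root entry has an empty password field, the shape of
# the problem described in the bulletin above. The $6$ hash is a placeholder, not real.
VULNERABLE_SHADOW = """\
root:::0:::::
bin:!::0:::::
daemon:*::0:::::
svc:$6$saltsalt$constructedplaceholderhash:18000:0:99999:7:::
"""

# Constructed: the same image with root locked instead of empty.
FIXED_SHADOW = """\
root:!::0:::::
bin:!::0:::::
daemon:*::0:::::
svc:$6$saltsalt$constructedplaceholderhash:18000:0:99999:7:::
"""


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    state: str  # "empty", "locked" or "hashed"


def classify_shadow(shadow_text: str) -> List[ShadowEntry]:
    """Parse shadow lines (name:password:lastchg:min:max:warn:inactive:expire:reserved).

    An empty password field means no password is required at all. A field starting with
    '!' or '*' can never match any password, so the account is locked for password logins.
    Anything else is treated as a hash.
    """
    entries = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 colon-separated fields, got {len(fields)}")
        name, password = fields[0], fields[1]
        if password == "":
            state = "empty"
        elif password[0] in "!*":
            state = "locked"
        else:
            state = "hashed"
        entries.append(ShadowEntry(name, state))
    return entries


def accounts_with_empty_password(shadow_text: str) -> List[str]:
    """Account names that would accept a blank password: the list a build should fail on."""
    return [e.name for e in classify_shadow(shadow_text) if e.state == "empty"]


if __name__ == "__main__":
    # Against a real image the input would come from: docker run --rm IMAGE cat /etc/shadow
    for label, text in (("vulnerable", VULNERABLE_SHADOW), ("fixed", FIXED_SHADOW)):
        bad = accounts_with_empty_password(text)
        print(f"{label}: " + (f"FAIL, empty password for {', '.join(bad)}" if bad else "OK"))
```

Whether an empty field actually lets someone log in depends on the PAM stack (`nullok` on pam_unix, for example), so treat an empty field as a finding to fix rather than as proof of exposure, and treat a locked field as only a password lock: SSH keys, sudo rules and setuid binaries are unaffected by it.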


AUSCERT Week in Review for 21st June 2019

Greetings,

This week the Australian government performed an rm -rf on a top government cyber security position, and zero-days for both Firefox and Oracle WebLogic were dropped.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Mozilla patches Firefox zero-day abused in the wild
Date Published: 18 June 2019
Author: Catalin Cimpanu
Excerpt: “The Mozilla team has released earlier today version 67.0.3 of the Firefox browser to address a critical vulnerability that is currently being abused in the wild. A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop, Mozilla engineers wrote in a security advisory posted today. ‘This can allow for an exploitable crash,’ they added. ‘We are aware of targeted attacks in the wild abusing this flaw.’”

—–

Title: Oracle patches another actively-exploited WebLogic zero-day
Date Published: June 19, 2019
Author: Catalin Cimpanu
Excerpt: “Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users’ systems. Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday. The initial report from Knownsec claimed the attacks exploited a brand new WebLogic bug to bypass patches for a previous zero-day tracked as CVE-2019-2725 — which was also exploited in the wild for days in April before Oracle released an emergency security patch for that one as well.”

—–

Title: Home Affairs deletes top govt cyber advisor position
Date Published: 21 June 2019
Author: MSRC Team
Excerpt: “Australia’s top government cyber security policy job has quietly disappeared from the Department of Home Affairs following the shock departure of former cyber tsar Alastair MacGibbon. The department’s most recently issued organisation chart reveals the national cyber security advisor role has been shredded and the wider cyber security policy function absorbed within its policy directorate. Originally established as the Prime Minister’s special advisor on cyber security, the high profile public-facing role was established within the PM’s department as part of the heavily publicised May 2016 national cyber security strategy.”

—–

Title: Critical Vulnerabilities Patched in Cisco SD-WAN, DNA Center Products
Date Published: June 20, 2019
Author: Eduard Kovacs
Excerpt: “Cisco on Wednesday released patches for several critical and high-severity vulnerabilities affecting its SD-WAN, DNA Center, TelePresence, StarOS, RV router, Prime Service Catalog, and Meeting Server products. According to Cisco, the Digital Network Architecture (DNA) Center is affected by a critical vulnerability that allows a network attacker to bypass authentication and access critical internal services. The company’s SD-WAN solution, specifically its command-line interface (CLI), is affected by a critical flaw that can be exploited by a local attacker to elevate privileges to root and change the system configuration.”

—–

Title: Samba Vulnerability Can Crash Active Directory Components
Date Published: 20 June 2019
Author: Ionut Ilascu
Excerpt: “A couple of bugs in some versions of Samba software can help an attacker crash key processes on the network in charge of providing directory, application, and other services. The two vulnerabilities can be leveraged separately to crash the LDAP (Lightweight Directory Access Protocol) and the RPC (remote procedural call) server processes in Samba Active Directory Domain Controller, supported since version 4.0 of the software.”

—–

Here are this week’s noteworthy security bulletins:

1) [ESB-2019.2230] Apache Tomcat: Denial of service – Remote/unauthenticated
Clients are able to cause server-side threads to block, eventually leading to thread exhaustion and a denial of service.

2) [ESB-2019.2225] Bind: Denial of service – Remote/unauthenticated
Bind could be made to crash if it received specially crafted network traffic.

3) [ESB-2019.2220] libvirt: Multiple vulnerabilities
Multiple denial of service and code execution vulnerabilities found in libvirt.

Stay safe, stay patched and have a great weekend,
Rameez Agnew


AUSCERT Week in Review for 14th June 2019

Greetings,

Happy Microsoft patch week! An updated Windows computer is a happy Windows computer (and will make us happy too!) In other news, if you recall the Exim vulnerability we mentioned last week, it’s now being exploited in the wild, so please patch as soon as you can!

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Exim email servers are now under attack
Date Published: 14/06/2019
https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/
Excerpt: “Exim servers, estimated to run nearly 57% of the internet’s email servers, are now under a heavy barrage of attacks from hacker groups trying to exploit a recent security flaw in order to take over vulnerable servers, ZDNet has learned. At least two hacker groups have been identified carrying out attacks, one operating from a public internet server, and one using a server located on the dark web.”

—–

RAMBleed (CVE-2019-0174)
Date Published: 12/06/2019
https://rambleed.com/
Excerpt: “RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.”

—–

Google decloaks Win-DoS bug before patch is released
Date Published: 12/06/2019
https://www.itnews.com.au/news/google-decloaks-win-dos-bug-before-patch-is-released-526549
Excerpt: “Google’s Project Zero security team has decided to reveal the details of a denial of service (DoS) bug in Windows, after Microsoft said it would provide a patch outside the 90-day disclosure deadline. Project Zero lifted the veil on the flaw, 91 days after it was disclosed to Microsoft. The bug is found in the Windows cryptographic application programming interface, affecting the SymCrypt library arithmetic routines, Project Zero researcher Tavis Ormandy said.”

—–

8.4TB in email metadata exposed in university data leak
Date Published: 10/06/2019
https://www.zdnet.com/article/8-4tb-in-email-metadata-exposed-in-university-data-leak/
Excerpt: “An exposed database belonging to Shanghai Jiao Tong University exposed 8.4TB in email metadata after failing to implement basic authentication demands. As described on the Rainbowtabl.es security blog, Paine found the ElasticSearch database through a Shodan search. The open database contained 9.5 billion rows of data and was active at the time of discovery, given that its size increased from 7TB on May 23 to 8.4TB only a day later.”

—–

Project Svalbard: The Future of Have I Been Pwned
Date Published: 11/06/2019
https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/
Excerpt: “Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I’ve met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day. It wasn’t a hard decision to make – I needed help and they had the right experience and the right expertise.”

Here are this week’s noteworthy security bulletins:

1) ASB-2019.0156 – Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/ASB-2019.0156/

2) ESB-2019.2084 – vim: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2084/

3) ESB-2019.2090 – Adobe Flash Player: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2090/

4) ESB-2019.2101 – Intel Microprocessors: Access privileged data – Existing account
https://portal.auscert.org.au/bulletins/ESB-2019.2101/

5) ESB-2019.2102 – Cisco IOS XE Software Web UI: Cross-site request forgery – Remote with user interaction
https://portal.auscert.org.au/bulletins/ESB-2019.2102/

Stay safe, stay patched and have a good weekend!
Charelle
