Week in review

AUSCERT Week in Review for 28th July 2017

28 Jul 2017

Greetings,

As Friday 28th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: WikiLeaks drops another cache of ‘Vault7’ stolen tools
Date Published: 26/07/2017
URL: https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-of-vault7-stolen-tools/
Author: Taylor Armerding
Excerpt: “The WikiLeaks “Vault 7” almost-weekly drip-drip-drip of confidential information on the cybertools and tactics of the CIA continued last week. The latest document dump is a trove from agency contractor Raytheon Blackbird Technologies for the so-called “UMBRAGE Component Library” (UCL) Project, which includes reports on five types of malware and their attack vectors.”

-----

Title: Joint international operation sees US citizen arrested for denial of service attacks on IT systems
Date Published: 28/07/2017
URL: https://www.afp.gov.au/news-media/media-releases/joint-international-operation-sees-us-citizen-arrested-denial-service
Author: AFP
Excerpt: “A two and a half year joint operation between the Australian Federal Police (AFP), Federal Bureau of Investigation (FBI) and Toronto Police Department has resulted in a 37-year-old Seattle man being arrested in connection with serious offences relating to distributed denial of service attacks on IT systems.”

-----

Title: Australia’s war on maths blessed with gong at Pwnie Awards
Date Published: 27/07/2017
URL: https://www.computerworld.com.au/article/625351/australia-war-maths-blessed-gong-pwnie-awards/
Author: Rohan Pearce
Excerpt: “Australia’s own Malcolm Turnbull has been recognised at the Pwnie Awards in Las Vegas, with the prime minister taking out the ‘Pwnie for Most Epic FAIL’. The annual awards, staged at the BlackHat security conference, recognise security successes and failures.”

-----

Title: Flash Player death warrant signed by Adobe
Date Published: 27/07/2017
URL: http://technology.inquirer.net/65543/flash-player-death-warrant-signed-by-adobe
Author: INQUIRER.net
Excerpt: “Adobe is making a move to permanently terminate its Flash Player feature—which many believe should have been done a while back. According to an Adobe press release, the end-of-life (EOL) of the multimedia software platform is already in the works, as they are working with various technology partners like Apple, Facebook, Google, Microsoft and Mozilla, to create a smooth transition into open web platform.”

-----

Title: Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox
Date Published: 26/07/2017
URL: https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged
Author: Department of Justice
Excerpt: “SAN FRANCISCO – A grand jury in the Northern District of California has indicted a Russian national and an organization he allegedly operated, BTC-e, for operating an unlicensed money service business, money laundering, and related crimes.”

-----

Here are this week’s noteworthy security bulletins:

1) ESB-2017.1841 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/50358
Cisco has released information about three vulnerabilities (CVE-2017-6665, CVE-2017-6664, CVE-2017-6663) for which no patches are currently available.

2) ASB-2017.0125 – [Win][UNIX/Linux] Joomla!: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/50350
Two vulnerabilities have been fixed in the Joomla! core: the first in the CMS installer itself, and the second in the filtering of potentially malicious HTML tags, which was previously inadequate.

3) ESB-2017.1852 – ALERT [Cisco] Cisco Products: Access privileged data – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/50402
Multiple Cisco products are susceptible to an OSPF LSA manipulation vulnerability, which allows an attacker to take full control of the OSPF AS routing table.

AUSCERT in the Media:

Title: The Methodology of Improving Incident Response
URL: http://www.bankinfosecurity.com/methodology-improving-incident-response-a-10124
Author: Tom Field
Excerpt: “AUSCERT is one of the oldest CERTs in the world, and Phil Cole says the independent organization is now laser-focused on helping enterprises across sectors to fundamentally improve their strategies and solutions for incident response.”

-----

Title: Is your company and customer data being sold on the darknet?
URL: https://www.cio.com.au/article/621699/your-company-customer-data-being-sold-darknet/
Author: George Nott
Excerpt: “Increasingly businesses are monitoring the darknet for clues that their company and customer data is being exposed. But it’s no easy task. Last week, The Guardian reported that Australians’ Medicare numbers were being offered for sale on a darknet marketplace for the equivalent of $30 in Bitcoins each.”

Stay safe, stay patched and have a good weekend!

Ananda


Week in review

AUSCERT Week in Review for 21st July 2017

21 Jul 2017

As Friday 21st July comes to a close, along with the latest Oracle and Apple security updates, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Cisco patches critical bug in WebEx plug-in for Chrome, Firefox on Windows
Date Published: July 18 2017
URL: http://www.zdnet.com/google-amp/article/cisco-patches-critical-bug-in-webex-plug-in-for-chrome-firefox-on-windows/
Author: Liam Tung
Excerpt: “Google’s Project Zero researcher Tavis Ormandy reported the bug to Cisco earlier this month. It was discovered by him and Chris Neckar of Divergent Security, a former member of the Chrome security team. Ormandy earlier this year found two other flaws in the WebEx extension that allowed remote code execution. WebEx is a popular video conferencing tool in the enterprise. Ormandy notes that the WebEx extension for Chrome alone has 20 million active users. It’s also installed on 731,000 Firefox instances.”

-----

Title: Issues found via fuzzing by Guido Vranken
Date Published: July 17 2017
URL: http://freeradius.org/security/fuzzer-2017.html
Author: FreeRADIUS
Excerpt: “In order to improve the security of FreeRADIUS, we asked Guido to try fuzzing FreeRADIUS. He spent a week working with us, and managed to find a number of issues. We worked together to create and validate fixes for all of them. His blog contains a short note on the subject. The short summary is that if your RADIUS server is on a private network, accessible only by managed devices, you are likely safe. If your RADIUS server is part of a roaming consortium, then anyone within that consortium can attack it. If your RADIUS server is on the public internet, then you are not following best practices, and anyone on the net can attack your systems.”

-----

Title: Oracle e-business suite flaw allows downloads of documents
Date Published: July 18 2017
URL: https://threatpost.com/oracle-e-business-suite-flaw-allows-downloads-of-documents/126897/
Author: Michael Mimoso
Excerpt: “Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication. The vulnerability, CVE-2017-10244, was addressed in today’s quarterly Critical Patch Update, but given the critical apps and data moving through the suite, and the potential downtime required to patch, it’s unknown how long it would take for the bulk of installations to be updated and the risk be mitigated completely.”

-----

Title: Apple patches BroadPwn bug in iOS 10.3.3
Date Published: July 20 2017
URL: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/
Author: Tom Spring
Excerpt: “Apple released iOS 10.3.3 Wednesday, which serves as a cumulative update that includes patches for multiple vulnerabilities including the high-profile BroadPwn bug that allowed an attacker to seize control of a targeted iOS device. BroadPwn was revealed earlier this month as a flaw in Broadcom Wi-Fi chipsets used in Apple and Android devices. Apple said the vulnerability affected the iPhone 5 to iPhone 7, the fourth-generation iPad and later versions, and the iPod Touch 6th generation.”

-----

Here are this week’s noteworthy security bulletins:

1) ESB-2017.1765 – ALERT [Win] Cisco WebEx extensions: Execute arbitrary code/commands – Remote with user interaction
https://portal.auscert.org.au/bulletins/49958
WebEx is one of the most widely used meeting and collaboration tools in use today. If you use the Google Chrome or Firefox WebEx extension on Windows, upgrade as soon as possible. This vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected browser on the affected system.

2) ESB-2017.1767 – ALERT [UNIX/Linux][BSD][RedHat] freeradius: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49966
FreeRADIUS is a Remote Authentication Dial In User Service (RADIUS) server. It provides centralised authentication and authorization for many Fortune 500 companies and ISPs. It is also widely used for enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam. A remote attacker could crash the FreeRADIUS server, or execute arbitrary code in the context of the FreeRADIUS server process, by sending a specially crafted request packet. For more information see the article we referenced earlier.

3) ASB-2017.0121 – ALERT [Appliance][Solaris] Oracle Sun Systems: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/50066
If you have Oracle Sun Solaris systems in your environment, we advise patching as soon as possible to mitigate the Shadow Brokers EASYSTREET vulnerability (CVE-2017-3632). This easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to completely take over the system.

4) ASB-2017.0106 – ALERT [Win][UNIX/Linux] Oracle E-Business Suite: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/50006
An easily exploitable vulnerability (CVE-2017-10244) allows an unauthenticated attacker with network access to retrieve any document stored in the suite with a single HTTP request.

5) ASB-2017.0104.2 – UPDATE ALERT [Win][UNIX/Linux] Oracle Fusion Middleware: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49998
This easily exploitable vulnerability (CVE-2017-10137) is rated CVSS 10.0 and allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in the takeover of Oracle WebLogic Server.

6) ESB-2017.1783 – [Apple iOS] Apple iOS: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/50118
Of interest is the BroadPwn vulnerability (CVE-2017-9417). An attacker within range of an iPhone, iPad or iPod touch may be able to execute arbitrary code on the Wi-Fi chip. See the article we referenced earlier for more information.

-----

Stay safe, stay patched and have a good weekend!

Danny


Week in review

AUSCERT Week in Review for 14th July 2017

14 Jul 2017

As Friday 14th July comes to a close, along with the monthly Microsoft Security Update, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Microsoft Patches 19 Critical Vulnerabilities in July Patch Tuesday Update
Date Published: July 12 2017
URL: http://www.esecurityplanet.com/endpoint/microsoft-patches-19-critical-vulnerabilities-in-july-patch-tuesday-update.html
Author: Sean Michael Kerner
Excerpt: “Microsoft released its latest monthly Patch Tuesday update on July 11, patching a total of 54 vulnerabilities, of which 19 were rated as critical. Microsoft’s HoloLens Virtual Reality (VR) technology received its first patch this month, for a critical remote code execution vulnerability identified as CVE-2017-8584. The vulnerability could have been triggered by an attack that sent a malicious WiFi packet to the HoloLens.”

-----

Title: The laws of Australia will trump the laws of mathematics: Turnbull
Date Published: July 14 2017
URL: http://www.zdnet.com/article/the-laws-of-australia-will-trump-the-laws-of-mathematics-turnbull/
Author: Chris Duckett and Asha McLean
Excerpt: “Regardless of what the laws of mathematics state around breaking into end-to-end encryption, the Australian government is determined to bring in laws that go against them, with the Prime Minister of Australia telling ZDNet that the laws produced in Canberra are able to trump the laws of mathematics. ‘The laws of Australia prevail in Australia, I can assure you of that,’ he said on Friday. ‘The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.’ On Friday, the government unveiled plans to introduce legislation this year that would force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.”

-----

Title: Let’s Encrypt Wildcard Certificates a ‘Boon’ for Cybercriminals, Expert Says
Date Published: July 12 2017
URL: http://www.securityweek.com/lets-encrypt-wildcard-certificates-boon-cybercriminals-expert-says
Author: Ionut Arghire
Excerpt: “The organization will be offering wildcard certificates free of charge via an upcoming ACME v2 API endpoint. Only base domain validation via DNS will be supported in the beginning, but the CA may explore additional validation options over time. Let’s Encrypt’s goal might be improved security and privacy for all users, but it doesn’t mean that its certificates can’t be misused. In March 2017, encryption expert Vincent Lynch revealed that, over a 12-month period, Let’s Encrypt issued around 15,000 security certificates containing the term PayPal for phishing sites.”

-----

Title: China orders complete block on VPNs to begin by February 2018
Date Published: 11 July 2017
URL: https://www.v3.co.uk/v3-uk/news/3013611/china-orders-complete-block-on-vpns-to-begin-by-february-2018
Author: Graeme Burton
Excerpt: “The Chinese government has ordered the country’s big-three telecoms and internet service providers, China Mobile, China Telecom and China Unicom, to completely block access to virtual private networks (VPNs) by February 2018 in the latest stage of its campaign to prevent web users from circumventing the ‘great firewall of China’.”

-----

Here are this week’s noteworthy security bulletins:

1) ESB-2017.1714 – ALERT [Win][UNIX/Linux] Apache Struts: Execute arbitrary code/commands – Remote/unauthenticated
https://portal.auscert.org.au/bulletins/49726
This new Apache Struts issue went largely unnoticed by mainstream media, despite proof-of-concept exploits being available and vulnerable servers being findable through a Google search. AUSCERT advises members to inform web developers and users to check whether their sites are vulnerable.

2) ESB-2017.1715 – [UNIX/Linux][Debian] xorg-server: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49730
This was another vulnerability that went largely unnoticed. Two security issues were discovered in the X.org X server, the worse of which leads to privilege escalation. Since the X server runs as root in most environments, this vulnerability could lead to a root compromise.

3) ESB-2017.1721 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49754
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. AUSCERT advises members to remove Adobe Flash if possible, and otherwise to keep Adobe products up to date.

4) ASB-2017.0100 – [Win] Microsoft Windows: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49782
Our hundredth ASB for 2017 is fittingly for Microsoft Windows and includes an unusual vulnerability: a critical remote code execution vulnerability in Microsoft’s HoloLens Virtual Reality (VR) technology. Refer to our first interesting article of the week for more details.

-----

Stay safe, stay patched and have a good weekend!

Danny


Blogs

How to check if your site is vulnerable to a POODLE attack

12 Jul 2017

Following the introduction of AUSCERT’s new Member Security Incident Notifications (MSINs), some members have asked us how they can confirm the accuracy of the POODLE reports. This is the incident type with the highest occurrence rate among AUSCERT members.

The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack can lead to decryption of HTTPS connections between clients and servers by exploiting a weakness in SSL 3.0 when cipher-block chaining (CBC) mode ciphers are enabled.

While we’re confident that our data sources are high quality, you can use the methods below to manually check your publicly facing services for POODLE exposure if you wish. If you believe the information we have provided in the report is incorrect then please let us know.

Manual methods for testing POODLE exposure

Qualys SSL Labs test

Note that as at 23 September 2015, the information contained in the SSL Labs report requires careful analysis to interpret correctly. The “Summary” section may indicate “This server uses SSL 3, which is obsolete and insecure” when a POODLE attack is possible. Later in the report a line entry may indicate “POODLE (SSLv3): No, mitigated” if the service supports a secure protocol upgrade (the TLS_FALLBACK_SCSV signalling value, which lets a client that supports newer protocols refuse a downgrade to SSL 3.0). However, since this relies upon the client correctly negotiating one of the secure protocols, the service should still be considered vulnerable to POODLE attacks.

OpenSSL and nmap

Use the command-line OpenSSL client and an nmap scan to attempt a connection using SSL 3.0 and to enumerate the available ciphers. The OpenSSL command only checks whether SSLv3 is enabled; nmap returns all ciphers offered under SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. OpenSSL can also be used to check each individual cipher (with its -cipher option), but that takes more time.

~$ openssl s_client -ssl3 -connect your.domain.here:443

A successful handshake indicates that SSL 3.0 is enabled and that a POODLE attack is possible. Note that the OpenSSL client itself must have been built with SSLv3 support; recent distributions ship OpenSSL without it, in which case the command fails regardless of what the server does, and you should rely on the nmap check instead.

~$ nmap --script ssl-enum-ciphers -p 443 your.domain.here

A server should be considered vulnerable to a POODLE attack if CBC ciphers are offered under SSLv3. Please note that the names of some CBC ciphers, for example AES128-SHA and AES256-SHA in OpenSSL’s naming, don’t mention CBC, but their presence still indicates a POODLE-vulnerable service. If no CBC ciphers are offered under SSLv3 then the service is not vulnerable to POODLE, but the ciphers SSL 3.0 can offer instead, such as RC4, have weaknesses of their own.

As you’ll already be aware, there is no fix for SSL 3.0 itself, so disabling SSL 3.0 support is the most viable solution currently available. This means that even with up-to-date patches applied, it is possible to fail a POODLE vulnerability scan if SSL 3.0 is still enabled.

References and additional information

https://www.us-cert.gov/ncas/alerts/TA14-290A
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://www.ssllabs.com/ssltest
https://www.tinfoilsecurity.com/blog/how-to-fix-poodle-and-why-you-are-probably-still-vulnerable
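When you have a fleet of hosts to check, the nmap output above is easier to act on if the "CBC under SSLv3" rule is applied automatically. The following is an added example, not AUSCERT tooling or part of nmap: a Python script that parses `ssl-enum-ciphers` output and applies exactly the rule described above. The two scan results embedded in it are constructed to look like nmap's layout (a server with SSL 3.0 still on, and the same server after it is disabled) and are not real scans. The cipher classification accepts both the IANA names nmap prints (TLS_RSA_WITH_AES_128_CBC_SHA) and the OpenSSL names the text uses (AES128-SHA), relying on the fact that every block-cipher suite SSL 3.0 can negotiate runs in CBC mode, since the AEAD modes only exist from TLS 1.2.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 host` output for a
# server that still accepts SSLv3 with CBC suites; not a real scan result.
SAMPLE_VULNERABLE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Constructed sample for the same server after SSL 3.0 has been disabled.
SAMPLE_FIXED = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A
"""

PREFIX_RE = re.compile(r"^\|_? ?")                 # strip nmap's "| " / "|_ " margin
PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3]):$")


def parse_nmap_ciphers(output):
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers output.
    Relies on the script's indentation: protocol at 2, section at 4, suites at 6."""
    suites, proto, section = {}, None, None
    for raw in output.splitlines():
        if not raw.startswith("|"):
            continue
        body = PREFIX_RE.sub("", raw)
        indent = len(body) - len(body.lstrip(" "))
        text = body.strip()
        if indent == 2 and PROTO_RE.match(text):
            proto, section = text[:-1], None
            suites[proto] = []
        elif indent == 4 and proto is not None:
            section = text.split(":")[0]           # "ciphers", "compressors", ...
        elif indent == 6 and proto is not None and section == "ciphers":
            suites[proto].append(text.split()[0])  # drop "(rsa 2048) - C"
    return suites


# Anything with one of these in its name is a stream cipher, an AEAD mode or a
# NULL cipher; every other SSLv3/TLS1.0 suite is a block cipher in CBC mode.
NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA", "NULL")


def is_cbc_cipher(name):
    """True for block-cipher suites in CBC mode, under IANA names
    (TLS_RSA_WITH_AES_128_CBC_SHA) or OpenSSL names (AES128-SHA, DES-CBC3-SHA)."""
    upper = name.upper()
    return "CBC" in upper or not any(m in upper for m in NON_CBC_MARKERS)


def poodle_exposure(output):
    """Return (sslv3_enabled, cbc_suites_under_sslv3).
    The service is POODLE-exposed when the second element is non-empty."""
    by_proto = parse_nmap_ciphers(output)
    cbc = [c for c in by_proto.get("SSLv3", []) if is_cbc_cipher(c)]
    return "SSLv3" in by_proto, cbc


if __name__ == "__main__":
    for label, scan in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        enabled, cbc = poodle_exposure(scan)
        print(f"{label}: SSLv3 enabled={enabled}, CBC suites under SSLv3={cbc}")
```

In practice you would feed the script the saved output of `nmap --script ssl-enum-ciphers -p 443 -oN scan.txt your.domain.here` rather than the embedded samples. A host where `poodle_exposure` reports SSLv3 enabled but no CBC suites is still one you want to fix, for the reasons given above; the script only tells you which finding applies.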


Member information

A guide to AUSCERT Member Security Incident Notifications: MSIN

11 Jul 2017

Introduction

As part of its ongoing efforts to enhance member services, AUSCERT has launched its Member Security Incident Notification (MSIN) service.

What’s an MSIN?

An MSIN is a daily, customised, composite security report targeted at AUSCERT member organisations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms.

Daily
MSINs are issued daily, but only to a member for which at least one incident report has been detected within the past 24-hour period. If there are no incidents to report, you will not receive an MSIN. It follows that the more security incidents spotted for your organisation, the more incident reports are included, and the larger the MSIN you receive.

Customised
MSINs are tailored for each member organisation, based on the IPs and domains provided. To receive accurate and useful MSINs, it’s important you keep this information updated (see FAQ).

Composite
Each MSIN could potentially consist of multiple incident type reports. For example, it could contain an Infected Hosts report, which highlights hosts belonging to a member organisation that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack.

Each incident type report could also include multiple incident reports. For example, this “infected hosts” report contains two incidents (the IP addresses and hostnames shown are placeholders):

Incidents Reported

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       123.456.789.abc
    Drone Port:                     13164
    Drone Hostname:                 abc.xxx.xxx.xxx.au
    Command and Control IP:         aaa.bbb.ccc.ddd
    Command and Control Hostname:   imacnc1.org
    Command and Control Port:       80
    Malware Type:                   redyms

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       321.654.987.cba
    Drone Port:                     2343
    Drone Hostname:                 def.xxx.xxx.xxx.au
    Command and Control IP:         ddd.eee.fff.ggg
    Command and Control Hostname:   imacnc2.org
    Command and Control Port:       123
    Malware Type:                   dyre

All timestamps are in UTC. It is imperative that these incidents be reviewed and handled individually.

Structure

An MSIN has the following basic structure.

==================HEADING FOR INCIDENT TYPE 1==============

Incident Type
    Name of the incident and any known exploited vulnerabilities and associated CVEs.

Incident Description
    Further information on potential attack vectors and impacts.

Incidents Reported
    List of individual reports sighted by AUSCERT:
    Incident report 1
    Incident report 2
    …
    Incident report n

AUSCERT recommended mitigations
    Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future.

References
    Links to resources referenced within the report.

Additional Resources
    Links to additional material such as tutorials, guides and whitepapers relevant to the report, aimed at enhancing the recipient’s understanding of the addressed vulnerabilities, potential impacts and mitigation techniques.

=============================END OF REPORT=========================

=====================HEADING FOR INCIDENT TYPE 2====================

Incident Type
Incident Description
Incidents Reported
    Incident report 1
    Incident report 2
    …
    Incident report n
AUSCERT recommended mitigations
References
Additional Resources

=============================END OF REPORT=========================

…
…

=====================HEADING FOR INCIDENT TYPE X====================
=============================END OF REPORT=========================

Frequently Asked Questions

How can I update domain/IP information for my organisation?
If you are a Primary AUSCERT contact, simply write to AUSCERT Membership at membership@auscert.org.au and provide the updated information. If you have a privileged account in the Member portal you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organisation’s ownership or control prior to including them in the monitoring list.

Where does the information in an MSIN come from?
AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and these third parties entails conditions which prevent disclosure of the source(s) of information.
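Because a busy day can put many incidents for the same host into one MSIN, the “Incidents Reported” block is worth parsing rather than reading by hand. The following is an added example, not AUSCERT code and not a published MSIN parser: a Python script that splits an “infected hosts” block laid out as above into one record per incident, converts the UTC timestamps and ports into typed values, and then folds repeated sightings of the same internal host into one ticket so that each host is still handled individually while nothing is dropped. The sample block is constructed for the example using RFC 5737 documentation addresses and made-up hostnames; the per-host grouping is our own practical choice for feeding a ticketing system, not an MSIN requirement.

```python
import re
from datetime import datetime

# Constructed sample in the layout of an MSIN "Incidents Reported" block
# (RFC 5737 documentation addresses and invented hostnames; not a real MSIN).
# The first and third records are the same internal host seen twice.
SAMPLE_INCIDENTS = """\
Incidents Reported

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       192.0.2.10
    Drone Port:                     13164
    Drone Hostname:                 host-a.example.edu.au
    Command and Control IP:         198.51.100.5
    Command and Control Hostname:   cnc1.example.net
    Command and Control Port:       80
    Malware Type:                   redyms

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       192.0.2.11
    Drone Port:                     2343
    Drone Hostname:                 host-b.example.edu.au
    Command and Control IP:         198.51.100.6
    Command and Control Hostname:   cnc2.example.net
    Command and Control Port:       123
    Malware Type:                   dyre

    Timestamp:                      2015-08-25T03:15:00+00:00
    Drone IP:                       192.0.2.10
    Drone Port:                     40112
    Drone Hostname:                 host-a.example.edu.au
    Command and Control IP:         198.51.100.5
    Command and Control Hostname:   cnc1.example.net
    Command and Control Port:       80
    Malware Type:                   redyms
"""

# "Key name:   value" lines; the key is letters and spaces up to the first colon,
# so a timestamp's own colons stay in the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")


def parse_incidents(text):
    """Split an 'Incidents Reported' block into one dict per incident.
    A new record starts at every 'Timestamp:' line. Timestamps become aware
    datetimes (MSIN timestamps carry +00:00, i.e. UTC) and ports become ints."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                                  # heading or blank line
        key, value = m.group(1), m.group(2)
        if key == "Timestamp":
            current = {}
            records.append(current)
            value = datetime.fromisoformat(value)     # keeps the +00:00 offset
        elif current is None:
            continue                                  # stray field before first record
        elif key.endswith("Port"):
            value = int(value)
        current[key] = value
    return records


def group_by_drone(records):
    """Fold repeated sightings of one internal host into a single ticket:
    {drone_ip: {hostname, malware (set), first_seen, last_seen, sightings}}."""
    tickets = {}
    for r in records:
        t = tickets.setdefault(r["Drone IP"], {
            "hostname": r["Drone Hostname"],
            "malware": set(),
            "first_seen": r["Timestamp"],
            "last_seen": r["Timestamp"],
            "sightings": 0,
        })
        t["malware"].add(r["Malware Type"])
        t["first_seen"] = min(t["first_seen"], r["Timestamp"])
        t["last_seen"] = max(t["last_seen"], r["Timestamp"])
        t["sightings"] += 1
    return tickets


if __name__ == "__main__":
    for ip, t in group_by_drone(parse_incidents(SAMPLE_INCIDENTS)).items():
        print(f"{ip} ({t['hostname']}): {t['sightings']} sighting(s) of "
              f"{', '.join(sorted(t['malware']))}, "
              f"{t['first_seen'].isoformat()} to {t['last_seen'].isoformat()}")
```

The records keep the field names exactly as they appear in the MSIN, so a ticket can quote the original evidence (C&C address and port, malware family) when it is handed to the team that owns the host.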


Member information

AUSCERT Bulletin Formats

11 Jul 2017

AUSCERT Bulletin Formats AUSCERT sends out two forms of bulletin – AUSCERT Security Bulletins (or ‘ASB’s) and External Security Bulletins (or ‘ESB’s). Previously, there were four types of bulletin – External Security Bulletins (ESB), AUSCERT Advisories (AA), AUSCERT Alerts (AL) and AUSCERT Updates (AU). The new two-type system allows a simpler differentiation between bulletin types – ASB’s are written in-house, referencing information available that may not have a current coherent source, while ESB’s are bulletins written by other vendors that we have summarised and re-released. Both ASBs and ESBs contain ‘header information’ that quickly summarise the contents and allow readers to determine important information at a glance. Document Titles and Subject Lines Bulletin titles (which is also used as the subject line of mailouts) are formatted to indicate basic information in as short a format as possible. The titles include the AUSCERT bulletin ID (for instance ASB-2009.0001 or ESB-2009.0123), revision number if applicable (eg. ESB-2009.0123.2) and an ‘ALERT’ flag if the contents of the bulletin are time critical or reference an actively exploited vulnerability. Titles also include a list of ‘environment’ tags that list operating systems or hardware types the vulnerability affects. Unless the vulnerability is very specific this will usually only contain operating system families such as Windows ([Win]) and Linux ([Linux]). The rest of the title is either the product or publisher along with the most severe impact of the vulnerability. In the case of a bulletin regarding multiple vulnerabilities this will be replaced with ‘Multiple Vulnerabilities’. 
For instance, previously what might have been sent out with a subject line of: (AUSCERT AL-2009.0000) [Win] Critical vulnerabilities in ImportantProgram may result in data loss would now have a subject line like: ESB-2009.0000 – ALERT [Win] ImportantProgram: Delete arbitrary files – Remote/unauthenticated or ESB-2009.0000 – ALERT [Win] ImportantProgram: Multiple vulnerabilities Bulletin Header Since more information is now included in the bulletin title the header will only include the bulletin ID, date and a short descriptive sentence. In the case of ESBs, this is often the subject of the original bulletin. Bulletin Summary The bulletin summary is an index of the important information in the bulletin. Both ESBs and ASBs contain a summary, although some fields may only be found in one type. A description of each field is below. Product The product field gives the names and version numbers of products affected by the bulletin. The product may be an operating system, in which case no Operating System field will be given. Both ESBs and ASBs will have a Product field. Publisher Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. Often this is an operating system vendor (like Microsoft or Red Hat), but it may be another security team or research group. Operating System This field gives a list of operating systems or operating system families that are affected by the vulnerability. The operating systems themselves are not affected by the vulnerability, but the program that is affected will run on those operating systems. Platform A rarely used field, platform will specify particular architectures (eg i386, SPARC) that are affected by this vulnerability in a similar fashion to the Operating System field. In order to be brief, the Platform field will only be used if the architectures affected is a subset of the architectures that the operating systems affected run on. 
Impact and Access Previously separate as two fields, the Impact and Access matrix list the impacts of the vulnerabilities along with the associated access required to exploit them. Impact Values There are several predefined values for the Impact. The values and their meanings are below. Root Compromise The root account in a Unix or Linux based system can be accessed. This is a serious issue and may result in an attacker taking complete control of the affected machine. Administrator Compromise An administrator account (for instance within Windows or within an administration application) can be accessed. This is a serious issue and may result in an attacker taking over the affected machine. Note that in Windows this may also be a compromise of the SYSTEM account. Execute Arbitrary Code/Commands An attacker can execute commands beyond what is usually possible. This can include machine code, interpreted code such as Java or Javascript or SQL. Increased Privileges An attacker can increase their privilege level on the affected system. This may allow them to gain normal user access to a machine they should have no access to, or allow them to access the data or privileges of another user on the system. Access Privileged Data An attacker can read (and possibly write) data on the system that would otherwise be protected by a security measure. The attacker may not be able to perform any other action or gain the use of the priveleges they would otherwise require to view this content. Modify Permissions An attacker can add or remove permissions from an object. This may allow them to deny access to a valid user, or allow them to access something they would otherwise be blocked from. Modify Arbitrary Files An attacker can read, write or delete arbitrary files. The files they can access may be limited. Overwrite Arbitrary Files An attacker can replace the contents of arbitrary files. 
This may lead to a denial of service if important system files are replaced, or allow further access. Create Arbitrary Files An attacker can create files that they would otherwise not be allowed to. This may be leveraged to perform other attacks or gain access. Delete Arbitrary Files An attacker can delete files. This may allow a denial of service, or weaken existing defenses and allow further attacks. Cross-site Scripting A specific form of code execution, cross-site scripting may allow an attacker to inject their own HTML into an affected site’s code. This is not restricted to public facing websites – an attacker may be able to insert code that is activated when an administrator examines logs or uses some other administrative interface. Denial of Service An attacker can block access to resources from legitimate users. This may include causing a program to crash or freeze and not recover, causing an entire system to crash or simply using up all of the resource (for instance network bandwidth). Website Defacement A specific form of Modify Arbitrary Files, this impact allows an attacker to change a website. The change may not be obvious – an attacker might use such a vulnerability to spread malware to visitors of the affected site. Provide Misleading Information An attacker may be able to force a program or protocol to produce incorrect information. This may be to hide an attacker’s activity or trick a user into performing an unsafe action. Read-only Data Access An attacker may be able to read data they would otherwise not have access to. This may include files, segments of memory or network traffic. Access Confidential Data An attacker may be able to access data that would otherwise be hidden or inaccessible. This differs from Access Privileged Data in that the data may not be directly protected by access restrictions, but is still important. 
For instance, if a vulnerability allowed access to credit card details before those details were protected or deleted, that would be Access Confidential Data.

Unauthorised Access
An attacker is able to access data in a way that is otherwise disallowed. This is a more generic version of the other access-based impacts.

Reduced Security
A catch-all impact: the security level of the systems involved is weakened. This is used when the exact impact is unknown, or if the impact doesn’t match any of the others.

Access Values

There are several possible values for the access required to exploit a vulnerability. Generally, the less access required, the worse the vulnerability.

Remote/Unauthenticated
The only access required is that a connection can be made to the affected system.

Remote with User Interaction
The attacker requires no access themselves, but they need to trick a legitimate user into initiating the exploit (for instance by visiting a website or opening a file).

Existing Account
The attacker must have an existing user account on the system and must authenticate to exploit the vulnerability.

Console/Physical
The attacker must have direct physical access to the system. This is usually related to a vulnerability in a screen saver or other physical locking system.

Unknown/Unspecified
No access information is currently known.

Resolution

The Resolution field gives a quick indication of how to protect against the vulnerability. The possible values are:

None
No resolution is currently available.

Patch/Upgrade
A patch or a new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch; third-party patches would be considered a mitigation.

Mitigation
There are mitigation steps available that may be used; however, there is no specific fix for the vulnerability.

Alternate Program
Another program with similar functionality is available that is not vulnerable.

CVE

This field lists any CVE identifiers that relate to this vulnerability. CVEs are an excellent way of tracking vulnerabilities that affect multiple products.

Reference

This field lists other AUSCERT bulletin IDs that are related to this vulnerability. These IDs should also appear as links at the top of the page so that related bulletins can be navigated to easily.

Bulletin URL

Only available in ESBs, this field lists the URLs of the original bulletin source. Often the original bulletin will have further links and information that might be of use.

Bulletin Versioning

If new information becomes available regarding a bulletin we have already released, we will update the information on our website and may resend the bulletin if the information is important. Previously only the most recent version of a bulletin was available on our website; now previous versions will be available as attachments to the current version.

Updates will have a version number appended to the bulletin ID. For instance, the second version of ESB-2009.0000 is ESB-2009.0000.2. After an update is done, the original version will be renamed to ESB-2009.0000.1.

If a new version is considered to contain important information, the bulletin will be resent with an extra tag of ‘UPDATE’ in the subject line. For bulletins that were already tagged with ‘ALERT’, this will become ‘UPDATED ALERT’.

Example

An example bulletin under the new system is below.
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.0001
A critical vulnerability in ImportantProgram may allow code execution
16 April 2009
===========================================================================

AUSCERT Security Bulletin Summary
---------------------------------

Product:           ImportantProduct
Publisher:         ExamplePublisher
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Patches Available: Yes
CVE Names:         CVE-2009-0000

Original Bulletin: http://www.example.com/example?id

--------------------------BEGIN INCLUDED TEXT--------------------

This is an example bulletin. Normally the details of the vulnerability and how to fix it would be here.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
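To show how the Summary block of a bulletin in this layout can be consumed programmatically (for example to feed a ticketing system or to sort bulletins by how little access an attacker needs), here is an added Python example. It is not AUSCERT's code; the sample bulletin text inside it is constructed to mirror the example above, with a ".2" version suffix and a second CVE added so that the versioning rule and multi-value fields are exercised, and the ordering in least_access_required follows the "less access required is worse" rule described above.

```python
"""Parse the Summary block of an AUSCERT-style bulletin into structured data.

Added example, not AUSCERT's own code. SAMPLE is constructed to mirror the
example bulletin on the page; it uses a '.2' version suffix to show the
versioning rule (ESB-2009.0001 -> ESB-2009.0001.2) and a second CVE so that
multi-value fields are exercised.
"""
import re

SAMPLE = """\
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0001.2
     A critical vulnerability in ImportantProgram may allow code execution
                               16 April 2009
===========================================================================

        AUSCERT Security Bulletin Summary
        ---------------------------------

Product:           ImportantProduct
Publisher:         ExamplePublisher
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Patches Available: Yes
CVE Names:         CVE-2009-0000 CVE-2009-0001

Original Bulletin: http://www.example.com/example?id

--------------------------BEGIN INCLUDED TEXT--------------------
This is an example bulletin.
--------------------------END INCLUDED TEXT--------------------
"""

ID_RE = re.compile(r"^(ESB|ASB)-(\d{4})\.(\d{4})(?:\.(\d+))?$")
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?):\s+(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Access values from least to most access required; the page's rule is that
# less access required means a worse vulnerability.
ACCESS_ORDER = [
    "Remote/Unauthenticated",
    "Remote with User Interaction",
    "Existing Account",
    "Console/Physical",
    "Unknown/Unspecified",
]


def parse_bulletin_id(bulletin_id):
    """'ESB-2009.0001.2' -> ('ESB', 2009, 1, 2); an ID with no suffix is version 1."""
    m = ID_RE.match(bulletin_id.strip())
    if not m:
        raise ValueError(f"not a bulletin ID: {bulletin_id!r}")
    kind, year, seq, version = m.groups()
    return kind, int(year), int(seq), int(version) if version else 1


def parse_bulletin(text):
    """Return the bulletin ID, its version and the Summary fields as a dict."""
    raw, current, in_summary, bulletin_id = {}, None, False, None
    for line in text.splitlines():
        stripped = line.strip()
        if "BEGIN INCLUDED TEXT" in line:
            break                                  # summary block is over
        if "AUSCERT Security Bulletin Summary" in line:
            in_summary = True
            continue
        if not in_summary:
            if ID_RE.match(stripped):              # the ID sits in the header
                bulletin_id = stripped
            continue
        if not stripped or stripped.startswith("---"):
            continue
        m = FIELD_RE.match(line)
        if m:                                      # "Key: value" line
            current = m.group(1).strip()
            raw[current] = [m.group(2).strip()]
        elif current and line.startswith(" "):     # indented continuation line
            raw[current].append(stripped)
    if bulletin_id is None:
        raise ValueError("no bulletin ID found in header")
    kind, year, seq, version = parse_bulletin_id(bulletin_id)
    impacts = []
    for entry in raw.get("Impact/Access", []):     # "impact -- access" pairs
        impact, _, access = entry.partition("--")
        impacts.append((impact.strip(), access.strip()))
    return {
        "id": bulletin_id, "type": kind, "year": year,
        "sequence": seq, "version": version,
        "product": " ".join(raw.get("Product", [])),
        "publisher": " ".join(raw.get("Publisher", [])),
        "operating_system": " ".join(raw.get("Operating System", [])),
        "impacts": impacts,
        "patches_available": " ".join(raw.get("Patches Available", [])).lower() == "yes",
        "cves": CVE_RE.findall(" ".join(raw.get("CVE Names", []))),
        "original_bulletin": " ".join(raw.get("Original Bulletin", [])),
    }


def least_access_required(impacts):
    """Return the access value needing the least access among the impact pairs."""
    ranks = [ACCESS_ORDER.index(a) for _, a in impacts if a in ACCESS_ORDER]
    return ACCESS_ORDER[min(ranks)] if ranks else None


if __name__ == "__main__":
    b = parse_bulletin(SAMPLE)
    print(b["id"], "version", b["version"], "CVEs", b["cves"])
    print("least access required:", least_access_required(b["impacts"]))
```

The parser stops at the BEGIN INCLUDED TEXT marker on purpose: everything after it is the vendor's text, which has no fixed layout and should not be mistaken for summary fields.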

Week in review

AUSCERT Week in Review for 7th July 2017

7 Jul 2017

As Friday 7th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: Westpac joins Swift blockchain test
Date Published: 06/07/2017
URL: https://www.itnews.com.au/news/westpac-joins-swift-blockchain-test-467746
Author: Staff Writers
Excerpt: “Second Aussie bank after ANZ to take part. Westpac has become the second Australian bank to join a proof-of-concept by payment messaging service Swift that aims to test blockchain for facilitating cross-border payments. It is one of 22 global banks to join the PoC today, adding to the six foundational banking participants, one of which is ANZ Bank.”

-----

Title: Microsoft to cut ‘thousands’ of jobs
Date Published: 07/07/2016
URL: http://www.bbc.com/news/business-40523172
Author: BBC
Excerpt: “Microsoft is to cut “thousands” of jobs worldwide as it attempts to beef up its presence in the cloud computing sector. The technology giant wants to strengthen its cloud computing division but is facing intense competition from rivals such as Amazon and Google.”

-----

Title: Australia stuck with higher cost of deploying FttP: NBN Co
Date Published: 06/07/2017
URL: https://www.itwire.com/telecoms-and-nbn/78880-australia-stuck-with-higher-cost-of-deploying-fttp-nbn-co.html
Author: Peter Dinham
Excerpt: “NBN Co, the builder of the national broadband network, has moved to defend the higher costs of deploying fibre-to-the-premises in Australia and “set the record straight” on recent media claims about the local cost of FttP compared to other operators around the world.”

-----

Title: Ukrainian police seize computers that spread global NotPetya attack
Date Published: 05/07/2017
URL: http://www.itworld.com/article/3205810/malware/ukrainian-police-seize-computers-that-spread-global-notpetya-attack.html
Author: Peter Sayer
Excerpt: “Ukraine’s Cyber Police have intervened to prevent further cyberattacks in the wake of last week’s global attack, initially considered to be ransomware and called by various names including NotPetya.”

-----

Title: Govt blames Medicare card breach on ‘traditional’ crims
Date Published: 04/07/2017
URL: https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502
Author: Allie Coyne
Excerpt: “Not wide-scale, and no IT breach, says minister. The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.”

Here are this week’s noteworthy security bulletins:

1) ESB-2017.1655 – [SUSE] Xen: Multiple vulnerabilities 2017-06-30
https://portal.auscert.org.au/bulletins/49486
Quite a few Xen vulnerabilities; if you are running Xen it is time to check for updates.

2) ESB-2017.1659 – [Debian] libgcrypt20: Unauthorised access – Existing account 2017-07-03
https://portal.auscert.org.au/bulletins/49510
Side channel attacks are getting rather popular.

3) ESB-2017.1676 – [SUSE] sudo: Root compromise – Existing account 2017-07-05
https://portal.auscert.org.au/bulletins/49570
Regression fix for CVE-2017-1000368; this has been repeated in a few products.

4) ESB-2017.1682 – [Win][UNIX/Linux] samba: Denial of service – Remote/unauthenticated 2017-07-06
https://portal.auscert.org.au/bulletins/49594
Remote Samba denial of service; that has to be able to affect a lot of people.

-----

Stay safe, stay patched and have a good weekend!

Peter

Blogs

Phone scams targeting a variety of organisations in the Health industry

7 Jul 2017

AUSCERT has recently received numerous reports of phone scams targeting a variety of organisations in the Health industry. The exact nature of the unsolicited calls varies but has included conference and event invites, training sessions, and attempts to confirm personal details of the callee or of others in the organisation. The callers have claimed to be associated with various groups, including GE Healthcare (who have been alerted to this), NEOH and the called organisation itself. Organisations should also be aware that fraudsters claiming to be from various GE businesses (including public reports of criminals using the name of GE Healthcare) often commit recruitment fraud and may do so as part of this activity.

While phone scams such as these are ever present, this recent spate of reports received specifically from the Health industry suggests a current need for increased awareness amongst Health industry organisations.

AUSCERT encourages members to review their staff’s current security awareness in relation to phone scams and to consider alerting staff to this current activity. Guidelines for staff should include what steps to take when receiving unsolicited calls, the type of information that can and cannot be provided, and any reporting guidelines. AUSCERT recommends that staff are encouraged to report unsolicited or suspicious calls so that organisations can monitor for concerted attacks; AUSCERT has received reports of numerous calls to the same organisation (and individual) over a very short period of time. Information on what to do should also be provided for staff who have been defrauded or who have provided personal or organisational information.

Useful resources include:
https://www.scamwatch.gov.au/
https://www.staysmartonline.gov.au/
http://www.fairtrading.nsw.gov.au/ftw/Businesses/Scams/Business_scams

To help gauge how widespread this activity is, AUSCERT would appreciate any feedback from organisations that have been targeted.

Major security incidents

Wannacry ransomware incident

30 Jun 2017

[For a short version of this alert, please read just the THREAT and RECOMMENDED ACTION sections below]

UPDATE 1: Microsoft has published a blog post that will serve as their centralised resource for these attacks [10], and has made patches available for previously unsupported systems. There is now no reason NOT to patch: “we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download” [10]

UPDATE 2: See the APPENDIX for scripts to find vulnerable systems in your network and to identify infected systems in your network.

UPDATE 3: See the INTRODUCTION for an update on affected organisations and information on the malware’s operational aspects. See the RECOMMENDED ACTIONS section for additional information on applying IOCs.

UPDATE 4: A WannaCry in-memory key recovery for Windows XP document has been released. [17]

INTRODUCTION

An ongoing widespread ransomware worm attack has occurred against organisations in approximately 150 countries. AUSCERT has not received any local reports of such attacks at the moment. Confirmed reports of WannaCry infections have been received from countries in the APAC region; Indonesia is the closest such example, with healthcare organisations being targeted. Attacks have been reported against the NHS, University of Waterloo, Nissan in the UK, the Interior Ministry, banks and railroads in Russia, Telefonica users in Spain, German Rail, a mall in Singapore and ATMs in China, among others. The attacks do not appear to target any particular industry sectors. [1, 14]

The worm component of the malware launches the EternalBlue exploit against Windows hosts vulnerable to CVE-2017-0144. This achieves privilege escalation and remote code execution on the target host. The worm then proceeds to download the ransomware component. The DoublePulsar exploit is launched to install a backdoor on infected hosts, thereby gaining persistent access.
Analyses flag encrypted files carrying different extensions: encrypted files are renamed to “.wnry”, “.wcry”, “.wncry” and “.wncrypt”, likely due to variants of the ransomware. The ransomware targets files with the following extensions:

.123,.3dm,.3ds,.3g2,.3gp,.602,.7z,.ARC,.PAQ,.accdb,.aes,.ai,.asc,.asf,.asm,.asp,.avi,.backup,.bak,
.bat,.bmp,.brd,.bz2,.cgm,.class,.cmd,.cpp,.crt,.cs,.csr,.csv,.db,.dbf,.dch,.der,.dif,.dip,.djvu,.doc,.docb,
.docm,.docx,.dot,.dotm,.dotx,.dwg,.edb,.eml,.fla,.flv,.frm,.gif,.gpg,.gz,.hwp,.ibd,.iso,.jar,.java,.jpeg,
.jpg,.js,.jsp,.key,.lay,.lay6,.ldf,.m3u,.m4u,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mp3,.mp4,
.mpeg,.mpg,.msg,.myd,.myi,.nef,.odb,.odg,.odp,.ods,.odt,.onetoc2,.ost,.otg,.otp,.ots,.ott,.p12,
.pas,.pdf,.pem,.pfx,.php,.pl,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.ps1,
.psd,.pst,.rar,.raw,.rb,.rtf,.sch,.sh,.sldm,.sldx,.slk,.sln,.snt,.sql,.sqlite3,.sqlitedb,.stc,.std,.sti,.stw,
.suo,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.vb,.vbs,.vcd,.vdi,.vmdk,
.vmx,.vob,.vsd,.vsdx,.wav,.wb2,.wk1,.wks,.wma,.wmv,.xlc,.xlm,.xls,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.zip

RECOMMENDED ACTIONS

AlienVault’s Open Threat eXchange (OTX) has a number of threat indicators. [2] (A zip file of the threat indicators is available for download at the end of this publication: wannacry_ioc.zip.) Members are strongly advised to apply these threat indicators, which include:

1. Domains
In general, domains should be blocked outbound, as these represent C&C servers to which the ransomware attempts to connect. However, among these are two domains that are kill switches for the ransomware. If infected hosts can resolve these domains, the malware exits and propagation ceases. The domains are iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It is advisable not to block outbound traffic to these sinkholed domains, because they can help identify infected hosts. Caution: updated malware is likely to omit or amend the kill-switch feature.

2. Remote IPs/ports
Apply blocks/checks in ACLs, IPS/IDS and network firewalls, both inbound and outbound. The IPs represent C&C servers for the ransomware, additional resource download URLs and Bitcoin payment sites.

3. Hostnames
Same as above.

4. File paths
Applied to a host IDS and/or integrity checkers, these help identify known files dropped by the ransomware.

5. Registry keys
Applied to a host IDS and/or integrity checks, these can help identify creation or modification of registry keys by the ransomware.

6. Snort
Applied to IDS/IPS, helps detect EternalBlue exploit activity.

7. Yara
YARA signature(s) to detect the presence of the ransomware on hosts. [15]

8. BTC
Known Bitcoin wallet addresses that are used to receive ransom payments. Outbound traffic to these URLs could help identify infected hosts attempting payment. The accessed URLs will be of the form: https://blockchain.info/address/ + BTC wallet

9. File hashes (MD5, SHA1, SHA256)

Network security devices such as IDS/IPS, SIEMs and firewalls should be tuned to block these domains, IPs and hostnames, both inbound and outbound. Host IDSs should be tuned to monitor Windows hosts for changes involving the indicated file paths and file hashes.

The malware targets a remote code execution vulnerability in SMB (CVE-2017-0144). This vulnerability was addressed in Microsoft’s update MS17-010. [3] All Windows hosts that have not already been patched should be patched immediately to address this vulnerability. (See the AUSCERT Security Bulletin.) [4]

Organisations that are unable to patch certain systems, for example hospitals operating specialised equipment, are advised to consider implementing private VLANs to isolate such systems. This would help prevent lateral movement.
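As an added illustration of the domain and file-hash indicators above being applied to logs (not AUSCERT's code and not the OTX pulse), the following Python example runs a small IOC set over constructed DNS resolver log lines and a constructed host file inventory. It treats a query for one of the two kill-switch domains named above as a "probable infection" rather than as a clean result, since that lookup only happens on a host where the worm has already run, and it keeps C&C lookups as a weaker "suspicious" signal. The kill-switch domains are the ones from the alert; the C&C domains, SHA-256 values, file paths, host addresses and log lines are placeholders constructed for the example.

```python
"""Apply a WannaCry-style IOC set to constructed DNS resolver logs and a host
file inventory, and produce per-host verdicts.

Added example, not AUSCERT's code and not the OTX pulse. The two kill-switch
domains are the ones named in the alert; every other indicator, log line,
path and hash below is a constructed placeholder.
"""
import re
from collections import defaultdict

# Kill-switch domains named in the alert. An internal host querying one of them
# has run the worm's sinkhole check, so it is a probable infection even if the
# lookup succeeded and the malware then exited.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# Constructed C&C domains and file hashes (placeholders, not real indicators).
CC_DOMAINS = {"c2-example-placeholder.invalid", "payment-example-placeholder.invalid"}
BAD_SHA256 = {"0" * 63 + "1", "0" * 63 + "2"}

# Constructed resolver log: "<timestamp> <client_ip> query <name> <rcode>"
DNS_LOG = """\
2017-05-13T08:01:02Z 10.0.5.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13T08:01:03Z 10.0.5.17 query www.example.com NOERROR
2017-05-13T08:02:10Z 10.0.7.44 query c2-example-placeholder.invalid NXDOMAIN
2017-05-13T08:03:55Z 10.0.9.3 query IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-13T08:04:00Z 10.0.5.17 query payment-example-placeholder.invalid NOERROR
this line is malformed and must be skipped
"""

# Constructed host inventory: {host: {path: sha256}}.
INVENTORY = {
    "10.0.7.44": {"C:\\example\\dropped.exe": "0" * 63 + "1"},
    "10.0.2.2": {"C:\\example\\clean.exe": "f" * 64},
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def normalise(name):
    """Lower-case and drop the trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return name.lower().rstrip(".")


def scan_dns_log(text):
    """Return {client_ip: {"kill_switch": [...], "c2": [...]}} for hosts that hit an IOC."""
    hits = defaultdict(lambda: {"kill_switch": [], "c2": []})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # malformed line, skip it
        ts, client, name, _rcode = m.groups()
        name = normalise(name)
        if name in KILL_SWITCH_DOMAINS:
            hits[client]["kill_switch"].append((ts, name))
        elif name in CC_DOMAINS:
            hits[client]["c2"].append((ts, name))
    return dict(hits)


def scan_inventory(inventory):
    """Return [(host, path)] for every file whose hash is in the IOC set."""
    return [(host, path)
            for host, files in inventory.items()
            for path, digest in files.items()
            if digest.lower() in BAD_SHA256]


def triage(text, inventory):
    """Combine both checks into a per-host verdict a responder can act on.

    A confirmed hash match outranks a DNS-only observation, and a kill-switch
    lookup outranks a C&C lookup, because the kill-switch check only runs on a
    host where the worm has already executed.
    """
    verdicts = {}
    for host, h in scan_dns_log(text).items():
        if h["kill_switch"]:
            verdicts[host] = "probable infection: kill-switch lookup observed"
        elif h["c2"]:
            verdicts[host] = "suspicious: C&C lookup, inspect host"
    for host, path in scan_inventory(inventory):
        verdicts[host] = f"confirmed: known-bad file hash at {path}"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(DNS_LOG, INVENTORY).items()):
        print(host, "->", verdict)
```

Normalising names before matching matters in practice: resolver logs often record a trailing dot or mixed case, and a naive string comparison would miss exactly the kill-switch lookups the alert says are the most useful signal. Because the caution above notes that later variants may drop the kill switch, the absence of such a lookup is never treated as evidence that a host is clean.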
ADDITIONAL RECOMMENDATIONS

MS-ISAC has issued an advisory addressing the remote code execution vulnerabilities in SMB Server that are currently being used to propagate the WannaCry ransomware. MS-ISAC has provided the following recommendations to mitigate the vulnerabilities:

“Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.
Apply the Principle of Least Privilege to all systems and services.” [5]

AUSCERT recommends the following measures to mitigate the risk of exposure:

- Anti-virus signatures should be updated immediately.
- If patching is not possible, make a business decision to disable SMB. [6]
- Block SMB traffic from all but necessary and patched systems (firewall ports 445/139).
- Segment your networks.
- Disable or restrict Remote Desktop Protocol (RDP) access; see http://support.eset.com/kb3433/#RDP
- A Snort rule for ETERNALBLUE was released by Cisco as part of the “registered” rule set. Check for SID 41978. [7]
- Emerging Threats has an IDS rule that catches the ransomware activity (ID: 2024218). [8]

AUSCERT has compiled a list of indicators of compromise based on analyses conducted by external parties. [11-13] AUSCERT will continue to issue additional alerts as and when new information becomes available.

POST-INFECTION

For ransomware, prevention is the best possible outcome. However, if a ransomware infection has occurred, consider the following measures:

1. Immediately isolate the infected host from the network to prevent lateral movement.
2. Submit samples of infected files to Crypto Sheriff. This might help identify a decryptor to recover encrypted files. [16]

REFERENCES:

[1] http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/
[2] https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/
[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[4] https://portal.auscert.org.au/bulletins/45238
[5] https://msisac.cisecurity.org/advisories/2017/2017-024.cfm
[6] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
[7] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/
[8] https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
[9] https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
[10] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[11] https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
[12] https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
[13] https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/
[14] https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
[15] https://blog.malwarebytes.com/threat-analysis/2013/10/using-yara-to-attribute-malware/
[16] https://www.nomoreransom.org/crypto-sheriff.php
[17] https://github.com/aguinet/wannakey

APPENDIX

Please read the DISCLAIMER [17] before using these scripts.

IDENTIFICATION OF VULNERABLE SYSTEMS

To detect systems on a network (x.x.x.x/xx) that are vulnerable (i.e. that are not patched to mitigate MS17-010), a Python script is available: https://github.com/RiskSense-Ops/MS17-010

This is a standalone version of the corresponding Metasploit detection module: https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010

Ubuntu installation/usage:

$ sudo apt-get install prips
$ wget https://github.com/RiskSense-Ops/MS17-010/raw/master/scanners/smb_ms17_010.py
$ prips x.x.x.x/xx | xargs -l1 python ./smb_ms17_010.py

# If the above script is too slow, you can identify just the Windows servers in your network
# with the nbtscan tool and pass only those to smb_ms17_010.py <ip>.
$ sudo apt install nbtscan
$ nbtscan x.x.x.x/xx

IDENTIFICATION OF INFECTED SYSTEMS

To detect systems on a network (x.x.x.x/xx) that are already infected (by virtue of the DOUBLEPULSAR malware also being installed as part of the worm), another detection script is available.

Ubuntu installation/usage:

$ pip install netaddr --user
$ git clone git@github.com:countercept/doublepulsar-detection-script.git
$ cd doublepulsar-detection-script/
$ python detect_doublepulsar_smb.py --net x.x.x.x/xx

REVISION HISTORY

Version  Published      Changes
1.0      13th May 2017  Original version published
2.0      13th May 2017  Update 1: Microsoft issues out-of-band patches
3.0      14th May 2017  Update 2: Appendix added
4.0      15th May 2017  Update 3: Additional campaign-related information, Indicators of Compromise and reference resources. Post-infection section added
5.0      17th May 2017  Update 4: WannaCry in-memory key recovery for WinXP released

AUSCERT Team

[17] DISCLAIMER

AUSCERT has made every effort to ensure that the information provided is accurate and the advice is appropriate based on the information we have received. However, the decision to use or rely upon the information or advice is the responsibility of each organisation and should be considered in accordance with your organisation’s site policies and procedures. AUSCERT takes no responsibility for adverse consequences which may arise from following or acting on the information or advice provided.

Attached Documents: wannacry_ioc.zip

Week in review

AUSCERT Week in Review for 30th June 2017

30 Jun 2017

Hope you all have had a chance to investigate the new website. Please email us at auscert@auscert.org.au or call 07 3365 4417 with any questions or concerns about the new website.

As Friday 30th June comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Title: The Petya ransomware is starting to look like a cyberattack in disguise
Date Published: 28/06/2017
URL: https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
Author: Russell Brandom
Excerpt: “The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.”

-----

Title: Google Slapped With Record $3.6 Billion Fine In Europe For Manipulating Shopping Results
Date Published: 28/06/2017
URL: https://www.gizmodo.com.au/2017/06/google-slapped-with-record-3-6-billion-fine-in-europe-for-manipulating-shopping-results/
Author: Matt Novak
Excerpt: “Yesterday, government regulators in Europe hit Google with a record 2.42 billion fine, roughly the equivalent of $3.5 billion. The search engine company was found to be manipulating search results to favour its own shopping service, a violation of antitrust laws. And if it doesn’t fix the problem within 90 days it faces an additional 12.5 million ($18.7 million) fine per day.”

-----

Title: Defence launches ‘Information Warfare Division’
Date Published: 30/06/2017
URL: https://www.computerworld.com.au/article/621324/defence-launches-information-warfare-division/
Author: George Nott
Excerpt: “The Australian Defence Force is launching a new Information Warfare Division responsible for electronic warfare, the government announced today.”

-----

Title: Turnbull government continues push against online encryption ahead of Five Eyes meeting
Date Published: 26/06/2017
URL: http://www.news.com.au/technology/online/security/turnbull-government-continues-push-against-online-encryption-ahead-of-five-eyes-meeting/news-story/cae2303d24bcfe90cf3d490083c208e9
Author: Nick Whigham and AAP
Excerpt: “AUSTRALIA will be leading the discussion on an encrypted technology crack down when ministers meet with Five Eyes nations to talk terror prevention. Leaders from Australia, the United States, United Kingdom, Canada and New Zealand will meet in the Canadian city of Ottawa where they will discuss tactics to combat terrorism and the spread of extremism.”

-----

Title: Qld ex-cop charged with 44 counts of database snooping
Date Published: 28/06/2017
URL: https://www.itnews.com.au/news/qld-ex-cop-charged-with-44-counts-of-database-snooping-466817
Author: Allie Coyne
Excerpt: “The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’s core crimes database 44 times over six years without authorisation.”

Here are this week’s noteworthy security bulletins:

1) ESB-2017.1639 – [Ubuntu] Kernel: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49422
USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. That is a lot of regressions 🙁

2) ESB-2017.1643 – [Win] OpenSource Apache Struts: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49438
Struts is in all sorts of products.

3) ESB-2017.1644 – [Appliance] Cisco IOS and IOS XE Software: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49442
Root compromise; that is significant.

4) ESB-2017.1602 – [Win][Linux][AIX] IBM Java SDK: Multiple vulnerabilities
https://portal.auscert.org.au/bulletins/49270
Oh no, not Java vulnerabilities.

-----

Stay safe, stay patched and have a good weekend!

Peter
