Publications

AUSCERT Week in Review for 13th April 2018 Greetings, Happy Friday the 13th all! Well, Cisco’s Smart Install protocol vulnerability that potentially leads to Remote denial of service and code execution attacks, now has a publicly available exploit. So get fixing it! AUSCERT members exposed to this vulnerability will receive MSINs addressing the issue.  Microsoft had 5 security updates addressing it’s browsers, Windows OS and Office products. None had known publicly available exploits at the time. Then, there’s the lighter side of things, like PUBG ransomware (PUBG doesn’t stand for pub games unfortunately). It requires victims to play Player Unknown’s Battleground for 1 hour to decrypt it, but wait, there’s more! Read on. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Researchers discovered several flaws that expose electrical substations to hack Date Published: 12/04/2018 Author: Pierluigi Paganini, Security Affairs Excerpt: “By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment.”   The most severe vulnerability (rated high severity), tracked as CVE-2018-4840 can be exploited by a remote and unauthenticated attacker to modify the device’s configuration and overwrite access passwords.   “The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. ” reads the security advisory published by Siemens.   The second flaw, tracked as CVE-2018-4839, is a medium severity issue that could be exploited by a local or network attacker to recover the access authorization password by intercepting network traffic or obtaining data from the targeted device. Once the attacker has obtained the password he can use it to gain complete access to a device.” —– Title: Health holds crown as the most breached sector in Australia Date Published: 11/04/2018 Author: Asha McLean, ZDNet Excerpt: “The Quarterly Statistics Report: January 2018-March 2018 revealed that health service providers accounted for 15 breaches; legal, accounting, and management services suffered 10; finance, including superannuation, reported eight breaches; education suffered six; and charities four.   The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm” as soon as practicable after becoming aware of a breach.   According to the OAIC report [PDF], 73 percent of eligible data breaches reported involved the personal information of less than 100 individuals, with just over half of the notifications involving the personal information of between one and nine individuals.” —– Title: Barracuda Threat Spotlight: New URL File Outbreak Could be a Ransomware Attempt Date Published: 10/04/2018 Author: Jonathan Tanner, Barracuda Excerpt: “Multiple downloaders, malicious apps that download further malicious apps to infected devices, have made it onto the Google Play Store. The downloaders are capable of downloading further apps that pose as system apps, some of which are capable of stealing Facebook login credentials. To do so, the malicious apps use social engineering tactics to trick victims into giving them up.” —– Title: PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown’s Battlegrounds Date Published: 09/04/2018 Author: Lawrence Abrams, Bleeping Computer Excerpt: “Once a user plays the game and the process is detected, the ransomware will automatically decrypt the victim’s files.  This ransomware is not too advanced as it only looks for the process name and does not check for other information to confirm that the game is actually being played. That means you can simply run any executable called TslGame.exe and it will decrypt the files. This is not the first time a joke ransomware has been created that requires you to play a game before files will be encrypted. In 2017, MalwareHunterTeam also found RensenWare, which required you to play the TH12 Game and score .2 billion points in order to get recover your files.” —- Title: Major uptick in mobile phishing URL click rate Date Published: 10/04/2018 Author: HelpNet Security Excerpt: “Phishing attacks are particularly effective on mobile devices because hidden email headers and URLs make it easy to spoof email addresses and websites while new vectors, including SMS and messaging apps, enable attackers to make their campaigns personal. “It’s critical for enterprises to realize that when it comes to mobile devices, email is not the only phishing attack vector,” said Cockerill. “Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.”” Here are this week’s noteworthy security bulletins: 1) ESB-2018.1122 – [Cisco] Cisco IOS and IOS XE: Multiple vulnerabilities Leading the way is this advisory from Cisco addressing multiple vulnerabilities in its Smart Install Client and related protocol that can be exploited to result in Remote code execution or denial of service. An exploit is publicly available. Immediate patching is highly advised. 2) ESB-2018.1080 – [Win][Linux][OSX] Adobe Flash Player: Multiple vulnerabilities More code execution vulnerabilities fixed in Adobe Flash Player. 3) ASB-2018.0075.2 – UPDATE [Win] Microsoft Windows: Multiple vulnerabilities This update for Microsoft Windows addressed a number of vulnerabilities including a two-year old privilege escalation vulnerability that affects Windows 10 as well. Stay safe, stay patched, stay cool and have a good weekend! Nicholas

Russia, diplomacy and potential repercussions in Australian cyberspace Background We recently witnessed the “largest expulsion of Russian diplomats” by 27-odd countries in support of the UK, following the attempted murder of a Russian double agent on British soil. Russia in turn directed threats of retaliatory action to the countries involved, including Australia. Australia has signalled intent to boycott the World Cup, which will be held in Russia this year. With the Gold Coast Commonwealth Games on right now, that may be just be sufficient cause for Russian “cyber activists” to direct some nasty traffic our way.   Russia’s track record of using cyber attacks in support of its political agenda [1] 2007, Estonia. Large scale DDoS attack.            Triggered by planned relocation of a Russian World War 2 memorial. 2008, Lithuania. Government site defacements.            Triggered by the Lithuanian government banning display of Soviet symbols. 2008, Georgia. Internal communications shutdown.            Triggered by Georgia sending troops to reclaim a breakaway republic supported by Russia. This was followed by a Russian military invasion. 2009, Kygyzstan. DDoS against two ISPs.            Triggered by the need to exert pressure on the government to evict a US military base. It worked! 2009, Kazhakstan. DDoS on media outlet.            Triggered by release of an article that was critical of Russia. 2009, Georgia. DoS of Twitter and Facebook in Georgia.            Triggered by the first anniversary of the invasion of  Georgia! 2014, Ukraine. DoS on Ukrainian election commission.            Triggered by attempts to create chaos in support of the pro-Russian candidate. 2015, Germany. Compromise of German Bundestag.            Triggered by an attempt to retrieve information on German and NATO leaders. 2015, Holland – Pull out reports on MH17 investigation. 2015, USA. Compromise of Democratic Party computers.            Triggered by attempts to undermine elections. 2016, Finland. Compromise of Finnish foreign ministry computers. 2016, Germany. Emerging claims of malicious activity being conducted by Russian hackers to discredit incumbent chancellor, Angela Merkel.   Increasing confidence The above sequence indicates an increasingly confident nation state, reaching further and deeper into foreign spheres to satisfy its political agenda. One common thread in all the above attacks is an attempt to highlight weaknesses in the targeted country’s government and/or commercial infrastructure. Even stealthy attacks, once exposed to the media, serve to question the security posture of the victim nation.  While the above list contains all the acts attributed to Russia, other nation states, such as North Korea have also been attributed with malicious acts against other nations. Perhaps most significant in the context of the Commonwealth Games is the “Olympic Destroyer” [2] malware that was deployed against South Korea during the Pyeongchang winter Olympics. This malware was capable of permanently damaging computer systems employed in the games.   What does this mean for us? Possibly a two prong approach: Noisy hacktivist type attacks Government website defacements (e.g. foreign ministry) Commonwealth games site defacement Denial of Service attacks against Commonwealth Games infrastructure (similar to Olympic Destroyer) Stealthy attacks Advanced Persistent Threats (APTs) to obtain sensitive data from Government and commercial entities Harvesting Commonwealth Games visitor information (which the Gold Coast City Council admitted doing, by collecting user’s Facebook accounts when they connect to the high-speed public Wi-Fi network) How can we protect ourselves? Tune preventive controls to indicators of exploit traffic, DDoS traffic, and APTs. Have a DDoS response plan. [3] Watch for acts of cyber-aggression against countries threatened with retaliation as a potential indicator of elevated threats again Australia Don’t use unprotected public Wi-Fi networks (or “protected” public Wi-Fi networks). If you absolutely must, use encrypted chat channels and mail clients for communication. Elevated monitoring of Industrial Control System processes and infrastructure for anomalous behaviour. Read Security bulletins for the latest vulnerabilities affecting devices and software in your environment that might be exploited, and take necessary measures to patch them based on a risk-based prioritisation schedule   References https://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111 http://blog.talosintelligence.com/2018/02/olympic-destroyer.html https://zeltser.com/ddos-incident-cheat-sheet/  

AUSCERT Week in Review for 6th April 2018 AUSCERT Week in Review6 April 2018 Greetings, As Friday the 6th of April closes, kernel updates and Spectre Meltdown patches looks to be an ongoing source of bulletins.  On the note of patches, it seems that Easter was the time of giving, with PSIRTs providing all their Easter gifts over the long weekend, resulting in a solid volume of bulletins this week. At least the onslaught of patches was expected, of sorts, and an impact that is expected loses most of its sting.Perhaps this is the same for EU’s GDPR and the expected impact of businesses dealing with Europe.  It could be that the implementation of the Privacy Act Amendment here in Australia may have provided the impetus for concerned companies about assessing their processes and risks in using and storing private information. As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:   Intel admits a load of its CPUs have Spectre v2 flaw that can’t be fixedURL:    http://www.theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/Date:   4th April 2018Author: Simon Sharwood Excerpt:“Intel has issued fresh “microcode revision guidance” that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it’s too tricky to remove the Spectre v2 class of vulnerabilities. The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. “Stopped” indicates there will be no microcode patch to kill off Meltdown and Spectre.” ——- Title:  The EU’s General Data Protection Regulation, explainedURL:    https://www.cnet.com/how-to/gdpr-eu-general-data-protection-regulation-explained/Date:   4th April 2018Author: Justin Jaffe Excerpt:“The European Union is raising the standards — and stakes — of personal data privacy. In May 2018, the General Data Protection Regulation (GDPR), will take effect and change the rules of the road for companies that collect, store or process large amounts of user information. That means you, Facebook.” ——- Title:   GDPR is Not a Ticking Timebomb for Huge FinesURL:     https://www.infosecurity-magazine.com/opinions/gdpr-timebomb-huge-fines/Date:    5th April 2018Author:  Jason Coggins Excerpt:“One of the biggest misconceptions that organizations have is that if an incident occurs then you will automatically be faced with a fine. I was reading a blog written by Elizabeth Denham of the ICO recently, and she made the point that fines are a last resort. The point of GDPR is to ensure fair and proportionate (proportionate being the operative word here) action is taken against those that fail to meet the agreed standards. There are warnings, recommendations and finally fines for those worst-case scenarios.” ——- Title:  Facebook: It wasn’t 50M hit by Cambridge Analytica breach, but rather 87MURL:    https://arstechnica.com/tech-policy/2018/04/facebook-now-says-87-million-people-affected-by-cambridge-analytica-breach/Date:   5th April 2018Author: Cyrus Farivar and Sean Gallagher Excerpt:“At the end of a lengthy piece, authored by Facebook CTO Mike Schroepfer, the company said simply: “In total, we believe the Facebook information of up to 87 million people—mostly in the US—may have been improperly shared with Cambridge Analytica.” Last month, the British data analytics contractor which worked with Donald Trump’s presidential campaign retained private data from 50 million Facebook users despite claiming to have deleted it. The scandal has spawned numerous lawsuits, and it has put significant pressure on Cambridge Analytica and Facebook.” ——- Title:  CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AVURL:    https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/Date:   4th April 2018Author: Lawrence Abrams Excerpt:“Windows has a built-in program called CertUtil, which can  be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax “certutil.exe -urlcache -split -f [URL] output.file”.”——- Title:  Researchers Hijack Over 2,000 Subdomains From Legitimate Sites in CloudFront ExperimentURL:    https://www.bleepingcomputer.com/news/security/researchers-hijack-over-2-000-subdomains-from-legitimate-sites-in-cloudfront-experiment/Date:   5th April 2018Author: Catalin Cimpanu Excerpt:“Experts found that CloudFront’s CDN routing mechanism that linked a site’s domain and subdomains to a specific server contained a flaw that allowed attackers to point misconfigured subdomains to their own endpoint instead, effectively hijacking the subdomain from legitimate CloudFront users.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ASB-2018.0066 – [Win] Microsoft Windows: Administrator compromise – Existing account https://portal.auscert.org.au/bulletins/60506 Windows 7 and 2008 server ulnerable to a Windows Kernel Elevation of Privilege Vulnerability. 2.    ESB-2018.0999 – [Win] Microsoft Malware Protection Engine: Administrator compromise – Remote with user interactionhttps://portal.auscert.org.au/bulletins/60678 A remote code execution vulnerability patched in the Microsoft Malware Protection Engine. 3.    ESB-2018.0967 – [Mac] High Sierra: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60546 A malicious application may be able to execute arbitrary code with kernel privileges. 4.    ESB-2018.1040 – [Appliance] Moxa MXview: Access privileged data – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/60850 The private key of the web server is able to be read and accessed via an HTTP GET request. 5.    ESB-2018.1042 – [RedHat] python-paramiko: Execute arbitrary code/commands – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/60862 A customized SSH client can simply skip the authentication step. — Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 29th March 2018 AUSCERT Week in Review29 March 2018 Greetings, As Thursday the 29th of March closes, there are a few things on the AUSCERT’s team’s mind.First and foremost is the two (2) days of AUSCERT Conference at the Gold Coast on Thursday May 30, and Friday June 1st.  Equally important is that the registration for the AUSCERT tutorials that precede the conference is out and remember that tutorials are complimentary for anyone who holds a Full Conference Registration. You can find further information on each of the tutorials via https://conference.auscert.org.au/conference-program/  The conference is a big event but there is also another big event at the Gold Coast which may draw unwanted interest from spammers. This is the GC2018 Commonwealth Games.  So making your users aware that spammers may make the most of events and craft emails in ways that entice them to open attachments or follow link, could be worth the while. And to make a difference, on the first hour of the last day of the week, instead of the last hour of the last day of the week, Drupal Core has a patch available where by they expect the PoC to come out “hours or days” after the disclosure.  So I do hope you got the SMS from AUSCERT’s Bulletin service this morning.   As for news, here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: ——- Title:  Drupal Fixes Drupalgeddon2 Security Flaw That Allows Hackers to Take Over SitesURL:    https://www.bleepingcomputer.com/news/security/drupal-fixes-drupalgeddon2-security-flaw-that-allows-hackers-to-take-over-sites/Date:   March 28, 2018Author: Catalin Cimpanu Excerpt:“The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they’re running.The Drupal team pre-announced today’s patches last week when it said “exploits might be developed within hours or days” after today’s disclosure” ——- Title:  Don’t get hacked during the Games  URL:    https://www.technologydecisions.com.au/content/security/news/don-t-get-hacked-during-the-games-634148475Date:   March 23, 2018 Author: Technology Decisions Excerpt:“It is expected that the Gold Coast Commonwealth Games will attract high levels of cybercrime, with businesses urged to stay alert for the possibility…Potential attacks to be aware of during the 2018 Commonwealth Games include: o hacks through public Wi-Fi hotspots that will be available throughout the Games; o email-based spear phishing campaigns that trick people into divulging personal information or clicking on links that release malware into their systems; o hacked social media and business websites; o point-of-sale attacks that let cybercriminals obtain credit card details; o ransomware attacks that prey on the time-sensitive nature of Games-related activities to force victims to pay higher ransoms, fast; o fraudulent invoices and payment details.”“——- Title:  In-Browser Cryptojacking Is Getting Harder to DetectURL:    https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/Date:   March 27, 2018Author: Catalin Cimpanu Excerpt:“Cyber-criminals aren’t stupid. If you find a way to block their code, they’re going to find a way to around your block.That’s how it’s been for decades in the antivirus business, and this is exactly what’s happening right now on the in-browser cryptocurrency mining (cryptojacking) scene…” ——- Title:  Intel CPUs Vulnerable to New ‘BranchScope’ AttackURL:    https://www.securityweek.com/intel-cpus-vulnerable-new-branchscope-attackDate:   March 27, 2018 Author: Eduard Kovacs Excerpt:“Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.” ——- Title:  Crooks infiltrate Google Play with malware in QR reading utilitiesURL:    https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/Date:   March 23, 2018Author: Paul Ducklin Excerpt:“…First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; one was a so-called “smart compass”.In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d be inclined to judge them by their own descriptions.Second, the crooks didn’t fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.” ——- Title:  Thousands of etcd installations are currently leaking 750MB worth of passwords, keys, and sensitive data.URL:    http://securityaffairs.co/wordpress/70611/hacking/etcd-installs-data-leak.htmlDate:   March 25, 2018Author: Pierluigi Paganini Excerpt:“Thousands of servers belonging to private businesses and organizations are leaking credentials and potentially sensitive data.It is quite easy for hackers to use the credentials to access the servers and steal sensitive data or use the machines to power cyber attacks.According to the researcher Giovanni Collazo, querying the popular Shodan search engine he found almost 2,300 servers exposed online that were running etcd, which is a distributed key value store that provides a reliable way to store data across a cluster of machines.” ——- Title:  Facebook Collected Call and SMS Metadata From Some Users’ SmartphonesURL:    https://www.bleepingcomputer.com/news/technology/facebook-collected-call-and-sms-metadata-from-some-users-smartphones/Date:   March 24, 2018Author: Catalin Cimpanu Excerpt:“Several Facebook users who downloaded an archive of their Facebook data in the wake of the Facebook-Cambridge Analytica scandal discovered this week that the social network’s mobile applications have been recording —in some cases— much more information than most people were expecting. Logged information includes data on all phone calls made on the phone, the start time o each call, its duration, and the contact’s name. The Facebook app did not log phone calls to and from numbers not saved in the phone’s address book.” ——- Here are this week’s noteworthy security bulletins (in no particular order): 1.    ESB-2018.0844 – [SUSE] kernel: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/60038 The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to receive various security and bugfixes including executing code. 2.    ESB-2018.0863 – [Win][UNIX/Linux][RedHat] slf4j: Execute arbitrary code/commands – Remote/unauthenticated https://portal.auscert.org.au/bulletins/60114 Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution. 3.    ESB-2018.0883 – [SUSE] LibVNCServer: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60198 Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code. 4.    ASB-2018.0063 – [Win][UNIX/Linux] Mozilla Firefox: Execute arbitrary code/commands – Remote with user interactionhttps://portal.auscert.org.au/bulletins/60158 Use-after-free in compositor results in a potentially exploitable crash. 5.    ESB-2018.0888 – [Win][UNIX/Linux][Debian][Apple iOS][Android] mupdf: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/60218 Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book viewer, which may result in denial of service or remote code execution. —And lastly for an even more up-and-coming event, a long four (4) day weekend looks nice, but beware little emails bearing easter eggs, and please get your Drupal site patched.   Wishing you the best from AUSCERT and hope to see you safe next week,Geoffroy

AUSCERT Week in Review for 23rd March 2018 Greetings! This week Cambridge Analytica and Facebook were a hot topic, so all I’d like toadd is a link to this Facebook blocklist that some may find useful: https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: —- Title: ‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower Date Published: Sun, 18 Mar 2018 Author: Carole Cadwalladr Excerpt: “For more than a year we’ve been investigating Cambridge Analytica and its links to the Brexit Leave campaign in the UK and Team Trump in the US presidential election. Now, 28-year-old Christopher Wylie goes on the record to discuss his role in hijacking the profiles of millions of Facebook users in order to target the US electorate.” —– Title: Don’t waste the Cambridge Analytica scandal: it’s a chance to take control of our data Date Published: Fri, 23 Mar 2018 Author: Scott Ludlam Excerpt:  “The real question is whether we are ready, collectively, to draw a line under surveillance capitalism itself, and start taking back a measure of control.” —– Title: 15-Year-old Finds Flaw in Ledger Crypto Wallet Date Published: Tues, 20 Mar 2018 Author: Brian Krebs Excerpt: “Rashid discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account(s) when the user goes to use it.” —– Title: Hackers ‘led warplanes to Syrian hospital’ after targeting British surgeon’s computer Date Published: Tues, 20 Mar 2018 Author: Hayley Dixon, Aisha Majid, and Steven Swinford Excerpt: “Now the International Committee of the Red Cross is to hold a meeting with staff to warn about the dangers of hacking, using Mr Nott’s fears as an example, it is understood. “Mr Nott said on Tuesday: “The thing that gets me is that we now cannot help doctors in war zones, if somebody is watching what we are doing and blows up the hospital then that is a war crime.” —– Title: Driverless cars and the 5 ethical questions on risk, safety and trust we still need to answer Date Published: Wed, 21 Mar 2018 Author: Ariel Bogle Excerpt: “Car manufacturers need to decide whether they want to reveal how cars are ethically programmed. Or whether their customers should even have a choice.” —– Title: Nine years on, Firefox’s master password is still insecure Date Published: Tue, 20 Mar 2018 Author: John E Dunn Excerpt: “Choosing an iteration count is a matter of balancing the inconvenience you’re prepared to inflict on users when they log in against the amount of obstruction you want to put in a password cracker’s way. “The good news is you don’t have to pick one iteration count and stick to it –you can increase the iteration count over time to keep pace with improvements in hardware. “Unfortunately, Palant noticed, Firefox performs just one iteration.” —– Title: What’s your availability? DoS attacks and more Date Published: Mon, 19 Mar 2018 Author: Mike Bursell Excerpt: “The attacks we’re talking about here are those most often overlooked: attempts to degrade the availability of a service. There’s an overlap with the related discipline of resilience here, but I think that the key differentiator is that in security we’re generally talking about intentional degradation of availability, whereas resilience also covers (and maybe focuses on) unintentional degradation.” —– Here are this week’s noteworthy security bulletins: 1) Drupal: Reduced security – Unknown/unspecified Drupal have announced a highly critical security release for Drupal 7 and 8 core. 2) Mozilla Firefox, Firefox ESR: Multiple vulnerabilities An out of bounds memory write in libvorbis and libtremor has caused critical vulnerabilities in Mozilla Firefox. 3) Tenable Nessus : Increased privileges – Existing account Installing Nessus to a directory outside of the default location could potentially allow local privilege escalation. 4) Geutebruck IP Cameras: Multiple vulnerabilities Several vulnerabilities in the firmware of Geutebruck IP Cameras have been patched. Stay safe, stay patched and have a good weekend! Charelle

AUSCERT Week in Review for 16th March 2018 AUSCERT Week in Review16 March 2018 Greetings, Another week is coming to a close and this week brought us many new vulnerabilities to remediate and patch. Samba released fixes for two vulnerabilities, one of which is terrifying if you run Samba as your AD as unprivileged authenticated users are able to change any other users’ passwords, including admin users, over LDAP. Microsoft fixed 74 security vulnerabilities, Mozilla fixed 18 vulnerabilities with their update to Firefox 59, and Adobe also fixed vulnerabilities in Flash player (as usual), Connect and Dreamweaver CC. The first public disclosure under the new Australian Mandatory Data Breach Notification scheme has been made public, shipping company Svizter Australia, revealed that details of its employees were leaked by email. According to OAIC it has received 31 notifications in the first three weeks of the scheme being in operation. To make this post a bit less grimm: The AUSCERT2018 Cyber Security Conference program is now live!! Be sure to register as soon as possible in order to secure your spots for the Tutorials! Many of them sell out extremely quickly. The Hak5 workshop is extremely popular, Darren and Sebastian always do an amazing job. https://conference.auscert.org.au/conference-program/ Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: First data breach publicised under Australian notice scheme Date: 16/03/2018 Author: Staff Writers @ itnews Excerpt: “Svizter reveals email leak. Shipping company Svizter Australia has revealed a data breach that saw the personal information of half of its employees leaked outside the company. Yesterday it revealed that up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts between May 27 2017 and March 1 this year.” ———– Title: Chinese Intelligence Agencies Are Doctoring the Country’s Vulnerability Database Date: 10/03/2018 Author: Catalin Cimpanu Excerpt: “Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future. The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.” ———– Title: Necurs and Gamut Botnets Account for 97% of the Internet’s Spam Emails Date:  Catalin Cimpanu Author: 12/03/2018 Excerpt: “Just two botnets accounted for 97% of all spam emails in the last three months of 2017, according to a McAfee report released earlier today. For most of these months, Necurs has spent its time churning out “lonely girl” spam lures for adult websites, pump-and-dump schemes [1, 2], and delivering ransomware payloads. Overall, nearly two out of three spam emails sent in the last quarter of 2017 were sent from the infrastructure of this mammoth botnet.” ———– Title: One in Five Healthcare Employees Would Be Willing to Sell Sensitive Data, Reveals Survey Date: 09/03/2018 Author: David Bisson Excerpt: “A new survey reveals that nearly one in five healthcare employees would be willing to sell confidential data to an unauthorized party. According to Accenture’s 2018 Healthcare Workforce Survey on Cybersecurity, 18 percent of employees that work at healthcare providers and payers would be willing to sell sensitive data to unauthorized individuals. Respondents from providers were more open to the idea of a sale than payers at 21 percent and 12 percent, respectively. Those willing to sell would generally expect to receive between $500 and $1,000 in the process. The threat of an unauthorized data sale is not theoretical in nature, either. Almost a quarter (24 percent) of respondents know of someone in their organization who has already sold off confidential information.” ———– Title: On AMD Flaws from CTS Labs Date: 13/03/2018 Author: Kevin Beaumont Excerpt: “On AMD Flaws from CTS Labs You may have seen media reports about flaws in AMD chipsets. AMD are currently reviewing the report, as they were given less than a day notice of vulnerabilities that CTS Labs claim put lives at risk (via their website, AMDflaws.com). This is a highly unusual and reckless disclosure of security flaws.” ———– And lastly, here are this week’s noteworthy security bulletins (in no particular order): ESB-2018.0731 – ALERT [Win][UNIX/Linux] samba: Multiple vulnerabilities On a Samba 4 AD DC any authenticated user can change other users’ passwords over LDAP, including the passwords of administrative users and service accounts. ESB-2018.0742 – [Win][Linux][Mac] Flash Player: Execute arbitrary code/commands – Remote with user interaction Two remote code execution vulnerabilities have been identified in Adobe Flash Player. ESB-2018.0746 – [Appliance] GE medical devices: Unauthorised access – Remote/unauthenticated Default and hard coded credentials for GE Medical Devices have been discovered. ASB-2018.0057.2 – UPDATE [Win][Linux][Android][Mac] Firefox: Multiple vulnerabilities 16 vulnerabilities have been fixed in Firefox’s latest version. ASB-2018.0059 – [Win][UNIX/Linux] Joomla!: Execute arbitrary code/commands – Existing account An SQL Injection vulnerability has been patched in Joomla! Stay safe, stay patched and have a good weekend! Ananda

AUSCERT Week in Review for 9th March 2018 Greetings, As Friday draws to a close, here are some of the more interesting Infosecstories we’ve seen this week: Title: Kali Linux for WSL now available in the Windows StoreDate Published: Mar 05 2018URL: https://blogs.msdn.microsoft.com/commandline/2018/03/05/kali-linux-for-wsl/Author: Tara RajExcerpt: “Our community expressed great interest in bringing Kali Linuxto WSL in response to a blog post on Kali Linux on WSL. We are happy toofficially introduce Kali Linux on WSL.” ——- Title: Vulnerability Affects Half of the Internet’s Email ServersDate Published: March 06 2018URL: https://www.bleepingcomputer.com/news/security/vulnerability-affects-half-of-the-internets-email-servers/Author: Catalin CimpanuExcerpt: “A critical vulnerability affects hundreds of thousands of emailservers. A fix has been released but this flaw affects more than half ofthe Internet’s email servers, and patching the issue will take weeks ifnot months.” ——- Title: BoM IT staffers questioned by police over cryptocurrency miningDate Published: March 08 2018URL: https://www.itnews.com.au/news/bom-it-staffers-questioned-by-police-over-cryptocurrency-mining-486546Author: Allie CoyneExcerpt: “Two IT workers within the Bureau of Meteorology have beenquestioned by police over the alleged use of the agency’s IT infrastructureto mine cryptocurrencies. AFP officers raided the bureau’s Melbourneheadquarters last Wednesday, as first reported by the ABC, and spoke withtwo of the agency’s IT workers.” ——- Title: APRA to give banks stricter cyber security rulesDate Published: Mar 07 2018URL: https://www.itnews.com.au/news/apra-to-give-banks-stricter-cyber-security-rules-486477Author: Allie CoyneExcerpt: “the Australian Prudential Regulation Authority (APRA) now wantsto create a dedicated prudential standard for cyber security to ensurefinancial services firms are keeping their systems secure against thelatest trends in attack.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0620 – [Debian] simplesamlphp: Multiple vulnerabilitiesSeveral vulnerabilities have been discovered in SimpleSAMLphp, aframework for authentication, primarily via the SAML protocol. 2) ESB-2018.0681 – ALERT [Virtual][Cisco] Cisco Prime Collaboration: Root compromise – Remote/unauthenticatedA hardcoded password in Cisco Prime Collaboration could allow attackers toaccess the underlying Linux operating system. 3) ESB-2018.0679 – [UNIX/Linux][FreeBSD] ntp: Multiple vulnerabilitiesVarious vulnerabilities in the ntp suite of programs can allow hackers toaffect the system clocks of hosts using these programs. Stay safe, stay patched and have a good weekend!Anthony

25 Years of AUSCERT AUSCERT celebrates 25 years today There has been a lot of growth in the industry since the original SERT (Security Emergency Response Team) was formed in 1993. Three Brisbane based universities formed the SERT originally, Queensland University of Technology, Griffith University and The University of Queensland. Originally the SERT was formed for several reasons. One was in response to Australia being recognised as a targeted geographical location for cyber security threats. Also, back in 1992, Australia was the origin of an increasing number of these attacks, which targeted overseas websites. Relationship building with international CERTs began at this time, with the CERT Coordination Centre in Pittsburgh and the DFNCERT team in Germany being incredibly vital to the growth of Australia’s first CERT. In the early days an exercise book was used to log all incoming calls, including wrong numbers. Indeed one of those original staff members, whose initials are inscribed in that book, is an AUSCERT employee today. AUSCERT began in name on the 1st April, 1994, this was made possible by a collaboration with AARNet, who at that time were quite new themselves, only having been in operation for several years. AUSCERT became a member organisation in the late nineties, and has since been funded by our members.   The AUSCERT team is driven by a passion to protect, assist and engage with the information security community. We will continue to provide first class threat intelligence, unique membership options and advice now, and in the future.  

AUSCERT Week in Review for 2nd March 2018 Greetings, This week saw Trustico revoke more than 20,000 SSL certificates it issued, gaining them the attention of the infosec community, who were quick to offer unsolicited, complimentary penetration testing services for their website. GitHub has achieved the dubious (but well-handled) honour of being the biggest DDoS recipient, taking the crown from Dyn – dealing with 1.35Tbps of traffic at its peak. This attack was made possible by a memcached UDP amplification attack. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been PwnedDate Published: 02 March 2018Author: Troy HuntExcerpt: “As of now, all UK government domains are enabled for centralised monitoring by the National Cyber Security Centre (NCSC) and all Australian government domains by the Australian Cyber Security Centre (ACSC).”   ——- 23,000 HTTPS certs will be axed in next 24 hours after private keys leakDate Published: 01 March 2018Author: John LeydenExcerpt: “This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.” ——- Financial Cyber Threat Sharing Group PhishedDate Published: 01 March 2018Author: Brian KrebsExcerpt: “The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.” ——- GitHub hit with largest ever DDoS attackDate Published: 02 March 2018Author: Allie CoyneExcerpt: “Developer platform Github has been hit with the most powerful distributed denial of service attack on record, managing to survive 1.35 Tbps of traffic flooded to its website relatively unscathed.” ——- Memcrashed – Major amplification attacks from UDP port 11211Date Published: 27 February 2018Author: Marek MajkowskiExcerpt: “Amplification attacks are effective, because often the response packets are much larger than the request packets. A carefully prepared technique allows an attacker with limited IP spoofing capacity (such as 1Gbps) to launch very large attacks (reaching 100s Gbps) “amplifying” the attacker’s bandwidth.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0571 – ALERT [Win][UNIX/Linux][Apple iOS][Android] SAML libraries: Multiple vulnerabilitiesSAML signature generation and parsing libraries did not standardise behaviour, and thus it was possible to use comments to gain valid SAML assertions they were not authorised for. 2) ESB-2018.0538.2 – UPDATE [Win][UNIX/Linux] Drupal Core: Multiple vulnerabilitiesA number of vulnerabilities in Drupal’s core modules have been fixed, including XSS vectors. 3) ESB-2018.0603 – [Linux][Debian] freexl: Multiple vulnerabilitiesA library for manipulating Excel data is vulnerable to RCE if given a maliciously malformed document.   Stay safe, stay patched and have a good weekend!Tim

AUSCERT Week in Review for 23rd February 2018 Greetings, I hope you all had a good week and can enjoy the upcoming weekend. This week, the Mandatory Data Breach Notification Scheme came into effect,and we have an informative blog entry regarding this on the AUSCERTwebsite at: https://wordpress-admin.auscert.org.au/blog/2018-02-22-mandatory-data-breach-notification-scheme Here’s a summary (including excerpts) of some of the more interestingstories we’ve seen this week: Tesla Internal Servers Infected with Cryptocurrency MinerDate Published: 20 Feb 2018https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-minerAuthor: Catalin CimpanuExcerpt: “Hackers have breached Tesla cloud servers used by the company’s engineers and have installed malware that mines the cryptocurrency.” ——- Null Character Bug Lets Malware Bypass Windows 10 Anti-Malware Scan InterfaceDate Published: Feb 19 2018https://www.bleepingcomputer.com/news/security/null-character-bug-lets-malware-bypass-windows-10-anti-malware-scan-interfaceAuthor: Catalin CimpanuExcerpt: “Malware that embeds a null character in its code can bypass security scans performed by the Anti-Malware Scan Interface (AMSI) on Windows 10 boxes.” ——- Internet of Babies – When baby monitors fail to be smartDate Published: Feb 21 2018https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.htmlAuthor: Mathias Frank / www.sec-consult.comExcerpt: “An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number over 52000 user accounts and video baby monitors are affected” ——- Until last week, you could pwn KDE Linux desktop with a USB stickDate Published: Feb 12 2018https://www.theregister.co.uk/2018/02/12/kde_naming_usb_drive_vulnAuthor: John LeydenExcerpt: “A recently resolved flaw in the KDE Linux desktop environment meant that files held on a USB stick could be executed as soon as they were plugged into a vulnerable device.” ——- Here are this week’s noteworthy security bulletins: 1) ESB-2018.0526 – [Virtual] Cisco Elastic Services Controller ServicePortal: Administrator compromise – Remote/unauthenticatedhttps://portal.auscert.org.au/bulletins/58722Administrator access allowed with empty password value! 2) ESB-2018.0494 – [UNIX/Linux][Debian] plasma-workspace: Execute arbitrarycode/commands – Console/physicalhttps://portal.auscert.org.au/bulletins/58594This describes the Debian 9 fix to the KDE USB vulnerability referred toin the Register’s article above. 3) ESB-2018.0541 – [Linux] IBM Security Guardium: Access privileged data –Existing accounthttps://portal.auscert.org.au/bulletins/58790We are still seeing Spectre fixes making their way into various products. 4) ESB-2018.0486 – [Apple iOS][Android] Schneider Electric IGSS Mobile:Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/58562Android and iOS application design and security issues are still veryprevalent.   Stay safe, stay patched and have a good weekend! Marcus.

Mandatory Data Breach Notification Scheme MANDATORY DATA BREACH NOTIFICATION SCHEME How it affects you   Introduction It’s official! The Notifiable Data Breaches scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be officially enforced from the 22nd of February 2018.   What is it? It is a legal obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.   Does my organisation need to comply? When do I need to report a data breach and how?        IF your organisation is described in “Entities covered by the NDB scheme”        AND        2. Your organisation collects, retains, handles and transmits ‘personal information’        AND        3. Your organisation has been subjected to an eligible data breach [4], and there are no applicable exceptions to notification obligations       THEN You need to complete assessing the suspected data breach within 30 calendar days of becoming aware of the suspected breach. A suggested three-step assessment procedure contains the following stages:        a. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it        b. Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and        c. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).        IF           reasonable evidence exists to believe an eligible data breach has occurred,        THEN You need to notify: a. Affected individuals b. The Australian Information Commissioner, by submitting a Notifiable Data Breach statement – Form available at https://www.oaic.gov.au/NDBform/.       2. The following information must be included in an eligible data breach statement:           a. the identity and contact details of the organisation           b. a description of the data breach           c. the kinds of information concerned and;           d. recommendations about the steps individuals should take in response to the data breach.      3. Special conditions for notification exist where the breached data is in the custody of more than one party.    An excellent resource covering this topic is available here.   Additional Resources https://www.youtube.com/watch?v=BZXzNLlW2vA   Legal AUSCERT has made every effort to ensure that the information contained on this web site is accurate. However, the decision to use or follow any information or advice referenced here is the responsibility of each user or organisation. The appropriateness of any information or advice for an organisation or individual system should be considered before application in conjunction with the organisation’s local policies and procedures. AUSCERT takes no responsibility for the consequences of applying or following the information or advice on this web site.

AUSCERT Week in Review for 16th February 2018 Greetings, Hopefully you have all had a rewarding and productive week.   As usual, there is always a deluge of new vulnerabilities and patches to consider.  Of course Microsoft’s “Patch Tuesday” this week added significantly to that. Please note that there is an Information Security Incident Response Planning workshop held next week in Melbourne with discounted member pricing and places still available: https://wordpress-admin.auscert.org.au/events/2018-02-21-melbourne-training-information-security-incident-response-planning Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title:  2 Billion Files Leaked in US Data Breaches in 2017Date Published:  15 Feb 2018Author: Tara SealsExcerpt:“Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.” —– Title:  Australian govt sites hijacked by crypto minerDate Published:  12 Feb 2018Author: Allie CoyneExcerpt:“More than 4000 Australian and global government websites have been hijacked to run the Coinhive crypto currency mining software after a popular accessibility tool was compromised by attackers.” —– Title: Australian Government attribution of the ‘NotPetya’ cyber incident to RussiaDate Published: 16 Feb 2018Author: The Hon Angus Taylor MP Minister for Law Enforcement and CybersecurityExcerpt:“The Australian Government has joined the governments of the United States and the United Kingdom in condemning Russia’s use of the ‘NotPetya’ malware to attack critical infrastructure and businesses in June 2017.” —– Here are this week’s noteworthy security bulletins: 1) ASB-2018.0047 – ALERT [Win] Microsoft Windows: Multiple vulnerabilities 2018-02-14Microsoft has released its monthly security patch update for the month of February 2018.  Most notable is an Administrator Compromise vulnerability. 2) ASB-2018.0046 – [Win] ChakraCore: Execute arbitrary code/commands – Remote with user interaction 2018-02-14ChakraCore from Microsoft has been patched for eleven (11) vulnerabilities all being remote code execution.   3) ASB-2018.0045 – ALERT [Win][Mac] Microsoft Office Services and Web Apps: Multiple vulnerabilities 2018-02-14Microsoft Office and Sharepoint similarly were patched for a variety of remote code execution, privilege escalations and information disclosures. 4) ASB-2018.0044 – ALERT [Win] Microsoft Edge: Multiple vulnerabilities 2018-02-14 Microsoft Edge was remediated for a number of vulnerabilities including remote code execution, information disclosure and security feature bypass. Stay safe, stay patched and have a good weekend! Marcus