Week in Review for 24th January 2020

The AusCERT team would like to wish all of you a relaxing Australia Day long weekend; and a Happy Lunar New Year to those who celebrate. A reminder that the auscert@auscert.org.au mailbox will not be monitored on Monday 27 January as it is a nationwide public holiday. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period.

Fraudsters impersonate Chinese consulate in scam targeting international students
Date: 2020-01-23
Author: ABC News

Police say scores of international students in Queensland have been stung in a scam where fraudsters impersonated the Chinese consulate and demanded thousands of dollars to avoid deportation.

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
Date: 2020-01-20
Author: ZDNet

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.
The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.
According to experts ZDNet spoke to this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.
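One defender-side check the Telnet item points to, as an added example that is not part of the original newsletter: parse login(1)-style syslog lines from a device and flag sources that repeatedly fail the Telnet login and then succeed, which is what a hit on a default or guessable password looks like from the device's side. The log lines are constructed and the message formats are assumed to match util-linux login(1); adjust the regexes for other firmware.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the article), in the shape util-linux
# login(1) writes for telnetd sessions: failures, then a success from the same source.
SAMPLE_LOG = """\
Jan 20 03:14:01 cam01 login[812]: FAILED LOGIN (1) on '/dev/pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Jan 20 03:14:03 cam01 login[812]: FAILED LOGIN (2) on '/dev/pts/0' from '198.51.100.7' FOR 'admin', Authentication failure
Jan 20 03:14:05 cam01 login[815]: FAILED LOGIN (1) on '/dev/pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Jan 20 03:14:06 cam01 login[815]: FAILED LOGIN (2) on '/dev/pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Jan 20 03:14:08 cam01 login[815]: FAILED LOGIN (3) on '/dev/pts/0' from '198.51.100.7' FOR 'support', Authentication failure
Jan 20 03:14:10 cam01 login[819]: LOGIN ON pts/0 BY root FROM 198.51.100.7
Jan 20 09:00:00 cam01 login[900]: FAILED LOGIN (1) on '/dev/pts/0' from '192.0.2.10' FOR 'root', Authentication failure
Jan 20 09:00:20 cam01 login[901]: LOGIN ON pts/0 BY admin FROM 192.0.2.10
"""

# Assumed message formats (util-linux login.c); the success line deliberately does
# not match the failure pattern and vice versa.
FAIL_RE = re.compile(r"FAILED LOGIN \(\d+\) on '\S+' from '(?P<src>[\d.]+)' FOR '(?P<user>[^']*)'")
OK_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>[\d.]+)")


def find_telnet_guessing(log_text, threshold=4):
    """Return {src_ip: {"failures": n, "users": [...], "success_after": user_or_None}}
    for each source with at least `threshold` failed logins. A success recorded
    after those failures is the strongest signal that a weak password was found."""
    fails = defaultdict(list)       # src ip -> usernames tried
    success_after = {}              # src ip -> username that finally got in
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails[m["src"]].append(m["user"])
            continue
        m = OK_RE.search(line)
        if m and fails.get(m["src"]):   # only count a success preceded by failures
            success_after[m["src"]] = m["user"]
    return {src: {"failures": len(users),
                  "users": sorted(set(users)),
                  "success_after": success_after.get(src)}
            for src, users in fails.items() if len(users) >= threshold}


if __name__ == "__main__":
    for src, info in find_telnet_guessing(SAMPLE_LOG).items():
        print(src, info)
```

Any source with `success_after` set deserves an immediate credential change on that device, and a Telnet service reachable from the internet should be disabled in favour of SSH regardless of what the logs show.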

5 tips to avoid spear-phishing attacks
Date: 2020-01-17
Author: Naked Security

Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.
The good news is that most of us have learned to spot obvious phishing attacks these days.
The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.

Inside Pwn2Own’s High-Stakes Industrial Hacking Contest
Date: 2020-01-24
Author: WIRED

On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: A so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.

Former ACSC chief MacGibbon blasts calls to legitimise screen scrapers
Date: 2020-01-21
Author: iTnews

Australia’s high profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning any weakening of security controls under open banking will create an instant target list for hackers.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance
Author: Help Net Security

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk.
The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
The publication also provides clarification about privacy risk management concepts and the relationship between the Privacy Framework and NIST’s Cybersecurity Framework.

Microsoft Exposed 250 Million Customer Support Records
Date: 2020-01-20
Author: SecurityWeek

Nearly 250 million Microsoft Customer Service and Support records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports.
The records on those servers contained 14 years’ worth of logs of conversations between support agents and customers, all of which could be accessed by anyone directly from a browser, without any form of authentication.
In an update, Microsoft says that the exposure was the result of a misconfiguration that occurred on December 5, but that its investigation into the incident did not reveal malicious use.

ESB-2019.4708.7 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

The RCE in Citrix NetScaler that has been making headlines lately; the advisory was updated this week with patches for specific versions.

ESB-2020.0262 – Red Hat kernel security and bug fix update

Linux kernel upgrades patching severe vulnerabilities reach RHEL 8 for SAP.

ESB-2020.0261 – Red Hat chromium-browser security update

Red Hat releases an Important update for chromium-browser

Stay safe, stay patched and have a good weekend!