//Week in review - 27 Mar 2020

AusCERT Week in Review for 27th March 2020


Hoping this lands in your inbox while you’re reading it in the comfort of your home office.

A reminder that we are here for you; it is business as usual for our team, and our member incident hotline continues to operate 24/7 in these extraordinary times. Details can be found on our website by logging in to our member portal.

In other news this week, we wanted to let you know that on Monday 20th April 2020, members will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal.

To find out if any of your email addresses are going to be affected, please see below:

a) If you currently receive our AusCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected.

b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address though the member portal in the Bulletins subscription section, when logged in as a privileged user.

Be sure to check your email filters if you fall into category b). Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification.

Windows code-execution zero-day is under active exploit, Microsoft warns
Date: 2020-03-24
Author: Ars Technica

Attackers are actively exploiting a Windows zero-day vulnerability that can execute malicious code on fully updated systems, Microsoft warned on Monday.
The font-parsing remote code-execution vulnerability is being used in “limited targeted attacks,” the software maker said in an advisory published on Monday morning. The security flaw exists in the Adobe Type Manager Library, a Windows DLL file that a wide variety of apps use to manage and render fonts available from Adobe Systems. The vulnerability consists of two code-execution flaws that can be triggered by the improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a booby-trapped document or viewing it in the Windows preview pane.
[AusCERT published this alert the same day in ASB-2020.0066.]

Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps
Date: 2020-03-23
Author: Bleeping Computer

A new cyber attack is hijacking router’s DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware.
For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a ‘COVID-19 Inform App’ that was allegedly from the World Health Organization (WHO).
After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.

Cybercrime and Social Engineering Threats – COVID-19
Date: 2020-03-25
Author: Brian Hay

Criminals thrive during tough fiscal times because they’re adept and skilled at exploiting people’s emotions who desire a better life, wish for better times, or are seeking a solution to the troubles they’re currently facing.
They know how to take advantage of the confusion, the breakdown of “normal” procedures, the proliferation of “misinformation” and they also understand the hunger for people to know more about what is going on – so more people are likely to click on a link to find out the latest “news”. Appealing to people’s sense of curiosity is a powerful weapon and it is a difficult behavioural pattern for many of us to control.

Three More Ransomware Families Create Sites to Leak Stolen Data
Date: 2020-03-24
Author: ZDNet

Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches.
Ever since Maze created their “news” site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.

Minister backflips on myGov DDoS attack claim
Date: 2020-03-23
Author: iT News

Government services minister Stuart Robert has quickly walked back his claim that the online services portal myGov suffered a “significant distributed-denial-of-service attack”.

ASB-2020.0066.2 – Windows: RCE – Remote with user interaction

A critical vulnerability in Windows’ font handling was announced out of the usual cycle. At time of writing, no fix is available, and versions of Windows below 10 are strongly recommended to configure the provided mitigations.

ESB-2020.1042 – macOS: Multiple vulnerabilities

Apple released multiple security updates this week, including some spicy-looking vulnerabilities in macOS.

ESB-2020.1057 – Adobe Creative Cloud Desktop for Windows: Arbitrary file deletion – Remote with user interaction

Adobe called this critical; users opening a crafted file could find other files deleted.

Stay safe, stay patched and have a good weekend!