Week in review - 9 Apr 2020

AusCERT Week in Review for 9th April 2020

Greetings,

How glad are we that it’s a short week?

Our member incident hotline continues to operate 24/7 over the long weekend (this one in particular will be fuelled by chocolate!). Details can be found on our website by logging in to our member portal.

Also, a reminder that from Monday 20th April 2020, you will be able to manage all relevant email addresses that are linked to your organisation’s bulletins subscription through our member portal. To find out if any of your email addresses are going to be affected, please see below:

a) If you currently receive our AusCERT Bulletins with the acronym “AMPBE” in the email subject line, then you/your organisation is not affected.

b) If the above acronym is missing, then be prepared to see it included in the subject line from Monday 20th April 2020 onwards. You will then be able to see that email address through the member portal in the Bulletins subscription section, when logged in as a privileged user.

Be sure to check your email filters if you fall into category b). Feel free to reach out to us via auscert@auscert.org.au should you require further assistance or clarification.

Last but not least, it’s been brought to our attention that 80% of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability. Please apply this patch if you haven’t done so already. Our related bulletin info can be found here.

We hope everyone stays safe and is being creative with their long weekend plans.


80% of all exposed Exchange servers still unpatched for critical flaw
Date: 2020-04-06
Author: Bleeping Computer

Over 350,000 of the Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.
This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.
“There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” Rapid7 Labs senior manager Tom Sellers further explained.

Beyond Zoom: How Safe Are Slack and Other Collaboration Apps?
Date: 2020-04-06
Author: Threatpost

COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many departments are scrambling to enable collaboration apps for all — but without proper security they can be a big risk.
As the coronavirus pandemic continues to worsen, remote-collaboration platforms – now fixtures in many workers’ “new normal” – are facing more scrutiny. Popular video-conferencing app Zoom may currently be in the cybersecurity hot seat, but other collaboration tools, such as Slack, Trello, WebEx and Microsoft Teams, are certainly not immune from cybercriminal attention.

Australia on the cyber offence to bring down COVID-19 scammers
Date: 2020-04-06
Author: ZDNet

Australia has launched a cyber offence against offshore criminals, targeting those responsible for scams related to the COVID-19 outbreak.
Minister for Defence Linda Reynolds said in a statement that the Australian Signals Directorate (ASD) had mobilised its offensive cyber capabilities to disrupt the foreign cyber criminals behind the spate of malicious activities that have come out of the global pandemic.
“Cyber criminals that are using the cover of cyberspace and international borders to target Australians are not beyond our reach,” Reynolds said.

Atlassian issues advice on how to keep your IT service desk secure… after hundreds of portals found facing the internet amid virus lockdown
Date: 2020-04-07
Author: The Register

As companies move their staff to remote working amid the COVID-19 coronavirus pandemic, some IT teams have made internal platforms, such as tech support desks, face the public internet.
The hope, presumably, is that this ensures employees can easily reach these services from their homes, allowing them to raise support tickets and the like. However, organizations are leaving themselves open to mischief or worse by miscreants, we’re told, because the portals are not fully secured. Strangers on the internet can create new accounts, impersonate staff, submit requests for bogus work, potentially access sensitive information, such as payroll details and documentation, and so on.

NASA under ‘significantly increasing’ hacking, phishing attacks
Date: 2020-04-07
Author: Bleeping Computer

NASA has seen “significantly increasing” malicious activity from both nation-state hackers and cybercriminals targeting the US space agency’s systems and personnel working from home during the COVID-19 pandemic.
Mitigation tools and measures set in place by NASA’s Security Operations Center (SOC) successfully blocked a wave of cyberattacks, the agency reporting double the number of phishing attempts, an exponential increase in malware attacks, and double the number of malicious sites being blocked to protect users from potential malicious attacks.


ESB-2020.1208 – ALERT Firefox & ESR: Multiple vulnerabilities

Security vulnerabilities that are being exploited by targeted attacks have been fixed in Firefox 74.0.1 and Firefox ESR 68.6.1.

ESB-2020.1218 – telnet: Multiple vulnerabilities

Telnet is affected by an RCE and a DoS vulnerability across multiple Red Hat versions; it is possible this also affects other OSes. Red Hat has addressed this via updates.


Stay safe, stay patched and have a good weekend!

Sean