//Week in review - 24 Apr 2020

AusCERT Week in Review for 24th April 2020


Hoping everyone’s had a good week, and that the parents amongst us are managing the juggle of work-life balance, with the Term 2 remote learning of school-aged children commencing this week.

This week, we announced that our annual conference will be taking on a different spin!

Given the current ever-evolving situation with COVID-19 and the advice from our Chief Information Officer, it is with a mixture of nervous energy and excitement that we announce the fact that AusCERT2020 will now go virtual in September. The dates will remain as previously discussed: 15 – 18 September.

While we understand that a virtual event isn’t quite the same as an in-person one, we are still committed as ever to featuring world-class tutorials and presentations from leading experts in the cyber and information security industry. Speaker details can be found here.

In other news this week, we shared the fact that our friends from ENISA (the EU Agency for Cybersecurity) have just published some new training materials on the topic of “Orchestration of CSIRT Tools”. It includes practical usages of MISP, The Hive Project and IntelMQ; these are very SOAR-relevant, and definitely worth a read. Please refer to their website.

Have a great weekend, and thank you for staying home.

Until next time.

Microsoft releases OOB security updates for Microsoft Office
Date: 2020-04-21
Author: Bleeping Computer

[This has been published as AusCERT bulletin ASB-2020.0090]
Microsoft has released an out-of-band security update that fixes remote code execution vulnerabilities in an Autodesk FBX library integrated into Microsoft Office and Paint 3D applications.
Last month, Autodesk issued security updates for their Autodesk FBX Software Development Kit that resolves remote code execution and denial of service vulnerabilities caused by specially crafted FBX files.
An FBX file is an Autodesk file format that is used to store 3D models, assets, shapes, and animations.

Critical bug in Google Chrome – get your update now
Date: 2020-04-17
Author: Sophos

[This has been published as AusCERT bulletin ASB-2020.0088]
The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix.
… [Sophos] recommends going through the update process as as soon as you can.
Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later.

Hackers have breached 60 ad servers to load their own malicious ads
Date: 2020-04-22
Author: ZDNet

A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites. This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019.
Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads. Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files – usually disguised as Adobe Flash Player updates.

Who’s Behind the “Reopen” Domain Surge?
Date: 2020-04-20
Author: Krebs on Security

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created […] urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.
[A neat demo of threat hunting in DomainTools, albeit without the usual phishing/malware bent we focus on at AusCERT.]

ASB-2020.0088- Google Chrome: Execute arbitrary code/commands – Remote with user interaction

Google has issued an update addressing a critical CVE for Chrome Stable Channel for Desktop.

ASB-2020.0090 – Microsoft products utilising the Autodesk FBX library: Multiple vulnerabilities

Microsoft out-of-band security update fixing remote code execution vulnerabilities in Autodesk FBX library.

Stay safe, stay patched and have a good weekend!