AusCERT Week in Review for 8th May 2020


This week, we launched our long-awaited AusCERT – Members Slack. An email was sent out to members earlier this week (Tuesday 5 May, to be specific) detailing the necessary steps to join us and other AusCERT members in conversation. Be sure to check your inbox(es) for further details. Many of our members informed us through the 2019 Annual Survey that they would like to stay connected through a quicker, more effective (but secure) communication platform, and we’ve delivered!

Also for our members – keep an eye out for an email from our conference team early next week. This communication will provide you with some updates on member token details for Virtual AusCERT2020. We can’t wait to see you in September.

Last but not least, this week has seen us supporting the team from the Office of the Australian Information Commissioner in their Privacy Awareness Week 2020 campaign, an initiative to promote the importance of privacy and keeping your personal information safe. We’ve shared a number of posts on our social media channels using the hashtags #PAW2020 and #RebootYourPrivacy, so please do check them out. In summary, Privacy Awareness Week 2020 is an important reminder to reboot your privacy:

> Check and update your privacy controls

> Consider the alternative when giving or asking for personal information

> Delete any data from old devices and securely destroy or de-identify personal information if it’s no longer needed for a legal purpose.

Again, well done Australia for staying home. We hope that everyone has some lovely plans lined up with the easing of COVID-19 restrictions in most parts of the country – just in time for Mother’s Day on Sunday.

Until next week.

New Kaiji Botnet Targets IoT, Linux Devices
Date: 2020-05-05
Author: Threatpost

The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go Language.
A new botnet has been infecting internet of things (IoT) devices and Linux-based servers, to then leverage them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, has been written from scratch, which researchers say is “rare in the IoT botnet landscape” today.

Samsung patches 0-click vulnerability impacting all smartphones sold since 2014
Date: 2020-05-06
Author: ZDNet

South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014.
The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014.
Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device.

Toll Group suffers second ransomware attack this year
Date: 2020-05-05
Author: iTnews

Toll Group has revealed it is suffering its second ransomware attack this year, attributing the current infection to a type of malware known as Nefilim.
The admission comes less than a day after iTnews reported exclusively that the logistics giant had shut down its IT systems after detecting “unusual activity” on an undisclosed number of servers.

New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers
Date: 2020-05-04
Author: The Hacker News

Cybersecurity researcher Mordechai Guri from Israel’s Ben Gurion University of the Negev recently demonstrated a new kind of malware that could be used to covertly steal highly sensitive data from air-gapped and audio-gapped systems using a novel acoustic quirk in power supply units that come with modern computing devices.
Dubbed ‘POWER-SUPPLaY,’ the latest research builds on a series of techniques leveraging electromagnetic, acoustic, thermal, optical covert channels, and even power cables to exfiltrate data from non-networked computers.

GoDaddy notifies users of breached hosting accounts
Date: 2020-05-04
Author: Bleeping Computer

GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH.
The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting.

Maze Ransomware Operators Step Up Their Game
Date: 2020-05-06
Author: Dark Reading

Investigations show Maze ransomware operators leave “nothing to chance” when putting pressure on victims to pay.
Maze ransomware made headlines when it targeted IT services firm Cognizant in April. Incident response experts who investigated this and previous Maze attacks report new insights on ransomware tactics that could make it harder for businesses to defend themselves.

ESB-2020.1614 – Cisco Firepower: Multiple vulnerabilities

Multiple high severity vulnerabilities which could result in information disclosure, root compromise, denial of service or unauthorized access to Cisco Firepower appliances.

ESB-2020.1624 – Google Chrome: Multiple vulnerabilities

Two remote code execution and denial of service vulnerabilities.

ESB-2020.1607.2 – Salt: Multiple vulnerabilities

Execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.

Stay safe, stay patched and have a good weekend!