AusCERT Week in Review for 31st July 2020
This Thursday started with a surprise: Eclypsium's responsible disclosure of GRUB2 vulnerabilities. AusCERT has issued a supporting write-up and an ASB to help you wade through the original advisories.
In other news, we are excited to announce our 3rd keynote speaker for AusCERT2020 – Julie Inman-Grant – Australia’s eSafety Commissioner. In this role, Julie leads the world’s first government agency committed to keeping its citizens safer online. We look forward to hosting her on Friday 18th September.
A reminder that, in lieu of the various member meet-ups we have been unable to host this year, our team will instead host a series of webinars covering our range of services and focusing on how members can make the most of them. Details below:
And last but not least, another quick reminder for members who haven't already done so to complete the 2020 AusCERT Security Bulletins Survey, due by 5pm AEST Friday 7 August. We look forward to collating our members' thoughts and feedback; thank you in advance for your time and support.
Until next week, have a great weekend and remember to keep washing your hands and stay 1.5m apart in public areas!
Billions of Devices Impacted by Secure Boot Bypass
[Refer to AusCERT bulletin ASB-2020.0135 and blog post on the AusCERT website "There's a hole in the boot"]
The “BootHole” bug could allow cyberattackers to load malware, steal information and move laterally into corporate, OT, IoT and home networks.
Billions of Windows and Linux devices are vulnerable to cyberattacks stemming from a bug in the GRUB2 bootloader, researchers are warning.
GRUB2 (which stands for the GRand Unified Bootloader version 2) is the default bootloader for the majority of computing systems. Its job is to manage part of the start-up process – it either presents a menu and awaits user input, or automatically transfers control to an operating system kernel.
Hacker leaks 386 million user records from 18 companies for free
Author: Bleeping Computer
A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches.
Since July 21st, a seller of data breaches known as ShinyHunters has begun leaking the databases for free on a hacker forum known for selling and sharing stolen data.
ShinyHunters has been involved in or responsible for a wide assortment of data breaches this past year, including Wattpad, Dave, Chatbooks, Promo.com, Mathway, HomeChef, and the breach of a private Microsoft GitHub repository.
Of the databases released since July 21st, nine of them were already disclosed in some manner in the past.
The other nine, including Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha, have not been previously disclosed.
CISO concern grows as ransomware plague hits close to home
Ransomware is on a roll.
Garmin is currently wrestling with a ransomware-induced outage, and locally in Australia, 2020 has seen ransomware take out major companies and threaten beer supplies when it hit logistics giant Toll and beverage company Lion. Toll has only recently recovered from its second dose of the year.
These sorts of attacks are starting to ring alarm bells, with JLL's APAC CISO Mark Smink telling ZDNet on Tuesday that the ransomware plague has evolved a long way from where it was four or five years ago.
Mystery actor disrupts Emotet malware distribution botnet
Malware payloads replaced with animated GIFs. Security researchers are watching the infrastructure of the malware delivery botnet Emotet being compromised by an unknown actor, who is disrupting the criminals' activities in the process.
Microsoft cyber security researcher Kevin Beaumont wrote that someone is currently replacing the malware files distributed by Emotet with animated GIF images.
The images include one of Hackerman, who starred in the internet cult classic Kung Fury.
Summary of the GRUB2 bootloader vulnerability "BootHole" which made headlines late this week.
Adobe issued an out-of-band patch for 2 critical and 2 important vulnerabilities in the Magento e-commerce system, which has been famously targeted by MageCart malware in the past.
Cisco's updates this week included an unauthenticated root compromise. Quelle surprise.
SQLite is one of those core software projects - few people think about it, but everybody uses it. This issue was in the query optimisation engine.
Stay safe, stay patched and have a good weekend!
The AusCERT team