Week in review - 14 Aug 2020

AusCERT Week in Review for 14th August 2020


If you were part of the first 600 delegates who registered for AusCERT2020, you would have received an email earlier this week with details confirming your entitlement to a complimentary Conference Swag Bag. We trust that you’re as excited as we are that the conference is only 5 weeks away.

A reminder that, in lieu of the various member meet-ups we have been unable to host this year, our team will instead be hosting a series of webinars featuring our range of services and focusing on how to maximise usage of these within our membership group. Our last session pre-AusCERT2020 is detailed below:

Last but not least, next week is National Scams Awareness Week 2020 and, as a campaign partner, AusCERT will be sharing the various messages from this campaign through our social media channels.

Until next week, take care and have a great weekend everyone.

Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
Date: 2020-08-11
Author: Threatpost

[Refer to AusCERT related bulletins ASB-2020.0139, ASB-2020.0140 and ASB-2020.0145. Member portal login required.]
Two Microsoft vulnerabilities are under active attack, according to the software giant's August Patch Tuesday security updates. Patches are available for both flaws, and this month's release addresses 120 vulnerabilities in total.
One of the flaws being exploited in the wild is CVE-2020-1464, a Windows spoofing bug tied to the validation of file signatures on Windows 10, 7 and 8.1 and versions of Windows Server. Rated "important," the flaw allows an adversary to "bypass security features intended to prevent improperly signed files from being loaded," Microsoft said.
The second zero-day is a remote code-execution bug rated "critical," which is tied to the Internet Explorer web browser. Tracked as CVE-2020-1380, this is a scripting engine memory-corruption problem. A successful hack gives the attacker the same user rights as the current user, the company wrote.

NSW govt agencies to face cyber security inquiry
Date: 2020-08-12
Author: iTnews

A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks.
The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry.
The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

Upgraded Agent Tesla malware steals passwords from browsers, VPNs
Date: 2020-08-10
Author: Bleeping Computer

New variants of the Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, and FTP and email clients.
Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

Travelex Forced into Administration After Ransomware Attack
Date: 2020-08-10
Author: Infosecurity Magazine

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go.
PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring.
“The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.
The Sodinokibi (REvil) ransomware variant is believed to have struck the firm on New Year's Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
PwC remained upbeat about the future of the company, following its £84 million restructuring.

ESB-2020.2680.2 – Cisco AnyConnect client for Windows: Increased privileges

Cisco updated last week’s advisory to add that proof-of-concept exploit code is now available.

ESB-2020.2803 – Apache Struts: Multiple vulnerabilities

Apache Struts is one of those libraries deployed more widely than you’d think, and a previous vulnerability contributed to the infamous Equifax breach.

ESB-2020.2780 – Citrix Endpoint Management aka XenMobile Server: Unspecified critical vulnerabilities

Citrix released a patch assessed as critical severity without providing detail on the vulnerabilities involved, which is a fun mystery.

ESB-2020.2802 – Microsoft Dynamics 365: Remote code execution

Microsoft released a separate advisory the day after Patch Tuesday to warn of this RCE and its corresponding patch, also assessed as critical.

Stay safe, stay patched and have a good weekend!