Week in review - 21 Aug 2020

AusCERT Week in Review for 21st August 2020

Greetings,

Members, keep an eye out for a copy of the August edition of our membership newsletter “The Feed” landing in your inbox today.

This week we supported the National Scams Awareness Week 2020 as a campaign partner and shared the various messages through our social media channels. Don’t forget to visit this campaign page for further details and tips on how to protect yourself against scams.

In lieu of the various member meet-ups we have been unable to host this year, our team hosted a series of webinars featuring our range of services with the focus on how to maximise the utilisation of these services. Topics covered: Malicious URL Feed, Security Bulletins and Phishing Take-Down. To catch up on the recordings of these sessions, visit our YouTube channel here.

Last but not least, we’d previously shared this on our LinkedIn page – the Australian Department of Home Affairs is inviting you to have your say on the Protecting Critical Infrastructure and Systems of National Significance Package 2020. This initiative is particularly relevant to members from the following critical infrastructure sectors:

  • Banking and Finance
  • Communications
  • Data and the Cloud
  • Defence industry
  • Education, Research and Innovation
  • Energy
  • Food and Grocery
  • Health
  • Space
  • Transport
  • Water

Until next week, take care and have a great weekend everyone.


Over 25% of all UK universities were attacked by ransomware
Author: Bleeping Computer

A third of the universities in the United Kingdom responding to a freedom of information request admitted to being a victim of a ransomware attack. These represent more than 25% of the universities and colleges in the country.
The incidents occurred in the past decade, most of them between 2015 and 2017. Several educational institutions suffered at least two file-encrypting attacks over the past decade, one of them recording more than 40 since 2013.
Digital PR and SEO agency TopLine Comms on June 29 submitted an FOI request to 134 universities in the U.K., asking if they had recorded a ransomware attack, when it happened, if they paid a ransom or not, and what the amount was if they did pay.

University of Utah pays $450K ransom to stop leak of stolen data
Date: 2020-08-20
Author: Bleeping Computer

The University of Utah has paid a $457,000 ransom to prevent threat actors from releasing files stolen during a ransomware attack.
Since the end of 2019, ransomware operators have started stealing unencrypted files before deploying their ransomware. The ransomware gang then threatens the victims by saying they will publicly leak the stolen files if a ransom is not paid.

ACT Education blocks student Gmail access after spam email storm
Date: 2020-08-14
Author: ITNews

ACT’s Education Directorate has blocked all public school students from accessing their Google email accounts after they were spammed en masse on Friday.
The spam campaign emerged on Friday afternoon with an undisclosed number of students receiving dozens of emails, resulting in a reply-all “email storm”.
iTnews understands some of the emails link to lewd websites and Instagram accounts, while other messages tried to solicit inappropriate images.

World’s largest cruise line operator Carnival hit by ransomware
Author: Bleeping Computer

Cruise line operator Carnival Corporation has disclosed that one of their brands suffered a ransomware attack over the past weekend.
Carnival Corporation is the largest cruise operator in the world with over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.
In an 8-K form filed with the Securities and Exchange Commission, Carnival Corporation has disclosed that one of its brands suffered a ransomware attack on August 15th, 2020.
As part of the attack, Carnival states data was likely stolen and could lead to claims from those affected by the potential data breach.


ESB-2020.2832 – GitLab: Access confidential data – remote/unauthenticated

GitLab released new versions to fix a critical issue with deploy token access control, but owing to a packaging error, they didn’t contain the fix. A second set of versions was released soon after.

ESB-2020.2809 – Jenkins core and plugins: Multiple vulnerabilities

Sentences like these really show the complexity of software: “Jenkins […] does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability.”

ESB-2020.2852 – Cisco vWAAS: Administrator compromise – remote/unauthenticated

“A vulnerability in vWAAS … could allow an unauthenticated, remote attacker to log into the CLI … by using accounts that have a default, static password.” Cisco have rooted out countless issues like these in recent years.

ESB-2020.2680.2 – Cisco AnyConnect for Windows: Multiple vulnerabilities

This was updated with Cisco’s advice that proof-of-concept exploit code has been published.


Stay safe, stay patched and have a good weekend!

The AusCERT team