AusCERT Week in Review for 18th December 2020

Greetings,

This week saw the sector abuzz with the news regarding FireEye’s discovery of the trojanised SolarWinds software (aka “Sunburst” malware). Our team has blogged about this trending topic here. Please revisit the blog periodically, as updates are posted as relevant.

This holiday season, many of us will be purchasing gifts for loved ones online. This is a timely reminder to be wary of online shopping scams and increased exploitation by cyber criminals. We’d like to take this opportunity to re-share the following “Don’t give too much away this Christmas!” article.

A reminder of our scheduled shutdown over the Christmas and New Year period:

Membership – will be closed from Saturday 19th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021.

Operations – will be closed from Friday 25th of December until Sunday 3rd of January 2021. We will reopen on Monday, 4th of January 2021. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual; so do call us for any urgent matters during this period.

And last but not least, don’t forget – our AusCERT2021 Call for Papers initiative is still open over the holiday season. Perhaps some writing to help break up the routine? Help us celebrate the 20th anniversary of Australia’s original and oldest information security conference.

Until next week, have a wonderful and restful weekend. Stay safe and let’s remember to keep washing our hands and practise those good Covid-safe habits!


Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Author: FireEye Inc

FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world.
They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing.
Post-compromise activity following this supply chain compromise has included lateral movement and data theft.
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Healthcare security woes: More than 45 million medical images openly accessible online
Author: The Daily Swig

Millions of medical images such as X-rays, MRIs, and CT scans are available unsecured on the open web, an investigation by threat intelligence firm CybelAngel has revealed.
The research team says it found unprotected connected storage devices with ties to hospitals and medical centers worldwide that were leaking more than 45 million unique imaging files.
“It’s important to remember that no hacking tools were used,” David Sygula, senior cybersecurity analyst at CybelAngel, told The Daily Swig. “Millions of images were unencrypted and could be accessed without password protection.
“We were surprised to see the extent to which sensitive images were left unprotected, despite the regulations governing health data.”

Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
Author: ZDNet

Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card.
Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel.
Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems.

Scam bitcoin ads using unauthorised Australian celebrity images traced to Moscow addresses
Author: The Guardian

Scam bitcoin ads trading off unauthorised images of Dick Smith, Andrew Forrest and other celebrities, which have taken in tens of thousands of Australians, are part of a highly organised global business that uses five addresses in the centre of Moscow, a Guardian investigation has found.
The sheer scale of the scam has made it difficult for Google to block them, and for Australian regulators to take action.
The fake celebrity ads have run on news websites since at least 2018, but with people stuck at home during the Covid-19 pandemic, many more have been caught out by the scams.
IDCare, a registered charity that offers support to people scammed online, has been hearing from a victim every business hour since March, its managing director told Guardian Australia.

Service NSW finds cyber attack impacted 80,000 fewer customers
Author: iTNews

Service NSW has revised down the number of customers impacted by an email compromise attack against 47 staff members earlier this year, but not before wrongly notifying 25,000 people.
In September, the one-stop shop for NSW government services revealed – after a four-month long investigation – that 186,000 customers had their information stolen by unknown attackers.
The breach, which took place in March, exposed 736GB of data, encompassing 3.8 million documents such as handwritten notes, forms, scans and records of transaction applications.


ESB-2020.4474 – Thunderbird: Multiple vulnerabilities

Thunderbird, Mozilla’s email client, was host to multiple vulnerabilities including remote code execution and denial of service.

ESB-2020.4464 – Red Hat Fuse 7.8.0: Multiple vulnerabilities

Red Hat Fuse 7.8.0 contained a multitude of vulnerabilities, including remote code execution, denial of service, cross-site scripting, privilege escalation, and unauthorised access to both confidential and privileged data.

ESB-2020.4447 – Firefox: Multiple vulnerabilities

The popular browser contained multiple vulnerabilities that allowed attackers to execute code remotely, cause denial of service, and gain unauthorised access to confidential data.

ESB-2020.4436 – Samba: Multiple vulnerabilities

Samba was affected by vulnerabilities which, prior to the fix, allowed unauthorised access, denial of service and root compromise.


Stay safe, stay patched and have a good weekend!

The AusCERT team