Week in review - 22 Jan 2021

AusCERT Week in Review for 22nd January 2021


Don’t forget – our AusCERT2021 Call for Papers initiative is still open; this is your LAST CHANCE to submit as we will be closing the portal on Tuesday 26th January. We welcome submissions in line with this year’s theme which focuses on automation of the cyber security response, whether these stories are big or small.

We also issued a couple of alerts in relation to Cisco products: further details can be found below.

And last but not least, a call-out from our team seeking voluntary feedback on the preliminary stages of upcoming changes to the AusCERT Security Bulletins. Based on the feedback AusCERT gathered via a member survey, it was concluded that:

  1. Members showed overwhelming support to migrate to CVSS replacing the current Impact/Access statements.
  2. The AusCERT team is currently exploring suitable formats in order to enable the transition from Impact/Access to CVSS. If you’re a member who would like to be a part of this preliminary assessment team, feel free to reach out to membership@auscert.org.au by 31 January 2021.

Until next week, folks. Have a good weekend.

Critical Cisco SD-WAN Bugs Allow RCE Attacks
Date: 2021-01-20
Author: Threatpost

[See related AusCERT security bulletins ESB-2021.0240, ESB-2021.0241 and ESB-2021.0243.]
Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users.
Cisco issued patches addressing eight buffer-overflow and command-injection SD-WAN vulnerabilities. The most serious of these flaws could be exploited by an unauthenticated, remote attacker to execute arbitrary code on the affected system with root privileges.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Date: 2021-01-20
Author: Microsoft Security Blog

More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence.
We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, which allowed attackers to gain backdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

AusCERT statement on “QuoVadis Global SSL ICA G3” issue impacting multiple customers
Date: 2021-01-15
Author: AusCERT

The AusCERT team was made aware that a number of our Certificate Services clients have been, and continue to be, experiencing problems with the above intermediate certificate, QuoVadis Global SSL ICA G3, since approximately 8.30am AEST on Friday 15 January 2021.
A statement (blog post) was released to assist with this issue.
AusCERT is continuing to work with DigiCert + QuoVadis to ensure that they provide all further assistance required for full remediation for our clients and members.

Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach
Date: 2021-01-19
Author: Malwarebytes

While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor.
We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.
After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

ESB-2021.0240 – Cisco Smart Software Manager Satellite: Multiple vulnerabilities

Critical web UI injection vulnerabilities

ESB-2021.0241 – Cisco SD-WAN: Multiple vulnerabilities

Critical buffer overflow and command injection vulnerabilities

ESB-2021.0243 – Cisco DNA Center: Multiple vulnerabilities

Critical command injection and CSRF vulnerabilities

Stay safe, stay patched and have a good weekend!

The AusCERT team