Week in review - 29 Jan 2021

AusCERT Week in Review for 29th January 2021

Greetings,

Thank you to those of you who submitted to our AusCERT2021 Call for Papers initiative. Our team is looking forward to the review process and will be looking at launching our program by early March.

This week also saw a number of critical vulnerabilities affecting SonicWall, sudo and Apple. The list of relevant bulletins and further details can be found below.

Our team is excited to announce our very first event for the year – a joint webinar session with the folks from Digital Shadows. The topic of this webinar will be “Automation when you can’t automate – the human process journey”; further details and the link to register can be found here.

And last but not least, we would like to bring your attention to the upcoming Safer Internet Day initiative which we will be supporting as an organisation. The theme for its 18th edition will once again be “Together for a better Internet” and we look forward to sharing further resources around maintaining a better online world.

Until next week folks, have a good weekend.


New Linux SUDO flaw lets local users gain root privileges
Date: 2021-01-26
Author: Bleeping Computer

[See related AusCERT security bulletin ASB-2021.0036, login not required.]
A now-fixed Sudo vulnerability allowed any local user to gain root privileges on Unix-like operating systems without requiring authentication.
The Sudo privilege escalation vulnerability tracked as CVE-2021-3156 (aka Baron Samedit) was discovered by security researchers from Qualys, who disclosed it on January 13th and made sure that patches are available before going public with their findings.

SonicWall Breach
Date: 2021-01-25
Author: Australian Cyber Security Centre (ACSC)

On 22 January 2021, cyber security vendor SonicWall identified an internal systems breach using a likely zero-day in the SonicWall NetExtender VPN client and Secure Mobile Access (SMA) products.
On 23 January 2021, SonicWall provided an update stating that only the SMA 100 Series is potentially vulnerable and that customers may continue to use the NetExtender component for remote access, as it is not susceptible to exploitation.

Insurers ‘funding organised crime’ by paying ransomware claims
Date: 2021-01-25
Author: The Guardian

[Ciaran Martin will be presenting as a keynote at AusCERT2021.]
Insurers are inadvertently funding organised crime by paying out claims from companies who have paid ransoms to regain access to data and systems after a hacking attack, Britain’s former top cybersecurity official has warned.
Ciaran Martin, who ran the National Cyber Security Centre until last August, said he feared that so-called ransomware was “close to getting out of control” and that there was a risk that NHS systems could be hit during the pandemic.
The problem, he said, is being fuelled because there is no legal barrier to companies paying ransoms to cyber gangs – typically from Russia and some other former Soviet states – and claiming back on insurance. “People are paying bitcoin to criminals and claiming back cash,” Martin said.

Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021
Date: 2021-01-27
Author: ZDNet

Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021.
The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today’s largest malware botnet.

Apple fixes another three iOS zero-days exploited in the wild
Date: 2021-01-26
Author: ZDNet

[See related AusCERT security bulletin ESB-2021.0298.]
Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS.
However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days. Apple also declined to comment further.


ASB-2021.0036 – ALERT sudo: Root compromise – Existing account

Affects most Linux and Unix-based systems.

ESB-2021.0298 – Apple iOS and iPadOS: Multiple vulnerabilities

These zero-days have been reportedly exploited in the wild.

ESB-2021.0319 – IBM QRadar SIEM: Multiple vulnerabilities

This report collates 8 IBM advisories.

ESB-2021.0272 – vlc: Multiple vulnerabilities

Remote Code Execution issues in vlc.


Stay safe, stay patched and have a good weekend!

The AusCERT team