//Week in review - 5 Mar 2021

AusCERT Week in Review for 5th March 2021


This week we would like to congratulate the team from Source2Create on the launch of their 1st edition of the Women In Security magazine. Our team were lucky to have been given the opportunity to spread the word about our upcoming AusCERT2021 conference as well as publish an article covering the work of the various women in security involved in making AusCERT2020 a success last year! In honour of International Women’s Day, we will be sharing this piece on our social media channels next Monday 8th March. If you haven’t already, please do subscribe to the Women In Security magazine here.

Members, please look out for an email which would have landed in your inbox earlier this week detailing your member token details – part of your AusCERT membership perks. These tokens can be applied against both modes of registrations: In-Person OR Remote (Virtual). Should you have any further queries regarding these tokens, please feel free to reach out to our membership team.

Be sure to catch up on our summary of critical vulnerability and advice on Microsoft Exchange this week. The relevant details can be found below.

Last but not least, thank you to those who supported our partnership with the team from Tessian.. The Human Layer Security Summit was a successful virtual event and for those of you who missed the live event, you’ll be able to catch up on all of its content on-demand.

To our friends and colleagues in Sydney, Happy Mardi Gras weekend and stay safe.

Until next week, have a good weekend.

Google patches actively exploited Chrome browser zero-day vulnerability
Date: 2021-03-03
Author: ZDNet

[ Additional resource available here, Google’s Project Zero tracking sheet: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit?usp=sharing.]
Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.
The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.”
Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.

Microsoft issues emergency patches for 4 exploited 0-days in Exchange
Date: 2021-03-03
Author: Ars Technica

[Please refer to the following AusCERT security bulletin: ASB-2021.0048.]
Microsoft is urging customers to install emergency patches as soon as possible to protect against highly skilled hackers who are actively exploiting four zero-day vulnerabilities in Exchange Server.
The software maker said hackers working on behalf of the Chinese government have been using the previously unknown exploits to hack on-premises Exchange Server software that is fully patched. So far, Hafnium, as Microsoft is calling the hackers, is the only group it has seen exploiting the vulnerabilities, but the company said that could change.

Universal Health Services lost $67 million due to Ryuk ransomware attack
Date: 2021-03-01
Author: Bleeping Computer

[Additional reading: an English version of the CERT-FR Ryuk ransomware report is now available for perusal via https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-006/]
Universal Health Services (UHS) said that the Ryuk ransomware attack it suffered during September 2020 had an estimated impact of $67 million.
UHS, a Fortune 500 hospital and healthcare services provider, has over 90,000 employees who provide services to roughly 3.5 million patients each year in more than 400 US and UK healthcare facilities.
UHS said last week that the Ryuk ransomware attack “had an aggregate unfavorable pre-tax impact of approximately $67 million during the year ended December 31, 2020.”
“The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays,” UHS added.

Australia’s new ‘hacking’ powers considered too wide-ranging and coercive by OAIC
Date: 2021-03-02
Author: ZDNet

The Office of the Australian Information Commissioner (OAIC) has labelled the powers given to two law enforcement bodies within three new computer warrants as “wide-ranging and coercive in nature”.
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) the new warrants for dealing with online crime.
The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.

ESB-2021.0803 – ALERT Google Chrome: Multiple vulnerabilities

Google reports that an exploit for CVE-2021-21166 exists in the wild.

ASB-2021.0048.3 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated

There are reports that these zero-day RCE vulnerabilities are being exploited in the wild.

ESB-2021.0780 – Cisco Network Services Orchestrator (NSO): Access confidential data – Remote/unauthenticated

Cisco released a raft of advisories and updates this week, including this one.

ESB-2021.0748 – grub2: Multiple vulnerabilities

These grub2 issues affect many linux and unix-like systems.

Stay safe, stay patched and have a good weekend!

The AusCERT team