Week in review - 19 Mar 2021

AusCERT Week in Review for 19th March 2021

Greetings,

Another big one for the AusCERT team with several items we’d like to highlight from this week.

We kicked things off on Monday by releasing our Year in Review 2020 piece. Members, we hope you find our review useful and we thank you for your continued support!

Last week we highlighted the “HAFNIUM special report” courtesy of the team from Shadowserver. Since then, the AusCERT team has conducted a number of analyses based on this information and on several follow-up reports from the Shadowserver team. Members whose servers were affected by the ProxyLogon vulnerabilities will have been contacted during the week. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AusCERT member portal, since that is how we match reported addresses to you.

In conjunction with the above, our team also released a blog article and a workflow diagram titled “Patching for HAFNIUM is just half of the story” – link to the blog highlighted below. We strongly recommend reading this piece. It was created by our analyst team and is intended to help Microsoft Exchange server caretakers work out where in the check, mitigate, patch and clean-up sequence their organisation currently sits within its incident response plan.

Last but not least, another exciting update on AusCERT2021: we’ve updated our Program page to include all of our tutorials and hands-on workshop offerings.

Members, please note that all nominated Primary and Organisation contact person(s) will have received a reminder email this week about your member token(s), part of your AusCERT membership perks – please utilise these by 18 April.

Also a reminder that AusCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. To find out more, please visit our conference website here.

Until next week, have a good weekend everyone.


Patching for HAFNIUM is just half of the story
Date: 2021-03-16
Author: AusCERT

On the 2nd of March, CISA (part of the U.S. Department of Homeland Security) didn’t mince its words and issued an Emergency Directive requiring a thorough check of any Microsoft Exchange servers under your control.
That directive served as a guide for “agencies that have the expertise” to “forensically triage artefacts”. Since then a number of tools have been made available to support the tasks of identifying, checking, mitigating, patching and cleaning your servers and systems.
The key take-away is that a huge (and still growing) amount of effort has gone into making sure that caretakers go beyond patching alone: a server that was exploited before the patch landed is still compromised after it.
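The check that “beyond patching” most often means in practice is a look through the Exchange HttpProxy logs for pre-patch exploitation. The script below is an added example written for this review; it is not the AusCERT workflow diagram, nor Microsoft’s Test-ProxyLogon or EOMT scripts. The indicator it applies is the one Microsoft published for CVE-2021-26855 (the server-side request forgery that opens the ProxyLogon chain): a request whose AuthenticatedUser is empty while AnchorMailbox matches ServerInfo~*/*. The log directory is the default Exchange 2013/2016/2019 location, the handling of the ‘#’-prefixed header lines is a defensive assumption so the parser copes with either layout, and the two log entries are constructed sample data, not a real capture.

```powershell
# Added example (not AusCERT's or Microsoft's code): triage Exchange HttpProxy logs
# for the CVE-2021-26855 indicator Microsoft published: AuthenticatedUser empty while
# AnchorMailbox matches 'ServerInfo~*/*'. Default log root is an assumption; adjust
# it if your Exchange installation lives elsewhere.
$LogRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15\Logging\HttpProxy'

function ConvertFrom-ExchangeLog {
    # Exchange log files carry '#'-prefixed header lines (Software, Version, Date,
    # Fields) ahead of the CSV body. Use a '#Fields:' line as the column list when
    # present, otherwise treat the first non-comment line as the header. This is a
    # defensive assumption so the parser works with either layout.
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Lines)
    $header = $null
    $body   = [System.Collections.Generic.List[string]]::new()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $header = ($line -replace '^#Fields:\s*', ''); continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $header) { $header = $line; continue }
        $body.Add($line)
    }
    if (-not $header -or $body.Count -eq 0) { return @() }
    return $body | ConvertFrom-Csv -Header ($header -split ',')
}

function Find-ProxyLogonIndicators {
    # Returns the entries matching Microsoft's published SSRF pattern. Any hit means
    # the server was probed or exploited and needs forensic follow-up, not just a patch.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Entries)
    $Entries | Where-Object {
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox
}

# --- Constructed sample log (not real data) so the script runs without an Exchange server ---
# First entry: unauthenticated request carrying a ServerInfo~host/path anchor (should be flagged).
# Second entry: ordinary authenticated OWA request with a Sid~ anchor (should not be flagged).
$Sample = @'
#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,AuthenticatedUser,Organization,AnchorMailbox
2021-03-03T01:12:09.111Z,1,10.0.0.25,mail.example.internal,/owa/auth/x.js,GET,,,ServerInfo~mail.example.internal/ecp/
2021-03-03T01:13:44.222Z,2,10.0.0.40,mail.example.internal,/owa/,GET,EXAMPLE\alice,,Sid~S-1-5-21-1-2-3-1001
'@

$hits = Find-ProxyLogonIndicators -Entries (ConvertFrom-ExchangeLog -Lines ($Sample -split "`r?`n"))
$hits | Format-Table -AutoSize

# On a live server, point the same functions at the real log directory instead:
# Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
#     ForEach-Object { Find-ProxyLogonIndicators -Entries (ConvertFrom-ExchangeLog -Lines (Get-Content $_.FullName)) }
```

Run against the constructed sample, only the first entry is returned. A hit on a production server is a trigger for the incident response plan the blog piece describes (isolate, hunt for web shells and new accounts, rotate credentials), because patching after that point closes the door but does not evict whoever already walked through it.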

Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
Date: 2021-03-16
Author: Microsoft Security Response Center

Microsoft has provided the latest information for IT pros and incident response teams, with updated tools and investigation guidance to help organisations identify, remediate and defend against attacks associated with the recent Exchange Server vulnerabilities.

Melbourne’s Eastern Health hit by suspected cyber attack
Date: 2021-03-18
Author: iTnews

One of Melbourne’s largest metropolitan public health services has postponed some elective surgery procedures after experiencing a “cyber incident”.
The incident, which took place late on Tuesday, has forced Eastern Health to pull a number of its IT systems offline as a precaution.
Eastern Health operates the Box Hill, Maroondah, Healesville and Angliss hospitals, as well as a number of health services, including Yarra Ranges Health and Wantirna Health.

Microsoft releases one-click Exchange On-Premises Mitigation Tool
Date: 2021-03-15
Author: Bleeping Computer

Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) to allow small business owners to easily mitigate the recently disclosed ProxyLogon vulnerabilities.
This month, Microsoft disclosed that four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers and, more recently, the DearCry ransomware on exploited servers.
Today, Microsoft released the EOMT one-click PowerShell script so that small business owners who do not have dedicated IT or security teams can get further help securing their Microsoft Exchange servers. Note that EOMT applies a mitigation and runs the Microsoft Safety Scanner; it is not a substitute for installing the security updates.

IC3 Releases 2020 Internet Crime Report
Date: 2021-03-17
Author: FBI (Federal Bureau of Investigation)

The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.
The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

Survey: Australia, NZ organisations now realise their security overconfidence
Date: 2021-03-16
Author: CSO Online

It took a global pandemic, but enterprises and government agencies in Australia and New Zealand are now rethinking their approach to cybersecurity—taking it seriously for the first time in a while.
That’s the conclusion of a survey of about 435 people in Australia and about 40 in New Zealand by the Australian arm of the global business services firm BDO and Australia’s AusCERT cybersecurity rapid response team. Fewer organisations (55%) now feel confident in managing cyber incidents, down from 62% just a year earlier, the survey found.

New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
Date: 2021-03-14
Author: Bleeping Computer

A security researcher has released a new proof-of-concept exploit this weekend that requires slight modification to install web shells on Microsoft Exchange servers vulnerable to the actively exploited ProxyLogon vulnerabilities.

Security flaws in Microsoft email software raise questions over Australia’s cybersecurity approach
Date: 2021-03-12
Author: The Conversation

On March 2, 2021, Microsoft published information about four critical vulnerabilities in its widely used Exchange email server software that are being actively exploited. It also released security updates for all versions of Exchange back to 2010.
Microsoft has told cybersecurity expert Brian Krebs it was notified of the vulnerabilities in “early January”. The Australian Cyber Security Centre has also issued a notice on the vulnerabilities.
The situation has been widely reported in the general media as well as specialist cybersecurity sites, but often inaccurately. But the situation also highlights a contradiction in government cybersecurity policy – there is a basic conflict between building offensive cybersecurity capabilities and protecting our own businesses and citizens.


ASB-2021.0048.5 – UPDATE ALERT Microsoft Exchange Server: Execute arbitrary code/commands – Remote/unauthenticated

Microsoft’s out-of-band critical updates address a number of Microsoft Exchange Server Remote Code Execution Vulnerabilities.

ESB-2021.0872.2 – UPDATED ALERT BIG-IP Products: Multiple vulnerabilities

F5 Networks identifies more BIG-IP Products impacted by the Advanced WAF/ASM buffer-overflow vulnerability.

ESB-2021.0906 – ALERT Google Chrome: Multiple vulnerabilities

Google’s update for Google Chrome fixes multiple vulnerabilities.

ESB-2021.0943 – shadow: Multiple vulnerabilities

Several vulnerabilities discovered in the shadow suite of login tools.

ESB-2021.0950 – Cisco Products: Multiple vulnerabilities

Cisco has released software updates that address multiple vulnerabilities in Cisco RV132W VPN Routers.


Stay safe, stay patched and have a good weekend!

The AusCERT team