AusCERT Week in Review for 26th March 2021

Greetings,

This week we released the results from our joint 2020 AusCERT and BDO in Australia Cyber Security Survey. Thank you to all those who helped us with this endeavour! For the fifth year in a row, we surveyed member organisations across Australia and New Zealand, allowing us to clearly unpack the COVID-19 pandemic’s impacts on cyber – detailing significant shifts in the way organisations are impacted by, and responding to, evolving cyber threats. “Adaptation is key to winning the battle.” Download a copy of the report here.

Also this week, the AusCERT team conducted yet another analysis on the evolving MS Exchange ProxyLogon vulnerabilities based on the latest report from the Shadowserver team – this report (article) has been highlighted below. Those of you who’d been affected would have been contacted on Wednesday. Members, please check your inbox. This is also a timely reminder to keep your organisation’s IPs and domains up to date on the AusCERT member portal.

Members, a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AusCERT membership perks which allows you to attend our annual conference for free or as a partially subsidised delegate – please utilise the token(s) by 18 April. Conference registrations can be done via our website here.

Also a reminder that AusCERT2021 has been approved to be a part of the Australian Government’s “Restarting Australia’s Business” opportunity grant application scheme. Applications for this grant scheme are due on Tuesday 30th March. To find out more about our sponsorship options, please visit our conference website here.

Until next week, have a good weekend everyone.


RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Date: 2021-03-18
Author: NCC Group Research

On Thursday (Friday, Australian time) cybersecurity firm NCC Group said that it detected successful in-the-wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices.

Shadowserver Special Report – Exchange Scanning #5
Date: 2021-03-24
Author: The Shadowserver Foundation

Over the past 12 days we have published 5 one-off Special Reports that provided information about the recently patched zero-day vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
This latest Special Report represents our most comprehensive effort yet to enumerate as many vulnerable and compromised Microsoft Exchange Servers as possible. Much of the detection of potentially vulnerable Microsoft Exchange servers performed to date has been based on internet-wide scanning of all ~4 billion IPv4 addresses (IPv4 /0 scanning), which is effective at identifying Exchange/OWA environments which are configured to use the default IP address.
However, this kind of mass scanning will not always identify potentially vulnerable Microsoft Exchange servers, since they can also be configured to use web server virtual hosting on fully qualified domain names (FQDNs), rather than simply binding to the default web site instance or a server’s main IP address.
In such cases, it is possible that virtual host-based Microsoft Exchange Server instances may be missed during IPv4 /0 scans.

Cisco addresses critical bug in Windows, macOS Jabber clients
Date: 2021-03-24
Author: Bleeping Computer

Cisco has addressed a critical arbitrary program execution vulnerability impacting several versions of Cisco Jabber client software for Windows, macOS, Android, and iOS.
Cisco Jabber is a web conferencing and instant messaging app that allows users to send messages via the Extensible Messaging and Presence Protocol (XMPP).
The vulnerability was reported by Olav Sortland Thoresen of Watchcom. Cisco’s Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild.
Additionally, the vulnerability does not affect Cisco Jabber client software configured for Team Messaging or Phone-only modes.

University of Queensland uplifts its vulnerability management
Date: 2021-03-23
Author: iTnews

The University of Queensland has upgraded its vulnerability management tooling as part of an ongoing security improvements program.
The university said it had selected cloud-based Tenable.io “to see, predict and act to reduce cyber risk across its domestic campuses.”
Tenable.io is used to scan the university’s “complex environment made up of tens of thousands of personal devices, vendor partnerships and connections to remote teams and other institutions,” information technology services deputy director Dr David Stockdale said in a statement.

Australian firms to spend $4.9b on infosec, risk management in 2021
Date: 2021-03-23
Author: iTWire

Organisations in Australia are forecast to spend more than $4.9 billion on enterprise information security and risk management products and services in 2021, an increase of 8% year-on-year, the technology analyst firm Gartner says.
The forecast was made during the online Gartner Security & Risk Management Summit APAC which is being held this week.
Senior research director Richard Addiscott said the focus on security and risk was due to major attacks like the SolarWinds supply chain incident, proposed legislation such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and regulatory obligations.
“Many of the conversations we’re having with government and private sector clients in Australia revolve around the Essential Eight, varying state government cyber security frameworks, and regulatory instruments such as APRA’s Prudential Standard CPS 234,” said Addiscott.


ESB-2021.1010 – ALERT Cisco Jabber: Multiple vulnerabilities

Multiple Vulnerabilities in Cisco Jabber could allow for Arbitrary Code Execution.

ESB-2021.1003 – Firefox: Multiple vulnerabilities

Mozilla has released Firefox 87 fixing multiple vulnerabilities including Remote Code Execution.

ESB-2021.1043 – McAfee Data Loss Prevention (DLP) Endpoint for Windows: Increased privileges – Existing account

McAfee released an update to address a privilege escalation vulnerability for Windows.

ESB-2021.1056 – OpenSSL: Multiple vulnerabilities

OpenSSL versions 1.1.1h and newer are affected by multiple vulnerabilities.

ESB-2021.1012 – sudo: Root compromise – Existing account

An update that addresses one vulnerability in Sudo is now available for SUSE products.


Stay safe, stay patched and have a good weekend!

The AusCERT team