//Week in review - 1 Apr 2021

AusCERT Week in Review for 1st April 2021


Here we are, at the end of Quarter 1 2021. What a year it’s been for our sector so far! The wave of vulnerabilities and associated attacks we’ve observed has certainly kept all of us busy.

This week we saw an urgent out-of-band Apple security update for its iOS and iPadOS mobile operating system, see bulletin details below. We also witnessed Nine Media recovering from what’s been described as a “significant and complex” cyber-attack, a timely prompt to re-visit “The Essential Eight” a prioritised list of mitigation strategies issued by the ACSC.

Last week, the AusCERT team were privileged to attend our first in-person conference event in over a year – BrisSEC21, an event hosted by the AISA Brisbane chapter. Our Director, Dr David Stockdale presented a talk on the theme of cybercrime at the event. An article based on this talk will be submitted to the next edition of the Women in Security magazine and we will share it when it’s published.

We look forward to our next event, our very own annual conference, AusCERT2021. On that note, members – a reminder that all nominated Primary and Organisation contact person(s) would have received details regarding your organisation’s member token(s), part of your AusCERT membership perks which allows you to attend our annual conference for free or as a partially subsidised delegate – please make sure you utilise the token(s) by 18 April. Conference registrations can be done via our website here.

AusCERT will maintain minimal coverage for the Easter holidays from Friday 2 April to Monday 5 April. AusCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AusCERT member with an emergency may contact on-call AusCERT staff on the AusCERT Incident Hotline, details available here.

Until next week, have a good long Easter weekend everyone. Stay safe and let’s keep up with our Covid-safe practices.

Apple patches exploited iOS, iPadOS zero-day
Date: 2021-03-28
Author: iTnews

Apple has issued an urgent out-of-band security update for its iOS and iPadOS mobile operating system, after a zero-day vulnerability that is under active exploitation was found.
The vulnerability in the WebKit browser engine can lead to universal site cross-scripting, Apple said.
Cross-scripting allows attackers to inject their own scripts via maliciously crafted web page content.

VMware fixes bug allowing attackers to steal admin credentials
Date: 2021-03-30
Author: Bleeping Computer

VMware has published security updates to address a high severity vulnerability in vRealize Operations that could allow attackers to steal admin credentials after exploiting vulnerable servers.
vRealize Operations is an AI-powered and “self-driving” IT operations management for private, hybrid, and multi-cloud environments, available as an on-premises or SaaS solution.

Automated Clean-up of HAFNIUM Shells and Processes with Splunk Phantom
Date: 2021-03-26
Author: Splunk

The Splunk team have released a couple of blogs on this topic, concentrated on two things:
1. Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk: Explaining the vulnerabilities and associated exploits
2. Detecting Microsoft Exchange Vulnerabilities – 0 + 8 Days Later…: Sharing SPL to detect and hunt for malicious behavior withrelated to the exploits and detections you can use with Splunk Enterprise Security

Docker Hub images downloaded 20M times come with cryptominers
Date: 2021-03-29
Author: Bleeping Computer

Researchers found that more than two-dozen containers on Docker Hub have been downloaded more than 20 million times for cryptojacking operations spanning at least two years.
Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Holding the news to ransom? What we know so far about the Channel 9 cyber attack
Date: 2021-03-30
Author: The Conversation

As is often the case in the early stages of a major cyber incident, details are scarce, and it’s very hard to know who is behind it.
What happened?
There is no official statement of cause, but it is clear that malware spread between devices at Channel 9’s Sydney headquarters, leaving data and production systems inaccessible.

ESB-2021.1067 – ALERT Apple Products: Cross-site scripting – Remote with user interaction

The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1082 – Cisco Products: Multiple vulnerabilities

Multiple vulnerabilities on OpenSSL affecting Cisco Products.

ESB-2021.1087 – VMWare Products: Multiple vulnerabilities

VMware vRealize Operations updates address server side request forgery and arbitrary file write vulnerabilities.

ESB-2021.1107 – Google Chrome: Multiple Vulnerabilities

Google released stable channel update for Chrome addressing multiple vulnerabilities.

ESB-2021.1116 – GitLab: Multiple vulnerabilities

Gitlab released new versions for GitLab CE and EE to address multiple vulnerabilities.

Stay safe, stay patched and have a good weekend!

The AusCERT team