//Week in review - 30 Apr 2021

AusCERT Week in Review for 30th April 2021


This week, we’re thrilled to announce the opening keynote at AusCERT2021!

To celebrate the return of in-person events, we will kick off the 20th anniversary of our conference with a panel discussion on how SOAR can help with your security transformation strategy. The panel will feature experts from Splunk (James Young), Microsoft (Jess Dodson), Bugcrowd (Casey Ellis) and Airservices Australia (Anthony Kitzelmann). Places selling fast, the conference will be delivered in hybrid mode so you can still join us from the comfort of your own home/office. Don’t forget to register before we sell out!

Another busy week has gone past for our analyst team with alerts sent out for multiple products. On that note, be sure to review our highlighted security bulletins and articles below.

Members, please keep an eye out for a copy of our membership newsletter The Feed which landed in your inbox on Tuesday this week. It was a bumper edition, on it we shared a copy of our Quarter 1, 2021 report and a piece on how we tackled the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits and helped our members – the latter was also covered in Edition 2 of the Women in Security magazine, a publication from team Source2Create.

Next week will see us supporting Privacy Awareness Week 2021, follow us on our social media channels for information around this year’s campaign.

Last but not least, thank you to those who joined us yesterday as we discussed the 2020 BDO and AusCERT Cyber Security Survey insights. A copy of the webinar recording can be found here.

AusCERT will maintain minimal coverage for Labour Day long weekend in Queensland. Our staff will be on-call for emergencies only and email will not be monitored during this time. Any AusCERT member with an emergency may contact on-call AusCERT staff on the AusCERT Incident Hotline, details available here.

Until next week everyone, have a good and restful weekend.

UnitingCare Queensland hit by cyber attack
Date: 2021-04-26
Author: iTnews

UnitingCare Queensland, a provider of hospital and aged care services, said some of its digital and technology systems were rendered “inaccessible” by a cyber attack on Sunday.
9News in Queensland reported the attack as a ransomware infection that all hospitals and aged care homes run by the organisation with IT systems.
Hospitals run by UnitingCare Queensland include The Wesley Hospital and St Andrews War Memorial Hospital, both in Brisbane, St Stephen’s Hospital in Hervey Bay, and Buderim Private Hospital on the Sunshine Coast.

A software bug let malware bypass macOS’ security defenses
Date: 2021-04-27
Author: TechCrunch

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS’ newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple’s watch.
Worse, evidence shows a notorious family of Mac malware had been exploiting this vulnerability for months before it was subsequently patched by Apple this week.

Ransomware gang targets Microsoft SharePoint servers for the first time
Date: 2021-04-27
Author: The Record by Recorded Future

Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.
SharePoint now joins a list that also includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and Pulse Secure, Fortinet, and Palo Alto Network VPNs.
The group behind the attacks targeting SharePoint servers is a new ransomware operation that was first seen at the end of 2020.
The group is tracked by security vendors under the codenames of Hello or the WickrMe ransomware—because of its use of Wickr encrypted instant messaging accounts as a way for victims to reach out and negotiate the ransom fee.
Typical Hello/WickrMe attacks usually involve the use of a publicly known exploit for CVE-2019-0604, a well-known vulnerability in Microsoft’s SharePoint team collaboration servers.

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU
Date: 2021-04-27
Author: Troy Hunt

Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the world’s most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February.

University of Minnesota responds to Linux security patch requests
Date: 2021-04-27
Author: ZDNet

The UMN wants to make peace with the Linux kernel developer community after an annoying Linux code security research blunder.

ESB-2021.1408.2 – UPDATED ALERT Apple iOS products: Multiple vulnerabilities

The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.

ESB-2021.1416 – ALERT macOS Catalina: Multiple vulnerabilities

Apple has released security patches for multiple vulnerabilities including a zero day bypass vulnerabilty.

ESB-2021.1439 – ALERT FortiWAN: Multiple vulnerabilities

FortiGuard has released security update to patch authentication bypass vulnerability.

ESB-2021.1440 – ALERT ShareFile: Root compromise – Remote/unauthenticated

A security issue in Citrix ShareFile could allow a remote attacker to compromise the storage zones controller.

ASB-2021.0100 – Microsoft Edge: Multiple vulnerabilities

Microsoft has released security update to address multiple vulnerabilities in Microsoft Edge.

Stay safe, stay patched and have a good weekend!

The AusCERT team