AusCERT Week in Review for 4th June 2021


National Reconciliation Week (NRW) 2021 concluded on the 3rd of June, and AusCERT would like to take this opportunity to recap this year’s theme, which was “More than a word. Reconciliation takes action.” To find out more about how we can all be better allies of Australia’s First Nations people, please visit the NRW website.

Be sure to catch up on our highlighted summary of Security Bulletins and ADIR articles below.

We’re also pleased to share the following blog piece by our AusCERT2021 Member Individual of the Year winner, Simon Coggins from CQUniversity. Congratulations, Simon, a well-deserved win! In the coming weeks, we will be sharing a couple more of these blog articles featuring our other award winners from AusCERT2021.

Last but not least, we’re excited to share the news that AusCERT is back in the swing of things with respect to our training options. Earlier this week, our Principal Analyst ran a pilot session of the Introduction to Cyber Security for School Professionals course. For those wanting to find out more about our training options, please visit our website for further information or send us an email.

Until next week everyone, have a great weekend.

New sophisticated email-based attack from NOBELIUM
Date: 2021-05-27
Author: Microsoft Threat Intelligence Center (MSTIC)

Microsoft Threat Intelligence Center has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components.
The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating, to help the industry understand and protect against this latest activity.
In this article, MSTIC has outlined attacker motives, malicious behaviour, and best practices to protect against this attack.

ASD using classified capabilities to warn local entities of impending ransomware hit
Date: 2021-06-02
Author: ZDNet

Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD’s “value add”.
“We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” Noble said.

JBS resumes meat operations after cyber attack halts production
Date: 2021-06-04
Author: ABC News

Earlier this week, JBS USA confirmed the company was targeted by an organised cyber attack on Sunday, which paralysed its operations in North America and Australia.
“Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia,” [JBS] said in the statement.
There is no further information on the source of the attack, which is believed to be the work of a Russian crime gang.

RBA to step up cyber resilience with new identity and access management system
Date: 2021-06-02
Author: ZDNet

The Reserve Bank of Australia said it is looking to modernise its identity and access management capabilities by introducing more automated controls to its existing platform.
The RBA explained that it currently relies heavily on a mix of manual and automated processes to enforce bank controls, but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities.
“Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request.
“In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.”
Under the IDAM project, the RBA identified that it wants to see the delivery of identity governance and administration, hybrid identity infrastructure, password-less multi-factor authentication capabilities, a privileged access management system, and customer identity and access management integration.

Countries are increasing their cyber response budgets — but spending still varies widely
Date: 2021-05-28
Author: The Record by Recorded Future

Nations around the world don’t seem to agree on the appropriate amount of money to earmark for cyber defense and incident response, according to an analysis by The Record. But in recent years, almost every country examined has boosted its cyber spending.

ESB-2021.1884 – BIG-IQ Centralized Management: Multiple vulnerabilities

F5 has released an advisory addressing a remote code execution vulnerability in the BIG-IQ Centralized Management module.

ESB-2021.1897 – Firefox: Multiple vulnerabilities

Mozilla has released Firefox 89 addressing multiple security vulnerabilities.

ESB-2021.1905 – Cisco SD-WAN products: Root compromise – Existing account

Cisco has addressed a privilege escalation vulnerability in SD-WAN software.

ESB-2021.1908 – Cisco Webex Player: Multiple vulnerabilities

A vulnerability in Cisco Webex Player for Windows and macOS could allow an attacker to execute arbitrary code on an affected system.

ESB-2021.1935 – dhcp: Denial of service – Remote/unauthenticated

A buffer overrun in the lease-file parsing code affects both dhcpd and dhclient, which share the vulnerable code.

Stay safe, stay patched and have a good weekend!

The AusCERT team