//Week in review - 18 Jun 2021

AusCERT Week in Review for 18th June 2021


This week, we shared our June 2021 edition of The Feed – the AusCERT membership newsletter. Members, be sure to check your inbox(es) for a copy of this newsletter to catch up on all things related to your AusCERT membership.

We’re pleased to share the following blog piece by our AusCERT2021 Diversity and Inclusion Champion – Phillip “Pip” Jenkinson from Baidam Solutions. Congratulations Pip, a well-deserved win! For those of you based in the Greater Brisbane area and are wanting to hear more about Pip and the work he does at Baidam Solutions, come and join us at our upcoming NAIDOC Week 2021 luncheon on Friday 2 July, 12 – 2pm. For further details and to RSVP, visit the AusCERT website here.

Last but not least, we’re proud to announce that there are currently 11 NEW Member Security Incident Notifications (MISNs) reports generated in the pipeline by our team of analysts – all drawn from the expertise of our various threat intelligence partners and resources. This is a pertinent reminder for members to keep your organisation’s IPs and domains up to date on the AusCERT member portal to make sure you’re able to receive these relevant MSINs as they come through! A recap of how this particular AusCERT service assists our members with mitigating cyber-attacks can be found here “How AusCERT helped its members tackle the recent Microsoft Exchange server critical ProxyLogon vulnerabilities and exploits.”

Until next week everyone, have a great weekend.

Thousands of VMware vCenter Servers Remain Open to Attack Over the Internet
Date: 2021-06-16
Author: Dark Reading

[See related ALERT bulletin ESB-2021.1805 which AusCERT published on the 26th May]
Thousands of instances of VMware vCenter Servers with two recently disclosed vulnerabilities in them remain publicly accessible on the Internet three weeks after the company urged organizations to immediately patch the flaws, citing their severity.
The flaws, CVE-2021-21985 and CVE-2021-21986, basically give attackers a way to take complete control of systems running vCenter Server, a utility for centrally managing VMware vSphere virtual server environments. The vulnerabilities exist in vCenter Server versions 6.5, 6.7, and 7.0.

Nationally-known Australian company lawyered up to resist ASD help
Date: 2021-06-15
Author: ZDNet

The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate, likening it to refusing to cooperate with an air crash investigation.
One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security on Friday.
“It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said.
[…] However the unnamed company lawyered up, and it took a week for the ASD to get even basic network information.

Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign
Date: 2021-06-14
Author: Microsoft Security Intelligence

Microsoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions.

Qld govt stumps up $40m for cyber security, digital
Date: 2021-06-16
Author: iTnews

The Queensland government will invest almost $40 million in cyber security and digital service delivery over the next five years as the state’s Covid-19 recovery gets underway.

Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Date: 2021-06-16
Author: Mandiant

Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk.

ESB-2021.2130 – ImageMagick: Multiple vulnerabilities

34 vulnerabilities were addressed in ImageMagick, some of which could lead to code execution.

ESB-2021.2141 – Nessus Agent: Increased privileges – Existing account

Tenable released an update to address privilege escalation vulnerabilities in their Nessus Agent for Windows.

ESB-2021.2173 – ALERT [Win][UNIX/Linux] Google Chrome: Execute arbitrary code/commands – Remote with user interaction

Another week, another zero-day in Google Chrome. Google reports that this been exploited in the wild so this should be patched as soon as possible.

Stay safe, stay patched and have a good weekend!

The AusCERT team