//Week in review - 2 Jul 2021

AusCERT Week in Review for 2 July 2021


Folks, welcome to the second-half of 2021. The start of July marks a new financial year here in Australia – which means, tax time is here! We’re sharing this “Is it a scam?” piece by our AusCERT2021 Member Organisation of the Year, the folks from Australian Taxation Office.

Of note this week, Microsoft has released an out-of-band critical update to address a Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527. This vulnerability has received significant media attention in the past day or so. Be sure to catch up on this alert via our highlighted AusCERT Security Bulletin details below.

Some mitigation notes and recommendations:

  1. Apply the latest security updates released on June 8, 2021 AND determining if the Print Spooler service is running; either disabling it or disabling inbound remote printing through Group Policy.

  2. Microsoft acknowledges this vuln is similar to but DISTINCT from the recent Print Spooler vuln reported as CVE-2021-1675 and addressed by the June 2021 Patch Tuesday updates. They are still investigating the issue and will update the page as more information becomes available.

AusCERT members, be sure to hop on our Slack space for some tips and notes regarding this issue from fellow AusCERT members. It’s always an awesome space for information sharing! To sign in, please do so via our member portal here.

And last but not least, for those of you based in the Greater Brisbane area and were intending to attend our proposed NAIDOC Week 2021 luncheon, please note we will be sharing a new date for this special event soon. In the meantime, please stay safe and continue to follow the latest Government advice.

Until next week everyone, have a great weekend.

CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability
Date: 2021-06-29
Author: Tenable

[CVE-2021-1675 was patched as part of Microsoft’s Patch Tuesday release on June 8, 2021. See related AusCERT bulletin ASB-2021.0115. Vulnerabilities like this are most likely to be used in targeted attacks, but all users and organizations are encouraged to patch quickly.]
Researchers published and deleted proof-of-concept code for a remote code execution vulnerability in Windows Print Spooler, called PrintNightmare, though the PoC is likely still available.

CISA releases new ransomware self-assessment security audit tool
Date: 2021-06-30
Author: Bleeping Computer

The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET).
RRA is a security audit self-assessment tool for organizations that want to understand better how well they are equipped to defend against and recover from ransomware attacks targeting their information technology (IT), operational technology (OT), or industrial control system (ICS) assets.
This CSET module was tailored by RRA to assess varying levels of ransomware threat readiness to be helpful to all orgs regardless of their cybersecurity maturity.

Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site
Date: 2021-06-28
Author: The Hacker News

Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website.
Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the browser’s built-in feature via Microsoft Translator.

Cyber insurance isn’t helping with cybersecurity, and it might be making the ransomware crisis worse, say researchers
Date: 2021-06-28
Author: ZDNet

“According to a research paper examining cyber insurance and the cybersecurity challenge by defence think tank Royal United Services Institute (RUSI), this practice [paying ransom demands] isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, which warns ransomware has become an existential threat for some insurers.”
Note: this article includes commentary stating that paying a ransomware extortion demand is not illegal. This may not be true in some jurisdictions and readers are encouraged to seek legal counsel.

Cisco ASA vulnerability actively exploited after exploit released
Date: 2021-07-27
Author: Bleeping Computer

Hackers are scanning for and actively exploiting a vulnerability in Cisco ASA devices after a PoC exploit was published on Twitter.
This Cisco ASA vulnerability is cross-site scripting (XSS) vulnerability that is tracked as CVE-2020-3580.
Cisco first disclosed the vulnerability and issued a fix in October 2020. However, the initial patch for CVE-2020-3580 was incomplete, and a further fix was released in April 2021.

ASB-2021-0123 – ALERT Windows Print Spooler: Execute arbitrary code/commands – Existing

Zero-day Vulnerability (PrintNightmare) can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Proof of concept exploit code has reportedly been released.

ESB-2021.2240 – Thunderbird: Multiple vulnerabilities

Thunderbird contained a multitude of vulnerabilties causing reduced security including remote code execution and denial of service.

ESB-2021.2279 – Nessus Agent: Administrator compromise – Existing account

Nessus Agent versions 8.2.5 and earlier were found to contain a privilege escalation vulnerability which could lead to gaining administrator privileges on the Nessus host.

ESB-2021.2297 – htmldoc: Multiple vulnerabilities

A buffer overflow was discovered in HTMLDOC, a HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code and denial of service.

Stay safe, stay patched and have a good weekend!

The AusCERT team