AusCERT Week in Review for 13th August 2021


Anyone else feel like we are stuck in Groundhog Day? Another Patch Tuesday and PrintNightmare refuses to leave us.

Microsoft released updates for at least 44 security vulnerabilities, including another Print Spooler flaw. Since the update earlier this week, another bug has been identified with no patch yet released. For more details and a workaround, check out this great write-up from ZDNet.

Following on from Apple's announcement last week about their new technology for scanning individual users’ iCloud photos for Child Sexual Abuse Material (CSAM), check out the Schneier on Security blog for a great collation of articles and information.

We are excited to share Episode 4 of the AusCERT “Share today, save tomorrow” podcast series! Episode 4, titled “Cyber security awareness and team culture”, features Brian Hay from Cultural Cyber Security and Tracey Weeks from Queensland Health.

The AusCERT podcast can be found on Spotify, Apple Podcasts and Google Podcasts.

Have a great weekend everyone.

Microsoft Exchange servers scanned for ProxyShell vulnerability; patch now
Date: 2021-08-07
Author: Bleeping Computer

[See ASB-2021.0127 and 0103]
Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference.
ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together. […] While both CVE-2021-34473 and CVE-2021-34523 were first disclosed in July, they were actually quietly patched in April’s Microsoft Exchange KB5001779 cumulative update.
Threat actors are actively trying to exploit this vulnerability, with little success so far. However, it is only a matter of time until successful exploitation is achieved in the wild.

Microsoft fixes Windows Print Spooler PrintNightmare vulnerability
Date: 2021-08-10
Author: Bleeping Computer

Microsoft has fixed the PrintNightmare vulnerability in the Windows Print Spooler by requiring users to have administrative privileges when using the Point and Print feature to install printer drivers.
In June, a security researcher accidentally disclosed a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527). When exploited, this vulnerability allowed remote code execution and the ability to gain local SYSTEM privileges.
Microsoft soon released a security update that fixed the remote code execution component but not the local elevation of privileges portion.
However, researchers quickly found that it was possible to exploit the Point and Print feature to install malicious print drivers that allowed low-privileged users to gain SYSTEM privileges in Windows.
Microsoft warns that this change may impact organizations that previously allowed non-elevated users to add or update printer drivers, as they will no longer be able to do so.

Opinion: Why Australia’s Online Safety Act is an abdication of responsibility
Date: 2021-08-12
Author: ZDNet

The Australian government reckons the internet is full of bad things and bad people, so it must therefore surveil everyone all the time in case anyone sees the badness — but someone else can figure out the details and make it work.
This brain package always includes two naive and demonstrably false beliefs.
One is that safe backdoors exist so that all the good guys can come and go as they please without any of the bad guys being able to do the same.
The other is that everyone will be nice to each other if we know their names.
This big bad box of baloney blipped up again this week as part of the government’s consultation for the Online Safety (Basic Online Safety Expectations) Determination 2021 (BOSE) — the more detailed rules for how the somewhat rushed new Online Safety Act 2021 will work.

FlyTrap Android Malware Used to Compromise Facebook Accounts
Date: 2021-08-10
Author: PCMag Australia

Zimperium has revealed new Android malware said to have compromised the Facebook accounts of more than 10,000 people across 144 countries since March. The company dubbed this malware FlyTrap and said that until recently it was listed on the official Google Play Store.
FlyTrap masqueraded as a variety of mobile apps dedicated to “free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium said, and “tricked users into downloading and trusting the application with high-quality designs and social engineering” before attempting to gain access to their Facebook accounts.

Hacker is returning $600M in crypto, claiming theft was just “for fun”
Date: 2021-08-13
Author: Ars Technica

The hacker who breached the Poly Network crypto platform says the theft was just “for fun :)” and that the hacker is now returning the stolen coins. The hacker also claimed that the tokens had been transferred to the hacker’s own wallets to “keep it safe.”

ESB-2021.2679 – MISP: Cross-site scripting – Remote with user interaction

MISP 2.4.148 has been released, including many bug fixes along with security fixes.

ASB-2021.0168 – Microsoft Office Products & Services and Web App Products: Multiple vulnerabilities

SOC analyst: Are you going to fix PrintNightmare, Microsoft? Microsoft: No sir! But here is something you also need to worry about.

ASB-2021.0173 – Azure Products: Multiple vulnerabilities

SOC analyst: *finally finished with the update of Office Products* Microsoft: Excuse me sir! This one too.

ASB-2021.0174 – Microsoft Print Spooler: Execute arbitrary code/commands – Existing account

SOC analyst: OK! I have patched the Office and Azure products. PrintNightmare: Did you miss me?

ESB-2021.2686 – Firefox: Multiple vulnerabilities

Chrome: We have released multiple patches this month. Firefox: Hold my beer!

ESB-2021.2705 – Intel Ethernet Linux Driver: Multiple vulnerabilities

Potential security vulnerabilities in some Intel Ethernet Controllers have been addressed in the recent update. Win/Mac users: Oh no! Anyway!

Stay safe, stay patched and have a good weekend!

Bek and Narayan on behalf of
The AusCERT team