Week in review - 26 Nov 2021

AusCERT Week in Review for 26th November 2021


Did you know that the first known computer virus was called the Creeper Virus? It affected the Advanced Research Projects Agency Network (ARPANET), the precursor to today’s internet.

Since then, cyber attacks have occurred all over the world and have grown in sophistication and potential impact. Tuesday 30 November is Computer Security Day, a timely reminder for individuals and businesses to stay on top of cyber security and ensure the necessary steps are taken to protect their data.

Some suggestions to help you: change your passwords across all platforms, devices and services, and sign up to a trusted password manager so you don’t have to remember them all; update your anti-malware and anti-spyware software; and review your security strategy and best practices with staff, checking that they understand what to do, when and how.

Time is running out to complete the 2021 BDO and AusCERT Cyber Security Survey, closing at midnight on Friday, 3 December 2021.

The 10-minute survey is an opportunity to benchmark your organisation’s cyber security efforts, by gaining access to valuable data and insights into the cyber threats faced by your industry peers.

Don’t forget, survey respondents will go in the draw to win an Apple Watch so, take part now for your chance to win!

Australia has a cybercrime under-reporting problem
Date: 2021-11-22
Author: Consultancy.com.au

When global IT and cybersecurity association ISACA [Information Systems Audit and Control Association] declared that “under-reporting [of] cybercrime – even when disclosure is legally mandated – appears to be the norm” back in 2019, it rang alarm bells and led to a flurry of headlines. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so,” ISACA reported.

GoDaddy’s Latest Breach Affects 1.2M Customers
Date: 2021-11-22
Author: Threat Post

The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

Ransomware warning: Hackers see holidays and weekends as a great time to attack
Date: 2021-11-23
Author: ZDNet

Ahead of Thanksgiving this Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a warning for critical infrastructure providers to stay vigilant over holidays and weekends, because attackers don’t plan on taking a holiday break.
The agencies issued a similar warning in August ahead of the Labor Day weekend, noting that ransomware attackers often launch attacks on holidays and weekends, precisely when businesses are likely to be closed.

Apple sues spyware-maker NSO Group, notifies iOS exploit targets
Date: 2021-11-23
Author: Bleeping Computer

Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech.
The company says the state-sponsored attacks that used NSO’s spyware only targeted “a very small number” of individuals, across multiple platforms, including iOS and Android.
The exploits used to deploy NSO Group’s Pegasus spyware were used to hack and compromise the devices of high-profile targets such as government officials, diplomats, activists, dissidents, academics, and journalists worldwide.

Black Friday: Online retailers exposed to email fraud and domain impersonation
Date: 2021-11-23
Author: Cyber Security Connect

Proofpoint has released new research that found one in four of the top online retailers in Australia are wide open to email fraud and domain impersonation, with only days to go until the Black Friday and Cyber Monday shopping spree.
The study looked at the DMARC (Domain-based Message Authentication, Reporting and Conformance) records of the top 100 shopping websites ranked by Power Retail. It found that 27 companies publish no DMARC record at all, leaving their customers, employees, partners and vendors exposed to emails from scammers posing as trusted retailers. To date, only 16 of the top online retailers have reached the strictest DMARC policy, "reject", which tells receiving mail servers to block messages that fail authentication before they reach inboxes.
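The kind of check Proofpoint's study performs can be scripted. The following Python is an added example, not code from Proofpoint or the original article: it looks up the `_dmarc.<domain>` TXT record through an injected `resolve` callable, so it runs offline against the constructed records below (the domain names and records are invented), and classifies each domain as having no record, an invalid record, monitor-only (`p=none`), a partial policy (`pct` below 100), or a full quarantine/reject policy. It also shows one trap the headline numbers hide: a strict apex policy with `sp=none` still leaves subdomains open to spoofing.

```python
"""Audit the DMARC posture of a list of sending domains.

Added example (not Proofpoint's or the article's code). DNS is reached
through an injected ``resolve`` callable; swap in a real lookup (for
example via dnspython) to audit live domains.
"""
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]  # DNS name -> TXT strings ([] if none)

# Constructed sample zone data: these domains and records are invented.
FAKE_DNS: Dict[str, List[str]] = {
    "_dmarc.shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
    "_dmarc.shop-b.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@shop-b.example"],
    "_dmarc.shop-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop-c.example"],
    # shop-d.example publishes no _dmarc record at all
    "_dmarc.shop-e.example": ["v=spf1 -all"],                  # wrong record type at _dmarc
    "_dmarc.shop-f.example": ["v=DMARC1; p=reject; sp=none"],  # strict apex, open subdomains
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a TXT lookup, served from the constructed zone above."""
    return FAKE_DNS.get(name.lower(), [])


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Return the record's tags, or None if it is not a well-formed DMARC record.

    RFC 7489: tag=value pairs separated by ';', the first tag must be
    v=DMARC1, and a 'p' (policy) tag is required.
    """
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs:
        return None
    tags: Dict[str, str] = {}
    for pair in pairs:
        if "=" not in pair:
            return None
        name, value = pair.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first_tag = pairs[0].split("=", 1)[0].strip().lower()
    if first_tag != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(tags: Dict[str, str], subdomain: bool = False) -> str:
    """Policy a receiver applies: 'sp', when present, overrides 'p' for subdomains."""
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    return policy


def classify(txt_records: List[str], subdomain: bool = False) -> str:
    """Map the TXT strings found at _dmarc.<domain> to a posture label."""
    if not txt_records:
        return "no-dmarc"
    candidates = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    # Something is published at _dmarc but none of it is a DMARC record.
    if not candidates:
        return "invalid"
    # RFC 7489 6.6.3: more than one DMARC record means DMARC is not applied.
    if len(candidates) > 1:
        return "invalid"
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "invalid"
    policy = effective_policy(tags, subdomain)
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if pct < 100:
        return f"partial-{policy}"  # policy applied to only pct% of failing mail
    return policy


def audit(domains: List[str], resolve: Resolver = fake_resolve) -> Dict[str, str]:
    """Return {domain: posture} for each domain's organisational DMARC record."""
    return {d: classify(resolve(f"_dmarc.{d}")) for d in domains}


if __name__ == "__main__":
    sample = ["shop-a.example", "shop-b.example", "shop-c.example",
              "shop-d.example", "shop-e.example", "shop-f.example"]
    for domain, posture in audit(sample).items():
        print(f"{domain:16} {posture}")
```

Only a "reject" (or at least full "quarantine") result for both the apex and its subdomains means spoofed mail from the brand is actually stopped; "monitor-only" counts as a DMARC deployment in surveys but blocks nothing.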

Coin mining, ransomware, APTs target cloud: GCAT report
Date: 2021-11-24
Author: Google Cloud

While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation. Most recently, our internal security teams have responded to cryptocurrency mining abuse, phishing campaigns, and ransomware. Given these specific observations and general threats, organisations that emphasise secure implementation, monitoring and ongoing assurance will be more successful in mitigating these threats, or at least in reducing their overall impact.
The [Threat Horizons] report’s goal is to provide actionable intelligence that enables organisations to ensure their cloud environments are protected against ever-evolving threats. In this and future threat intelligence reports, the Google Cybersecurity Action Team will provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.

ESB-2021.3963 – php72: Root compromise – Existing account

The new update for php72 fixes a local privilege escalation via PHP-FPM and is available for installation now

ESB-2021.3958 – ALERT salt: Multiple vulnerabilities

Multiple security vulnerabilities have been discovered in Salt, the open-source configuration management and remote execution framework

ESB-2021.3965 – MozillaFirefox: Multiple vulnerabilities

Multiple Mozilla Firefox vulnerabilities have been discovered which are capable of resulting in the execution of code

ASB-2021.0242 – Microsoft Edge (Chromium-based): Execute arbitrary code/commands – Remote with user interaction

Microsoft has addressed a Microsoft Edge (Chromium-based) Remote Code Execution vulnerability in its latest update

ESB-2021.3999 – VMware vCenter Server and Cloud Foundation: Multiple vulnerabilities

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware; the new updates address arbitrary file read and SSRF vulnerabilities in the affected products

Stay safe, stay patched and have a good weekend!

The AusCERT team