//Week in review - 10 Dec 2021

AusCERT Week in Review for 10th December 2021


The Call for Presentations for the AusCERT2022 Conference is NOW OPEN. The Conference will be held as a hybrid event from Tuesday, 10th May – Friday, 13th May 2022 at The Star Gold Coast, Broadbeach and online via the OnAIR Virtual Conferencing Platform.

If you or someone you know has a great story to tell, we would like to hear it!

It could be something unique to say on a topic of interest to our community or, an extraordinary project that others would benefit from. Perhaps it’s a clever way of optimising a process that is otherwise time-consuming?

Submit to AusCERT2022. Call for Presentations and Tutorials, due in January 2022. Submit by 10 January to receive feedback from our committee for further improvements before the final deadline of 30 January.

AusCERT was proud to be a Bronze sponsor of the 2021 Australian Women in Security Awards which were handed out earlier this week.

Once a year, the security industry gathers to celebrate and raise the profile of the Australian IT Security, Cyber, and Protective Security industry to inspire young women and men to consider a career in this sector.

This is done by honouring their accomplishments, value, and contributions to the Australian market and giving the recognition they deserve.

This week, it was announced that Queensland borders would open to the rest of Australia on Monday, December 13 at 1:00am. As part of the ongoing focus on community safety, we’re all being reminded and encouraged to check-in when out and about in the community.

With the growth in the number of phishing messages delivered to smart phones, it’s imperative to use the official apps from respective government bodies when visiting venues and using services (such as ride share).

Queensland government energy generator says ransomware attack not state-based
Date: 2021-12-09
Author: ZDNet

Queensland government-owned energy generator CS Energy provided an update on Wednesday that those behind its November ransomware incident was unlikely to be a state-based actor.
On the same morning, Sydney’s Daily Telegraph landed with a front page claiming China was behind the incident.
Thanks to the appearance of CS Energy on a leak site listing victims of Conti ransomware run by the Wizard Spider group for the purposes of double extortion, the claims made by News Limited would appear to be unfounded.

Emotet now drops Cobalt Strike, fast forwards ransomware attacks
Date: 2021-12-07
Author: Bleeping Computer

In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which is then used to steal email and deploy further malware on the device.
Historically, Emotet would install the TrickBot or Qbot trojans on infected devices. These Trojans would eventually deploy Cobalt Strike on an infected device or perform other malicious behaviour.

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks
Date: 2021-12-07
Author: Ars Technica

Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.
[…] The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Hackers infect random WordPress plugins to steal credit cards
Date: 2021-12-08
Author: Bleeping Computer

According to a new report by Sucuri, hackers performing credit card theft are first hacking into WordPress sites and injecting a backdoor into the website for persistence.
These backdoors allow the hackers to retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins.
When the attackers use the backdoor in the future, it will scan for a list of administrator users and use their authorization cookie and current user login to access the site.

AWS outage impacts Ring, Netflix, and Amazon deliveries
Date: 2021-12-07
Author: Bleeping Computer

Amazon AWS in the US-EAST-1 Region is suffering an outage that affected numerous online services, including Ring, Netflix, Amazon Prime Video, and Roku.
The ongoing outage started at approximately 12 PM EST and is caused by problematic network equipment affecting the US-EAST-1 AWS region, which feeds a good portion of the connectivity for people in the northeastern part of the United States.

FBI warning: Hackers targeting flaw in Zoho ManageEngine ServiceDesk Plus
Date: 2021-12-03
Author: ZDNet

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are warning about the ‘active exploitation’ of a bug in Zoho ManageEngine ServiceDesk Plus before 11306.
“Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration,” CISA and the FBI note about the vulnerability tracked as CVE-2021-44077.

Cryptocurrency scams targeting Australians as scammers bank more than $100 million
Date: 2021-12-08
Author: ABC News

Australian Federal Police say cryptocurrency scams have “exploded” during the pandemic, with new figures from the Australian consumer watchdog showing a 172 per cent increase in losses between January and November this year, totalling $109 million.
The scams are run by global syndicates, and the money trail is murkier than ever.

A mysterious threat actor is running hundreds of malicious Tor relays
Date: 2021-12-03
Author: The Record

Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.
Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.
Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.

ASB-2021.0244 – ALERT log4j: Execute arbitrary code/commands – Remote/unauthenticated

log4j, a popular java logging package, has been reported to be vulnerable to remote code execution

ESB-2021.4107 – NGINX ModSecurity WAF: Denial of service – Existing account

An attacker using specifically formatted JSON messages can cause high resource utilization and potentially denial-of-service (DoS) on NGINX ModSecurity WAF

ESB-2021.4120 – openssh: Increased privileges – Existing account

Openssh privilege escalation vulnerability fixed on newest SUSE security update

ESB-2021.4131 – Wireshark: Denial of service – Remote with user interaction

Wireshark network protocol analyzer tool released a new update that fixes 8 vulnerabilities

ESB-2021.4160 – Firefox and Firefox ESR : Multiple vulnerabilities

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash

Stay safe, stay patched and have a good weekend!

The AusCERT team