19 May 2023

Week in review

Greetings,

Although our bodies are feeling a bit worse for wear from last week’s conference our minds are buzzing with new information, skills, and possibilities! After the amazing week we had last week it’s safe to say the AUSCERT team was a little slower this week, taking vital time to rest and recover after all the shenanigans. Although it was all worth it to catch up with past members, meet new members and strengthen our community bond! In addition to providing cutting-edge education, one of the most significant attractions of the conference lies in its vibrant community, fostering idea sharing and facilitating valuable networking opportunities.

Google has sparked a lot of controversy with its roll out of new ‘.zip’ and ‘.mov’ top level domains (TLDs). The reason for the concern is that these domains are commonly used for file extensions and may aid threat actors in misleading potential victims. Cybersecurity researchers and professionals are concerned that this will add unnecessary risk to an already risky environment and increase phishing scams and malware downloads. Threat actors could potentially obtain a ZIP domain with the same name as other trusted brands and create fake sites to manipulate unknowing consumers into providing personal information or transferring funds. This has triggered a controversial debate online with many researchers also rebutting these arguments and claiming it’s not that bad and everyone shouldn’t panic. Google mimicked these arguments by saying it takes phishing and malware seriously and has existing mechanisms in place to protect users if new threats emerge. Only time will tell whether this was a smart move by Google or whether it will give further ammunition to scammers.

In more positive news, the federal government has announced it will spend $58 million to create the national anti-scams centre to report scams and distribute information more efficiently to banks, law enforcement and vulnerable communities. This will facilitate faster responses to reported scams by establishing a team of industry and law enforcement experts to act efficiently on scam trends. After the ACCC reported a loss of billions due to scams last year, the government and banks have been put under considerable pressure by consumers to develop safer systems, including a new method of dealing with fraudulent transactions. The Australian Banking Association has announced its new digital platform called ‘Fraud Reporting Exchange’, which will allow banks to share information about scam transactions quickly between each other. At least we are taking steps in the right direction to work together to put a stop to scammers.


TechnologyOne still investigating impact of M365 cyber incident
Date: 2023-05-12
Author: iTnews

TechnologyOne said it had managed to contain an incident that impacted its internally-used Microsoft 365 instance earlier this week, and that the system is operating again.
In an update [pdf], the software maker said M365 was “successfully restored and is fully operational”.
On Wednesday, TechnologyOne disclosed there had been unauthorised access to its M365 instance.
It said that “security experts” had since “confirmed our Microsoft 365 system is secure”.

Google's .zip Top Level domain is already used in phishing attacks
Date: 2023-05-15
Author: ghacks.net

Google released the top-level domain .zip to the public recently, which means that interested organizations and users may register .zip domains. Cyber criminals are already using .zip domains in phishing campaigns.
According to the SANS Internet Storm Center, about 1230 names have been registered so far. The top level domain was approved in 2014 but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions.
It seems that Google has reduced the registration price to $15 per year for a .zip domain last week, which appears to be less than halve the previous price.

Drug and alcohol tests of graduate paramedics revealed in Ambulance Victoria data breach
Date: 2023-05-12
Author: The Guardian

The confidential drug and alcohol test results of graduate paramedics were available for every Ambulance Victoria staff member to view under a significant breach that has been reported to the state’s privacy watchdog.
The Ambulance Victoria chief executive, Jane Miller, confirmed on Friday afternoon that the “unacceptable” breach involved 600 test results relating to a “few hundred” people, and offered her unreserved apology to those impacted.

Parental control app with 5 million downloads vulnerable to attacks
Date: 2023-05-16
Author: Bleeping Computer

Kiddowares 'Parental Control – Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing.
The Kids Place app is a parental control suite with 5 million downloads on Google Play, offering monitoring and geolocation capabilities, internet access and purchasing restrictions, screen time management, harmful content blocking, remote device access, and more.

MalasLocker ransomware targets Zimbra servers, demands charity donation
Date: 2023-05-17
Author: Bleeping Computer

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

Microsoft is scanning the inside of password-protected zip files for malware
Date: 2023-05-16
Author: Ars Technica

Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday.
Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.


ESB-2023.2867 – WordPress: CVSS (Max): None

WordPress released WordPress 6.2.1 that features 20 bug fixes in Core and 10 bug fixes for the block editor.

ESB-2023.2892 – Cisco Small Business Series Switches: CVSS (Max): 9.8

Cisco has released software updates that address multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches.

ESB-2023.2910 – Google Chrome: CVSS (Max): None

Google released Chrome 113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows that contains 12 security fixes.

ESB-2023.2911 – Jenkins Plugins: CVSS (Max): 8.8

Multiple vulnerabilities affecting various Jenkins plugins have been addressed by Jenkins


Stay safe, stay patched and have a good weekend!

The AUSCERT team