//Week in review - 28 Jan 2022


This coming Monday, 31 January 2022, AusCERT’s own Impact and Access Assessment is being replaced by the industry standard CVSS score in our Security Bulletins Service. You can filter (or use scripts) for “CVSS (Max)” and “ALERT” to prioritise vulnerability management.

For more info see:

Earlier this week, AusCERT released the latest podcast episode, the first for 2022! We were delighted to have Amy Holden and Garrett O’Hara from Mimecast as our special guests. Amy and Garrett talk about podcasts and communication in cyber including lessons learnt from their podcast “The Get Cyber Resilient Show” as well as Cyber Resilience.

In follow-up, Mike talks about how AusCERT is focused on collaboration and layered security as well as excitement building for AusCERT2022.

Speaking of which, it’s the final call for submissions to this year’s conference. The call for presentations and tutorials closes this Sunday, January 30, and we’re on the lookout for unique topics, extraordinary projects or perhaps a clever way of optimising processes.

So if you, or someone you know, has something to say and would like to share it, complete your submission online. AusCERT is also able to assist in covering the travel and accommodation costs for one speaker per successful submission (conditions apply).

Apple fixes new zero-day exploited to hack macOS, iOS devices
Date: 2022-01-26
Author: Bleeping Computer

Apple has released security updates to fix two zero-day vulnerabilities, with one publicly disclosed and the other exploited in the wild by attackers to hack into iPhones and Macs.
The first zero-day patched today (tracked as CVE-2022-22587) [1, 2] is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey.
Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.

Over 90 WordPress themes, plugins backdoored in supply chain attack
Date: 2022-01-21
Author: Bleeping Computer

[Described in AusCERT bulletin ESB-2022.0325, released Jan 24]
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites.
In total, threat actors compromised 40 themes and 53 plugins belonging to AccessPress, a developer of WordPress add-ons used in over 360,000 active websites.
The attack was discovered by researchers at Jetpack, the creators of a security and optimization tool for WordPress sites, who discovered that a PHP backdoor had been added to the themes and plugins.
Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.

Google warns Aussie libel ruling could force it to censor search results
Date: 2022-01-24
Author: iTnews

Google has warned that it could be forced to “censor” search results if an Australian court ruling, which found it liable for defamatory material contained in hyperlinks, is not overturned.
The web giant made the comments in submissions to the High Court, where it is appealing a defamation ruling that saw $40,000 in damages awarded to prominent Victorian criminal lawyer George Defteros.

Staying insurable for your cyber security insurance policy
Date: 2022-01-25
Author: Consultancy

As the risk of cyber threats and its impact continues to rise, insurance companies are tightening their policy conditions. Murray Mills, a Manager at Tecala, outlines what Australian organisations can do to stay insurable against the threat of ransomware and other attacks.
Growing increasingly tired of the operating environment, and in particular, the never-ending flood of ransomware infections, are the insurers whose role it often is to help victim organisations pick up the pieces and pay for much of the damage done. In 2022 changes to how insurers assess risk and determine premiums and coverage could become a problem for some organisations.

Prime Minister Scott Morrison’s WeChat account is hijacked and renamed
Date: 2022-01-24
Author: ABC News

Senior Coalition MPs have accused China’s government of foreign interference after the Prime Minister’s account on the ubiquitous Chinese language messaging app WeChat was hijacked.
As first reported by NewsCorp Australia, Scott Morrison’s account on the massive Chinese social media platform WeChat has been renamed and the account description changed.

Singapore gives banks two-week deadline to fix SMS security
Date: 2022-01-20
Author: The Register

A widespread phishing operation targeting Southeast Asia’s second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry.
Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling off period, customers must be notified of any request to change their contact details, and fund transfer threshold will by default be set to SG$100 ($74) or lower.

How I Got Pwned by My Cloud Costs
Date: 2022-01-24
Author: Troy Hunt

I have been, and still remain, a massive proponent of “the cloud”. I built Have I Been Pwned (HIBP) as a cloud-first service that took advantage of modern cloud paradigms such as Azure Table Storage to massively drive down costs at crazy levels of performance I never could have achieved before. I wrote many blog posts about doing big things for small dollars and did talks all over the world about the great success I’d had with these approaches. One such talk was How I Pwned My Cloud Costs so it seems apt that today, I write about the exact opposite: how my cloud costs pwned me.
It all started with my monthly Azure bill for December which was way over what it would normally be. It only took a moment to find the problem.

Linux version of LockBit ransomware targets VMware ESXi servers
Date: 2022-01-26
Author: Bleeping Computer

LockBit is the latest ransomware gang whose Linux encryptor has been discovered to be focusing on the encryption of VMware ESXi virtual machines.
The enterprise is increasingly moving to virtual machines to save computer resources, consolidate servers, and for easier backups.
Due to this, ransomware gangs have evolved their tactics to create Linux encryptors that specifically target the popular VMware vSphere and ESXi virtualization platforms over the past year.

ESB-2022.0329 – chromium: Multiple vulnerabilities

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure

ESB-2022.0346 – ipython: Execute arbitrary code/commands – Existing account

A potential arbitrary code execution vulnerability discovered in IPython (the interactive Python shell)

ESB-2022.0352 – polkit: Increased privileges – Existing account

Polkit vulnerability provides increased privileges on Linux systems

ESB-2022.0399 – ALERT macOS Monterey 12.2: Multiple vulnerabilities

Apple releases multiple updates including for macOS Monterey 12.2

ASB-2022.0048 – AusCERT Bulletin Impact /Access Assessment to CVSS Migration

AusCERT’s own Impact and Access Assessment is being replaced by the industry standard CVSS score in our Security Bulletins Service. You can filter (or use scripts) for “CVSS (Max)” and “ALERT” to prioritise vulnerability management

Stay safe, stay patched and have a good weekend!

The AusCERT team