//Week in review - 9 Sep 2022


The Asia Pacific Computer Emergency Response Team (APCERT) recently conducted its annual drill, a means of maintaining and improving awareness and skills within the cyber security community through this collaborative undertaking.

The APCERT drill aims to maintain and progress internet security and safety with the exercise, allowing participants to improve communication protocols, technical responses, and the overall quality of incident responses.
Our recent blog provides insight into what took place and what was learnt, including solutions to real-world situations and challenges.

You can read more about this year’s APCERT Cyber Drill HERE.

R U OK? Day was held yesterday, September 8, which promoted the power and importance a question can have. It has been demonstrated that a conversation can change a life and we at AusCERT had one of our own with Dr Carla Rogers.

A renowned Holistic Psychologist, Dr Rogers is featured in our latest episode of Share Today, Save Tomorrow where she discusses the connection between mind and body along with techniques to help individuals identify, treat and overcome challenges in the workplace.

Lastly, AusCERT is really interested in how you and your organisation use Cyber Threat Intelligence (CTI). We want to know about this to inform the services we provide to our members, and to ensure we’re doing the best we can to meet your needs.

We’re running some short (1 hour) information gathering sessions via video conference so we can pick your brain about CTI.

What’s in it for you?

  • You’ll get to contribute your opinion about CTI so we can improve the services we provide to you and your organisation.
  • You’ll have the opportunity to exchange information with other AusCERT members and learn from their experiences.
  • You’ll get the lovely warm* inner glow that comes from knowing you have performed a good deed by helping us help you.

Please register your interest here.

*Actual amount of warm inner glow varies from person to person.

Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability
Date: 2022-09-03
Author: The Hacker News

[Refer to Security Bulletin ESB-2022.4344]
Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild.
The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validating in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).
An anonymous researcher has been credited with reporting the high-severity flaw on August 30, 2022.

New EvilProxy service lets all hackers use advanced phishing tactics
Date: 2022-09-05
Author: Bleeping Computer

A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI.
The service enables low-skill threat actors who don’t know how to set up reverse proxies to steal online accounts that are otherwise well-protected.
Reverse proxies are servers that sit between the targeted victim and a legitimate authentication endpoint, such as a company’s login form. When the victim connects to a phishing page, the reverse proxy displays the legitimate login form, forwards requests, and returns responses from the company’s website.

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan
Date: 2022-09-05
Author: The Hacker News

The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps.
“This new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware,” NCC Group’s Fox-IT said in a report. “Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.”
The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria.

Home Affairs Could Be Looking Into TikTok’s Data Practices
Date: 2022-09-05
Author: Gizmodo

Back in July, we brought it to your attention that an investigation found that using TikTok on your phone gives the app access to your personal information. A lot of it, in fact.
Analysis by Australian cybersecurity firm Internet 2.0 found TikTok requests almost complete access to the contents of a phone while the app is in use. That data includes calendar, contact lists and photos.
As a result, the Australian Department of Home Affairs is going to be looking into the data harvesting practices of both TikTok and WeChat.

QNAP patches zero-day used in new Deadbolt ransomware attacks
Date: 2022-09-05
Author: Bleeping Computer

QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station.
The company has patched the security flaw but attacks continue today.
“QNAP® Systems, Inc. today detected the security threat DEADBOLT leveraging exploitation of Photo Station vulnerability to encrypt QNAP NAS that are directly connected to the Internet,” explains the security notice.

Ransomware gang’s Cobalt Strike servers DDoSed with anti-Russia messages
Date: 2022-09-07
Author: Bleeping Computer

Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity.
The operators of Conti ransomware completed turning off their internal infrastructure in May this year but its members have dispersed to other ransomware gangs, such as Quantum, Hive, and BlackCat.
However, former Conti members continue to use the same Cobalt Strike infrastructure to conduct new attacks under other ransomware operations.

Microsoft mistakenly rated Chromium, Electron, as malware
Date: 2022-09-05
Author: The Register

Microsoft appears to have fixed a problem that saw its Defender antivirus program identify apps based on the Chromium browser engine and/or Electron JavaScript framework as malware, and suggest users remove them.
Numerous social media and forum posts made over the weekend detail how Windows has produced a warning of “Behavior:Win32/Hive.ZY” when users run everyday applications like Google’s Chrome browser or the Spotify music streamer.

ESB-2022.4345 – WordPress: CVSS (Max): None

WordPress has released WordPress 6.0.2 which includes 12 bug fixes on Core, 5 bug fixes for the Block Editor, and 3 security fixes.

ESB-2022.4460 – Android OS: CVSS (Max): 9.8*

Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform.
Google encourages all users to update to the latest version of Android where possible.

ESB-2022.4472 – Linux kernel (Raspberry Pi): CVSS (Max): 8.2

Ubuntu reports the security issues detected in Linux kernel for Raspberry Pi systems can be fixed by applying the latest updates.

Stay safe, stay patched and have a good weekend!

The AusCERT team