AusCERT Week in Review for 19th June 2020

//Week in review - 19 Jun 2020

AusCERT Week in Review for 19th June 2020

Greetings,

Another busy week for everyone, no doubt.

A couple of emails would have landed in your inbox this week: an update on our member tokens for Virtual AusCERT2020 and the June edition of our member newsletter aka The Feed. Be sure to catch up on these details and let us know if you have any further queries and such.

A few important advisories we wanted to highlight for this week:

The ACSC has issued threat advice relating to the targeting of Australian governments and companies by a sophisticated state-based actor.. We’ve provided further commentary on this via our blog HERE.
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack (known as the Ripple20), our AusCERT bulletin below.
Adobe has released out-of-band security updates to address 18 critical flaws, see highlighted bulletins below.

And with that, we hope that everyone implements these latest patches and start enforcing multi-factor authentication across all areas of your business.

We hope everyone enjoys a safe and restful weekend, until our next Week in Review edition!

…

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks
Date: 2020-06-19
Author: ACSC | Cyber.gov.au

The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor.

Active ransomware campaign leveraging remote access technologies
Date: 2020-06-16
Author: CERT-NZ

We are aware of attackers accessing organisations’ networks through remote access systems such as remote desktop protocol and virtual private networks, as a way to create ransomware attack opportunities. They are gaining access through weak passwords, organisations not using multi-factor authentication as an extra layer of security, or a remote access system that isn’t patched.
The current attacks are believed to be sophisticated and well crafted. These attacks can have severe impacts on business operations, including data being stolen and sold. Recovery from these attacks requires significant investment to fully investigate and remediate the network compromised, and restore encrypted files from backup.

Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks
Date: 2020-06-16
Author: SecurityWeek

[See AusCERT bulletin ESB-2020.2090]
Millions of IoT devices worldwide could be vulnerable to remote attacks due to serious security flaws affecting the Treck TCP/IP stack, Israel-based cybersecurity company JSOF warned on Tuesday.
Treck TCP/IP is a high-performance TCP/IP protocol suite designed specifically for embedded systems. JSOF researchers have discovered that the product is affected by a total of 19 vulnerabilities, which they collectively track as Ripple20.
The vulnerabilities rated critical and high-severity can be exploited for remote code execution, denial-of-service attacks, and for obtaining potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.

Privacy confusion over COVID Safe Checklist rules for hospitality venues
Date: 2020-06-14
Author: ABC News

Notebooks, spreadsheets and paper forms used to collect personal information at cafes and restaurants are creating fears about privacy breaches and safety concerns.
Queensland Council of Civil Liberties president Michael Cope says State Government guidelines about how businesses must collect and store information about customers are not clear enough.
The COVID Safe Checklist for businesses requires that they keep contact information for all customers, workers and contractors, including names, addresses and mobile phone numbers for at least 56 days.
This information is to be “captured and stored confidentially and securely”.

No, that wasn’t a DDoS attack, just a cellular outage
Date: 2020-06-16
Author: CyberScoop

Neville Ray, chief technology officer at T-Mobile, said Tuesday that the company had fixed the issues.
Security experts quickly pinned the issue on T-Mobile network configuration issues which resulted in the hours of downtime for customers, rather than a malicious DDoS meant to knock services offline by flooding them with internet traffic. Instead of acknowledging the more complicated reality, Anonymous amplified screenshots of a DDoS attack map that the security firm Arbor Networks uses as marketing to create interest in its product.

ESB-2020.2077 – APSB20-37 Security update available for Adobe Illustrator

Adobe released updates for multiple products this week.

ESB-2020.2090 – ICS Advisory (ICSA-20-168-01) Treck TCP/IP Stack

Possibly millions of systems affected.

ESB-2020.2116 – Cisco Webex Meetings Desktop App Vulnerabilities

Cisco released numerous updates this week.

ESB-2020.2104 – New BIND releases are available

The recent BIND vulnerabilities affect multiple products.

Stay safe, stay patched and have a good weekend!

The AusCERT Team.