2 June 2022 – “Follina” Critical Cyber alert in Microsoft Support Diagnostic Tool (MSDT)

A critically rated vulnerability with the Microsoft Windows Support Diagnostic Tool (MSDT) requires urgent investigation and action by organisations that use Microsoft Windows with MSDT enabled.

What is the vulnerability?

The vulnerability, known as “Follina” or CVE-2022-30190, is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). So far it has only been observed being exploited via malicious Microsoft Word documents, but it could also be exploited via other Office applications or delivery techniques as attacks develop.

Why should I be concerned?

A remote code execution vulnerability enables a third party to remotely access your system and potentially view, change or delete data, gain on-going access to your server/network and launch future attacks, such as a ransomware attack. In this case the word “remote” refers to the location of the attacker; the exploit itself runs locally on the victim’s machine. For example, social engineering could be used to convince a victim to download and open a specially crafted file from a website, which then triggers the exploit on their computer.

Cybercriminals frequently use security weaknesses in computer software to get access to your computer and the information on it. There are several reports of this vulnerability being actively exploited online and swift action is encouraged, as cybercriminals can maintain access even after patching, once a system is compromised.

Who is affected?

The ACSC is aware of active exploitation of the Follina vulnerability targeting Australian organisations, as detailed in its advisory. Any organisation that has the Microsoft Support Diagnostic Tool (MSDT) enabled on its Windows-based machines is affected.

The vulnerability is currently being exploited via malicious Microsoft Word documents. It is important to note that disabling Microsoft Office macros does not prevent exploitation of this vulnerability.

What can I do?

A patch is not currently available. The ACSC advisory recommends that impacted organisations review their system configurations and follow Microsoft’s guidance on implementing a workaround until a patch is made available. This includes:

Further information

For more information or ongoing updates, you can refer to the advisory published by the ACSC or visit Microsoft’s Security Response Centre website.

For more guidance on how to manage vulnerabilities, refer to further information published by the ACSC, and consider registering as a partner to receive ongoing updates and alerts.

28 Feb 2022 - ACSC Alert – Urgent alert for Australian organisations to adopt an enhanced cyber security posture.

Cyber tactics used in current global conflicts have the potential to spill over into non-conflict regions globally. Organisations should be alert, and ensure adequate protections are in place.

What is the concern?

The Australian Cyber Security Centre (ACSC) is aware of reporting that threat actors have deployed destructive malware to target organisations in Ukraine.

Destructive malware aims to disable computer systems rendering them useless and can present a threat to an organisation’s daily operations, by impacting the availability of systems and critical business data.

The ACSC is concerned that malicious cyber activity could impact Australian organisations through unintended disruption or uncontained malicious cyber activities.

Who is affected?

The ACSC has advised that threat actors have claimed they will target unspecified critical infrastructure. However, the ACSC has also advised that all Australian organisations should continue to maintain vigilance and urgently adopt an enhanced cyber security posture.

What can I do?

The ACSC recommends that organisations implement the Essential Eight mitigation strategies.

Some general guidance that organisations should consider includes:

  • Ensure you have an offline backup of critical files/systems and a tested method of restoring them.
  • Ensure you have a routine process for installing device and software updates.
  • Ensure staff have increased awareness against phishing campaigns, particularly via email.
  • Ensure your business continuity plans reflect situations where some or all of your systems are unavailable for extended periods of time.

As the situation is continually evolving, continue to review the on-going and updated technical advice at cyber.gov.au.

Further information

For more information you can refer to the alert published by the ACSC, and consider registering as a partner to receive ongoing updates and future alerts.

15 December 2021 – “Log4Shell” Critical Cyber alert for Java-based software

A critically rated vulnerability in the Apache Log4j2 library requires urgent investigation and action by organisations that run Java-based applications or servers.

What is the vulnerability?

The vulnerability, known as “Log4Shell” or CVE-2021-44228, is a remote code execution vulnerability in the Apache Log4j2 library, which is one of the most widely used Java-based logging utilities globally. Because the library is embedded in many popular frameworks, a large number of third-party applications may also be vulnerable.

Why should I be concerned?

A remote code execution vulnerability enables a third party to remotely access your system and potentially view, change or delete data, gain on-going access to your server/network and launch future attacks, like a ransomware attack.

Cybercriminals frequently use security weaknesses in computer software to get access to your computer and the information on it. There are several reports of this vulnerability being actively exploited online, and this is almost certain to increase over the holiday period. Swift action is encouraged, because once a system is compromised, cybercriminals can maintain access even after patching.

Who is affected?

Any organisation running Java-based applications that use the Apache Log4j2 library is affected. This includes bespoke software, but also extends to software or applications run by third-party software providers. A link to a summary of vulnerable and patchable software is hosted on GitHub and available through the Australian Cyber Security Centre (ACSC) alert page. If you or your organisation have developed custom software, review it to determine whether it is also vulnerable.

For individuals, Log4j2 is almost certainly a part of the apps or online services you use day-to-day. The best way to protect yourself personally is to ensure your devices and apps are as up to date as possible, particularly over the next few weeks.

What can I do?

The ACSC recommends that organisations using Apache Log4j2 update to the latest available version. Where a patch cannot be applied immediately, Australian organisations should make use of the mitigations recommended by the ACSC.

If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.
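Reviewing custom or third-party software for a bundled copy of log4j-core is the first step in both the "Who is affected?" and "What can I do?" sections above. The following scanner is an added example written for this page; it is not ACSC, Apache or Microsoft code. It walks a directory of JAR/WAR/EAR archives, recurses into nested archives (fat JARs and WARs bundle their libraries), and reports the log4j-core version found. It assumes the standard Maven metadata path that log4j-core ships inside its JAR, uses the presence of the `JndiLookup` class as a fallback indicator when that metadata has been stripped, and treats 2.x releases below 2.15.0 as affected by CVE-2021-44228, which is the version Apache released as the first fix. The sample archives it builds are constructed in memory for demonstration only.

```python
"""Inventory scanner for bundled log4j-core (added example, not ACSC or Apache code)."""
import io
import re
import zipfile
from pathlib import Path

# Maven metadata that log4j-core ships inside its JAR; the version is read from it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Presence of this class indicates log4j-core 2.x is bundled even if Maven metadata was stripped.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Apache's first fix for CVE-2021-44228 was log4j-core 2.15.0; 2.x releases below it are affected.
FIRST_FIXED = (2, 15, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_NESTING = 4  # Archives nested inside archives; stop recursing beyond this depth.


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if the string is not parseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True for log4j-core 2.x below 2.15.0, False otherwise, None if the version is unparseable."""
    vt = version_tuple(version)
    if vt is None:
        return None
    return vt[0] == 2 and vt < FIRST_FIXED


def scan_archive(data, name, findings=None, depth=0):
    """Inspect one archive held in memory, then recurse into any nested archives it contains."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # Not a ZIP container: nothing to inspect.
    members = set(zf.namelist())
    version = None
    if POM_PROPS in members:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_LOOKUP in members:
        findings.append({
            "archive": name,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in members,
            "affected": is_affected(version) if version else None,
        })
    if depth < MAX_NESTING:
        for member in sorted(members):
            if member.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(member), f"{name}!{member}", findings, depth + 1)
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive found under it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_jar(version=None, include_lookup=False, nested=None):
    """Constructed in-memory archive for demonstration; the class bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n"
                                   f"version={version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"placeholder-not-a-real-class")
        for member_name, member_bytes in (nested or {}).items():
            zf.writestr(member_name, member_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a vulnerable library, a WAR bundling it, and a patched copy.
    vulnerable = build_sample_jar("2.14.1", include_lookup=True)
    webapp = build_sample_jar(nested={"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable})
    patched = build_sample_jar("2.17.1", include_lookup=True)
    for archive_name, blob in [("app.war", webapp), ("patched.jar", patched)]:
        for finding in scan_archive(blob, archive_name):
            print(finding)
```

A hit with `"affected": True` means a vulnerable log4j-core build is present on disk; it does not by itself prove the application logs attacker-controlled input, so treat it as a prioritisation signal for patching rather than a confirmed compromise. A hit with `"version": None` but `"jndi_lookup_present": True` is a shaded or repackaged copy whose version must be confirmed by other means, and copies that were relocated under a different package name will not be found at all, so the scan complements rather than replaces the vendor advisories linked above.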

Further information

For ongoing updates, you can refer to the guidance published by the ACSC or visit the “Log4Shell” vulnerability website.

For more guidance on how to manage vulnerabilities, refer to further information published by the ACSC, and consider registering as a partner to receive ongoing updates and alerts.

14 July 2021 - Cyber alert for Windows Print Spooler

All Microsoft users must urgently apply updates to stay safe and prevent unauthorised remote access.

A vulnerability with the Print Spooler service requires urgent action by users of all Windows operating systems.

What is the vulnerability?

The Print Spooler “PrintNightmare” vulnerability (CVE-2021-34527) is a remote code execution vulnerability which, if exploited, could enable an unwanted third party to remotely access your system and potentially view, change or delete data, or create new accounts with a high level of permissions.

It is related to two other Print Spooler vulnerabilities, CVE-2021-1675 and CVE-2021-36958.

What to do

Microsoft recommends that you check now for system updates on any device running any version of Microsoft Windows, at work and at home, and download and install them immediately.

You can refer to the guidance published by Microsoft about this issue for more information, including additional protective measures to ensure your system is secure.

Applying these updates is a process called “patching”, part of vulnerability management; it is an important protective measure to keep yourself, your family, your business and your customers safe.

Why do I need to pay attention? 

Cybercriminals frequently use security weaknesses in computer software to get access to your computer and the information on it. They can exploit these weaknesses to deliver, install and run malicious code, and get access to your emails and other information to steal it or hold it to ransom.

Tips for keeping your internet-connected devices up to date

  1. Ensure that you’re running the latest version of your operating system (e.g. Windows, macOS, iOS or Android) on all your computers, laptops, tablets, phones and any other internet-connected devices; consider upgrading or replacing devices that can no longer be updated with newer models.
  2. Ensure that you’re running the latest version of any applications installed, and uninstall any applications that are no longer needed.
  3. Switch on automatic updates for your operating systems and applications if they’re available. You may wish to refer to the Australian Cyber Security Centre’s guides on how to do this.
  4. Create an inventory of all of your internet-connected devices and the software (operating systems and applications) running on them, and periodically review the list, including when each item was last updated.
  5. Monitor for potential threats and be ready to install updates as soon as they become available.

For more guidance on how to manage vulnerabilities, refer to further information published by the Australian Cyber Security Centre.

Microsoft Exchange Server vulnerability

  • UPDATE: On 13 April 2021 Microsoft released security updates to mitigate significant newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019.

    The new vulnerabilities are: 

    The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise.

    The vulnerabilities previously identified were: 

    • CVE-2021-26855 - server-side request forgery (SSRF) vulnerability in Exchange.
    • CVE-2021-26857 - insecure deserialization vulnerability in the Unified Messaging service.
    • CVE-2021-26858 - post-authentication arbitrary file write vulnerability in Exchange.
    • CVE-2021-27065 - post-authentication arbitrary file write vulnerability in Exchange.


  • What do I need to do?

    Microsoft has released security updates for vulnerabilities found in:

    • Microsoft Exchange Server 2013
    • Microsoft Exchange Server 2016
    • Microsoft Exchange Server 2019

    Additional details relating to the April 2021 patches are available here, while information regarding the March 2021 patches is available here.

    Organisations should apply new patches as soon as possible and also undertake detection steps outlined in Microsoft guidance.

    These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.

    For additional information, please see the Australian Cyber Security Centre guidance.

  • What could happen if my business doesn’t apply the patches?

    If the patches aren’t applied, these vulnerabilities could be used by cyber attackers to compromise your business’ information and operations.

    A range of cyber attackers – including some in the business of ransomware – were quick to take advantage of businesses that had failed to apply the March updates, which is why it’s critical to apply patches as soon as possible.

    To find out more, visit cyber.gov.au.
