Week in review

AUSCERT Week in Review for 12th September 2025

Greetings, This week, a major phishing campaign has led to a large supply chain compromise, targeting the npm (node package manager) ecosystem. Npm is a critical registry hosting over two million reusable code packages used worldwide by developers. The incident began when attackers registered a lookalike domain, npmjs.help, and sent out emails designed to mimic official npm security communications. These emails urged developers to update their two-factor authentication (2FA) credentials. At least one prominent developer fell victim to the phishing attempt, allowing attackers to take control of his account. With access secured, the attackers injected malicious code into at least 18 widely used npm packages, collectively downloaded 2.7 billion times per week. According to security vendor Aikido, the injected code was designed to run on client websites, silently intercepting cryptocurrency and web3 activity. The code manipulated wallet interactions and rewrote payment destinations so that funds and approvals were redirected to attacker-controlled accounts. The attack was particularly insidious because it operated without obvious signs, making detection difficult for end users. The compromise has since been identified and cleanup efforts are underway, though researchers warn that additional developers are being targeted by the same unknown threat actor. The scale of the incident has raised significant concerns across the development community, given how widely npm packages are integrated into both small projects and large-scale enterprise systems. Critical SAP S/4HANA vulnerability now exploited in attacks Date: 2025-09-05 Author: Bleeping Computer A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn. The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authentication users to inject arbitrary code, bypass authorization, and fully take over SAP. Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts Date: 2025-09-10 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6320/] Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of any exploits in the wild. More npm packages poisoned, but would-be thieves get little Date: 2025-09-09 Author: The Register During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders. Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited Date: 2025-09-09 Author: CyberScoop [AUSCERT has published security bulletins for these Microsoft updates] The most severe defect disclosed this month — CVE-2025-55232 — is a deserialization of untrusted data vulnerability affecting Microsoft High Performance Compute Pack with a CVSS rating of 9.8. Microsoft said exploitation is less likely, but researchers warned organizations to prioritize patching. Fortinet, Ivanti, Nvidia Release Security Updates Date: 2025-09-10 Author: Security Week [AUSCERT has published security bulletins for these Fortinet updates] Fortinet, Ivanti, and Nvidia on Tuesday announced security updates that address over a dozen high- and medium-severity vulnerabilities across their product portfolios. Ivanti resolved two high-severity insufficient filename validation issues in Endpoint Manager (EPM) that could be exploited remotely, without authentication, to execute arbitrary code. The exploitation of both defects, however, require user interaction. ASB-2025.0158 – Microsoft Azure: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of September 2025, which resolves 3 important vulnerabilities with Azure Connected Machine Agent and HPC Pack 2019. Microsoft recommends updating the software to the latest available version available on the Microsoft Update Catalog. ESB-2025.6253 – IBM MQ container software: CVSS (Max): 9.8 Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images, such as memory corruption issues, crashes and denial of service. IBM strongly recommends applying the latest container images. ESB-2025.6435 – kernel: CVSS (Max): 7.8 An update for kernel is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, resolving various security issues and exploited vulnerability as identified on the CISA KEV list. ESB-2025.6441 – Daikin Security Gateway: CVSS (Max): 9.8 A weak password recovery mechanism for forgotten passwords has been identified in this product. Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system. Daikin has reported they will not fix this vulnerability and will respond directly to user inquiries. ESB-2025.6437 – imagemagick: CVSS (Max): 9.8 Multiple memory corruption vulnerbilities were discovered in imagemagick, a software suit used for editing and manipulating digital images, which could lead to information leak, denial of service, and potentially arbitrary code execution. It is recommended that you upgrade your imagemagick packages. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 5th September 2025

Greetings, We’re excited to release a brand-new episode of the Share Today, Save Tomorrow podcast, Episode 44: Security2Cure – Where Cyber Meets Health Planning. In this powerful episode, host Bek Cheb speaks with Zane Jarvis, founder of the charity Security2Cure, an initiative born from personal tragedy and driven by a mission to raise awareness around cancer, health planning, and digital preparedness. Zane shares his deeply personal story and explains how core cyber security principles have inspired a unique framework for personal wellbeing and future planning. With Security2Cure’s upcoming Brisbane conference on the 10th October, this episode offers the perfect opportunity to explore the charity’s mission and learn more about their work. This is an episode you won’t want to miss, and it’s available on Spotify, Apple Podcasts, and YouTube now. This week, a widespread supply chain attack linked to Salesloft Drift has impacted hundreds of organisations, including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud. While Salesloft initially claimed exposure was limited to Salesforce-integrated customers, Google’s Threat Intelligence Group and Mandiant have warned that any platform integrated with Drift may be compromised. The attack, attributed to threat group UNC6395, led to the exposure of sensitive customer data such as business emails, phone numbers, support case details, and, in some cases, credentials. While no core products or infrastructure were directly breached, many companies are rotating tokens, tightening security, and investigating potential impacts. Salesloft announced that Drift will be taken offline to strengthen security and conduct a full review. The incident highlights the growing risks of third-party integrations, with more than 700 organizations potentially affected. Google warns Salesloft breach impacted some Workspace accounts Date: 2025-08-28 Author: Bleeping Computer Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances. "Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations,' warns Google. "We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised." NIST Enhances Security Controls for Improved Patching Date: 2025-09-02 Author: Dark Reading Addressing the ongoing patch management problem requires more finessing, especially to protect the software supply chain. The US National Institute of Standards and Technology (NIST) revised its Security and Privacy Control catalog to help vendors and organizations improve software update and patch release protocols. Originally published in 2020, the Security and Privacy Control catalog details security and privacy safeguards to help organizations mitigate cyber-risks. Federal information systems are required to implement the controls, but the catalog is intended for the private and public sectors. It covers access, authentication, incident response, and supply chain risk management. WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices Date: 2025-08-30 Author: The Hacker News WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks. The vulnerability, CVE-2025-55177 (CVSS score: 8.0 [CISA-ADP]/5.4 [Facebook]), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug. The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device." Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication Date: 2025-08-29 Author: The Hacker News Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts. The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow," Amazon's Chief Information Security Officer CJ Moses said. Melbourne dev finds gift card PINs can be brute-forced Date: 2025-09-03 Author: itnews Gift cards sold in Australian supermarkets can have their PINs easily guessed, thanks to a vulnerability on the issuer's website, opening them up to redemption by thieves who only need to know the card number to access the stored funds. The vulnerability was discovered by Melbourne developer Simon Dean who bought two gift cards worth $500 each, which he intended to use to purchase a laptop at JB Hi-Fi with. After buying the cards, Dean ran into trouble redeeming them as the cards had had the last four digits scratched off them. ESB-2025.6241 – Ruby It was discovered that Ruby incorrectly handled certain IO stream methods. A remote attacker could use this issue to cause Ruby to crash, resulting in a denial of service, or possibly obtain sensitive information. ASB-2025.0156.2 – Salesloft Drift Several major firms, including ZScaler, Cloudflare, and Palo Alto Networks, confirmed breaches of their Salesforce databases. The incidents stem from a data theft campaign exploiting the third-party Salesloft Drift integration with Salesforce. ESB-2025.6176 – Google Android The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. ESB-2025.6205 – Cisco Products A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 29th August 2025

Greetings, The team are already hard at work planning another amazing AUSCERT conference, and we’re excited to share these key dates with you! AUSCERT2026 will run from 19–22 May at The Star, Gold Coast. Tutorials will take place on 19 and 20 May, followed by the main conference on 21 and 22 May. Don’t miss the Welcome Reception at 5:00 PM on 20 May, or the Gala Dinner on 21 May. Stay tuned for more details, including the Call for Tutorials in October and the Call for Presentations in November. We can’t wait to see you there! This week marked Scams Awareness Week, a nationwide campaign aimed at helping Australians stay safe online. This year’s theme, “Stop. Check. Protect.” encourages us all to pause before clicking, verify information, and take proactive steps to safeguard our personal and financial details. The Scamwatch “Scam Statistics” page is a standout resource, providing an interactive dashboard that allows you to explore real-time data on scam reports. Every report feeds into a national intelligence network that contributes to early detection and disruption efforts. You can see which scams are growing, which methods are being used most effectively, and where education and awareness are making an impact. Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3 Date: 2025-08-25 Author: The Hacker News Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775 Date: 2025-08-27 Author: Security Affairs [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5974] Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are vulnerable to the vulnerability CVE-2025-7775, which is under active exploitation. CVE-2025-7775 (CVSS score: 9.2) is a memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service. This week, Citrix addressed three security flaws (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) in NetScaler ADC and NetScaler Gateway, including one (CVE-2025-7775) that it said has been actively exploited in the wild. CISA warns of actively exploited Git code execution flaw Date: 2025-08-26 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5077] The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system. The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th. Git version control system allows software development teams to track codebase changes over time. The library is the backbone of modern software collaboration, serving as the basis for platforms such as GitHub, GitLab, and Bitbucket. High-severity vulnerability in Passwordstate credential manager. Patch now. Date: 2025-08-29 Author: Ars Technica The maker of Passwordstate, an enterprise-grade password manager for storing companies’ most privileged credentials, is urging them to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. The authentication bypass allows hackers to create a URL that accesses an emergency access page for Passwordstate. From there, an attacker could pivot to the administrative section of the password manager. A CVE identifier isn’t yet available. A hacker used AI to automate an 'unprecedented' cybercrime spree, Anthropic says Date: 2025-08-27 Author: NBC News A hacker has exploited a leading artificial intelligence chatbot to conduct the most comprehensive and lucrative AI cybercriminal operation known to date, using it to do everything from find targets to write ransom notes. In a report published Tuesday, Anthropic, the company behind the popular Claude chatbot, said that an unnamed hacker “used AI to what we believe is an unprecedented degree” to research, hack and extort at least 17 companies. ESB-2025.5938 – Atlassian Products: CVSS (Max): 9.4 Atlassian monthly bulletin addresses 14 high-severity and 1 critical-severity vulnerabilities. Users are advised to upgrade their Server/Data Center instances to the latest versions. ESB-2025.5966 – IBM Security QRadar SIEM: CVSS (Max): 9.8 IBM has addressed vulnerable open-source components such as Linux kernel and Python libraries in QRadar SIEM which may be exploitable via automated scanning tools. ESB-2025.5974 – Citrix Products: CVSS (Max): 9.2 Citrix has released urgent patches addressing three serious vulnerabilities in NetScaler ADC and NetScaler Gateway—including a critical zero-day memory-overflow flaw actively exploited in the wild, and additional memory-overflow & management-interface access control issues. ESB-2025.6029 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 6.5 GitLab delivered patch releases 18.3.1, 18.2.5, and 18.1.5 for both CE and EE, addressing multiple security and bug fixes, and strongly urges all self-managed users to upgrade immediately. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 22nd August 2025

Greetings, We are excited to announce the release of a new episode of Share Today, Save Tomorrow – Episode 43: Behind the Code: Josh Hopkins on Building, Leading, and Leveling Up AUSCERT. In this episode, host Bek Cheb sits down with Josh, our Team Leader of Development, for an open and insightful chat about life behind the screens in cyber defence. From his unexpected journey into cyber security to leading a dynamic development team, Josh reflects on the twists and turns of his career, describes the sometimes-unpredictable nature of a typical working day, and how experimentation, collaboration, and a passion for building innovation within the team makes working at AUSCERT so unique. This episode is available on Spotify and Apple Podcasts. This week, iiNet, owned by TPG Telecom, has confirmed that an unknown third party gained unauthorised access to iiNet’s order management system on Saturday, August 16, 2025. The breach led to the extraction of approximately 280,000 email addresses, along with 10,000 usernames, phone numbers, and nearly 1,700 modem setup passwords, though no financial or identity documents were compromised. TPG responded swiftly by isolating the breach, engaging external cyber security experts, and initiating its incident response plan immediately upon discovery. Customers are being contacted directly and urged to remain vigilant against phishing attempts. Apple fixes new zero-day flaw exploited in targeted attacks Date: 2025-08-20 Author: Bleeping Computer [AUSCERT has published security bulletins for these Apple updates] Apple has released emergency updates to patch another zero-day vulnerability that was exploited in an "extremely sophisticated attack." Tracked as CVE-2025-43300, this security flaw is caused by an out-of-bounds write weakness discovered by Apple security researchers in the Image I/O framework, which enables applications to read and write most image file formats. Cisco Patches Critical Vulnerability in Firewall Management Platform Date: 2025-08-15 Author: Security Week [AUSCERT has published security bulletins for these Cisco updates] Cisco has published more than 20 security advisories as part of its August 2025 bundled publication for Secure Firewall Management Center (FMC), Secure Firewall Threat Defense (FTD), and Secure Firewall Adaptive Security Appliance (ASA) products. The most serious vulnerability — based on its severity rating — is CVE-2025-20265, a critical flaw affecting the Secure FMC platform designed for managing and monitoring Cisco FTD appliances and other security solutions. TPG Telecom reveals iiNet order management system breached Date: 2025-08-19 Author: iTnews TPG Telecom has revealed that iiNet’s order management system was breached by an unknown attacker who abused legitimate credentials to gain access. The telco said that it “appears” that a list of email addresses and phone numbers was extracted from the system. The order management system is used to create and track orders for iiNet services. Microsoft: Recent Windows updates may fail to install via WUSA Date: 2025-08-18 Author: Bleeping Computer Microsoft has mitigated a known issue that caused Windows update failures when installing them from a network share using the Windows Update Standalone Installer (WUSA). WUSA is a built-in command-line tool that helps IT admins install and uninstall Microsoft Standalone Update (.msu) files through the Windows Update Agent API to deploy and remove patches, hotfixes, and updates. This known issue affects Windows 11 24H2 and Windows Server 2025 systems on enterprise networks, as WUSA isn't a common method for installing Windows updates on home devices. HR giant Workday discloses data breach after Salesforce attack Date: 2025-08-18 Author: Bleeping Computer Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack. As the company revealed in a Friday blog, the attackers gained access to some of the information stored on the compromised CRM systems, adding that no customer tenants were impacted. ESB-2025.5731 – Cisco Secure Firewall Management Center Software: CVSS (Max): 10.0 A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. Cisco has released software updates that address this vulnerability. ESB-2025.5888 – firefox-esr: CVSS (Max): 9.8 Multiple security issues have been found and patched in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. ESB-2025.5881 – Linux kernel (IoT): CVSS (Max): 9.8* Several security issues were discovered and patched in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.5710 – IBM Security QRadar SIEM: CVSS (Max): 9.4 Vulnerable components in IBM Security QRadar SIEM (e.g., framework libraries) have been identified that may be exploited with automated tools. IBM QRadar Data Synchronization app for IBM QRadar SIEM has addressed the applicable CVEs. ESB-2025.5788 – Apache HTTP Server: CVSS (Max): 9.1 Several security issues were fixed in Apache HTTP Server that potentially allowed remote attackers to perform HTTP response splitting attacks, send outbound proxy requests to an arbitrary url, insert escape characters into log files, bypass access control, denial of service, or perform configuration changes in certain environments. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 15th August 2025

Greetings, Over the weekend of August 10–11, the University of Western Australia (UWA) was forced to lock thousands of staff and students out of its systems after detecting unauthorised access to password information. The breach prompted an immediate and large-scale security response, with all users required to reset their credentials before regaining access. The university’s critical incident management team worked through the weekend to contain the threat and has confirmed there is currently no evidence that any data beyond password details was compromised. UWA notified authorities immediately, and a full investigation is underway alongside a review of existing security measures to strengthen defences. UWA has issued an apology to those affected, stressing its commitment to swift action and transparency. This incident comes amid heightened scrutiny of data protection in Australia, following recent legal proceedings against Optus over its 2022 breach. Whilst this incident did not involve personal or sensitive information, it highlights the growing urgency for educational institutions to protect such data against evolving cyber threats. Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws Date: 2025-08-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5516/] Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution. The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation. Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code Date: 2025-08-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.5593.2/] Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild. The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0. “An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory. Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws Date: 2025-08-12 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] The monthly Microsoft Patch Tuesday for August contains 107 flaws, including 13 critical vulnerabilities and one publicly disclosed zero-day vulnerability in Window Kerberos. Of the 13 critical vulnerabilities, 9 are remote code execution (RCE) vulnerabilities, 3 are information disclosure, and 1 is elevation of privileges. The zero-day is a flaw in Microsoft SQL Server. Trend Micro reports two critical CVEs under active exploit Date: 2025-08-10 Author: The Register A critical vulnerability in the on-prem version of Trend Micro’s Apex One endpoint security platform is under active exploitation, the company admitted last week, and there’s no patch available. Trend Micro last week warned Apex One 2019 customers about CVE-2025-54948 and CVE-2025-54987, both with a CVSS score of 9.4 and both present in the platform’s web-based managed console. Australian Regulator Sues Optus Over 2022 Data Breach Date: 2025-08-08 Author: Infosecurity Magazine The Australian Information Commissioner (AIC) has launched civil action against Optus for a 2022 data breach that exposed the personal details of 9.5 million Australians. The lawsuit alleges that telecommunications firm Optus failed to take reasonable steps to protect victims’ personal information from unauthorized access and disclosure, in breach of Australia’s Privacy Act 1988. ESB-2025.5593.2 – Fortinet FortiSIEM An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests. ESB-2025.5622 – Cortex XDR Broker VM A credential management flaw in Palo Alto Networks Cortex XDR Broker VM causes different Broker VM images to share identical default credentials for internal services. ASB-2025.0155 – Microsoft Windows Microsoft has released its monthly security patch update for the month of August 2025. This update resolves 67 vulnerabilities. ESB-2025.5516 – Zoom Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 8th August 2025

Greetings, New insights suggests that the recent Qantas data breach impacting an estimated 5.7 million customers may be the work of the notorious ShinyHunters hacking collective, rather than Scattered Spider, as was initially suspected. Investigators are now drawing connections between ShinyHunters and a growing wave of cyber attacks targeting Salesforce CRM platforms. Recent victims of similar attacks include Allianz Life, LVMH, Adidas, Google and now, potentially, Qantas. Reports suggest that the threat actors employed vishing techniques (voice phishing) in conjunction with modified versions of Salesforce’s Data Loader tool to extract sensitive customer records. This method demonstrates the group’s ability to combine social engineering with technical exploitation to bypass conventional security measures. Recent reports also reveal that Google suffered a breach in this same wave of attacks, with ShinyHunters allegedly using identical techniques to access Salesforce data linked to customer support operations. This reinforces the theory that the group is systematically exploiting CRM platforms and supply chain connections across multiple sectors. The Qantas breach highlights the evolving nature of cyber criminal alliances and the growing risks associated with cloud-based platforms, particularly when combined with sophisticated social engineering campaigns. Organisations using Salesforce and similar CRM systems are being urged to review access controls, monitor for anomalous activity, and strengthen employee awareness programs to reduce the risk of compromise. Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment Date: 2025-08-07 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0144/] Microsoft on Wednesday informed organizations about a high-severity vulnerability affecting hybrid deployments of Exchange Server. According to Microsoft, the vulnerability, tracked as CVE-2025-53786, can be exploited by an attacker to escalate privileges. “In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft explained. Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons Date: 2025-08-04 Author: The Register Mozilla is warning of an ongoing phishing campaign targeting developers of Firefox add-ons. The browser maker urged devs to "exercise extreme caution and scrutiny" when reviewing seemingly legitimate emails from senders pretending to be Mozilla or AMO (addons.mozilla.org). Although phishing emails can take many forms, Moz said this campaign usually lures devs into clicking through a malicious link to update their account. Failure to do so, or so the crims claim, would result in the dev losing access to developer features. Cisco discloses data breach impacting Cisco.com user accounts Date: 2025-08-05 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0143/] Cisco has disclosed that cybercriminals stole the basic profile information of users registered on Cisco.com following a voice phishing (vishing) attack that targeted a company representative. After becoming aware of the incident on July 24th, the networking equipment giant discovered that the attacker tricked an employee and gained access to a third-party cloud-based Customer Relationship Management (CRM) system used by Cisco. Perplexity vexed by Cloudflare's claims its bots are bad Date: 2025-08-05 Author: The Register AI search biz Perplexity claims that Cloudflare has mischaracterized its site crawlers as malicious bots and that the content delivery network made technical errors in its analysis of Perplexity's operations. Akira Ransomware Hits SonicWall VPNs, Deploys Drivers to Bypass Security Date: 2025-08-06 Author: Hack Read GuidePoint Security uncovers a new Akira ransomware tactic targeting SonicWall VPNs. The group’s use of drivers to disable defenses is a significant threat to businesses. A new report by cybersecurity firm GuidePoint Security reveals a clever new method used by the Akira ransomware group to attack computer networks. Researchers found that following initial access into systems, the hackers have been using two specific software drivers to secretly disable security tools, a key step before deploying their ransomware. ESB-2025.5345 – Google Android: CVSS (Max): 8.6* Google patches critical remote code execution vulnerability in the System component in Android 10, which can be exploited without user interaction or extra privileges. ESB-2025.5401 – Adobe Experience Manager (AEM) Forms on JEE: CVSS (Max): 10.0 Adobe released a critical security update for Adobe Experience Manager (AEM) Forms on JEE (versions 6.5.23.0 and earlier) to address two severe vulnerabilities: an XXE flaw allowing arbitrary file system reads, and a misconfiguration‑based flaw enabling arbitrary code execution. ASB-2025.0143 – Salesforce: CVSS (Max): None Threat actors are impersonating Salesforce IT support via vishing and phishing to trick users into installing malicious connected apps, enabling data exfiltration. Impacted organizations face delayed extortion attempts and potential lateral movement to cloud services like Microsoft 365 and Okta. ASB-2025.0144 – Microsoft Exchange Server: CVSS (Max): 8.0 Microsoft has issued a warning about a high-severity vulnerability (CVE‑2025‑53786) affecting hybrid Exchange deployments, where on-premises servers share a service principal with Exchange Online. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 1st August 2025

Greetings, This week, our team participated in the annual APCERT Cyber Drill 2025 alongside 24 Computer Incident Response Teams (CIRTs) from 18 economies This year’s theme “When Ransomware Meets Generative AI” tested the response capabilities of leading Asia-Pacific teams, emphasising the growing risks from the malicious use of this rapidly evolving technology. The simulated scenario, involving AI-generated malicious code and exploited open-source vulnerabilities, challenged participants to review and strengthen their incident response procedures. The drill highlighted the need for proactive preparedness as Generative AI reshapes the cyber threat landscape. AUSCERT is proud to support APCERT’s vision of fostering a safe and reliable cyberspace across the Asia–Pacific through global collaboration and shared expertise. The ACSC, alongside the FBI, CISA and NCSC UK, has released a new advisory on Scattered Spider — one of 2025’s most active and dangerous cybercrime groups. Linked to major breaches, the group targets large enterprises using identity-based attacks and sophisticated social engineering, including phishing, vishing, MFA fatigue, and SIM swaps. Once in, they hide behind legitimate remote access tools (AnyDesk, TeamViewer, Teleport), steal credentials, and deploy DragonForce ransomware with the intention of executing large-scale data theft. The advisory urges organisations to act now: adopt phishing-resistant MFA (like hardware keys), drop SMS or push-only authentication, tighten helpdesk verification, and monitor or restrict remote access tools. Offline, tested backups, detailed logging, and updated detection using IOCs and MITRE ATT&CK are also critical. Scattered Spider’s tactics are evolving fast. Strengthening MFA, access controls, helpdesk security and maintaining public awareness and education is essential to staying ahead. High-Severity SQL Injection (CVE-2025-52914) in Mitel MiCollab Allows Data Access, Command Execution Date: 2025-07-25 Author: Securityonline.info [AUSCERT has notified potentially affected members via email (where possible)] Mitel has released a security advisory addressing a high-severity SQL injection vulnerability in its MiCollab platform—an issue that could allow authenticated attackers to execute arbitrary database commands and compromise user provisioning data. Tracked as CVE-2025-52914, the vulnerability carries a CVSS score of 8.8. The vulnerability resides in the Suite Applications Services component of MiCollab, a key unified communications platform used by businesses worldwide. Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments Date: 2025-08-24 Author: The Hacker News Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign. The activity, observed this year, is primarily designed Now to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today. CISA Warns of Exploited Vulnerabilities in Cisco Products Date: 2025-08-29 Author: Infosecurity Magazine [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4160.4] The US Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 28. These include two highly critical vulnerabilities in Cisco Identity Services Engine (ISE) Software, a network security policy management platform that provides secure access control, authentication, authorization and accounting (AAA) services for users and devices connecting to enterprise networks. Both vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20337, were discovered by security researchers working with the Trend Micro Zero Day Initiative and disclosed by Cisco on June 25. What if your passkey device is stolen? How to manage risk in our passwordless future Date: 2025-08-28 Author: ZDNET Part of the "passkeys are more secure than passwords" story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to. OK, so what happens to those passkeys if your device is stolen? ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH Date: 2025-08-30 Author: Bleeping Computer A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances. In June, Google's Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks. In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce's connected app setup page. On this page, they were told to enter a "connection code", which linked a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment. ESB-2025.5186 – Tenable Patch Management An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data. ESB-2025.5182 – SQLite An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. ( CVE-2025-6965 ) ESB-2025.4160.4 – Cisco Products A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. ESB-2025.5156 – chromium Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 25th July 2025

Greetings, We’re excited to announce the release of another episode of Share Today, Save Tomorrow – Episode 42: Jess Modini on Curiosity, Cyber Security, and Cross-Disciplinary Thinking, brought to you by AUSCERT. And for the first time, you can now watch the full interview on our YouTube channel, giving you a front-row seat to this engaging and insightful discussion. In this episode, Jess Modini shares perspectives drawn from her extensive background in cyber security, including five master’s specialisations and her current doctoral research in cyber epidemiology. She explores how concepts from computational biology and health sciences such as the spread of pathogens can mirror the behaviours of malware and cyber threats. The conversation dives deep into the parallels between public health and cyber defence, emphasising the importance of cross-disciplinary thinking in improving threat modelling and incident response. Tune in now to discover how breaking down traditional silos can lead to smarter, more resilient cyber defence. Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access Date: 2025-07-22 Author: The Hacker News [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.4160.2/] Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation. "In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert. HPE warns of hardcoded passwords in Aruba access points Date: 2025-07-20 Author: Bleeping Computer Hewlett-Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On Access Points that allow attackers to bypass normal device authentication and access the web interface. Aruba Instant On Access Points are compact, plug-and-play wireless (Wi-Fi) devices, designed primarily for small to medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud/mobile app management. The security issue, tracked as CVE-2025-37103 and rated “critical” (CVSS v3.1 score: 9.8), impacts Instant On Access Points running firmware version 3.2.0.1 and below. Microsoft Confirms Hackers Exploiting SharePoint Flaws, Patch Now Date: 2025-07-21 Author: Hack Read [AUSCERT has published security bulletins for these Microsoft updates: https://portal.auscert.org.au/bulletins/ASB-2025.0142/] [AUSCERT has identified impacted members (where possible) and contacted them via email] Microsoft has released new security updates to fix two serious vulnerabilities affecting on-premises SharePoint servers, warning that attackers are already exploiting them in active campaigns. The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are not present in SharePoint Online, but on-premises environments using SharePoint 2019 and the SharePoint Subscription Edition are directly at risk. Sophos fixed two critical Sophos Firewall vulnerabilities Date: 2025-07-23 Author: Security Affairs Sophos has fixed five vulnerabilities (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973) in Sophos Firewall that could allow an attacker to remotely execute arbitrary code. “Sophos has resolved five independent security vulnerabilities in Sophos Firewall. Every Critical and High severity vulnerability was remediated through hotfixes.” reads the advisory. “No action is required for Sophos Firewall customers to receive these fixes with the “Allow automatic installation of hotfixes” feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.” Microsoft: Windows Server KB5062557 causes cluster, VM issues Date: 2025-07-22 Author: Bleeping Computer Microsoft is asking businesses to reach out for support to mitigate a known issue causing Cluster service and VM restart issues after installing this month's Windows Server 2019 security updates. As the company explains in a private advisory seen by BleepingComputer, the Cluster service (a system component essential to cluster operation) might fail to function correctly after installing the KB5062557 update released on July 8th. The same bug is also causing some nodes to fail when attempting to rejoin their cluster and triggering errors on systems where administrators have enabled the BitLocker Windows security feature on Cluster Shared Volumes (CSV) drives. ESB-2025.4160.2 – Cisco Products: CVSS (Max): 10.0 Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. Cisco has released software updates that address these vulnerabilities. ESB-2025.5029 – firefox-esr: CVSS (Max): 9.8 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. It is recommended to upgrade firefox-esr packages. ESB-2025.4953 – Schneider Electric EcoStruxture IT Data Center Expert: CVSS (Max): 10.0 Successful exploitation of discovered vulnerabilities could allow an attacker to disrupt operations and access system data. The problem is corrected by updating the system. ESB-2025.4930 – Apache HTTP Server: CVSS (Max): 9.1 Several security issues were fixed in Apache HTTP Server. It was discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. ASB-2025.0142 – Microsoft SharePoint Server: CVSS (Max): 9.8 Microsoft released the July Security Updates to address vulnerabilities in on-premises SharePoint Server, which allowed an authorized attacker to perform spoofing over a network. Deserialization of untrusted data in on-premises Microsoft SharePoint Server allowed an unauthorized attacker to execute code over a network. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 18th July 2025

Greetings, This week, Clive Palmer’s United Australia Party and affiliated group Trumpet of Patriots confirmed they were hit by a ransomware attack that exposed extensive personal data. The breach, discovered on June 23, compromised years of emails, identity documents, banking details, and employment history. While systems have now been secured and restored, the organisations were unable to notify all affected individuals directly. Authorities have been informed, and impacted individuals are urged to monitor their accounts, change passwords, and review past communications for any shared sensitive information. A new CyCognito study has identified the education sector as the most exposed to cyber risk across all industries, particularly in cloud infrastructure, APIs, and web applications. Vulnerability rates in education are significantly higher, 31% for cloud assets, 38% for APIs, and 35% for web apps—compared to the industry averages of 14%, 21%, and 20%, respectively. The increased risk is attributed to rapid digital transformation, reliance on legacy systems, underfunded cyber security, and small, overstretched IT teams. The fast shift to remote learning has also introduced numerous tools without adequate security controls, making educational institutions prime targets for ransomware, data breaches, and credential theft. AUSCERT, which counts many educational organisations among its members, is helping the sector mitigate these risks through timely threat intelligence, proactive alerts, expert incident response, and vulnerability notification services. By improving asset visibility and prioritising critical actions, AUSCERT supports long-term resilience in this high-risk environment. CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch Date: 2025-07-11 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email. Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.4041.2] The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes. Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue. Interlock ransomware adopts FileFix method to deliver malware Date: 2025-07-14 Author: Bleeping Computer Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems. Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka 'LandUpdate808') to deliver payloads through compromised websites. CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warn Date: 2025-07-11 Author: The Register Huntress security researchers observed exploitation of the CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server on July 1, just one day after its public disclosure. Wing FTP Server is a cross-platform file-transfer solution, supporting FTP, FTPS, SFTP, and HTTP/S. It is used by over 10,000 customers worldwide for secure data exchange, including Airbus, Reuters, and the US Air Force, according to its website. New Fortinet FortiWeb hacks likely linked to public RCE exploits Date: 2025-07-16 Author: Bleeping Computer [See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4493] Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257. News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day. SonicWall SMA Appliances Targeted With New ‘Overstep’ Malware Date: 2025-07-16 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A threat actor that may be financially motivated has been targeting SonicWall appliances with a new piece of malware, Google’s Threat Intelligence Group warned on Wednesday. The threat actor, tracked by Google as UNC6148, has been around since at least October 2024. The hackers’ malware can enable data theft, extortion and ransomware deployment, but the researchers have not been able to definitively confirm that they are financially motivated. It’s worth noting that the lines between state-sponsored hacker attacks and financially motivated cybercrime have become increasingly blurry. ESB-2025.4716 – IBM QRadar SIEM: CVSS (Max): 7.5 IBM QRadar SIEM version 7.5.0 UP12 IF02 is impacted by multiple vulnerabilities in the gRPC and HTTP/2 protocols, which can lead to denial of service (DoS) conditions. IBM has addressed these issues via Auto Update. ESB-2025.4744 – VMware Products: CVSS (Max): 9.3 Critical vulnerabilities in VMware’s VMXNET3, VMCI, PVSCSI, and vSockets components allows local admin privileged attackers to execute code or leak memory on host systems or virtual machines. Broadcom has released patches across ESXi, Workstation, Fusion, and VMware Tools to remediate them. ESB-2025.4752 – Atlassian Products: CVSS (Max): 8.8 Atlassian’s monthly Security Bulletin covers a batch of recent high-severity vulnerabilities affecting their Data Center and Server products. Users are advised to update to the listed fixed versions for each affected product to mitigate potential risks. ASB-2025.0141 – Oracle Retail Applications: CVSS (Max): 9.8 Oracle has released patches addressing multiple critical vulnerabilities in several Oracle Retail products. Some flaws allow unauthenticated remote attackers to take full control or cause denial of service, urging immediate application of fixes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 11th July 2025

Greetings, We’re excited to launch a brand new season of Share Today, Save Tomorrow with Episode 41 of the AUSCERT Podcast: “New Season + AUSCERT2025 Conference Wrap-Up.” In this episode, our very own Bek Cheb, Business Manager at AUSCERT, steps behind the mic to introduce the fresh new format and direction for the season ahead. Bek also shares key insights and standout moments from the AUSCERT2025 Conference held earlier this year. Whether you’re a returning listener or tuning in for the first time, this episode offers an engaging glimpse into what’s next for AUSCERT and the wider cyber security community. If you missed any presentations from AUSCERT2025 or want to revisit your favourites, don’t forget you can access the recordings now available on our YouTube Channel. From keynote speeches to technical deep dives, you can relive the most impactful moments of the conference at your convenience. Share these sessions with colleagues and peers because sharing knowledge is at the heart of strengthening our collective cyber resilience. This week, cyber criminals have launched a global scam involving over 17,000 fake news websites impersonating well-known media outlets such as CNN, BBC, and CNBC. These fraudulent sites publish fabricated articles featuring public figures ranging from world leaders to central bank governors falsely endorsing cryptocurrency investment schemes. Victims are lured via online ads to scam platforms like Eclipse Earn or Solara, which simulate legitimate trading environments but are designed solely to steal funds and personal information. These attacks are regionally-targeted (including Australia), using localised content, native language, and trusted local brands to gain credibility. Once a user engages, their data is often resold or used in future phishing campaigns. AUSCERT recommends verifying sources, avoiding unsolicited investment offers, and reporting any suspicious sites or ads to your internal security team or national cyber authority. Microsoft Patch Tuesday, July 2025 Edition Date: 2025-07-08 Author: Krebs on Security [AUSCERT has published security bulletins for these Microsoft updates] Microsoft released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users. New ServiceNow flaw lets attackers enumerate restricted data Date: 2025-07-09 Author: Bleeping Computer A new vulnerability in ServiceNow, dubbed Count(er) Strike, allows low-privileged users to extract sensitive data from tables to which they should not have access. ServiceNow is a cloud-based platform that enables organizations to manage digital workflows for their enterprise operations. It is widely adopted across various industries, including public sector organizations, healthcare, financial institutions, and large enterprises. Task scams: Why you should never pay to get paid Date: 2025-07-04 Author: We Live Security Many of us have been experiencing a cost-of-living crisis for years, and the news headlines remain filled with doom-laden predictions of what the future might hold. Against this backdrop, it’s understandable why many of us are looking for a side hustle or for even a new, better-paid job. But the scammers know this, and are ready to take advantage. In 2024 alone, employment scams reported to the FBI made fraudsters over $264 million. Many of these are so-called “task scams,” where victims are actually tricked into paying a “deposit” in order to get paid. It might sound unbelievable. But it’s easier to fall for than you think. Qantas says it has been contacted by a group claiming to have stolen data of its frequent flyers Date: 2025-07-08 Author: news.com.au Qantas says it has been contacted by a group claiming to be behind the theft of the data of millions of its frequent flyers last week. The airline said in a statement late on Monday that “a potential cybercriminal has made contact” but it would not disclose if a ransom was being sought. “As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the detail of the contact,” a Qantas spokesman said. ESB-2025.4636 – Siemens SINEC NMS Successful exploitation of these vulnerabilities could allow an attacker to elevate privileges and execute arbitrary code ESB-2025.4620 – Juniper Security Director A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface ESB-2025.4591 – GlobalProtect App An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect App on macOS devices enables a locally authenticated non administrative user to escalate their privileges to root on macOS and Linux or NT\AUTHORITY SYSTEM on Windows ESB-2025.4567 – GitLab Community Edition and Enterprise Edition GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 4th July 2025

Greetings, This week, Qantas experienced a major cyber attack compromising the personal data of up to six million customers. The breach, caused by a social engineering technique known as "vishing," exploited a third-party call centre system and exposed names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Crucially, no passwords, PINs, credit card details, or passport information were accessed, and multi-factor authentication continues to protect frequent flyer accounts. Qantas is actively investigating the incident and will contact affected customers directly. Meanwhile, cyber security experts urge individuals to stay vigilant against phishing attempts, use strong and unique passwords, enable two-factor authentication, and monitor their accounts for unusual activity. Support lines have been set up to assist those impacted. This incident highlights the importance of securing supply chains. The UK’s National Cyber Security Centre (NCSC), offers a 12-principle framework to guide organisations through risk assessment, control, verification, and continuous improvement. The framework helps stakeholders set clear security requirements, embed them into contracts, and build long-term resilience. AUSCERT also offers a dedicated course on ‘Managing Third-Party Cyber Security Risk’, equipping participants with a deep understanding of third-party threats and the skills to identify, assess, and mitigate them. The course explores the business and data impacts of supplier vulnerabilities, outlines best-practice controls, and highlights the importance of ongoing monitoring and vendor assessments to ensure robust cyber security. Cisco scores a perfect 10 for a critical comms flaw Date: 2025-07-02 Author: The Register [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4373] If you're running the Engineering-Special (ES) builds of Cisco Unified Communications Manager or its Session Management Edition, you need to apply Cisco's urgent patch after someone at Switchzilla made a big mistake. There is an ostensible purpose behind the mistake, dubbed CVE-2025-20309, with a critical rating of 10.0. The credentials have been left in there to make development work easier, Cisco said in its advisory. Qantas discloses cyberattack amid Scattered Spider aviation breaches Date: 2025-07-01 Author: Bleeping Computer Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. This attack comes as cybersecurity firms warn that hackers known as "Scattered Spider" have begun targeting the aviation and transportation industries. While it is unclear if this group is behind the Qantas attack, BleepingComputer has learned the incident shares similarities with other recent attacks by the threat actors. Microsoft security updates address CrowdStrike crash, kill ‘Blue Screen of Death’ Date: 2025-06-27 Author: CyberScoop Third-party antivirus software will no longer have access to the Windows kernel as Microsoft rolls out changes to reduce IT downtime from unexpected crashes or disruptions. When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame. Hacker Conversations: Rachel Tobac and the Art of Social Engineering Date: 2025-06-30 Author: Security Week Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. Initial Access Broker Self-Patches Zero Days as Turf Control Date: 2025-07-03 Author: Dark Reading A likely China-nexus threat actor has been exploiting unpatched Ivanti vulnerabilities to gain initial access to victim networks and then patching the systems to block others from breaking in to the same network. ESB-2025.4269 – Sudo: CVSS (Max): 9.3 Sudo vulnerabilities in Ubuntu allow local attackers to bypass host restrictions or execute arbitrary commands as root, impacting several versions. Users are advised to update to the latest sudo package versions to resolve these issues. ESB-2025.4333 – FESTO Didactic CP, MPS 200, and MPS 400 Firmware: CVSS (Max): 9.8 A memory protection bypass vulnerability in FESTO Didactic CP, MPS 200, and MPS 400 firmware can allow remote attackers to write arbitrary code or read sensitive data. Users are advised to update to Siemens Simatic S7-1500/ET200SP firmware version 2.9.2 or higher to mitigate risks. ESB-2025.4337 – Voltronic Power and PowerShield UPS Monitoring Software: CVSS (Max): 10.0 Voltronic Power and PowerShield UPS monitoring software contain critical vulnerabilities that allow unauthenticated remote attackers to execute arbitrary code or shut down UPS-connected devices. CISA advises minimizing network exposure and isolate from business networks to mitigate these risks. ESB-2025.4411 – Mitsubishi Electric MELSOFT Update Manager: CVSS (Max): 8.1 Mitsubishi Electric MELSOFT Update Manager versions 1.000A to 1.012N contain vulnerabilities that are actively being exploited. Users are advised to update to version 1.013P or later to mitigate these risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 27th June 2025

Greetings, Cyber criminals are increasingly adopting and selling "uncensored" Large Language Models (LLMs) on dark web forums like BreachForums. Rather than building malicious AI tools from scratch, they are "jailbreaking" legitimate, powerful models from mainstream companies like xAI (the creator of Grok) and the French firm Mistral AI (creator of Mixtral). Many of these tools are being sold as WormGPT or variants with similar names and functionality, including FraudGPT and EvilGPT. On a potentially related note, research claims a 90% success rate in jailbreaking LLMs. AUSCERT is urging its members and the wider community to prepare for a surge in cyber incidents as the End of Financial Year (EOFY) approaches. Cybercriminals are once again exploiting this high-activity period—this time with more sophisticated tactics than ever before. AUSCERT has observed a sharp and consistent rise in phishing scams, particularly those impersonating trusted government and taxation agencies. The increased volume of payments, invoicing, and accounting activity during EOFY creates ideal conditions for threat actors to target already time-poor and pressured organisations. To help you stay prepared, AUSCERT has compiled key insights and practical guidance in our latest article. Read it here to learn how to better protect your organisation during this critical time. Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC Date: 2025-06-25 Author: The Hacker News [AUSCERT has published security bulletins for these updates: https://portal.auscert.org.au/bulletins/ESB-2025.4172] [AUSCERT has identified the impacted members (where possible) and contacted them via email] Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0. It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Flaw in Notepad++ installer could grant attackers SYSTEM access (CVE-2025-49144) Date: 2025-06-25 Author: Help Net Security A high-severity vulnerability (CVE-2025-49144) in the Notepad++ installer could be exploited by unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. There is currently no indication that the vulnerability is being leveraged by attackers, though technical details and a proof-of-concept (PoC) have been published – and redacted shortly after for security reasons. No, the 16 billion credentials leak is not a new data breach Date: 2025-06-19 Author: Bleeping Computer News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet. Reported Impersonation Scams Surge 148% as AI Takes Hold Date: 2025-06-24 Author: Infosecurity Magazine The volume of impersonation scams has soared 148% year-on-year (YoY) thanks in part to AI tools making life easier for cybercriminals, according to the Identity Theft Resource Center (ITRC). The US non-profit’s new 2025 Trends in Identity Report is based on analysis of identity crimes (compromise, theft and misuse) reported to it by victims from April 1 2024 to March 31 2025. Identity Is the New Perimeter: Why Proofing and Verification Are Business Imperatives Date: 2025-06-24 Author: Security Week Digital transformation has unlocked new opportunities – not just for innovation and growth, but also for cybercriminals seeking to exploit personal and sensitive information. According to the Future of Global Identity Verification report, more than two-thirds (69%) of organizations have experienced an increase in fraud attempts. Among companies with over 5,000 employees, the average annual direct cost of identity fraud is $13 million. That figure rises sharply with organizational size; for enterprises with more than 10,000 employees, 20% report annual direct and indirect identity fraud costs exceeding $50 million. ESB-2025.4180 – NetScaler ADC and NetScaler Gateway Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). ESB-2025.4160 – Cisco Products Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. ESB-2025.4093 – Apache Log4j Apache Log4j could be made to run programs as your login if it opened a specially crafted file. An attacker could possibly use these issues to enable the execution of arbitrary code. ( CVE-2022-23302 , CVE-2022-23305 , CVE-2022-23307 ) ESB-2025.4080 – IBM Security QRadar SIEM IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more