Week in review

AUSCERT Week in Review for 13th September 2024

Greetings, R U OK is encouraging everyone to ask "R U OK?" any day, because life happens every day. This reminder comes as 72% of Australians report experiencing elevated levels of distress. Each year, R U OK Day serves as a powerful reminder of the importance of checking in on others' well-being and actively listening to their concerns. Often, those facing challenges may not openly express their feelings, and a simple, empathetic conversation can make a huge difference. Asking "Are you okay?" and genuinely listening can offer emotional support and show someone they are not alone in their struggles. Meaningful connection and open dialogue about mental health help build a supportive and compassionate community. Prioritising mental health reduces stigma and creates an environment where people feel comfortable sharing their feelings and seeking help. It's a reminder that small acts of kindness and genuine concern can profoundly impact someone's life. For a range of free resources for your workplace, home or community, visit the R U OK? Day website. AUSCERT has always been a strong advocate for mental health support and services, actively implementing more mental health initiatives in the workplace and at our conferences. At AUSCERT2024, we again provided an onsite psychologist for attendees, offering the opportunity to discuss anything from mental wellbeing to life coaching. This year, we introduced mindfulness walks in the mornings that allowed delegates to start the day with a peaceful, serene stroll along the beach, and also introduced a dopamine hit of puppy pats and cuddles throughout the day – this was extremely popular! This week, Microsoft addressed and patched critical zero-day vulnerabilities as part of its monthly update. The first vulnerability, identified as CVE-2024-38217, affected Smart App Control and SmartScreen in Windows. This vulnerability allowed malicious files to bypass crucial security warnings and execute without raising any alarms. It appears to have been actively exploited by hackers for at least six years, with numerous samples detected on VirusTotal since 2018! The second vulnerability resided within the Windows Servicing Stack and allowed remote code execution (RCE). Identified as CVE-2024-43491, the cause of this vulnerability was a flaw in the Servicing Stack that essentially rolled back security fixes for optional components in Windows 10 version 1507. This left systems exposed to previously mitigated threats by removing prior security patches installed between March and August 2024. This is a timely reminder to always remain vigilant with patching systems regularly in your environment to mitigate and protect against such critical zero-day vulnerabilities. Please see this AUSCERT bulletin for more information on the above Microsoft vulnerabilities. Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild Date: 2024-09-06 Author: Security Week [AUSCERT issued a critical MSIN to the impacted members (where possible) on 26 August 2024] SonicWall is warning customers that a recently patched SonicOS vulnerability tracked as CVE-2024-40766 may be exploited in the wild. CVE-2024-40766 was disclosed on August 22, when Sonicwall announced the availability of patches for each impacted product series, including Gen 5, Gen 6 and Gen 7 firewalls. The security hole, described as an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access and in some cases it can cause the firewall to crash. Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues Date: 2024-09-05 Author: The Hacker News Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below – CVE-2024-40711 (CVSS score: 9.8) – A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. Progress LoadMaster vulnerable to 10/10 severity RCE flaw Date: 2024-09-08 Author: Bleeping Computer Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device. The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request. Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution Date: 2024-09-08 Author: Security Online [AUSCERT issued a critical MSIN to the impacted members (where possible) on 10 September 2024] Elastic, the company behind the popular open-source data visualization and analytics platform Kibana, has issued a critical security advisory urging users to update immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities Date: 2024-09-11 Author: The Hacker News Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows – CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. NoName ransomware gang deploying RansomHub malware in recent attacks Date: 2024-09-10 Author: Bleeping Computer The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472). ESB-2024.5829 – Nessus: CVSS (Max): 9.8 Tenable has released Nessus 10.7.6 to address critical vulnerabilities in third-party components OpenSSL and expat, which affected earlier versions of the software. The update includes OpenSSL 3.0.15 and expat 2.6.3 to mitigate the identified security risks. Users are urged to upgrade promptly to protect against potential exploits. ASB-2024.0176 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has revealed a critical zero-day vulnerability, CVE-2024-43491, in the Windows Servicing Stack, scoring 9.8 in severity. This flaw, present since the March 2024 update, caused security patches for optional components in Windows 10 version 1507 to be rolled back, leaving systems vulnerable to previously fixed threats. While no active exploitation has been reported, attackers could potentially exploit this to achieve remote code execution. ASB-2024.0173 – ACSC advisory, GRU Unit 29155 cyber actors Russian military cyber actors are targeting critical infrastructure in the U.S. and globally, according to an alert from the Australian Cyber Security Centre. The threat actors are using sophisticated tactics to compromise essential systems. Organizations are urged to enhance their cybersecurity measures to defend against these advanced persistent threats. ESB-2024.5800 – Google Chrome: CVSS (Max): None Multiple vulnerabilities in Google Chrome, including heap buffer overflows and use-after-free issues, could allow for arbitrary code execution. Exploitation of these flaws might enable attackers to install programs, access or alter data, or create new user accounts, particularly impacting systems with administrative privileges. Users are advised to update Chrome to the latest version and follow recommended security practices to mitigate these risks. ESB-2024.5807 – Adobe ColdFusion: CVSS (Max): 9.8 Adobe has also patched CVE-2024-41874, a severe flaw with a CVSS score of 9.8, affecting all ColdFusion 2023 versions. Recent attacks by hackers have intensified the urgency for these updates. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 6th September 2024

Greetings, Spring has sprung! As many of us start thinking about organising and refreshing our homes this season, it's also the perfect time to update our cyber security measures. Regularly reviewing, updating, and optimising our digital habits can greatly enhance the protection of our sensitive information and ensure a safer online experience. Take some time this month to review your security approach! The AUSCERT team is already gearing up for next year's conference, with this year's event becoming a cherished memory. Our team is actively catching up with the program committee and will soon open the call for tutorials and presentations! To relive the fantastic moments from this year, we often revisit the outstanding sessions and activities on our YouTube channel. Some of the highlights from AUSCERT 2024 included a session by Darren Kitchen, founder of HAK5, on innovative implants and deceptive devices—essential tools for red teams worldwide. We also thoroughly enjoyed the presentation by Piotr Kijewski, CEO and Trustee at The ShadowServer Foundation. As well as a talk from Michael Hamm and Christian Studder of CIRCL. To top it all off, there was a live podcast recording from Risky Biz, which was the perfect cherry on top! We can't wait to see what next year has in store! So please save the date for next year's conference – 20th to 23rd May 2025 – returning to the beautiful Gold Coast! If there are keynote speakers who you're eager to see at next year's conference, send us an email with your suggestions at conference@auscert.org.au, and we'll see what we can do! AUSCERT is excited to introduce the Exploitability Index (EI) for its Microsoft ASBs starting Wednesday, 11th September, 2024. Created by Microsoft, the Exploitability Index forecasts which vulnerabilities are likely to be exploited within 30 days of an advisory's release, helping organisations to prioritise their vulnerability management. Featuring a numerical score from 0 to 3, it assists IT professionals to target the most critical vulnerabilities, improves risk management, and facilitates clear communication about security risks. For further information about the Exploitability Index (EI), please visit this Microsoft website. Critical flaw in Zyxel's secure routers allows OS command execution via cookie (CVE-2024-7261) Date: 2024-09-03 Author: Help Net Security Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices. VMware Patches High-Severity Code Execution Flaw in Fusion Date: 2024-09-03 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5613/] The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.” RansomHub hits 210 victims in just 6 months Date: 2024-08-30 Author: The Register [AUSCERT has published a bulletin (ASB-2024.0172) regarding this and also shared IoCs and TTPs via MISP ] As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy. According to the security advisory from CISA, the FBI, the HHS, and the MS-ISAC, RansomHub amassed at least 210 victims since spinning up in February this year. Google Issues Android Attack Warning As 0-Day Threat Strikes Date: 2024-09-04 Author: Forbes [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5624/] Although a number of security issues are addressed by the September update, there is one that demands your attention more than most. Common vulnerabilities and exposures number 32896 for this year, known as CVE-2024-32896, is the most severe, according to Google. This high-severity security vulnerability impacts the Android framework component which, as the name suggests, is rather important. The Android framework is, in effect, a set of different software components that sit at the heart of Android upon which applications are built. Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns Date: 2024-08-30 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0290/] Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024. ESB-2024.5618 – Mozilla Firefox: CVSS (Max): 9.8* Multiple vulnerabilities in Mozilla Firefox could allow for arbitrary code execution by an attacker. This could enable the attacker to install programs, view, alter, or delete data, or create new accounts with full user rights, depending on the user’s privileges. Users with administrative rights are at greater risk compared to those with limited user privileges. ASB-2024.0172 – CISA advisory, RansomHub Ransomware RansomHub, a ransomware-as-a-service that began in February 2024 and is also known as Cyclops and Knight, is targeting sectors such as healthcare, government, and finance. It uses a double-extortion tactic, encrypting and exfiltrating data while employing various initial access methods like phishing and exploitation of vulnerabilities. AUSCERT has shared IoCs and TTPs via MISP to help organizations defend against this threat. ESB-2024.5613 – VMware Fusion: CVSS (Max): 8.8 A high-severity vulnerability in VMware Fusion for macOS allows standard user privileges to execute arbitrary code, potentially leading to unauthorised access or data breaches. The issue is caused by an insecure environment variable. VMware has released a patched version, Fusion 13.6, and users are advised to update immediately to mitigate the risk. ESB-2024.5624 – Google Android: CVSS (Max): 8.4* Google's latest Android security bulletin addresses several vulnerabilities but highlights CVE-2024-32896 as the most critical. This high-severity flaw affects the Android framework and could allow attackers to escalate privileges without additional execution rights. First reported in the June Pixel update and now exploited in the wild, it has been added to the Known Exploited Vulnerabilities Catalog. Users are urged to update their devices immediately to protect against this ongoing threat. ESB-2024.5674 – Cisco Identity Services Engine: CVSS (Max): 6.0 Cisco has patched a critical command injection vulnerability, CVE-2024-20469, in its Identity Services Engine (ISE) that allows attackers with Administrator privileges to escalate to root access. This flaw, caused by inadequate validation of user input, can be exploited through malicious CLI commands. While proof-of-concept exploit code is available, no active exploits have been reported. Cisco has released updates for affected versions and removed a backdoor account from its Smart Licensing Utility to enhance security. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 30th August 2024

Greetings, This week, our team travelled to Adelaide to connect with our members! We had the opportunity for meaningful one-on-one conversations, gathered valuable feedback, and shared updates on our upcoming service developments. There is still time to register for the Digital Nation exclusive Brisbane event that is on Wednesday 4th of September, which delves deep into the evolving landscape of cyber security in Australia. Don't miss the opportunity to hear insights from our General Manager Ivano Bongiovanni! Click here to register. We released a new blog post on Tabletop Exercises (TTXs) this week! TTXs are an essential tool for testing an organisation's ability to respond effectively to security incidents. These exercises help identify gaps in incident response plans and prepare teams for real-world crises by guiding participants through realistic, discussion-based scenarios focused on roles, responsibilities, coordination, and decision-making. TTXs can be tailored to meet your organisation's specific needs, whether for incident response, business continuity, crisis management, or a mix of these areas. Participants from all roles—operational staff, cybersecurity professionals, communication teams, and executives—benefit from these exercises, enhancing cross-role coordination during incidents. Click here to read the full article! In case you missed it, this week we published an analysis of the Jenkins CLI path traversal vulnerability, CVE-2024-23897, exclusively for AUSCERT members. At the time of publication, just over 4% of Jenkins servers worldwide have been updated to mitigate this critical vulnerability. It's often useful to present a trusted third party's review when prioritising patching tasks, and we hope this analysis will assist those of you striving to patch your Jenkins instance. The Analyst Team has added Critical MSINs to AUSCERT's Early Warning SMS Alert Service, in addition to the existing critical vulnerability notifications. Whilst members' existing email notifications remain the same, the contacts nominated for Early Warning SMS Alerts will also now receive a corresponding SMS for Critical MSINs. The text message will always begin with the word "AUSCERT" and will direct the recipient to check for emails from AUSCERT for further information. Members can add additional Early Warning SMS Alert contacts in the Member Portal. Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day Date: None Author: Security Week Malware hunters at Lumen Technologies have caught Chinese APT Volt Typhoon exploiting a fresh zero-day in Versa Director servers to hijack credentials to break into downstream customers’ networks. The high-severity vulnerability, tracked as CVE-2024-39717, was added to the CISA must-patch list over the weekend after Versa Networks confirmed zero-day exploitation and warned that the Versa Director GUI can be hacked to plant malware on affected devices. Exchange Online mistakenly tags emails as malware Date: None Author: Bleeping Computer Microsoft is investigating an Exchange Online false positive issue causing emails containing images to be wrongly tagged as malicious and sent to quarantine. "Users' email messages containing images may be incorrectly flagged as malware and quarantined," Microsoft said in a service alert posted on the Microsoft 365 admin center two hours ago. "We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan." Tracked under EX873252, this ongoing service degradation issue seems to be widespread, according to reports from system administrators, and it also impacts messages with image signatures. Vulnerability prioritization is only the beginning Date: None Author: Help Net Security To date, most technology solutions focused on vulnerability management have focused on the prioritization of risks. That usually took the shape of some risk-ranking structure displayed in a table with links out to the CVEs and other advisory or threat intelligence information. Three steps to secure compliance with Australia’s new technology asset stocktake requirements Date: None Author: Security Brief The recently introduced PSPF Direction 002-2024 requires Australian Government entities to identify and actively manage their technology assets. Compliance is imperative. By June 2025, all government entities and their suppliers must complete a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity. This directive is a crucial step towards strengthening cybersecurity posture and ensuring efficient IT asset management. How Paris Olympic authorities battled cyberattacks, and won gold Date: None Author: SecurityIntelligence The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions. In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event. ESB-2024.5559 – Google Chrome Google has updated Chrome for Desktop versions addressing multiple vulnerabilities ESB-2024.5535 – Drupal Ubuntu has released updates for drupal7 package to patch vulnerabilities that are currently being exploited ESB-2024.5495 – F5 Products A null pointer dereference leading to DoS has been addressed in various F5 products through mitigation ESB-2024.5558 – Cisco Nexus Switches A Denial of Service vulnerability has been fixed in NX-OS Software currently affecting Cisco Nexus 3000 and 7000 Series Switches. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 16th August 2024

Greetings, This week, we released Episode 36 of our Share Today, Save Tomorrow podcast titled The Changing Face of Incident Response. In this episode, Kylie Watson from DXC joins us to discuss the evolving landscape of incident response and the critical importance of having a robust decision-making process. In the second half, Bek dives deep into tabletop exercises with our Principal Analyst, Mark-Carey Smith. Tune in now! Adelaide members, check your inbox for news about our upcoming member meet-up on August 29th! These gatherings are excellent opportunities to connect with fellow members, exchange ideas, and enjoy some refreshments. During these catch ups we also host a session designed to help you maximize your membership, showcasing what AUSCERT can do for you. Our team will guide you through each of our services, and we’ll open the floor for a TLP:RED discussion, allowing members to share insights in confidence. Don’t miss out on this chance to make new connections and have a fantastic time! Keep an eye out for an invitation as we will be coming your way soon! After tremendous success in Sydney and Melbourne, Digital Nation is bringing Digital As Usual: Cyber to Brisbane, and AUSCERT is thrilled to sponsor this event! This gathering will delve into Digital Nation’s latest ‘Digital as Usual’ report, bringing together security leaders, C-level executives, and board directors to explore strategies for building more robust cyber programs. With our General Manager, Ivano Bongiovanni, among the expert speakers, we are very excited for this event! For more information and to register head to their website! Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities Date: 2024-08-14 Author: Security Week Intel and AMD have each informed customers about dozens of vulnerabilities found and patched in their products. Intel has published 43 new advisories that cover a total of roughly 70 security holes. Nine advisories describe high-severity vulnerabilities. … AMD published eight new advisories on Patch Tuesday to inform customers about 46 vulnerabilities. Fortinet, Zoom Patch Multiple Vulnerabilities Date: 2024-08-14 Author: Security Week Patches announced on Tuesday by Fortinet and Zoom address multiple vulnerabilities, including high-severity flaws leading to information disclosure and privilege escalation in Zoom products. Fortinet released patches for three security defects impacting FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager, including two medium-severity flaws and a low-severity bug. Critical SAP flaw allows remote attackers to bypass authentication Date: 2024-08-13 Author: Bleeping Computer SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system. The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions. '0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk Date: 2024-08-09 Author: Dark Reading [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0162] Attackers can use a flaw that exploits the 0.0.0.0 IP address to remotely execute code on various Web browsers — Chrome, Safari, Firefox, and others — putting users at risk for data theft, malware, and other malicious activity. Researchers at open source security firm Oligo Security have discovered a way to bypass browser security and interact with services running on an organization's local network from outside the network, that they are calling "0.0.0.0 Day," because of the Web address it exploits. Django Releases Security Updates to Address Critical Flaw (CVE-2024-42005, CVSS 9.8) Date: 2024-08-09 Author: Security Online [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0161] The Django team has issued security updates for Django 5.0.8 and 4.2.15 to address multiple vulnerabilities, including potential denial-of-service (DoS) attacks and a critical SQL injection vulnerability. All Django users are strongly urged to upgrade to the patched versions as soon as possible. Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It is widely used for building secure and scalable web applications. ESB-2024.5281 – Flatpak: CVSS (Max): 10.0 An update of Flatpak was released to address a flaw in the handling of mounts for persistent directories. A malicious or compromised Flatpak app could take advantage of this flaw to access files outside of the sandbox. ESB-2024.5174 – Tenable Security Center: CVSS (Max): 9.1 Security Center leverages third-party software to help provide underlying functionality. Several of the third-party components (Apache, libcurl) were found to contain vulnerabilities, and updated versions have been made available by the providers. ASB-2024.0167 – Microsoft ESU: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 42 vulnerabilities across various Windows Server products. A critical zero-click TCP/IP vulnerability in Windows, affecting all systems with IPv6 enabled, could allow remote code execution through specially crafted packets. Microsoft urges users to patch immediately due to the high risk of exploitation. ASB-2024.0163 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 65 vulnerabilities across Windows 10, 11 and Server products. ESB-2024.5158 – Python for Scientific Computing: CVSS (Max): 9.8* Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 9th August 2024

Greetings, We continuously strive to help our members minimize their exposure to cyber threats and understand that effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploitation Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting August 12, 2024. Read our blog article for more information!. This week, CrowdStrike published a root cause analysis of the recent widespread outage caused by a faulty update pushed out to its Falcon customers. The report details the chain of events and multiple independent testing failures that occurred during the creation and validation of the problematic configuration file distributed to customers. After such a widespread outage causing billions of dollars in damage across multiple countries, many are questioning who is legally responsible. Microsoft, whose ecosystem was impacted, estimated the outage affected 8.5 million Windows devices. Some organisations that were significantly affected by the incident have begun seeking legal recourse against CrowdStrike for compensation for the disruption to business. Delta Air Lines, which suffered widespread flight disruptions and service failures, is seeking financial damages against CrowdStrike. The outages cost Delta an estimated US$350 million to $500 million, as they are dealing with over 176,000 refund or reimbursement requests after almost 7,000 flights were cancelled. However, CrowdStrike has rejected allegations of gross negligence or misconduct, arguing that the terms and conditions of their contracts may limit their liability to customers, thereby severely restricting options for seeking redress under contract law. This has led some law firms to explore the possibility of pursuing class action under other claims, such as negligence. This case reveals the vulnerability of global supply chains and the significant impact IT disruptions can have on organisations worldwide. Major insurance companies are closely monitoring the situation, and many businesses are now scrutinizing their cyber insurance policies. This incident has prompted many to consider whether additional legal ramifications should be established to better protect consumers and hold responsible parties more accountable for their actions. Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code Date: 2024-08-07 Author: Cyber Security News [AUSCERT has identified the impacted members (where possible) and contacted them via email] Kibana, a popular open-source data visualization and exploration tool, has identified a critical security flaw that could allow attackers to execute arbitrary code. This vulnerability, tracked as CVE-2024-37287, has a CVSSv3 severity rating of 9.9, indicating its critical nature. The flaw arises from a prototype pollution vulnerability that can be exploited by attackers with access to Machine Learning (ML) and Alerting connector features and write access to internal ML indices. Exploiting this vulnerability allows attackers to execute arbitrary code, posing significant security risks, as reported by Elastic Cloud. Chrome, Firefox Updates Patch Serious Vulnerabilities Date: 2024-08-07 Author: Security Week [Please also see AUSCERT's bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.5054/ & https://portal.auscert.org.au/bulletins/ESB-2024.5049/] Mozilla and Google both updated their web browsers on Tuesday and the latest versions patch several potentially serious vulnerabilities. Google updated Chrome to version 127.0.6533.99, which fixes six vulnerabilities, including a critical out-of-bounds memory access issue in the Angle component. A reward has yet to be determined for this flaw, which is tracked as CVE-2024-7532. Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key Date: 2024-08-07 Author: Forbes AgileBits, the developer of the hugely popular 1Password password manager, has confirmed that a critical security vulnerability could have allowed an attacker to exfiltrate password vault items and potentially obtain account unlock keys from macOS users. What Is CVE-2024-42219? In a 1Password support posting it was stated that CVE-2024-42219 could enable a “malicious process running locally on a machine to bypass inter-process communication protections” and allow the malicious software in question to “exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and SRP-𝑥.” Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers Date: 2024-08-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4972/] Organizations using certain Logix programmable logic controllers (PLCs) made by Rockwell Automation have been informed about a high-severity security bypass vulnerability discovered by researchers at industrial cybersecurity firm Claroty. On August 1, Claroty published a blog post describing its findings, and Rockwell and the cybersecurity agency CISA published advisories for the flaw, which is tracked as CVE-2024-6242. Google fixes Android kernel zero-day exploited in targeted attacks Date: 2024-08-07 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5013] Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks. The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weakness in the Linux kernel's network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections. Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords Date: 2024-08-07 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and contacted them via email] Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week. CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash Date: 2024-08-06 Author: Security Week Embattled cybersecurity vendor CrowdStrike on Tuesday released a root cause analysis detailing the technical mishap behind a software update crash that crippled Windows systems globally and blamed the incident on a confluence of security vulnerabilities and process gaps. The new CrowdStrike root cause analysis documents a combination of factors the Falcon EDR sensor crash — a mismatch between inputs validated by a Content Validator and those provided to a Content Interpreter, an out-of-bounds read issue in the Content Interpreter, and the absence of a specific test — and a vow to work with Microsoft on secure and reliable access to the Windows kernel. ESB-2024.4645.2 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0 The Cisco PSIRT has updated its initial advisory from July 2027 to confirm that proof-of-concept exploit code is now available for the vulnerability discussed in the advisory. However, they have not reported any instances of malicious exploitation related to this vulnerability. AUSCERT advises its members to apply the patches immediately if they haven't already done so, to prevent potential exploitation. ESB-2024.5095 – Jenkins (core):CVSS (Max): 9.0 The Jenkins Security Advisory 2024-08-07 addresses critical vulnerabilities in Jenkins core that could lead to arbitrary file read and potential remote code execution (CVE-2024-43044). It also highlights a medium-severity issue allowing unauthorized access to other users' "My Views" (CVE-2024-43045). Updates in Jenkins versions 2.471 and LTS 2.452.4 resolve these vulnerabilities. ASB-2024.0160 – EPSS Score Starting August 12, 2024, AUSCERT will include Exploitation Prediction Scoring System (EPSS) scores in Bulletins and Critical MSINs to indicate the likelihood of vulnerability exploitation. The EPSS score will be displayed alongside the CVSS score for Bulletins and in the Overview of Critical MSINs. Members should use up-to-date EPSS values for informed vulnerability management. ESB-2024.5054 – Google Chrome: CVSS (Max): 8.8* On August 6, 2024, Chrome’s Stable channel updated to version 127.0.6533.99 for Windows, Mac, and Linux, introducing five security fixes. Notable fixes include critical and high-severity vulnerabilities reported by external researchers, such as out-of-bounds memory access and use-after-free issues. ESB-2024.5049 – Firefox: CVSS (Max): 9.8* Mozilla's Security Advisory 2024-33, released August 6, 2024, addresses high-impact vulnerabilities in Firefox 129. Key issues include CVE-2024-7518, which allows fullscreen dialogs to be obscured, and CVE-2024-7519, involving out-of-bounds memory access in graphics handling. Other critical fixes cover type confusion in WebAssembly and various use-after-free vulnerabilities. ESB-2024.5013 – Android: CVSS (Max): 9.8* The August 2024 Android Security Bulletin addresses high-severity vulnerabilities affecting Android devices, including critical privilege escalation issues in the Framework component. The patch levels of 2024-08-05 or later resolve these issues. Updates are available in the AOSP repository , with Android partners notified in advance. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 2nd August 2024

Greetings, With the Olympic Games in full swing, many of us are thrilled to cheer on our country in every sport, celebrating the incredible athletic talents of all participants. Each event showcases the dedication, skill, and fairness of athletes from around the world, inspiring us with their remarkable performances and unwavering determination. It is a privilege to witness this global celebration of excellence and unity through sport. Security2Cure is back, bigger and better than ever! This year, the event will be held in Brisbane on August 9th and in Sydney on August 23rd. The event will bring more stories of survival, grief, resilience, and love from within our amazing cyber industry, and we welcome everyone to be part of this inspiring experience. Now in its fourth year, Security2Cure raises money for cancer research, support, and prevention. The day's schedule in both cities includes a range of engaging talks on various aspects of cyber security, covering both technical and non-technical topics. Places are limited! Don’t miss the opportunity to hear from industry peers, leaders, and enthusiasts as they share insights from the cyber front lines and embrace the humility and vulnerability surrounding a disease that affects us all. Support a worthy cause and be inspired by the stories of strength and determination from within our community. If you can’t attend you can still donate to this great cause, just head to the website! Apple Rolls Out Security Updates for iOS, macOS Date: 2024-07-30 Author: Security Week [Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.4910/, https://portal.auscert.org.au/bulletins/ESB-2024.4911/, https://portal.auscert.org.au/bulletins/ESB-2024.4912/, https://portal.auscert.org.au/bulletins/ESB-2024.4913/, https://portal.auscert.org.au/bulletins/ESB-2024.4914/, https://portal.auscert.org.au/bulletins/ESB-2024.4915/, https://portal.auscert.org.au/bulletins/ESB-2024.4916/, https://portal.auscert.org.au/bulletins/ESB-2024.4917/, https://portal.auscert.org.au/bulletins/ESB-2024.4918/] iOS 17.6 and iPadOS 17.6 were released for the latest generation iPhone and iPad devices with fixes for 35 security defects that could lead to authentication and policy bypasses, unexpected application termination or system shutdown, information disclosure, denial-of-service (DoS), and memory leaks. Microsoft confirms Azure, 365 outage linked to DDoS attack Date: 2024-07-31 Author: Cyber Security Dive Dive Brief: Microsoft said a DDoS attack led to an eight hour outage Tuesday involving its Azure portal, as well as some Microsoft 365 and Microsoft Purview services. Microsoft said an unexpected spike in usage led to intermittent errors, spikes and timeouts in Azure Front Door and Azure Content Delivery Network. An initial investigation showed an error in the company’s security response may have compounded the impact of the outage. Microsoft said it will have a preliminary review of the incident in 72 hours and a final review within two weeks, to see what went wrong and how to better respond. Google Releases Critical Security Update for Chrome Date: 2024-07-31 Author: Cyber Security News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4872/] Google has rolled out a critical security update for its Chrome browser, addressing a severe flaw that could lead to browser crashes. The update, now available on the Stable channel, brings Chrome to version 127.0.6533.88/89 for Windows and Mac and 127.0.6533.88 for Linux. This update will be distributed over the coming days and weeks. The latest update includes three significant security fixes, two of which were reported by an external researcher known as “gelatin dessert.” The details of these fixes are as follows: Cyber ransom payments will need to be disclosed by businesses under new laws Date: 2024-07-30 Author: ABC News Australian businesses are paying untold amounts of ransom to hackers, but the government is hoping to claw back some visibility with a landmark cybersecurity law. The Cyber Security Act would force Australian businesses and government entities to disclose payments or face fines, and is expected to be brought before parliament in the next sitting. Dark Angels ransomware receives record-breaking $75 million ransom Date: 2024-07-30 Author: Bleeping Computer A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount— an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report. Gov revamps cyber security leadership in ministerial shake-up Date: 2024-07-28 Author: iTnews The federal government has named Tony Burke as its new minister for cyber security as well as Home Affairs, with incumbent Clare O’Neil moved to the housing portfolio. Albanese also announced a new advisory role for MP Andrew Charlton, as “special envoy for cyber security and digital resilience”. ESB-2024.4872 – Google Chrome: CVSS (Max): None Google has released an urgent security update for its popular Chrome browser to address three vulnerabilities, including one classified as "critical." These vulnerabilities, identified as CVE-2024-6990, CVE-2024-7255, and CVE-2024-7256, could potentially enable attackers to exploit flaws in the browser, putting user security at risk. ESB-2024.4948 – Apache Commons Collections: CVSS (Max): 9.8 Apache Commons Collections could be made to execute arbitrary code if it received specially crafted input. The problem can be corrected by updating your system to libcommons-collections3-java – 3.2.1-6ubuntu0.1~esm1 available with Ubuntu Pro ESB-2024.4912 – Apple iOS and iPad OS: CVSS (Max): 7.5* Apple has released iOS and iPad OS patches to address vulnerabilities such as a maliciously crafted file potentially leading to unexpected app termination plus various bug fixes and enhancements. ESB-2024.4973 – Vonets WiFi Bridges: CVSS (Max): 10.0 Vulnerabilities were identified that could allow an attacker to disclose sensitive information, cause a denial of service condition or execute arbitrary code on affected devices. Vonets has not responded to requests by CISA to mitigate this vulnerability. CISA recommended users take defensive measures to minimize the risk of exploitation of these vulnerabilities. ESB-2024.4960 – IBM QRadar SIEM: CVSS (Max): 9.8 IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 26th July 2024

Greetings, Friday afternoon, CrowdStrike released a sensor configuration update that triggered errors and system crashes in millions of Windows systems, causing major outages worldwide. This event grounded flights, disrupted banks, and closed businesses, highlighting the interconnectedness and fragility of our digital infrastructure. It served as a wake-up call, emphasising that the IT industry is a critical component linking every part of the world. When mistakes are made or incidents occur, the repercussions are felt globally. Reports indicate that malicious actors are quickly capitalising on the disruption caused by this technical issue. Cyber criminals are exploiting the outage window to launch phishing campaigns and other malicious activities. Notably, there have been reports of criminals mimicking CrowdStrike support communications and even impersonating CrowdStrike staff during phone calls.CrowdStrike has also noted instances where cyber criminals posed as independent researchers, falsely asserting evidence linking the technical issue to a cyber attack. In response to these developments, cyber security organisations and authorities have issued advisories urging heightened vigilance. Users are encouraged to verify the authenticity of communications, especially during service disruptions, and to adhere strictly to official channels for updates and support. For more information regarding this issue,read our full article here Attention Brisbane Members! In partnership with WTW and Ethan Global, we will be hosting an event in the CBD on August 13th for IT Directors, Managers, CISOs, C-Suite executives, as well as Risk and Insurance Managers. During this in-person session, AUSCERT, WTW, and Ethan Global will provide attendees with insights and practical steps to understand and communicate holistic cyber risk management strategies, drawn from real-life case studies.Our speakers will examine developments in legal and regulatory changes, prioritising cyber investments, and reporting. Don't miss this opportunity to hear firsthand from thought leaders and experienced practitioners through both presentations and panel discussions. Register here Scammers will pounce on global outage caused by CrowdStrike bug, Home Affairs Minister Clare O'Neil warns Date: 2024-07-20 Author: ABC News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0159/] AUSCERT has also shared IoCs via MISP Australians have been warned scammers and hackers are trying to capitalise on CrowdStrike-triggered outages to steal personal information including bank details and to gain access to computer systems. The unprecedented outage affected a raft of major institutions in Australia and internationally, including emergency services, government agencies, banks and airlines Microsoft releases Windows repair tool to remove CrowdStrike driver Date: 2024-07-21 Author: Bleeping Computer Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday. On Friday, CrowdStrike pushed out a faulty update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops. This glitch caused massive IT outages, as companies suddenly found that all of their Windows devices no longer worked. These IT outages affected airports, hospitals, banks, companies, and government agencies worldwide. Telegram zero-day allowed sending malicious Android APKs as videos Date: 2024-07-22 Author: Bleeping Computer A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files. A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older. Australian cyber security firms to boost Indo-Pacific resilience Date: 2024-07-24 Author: Security Brief AUSCERT and the University of Queensland have announced a partnership with IDCARE to expand cyber security support across the Indo-Pacific under an Australian Government contract. The collaboration is part of the Cyber and Critical Tech Co-operation Program, aiming to bolster cyber resilience in Papua New Guinea and Fiji through tailored cyber-crime Windows July security updates send PCs into BitLocker recovery Date: 2024-07-24 Author: Bleeping Computer Microsoft warned that some Windows devices will boot into BitLocker recovery after installing the July 2024 Windows security updates. The BitLocker Windows security feature mitigates the risk of data theft or information exposure from lost, stolen, or inappropriately decommissioned devices by encrypting the storage drives. Windows computers can automatically enter BitLocker recovery mode following various events, including hardware and firmware upgrades or changes to the TPM (Trusted Platform Module), to restore access to BitLocker-protected drives that have not been unlocked via the default unlock mechanism. Over 3,000 GitHub accounts used by malware distribution service Date: 2024-07-24 Author: Bleeping Computer Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub that push information-stealing malware. The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware. In most cases, the malware are infostealers, such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer. ESB-2024.4781 – Google Chrome: CVSS (Max): None Google announced the release of Chrome 127 to the stable channel with patches for 24 vulnerabilities. As usual, memory safety bugs were the most common type of security flaw addressed, representing half of the reported issues, including four high-severity ones. ASB-2024.0159 – CrowdStrike sensor configuration update AUSCERT issued an advisory regarding the global outage caused by the sensor configuration update that impacted millions of Windows systems worldwide. ESB-2024.4758 – National Instruments IO Trace: CVSS (Max): None ICS-CERT has issued an advisory for a critical vulnerability (CVE-2024-5602) in National Instruments IO Trace, a network appliance. The issue, a stack-based buffer overflow, requires user interaction to exploit but could allow arbitrary code execution. A patch is available, and users are advised to minimize network exposure and use secure remote access methods. ESB-2024.4742 – IBM Security QRadar SIEM: CVSS (Max): 7.5 IBM Security QRadar SIEM has released updates to address multiple vulnerabilities, including CVE-2024-29415, which has a CVSS score of 7.5 for server-side request forgery. The updates also fix other issues such as denial of service and HTTP request smuggling. ESB-2024.4833 – ICSA-24-207-01 Siemens SICAM Products: CVSS (Max): 9.8 Siemens SICAM products are vulnerable to critical issues, including a severe password reset flaw (CVE-2024-37998) and a missing authentication issue (CVE-2024-39601). These vulnerabilities could lead to unauthorized access and potential information leaks. Users are advised to upgrade to the latest versions and disable auto login to mitigate risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 19th July 2024

Greetings, The winds picked up in the sunny state this week, bringing a noticeable drop in temperatures and allowing us to truly feel the winter chill. Perhaps we can also blame the winds for Queensland’s disappointing loss to New South Wales in the men's State of Origin. The Blues secured one of their greatest victories, defeating Queensland 14-4 at Suncorp Stadium, breaking a 19-year inability to win a decider there. Although it was a sad loss for the Maroons, we applaud the Blues for a good game and a great win. Until next time, Blues! This week, our analyst team distributed critical MSINS to affected members, alerting them to the Exim Flaw vulnerability, which is tracked as CVSS 9.1. Successful exploitation of this security defect could allow attackers to deliver executable attachments to inboxes, potentially leading to code execution and system compromise if the user opens the attachment. All organisations that had their Google Domains service migrated to Squarespace recently are advised to enable two-factor authentication on their Squarespace account, as it is not enabled by default. A number of cryptocurrency-related businesses appear to have been caught up in DNS hijacking attacks as a result of the way Squarespace migrated the service. Most of the noteworthy cases have been resolved; however, hundreds of domains are still alleged to be at risk of similar DNS hijacking, so it may not be over yet. It is crucial for organisations to adopt multi-factor authentication (MFA) to protect their data and maintain trust with customers and partners. By effectively implementing MFA, organisations can better defend against cyber threats and ensure the security of sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cyber security risks and safeguarding sensitive data. Atlassian Patches High-Severity Vulnerabilities in Bamboo, Confluence, Jira Date: 2024-07-17 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4634/] Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products. The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack. Critical Exim Flaw Allows Attackers to Deliver Malicious Executables to Mailboxes Date: 2024-07-12 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical vulnerability in over 1.5 million internet-accessible Exim mail transfer agent (MTA) installations potentially allows attackers to deliver malicious executables to user mailboxes, Censys warns. The issue, tracked as CVE-2024-39929 (CVSS score of 9.1) and impacting RFC 2231 header parsing, results in filenames being incorrectly parsed, which could allow remote attackers to bypass the filename extension-blocking protection mechanisms. Organizations Warned of Exploited GeoServer Vulnerability Date: 2024-07-16 Author: Security Week [AUSCERT contacted the potentially vulnerable members (where possible) on 04 July 2024] The US cybersecurity agency CISA is urging federal agencies to patch a critical-severity vulnerability in GeoServer as soon as possible, warning of evidence of active exploitation. The bug, tracked as CVE-2024-36401 (CVSS score of 9.8), is described as the unsafe evaluation of property names as XPath expressions, which could allow unauthenticated attackers to execute code remotely, through crafted input against a default GeoServer installation. Critical Apache HTTP Server Vulnerabilities Expose Millions of Websites Date: 2024-07-18 Author: Cyber Security News [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4720/] The Apache Software Foundation has disclosed several critical vulnerabilities in the Apache HTTP Server, which could potentially expose millions of websites to cyber-attacks. These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, affect various versions of the Apache HTTP Server and could lead to severe consequences such as source code disclosure, server-side request forgery (SSRF), and denial of service (DoS). Infoseccers claim Squarespace migration linked to DNS hijackings at Web3 firms Date: 2024-07-15 Author: The Register Security researchers are claiming a spate of DNS hijackings at web3 businesses is linked to Squarespace's acquisition of Google Domains last year. The theory is that cybercriminals may have picked up on a flaw in the method Squarespace used to migrate Google Domains customer data over to its servers, allowing them to guess the email addresses associated with admin accounts and register the account for themselves. Hackers use PoC exploits in attacks 22 minutes after release Date: 2024-07-13 Author: Bleeping Computer Threat actors are quick to weaponize available proof-of-concept (PoC) exploits in actual attacks, sometimes as quickly as 22 minutes after exploits are made publicly available. That is according to Cloudflare's Application Security report for 2024, which covers activity between May 2023 and March 2024 and highlights emerging threat trends. Cloudflare, which currently processes an average of 57 million HTTP requests per second, continues to see heightened scanning activity for disclosed CVEs, followed by command injections and attempts to weaponize available PoCs. ESB-2024.4635 – Google Chrome CVSS (Max): None The latest Chrome 126 update addresses several critical issues, including an inappropriate implementation flaw and a type confusion in V8, as well as use-after-free vulnerabilities in Screen Capture, Media Stream, Audio, and Navigation. Additionally, it fixes a race condition in DevTools and an out-of-bounds memory access in V8. ASB-2024.0134.2 – Oracle MySQL: CVSS (Max): 9.8 Oracle's latest quarterly Critical Patch Update addresses 386 security vulnerabilities, with 37 patches specifically for Oracle MySQL. Among these, 11 vulnerabilities can be exploited remotely without authentication. Notably, CVE-2023-37920 in MySQL Cluster is rated critical with a CVSS score of 9.8, potentially allowing remote attackers to exploit these vulnerabilities through simple network attacks. ESB-2024.4645 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0 Cisco has issued patches for a critical security flaw affecting Smart Software Manager On-Prem (Cisco SSM On-Prem). This vulnerability, identified as CVE-2024-20419 and rated with a maximum CVSS score of 10.0, could allow a remote, unauthenticated attacker to alter the passwords of any users, including administrative accounts. ESB-2024.4631 – Rockwell Automation Pavilion 8: CVSS (Max): 8.8 A vulnerability in Rockwell Automation Pavilion 8 permits a remote attacker to gain elevated privileges on the system. This security flaw arises from incorrect permission assignments on critical resources, enabling a remote user to access sensitive data and create new user accounts. ESB-2024.4633 – Mozilla Thunderbird: CVSS (Max): 9.8 The Mozilla Foundation has issued patches for vulnerabilities in Thunderbird 128. While these flaws generally cannot be exploited through email within Thunderbird due to disabled scripting when reading mail, they pose potential risks in browser or browser-like environments. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 12th July 2024

Greetings, This week, we celebrate NAIDOC Week, recognising the history, culture, and achievements of Aboriginal and Torres Strait Islander Peoples. NAIDOC Week offers an opportunity for all Australians to learn about First Nations cultures and histories and participate in celebrations of the oldest continuous living cultures on earth. Visit the NAIDOC website for a full list of local events. This month's Patch Tuesday brought significant updates, addressing 142 security flaws across various Microsoft products. Among these, two vulnerabilities were actively exploited in the wild, posing immediate threats to users. Additionally, two zero-day vulnerabilities, which had been publicly disclosed but not yet exploited, were patched. These zero-days are particularly concerning as there may be an exploit available before a fix is released. The update also fixed five critical vulnerabilities, all classified as remote code execution (RCE) flaws. These updates highlight the importance of regular patch management to protect systems from known threats. Users and organisations are strongly advised to apply these patches promptly to mitigate the risk of exploitation. Keeping systems updated is a crucial step in maintaining a secure IT environment and defending against cyber threats. The National Anti-Scam Centre is urging Australians who have had money stolen by scammers to be wary of offers to recover their money for an upfront fee. Reports involving a money recovery element are on the rise. Between December 2023 and May 2024, Scam watch received 158 reports with total losses exceeding $2.9 million, including losses from the original scams. The number of reports increased by 129 percent compared to the previous six months, while financial losses decreased by 29 percent from $4.1 million. Australians aged 65 and older were the largest reporting group and suffered the highest average losses. Victims of previous scams are easily identified by criminals who commonly keep and sell information about individuals they have exploited. The best method to stay ahead of cyber threats is through training and education. With the necessary skills and expertise, you can ensure that you and your organisation are always protected from attacks. Check out our online training schedules to find out how you can enhance your knowledge. It’s also important for victims of scams to feel able to report and share their experiences without judgement, so please share information about scams with less knowledgeable friends and family. New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack Date: 2024-07-10 Author: Cyber Security News Security researchers have discovered a new vulnerability in OpenSSH, identified as CVE-2024-6409, which could potentially allow remote code execution attacks on affected systems. This vulnerability, which affects OpenSSH versions 8.7 and 8.8, allows for potential remote code execution (RCE) due to a race condition in signal handling within the privilege separation (privsep) child process. Misconfigured Jenkins Servers Targeted in Cryptojacking Attacks Date: 2024-07-06 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] [AUSCERT also shared IoCs and Attack Patterns via MISP] Trend Micro, a global leader in cybersecurity, has issued a warning about a recent wave of attacks targeting misconfigured Jenkins servers. Cybercriminals are exploiting vulnerabilities in the Jenkins Script Console to illicitly install and operate cryptocurrency mining software, siphoning computational resources from unsuspecting organizations. The Essential Eight Is An Opportunity To Drive New Strategic Value Into The Enterprise Date: 2024-07-08 Author: IT News The Australian Cyber Security Centre (ACSC)’s Essential Eight framework has the potential to transform Australia into a global leader in cyber security. However, in challenging organisations to develop a more strategic approach to cyber security, it also introduces some new risks to IT environments that enterprises are going to need to grapple with in the coming years. SAP Patches High-Severity Vulnerabilities in PDCE, Commerce Date: 2024-07-09 Author: Security Week Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities. The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP. RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks Date: 2024-07-09 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0130] Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances. "The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge Networks CEO Alan DeKok, who is the creator of the FreeRADIUS Project, said in a statement. Nearly 10bn passwords posted to hacking forum Date: 2024-07-08 Author: Cyber Daily The user – named ObamaCare – made the post on 4 July on a popular hacking forum, sharing a file called rockyou2024.txt. “Xmas came early this year,” ObamaCare said. “I present to you a new rockyou2024 password list with over 9.9 billion passwords.” “I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years.” The shared list has 9,948,575,739 passwords in all, and it appears to be a compilation of new and old leaks compiled into a single list. The file is a 45.6 gigabyte .zip archive. ASB-2024.0122 – Microsoft Windows: CVSS (Max): 9.8 For July 2024 Patch Tuesday, Microsoft’s security updates and patches address two zero-day vulnerabilities currently being exploited: CVE-2024-38080 in Windows Hyper-V and CVE-2024-38112 in the Windows MSHTML Platform. ESB-2024.4425.2 – Citrix Netscaler Products: CVSS (Max): 9.4 Citrix has disclosed two critical vulnerabilities impacting its NetScaler Console, NetScaler SVM, and NetScaler Agent, which could potentially enable attackers to access sensitive information and launch denial of service attacks. The vulnerabilities, designated as CVE-2024-6235 and CVE-2024-6236, have led Citrix to issue urgent update recommendations to mitigate these risks. ESB-2024.4427 – Palo Alto Networks Expedition: CVSS (Max): 9.3 Palo Alto Networks has issued security updates to address several vulnerabilities affecting its products, including a critical flaw that could enable authentication bypass. Tracked as CVE-2024-5910 this vulnerability is characterized as a missing authentication issue in the Expedition migration tool, potentially allowing unauthorized access to an administrator account. ESB-2024.4429 – VMware Aria Automation: CVSS (Max): 8.5 VMware has issued security updates to address a high-severity vulnerability in their Aria Automation product. This vulnerability, a structured query language (SQL) injection flaw, could allow an authenticated attacker to execute unauthorized read or write operations in the database by sending specially crafted SQL queries. ESB-2024.4428.2 – GitLab Community and Enterprise editions: CVSS (Max): 9.6 GitLab has released a new set of updates to address security vulnerabilities in its software development platform, including a critical flaw that enables an attacker to execute pipeline jobs as any arbitrary user. Tracked as CVE-2024-6385, this vulnerability has a CVSS score of 9.6. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 5th July 2024

Greetings, This week, we published the AUSCERT2024 recordings! To re-live your favourite sessions, head to our YouTube channel to watch them. We featured many exciting sessions that made the event truly unforgettable. This year, the conference focused on industry technology, modernizing infrastructure, data governance, and the legal aspects of cyber security. One highlight to revisit is the live Risky Biz recording with Adam Boileau and Patrick Gray, in which they discussed some very interesting topics. MISP was another hot topic, with our Senior Security Systems Administrator, Josh Hopkins, leading a session on modernising MISP by applying Infrastructure as Code principles to your MISP services. Data governance was another significant focus at AUSCERT2024. In Trinity McNicol’s session, she explored how organisations can manage data-related risks, protect data assets, leverage data for decision-making, meet consumer privacy expectations, and ensure compliance with data protection legislation. Cyber security frameworks can also help organisations understand their cyber health and improve overall resilience. The Cyber Health Check Program Panel discussion went beyond theory, offering real-world case studies that highlight successful cyber security enhancements. Watch as the team embarks on an enlightening exploration of cyber security framework essentials. Piotr Kijewski’s session provided an overview of how Shadowserver functions as a large-scale information collection and sharing project, collaborating with the global Internet defender community. Piotr described their recent journey in search of sustainability and concluded with their vision of continuing the mission to raise the bar on global cyber security without compromising their principles of free threat intelligence sharing. Darren Kitchen’s session was a highly anticipated keynote, in which he shared tales of device deception from nearly 20 years of experience with Hak5. He discussed the innovative implants and deceptive devices equipping red teams worldwide. Darren’s successful penetration tests have resulted in a multitude of real-world stories that proved effective. We concluded with a captivating Speed Debate featuring exciting, witty, and comical topics. Watch this session for a good laugh! The Cyber Security Conference actively focuses on community, value, and upskilling the workforce in a fun and inclusive environment. This year was no exception, with around 900 delegates attending across the four days. We can’t wait for next year, but in the meantime we have the videos to keep us entertained! Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug Date: 2024-07-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4145/] Google has released patches for 25 documented security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug, tracked as CVE-2024-31320, impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in an advisory. Cisco warns of NX-OS zero-day exploited to deploy custom malware Date: 2024-07-01 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4143/] Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches. Cybersecurity firm Sygnia, who reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. "Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer. Splunk Patches High-Severity Vulnerabilities in Enterprise Product Date: 2024-07-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4152/] Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs. Three of the high-severity issues are remote code execution flaws that require authentication for successful exploitation. The first of them, tracked as CVE-2024-36985, could be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. The issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x. New regreSSHion OpenSSH RCE bug gives root on Linux servers Date: 2024-07-01 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0121/] A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems. OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. Juniper releases out-of-cycle fix for max severity auth bypass flaw Date: 2024-06-30 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4117/] Juniper Networks has released an emergency update to address a maximum severity vulnerability that leads to authentication bypass in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. The security issue is tracked as CVE-2024-2973 and an attacker could exploit it to take full control of the device. Gov launches 'overdue' cyber security network for health sector Date: 2024-07-01 Author: iTnews Mirroring a model already used in the financial and critical infrastructure sectors, the pilot Information Sharing and Analysis Centre (ISAC) will focus on “cyber threats, responses and preventative measures” among health organisations. Minister for Home Affairs and cyber security Clare O’Neil said healthcare organisations’ “access to sensitive data”, and their “struggle with building and funding strong cyber protections”, had made them a threat target. “The last two years has been the beginning of a big, overdue national journey to lift up cyber security across the country to better protect our citizens,” she said in a statement. ESB-2024.4245 – PHP: CVSS (Max): 9.8 Ubuntu has fixed a vulnerability in PHP. The update caused a regression in parsing XML in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. ESB-2024.4211 – python-Js2Py: CVSS (Max): 9.6 SUSE has released an update that solves a vulnerability for a potential sandbox escape via untrusted JavaScript code. ESB-2024.4144.2 – OpenSSH: CVSS (Max): 8.1 OpenSSH incorrectly handled signal management which could allow an attacker to bypass authentication and remotely access systems without proper credentials. Fixes were released to patch this vulnerability. ESB-2024.4164 – Splunk Enterprise: CVSS (Max): 9.8 Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher. ESB-2024.4174 – mySCADA myPRO: CVSS (Max): 9.8 mySCADA released an update for myPRO to address a vulnerability that could allow an attacker to remotely execute code on affected devices. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more

Week in review

AUSCERT Week in Review for 28th June 2024

Greetings, Events this week underscored the critical importance of staying updated on the latest cyber security threats and trends. Australia’s proactive approach to implementing security measures and educating the community plays a crucial role in mitigating risks and enhancing overall cyber resilience. The week began with an alert from the Australian Cyber Security Centre (ACSC) highlighting increased cyber threat activity targeting Snowflake customers. Businesses and critical infrastructure in Australia were advised to bolster their security measures and remain vigilant against potential attacks. Many organisations applied Microsoft's June 2024 Patch Tuesday updates, which addressed 51 vulnerabilities, including 18 critical remote code execution flaws. Addressing these vulnerabilities promptly helps organisations mitigate the risks associated with commonly used applications and systems. In other news, a Wednesday court filing provided some details about the September 2022 Optus data breach, from the perspective of Australia's Communications and Media Authority (ACMA). ACMA is leveraging its regulatory powers to pursue Optus, alleging that the company failed to adequately protect personally identifiable customer information, including failing to fix an identified coding error in all of its Internet-visible APIs and to continue to operate a vulnerable API for two years despite there being no need for its operation. The filing states that “The cyber attack was not highly sophisticated nor did it require advanced skills or proprietary knowledge of Optus's processes or systems. It was executed through a simple process of trial and error,”. ACMA is seeking civil penalties in the case. Singtel, the parent company of Optus, has advised investors that it cannot determine the quantum of penalties but will defend the case. This incident exemplifies how regulatory bodies are intensifying their efforts to hold organisations accountable for failing to adhere to appropriate practices in safeguarding personal information. Ensure your organisation is compliant with the necessary regulatory standards. If you need assistance in analysing your organisation's cyber security maturity level, contact our team at – grc@auscert.org.au. Cyber threats surge during Australia's EOFY tax season Date: 2024-06-25 Author: Security Brief As the end of the financial year (EOFY) approaches in Australia, organisations and individuals find themselves preoccupied with tax returns, financial statements, and compliance reports. This busy period also brings with it a heightened risk of cyber threats, creating a favourable environment for scammers and cybercriminals. Analysts have noted an uptick in seasonal cyber activities during the EOFY period, exploiting the chaos and urgency associated with tax-related activities. The most common threats include phishing scams, ransomware, business email compromise (BEC), and identity theft. If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately Date: 2024-06-25 Author: The Register [AUSCERT has identified the impacted members (where possible) and contacted them via email] The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year. Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it. The site offered polyfills – useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers. Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806) Date: 2024-06-25 Author: Help Net Security [AUSCERT has identified the impacted members (where possible) and contacted them via email] Progress Software has patched one critical (CVE-2024-5805) and one high-risk (CVE-2024-5806) vulnerability in MOVEit, its widely used managed file transfer (MFT) software product. According to WatchTowr Labs researchers, the company has been privately instructing users to implement the hotfixes before they go public with the information. Hacker Claims Theft of 30M User Records From Australia Ticketing Company TEG Date: 2024-06-24 Author: Security Week A threat actor is boasting on a hacking forum the theft of information pertaining to millions of Ticketek users, roughly three weeks after the company acknowledged a data breach. On May 31, Ticketek Entertainment Group (TEG), an Australia-based live events and ticketing firm, announced that user account information had been compromised after hackers accessed a database stored on a cloud-based platform. “The available evidence at this time indicates that, from a privacy perspective, customer names, dates of birth and email addresses may have been impacted,” TEG said. Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack Date: 2024-06-25 Author: Ars Technica WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday. ESB-2024.4118 – GitLab: CVSS (Max): 9.6* Gitlab has released critical patches for GitLab Community Edition (CE) and Enterprise Edition (EE). ESB-2024.4099 – SQLite: CVSS (Max): 9.8 SQLite could be made to crash or execute arbitrary code. ESB-2024.4076 – OpenVPN: CVSS (Max): 9.8 OpenVPN could allow unintended access to network services. ESB-2024.4073 – git: CVSS (Max): 9.0 Multiple vulnerabilities were found in git, a fast, scalable and distributed revision control system. ESB-2024.4019.2 – Google Chrome: CVSS (Max): None Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more