Greetings, We have released a new podcast episode titled Security Culture. In this episode, Anthony sits down with Daisy Wong, AUSCERT's Diversity and Inclusion Champion for 2023 to talk about her unique experience and background which has helped her become a security culture advocate and champion. In the second half of the episode, Bek sits down with David Stockdale, Director of AUSCERT for an exciting announcement about a new recruitment opportunity for a General Manager at AUSCERT. Applications closing this Sunday January 28, so if you’re interested apply today! This week, the Australian federal government took decisive action by officially identifying and imposing sanctions on Russian citizen Aleksandr Ermakov, over his alleged involvement in the Medibank cyber attack. This ground-breaking move marks the government's first cyber crime sanction against a perpetrator, thereby clearly conveying the message that anonymity and impunity will not be tolerated in the realm of cyberspace in Australia. The Medibank cyber attack which occurred in 2022, had severe repercussions, involving the unauthorized acquisition of 9.7million records and inflicting a staggering financial toll of $46.4million on the insurer during the 2022-2023 financial year. This enforcement action underscores the government’s commitment to holding individuals accountable for cyber offenses and serves as a pivotal step in addressing the escalating challenges posed by cyber threats. The action aligns with the dedication outlined in the 2023-2030 Australian Cyber Security Strategy, highlighting the government’s determination to both deter and respond to malicious cyber activities through the strategic use of sanctions. Such measures underscore the imperative of robust cybersecurity initiatives and signal a proactive approach to safeguarding against future cyber threats. In conclusion, if you are looking for some reading over the long weekend, we highly recommend a publication by two friends of AUSCERT, Senior Lecturer from UQ, Ivano Bongiovanni, and UQ Research Officer Bert Valkenburg. They recently published a systematic review of literature on the Three Lines Model (TLM) research. This review contains practical indications for organizations interested in exploring the adoption of the TLM as a Cyber Governance framework. It also offers reflections on some current trends observed in the industry, such as the evolution of CISOs' roles and increased involvement by senior executives. Progress Software patches critical OpenEdge vulnerability Date: 2024-01-22 Author: iTnews Progress Software has disclosed a critical vulnerability in several versions of its Progress Application Server in OpenEdge (PASOE) software. According to an advisory, CVE-2023-40051 affects OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. “An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE," the advisory states. New NTLM Hash Leak Attacks Target Outlook, Windows Programs Date: 2024-01-22 Author: Security Week [AUSCERT has identified impacted members (where possible) and contacted them via email] Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said. Mother of all breaches – a historic data leak reveals 26 billion records: check what's exposed Date: 2024-01-24 Author: Cyber News The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered. There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases. Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks Date: 2024-01-18 Author: Security Week The Rapid SCADA open source industrial automation platform is affected by several vulnerabilities that could allow hackers to gain access to sensitive industrial systems, but the flaws remain unpatched. The US cybersecurity agency CISA published an advisory last week to inform industrial organizations about seven vulnerabilities discovered by Claroty researchers in Rapid SCADA. Rapid SCADA is advertised as ideal for developing monitoring and control systems, particularly industrial automation and IIoT systems, energy accounting systems, and process control systems. High-Severity Vulnerability Patched in Splunk Enterprise Date: 2024-01-23 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Splunk on Monday announced patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Tracked as CVE-2024-23678, the high-severity flaw is described as an issue related to incorrect sanitization of path input data resulting in “the unsafe deserialization of untrusted data from a separate disk partition on the machine”. Deserialization of untrusted data is a type of vulnerability allowing for the use of malformed data to cause denial of service, abuse application logic, or execute arbitrary code. Exploit released for Fortra GoAnywhere MFT auth bypass bug Date: 2024-01-23 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files. ESB-2024.0386 – VMWare: CVSS (Max): 9.8 VMware issued security updates to fix a critical vCenter Server vulnerability that is being exploited in the wild to gain remote code execution attacks on vulnerable servers. ESB-2024.0412 – Splunk Enterprise: CVSS (Max): 7.5 Splunk released patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Splunk advises its clients to upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher. ESB-2024.0426 – ALERT macOS Sonoma 14.3: CVSS (Max): None Apple has released new iOS 17.3 and macOS Sonoma 14.3 updates fix multiple vulnerabilities that expose Apple users to code execution, denial-of-service and data exposure attacks. Multiple WebKit vulnerabilities may have been exploited as zero-day in the wild. ESB-2024.0493 – ALERT Cisco Unified Communications Products: CVSS (Max): 9.9 Cisco has released software updates that address critical-rated RCE vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that if exploited could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, AUSCERT has been busy finalising our member meet-up schedule for 2024! Keep an eye out for invitations coming out soon for a catch-up in your local area! They offer invaluable moments of sharing industry expertise, knowledge sharing, and the chance to connect with old friends while making new ones within the cyber security industry. In cyber news this week, customers of some of Australia’s well-known brands including Dan Murphy’s, Binge, Guzman y Gomez, and Event Cinemas have fallen victim to a coordinated credential stuffing attack, affecting an estimated 15,000 customers. Scammers acquired stolen login details and are exploiting online accounts to conduct fraudulent transactions, accumulating thousands in online purchases. Prime Minister Anthony Albanese emphasized the critical importance of cyber awareness and security during the recent wave of cybercrimes, highlighting the significant threat to Australia and its economic security. A credential stuffing attack like this one involves the use of large sets of username and password combinations obtained from previous data breaches to gain unauthorised access to user accounts on various online platforms. Attackers use automated tools or scripts to test stolen credentials to gain access into different websites or services. If the login attempt is successful, the attacker gains unauthorised access to the user’s account. Attackers may then exploit the compromised account for various malicious activities such as stealing personal information, making unauthorised transactions or launching further attacks. Here are a few helpful tips to protect against credential stuffing attacks: • Reuse of Credentials: – While using strong passwords, passphrases, and password managers is crucial, it's equally important to avoid using the same credentials across multiple platforms. In the event of a data breach on one site or any alternative compromise, your username and password could be exposed, leaving you susceptible to credential-stuffing attacks on other sites. • Enable Multi-Factor Authentication (MFA): – If possible, enabling MFA adds an additional layer of security by requiring a second form of verification along with password. • Regularly Update Passwords: – Users should regularly update their passwords to reduce the risk associated with compromised credentials. • Rate Limiting & CAPTCHA: – Online platforms can implement rate limiting to detect and prevent multiple logins. Additionally CAPTCHA challenges can help stop automated attempts. The above steps are simple ways to enhance your cyber security posture for 2024! GitLab warns of critical zero-click account hijacking vulnerability Date: 2024-01-12 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0272] GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if there is "no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.” Patch now: Critical VMware, Atlassian flaws found Date: 2024-01-16 Author: The Register [AUSCERT has identified the impacted members for Confluence products (where possible) and contacted them via email] [Also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.0290 (Confluence) and https://portal.auscert.org.au/bulletins/ESB-2024.0292 (VMware)] VMware and Atlassian today disclosed critical vulnerabilities and, while neither appear to have been exploited by miscreants yet, admins should patch now to avoid disappointment. First off, a pair of issues from Atlassian. Most serious is CVE-2023-22527, a template injection flaw that can allow unauthenticated remote code execution (RCE) attacks. It scored a perfect CVSS rating of 10 out of 10 and affects Confluence Data Center and Server 8 versions released before December 5, 2023 and 8.4.5, which no longer receives fixes. Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks Date: 2024-01-15 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Security researchers have found over 178,000 SonicWall next-generation firewalls (NGFW) with the management interface exposed online are vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks. These appliances are affected by two DoS security flaws tracked as CVE-2022-22274 and CVE-2023-0656, the former also allowing attackers to gain remote code execution. Google Warns of Chrome Browser Zero-Day Being Exploited Date: 2024-01-16 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0293] Google has pushed out an urgent Chrome browser update to fix a trio of high-severity security defects and warned that one of the bugs is already being exploited in the wild. The exploited zero-day, tagged as CVE-2024-0519, is described as an out-of-bounds memory access issue in the V8 JavaScript engine. As is customary, Google did not provide any additional details on scope of the observed attacks or share telemetry to help defenders hunt for signs of compromise. Citrix warns of new Netscaler zero-days exploited in attacks Date: 2024-01-16 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0318] Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities. The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively. However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access. Have I Been Pwned adds 71 million emails from Naz.API stolen account list Date: 2024-01-17 Author: Bleeping Computer Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. ASB-2024.0027 – Oracle MySQL: CVSS (Max): 9.8 Oracle has identified multiple vulnerabilities in MySQL and advised that 12 of the vulnerabilities may be remotely exploitable without authentication. ESB-2024.0318 – NetScaler: CVSS (Max): 8.2 Citrix has warned of two critical zero-day vulnerabilities that have active exploitations in the wild. Tracked as CVE-2023-6548 and CVE-2023-6549, the vulnerabilities allow remote code execution and denial-of-service attacks on the affected devices. ESB-2024.0293 – Google Chrome: CVSS (Max): 7.5 Google has pushed out an urgent Chrome browser update to fix three high-severity security defects and advised that one of the bugs, tracked as CVE-2024-0519 is already being exploited in the wild. ESB-2024.0292 – VMware Products: CVSS (Max): 9.9 Tagged as CVE-2023-34063, missing access control problem in Aria Automation earlier of 8.16 has been reported. With a CVSS rating of 9.9 this flaw may allow unauthorized access to remote organizations and workflows. ESB-2024.0290 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 10.0 Template injection flaw that can allow unauthenticated remote code execution has been identified in Confluence Data Center and Server. Tracked as CVE-2023-22527, the flaw scored a CVSS rating of 10 out of 10. ESB-2024.0272 – ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities. The most critical issue is the account hijacking with no user interaction vulnerability with the maximum severity score and is being tracked as CVE-2023-7028. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the new year is in full swing, and many of us have returned to work, now is a great time to commence the development of our organisational goals and objectives for the year. Cyber security practices should stand as a fundamental pillar within all organisations, given the increased frequency and heightened sophistication of cyber attacks. This week, Microsoft initiated their first Patch Tuesday of the new year, addressing various flaws and vulnerabilities. This serves as a timely reminder for the new year to stay secure and keep your systems patched by addressing these vulnerabilities. Small and medium sized businesses are often the most severely impacted when targeted in cyber attacks. Even a minor incident can have devastating consequences, resulting in significant losses that may be challenging to recover from. Employing robust cyber security measures is crucial for safeguarding financial stability, reputation and ensuring business continuity. The ASD has released a helpful guide for small businesses, offering valuable insights into basic security measures to protect against common security threats. To better prepare consumers, NAB scam experts have shared their top tips to spot the red flags of scam trends predicted to impact Australians in 2024. According to the bank’s fraud and cyber security experts, emerging scams to watch out for include AI voice scams and QR code phishing. The top six scams to be vigilant of: AI voice impersonation scams Term deposit investment scams Remote access scams using chat Romance scams Ticket scams QR code phishing scams NAB has reported a significant rise in AI voice scams, emphasizing the need for heightened vigilance in 2024. These scams can be created with as little as three seconds of audio sources from social media posts, voicemails or videos on websites. It is crucial to stay vigilant and promptly report any red flags. NAB has implemented a comprehensive bank-wide strategy to address the global scam epidemic. Make sure to read through it and ensure you are familiar with all the key points! Cisco says critical Unity Connection bug lets attackers get root Date: None Author: Bleeping Computer [Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.0247 and https://portal.auscert.org.au/bulletins/ESB-2024.0249 ] Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support. Ivanti patches two exploited zero-day bugs Date: None Author: iTnews [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti is warning users against two zero-day vulnerabilities in its Connect Secure VPN devices after they were discovered and disclosed by security researchers from Volexity. Volexity spotted the vulnerabilities while analysing a system that was attacked by a group it dubbed “UTA0178”, which it has “reason to believe … is a Chinese nation-state level threat actor”. The bugs, described here, comprise an authentication bypass and a command injection bug, which can be chained together. Critical Xwiki vulnerability risks RCE attacks Date: None Author: Cyber News Xwiki, an application development platform, has a critical vulnerability that could open it up for remote code execution (RCE) attacks. Xwiki is vulnerable to remote code execution (RCE) attacks through its user registration feature. The vulnerability, tracked as CVE-2024-21650 allows an attacker to execute arbitrary code by crafting malicious payloads in the “first name” or “last name” fields during user registration. Ivanti warns critical EPM bug lets hackers hijack enrolled devices Date: None Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server. Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems. The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5. Cybersecurity trends and challenges to watch out for in 2024 Date: None Author: We Live Security What are some of the key cybersecurity trends that people and organizations should have on their radars this year? As 2024 dawns, it's time to look ahead to the challenges that are set to face people and organizations across the world this year. In this week's video, ESET Chief Security Evangelist Tony Anscombe looks at: how the upcoming presidential election in the US comes into play why small and medium-sized businesses in particular should be on their guard the ransomware landscape the AI cybersecurity conundrum expected developments in cybersecurity legislation Android’s January 2024 Security Update Patches 58 Vulnerabilities Date: None Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0092] The first part of Android’s January 2024 update, which arrives on devices as the 2024-01-01 security patch level, addresses ten security holes in the Framework and System components, all rated ‘high severity’. “The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory. ESB-2024.0219 – ALERT Security Director Insights: CVSS (Max): 10.0 Juniper Networks has released Security Director Insights 23.1R1 to address critical vulnerabilities in 3rd party libraries. Juniper Networks has also released information on how to mitigate the issues. ESB-2024.0149 – Splunk Enterprise Security: CVSS (Max): 9.8 Splunk Enterprise Security Third-Party Package Updates for January 2024 fix common vulnerabilities and exposures identified in Third Party Packages. Splunk administrators are urged to update Splunk Enterprise Security to versions 7.1.2, 7.2.0, 7.3.0 or higher. ASB-2024.0008 – Microsoft Windows Products: CVSS (Max): 9.0* Microsoft's first patch update for the new year resolves 40 vulnerabilities across Windows and Windows Server. This includes two critical Security Feature Bypass and Remote Code Execution flaws. ESB-2024.0249 – ALERT Cisco Unity Connection: CVSS (Max): 7.3 Cisco Systems has released patches to address a critical vulnerability in the Unity Connection unified messaging and voicemail solution. This vulnerability, identified as CVE-2024-20272, has the potential to be remotely exploited without authentication. If successfully exploited, it could allow unauthorized individuals to upload arbitrary files, execute commands on the underlying operating system, and gain elevated privileges to root. ESB-2024.0171 – Adobe Substance 3D Stager: CVSS (Max): 5.5 Adobe has recently released an update for Adobe Substance 3D Stager that targets and resolves significant vulnerabilities. These vulnerabilities, if successfully exploited, could result in memory leaks and the execution of arbitrary code within the current user's context. It is highly recommended to install this update to ensure the security and stability of Adobe Substance 3D Stager. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the calendar turns the page to the dawn of 2024 a sense of excitement and anticipation fills the air. The arrival of the new year symbolises a journey towards development and progression for every one of us. We stand prepared to embrace new challenges, learn from the past and propel ourselves forward into an era of growth and prosperity. Just as individuals set resolutions for the new year to pursue good health and fortune, businesses must also create resolutions for improved cybersecurity practices. In our rapidly evolving digital ecosystem, the year ahead promises both ground-breaking strides and the continuous evolution of technology advancements. As organisations gear up to defend against ever-more-sophisticated cyber threats, the role of artificial intelligence and machine learning has elevated threats to new heights. Collaboration is a cornerstone in the cyber realm, as information sharing among industries, governments, and security communities becomes integral to staying one step ahead of cyber threats. The exchange of threat intelligence, best practices and incident response strategies becomes integral to creating a resilient defence ecosystem. The start of 2024 emphasizes the need for a united front against cyber-attacks, as threats become increasingly borderless and interconnected. Therefore our theme for AUSCERT2024 is “Pay it Forward,” as it highlights the importance of passing it forward by demonstrating how shared knowledge and collaboration can create a ripple effect, strengthening the entire field of cyber security. Cyber Conferences serve as an invaluable platform to cultivate new relationships, establish improved communication channels, and facilitate information sharing across organisations and the broader community. Join us at AUSCERT2024 and discover the power of amplifying your impact in the realm of cyber security. The theme for this year highlights the significant influence that everyone’s action can carry within the broader cyber community. We are already hard at work, developing a ground-breaking program of tutorials and presentations, so keep your eyes peeled for more updates. Please note Call for Presentations closes on the 29th of January. We encourage you to submit as soon as possible! Critical Apache OFBiz Vulnerability in Attacker Crosshairs Date: 2024-01-29 Author: Security Week [Please also see AUSCERT bulletin: ASB-2024.0001.2 ] The Shadowserver Foundation has been seeing attempts to exploit a critical vulnerability affecting the Apache OFBiz open source enterprise resource planning (ERP) system. Apache OFBiz is leveraged by several ERP and other types of projects, including the widely used Atlassian Jira issue tracking and project management software. The nonprofit cybersecurity organization Shadowserver reported seeing signs of in-the-wild exploitation for an Apache OFBiz vulnerability tracked as CVE-2023-49070 shortly after details of a different OFBiz bug, CVE-2023-51467, were disclosed by SonicWall. Barracuda Zero-Day Used to Target Government, Tech Organizations in US, APJ Date: 2024-01-28 Author: Security Week [ AUSCERT has shared the indicators of compromise associated with CVE-2023-7102 through MISP.] The recently disclosed vulnerability affecting Barracuda Email Security Gateway (ESG) appliances has been exploited as a zero-day to target government, high-tech and IT organizations, according to Mandiant. The ESG vulnerability, tracked as CVE-2023-7102, is an arbitrary code execution flaw impacting ‘Spreadsheet::ParseExcel’, an open source library used by ESG devices to check Excel email attachments for malware Victoria State's court suffers 'unsettling' and 'distressing' cyber hack Date: 2024-01-02 Author: 9 News Victoria's court system has confirmed that it suffered a cyberattack, with bosses admitting it could be "unsettling" and "distressing" for those affected. Court Services Victoria said "unauthorised access" was gained to the courts audiovisual technology network just before Christmas. It means hackers have got hold of some video and audio recordings as well as transcriptions of court proceedings from between November 1 and December 21. Mandiant’s account on X hacked to push cryptocurrency scam Date: 2024-01-03 Author: Bleeping Computer The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. "We are aware of the incident impacting the Mandiant X account and are working to resolve the issue," a Mandiant spokesperson told BleepingComputer. The law enforcement operations targeting cybercrime in 2023 Date: 2024-01-01 Author: Bleeping Computer In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful than others, law enforcement has been increasingly using hack-back tactics to infiltrate operations and disrupt them. 21 New Mac Malware Families Emerged in 2023 Date: 2024-01-03 Author: Security Week A total of 21 new malware families designed to target macOS systems were discovered in 2023, according to Patrick Wardle, a researcher specializing in the security of Apple devices. Wardle has published a blog post analyzing the new malware families that emerged last year and the total number represents an increase of over 50% compared to 2022. For each of the new malware families, Wardle’s blog describes the infection vector, persistence mechanism, features, and purpose. Malware samples have also been made available. ASB-2024.0001 – Apache OFBiz AUSCERT has recently issued its initial ASB for the year, which highlights an important security concern. The bulletin addresses an Authentication Bypass vulnerability, identified as CVE-2023-51467, affecting Apache OfBiz. To ensure the safety of your systems, AUSCERT strongly advises its members who utilize OfBiz to promptly update to the recommended version. ESB-2024.0093 – Google Chrome: CVSS (Max): None Several vulnerabilities have been discovered in Google Chrome. These vulnerabilities have the potential to be exploited by remote attackers, leading to remote code execution and denial of service of the affected system. Google has released patches to mitigate these issues. ESB-2024.0092 – Android: CVSS (Max): 9.8* Multiple vulnerabilities have been identified in Android devices, with one of the most critical being a high-security vulnerability found in the Framework component. This particular vulnerability has the potential to result in a local escalation of privilege, requiring no additional execution privileges. It is crucial to address this issue promptly to ensure the security of the Android devices. ESB-2024.0096 – IBM Cloud Pak System Software: CVSS (Max): 9.8 IBM has recently released an advisory reporting a vulnerability in its WebSphere Application Server Pattern which can impact IBM Cloud Pak System. IBM has released updates to address the issue. ESB-2024.0108 – Rockwell Automation FactoryTalk Activation: CVSS (Max): 9.8 An Out-of-Bounds Write flaw has been detected in Rockwell Automation's FactoryTalk Activation Manager, which if exploited could result in an attacker gaining full access to the system. Users of the affected software are strongly recommended to promptly implement the necessary risk mitigations. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the final workday is here, we can’t help but reflect on the incredible year we’ve had! AUSCERT2023 stands out as a massive success, featuring world-renowned speakers such as the impressive Rachel Tobac, who shared valuable insights on the importance of social engineering. If you wish to revisit any treasured memories from this year’s conference remember that the recordings are available on our YouTube channel. Fond memories were forged with our valued members across various cities, as we engaged in discussions about our services and exchanged valuable feedback. Notably, celebrating the milestone of turning 30 added another layer of significance to this remarkable year. Our 30 Years 30 Stories campaign, made this even more special as we shared beautiful stories from our valued community, members, and staff. As we persist in our journey of growth and prosperity, we eagerly anticipate what the next year holds for us. Heartfelt thanks to everyone who contributed to making this year truly unforgettable. If you are looking for something interesting to listen to while you wrap up your day, we have released a new episode of ‘Share Today Save Tomorrow’ this week! In episode 29, Anthony sits down with former AUSCERT employee Chris from Cosive to discuss Cyber Threat Intelligence, emphasizing the importance of information and why context matters so much. Also to conclude, a friendly reminder to our members that our 24/7 hotline will remain open if any emergencies arise over the break. We will be staffing it as usual, so please don’t hesitate to reach out! 3CX Urges Customers to Disable Integration Due to Potential Vulnerability Date: 2023-12-18 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Business communication company 3CX is urging customers to disable SQL database integrations to prevent a vulnerability that occurs in certain configurations. In a security advisory published on Friday, the company revealed that 3CX versions 18 and 20 are impacted by an integration bug. “Only 0.25% of our user base have sequel integrated. It’s an old-style integration meant for an on-premise firewall secured network. Nevertheless, if you are using an SQL database integration, it’s subject potentially to a vulnerability – depending upon the configuration,” the company said. Before you go away for Xmas: You've patched that critical Perforce Server hole, right? Date: 2023-12-19 Author: The Register Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched "immediately," according to Microsoft, which spotted the flaws and disclosed them to the software vendor. Perforce Server is a source code management platform used across gaming, government, military, and tech sectors. Microsoft operates GitHub, also a widely used source code management platform, among other services that compete against Perforce. Ivanti releases patches for 13 critical Avalanche RCE flaws Date: 2023-12-20 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. Avalanche allows admins to manage over 100,000 mobile devices from a single, central location over the Internet, deploy software, and schedule updates. As Ivanti explained on Wednesday, these security flaws are due to WLAvalancheService stack or heap-based buffer overflow weaknesses reported by Tenable security researchers and Trend Micro's Zero Day Initiative. Google fixes 8th Chrome zero-day exploited in attacks this year Date: 2023-12-20 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7619] Google has released emergency updates to fix another Chrome zero-day vulnerability exploited in the wild, the eighth patched since the start of the year. "Google is aware that an exploit for CVE-2023-7024 exists in the wild," a security advisory published Wednesday said. The company fixed the zero-day bug for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows users (120.0.6099.129/130) and Mac and Linux users (120.0.6099.129) one day after being reported to Google. Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds Date: 2023-12-16 Author: The Hacker News Dec 16, 2023 Newsroom Online Security / Cybercrime Holiday Gift Card Frauds Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens ESB-2023.7574 – Adobe Experience Manager (AEM) Forms on JEE: CVSS (Max): 9.8 Adobe has recently issued security updates for AEM Forms on JEE versions 6.5.19.0 and earlier. These updates address a critical vulnerability that, if exploited, could potentially result in arbitrary code execution. ESB-2023.7491.2 – UPDATE Cisco Products: CVSS (Max): 9.8 Cisco has advised that it is investigating its product line to identify any potential impact from the vulnerability in Apache Struts. As a part of this effort, a table of vulnerable products has been added to the advisory that was initially released on 14 December 2023. ESB-2023.7619 – Google Chrome: CVSS (Max): None Google has released emergency updates to fix a zero-day vulnerability in Google Chrome that may be exploited in the wild. It is strongly recommended to apply these updates to protect against any potential threats. ESB-2023.7573 – Apache Struts: CVSS (Max): 9.8 While F5 products remain unaffected by the Apache Struts vulnerability (CVE-2023-50164), F5 Networks has still released an advisory regarding this vulnerability due to its critical nature. This proactive measure aims to inform and raise awareness among users about the potential risks associated with the vulnerability. ESB-2023.7616 – macOS Sonoma: CVSS (Max): None A session rendering issue has been resolved through improved session tracking in macOS Sonoma 14.2.1. This update addresses the issue where users who share their screen may unintentionally share incorrect content. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Spear phishing is experiencing a significant surge, marked by a rise in both prevalence and sophistication. Cyber Criminals employ highly targeted techniques to deceive their victims, demonstrating a precision that focuses on specific individuals or organisations. The particularly concerning aspect of these attacks lies in their high success rate, attributed to their effectiveness in appearing genuine. A joint advisory from key nations – Australia, Canada, New Zealand, the United Kingdom, and the United States, highlights the spear phishing techniques employed by the Russian state-based actor, Star Blizzard. This advisory aims to raise awareness regarding the increasingly sophisticated tactics used by cyber adversaries to target individuals and organisations globally. Notably these techniques are commonly directed at sectors such as academia, defence, governmental organisations, NGO’s (Non-Governmental Organisations), and political figures. While Star Blizzard has predominately targeted the UK and US, the advisory serves as a global warning, urging everyone to remain vigilant. The evolving nature of these attacks necessitates a collective effort to stay informed and proactive against the growing threats. The advisory provides valuable insights into spear-phishing campaigns and offers guidance on recognising potential signs of deception. In spear-phishing campaigns, cybercriminals gather detailed information about their targets including names, titles, and relationships. This level of personalisation makes these phishing attempts more convincing and challenging to identify. The perpetrators often impersonate high-ranking executives of trusted individuals within an organisation, manipulating employees into divulging sensitive information or performing actions that could compromise security. The emails appear very legitimate as they often use cloned email templates from the target organisation, increasing the likelihood that recipients will trust and act upon them. This method usually involves social engineering tactics, manipulating human psychology to exploit trust or authority. Attackers may leverage information from social media, organisational information, or other sources to craft convincing and targeted messages. Staying informed about these tactics and remaining vigilant are crucial steps in fortifying defences against such deceptive cyber threats. Empower your employees by allocating resources for training and investing in broader education and awareness initiatives. Head to our website for more information on upcoming training courses for 2024! Adobe Patches 207 Security Bugs in Mega Patch Tuesday Bundle Date: 2023-12-12 Author: Security Week [Please see AUSCERT Bulletins: ESB-2023.7419, ESB-2023.7418, ESB-2023.7413] Adobe warned users on both Windows and macOS systems about exposure to code execution, memory leaks and denial-of-service security issues. Software maker Adobe on Tuesday rolled out fixes for code execution flaws in the enterprise-facing Illustrator, Substance 3D Sampler and After Effects products. Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day Date: 2023-12-12 Author: Bleeping Computer [Please see AUSCERT Bulletins: ASB-2023.(0230 – 0235)] Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE). Critical Vulnerability in popular Java framework Apache Struts2 Date: 2023-12-14 Author: ACSC [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7339.2] A Critical RCE vulnerability has been found in the Apache Struts2 Framework with ‘flawed file upload logic’. This can allow a temporary file upload to instead be uploaded to any directories and allow execution, such as the deployment of a web shell. Patches have been released for the framework itself, but mitigation will also require vendors applying these patches in all applications which use the framework. This includes multiple enterprise-oriented web applications. Exploitation attempts have been observed globally. UniFi devices broadcasted private video to other users’ accounts Date: 2023-12-15 Author: Ars Technica Users of UniFi, the popular line of wireless devices from manufacturer Ubiquiti, are reporting receiving private camera feeds from, and control over, devices belonging to other users, posts published to social media site Reddit over the past 24 hours show. “Recently, my wife received a notification from UniFi Protect, which included an image from a security camera,” one Reddit user reported. “However, here's the twist—this camera doesn't belong to us.” WordPress 6.4.2 Patches Remote Code Execution Vulnerability Date: 2023-12-08 Author: Security Week WordPress last week released a security update for the popular content management system (CMS) to address a remote code execution (RCE) vulnerability. The flaw addressed in the open source CMS is a property oriented programming (POP) chain issue introduced in WordPress core 6.4. It can be combined with a different object injection flaw, allowing attackers to execute PHP code on vulnerable websites. Apple Ships iOS 17.2 With Urgent Security Patches Date: 2023-12-11 Author: Security Week [Please see AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7367] Apple on Monday rolled out security-themed iOS and iPadOS refreshes to address multiple serious vulnerabilities that expose mobile users to malicious hacker attacks. The newest iOS 17.2 and iPadOS 17.2 contains fixes for at least 11 documented security defects, some serious enough to lead to arbitrary code execution or app sandbox escapes. ASB-2023.0230 – ALERT Microsoft Windows: CVSS (Max): 8.8 Microsoft has released its monthly security patch update for December 2023 which resolves 25 vulnerabilities in Windows and Windows Server. ESB-2023.7367 – iOS 17.2 and iPadOS 17.2: CVSS (Max): 7.1* The newest iOS 17.2 and iPadOS 17.2 rollout addresses a number of security issues , some serious enough to lead to arbitrary code execution or app sandbox escapes. ESB-2023.7339.2 – UPDATE Apache Struts: CVSS (Max): None A Critical RCE vulnerability has been found in the Apache Struts2 which has been exploited in the wild. Patches have been released and it is strongly recommended that IT Administrators take immediate action to apply these patches and ensure the security of their systems. ESB-2023.7344 – WordPress: CVSS (Max): None WordPress has released WordPress 6.4.2. for the popular content management system to address a remote code execution vulnerability. Site owners and administrators are advised to update to the fixed CMS version as soon as possible. ESB-2023.7413 – Adobe Illustrator: CVSS (Max): 7.8 Adobe has released an update for Adobe Illustrator 2023 and 2024. This update resolves critical vulnerabilities that could lead to arbitrary code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Automation has long been recognized as the future, but is the future already upon us? The emergence of next-generation connectivity, exemplified by autonomous vehicles and smart cities, signals the dawn of a new era in digital infrastructure. The integration of artificial intelligence (AI) and advanced robotics is propelling automation to new heights, revolutionizing productivity across diverse industries. In this transformative landscape, building our capabilities in these cutting-edge technologies becomes imperative. Doing so ensures that we not only keep up with change but also position ourselves to capitalize on emerging opportunities as they arise. New emerging technologies are likely to transform cyber roles and reshape skill requirements as automated tools assume greater responsibility for core network protection functions. Minister Clare O’Neil has outlined the critical role of automation in the 2023-2030 Cyber Security Strategy. In response to cybercriminals increasingly employing sophisticated technologies to automate ransomware attacks, the strategy advocates a proactive approach through the deployment of automated threat detectors. Essentially, the strategy recognizes automation as a cornerstone in the ongoing battle against cyber threats. The investment in automated solutions and real-time collaboration underscores a commitment to staying ahead in the dynamic cybersecurity landscape, ensuring a robust defence against emerging cyber threats. Successfully implementing automation relies heavily on a strong foundation of clear definitions, guidelines, and processes Often organisations struggle with automation due to a lack of well-documented processes and limited staffing resources. This along with other factors such as maturity and process monitorability, contributes to the challenges security teams face when implementing automation. Successful automation requires a pragmatic approach where teams identify and prioritize processes that are feasible and provide the greatest impact on efficiency and risk reduction. To conclude we would like to remind you of the webinar discussion we have coming up next week designed to support you with the development and submission of your presentations for AUSCERT2024! Register here Atlassian patches critical RCE flaws across multiple products Date: 2023-12-06 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email]. [See AUSCERT bulletins: ESB-2023.7312, ESB-2023.7311, ESB-2023.7310, ESB-2023.7308] Atlassian has published security advisories for four critical remote code execution (RCE) vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS. VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks Date: 2023-12-01 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6704.2] VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins to manage data centers spread across multiple locations as Virtual Data Centers (VDC). The auth bypass security flaw (CVE-2023-34060) only impacts appliances running VCD Appliance 10.5 that were previously upgraded from an older release. However, VMware says it doesn't affect fresh VCD Appliance 10.5 installs, Linux deployments, and other appliances. "Sierra:21" vulnerabilities impact critical infrastructure routers Date: 2023-12-06 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7318] A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. The flaws discovered by Forescout Vedere Labs affect Sierra Wireless AirLink cellular routers and open-source components like TinyXML and OpenNDS (open Network Demarcation Service). AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity. Nissan discloses cyber incident in Australia and NZ Date: 2023-12-07 Author: iTnews Carmaker Nissan is investigating a cyber incident affecting undisclosed systems used by its Australian and New Zealand operations. The company said in a statement overlaid on its homepage that the “Australian and New Zealand Nissan Corporation and Financial Services advises that its systems have been subject to a cyber incident.” Apple fixes two new iOS zero-days in emergency updates Date: 2023-12-30 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7211] Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday. Establishing New Rules for Cyber Warfare Date: 2023-12-05 Author: Dark Reading The efforts of the International Committee of the Red Cross (ICRC) to establish rules of engagement to combatants in a cyberwar should be applauded internationally, even if adherence is likely to be limited. The ICRC recently released a set of rules for civilian hackers involved in conflicts to follow in order to clarify the line between civilians and combatants, as cyberspace can be a blurry place to work in — especially during a war. ESB-2023.6704.2 – UPDATE VMware Cloud Director Appliance: CVSS (Max): 9.8 VMware has released Cloud Director Appliance 10.5.1 to fix the authentication bypass vulnerability reported in November 2023. ESB-2023.7318 – Sierra Wireless AirLink with ALEOS firmware: CVSS (Max): 8.1 Multiple vulnerabilities have been reported in Sierra Wireless AirLink with ALEOS which if exploited could result in a cross site scripting or denial-of-service attack. ESB-2023.7309 – Google Chrome: CVSS (Max): None Google announced the release of Chrome 120 to the stable channel for Mac,Linux and Windows. This update contains patches for 10 vulnerabilities. ESB-2023.7308 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 9.0 The Template Injection vulnerability in Confluence Data Center and Server allows an authenticated attacker to inject unsafe user input into a Confluence page which could result in a RCE attack on an affected instance. Atlassian recommends applying patches to the affected installations. ESB-2023.7339.2 – UPDATE Apache Struts: CVSS (Max): None The Apache Struts group has released Apache Struts versions 6.3.0.2 & 2.5.33 to address a potential security vulnerability identified as CVE-2023-50164. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As December unfolds and ushers in the enchanting Christmas season, a wave of joy and warmth embraces us. It’s that magical time when we dust off cherished decorations and unwrap trees, inviting a festive cheer into our lives. May your December days be adorned with happiness, love and the spirit of giving as we immerse ourselves in the holiday spirit! On that note this year’s theme for AUSCERT2024 highlights the significant influence that everyone’s actions can carry within the broader cyber community. It promotes the idea of passing it forward by demonstrating how shared knowledge and collaboration can create a ripple effect, strengthening the entire cyber industry. Submit a presentation and contributing to the growth and development of our community. Join our upcoming webinar discussion to gain support in enhancing your presentation skills In cyber news this week, the Queensland Parliament has successfully enacted a mandatory data breach notification scheme, set to impact state agencies from mid-2025 and local governments from mid-2026. Government agencies will be subject to new requirements for managing personal information, after the ‘Information Privacy and Other Legislation Amendment Act 2023’ was passed by parliament on Wednesday. Under the scheme, agencies must notify affected individuals and the Office of the Information Commissioner of data breaches that have the potential to result in serious harm. This proactive notification process empowers individuals by enabling them to take decisive action to manage risks and mitigate potential harm arising from a data breach. Mandating notification underscores the importance of data security for agencies, prompting a more proactive approach to preventing and managing data breaches.In essence, this legislative measure not only safeguards individuals but also serves as a catalyst for improved data security practices within government entities. Queensland has become only the second state to legislate a mandatory data breach notification scheme for public sector entities, along with NSW. In other news, the ACSC Essential Eight Maturity Model (E8MM) was recently updated to better assist organisations in protecting their digital assets against cyber threats. Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure. Critical bug in ownCloud file sharing app exposes admin passwords Date: 2023-11-24 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform. It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to maintain control over their data rather than hosting it at third-party cloud storage providers. Essential Eight Maturity Model Update Date: 2023-11-27 Author: ASD As the Australian Signals Directorate (ASD) is committed to providing cyber security advice that is contemporary, fit for purpose and practical, the Essential Eight Maturity Model (E8MM) is updated annually. In doing so, it is designed to assist organisations in protecting their internet-connected information technology networks against common cyber threats. Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure. AI systems ‘subject to new types of vulnerabilities,’ British and US cyber agencies warn Date: 2023-11-28 Author: The Record “AI systems are subject to new types of vulnerabilities,” the 20-page document warns — specifically referring to machine-learning tools. The new guidelines have been agreed upon by 18 countries, including the members of the G7, a group that does not include China or Russia. The guidance classifies these vulnerabilities within three categories: those “affecting the model’s classification or regression performance”; those “allowing users to perform unauthorized actions”; and those involving users “extracting sensitive model information.” Guidelines for secure AI system development Date: 2023-11-27 Author: NCSC This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties. Okta Breach Impacted All Customer Support Users—Not 1 Percent Date: 2023-11-29 Author: WIRED In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago. ESB-2023.7196 – Tenable Nessus: CVSS (Max): 9.8 Several of the third-party components (HandlebarsJS, OpenSSL, and jquery-file-upload) were found to contain vulnerabilities, and updated versions have been made available by the providers ESB-2023.7117 – ALERT Google Chrome: CVSS (Max): None The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. This update includes 7 security fixes ESB-2023.7077 – Perl: CVSS (Max): 9.8 Perl incorrectly handled printing certain warning messages. An attacker could possibly use this issue to cause Perl to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS. ( CVE-2022-48522 ) ESB-2023.7135 – Delta Electronics InfraSuite Device Master: CVSS (Max): 9.8 Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and obtain plaintext credentials ESB-2023.7211 – ALERT Apple: CVSS (Max): None Apple is aware of a report that this issue may have been exploited against some versions of iOS Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week we released a new episode of our Share Today, Save Tomorrow podcast – episode 28: Cyber Artefacts. In this episode Anthony sits down with Mike Pritchard from Cydarm Technologies to discuss Mike’s passion for collecting hardware artefacts that provide insights into the history of cyber security. Mike showcases extraordinary artefacts dating back 60-70 years, offering a glimpse into the foundations of the computer industry. In the final part of the episode, Anthony hands over to Bek Cheb, AUSCERT’s Business Manager, who has a chat with our Principal Analyst, Mark Carey-Smith, about AUSCERT2024 and the exceptional mentoring support available for speakers. If you’re interested in speaking at AUSCERT2024 but are unsure about what to present or struggling to choose a topic, we’re hosting a webinar to address any concerns and guide you through the process of formulating a concept for your presentation. If you’d like to attend, please register here AUSCERT is thrilled to introduce a new service for our members – AusMISP. So, what is AusMISP, you might be asking? Well, AusMISP is a platform that facilitates the sharing of threat intelligence with members. The platform features a shared curated feed of threat indicators that members can utilise to enhance their network security. This collaborative effort includes threat intelligence acquired from trusted communities and organisations, contributing to the enhancement of members' cyber security posture. For our higher education members, we have an existing special sector specific platform AHECS ISAC, which includes AusMISP data and additional threat indicators relevant to this sector. Eager to learn more about AusMISP and exactly what it entails? Head to our website or message our membership team who can provide you with a Starter Guide and other resources to help your organisation implement it as part of your cyber security strategy! To conclude if you’re looking for some captivating reading this weekend, then delve into the “Australia’s Strategic Vision in Cyber Security” written by Sasenka Abeysooriya, Program Director and Senior Strategic Advisor at UQ and AUSCERT Director and UQ CISO David Stockdale. The article summarises the visionary leadership, strategic layers of defence, and the broader implications of Australia’s 2023-2030 Cyber Security Strategy. Securing Customer Personal Data for Small to Medium Businesses Date: 2023-11-17 Author: ASD The latest Annual Cyber Threat Report found that cybercrime reports have increased compared to data from the previous year, with one report now received every 6 minutes. During the 2022-23 financial year, the cost of cybercrime to businesses increased by 14%. Per cybercrime report, small businesses experienced an average financial loss of $46,000, while cybercrime cost medium businesses an average of $97,200. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has launched a new publication on Securing Customer Personal Data for Small and Medium Businesses. Gov commits $18.2m for SME cyber security boost Date: 2023-11-21 Author: iTnews The federal government has announced two initiatives aimed at boosting support to small and medium businesses (SMEs) to fortify their cyber security skills. The government has promised $7.2 million to set up a voluntary cyber health-check program, enabling access to a free, self-assessments of cyber security maturity. It’s also committed another $11 million towards the Small Business Cyber Resilience Service, which offers one-on-one assistance towards cyber challenges, and covers cyber attack recovery. Malware dev says they can revive expired Google auth cookies Date: 2023-11-21 Author: Bleeping Computer The Lumma information-stealer malware (aka 'LummaC2') is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Session cookies are specific web cookies used to allow a browsing session to log in to a website's services automatically. As these cookies allow anyone possessing them to log in to the owner's account, they commonly have a limited lifespan for security reasons to prevent misuse if stolen. Researchers want more detail on industrial control system alerts Date: 2023-11-22 Author: CyberScoop At the beginning of July, Rockwell Automation released a security advisory about a vulnerability in one of its products. Working with the U.S. government, the company said it had become aware that a state-backed hacking unit had developed the ability to run malicious code on the communication modules of an industrial controller. The company wouldn’t identify who had this ability to attack its products and an accompanying advisory from the Cybersecurity and Infrastructure Security Agency said there were no known instances of the vulnerability being exploited in the wild. Cybersecurity Investment Involves More Than Just Technology Date: 2023-11-17 Author: Dark Reading Organizations are looking for a "high value for money" when deciding how to allocate their cybersecurity budgets, and there is a "greater focus on getting value from existing resources," according to S-RM's "Cyber Security Insights Report 2023." The report, which reflects responses from 600 C-suite business leaders and senior IT professionals within large organizations, found that the top five investment areas were cybersecurity technologies (49%), threat intelligence (46%), risk assessment (42%), cyber insurance (42%), and third-party risk management (40%). Fewer organizations highlighted technology as good value for money in 2023 (49%) than in 2022 (58%). ESB-2023.6886 – Tenable Security Center: CVSS (Max): 8.8 Tenable Security Center has been updated to address vulnerabilities affecting third-party components ESB-2023.6945 – Atlassian Products: CVSS (Max): 8.5 Several high severity vulnerabilities have been patched in various Atlassian products ESB-2023.6949 – Firefox: CVSS (Max): 7.5 Mozilla has updated Firefox to address multiple vulnerabilities ESB-2023.6997 – Intel NUC Software Products: CVSS (Max): 8.8 Intel has addressed several vulnerabilities affecting NUC Software products in its quarterly update Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, With Black Friday sales already underway, it’s a good reminder to remain vigilant. Each year the deals claim to be bigger and better, drawing people into excessive spending. Cyber criminals have become very sophisticated in exploiting this opportunity to execute cyber attacks. Educate your family and friends on the potential dangers of online shopping during this time! This week, the Australian Signals Directorate (ASD) released its annual cyber security threat report,revealing some very concerning statistics. The report indicates that cyber crimes continued to be a pervasive and endemic threat to Australia’s economic and social prosperity throughout 2022-23. Australia is perceived as a very popular target due to its booming e-commerce industry and relative wealth. The report revealed the most common cyber attacks on individuals consisted of identity fraud, online banking fraud and online shopping fraud. For Australian businesses, the cost of cyber crime has climbed by 14% with the most identified attack being compromised emails. Business email compromise fraud continues to significantly impact businesses with almost $80 million in reported losses. Malicious cyber actors often exploit unpatched and misconfigured systems or take advantage of weak or re-used credentials to access systems and networks. To defend against email attacks, set aside time for regular cyber security training and ensure staff are cautious of emails that contain requests for payment of change of bank details Thankfully for our nation we have a proactive Cyber Security Minister, Clare O’Neil, who understands the growing concerns of individuals and businesses and is taking proactive steps to mitigate these threats to our economy. Ms O’Neil is planning to create new legislation that would classify telecommunication companies as critical infrastructure for the first time, requiring company boards to comply with strict rules that already cover hospitals, utilities, ports, and energy generation assets. Following the high-profile Optus attack last year and nationwide network outage last week, the Australian government believes it is necessary to include telcos under the Security of Critical Infrastructure Act. This means they will now be required to sign off on a new cyber risk management program every year or face potentially hundreds of thousands of dollars in penalties. To conclude, we are excited to notify you our Call for Presentations for AUSCERT2024 is now open! Submit your papers today! Microsoft Warns of Critical Bugs Being Exploited in the Wild Date: 2023-11-14 Author: Security Week [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2023.0226 and https://portal.auscert.org.au/bulletins/ASB-2023.0223] The world’s largest software maker Microsoft on Tuesday released patches with cover for at least 59 documented security vulnerabilities, including a pair of critical-severity zero-days already being exploited in the wild. Redmond’s security response team documented a wide range of security defects in a range of Windows OS and components and called special attention to two vulnerabilities — CVE-2023-36033 and CVE-2023-36036 — being exploited in active attacks. LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed Date: 2023-11-14 Author: Bleeping Computer [AUSCERT identified the impacted members (where possible) and notified them via email on 11 October 2023] [We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so] The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S. Novel backdoor persists even after critical Confluence vulnerability is patched Date: 2023-11-14 Author: The Register [AUSCERT identified the impacted members (where possible) and notified them via email on 01 November 2023] [We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so] A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence. The backdoor provides attackers remote access to a victim, both its Confluence server and other network resources, and is found to persist even after Confluence patches are applied. Azure CLI credential leak part of Microsoft's monthly patch rollup Date: 2023-11-15 Author: iTnews [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2023.0224] One of the critical vulnerabilities, CVE-2023-36052, is important enough to receive a detailed technical discussion in this blog post. The bug leaks credentials to GitHub Actions logs through the Azure command-line interface (CLI). Aviad Hahami of Palo Alto’s Prisma Cloud found that Azure CLI commands could be used to show sensitive data and output to continuous integration and continuous deployment (CI/CD) logs, Microsoft explained. Intel patches high-severity vulnerability affecting central processing units Date: 2023-11-15 Author: The Record The U.S. chip manufacturer Intel has patched a high-severity vulnerability affecting central processing units in its desktop, mobile and server products. The successful exploitation of the bug could allow hackers to gain higher-level access to the system, obtain sensitive information and even cause the machine to crash. The vulnerability, tracked as CVE-2023-23583 and codenamed Reptar, carries the CVSS severity score of 8.8 out of 10. There haven't been any reported incidents of an attack through Reptar in the wild. CISA warns of actively exploited Juniper pre-auth RCE exploit chain Date: 2023-11-13 Author: Bleeping Computer CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild. "Juniper SIRT is now aware of successful exploitation of these vulnerabilities. Customers are urged to immediately upgrade," the company said. ESB-2023.6749 – FortiSIEM: CVSS (Max): 9.3 Fortinet has recently identified a critical vulnerability in the FortiSIEM report server. This vulnerability involves an OS command injection and could potentially be exploited by remote, unauthenticated attackers. By sending specially crafted API requests, these attackers may be able to execute arbitrary commands on the affected system. It is crucial for customers to be aware of this vulnerability and take appropriate measures to mitigate the risk. ESB-2023.6734 – Google Chrome: CVSS (Max): None Google has released an update for the Google Chrome Stable channel. The update version 119.0.6045.159 is specifically for Mac and Linux users, while Windows users will receive either version 119.0.6045.159 or 119.0.6045.160. It is recommended that users of Google Chrome on these platforms update to the latest version to ensure they have the most recent security enhancements and bug fixes. ESB-2023.6639 – Adobe ColdFusion: CVSS (Max): 9.8 Adobe has released an update for ColdFusion that addresses critical vulnerabilities. These vulnerabilities have the potential to result in the deserialization of untrusted data, improper access control, and other security issues ASB-2023.0223 – ALERT Microsoft Windows: CVSS (Max): 9.8* Microsoft has recently issued its monthly security patch update for November 2023. This update addresses a total of 32 vulnerabilities found in Windows and Windows Server. It is important to note that Microsoft has confirmed the active exploitation of CVE-36025, CVE-2023-36033, and CVE-2023-36036. ESB-2023.6704 – VMware Cloud Director Appliance: CVSS (Max): 9.8 An authentication bypass vulnerability has been identified in VMware Cloud Director Appliance with the CVE identifier CVE-2023-34060. This vulnerability affects VMware products that have been upgraded to version 10.5 from a previous version. To address this issue, updates have been released by VMware Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Thirty-five years ago the ‘Morris Worm’ carved a path of destruction and chaos that inadvertently triggered a ripple effect of events, paving the way for the thriving cyber security industry we have today. Prior to this incident, cyber security wasn’t really a consideration by the public. However, this event, along with subsequent ones, quickly changed peoples' perspectives. Although many within the field already familiar with the story may see it as a ‘ho-hum’ history tale, it’s important to remember that understanding our history is crucial for building a stronger future. Robert Morris Jr, intent on discovering how big the internet was, accidentally set loose the first ever internet worm upon thousands of computers. The young grad student was completing his graduate degree at Cornell when he launched the experiment that would change the cyber world forever. Previously no attack had affected so many computers, taking down systems in government facilities, hospitals, and military bases in addition to privately owned computers. The experiment resulted in US$100,000 – 10,000,000 dollars’ worth of damage, taking hundreds of people days to clean up the mess left in its wake. This event became a tale of caution to many students studying in the field as probing vulnerabilities out of curiosity can have huge detrimental and unintended consequences. In response to incidents like the Morris Worm, the concept of Computer Emergency Response Teams (CERTs) emerged, highlighting the need for coordinated efforts to respond to and mitigate cyber incidents. Some key takeaways from incidents like the Morris Worm include the importance of proactive measures, the need for rapid incident response teams and the continuous evolution of security measures to stay ahead of emerging threats. In the context of growth and development we should not dismiss the past but instead learn from it. Click here to read more insights about the event from industry luminary Gene Spafford. What better way to create your own ripple effect in the community than by contributing your time and expertise to our upcoming AUSCERT2024 conference? Your knowledge and skills have the potential to create a significant impact and further advance the industry. Call for Tutorials submissions portal is closing today, so don’t miss out! Presentation submissions will be opening on November 16, next week! We invite anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent benefits such as travel and accommodation, as well as mentoring support for speakers. Additionally, sponsorship opportunities are also now available on our website. Critical Atlassian Confluence bug exploited in Cerber ransomware attacks Date: 2023-11-06 Author: Bleeping Computer Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware. Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software. Veeam warns of critical bugs in Veeam ONE monitoring platform Date: 2023-11-06 Author: Bleeping Computer [AUSCERT has directly notified members about this vulnerability where possible] Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical. The company assigned almost maximum severity ratings (9.8 and 9.9/10 CVSS base scores) to the critical security flaws since they let attackers gain remote code execution (RCE) and steal NTLM hashes from vulnerable servers. The remaining two are medium-severity bugs that require user interaction or have limited impact. Hacker Leaks 35 Million Scraped LinkedIn User Records Date: 2023-11-07 Author: Hack Read The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records. A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, Breach Forums. Government looks at passwordless access for myGov Date: 2023-11-09 Author: iTnews The federal government intends to change how citizens authenticate to the myGov system from next year, moving to passwordless approaches such as passkeys and facial recognition. At the press conference, government services minister Bill Shorten said the government planned to "upgrade the security of the myGov system." He said myGov "will benefit from a number of changes to how customers can sign-in, ensuring that accounts and personal information remain protected.” New Microsoft Exchange zero-days allow RCE, data theft attacks Date: 2023-11-03 Author: Bleeping Computer Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023. Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to guarantee immediate servicing, postponing the fixes for later. ESB-2023.6043.3 – UPDATED ALERT Cisco iOS XE Software: CVSS (Max): 10.0 Cisco provided fixes as a result of an ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE software. The investigation determined that the treat actors exploited two previously unknown issues documented in CVE-2023-20198 and CVE-2023-20273. ESB-2023.6313.2 – UPDATED ALERT Confluence Data Center and Server: CVSS (Max): 10.0 Atlassian observed several active exploits and reports of threat actors using ransomware in relation to Confluence. Atlassian has released fixes to mitigate this threat in new versions of Confluence Data Center and Server. ESB-2023.6480 – Jira: CVSS (Max): 10.0 Certain versions of Jira Service Management Data Center and Server allowed authenticated attackers to initiate an XML External Entity Injection attack using job descriptions. Atlassian has released fixes to mitigate this vulnerabiliy in new versions of Jira Service Management Data Center and Server. ESB-2023.6481 – cacti: CVSS (Max): 9.8 Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection. Updating cacti packages addresses these vulnerabilies. ESB-2023.6438 – webkit2gtk3: CVSS (Max): 8.8 SUSE released an update that solves eight vulnerabilities and contains two security fixes which addresses issues where processing malicious web content could lead to arbitrary code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, many of us excitedly dusted off our costumes and indulged in Halloween celebrations. The tradition is gradually gaining more traction in Australia, with an increasing number of children embracing the thrill of trick-or-treating. Both youngsters and adults enthusiastically engage in the festivities, dressing in a wide variety of costumes ranging from monsters to fairies. This festive time also provides a good opportunity for our children to learn about the various personas people can adopt in our community and digital world, some helpful and some unfortunately harmful. Cyber security threats can be highly detrimental to an organisation’s reputation, financial stability and overall success. Gone are the days of cyber security being solely the IT department’s responsibility. Today, leadership at all levels must actively support policies and practices throughout the organisation. Fostering a progressive and active cyber security culture within the workplace is crucial for achieving organisational resilience. Leaders and senior executives are now expected to possess a comprehensive understanding of cyber security risk management to ensure the safety and well-being of their organisation and its stakeholders. In a surprising development on Monday that has spooked some in the cybersecurity community, the Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cyber security practices and known risks. While this case is still unfolding, it serves as a valuable learning experience for us all. It underlines the critical importance of actively implementing strong cyber security risk management practices. Leadership plays a pivotal role in ensuring the safety of their organisation by possessing a comprehensive understanding of the cyber security risks relevant to them, and leading accordingly. Instead of jumping to conclusions, we should utilise this case as an opportunity to reflect on the significance of cyber security risk within organisations and the detrimental impacts that deceptive behaviour can have. AUSCERT recognizes the increasing demands and pressures on leadership to possess cyber security risk management knowledge and skills. Therefore, we have launched a new training course designed to empower leaders in this critical area. The Cyber Resilience for Senior Executives course equips participants with the knowledge and skills required to effectively lead their organisation’s strategic response to the cyber security challenge and improve their organisational resilience. This course is suitable for any senior executives, with any background and no technical knowledge is required. Critical vulnerability found in Atlassian Confluence software Date: 2023-11-01 Author: iTnews [AUSCERT has identified the impacted members (where possible) and contacted them via email. Also please see our bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6313 ] The company’s advisory for CVE-2023-22518 attributed a message to the company’s CISO, Bala Sathiamurthy, saying the users are “vulnerable to significant data loss” if the vulnerability is exploited. “There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy wrote. RCE exploit for Wyze Cam v3 publicly released, patch now Date: 2023-10-30 Author: Bleeping Computer A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices. Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more. Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices. 3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online Date: 2023-11-01 Author: Bleeping Computer Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability. Apache ActiveMQ is a scalable open-source message broker that fosters communication between clients and servers, supporting Java and various cross-language clients and many protocols, including AMQP, MQTT, OpenWire, and STOMP Citrix Bleed: Mass exploitation in progress (CVE-2023-4966) Date: 2023-10-30 Author: Help Net Security [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.5826.2] CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being massively exploited by threat actors. According to security researcher Kevin Beaumont’s cybersecurity industry sources, one ransomware group has already distributed a Python script to automate the attack chain to their operators, and other groups have started leveraging a working exploit. New CVSS 4.0 vulnerability severity rating standard released Date: 2023-11-01 Author: Bleeping Computer The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. CVSS is a standardized framework for assessing software security vulnerabilities' severity used to assign numerical scores or qualitative representation (such as low, medium, high, and critical) based on exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores denoting more severe vulnerabilities. ESB-2023.6234.3 – UPDATED ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8 F5 is warning BIG-IP admins about recently disclosed Configuration utility unauthenticated remote code execution vulnerability (CVE-2023-46747) ESB-2023.6266 – IBM Security QRadar SIEM: CVSS (Max): 9.8 IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. However, IBM has taken the necessary steps to address the relevant CVEs. ESB-2023.6321 – Zavio IP Camera: CVSS (Max): 9.8 Users of Zavio IP cameras are strongly urged to change their devices since proper updates to patch these vulnerabilities will not be available. ESB-2023.6344 – ALERT Tenable Security Center: CVSS (Max): 9.8 Tenable has discovered vulnerabilities in Tenable Security Center, and released a critical patch to address these issues. Stay safe, stay patched and have a good weekend! The AUSCERT team