Greetings, AUSCERT2024 has officially launched! The countdown is on for another year of exciting tutorials, presentations, workshops and more! This year’s theme; ‘Pay it Forward’, is about discovering the power of amplifying your impact in the realm of cyber security and highlighting the significant influence that everyone’s actions can create. It promotes the idea of how sharing knowledge and collaborating can cause a ripple effect, strengthening the broader community. This year, consider paying it forward by sharing your knowledge and expertise at our conference, either through tutorials or presentations. Your insights have the potential to create a significant impact and further advance the industry. Call for Tutorials is now open and will run until November 10th. Once tutorial submissions close, we will then open the Call for Presentations. We extend a warm invitation to anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent mentoring support for speakers to ensure a successful experience. Additionally, sponsorship opportunities are also now available, and you can access the sponsorship prospectus for more information on how you can get involved. In other news, AUSCERT recently participated in the 2023 ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID). This annual drill hosted by Singapore since 2006, tests incident response capability and strengthens cyber security preparedness and cooperation among CERTs in ASEAN member states and Dialogue Partners. This year’s ACID tested the CERTs’ preparedness against multi-pronged attacks arising from hacktivism. This theme was chosen due to the increasing frequency and sophistication of global cyber attacks that are motivated by ideological beliefs. Such attacks typically include multi-pronged attacks using a combination of Distributed Denial-of-Service, data breaches and wiper wares against government websites, financial institutions, media outlets etc This year, SingCERT moderated a new exercise using realistic real-world scenarios as a practical way to test participants’ knowledge and expertise in the field. AUSCERT takes pride in participating in this drill annually, as it plays a pivotal role in enhancing cooperation, facilitating the exchange of experiences, and fostering awareness of emerging cyber attack trends. Critical RCE flaws found in SolarWinds access audit solution Date: 2023-10-20 Author: Bleeping Computer Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges. SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more. VMware fixes critical code execution flaw in vCenter Server Date: 2023-10-25 Author: Bleeping Computer [AUSCERT has also identified the impacted members (where possible) and contacted them via email] VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation. US energy firm shares how Akira ransomware hacked its systems Date: 2023-10-23 Author: Bleeping Computer In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities. Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches Date: 2023-10-24 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6197] The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day. Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled. 1Password detects “suspicious activity” in its internal Okta account Date: 2023-10-24 Author: Ars Technica 1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday. “On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” ESB-2023.6140 – Atlassian Products: CVSS (Max): 10.0 Atlassian has identified multiple vulnerabilities in their products, with 2 being classified as critical. To ensure the security of their customers, Atlassian strongly advises upgrading to the latest version ASB-2023.0221 – Okta support case management system Okta has recently experienced a cyber incident concerning their support case management system. In response to this, AUSCERT recommends that its members promptly implement the suggested mitigation measures to address any potential risks ESB-2023.6197 – ALERT Rockwell Automation Stratix 5800 and Stratix 5200: CVSS (Max): 10.0 Rockwell Automation has issued patches to address a critical vulnerability found in Stratix 5800 and Stratix 5200. If successfully exploited, this vulnerability could potentially grant unauthorized control of the affected system to an attacker without authentication. It is strongly advised to apply the provided patches to mitigate this risk ESB-2023.6234 – ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8 A control plane issue which allows the attacker to execute arbitrary system commands has been fixed in BIG-IP Configuration Utility component Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Yesterday we successfully launched our new Cyber Resilience for Senior Executives training course in Brisbane. Conducted by one of our most experienced Principal Analysts and a highly knowledgeable industry partner, participants had the valuable opportunity to grasp key concepts through real-world examples. Senior executives play a key role in making strategic decisions that impact their organisations’ risk management. Understanding the importance of cyber resilience allows them to factor cyber security considerations into long-term planning, investment, and resource allocation decisions. This course empowers leaders on the importance of adapting and evolving their approach to cyber security risk management to ensure organisational resilience. Ransomware continues to be a persistent threat, disrupting critical services, businesses, and communities on a global scale. Alarmingly, a significant number of these incidents are carried out by ransomware actors exploiting well-documented vulnerabilities. Because of this, it’s essential to acknowledge that organisations may be unaware of the existence of these vulnerabilities within their networks. CISA identifies and documents vulnerabilities that are known to be used by ransomware operators. Recently they have also updated their KEV catalogue to include a new entry that identifies if the vulnerability has been exploited in ransomware attacks. This information has been incorporated into AUSCERT Security Bulletins. CISA have also released a second resource that serves as a companion to the KEV; a list of misconfigurations and weaknesses exploited by ransomware operators that are not CVE-based. To conclude we would like to bring your attention to an exciting upcoming event that is being held jointly by AWSN, Queensland Police and APIO – “Brisbane’s Hacking the Human: Understanding Social Attacks. This session is designed to unveil the secrets behind social engineering attacks and instruct participants on the tactics employed by cyber-criminals to exploit human vulnerabilities. Our Principal Analyst, Mark Carey-Smith, will be among the experts who will guide you through the fundamental aspects of these attacks. Additionally, you’ll gain insights into the legal aspects associated and the role of law enforcement in combatting cybercrime. By the end of this session, you’ll be equipped to identify common social engineering tactics and develop effective defence strategies to protect your personal and professional data. Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks Date: 2023-10-16 Author: CISA The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation. CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware Date: 2023-10-13 Author: SecurityWeek The US cybersecurity agency CISA is stepping up its efforts to prevent ransomware by making it easier for organizations to learn about vulnerabilities and misconfigurations exploited in these attacks. The first of these resources is a new column in the Known Exploited Vulnerabilities catalog, which flags flaws that CISA is aware of being associated with ransomware campaigns. The other new resource CISA is offering now is a new table on the StopRansomware project’s website, which lists information on the misconfigurations and weaknesses that ransomware operators have been observed targeting in their attacks. Over 10,000 Cisco devices hacked in IOS XE zero-day attacks Date: 2023-10-17 Author: Bleeping Computer Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect more than 10,000 Cisco IOS XE devices with malicious implants. The list of products running Cisco IOS XE software includes enterprise switches, aggregation and industrial routers, access points, wireless controllers, and more. Ransomware Attacks Double: Are Companies Prepared for 2024’s Cyber Threats? Date: 2023-10-13 Author: The Hacker News Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies. Russia and China-linked hackers exploit WinRAR bug Date: 2023-10-19 Author: The Record Hackers connected to the governments of Russia and China are allegedly using a vulnerability in a popular Windows tool to attack targets around the world, including in Ukraine and Papua New Guinea. Google’s Threat Analysis Group’s said that in recent weeks it has seen multiple government-backed groups exploiting CVE-2023-38831, a vulnerability affecting the Windows file archiver tool WinRAR. The bug, which has been patched, was initially exploited by criminal groups throughout early 2023. ESB-2023.6043 – ALERT Cisco iOS XE Software: CVSS (Max): 10.0 A Critical vulnerability has been identified in Cisco IOS XE software. AUSCERT has sent MSINs to the affected members regarding this vulnerability. ESB-2023.6064 – Jira Service Management Server and Data Center: CVSS (Max): 8.4 An XXE vulnerability in Jira products has been addressed by Atlassian ESB-2023.6078 – Google Chrome: CVSS (Max): None Google has released updates to Chrome which includes 1 security fix ASB-2023.0192 – ALERT Oracle PeopleSoft: CVSS (Max): 9.8 This critical patch update contains 5 new security patches for Oracle PeopleSoft Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week was an eventful one for AUSCERT as part of our team journeyed to Melbourne to connect with our members and participate in the prestigious Women in Security Awards ceremony. The 2023 Australian Women in Security Awards was a night filled with grace and charm, as it embraced an enchanting masquerade theme this year. This event served as a wonderful occasion for members of the industry to come together and celebrate the achievements and contributions of both men and women who have played pivotal roles in this field. AUSCERT is a proud sponsor of the Women in Security Awards, endorsing their initiatives to foster greater diversity and break down gender-related barriers. These awards honour champions who are committed to dismantling gender discrimination in their workplace while advocating for equality within the cyber security industry. Additionally, they acknowledge organisations that are dedicated to fostering a more inclusive and empowering workplace culture. The Women in Security Awards does a great job of shining a spotlight on those who go above and beyond to create an environment that genuinely celebrates all voices and contributes to shaping a brighter and more equitable future for all. In recent developments, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a cyber security advisory (CSA) that highlights the most common misconfigurations found in large organisations, detailing the tactics, techniques, and procedures (TTPs) employed by malicious actors to exploit these misconfigurations. The CSA outlines the top 10 misconfigurations which reveal a prevailing trend of systemic vulnerabilities within many organisations, even those with well-established cyber security practices. They also provide mitigation advice to reduce vulnerabilities, including the importance of secure-by-design principles in the software supply chain. This proactive approach can alleviate the strain on defenders, making it essential in the ongoing effort to enhance cyber security resilience. In conclusion, if you’re seeking something engaging to listen to during your commute, be sure to tune in to our newest episode of our Share Today, Save Tomorrow podcast – Episode 27, Celebrating Neurodiversity! Anthony sits down with Shelly and Trinity to discuss neurodiversity and share their advice and experience on creating the best work environment for people who might see and feel the world differently. Bek and our Principal Analyst Mark Carey-Smith, sit down in the second half of the episode to discuss our new Cyber Resilience for Executives course and preparations for AUSCERT2024. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks Date: 2023-10-10 Author: The Hacker News [Please see AUSCERT bulletin: ASB-2023.0189] Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10. New critical Citrix NetScaler flaw exposes 'sensitive' data Date: 2023-10-10 Author: Bleeping Computer [Please see AUSCERT bulletin: ESB-2023.5826] [AUSCERT has also identified the impacted members (where possible) and contacted them via email] Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances. The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity. However, there's the prerequisite of the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks. curl vulnerabilities ironed out with patches after week-long tease Date: 2023-10-11 Author: The Register [See AUSCERT bulletin: ASB-2023.0190] Updated After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today. Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high." Australia’s home affairs department hit by DDoS attack claimed by pro-Russia hackers Date: 2023-10-06 Author: The Guardian The department responsible for Australia’s cybersecurity, national security and immigration has confirmed it was hit with a distributed denial-of-service attack on Thursday night that took its website offline for five hours, after a pro-Russia hacker group said it would target the site over Australia’s support for Ukraine. The group posted on Telegram on Thursday night that it was targeting the home affairs department with a distributed denial-of-service (DDoS) attack after Australia announced this week that Slinger technology aimed at combating drones would be sent to Ukraine in the push back against the Russian invasion. GNOME Linux systems exposed to RCE attacks via file downloads Date: 2023-10-09 Author: Bleeping Computer A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment. libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions. Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, name of song, and musician, and are also typically paired with the FLAC audio file format. Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability Date: 2023-10-10 Author: Ars Technica Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin. The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads. ASB-2023.0187 – ALERT Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.4 Microsoft's most recent security patch update resolves vulnerabilities across Microsoft Office, Office Services and Web Apps. ASB-2023.0182 – ALERT Microsoft Windows: CVSS (Max): 9.8* Microsoft patched 80 vulnerabilities in Windows and Windows Server in its October 2023 Patch Tuesday release. ESB-2023.5866 – ALERT BIG-IP Configuration utility: CVSS (Max): 9.9 F5 Networks has introduced fixes to resolve a directory traversal vulnerability found in BIG-IP. These fixes are designed to address and mitigate the potential risks associated with this vulnerability. ESB-2023.5861 – ALERT FortiWLM: CVSS (Max): 9.6 Fortinet has issued patches to address a critical vulnerability in FortiWLM, related to unauthenticated command injection. ESB-2023.5878 – Adobe Photoshop: CVSS (Max): 7.8 Adobe has recently launched an update for Photoshop for both Windows and macOS operating systems. This update specifically addresses a critical vulnerability that, if exploited successfully, could potentially result in the execution of arbitrary code. ESB-2023.5917 – IBM Security QRadar SIEM: CVSS (Max): 9.8 IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. However, IBM QRadar SIEM has taken the necessary steps to address the relevant CVEs. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This month is Cyber Security Awareness Month, an important time for all to enhance their knowledge of cyber security and to take proactive steps to safeguard their information and devices. At AUSCERT, we hold the belief that cyber security should be an integral part of our everyday routines and should be considered as an enabler in every organisation. Yet we recognize that for the broader public who may not be as immersed in the cyber security world, this month serves as a timely reminder of its crucial role in our lives. We’d like to emphasize the role of cyber leaders in extending their expertise and advocating everyone within their organisation, community, or home to adopt the following simple tips. Click here to read our blog for some shareable tips. Engaging in regular training is crucial for staying ahead in the field of cyber security. AUSCERT offers a diverse range of training courses that are specifically designed to provide you with the most relevant and up-to-date knowledge and skills. With experienced practitioners offering real-world advice and solutions, you can ensure you are well-equipped. In particular, the importance of data governance is continually growing in today’s data-centric business landscape. Many industries and organisations are subject to regulatory requirements regarding data management and privacy, making it a pivotal component in an effective organisation. Our Data Governance Principles and Practices training course equips participants with the fundamental skills and knowledge required to develop a structured framework that your organisation can follow to ensure it is managing data effectively. The course also includes information about how effective data governance contributes to cyber security initiatives. Hurry, this is the last opportunity for this year to register for our training course. For more information click here. In conclusion, let’s lead our community towards being safer online! With improved knowledge, we can ensure that we are cyber-wise and better prepared to protect ourselves and organisations from cyber threats. Together we can make a safer cyber world! Millions of Exim mail servers exposed to zero-day RCE attacks Date: 2023-09-29 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers. Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service. Atlassian patches critical Confluence zero-day exploited in attacks Date: 2023-10-04 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks. "Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," the company said. Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day Date: 2023-10-04 Author: Security Week [See AUSCERT Security Bulletin 05 October 2023: ESB-2023.5703] Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down. The Cupertino device maker on Wednesday rushed out a new patch to cover a pair of serious vulnerabilities and warned that one of the issues has already been exploited as zero-day in the wild. In a barebones advisory, Apple said the exploited CVE-2023-42824 kernel vulnerability allows a local attacker to elevate privileges, suggesting it was used in an exploit chain in observed attacks. The biggest hack of 2023 keeps getting bigger Date: 2023-10-02 Author: Wired In a field of shocking, opportunistic espionage campaigns and high-profile digital attacks on popular businesses, the biggest hack of 2023 isn’t a single incident, but a juggernaut of related attacks that keeps adding victims to its score. In the coming months, more people, as many as tens of millions, could find out that their sensitive information has been compromised. But more still will likely never learn of the situation or its impact on them. New 'Looney Tunables' Linux bug gives root on major distros Date: 2023-10-03 Author: Bleeping Computer A new Linux vulnerability known as 'Looney Tunables' enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader. The GNU C Library (glibc) is the GNU system's C library and is in most Linux kernel-based systems. It provides essential functionality, including system calls like open, malloc, printf, exit, and others, necessary for typical program execution. ESB-2023.5669 – ALERT Cisco Emergency Responder: CVSS (Max): 9.8 A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted ESB-2023.5668 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 10.0 Privilege Escalation Vulnerability in Confluence Data Center and Server ESB-2023.5632 – firefox-esr: CVSS (Max): 9.8 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code ESB-2023.5637 – exim4: CVSS (Max): 9.8 Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the long weekend approaches, and we eagerly anticipate time away from work and the daily grind, it's important to remain aware that holidays can create opportunities for cyber criminals to exploit vulnerabilities and launch phishing scams. Attacks tend to increase during holiday season when people are often more distracted and may be expecting various online communications and transactions related to holiday shopping, travel plans and gifts from friends and family Recently a persistent gift card phishing campaign has been circulating, leaving unsuspecting individuals vulnerable to cyber attacks. This ongoing gift card scam continues to evolve, recently employing random email accounts from Gmail or compromised domains. It typically impersonates company CEOs and targets both employees’ personal and work email addresses. Some of the deceptive Gmail accounts include aliases like “teamrecognition@gmail.com” or “ceo.name@gmail.com” making it increasingly challenging to detect. Even emails with innocent subject lines like “Recognizing Excellence” – Prompt Response!! Could be part of the scam. To say safe here’s what you can do: Know the Danger: Make sure your constituents are aware that this phishing scam is common, explain how it works and why it’s a threat. Any requests that ask for gift cards to be purchased are highly likely to be malicious. This is a great ‘red flag’ to be used in awareness messaging. Check Emails Carefully: Look closely at the sender’s email address, especially if they’re asking you to buy gift cards or give out personal information. If anything seems suspicious, contact the person using a different communications method (not using the reply-to address in the original email) to check. Using the phone is usually very effective. Have a plan: Know what to do if you think you’ve been tricked by this scam of if you spot something suspicious. Have a plan to act quickly. Stay vigilant during holidays and be cautious when receiving unsolicited requests for gift cards or any form of payment. Always verify the legitimacy of the request, especially if it seems unusual or urgent. For more information on how to stay ahead of these scams visit Avoiding and Reporting Gift Card Scams & Protecting yourself from Gift Card Scams New Cisco IOS Zero-Day Delivers a Double Punch Date: 2023-09-29 Author: Dark Reading A vulnerability affecting Cisco operating systems could enable attackers to take full control of affected devices, execute arbitrary code, and cause reloads that trigger denial of service (DoS) conditions. And at least one attempt at exploitation has already occurred in the wild. Progress warns of maximum severity WS_FTP Server vulnerability Date: 2023-09-28 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software. The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software. In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover Date: 2023-09-25 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical vulnerability in the TeamCity CI/CD server could be exploited remotely, without authentication, to execute arbitrary code and gain administrative control over a vulnerable server. Developed by JetBrains, TeamCity is a general-purpose build management and continuous integration platform available both for on-premises installation and as a cloud service. The recently identified critical flaw, tracked as CVE-2023-42793 (CVSS score of 9.8), is described as an authentication bypass impacting the on-premises version of TeamCity. Google assigns new maximum rated CVE to libwebp bug exploited in attacks Date: 2023-09-26 Author: Bleeping Computer Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format. Hackers actively exploiting Openfire flaw to encrypt servers Date: 2023-09-26 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times and used extensively for secure, multi-platform chat communications. ESB-2023.5513 – macOS Sonoma 14: CVSS (Max): 9.8* Apple released macOS 14 Sonoma and the latest version of the operating system patches over 60 vulnerabilities. ESB-2023.5533 – Mozilla Firefox: CVSS (Max): None Mozilla released Firefox 118 with patches for nine vulnerabilities,including high-severity flaws. ESB-2023.5538 – Cisco Catalyst SD-WAN Manager: CVSS (Max): 9.8 Cisco has patched vulnerabilities in several versions of its Catalyst SD-WAN software.The most critical is an unauthorised access vulnerability in Catalyst SD-WAN’s security assertion markup language (SAML) APIs. ESB-2023.5547 – Cisco IOS and IOS XE Software: CVSS (Max): 6.6 Cisco has released patches for multiple vulnerabilities impacting its products, including a zero-day IOS and IOS XE software vulnerability targeted by attackers in the wild. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, two of our team members had the privilege to travel to the tropical island of Vanuatu for an annual cyber security conference. Organised and hosted by the Forum of Incident Response and Security Teams (FIRST), the annual conference centres around the global challenges faced worldwide. The conference features international speakers who delve into a wide array of topics, encompassing the most relevant developments in incident response and prevention, vulnerability analysis, security management and policy issues. This event is always highly anticipated by our team as it provides a valuable opportunity to reconnect with friends from other incident response teams across the globe. Founded in 1990, FIRST was established with the primary objective of improving communication and relationships among cyber security teams worldwide. Its mission is to foster trust-building amongst its members and eliminate cultural and political borders and boundaries. It has grown into a global forum that fosters collaboration and cooperation across diverse regions and organisations, facilitating a deeper understanding and insight in cyber security. AUSCERT has maintained a strong relationship with FIRST, working together closely for an astonishing twenty-seven years and counting! Moving on to other updates, AUSCERT has partnered with UQSchoolsNet to create a series of informative workshops for teachers. The “Engaging Minds” workshop is designed to educate teachers on navigating the complexities of the modern cyber world, empowering them to educate and inspire the minds of tomorrow. This workshop offers valuable hands-on learning experiences, enabling them to seamlessly integrate IT and computing into their curriculum. It will cover the following key areas: Foundations of AI and its implications Interactive sessions led by researchers in IT and computing-related fields Fundamentals of binary coding providing tangible tools for teaching Societal impact of technology Fundamentals of cybersecurity, including knowledge about different threats and methods to safeguard against them Insights and knowledge from industry experts in computer science and IT. Each participant in this workshop will be awarded a Certificate of Participation and provided with essential teaching resources. Additionally, ongoing educational support will be available to ensure continued growth in IT education. The workshop also includes meals throughout the day and accommodation for participants traveling from interstate. The upcoming workshops are scheduled for December 12th and 13th. If you’re interested in participating or would like more information please don’t hesitate to reach out via email at – schoolsnet@uq.edu.au Industry to gov: improve digital ID as part of cyber security strategy Date: 2023-09-18 Author: iTnews A clear industry consensus in favour of government-backed digital ID has emerged across submissions to the govermment's revised cyber security strategy consultation. NAB explained its support for strong digital ID comes from a desire for a zero-knowledge proof of ID. ANZ Banking Group agrees, saying such a regime would “help minimise the volume of identity documents collected and stored.” How the ACSC can help during a cyber security incident Date: 2023-09-11 Author: Cyber Gov Au The Australian Signal’s Directorate’s Australian Cyber Security Centre’s (ACSC) incident management capabilities provide technical advice and assistance to support Australian organisations through a cyber security incident response. In September, ASD’s ACSC introduced a new publication, How the ACSC can help during a cyber security incident. Read the new publication and learn how ASD’s ACSC can support your organisation if you are impacted by a cyber security incident. Microsoft Azure Data Leak Exposes Dangers of File-Sharing Links Date: 2023-09-19 Author: Dark Reading An overly permissive file-sharing link allowed public access to a massive 38TB storage bucket containing private Microsoft data, leaving a variety of development secrets — including passwords, Teams messages, and files from two employees' workstations — accessible to attackers. Government to create six "cyber shields" to layer Australian protection Date: 2023-09-18 Author: iTnews The government will frame a revised cyber security strategy later this year around six “cyber shields” it plans to build as a multi-layered defence against attacks. Home Affairs Minister Clare O’Neil unveiled the structure at an AFR Cyber Summit on Monday. O’Neil described the shields as being built “around our nation” and as being elements of a “cohesive, planned national response that builds to a more protected Australia.” How the FBI Fights Back Against Worldwide Cyberattacks Date: 2023-09-19 Author: Security Intelligence The FBI maintains a division called the Cyber Division (CyD), responsible for investigating and prosecuting cyber crimes. The organization focuses on threats not only to the government and citizens but also to American companies. More than 1,000 CyD agents and analysts work in 56 US field offices and over 350 sub-offices. They also travel globally in Cyber Action Teams to help foreign nations with cyber crime and learn about threats to US interests. The FBI also works with the major three-letter U.S. agencies, including the CIA, DHS and the NSA. ESB-2023.5338 – ALERT GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.6 A critical severity vulnerability has been addressed in GitLab Community Edition and Enterprise Edition ESB-2023.5394 – Atlassian Products: CVSS (Max): 8.5* Atlassian has released patches for vulnerabilities identified in multiple products ESB-2023.5438 – Drupal Core: CVSS (Max): None A cache poisoning vulnerability has been found in Drupal Core (Drupal 7 is not affected) ESB-2023.5437 – Jenkins (core) and Jenkins Plugins: CVSS (Max): 8.0 Several vulnerabilities which impacts Jenkins Core and Plugins have been patched ESB-2023.5457 – macOS Monterey 12.7: CVSS (Max): None Apple has patched a privilege escalation vulnerability affecting macOS Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, R U OK? Day serves as a powerful reminder of the significance of checking in on the well-being of others and actively listening to their concerns. In many cases individuals who are facing challenges may not openly express their feelings, and a simple empathetic conversation can make a world of difference. The act of asking “Are you okay” and genuinely listening, can provide emotional support and let someone know that they are not alone in their struggles. Meaningful connections and open dialogues about mental health contribute to building a supportive and compassionate community. Prioritizing mental health reduces the stigma and fosters an environment where people feel comfortable sharing their feelings and seeking help when needed. It’s a reminder that small acts of kindness and genuine concern can have a profound impact on someone’s life. The R U OK? Day website features a range of free resources for your workplace, home or community click here to visit their website. AUSCERT has always been an avid supporter and endorser of mental health support and services. This year at AUSCERT2023 we once again featured an on-site psychologist for attendees to visit and discuss anything from mental well-being right through to life coaching. We have created an on-going commitment to fostering a culture of support and understanding through promoting open conversations and creating a safe, inclusive environment for our community. Episode 15 of our Podcast explored the importance of understanding mental and physical well-being in the workplace with Dr Carla Rogers. Dr Carla Rogers, a renowned holistic psychologist, discusses the importance of understanding mental and physical well-being in the workplace. Dr Rogers explains the connection between mind and body along with techniques to help individuals identify, treat, and overcome challenges in the workplace. The Australian Department of Health also provides a useful resource – Head to Health which features a range of information resources to provide mental health support. In other news, some of our team ventured to the BSides Melbourne conference last weekend. We sat down with Lucas this week to hear his experience and highlights – you can read the full interview here. Also, there are still a few spots remaining in our upcoming Data Governance Principles and Practices training course, both the in-person session and online sessions. Get in quick before spaces fill up! Google fixes another Chrome zero-day bug exploited in attacks Date: 2023-09-11 Author: Bleeping Computer [See AUSCERT Security Bulletin 13 September 2023: ESB-2023.5207] Google released emergency security updates to fix the fourth Chrome zero-day vulnerability exploited in attacks since the start of the year. "Google is aware that an exploit for CVE-2023-4863 exists in the wild," the company revealed in a security advisory published on Monday. The new version is currently rolling out to users in the Stable and Extended stable channels, and it's estimated that it will reach the entire user base over the coming days or weeks. Zero Day Summer: Microsoft Warns of Fresh New Software Exploits Date: 2023-09-12 Author: Security Week [See AUSCERT Security Bulletins 13 September 2023: ASB-2023.0169 and ASB-2023.0171] Microsoft’s struggles with zero-day exploits rolled into a new month with a fresh warning that two new Windows vulnerabilities are being targeted by malware attacks in the wild. As part of its scheduled batch of Patch Tuesday security fixes, Redmond’s security response team flagged the two zero-days — CVE-2023-36761 and CVE-2023-36802 — in the “exploitation detected” category and urged Windows sysadmins to urgently apply available fixes. Adobe warns of critical Acrobat and Reader zero-day exploited in attacks Date: 2023-09-12 Author: Bleeping Computer [See AUSCERT Security Bulletin 13 September 2023: ESB-2023.5195] Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks. Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems. "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today. Apple races to patch the latest zero-day iPhone exploit Date: 2023-09-08 Author: The Register [See AUSCERT Security Bulletin 8 September 2023: ESB-2023.5123.2] Apple devices are again under attack, with a zero-click, zero-day vulnerability used to deliver Pegasus spyware to iPhones discovered in the wild. Even running the latest version of iOS (16.6) is no defence against the exploit, which involves PassKit attachments containing malicious images. Once sent to the victim's iMessage account, the NSO Group's Pegasus spyware can be deployed without interaction. MGM Resorts ESXi servers allegedly encrypted in ransomware attack Date: 2023-09-14 Author: Bleeping Computer An affiliate of the BlackCat ransomware group, also known as APLHV, is behind the attack that disrupted MGM Resorts’ operations, forcing the company to shut down IT systems. In a statement today, the BlackCat ransomware group claims that they had infiltrated MGM’s infrastructure since Friday and encrypted more than 100 ESXi hypervisors after the company took down the internal infrastructure. ASB-2023.0169 – ALERT Windows: CVSS (Max): 8.8 Microsoft’s most recent patch update resolves 21 vulnerabilities across Windows and Windows Server. ASB-2023.0171 – ALERT Microsoft 365 Apps: CVSS (Max): 8.8 Microsoft’s most recent patch Tuesday update resolves 8 vulnerabilities across Office, Office Services and Web Apps. ESB-2023.5195 – Adobe Acrobat and Reader: CVSS (Max): 7.8 Adobe has released security updates to patch a zero-day vulnerability exploited in the wild, impacting Acrobat and Reader. ESB-2023.5197 – Thunderbird, Firefox and Firefox ESR: CVSS (Max): 8.8 Mozilla has released security updates to patch a zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. ESB-2023.5207 – Google Chrome: CVSS (Max): 8.8 Google released emergency security updates to fix the Chrome zero-day vulnerability exploited in the wild. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Who can believe that there are only a mere four months left until the end of the year – where has the year gone? Time really does fly by. With that said, the AUSCERT team are well and truly planning for next year’s conference and this year’s conference is already beginning to feel like a distant memory. To remind ourselves of the amazing time we had, we often enjoy revisiting and reliving the program of outstanding speakers and activities via our YouTube channel. One of our highlights for AUSCERT2023 was the significant presence of remarkable female speakers in our program. These include Tara Dharnikota’s session – “Staying ahead of evolving threats”, Jane O’Loughlin’s session – “What we do in the shadows” and our much-loved session led by Vanessa Wong & Shelly Mills – “You can’t ask that: Women in Cyber Security”. Not to mention our impressive keynote speaker Rachel Tobac, a globally renowned expert in the field of social engineering. Rachel is also chair of the board for the not-for-profit organisation Women in Security and Privacy (WISP) where she works to advance women to lead the future of privacy and security. Last week we celebrated Women In Cyber Day, an initiative aimed at promoting and supporting the advancement and support of women in cyber security. Increasing the proportion of women within the industry isn’t just about equity, it’s a strategic imperative for enhancing security, innovation, and the overall effectiveness of the field. Women often possess different skills that can complement those of their colleagues, including communication, attention to detail, and a collaborative approach to problem-solving. A wider range of perspectives is also beneficial when making decisions about security policies, products and practices, which can lead to better protection for all. Diversity fosters innovation and creativity, as it brings different perceptions that can lead to innovative solutions and approaches. To conclude, if you are looking for something to read across the weekend, NIST recently released an updated, draft guide detailing the creation of cybersecurity and privacy learning program. This is the first revision since NIST SP800-50 Building a Cybersecurity and Privacy Learning Program was introduced in 2003, a well-needed update. This initial public draft is open for community feedback until October 27, 2023. Click here to read the full document, NIST SP 800-50 Rev.1 University of Sydney data breach impacts recent applicants Date: 2023-09-03 Author: Bleeping Computer The University of Sydney (USYD) announced that a breach at a third-party service provider exposed personal information of recently applied and enrolled international applicants. The public university started operations in 1850 and has nearly 70,000 students and about 8,500 academic and administrative personnel. It is considered one of Australia’s most important educational institutes. Exploit Code Published for Critical-Severity VMware Security Defect Date: 2023-09-01 Author: Security Week Just days after shipping a major security update to correct vulnerabilities in its Aria Operations for Networks product line, VMware is warning that exploit code has been published online. In an updated advisory, the virtualization technology giant confirmed the public release of exploit code that provides a roadmap for hackers to bypass SSH authentication and gain access to the Aria Operations for Networks command line interface. Hackers exploit MinIO storage system to breach corporate networks Date: 2023-09-04 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via MSIN] Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers. MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size. Its high performance and versatility, especially for large-scale AI/ML and data lake applications, make MinIO a popular, cost-effective choice. Australian authorities tire of excuses, delays on data breach disclosure Date: 2023-09-05 Author: iTnews Australian authorities had to formally invoke powers to get a client list from a breached IT services provider, as problems persist in getting organisations to notify data breaches in a timely fashion. The issue of Australian organisations either seeking to downplay or delay mandatory notification of a data breach was raised more than two years ago. A regulatory report, released Tuesday, shows the issue persists. “Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” Australian information commissioner and privacy commissioner Angelene Falk said in a statement. Defence Housing Australia investigates third-party provider hack exposure Date: 2023-09-07 Author: iTnews Defence Housing Australia has launched an investigation to determine if it, or the data of Australian Defence personnel, has been exposed in a cyber attack on a third-party service provider. The government business enterprise (GBE) said it is collaborating with the Defence on the investigation, which sought to establish – among other things – “if any Defence personnel or families’ information has been compromised.” Scams Australia: Alarming surge in the number of teens being exploited online Date: 2023-09-04 Author: 9NEWS The number of young Australians being targeted by scammers online has surged in the last year, with concerning levels of sextortion taking place, new data suggests. Statistics released today by Westpac Banks show the number of scams reported by customers under the age of 18 have almost quadrupled since last year, and have more than doubled for those under 30. The data was concerning and showed a growing trend of scammers using techniques such as sextortion, Westpac General Manager of Financial Crime & Fraud Prevention, Chris Whittingham, said. ESB-2023.5018 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 5.5* GitLab released versions 16.3.1, 16.2.5 and 16.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) which contain important security fixes. ESB-2023.5067 – Mozilla VPN client for Linux: CVSS (Max): None Mozilla Foundation reported Local user authentication flaws impacting Mozilla VPN client on Linux. ESB-2023.5088 – Jenkins Plugins: CVSS (Max): 8.2* The most recent security advisory released by Jenkins lists vulnerabilities affecting 12 Jenkins Plugins. ESB-2023.5108 – ALERT Cisco BroadWorks Application Delivery Platform and Xtended Services Platform: CVSS (Max): 10.0 A vulnerability in Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an attacker to commit toll fraud or to execute commands at the privilege level of the affected system. ESB-2023.5117 – Python: CVSS (Max): 9.8 Python could be made to crash or leak sensitive information if it received specially crafted input. The problem can be corrected by updating your system. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Spring has sprung! Just as we begin to make plans to dust off and organise our homes during this season, it’s a perfect opportunity to freshen up and enhance our cyber security measures. Regularly reviewing, updating, and optimizing our digital habits can go a long way in safeguarding our sensitive information and ensuring a safer online experience. Take the time this month to refresh your security strategies! We have a new episode of our Share Today Save Tomorrow Podcast being released! In Episode 26 – Communication is Key Anthony sits down with Darren Pauli, a cyber security awareness practitioner and freelance journalist who explains the importance of effective written communication within the digital world. During the AUSCERT2023 conference Darren gave an exploratory talk on the simple steps to become a faster, more effective written communicator. In today’s digital landscape, the influence of technology spans every industry, compelling an increasing number of non-technical personnel to grapple with cyber-related matters for their organisations. Consequently, it has become paramount for information security professionals to use clear, concise, and simple language to ensure they are effectively conveying messages. Yesterday, experts from the University of Queensland (UQ) published a paper to address the generalised lack of guidance on the ethical treatment of corporate data in higher education institutions. While the focus of this study is on the Higher Education sector, the principles discussed can be extended to other industries and organisations. This paper offers valuable observations and insights that can serve as a guide for ethical data practices, as currently no actionable framework currently exists within Australia. Our new Data Governance Principles and Practices course is led by one of the authors of this paper – Sasenka Abeysooriya. This training can assist your organisation in developing a successful data governance framework, by teaching best practices and real-world examples of data governance in action. By participating in this course, attendees are equipped with the fundamental skills and knowledge they need to accelerate the development of a successful data governance program in their organisation. For members’ convenience, we are currently offering in-person and online delivery of this course. Advisory: Qlik Sense Enterprise for Windows Remote Code Execution Vulnerabilities Date: 2023-08-29 Author: Praetorian [AUSCERT has notified affected members of this vulnerability where possible] Recently, we discovered two vulnerabilities which can be chained together to achieve unauthenticated remote code execution on Qlik Sense Enterprise. At the moment, we are waiting to publish technical details on the vulnerability to give impacted organizations time to update their systems and remediate the vulnerability. Praetorian has worked closely with Qlik to responsibly disclose these vulnerabilities, CVE-2023-41265 (HTTP Tunneling Vulnerability in Qlik Sense Enterprise for Windows) and CVE-2023-41266 (Path Traversal in Qlik Sense Enterprise for Windows). Cisco fixes 3 high-severity DoS flaws in NX-OS and FXOS software Date: 2023-08-29 Author: Security Affairs [Please see AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2023.4858] Cisco addressed three high-severity flaws in NX-OS and FXOS software that could cause denial-of-service (DoS) conditions. An attacker can exploit these three issues to cause a denial-of-service (DoS) condition. The most severe issue, tracked as CVE-2023-20200 (CVSS score 7.7), is a DoS bug that resides in the Simple Network Management Protocol (SNMP) service of Cisco FXOS Software for Firepower 4100 Series and Firepower 9300 Security Appliances and of Cisco UCS 6300 Series Fabric Interconnects. Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom Date: 2023-08-29 Author: The Hacker News A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to defensive efforts" and capable of actively tweaking their modus operandi to maintain persistent access to targets. Ransomware attack dwell times fall, pressuring companies to quickly respond Date: 2023-08-23 Author: Cybersecurity Dive The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday. The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favoured a “late hour at the end of the week” to launch an attack. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches Date: 2023-08-25 Author: The Hacker News The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit." ESB-2023.4982 – Red Hat Advanced Cluster Management 2.8.1: CVSS (Max): 9.8 Red Hat has released Critical security updates and fixes for Red Hat Advanced Cluster Management for Kubernetes. ESB-2023.4955 – Aria Operations for Networks: CVSS (Max): 9.8 Multiple critical severity vulnerabilities in Aria Operations for Networks were responsibly reported to VMware. Updates to remediate these vulnerabilities in affected VMware products have been released. ESB-2023.4858 – Cisco Products: CVSS (Max): 7.7 An SNMP Denial of Service Vulnerability affecting Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS 6300 Series devices has software updates to resolve the issue. ESB-2023.4883 – chromium: CVSS (Max): 8.8* Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. These issues have been fixed in a software update. ESB-2023.4890 – json-c: CVSS (Max): 9.8 json-c could be made to crash or execute arbitrary code if it received a specially crafted JSON file. This issue is resolved by updating to Ubuntu 22.04 – libjson-c5 – 0.15-3~ubuntu1.22.04.2. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the days gradually lengthen and a gentle warmth begins to replace cold, the end of winter approaches. The transition between seasons represents a period of renewal and regeneration mirroring the continuous evolution of nature’s cycle. This natural pattern parallels our own expedition of self-growth and development. As spring approaches, it’s time to ready ourselves for the beginning of a new flourishing chapter. Let’s grasp this opportunity to consciously make choices that lead us to a more evolved version of ourselves. Take proactive steps now to shed the metaphorical cocoon of winter and emerge like a butterfly, gracefully navigating through new opportunities and prospects. To aid our members’ growth in the realm of cyber security we offer a diverse range of professional training courses specifically crafted to empower you with the most relevant knowledge and skills. We are very excited to announce we have updated our courses and introduced a few new additions. This includes our new “Data Governance Principles and Practices” course which will teach attendees the key components of a successful data governance framework. The course covers best practices and real-world examples, equipping attendees with the fundamental skills and knowledge they require to accelerate the development of a successful program in their organisation – including methodologies for stakeholder management and creation of a “strategy on a page”. Whether you are a business analyst, data scientist, IT or cyber security professional, this course will provide you with an appreciation of how data governance contributes to cyber security and a better understanding of how to successfully manage your organisation's data assets. On completion of this course, practical data governance references and templates will be provided to participants. We have an in-person session and an online session coming up! For more information visit AUSCERT Education. Finally, what could be a more fitting moment to break free from the winter hibernation than by attending the Security2Cure cyber security conference and ring in the start of spring by helping to raise some much needed funds for Cancer Research. The event boasts an intriguing line-up of speakers, featuring keynote speaker Richard Boxall, CISO and Executive General Manager from the Suncorp Group. Scheduled for next Friday, September 1st this is an exceptional chance to be part of a remarkable initiative. Don’t miss out, register your attendance now. WinRAR flaw lets hackers run programs when you open RAR archives Date: 2023-08-18 Author: Bleeping Computer [See AUSCERT Security Bulletins 21 August 2023 ASB-2023.0168] A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can execute commands on a computer simply by opening an archive. The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened. The vulnerability was discovered by researcher "goodbyeselene" of Zero Day Initiative, who reported the flaw to the vendor, RARLAB, on June 8th, 2023. Akira ransomware gang spotted targeting Cisco VPN products to hack organizations Date: 2023-08-22 Author: Security Affairs The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers. The group now is targeting Cisco VPN products to gain initial access to corporate networks. Sophos researchers observed in May the threat actor using compromised Cisco VPN accounts to breach target networks. New Supply Chain Attack Hit Close to 100 Victims—and Clues Point to China Date: 2023-08-22 Author: WIRED EVERY SOFTWARE SUPPLY chain attack, in which hackers corrupt a legitimate application to push out their malware to hundreds or potentially thousands of victims, represents a disturbing new outbreak of a cybersecurity scourge. But when that supply chain attack is pulled off by a mysterious group of hackers, abusing a Microsoft trusted software model to make their malware pose as legitimate, it represents a dangerous and potentially new adversary worth watching. 'Millions' of spammy emails with no opt-out? That'll cost you $650K Date: 2023-08-22 Author: The Register Experian has agreed to cough up $650,000 after being accused of spamming people with no opt-out button. That sum will hardly be felt by the credit-reporting giant as its profits totaled $1.1 billion last year. The penalty stems from a complaint filed against it by the US Department of Justice on behalf of the Federal Trade Commission. According to the Feds [PDF], California-based Experian Consumer Services, also known as ConsumerInfo.com, spammed folks with marketing offers after they signed up for free accounts to limit third-party access to their credit reports. Artificial Intelligence and USBs Drive 8% Rise in Cyber-Attacks Date: 2023-08-23 Author: InfoSecurity Magazine Check Point Research has released its 2023 Mid-Year Security Report. The research reveals a concerning 8% surge in global weekly cyber-attacks during Q2, marking the most significant increase in two years. The report highlights the fusion of advanced artificial intelligence (AI) technology with traditional tools like USB devices used for disruptive cyber-attacks. It also uncovers a rise in ransomware attacks in the first half of 2023, introducing new ransomware groups to the scene. ESB-2023.4792 – Firefox: CVSS (Max): 9.8 Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. ASB-2023.0168 – WinRAR: CVSS (Max): 7.8 This vulnerability allows remote attackers to execute arbitrary code on systems where WinRAR is installed by exploiting a buffer overflow flaw in the data validation process ESB-2023.4803 – Moodle: CVSS (Max): 8.0 The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue. ESB-2023.4828 – Rockwell Automation ThinManager ThinServer: CVSS (Max): 9.8 Successful exploitation of these vulnerabilities could allow an attacker to remotely delete arbitrary files with system privileges. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, the AUSCERT analyst team successfully completed the annual drill hosted by the Asia Pacific Computer Emergency Response Team (APCERT). The drill tests the capabilities of leading Computer Security Incident Response Teams (CSIRTS) in the Asia Pacific region. This year 24 teams participated from 21 countries, being tested on their abilities to interact and collaborate locally and internationally. The aim of the exercise was to strengthen collaboration amongst the different constituencies, enhance communication and develop technical capabilities and quality of incident response to ensure security and safety. The theme of this year’s APCERT Drill was “Digital Supply Chain Redemption” which reflects real incidents and issues that exist today. We are honoured to be part of such an incredible drill as it provides an opportunity to strengthen our relationship with local and international partners, as well as enhancing our team’s knowledge and skills when dealing with complex global incidents. Recently the National Institute of Standards (NIST) released a new draft update to its globally used Cybersecurity Framework (CSF). First released in 2014, the CSF has been updated to reflect the community’s feedback and current usage patterns. The Framework provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and nontechnical staff. This includes initiatives that can be incorporated into cybersecurity programs and tailored to meet organisational objectives. One key update to the Framework has been adding an extra pillar for ‘Govern’. The Govern function is designed to establish and monitor an organization’s cyber security risk management strategy, expectations and policy. The public draft is available via the NIST website or you can click here to read the full document. It provides guidance on implementing the CSF and tailoring it for different organisational sectors. NIST does not plan to release another draft of CSF 2.0 for comment. The final CSF 2.0 is to be published in early 2024. Finally, for our South-East Queensland readers, we would like to inform you that SANS will be holding their highly anticipated cutting-edge information and hands-on in-person training event in Brisbane from October 9 -14, 2023. SANS Brisbane 2023 features three of SANS most popular courses which aim to provide cyber security professionals with the tools and knowledge required to combat ever-evolving cyber threats. Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws Date: 2023-08-11 Author: Bleeping Computer Millions of PLC (programmable logic controllers) used in industrial environments worldwide are at risk to 15 vulnerabilities in the CODESYS V3 software development kit, allowing remote code execution (RCE) and denial of service (DoS) attacks. Over 500 device manufacturers use the CODESYS V3 SDK for programming on more than 1,000 PLC models according to the IEC 61131-3 standard, allowing users to develop custom automation sequences. Ivanti Avalanche impacted by critical pre-auth stack buffer overflows Date: 2023-08-15 Author: Bleeping Computer Two stack-based buffer overflows collectively tracked as CVE-2023-32560 impact Ivanti Avalanche, an enterprise mobility management (EMM) solution designed to manage, monitor, and secure a wide range of mobile devices. The flaws are rated critical (CVSS v3: 9.8) and are remotely exploitable without user authentication, potentially allowing attackers to execute arbitrary code on the target system. The vulnerability impacts WLAvalancheService.exe version 6.4.0.0 and older, which receives communications over TCP port 1777. Data centres vulnerable, researchers tell DEF CON Date: 2023-08-14 Author: iTnews Trellix researchers are warning of vulnerabilities in the products of two vendors, CyberPower and Dataprobe, that are widely used in data centres, one of which is rated as “critical” with a CVSS score of 9.8. The company last week presented its work to DEFCON in Las Vegas. Trellix said both CyberPower and Dataprobe have released fixes. Phishing campaign used QR codes to target large energy company Date: 2023-08-17 Author: The Record Cybersecurity researchers uncovered a large phishing campaign using malicious QR codes with the hopes of acquiring Microsoft credentials at several targets, including a major U.S. energy company. QR codes have become widely adopted since the onset of the COVID-19 pandemic, with thousands of restaurants and businesses replacing physical menus and guides with the machine-readable images that pull up webpages containing the same information. But hackers have been quick to exploit the trend, launching campaigns that spread fake QR codes to steal user information. Cybersecurity firm Cofense released a new report on Wednesday identifying a campaign that began in May targeting a wide array of industries. Five foreign nationals arrested in alleged card skimming scam on Australian ATMs Date: 2023-08-13 Author: ABC News Five alleged members of an international syndicate accused of fitting card skimmers to Australian ATMs have been arrested in Brisbane and Sydney after a tip-off from US authorities. The group allegedly used ATM skimmers to steal card numbers and pins and then used cloned cards to withdraw welfare payments as soon as they were deposited. ESB-2023.4698 – Cisco Unified CM and Cisco Unified CM SME: CVSS (Max): 8.1 Cisco has released fixes for an SQL Injection vulnerability identified in Unified Communication Manager ESB-2023.4720 – Google Chrome: CVSS (Max): None Google Chrome has been updated to address multiple vulnerabilities ESB-2023.4745 – Traffix SDC: CVSS (Max): 7.5 A Denial of Service vulnerability affects the WebUI component of Traffix SDC ESB-2023.4747 – IBM Security QRadar SIEM: CVSS (Max): 7.9 A Path Traversal vulnerability in AWS SDK for Java used by QRadar SIEM has been addressed by IBM ESB-2023.4750 – Confluence Data Center & Confluence Server: CVSS (Max): 7.5 Atlassian has address a Denial of Service vulnerability in Confluence Data Center and Server ESB-2023.4754 – [Juniper] Junos OS: CVSS (Max): 9.8 Juniper has addressed several vulnerabilities in Junos OS. These vulnerabilities can be chained together leading to Remote Code Execution Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, If you haven’t been keeping up with the Matildas over the past few weeks, you’ve definitely been missing out! The team is on an impressive winning streak, triumphing over Denmark on Monday and Canada last week. Their remarkable performance has captured the nation’s attention, with widespread support pouring in from every corner. Witnessing the outpouring of love and encouragement from this immensely talented female team has been truly heartening and inspiring. Anticipation is building as we eagerly await the future victories of this extraordinary team of athletes! We are very excited to announce the AUSCERT2023 conference video recordings are now available on our YouTube Channel! Relive your favourite moments or catch-up on missed sessions from the two feature packed days of presentations, tutorials, debates, and panel discussions. Watch cybersecurity leader Tara Dharnikota’s thought provoking session exploring the evolving threat landscape and the ways to stay ahead. Or listen to expert Peter Jackson as he explains the five cybersecurity controls that can be utilised together to create an effective industrial control system (ICS) or operational technology security program Also don’t miss the riveting panel discussion with leading cyber security professionals addressing the important subject of data governance and cyber security. Highlighting the challenges and opportunities presented by emerging technologies, evolving regulatory landscapes and the growing sophistication of cyber threats. On the topic of Data Governance our very own Director, Dr David Stockdale, alongside academic experts from UQ Associate Professor Sergeja Slapničar, Dr Micheal Axelsen, and Dr Ivano Bongiovanni, released a research paper this week titled ‘A pathway model to five lines of accountability cybersecurity governance’. The research paper delves into the accountability of the five lines in cybersecurity governance: cyber security control functions, chief information security office, internal audit, executive management and the boards of directors, and looks into the configuration and methodology that organizations employ to govern cybersecurity. Additionally, it sheds light on the primary factors influencing the formation of these configurations and relationships, while providing practical recommendations for both practitioners and researchers. New PaperCut critical bug exposes unpatched servers to RCE attacks Date: 2023-08-04 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via MSIN] PaperCut recently fixed a critical security vulnerability in its NG/MF print management software that allows unauthenticated attackers to gain remote code execution on unpatched Windows servers. Tracked as CVE-2023-39143, the flaw results from a chain of two path traversal weaknesses discovered by Horizon3 security researchers that enable threat actors to read, delete, and upload arbitrary files on compromised systems following low-complexity attacks that don't require user interaction. Officials Warn Of Energy Grid Risk Due To Foreign-Made Solar Tech Date: 2023-08-08 Author: channelnews According to the Cyber Security Cooperative Research Centre, Australia’s use of foreign-made solar panel tech has made the country susceptible to targeted attacks, which could result in an undermining of power grids causing large-scale blackouts. The top cyber research body also warned the threat comes primarily from solar inverters, the technology that converts solar energy to electricity, which is manufactured in Beijing, a city holding around 76% of the global market supply. Melbourne Airport upgrades web security, DDoS protections Date: 2023-08-07 Author: iTnews Melbourne Airport has deployed Cloudflare’s web application firewall (WAF) and moved its network perimeter to Cloudflare’s global network edge to protect its multi-layered IT environment and public-facing network against DDoS attacks. Chief information officer Anthony Tomai said that maintaining visibility and implementing integrated security solutions was a serious challenge because the airport relies on a diverse variety of IT-supported services to serve its 25 million annual passengers and work with its 40 airline partners. SA Power Networks reduces high-severity cyber incidents Date: 2023-08-08 Author: iTnews SA Power Networks has reduced the number of cyber incidents it classifies as high-severity by automating its analysis of prior incidents to help it find and address vulnerabilities. A high-severity incident, according to the state's sole energy distribution provider, is a confirmed breach to IT or OT sytems, or significant unauthorised access or disclosure of highly confidential and/or customer data. Most VPNs can be tricked into leaking traffic Date: 2023-08-09 Author: itnews Nearly 70 VPN clients and servers are vulnerable to a long-standing attack that can cause them to leak user traffic, university researchers have claimed. “Our tests indicate that every VPN product is vulnerable on at least one device”, the researchers wrote, with VPNs running on Apple devices most likely to be vulnerable, but most VPNs on Windows and Linux also are. VPNs running on Android were the most likely to be secure, they said. ESB-2023.4562 – Adobe Acrobat and Reader: CVSS (Max): 8.6 Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS which addressed 30 critical, important, and moderate CVEs that could lead to application denial-of-service, security feature bypass, memory leaks, and arbitrary code execution. Adobe says it's not aware of any of their vulnerabilities being exploited in the wild. ESB-2023.4548 – Intel RealSenseTM SDK: CVSS (Max): 6.7 Intel has released an update for Intel RealSense SDK that fixes a security vulnerability which if exploited could lead to an escalation of privilege. ESB-2023.4488 – Android OS: CVSS (Max): 7.5* The most recent Android Security Bulletin contains details of security vulnerabilities impacting Android devices. The most severe of these issues is remote (proximal/adjacent) code execution in the system component. Security patch levels of 2023-08-05 or later address the issues. ASB-2023.0165 – ALERT Microsoft Windows: CVSS (Max): 9.8* Microsoft released fixes for 36 vulnerabilities in Windows and Windows server which include three RCE vulnerabilities in the Microsoft Message Queuing component of Windows operating systems that were each given a CVSSv3 score of 9.8 and a rating of critical. ASB-2023.0161 – Microsoft Exchange Server: CVSS (Max): 9.8 Microsoft has fixed 6 flaws in Microsoft Exchange Server 2016 and 2019 which could lead to Elevation of Privilege, Remote Code Execution or Spoofing. Stay safe, stay patched and have a good weekend! The AUSCERT team