Week in review

AUSCERT Week in Review for 4th August 2023

Greetings,

This week, the moon made a stunning appearance, captivating the world with its extraordinary beauty. Larger and brighter than ever, the majestic supermoon illuminated the night sky, drawing people’s eyes upward in awe. Its radiant glow was visible to all, uniting people from different corners of the globe, mesmerized by its allure. Just as the moon goes through its various phases, cyber security operates on a layered defence approach, encompassing detection, prevention, response and foresight planning. This week's full moon symbolizes completion and strength, reflecting the importance of building a resilient cyber security strategy.

We are thrilled to announce the release of the latest episode of ‘Share Today, Save Tomorrow’ – Episode 25 – What does the future hold. Join Anthony as he reunites with his old friend, the captivating and renowned Futurist, Dr Joseph Voros. An expert in the field of strategic foresight, Dr Voros provides valuable insights into the fascinating realm of preparing for uncertain futures. His work alongside governments worldwide has been instrumental in navigating the ever-evolving threat landscape of cyber security. Touching on the big trends in the future cybersecurity space, Dr Voros also comments on how artificial intelligence may pose more threats than benefits to us. Listen to this insightful conversation that explores how strategic thinking can shape a more secure and resilient future.

As Artificial Intelligence (AI) technology continues to advance and become increasingly sophisticated, the security risks associated with its use and potential for misuse also increase. The capabilities of AI open up new opportunities for hackers and malicious actors to create more targeted and authentic cyber attacks. Already we are starting to see chatbots trained specifically for malicious purposes such as phishing, social engineering, exploiting vulnerabilities and creating malware. The trend of using generative AI chatbots is growing and the adoption rate is increasing, as they provide easy solutions for less capable threat actors, or for those who want to expand operations into other regions but lack the language skills.

A growing concern in the field of AI is the need for reforms and shared safety protocols. As AI systems become more advanced, experts are increasingly aware of the potential risks they pose to society and humanity. Just as the moon provides a guiding light in the darkness of the night, experts must remain vigilant and advocate for better safety protocols across the AI industry to ensure accountability and transparency.

Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks
Date: 2023-07-31 Author: Security Week
[AUSCERT has directly notified affected members about this vulnerability where possible]
Ivanti has warned customers about a second zero-day vulnerability in its Endpoint Manager Mobile (EPMM) product that has been exploited in targeted attacks. Further investigation by cybersecurity firm Mnemonic revealed the existence of CVE-2023-3508, a high-severity flaw that allows an authenticated attacker with administrator privileges to remotely write arbitrary files to the server. Late last week, Ivanti published an advisory and CISA issued an alert to inform organizations about this second vulnerability and warn them of active exploitation. Organizations have been urged to immediately patch their devices.

Malware spotted on Barracuda email gateways
Date: 2023-07-31 Author: itnews
The need to replace Barracuda email gateways has taken on a new urgency, with America’s Cybersecurity and Infrastructure Security Agency (CISA) warning it has identified three malware variants planted on vulnerable devices. Earlier this year, Barracuda advised that a remote code execution bug (CVE-2023-2868) in some of its email security gateways required affected devices to be replaced.
Some units clearly remain in service, and CISA has warned that it has identified three malware variants on Barracuda devices.

Threat actors abuse Google AMP for evasive phishing attacks
Date: 2023-08-01 Author: Bleeping Computer
Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and reach the inboxes of enterprise employees. The idea behind embedding Google AMP URLs in phishing emails is to make sure that email protection technology does not flag messages as malicious or suspicious, because of Google’s good reputation. The AMP URLs trigger a redirection to a malicious phishing site, and this additional step also adds an analysis-disrupting layer.

Relying on CVSS alone is risky for vulnerability management
Date: 2023-07-31 Author: Help Net Security
A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion. In fact, relying solely on a CVSS severity score to assess the risk of individual vulnerabilities was shown to be equivalent to randomly selecting vulnerabilities for remediation.

Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023
Date: 2023-08-02 Author: The Hacker News
About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, a significant increase from 13% the previous year. "Critical manufacturing (37.3% of total reported CVEs) and Energy (24.3% of the total reported) sectors are the most likely to be affected," the OT cybersecurity and asset monitoring company said in a report shared with The Hacker News.

Apple rejects new name 'X' for Twitter iOS app because… rules
Date: 2023-07-29 Author: Bleeping Computer
Mr. Musk may have successfully pushed Twitter's new name and logo, 'X', and even made the vanity domain x.com redirect to the social media website, but that's not to say the mathematical double-struck letter will fit the bill everywhere. Turns out, Apple's App Store can't accept the new name for Twitter's iOS app because of minimum character requirements.

ESB-2023.4293 – OpenSSH: CVSS (Max): 9.8
Ubuntu has fixed an OpenSSH vulnerability that allowed programs to be run under the user's login when using ssh-agent forwarding.

ESB-2023.4385 – SUSE Manager: CVSS (Max): 9.4
SUSE has released an update that resolves three vulnerabilities and 38 fixes for SUSE Manager.

ESB-2023.4425 – Red Hat Ansible Automation Platform: CVSS (Max): 9.8
Red Hat has released security fixes to openshift-clients to resolve issues such as excessive memory growth and denial of service from excessive resource consumption.

ESB-2023.4430 – python-django: CVSS (Max): 9.8
A fix has been released for python-django packages to address missing sanitisation in the email and URL validators, which could result in a denial of service.

ESB-2023.4413 – Linux Kernel RT (Live Patch 0 for SLE 15 SP5): CVSS (Max): 8.2
An update has been released to resolve four vulnerabilities. The fixed security issues include local privilege escalation and unauthorized execution of management commands.

ESB-2023.4414 – .NET 6.0: CVSS (Max): 8.1
An update has been released to resolve various security vulnerabilities that could lead to a symlink attack and crashing due to unmanaged heap corruption.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
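As an added illustration of the Google AMP redirect abuse reported in this issue (example code written for this page, not from Bleeping Computer or AUSCERT), the Python below unwraps the destination host hidden inside an AMP viewer URL so a mail filter can reputation-check the real target rather than google.com. The sample email text is constructed, and the google.com/amp/ and cdn.ampproject.org URL shapes are assumed from their public form; country-code Google domains are not covered.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """Your mailbox quota has been exceeded. Review your account:
https://www.google.com/amp/s/login-portal.example/auth/index.php?u=user
Latest news: https://www.example.com/news
Cached article: https://example-com.cdn.ampproject.org/c/s/example.com/article
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unwrap_amp(url: str):
    """Return (scheme, host, path) of the page an AMP viewer/cache URL points at.

    Assumed URL shapes (from their public form):
      https://www.google.com/amp/s/<host>/<path>        -> https://<host>/<path>
      https://www.google.com/amp/<host>/<path>          -> http://<host>/<path>
      https://<x>.cdn.ampproject.org/c/s/<host>/<path>  -> https://<host>/<path>
    Returns None for any URL that is not an AMP wrapper.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in ("google.com", "www.google.com") and parsed.path.startswith("/amp/"):
        inner = parsed.path[len("/amp/"):]
    elif host.endswith(".cdn.ampproject.org") and parsed.path.startswith("/c/"):
        inner = parsed.path[len("/c/"):]
    else:
        return None
    scheme = "http"
    if inner.startswith("s/"):  # "s/" marks an https origin
        scheme, inner = "https", inner[2:]
    dest_host, _, dest_path = unquote(inner).partition("/")
    if not dest_host:
        return None
    return scheme, dest_host.lower(), "/" + dest_path


def find_amp_links(text: str):
    """Return [(wrapper_url, destination_host), ...] for every AMP link in text."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        target = unwrap_amp(url)
        if target:
            hits.append((url, target[1]))
    return hits


def flag_amp_redirects(text: str, trusted_hosts):
    """Return the wrapper URLs whose real destination is not a trusted host.

    The wrapper itself always looks like google.com or ampproject.org, so any
    reputation or allowlist check must be applied to the unwrapped host.
    """
    return [url for url, dest in find_amp_links(text) if dest not in trusted_hosts]


if __name__ == "__main__":
    for url in flag_amp_redirects(SAMPLE_EMAIL, {"example.com"}):
        print("suspicious AMP redirect:", url, "->", unwrap_amp(url)[1])
```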

AUSCERT Week in Review for 28th July 2023

Greetings,

Barbie Mania has introduced a concerning new trend of cyber-related attacks worldwide. Leveraging the distraction caused by the hype, criminals are taking advantage of this opportunity to launch attacks on unsuspecting individuals. Related attacks have risen since the promotion and release of the movie, with the U.S. taking the brunt of the attacks; however, other countries such as the UK and Australia are also being impacted. Criminals are exploiting this trend to trick people into clicking malicious links, opening harmful files or providing sensitive information, leading to data breaches and financial losses. Blinded by excitement, many people are acting impulsively, making them susceptible to these deceptive methods.

Social engineering cyber attacks like the Barbie trend are becoming increasingly sophisticated and pervasive. Criminals have recognized the power of using popular trends and emotional triggers as bait to manipulate and deceive people. Exploiting emotions and creating a sense of urgency or excitement can be a trigger for individuals to divulge their sensitive information. CTO of McAfee, Steve Grobman, explained that this is not a new trend and criminals will look for any opportunity to make their scam more attractive and believable, often leveraging popular and well-publicized events to trick users into clicking on malicious links. Social engineering attacks are all about the psychology of persuasion, targeting the mind and heart, with the main aim being to gain the trust of the target, encourage them to lower their guard and engage in unsafe actions.

Here are a few tips & tricks to avoid scams like these:

• Stick with reliable suppliers, brands or networks. If you’re unfamiliar with the brand, it’s best to investigate the source of the content.
• Use your judgement – and don’t let emotions cloud your judgement! If an offer seems too good to be true, it often is! It is essential to be cautious of unexpected requests, unsolicited emails or messages.
• Do your research – before giving away your sensitive details or financial information, research the organisation and ensure they are a trustworthy source.
• Members – contact us! If you're an AUSCERT member, don't forget you can always contact us for support.

This deceptive tactic serves as a stark reminder of the ever-evolving methods cybercriminals employ to deceive and victimize people. By staying informed, employing strong security practices and being sceptical of suspicious communications, we can better protect ourselves and our data from falling into the wrong hands.

Atlassian patches vulnerabilities in server, data centre products
Date: 2023-07-24 Author: IT News
[See AUSCERT Security Bulletins 26 July 2023 ESB-2023.4207, ESB-2023.4208 & ESB-2023.4209]
Atlassian last Friday announced fixes for three remote code execution (RCE) vulnerabilities. The three bugs are rated as high rather than critical severity, since they’re exploitable only by authenticated users. CVE-2023-22505, discovered in the company’s bug bounty program, has a CVSS score of 8, and was introduced in version 8.0.0 of Confluence data centre and server products. It’s an RCE that allows an attacker to execute arbitrary code without user interaction.

Almost 40% of Ubuntu users vulnerable to new privilege elevation flaws
Date: 2023-07-26 Author: Bleeping Computer
[See AUSCERT Security Bulletins 26 July 2023 ESB-2023.4186 & ESB-2023.4189]
Two Linux vulnerabilities introduced recently into the Ubuntu kernel create the potential for unprivileged local users to gain elevated privileges on a massive number of devices. Ubuntu is one of the most widely used Linux distributions, especially popular in the U.S., with an approximate user base of over 40 million.
Ivanti patches MobileIron zero-day bug exploited in attacks
Date: 2023-07-24 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
US-based IT software company Ivanti has patched an actively exploited zero-day vulnerability impacting its Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core). Ivanti released security patches for the remote unauthenticated API access vulnerability tracked as CVE-2023-35078 on Sunday.

ATO attackers filed $557 million in false claims
Date: 2023-07-26 Author: iTnews
Criminals exploiting a loophole in the government’s digital identity systems filed more than $550 million in false claims over the last two financial years, the ATO has disclosed. The ABC reported this morning that criminals had found they could create bogus myGov accounts, and then link them to real taxpayers’ ATO files. An earlier December 2022 investigation found attackers were using customer identity information stolen in high-profile data breaches like Optus and Medibank as part of the fraud.

Patch Now: Up to 900K MikroTik Routers Vulnerable to Total Takeover
Date: 2023-07-26 Author: Dark Reading
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Up to 900,000 MikroTik routers — a popular target for threat actors including nation-state groups — may be open to attack via a privilege escalation vulnerability in the RouterOS operating system. The vulnerability (CVE-2023-30788) gives attackers a way to take complete control of affected MIPS-processor-based MikroTik devices and pivot into an organization's network, according to researchers from VulnCheck, which just published several new exploits for the flaw. Attackers can also use it to enable man-in-the-middle attacks on network traffic flowing through the router, they warned. Versions of MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to the issue.

ESB-2023.4155 – Citrix Hypervisor and XenServer: CVSS (Max): 6.2
Citrix has released a hotfix that includes AMD microcode to mitigate hardware issues on systems running Citrix Hypervisor on AMD Zen 2 CPUs.

ESB-2023.4156 – iOS and iPadOS: CVSS (Max): 8.8*
Apple issued its third security update in a month to remedy zero-day vulnerability CVE-2023-38606, exploited in Operation Triangulation. This update is available through iTunes for iPhone and Software Update on your iOS device.

ESB-2023.4158 – macOS Ventura 13.5: CVSS (Max): 8.8*
Apple pushed a new macOS Ventura 13.5 update which includes bug fixes and security updates for CVE-2023-37450, which may be exploited in the wild.

ESB-2023.4177 – Tenable Security Center: CVSS (Max): 7.5
Tenable has discovered a vulnerability in Tenable Security Center, and released Patch SC-202307.1-6.x to address the issue.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 21st July 2023

Greetings,

Cancer is a dangerous disease that tragically claims the lives of so many people far too quickly, leaving a void in our beautiful world and hearts. It’s a disease that touches us all, whether it’s our colleague, friend, family or even ourselves. It finds a way to infiltrate our lives, reminding us of its presence and the urgent need for continued efforts in research, prevention, and support for those impacted.

Security2Cure has organised a very special cyber security conference in honour of those affected by this heart-breaking disease. The conference will be an opportunity to knowledge-share and network with cyber security professionals, with a mission to promote cancer awareness and raise money for cancer research. You will hear about fascinating cyber security topics ranging from incident response to imposter syndrome to fatigue management. In addition, there'll be a panel of heartfelt insights from people who have been impacted by the disease. A full list of the speakers and abstracts can be viewed here. All money raised will be donated straight to the Spirit2Cure cancer research charity. To register and for further details, go to their site at Security2Cure. If you aren’t able to attend the conference, then please contribute to this great cause by donating here.

This week we released our training schedule for the rest of 2023! With so many great courses to choose from, be sure to secure your spot as soon as possible as spaces are limited. The foundation of building strong cyber security resilience for your organisation relies on empowering your staff with the relevant knowledge, skills and strategies through interactive and professional training courses.
Explore our diverse list of courses below:

Intermediate Cyber Security – Internet Technologies (NEW)
• 24-25 August 2023, 9am – 12:30pm AEST each day
Register now

Introduction to Cyber Security for IT Professionals
• 14-15 August 2023, 9am – 12:30pm AEST each day
Register now

Cyber Security Risk Management
• 5-6 September 2023, 9am – 12:30pm AEST each day
Register now

Incident Response Planning
• 10-11 October 2023, 9am – 12:30pm AEST each day
Register now

For more information on our training courses visit our website AUSCERT Education.

Zimbra Collaboration Suite warning: Patch this 0-day right now (by hand)!
Date: 2023-07-14 Author: Naked Security
[AUSCERT has notified members using Zimbra Collaboration Suite (where possible) via MSIN]
Popular collaboration product Zimbra has warned customers to apply a software patch urgently to close a security hole that it says “could potentially impact the confidentiality and integrity of your data.” The vulnerability is what’s known as an XSS bug, short for cross-site scripting, whereby performing an innocent-looking operation via site X, such as clicking through to site Y, gives the operator of site X a sneaky chance to implant rogue JavaScript code into the web pages that your browser receives back from Y.

New critical Citrix ADC and Gateway flaw exploited as zero-day
Date: 2023-07-18 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Citrix today is alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild, and “strongly urges” them to install updated versions without delay. The security issue may be the same one advertised earlier this month on a hacker forum as a zero-day vulnerability.
MOVEit Hack: Number of Impacted Organizations Exceeds 340
Date: 2023-07-17 Author: Security Week
The number of entities impacted by the MOVEit attack carried out by a notorious cybercrime group now reportedly exceeds 340 organizations and 18 million individuals. Brett Callow, a threat analyst at cybersecurity firm Emsisoft who has been monitoring the campaign, said over the weekend that he is aware of 347 impacted organizations, including 58 educational institutions in the United States. This includes Colorado State University, which last week confirmed that student and employee data may have been stolen.

CISA Unveils Guide to Aid Firms Transition to Cloud Security
Date: 2023-07-18 Author: Info Security Magazine
The US Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive factsheet on July 17, 2023, to assist businesses transitioning to cloud environments in ensuring data security and safeguarding critical assets. Named Free Tools for Cloud Environments, the factsheet offers network defenders and incident response analysts open-source tools, methods and guidance for identifying, mitigating and detecting cyber threats, vulnerabilities and anomalies while operating in cloud or hybrid environments.

Adobe emergency patch fixes new ColdFusion zero-day used in attacks
Date: 2023-07-19 Author: Bleeping Computer
[See AUSCERT Security Bulletin 20 July 2023 ESB-2023.4101]
Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks. As part of today’s out-of-band update, Adobe fixed three vulnerabilities: a critical RCE tracked as CVE-2023-38204 (9.8 rating), a critical Improper Access Control flaw tracked as CVE-2023-38205 (7.8 rating), and a moderate Improper Access Control flaw tracked as CVE-2023-38206 (5.3 rating).

ASB-2023.0151 – Oracle PeopleSoft: CVSS (Max): 9.8
This Critical Patch Update contains 9 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication.

ESB-2023.4101 – Adobe ColdFusion: CVSS (Max): 9.8
Adobe released updates to resolve critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.

ESB-2023.4042.2 – UPDATED ALERT Citrix ADC & Citrix Gateway: CVSS (Max): 9.8
Multiple critical vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

ESB-2023.3941 – Siemens SIMATIC CN 4100: CVSS (Max): 9.9
ICS-CERT published a security advisory on Siemens equipment; successful exploitation could allow an attacker to gain privilege escalation and bypass network isolation.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 14th July 2023

Greetings,

It’s that time of year again! The BDO and AUSCERT 2022 Cyber Security Results are in! For the seventh year in a row, organisations across Australia and New Zealand were surveyed to identify the challenges and threats experienced in 2022 as well as what organisational leaders have prioritised to protect key assets and infrastructure. The findings from the report give a comprehensive overview of the present cyber security landscape in Australia and New Zealand. It delves into recent trends in cyber threats, their impact and the measures being implemented to mitigate these risks.

In the ever-evolving digital landscape, the significance of implementing strong cybersecurity measures has escalated. In 2022 BDO & AUSCERT reported a growing concern over data breaches, affecting individuals and high-profile organisations. The continuously evolving cyber threat landscape and increasing sophistication of attacks have emphasized the necessity for organisations to prioritise the development of cyber resilience. Here are a few key themes that the report revealed.

1) Senior leadership is key to driving cyber security resilience
The report revealed the importance for Executive Leadership teams to take a more active role in cyber governance, in addition to being aware of the cyber risks within their organisations. The data collected indicated that although there had been a significant increase in attacks, concerningly there was a decline in senior leadership emphasis. Establishing effective leadership is crucial in fostering the adoption and implementation of policies and practices related to cyber security resilience.

2) The rapidly evolving cyber threat landscape
Rapid technology advancements have triggered the growth and increased sophistication of threats, resulting in greater impacts during incidents. Data suggests cyber criminals are advancing at unprecedented levels, relentlessly pursuing new methods to locate and exploit vulnerabilities. However, reports indicate a concerning decline in organisations investing in the essential resources required to effectively detect and respond to incidents. Neglecting to allocate sufficient resources to cyber security can result in an increased vulnerability to attacks.

3) Importance of resilience
In this current landscape it is crucial for us all to realise we are all vulnerable to an attack at any time. Cyber resilience involves accepting this and planning accordingly for the different incidents that may occur, what assets may be targeted, how quickly we can identify the incident and how we respond.

If you’re interested in delving deeper into these topics or eager to gain further insights from the 2022 report, we invite you to download the complete report now!

SonicWall warns admins to patch critical auth bypass bugs immediately
Date: 2023-07-12 Author: Bleeping Computer
SonicWall warned customers today to urgently patch multiple critical vulnerabilities impacting the company's Global Management System (GMS) firewall management and Analytics network reporting engine software suites. In total, the American cybersecurity company addressed 15 security flaws today, including ones that can let threat actors gain access to vulnerable on-prem systems running GMS 9.3.2-SP1 or earlier and Analytics 2.5.0.4-R7 or earlier after bypassing authentication.

New Phishing Attack Spoofs Microsoft 365 Authentication System
Date: 2023-07-09 Author: Hack Read
Vade, a provider of email security and threat detection services, has released a report on a recently discovered phishing attack that involves the spoofing of the Microsoft 365 authentication system. According to Vade’s Threat Intelligence and Response Center (TIRC), the attack email includes a harmful HTML attachment with JavaScript code. This code is designed to gather the recipient’s email address and modify the page using data from a callback function’s variable.
How kids pay the price for ransomware attacks on education
Date: 2023-07-07 Author: Malwarebytes
Modern ransomware attacks are as much about stealing data and threatening to leak it as they are about encrypting data. Which means that when a school or hospital is attacked, it's often students' and patients' data that's leaked if the ransom demand isn't met. We have to wonder how greedy any person would need to be to show such a blatant disregard for how painful sharing that kind of information can be. In our recent report on the state of ransomware in education we saw an 84% increase in known attacks on the education sector.

Storm-0978 attacks reveal financial and espionage motives
Date: 2023-07-11 Author: Microsoft Corporation
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, a remote code execution vulnerability exploited via Word documents before disclosure to Microsoft, using lures related to the Ukrainian World Congress.

Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
Date: 2023-07-11 Author: Cisco Talos
Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with a signature timestamp prior to July 29, 2015. Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates. Microsoft has blocked all certificates discussed in this blog and has released an advisory.

Apple re-releases zero-day patch after fixing browsing issue
Date: 2023-07-12 Author: Bleeping Computer
Apple fixed and re-released emergency security updates addressing a WebKit zero-day vulnerability exploited in attacks. The initial patches had to be withdrawn on Monday due to browsing issues on certain websites. "Apple is aware of an issue where recent Rapid Security Responses might prevent some websites from displaying properly," Apple said on Tuesday.

ESB-2023.3892 – FortiOS and FortiProxy: CVSS (Max): 9.8
Fortinet has disclosed a critical vulnerability, CVE-2023-33308, affecting FortiOS and FortiProxy. AUSCERT has identified impacted members (where possible) and notified them via MSIN.

ESB-2023.3907 – Adobe ColdFusion: CVSS (Max): 9.8
Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018.

ESB-2023.3910 – Citrix ADC and Gateway: CVSS (Max): 9.6
A critical vulnerability has been discovered in Citrix Secure Access Client for Ubuntu.

ASB-2023.0118 – ALERT Windows: CVSS (Max): 9.8*
Microsoft releases updates to Windows addressing several critical vulnerabilities.

ESB-2023.3880 – macOS Ventura 13.4.1: CVSS (Max): None
Apple fixed an exploited zero-day vulnerability (CVE-2023-37450) in WebKit.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 7th July 2023

Greetings,

Many hackers employ the principles of persuasion to tell you lies and play on your vulnerabilities as a human being to obtain your sensitive information. In our latest episode of ‘Share Today Save Tomorrow’, Anthony sits down with Rachel Tobac, CEO of Social Proof Security, and explores human vulnerabilities – Episode 24: People, People, People, Process and Technology. Rachel explains the importance of verifying the authenticity of any request by employing different tools and methods to check the credentials of the sender and searching for hidden agendas.

In the spirit of full disclosure, the global corporate giant Microsoft has been heavily targeted by a hacktivist group, ‘Anonymous Sudan’. However, Microsoft has chosen not to disclose specific details of these incidents publicly. Earlier this week, Microsoft denied public claims made by the group regarding a data breach which allegedly resulted in 30 million customer account details being compromised. Anonymous Sudan posted a sample of the stolen data online, offering it for sale, yet Microsoft denied the validity of these allegations. Over a month ago Microsoft experienced a distributed denial of service (DDoS) attack orchestrated by the same group, which resulted in the disruption of several of its services. At the time Microsoft did not provide specific information regarding the attacks, prompting Anonymous Sudan to publicly call them out for their alleged dishonesty and issue threats to teach them a lesson via a statement on their public Telegram channel. It’s important to note the situation is still developing and we are awaiting further updates from Microsoft as the investigation progresses. Only the truth will be able to determine the best possible solution for all the parties implicated. By encouraging open collaboration and information exchange, we strive to collectively strengthen our defences against cyber threats.
We are currently seeking a skilled and driven Senior Security Systems Administrator to join our team. The due date to apply has been extended to Monday 10th July, so if you or anyone you know are interested in joining our team, please apply soon. Apply here.

MITRE Updates CWE Top 25 Most Dangerous Software Weaknesses
Date: 2023-07-30 Author: Security Week
The MITRE Corporation has published an updated Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list to reflect the latest trends in the adversarial landscape. The 2023 CWE Top 25 lists the most common and impactful weaknesses leading to serious software vulnerabilities that are often exploited in malicious attacks to take over systems, steal information, or cause denial-of-service (DoS).

Apple, Google, and MOVEit Just Patched Serious Security Flaws
Date: 2023-07-30 Author: WIRED
Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMware, Cisco, Fortinet, and Progress Software’s MOVEit products. A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Who’s Behind the DomainNetworks Snail Mail Scam?
Date: 2023-07-03 Author: Krebs on Security
If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about who may be behind it. The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address.

300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug
Date: 2023-07-03 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution flaw with a severity score of 9.8 out of 10, resulting from a heap-based buffer overflow in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform. CVE-2023-27997 is exploitable and allows an unauthenticated attacker to execute code remotely on vulnerable devices with the SSL VPN interface exposed on the web.

Cisco not patching Nexus switch vulnerability
Date: 2023-07-06 Author: iTnews
Cisco has disclosed a serious vulnerability in the encryption used in some of its Nexus 9000 switches, but said the bug will not be fixed. “A vulnerability in the Cisco ACI [application-centric infrastructure] multi-site CloudSec encryption feature of Cisco Nexus 9000 Series fabric switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic,” Cisco’s advisory states.

ESB-2023.3824 – Android OS: CVSS (Max): 9.8*
Security vulnerabilities have been identified affecting Android devices. The most severe of these vulnerabilities is in the System component and could lead to remote code execution. Android has released security patches to address all of the issues.

ESB-2023.3818 – Cisco ACI Multi-Site CloudSec: CVSS (Max): 7.4
Cisco warned customers of a high-severity vulnerability impacting Cisco Nexus 9000 Series Fabric Switches in ACI mode. No software updates have been released to resolve the vulnerability. Impacted customers are advised to contact their support organisation to discuss alternative options.

ESB-2023.3817 – Cisco Webex Meetings: CVSS (Max): 5.4
Cisco has released software updates to address multiple vulnerabilities in Cisco Webex Meetings which, if exploited, could result in cross-site scripting or cross-site request forgery attacks.

ESB-2023.3804 – Firefox: CVSS (Max): None
Mozilla Foundation has released fixes for a number of security vulnerabilities in Firefox 115.

ESB-2023.3843 – Nessus Agent: CVSS (Max): 5.9
Tenable has reported vulnerabilities in OpenSSL, third-party software used by Nessus Agent for its underlying functionality. Nessus 10.4.1 has been released to address these issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 30th June 2023

Greetings,

As we approach the end of the financial year, we find ourselves in a critical season where scammers are actively targeting individuals and businesses. It is important to stay aware this tax time, as scams impersonating the Australian Taxation Office (ATO) are likely to spike in the following weeks. The ATO reported in May this year that they had already received 1,978 reports of impersonation scams, a 70% increase from the previous month. Together let’s explore the primary channels that scammers have recently been using to deceive unsuspecting citizens.

Social Media Scams
The ATO has reported a huge increase in social media accounts impersonating them on Facebook, Twitter, Instagram, and other platforms. Fake accounts have been asking users to send their personal and sensitive information to help process their enquiry. The best way to verify an account is to investigate its followers and recent activity to see if there is anything suspicious. The ATO’s Facebook and LinkedIn accounts have over 200,000 followers and its Twitter account has over 65,000. They should also have been operating for over 10 years and have a verified tick next to the account name.

Phone & SMS Scams
Phone scams impersonating the ATO are a common trend, usually using a pre-recorded message alerting you to an outstanding debt or fee and requiring your sensitive personal information. Similarly, SMS scams will include a payment link that directs you to a fake ATO webpage and asks for your details. The ATO has confirmed that they will never send a pre-recorded message to your phone, threaten you with immediate arrest, or demand immediate payment through unusual methods or links.

Email Scams
Email is probably the most common method used by scammers to impersonate the ATO or MyGov, utilising authentic-looking content to seem legitimate. These emails usually contain phishing links or attachments that request your banking details or other sensitive information. It is very important to be extra cautious and not open any attachments or links until you can 100% verify the sender's identity. Remember, the ATO or MyGov would not usually send an email directly asking for any personal information. They will usually instruct you to lodge it via their online portals.

Stay aware this tax time! If you think something isn’t genuine, do not engage with it. You can contact the ATO directly on 1800 008 540 to check with them, or see the ATO's guidance on how to verify or report a scam.

Exploit released for new Arcserve UDP auth bypass vulnerability
Date: 2023-06-28 Author: Bleeping Computer
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges. According to the company, Arcserve UDP is a data and ransomware protection solution designed to help customers thwart ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity.

Fortinet fixes critical FortiNAC remote command execution flaw
Date: 2023-06-23 Author: Bleeping Computer
[See AUSCERT Security Bulletin https://portal.auscert.org.au/bulletins/ESB-2023.3637]
Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands. FortiNAC allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats. The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is a deserialization of untrusted data issue that may lead to remote code execution (RCE) without authentication.

Governments across Australia embark on identity reform
Date: 2023-06-27 Author: iTnews
Commonwealth, state and territory digital ministers have signed off on sweeping identity reforms, designed to make Australians’ digital identities harder to steal, and easier to restore. After a Data and Digital Ministers’ meeting last week, the group published a National Strategy for Identity Resilience. Under the strategy, the ministers have pledged to make government-issued digital IDs more interoperable.

Two major energy corporations added to growing MOVEit victim list
Date: 2023-06-27 Author: CyberScoop
Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities. CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.

Hundreds of devices found violating new CISA federal agency directive
Date: 2023-06-27 Author: Bleeping Computer
Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang
Date: 2023-06-28 Author: Security Week
A ransomware gang named 8Base was the second most active group in June 2023, claiming roughly 30 victims, VMware reports. Active since March 2022 and mainly focused on small businesses, the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom. To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate.

ESB-2023.3637 – FortiNAC: CVSS (Max): 9.6
Fortinet has released software updates that address a vulnerability in FortiNAC that, if exploited, could allow an unauthenticated user to execute unauthorized code or commands.

ESB-2023.3638 – IBM QRadar SIEM: CVSS (Max): 6.5
IBM has addressed the verification bypass vulnerability in the Google OAuth Client Library for Java as used by IBM QRadar SIEM.

ESB-2023.3646 – Tenable.io, Tenable Security Center and Nessus: CVSS (Max): 6.3
Tenable has discovered a vulnerability in a Nessus plugin and released updates to address this issue. The updates have been distributed via the Tenable plugin feed ID #202306261202.

ESB-2023.3752 – GitLab Community Edition & Enterprise Edition: CVSS (Max): 7.5
GitLab released security updates for GitLab Community Edition (CE) and Enterprise Edition (EE) which contain important security fixes.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 23rd June 2023

Greetings,

This week, the world celebrated Wi-Fi Day! In our very digitalised lives we take Wi-Fi for granted and overlook the appreciation it truly deserves. Nowadays the ability to connect to the internet anytime and anywhere has become an expectation that we all demand. It has become an essential part of our daily lives and has revolutionized our society and reshaped our global landscape. However, Wi-Fi should be used with caution and diligence, as it can also act as a gateway providing hackers with a direct channel into your computer or devices. It is essential to adopt safe practices when using Wi-Fi networks; here are a few tips:

1) Connect only to known and trusted networks
It is crucial to use common sense when connecting to Wi-Fi networks and only use trusted and reliable sources. When you encounter an unfamiliar network offering free internet in exchange for your details, be wary: this could be a tactic to collect your personal information. It is risky to use free public Wi-Fi as you don’t know how it has been set up or what safeguards or encryption are in place. On these networks, avoid internet activity that involves your sensitive or personal information. Utilising your own personal mobile hotspot is ultimately the safest option when on the go.

2) Be careful what you open
Modern internet browsers such as Google Chrome will often let you know if you are visiting a site that uses an unencrypted HTTP link by labelling it “Not Secure”. People on the same Wi-Fi network as you can watch what you are doing on these sites relatively easily, so be careful what information you put on these sites, as chances are someone could be watching it. Also turn off your file-sharing and AirDrop settings on your phone and laptop when using unsecured networks to ensure no one is able to discover your devices.

3) Stay vigilant
Vigilance is key! We know no one reads the terms and conditions, but in this case it could be the very thing that stops your data from being stolen for malicious intent. Often the red flags will be clear and should stop you from clicking accept and signing on. An additional safeguard is to ensure your computer is equipped with the latest anti-virus protection and to keep on top of all your software updates. Having strong passwords and multi-factor authentication also provides an additional layer of protection.

Following these simple tips can ensure your Wi-Fi experience is enjoyable and will help you avoid becoming a victim of malicious activity.

MOVEit Customers Urged to Patch Third Critical Vulnerability
Date: 2023-06-19 Author: Security Week
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Progress Software is urging MOVEit customers to apply patches to a third critical vulnerability in the file transfer software in less than one month. Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database.

VMware warns of critical vRealize flaw exploited in attacks
Date: 2023-06-20 Author: Bleeping Computer
[See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3381.2]
VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks. “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” the company said today.

Reddit hackers threaten to leak data stolen in February breach
Date: 2023-06-18 Author: Bleeping Computer
The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company. On February 9th, Reddit disclosed that its systems were hacked on February 5th after an employee fell victim to a phishing attack. This phishing attack allowed the threat actors to gain access to Reddit’s systems and steal internal documents, source code, employee data, and limited data about the company’s advertisers.

Data leak at major law firm sets Australia’s government and elites scrambling
Date: 2023-06-20 Author: The Register
An infosec incident at a major Australian law firm has sparked fear among the nation’s governments, banks and businesses – and a free speech debate. The firm, HWL Ebsworth, has acknowledged that on April 28, “we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth.”

A Vulnerability in ShareFile Storage Zones Controller Could Allow for Remote Code Execution
Date: 2023-06-20 Author: Center for Internet Security
[See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3357]
A vulnerability has been discovered in ShareFile Storage Zones Controller which could allow for remote code execution. Storage Zones Controller extends the ShareFile Software as a Service (SaaS) cloud storage. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

ESB-2023.3381.2 – UPDATED ALERT VMware Aria Operations for Networks: CVSS (Max): 9.8
VMware has released patches to remediate multiple vulnerabilities in Aria Operations for Networks which may be exploited in the wild.

ESB-2023.3483 – Jenkins and Jenkins-2-plugins: CVSS (Max): 8.8
Multiple vulnerabilities affecting Jenkins and Jenkins-2-plugins have been addressed by the vendor.

ESB-2023.3521 – iOS 15.7.7 and iPadOS 15.7.7: CVSS (Max): None
Apple addressed three zero-day vulnerabilities used to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.

ESB-2023.3522 – macOS Ventura: CVSS (Max): None
Apple pushed a new macOS Ventura 13.4.1 update which includes bug fixes and security updates for CVE-2023-32439 and CVE-2023-32434, which may be exploited in the wild.

ESB-2023.3550 – Cisco Duo Two-Factor Authentication: CVSS (Max): 6.2
Cisco has released software updates that address a bypass vulnerability in Cisco Duo Two-Factor Authentication for macOS.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 16th June 2023

Greetings,

At AUSCERT, we recognize that continuous growth and development are vital aspects of a successful organisation. As part of our commitment to providing the most valuable services, we are currently focusing on understanding the needs and preferences of our members. To achieve this, we conducted a comprehensive member survey and are now about to embark on the next phase of our journey by organising intimate focus groups in each of your respective cities. We highly value your direct input and are eager to hear your thoughts, opinions, and suggestions. Your feedback will play a pivotal role in driving our continuous improvement and development. We will contact you soon with more details, so please stay tuned!

In the spirit of continuous development, we have launched a new training course that is designed to build on the skills developed in our Introduction to Cyber for IT Professionals. Our new course, Intermediate Cyber Security – Internet Technologies, is designed to give participants awareness of the security issues affecting a range of internet-oriented technologies and protocols, as well as practical guidance on how participants can safeguard their organisation.

In today’s digital landscape we rely heavily on the internet for both daily business operations and government service delivery, making it critical to have a comprehensive understanding of the current threat environment. As the internet advances and cyber crimes become more sophisticated, it is important to recognize the evolving threat landscape so we can adopt appropriate measures to safeguard our information. Even the Australian government is being targeted by hackers searching for vulnerabilities through their internal suppliers and networks. Recently HWL Ebsworth Law Firm was targeted, as they have an extensive client base encompassing both commercial and government entities across every state and territory. The Russian-linked ransomware group claimed it had stolen employee and client data, including financial information, network maps and credentials. The Tasmanian government was among those impacted, reporting that they have been in touch with the federal government and are investigating the possible leak of government data.

It is crucial to stay one step ahead of hackers by continuously expanding your knowledge and enhancing your skills. This way you can effectively identify vulnerabilities in your organisation before they are exploited.

Massive phishing campaign uses 6,000 sites to impersonate 100 brands
Date: 2023-06-13 Author: Bleeping Computer
A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Skechers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others.

Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
Date: 2023-06-11 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices. The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

New MOVEit Transfer critical flaws found after security audit, patch now
Date: 2023-06-09 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that can let attackers steal information from customers' databases. These security bugs were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it addressed a flaw exploited as a zero-day by the Clop ransomware gang in data theft attacks. They affect all MOVEit Transfer versions and enable unauthenticated attackers to compromise Internet-exposed servers to alter or extract customer information.

Microsoft Patches Critical Windows Vulns, Warn of Code Execution Risks
Date: 2023-06-13 Author: Security Week
Microsoft’s security response team on Tuesday rolled out a massive batch of software updates to address major security gaps in its flagship Windows operating system and software components. Redmond’s monthly Patch Tuesday updates cover at least 70 documented vulnerabilities affecting the Windows ecosystem, including six critical issues that expose users to dangerous code execution attacks. According to Microsoft, none of the vulnerabilities have been publicly discussed or exploited in the wild.

Qld gov agencies have 'more to do' to be ready for future data breach reporting
Date: 2023-06-14 Author: iTnews
Queensland government agencies have “more work to do” to prepare for a future mandatory data breach reporting scheme, based on a readiness survey by the state’s information commissioner. The survey [pdf] attracted 107 responses from 221 agencies. Of those that responded, 52 agencies – a bit less than half – had a “documented data breach response plan”, with some “more comprehensive than others”.

ESB-2023.3376 – FortiOS and FortiProxy: CVSS (Max): 7.6
A cleartext transmission of sensitive information vulnerability [CWE-319] in FortiOS and FortiProxy may allow an authenticated attacker with read-only superadmin privileges to intercept traffic in order to obtain other administrators' cookies via diagnose CLI commands.

ESB-2023.3366 – FortiOS: CVSS (Max): 8.3
A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests.

ASB-2023.0113 – Windows Server 2008: CVSS (Max): 9.8
Microsoft has released its monthly security patch update for the month of June 2023, which includes fixes for 18 vulnerabilities in Windows Server.

ESB-2023.3355 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 9th June 2023

Greetings,

The ocean is an indispensable life source, as it blankets 70% of our planet’s surface and generates at least 50% of Earth's oxygen. To commemorate World Ocean Day I would like to pose a challenge for you all: whenever you visit the beach, choose to make a positive impact by leaving it in a better condition than when you arrived by collecting at least one piece of rubbish. Remember, even small steps contribute to significant successes!

Just like the vastness of the ocean, the digital landscape is a deep sea of data that remains largely unexplored and not fully comprehended. Where possible we need to take the advice of experts to ensure we are staying ahead of attackers and protecting ourselves as best we can. In our newest episode of Share Today Save Tomorrow, Anthony explores Mobile Device Security with Martin McGregor, CEO of Devici. To enhance the security of your device and ensure the safety of your data, consider downloading an authenticator app on your phone. This app will provide an additional layer of security for all your applications, adding an extra step to the authentication process and safeguarding your sensitive information.

Just as the ocean is in constant motion, cyber security threats continuously evolve and come in waves. They can be unpredictable and relentless, constantly crashing on our shores and causing havoc. Recently MOVEit, a private file-sharing platform, faced a significant security breach which has sparked global concern. The cyber extortion group known as Clop has come forward identifying themselves as being behind the attack and threatening to release stolen data unless the targeted organisations meet their ransom demands. Authorities have issued warnings regarding the global supply-chain attack, as reportedly hundreds of organisations across different sectors could be impacted. The deep and unknown depths of the dark web can cause concern and require awareness and proactive measures to navigate through these murky waters. But remember, small steps to safeguard your business can make the biggest impact! If you would like further advice on how to better safeguard yourself against possible attacks, get in contact with us today!

Clop ransomware claims responsibility for MOVEit extortion attacks
Date: 2023-06-05 Author: Bleeping Computer
The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies' servers and steal data. This confirms Microsoft's Sunday night attribution to the hacking group they track as 'Lace Tempest,' also known as TA505 and FIN11. The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant.

Don't Overlook Twitter's Trove of Threat Intel for Enterprise Cybersecurity
Date: 2023-06-06 Author: Dark Reading
Tagged, organized, and free for anyone who wants it, social media posts and data are an underused threat intelligence resource for many enterprise cybersecurity teams. Just as cybercriminals have found social media platforms useful for gathering information on targets and launching attacks, network defenders should likewise be looking at Twitter and other similar public-facing social media data sources, so-called open source intelligence (OSINT), to help inform cyber defenses, according to experts.

Sextortionists are making AI nudes from your social media images
Date: 2023-06-06 Author: Bleeping Computer
The Federal Bureau of Investigation (FBI) is warning of a rising trend of malicious actors creating deepfake content to perform sextortion attacks. Sextortion is a form of online blackmail where malicious actors threaten their targets with publicly leaking explicit images and videos they stole (through hacking) or acquired (through coercion), typically demanding money payments for withholding the material. In many cases of sextortion, compromising content is not real, with the threat actors only pretending to have access to scare victims into paying an extortion demand.

Law Council says privacy should be considered in cyber security review
Date: 2023-06-07 Author: iTnews
The Law Council of Australia has asked the government to deal with invasive personal data collection practices as part of a potential Cyber Security Act. The council’s submission to the government’s cyber security discussion paper, published yesterday [pdf], said any Cyber Security Act should also look at ways Australians can verify their identity without providing excessive amounts of personal data.

Barracuda says hacked ESG appliances must be replaced immediately
Date: 2023-06-07 Author: Bleeping Computer
[Please also see AUSCERT bulletin ASB-2023.0107]
Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in an update to the initial advisory issued on Tuesday. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." According to Barracuda, affected customers have already been notified through breached ESGs' user interface. Customers who haven't yet replaced their devices are urged to contact support urgently via email.

ASB-2023.0107 – Barracuda Email Security Gateway Appliance (ESG): CVSS (Max): 9.8
A remote connection injection vulnerability has been detected in Barracuda Email Security Gateway devices. Barracuda advises its customers to replace impacted devices immediately.

ESB-2023.3285 – VMware Aria Operations for Networks: CVSS (Max): 9.8
VMware has released patches to remediate the command injection vulnerability in Aria Operations for Networks.

ESB-2023.3248 – ALERT Google Chrome: CVSS (Max): None
Google has released updates to its stable and extended stable channels, which will roll out over the coming days/weeks.

ESB-2023.3195 – Android OS: CVSS (Max): 9.8*
Security patch levels of 2023-06-05 or later address the security vulnerabilities affecting Android devices.

ESB-2023.3194 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7
The most recent security patch release for GitLab Community Edition (CE) and Enterprise Edition (EE) contains important security fixes. Users are strongly advised to apply the patches as soon as possible to avoid being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 2nd June 2023

Greetings, With the arrival of dropping temperatures, shorter days, and thicker coats we can confidently say winter is finally upon us. In Queensland, winters are truly delightful, striking a perfect balance between cool breezes and the warming sunshine. It’s the season that allows you to relish the outdoors for extended periods of time without beads of sweat forming on your forehead. The only time hot beverages and soups don’t leave you feeling uncomfortably hot. The only time gathering around a fire provides warmth rather than just entertainment. So here’s to winter! Embrace the cold air with open arms and allow the refreshing chill to invigorate your spirit. If you haven’t watched Mark McPherson’s inspiring seminar on the history of AUSCERT watch it now! Titled ‘AUSCERT this is your life’, Mark explores the first decade of operation for our organisation, the unexpected incidents and unique moments that shaped our business model and operating structure. Mark describes our very founding moments and the historical realisation from governing bodies that a central source for information security and protection was desperately required in Australia. We evolved rapidly and in recent years have also expanded our services to include a range of cybersecurity training courses to address the growing demand for cybersecurity expertise in the workplace. Informing and empowering staff through relevant, engaging and focused professional training experiences is a critical component of organisational cyber security resilience. For more information on our upcoming training courses visit AUSCERT Education. In cyber security news this week, PayID scams are on a rapid rise with the second-hand sales market taking a huge hit. With the cost of living skyrocketing many Australians are struggling for cash and have turned to the online second-hand market to turn some of their previously loved items into much needed funds. 
Realising this market has significantly grown in popularity, scammers saw an easy way to infiltrate the payment systems known as PayID to steal funds. PayID is a popular payment system that is frequently used on Facebook Marketplace and Gumtree and supported by almost every Bank. NAB Executive Chirs Sheehan warned consumers of the increasing PayID scams saying criminals are becoming increasingly sophisticated with their fraudulent message.He went on to say educating yourself about PayID and remaining vigilant means being able to identify the red flags, for tips on what these are read the full article here. Microsoft finds macOS bug that lets hackers bypass SIP root restrictions Date: 2023-05-30 Author: Bleeping Computer Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. Discovered and reported to Apple by a team of Microsoft security researchers, the flaw (dubbed Migraine) is now tracked as CVE-2023-32369. Apple has patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18. Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards Date: 2023-05-31 Author: Security Week Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations. The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform. Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. 
The dropped file then downloads and runs another payload fetched from Gigabyte servers. Hackers exploit critical Zyxel firewall flaw in ongoing attacks Date: 2023-05-31 Author: Bleeping Computer Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following product versions to apply to resolve the vulnerability: ATP – ZLD V4.60 to V5.35 USG FLEX – ZLD V4.60 to V5.35 VPN- ZLD V4.60 to V5.35 ZyWALL/USG – ZLD V4.60 to V4.73 New Mirai Variant Campaigns are Targeting IoT Devices Date: 2023-05-29 Author: Infosecurity Magazine Unit 42, Palo Alto Networks threat research team, has found new malicious activity targeting IoT devices, using a variant of Mirai, a piece of malware that turns networked devices running Linux, typically small IoT devices, into remotely controlled bots that can be used in large-scale network attacks. Dubbed IZ1H9, this variant was first discovered in August 2018 and has since become one of the most active Mirai variants. ‘Dark Pink’ APT attacks governments, militaries, more in Thailand, Brunei, Belgium, Vietnam and Indonesia Date: 2023-06-01 Author: The Record The Dark Pink hacker group has been tied to five new attacks on governments, militaries and organizations based in Belgium, Thailand, Brunei, Vietnam and Indonesia. Researchers from Group-IB have been tracking the group for months and said it has been active since mid-2021, compromising at least 13 organizations across Europe and the Asia-Pacific region. 
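The Zyxel item above lists the affected ZLD firmware ranges per product line. A patch-triage check that turns those ranges into a yes/no answer for a device inventory, added here as an example and not code from Zyxel, Bleeping Computer or AUSCERT, follows. The product names and version bounds are taken from the text above; the assumption that a ZLD version string looks like "V5.35" (a major and minor number, with or without the leading V) and the sample inventory are constructed for the example.

```python
"""Check Zyxel ZLD firmware versions against the affected ranges listed
for CVE-2023-28771 in the newsletter item above.

Added example (not vendor code). Version bounds come from the page; the
version string format and the sample inventory are assumptions."""

import re
from typing import Iterable, List, Tuple

# Inclusive affected ranges per product line, as listed on the page.
AFFECTED_RANGES = {
    "ATP": ("V4.60", "V5.35"),
    "USG FLEX": ("V4.60", "V5.35"),
    "VPN": ("V4.60", "V5.35"),
    "ZyWALL/USG": ("V4.60", "V4.73"),
}

# Assumed format: optional leading 'V', then major.minor (e.g. "V5.35" or "5.35").
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)$")


def parse_zld_version(version: str) -> Tuple[int, int]:
    """Turn 'V5.35' into the comparable tuple (5, 35); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(product: str, version: str) -> bool:
    """True when the firmware lies inside the affected range for its product line."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"unknown Zyxel product line: {product!r}")
    low, high = (parse_zld_version(v) for v in AFFECTED_RANGES[product])
    return low <= parse_zld_version(version) <= high


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from (hostname, product, version) rows that still need the patch."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; not real devices.
    sample = [
        ("fw-branch-01", "ATP", "V5.35"),
        ("fw-branch-02", "USG FLEX", "V5.36"),
        ("fw-dc-01", "ZyWALL/USG", "V4.73"),
        ("fw-dc-02", "ZyWALL/USG", "V4.74"),
    ]
    for host in triage(sample):
        print(f"{host}: firmware in affected range, apply the Zyxel patch for CVE-2023-28771")
```

Versions are compared as numeric (major, minor) tuples rather than as strings so that, for instance, V4.73 sorts below V5.35 and V4.9 below V4.60. Because the check is only as good as the ranges it encodes, the bounds should be updated from the vendor advisory if Zyxel revises them.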
ESB-2023.3083 – Advantech WebAccess/SCADA: CVSS (Max): 7.3
Advantech released a new version, 9.1.4, to address a vulnerability in WebAccess/SCADA which, if exploited, could allow an attacker to gain full control of the server.

ESB-2023.3086 – VMware Products: CVSS (Max): 6.1
An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was reported to VMware. Updates are available to address this vulnerability in affected VMware products.

ESB-2023.3060 – Red Hat Advanced Cluster Management: CVSS (Max): 9.8
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability has been released with fixes for security issues and updated container images.

ESB-2023.3119 – texlive-bin: CVSS (Max): 9.8
It was discovered that the patch to fix CVE-2023-32700 in texlive-bin, released as DLA-3427-1, was incomplete and caused an error when running the lualatex command. This has been addressed in a texlive-bin package upgrade.

ESB-2023.3099 – wireshark: CVSS (Max): 8.8
An update for wireshark fixes six vulnerabilities and various application-crashing issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 26th May 2023

Greetings, Today, we respectfully recognise and remember the unjust treatment endured by Aboriginal and Torres Strait Islander individuals and communities who have been forcibly separated from their families and culture. National Sorry Day is an opportunity for us to come together as a nation to commemorate the strength and resilience of the Stolen Generations survivors and reflect on how we can all contribute to the healing process. With National Reconciliation Week just around the corner, there are plenty of opportunities to learn about our shared histories, cultures and achievements and to explore how each of us can contribute to achieving reconciliation in Australia.

Registrations are now open for AUSCERT’s upcoming training courses, designed to enhance your skills and empower your mind! Our courses are facilitated by trainers who possess extensive industry experience and pride themselves on creating engaging, interactive and high-quality learning experiences. In two half-day online sessions they will guide you through the principles and practices while also drawing on their own valuable career insights to enrich your learning experience. Our first upcoming course, Cyber Security Risk Management, is designed to give participants the ability to perform risk assessments, including how to rate, assess and report business risks rather than technical vulnerabilities. We have a wide range of courses to choose from; for more information visit AUSCERT Education.

In other news, Telstra has launched a new scam reporting service allowing customers to forward suspicious SMS and MMS messages to a national phone number (7226) to help identify and block scam messages. With scams on a rapid rise in Australia, the best defence is to stay informed and question every unexpected communication regardless of the sender. That said, it is becoming increasingly difficult to detect a fraudulent message, as scammers are appearing more and more authentic.
For tips and tools on how to recognise, avoid and report scams, visit Scamwatch. Alternatively, if you’re an AUSCERT member you can contact our 24/7 Incident Support Service, where we can help you detect, interpret and respond to attacks. It’s better to be too safe than sorry when it comes to scams!

Experts Warn of Voice Cloning-as-a-Service
Date: 2023-05-19 Author: Infosecurity Magazine
Security experts are warning of surging threat actor interest in voice cloning-as-a-service (VCaaS) offerings on the dark web, designed to streamline deepfake-based fraud. Recorded Future’s latest report, I Have No Mouth and I Must Do Crime, is based on threat intelligence analysis of chatter on the cybercrime underground. Deepfake audio technology can mimic the voice of a target to bypass multi-factor authentication, spread mis- and disinformation and enhance the effectiveness of social engineering in business email compromise (BEC)-style attacks, among other things.

Google will delete accounts inactive for more than 2 years
Date: 2023-05-21 Author: Bleeping Computer
Google has updated its policy for personal accounts across its services to allow a maximum period of inactivity of two years. After that time has passed, the accounts "may" be deleted, along with all their contents, settings, preferences, and user-saved data. This includes all data stored on services such as Gmail, Docs, Drive, Meet, Calendar, Google Photos, and YouTube.

Here's how you can help report SMS and MMS scams to Telstra
Date: 2023-05-24 Author: techAU
Telstra has launched a new scam reporting service that allows customers to forward suspicious SMS and MMS messages to a national phone number. The service, which is free to use, will help Telstra to better identify and block scam messages. To report a scam message, customers simply need to forward the message to 7226. Telstra will then investigate the message and take appropriate action, such as blocking the sender or reporting the message to the relevant authorities.

Australian critical infrastructure operators urged to move off Chinese tech
Date: 2023-05-23 Author: iTnews
A sweep of Chinese-made hardware and software from the federal government could be expanded to cover critical infrastructure operators as well, with the government already assessing its powers for “market intervention”. The comments, made by Home Affairs officials at senate estimates yesterday, come as the government increasingly suspends its use of Chinese-made technology over security concerns.

Home Affairs to migrate AUSTRAC, ACIC out of cyber hub
Date: 2023-05-23 Author: iTnews
Home Affairs will spend $3.7 million helping AUSTRAC and the Australian Criminal Intelligence Commission (ACIC) transition off cyber security services it provided under the government’s axed cyber hubs pilot. The pilot was discontinued earlier this month after a Finance-led review of the pilot scheme.

ESB-2023.2979 – Tomcat: CVSS (Max): 7.5
The previous fix for CVE-2023-24998 was incomplete. Apache has released a regression update to address the issue.

ESB-2023.3006 – ALERT GitLab Community Edition and Enterprise Edition: CVSS (Max): 10.0
A critical file read vulnerability has been addressed in the new releases of GitLab.

ESB-2023.3025 – jenkins and jenkins-2-plugins: CVSS (Max): 9.8
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for Red Hat OCP.

ESB-2023.2965 – WordPress: CVSS (Max): None
WordPress 6.2.2 is now available, addressing 1 security issue and 1 bug.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 19th May 2023

Greetings, Although our bodies are feeling a bit worse for wear from last week’s conference, our minds are buzzing with new information, skills and possibilities! After the amazing week we had, it’s safe to say the AUSCERT team was a little slower this week, taking vital time to rest and recover after all the shenanigans. It was all worth it to catch up with past members, meet new members and strengthen our community bond! In addition to providing cutting-edge education, one of the most significant attractions of the conference lies in its vibrant community, fostering idea sharing and facilitating valuable networking opportunities.

Google has sparked a lot of controversy with its roll out of new ‘.zip’ and ‘.mov’ top level domains (TLDs). The reason for the concern is that these strings are commonly used as file extensions and may aid threat actors in misleading potential victims. Cybersecurity researchers and professionals are concerned that this will add unnecessary risk to an already risky environment and increase phishing scams and malware downloads. Threat actors could potentially obtain a .zip domain with the same name as a trusted brand and create fake sites to manipulate unknowing consumers into providing personal information or transferring funds. This has triggered a controversial debate online, with many researchers rebutting these arguments and claiming it’s not that bad and everyone shouldn’t panic. Google echoed those arguments, saying it takes phishing and malware seriously and has existing mechanisms in place to protect users if new threats emerge. Only time will tell whether this was a smart move by Google or whether it will give further ammunition to scammers.

In more positive news, the federal government has announced it will spend $58 million to create the national anti-scams centre to report scams and distribute information more efficiently to banks, law enforcement and vulnerable communities. This will facilitate faster responses to reported scams by establishing a team of industry and law enforcement experts to act efficiently on scam trends. After the ACCC reported a loss of billions due to scams last year, the government and banks have been put under considerable pressure by consumers to develop safer systems, including a new method of dealing with fraudulent transactions. The Australian Banking Association has announced its new digital platform called ‘Fraud Reporting Exchange’, which will allow banks to share information about scam transactions quickly with each other. At least we are taking steps in the right direction to work together to put a stop to scammers.

TechnologyOne still investigating impact of M365 cyber incident
Date: 2023-05-12 Author: iTnews
TechnologyOne said it had managed to contain an incident that impacted its internally-used Microsoft 365 instance earlier this week, and that the system is operating again. In an update [pdf], the software maker said M365 was “successfully restored and is fully operational”. On Wednesday, TechnologyOne disclosed there had been unauthorised access to its M365 instance. It said that “security experts” had since “confirmed our Microsoft 365 system is secure”.

Google's .zip Top Level domain is already used in phishing attacks
Date: 2023-05-15 Author: ghacks.net
Google released the top-level domain .zip to the public recently, which means that interested organizations and users may register .zip domains. Cyber criminals are already using .zip domains in phishing campaigns. According to the SANS Internet Storm Center, about 1230 names have been registered so far. The top level domain was approved in 2014 but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions. It seems that Google reduced the registration price for a .zip domain to $15 per year last week, which appears to be less than half the previous price.
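The concern described in the two .zip passages above comes down to how a browser decides which host a URL points to: the host is whatever sits after "://" and before the first real "/", "?" or "#", and anything before an "@" in that span is userinfo, not the host. A link can therefore show a trusted brand and a file path while actually resolving to a .zip domain. The following is an added example written for this summary, not code from Google, SANS or the article; the slash-lookalike set and brand watchlist are constructed assumptions, and the sample URLs are constructed (the second one uses U+2215 DIVISION SLASH in place of "/").

```python
# TLDs that are also common file extensions (the two discussed above).
FILE_EXT_TLDS = {"zip", "mov"}
# Characters that render like "/" in an address bar. Constructed list, not exhaustive.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}
# Constructed watchlist of brand names worth flagging when they sit directly under a file-extension TLD.
WATCHED_BRANDS = {"github", "microsoft", "google"}


def split_authority(url):
    """Return the authority part (userinfo@host:port) the way a browser delimits it:
    everything after '://' up to the first real '/', '?' or '#'."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    end = len(rest)
    for delimiter in "/?#":
        index = rest.find(delimiter)
        if index != -1:
            end = min(end, index)
    return rest[:end]


def analyse_url(url):
    """Return the host the browser will actually connect to plus a list of findings."""
    authority = split_authority(url)
    # Everything before the last '@' is userinfo and plays no part in host resolution.
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":")[0].lower()
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    findings = []
    if tld in FILE_EXT_TLDS:
        findings.append(f"host is under .{tld}, a TLD that doubles as a file extension")
        if labels[-2] in WATCHED_BRANDS:
            findings.append(f"watched brand '{labels[-2]}' registered directly under .{tld}")
    if at:
        findings.append("userinfo before '@': the leading text is not the host")
    if any(ch in SLASH_LOOKALIKES for ch in authority):
        findings.append("slash lookalike character inside the authority")
    return {"host": host, "tld": tld, "findings": findings}


def is_suspicious(url):
    return bool(analyse_url(url)["findings"])


# Constructed sample URLs. The first is a normal download whose *path* ends in .zip;
# the second looks identical on screen but every "/" after the brand name is U+2215.
SAMPLE_URLS = [
    "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1.27.1.zip",
    "https://microsoft.zip/login",
    "http://example.com:8080/files/report.mov",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = analyse_url(url)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{result['host']:<14} {verdict:<10} {url}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The authority is split by hand rather than with urllib.parse so that the lookalike characters survive untouched; Python's urlsplit rejects some authorities that normalise to contain "/" or "@", which is useful in its own right but hides the exact thing this check wants to report. A mail gateway or proxy can run the same logic over extracted links and flag the .zip host together with the reason.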
Drug and alcohol tests of graduate paramedics revealed in Ambulance Victoria data breach
Date: 2023-05-12 Author: The Guardian
The confidential drug and alcohol test results of graduate paramedics were available for every Ambulance Victoria staff member to view under a significant breach that has been reported to the state’s privacy watchdog. The Ambulance Victoria chief executive, Jane Miller, confirmed on Friday afternoon that the “unacceptable” breach involved 600 test results relating to a “few hundred” people, and offered her unreserved apology to those impacted.

Parental control app with 5 million downloads vulnerable to attacks
Date: 2023-05-16 Author: Bleeping Computer
Kiddowares' 'Parental Control – Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing. The Kids Place app is a parental control suite with 5 million downloads on Google Play, offering monitoring and geolocation capabilities, internet access and purchasing restrictions, screen time management, harmful content blocking, remote device access, and more.

MalasLocker ransomware targets Zimbra servers, demands charity donation
Date: 2023-05-17 Author: Bleeping Computer
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.
Microsoft is scanning the inside of password-protected zip files for malware
Date: 2023-05-16 Author: Ars Technica
Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

ESB-2023.2867 – WordPress: CVSS (Max): None
WordPress released WordPress 6.2.1, which features 20 bug fixes in Core and 10 bug fixes for the block editor.

ESB-2023.2892 – Cisco Small Business Series Switches: CVSS (Max): 9.8
Cisco has released software updates that address multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches.

ESB-2023.2910 – Google Chrome: CVSS (Max): None
Google released Chrome 113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows, which contains 12 security fixes.

ESB-2023.2911 – Jenkins Plugins: CVSS (Max): 8.8
Multiple vulnerabilities affecting various Jenkins plugins have been addressed by Jenkins.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
