Week in review

AUSCERT Week in Review for 30th June 2023

Greetings, As we approach the end of the financial year, we find ourselves in a critical season where scammers are actively targeting individuals and businesses. It is important to stay aware this tax time as scams impersonating the Australian Taxation Office (ATO) are likely to spike in the following weeks. The ATO reported in May this year they had already received 1,978 reports of impersonation scams a 70% increase from the previous month. Together let’s explore the primary channels that scammers have recently been using to deceive unsuspecting citizens. Social Media Scams The ATO has reported a huge increase in social media accounts impersonating them on Facebook, Twitter, Instagram, and other platforms. Fake accounts have been asking users to send their personal and sensitive information to help process their enquiry. The best way to verify an account is to investigate their followers and recent activity to see if there is anything suspicious. The ATO’s Facebook & LinkedIn has over 200,000 followers and its Twitter account has over 65,000. Also, they should have been operating for over 10 years and have a verified tick next to their account name. Phone & SMS Scams Phone scams impersonating the ATO are a common trend usually using a pre-recorded message alerting you of your outstanding debt or fee and requiring your sensitive personal information. Similarly SMS scams will include a payment link that will direct you to a fake ATO webpage and ask for your details. The ATO has confirmed that they will never send a pre-recorded message to your phone, threaten you with immediate arrest or demand immediate payment through unusual methods or links. Email Scams Email is probably the most common method used by scammers to impersonate the ATO or MyGov utilising authentic looking content to seem legitimate. These emails usually contain phishing links or attachments that request your banking details or other sensitive information. It is very important to be extra cautious and do not open any attachments or links until you can 100% verify the identity. Remember the ATO or MyGov would not usually send an email directly asking for any personal information. They will usually instruct you to lodge it via their online portals. Stay aware this tax time! If you think something isn’t genuine do not engage with it. You can contact the ATO directly on 1800 008 540 to check with them. Or click here to see how to verify or report a scam Exploit released for new Arcserve UDP auth bypass vulnerability Date: 2023-06-28 Author: Bleeping Computer Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges. According to the company, Arcserve UDP is a data and ransomware protection solution designed to help customers thwart ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity. Fortinet fixes critical FortiNAC remote command execution flaw Date: 2023-06-23 Author: Bleeping Computer [See AUSCERT Security Bulletin https://portal.auscert.org.au/bulletins/ESB-2023.3637] Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands. FortiNAC is a allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats. The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is a deserialization of untrusted data that may lead to remote code execution (RCE) without authentication. Governments across Australia embark on identity reform Date: 2023-06-27 Author: iTnews Commonwealth, state and territory digital ministers have signed off on sweeping identity reforms, designed to make Australians’ digital identities harder to steal, and easier to restore. After a Data and Digital Ministers’ meeting last week, the group published a National Strategy for Identity Resilience. Under the strategy, the ministers have pledged to make government-issued digital IDs more interoperable. Two major energy corporations added to growing MOVEit victim list Date: 2023-06-27 Author: CyberScoop Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities. CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims. Hundreds of devices found violating new CISA federal agency directive Date: 2023-06-27 Author: Bleeping Computer Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies. Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang Date: 2023-06-28 Author: Security Week A ransomware gang named 8Base was the second most active group in June 2023, claiming roughly 30 victims, VMware reports. Active since March 2022 and mainly focused on small businesses, the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom. To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate. ESB-2023.3637 – FortiNAC: CVSS (Max): 9.6 Fortinet has released software updates that address a vulnerability in FortiNAC that if exploited could allow an unauthenticated user to execute unauthorized code or commands. ESB-2023.3638 – IBM QRadar SIEM: CVSS (Max): 6.5 IBM has addressed the verification bypass vulnerability in Google OAuth Client Library for Java as used by IBM QRadar SIEM. ESB-2023.3646 – Tenable.io, Tenable Security Center and Nessus: CVSS (Max): 6.3 Tenable has discovered vulnerability in Nessus Plugin, and released updates to address this issue. The updates have been distributed via the Tenable plugin feed ID #202306261202. ESB-2023.3752 – GitLab Community Edition & Enterprise Edition: CVSS (Max): 7.5 Gitlab released security updates for GitLab Community Edition (CE) and Enterprise Edition (EE) which contain important security fixes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 23rd June 2023

Greetings, This week, the world celebrated Wi-Fi Day! In our very digitalised lives we take Wi-Fi for granted and overlook the appreciation it truly deserves. Nowadays the ability to connect to the internet anytime and anywhere has become an expectation that we all demand. It has become an essential part of our daily lives and has revolutionized our society and reshaped our global landscape. Although Wi-Fi should be used with caution and diligence as it can also act as a gateway providing hackers with a direct channel into your computer or devices.. It is essential to adopt safe practices when using Wi-Fi networks, here are a few tips: 1) Connect to only known and trusted networks. It is crucial to use common sense when connecting to Wi-Fi networks and only use trusted and reliable sources. When you encounter an unfamiliar network offering free internet in exchange for your details, be wary this could be a tactic to collect your personal information. It is risky to use free public WiFi as you don’t know how it has been set up or what safeguards or encryptions are in place. On these networks avoid internet activity that includes your sensitive or personal information. Utilising your own personal mobile hot-spot is ultimately the safest option when on the go. 2) Be careful what you open Modern internet browsers such as Google Chrome will often let you know if you are visiting a site that uses an unencrypted HTTP link by labelling it “Not Secure”. People on the same Wi-Fi network as you can watch what you are doing on these sites relatively easily. So be careful what information you put on these sites as chances are someone could be watching it. Also turn off your filesharing and airdrop settings on your phone and laptop when using unsecure internet networks to ensure no one is able to discover your devices. 3) Stay Vigilant Vigilance is key! We know no one reads the terms and conditions but in this case it could be the very thing that stops your data from being stolen for malicious intent. Often the red flags will be clear and should hinder you from clicking accept and signing on. Also an additional safeguard is to ensure your computer is equipped with the latest anti-virus protection and to keep on top of all your software updates. Having strong passwords and multi-factor authentication also provides an additional layer of protection. Following these simple tips can ensure your Wi-Fi experience is enjoyable and will avoid you becoming a victim to malicious activity. MOVEit Customers Urged to Patch Third Critical Vulnerability Date: 2023-06-19 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via MSIN] Progress Software is urging MOVEit customers to apply patches to a third critical vulnerability in the file transfer software in less than one month. Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database. VMware warns of critical vRealize flaw exploited in attacks Date: 2023-06-20 Author: Bleeping Computer [See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3381.2] VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks. “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” the company said today. Reddit hackers threaten to leak data stolen in February breach Date: 2023-06-18 Author: Bleeping Computer The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company. On February 9th, Reddit disclosed that its systems were hacked on February 5th after an employee fell victim to a phishing attack. This phishing attack allowed the threat actors to gain access to Reddit’s systems and steal internal documents, source code, employee data, and limited data about the company’s advertisers. Data leak at major law firm sets Australia’s government and elites scrambling Date: 2023-06-20 Author: The Register An infosec incident at a major Australian law firm has sparked fear among the nation’s governments, banks and businesses – and a free speech debate. The firm, HWL Ebsworth, has acknowledged that on April 28, “we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth.” A Vulnerability in ShareFile Storage Zones Controller Could Allow for Remote Code Execution Date: 2023-06-20 Author: Center for Internet Security [See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3357] A vulnerability have been discovered in ShareFile Storage Zones Controller which could allow for remote code execution. Storage Zones Controller extends the ShareFile Software as a Service (SaaS) cloud storage. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. ESB-2023.3381.2 – UPDATED ALERT VMware Aria Operations for Networks: CVSS (Max): 9.8 VMware has released patches to remediate multiple vulnerabilities in Aria Operations for Networks which maybe exploited in the wild. ESB-2023.3483 – Jenkins and Jenkins-2-plugins: CVSS (Max): 8.8 Multiple vulnerabilities affecting Jenkins and Jenkins-2-plugins have been addressed by the vendor. ESB-2023.3521 – iOS 15.7.7 and iPadOS 15.7.7: CVSS (Max): None Apple addressed three zero-day vulnerabilities used to deploy Triangulation spyware on iPhones via iMessage zero-click exploits. ESB-2023.3522 – macOS Ventura: CVSS (Max): None Apple pushed a new macOS Ventura 13.4.1 update which includes bug fixes and security updates for CVE-2023-32439 and CVE-2023-32434 which may be exploited in the wild. ESB-2023.3550 – Cisco Duo Two-Factor Authentication: CVSS (Max): 6.2 Cisco has released software updates that address bypass vulnerability in Cisco Duo Two-Factor Authentication for macOS. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 16th June 2023

Greetings, At AUSCERT, we recognize that continuous growth and development are vital aspects of a successful organisation. As part of our commitment to providing the most valuable services, we are currently focusing on understanding the needs and preferences of our members. To achieve this, we conducted a comprehensive member survey and are now about to embark on the next phase of our journey by organising intimate focus groups in each of your respective cities. We highly value your direct input and are eager to hear your thoughts, opinions, and suggestions. Your feedback will play a pivotal role in driving our continuous improvement and development. We will contact you soon with the more details so please stay tuned! In the spirit of continuous development, we have launched a new training course that is designed to build on the skills developed in our Introduction to Cyber for IT Professionals. Our new course, Intermediate Cyber Security – Internet Technologies is designed to provide participants with awareness on the security issues utilising a range of internet-oriented technologies and protocols. As well as practical guidance for how participants can safeguard their organisation. In today’s digital landscape we rely heavily on the internet for both daily business operations and government service delivery, making it critical to have a comprehensive understanding of the current threat environment. As the internet advances and cyber crimes become more sophisticated, it is important to recognize the evolving threat landscape so we can adopt appropriate measures to safeguard our information. Even the Australian government is being targeted by hackers searching for vulnerabilities through their internal suppliers and networks. Recently HWL Ebsworth Law Firm was targeted as they have an extensive client base encompassing both commercial and government entities across every state and territory. The Russian-linked ransomware group claimed it had stolen employee and client data, including financial information, network maps and credentials. The Tasmanian government were among the impacted, reporting that they have been in touch with the federal government and are investigating the possible leak of government data. It is crucial to stay one step ahead of hackers by continuously expanding your knowledge and enhancing your skills. This way you can effectively identify vulnerabilities in your organisation before they are exploited. Massive phishing campaign uses 6,000 sites to impersonate 100 brands Date: 2023-06-13 Author: Bleeping Computer A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others. Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now Date: 2023-06-11 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via MSIN] Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices. The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023. New MOVEit Transfer critical flaws found after security audit, patch now Date: 2023-06-09 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via MSIN] Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that can let attackers steal information from customers' databases. These security bugs were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it addressed a flaw exploited as a zero-day by the Clop ransomware gang in data theft attacks. They affect all MOVEit Transfer versions and enable unauthenticated attackers to compromise Internet-exposed servers to alter or extract customer information. Microsoft Patches Critical Windows Vulns, Warn of Code Execution Risks Date: 2023-06-13 Author: Security Week Microsoft’s security response team on Tuesday rolled out a massive batch of software updates to address major security gaps in its flagship Windows operating system and software components. Redmond’s monthly Patch Tuesday updates cover at least 70 documented vulnerabilities affecting the Windows ecosystem, including six critical issues that expose users to dangerous code execution attacks. According to Microsoft, none of the vulnerabilities have been publicly discussed or exploited in the wild. Qld gov agencies have 'more to do' to be ready for future data breach reporting Date: 2023-06-14 Author: iTnews Queensland government agencies have “more work to do” to prepare for a future mandatory data breach reporting scheme, based on a readiness survey by the state’s information commissioner. The survey [pdf] attracted 107 responses from 221 agencies. Of those that responded, 52 agencies – a bit less than half – had a “documented data breach response plan”, with some “more comprehensive than others”. ESB-2023.3376 – FortiOS and FortiProxy: CVSS (Max): 7.6 A cleartext transmission of sensitive information vulnerability [CWE-319] in FortiOS & FortiProxy may allow an authenticated attacker with readonly superadmin privileges to intercept traffic in order to obtain other adminstrators cookies via diagnose CLI commands. ESB-2023.3366 – FortiOS: CVSS (Max): 8.3 A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests. ASB-2023.0113 – Windows Server 2008: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of June 2023 which includes fixes for 18 vulnerabilities in Windows Server. ESB-2023.3355 – Adobe Commerce and Magneto Open Source: CVSS (Max): 9.1 Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical , important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 9th June 2023

Greetings, The ocean is an indispensable life source as it blankets 70% of our planet’s surface and generates at least 50% of Earths oxygen. To commemorate World Ocean Day I would like to pose a challenge for you all, whenever you visit the beach, choose to make a positive impact by leaving it in a better condition than when you arrived by collecting at least one piece of rubbish. Remember even small steps contribute to significant successes! Just like the vastness of the ocean, the digital landscape is a deep-sea of data that remains largely unexplored and not fully comprehended. Where possible we need to take the advice of experts to ensure we are staying ahead of attackers and protecting ourselves as best we can. In our newest episode of Share Today Save Tomorrow, Anthony explores Mobile Device Security with Martin McGregor CEO of Devici. To enhance the security of your device and ensure the safety of your data, consider downloading an authenticator app on your phone. This app will provide an additional layer of security for all your applications, adding an extra layer to the authentication process and safeguarding your sensitive information. Just as the ocean is in constant motion, cyber security threats continuously evolve and come in waves. They can be unpredictable and relentless constantly crashing on our shores and causing havoc. Recently an attack on MOVEit a private file-sharing platform faced a significant security breach which has sparked global concern. The cyber extortion group known as Clop, has come forward identifying themselves as being behind the attack and threatening to release stolen data unless the targeted organisations meet their ransom demands. Authorities have issued warnings regarding the global-supply chain attack as reportedly hundreds of organisations across different sectors could be impacted.The deep and unknown depths of the dark web can cause concern and requires awareness and proactive measure to navigate through these murky waters. But remember small steps to safeguard your businesses can make the biggest impacts! If you would like further advice on how to better safeguard yourself against possible attacks get in contact with us today! Clop ransomware claims responsibility for MOVEit extortion attacks Date: 2023-06-05 Author: Bleeping Computer The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies' servers and steal data. This confirms Microsoft's Sunday night attribution to the hacking group they track as 'Lace Tempest,' also known as TA505 and FIN11. The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant. Don't Overlook Twitter's Trove of Threat Intel for Enterprise Cybersecurity Date: 2023-06-06 Author: Dark Reading Tagged, organized, and free for anyone who wants it, social media posts and data are an underused threat intelligence resource for many enterprise cybersecurity teams. Just as cybercriminals have found social media platforms useful for gathering information on targets and launching attacks, network defenders should likewise be looking at Twitter and other similar public-facing social media data sources, so called open source intelligence (OSINT), to help inform cyber defenses, according to experts. Sextortionists are making AI nudes from your social media images Date: 2023-06-06 Author: Bleeping Computer The Federal Bureau of Investigation (FBI) is warning of a rising trend of malicious actors creating deepfake content to perform sextortion attacks. Sextortion is a form of online blackmail where malicious actors threaten their targets with publicly leaking explicit images and videos they stole (through hacking) or acquired (through coercion), typically demanding money payments for withholding the material. In many cases of sextortion, compromising content is not real, with the threat actors only pretending to have access to scare victims into paying an extortion demand. Law Council says privacy should be considered in cyber security review Date: 2023-06-07 Author: iTnews The Law Council of Australia has asked the government to deal with invasive personal data collection practices as part of a potential Cyber Security Act. The council’s submission to the government’s cyber security discussion paper, published yesterday [pdf', said any Cyber Security Act should also look at ways Australians can verify their identity without providing excessive amounts of personal data. Barracuda says hacked ESG appliances must be replaced immediately Date: 2023-06-07 Author: Bleeping Computer [Please also see AUSCERT bulletin ASB-2023.0107] Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in an update to the initial advisory issued on Tuesday. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." According to Barracuda, affected customers have already been notified through breached ESGs' user interface. Customers who haven't yet replaced their devices are urged to contact support urgently via email. ASB-2023.0107 – Barracuda Email Security Gateway Appliance (ESG): CVSS (Max): 9.8 A remote connection injection vulnerability has been detected in Barracuda Email Security Gateway devices. Barracuda advise its customers to replace impacted devices immediately. ESB-2023.3285 – VMware Aria Operations for Networks: CVSS (Max): 9.8 VMware has released patches to remediate the command injection vulnerability in Aria Operations for Networks. ESB-2023.3248 – ALERT Google Chrome: CVSS (Max): None Google has released updates to its stable and extended stable channels, which will roll out over the coming days/weeks. ESB-2023.3195 – Android OS: CVSS (Max): 9.8* Security patch levels of 2023-06-05 or later address the security vulnerabilities affecting Android devices. ESB-2023.3194 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7 The most recent security patch release for GitLab Community Edition (CE) and Enterprise Edition (EE) contains important security fixes. The users are strongly advised to apply the patches as soon as possible to avoid being exploited. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 2nd June 2023

Greetings, With the arrival of dropping temperatures, shorter days, and thicker coats we can confidently say winter is finally upon us. In Queensland, winters are truly delightful, striking a perfect balance between cool breezes and the warming sunshine. It’s the season that allows you to relish the outdoors for extended periods of time without beads of sweat forming on your forehead. The only time hot beverages and soups don’t leave you feeling uncomfortably hot. The only time gathering around a fire provides warmth rather than just entertainment. So here’s to winter! Embrace the cold air with open arms and allow the refreshing chill to invigorate your spirit. If you haven’t watched Mark McPherson’s inspiring seminar on the history of AUSCERT watch it now! Titled ‘AUSCERT this is your life’, Mark explores the first decade of operation for our organisation, the unexpected incidents and unique moments that shaped our business model and operating structure. Mark describes our very founding moments and the historical realisation from governing bodies that a central source for information security and protection was desperately required in Australia. We evolved rapidly and in recent years have also expanded our services to include a range of cybersecurity training courses to address the growing demand for cybersecurity expertise in the workplace. Informing and empowering staff through relevant, engaging and focused professional training experiences is a critical component of organisational cyber security resilience. For more information on our upcoming training courses visit AUSCERT Education. In cyber security news this week, PayID scams are on a rapid rise with the second-hand sales market taking a huge hit. With the cost of living skyrocketing many Australians are struggling for cash and have turned to the online second-hand market to turn some of their previously loved items into much needed funds. Realising this market has significantly grown in popularity, scammers saw an easy way to infiltrate the payment systems known as PayID to steal funds. PayID is a popular payment system that is frequently used on Facebook Marketplace and Gumtree and supported by almost every Bank. NAB Executive Chirs Sheehan warned consumers of the increasing PayID scams saying criminals are becoming increasingly sophisticated with their fraudulent message.He went on to say educating yourself about PayID and remaining vigilant means being able to identify the red flags, for tips on what these are read the full article here. Microsoft finds macOS bug that lets hackers bypass SIP root restrictions Date: 2023-05-30 Author: Bleeping Computer Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. Discovered and reported to Apple by a team of Microsoft security researchers, the flaw (dubbed Migraine) is now tracked as CVE-2023-32369. Apple has patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18. Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards Date: 2023-05-31 Author: Security Week Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations. The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform. Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. The dropped file then downloads and runs another payload fetched from Gigabyte servers. Hackers exploit critical Zyxel firewall flaw in ongoing attacks Date: 2023-05-31 Author: Bleeping Computer Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following product versions to apply to resolve the vulnerability: ATP – ZLD V4.60 to V5.35 USG FLEX – ZLD V4.60 to V5.35 VPN- ZLD V4.60 to V5.35 ZyWALL/USG – ZLD V4.60 to V4.73 New Mirai Variant Campaigns are Targeting IoT Devices Date: 2023-05-29 Author: Infosecurity Magazine Unit 42, Palo Alto Networks threat research team, has found new malicious activity targeting IoT devices, using a variant of Mirai, a piece of malware that turns networked devices running Linux, typically small IoT devices, into remotely controlled bots that can be used in large-scale network attacks. Dubbed IZ1H9, this variant was first discovered in August 2018 and has since become one of the most active Mirai variants. ‘Dark Pink’ APT attacks governments, militaries, more in Thailand, Brunei, Belgium, Vietnam and Indonesia Date: 2023-06-01 Author: The Record The Dark Pink hacker group has been tied to five new attacks on governments, militaries and organizations based in Belgium, Thailand, Brunei, Vietnam and Indonesia. Researchers from Group-IB have been tracking the group for months and said it has been active since mid-2021, compromising at least 13 organizations across Europe and the Asia-Pacific region. ESB-2023.3083 – Advantech WebAccess/SCADA: CVSS (Max): 7.3 Advantech released a new version 9.1.4 to address a vulnerability in SCADA which, if exploited, could allow an attacker to gain full control of the server. ESB-2023.3086 – VMware Products: CVSS (Max): 6.1 An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was reported to VMware. Updates are available to address this vulnerability in affected VMware products. ESB-2023.3060 – Red Hat Advanced Cluster Management: CVSS (Max): 9.8 Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability has released fixes for security issues and update container images. ESB-2023.3119 – texlive-bin: CVSS (Max): 9.8 It was discovered that the patch to fix CVE-2023-32700 in texlive-bin, released as DLA-3427-1, was incomplete and caused an error when running the lualatex command. This has been addressed in a texlive-bin package upgrade. ESB-2023.3099 – wireshark: CVSS (Max): 8.8 An update for wireshark has fixed six vulnerabilities and various application crashing issues. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 26th May 2023

Greetings, Today, we respectfully recognise and remember the unjust treatment endured by Aboriginal and Torres Strait Islander individuals and communities who have been forcibly separated from their families and culture. National Sorry Day is an opportunity for us to come together as a nation to commemorate the strength and resilience of the Stolen Generation survivors and reflect on how we can all contribute to the healing process. With National Reconciliation Week just around the corner, there are plenty of opportunities to learn about our shared histories, cultures and achievements and to explore how each of us can contribute to achieving reconciliation in Australia. Registrations are now open for AUSCERT’s upcoming training courses, designed to enhance your skills and empower your mind! Our courses are facilitated by trainers who possess extensive industry experience and pride themselves on creating engaging, interactive and high quality learning experiences. In two half-day, online sessions they will guide you through the principles and practices whilst also drawing from their own valuable career insights to enrich your learning experience. Our first upcoming course, Cyber Security Risk Management, is designed to provide participants with the ability to perform risk assessments including how to rate, assess and report business risks rather than technical vulnerabilities. We have a wide range of courses to choose from, for more information visit AUSCERT Education. In other news, Telstra has launched a new scam reporting service allowing customers to forward suspicious SMS and MMS messages to a national phone number (7226) to help identify and block scam messages. With scams on a rapid rise in Australia the best defence is to stay informed and question every unexpected communication regardless of the sender. Although, it is becoming increasing difficult to detect a fraudulent message as scammers are appearing more and more authentic. For tips and tools on how to recognise, avoid and report scams visit Scamwatch. Or alternatively, if you’re an AUSCERT member you can contact our 24/7 Incident Support Service where we can help you detect, interpret and respond to attacks. It’s better to be too safe than sorry when it comes to scams! Experts Warn of Voice Cloning-as-a-Service Date: 2023-05-19 Author: Infosecurity Magazine Security experts are warning of surging threat actor interest in voice cloning-as-a-service (VCaaS) offerings on the dark web, designed to streamline deepfake-based fraud. Recorded Future’s latest report, I Have No Mouth and I Must Do Crime, is based on threat intelligence analysis of chatter on the cybercrime underground. Deepfake audio technology can mimic the voice of a target to bypass multi-factor authentication, spread mis- and disinformation and enhance the effectiveness of social engineering in business email compromise (BEC)-style attacks, among other things. Google will delete accounts inactive for more than 2 years Date: 2023-05-21 Author: Bleeping Computer Google has updated its policy for personal accounts across its services to allow a maximum period of inactivity of two years. After that time has passed, the accounts "may" be deleted, along with all their contents, settings, preferences, and user-saved data. This includes all data stored on services such as Gmail, Docs, Drive, Meet, Calendar, Google Photos, and YouTube. Here's how you can help report SMS and MMS scams to Telstra Date: 2023-05-24 Author: techAU Telstra has launched a new scam reporting service that allows customers to forward suspicious SMS and MMS messages to a national phone number. The service, which is free to use, will help Telstra to better identify and block scam messages. To report a scam message, customers simply need to forward the message to 7226. Telstra will then investigate the message and take appropriate action, such as blocking the sender or reporting the message to the relevant authorities. Australian critical infrastructure operators urged to move off Chinese tech Date: 2023-05-23 Author: iTnews A sweep of Chinese-made hardware and software from the federal government could be expanded to cover critical infrastructure operators as well, with the government already assessing its powers for “market intervention”. The comments, made by Home Affairs officials at senate estimates yesterday, come as the government increasingly suspends its use of Chinese-made technology over security concerns. Home Affairs to migrate AUSTRAC, ACIC out of cyber hub Date: 2023-05-23 Author: iTnews Home Affairs will spend $3.7 million helping AUSTRAC and the Australian Criminal Intelligence Commission (ACIC) transition off cyber security services it provided under the government’s axed cyber hubs pilot. The pilot was discontinued earlier this month after a Finance-led review of the pilot scheme. ESB-2023.2979 – Tomcat: CVSS (Max): 7.5 The previous fix for CVE-2023-24998 was incomplete. Apache has released regression update to address the issue ESB-2023.3006 – ALERT GitLab Community Edition and Enterprise Edition: CVSS (Max): 10.0 A critical file read vulnerability has been addressed in the new releases of GitLab ESB-2023.3025 – jenkins and jenkins-2-plugins: CVSS (Max): 9.8 An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for Red Hat OCP ESB-2023.2965 – WordPress: CVSS (Max): None WordPress 6.2.2 is now available which addresses 1 security issue and 1 bug issue Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 19th May 2023

Greetings, Although our bodies are feeling a bit worse for wear from last week’s conference our minds are buzzing with new information, skills, and possibilities! After the amazing week we had last week it’s safe to say the AUSCERT team was a little slower this week, taking vital time to rest and recover after all the shenanigans. Although it was all worth it to catch up with past members, meet new members and strengthen our community bond! In addition to providing cutting-edge education, one of the most significant attractions of the conference lies in its vibrant community, fostering idea sharing and facilitating valuable networking opportunities. Google has sparked a lot of controversy with its roll out of new ‘.zip’ and ‘.mov’ top level domains (TLDs). The reason for the concern is that these domains are commonly used for file extensions and may aid threat actors in misleading potential victims. Cybersecurity researchers and professionals are concerned that this will add unnecessary risk to an already risky environment and increase phishing scams and malware downloads. Threat actors could potentially obtain a ZIP domain with the same name as other trusted brands and create fake sites to manipulate unknowing consumers into providing personal information or transferring funds. This has triggered a controversial debate online with many researchers also rebutting these arguments and claiming it’s not that bad and everyone shouldn’t panic. Google mimicked these arguments by saying it takes phishing and malware seriously and has existing mechanisms in place to protect users if new threats emerge. Only time will tell whether this was a smart move by Google or whether it will give further ammunition to scammers. In more positive news, the federal government has announced it will spend $58 million to create the national anti-scams centre to report scams and distribute information more efficiently to banks, law enforcement and vulnerable communities. This will facilitate faster responses to reported scams by establishing a team of industry and law enforcement experts to act efficiently on scam trends. After the ACCC reported a loss of billions due to scams last year, the government and banks have been put under considerable pressure by consumers to develop safer systems, including a new method of dealing with fraudulent transactions. The Australian Banking Association has announced its new digital platform called ‘Fraud Reporting Exchange’, which will allow banks to share information about scam transactions quickly between each other. At least we are taking steps in the right direction to work together to put a stop to scammers. TechnologyOne still investigating impact of M365 cyber incident Date: 2023-05-12 Author: iTnews TechnologyOne said it had managed to contain an incident that impacted its internally-used Microsoft 365 instance earlier this week, and that the system is operating again. In an update [pdf], the software maker said M365 was “successfully restored and is fully operational”. On Wednesday, TechnologyOne disclosed there had been unauthorised access to its M365 instance. It said that “security experts” had since “confirmed our Microsoft 365 system is secure”. Google's .zip Top Level domain is already used in phishing attacks Date: 2023-05-15 Author: ghacks.net Google released the top-level domain .zip to the public recently, which means that interested organizations and users may register .zip domains. Cyber criminals are already using .zip domains in phishing campaigns. According to the SANS Internet Storm Center, about 1230 names have been registered so far. The top level domain was approved in 2014 but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions. It seems that Google has reduced the registration price to $15 per year for a .zip domain last week, which appears to be less than halve the previous price. Drug and alcohol tests of graduate paramedics revealed in Ambulance Victoria data breach Date: 2023-05-12 Author: The Guardian The confidential drug and alcohol test results of graduate paramedics were available for every Ambulance Victoria staff member to view under a significant breach that has been reported to the state’s privacy watchdog. The Ambulance Victoria chief executive, Jane Miller, confirmed on Friday afternoon that the “unacceptable” breach involved 600 test results relating to a “few hundred” people, and offered her unreserved apology to those impacted. Parental control app with 5 million downloads vulnerable to attacks Date: 2023-05-16 Author: Bleeping Computer Kiddowares 'Parental Control – Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing. The Kids Place app is a parental control suite with 5 million downloads on Google Play, offering monitoring and geolocation capabilities, internet access and purchasing restrictions, screen time management, harmful content blocking, remote device access, and more. MalasLocker ransomware targets Zimbra servers, demands charity donation Date: 2023-05-17 Author: Bleeping Computer A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted. Microsoft is scanning the inside of password-protected zip files for malware Date: 2023-05-16 Author: Ars Technica Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code. ESB-2023.2867 – WordPress: CVSS (Max): None WordPress released WordPress 6.2.1 that features 20 bug fixes in Core and 10 bug fixes for the block editor. ESB-2023.2892 – Cisco Small Business Series Switches: CVSS (Max): 9.8 Cisco has released software updates that address multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches. ESB-2023.2910 – Google Chrome: CVSS (Max): None Google released Chrome 113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows that contains 12 security fixes. ESB-2023.2911 – Jenkins Plugins: CVSS (Max): 8.8 Multiple vulnerabilities affecting various Jenkins plugins have been addressed by Jenkins Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 12th May 2023

Greetings, What an amazing week it’s been at AUSCERT2023! Attending cyber security conferences can be wonderfully rewarding, but also quite daunting for first time attendees or those with a neuro-diverse background. This year at AUSCERT2023 we once again featured an onsite psychologist for attendees to visit and discuss anything from mental wellbeing right through to life coaching. In addition, The University of Queensland’s Shelly Mills coordinated a panel discussion with Trinity McNicol from Sunshine Coast University on neurodiversity in the workplace, and how employers and team members can support these individuals. With “Back to the Future” for our theme, past AUSCERT team member Mark McPherson joined forces with present-day AUSCERT Senior Analyst Eric Halil to present a wonderful trip down memory lane beginning in the late 1980s, when the seeds were planted to form the AUSCERT we know today. If you missed this or any of the presentations, watch out for the YouTube uploads later on. Organisations are realising that data governance is an extremely important mitigating control against breaches, and this shift has brought professionals from both the cybersecurity and data governance fields together. The AUSCERT2023 Conference featured Troy Hunt, long-time cyber security expert and creator of the Have I Been Pwned website, Craig Rowlands, Director of Technology Data at Bupa, Kate Carruthers, Chief Data & Insights Officer for UNSW Sydney and The University of Queensland’s Sasenka Abeysooriya, Strategist and Data Governance Expert in a cross-discipline discussion on the importance of data governance and cyber security strategy. At the heart of this week’s AUSCERT2023 Conference was a strong theme of working together to achieve common goals. An amazing number of “hallway conversations” took place amongst the delegates, sharing ideas and comparing notes with other professionals from many disciplines. Next week delegates will return to their workplaces armed with a wealth of knowledge from those conversations, tutorials and the very latest content from the presentations. The coming weekend will hopefully give our delegates a chance to restore a healthy work-life balance and rest up, especially after celebrating last night at the Back to the Future themed gala dinner, featuring once again the amazing DJ Clariti and AUSCERT Awards! In case you missed this week’s cyber security news while attending AUSCERT2023, here’s the top stories: Western Digital says hackers stole customer data in March cyberattack Date: 2023-05-07 Author: Bleeping Computer Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers’ data was stored in a Western Digital database stolen during the attack. “Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers,” Western Digital said. Microsoft: Iranian hacking groups join Papercut attack spree Date: 2023-05-08 Author: Bleeping Computer Microsoft says Iranian state-backed hackers have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers. These groups are tracked as Mango Sandstorm (aka Mercury or Muddywater and linked to Iran’s Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35 and tied to Iran’s Islamic Revolutionary Guard Corps). 1 Million Impacted by Data Breach at NextGen Healthcare Date: 2023-05-08 Author: Security Week Healthcare solutions provider NextGen Healthcare has started informing roughly one million individuals that their personal information was compromised in a data breach. Headquartered in Atlanta, Georgia, the company makes and sells electronic health records software and provides doctors and medical professionals with practice management services. FluHorse: New Android Threat Stealing 2FA Codes and Passwords Date: 2023-05-08 Author: Cyware Hacker News According to a recent report by Check Point Research, a new type of malware, named FluHorse, has been discovered. The malware comprises a cluster of Android apps that masquerade as genuine applications. Shockingly, the fake apps have already been downloaded by more than one million users. FluHorse is created to pilfer personal information such as usernames, passwords, and 2FA codes. The distribution of the FluHorse malware occurs through email, and it targets various sectors in the Eastern Asian market. NodeStealer: New Information-stealing Threat Terminated by Facebook Date: 2023-05-09 Author: Cyware Hacker News A new information-stealing malware, named NodeStealer, has been discovered by Facebook. It can steal browser cookies to hijack accounts on the platform, as well as Outlook and Gmail accounts. Furthermore, it allows its operator to bypass 2FA. About the campaign Facebook’s engineers spotted the NodeStealer malware first in late January and linked the attacks to Vietnamese threat actors. Cybercriminals aim to hijack the Facebook account’s ability to run advertising campaigns and push misinformation or lead audiences to sites spreading malware. ESB-2023.2521 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.6 GitLab has released versions 15.11.2, 15.10.6, and 15.9.7 for Community Edition (CE) and Enterprise Edition (EE). ASB-2023.0103 – ALERT Microsoft Windows: CVSS (Max): 9.8 Microsoft’s most recent patch update resolves 27 vulnerabilities across Windows, Windows Server, Remote Desktop and Av1 Video Extension. ASB-2023.0105 – ALERT Microsoft ESU: CVSS (Max): 9.8 Microsoft has resolved 14 vulnerabilities with Windows Server 2008 variants. ESB-2023.2691 – emacs: CVSS (Max): 9.8 Issues have been discovered in Emacs which, if exploited, could result in the execution of arbitrary shell commands. This has been fixed in a new version. ESB-2023.2694 – Citrix ADC and Citrix Gateway: CVSS (Max): 6.3 Citrix reports vulnerabilities in ADC and Gateway, and advises its users to install relevant updated versions. ESB-2023.2693 – Nessus Network Monitor: CVSS (Max): 9.8 Tenable has discovered vulnerabilities in Nessus Network Monitor, and released a critical patch to address these issues. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 5th May 2023

Greetings, The first known use of an authentication system dates back to the Ancient Roman times where the military would use “watchwords” to prove membership to a unit. In those days, passwords became used as ways to signal affiliation with a particular societal position. In 1961 the password evolved to a digital platform when MIT computer science professor Fernando Corbato created the first computer password, as he needed individual users to have their own private access. Just two years later, the first recorded password theft occurred as one of the users printed the system’s password file to gain more privileges. Back to the future: this week, some sixty years later we celebrated world password day! As our use of passwords rapidly increased so did their predictability. With so many passwords to remember we became obvious in our choices to ensure it could be easily remembered, often using our birthdays, family names, beloved pets or even simply “password123”. Password cracking became even simpler for hackers as they caught on to the “best practice” trends promoted within the community. While encryption and hashing technology improved, so has the technology available to attackers, meaning that even our longer and more complex passwords were no longer a barrier of entry. Here’s what you should know about the latest recommended password security and best practices: Choose a strong password & keep it confidential – combine uppercase and lowercase letters, numbers and special characters in a random order. The more random the better! Also the longer the better – a minimum of 8 characters. The best password is a “passphrase” combining four or five random words that you’ll easily remember. Don’t reuse passwords for important systems. That means you’ll also need to keep track of all your passwords securely. Write it on paper and lock it in a secure location or better yet, use a password manager system that stores all your passwords securely in one location. Use a multi-factor authentication (MFA) system. By requiring a factor other than just your password (for example a verification code sent to your phone), multi-factor authentication can keep a hacker from being able to log onto your account even if they do get a hold of your password. Spread the word about this both at home and at work – remember that if we’re all used to employing these protective layers at home, it’s also more likely we’ll take the same care in the workplace! See you at AUSCERT2023 next week! Fortinet warns of a spike in attacks against TBK DVR devices Date: 2023-05-02 Author: Security Affairs FortiGuard Labs researchers are warning of a spike in malicious attacks targeting TBK DVR devices. Threat actors are attempting to exploit a five-year-old authentication bypass issue, tracked as CVE-2018-9995 (CVSS score of 9.8), in TBK DVR devices. The CVE-2018-9995 flaw is due to an error when handling a maliciously crafted HTTP cookie. A remote attacker can trigger the flaw to obtain administrative privileges and eventually gain access to camera video feeds. TBK Vision is a video surveillance company that provides network CCTV devices and other related equipment, including DVRs for the protection of critical infrastructure facilities. Apple pushes first-ever 'rapid' patch – and rapidly screws up Date: 2023-05-02 Author: The Register Apple on Monday pushed to some iPhones and Macs its first-ever rapid security fix. This type of patch is supposed to be downloaded and applied automatically and seamlessly by the operating system to immediately protect devices from exploitation, thus avoiding the usual system update cycle that users may put off or miss and thus leave their stuff vulnerable to attack. As luck would have it, though, this first-of-its-kind patch didn't go off without a hitch. Some Cupertino fans reported problems actually getting the update. CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service Date: 2023-05-02 Author: Zero Day Initiative A heap-based buffer overflow has been reported in Microsoft DHCPv6 Server. The vulnerability is due to improper processing of DHCPv6 Relay-forward messages. A remote attacker can exploit this vulnerability by sending crafted DHCPv6 Relay-forward messages to the target server. Successful exploitation could result in the execution of arbitrary code with administrative privileges. Australian law firm HWL Ebsworth hit by Russian-linked ransomware attack | Data and computer security Date: 2023-05-02 Author: The Guardian The Australian commercial law firm HWL Ebsworth has fallen victim to a ransomware attack, with Russian-linked hackers claiming to have obtained client information and employee data. Late last week, the ALPHV/Blackcat ransomware group posted on its website that 4TB of company data had been hacked, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. Meta says ChatGPT-related malware is on the rise Date: 2023-05-04 Author: iTnews Lures users into downloading malicious apps and browser extensions. Meta said it had uncovered malware purveyors leveraging public interest in ChatGPT to lure users into downloading malicious apps and browser extensions, likening the phenomenon to cryptocurrency scams. Since March, the social media giant has found around 10 malware families and more than 1000 malicious links that were promoted as tools featuring the popular artificial intelligence-powered chatbot, it said in a report. In some cases, the malware delivered working ChatGPT functionality alongside abusive files, the company said. ESB-2023.2453 – Android OS: CVSS (Max): 9.8* Android's most recent security bulletin contains details of vulnerabilities affecting Android devices. The most severe vulnerability affects the Framework component which could lead to local escalation of privilege. ESB-2023.2463 – GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 7.5* GitLab has released versions 15.11.1, 15.10.5, and 15.9.6 for GitLab Community Edition and Enterprise Edition which contain important security fixes. ESB-2023.2504 – chromium: CVSS (Max): None Multiple security issues have been reported in Chromium, which if exploited could result in the execution of arbitrary code, denial of service or information disclosure. ESB-2023.2501 – AirPods and Beats: CVSS (Max): None Apple has released updates for AirPods Firmware and Beats Firmware to address multiple security issues. ESB-2023.2502 – Cisco SPA112 2-Port Phone Adapters: CVSS (Max): 9.8 As SPA112 2-Port Phone Adapters have reached end of life, Cisco advises its customers to migrate to the ATA 190 Series Analog Telephone Adapter. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 28th April 2023

Greetings, This week we commemorated the Anzac soldiers for their bravery, courage, and ultimate sacrifice for our great nations. We pay respect to the victims and their families and vow to always honour and remember them. Lest we forget! In other less sombre news we released our new podcast episode this week featuring Eric Pinkerton titled ‘Changing Behaviour in Cyber’. Eric, CEO of Phronesis, Australia’s first B-Corp certified cyber security company committed to doing good. In this episode Eric and Anthony examine how people’s behaviours changed during the pandemic and how we can use this knowledge to influence the cyber world. Understanding people’s behaviours is important to understanding the tactics that hackers may take. Hackers pry on our natural instincts and emotions as humans to bait us into a vulnerable position. Scammers are luring naïve consumers into becoming their money mules and exploiting the widening knowledge gap of fraudulent activity. Sadly, emotionally vulnerable people are the most targeted as hackers utilise key methods to exploit their feelings and reap rewards. The Australian Competition and Consumer Commission (ACCC) reported investment scams or ‘get rich schemes’ were the highest reported scams with an astonishing $377 million lost. Dating and Romance scams were the second most targeted approach with the ACC reporting 40 million lost to this last year. Hackers would pull at heart strings to get funds from helpless victims, arguably one of the cruellest forms of consumer-facing fraud as it would often cause significant distress. The preferred method of contact that scammers preferred was phone calls or text messages with 55% of all scams last year being via phone devices. Angry consumers believe the accountability lies with banks to provide reimbursement if they fall victim to a scam or a third-party fraud. To combat scam losses the government is looking into different initiatives to better safeguard consumers. A $10million commitment has been announced to fund a SMS sender register to prevent sender ID scams imitating key industry or government brand names in text message headers. As criminals get more authentic we as a society must also be more vigilant on the warning signs of a scam and ensure not to fall victim to their emotive baiting techniques. New SLP bug can lead to massive 2,200x DDoS amplification attacks Date: 2023-04-25 Author: Bleeping Computer A new reflective Denial-of-Service (DoS) amplification vulnerability in the Service Location Protocol (SLP) allows threat actors to launch massive denial-of-service attacks with 2,200X amplification. This flaw, tracked as CVE-2023-29552, was discovered by researchers at BitSight and Curesec, who say that over 2,000 organizations are using devices that expose roughly 54,000 exploitable SLP instances for use in DDoS amplification attacks. Vulnerable services include VMware ESXi Hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex Routers deployed by unsuspecting organizations worldwide. Clop, LockBit ransomware gangs behind PaperCut server attacks Date: 2023-04-26 Author: Bleeping Computer "Members who potentially utilize this product have been notified" Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data. Last month, two vulnerabilities were fixed in the PaperCut Application Server that allows remote attackers to perform unauthenticated remote code execution and information disclosure. Decoy Dog malware toolkit found after analyzing 70 billion DNS queries Date: 2023-04-23 Author: Bleeping Computer A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity. Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations. Researchers from Infoblox discovered the toolkit in early April 2023 as part of its analysis of over 70 billion DNS records daily to look for signs of abnormal or suspicious activity. Gov to fund SMS sender ID register with $10m Date: 2023-04-24 Author: itnews A government-run register of SMS sender IDs will go ahead courtesy of a $10 million commitment to be made in next month’s federal budget. Communications minister Michelle Rowland said yesterday that the funding, to be announced as part of the 2023-24 Budget on May 9, would run over four years. Rowland had asked the ACMA to investigate a local register, and other models, back in February as a way to combat rising scam losses. Investigation into PostalFurious: a Chinese-speaking phishing gang targeting Singapore and Australia Date: 2023-04-21 Author: Group-IB Phishing attacks are becoming ever more sophisticated and their scale is increasing exponentially. The automation of many processes and the growing popularity and accessibility of phishing kits over recent years has made it much easier for cybercriminals to set up fraudulent infrastructure to steal user credentials, bank card details, addresses, OTP codes, IP addresses, and other sensitive information. ESB-2023.2371 – Tenable.sc: CVSS (Max): 8.1 One of the third-party components (PHP) of Tenable.sc was found to contain vulnerabilities, and updated versions have been made available by the providers ESB-2023.2370 – VMware Workstation Pro / Player (Workstation) and VMware Fusion: CVSS (Max): 9.3 Multiple security vulnerabilities in VMware Workstation and Fusion were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in the affected VMware products ESB-2023.2311 – thunderbird: CVSS (Max): 8.2 Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code ESB-2023.2293 – curl: CVSS (Max): 9.8 This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 21st April 2023

Greetings, Earth Day is tomorrow! A great opportunity to be grateful for the world we live in and reflect on ways we as individuals can reduce our environmental footprint. Avoid single use items, reduce energy consumption, encourage recycling, conserve water, and plant a tree! Established in 1970 Earth Day has become a world phenomenon with over 190 countries participating in a wide variety of environmental activities to drive change. President of Earth Day, Kathleen Rogers, proclaimed this year’s theme is to invest in a green economy to pave a path for a healthy, prosperous and equitable future. So tomorrow make sure to take the time to do something to benefit our beautiful green world! Just as we must invest in protecting our natural environment so too must we protect our cyber environment too. With the increasingly growing rate of scams, it has become imperative for every organisation to invest in their cyber security by providing their employees with the latest education, training and resources to prepare for any attack. The ACCC reported a record loss of $3.1billion to scams last year an astonishing 80% increase over last year. Scammers and hackers have become far more sophisticated in the tactics they are utilising, making them appear genuine, believable, and very difficult to detect. Experts worry this will only continue to increase as artificial intelligence scams are on a rapid rise with hackers now using voice cloning technologies to trick people. Microsoft revealed a new AI system which could recreate a person's voice after listening to them speak for only 3 seconds, a spine tingling sign of how quickly technology could be used to convincingly replicate a key piece of someone’s identity. At this year’s AUSCERT2023 conference we are featuring a new tutorial delivered by global cyber security company, Palo Alto Networks. Their zero trust architects will be hosting a Security Posture Assessment workshop to provide an in-depth analysis of the current state of your security environment. The experts will consult your cyber teams on the vulnerabilities present and priority areas of your organisation, providing recommendations and objectives to strengthen against cyber attacks.Register today to invest in your cyber security protection, hurry spaces limited! … Google patches another actively exploited Chrome zero-day Date: 2023-04-19 Author: Bleeping Computer Google has released a security update for the Chrome web browser to fix the second zero-day vulnerability found to be exploited in attacks this year. "Google is aware that an exploit for CVE-2023-2136 exists in the wild," reads the security bulletin from the company. The new version is 112.0.5615.137 and fixes a total of eight vulnerabilities. The stable release is available only for Windows and Mac users, with the Linux version to roll out "soon," Google says. Hackers actively exploit critical RCE bug in PaperCut servers Date: 2023-04-19 Author: Bleeping Computer [See AUSCERT Security Bulletin 21 April 2023 ASB-2023.0102] https://portal.auscert.org.au/bulletins/ASB-2023.0102 Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers. PaperCut makes printing management software compatible with all major brands and platforms. It is used by large companies, state organizations, and education institutes, while the official website claims it serves hundreds of millions of people from over 100 countries. Australian insurers warn against outright ransomware payment ban Date: 2023-04-18 Author: iTnews The Insurance Council of Australia has warned the government to tread carefully in its contemplation of an outright ban on paying ransoms and extortion demands in data breach incidents. The council also wants the federal government to simplify and “harmonise” cyber security requirements on business, while it contemplates drafting a specific Cyber Security Act. Fortra attributes GoAnywhere breach to a zero day vulnerability Date: 2023-04-20 Author: iTnews Fortra has published a post mortem of the GoAnywhere hack that compromised end user data in January and February. Australian organisations affected by the data breach include Tasmania’s education department, Rio Tinto, and Crown Resorts. The company said the attack used a zero-day vulnerability, CVE-2023-0669, which it said is a “pre-authentication command injection vulnerability … due to deserialising an arbitrary attacker-controlled object”. UK and US issue warning about APT28 actors exploiting poorly maintained Cisco routers Date: 2023-04-18 Author: NCSC UK and US agencies have today (Tuesday) issued a joint advisory to help organisations counter malicious activity used by Russian cyber actors to exploit poorly maintained Cisco routers. APT28 – a threat group attributed to Russia’s military intelligence service the GRU – has been observed taking advantage of poorly configured networks and exploiting a known vulnerability to deploy malware and access Cisco routers worldwide. ASB-2023.0098 – Oracle PeopleSoft: CVSS (Max): 9.8 Oracle's Critical Patch Update release contains 10 new security patches for Oracle PeopleSoft. 8 of these vulnerabilities may be remotely exploitable without authentication. ESB-2023.2198 – Google Chrome: CVSS (Max): None Google released an update for Chrome which addresses a type confusion in V8 vulnerability that has been exploited in the wild. ESB-2023.2257 – Schneider Electric Easy UPS Online Monitoring Software: CVSS (Max): 9.8 Schneider Electric has released security updates for Schneider Electric Easy UPS Online Monitoring Software which fix remote code execution, escalation of privileges, and authentication bypass. ESB-2023.2282 – VMware Aria Operations for Logs: CVSS (Max): 9.8 VMware released updates and workarounds which address multiple vulnerabilities in VMware Aria Operations for Logs. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 14th April 2023

Greetings, With Easter celebrations now behind us, let us embrace the spirit of this holiday as a chance to embark on new adventures, pursue new goals and embrace new experiences. As Autumn unfolds around us temperatures begin to cool and leaves begin to change, it is a powerful reminder of the ever-evolving nature of our world. With it we must ensure to be constantly developing new skills and acquiring knowledge to continue our own self-growth and improvement. Just like nature the digital world is constantly growing and evolving, with new technologies, platforms and applications emerging at an unprecedented rate. The rapid growth and evolution of technological advancements has transformed the digital landscape, and today we are witnessing a whole new era of innovation. We encourage members to undertake frequent cyber security training and courses to promote a culture of awareness and help protect against threats and attacks as new vulnerabilities emerge in the ever-evolving digital environment. This year we have a wide variety of exciting tutorials featured in our AUSCERT2023 conference program specifically designed to ensure your organisation is properly equipped. Particularly the workshops from the SANS Institute ,the world’s largest provider of cyber security training. Spaces are limited so register now! Recently popular targets of cyber-attacks include Microsoft and Adobe software, with increasing reports of vulnerabilities. For the second month in a row Microsoft is pushing out urgent updates to fix an already exploited vulnerability in its flagship windows operating systems. This was announced the same day that Adobe rolled out security fixes to 56 vulnerabilities in a wide range of its products. With high profile software companies under constant threat of malicious activity and potential exposure of consumer data it is important to work together and develop a better strategy to safeguard our cyber security. A reminder the government’s 2023-2030 Australian Cyber Security Strategy Discussion papers are due by tomorrow. Submit your views and recommendations on how the government can better secure the digital economy and thriving cyber ecosystem. … Exploit available for critical bug in VM2 JavaScript sandbox library Date: 2023-04-07 Author: Bleeping Computer [See ASB-2023.0060] Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. The library is designed to run untrusted code in an isolated context on Node.js servers. It allows partial execution of the code and prevents unauthorized access to system resources or to external data. Microsoft Patches Another Already-Exploited Windows Zero-Day Date: 2023-04-11 Author: Security Week [See ASB-2023.0061] For the second month in a row, Microsoft is pushing out urgent patches to cover an already-exploited vulnerability in its flagship Windows operating system. The vulnerability, flagged as zero-day by researchers at Mandiant, is described as an elevation of privilege issue in the Windows Common Log File System driver. In an advisory documenting the CVE-2023-28252, Redmond warns that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. 3CX confirms North Korean hackers behind supply chain attack Date: 2023-04-12 Author: Bleeping Computer VoIP communications company 3CX confirmed today that a North Korean hacking group was behind last month’s supply chain attack. “Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” 3CX CISO Pierre Jourdan said today. Windows admins warned to patch critical MSMQ QueueJumper bug Date: 2023-04-12 Author: Bleeping Computer Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service patched by Microsoft during this month’s Patch Tuesday and exposing hundreds of thousands of systems to attacks. MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with “guaranteed message delivery,” and it can be enabled via PowerShell or the Control Panel. MSI hit in cyberattack, warns against installing knock-off firmware Date: 2023-04-07 Author: The Register Owners of MSI-brand motherboards, GPUs, notebooks, PCs, and other equipment should exercise caution when updating their device’s firmware or BIOS after the manufacturer revealed it has recently suffered a cyberattack. In a statement shared on Friday, MSI urged users “to obtain firmware/BIOS updates only from its official website,” and to avoid using files from other sources. ESB-2023.2108 – Adobe Acrobat and Reader: CVSS (Max): 8.6 Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS which fix arbitrary code execution, privilege escalation, security feature bypass and memory leak vulnerabilities. ASB-2023.0066 – ALERT Microsoft ESU: CVSS (Max): 9.8 Microsoft has released its monthly security patch update which resolves 44 vulnerabilities across Microsoft Extended Security Update (ESU). ASB-2023.0061 – ALERT Windows: CVSS (Max): 9.8 Microsoft’s most recent security patch update resolves 77 vulnerabilities in Windows and Windows Server. ESB-2023.2063 – ALERT macOS Monterey: CVSS (Max): None Apple has released macOS Monterey 12.6.5 which delivers important security enhancements to Mac devices running macOS Monterrey. ESB-2023.2065 – ALERT macOS Big Sur: CVSS (Max): None Apple released a security update for macOS Big Sur which according to Apple’s security updated notes fixes the vulnerability labeled CVE-2023-28206. ESB-2023.2062 – ALERT macOS Ventura: CVSS (Max): None Apple pushed a new macOS Ventura 13.3.1 update which includes bug fixes and security updates for CVE-2023-28206 and CVE-2023-28205. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more