Week in review

AUSCERT Week In Review for January 6th 2023

Greetings,

With Australia taking out the unenviable title of the most hacked nation in the world during the last quarter of 2022, it shouldn’t be a surprise that spending on cybersecurity has grown in parallel and shows no sign of slowing. Following the spate of cyber-attacks impacting millions of Australians in 2022, organisations are looking to increase their cyber resilience. Cyber Security Connect recently reported that businesses are re-evaluating cyber practices, including working together, to combat the increasing cyber threats.

Although many of us have had some time off during the festive season, cybercriminals seem to have been hard at work, with several ransomware attacks impacting organisations across the globe. QUT, The Guardian UK and SickKids, a research hospital in Toronto, are just some of the organisations that have experienced ‘serious IT issues’, resulting in staff being forced to work from home along with other major service disruptions. In the instance of the hospital, however, the ransomware gang apologised and provided a free decryptor. These situations reinforce the need to increase cyber resilience, but also show that organisations may need to focus on behaviour and culture, including improving security awareness and training.

One way to improve awareness, understanding and insight into industry trends is to listen to AUSCERT’s podcast series, Share Today, Save Tomorrow. Now with eighteen episodes, there’s sure to be something for everyone – happy listening!

Ransomware impacts over 200 govt, edu, healthcare orgs in 2022
Date: 2023-01-02
Author: Bleeping Computer

Ransomware attacks in 2022 impacted more than 200 larger organizations in the U.S. public sector in the government, educational, and healthcare verticals. Data collected from publicly available reports, disclosure statements, leaks on the dark web, and third-party intelligence show that hackers stole data in about half of these ransomware attacks.

Python's PyPI registry suffers another supply-chain attack
Date: 2023-01-04
Author: iTnews

Unknown attackers have compromised a package in the Python PyPI registry, injecting a malicious binary into it, the maintainers of the open source machine learning framework PyTorch are warning. PyTorch maintainers said the compromised dependency affected the nightly release of their code, but not the stable packages. The compromised package is torchtriton, which is part of the Triton language and compiler, which is used for writing custom deep-learning primitives.

'Multiple security breaches' shut down trucker protest
Date: 2023-01-03
Author: The Register

An anti-government protest by truckers in Canada has been called off following "multiple security breaches," according to organizers, who also cited "personal character attacks" as a reason for the withdrawal. Canada Unity, one of the groups that organized last year's so-called Freedom Convoy – during which truckers and others overtook Canadian city streets to protest mandatory COVID-19 vaccinations – has canceled a repeat demonstration planned for February 17 to 20, according to a press release posted to the group's Facebook page.

200 million Twitter users' email addresses allegedly leaked online
Date: 2023-01-04
Author: Bleeping Computer

A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. BleepingComputer has confirmed the validity of many of the email addresses listed in the leak.

Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces.

Car companies massively exposed to web vulnerabilities
Date: 2023-01-04
Author: The Daily Swig

The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn. In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars. The findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem.

BitRat Malware Gnaws at Victims With Bank Heist Data
Date: 2023-01-05
Author: Dark Reading

Threat actors are using data stolen from a Colombian bank as a lure in what appears to be a malicious campaign aimed at spreading the BitRAT malware, researchers have found. The activity demonstrates the evolution of how attackers are using commercial, off-the-shelf malware in advanced threat scenarios, they said. Researchers at IT security and compliance firm Qualys were investigating "multiple lures" for BitRAT when they identified that the infrastructure of a Colombian cooperative bank had been hijacked. Attackers were using sensitive data gleaned from that compromise to try to capture victims, they reported in a blog post published Jan. 3.

ESB-2023.0068 – Android OS: CVSS (Max): 8.8*
Security patch levels of 2023-01-05 or later address the security vulnerabilities affecting Android devices.

ESB-2023.0077 – OpenShift Container Platform 4.10.46: CVSS (Max): 9.8
Red Hat released an update that fixes several bugs and adds enhancements to OpenShift Container Platform.

ESB-2023.0063 – Apache Tomcat: CVSS (Max): None
The Apache Software Foundation released fixes for the vulnerabilities in Apache Tomcat.

ESB-2023.0062 – WebSphere Application Server Patterns: CVSS (Max): 5.9
Multiple vulnerabilities in the IBM SDK Java Technology Edition affect IBM WebSphere Application Server, which is bundled with IBM WebSphere Application Server Patterns.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

AUSCERT Week In Review for December 23rd 2022

Greetings,

With a little over a week left for the year, many people look towards the year ahead, often making resolutions focused on their health, finance or perhaps an overseas trip. Whilst we can’t help on those fronts, we thought it might be beneficial and a little fun to look at what might be in store for 2023. Two of the predictions which popped up in a few publications centred on the new social engineering ‘battleground’ following the growing trend of social media scams, and on building a security-aware society. Articles in Forbes and the Australian Cyber Security Magazine provide an insight into what to look out for and how to prepare for what possibly awaits.

Earlier in the week, it was revealed that Australia was the most hacked nation in the world during the last quarter of 2023. Many of us hope that we’ve seen the end of attacks like those still impacting customers of Medibank and Optus; however, many within the cybersecurity industry are anticipating a large-scale incident to occur during the Festive Season. With many out-of-office replies being sent and Christmas closure notices posted on social media and websites, it’s easy for potential attackers to know which organisations may be softer targets. To help individuals and organisations prepare, cybersecurity expert Alistair MacGibbon recently spoke to the team at Today and provided some tips on how we can all take steps to better protect ourselves.

Lastly, a reminder of our scheduled shutdown over the Christmas and New Year period: AUSCERT will be closed from 5:00 pm Friday, December 23rd, 2022, until Monday, January 2nd 2023. We will reopen on Tuesday, January 3rd, 2023. The auscert@auscert.org.au mailbox will not be monitored during this period. However, we will staff the 24/7 member incident hotline as usual, so do call us for any urgent matters during this period. To log an incident or for further information, log in via the Member Portal.

We would like to wish everyone a safe and happy Christmas and all the very best for 2023.

5 Recommendations to Improve Wholesale and Retail Cybersecurity Over the Holidays
Date: 2022-12-16
Author: Security Intelligence

It’s the most wonderful time of the year for retailers and wholesalers since the holidays help boost year-end profits. The National Retail Federation (NRF) predicts 2022 holiday sales will come in 6% to 8% higher than in 2021. But rising profits that come at the cost of reduced cybersecurity can cost companies in the long run when you consider the rising size and costs of data breaches. The risk of data breaches and other cyber crimes can make this shopping season feel pretty perilous. It makes sense to learn about the types of cyberattacks aimed at this sector, particularly at this time of year, and what retailers and wholesalers can do to protect themselves.

Google announces client-side encryption for Gmail is now in beta
Date: 2022-12-19
Author: Cyber Security Connect

Google revealed last week that it is expanding client-side encryption access on a range of its web-based platforms. The encryption is in its beta phase and is now available for Google Workspace Enterprise Plus, Education Plus, and Education Standard. Sign-ups are open now and until 20 January 2023. The beta program is not yet available for individual accounts. “Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities,” Google said in its announcement. “Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs.”

Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks
Date: 2022-12-19
Author: Security Week

Cisco has updated multiple security advisories to warn of the malicious exploitation of severe vulnerabilities impacting its networking devices. Many of the bugs, which carry severity ratings of ‘critical’ or ‘high’, were addressed 4-5 years ago, but organizations that haven’t patched their devices continue to be impacted. Last week, the tech giant added exploitation warnings to more than 20 advisories detailing security defects in Cisco IOS, NX-OS, and HyperFlex software.

Cybercrime (and Security) Predictions for 2023
Date: 2022-12-19
Author: The Hacker News

Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it’s up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs. Here’s a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.

Ransomware Attackers Bypass Microsoft’s ProxyNotShell Mitigations With Fresh Exploit
Date: 2022-12-22
Author: Dark Reading

The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November. The new method bypasses mitigations that Microsoft had provided for the exploit chain, meaning organizations that have only implemented those but have not yet applied the patch for it need to do so immediately. The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called “ProxyNotShell” flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.

ESB-2022.6617 – VMware vRealize Operations (vROps): CVSS (Max): 7.2
VMware vRealize Operations (vROps) updates address privilege escalation vulnerabilities.

ESB-2022.6630 – Nessus Network Monitor: CVSS (Max): 9.8
Nessus Network Monitor 6.2.0 updates moment.js to version 2.29.4 and handlebars to version 4.7.7 to address the identified vulnerabilities.

ESB-2022.6657 – Mozilla Thunderbird: CVSS (Max): 6.1
Mozilla has released updates to Thunderbird to address a malicious code execution vulnerability.

ESB-2022.6631 – Citrix Hypervisor: CVSS (Max): 6.3
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.

Stay safe, stay patched and Merry Christmas!

The AUSCERT team

AUSCERT Week In Review for December 16th 2022

Greetings,

The AUSCERT team are excited to announce that the Call for Presentations and Sponsorship options for next year’s conference are open! We believe that there is an abundance of potential speakers from far afield and close to home, even if people don’t know it. To help those unsure of what to speak about, or in need of some assistance, AUSCERT has implemented some new initiatives aimed at helping uncover talking points and helping interested parties develop their presentation. These include a mentorship program and a webinar titled “I don’t have anything to talk about”, scheduled for early 2023.

If you would like some inspiration or ideas, perhaps an episode of our podcast, ‘Share Today, Save Tomorrow’, is in order. This includes our last episode of 2022, released today, which features Dave Lewis, a speaker at this year’s conference who is currently a Global Advisory CISO for Cisco. Dave is also working towards his graduate degree at Harvard and has written columns for Forbes, CSO Online, Huffington Post, The Daily Swig and others.

If you’re considering sponsorship at AUSCERT2023, we have the usual offerings along with some returning favourites from this year – including the Gelato Cart – along with some fantastic new options that we think will be highly sought after! If you’d like to see what’s on offer, simply visit the sponsorship portal and request a copy of the Sponsorship Prospectus.

With just over a week until Christmas Day, many people have placed online orders for their gifts and no doubt are anticipating the delivery each day. If you are one of the many on the look-out for a delivery, beware of potential scams that make claims of a failed delivery and request that you update your details – be warned, DO NOT click on any links! This is just one of the ’12 Scams of Christmas’ that have been compiled to promote awareness and, hopefully, keep everyone safe this Festive Season!

Fortinet confirms VPN vulnerability exploited in the wild
Date: 2022-12-12
Author: TechTarget
[Refer AUSCERT Security Bulletin ESB-2022.6458.2]

A critical zero-day vulnerability in Fortinet’s SSL-VPN has been exploited in the wild in at least one instance. Fortinet issued an advisory Monday detailing the heap-based buffer overflow flaw, tracked as CVE-2022-42475, affecting multiple versions of its FortiOS SSL-VPN. Ranked a 9.3 on the common vulnerability scoring system, Fortinet warned the critical flaw could allow a remote unauthenticated attacker to execute arbitrary code. “Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” Fortinet wrote in the advisory.

Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws
Date: 2022-12-13
Author: Bleeping Computer

Today is Microsoft’s December 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities, including an actively exploited bug, and a total of 49 flaws. Six of the 49 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution, one of the most severe types of vulnerabilities.

Citrix ADC, Gateway Users Race Against Hackers to Patch Critical Flaw
Date: 2022-12-14
Author: Dark Reading

Citrix has issued a patch for a critical flaw affecting Citrix ADC and Citrix Gateway, adding that the company is aware of attacks against the vulnerability in the wild. The vulnerability, tracked under CVE-2022-27518, affects Citrix ADC and Citrix Gateway versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. “Both must be configured with an SAML SP or IdP configuration to be affected,” Citrix noted in its security update.

TPG Telecom discloses hosted Exchange breach at iiNet, Westnet
Date: 2022-12-14
Author: iTnews

TPG Telecom has disclosed a breach of hosted Exchange services that run email accounts for up to 15,000 iiNet and Westnet business customers. The telco said that Mandiant had “found evidence of unauthorised access” on December 13. The target appeared to be “cryptocurrency and financial information” contained within accounts, TPG Telecom said in a financial filing. It appears the incident was identified as part of routine scans on networked assets.

Fire Rescue Victoria relies on radios and mobile phones as it probes mystery dispatch system outage
Date: 2022-12-15
Author: The Age
[Update at: https://www.frv.vic.gov.au/update-frv-outage]

Victorian firefighters will be forced to use mobile phones and radios for up to four days after their dispatch system suffered a mystery outage. Fire Rescue Victoria acting Commissioner Gavin Freeman said the disruption was first noticed between 4am and 5am on Thursday. The acting commissioner said fire trucks and crews were still able to be deployed in response to the incidents, and safety had not been compromised.

ESB-2022.6592 – Tenable.ad: CVSS (Max): 9.8
Tenable.ad leverages third-party software to help provide underlying functionality. One of the third-party components (Erlang) was found to contain vulnerabilities, and updated versions have been made available by the providers.

ESB-2022.6508 – macOS Ventura: CVSS (Max): 8.2*
macOS Ventura 13.1 addresses multiple important security issues.

ESB-2022.6481 – ALERT VMware vRealize Network Insight (vRNI): CVSS (Max): 9.8
Multiple vulnerabilities in VMware vRealize Network Insight (vRNI) were privately reported to VMware. Patches and updates are available to remediate these vulnerabilities in affected VMware products.

ESB-2022.6474 – ALERT Citrix ADC and Gateway: CVSS (Max): None
A vulnerability has been discovered in Citrix Gateway and Citrix ADC that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.

ASB-2022.0245 – ALERT Microsoft Windows: CVSS (Max): 8.5*
Microsoft has released its monthly security patch update for the month of December 2022, which outlined 31 vulnerabilities across multiple products.

ESB-2022.6458.2 – UPDATED ALERT FortiOS: CVSS (Max): 9.3
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

AUSCERT Week In Review for December 9th 2022

Greetings,

It’s hard to ignore the biggest sporting spectacle of the year, especially following the Socceroos’ success in reaching the Round of 16 for only the second time! But with these large-scale and popular events comes an increase in cyber threats. As The Register reported recently, social engineering tactics such as phishing ramp up around such events because they offer more promising opportunities for an attack. With the FIFA Women’s World Cup being held in Australia and New Zealand next year, and the Summer Olympics in Brisbane in 2032, greater awareness, education and support for individuals and organisations should be sought out and provided to ensure a more protected and resilient environment exists.

At AUSCERT, we’re already in the throes of enhancing our education and training portfolio for 2023. We will provide updates when dates and course information are finalised, so be sure to keep an eye on our Education page. In the meantime, there is a broad range of topics and intriguing speakers featured in our podcast series, Share Today, Save Tomorrow, that you can fill your spare time with these holidays – even if it’s to drown out the noise of everything that’s happening around you!

The AUSCERT Conference team will soon be putting the call out for Tutorial and Presentation submissions for any and all interested in sharing their insights and experience with attendees at AUSCERT2023, which will take place between May 9-12, 2023. We believe that there is an abundance of potential speakers from far afield and close to home, even if they don’t know it! Should you wish to be inspired and motivated to make a submission, or if you just want to be entertained by our wonderful array of speakers at previous conferences, visit our YouTube channel.

Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems
Date: 2022-12-05
Author: The Hacker News

The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution.

Multiple government departments in New Zealand affected by ransomware attack on IT provider
Date: 2022-12-06
Author: The Record by Recorded Future

A ransomware attack on Mercury IT, a widely used managed service provider (MSP) in New Zealand, is feared to have disrupted dozens of organizations in the country, including several government departments and public authorities. The Ministry of Justice and Te Whatu Ora (Health New Zealand) are among the public authorities that have announced being impacted by a cyberattack on a third-party IT support provider. New Zealand’s privacy commissioner confirmed on Tuesday morning that “a cyber security incident involving a ransomware attack” was to blame, saying its upstream target was Mercury IT, which “provides a wide range of IT services to customers across New Zealand.”

Android malware apps with 2 million installs spotted on Google Play
Date: 2022-12-04
Author: Bleeping Computer

A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them. The apps were discovered by Dr. Web antivirus and pretend to be useful utilities and system optimizers but, in reality, are the sources of performance hiccups, ads, and user experience degradation. One app illustrated by Dr. Web that has amassed one million downloads is TubeBox, which remains available on Google Play at the time of writing this.

Several Code Execution Vulnerabilities Patched in Sophos Firewall
Date: 2022-12-06
Author: Security Week

Sophos has informed customers that Sophos Firewall version 19.5, whose general availability was announced in mid-November, patches several vulnerabilities, including ones that can lead to arbitrary code execution. In addition to resiliency improvements and a performance boost, the latest Sophos Firewall version brings patches for seven vulnerabilities. According to a security advisory released on December 1, one of the vulnerabilities patched in version 19.5 is CVE-2022-3236, which has a ‘critical’ severity rating.

Amnesty International hit by China-sponsored cyber attack
Date: 2022-12-07
Author: Cyber Security Connect

Amnesty International has said that it has been targeted by a China-sponsored cyber attack. The breach was first detected by the human rights organisation on 5 October, when hackers attempted to search for data specific to China, Hong Kong and several high-profile Chinese activists.

Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover
Date: 2022-12-07
Author: The Daily Swig

Steps towards building a defendable internet are possible, but to get there the industry needs to accept baseline security regulations and move away from a fixation about zero-day vulnerabilities. Opening the Black Hat Europe conference on Tuesday, security researcher Daniel Cuthbert praised security improvements gained with the wider adoption of cloud computing, improvements in iOS, and tighter web security controls in Google Chrome, among other developments. One problem, however, is that these improvements are not feeding down to provide improvements in security practices more generally.

Machine Learning Models: A Dangerous New Attack Vector
Date: 2022-12-07
Author: Dark Reading

Threat actors can hijack machine learning (ML) models that power artificial intelligence (AI) to deploy malware and move laterally across enterprise networks, researchers have found. These models, which often are publicly available, serve as a new launchpad for a range of attacks that also can poison an organization’s supply chain — and enterprises need to prepare. Researchers from HiddenLayer’s SAI Team have developed a proof-of-concept (POC) attack that demonstrates how a threat actor can use ML models — the decision-making system at the core of almost every modern AI-powered solution — to infiltrate enterprise networks, they revealed in a blog post published Dec. 6. The research is attributed to HiddenLayer’s Tom Bonner, senior director of adversarial threat research; Marta Janus, principal adversarial threat researcher; and Eoin Wickens, senior adversarial threat researcher.

ESB-2022.6363 – Android OS: CVSS (Max): 7.8*
Android released a security bulletin that contains details of security vulnerabilities affecting Android devices.

ESB-2022.6333 – IBM Security QRadar SIEM: CVSS (Max): 8.2
The IBM QRadar WinCollect agent is vulnerable to using components with known vulnerabilities.

ESB-2022.6305 – chromium: CVSS (Max): 8.8
Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

ESB-2022.6359 – FortiOS and FortiProxy: CVSS (Max): 7.7
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component may allow a remote and unauthenticated attacker to log in to the device by sending a specially crafted Access-Challenge response from the RADIUS server.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

AUSCERT Week In Review for December 2nd 2022

Greetings, The Medibank breach here in Australia and another recent attack on the Colombian healthcare provider, Keralty. support a 2014 Reuters article, which claimed that “your medical information is worth 10 times more than your credit card number on the black market”. For those in the healthcare industry, there are resources available to help keep sensitive information safe. From individuals to large health providers, digitalhealth.gov.au has a range of services and resources to help promote cyber security awareness and better protect individual’s data and the people tasked with safeguarding it. Additionally, the Cyber and Tech Risk Team at WTW, will look at the most recent cyber events across Australia, during an education session on Thursday 8 December from 12:00 pm that will examine key learnings that can be taken from the incident, governance impacts and analysis of the current state of cyber and technology risk insurance market. For more information and to register, click here. For companies that fail to provide satisfactory protection of their customers’ data in Australia, new laws recently passed may act as a motivator to review practices. The Privacy Legislation Amendment Bill 2022 will see an increase in fines for serious or repeated privacy breaches that currently have a maximum of $2.2 million, to upwards of $50 million. Despite the current weather in a lot of the country, Summer has arrived in Australia! It coincides with International Volunteer Day on December 5. With so many Aussies flocking to the beach each year, perhaps it’s the perfect time to consider volunteering with your local Surf Lifesaving club. 
There are numerous ways to get involved, just click on your state for more info: Queensland New South Wales Victoria Tasmania South Australia Western Australia Northern Territory Medibank breach prompts “intensifying” APRA scrutiny Date: 2022-11-28 Author: IT News The Australian Prudential Regulation Authority (APRA) is intensifying its supervision of Medibank Private, and is widening its investigations into financial services security more broadly. The move comes in the wake of the Medibank data breach, which APRA said in a statement “raised concerns about the strength of [Medibank’s] operational risk controls”. Twitter Data Breach Bigger Than Initially Reported Date: 2022-11-28 Author: Security Week A massive Twitter data breach disclosed a few months ago appears to be bigger than initially reported. In August, Twitter admitted that a vulnerability affecting its systems had been exploited to obtain user data. The issue, introduced in June 2021, could have been exploited to determine whether a specified phone number or email address was tied to an existing Twitter account, even for accounts where the information should have been private. The vulnerability was reported to the social media giant in January and it was quickly fixed, but not before it was exploited by malicious actors. LastPass Suffers Another Breach, and This Time Customer Data Is Affected Date: 2022-12-01 Author: PC Mag Australia The data breach LastPass suffered in August enabled a hacker to infiltrate the company again and steal customer information. On Wednesday, LastPass announced it was investigating the breach, which involved a third-party cloud storage service connected to company systems. “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” the company wrote in a blog post. 
Developers Warned of Critical Remote Code Execution Flaw in Quarkus Java Framework Date: 2022-11-30 Author: SecurityWeek.Com [Refer AUSCERT Bulletin ESB-2022.6037] Developers have been warned that the popular Quarkus framework is affected by a critical vulnerability that could lead to remote code execution. Available since 2019, Quarkus is an open source Kubernetes-native Java framework designed for GraalVM and HotSpot virtual machines. Tracked as CVE-2022-4116 (CVSS score of 9.8), the security defect was identified in the Dev UI Config Editor and can be exploited via drive-by localhost attacks. “Exploiting the vulnerability isn’t difficult and can be done by a malicious actor without any privileges,” Contrast Security researcher Joseph Beeton, who discovered the bug, explains. Chrome fixes 8th zero-day of 2022 – check your version now Date: 2022-11-28 Author: Naked Security [This article refers to AUSCERT Security Bulletin ESB-2022.6163] Google has just patched Chrome’s eighth zero-day hole of the year so far. Zero-days are bugs for which there were zero days you could have updated proactively… …because cybercriminals not only found the bug first, but also figured out how to exploit it for nefarious purposes before a patch was prepared and published. So, the quick version of this article is: go to Chrome’s Three-dot menu (⋮), choose Help > About Chrome, and check that you have version 107.0.5304.121 or later. Gov’s new privacy breach penalties pass parliament Date: 2022-11-28 Author: iTnews The government has secured passage of a sizable increase in civil penalties for organisations that experience “serious” or “repeated” privacy breaches. The new penalties will come into effect a day after Royal Assent by the Governor-General. The bill passed the senate on Monday with only one minor wording amendment, and was then approved by the lower house later in the afternoon. 
ESB-2022.6282 – Moodle: CVSS (Max): 9.1
Moodle’s LTI provider library did not utilise Moodle’s inbuilt cURL helper, which resulted in a blind SSRF risk.

ESB-2022.6260 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 7.7
GitLab released important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

ESB-2022.6259 – Thunderbird: CVSS (Max): 7.5*
Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content. This vulnerability has been fixed in Thunderbird 102.5.1.

ESB-2022.6163 – Google Chrome: CVSS (Max): None
Google released a security update for Chrome and is aware that an exploit for this issue exists in the wild.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
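The Moodle bulletin above is a textbook case of SSRF arising when one component bypasses the platform's central outbound-HTTP helper. The following is an added example, not Moodle's code, of what such a helper has to do before any request is made: parse the URL, resolve the host, and refuse every resolved address that falls in loopback, private, link-local or other non-routable ranges (including IPv4-mapped IPv6 forms and hosts that resolve to a mix of public and private addresses). The name table, hostnames and the `fake_resolve` resolver are constructed so the example runs offline; in production you would plug in a real resolver and then connect only to the address you validated.

```python
"""Added example (not Moodle code): an SSRF guard for server-side URL fetchers.

Every outbound URL is parsed, its host resolved, and each resolved address
checked against non-routable ranges before a request is allowed. The resolver
is injectable so the example runs offline against a constructed name table.
"""
import ipaddress
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

# Constructed name table standing in for DNS (assumption for this example).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "cdn.example.com": ["2606:2800:220:1:248:1893:25c8:1946"],
    "metadata.internal": ["169.254.169.254"],             # cloud metadata endpoint
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # public + private answer
    "mapped.example.net": ["::ffff:127.0.0.1"],           # IPv4-mapped loopback
}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def fake_resolve(host: str) -> List[str]:
    """Resolver used by the example; raises like a real lookup on unknown names."""
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise OSError(f"unresolvable host: {host}")


def _is_forbidden_ip(ip: IPAddress) -> bool:
    """True for any address an SSRF guard must never connect to."""
    # Unwrap ::ffff:a.b.c.d so the IPv4 checks apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private          # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback      # 127/8, ::1
        or ip.is_link_local    # 169.254/16 (cloud metadata), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified   # 0.0.0.0, ::
    )


def check_outbound_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = fake_resolve) -> str:
    """Return the validated host if `url` may be fetched, else raise ValueError.

    Rejects non-http(s) schemes, embedded credentials, and literal or resolved
    addresses in forbidden ranges. If ANY resolved address is forbidden the
    whole host is refused, because the client may connect to any of them.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")

    # A literal IP needs no resolution; a hostname is resolved and every
    # returned address is checked.
    try:
        candidates: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]

    for ip in candidates:
        if _is_forbidden_ip(ip):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    return host


def is_safe_url(url: str, resolve: Callable[[str], Iterable[str]] = fake_resolve) -> bool:
    """Boolean wrapper for callers that only need allow/deny."""
    try:
        check_outbound_url(url, resolve)
        return True
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    for u in ("https://example.com/lti", "http://metadata.internal/latest/",
              "http://rebind.example.net/", "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd", "http://user@example.com/"):
        print(f"{u:40} -> {'allowed' if is_safe_url(u) else 'blocked'}")
```

The remaining gap a helper like this cannot close on its own is the time between resolution and connection (DNS rebinding): the fetcher should connect to the address that was validated rather than re-resolving the name, and should not follow redirects without re-running the check.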


AUSCERT Week In Review for November 25th 2022

Greetings,

Australians have recently been subjected to situations that have tested the resilience and resolve of most of us. Weather events, the lingering presence of COVID and, as seen recently, cyber-attacks have individually and collectively taken their toll. The spate of security breaches, including Optus and Medibank, doesn’t only concern identity theft or money. An individual’s mental health can also be affected, with feelings of vulnerability, anger, and being violated. IDCARE is Australia and New Zealand’s national identity and cyber support service, assisting those that have been impacted by data breaches through effective response and mitigation. If you or someone you know might need help, it’s worth reaching out.

Digital billboards are now commonplace, going beyond Times Square in New York and popping up in cities and suburbia alike. Recently, a billboard in Brisbane was hacked, showing pornographic images, visible to passers-by on a busy road, for three minutes. This case demonstrates a vulnerability in the convergence of information technology (IT) systems and operational technology (OT) as part of the global digital transformation. Integrating cloud computing, e-commerce, industrial control systems, automated manufacturing and more, the benefits of convergence between IT and OT systems are many, but so are the potential cybersecurity threats for the converged environment. A Forbes article published earlier in the year discusses potential strategies to help bridge the cybersecurity gap of IT/OT convergence.

With all this going on concurrently, evolving and stretching out for indefinite periods, it may be hard to know where to look for answers. Luckily, AUSCERT’s podcast series, Share Today, Save Tomorrow, features the episodes ‘IT/OT Convergence’, ‘Understanding and Combatting Cyber Attacks’ and our brand new episode ‘Digital Forensics and Incident Response’, to name but a few. So, peruse what’s on offer, there’s sure to be something for everybody!
Essential Eight Maturity Model
Date: 2022-11-24 Author: Cyber.gov.au
[ACSC has updated the Essential Eight Maturity Model]
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.

Hackers breach energy orgs via bugs in discontinued web server
Date: 2022-11-22 Author: Bleeping Computer
Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. As cybersecurity company Recorded Future revealed in a report published in April, state-backed Chinese hacking groups (including one tracked as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

WhatsApp data leak: 500 million user records for sale
Date: 2022-11-24 Author: Cybernews
On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included. Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.
NSW govt eyes law change to spur ‘good faith’ hacking
Date: 2022-11-22 Author: Innovation Aus
The New South Wales government will push for changes to Commonwealth criminal laws to prevent cybersecurity researchers being prosecuted for reporting potential bugs and vulnerabilities, including in the systems of public sector agencies, in “good faith”. Customer Service and Digital Government minister Victor Dominello is planning to pursue the changes before he retires from politics in March 2023, to pave the way for the state’s first whole-of-government policy framework for cyber security vulnerability disclosure.

Google releases 165 YARA rules to detect Cobalt Strike attacks
Date: 2022-11-21 Author: Bleeping Computer
The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks. Security teams will also be able to identify Cobalt Strike versions deployed in their environment using these detection signatures.

Lorenz Ransomware Alert: Risk to Healthcare, Public Sector
Date: 2022-11-24 Author: Bankinfo Security
Large healthcare and public sector organizations are continuing to get hit by attackers wielding Lorenz ransomware, cybersecurity experts warn. “It is used to target larger organizations in what is called ‘big-game hunting,’ and publishes data publicly as part of pressuring victims in the extortion process,” according to a new security alert from the U.S. Department of Health and Human Services. “Relatively little is known about Lorenz as compared to many other ransomware operators,” says HHS’ Health Sector Cybersecurity Coordination Center, or HC3.

ESB-2022.6094 – Git: CVSS (Max): 8.8
Kevin Backhouse discovered that Git incorrectly handled certain command strings. An attacker could possibly use this issue to execute arbitrary code.
ESB-2022.6112 – IBM QRadar: CVSS (Max): 9.8
IBM QRadar Network Security is affected by multiple vulnerabilities.

ESB-2022.6133 – Ruby: CVSS (Max): 8.8
Ruby 2.7.7 has been released and this release includes a few security fixes.

ESB-2022.6139 – nginx: CVSS (Max): 7.4
SUSE released an update that mitigates the ALPACA attack by limiting the number of protocol errors accepted before a connection is closed.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week In Review for November 18th 2022

Greetings,

With the increasing frequency and, in some cases, severity of recent cyber attacks in Australia, now might be the time to look back at this year’s AUSCERT2022 conference presentations. Covering a range of topics from Incident Response and Handling to Governance, Risk Management and Compliance and, of course, Cybercrime, there is a wealth of knowledge and experience from over 50 presenters available for your education and enjoyment!

As Australia’s growing digital economy requires individuals to hand over personal and sensitive data more often, and in greater amounts, to access services, greater reforms and protection for consumers are needed. This has been made abundantly clear and reinforced by recent cyber attacks. The New South Wales government has recently launched a pilot program, part of a 2015 strategy, that will allow individuals to store their encrypted information on their own device, not held by a government agency or private entity.

In case you weren’t aware, November 18 (that’s today) is the 94th birthday of the world’s most famous mouse, Mickey! That’s right, the perennial favourite of children and the young at heart, Mickey Mouse, has been around for almost a century. From the ground-breaking short film ‘Steamboat Willie’ (which was released on this day) to the global sensation he is today, this icon can inspire joy, elicit smiles, and spark the imagination. Mickey’s birthday is the perfect excuse to enjoy some family fun by grabbing some snacks and watching a classic animated film!

Advanced threat predictions for 2023
Date: 2022-11-14 Author: Securelist
It is fair to say that since last year’s predictions, the world has dramatically changed. While the geopolitical landscape has durably shifted, cyberattacks remain a constant threat and show no signs of receding – quite the contrary. No matter where they are, people around the world should be prepared for cybersecurity incidents.
A useful exercise in that regard is to try to foresee the future trends and significant events that might be coming in the near future. We polled our experts from the GReAT team and have gathered a small number of key insights about what APT actors are likely to focus on in 2023. But first, let’s examine how they fared with the predictions for 2022.

Why CVE Management as a Primary Strategy Doesn’t Work
Date: 2022-11-12 Author: Dark Reading
While IT and security teams dislike CVEs because of the threat they pose and the mountain of remediation work they create for them, what troubles me is the way our modern security procedures relate to CVEs. Our mitigation strategies have become too focused on “vulnerability management” and are too CVE-centric, when what we really need is a hacker-centric approach to effectively reduce our exposure.

Unpatched Zimbra Platforms Are Probably Compromised, CISA Says
Date: 2022-11-15 Author: Dark Reading
Security teams running unpatched, Internet-connected Zimbra Collaboration Suites (ZCS) should just go ahead and assume compromise, and take immediate detection and response action. That’s according to a new alert issued by the Cybersecurity and Infrastructure Security Agency, which flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 (which is being chained with CVE-2022-37042), and CVE-2022-30333. The attacks lead to remote code execution and access to the Zimbra platform.

Australia sets up 100-strong permanent ‘operation’ to target hackers
Date: 2022-11-12 Author: iTnews
Australia will set up a permanent operation comprising around 100 police and defence personnel to “hack the hackers”, with an immediate priority to target ransomware groups.
Updated RapperBot malware targets game servers in DDoS attacks
Date: 2022-11-16 Author: Bleeping Computer
The Mirai-based botnet ‘RapperBot’ has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers. The malware was discovered by Fortinet researchers last August when it used SSH brute-forcing to spread on Linux servers. By tracing its activities, the researchers found that RapperBot has been operational since May 2021, but its exact goals were hard to decipher. The recent variant uses a Telnet self-propagation mechanism instead, which is closer to the approach of the original Mirai malware.

MFA Fatigue attacks are putting your organization at risk
Date: 2022-11-15 Author: Bleeping Computer
The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. A common threat targeting businesses is MFA fatigue attacks—a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. MFA refers to multi-factor authentication, a layered end-user verification strategy to secure data and applications. For a user to log in, an MFA system needs them to submit various combinations of two or more credentials.

Misconfigurations, Vulnerabilities Found in 95% of Applications
Date: 2022-11-16 Author: Dark Reading
Nearly every application has at least one vulnerability or misconfiguration that affects security, and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.
Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys’ new Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

ESB-2022.5996 – F5 Products: CVSS (Max): 8.8
BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP (CVE-2022-41622).

ESB-2022.5982 – Firefox: CVSS (Max): 9.8*
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of the address bar, bypass security restrictions, perform cross-site tracing or execute arbitrary code.

ESB-2022.5843 – Intel DCM: CVSS (Max): 8.8
A potential security vulnerability in the Intel Data Center Manager (DCM) software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

ESB-2022.6008 – asterisk: CVSS (Max): 9.8
Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
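The MFA fatigue item in this issue describes the attack from the victim's side; from the SOC's side it shows up in identity-provider logs as a burst of push prompts to one account, most of them denied or timed out, sometimes ending in an approval. The following is an added example, not from the article or any vendor, of the detection logic: it parses constructed log lines, slides a time window over each user's prompts, and raises an alert when the prompt count or the deny-then-approve pattern crosses a threshold. The log format, field names and thresholds are assumptions; map them onto your IdP's export (Okta System Log, Azure AD sign-in logs, Duo authentication logs all carry equivalent fields).

```python
"""Added example (not from the Bleeping Computer article): detecting MFA
fatigue from authentication logs.

Groups constructed log lines per user, slides a time window over the push
prompts and alerts on (a) too many prompts in the window or (b) an approval
that follows several rejections within the window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log, one event per line: timestamp,user,event,result
# (an IdP-neutral format assumed for this example).
SAMPLE_LOG = """\
2022-11-15T09:00:05Z,alice,mfa_push,approved
2022-11-15T23:10:01Z,bob,mfa_push,denied
2022-11-15T23:10:31Z,bob,mfa_push,denied
2022-11-15T23:11:02Z,bob,mfa_push,timeout
2022-11-15T23:11:40Z,bob,mfa_push,denied
2022-11-15T23:12:15Z,bob,mfa_push,denied
2022-11-15T23:12:58Z,bob,mfa_push,approved
2022-11-15T14:00:00Z,carol,mfa_push,denied
2022-11-15T17:30:00Z,carol,mfa_push,approved
"""

PROMPT_THRESHOLD = 5                 # prompts within WINDOW -> alert
WINDOW = timedelta(minutes=10)
DENIALS_BEFORE_APPROVE = 3           # rejections preceding an approval within WINDOW -> alert
REJECTED = ("denied", "timeout")


def parse_log(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Parse CSV lines into {user: [(timestamp, result), ...]}, sorted by time."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, event, result = line.split(",")
        if event != "mfa_push":
            continue
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    for user in events:
        events[user].sort()
    return events


def detect_mfa_fatigue(text: str) -> List[dict]:
    """Return one alert per user whose prompt history matches a fatigue pattern."""
    alerts = []
    for user, prompts in parse_log(text).items():
        window_start = 0
        burst_max = 0
        approved_after_denials = False
        for i, (ts, result) in enumerate(prompts):
            # Advance the left edge so prompts[window_start:i+1] all lie within WINDOW.
            while ts - prompts[window_start][0] > WINDOW:
                window_start += 1
            in_window = prompts[window_start:i + 1]
            burst_max = max(burst_max, len(in_window))
            if result == "approved":
                rejections = sum(1 for _, r in in_window[:-1] if r in REJECTED)
                if rejections >= DENIALS_BEFORE_APPROVE:
                    approved_after_denials = True
        if burst_max >= PROMPT_THRESHOLD or approved_after_denials:
            alerts.append({
                "user": user,
                "max_prompts_in_window": burst_max,
                "approved_after_repeated_denials": approved_after_denials,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The deny-then-approve signal is the one worth paging on: a burst of denials alone may be a user fat-fingering a prompt, but an approval after repeated rejections is exactly the moment the attack succeeds and the session should be revoked. Number matching or other verified-push modes remove the attack class; the detection above is for estates that have not yet enabled them.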


AUSCERT Week in Review for 11th November 2022

Greetings,

AUSCERT is seeking a new team member in our security systems admin and development area to lead engineering efforts and coordinate projects across our Analyst Team. If you're interested in security automation, infrastructure-as-a-service and cybersecurity-specific open source projects such as MISP, apply now – applications close this Sunday!

AUSCERT’s Senior Manager, Mike Holm, delivered a presentation on how to digest MISP data and draw meaningful conclusions from it during the 2022 AHECS Cybersecurity Summit held on the 7th-9th November in Canberra. The AHECS Cybersecurity Summit is a conference developed by the sector with a focus on the Higher Education and Research Cybersecurity, Identity Management and Privacy Community.

In cyber security news this week, criminals released files on a dark web forum that are believed to contain stolen Medibank customer data. The Australian Federal Police announced the expansion of Operation Guardian to protect Medibank Private customers whose personal data was unlawfully released to the internet. Operation Guardian was set up in September this year to deliver specialised protection to current and former Optus customers from identity crime and financial fraud following the Optus cybercrime incident. AUSCERT advises its members who are impacted by the recent data breaches to be alert for any phishing scams via email, texts, voice calls or post and to verify any communications received to ensure that they are from a legitimate source.

In other news this week, our celestial neighbour glowed a spectacular red colour as the last total lunar eclipse for three years illuminated the sky on Tuesday night. While most parts of Australia had a clear view of the total lunar eclipse, the stargazers from our neighbours across the ditch had the most spectacular full show. The next total lunar eclipse is expected to grace our skies on March 14, 2025.
Last but not least, AUSCERT acknowledges Remembrance Day and remembers the armed forces members who gave their lives in the line of duty to protect the nation. Have a good weekend!

Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data
Date: 2022-11-07 Author: The Hacker News
Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.

Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft
Date: 2022-11-07 Author: Security Week
According to Microsoft’s 2022 Digital Defense Report, nation-state hacker attacks on critical infrastructure have soared, largely due to Russian cyber operations targeting Ukraine and its allies. Between June 2020 and June 2021, 20% of all nation-state attacks observed by Microsoft were aimed at critical infrastructure. That percentage increased to 40% in the period between July 2021 and June 2022.

Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws
Date: 2022-11-08 Author: Bleeping Computer
Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. Eleven of the 68 vulnerabilities fixed in today's update are classified as 'Critical' as they allow privilege elevation, spoofing, or remote code execution, one of the most severe types of vulnerabilities.
‘Cyberspace has become a battleground,’ warns Australian Cyber Security Centre
Date: 2022-11-04 Author: The Record
The Australian Cyber Security Centre received over 76,000 cybercrime reports during the last financial year — an increase of nearly 13% — and warned in its latest annual report that “cyberspace has become a battleground.” The agency also warned that the regional dynamics in the Indo-Pacific were “increasing the risk of crisis” and cautioned that “cyber operations are likely to be used by states to challenge the sovereignty of others.”

Several Cyber Attacks Observed Leveraging IPFS Decentralized Network
Date: 2022-11-09 Author: The Hacker News
A number of phishing campaigns are leveraging the decentralized Interplanetary Filesystem (IPFS) network to host malware, phishing kit infrastructure, and facilitate other attacks. "Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks," Cisco Talos researcher Edmund Brumaghin said in an analysis shared with The Hacker News. The research mirrors similar findings from Trustwave SpiderLabs in July 2022, which found more than 3,000 emails containing IPFS phishing URLs as an attack vector, calling IPFS the new "hotbed" for hosting phishing sites.

Medibank hackers target high-profile drug and mental health patients as AFP steps up action
Date: 2022-11-09 Author: ABC News
Medibank customers remain in the dark about whether any of their personal information is among that leaked onto the dark web by hackers overnight. It appears the cybercriminals have published what they have termed "naughty" and "nice" lists of prominent people amongst the leaked data.

ASB-2022.0199.5 – UPDATE Medibank Cyber Security Incident
Medibank released further information on the Medibank cyber security incident and confirmed that customer data has been released on a dark web forum.
ESB-2022.5782 – Nessus: CVSS (Max): 9.8
Tenable released Nessus Version 8.15.7 to address multiple vulnerabilities in its third-party components.

ASB-2022.0234 – ALERT Exchange Server: CVSS (Max): 8.8
Microsoft's most recent security patch update includes fixes that resolve 4 vulnerabilities across Microsoft Exchange Server.

ASB-2022.0233 – ALERT Windows 7 and Windows Server 2008: CVSS (Max): 8.8*
Microsoft has released its patch update for the month of November 2022 which resolves 24 vulnerabilities in Windows 7 and Windows Server 2008.

ASB-2022.0231 – ALERT Windows and Windows Server: CVSS (Max): 8.8*
Microsoft released fixes for 40 vulnerabilities across Windows 8.1, 10, 11 and Windows Server 2012, 2016, 2019, 2022.

ESB-2022.5792.2 – UPDATE iOS and iPadOS: CVSS (Max): 8.2
Apple released iOS 16.1.1 and iPadOS 16.1.1 to address issues in libxml which, if exploited, could result in arbitrary code execution or denial of service.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
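The IPFS phishing item in this issue turns on one practical detail: content on IPFS is reached through ordinary HTTP gateways, so the indicator to hunt for in mail is a content identifier (CID) in one of three shapes: a gateway path (https://ipfs.io/ipfs/<cid>/...), a subdomain gateway (https://<cid>.ipfs.<gateway>/...), or the bare ipfs://<cid> scheme. The following is an added example, not from the Talos or Trustwave research, of an extractor that finds all three in an email body and validates the CID shape (CIDv0 is 'Qm' followed by 44 base58 characters; CIDv1 as commonly seen in the wild is a lowercase base32 string with the 'b' multibase prefix). The email body and the CIDs in it are constructed; ipfs.io and dweb.link are real public gateways used only as illustrative hostnames.

```python
"""Added example (not from the Talos or Trustwave research): extracting IPFS
references from phishing email text.

Matches the three URL shapes used to reach IPFS content over HTTP gateways or
the native scheme, validates the CID shape, and returns the CIDs as IOCs.
"""
import re
from typing import Dict, List

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
CIDV0 = rf"Qm{BASE58}{{44}}"           # CIDv0: 'Qm' + 44 base58 chars (46 total)
CIDV1 = r"b[a-z2-7]{50,}"              # CIDv1 base32 lower, multibase prefix 'b'
CID = rf"(?:{CIDV0}|{CIDV1})"
HOST = r"[A-Za-z0-9.-]+"

PATTERNS = {
    # https://ipfs.io/ipfs/<cid>/index.html
    "gateway_path": re.compile(rf"(?i:https?)://(?P<gateway>{HOST})(?::\d+)?/ipfs/(?P<cid>{CID})"),
    # https://<cid>.ipfs.dweb.link/
    "subdomain_gateway": re.compile(rf"(?i:https?)://(?P<cid>{CID})\.ipfs\.(?P<gateway>{HOST})"),
    # ipfs://<cid>
    "native_scheme": re.compile(rf"(?i:ipfs)://(?P<cid>{CID})"),
}

# Constructed phishing email body; the CIDs are synthetic.
SAMPLE_EMAIL = """\
Your mailbox password expires today. Review your account:
https://ipfs.io/ipfs/QmZxK3r7mP9vB2nQ8wD5sH4jL6gF1cV7tY3aE9uR2kN8pM/login.html
Mirror: https://bafybeihx7qzk2mdn4wv5lsr3tgpa6o2ucbfy4ejmw7znqhsdlxp3kgt2a.ipfs.dweb.link/
Mobile app: ipfs://QmZxK3r7mP9vB2nQ8wD5sH4jL6gF1cV7tY3aE9uR2kN8pM
Unrelated link for contrast: https://www.example.com/ipfs-is-not-here
"""


def extract_ipfs_refs(text: str) -> List[Dict[str, str]]:
    """Return every IPFS reference found, with its form, CID, gateway and matched URL."""
    refs: List[Dict[str, str]] = []
    for form, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            refs.append({
                "form": form,
                "cid": m.group("cid"),
                # native_scheme has no gateway group; report an empty string there.
                "gateway": m.groupdict().get("gateway") or "",
                "url": m.group(0),
            })
    return refs


def unique_cids(text: str) -> List[str]:
    """Deduplicated CIDs in first-seen order, ready for a blocklist or IOC feed."""
    seen: List[str] = []
    for ref in extract_ipfs_refs(text):
        if ref["cid"] not in seen:
            seen.append(ref["cid"])
    return seen


if __name__ == "__main__":
    for ref in extract_ipfs_refs(SAMPLE_EMAIL):
        print(f"{ref['form']:18} cid={ref['cid']} gateway={ref['gateway'] or '-'}")
    print("IOCs:", unique_cids(SAMPLE_EMAIL))
```

Blocking on the CID rather than the gateway hostname matters because the same kit is reachable through every public gateway; the subdomain form is also why a plain "contains /ipfs/" rule misses a large share of these URLs.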


AUSCERT Week in Review for 4th of November 2022

Greetings,

This week saw trick-or-treaters and people of all ages flock to the streets in ‘spooky’ costumes in celebration of Halloween. The history of trick-or-treating goes back to Scotland and Ireland, where the tradition began as people would go door to door staging performances that were rewarded with food and sweets. Speaking of candy, today is National Candy Day! Of course, this is mostly celebrated in the US, but why not make it into an excuse to dig into the leftover Halloween treats? Whether it is chewy, gummy, hard, fruit-flavoured or the ones that melt in your mouth, candy has always been a source of universal happiness.

On a more serious topic, the OpenSSL Project released OpenSSL 3.0.7 to address two high-severity security flaws in its cryptographic library amid a big storm of hype in the cyber security world. These flaws were initially listed as “critical” but were downgraded to “high” following additional testing. The vulnerabilities affect OpenSSL versions 3.0.0 to 3.0.6. AUSCERT strongly recommends the deployment of OpenSSL 3.0.7 as soon as possible to impacted applications and servers to avoid potential Denial of Service or Remote Code Execution attacks.

In other news this week, Australia took part in the Counter Ransomware Initiative (CRI) Summit hosted by the White House on 31 October to 1 November 2022. The participating governments released a set of planned actions including the establishment of the Voluntary International Counter Ransomware Task Force, led by Australia, that will encourage threat information sharing and better coordination of the international actions aimed at tracking ransomware criminals' financial activities.

Last but not least, AUSCERT would like to remind everyone to be mindful of current threats and vulnerabilities, with the recent spate of data breaches and ransomware attacks targeting Australian organisations. Have a good weekend!
…

Microsoft releases out-of-band updates to fix OneDrive crashes
Date: 2022-10-29 Author: Bleeping Computer
Microsoft has released out-of-band updates to address a known issue causing OneDrive and OneDrive for Business to crash after installing recent Windows 10 updates. The issue occurs when signing out or unlinking OneDrive accounts or sites and folders from Microsoft Teams and SharePoint. "After installing KB5018410 or later updates, OneDrive might unexpectedly close," Redmond explained in a Windows health dashboard update on Friday.

OpenSSL fixes two high severity vulnerabilities
Date: 2022-11-01 Author: Bleeping Computer
The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections. The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7. CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE), while CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial of service state via a buffer overflow.

Australian Defence Department caught up in ransomware attack
Date: 2022-10-31 Author: ABC News
A communications platform used by military personnel and Defence Department public servants has been hit by a ransomware attack. Hackers have targeted the ForceNet service, which is run by an external ICT provider, but Defence has been told no data of current or former personnel appears to have been compromised.

Dropbox discloses breach after hacker stole 130 GitHub repositories
Date: 2022-11-01 Author: Bleeping Computer
Dropbox disclosed a security breach after threat actors stole 130 code repositories after gaining access to one of its GitHub accounts using employee credentials stolen in a phishing attack.
The company discovered the attackers breached the account on October 14 when GitHub notified it of suspicious activity that started one day before the alert was sent. "To date, our investigation has found that the code accessed by this threat actor contained some credentials—primarily, API keys—used by Dropbox developers," Dropbox revealed on Tuesday.

Govt counter-ransomware taskforce in works
Date: 2022-11-02 Author: FST Media
Minister for Home Affairs and Cyber Security, Clare O’Neil, said the taskforce will be convened by the Department of Home Affairs Cyber and Critical Technology Coordination Centre after members of the international initiative agreed to establish a unit at the Counter Ransomware Summit in Washington earlier this week. “The cyber incident involving Medibank Private is a blunt reminder that we need a globally focused capability to combat cyber threats, including ransomware,” Minister O’Neil said.

ESB-2022.5595 – Red Hat Single Sign-On 7.6.1 security update on RHEL 9
Multiple security fixes introduced with the latest version of Red Hat Single Sign-On address remote code execution, denial of service and XSS vulnerabilities.

ASB-2022.0229.2 – OpenSSL Critical Patch Update for 3.0.x
It was discovered that OpenSSL incorrectly handled certain X.509 email addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

ESB-2022.5303.2 – APPLE-SA-2022-10-24-1 iOS 16.1 and iPadOS 16
Multiple security updates were released by Apple for iOS 16.1 and iPadOS 16 that addressed vulnerabilities relating to arbitrary code execution, app privilege levels and disclosure of user information.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 28th October 2022

Greetings,

Episode 16 of our podcast has landed and features a chat between Anthony Caruana and Alex Tilley of Secureworks about understanding and combatting cyberattacks – timely given the recent spate of Australians impacted by several large-scale data breaches. Later, the AUSCERT team discuss the intangible nature of cyber threats and the need for greater awareness of their relevance and potential impact. To improve understanding of what can be done in this regard, the discussion then focuses on education and learning, including AUSCERT’s training courses.

The first of November of each year sees the culturally significant celebration Dia de los Muertos, also known as the Day of the Dead, across Mexico. Unlike Halloween, Dia de los Muertos isn’t about scaring or being frightened but celebrates the lives of loved ones who have passed away. Day of the Dead combines the ancient Aztec custom of celebrating ancestors with All Souls’ Day, a holiday that Spanish invaders brought to Mexico starting in the early 1500s, and has become a joyful time that helps people remember the deceased and celebrate their memory.

This time of year also typically sees shades of purple dominate streetscapes across Australia with the Jacaranda trees flowering. The captivating and vibrant Jacaranda is an iconic tree in Australia but is native to Central and South America. Here at The University of Queensland, they’re even part of local lore, signifying the end-of-year exams, and are celebrated with the BLOOM Festival. There’s a lot to see, including interactive exhibits, live music, pop-up picnics and indigenous foods.

Gov invokes emergency coordination as Medibank breach worsens
Date: 2022-10-26 Author: IT News
The government has invoked a Covid-era response mechanism, bringing together federal, state and territory agencies to coordinate on the worsening Medibank data breach. Minister for cyber security Clare O’Neil said the national coordination mechanism (NCM) was activated on Saturday.
The activation came as Medibank announced that the attackers who breached its ahm and international student systems had provided a file which demonstrated compromise of customer records under its main brand as well.

Security experts targeted with malicious CVE PoC exploits on GitHub
Date: 2022-10-24 Author: Security Affairs
A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities. The experts analyzed PoCs shared on GitHub for known vulnerabilities discovered in 2017-2021; some of these repositories were used by threat actors to spread malware. The experts pointed out that public code repositories do not provide any guarantees that any given PoC comes from a trustworthy source.

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn
Date: 2022-10-28 Author: Dark Reading
[Refer AUSCERT Bulletin ASB-2022.0229]
Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a “critical” vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet. On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

Why Retail Stores Are More Vulnerable Than Ever to Cybercrime
Date: 2022-10-27 Author: Dark Reading
When we think about cybercrime and retail it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year.
Dakota Murphey explains why store owners and security managers also need to protect their physical locations from cyber threats. Figures from SonicWall’s Biannual Report revealed that e-commerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds. However, for those retailers that have a physical store as well as an online presence, there might be an assumption that the cybersecurity in-store doesn’t need to be considered as a top priority. Well, doing so could be a big mistake.

Third quarter of 2022 reveals increase in cyberattacks and unexpected developments in global trends
Date: 2022-10-26 Author: Check Point
Highlights:
- Global attacks increased by 28% in the third quarter of 2022 compared to the same period in 2021. The average weekly attacks per organization worldwide reached over 1,130.
- The most attacked industry in the third quarter of the year was the Education/Research sector, with an average of 2,148 attacks per organization every week, an increase of 18% compared to the third quarter of 2021.
- The Healthcare sector was the most targeted industry for ransomware during the third quarter of 2022, with one in 42 organizations impacted by ransomware, a 5% increase YoY.

Australian Clinical Labs says patient data stolen in ransomware attack
Date: 2022-10-27 Author: Bleeping Computer
Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people.

ESB-2022.5278 – Apache Commons Text: CVSS (Max): 9.8
The Apache Software Foundation has reported a vulnerability in Apache Commons Text and recommends that users upgrade Commons Text to 1.10.0.
ESB-2022.5300 – ALERT macOS Ventura: CVSS (Max): 9.8*
Apple has released macOS Ventura 13 which fixes a number of issues across a range of products.

ASB-2022.0199.4 – UPDATE Medibank Cyber Security Incident
Medibank announced a further development in the Medibank data breach incident. AUSCERT continues to keep its members updated as further information is released.

ASB-2022.0228 – Energy Australia Data Breach
Energy Australia announced a cyber incident which involved unauthorised access to their online platform. AUSCERT is aware of the incident and will share further information with members as it becomes available.

ASB-2022.0229 – OpenSSL
OpenSSL version 3.0.7 is scheduled for Tuesday, 1 November 2022 and includes a patch for a critical vulnerability. AUSCERT strongly recommends that administrators apply the patch when it is released.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for October 21st 2022

Greetings,

AUSCERT has been receiving reports of various Request For Quote (RFQ) scams spoofing Australian universities and targeting several small vendors via the spoofed domain. Our recent blog post delves into the current methods being used, to help identify potential scams, and gives recommendations on what can be done should you be the victim of such a scam.

AUSCERT aims to inform and educate how and when we can, including through our training sessions, aimed at anyone that looks after their organisation’s cyber security. We have three courses currently available for the remainder of 2022, as per the below:

Intro to Cyber for IT Professionals | October 24 and 25 (it’s not too late to register!)
Cyber Security Risk Management | October 31 and November 1
Incident Response Planning | December 6 and 7

All courses are delivered online in two half-day sessions from 9 am to 12:30 pm each day. For more information on each course, or to book online, visit our Education page.

Diwali, also known as the Festival of Lights or Deepavali, will commence on Monday, October 24 and is a five-day-long celebration. It is revered as a day to light the lamp of power, knowledge, and virtues within each of us and signifies the victory of good over evil. Watch out for the celebrations with entertainers, fireworks displays, dancing performances, music, henna and more throughout the city in many shopping centres, King George Square and Indian restaurants. You can learn more about this cultural festival, including a feast consisting of special dishes, by clicking here.

Speaking of food, today is International Day of the Nacho. Yes, there is an official day to indulge and overeat the tasty corn chip or tortilla-based treat, layered with guacamole, beans, minced beef and cheese! Invented in 1943, nachos have been a go-to dish for many, with unknown and seemingly unlimited variations seen in their near 80-year history. To see how others eat their nachos, or to learn more about this Tex-Mex culinary delight, click here.

Adobe patches critical Magento XSS that puts sites at takeover risk
Date: 2022-10-14 Author: The Daily Swig
A super-critical vulnerability in Adobe Magento could allow attackers to fully compromise e-commerce platforms, according to the security researcher who unearthed the bug. Adobe has urged users to update their systems to protect their websites from abuse of the flaw, which has been assigned the maximum possible severity (CVSS) score of 10.

Woolworths says 2.2m MyDeal customers’ data hacked
Date: 2022-10-15 Author: Financial Review
[Refer AUSCERT Bulletin: ASB-2022.0200.2]
In the third major corporate security breach in as many weeks, Woolworths is scrambling to contact 2.2 million customers of its MyDeal online marketplace arm whose data has been accessed by an unauthorised user using “compromised” credentials, the supermarket giant says. The hack follows telecoms group Optus in owning up to data breaches affecting millions of consumers. Health insurer Medibank Private also disclosed a data breach but said it had no evidence of any customer data being accessed, although it was still investigating the hack.

Apache Commons Text RCE flaw — Keep calm and patch away
Date: 2022-10-19 Author: Bleeping Computer
[Refer AUSCERT Bulletin: ESB-2022.5278]
A remote code execution flaw in the open-source Apache Commons Text library has some people worried that it could turn into the next Log4Shell. However, most cybersecurity researchers say it is nowhere near as concerning. Apache Commons Text is a popular open-source Java library with an “interpolation system” that allows developers to modify, decode, generate, and escape strings based on inputted string lookups. For example, passing the string lookup ${base64Decoder:SGVsbG9Xb3JsZCE=} to the interpolation system would cause the library to convert it to its base64-decoded value of ‘HelloWorld!’.

Microsoft Office 365 email encryption could expose message content
Date: 2022-10-14 Author: Bleeping Computer
Security researchers at WithSecure, previously F-Secure Business, found that it is possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to the use of a weak block cipher mode of operation. Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from source to destination. However, the feature encrypts the data using the Electronic Code Book (ECB) mode, which allows inferring the plaintext message under certain conditions.

Police tricked a ransomware gang into handing over its decryption keys. Here’s how they did it
Date: 2022-10-17 Author: ZDNET
Police tricked a ransomware gang into handing over decryption keys, providing victims with the ability to unlock their encrypted data for free. Working alongside cybersecurity company Responders.NU, the Dutch National Police obtained 150 decryption keys from ransomware group Deadbolt. With the decryption keys now in the hands of law enforcement, some victims of Deadbolt ransomware attacks can retrieve encrypted files and servers without the need to pay cyber-criminal extortionists.

Medibank’s alleged attackers threaten data release, extortion
Date: 2022-10-20 Author: iTnews
[Refer AUSCERT Bulletin: ASB-2022.0199.3]
Medibank has entered a trading halt after being contacted by a group claiming to have copied customer data. The Sydney Morning Herald yesterday reported it had heard from the alleged attackers, who were threatening to release patient data from a “200 gigabyte” haul. The threats included selling the data, or releasing information like diagnoses about the most prominent people found in the database. In a market disclosure late yesterday, the health insurer said it was “a new development” that will “cause concerns for customers”.
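The ECB weakness behind the Office 365 Message Encryption item above is easy to see in code. The following Go program is an added example, not code from this newsletter or from WithSecure’s research; it uses a constructed key and message body, encrypts the same body under AES-ECB and AES-GCM, and counts repeated ciphertext blocks, which is exactly the structure ECB hands to anyone who can read the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo key and body; the 16-byte block repeats like boilerplate does.
var (
	demoKey  = bytes.Repeat([]byte{0x42}, 32)
	demoBody = bytes.Repeat([]byte("CONFIDENTIAL--->"), 4)
)

// ecbEncrypt encrypts each block independently, which is all ECB mode is; Go
// ships no ECB helper on purpose, so it is spelled out. pt is whole blocks.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(pt))
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// duplicateBlocks counts ciphertext blocks seen more than once: under ECB equal
// plaintext blocks give equal ciphertext blocks, readable without the key.
func duplicateBlocks(ct []byte, bs int) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// compareModes encrypts msg under AES-ECB and AES-GCM with one key and returns
// the duplicate-block count of each (GCM's trailing auth tag is excluded).
func compareModes(msg []byte) (ecbDups, gcmDups int) {
	block, _ := aes.NewCipher(demoKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)     // AES block: cannot fail
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh per message; a reused nonce breaks GCM
	ct := gcm.Seal(nil, nonce, msg, nil)
	return duplicateBlocks(ecbEncrypt(block, msg), aes.BlockSize), duplicateBlocks(ct[:len(msg)], aes.BlockSize)
}
```

With the constructed body, compareModes(demoBody) reports three repeated blocks under ECB and none under GCM; the defensive takeaway is that any mode in which each block is encrypted independently should be treated as a plaintext-structure leak, not as confidentiality.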
ESB-2022.5278 – Apache Commons Text: CVSS (Max): 9.8
Apache Software Foundation has reported a critical vulnerability in Apache Commons Text and recommends that its users upgrade to version 1.10.0.

ASB-2022.0199.3 – UPDATE Medibank Cyber Security Incident
Medibank has reported that the alleged hacking group has provided a sample of records for 100 policies. The Australian Federal Police is investigating the issue as a crime.

ASB-2022.0200.2 – UPDATE MyDeal Data Breach
The hacker involved in the MyDeal data breach has reportedly released samples of the stolen data to a hacking forum. MyDeal customers are encouraged to reset their passwords.

ASB-2022.0220 – Oracle PeopleSoft: CVSS (Max): 8.1*
Multiple vulnerabilities have been identified in Oracle PeopleSoft. The vendor has released a critical patch update which contains 8 new security patches.

ASB-2022.0201 – Oracle Commerce Platform: CVSS (Max): 9.8
The critical patch update for October 2022 contains 3 new security patches for Oracle Commerce.

ESB-2022.5232 – Jenkins Plugins: CVSS (Max): 8.8
The Jenkins Security Advisory for October 2022 announces vulnerabilities in Jenkins plugins. Security updates have been released for most of the plugins.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for October 14th 2022

Greetings,

As Marie Antoinette is said to have proclaimed, “Let them eat cake!”, for today, October 14, is National Dessert Day. Given the need to celebrate such an auspicious occasion, it’s official that today is the day when calories don’t count. As such, we implore everyone to consider their preferred sugary, tasty treat to indulge in and, if you’re stuck for ideas, the following site may be able to assist. Simply click HERE.

The Optus saga moves forward, with commentary about the situation only increasing as more details and issues arise, seemingly every day. A recent article in the Financial Review posits that “Companies and individuals don’t rise to the occasion. They fall to their level of preparedness.” The comment comes as banks, such as the CBA, experience an increase in the number of calls received each day from concerned customers about their financial security. The article also states that whilst risks can never be completely removed, those responsible should be aware of the risks and plan for how to respond should an incident occur.

We’d like to remind those that wish to share their thoughts, experience, and insights into the dynamic and ever-changing landscape of cyber security that the annual BDO and AUSCERT Cyber Security Survey is now open! The annual BDO and AUSCERT cyber security survey identifies the current cyber security trends, issues and threats facing organisations across Australia and New Zealand.

Zimbra remote code execution vulnerability actively exploited in the wild
Date: 2022-10-10 Author: The Daily Swig
[AUSCERT has been in touch with the affected members]
A zero-day remote code execution (RCE) vulnerability in Zimbra is being actively exploited in the wild. The bug was assigned the tracker CVE-2022-41352 in late September. Issued a CVSS severity score of 9.8, the critical issue can be exploited to plant a shell in the software’s root directory, achieving RCE and enabling attackers to wreak havoc on a vulnerable system. Zimbra, once known as the Zimbra Collaboration Suite (ZCS), is an open source email suite. The software is relied upon by millions of users and is designed for managing enterprise and SMB email and collaboration tools.

Fortinet says critical auth bypass bug is exploited in attacks
Date: 2022-10-10 Author: Bleeping Computer
[See also ASB-2022.0192.2]
Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. The security flaw (CVE-2022-40684) is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances. “An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” Fortinet said in an advisory issued today.

Medibank takes systems offline after ‘cyber incident’
Date: 2022-10-13 Author: iTnews
[See also ASB-2022.0199]
Investigates extent of unauthorised access.
Medibank has taken two customer-facing systems offline “to reduce the likelihood of damage to systems or data loss” stemming from a cyber security incident. The insurer said that policy management systems covering its ahm brand as well as international students are now offline, and would remain that way “for most of the day”. It did not detail what exactly had occurred, aside from the detection of “unusual activity on its network.”

Optus data breach response ‘cracking’ as cyber support charity fields 15,000 queries and counting
Date: None Author: ABC News
A national identity and cyber support charity says it is enduring the “toughest” period in the organisation’s history following the Optus data breach. IDCARE fielded a month’s worth of calls in just three days following the incident, and in the past three weeks has dealt with more than 15,000 interactions with no signs of slowing down.

Darkweb market BidenCash gives away 1.2 million credit cards for free
Date: 2022-10-09 Author: Bleeping Computer
[AUSCERT has been in touch with the affected members]
A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud. Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware. BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Indicators of Behavior and the Diminishing Value of IOCs
Date: 2022-10-12 Author: Cybereason
How secure is your organization if you can only stop attacks that have already been detected in other environments based on Indicators of Compromise (IOCs)? Secure enough, if those were the only attacks you needed to be concerned with. But what about targeted attacks with bespoke tactics, techniques, and procedures (TTPs) that have never been documented because they were designed only to be used against your organization? In today’s threat landscape that’s what’s happening: zero-day exploits, never-before-seen malware strains, and advanced techniques developed specifically for high-value targets are plaguing security teams.

ASB-2022.0199 – Medibank Cyber Security Incident
AUSCERT shares information on a security incident targeting Medibank. AUSCERT will continue to share further information as it becomes available.

ASB-2022.0192.2 – UPDATED ALERT FortiOS, FortiProxy and FortiSwitchManager: CVSS (Max): 9.6
Fortinet reported a critical vulnerability in 3 of its products which may allow an unauthenticated attacker to perform operations on the compromised devices. Fortinet released important mitigation information as well as security updates.

ESB-2022.5034 – wordpress: CVSS (Max): 9.8
Several security vulnerabilities were discovered in WordPress for which a security patch has been released.

ASB-2022.0195 – ALERT Azure: CVSS (Max): 10.0
Microsoft’s monthly security patch update for October included an update that resolves 3 vulnerabilities in Azure.

ASB-2022.0193 – ALERT Windows and Windows Server: CVSS (Max): 8.8
Microsoft’s most recent patch update fixes 68 vulnerabilities in Windows and Windows Server.

ESB-2022.5091 – Google Chrome: CVSS (Max): None
Google announced updates to the Google Chrome Stable channel and Extended stable channel.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
