Publications

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Securing from insider threats In this episode, AUSCERT features the following guests: > Sal Bowman, UQSchoolsNet > Mark Carey-Smith, AUSCERT Anthony sits down with Sal Bowman from UQSchoolsNet to discuss how she works with schools who’s biggest threat comes from inside. Sal explains how she helps schools assess and minimise risks through an effective and school appropriate threat assessment process. In the second half of the episode, Bek chats with Mark Carey-Smith from AUSCERT to discuss the process of narrowing almost 200 conference program submissions to just 30 and how representation of minority groups in cyber are starting to become more prominent. This episode was hosted by Anthony Caruana and Bek Cheb

Greetings, The AUSCERT2025 Program is now live! This year’s selection process was one of the most rigorous yet, with the program committee meticulously reviewing more than 200 high-quality submissions to curate a lineup of presentations, workshops, and keynotes that deliver maximum value to conference delegates. With so many outstanding proposals, the selection process was exceptionally challenging. Each submission underwent thorough evaluation and re-evaluation to ensure it met the highest standards of relevance, innovation, and impact. The result is a carefully crafted program that tackles critical security challenges, emerging threats, and industry best practices, making AUSCERT2025 an unmissable event for security professionals. A recent example of the growing sophistication of cyber attacks is the No-Phish PayPal phishing scam, which cleverly exploits PayPal’s payment request feature to bypass traditional security measures. This stealthy tactic makes it significantly harder for users to identify fraudulent activity. In response, PayPal urges users to remain vigilant, avoid interacting with suspicious invoices or payment requests, and report any dubious activity directly to their security team to help mitigate the threat. In addition to this, another PayPal scam leverages the New Address feature to send phishing emails. These emails are designed to compromise users' devices and gain unauthorized access to sensitive information. This week, Troy Hunt, frequent speaker at the AUSCERT conference, integrated the ALIEN TXTBASE dataset into Have I Been Pwned (HIBP), adding 1.5TB of stealer logs containing 23 billion rows and impacting 284 million email addresses. The dataset also includes 244 million new passwords and updates for 199 million existing ones. With this update, HIBP now allows domain owners to check for stealer logs and helps website operators identify compromised users. These logs, often sourced from malware infections linked to pirated software, circulate on platforms like Telegram, fuelling cybercrime. By enhancing its search capabilities, HIBP aims to combat these threats, equipping individuals and organisations with actionable security insights. Australia Has More to do Says National Cybersecurity Coordinator Date: 2025-02-21 Author: Australian Cyber Security Magazine In an address at a cybersecurity conference in Sydney, the National Cybersecurity Coordinator Michelle McGuinness outlined Australia’s ambitious plan to become a world leader in cyber security by 2030. The strategy, embedded within the broader 2030 Australian national security framework, recognises that achieving this goal requires not only technical prowess but also a fundamental shift in the nation’s cyber security culture. U.S. CISA adds Adobe ColdFusion and Oracle Agile PLM flaws to its Known Exploited Vulnerabilities catalog Date: 2025-02-25 Author: Security Affairs [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2017.1034/ and https://portal.auscert.org.au/bulletins/ASB-2024.0032/] U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare Date: 2025-02-26 Author: The Register A tip-off from a government agency has resulted in 284 million unique email addresses and plenty of passwords snarfed by credential-stealing malware being added to privacy-breach-notification service Have I Been Pwned (HIBP). HIBP founder Troy Hunt said an un-named agency alerted him to the existence of the trove after he published an analysis of a separate massive collection of info-stealer logs he encountered and incorporated into his site in mid-January. "After loading the aforementioned corpus of data, someone in a government agency reached out and pointed me in the direction of more data by way of two files totaling just over 5GB," Hunt wrote this week. Australia Bans Kaspersky Software Over National Security and Espionage Concerns Date: 2025-02-24 Author: The Hacker News Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing national security concerns. "After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage," Stephanie Foster PSM, the Secretary of the Department of Home Affairs, said. Only a Fifth of Ransomware Attacks Now Encrypt Data Date: 2025-02-25 Author: Infosecurity Magazine Ransomware actors are largely eschewing encryption, with at least 80% of attacks last year focusing solely on exfiltrating data, as it is quicker and easier, according to ReliaQuest. The threat intelligence vendor claimed in its Annual Cyber-Threat Report that exfiltration-only ransomware attacks are 34% faster. After initial access, “breakout time” typically takes just 48 minutes, although some groups manage to achieve lateral movement in as little as 27 minutes, giving network defenders little time to react. ESB-2025.1373 – GitLab Community Edition and GitLab Enterprise Edition: CVSS (Max): 8.7 GitLab has released versions 17.9.1, 17.8.4, and 17.7.6 for CE and EE, which include critical bug and security fixes, addressing high-severity vulnerabilities like XSS and authorisation flaws. Users are urged to upgrade their self-managed instances immediately, as GitLab.com has already been patched. The update also resolves medium-severity issues that could expose sensitive data or disrupt functionality. ESB-2025.1345 – Google Chrome: CVSS (Max): 8.8 Google issued a security advisory to address vulnerabilities in the Stable Channel Chrome for Desktop, specifically in versions prior to 133.0.6943.141/142 for Windows and Mac, and 133.0.6943.141 for Linux. Users and administrators are encouraged to review the provided web link and implement the necessary updates to ensure their systems remain secure. ESB-2025.1239 – ABB FLXEON Controllers: CVSS (Max): 10.0 An advisory has been issued regarding critical vulnerabilities in FLXeon controllers, affecting firmware versions 9.3.4 and earlier. These flaws could allow remote code execution, unauthorised access, or information leakage. Affected products include FLXEON Controllers FBXi, FBVi, FBTi, and CBXi. ABB recommends upgrading to firmware version 9.3.5 and applying security measures, such as disconnecting exposed devices and ensuring secure remote access. ESB-2025.1371 – Cisco Nexus 3000 and 9000 Series Switches: CVSS (Max): 7.4 Cisco has disclosed a high-severity vulnerability in Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode, allowing unauthenticated attackers to trigger denial of service conditions. The flaw, rated 7.4 on the CVSS v3.1 scale, affects critical infrastructure and can cause prolonged service disruptions through malicious Ethernet frames. Cisco recommends upgrading to patched software or using ACL-based workarounds to mitigate the risk. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Join Our Upcoming Webinar: Strengthen Your Security with Maturity Assessments! Don’t miss our upcoming webinar, where we’ll introduce our new Maturity Assessment service—an essential tool for evaluating your organisation’s security posture against critical NIST controls. Learn how to identify gaps and risks across people, processes, and technology, helping you build more resilient cybersecurity practices. Register Now and take the next step in enhancing your organisation’s security! Cyber threats continue to pose significant risks to businesses across all industries, and the healthcare sector is no exception. Genea, a nationwide IVF provider with 21 locations, recently fell victim to a cyber attack, leading to unauthorised data access and system disruptions. While the full extent of the breach is still unfolding, the attack has already caused a phone outage and disrupted the My Genea App, impacting both patients and staff. Many patients remain uninformed, with some yet to receive official communication about the breach. Others, frustrated and anxious, have spent days attempting to contact Genea with urgent clinical inquiries, further highlighting the severe operational and patient care implications of the attack. This incident serves as a stark reminder that no organisation is immune to cyber threats, and the ability to respond quickly and effectively is crucial to minimising damage. A well-structured Cyber Incident Response Plan (CIRP) is the backbone of any organisation’s cyber security strategy. No matter how strong an organisation’s security measures are, breaches can still occur. When they do, a well-written CIRP helps teams to respond swiftly, contain the damage, and recover operations with minimal disruption. Without a clear response strategy, businesses risk prolonged downtime, data loss, regulatory penalties, and reputational damage—all of which can have long-term consequences. At AUSCERT, we provide tailored incident response plans designed to meet your operational needs and regulatory requirements. A strong CIRP not only helps mitigate risks but also enhances resilience against future attacks. Don’t wait for a breach to expose gaps — be prepared. Enquire today about our bespoke Cyber Incident Response Plans and safeguard your organisation. AUSCERT members receive 15% off this essential service! Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts Date: 2025-02-14 Author: CyberScoop Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens. Microsoft threat researchers discovered a series of what they are calling “device code” phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in research released Thursday. New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now Date: 2025-02-18 Author: The Hacker News [Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.1166/ https://portal.auscert.org.au/bulletins/ESB-2025.1165/ https://portal.auscert.org.au/bulletins/ESB-2025.1142] Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. Palo Alto Networks tags new firewall bug as exploited in attacks Date: 2025-02-19 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1026.3/] Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 with CVE-2024-9474) to breach PAN-OS firewalls in active attacks. The vendor first disclosed the authentication bypass vulnerability tracked as CVE-2025-0108 on February 12, 2025, releasing patches to fix the vulnerability. That same day, Assetnote researchers published a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained together to gain root privileges on unpatched PAN-OS firewalls. Australia Imposes Sanctions On Medibank Private Cyberattack Date: 2025-02-14 Author: The Cyber Express The government of Prime Minister Anthony Albanese has imposed additional cyber sanctions in response to a major 2022 cyberattack that hit Medibank Private. The breach, which compromised millions of customers’ sensitive medical data, marked a turning point in Australia’s approach to cyber security. The Medibank Private cyberattack not only targeted the personal information of Medibank’s customers but also saw portions of the stolen data published on the dark web. Ransomware-as-a-service actors drive four-times increase in ransomware attacks Date: 2025-02-17 Author: Cyber Daily Every year, Barracuda Networks releases a detailed cyber security report based on its managed extended detection and response business, and while the previous 12 months saw relatively consistent activity across the year, ransomware activity increased dramatically. The numbers that Barracuda can draw on for its analysis are impressive. The company tracked 11 trillion IT events in total and found that more than 1 million of them were potential risks requiring assessment. Microsoft Patches Actively Exploited CVE-2025-21355 RCE Vulnerability in Bing Date: 2025-02-20 Author: The Hacker News Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed below – CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability "Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network," the tech giant said in an advisory for CVE-2025-21355. No customer action is required. ESB-2025.1214 – Linux kernel: CVSS (Max): 9.1* Several security issues were fixed in the Linux kernel. An attacker could possibly exploit these vulnerabilities to compromise the system. This major update corrects these flaws. ESB-2025.1171 – Atlassian Products: CVSS (Max): 9.8 The vulnerabilities reported in this Security Bulletin include 7 high-severity vulnerabilities and 5 critical-severity vulnerabilities which have been fixed. Atlassian recommends patching your instances to the latest version or one of the Fixed Versions as advised in this Security Bulletin. ESB-2025.1155 – IBM Security QRadar SIEM: CVSS (Max): 9.8 IBM QRadar SIEM includes vulnerable components (e.g. framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. ESB-2025.1144 – Docker: CVSS (Max): 9.9 Several security issues were fixed in Docker. Docker could unexpectedly forward DNS requests from internal networks in an unexpected manner. An attacker could possibly use this issue to exfiltrate data by encoding information in DNS queries to controlled nameservers. This issue was only addressed in Ubuntu 24.04 LTS. ESB-2025.1168 – Citrix NetScaler Console and NetScaler Agent: CVSS (Max): 8.8 A vulnerability has been discovered in NetScaler Console (formerly NetScaler ADM) and NetScaler Agent. Cloud Software Group strongly urges customers of NetScaler Console and NetScaler Agent to install the relevant updated versions as soon as possible. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Happy Valentine's Day! While celebrating with loved ones, it's crucial to stay vigilant against malicious behaviour. Enjoy the love but remain cautious. Threat actors exploit this emotional time to their advantage. Be warned: new AI-enhanced romance scams are targeting Australian hearts and bank accounts. Researchers warn that romance scams pose a significant threat, costing nearly $35 million in 2023, with many cases going unreported. Scammers exploit dating apps and generative AI to create convincing messages. Currently the most prevalent and impactful romance scam is romance baiting, where scammers build fake relationships to gain trust and persuade victims to invest in fake cryptocurrency, stock platforms, or other scams. The Australian government is making significant strides in consumer protection. This week, Parliament passed the world's first Scams Prevention Framework Bill, enhancing protections by establishing consistent and enforceable obligations for businesses in key sectors where scammers operate. The framework empowers the ACCC to investigate potential breaches and take enforcement action against entities that fail to fulfill their obligations. If you're interested in gaining essential skills to navigate the legal and managerial dimensions of cyber security in your organisation, we recommend registering for our course led by General Manager Ivano Bongiovanni. The Overcoming Cyber Risks course covers legal implications and privacy laws, offering strategies to manage risk using enterprise risk frameworks, including crisis response and vendor oversight. Lastly, a positive reminder: AUSCERT2025 registrations are officially open! Take advantage of early bird discounts and secure your favourite tutorials before spaces run out! Massive brute force attack uses 2.8 million IPs to target VPN devices Date: 2025-02-08 Author: Bleeping Computer A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall. A brute force attack is when threat actors attempt to repeatedly log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to a network. CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration Date: 2025-02-09 Author: Security Online Zimbra Collaboration, a widely used open-source email and collaboration platform, has been found to contain two newly discovered security vulnerabilities that pose a serious risk to businesses relying on the software for email, calendaring, file sharing, and task management. These vulnerabilities, identified as CVE-2025-25064 and CVE-2025-25065, could allow attackers to gain unauthorized access to sensitive data and internal network resources. SonicWall firewall exploit lets hackers hijack VPN sessions, patch now Date: 2025-02-11 Author: Bleeping Computer [AUSCERT contacted the impacted members (where possible) via email in January 2025] Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. The vendor warned about the high exploitation possibility of the flaw in a bulletin on January 7, urging administrators to upgrade their SonicOS firewalls' firmware to address the problem. AnyDesk Exploit Alert: CVE-2024-12754 Enables Privilege Escalation—PoC Available Date: 2025-02-09 Author: Security Online Security researcher Naor Hodorov has recently published an analysis of a vulnerability discovered in AnyDesk, a popular remote administration software. This vulnerability, identified as CVE-2024-12754, could allow a low-privileged user to gain elevated access and potentially take complete control of a system. The vulnerability stems from an elevated arbitrary file read/copy operation performed by the AnyDesk service as NT AUTHORITY\SYSTEM. Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries Date: 2025-02-12 Author: The Hacker News A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the Microsoft Threat Intelligence team said in a new report shared with The Hacker News ahead of publication. Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed Date: 2025-02-10 Author: Security Online Progress has issued a security advisory addressing multiple vulnerabilities affecting all current LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. The vulnerabilities, identified as CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, and CVE-2024-56135, could allow authenticated attackers to execute arbitrary system commands or download sensitive files. ASB-2025.0035 – Microsoft Office products: CVSS (Max): 9.8 CISA has issued an urgent warning about the exploitation of a critical Microsoft Outlook vulnerability (CVE-2024-21413). The flaw enables remote code execution through malicious email links, bypassing Office Protected View. Exploiting this vulnerability allows attackers to open emails in editing mode, posing serious risks to federal agencies. ESB-2025.0830 – Trimble Cityworks: CVSS (Max): 7.2 Trimble has issued an urgent cybersecurity alert concerning a critical vulnerability in its Cityworks asset and work management software. Identified as CVE-2025-0994 with a CVSS score of 7.2, this flaw is actively being exploited, presenting a serious threat to organisations utilising the platform. ESB-2025.1035 – Google Chrome: CVSS (Max): None Google's latest Chrome update addresses multiple vulnerabilities, including the critical CVE-2025-0995, a "Use-After-Free" issue in the V8 JavaScript engine. The update fixes the security flaw that could allow attackers to execute malicious code remotely on vulnerable systems. The Chrome Stable channel has been updated to versions 133.0.6943.98/.99 for Windows and Mac, and 133.0.6943.98 for Linux. ASB-2025.0043 – Microsoft Windows: CVSS (Max): 8.8 February 2025 Patch Tuesday addresses 56 vulnerabilities, including two zero-days, CVE-2025-21418 and CVE-2025-21391, under active exploitation. CVE-2025-21418, affecting the Windows Ancillary Function Driver, allows privilege escalation, while CVE-2025-21391 impacts Windows Storage, potentially leading to file deletion and service disruption. These flaws highlight ongoing risks, including possible exploitation by threat groups like Lazarus. ESB-2025.0876 – Apple iOS 18.3.1 and iPadOS 18.3.1: CVSS (Max): None Apple released emergency security updates for iOS and iPadOS to fix a vulnerability (CVE-2025-24200) that has been exploited in the wild. The issue, described as an authorisation flaw, could allow attackers to disable USB Restricted Mode on a locked device during a cyber-physical attack. This indicates that the attackers need physical access to the device to exploit the vulnerability. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Member Tokens for the AUSCERT2025 conference are now available! This is your exclusive chance to register early and secure your spot at the conference. Be sure to sign up for our expert-led tutorials to deepen your cybersecurity knowledge. Public registrations open next week so take advantage of this early access while you can! This week, the Australian Signals Directorate (ASD) issued an important reminder about securing edge devices—the gateways where data flows in and out of networks. Leaving these network perimeters unprotected is like leaving doors wide open, making it easier for malicious actors to access sensitive data, disrupt operations, and launch further attacks. While many of you have likely addressed this, it’s a timely reminder for those who haven’t. Common edge devices in enterprise networks include routers, firewalls, and VPN concentrators. The ASD provides best practices to ensure these devices don’t become security weak points. Amid ongoing speculation surrounding DeepSeek, the Australian government has officially banned the AI chatbot on government devices due to national security concerns. Acting on intelligence agency advice, the Home Affairs Department Secretary issued a directive on Tuesday prohibiting its use across all federal government systems and devices, citing it as an unacceptable security risk. Officials emphasised that the decision was based on security assessments rather than the program’s Chinese origin. PoC Exploit Released for macOS Kernel Vulnerability CVE-2025-24118 (CVSS 9.8) Date: 2025-02-02 Author: Security Online [AUSCERT has published security bulletins for these Apple updates] A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution, according to security researcher Joseph Ravichandran (@0xjprx) of MIT CSAIL. Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4. Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections Date: 2025-02-04 Author: The Hacker News A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09. "The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files," Trend Micro security researcher Peter Girnus said. CISA orders agencies to patch Linux kernel bug exploited in attacks Date: 2025-02-05 Author: Bleeping Computer CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks. Tracked as CVE-2024-53104, the security bug was first introduced in kernel version 2.6.26 and was patched by Google for Android users on Monday. "There are indications that CVE-2024-53104 may be under limited, targeted exploitation," the Android February 2025 Android security updates warn. Backdoor found in two healthcare patient monitors, linked to IP in China Date: 2025-01-30 Author: Bleeping Computer The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device. Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments. DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked Date: 2025-01-30 Author: The Hacker News Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data. The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal Nagli said. The exposure also includes more than a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information, such as API Secrets and operational metadata. Hackers spoof Microsoft ADFS login pages to steal credentials Date: 2025-02-05 Author: Bleeping Computer A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections. The targets of this campaign, according to Abnormal Security that discovered it, are primarily education, healthcare, and government organizations, with the attack targeting at least 150 targets. ESB-2025.0755 – Google Chrome: CVSS (Max): None The Chrome team has released version 133 for Windows, Mac, and Linux, which includes important updates, particularly a set of twelve security fixes. While new features are part of the update, the main focus is on addressing vulnerabilities to ensure a safer browsing experience. The update is being rolled out gradually, with version 133.0.6943.53 for Linux and 133.0.6943.53/54 for Windows and Mac. ESB-2025.0732 – Mozilla Thunderbird: CVSS (Max): 9.8* Multiple vulnerabilities were found in Mozilla products, exposing systems to remote code execution, denial of service, spoofing, and data manipulation. Affected versions include Firefox 135, Firefox ESR 115.20, Thunderbird 135, and others. Users are advised to apply the latest updates to mitigate these security risks. ESB-2025.0709 – Android: CVSS (Max): 9.8* The Android Security Bulletin February 2025 provides information on security vulnerabilities impacting Android devices. The most critical issue is a high-severity vulnerability in the Framework component, which could allow local privilege escalation without requiring additional execution privileges. These issues are resolved by security patch levels of 2025-02-05 or higher. ESB-2025.0799 – Cisco Identity Services Engine (ISE): CVSS (Max): 9.9 Cisco released patches for critical vulnerabilities in its Identity Services Engine (ISE), tracked as CVE-2025-20124 and CVE-2025-20125. The flaws, affecting ISE APIs, could allow authenticated remote attackers to execute arbitrary commands, escalate privileges, or tamper with device configurations. Users are urged to update to ISE versions 3.1P10, 3.2P7, or 3.3P4 immediately, as no workarounds are available. Stay safe, stay patched and have a good weekend! The AUSCERT team

A guide to AUSCERT Member Security Incident Notifications: MSINs Introduction The Member Security Incident Notifications (MSINs) service provides crucial alerts and insights on security incidents affecting members. What is an MSIN? An MSIN is a daily customised composite security report targeted towards AUSCERT member organizations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms. MSIN Dashboard As part of this service, a dashboard view provides high level statistics along with the ability to search and filter organisational alerts. The dashboard is accessible at https://portal.auscert.org.au/msins MSIN Dashboard Statistics Tabs The Australia and organisation statistics tabs provide insights into both nation-wide and your own organisation’s MSIN alerts. Near the beginning of the week, it is not unusual for your organisation’s statistics to show zero or be blank, as alerts are ingested into AUSCERT’s systems around 3pm each day, and it can take up to 24-48hours for the charts to be updated. MSIN Results Table The results table is the primary interface for your organisation’s MSIN alerts and allows you to perform advanced searches, sort and filter your alerts, view the full details as well as exploring the CVEs associated with them by clicking through to the external NVD links for each CVE. By default, this view will show all alerts excluding “info” level alerts in the last 48 hours for your organisation. 48 hours has been chosen as it factors in the ~24 hour delay that occurs while MSIN alerts are ingested and processed by AUSCERT’s systems. MSIN Details Page Under the actions column for every MSIN, the three dots dropdown can be expanded to open up the details popup for each alert. This shows all available information relating to the MSIN and may contain extra information relating to specific alerts. Source reference links for additional context can also be viewed here. Further Information Daily MSINs are processed and issued daily MSINs are only issued if at least one incident report specific to the member is detected within the past 24-hour period If there are no incidents to report, no MSIN will be issued. The more security incidents spotted corresponding to your organization, the more incident reports will be included in the MSIN and the larger the MSIN is received Customised MSINs are tailored for each member organization, based on IPs and Domains provided To receive accurate and useful MSINs, it’s important this information updated is kept updated in your membership profile (see FAQ below) Severity Individual events in MSINs are categorised into the following severity levels: Critical Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE or modification or leakage of sensitive data High End of life systems, systems that you can log into with authentication that are meant to be internal (SMB, RDP), some data can be leaked. Sinkhole events end up in this category. Medium Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring visibility into network traffic (MITM without being able to manipulate the traffic) to exploit, attacker will need to know internal systems/infrastructure in order to exploit it. Low Deviation from best practice – little to no practical way to exploit, but setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. For example, SSL POODLE reports may end up in this category. Info Informational only. Review in accordance with your security policy. These severity levels are based on those used by Shadowserver. Events which have not been assigned a severity will be marked as Unknown. A summary of reports by severity level can be found at the top of your MSIN. For example:     Summary of reports based on severity:     * Critical: accessible-ssh 3     * High    : vulnerable-exchange-server 1     * Medium  : accessible-cwmp 1 The MSIN subject will be prefixed with the highest-level severity seen in the report. For example: [Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for “Member Name” Composite Each MSIN could potentially consist of multiple incident TYPE reports. For example, it could contain an Infected Hosts report which highlights hosts belonging to a member organization that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack. Each incident type report could also include multiple incident reports. For example, this “infected hosts” report contains 2 incidents: Incidents Reported Timestamp:                      2015-08-25T00:20:34+00:00 Drone IP:                       123.456.789.abc Drone Port:                     13164 Drone Hostname:                 abc.xxx.xxx.xxx.au Command and Control IP:         aaa.bbb.ccc.ddd Command and Control Hostname:   imacnc1.org Command and Control Port:       80 Malware Type:                   redyms Timestamp:                      2015-08-25T00:20:34+00:00 Drone IP:                       321.654.987.cba Drone Port:                     2343 Drone Hostname:                 def.xxx.xxx.xxx.au Command and Control IP:         ddd.eee.fff.ggg Command and Control Hostname:   imacnc2.org Command and Control Port:       123 Malware Type:                   dyre All timestamps are in UTC. It is imperative that these incidents be reviewed and handled individually. Structure An MSIN has the following basic structure. ==================HEADING FOR INCIDENT TYPE 1================== Incident Type Name of the incident and any known exploited vulnerabilities and associated CVEs. Incident Description Further information on potential attack vectors and impacts. Incidents Reported List of individual reports sighted by AUSCERT Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future. References Links to resources referenced within the report. Additional Resources Links to additional material such as tutorials, guides and whitepapers relevant to the report aimed at enhancing the recipients understanding of the addressed vulnerabilities, potential impacts and mitigation techniques. =============================END OF REPORT========================= =====================HEADING FOR INCIDENT TYPE 2=================== Incident Type Incident Description Incidents Reported Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations References Additional Resources =============================END OF REPORT========================= … … =====================HEADING FOR INCIDENT TYPE X=================== =============================END OF REPORT=========================   MSINs API Overview The MSINs API provides two endpoints for querying and retrieving information about MSINs. Base URL https://portal.auscert.org.au/api/msins/v1/ Authentication All endpoints require API key authentication. Include your API key in the request headers as follows: 1 | API-Key: <your_api_key> Endpoints Search MSINs Returns a list of MSINs matching the specified parameters or default values. Endpoint: /search Method: GET Get MSIN Details Returns the detailed information for a single specified MSIN object. Endpoint: /get Method: GET   Frequently Asked Questions 1. How can I update domain/IP information for my organisation? If you are a Primary AUSCERT contact simply email AUSCERT Membership at membership@auscert.org.au and provide the updated information. If you have a privileged account in the Member portal you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organisation’s ownership or control prior to including them in the monitoring list. 2. Where does the information in an MSIN come from? AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and third parties entails conditions which prevent disclosure of the source(s) of information.  

Greetings, This week, we released a new episode of our podcast, "Share Today, Save Tomorrow." In Episode 39 – AI, Evolving Threats & the End of Attribution?, Anthony sits down with Michael Hamm from CIRCL (the CERT of Luxembourg and core maintainers of MISP) to explore AI’s impact on cybersecurity, the shifting threat landscape, and whether attribution is becoming impossible. In the second half, Bek speaks with AUSCERT’s General Manager, Ivano Bongiovanni, about what’s ahead for 2025. The recent news of the surge in popularity of the AI application DeepSeek highlights how highly publicised products can create cyber security and privacy risks. 1.Phishing Lures & Malicious Software: The hype surrounding ‘the next big thing’ creates opportunities for threat actors to craft phishing lures and fake, malicious software (mobile apps, browser plugins, etc.) that mimic the original. 2.Unauthorised Adoption: Staff members may rapidly adopt new products and services without seeking advice from cyber security professionals and accidentally disclose confidential information. Without proper oversight, staff may unknowingly enter sensitive company data into AI-powered tools, unaware that the platform may store, process, or even share the information externally. 3.Data Privacy & Compliance Risks: AI applications often require access to large volumes of personal or proprietary data, raising significant privacy and compliance concerns. If organisations fail to verify how an AI tool stores and processes data, they risk violating compliance obligations. To embrace AI while minimising cyber security risks, organisations should: •Educate staff on the risks of AI adoption and ‘free’ software in general. •Implement security policies that provide practical guidance on AI usage within the organisation. •Monitor emerging threats, such as phishing campaigns targeting trending AI applications. •Conduct security assessments as part of third party risk management practices before integrating AI tools into business workflows. By staying proactive and security-conscious, organisations can harness AI’s potential without compromising cyber security or privacy. VMware Warns of High-Risk Blind SQL Injection Bug in Avi Load Balancer Date: 2025-01-28 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.0601/] Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers would exploit the issue to gain broader database access. The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity score of 8.6/10. The company described the security defect as an unauthenticated blind SQL Injection vulnerability and urged enterprise admins to apply available patches urgently as there are no pre-patch workarounds. CVE-2025-0065: TeamViewer Patches Privilege Escalation Vulnerability in Windows Clients Date: 2025-01-29 Author: Security Online TeamViewer, a popular remote access and support software, has issued a critical security advisory addressing a vulnerability that could allow attackers to gain elevated privileges on Windows systems. The vulnerability, tracked as CVE-2025-0065 and assigned a CVSS score of 7.8 (High), affects TeamViewer Clients for Windows prior to version 15.62. According to the advisory, the flaw stems from “Improper Neutralization of Argument Delimiters in the TeamViewer_service.exe component.” New Zyxel Zero-Day Under Attack, No Patch Available Date: 2025-01-29 Author: Security Week Malware hunters at GreyNoise are reporting active exploitation of a newly discovered zero-day vulnerability in Zyxel CPE devices alongside warnings that there are no patches available from the vendor. GreyNoise, which monitors the internet for malicious activity, described the flaw as a critical command injection issue that opens the door for attackers to gain full system compromise. Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era Date: 2025-01-30 Author: ACSC With the rise of advanced tools that enable the rapid creation, alteration, and distribution of images, videos, and other digital content, there are many ways to manipulate what people see and believe. The ability to manipulate media is not new, but the accessibility, speed, and quality of these modifications today, powered by artificial intelligence (AI) and machine learning tools, have reached unprecedented levels and may not be caught by traditional verification methods. GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs Date: 2025-01-27 Author: The Hacker News Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. "Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways." ESB-2025.0595 – Rockwell Automation FactoryTalk: CVSS (Max): 9.8 Rockwell Automation released six security advisories addressing critical vulnerabilities. Notable issues include CVE-2025-24479, a local code execution vulnerability, and CVE-2025-24480, a remote code execution vulnerability. Both flaws pose significant security risks and require prompt action. ESB-2025.0576 – Google Chrome: EPSS (Max): None Google has released a patch for CVE-2025-0762, a medium-severity use-after-free memory issue in Chrome’s DevTools function. This vulnerability impacts users on Linux, Mac, and Windows, though Android appears unaffected for now. Users are urged to update to address the security risk. ESB-2025.0560 – Juniper Networks Juniper Secure Analytics: CVSS (Max): 9.8 Multiple critical vulnerabilities were discovered in Juniper Secure Analytics versions prior to 7.5.0 UP10 IF02, identified by various CVEs. Exploiting these flaws could lead to remote code execution, denial of service, data confidentiality breaches, and security policy bypass. Juniper has released security updates as of January 2025, to address these issues. ESB-2025.0549 – Apple iOS and Apple iPadOS: CVSS (Max): 7.8* iOS 18.3 and iPadOS 18.3 address multiple security vulnerabilities across various components, including AirPlay, CoreMedia, and WebKit. These updates fix issues such as privilege escalation, denial-of-service, and unauthorised access, impacting devices like iPhone XS and later, and several iPad models. The update includes fixes for issues and is available via iTunes or Software Update. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow”  AI, Evolving Threats & the End of Attribution? In this episode, AUSCERT features the following guests: Michael Hamm, CIRCL Ivano Bongiovanni, AUSCERT Anthony sits down with the Michael Hamm from CIRCL the CERT of Luxembourg and creators of MISP. They discuss AI, the emerging threat landscape and whether attribution is going to become impossible In the second half of the episode, Bek chats with Ivano Bongiovanni from AUSCERT to discuss what AUSCERT has in store for 2025. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify and Apple Podcasts

Greetings, This week, Oracle released patches addressing a staggering 320 security vulnerabilities. Among the most critical issues are those affecting Oracle Communications Applications and Fusion Middleware, both with a CVSS score of 9.8. These vulnerabilities allow attackers to exploit systems over a network without requiring authentication. Make sure you stay on top of updates and patches to protect your systems. A final reminder the Call for Presentations for the AUSCERT2025 conference closes at midnight on 28 January! This is your last chance to submit a proposal. If you're a first-time speaker or would like support with your delivery or presentation, you can opt in to our Speaker Mentoring Program when submitting your proposal. This program provides personalised guidance to help refine your presentation, improve delivery, and build confidence. Our experienced mentors are here to assist you every step of the way. We're also excited to announce that the Tutorials Program for AUSCERT2025 is now live on our website! This year’s program features some returning favourites with new content, as well as fresh perspectives on exciting subjects. Topics include Incident Response Handling, Network Security, Red Teaming, Information Security Innovation, Awareness and Culture, Cyberpsychology, and Governance, Risk and Compliance (GRC). Whether you’re looking to deepen your expertise or explore new areas, this year’s program has something for everyone. Head to our website to explore the full list of tutorials, detailed descriptions, and instructor profiles. Registrations will be opening soon, so don’t miss your chance to secure a spot in these highly sought-after sessions! Stay tuned for updates, and we look forward to seeing you at AUSCERT2025! CISA, FBI Update Software Security Recommendations Date: 2025-01-20 Author: Security Week The US cybersecurity agency CISA and the FBI have updated their guidance on risky software security bad practices to include the feedback received during a public comment period. Called Product Security Bad Practices, the guidance provides an overview of the security practices considered exceptionally risky, provides recommendations on addressing them, and urges makers of software for the critical infrastructure to prioritize security. Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released Date: 2025-01-20 Author: Cyber Security News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0188.3/] A critical vulnerability, CVE-2024-43468, has been identified in Microsoft Configuration Manager (ConfigMgr), posing a severe security risk to organizations relying on this widely used systems management software. Rated with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute remote code on affected systems, potentially leading to complete system compromise. Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications Date: 2025-01-22 Author: CISA [AUSCERT has shared IoCs via MISP] According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers. Telegram captcha tricks you into running malicious PowerShell scripts Date: 2025-01-22 Author: Bleeping Computer Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into run PowerShell code that infects them with malware. The attack, spotted by vx-underground, is a new variant of the "Click-Fix" tactic that has become very popular among threat actors to distribute malware over the past year. However, instead of being fixes for common errors, this variant pretends to be a captcha or verification system that users must run to join the channel. ESB-2025.0471 – ClamAV: CVSS (Max): 5.3 Cisco has released a patch for heap-based buffer overflow (CVE-2025-20128) affecting Cisco Secure Endpoint Connector. The buffer overflow flaw could disrupt ClamAV scanning on endpoints, and a proof-of-concept exploit is available but has not been observed in the wild. ESB-2025.0463 – Google Chrome: CVSS (Max): None Google has released a critical security update for Chrome, addressing three vulnerabilities, including two high severity issues in the V8 JavaScript engine. CVE-2025-0611 allows object corruption, potentially leading to arbitrary code execution, while CVE-2025-0612 involves out-of-bounds memory access that could crash the browser or enable code execution. Users are urged to update to version 132.0.6834.110/111 immediately. ESB-2025.0467 – Cisco Meeting Management: CVSS (Max): 9.9 Cisco has released updates to address a critical privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management system's REST API. With a CVSS score of 9.9, the flaw could allow authenticated attackers to gain administrator privileges on affected instances. Exploiting the vulnerability involves sending API requests to a specific endpoint, potentially giving attackers control over managed edge nodes. ESB-2025.0470 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7 GitLab has released security updates (versions 17.8.1, 17.7.3, and 17.6.4) to address multiple vulnerabilities, including a high-severity XSS flaw (CVE-2025-0314). The vulnerability allows attackers to inject malicious scripts into GitLab instances via improper file rendering, potentially leading to session hijacking or control over affected systems. Users are urged to update to the latest versions to mitigate the risks. ASB-2025.0031 – Oracle Supply Chain: CVSS (Max): 9.9 Oracle’s January 2025 Critical Patch Update addressed several vulnerabilities across its products, including six new patches for Oracle Supply Chain. Notably, CVE-2025-21556 and CVE-2024-23807 are high-severity flaws, allowing unauthenticated attackers to exploit Oracle Agile PLM Framework and Oracle Agile Engineering Data Management remotely. Successful exploitation could result in unauthorised access to critical data or system takeovers. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week served as a valuable reminder, as we begin the new year, of the critical importance of maintaining vigilance in cyber security practices. Keeping systems patched and updated is essential because software updates often address newly discovered vulnerabilities that attackers could exploit. Failing to apply these updates can leave systems vulnerable to threats such as malware, ransomware, and unauthorised access. Each patch typically resolves security gaps, enhances functionality, and improves software stability. Therefore, regularly checking for updates and applying patches promptly is crucial for maintaining robust defences in the ever-evolving cyber security landscape. This week, Microsoft rolled out fixes for 160 security flaws across a range of Windows OS and applications, marking the highest number of CVEs addressed in a single month since 2017. This update included patches for three actively exploited zero-day vulnerabilities affecting Windows Hyper-V NT Kernel Integration VSP, remote code execution risks in Microsoft Digest Authentication, Remote Desktop Services, Windows OLE, Microsoft Excel, and Windows RMCAST. Additionally, the Australian Signals Directorate (ASD) published an article on "Secure by Design" principles, highlighting common weaknesses in operational technology components. These weaknesses include weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and outdated protocols. Such flaws can be easily exploited by cyber threat actors to gain unauthorised access to systems. Over 660,000 Rsync servers exposed to code execution attacks Date: 2025-01-15 Author: Bleeping Computer Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers. Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. It supports local file systems transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon. Ivanti Patches Critical Vulnerabilities in Endpoint Manager Date: 2025-01-15 Author: Security Week Ivanti on Tuesday announced patches for multiple critical- and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM). The most severe of the resolved flaws are four absolute path traversal issues in Ivanti EPM that could allow remote, unauthenticated attackers to leak sensitive information. Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8), the bugs impact EMP versions 2024 and 2022 SU6 that have the November 2024 security update installed. Zyxel Urges Patch Application for Privilege Escalation Vulnerability (CVE-2024-12398) Date: 2025-01-13 Author: Security Online Zyxel has issued an advisory for a newly identified security vulnerability, CVE-2024-12398, that affects multiple access points (AP) and security routers. With a CVSS score of 8.8, this vulnerability underscores the urgency for users to apply patches immediately to protect their systems from potential exploitation. The vulnerability is an improper privilege management flaw within the web management interface of certain Zyxel AP and router firmware versions. CVE-2025-22777 (CVSS 9.8): Critical Security Alert for GiveWP Plugin with 100,000 Active Installations Date: 2025-01-11 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] A severe vulnerability has been identified in the GiveWP plugin, one of WordPress’s most widely used tools for online donations and fundraising. Tracked as CVE-2025-22777, the flaw has a CVSS score of 9.8, signaling its criticality. With over 100,000 active installations, the GiveWP plugin powers countless donation platforms worldwide. New macOS Exploit Revealed: PoC for CVE-2024-54498 Breaks Sandbox Security Date: 2025-01-12 Author: Security Online Recently, security researcher @wh1te4ever has revealed a proof of concept (PoC) exploit for CVE-2024-54498, a vulnerability that allows applications to escape the confines of the macOS Sandbox. The PoC, published on GitHub, demonstrates how malicious actors could leverage this flaw to gain unauthorized access to sensitive user data. The macOS Sandbox is a critical security feature that restricts applications from accessing or modifying files and resources outside their designated area. This safeguard protects users from malicious software that might attempt to steal personal information, corrupt system files, or install malware. Fortinet warns of auth bypass zero-day exploited to hijack firewalls Date: 2025-01-14 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.0250/] Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. This security flaw (tracked as CVE-2024-55591) impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module. ESB-2025.0199 – Google Chrome: CVSS (Max): None Google has issued an urgent warning about 13 security vulnerabilities in Chrome, affecting Windows, Mac, Linux, and Android. This follows a recent exploit discovered in the "Sign In With Google" feature, risking sensitive data theft. Users are advised to update Chrome immediately to address these critical issues. ESB-2025.0224 – Adobe Photoshop: CVSS (Max): 7.8 Adobe has released critical security fixes for over a dozen vulnerabilities across its products, including Photoshop for Windows and macOS. The updates address two high-severity arbitrary code execution flaws in Photoshop, which could be exploited by hackers. Users are urged to apply the updates immediately to mitigate the risks of remote code execution attacks. ASB-2025.0001 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has warned of three exploited zero-day vulnerabilities in the Windows Hyper-V platform, affecting the NT Kernel Integration Virtualisation Service Provider. These flaws could allow attackers to escalate privileges and gain SYSTEM-level access. Microsoft has urged urgent attention but has not provided technical details or indicators of compromise. ESB-2025.0225 – Hitachi Energy FOXMAN-UN: CVSS (Max): 10 ICS-CERT has released an advisory regarding multiple critical vulnerabilities in Hitachi Energy's FOXMAN-UN products, including authentication bypass, argument injection, buffer overflow, improper user management, and more. These flaws could allow remote attackers to exploit the systems, potentially gaining unauthorised access and executing arbitrary code. ESB-2025.0244 – Zoom: CVSS (Max): 8.8 Zoom has issued six security bulletins addressing multiple vulnerabilities across its product ecosystem, impacting Linux, Windows, macOS, and Android. The most critical, CVE-2025-0147, is a high-severity type confusion vulnerability in the Zoom Workplace App for Linux, allowing privilege escalation via network. Users and administrators are urged to apply updates to mitigate potential risks such as data loss, privilege escalation, and DoS attacks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As we return to work, holiday scams continue to affect Australians. NAB’s fraud and cyber security experts have outlined emerging scams to watch for in 2025: AI-Driven Scams Criminals use deepfakes—AI-generated impersonations of people—to create realistic voicemails, videos, or social media posts. Be cautious of investment opportunities promoted by high-profile figures and always do your own research. Cryptocurrency Investment Scams Scammers lure victims into fake crypto-trading apps with promises of high returns. While small withdrawals may seem legitimate, larger ones will encounter hidden fees or lockouts. Always verify credentials and research the investment. Bucket List Scams Scammers target people dreaming of international travel or events, using social media to offer false opportunities. Research the seller's profile, activity, and reviews before proceeding. Remote Access Scams Targeting Businesses Scammers impersonate trusted organisations, like banks, convincing businesses to grant remote access to sensitive information. Never give remote access to unexpected callers or emails, and investigate suspicious requests. Phishing Scams Phishing remains common, with criminals impersonating banks, government agencies, or even friends. A new trend targets people with messages about expiring rewards points. Be sceptical of unsolicited contact—delete or hang up if in doubt. Stay safe and vigilant! SonicWall urges admins to patch exploitable SSLVPN bug immediately Date: 2025-01-08 Author: Bleeping Computer SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." In an email sent to SonicWall customers and shared on Reddit, the firewall vendor says the patches are available as of yesterday, and all impacted customers should install them immediately to prevent exploitation. Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability Date: 2025-01-03 Author: Security Week SafeBreach has published proof-of-concept (PoC) exploit code targeting a recently resolved denial-of-service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). The issue, tracked as CVE-2024-49113 (CVSS score of 7.5), was patched on December 10 along with a critical remote code execution (RCE) flaw in LDAP (CVE-2024-49112, CVSS score of 9.8). Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions Date: 2025-01-03 Author: Security Online The popular React framework, Next.js, has addressed a security vulnerability that could have allowed attackers to launch denial-of-service (DoS) attacks against applications using Server Actions. The vulnerability, tracked as CVE-2024-56332, was responsibly disclosed by the PackDraw team. Next.js, known for its performance and developer-friendly features, is used by many high-traffic websites and applications. Server Actions, a relatively new feature, enable server-side data fetching and mutations, enhancing application performance and security. Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product Date: 2025-01-08 Author: Security Week [AUSCERT identified the impacted members (where possible) and contacted them via email] Embattled IT software vendor Ivanti on Wednesday raised an alarm for a pair of remotely exploitable vulnerabilities in its enterprise-facing products and warned that one of the bugs has already been exploited in the wild. The high-severity vulnerabilities, tagged as CVE-2025-0282 and CVE-2025-0283, allow unauthenticated remote attackers to launch code execution and privilege escalation attacks. “We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure. Bad Tenable plugin updates take down Nessus agents worldwide Date: 2025-01-03 Author: Bleeping Computer Tenable says customers must manually upgrade their software to revive Nessus vulnerability scanner agents taken offline on December 31st due to buggy differential plugin updates. As the cybersecurity company acknowledged in an incident report issued after pausing plugin updates to prevent the issue from impacting even more systems, the agents went offline "for certain users on all sites." This ongoing incident affects systems updated to Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe, and Asia. Tenable has since pulled the bad versions and released Nessus Agent version 10.8.2 to fix the issue causing agents to shut down. ESB-2025.0099 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9* GitLab has released patch updates (versions 17.7.1, 17.6.3, 17.5.5) to fix security vulnerabilities in its import functionality and core features. The vulnerabilities (CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970) could allow system exploitation. The user contribution mapping functionality has been redesigned to resolve these issues. ESB-2025.0103 – Expedition Migration Tool: CVSS (Max): 7.8 Palo Alto Networks released a security advisory for vulnerabilities in its Expedition migration tool, which could expose sensitive data and allow unauthorised actions. The tool helps organisations transition to Palo Alto's next-gen firewall platform. Identified vulnerabilities could lead to unauthorised access to usernames, passwords, and device configurations. ESB-2025.0039 – Android: CVSS (Max): 9.8* Android's first security update of the year addresses several critical and high-severity vulnerabilities affecting many devices. The update highlights five critical remote code execution (RCE) flaws in Android's core system components, potentially allowing attackers to execute code without extra privileges. These vulnerabilities pose significant security risks to affected devices. ESB-2025.0057 – ABB ASPECT-Enterprise, NEXUS, and MATRIX series: CVSS (Max): 10 Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code. The vendor has identified the specific workarounds and mitigations users can apply to reduce risks. ESB-2025.0056 – Mozilla Foundation Products: CVSS (Max): None Multiple vulnerabilities were identified in Mozilla Products. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege, security restriction bypass, denial of service condition, remote code execution and spoofing on the targeted system. ESB-2025.0048 – Google Chrome: CVSS (Max): None Google released a critical security update for Chrome to fix a high-severity "Type Confusion" vulnerability in its V8 JavaScript engine. The flaw, tracked as CVE-2025-0291, could allow attackers to execute malicious code and compromise user systems. The update is being rolled out for Windows, Mac, and Linux users. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As we step into 2025, we are presented with both challenges and opportunities. Now is the perfect time to set clear objectives for ourselves and our organisations, laying the groundwork for the year ahead. It’s also an ideal opportunity to strengthen cyber hygiene and invest in training to further develop our individual and collective expertise. The start of this new year marks a chapter filled with potential for growth, progress, and innovation. We are ready to embrace the challenges ahead, learn from past experiences, and move forward into a period of development and success. As cyber attacks continue to rise, it is no longer a question of if, but when. To ensure organisations are properly prepared, it’s crucial to test the readiness of teams, policies, and strategies. Subsequently, tabletop exercises and maturity assessments should be prioritised as vital components of a robust cyber security strategy. Tabletop exercises simulate realistic cyber attack scenarios, enabling teams to evaluate their response plans, improve coordination, and identify vulnerabilities in their incident response processes. These exercises foster collaboration across departments, helping ensure that all stakeholders are ready to respond quickly and effectively to emerging threats. In addition, maturity assessments provide organisations with a comprehensive evaluation of the effectiveness of their cyber security frameworks. These assessments help identify gaps in policies, processes, and technologies while benchmarking progress against industry standards. By regularly conducting both tabletop exercises and maturity assessments, organisations can maintain a resilient, adaptive cyber security posture, prepared to defend against increasingly sophisticated threats. Interested in tabletop exercises or maturity assessments? Reach out to us for a quote today! New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites Date: 2025-01-01 Author: The Hacker News Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo. New details reveal how hackers hijacked 35 Google Chrome extensions Date: 2024-12-31 Author: Bleeping Computer New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven. Although initial reports focused on Cyberhaven's security-focused extension, subsequent investigations revealed that the same code had been injected into at least 35 extensions collectively used by roughly 2,600,000 people. DrayTek Devices Vulnerability Let Attackers Arbitrary Commands Remotely Date: 2025-01-01 Author: GB Hackers The DrayTek Gateway devices, more specifically the Vigor2960 and Vigor300B models, are susceptible to a critical command injection vulnerability. Exploitable via the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, attackers can inject arbitrary commands into the system by manipulating the session parameter within a crafted HTTP request. FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits Date: 2025-01-01 Author: Hack Read According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of AWS tools and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions. ESB-2025.0025 – IBM Db2 OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems. ESB-2025.0018 – python-django It was discovered that there was a potential Denial of Service (DoS) vulnerability, in Django, a popular Python-based web development framework. ESB-2025.0010 – gst-plugins-good1.0 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially executing arbitrary code if a malformed media file is opened. Stay safe, stay patched and have a good weekend! The AUSCERT team