Week in review

AUSCERT Week in Review for 28th March 2025

Greetings,

This week has been an exciting one with the release of AUSCERT's 2024 Year in Review! The report gives our members a snapshot of our work behind the scenes, the services available to them and the opportunities they can take advantage of, along with industry trends and progress across key areas. These milestones reflect our commitment to equipping members with the tools, knowledge and support needed to navigate the evolving cyber security landscape with confidence. Read the full report here.

Oracle has rejected claims that its cloud systems were compromised after a cyber criminal advertised the alleged theft of sensitive data from Oracle Cloud. The attacker claimed to have exploited a vulnerability in Oracle's Single Sign-On (SSO) login servers; Oracle denied this, stating that no breach occurred and that the leaked credentials were unrelated to Oracle Cloud. The situation intensified when the threat actor released a 10,000-line sample of the purportedly stolen data, apparently to substantiate the claim of having exfiltrated 6 million records from Oracle Cloud. BleepingComputer contacted some of the alleged victim organisations, some of whom reportedly confirmed that the data was theirs. AUSCERT has issued a Critical Member Security Information Notification to potentially impacted members and is actively monitoring the situation; we will continue to update members as it unfolds. Despite these developments, Oracle maintains there has been no breach and is proceeding with its investigation.

Critical 'IngressNightmare' Vulns Imperil Kubernetes Environments
Date: 2025-03-25 Author: Dark Reading
The maintainers of Kubernetes have released patches for four critical vulnerabilities in the Ingress NGINX Controller, affecting some 6,500 Internet-facing container orchestration clusters (41% of the total), including those used by several Fortune 500 companies.
The vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands in affected environments and completely take over Kubernetes clusters, according to researchers at Wiz, who discovered the flaws.

Researchers raise alarm about critical Next.js vulnerability
Date: 2025-03-24 Author: CyberScoop
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
The defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization. Researchers warn that attackers could exploit the recently disclosed critical vulnerability in Next.js to bypass authorization checks implemented in middleware and gain access to targeted systems. Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on March 21.

Google Patches Chrome Sandbox Escape Zero-Day Caught by Kaspersky
Date: 2025-03-25 Author: Security Week
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1867/]
Google late Tuesday rushed out a patch for a sandbox escape in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign targeting organizations in Russia.

CrushFTP warns users to patch unauthenticated access flaw immediately
Date: 2025-03-25 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately.
As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S). "Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned.

VMware Patches Authentication Bypass Flaw in Windows Tools Suite
Date: 2025-03-25 Author: Security Week
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1852/]
Virtualization technology giant VMware on Tuesday released an urgent fix for an authentication bypass security defect affecting its VMware Tools for Windows utilities suite. The vulnerability, tagged as CVE-2025-22230, opens the door for a malicious actor with non-administrative privileges on a Windows guest virtual machine to perform certain high-privilege operations within that VM.

Oracle customers confirm data stolen in alleged cloud breach is valid
Date: 2025-03-26 Author: Bleeping Computer
Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person using the handle 'rose87168' claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users.

ASB-2025.0050 – AUSCERT Bulletin Service – Oracle Cloud breach
AUSCERT released an advisory regarding an alleged Oracle Cloud breach, in which a threat actor claims to have stolen 6 million sensitive records. Oracle has denied the breach despite data samples appearing legitimate. The impact remains unclear, and mitigation measures should be evaluated against the organisation's own policies.
ESB-2025.1921 – GitLab Community and Enterprise Editions: CVSS (Max): 8.7
GitLab issued a security advisory urging users to upgrade to versions 17.10.1, 17.9.3 or 17.8.6 to address multiple vulnerabilities, including two high-severity XSS flaws (CVSS 8.7): CVE-2025-2255, which allows XSS via merge-request error messages, and CVE-2025-0811, caused by improper rendering of certain file types. Both affect versions prior to 17.8.6, 17.9.3 and 17.10.1.

ESB-2025.1867 – Google Chrome: CVSS (Max): None
Google fixed a high-severity Chrome zero-day vulnerability (CVE-2025-2783) exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian media and education organisations. The flaw was related to an incorrect handle in Mojo on Windows. The fix is rolling out globally for Windows users in Chrome version 134.0.6998.178, with automatic updates available.

ESB-2025.1852 – VMware Tools: CVSS (Max): 7.8
Broadcom issued patches for a high-severity authentication bypass vulnerability in VMware Tools for Windows, tracked as CVE-2025-22230 and rated CVSS 7.8. The flaw allows attackers with non-admin privileges to perform high-privilege operations within a Windows guest VM. The vulnerability affects VMware Tools versions 11.x.x and 12.x.x and is fixed in version 12.5.1.

ESB-2025.1840 – F5 Products: CVSS (Max): 9.8
Multiple vulnerabilities were discovered in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to remote code execution. These vulnerabilities, including CVE-2025-1974 (CVSS 9.8), allow unauthenticated attackers to execute arbitrary code and access all secrets in the Kubernetes cluster. F5 Networks has released an advisory and is actively investigating how these flaws may impact its products.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
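An added practitioner check for the IngressNightmare item in this week's review (the Dark Reading report and ESB-2025.1840 above). This is example code written for this page, not code from AUSCERT, Wiz, F5 or the ingress-nginx project. It parses controller image tags out of a constructed list of pod images (the whitespace-separated shape printed by `kubectl get pods -A -o jsonpath='{..image}'`) and flags any controller older than the fixed releases. The fixed versions, v1.11.5 and v1.12.1, are taken from the upstream Kubernetes announcement for CVE-2025-1974 and are not stated in the newsletter text; the image list is constructed.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases per the upstream Kubernetes announcement for CVE-2025-1974;
# these version numbers are not stated in the newsletter text above.
FIXED_PATCH = {(1, 11): 5, (1, 12): 1}

# Matches the upstream controller images (including the -chroot variant) and
# captures the semantic version from the tag; a trailing pre-release suffix or
# @sha256 digest is tolerated.
CONTROLLER_RE = re.compile(
    r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)(?:[-@][^\s]*)?$"
)

Version = Tuple[int, int, int]


def parse_controller_version(image: str) -> Optional[Version]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = CONTROLLER_RE.search(image.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version) -> bool:
    """True if the controller version predates the fix for CVE-2025-1974."""
    major, minor, patch = version
    if (major, minor) > (1, 12):
        return False  # released after the fix
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # 1.10 and earlier never received a backported fix
    return patch < fixed


def audit_images(images: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (image, version string, vulnerable) for each controller image found."""
    results = []
    for image in images:
        version = parse_controller_version(image)
        if version is None:
            continue  # not an ingress-nginx controller image
        results.append((image, "v%d.%d.%d" % version, is_vulnerable(version)))
    return results


# Constructed sample: image references as `kubectl get pods -A -o jsonpath='{..image}'`
# prints them (one whitespace-separated string), including a non-controller image.
SAMPLE_IMAGES = (
    "registry.k8s.io/ingress-nginx/controller:v1.11.4 "
    "registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0 "
    "registry.k8s.io/ingress-nginx/controller:v1.12.1 "
    "registry.k8s.io/coredns/coredns:v1.11.3 "
    "registry.k8s.io/ingress-nginx/controller:v1.10.1"
).split()

if __name__ == "__main__":
    for image, version, vulnerable in audit_images(SAMPLE_IMAGES):
        print("%-10s %-8s %s" % ("VULNERABLE" if vulnerable else "fixed", version, image))
```

The check deliberately treats every 1.10 and earlier release as vulnerable, since no fix was backported to those branches. Where an upgrade cannot be done immediately, the upstream guidance at the time was to disable the ingress-nginx validating admission webhook and to make sure the admission controller endpoint is not reachable from outside the cluster.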

Week in review

AUSCERT Week in Review for 21st March 2025

Greetings,

The Australian Signals Directorate (ASD) has reported a rise in denial-of-service (DoS) attacks targeting critical online services such as banking, healthcare and e-commerce. The increase is partly driven by insecure "Internet of Things" (IoT) devices, which cybercriminals co-opt to flood websites with unsolicited, excessive packet traffic and cause outages. While organisations cannot fully prevent DoS attacks, they can limit the impact by following ASD's Preparing for and Responding to Denial-of-Service Attacks guidance. Individuals can also play a role by securing their internet-connected devices using ASD resources such as Internet of Things Devices and Secure Your Wi-Fi and Router.

We are honoured to welcome Lieutenant General Michelle McGuinness as a keynote speaker for AUSCERT2025. Appointed as Australia's National Cyber Security Coordinator in February 2024, LTGEN McGuinness leads national cyber policy, major incident response and government-wide cyber preparedness. With 30 years of service in the Australian Defence Force, she has held key tactical, operational and strategic roles, including Deputy Director Commonwealth Integration at the U.S. Defense Intelligence Agency. We look forward to her insights on Australia's evolving cyber security landscape. Check out the full AUSCERT2025 program now!

Ransomware hits record high, Australia among top targets
Date: 2025-03-17 Author: Insurance Business Australia
Australia was among the 10 most targeted nations in a record-setting month for ransomware attacks, according to a cybersecurity report from Bitdefender. The company's March 2025 Threat Debrief found that ransomware incidents increased by 126% year-over-year, making last month the highest on record for reported attacks.
New Windows zero-day exploited by 11 state hacking groups since 2017
Date: 2025-03-18 Author: Bleeping Computer
At least 11 state-backed hacking groups have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017. However, as security researchers Peter Girnus and Aliakbar Zahravi with Trend Micro's ZDI reported today, Microsoft tagged it as "not meeting the bar servicing" in late September and said it wouldn't release security updates to address it. "We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; probably the total number of exploitation attempts are much higher," they said. "Subsequently, we submitted a POC exploit to Microsoft, who declined to address this vulnerability with a security patch."

Should we ban DeepSeek AI from all Australian devices? Experts weigh in
Date: 2025-03-15 Author: ABC News
Cyber security experts say the federal government should consider banning a controversial AI chatbot with Chinese origins on all Australian devices, warning it poses a "unique risk" to national security. DeepSeek AI was banned from all government devices last month, after a directive from Australian national security and intelligence agencies found the chatbot put the federal "technology estate" at risk. The tech was produced in Hangzhou city in China and runs at a fraction of the price of other AI products.

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations
Date: 2025-03-13 Author: CloudSEK
Ramadan is a time of reflection, generosity and heightened charitable giving. However, cybercriminals are exploiting this sacred period to launch targeted crypto scams, preying on the goodwill of individuals and organizations. From fraudulent donation requests to crypto token investment schemes, these scams leverage social engineering and trust to deceive victims into transferring their digital assets.
This report examines the rising trend of Ramadan-related crypto, e-commerce and donation scams, uncovering the techniques used by cybercriminals, their impact on victims, and best practices for staying secure, making awareness and vigilance more crucial than ever.

Microsoft 365 Targeted in New Phishing, Account Takeover Attacks
Date: 2025-03-17 Author: Security Week
Security researchers warn of fresh malicious campaigns that abuse Microsoft 365 for phishing attacks, or target the service's users to take over accounts. As part of one campaign, attackers are leveraging legitimate Microsoft domains and tenant misconfigurations in BEC attacks likely aimed at stealing credentials and performing account takeover (ATO), Guardz warns. The attackers were seen controlling multiple Microsoft 365 organization tenants (either new or compromised), creating administrative accounts, crafting misleading full-text messages mimicking Microsoft transaction notifications, initiating a purchase or trial subscription event to generate a billing email, and then sending phishing emails using Microsoft's own infrastructure.

ESB-2025.1767 – Google Chrome: CVSS (Max): None
CVE-2025-2476 is a critical use-after-free vulnerability in the Lens component of Chrome. It allows remote attackers to trigger heap corruption through specially crafted HTML, potentially leading to arbitrary code execution. The issue arises when memory is referenced or reused after being freed; if attacker-controlled data is placed in the freed region before the chunk is consolidated, it could be exploited to execute arbitrary code.

ESB-2025.1731 – Atlassian Products: CVSS (Max): 9.8
The March 2025 Atlassian Security Bulletin reports 13 high-severity vulnerabilities across several products, including Bamboo, Bitbucket, Crowd, Jira and Jira Service Management. These issues, discovered via bug bounty programs and security scans, include denial of service and SQL injection, with fixes available in the latest versions.
Users are urged to update to the recommended fixed versions for each affected product.

ESB-2025.1719 – Rockwell Automation Lifecycle Services with VMware: CVSS (Max): 9.8
Rockwell Automation products using VMware are vulnerable to critical flaws, including TOCTOU race conditions and out-of-bounds reads. Exploiting these vulnerabilities could allow local attackers to execute code or leak memory. Users are advised to update to fixed versions or implement security best practices to mitigate the risk.

ESB-2025.1753 – Drupal Core: CVSS (Max): None
Drupal core has a moderately critical Cross Site Scripting (XSS) vulnerability in Link field attributes, affecting versions from 8.0.0 up to 11.1.4. Exploitation requires edit access via core web services or a custom module, and sites with the Link module disabled are not affected. Users are advised to update to the latest versions (10.3.14, 10.4.5, 11.0.13 or 11.1.5).

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week in Review for 14th March 2025

Greetings,

After last week's whirlwind, it's a relief to feel a sense of normality returning. However, for many still dealing with the aftermath of Cyclone Alfred, the road to recovery is far from over. Let's stay mindful, support one another and remain vigilant, especially as scammers continue to exploit those affected.

With AI-generated scams on the rise, this week we're focusing on how to recognise them, spot key warning signs and protect ourselves.

Language can be a clear indicator of AI-generated content. Be on the lookout for overly formal phrasing, a lack of personal warmth, or awkward sentence structures. Similarly, when evaluating AI-generated visuals and audio, watch for unnatural movements, features that appear flawless yet artificial, and lighting inconsistencies. Backgrounds that look fabricated or hand gestures that seem stiff and unrealistic are additional warning signs.

Voice cloning and scam calls are another growing threat. Watch out for unusual pacing, voices that sound inhumanly fast or slow, or a lack of natural pauses. Speech that comes across as either too flat or overly dramatic, along with tonal or pronunciation inconsistencies, can also be red flags.

To protect yourself from AI-driven scams, always stay cautious and verify unsolicited emails, calls and messages. If an offer seems too good to be true or a request feels urgent, confirm it independently by reaching out to the person directly via a verified phone number or email. Never click on unknown links or respond without proper validation. Staying informed about the latest AI-driven scams is one of your strongest defences, as awareness helps you spot red flags before falling victim. Enabling Multi-Factor Authentication (MFA) adds an essential layer of security, making it significantly harder for scammers to access your accounts even if they deceive you with AI-generated phishing. Whenever possible, opt for phishing-resistant MFA for maximum protection.
While generative AI has allowed cybercriminals to craft more convincing scams, their capabilities are often exaggerated. By staying informed, cautious and proactive, you can recognise warning signs and stay ahead of evolving threats.

Critical PHP Vulnerability Under Mass Exploitation
Date: 2025-03-10 Author: Security Week
Threat actors have started exploiting en masse a critical vulnerability in PHP that could allow remote code execution on vulnerable servers, threat intelligence firm GreyNoise warns. The flaw, tracked as CVE-2024-4577 (CVSS score of 9.8), can be exploited on Windows servers that are using Apache and PHP-CGI, if they are configured to use certain code pages, to inject command-line arguments remotely and execute arbitrary code.

Microsoft patches 57 vulnerabilities, including 6 zero-days
Date: 2025-03-11 Author: CyberScoop
[See AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ASB-2025.0049/, https://portal.auscert.org.au/bulletins/ASB-2025.0048/, https://portal.auscert.org.au/bulletins/ASB-2025.0047/, https://portal.auscert.org.au/bulletins/ASB-2025.0046/, https://portal.auscert.org.au/bulletins/ASB-2025.0045/]
Microsoft patched 57 vulnerabilities affecting its foundational systems and core products, including six actively exploited zero-day vulnerabilities, the company said in its latest security update on Tuesday. Four of the six zero-days, all of which were added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, are rated high severity on the CVSS scale.

Apple fixed the third actively exploited zero-day of 2025
Date: 2025-03-11 Author: Security Affairs
[See AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.1571/, https://portal.auscert.org.au/bulletins/ESB-2025.1570/, https://portal.auscert.org.au/bulletins/ESB-2025.1569/]
Apple has released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24201, in the WebKit cross-platform web browser engine.
The vulnerability is an out-of-bounds write issue that was exploited in "extremely sophisticated" attacks.

Mozilla warns users to update Firefox before certificate expires
Date: 2025-03-12 Author: Bleeping Computer
Mozilla is warning Firefox users to update their browsers to the latest version to avoid disruption and security risks caused by the upcoming expiration of one of the company's root certificates. The Mozilla certificate is set to expire this Friday, March 14, 2025, and was used to sign content, including add-ons for various Mozilla projects and Firefox itself. Users need to update to Firefox 128 (released in July 2024) or later, or to ESR 115.13 or later for 'Extended Support Release' (ESR) users.

The Role of Differential Privacy in Protecting Sensitive Information in the Era of Artificial Intelligence
Date: 2025-03-07 Author: Security Affairs
Differential privacy (DP) protects data by adding calibrated noise to query results, preventing re-identification while maintaining utility, and addresses the privacy challenges of the Artificial Intelligence era. In the era of Artificial Intelligence, confidentiality and security are becoming significant challenges. Traditional anonymization techniques, such as pseudonymization and k-anonymity, have proven inadequate against sophisticated re-identification attacks.

Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Date: 2025-03-12 Author: The Hacker News
Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms. "At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts," the company said, adding it observed the activity on March 9, 2025. The countries which have emerged as targets of SSRF exploitation attempts include the United States, Germany, Singapore, India, Lithuania and Japan.
Another notable country is Israel, which saw a surge on March 11, 2025.

ESB-2025.1570 – Apple iOS & iPadOS: CVSS (Max): None
Apple released a security update on Tuesday to address a zero-day flaw, CVE-2025-24201, in the WebKit browser engine. The vulnerability, an out-of-bounds write issue, could allow maliciously crafted web content to break out of the Web Content sandbox. The update improves checks to prevent unauthorized actions.

ASB-2025.0049 – Microsoft Windows: CVSS (Max): 8.8*
Microsoft's latest patch release fixes multiple flaws in Windows products. Several vulnerabilities are under active exploitation, including CVE-2025-26633, a security feature bypass in Microsoft Management Console allowing code execution through crafted MSC files. CVE-2025-24993 and CVE-2025-24985, remote code execution flaws in NTFS and Fast FAT respectively, are triggered by mounting a crafted VHD. Additionally, CVE-2025-24983 enables privilege escalation, while CVE-2025-24984 and CVE-2025-24991 expose sensitive information; all require urgent patching.

ESB-2025.1552 – VMware Products: CVSS (Max): 9.3
Broadcom released an advisory for three zero-day vulnerabilities in VMware products: CVE-2025-22224 (heap overflow), CVE-2025-22225 (arbitrary write) and CVE-2025-22226 (information disclosure). These vulnerabilities, impacting ESXi, Workstation and Fusion, were discovered by Microsoft's MSTIC and are being actively exploited.

ESB-2025.1533 – Google Chrome: CVSS (Max): None
Google has released a critical update for Chrome, advancing the stable channel to version 134.0.6998.88 for Windows, Mac and Linux, and 134.0.6998.89 for the Extended Stable channel. The update includes high-priority security fixes.

ESB-2025.1628 – Adobe Acrobat Reader: CVSS (Max): 7.8
As part of its regular Patch Tuesday update, Adobe issued a bulletin highlighting a number of security vulnerabilities in Adobe Acrobat and Reader for both Windows and macOS.
The company warned that successful exploitation could lead to arbitrary code execution and memory leaks.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
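An added detection example for the PHP item in this week's review (CVE-2024-4577). This is example code written for this page, not code from GreyNoise, the PHP project or AUSCERT. It scans constructed Apache access-log lines for the request shape used to exploit the flaw, relying on the mechanism that has been described publicly for this CVE: php-cgi treats a query string with no literal '=' as command-line arguments split on '+', and on the affected Windows code pages the byte 0xAD (a soft hyphen, '%AD' in the URL) is best-fit mapped to '-', so '%ADd' becomes the '-d' option that sets php.ini directives. The log lines are constructed; the IP addresses are documentation ranges.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Apache combined log format: client, identity, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# First bytes that php-cgi ends up treating as the option dash: a literal '-'
# (the old unencoded argument-injection form) and 0xAD, the soft hyphen that the
# Windows best-fit code page conversion turns into '-' (the CVE-2024-4577 trick).
OPTION_PREFIXES = (b"-", b"\xad")


def injected_options(query: str) -> List[bytes]:
    """Return the argv tokens php-cgi would see as options for this raw query string.

    php-cgi only interprets the query string as command-line arguments when it
    contains no literal '=', splitting it on '+' and URL-decoding each token;
    that is why exploits encode '=' as %3d. A benign query such as ?q=%ADfoo
    contains a literal '=' and is therefore not flagged.
    """
    if "=" in query:
        return []
    hits = []
    for token in query.split("+"):
        raw = unquote_to_bytes(token)
        if raw[:1] in OPTION_PREFIXES:
            hits.append(raw)
    return hits


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose query string injects php-cgi options."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, sep, query = m.group("target").partition("?")
        if not sep:
            continue
        options = injected_options(query)
        if options:
            findings.append({
                "client": m.group("client"),
                "path": path,
                "options": [o.decode("latin-1") for o in options],
                "soft_hyphen": any(o.startswith(b"\xad") for o in options),
            })
    return findings


# Constructed sample log lines. The first two mimic the published exploit shape
# (%ADd injecting php.ini directives); the remaining three are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:08:12:01 +1000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2025:08:13:44 +1000] "GET /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3d0 HTTP/1.1" 200 128 "-" "python-requests/2.31"
192.0.2.5 - - [10/Mar/2025:08:14:02 +1000] "GET /index.php?page=home&lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:08:15:30 +1000] "GET /search.php?q=soft%ADhyphen HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2025:08:16:11 +1000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The "no literal '=' in the raw query string" condition is what keeps the false-positive rate low: it mirrors php-cgi's own rule for when a query string is treated as argv, so ordinary parameterised requests that happen to contain %AD are ignored while the encoded-directive form is caught regardless of hex case.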
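An added worked example for the differential privacy item in this week's review. This is example code written for this page, not from the Security Affairs article. It implements the Laplace mechanism for a counting query: adding or removing one person's record changes a count by at most 1 (sensitivity 1), so adding Laplace noise with scale 1/epsilon bounds the log-ratio of output probabilities on any two neighbouring datasets by epsilon. The last function checks that bound numerically, and also shows it failing when the two datasets are not neighbours. The record set is constructed.

```python
import math
import random
from typing import Callable, Iterable, List


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon for the Laplace mechanism."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(rng: random.Random, scale: float) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_pdf(x: float, mu: float, scale: float) -> float:
    """Density of Laplace(mu, scale) at x."""
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def private_count(records: Iterable[dict], predicate: Callable[[dict], bool],
                  epsilon: float, rng: random.Random) -> float:
    """Answer 'how many records satisfy predicate' with epsilon-DP Laplace noise.

    Sensitivity is 1 because one person's record changes the true count by at most 1.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_sample(rng, laplace_scale(1.0, epsilon))


def max_privacy_loss(count_a: int, count_b: int, epsilon: float,
                     sensitivity: float = 1.0, grid: int = 2000) -> float:
    """Largest |ln p_a(x) / p_b(x)| over a grid of outputs for two true counts.

    For the Laplace mechanism this equals |count_a - count_b| / scale, which is
    at most epsilon exactly when the counts differ by no more than the sensitivity,
    i.e. when the two datasets are neighbours.
    """
    scale = laplace_scale(sensitivity, epsilon)
    lo = min(count_a, count_b) - 10 * scale
    hi = max(count_a, count_b) + 10 * scale
    worst = 0.0
    for i in range(grid + 1):
        x = lo + (hi - lo) * i / grid
        ratio = laplace_pdf(x, count_a, scale) / laplace_pdf(x, count_b, scale)
        worst = max(worst, abs(math.log(ratio)))
    return worst


# Constructed sample: records with a sensitive flag (10 of 30 flagged), plus a
# neighbouring dataset that differs by exactly one record (11 flagged).
RECORDS: List[dict] = [{"id": i, "flag": i % 3 == 0} for i in range(30)]
NEIGHBOUR: List[dict] = RECORDS + [{"id": 30, "flag": True}]

if __name__ == "__main__":
    eps = 0.5
    rng = random.Random(42)
    print("noisy count:", round(private_count(RECORDS, lambda r: r["flag"], eps, rng), 2))
    print("neighbour noisy count:", round(private_count(NEIGHBOUR, lambda r: r["flag"], eps, rng), 2))
    print("max privacy loss, counts 10 vs 11, eps=0.5:", round(max_privacy_loss(10, 11, eps), 6))
    print("max privacy loss, counts 10 vs 13 (not neighbours):", round(max_privacy_loss(10, 13, eps), 6))
```

The point the numbers make: with epsilon = 0.5 the worst-case log-ratio for neighbouring datasets is exactly 0.5, so no single output tells an observer much about whether any one record is present, while the same noise gives a ratio of 1.5 for datasets three records apart, which is why the guarantee is stated per record and degrades under composition of repeated queries.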

Week in review

AUSCERT Week in Review for 7th March 2025

Greetings,

It's been a stormy week with Cyclone Alfred brewing off the coast of Brisbane! A timely reminder that scammers love to stir up trouble, preying on those seeking disaster relief, insurance claims, or opportunities to assist others. Stay alert, verify sources and batten down the hatches against fraud. Read our blog for tips on spotting and avoiding scams before they make landfall!

In the latest episode of the 'Share Today, Save Tomorrow' podcast, Episode 40: Securing from Insider Threats, host Anthony sits down with Sal Bowman from UQSchoolsNet to discuss one of the most pressing cyber security challenges faced by schools today: insider threats. In the second half of the episode, Bek chats with Mark Carey-Smith from AUSCERT about the exciting yet challenging process of selecting 30 standout conference sessions from nearly 200 submissions. They also dive into the challenges of achieving better representation of women in cyber. Progress is happening, but there is still a pressing need for greater diversity to drive innovation and inclusivity in the field.

With International Women's Day just around the corner, we're taking this opportunity to spotlight and celebrate the incredible women shaping the future of cyber security. AUSCERT has always been a strong advocate for diversity and inclusion, and we remain committed to fostering a more equitable cyber security landscape. Let's keep breaking down barriers and driving meaningful change together.

Ransomware criminals love CISA's KEV list – and that's a bug, not a feature
Date: 2025-02-28 Author: The Register
Fresh research suggests attackers are actively monitoring databases of vulnerabilities that are known to be useful in carrying out ransomware attacks. GreyNoise's annual Mass Internet Exploitation Report revealed this week that 28 percent of the bugs logged in CISA's Known Exploited Vulnerabilities (KEV) catalog were also used by ransomware criminals in 2024.
It is a logical assumption that attackers would see the KEV list as a useful tool to help them plan their attacks.

Android security update contains 2 actively exploited vulnerabilities
Date: 2025-03-03 Author: Cyberscoop
[See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.1463]
Google addressed 43 vulnerabilities affecting Android devices in its March security update, including a pair of software defects reportedly under active exploitation. Google said the two vulnerabilities, CVE-2024-43093 and CVE-2024-50302, "may be under limited, targeted exploitation." The more severe of the two, CVE-2024-43093, carries a CVSS score of 7.8 and was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog in November.

CISA tags Windows, Cisco vulnerabilities as actively exploited
Date: 2025-03-03 Author: Bleeping Computer
[See AUSCERT Bulletins https://portal.auscert.org.au/bulletins/ESB-2023.0171.3 and https://portal.auscert.org.au/bulletins/ASB-2018.0303.2]
CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and Windows systems. While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it.

VMware Security Flaws Exploited in the Wild—Broadcom Releases Urgent Patches
Date: 2025-03-04 Author: The Hacker News
Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation and Fusion products that could lead to code execution and information disclosure.
The list of vulnerabilities is as follows:
CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability
CVE-2025-22225 (CVSS score: 8.2) – An arbitrary write vulnerability
CVE-2025-22226 (CVSS score: 7.1) – An information disclosure vulnerability

YouTube warns of AI-generated video of its CEO used in phishing attacks
Date: 2025-03-05 Author: Bleeping Computer
The attackers are sharing it as a private video with targeted users via emails claiming YouTube is changing its monetization policy. "We're aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube's CEO Neal Mohan announcing changes in monetization," the online video sharing platform warned in a pinned post on its official community website.

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers
Date: 2025-03-04 Author: The Hacker News
Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems.

ASB-2025.0044 – AUSCERT Bulletin Service – Cyclone Alfred
AUSCERT has issued an advisory to its members about the potential cyber security impact of Cyclone Alfred, highlighting risks and offering mitigation strategies to help prevent falling victim to scammers.

ESB-2025.1463 – Android devices: CVSS (Max): 8.2
The Android Security Bulletin for March 2025 addresses critical security vulnerabilities in various components, including the Android Framework, System and MediaTek components. It includes patches for issues such as privilege escalation and remote code execution.
The bulletin confirms that CVE-2024-43093 has been under limited, targeted exploitation. Users are encouraged to update their devices to mitigate potential security threats.

ESB-2025.1469 – Google Chrome: CVSS (Max): None
Google has released Chrome 134 to the stable channel for Windows, Mac and Linux, bringing with it a critical set of security patches. This update, which will gradually roll out to users over the coming days and weeks, addresses 14 security vulnerabilities, including a high-severity flaw in the V8 JavaScript engine.

ESB-2025.1486 – Mozilla Thunderbird: CVSS (Max): 9.8*
Mozilla's advisory for Thunderbird 136 addresses multiple security vulnerabilities, including high-impact use-after-free flaws and memory safety issues that could allow arbitrary code execution or sandbox escapes. Key vulnerabilities involve AudioIPC, WebTransportChild and WASM i32 return values on 64-bit CPUs. Mozilla advises that in general these flaws cannot be exploited through email in Thunderbird, because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.

ESB-2025.1479 – Cisco Webex for BroadWorks: CVSS (Max): None
A flaw in Cisco Webex for BroadWorks Release 45.2 allows unauthenticated attackers to access data and credentials because SIP communication can use an unsecured transport. Additionally, authenticated users could read credentials in plain text from client and server logs. Cisco has released a configuration update to address the issue and recommends restarting the Webex application to apply the fix.

ESB-2025.1484 – Edimax IC-7100 IP Camera: CVSS (Max): 9.8
A vulnerability in Edimax IC-7100 IP Cameras allows remote code execution due to improper neutralization of special elements in OS commands (OS command injection). The flaw, identified as CVE-2025-1316, has a CVSS score of 9.8, making it critical.
Users are advised to take defensive measures to mitigate the risk.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
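An added example for the KEV item in this week's review. This is example code written for this page, not from GreyNoise, CISA or The Register. CISA publishes the KEV catalog as JSON, and every entry carries a knownRansomwareCampaignUse field set to "Known" or "Unknown"; the code parses a constructed feed in that shape, computes the ransomware share, and intersects the catalog with a constructed asset inventory so that ransomware-used and past-due entries are triaged first. The field names match the real feed; the CVE identifiers are ones mentioned in this newsletter, but the vendor/product names, dates and ransomware flags in the sample are illustrative and are not the catalog's actual data.

```python
import json
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names are the feed's; every value below is illustrative, not catalog data.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "2025.03.07",
    "dateReleased": "2025-03-07T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2024-4577", "vendorProject": "PHP Group", "product": "PHP",
         "dateAdded": "2024-06-12", "dueDate": "2024-07-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-43093", "vendorProject": "Android", "product": "Framework",
         "dateAdded": "2024-11-07", "dueDate": "2024-11-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware", "product": "ESXi",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-1316", "vendorProject": "Edimax", "product": "IC-7100 IP Camera",
         "dateAdded": "2025-03-05", "dueDate": "2025-03-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory as (vendor, product) pairs; matching is case-insensitive.
SAMPLE_INVENTORY = [("VMware", "ESXi"), ("php group", "php"), ("Microsoft", "Windows")]


def load_kev(text: str) -> List[Dict[str, str]]:
    """Parse the feed and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def ransomware_share(entries: List[Dict[str, str]]) -> float:
    """Fraction of entries CISA marks as used in known ransomware campaigns."""
    if not entries:
        return 0.0
    known = sum(1 for e in entries if e.get("knownRansomwareCampaignUse") == "Known")
    return known / len(entries)


def match_inventory(entries: List[Dict[str, str]],
                    inventory: Iterable[Tuple[str, str]],
                    today: date) -> List[Dict[str, object]]:
    """KEV entries for products in the inventory, ransomware-used and most overdue first."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({
            "cveID": e["cveID"],
            "vendor": e["vendorProject"],
            "product": e["product"],
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "overdue_days": max(0, (today - due).days),
        })
    hits.sort(key=lambda h: (not h["ransomware"], -int(h["overdue_days"]), str(h["cveID"])))
    return hits


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("ransomware share: %.0f%%" % (100 * ransomware_share(entries)))
    for hit in match_inventory(entries, SAMPLE_INVENTORY, date(2025, 3, 7)):
        print(hit)
```

Run against the live feed, the same intersection tells you which of your own products appear in the catalog and which of those the catalog already ties to ransomware campaigns; the due dates are CISA's deadlines for US federal agencies, but the ordering (ransomware-used first, then most overdue) is a reasonable default triage for anyone.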

Blogs

Cyclone Alfred – Watch Out for Scams

As Cyclone Alfred approaches the SE QLD region, AUSCERT wants to remind its members that, in the wake of natural disasters, scammers often exploit the vulnerability of those affected. Fraudulent activities can range from door-to-door scams to phone, text, mail and email schemes. These fraudsters take advantage of the chaos and desperation following such events, frequently targeting individuals seeking disaster relief, insurance claims, or opportunities to assist others.

To reduce the risk of fraud during Cyclone Alfred and any post-cyclone recovery efforts, residents and those intending to donate to charities can take several key actions.

Be cautious of scams following a disaster. Government agencies, like Services Australia and myGov, will never ask for sensitive information over the phone, so hang up and call their official number if in doubt. Phone scams may use caller ID spoofing to appear legitimate, so always verify calls independently.

For insurance scams, never provide personal information until you have verified the contact directly with your provider. If contractors claim to be insurance partners, ensure they are licensed and insured by checking with local authorities.

When donating to charities, only support trusted charities and verify their legitimacy through official websites. Be cautious with charity phone numbers, emails, or crowdfunding platforms, as scammers may pose as fake charities or misrepresent campaigns.

Please see [1] and [2] for further information.

Stay safe!

REFERENCES
[1] Avoid scams and fraud – https://www.servicesaustralia.gov.au/avoid-scams-and-fraud-when-claiming-natural-disaster-support
[2] Avoid fundraising scams after an emergency – https://www.vic.gov.au/avoid-fundraising-scams-after-emergency


Week in review

AUSCERT Week in Review for 28th February 2025

Greetings,

The AUSCERT2025 Program is now live! This year’s selection process was one of the most rigorous yet, with the program committee meticulously reviewing more than 200 high-quality submissions to curate a lineup of presentations, workshops, and keynotes that deliver maximum value to conference delegates. With so many outstanding proposals, the selection process was exceptionally challenging. Each submission underwent thorough evaluation and re-evaluation to ensure it met the highest standards of relevance, innovation, and impact. The result is a carefully crafted program that tackles critical security challenges, emerging threats, and industry best practices, making AUSCERT2025 an unmissable event for security professionals.

A recent example of the growing sophistication of cyber attacks is the No-Phish PayPal phishing scam, which cleverly exploits PayPal’s payment request feature to bypass traditional security measures. This stealthy tactic makes it significantly harder for users to identify fraudulent activity. In response, PayPal urges users to remain vigilant, avoid interacting with suspicious invoices or payment requests, and report any dubious activity directly to their security team to help mitigate the threat. In addition to this, another PayPal scam leverages the New Address feature to send phishing emails. These emails are designed to compromise users' devices and gain unauthorized access to sensitive information.

This week, Troy Hunt, frequent speaker at the AUSCERT conference, integrated the ALIEN TXTBASE dataset into Have I Been Pwned (HIBP), adding 1.5TB of stealer logs containing 23 billion rows and impacting 284 million email addresses. The dataset also includes 244 million new passwords and updates for 199 million existing ones. With this update, HIBP now allows domain owners to check for stealer logs and helps website operators identify compromised users. These logs, often sourced from malware infections linked to pirated software, circulate on platforms like Telegram, fuelling cybercrime. By enhancing its search capabilities, HIBP aims to combat these threats, equipping individuals and organisations with actionable security insights.

Australia Has More to do Says National Cybersecurity Coordinator
Date: 2025-02-21
Author: Australian Cyber Security Magazine

In an address at a cybersecurity conference in Sydney, the National Cybersecurity Coordinator Michelle McGuinness outlined Australia’s ambitious plan to become a world leader in cyber security by 2030. The strategy, embedded within the broader 2030 Australian national security framework, recognises that achieving this goal requires not only technical prowess but also a fundamental shift in the nation’s cyber security culture.

U.S. CISA adds Adobe ColdFusion and Oracle Agile PLM flaws to its Known Exploited Vulnerabilities catalog
Date: 2025-02-25
Author: Security Affairs

[Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2017.1034/ and https://portal.auscert.org.au/bulletins/ASB-2024.0032/]

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are:

* CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability
* CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

With millions upon millions of victims, scale of unstoppable info-stealer malware laid bare
Date: 2025-02-26
Author: The Register

A tip-off from a government agency has resulted in 284 million unique email addresses and plenty of passwords snarfed by credential-stealing malware being added to privacy-breach-notification service Have I Been Pwned (HIBP). HIBP founder Troy Hunt said an un-named agency alerted him to the existence of the trove after he published an analysis of a separate massive collection of info-stealer logs he encountered and incorporated into his site in mid-January. "After loading the aforementioned corpus of data, someone in a government agency reached out and pointed me in the direction of more data by way of two files totaling just over 5GB," Hunt wrote this week.

Australia Bans Kaspersky Software Over National Security and Espionage Concerns
Date: 2025-02-24
Author: The Hacker News

Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing national security concerns. "After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage," Stephanie Foster PSM, the Secretary of the Department of Home Affairs, said.

Only a Fifth of Ransomware Attacks Now Encrypt Data
Date: 2025-02-25
Author: Infosecurity Magazine

Ransomware actors are largely eschewing encryption, with at least 80% of attacks last year focusing solely on exfiltrating data, as it is quicker and easier, according to ReliaQuest. The threat intelligence vendor claimed in its Annual Cyber-Threat Report that exfiltration-only ransomware attacks are 34% faster. After initial access, “breakout time” typically takes just 48 minutes, although some groups manage to achieve lateral movement in as little as 27 minutes, giving network defenders little time to react.

ESB-2025.1373 – GitLab Community Edition and GitLab Enterprise Edition: CVSS (Max): 8.7

GitLab has released versions 17.9.1, 17.8.4, and 17.7.6 for CE and EE, which include critical bug and security fixes, addressing high-severity vulnerabilities like XSS and authorisation flaws. Users are urged to upgrade their self-managed instances immediately, as GitLab.com has already been patched. The update also resolves medium-severity issues that could expose sensitive data or disrupt functionality.

ESB-2025.1345 – Google Chrome: CVSS (Max): 8.8

Google issued a security advisory to address vulnerabilities in the Stable Channel Chrome for Desktop, specifically in versions prior to 133.0.6943.141/142 for Windows and Mac, and 133.0.6943.141 for Linux. Users and administrators are encouraged to review the provided web link and implement the necessary updates to ensure their systems remain secure.

ESB-2025.1239 – ABB FLXEON Controllers: CVSS (Max): 10.0

An advisory has been issued regarding critical vulnerabilities in FLXeon controllers, affecting firmware versions 9.3.4 and earlier. These flaws could allow remote code execution, unauthorised access, or information leakage. Affected products include FLXEON Controllers FBXi, FBVi, FBTi, and CBXi. ABB recommends upgrading to firmware version 9.3.5 and applying security measures, such as disconnecting exposed devices and ensuring secure remote access.

ESB-2025.1371 – Cisco Nexus 3000 and 9000 Series Switches: CVSS (Max): 7.4

Cisco has disclosed a high-severity vulnerability in Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode, allowing unauthenticated attackers to trigger denial of service conditions. The flaw, rated 7.4 on the CVSS v3.1 scale, affects critical infrastructure and can cause prolonged service disruptions through malicious Ethernet frames. Cisco recommends upgrading to patched software or using ACL-based workarounds to mitigate the risk.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 21st February 2025

Greetings,

Join Our Upcoming Webinar: Strengthen Your Security with Maturity Assessments!

Don’t miss our upcoming webinar, where we’ll introduce our new Maturity Assessment service—an essential tool for evaluating your organisation’s security posture against critical NIST controls. Learn how to identify gaps and risks across people, processes, and technology, helping you build more resilient cybersecurity practices. Register Now and take the next step in enhancing your organisation’s security!

Cyber threats continue to pose significant risks to businesses across all industries, and the healthcare sector is no exception. Genea, a nationwide IVF provider with 21 locations, recently fell victim to a cyber attack, leading to unauthorised data access and system disruptions. While the full extent of the breach is still unfolding, the attack has already caused a phone outage and disrupted the My Genea App, impacting both patients and staff. Many patients remain uninformed, with some yet to receive official communication about the breach. Others, frustrated and anxious, have spent days attempting to contact Genea with urgent clinical inquiries, further highlighting the severe operational and patient care implications of the attack.

This incident serves as a stark reminder that no organisation is immune to cyber threats, and the ability to respond quickly and effectively is crucial to minimising damage. A well-structured Cyber Incident Response Plan (CIRP) is the backbone of any organisation’s cyber security strategy. No matter how strong an organisation’s security measures are, breaches can still occur. When they do, a well-written CIRP helps teams to respond swiftly, contain the damage, and recover operations with minimal disruption. Without a clear response strategy, businesses risk prolonged downtime, data loss, regulatory penalties, and reputational damage—all of which can have long-term consequences.

At AUSCERT, we provide tailored incident response plans designed to meet your operational needs and regulatory requirements. A strong CIRP not only helps mitigate risks but also enhances resilience against future attacks. Don’t wait for a breach to expose gaps — be prepared. Enquire today about our bespoke Cyber Incident Response Plans and safeguard your organisation. AUSCERT members receive 15% off this essential service!

Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts
Date: 2025-02-14
Author: CyberScoop

Suspected Russian nation-state threat groups have duped multiple victims into granting potentially persistent access to networks via authentication requests and valid tokens. Microsoft threat researchers discovered a series of what they are calling “device code” phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in research released Thursday.

New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now
Date: 2025-02-18
Author: The Hacker News

[Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.1166/ https://portal.auscert.org.au/bulletins/ESB-2025.1165/ https://portal.auscert.org.au/bulletins/ESB-2025.1142]

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions.

Palo Alto Networks tags new firewall bug as exploited in attacks
Date: 2025-02-19
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1026.3/]

Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 with CVE-2024-9474) to breach PAN-OS firewalls in active attacks. The vendor first disclosed the authentication bypass vulnerability tracked as CVE-2025-0108 on February 12, 2025, releasing patches to fix the vulnerability. That same day, Assetnote researchers published a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained together to gain root privileges on unpatched PAN-OS firewalls.

Australia Imposes Sanctions On Medibank Private Cyberattack
Date: 2025-02-14
Author: The Cyber Express

The government of Prime Minister Anthony Albanese has imposed additional cyber sanctions in response to a major 2022 cyberattack that hit Medibank Private. The breach, which compromised millions of customers’ sensitive medical data, marked a turning point in Australia’s approach to cyber security. The Medibank Private cyberattack not only targeted the personal information of Medibank’s customers but also saw portions of the stolen data published on the dark web.

Ransomware-as-a-service actors drive four-times increase in ransomware attacks
Date: 2025-02-17
Author: Cyber Daily

Every year, Barracuda Networks releases a detailed cyber security report based on its managed extended detection and response business, and while the previous 12 months saw relatively consistent activity across the year, ransomware activity increased dramatically. The numbers that Barracuda can draw on for its analysis are impressive. The company tracked 11 trillion IT events in total and found that more than 1 million of them were potential risks requiring assessment.

Microsoft Patches Actively Exploited CVE-2025-21355 RCE Vulnerability in Bing
Date: 2025-02-20
Author: The Hacker News

Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed below:

* CVE-2025-21355 (CVSS score: 8.6) – Microsoft Bing Remote Code Execution Vulnerability
* CVE-2025-24989 (CVSS score: 8.2) – Microsoft Power Pages Elevation of Privilege Vulnerability

"Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network," the tech giant said in an advisory for CVE-2025-21355. No customer action is required.

ESB-2025.1214 – Linux kernel: CVSS (Max): 9.1*

Several security issues were fixed in the Linux kernel. An attacker could possibly exploit these vulnerabilities to compromise the system. This major update corrects these flaws.

ESB-2025.1171 – Atlassian Products: CVSS (Max): 9.8

The vulnerabilities reported in this Security Bulletin include 7 high-severity vulnerabilities and 5 critical-severity vulnerabilities which have been fixed. Atlassian recommends patching your instances to the latest version or one of the Fixed Versions as advised in this Security Bulletin.

ESB-2025.1155 – IBM Security QRadar SIEM: CVSS (Max): 9.8

IBM QRadar SIEM includes vulnerable components (e.g. framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update.

ESB-2025.1144 – Docker: CVSS (Max): 9.9

Several security issues were fixed in Docker. Docker could unexpectedly forward DNS requests from internal networks in an unexpected manner. An attacker could possibly use this issue to exfiltrate data by encoding information in DNS queries to controlled nameservers. This issue was only addressed in Ubuntu 24.04 LTS.

ESB-2025.1168 – Citrix NetScaler Console and NetScaler Agent: CVSS (Max): 8.8

A vulnerability has been discovered in NetScaler Console (formerly NetScaler ADM) and NetScaler Agent. Cloud Software Group strongly urges customers of NetScaler Console and NetScaler Agent to install the relevant updated versions as soon as possible.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 14th February 2025

Greetings,

Happy Valentine's Day! While celebrating with loved ones, it's crucial to stay vigilant against malicious behaviour. Enjoy the love but remain cautious. Threat actors exploit this emotional time to their advantage. Be warned: new AI-enhanced romance scams are targeting Australian hearts and bank accounts. Researchers warn that romance scams pose a significant threat, costing nearly $35 million in 2023, with many cases going unreported. Scammers exploit dating apps and generative AI to create convincing messages. Currently the most prevalent and impactful romance scam is romance baiting, where scammers build fake relationships to gain trust and persuade victims to invest in fake cryptocurrency, stock platforms, or other scams.

The Australian government is making significant strides in consumer protection. This week, Parliament passed the world's first Scams Prevention Framework Bill, enhancing protections by establishing consistent and enforceable obligations for businesses in key sectors where scammers operate. The framework empowers the ACCC to investigate potential breaches and take enforcement action against entities that fail to fulfill their obligations.

If you're interested in gaining essential skills to navigate the legal and managerial dimensions of cyber security in your organisation, we recommend registering for our course led by General Manager Ivano Bongiovanni. The Overcoming Cyber Risks course covers legal implications and privacy laws, offering strategies to manage risk using enterprise risk frameworks, including crisis response and vendor oversight.

Lastly, a positive reminder: AUSCERT2025 registrations are officially open! Take advantage of early bird discounts and secure your favourite tutorials before spaces run out!

Massive brute force attack uses 2.8 million IPs to target VPN devices
Date: 2025-02-08
Author: Bleeping Computer

A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall. A brute force attack is when threat actors attempt to repeatedly log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to a network.

CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration
Date: 2025-02-09
Author: Security Online

Zimbra Collaboration, a widely used open-source email and collaboration platform, has been found to contain two newly discovered security vulnerabilities that pose a serious risk to businesses relying on the software for email, calendaring, file sharing, and task management. These vulnerabilities, identified as CVE-2025-25064 and CVE-2025-25065, could allow attackers to gain unauthorized access to sensitive data and internal network resources.

SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
Date: 2025-02-11
Author: Bleeping Computer

[AUSCERT contacted the impacted members (where possible) via email in January 2025]

Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. The vendor warned about the high exploitation possibility of the flaw in a bulletin on January 7, urging administrators to upgrade their SonicOS firewalls' firmware to address the problem.

AnyDesk Exploit Alert: CVE-2024-12754 Enables Privilege Escalation—PoC Available
Date: 2025-02-09
Author: Security Online

Security researcher Naor Hodorov has recently published an analysis of a vulnerability discovered in AnyDesk, a popular remote administration software. This vulnerability, identified as CVE-2024-12754, could allow a low-privileged user to gain elevated access and potentially take complete control of a system. The vulnerability stems from an elevated arbitrary file read/copy operation performed by the AnyDesk service as NT AUTHORITY\SYSTEM.

Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
Date: 2025-02-12
Author: The Hacker News

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the Microsoft Threat Intelligence team said in a new report shared with The Hacker News ahead of publication.

Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed
Date: 2025-02-10
Author: Security Online

Progress has issued a security advisory addressing multiple vulnerabilities affecting all current LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. The vulnerabilities, identified as CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, and CVE-2024-56135, could allow authenticated attackers to execute arbitrary system commands or download sensitive files.

ASB-2025.0035 – Microsoft Office products: CVSS (Max): 9.8

CISA has issued an urgent warning about the exploitation of a critical Microsoft Outlook vulnerability (CVE-2024-21413). The flaw enables remote code execution through malicious email links, bypassing Office Protected View. Exploiting this vulnerability allows attackers to open emails in editing mode, posing serious risks to federal agencies.

ESB-2025.0830 – Trimble Cityworks: CVSS (Max): 7.2

Trimble has issued an urgent cybersecurity alert concerning a critical vulnerability in its Cityworks asset and work management software. Identified as CVE-2025-0994 with a CVSS score of 7.2, this flaw is actively being exploited, presenting a serious threat to organisations utilising the platform.

ESB-2025.1035 – Google Chrome: CVSS (Max): None

Google's latest Chrome update addresses multiple vulnerabilities, including the critical CVE-2025-0995, a "Use-After-Free" issue in the V8 JavaScript engine. The update fixes the security flaw that could allow attackers to execute malicious code remotely on vulnerable systems. The Chrome Stable channel has been updated to versions 133.0.6943.98/.99 for Windows and Mac, and 133.0.6943.98 for Linux.

ASB-2025.0043 – Microsoft Windows: CVSS (Max): 8.8

February 2025 Patch Tuesday addresses 56 vulnerabilities, including two zero-days, CVE-2025-21418 and CVE-2025-21391, under active exploitation. CVE-2025-21418, affecting the Windows Ancillary Function Driver, allows privilege escalation, while CVE-2025-21391 impacts Windows Storage, potentially leading to file deletion and service disruption. These flaws highlight ongoing risks, including possible exploitation by threat groups like Lazarus.

ESB-2025.0876 – Apple iOS 18.3.1 and iPadOS 18.3.1: CVSS (Max): None

Apple released emergency security updates for iOS and iPadOS to fix a vulnerability (CVE-2025-24200) that has been exploited in the wild. The issue, described as an authorisation flaw, could allow attackers to disable USB Restricted Mode on a locked device during a cyber-physical attack. This indicates that the attackers need physical access to the device to exploit the vulnerability.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 7th February 2025

Greetings,

Member Tokens for the AUSCERT2025 conference are now available! This is your exclusive chance to register early and secure your spot at the conference. Be sure to sign up for our expert-led tutorials to deepen your cybersecurity knowledge. Public registrations open next week so take advantage of this early access while you can!

This week, the Australian Signals Directorate (ASD) issued an important reminder about securing edge devices—the gateways where data flows in and out of networks. Leaving these network perimeters unprotected is like leaving doors wide open, making it easier for malicious actors to access sensitive data, disrupt operations, and launch further attacks. While many of you have likely addressed this, it’s a timely reminder for those who haven’t. Common edge devices in enterprise networks include routers, firewalls, and VPN concentrators. The ASD provides best practices to ensure these devices don’t become security weak points.

Amid ongoing speculation surrounding DeepSeek, the Australian government has officially banned the AI chatbot on government devices due to national security concerns. Acting on intelligence agency advice, the Home Affairs Department Secretary issued a directive on Tuesday prohibiting its use across all federal government systems and devices, citing it as an unacceptable security risk. Officials emphasised that the decision was based on security assessments rather than the program’s Chinese origin.

PoC Exploit Released for macOS Kernel Vulnerability CVE-2025-24118 (CVSS 9.8)
Date: 2025-02-02
Author: Security Online

[AUSCERT has published security bulletins for these Apple updates]

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution, according to security researcher Joseph Ravichandran (@0xjprx) of MIT CSAIL. Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections
Date: 2025-02-04
Author: The Hacker News

A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09. "The vulnerability was actively exploited by Russian cybercrime groups through spear-phishing campaigns, using homoglyph attacks to spoof document extensions and trick users and the Windows Operating System into executing malicious files," Trend Micro security researcher Peter Girnus said.

CISA orders agencies to patch Linux kernel bug exploited in attacks
Date: 2025-02-05
Author: Bleeping Computer

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks. Tracked as CVE-2024-53104, the security bug was first introduced in kernel version 2.6.26 and was patched by Google for Android users on Monday. "There are indications that CVE-2024-53104 may be under limited, targeted exploitation," the Android February 2025 Android security updates warn.

Backdoor found in two healthcare patient monitors, linked to IP in China
Date: 2025-01-30
Author: Bleeping Computer

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device. Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments.

DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked
Date: 2025-01-30
Author: The Hacker News

Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data. The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal Nagli said. The exposure also includes more than a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information, such as API Secrets and operational metadata.

Hackers spoof Microsoft ADFS login pages to steal credentials
Date: 2025-02-05
Author: Bleeping Computer

A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections. The targets of this campaign, according to Abnormal Security that discovered it, are primarily education, healthcare, and government organizations, with the attack targeting at least 150 targets.

ESB-2025.0755 – Google Chrome: CVSS (Max): None

The Chrome team has released version 133 for Windows, Mac, and Linux, which includes important updates, particularly a set of twelve security fixes. While new features are part of the update, the main focus is on addressing vulnerabilities to ensure a safer browsing experience. The update is being rolled out gradually, with version 133.0.6943.53 for Linux and 133.0.6943.53/54 for Windows and Mac.

ESB-2025.0732 – Mozilla Thunderbird: CVSS (Max): 9.8*

Multiple vulnerabilities were found in Mozilla products, exposing systems to remote code execution, denial of service, spoofing, and data manipulation. Affected versions include Firefox 135, Firefox ESR 115.20, Thunderbird 135, and others. Users are advised to apply the latest updates to mitigate these security risks.

ESB-2025.0709 – Android: CVSS (Max): 9.8*

The Android Security Bulletin February 2025 provides information on security vulnerabilities impacting Android devices. The most critical issue is a high-severity vulnerability in the Framework component, which could allow local privilege escalation without requiring additional execution privileges. These issues are resolved by security patch levels of 2025-02-05 or higher.

ESB-2025.0799 – Cisco Identity Services Engine (ISE): CVSS (Max): 9.9

Cisco released patches for critical vulnerabilities in its Identity Services Engine (ISE), tracked as CVE-2025-20124 and CVE-2025-20125. The flaws, affecting ISE APIs, could allow authenticated remote attackers to execute arbitrary commands, escalate privileges, or tamper with device configurations. Users are urged to update to ISE versions 3.1P10, 3.2P7, or 3.3P4 immediately, as no workarounds are available.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Member information

A guide to AUSCERT Member Security Incident Notifications: MSINs

Introduction

The Member Security Incident Notifications (MSINs) service provides crucial alerts and insights on security incidents affecting members.

What is an MSIN?

An MSIN is a daily customised composite security report targeted towards AUSCERT member organizations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms.

MSIN Dashboard

As part of this service, a dashboard view provides high level statistics along with the ability to search and filter organisational alerts. The dashboard is accessible at https://portal.auscert.org.au/msins

MSIN Dashboard Statistics Tabs

The Australia and organisation statistics tabs provide insights into both nation-wide and your own organisation’s MSIN alerts. Near the beginning of the week, it is not unusual for your organisation’s statistics to show zero or be blank, as alerts are ingested into AUSCERT’s systems around 3pm each day, and it can take up to 24-48 hours for the charts to be updated.

MSIN Results Table

The results table is the primary interface for your organisation’s MSIN alerts and allows you to perform advanced searches, sort and filter your alerts, view the full details, as well as explore the CVEs associated with them by clicking through to the external NVD links for each CVE. By default, this view will show all alerts excluding “info” level alerts in the last 48 hours for your organisation. 48 hours has been chosen as it factors in the ~24 hour delay that occurs while MSIN alerts are ingested and processed by AUSCERT’s systems.

MSIN Details Page

Under the actions column for every MSIN, the three dots dropdown can be expanded to open up the details popup for each alert. This shows all available information relating to the MSIN and may contain extra information relating to specific alerts. Source reference links for additional context can also be viewed here.
Further Information

Daily

MSINs are processed and issued daily. MSINs are only issued if at least one incident report specific to the member is detected within the past 24-hour period; if there are no incidents to report, no MSIN will be issued. The more security incidents spotted corresponding to your organisation, the more incident reports will be included in the MSIN and the larger the MSIN you will receive.

Customised

MSINs are tailored for each member organisation, based on the IPs and domains provided. To receive accurate and useful MSINs, it’s important that this information is kept up to date in your membership profile (see FAQ below).

Severity

Individual events in MSINs are categorised into the following severity levels:

Critical: Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE, or modification or leakage of sensitive data.

High: End-of-life systems, systems meant to be internal that you can log into with authentication (SMB, RDP), some data can be leaked. Sinkhole events end up in this category.

Medium: Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring visibility into network traffic (MITM without being able to manipulate the traffic) to exploit, or where the attacker would need to know internal systems/infrastructure in order to exploit it.

Low: Deviation from best practice – little to no practical way to exploit, but the setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. For example, SSL POODLE reports may end up in this category.

Info: Informational only. Review in accordance with your security policy.

These severity levels are based on those used by Shadowserver. Events which have not been assigned a severity will be marked as Unknown.
A summary of reports by severity level can be found at the top of your MSIN. For example:

    Summary of reports based on severity:
    * Critical: accessible-ssh 3
    * High    : vulnerable-exchange-server 1
    * Medium  : accessible-cwmp 1

The MSIN subject will be prefixed with the highest-level severity seen in the report. For example:

    [Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for “Member Name”

Composite

Each MSIN could potentially consist of multiple incident type reports. For example, it could contain an Infected Hosts report which highlights hosts belonging to a member organisation that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack.

Each incident type report could also include multiple incident reports. For example, this “infected hosts” report contains 2 incidents:

    Incidents Reported
    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       123.456.789.abc
    Drone Port:                     13164
    Drone Hostname:                 abc.xxx.xxx.xxx.au
    Command and Control IP:         aaa.bbb.ccc.ddd
    Command and Control Hostname:   imacnc1.org
    Command and Control Port:       80
    Malware Type:                   redyms

    Timestamp:                      2015-08-25T00:20:34+00:00
    Drone IP:                       321.654.987.cba
    Drone Port:                     2343
    Drone Hostname:                 def.xxx.xxx.xxx.au
    Command and Control IP:         ddd.eee.fff.ggg
    Command and Control Hostname:   imacnc2.org
    Command and Control Port:       123
    Malware Type:                   dyre

All timestamps are in UTC. It is imperative that these incidents be reviewed and handled individually.

Structure

An MSIN has the following basic structure.
    ==================HEADING FOR INCIDENT TYPE 1==================
    Incident Type
        Name of the incident and any known exploited vulnerabilities and associated CVEs.
    Incident Description
        Further information on potential attack vectors and impacts.
    Incidents Reported
        List of individual reports sighted by AUSCERT
        Incident report 1
        Incident report 2
        …
        Incident report n
    AUSCERT recommended mitigations
        Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future.
    References
        Links to resources referenced within the report.
    Additional Resources
        Links to additional material such as tutorials, guides and whitepapers relevant to the report, aimed at enhancing the recipient’s understanding of the addressed vulnerabilities, potential impacts and mitigation techniques.
    =============================END OF REPORT=========================

    =====================HEADING FOR INCIDENT TYPE 2===================
    Incident Type
    Incident Description
    Incidents Reported
        Incident report 1
        Incident report 2
        …
        Incident report n
    AUSCERT recommended mitigations
    References
    Additional Resources
    =============================END OF REPORT=========================

    …
    …

    =====================HEADING FOR INCIDENT TYPE X===================
    =============================END OF REPORT=========================

MSINs API

Overview

The MSINs API provides two endpoints for querying and retrieving information about MSINs.

Base URL

https://portal.auscert.org.au/api/msins/v1/

Authentication

All endpoints require API key authentication. Include your API key in the request headers as follows:

    API-Key: <your_api_key>

Endpoints

Search MSINs
Returns a list of MSINs matching the specified parameters or default values.
Endpoint: /search
Method: GET

Get MSIN Details
Returns the detailed information for a single specified MSIN object.
Endpoint: /get
Method: GET

Frequently Asked Questions

1. How can I update domain/IP information for my organisation?
If you are a Primary AUSCERT contact, simply email AUSCERT Membership at membership@auscert.org.au and provide the updated information. If you have a privileged account in the Member portal, you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organisation’s ownership or control prior to including them in the monitoring list.

2. Where does the information in an MSIN come from?

AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and third parties entails conditions which prevent disclosure of the source(s) of information.
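The severity summary and the “Incidents Reported” block shown earlier in this guide are plain key/value text, so a member can parse them for triage instead of reading each MSIN by hand. The following is an added example, not AUSCERT’s own tooling: it rebuilds the summary, derives the subject prefix from the highest severity present, and splits the infected-hosts sample into one record per incident. The sample text is constructed from the guide’s own examples (the IPs are the guide’s placeholders), and the helper names are our own.

```python
"""Parse the text of an AUSCERT MSIN: the severity summary and the
'Incidents Reported' key/value records. Added example, not AUSCERT code;
field names and sample text follow the MSIN guide, helper names are ours."""
import re
from collections import defaultdict

# Severity order used for the subject prefix (highest first), per the guide.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample built from the guide's example summary and its two
# "infected hosts" incidents; the IPs are the guide's placeholders.
SAMPLE_MSIN = """\
Summary of reports based on severity:
    * Critical: accessible-ssh 3
    * High    : vulnerable-exchange-server 1
    * Medium  : accessible-cwmp 1

Incidents Reported
Timestamp:                      2015-08-25T00:20:34+00:00
Drone IP:                       123.456.789.abc
Drone Port:                     13164
Drone Hostname:                 abc.xxx.xxx.xxx.au
Command and Control IP:         aaa.bbb.ccc.ddd
Command and Control Hostname:   imacnc1.org
Command and Control Port:       80
Malware Type:                   redyms
Timestamp:                      2015-08-25T00:20:34+00:00
Drone IP:                       321.654.987.cba
Drone Port:                     2343
Drone Hostname:                 def.xxx.xxx.xxx.au
Command and Control IP:         ddd.eee.fff.ggg
Command and Control Hostname:   imacnc2.org
Command and Control Port:       123
Malware Type:                   dyre
"""

# "* Critical: accessible-ssh 3"  ->  severity, incident type, count
SUMMARY_LINE = re.compile(r"^\s*\*\s*(\w+)\s*:\s*(\S+)\s+(\d+)\s*$")
# "Drone Port:   13164"  ->  key, value (key may contain spaces)
FIELD_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")


def parse_summary(text):
    """Return {severity: {incident_type: count}} from the summary lines."""
    summary = defaultdict(dict)
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            severity, incident_type, count = m.groups()
            summary[severity][incident_type] = int(count)
    return dict(summary)


def subject_prefix(summary):
    """Highest severity present, in the form the MSIN subject line uses."""
    for level in SEVERITY_ORDER:
        if summary.get(level):
            return f"[Severity:{level.upper()}]"
    return "[Severity:UNKNOWN]"


def parse_incidents(text):
    """Split the 'Incidents Reported' section into one dict per incident.
    A new record starts at every 'Timestamp:' line, as in the guide's sample."""
    incidents, current, in_section = [], None, False
    for line in text.splitlines():
        if line.strip() == "Incidents Reported":
            in_section = True
            continue
        if not in_section:
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Timestamp":          # boundary between incidents
            current = {}
            incidents.append(current)
        if current is not None:
            current[key] = value
    return incidents


def c2_indicators(incidents):
    """Sorted (hostname, port) pairs for every C&C seen in the report, ready to
    be matched against egress proxy/firewall logs when confirming a drone."""
    return sorted(
        {(i["Command and Control Hostname"], int(i["Command and Control Port"]))
         for i in incidents if "Command and Control Hostname" in i}
    )


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_MSIN)
    print(subject_prefix(summary), summary)
    for inc in parse_incidents(SAMPLE_MSIN):
        print(inc["Drone IP"], "->", inc["Command and Control Hostname"], inc["Malware Type"])
    print(c2_indicators(parse_incidents(SAMPLE_MSIN)))
```

The Timestamp line is used as the record boundary because it is the one field that opens every incident in the guide’s sample; the (hostname, port) pairs are what an analyst would look for in outbound connection logs to confirm that a listed drone really did reach the C&C, which is the per-incident review the guide asks for.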

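A minimal client for the MSINs API described above, as an added example rather than AUSCERT’s own client: the base URL, the two GET endpoints and the API-Key request header come from the guide, while the query parameter names, the AUSCERT_API_KEY environment variable and the JSON response body are assumptions.

```python
"""Minimal client for the MSINs API. Added example, not AUSCERT's client:
only the base URL, the /search and /get GET endpoints and the API-Key header
come from the guide. Query parameter names, the AUSCERT_API_KEY environment
variable and a JSON response body are assumptions."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://portal.auscert.org.au/api/msins/v1/"
ENDPOINTS = {"search", "get"}  # the two GET endpoints named in the guide


def build_request(api_key, endpoint, params=None):
    """Return (url, headers) for a GET call. The key travels only in the
    API-Key header, never in the URL, so it does not end up in proxy logs."""
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unknown MSINs endpoint: {endpoint!r}")
    if not api_key:
        raise ValueError("API key is empty; set AUSCERT_API_KEY")
    url = urllib.parse.urljoin(BASE_URL, endpoint)
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"API-Key": api_key, "Accept": "application/json"}
    return url, headers


def call(endpoint, params=None, api_key=None, timeout=30):
    """Perform the GET and return the decoded JSON body (assumed format).
    The key is read from the environment so it is never committed with code."""
    api_key = api_key or os.environ.get("AUSCERT_API_KEY", "")
    url, headers = build_request(api_key, endpoint, params)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 401/403 usually mean a missing, expired or mis-scoped key; report
        # the status code without echoing the key anywhere.
        raise RuntimeError(f"MSINs API {endpoint} failed: HTTP {exc.code}") from exc


if __name__ == "__main__":
    # Parameter names here are assumed; use those the API documentation lists.
    print(call("search", {"severity": "Critical"}))
```

Keeping the key in a header rather than a query string, and reading it from the environment, is the small hygiene step that stops it from leaking into shell history, proxy logs or a committed script; the endpoint allow-list keeps a typo from turning into a request to an unrelated path under the same base URL.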