Week in review

AUSCERT Week in Review for 20th December 2024

Greetings, As the year draws to a close, we take pride in reflecting on the remarkable achievements of AUSCERT in 2024. This year has been defined by innovation, growth, and collaboration, marked by significant milestones that have further enhanced the value we deliver to our members. AUSCERT has strengthened its reputation as a trusted ally in cyber security by introducing transformative initiatives, enhancing existing services, and fostering deeper connections within the global cyber security community. These accomplishments demonstrate our unwavering commitment to equipping our members with the tools, knowledge, and support they need to confidently navigate the ever-evolving cyber security landscape. One of the standout moments of the year was the successful delivery of AUSCERT2024, which welcomed over 900 delegates—a record-breaking achievement! The conference featured ground-breaking workshops, insightful presentations, and key initiatives designed to strengthen and advance the cyber security industry. For those who missed conference presentations or wish to revisit them, recordings are available on our YouTube Channel. This year, we celebrated a major milestone with the launch of our rebrand—a refreshed identity that proudly reflects our new position as an “Ally in Cyber Security.” As part of this transformation, we unveiled an updated member portal featuring enhanced functionality designed to provide a more seamless and improved experience for our members. Our commitment to continuous improvement and service excellence remains unwavering. We invite our members to share their thoughts and ideas for future enhancements. Your feedback is invaluable—please submit your suggestions through the feedback feature in the member portal. Together, we can shape the future of our services to better meet your needs. Additionally, we expanded our offerings to include Governance, Risk, and Compliance (GRC) services. These encompass maturity assessments and tabletop exercises tailored to help our members navigate the complexities of GRC while aligning cyber security practices with their business objectives. Our proactive approach identifies and provides advice to address cyber security gaps, mitigate risks, and enhance organisational resilience. Through close collaboration, we aim to elevate security and compliance standards across your organisation. Looking ahead to 2025, we are excited to build on this momentum and continue delivering exceptional value to our members. Together, we will achieve even greater success in the coming year. CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers Date: 2024-12-18 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] A recently disclosed security vulnerability in Next.js, a popular React framework used by millions of developers worldwide, could have allowed unauthorized access to sensitive application data. The vulnerability, tracked as CVE-2024-51479 and assigned a CVSS score of 7.5, was discovered by tyage from GMO Cybersecurity by IERAE. It affects Next.js versions 9.5.5 through 14.2.14. Clop is back to wreak havoc via vulnerable file-transfer software Date: 2024-12-17 Author: CyberScoop In what we can assure you is a new cybersecurity incident despite sounding incredibly similar to incidents of past notoriety: threat actors tied to a notorious ransomware and extortion group have exploited file-transfer software to carry out attacks. Clop has claimed responsibility for attacks tied to vulnerabilities in software made by Cleo, an Illinois-based IT company that sells various types of enterprise software. The vulnerabilities, which affected Cleo’s LexiCom, VLTrader, and Harmony products, have led to worries that sensitive data across various industries could be swiped by the group in a repeat of some of the most damaging security incidents of the past few years. CISA confirms critical Cleo bug exploitation in ransomware attacks Date: 2024-12-13 Author: Bleeping Computer CISA confirmed today that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks. This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online. Cleo released security updates to fix it in October and warned all customers to "immediately upgrade instances" to additional potential attack vectors. Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances Date: 2024-12-16 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Citrix has issued a fresh warning on password spraying attacks targeting NetScaler and NetScaler Gateway appliances deployed by organizations worldwide. The attacks appear to be related to a broad campaign that was initially detailed in April 2024, targeting VPN and SSH services from Cisco, CheckPoint, Fortinet, SonicWall, and other organizations to brute-force them. Cisco patched a vulnerability related to these attacks in early October, and later that month Microsoft warned of password spray attacks targeting routers from multiple vendors. Curl Vulnerability Let Attackers Access Sensitive Information Date: 2024-12-15 Author: Cyber Security News [Please sere AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.8235/] A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information. The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of passwords to unauthorized parties. Windows kernel bug now exploited in attacks to gain SYSTEM privileges Date: 2024-12-16 Author: Bleeping Computer [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2024.0118/, https://portal.auscert.org.au/bulletins/ASB-2024.0113/, https://portal.auscert.org.au/bulletins/ESB-2024.1544/] [AUSCERT has also identified the impacted members (where possible) for the Improper Access Control Vulnerability in Adobe ColdFusion and has contacted them via email] CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability. Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction. ESB-2024.8323 – Google Chrome CVSS (Max): None Google has rolled out an important update for its Chrome browser, fixing five security vulnerabilities, some of which are classified as “High” severity. Users are strongly advised to upgrade to the latest Stable channel version (131.0.6778.204/.205 for Windows and Mac, 131.0.6778.204 for Linux) at their earliest convenience. The update addresses various issues, with special attention given to the V8 JavaScript engine. ESB-2024.8334 – FortiWLM CVSS (Max): 9.6 A critical vulnerability in FortiWLM, enables unauthenticated attackers to access sensitive files. With a CVSS score of 9.6, this flaw arises from a relative path traversal issue, allowing attackers to obtain unauthorized access to confidential data. ESB-2024.8264 – Apache Tomcat CVSS (Max): 9.8 The Apache Software Foundation has released a patch to address a critical vulnerability in Apache Tomcat. This flaw enables a malicious actor to upload harmful files disguised as legitimate ones, potentially leading to remote code execution (RCE). ESB-2024.8163 – Apache Struts CVSS (Max): 9.5 Researchers have alerted that threat actors are attempting to exploit the vulnerability CVE-2024-53677 in Apache Struts. A remote attacker could leverage this flaw to upload malicious files, potentially resulting in arbitrary code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 13th December 2024

Greetings, This week, we were reminded of the critical importance of strong operational security (OPSEC) in protecting sensitive information, as poor security practices can not only compromise data but also expose criminal activities and lead to arrests. A 19-year-old Californian resident was recently arrested for an alleged role in cyber crimes committed by the Scattered Spider group. According to court documents released this week, investigators were able to identify the suspect by linking together online accounts, IP and physical addresses, and the use of a money laundering service that was operated by the FBI. In a similar case, alleged cyber criminals who had stolen source code, credentials, and other sensitive data were uncovered due to their own poor cyber security practices. Security researchers discovered more than 2 terabytes of stolen data as a result of overly permissive access control settings on their AWS S3 bucket. These incidents underscore the need for vigilance and robust security practices—not only for those seeking to protect against cyber threats but ironically also for those who perpetrate them. Mitel MiCollab zero-day flaw gets proof-of-concept exploit Date: 2024-12-05 Author: Bleeping Computer [AUSCERT identified the impacted members (where possible) and contacted them via email] Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem. Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities. Fully patched Cleo products under renewed 'zero-day-ish' mass attack Date: 2024-12-10 Author: The Register Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems. Cleo issued patches for CVE-2024-50623, an unauthenticated remote code execution (RCE) bug affecting Harmony, VLTrader, and LexiCom running version 5.8.0.21 – marketed as secure file integration and transfer products – back in October. The situation was described by Huntress on Reddit as "zero-day-ish." It's a zero-day in the sense that it involves the novel exploit of a vulnerability, but "ish" because that vulnerability was already addressed, or so Cleo thought. SonicWall Patches 6 Vulnerabilities in Secure Access Gateway Date: 2024-12-06 Author: Security Week [AUSCERT identified the impacted members (where possible) and contacted them via email] SonicWall this week announced patches for multiple vulnerabilities in the SMA100 SSL-VPN secure access gateway, including high-severity flaws leading to remote code execution (RCE). The most severe of these issues are two buffer overflow bugs affecting the web management interface and a library loaded by the Apache web server. Django Releases Patches for CVE-2024-53907 and CVE-2024-53908 to Mitigate DoS and SQLi Threats Date: 2024-12-05 Author: Security Online [AUSCERT identified the impacted members (where possible) and contacted them via email] The Django team has recently announced the release of Django 5.1.4, Django 5.0.10, and Django 4.2.17 to address two security vulnerabilities. All users are strongly encouraged to upgrade their Django installations as soon as possible. CVE-2024-53907: Potential Denial-of-Service Attack The first vulnerability, identified as CVE-2024-53907, involves a potential denial-of-service (DoS) vulnerability in the django.utils.html.strip_tags() method and striptags template filter. Microsoft NTLM Zero-Day to Remain Unpatched Until April Date: 2024-12-10 Author: Dark Reading [Please see AUSCERT advisory: https://portal.auscert.org.au/bulletins/ASB-2024.0236/ ] The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice. QNAP Patches Vulnerabilities Exploited at Pwn2Own Date: 2024-12-09 Author: Security Week Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest. At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits, and one entry even earned white hat hackers $100,000, but it involved chaining not only QNAP but also TrueNAS device vulnerabilities. ASB-2024.0236 – Windows Workstation and Server AUSCERT issued an advisory warning its members about the zero-day vulnerability in Windows NTLM. Microsoft has not yet released a patch but has provided new guidance to organisations on how to mitigate NTLM relay attacks. ESB-2024.8086 – Atlassian Products: CVSS (Max): 8.1 Atlassian has released fixes for 10 high-severity vulnerabilities affecting Bamboo, Bitbucket, and Confluence Data Center and Server products. The patches address issues in third-party dependencies like Apache, AWS SDK, and Hazelcast. Users are urged to update their instances. ASB-2024.0233 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has issued security updates for 59 vulnerabilities across Windows 10, 11, and Server, with Windows 7 and 8.1 no longer receiving support. CVE-2024-49138, a high-risk buffer overflow vulnerability in the shared protocol file system driver, is actively being targeted, allowing attackers to gain elevated system privileges. Users are advised to update to Windows 10 22H2 or Windows 11 23H2 for continued security. ESB-2024.8056 – Google Chrome: CVSS (Max): None Google has released a Chrome update (version 131.0.6778.139/140) for Windows, Mac, and Linux, addressing several security vulnerabilities, including two rated "High" severity. Notably, CVE-2024-12381 (Type Confusion in V8) and CVE-2024-12382 (Use After Free in Translate) were fixed, reducing risks of arbitrary code execution and system control. ESB-2024.8062 – Adobe Connect: CVSS (Max): 9.3 Adobe has released a security update for Adobe Connect, addressing critical, important, and moderate vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass. Affected versions include Adobe Connect 12.6 and earlier, as well as 11.4.7 and earlier. The update, rated priority 3, is available for all platforms, and users are urged to upgrade to Adobe Connect 12.7 or 11.4.9. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 6th December 2024

Greetings, The festive season is a time for celebration, but it’s also a period when cyber criminals ramp up their efforts to exploit busy, distracted, or unsuspecting individuals. As online shopping surges during Christmas, it’s essential to stay vigilant and take proactive steps to safeguard your personal information and devices. As cyber security professionals, it’s critical to not only apply best practices personally but also reinforce awareness among less tech-savvy colleagues, friends, and family members. Phishing scams, fake e-commerce promotions, and delivery fraud are rampant during this period. Scammers create convincing fake websites, pay for top placement in search results, and set up fraudulent stores on social media to deceive consumers. Common tactics include fake travel deals, parcel delivery scams, and offers that seem too good to be true—designed to steal payments or personal data. To protect yourself, always verify URLs for accuracy and security, avoid clicking on links in emails or messages, and download apps only from trusted sources. Use secure payment methods with consumer protections like PayPal or credit cards, and consider a low-limit credit card for online transactions. Avoid saving payment details in online accounts, and the more risky payment methods like bank transfers or cryptocurrencies. Strengthen account and device security with unique passwords, multi-factor authentication, and regular software updates. Stay alert to parcel scams, verifying any messages even if expecting a delivery. If a deal seems too good to be true, access the retailer’s website directly to confirm its legitimacy. Remember these three steps to avoid scams: Stop—Don’t rush into action; Check—Verify the offer through official channels or reviews; and Report—inform your bank and update passwords if you suspect a scam. By staying proactive, you can enjoy a safe and secure holiday season for all! CVE-2024-42330 (CVSS 9.1): Zabbix Patches Critical Remote Code Execution Vulnerability Date: 2024-11-28 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] Popular open-source monitoring tool Zabbix has released urgent security updates to address a critical vulnerability that could allow attackers to execute arbitrary code on vulnerable systems. The vulnerability, tracked as CVE-2024-42330 and assigned a CVSS score of 9.1, affects multiple versions of Zabbix 6.0, 6.4, and 7.0. Zabbix is widely used by organizations of all sizes to monitor their IT infrastructure, including networks, servers, and cloud services. RomCom exploits Firefox and Windows zero days in the wild Date: 2024-11-26 Author: We Live Security [Please see the AUSCERT bulletin published in October for CVE-2024-9680: https://portal.auscert.org.au/bulletins/ESB-2024.6620/] ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit. ESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023. CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks Date: 2024-12-04 Author: Security Week The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild. The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Veeam warns of critical RCE bug in Service Provider Console Date: 2024-12-03 Author: Bleeping Computer ​Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads. Exploit released for critical WhatsUp Gold RCE flaw, patch now Date: 2024-12-03 Author: Bleeping Computer A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it critical to install the latest security updates as soon as possible. The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 and before 24.0.1. ESB-2024.7833 – Google Chrome: CVSS (Max): 8.8 Google has released a security update for Chrome to fix a high-severity "type confusion" vulnerability (CVE-2024-12053) in the V8 JavaScript engine. This flaw could allow attackers to execute arbitrary code, bypassing Chrome’s sandbox and compromising system security. The issue was promptly patched in Chrome version 131.0.6778.108/.109 for Windows, Mac, and Linux. ESB-2024.7802 – Cisco Adaptive Security Appliance WebVPN: CVSS (Max): 6.1 Cisco warns that the decade-old ASA vulnerability (CVE-2014-2120) is being actively exploited in attacks. This flaw, found in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) software, allows unauthenticated remote attackers to conduct cross-site scripting (XSS) attacks. Cisco urges customers to upgrade to fixed software versions following new exploitation attempts detected in November 2024. ESB-2024.7832 – Siemens RUGGEDCOM APE1808: CVSS (Max): 10.0 Siemens products are affected by multiple vulnerabilities. These vulnerabilities could allow attackers to gain unauthorised access, cause denial-of-service conditions, or escalate privileges. Affected devices should be updated using Siemens patches, and access to the management interface should be limited to trusted IP addresses. CISA recommends protective measures to reduce exploitation risks, including securing network access and following industrial security guidelines. Additionally, users should be vigilant against social engineering attacks. ESB-2024.7785 – Google Android: CVSS (Max): 8.4* The Android Security Bulletin highlights critical vulnerabilities, with the most severe being a high-risk flaw in the System component, potentially allowing remote code execution without requiring additional privileges. The vulnerability could severely impact devices if platform and service mitigations are bypassed or disabled. Security patch levels of 2024-12-05 or later address all issues. Android partners were notified in advance, and source code patches have been released in the AOSP repository. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 29th November 2024

Greetings, This week, we had the exciting opportunity to reconnect with our Melbourne community at an AUSCERT member meetup. It was an inspiring space for collaboration, where participants shared experiences, discussed challenges in a supportive environment. Coming together in person highlighted the passion, innovation, and drive that are the heart of our community, reminding us of the importance of meaningful interactions as we work towards our common goals. Following the meet up, the AUSCERT team attended the AISA Melbourne CyberCon where our General Manager, Ivano Bongiovanni, delivered three engaging sessions. These focused on the future of cyber security, the vital role of data governance, and decision-making in the age of AI. It was a great opportunity to reconnect with the AISA community and engage with the wider cyber security industry in Melbourne during this event! This week the Australian government has passed its first standalone Cyber Security Act as part of the 2023–2030 Cyber Security Strategy. This landmark legislation aims to strengthen the nation's cyber resilience with provisions such as enhanced incident reporting, mandatory smart device security standards, and the creation of a Cyber Incident Review Board. A notable feature is the "limited use" obligation, which safeguards organisations that share data during cyber incidents, promoting greater collaboration between government and industry. The Act also updates critical infrastructure protections and broadens government powers to address emerging cyber threats. Key elements of the legislative package include: Mandatory Ransomware Payment Reporting: Businesses with annual turnovers above AUD 3 million must disclose ransomware payments within a set timeframe, enhancing transparency and response efforts. IoT Security Standards: New regulations bring Australian IoT devices, like home security cameras and smart appliances, in line with international security standards to reduce vulnerabilities. Enhanced Protections for Data and Critical Infrastructure: Updates to laws such as the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018 aim to fortify the security of critical infrastructure and improve data management. Liability Protections: The new rules offer [businesses "no-fault" protections when reporting cyber incidents, encouraging greater transparency without the fear of legal consequences. These reforms represent a major step toward building a more secure digital environment across Australia. QNAP addresses critical flaws across NAS, router software Date: 2024-11-25 Author: Bleeping Computer QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible. Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it: CVE-2024-38643 – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical") CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data. CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks Date: 2024-11-26 Author: The Hacker News The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023. Cyber security bill passes parliament Date: 2024-11-26 Author: iTnews Australia’s first cyber security legislation has been passed by parliament after being approved by the senate yesterday. The package of legislation was introduced last month as part of the government’s 2023-2030 Australian Cyber Security Strategy. Now, businesses that pay ransomware hackers will be compelled to report it to the government. There is also a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to share information from a victim during an incident. macOS Vulnerability (CVE-2023-32428) Grants Root Access, PoC Published Date: 2024-11-26 Author: Security Online Security researcher Gergely Kalman has detailed a high-severity vulnerability in Apple’s MallocStackLogging framework that could allow attackers to gain local privilege escalation (LPE) on macOS systems. The flaw, designated CVE-2023-32428 with a CVSS score of 7.8, demonstrates how seemingly helpful developer tools can be manipulated to bypass security measures and compromise high-privilege operations. CVE-2024-8114: GitLab Vulnerability Allows Privilege Escalation Date: 2024-11-26 Author: Security Online GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products. Versions 17.6.1, 17.5.3, and 17.4.5 contain important bug and security fixes, including patches for a high severity privilege escalation vulnerability. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in its security advisory. ESB-2024.7747 – GitLab Community Edition (CE) and Enterprise Edition (EE) GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products. ESB-2024.7745 – GlobalProtect App An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. ESB-2024.7714 – OpenSSL Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing versions 3.2.2, 4.2.2 and higher. ESB-2024.7561.2 – Palo Alto PAN-OS An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 22nd November 2024

Greetings, The call for presentations at AUSCERT2025 is officially open! As the longest-running event of its kind in Australia, AUSCERT has built a strong, collaborative network of professionals committed to advancing the industry. This event not only fosters the exchange of cutting-edge ideas but also offers networking opportunities with top experts, innovators, and industry leaders. Contributing to the collective knowledge at AUSCERT2025 is more critical than ever. By sharing your insights, research, and strategies, you can help drive innovation and ensure the industry continues to evolve and thrive in this dynamic environment. The Australian Signals Directorate (ASD) has released its 2023–24 Annual Cyber Threat Report, shedding light on the growing sophistication of cyber threats. Over the past financial year, the ASD received over 36,700 calls to its Cyber Security Hotline—an increase of 12% from the previous year—and responded to more than 1,100 cyber incidents. These figures highlight the persistent targeting of Australian organisations by both criminal and state-sponsored actors, particularly governments and critical infrastructure. The report also highlights the increasing use of artificial intelligence by cyber criminals, reducing the expertise required to execute attacks. Common threats like business email compromise, fraud, ransomware, and data theft extortion continue to disrupt businesses and individuals. With global tensions escalating, the ASD stresses the importance of closer collaboration between governments, industries, and international partners. Strong public-private partnerships and proactive incident reporting are essential to building national cyber resilience. The report underscores the urgent need for improved cyber security measures, knowledge-sharing, and unified efforts to safeguard Australia’s digital infrastructure. Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover Date: 2024-11-15 Author: Security Week A critical-severity vulnerability in the Really Simple Security plugin for WordPress potentially exposed four million websites to complete takeover, WordPress security firm Defiant warns. Tracked as CVE-2024-10924 (CVSS score of 9.8), the issue is described as an authentication bypass that allows an unauthenticated attacker to log in as any user, including an administrator. According to Defiant, the security defect exists because of an improper user check error handling in the plugin’s two-factor REST API action. Specifically, the bug is triggered if two-factor authentication (2FA) is enabled. Palo Alto Networks Releases IoCs for New Firewall Zero-Day Date: 2024-11-18 Author: Security Week [AUSCERT has contacted members where possible. Also see AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2024.7561, IOCs published on MISP] Palo Alto Networks has released indicators of compromise (IoCs) for the attacks exploiting a newly uncovered firewall zero-day vulnerability. The company recently came across claims regarding a previously unknown remote code execution vulnerability in its PAN-OS operating system. A security advisory published by the company on November 8 urged customers to ensure that access to the PAN-OS management interface is secured, but said there had been no indication of a zero-day being exploited in attacks. Critical RCE bug in VMware vCenter Server now exploited in attacks Date: 2024-11-18 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2024.7542] Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation. Apple fixes two zero-days used in attacks on Intel-based Macs Date: 2024-11-19 Author: Bleeping Computer Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS. Cyber security bill recommended for 'urgent' parliamentary approval Date: 2024-11-18 Author: IT News Proposed legislation compelling businesses to disclose their ransomware payments to the government has been recommended for “urgent” parliamentary approval. Introduced last month by cyber security minister Tony Burke, the Cyber Security Bill 2024 aims to enforce mandatory reporting of ransomware payments to “build [the government’s] understanding of the ransomware threat”. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended the bill be urgently passed by parliament. ESB-2024.7592 – IBM Security QRadar SIEM: CVSS (Max): 10.0 The product includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. IBM has addressed these vulnerabilities with an update. ESB-2024.7542.2 – VMware vCenter Server: CVSS (Max): 9.8 VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) ESB-2024.7565 – Atlassian Products: CVSS (Max): 10.0 19 high severity vulnerabilities have been fixed in new versions of Atlassian products. The addressed vulnerabilities emcompassed DoS (Denial of Service and Remote Code Execution (RCE) flaws. ESB-2024.7561 – Palo Alto PAN-OS: CVSS (Max): 9.3 An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. This has been addressed in release of new versions of the software. ESB-2024.7610 – mySCADA myPRO Manager: CVSS (Max): 10.0 An identified vulnerability could allow a remote attacker to execute arbitrary commands or disclose sensitive information. mySCADA recommends updating to latest versions of the software to address the issue. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 15th November 2024

Greetings, The countdown to AUSCERT2025 is on! The call for presentations opens this Tuesday, 19th November, so now’s the time to start planning. If you have a topic you’re passionate about, take this opportunity to organise your ideas and submit a proposal. Don’t miss your chance to contribute, share insights, and connect with the cyber security community! The November 2024 Patch Tuesday from Microsoft addresses 89 vulnerabilities, including four critical zero-day flaws. Notable fixes include Microsoft Exchange and Windows, which hackers have actively exploited. Three of the zero-days are escalation of privilege vulnerabilities, allowing attackers to gain higher access rights, while the fourth is a security feature bypass. The update covers a range of products, underscoring the importance of timely patching to avoid potential exploitation. Full details and patch links are available on Microsoft’s security update page. The Five Eyes alliance (US, UK, Australia, Canada, and New Zealand) has issued a warning on the increasing exploitation of zero-day vulnerabilities, marking a shift from previous years when older software flaws were more commonly targeted. Their advisory lists the top 15 most exploited vulnerabilities in 2023, led by CVE-2023-3519 in Citrix’s NetScaler, which has been linked to large-scale attacks by actors possibly associated with China. With most of 2023’s vulnerabilities initially exploited as zero-days—a trend continuing into 2024—the alliance agencies’ urge organisations and vendors to prioritise rapid patching and invest in secure-by-design practices to better mitigate these evolving threats. Final reminder for our Brisbane-based members, next week’s festive Members’ Meet-Up is the perfect chance to connect with fellow cyber security professionals, exchange ideas, and start planning for the year ahead. Enjoy a festive drink, reconnect with old friends, and make new ones! If you haven’t already, be sure to register to secure your spot. This meet-up promises engaging discussions, valuable insights, and a wonderful opportunity to strengthen our local cyber security community. We’re excited to see you there! Citrix ‘Recording Manager’ Zero-Day Bug Allows Unauthenticated RCE Date: 2024-11-13 Author: Dark Reading An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover. According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix’s Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more. FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 Date: 2024-11-12 Author: Bleeping Computer The FBI, the NSA, and cybersecurity authorities of the Five Eyes intelligence alliance have released today a list of the top 15 routinely exploited vulnerabilities throughout last year. A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks’ exposure to potential attacks. “In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” the cybersecurity agencies warned. Ivanti Connect Secure, Policy Secure and Secure Access Client Affected by Critical Vulnerabilities Date: 2024-11-12 Author: Security Online Ivanti has released urgent security updates to address a range of vulnerabilities, including critical remote code execution (RCE) flaws, in its Connect Secure, Policy Secure, and Secure Access Client products. These vulnerabilities pose significant risks to organizations, potentially allowing attackers to gain unauthorized access, escalate privileges, and execute malicious code. Veeam Patches High-Severity Vulnerability as Exploitation of Previous Flaw Expands Date: 2024-11-11 Author: Security Week Tracked as CVE-2024-40715 (CVSS score of 7.7), the bug can be exploited by a remote attacker by performing a man-in-the-middle (MiTM) attack to bypass authentication. To address this flaw, Veeam has released a hotfix for Backup Enterprise Manager 12.2.0.334 and included the hotfix in repackaged images for Veeam Backup & Replication and Veeam Data Platform that were released on November 6. SAP Patches High-Severity Vulnerability in Web Dispatcher Date: 2024-11-12 Author: Security Week Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates. Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances. In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug. ASB-2024.0229 – Microsoft Windows: CVSS (Max): 9.8 Microsoft’s November patch update addresses 89 vulnerabilities, including four zero-day flaws, two of which are actively being exploited. ESB-2024.7366 – Google Chrome: CVSS (Max): 8.8* Google announced the release of Chrome 131 to the stable channel, including patches for 12 vulnerabilities. For more information, refer to their security page. ESB-2024.7374 – Adobe Commerce: CVSS (Max): 7.7 Adobe released a critical security update for Adobe Commerce which addresses a server-side request forgery (SSRF) vulnerability that could enable arbitrary code execution. ESB-2024.7375 – Zoom: CVSS (Max): 8.5 Zoom has issued fixes for six vulnerabilities, including two high-severity issues that could enable remote attackers to escalate privileges or access sensitive information. ESB-2024.7451 – Intel Server Board S2600ST Family: CVSS (Max): 8.2 Intel has issued 44 new advisories addressing over 80 vulnerabilities, with more than 20 classified as high severity. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 8th November 2024

Greetings, With only a few months left of the year, it’s the perfect opportunity to begin forecasting for next year by gathering insights, refining strategies and reconnecting with key members of the community! With events and celebrations already filling up the calendar fast, we encourage our Brisbane members to save the date for November 21st and our Melbourne members for November 27th! These meet-ups are excellent opportunities to exchange ideas, share industry insights, and contribute to shaping the future together. Don’t miss out on this chance to connect and collaborate! This week, cyber criminals have been exploiting DocuSign’s "Envelope: create" API to conduct business email compromise (BEC) attacks with convincing fake invoices and bypassing spam filters. Wallarm warns of the associated risks, while DocuSign urges users to verify sender and payment details to prevent fraud. This underscores the growing importance of secure verification practices as BEC attacks rise. Lastly, a final reminder for AUSCERT2025 tutorial submissions! If you have fresh insights or a session idea, now is the time to submit—deadline is Monday 11th November. As we move into the final months of the year, let’s celebrate our achievements, connect with peers, and prepare for a successful 2025. We look forward to seeing you at the meet-ups and hearing your ideas for AUSCERT2025! CVE-2024-42509 (CVSS 9.8): Critical Vulnerability Exposes Aruba Access Points to Attack Date: 2024-11-06 Author: Security Online HPE Aruba Networking has issued a security advisory warning of multiple critical vulnerabilities affecting Access Points running Instant AOS-8 and AOS-10. The company has released patches addressing these vulnerabilities, which, if exploited, could lead to remote code execution (RCE), unauthorized access, and even full system compromise. LiteSpeed Cache Plugin Vulnerability Poses Admin Access Risk Date: 2024-10-30 Author: Infosecurity Magazine [AUSCERT has identified the impacted members and contacted them via email] A vulnerability in the LiteSpeed Cache plugin for WordPress, which has over 6 million active installations, has been discovered allowing unauthenticated visitors to gain administrator-level access by exploiting a security flaw in the plugin’s role simulation feature. This flaw permitted unauthorized access that could lead to the installation of malicious plugins. The LiteSpeed Cache plugin is widely used for site optimization and supports popular WordPress plugins like WooCommerce, bbPress and Yoast SEO. Google fixes two Android zero-days used in targeted attacks Date: 2024-11-05 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.7175/] Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. Tracked as CVE-2024-43047 and CVE-2024-43093, the two issues are marked as exploited in limited, targeted attacks. "There are indications that the following may be under limited, targeted exploitation," says Google's advisory. The CVE-2024-43047 flaw is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges. Microsoft SharePoint RCE bug exploited to breach corporate network Date: 2024-11-02 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please also see AUSCERT's updated bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0128.2/] A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. CVE-2024-38094 is a high-severity (CVSS v3.1 score: 7.2) RCE flaw impacting Microsoft SharePoint, a widely used web-based platform functioning as an intranet, document management, and collaboration tool that can seamlessly integrate with Microsoft 365 apps. Google Claims World First As AI Finds 0-Day Security Vulnerability Date: 2024-11-05 Author: Forbes An AI agent has discovered a previously unknown, zero-day, exploitable memory-safety vulnerability in widely used real-world software. It’s the first example, at least to be made public, of such a find, according to Google’s Project Zero and DeepMind, the forces behind Big Sleep, the large language model-assisted vulnerability agent that spotted the vulnerability. ESB-2024.7250 – Cisco Unified Industrial Wireless Software: CVSS (Max): 10.0 A critical vulnerability in Cisco's UWRB access points allows attackers to execute commands as a root user. The flaw is due to improper validation of input, which can be exploited remotely. Cisco has issued patches to fix the issue and advises affected users to apply them immediately. ESB-2024.7215 – Google Chrome: CVSS (Max): None Google released an emergency Chrome update to fix two critical use-after-free vulnerabilities (CVE-2024-10826 and CVE-2024-10827) that could lead to remote code execution and system compromise. Users are urged to update their browsers immediately to mitigate security risks. ESB-2024.7175 – Google Android: CVSS (Max): 8.4* In its November 2024 update, Google patched 40 Android vulnerabilities, including two actively exploited zero-days: CVE-2024-43047 and CVE-2024-43093. CVE-2024-43047, a use-after-free flaw in Qualcomm’s DSP, could lead to privilege escalation and device compromise, while CVE-2024-43093 affects Android’s framework, exposing devices to potential attacks. Users are urged to update their devices promptly to mitigate these risks. ASB-2024.0128.2 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.8 AUSCERT updated its bulletin from 10 July to include the addition of CVE-2024-38094 to CISA's KEV catalog. This vulnerability is actively being exploited by attackers to gain access to corporate networks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 1st November 2024

Greetings, As spooky characters roam our streets and candy fills our homes, it’s a season for both thrills and caution. While we might be watching for costumed ghouls at our doorsteps, remember: the real threats this Halloween season could be lurking online. Cyber “monsters” are prowling the digital world, preying on unsuspecting people through deceptive emails, fraudulent links, and even holiday-themed phishing schemes. So as you decorate your homes with pumpkins, don’t forget to sharpen your cyber defences, too. Staying mindful of both physical and digital spaces will help keep this season fun and safe. This week, the International Cybersecurity Championship & Conference (IC3) took place in Santiago, Chile. Representing team Oceania, UQ Cyber earned an impressive third-place finish in the competition! Often called the ‘World Cup of Cybersecurity”, IC3 is organised by the European Union Agency for Cybersecurity (ENISA) in partnership with UQ and other major cyber security organisation IC3 unites the brightest university students in the field of cybersecurity from Oceania, the USA, Europe, Asia, Africa, Latin America, and Canada. This year’s IC3 event showcased skill and resilience through intense challenges in cryptography, reverse engineering, and attack/defence simulations. By bringing young cyber defenders together, IC3 aims to cultivate global cooperation and foster skills that will define the future of cyber security. Team Oceania’s strong performance stands as a testament to the region’s commitment to cyber excellence and growing expertise in the field. Well done! A reminder that AUSCERT2025 has opened its Call for Tutorials, with submissions due by 11 November. If you have innovative topic ideas, this is your chance to contribute to a prestigious event! The Call for Presentations will open shortly after on 19 November. For those interested in sponsorship opportunities, a webinar is scheduled for next week. Click here to register and join the session to learn more and get your questions answered. If you haven't done so yet, be sure to download the Sponsorship Prospectus for valuable insights that may address your queries. Remember, sponsorship opportunities—including branding, booth positions, and speaking slots—are allocated on a "first come, first served" basis, so act quickly to secure your preferred options! ASIC urges cyber security to be ‘top of mind’ Date: 2024-10-25 Author: Money Management ASIC chair Joe Longo has told AFSLs that cyber protection should be “top of mind” for them as they manage their businesses, and flagged the weaknesses demonstrated by RI Advice. Appearing before the standing committee on economics to discuss ASIC’s FY24 annual report on 25 October, Longo said the regulator had received 600 responses to its Cyber Pulse Survey, including 120 financial advisers. QNAP patches second zero-day exploited at Pwn2Own to get root Date: 2024-10-30 Author: Bleeping Computer QNAP has released security patches for a second zero-day bug exploited by security researchers during last week's Pwn2Own hacking contest. This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP's SMB Service and is now fixed in versions 4.15.002 or later and h4.15.002 and later. Cybersecurity Training Resources Often Limited to Developers Date: 2024-10-31 Author: Dark Reading New studies show that cybersecurity executives often fail to prioritize software security training for the entirety of a company, instead only deeming it necessary for a select few — and not always for the right reasons. Nearly half of cybersecurity leaders who provide these kind of training tools don't consider awareness efforts to be essential within their organizations, according to a study conducted by CMD+CTRL Security and Wakefield Research. In addition to this, half of the leaders who do provide security training do so to build a "security culture," but only 41% say they provide training because of the increased risk from third parties and supply chains. What are the top cyber security threats for businesses? Date: 2024-10-28 Author: In Daily New technology has given organisations greater data analytics, communication, and operational efficiency capabilities. However, it has also made threat actors, ranging from nation-state actors to cyber criminals, more sophisticated. As our world becomes more digitally interconnected, we see the integration of artificial intelligence with cyber attacks enhancing the severity of these attacks. Most Australians have experienced a cyber attack Date: 2024-10-29 Author: Cyber Daily Almost two-thirds (63 per cent) of Australians experienced a cyber attack or data breach during the last 12 months, according to a new report released by National Australia Bank (NAB). Released as part of Cyber Security Awareness Month, the major bank’s latest Consumer Cyber Security Survey draws results from interviews with 1,038 Australians conducted between August and September 2024. ESB-2024.7018 – Apple Safari: CVSS (Max): 8.8* An attacker may be able to misuse a trust relationship to download malicious content ESB-2024.7004 – Siemens InterMesh Subscriber Devices: CVSS (Max): 10.0 Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, execute commands, write arbitrary files, or execute arbitrary commands. ESB-2024.6963 – activemq: CVSS (Max): 10.0 Implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code. ESB-2024.6958 – Cisco Secure Firewall Management Center Software: CVSS (Max): 9.9 This vulnerability is due to insufficient input validation of certain HTTP requests. An attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 25th October 2024

Greetings, AUSCERT is excited to announce the launch of AUSCERT2025! From 20–23 May, we’ll be returning to the Gold Coast, and we invite you to join us for another year of dynamic keynote speakers, innovative tutorials, and ground-breaking presentations. Let’s come together to evolve and thrive in the ever-evolving world of cyber security. Call for Tutorials is officially open! We encourage everyone to submit their proposals or spread the word to someone who should. The submission deadline is 11 November, so don’t miss your chance to contribute to AUSCERT2025 and be part of one of the most anticipated cyber security events of the year! This year we’re offering new sponsorship packages to suit different organisations, including options tailored specifically for start-ups.By sponsoring AUSCERT2025 your business will gain a unique platform to showcase its solutions, connect with potential clients, and expand its presence within the cyber security community. Contact us today to learn more about how your organisation can get involved! The theme for AUSCERT2025, ‘Evolve and Thrive’,highlights the critical need for continuous innovation, learning, and the application of new knowledge to stay ahead of cyber criminals. Inspired by the prehistoric reign of dinosaurs, ‘Evolve and Thrive’ serves as a powerful metaphor for modern cyber security challenges. Just as dinosaurs—once dominant but ultimately unable to adapt—became extinct, organisations today must embrace innovation to remain relevant in an increasingly hostile digital landscape. Head to our website for more information VMware Struggles to Fix Flaw Exploited at Chinese Hacking Contest Date: 2024-10-21 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5949/] For the second time in as many months, the virtualization tech vendor pushed a patch to cover a remote code execution vulnerability first documented — and exploited — at a Chinese hacking contest earlier this year. “VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812,” the company said in an updated advisory on Monday. No additional details were provided. Bank impersonation scams are reportedly on the rise. Here's how to spot one and stay safe Date: 2024-10-19 Author: SBS News If you've recently received a call from someone claiming to be from a bank, be cautious about sharing any personal information. It may be an attempt to steal your money. Scams in which criminals call, email or message people pretending to be from a bank are on the rise, according to a warning from the government's National Anti-Scam Centre. "The scammers ask you for personal or financial information or to transfer funds or to give them a one-time security code over the phone," the centre's Scamwatch service warned on Friday Fortinet Confirms Zero-Day Exploit Targeting FortiManager Systems Date: 2024-10-23 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.6898/] [AUSCERT also identified the impacted members (where possible) and contacted them via email] The US government’s cybersecurity agency CISA on Wednesday called urgent attention to a critical vulnerability in Fortinet’s FortiManager platform and warned that remote hackers are already launching code execution exploits. The security defect, tracked as CVE-2024-47575, is documented as a “missing authentication for critical function vulnerability” in the FortiManager fgfmd daemon. CISA Warns Recent Microsoft SharePoint RCE Flaw Exploited in Attacks Date: 2024-10-23 Author: Security Week The US cybersecurity agency CISA on Tuesday warned that a recently patched remote code execution (RCE) vulnerability in Microsoft SharePoint Server has been exploited in the wild. The issue, tracked as CVE-2024-38094 (CVSS score of 7.2) and addressed with July 2024 Patch Tuesday updates, can be exploited over the network without user interaction, but requires authentication as a highly privileged user. “An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft explains in its advisory. Google Warns of Samsung Zero-Day Exploited in the Wild Date: 2024-10-22 Author: Security Week A zero-day vulnerability in Samsung’s mobile processors has been leveraged as part of an exploit chain for arbitrary code execution, Google’s Threat Analysis Group (TAG) warns. Tracked as CVE-2024-44068 (CVSS score of 8.1) and patched as part of Samsung’s October 2024 set of security fixes, the issue is described as a use-after-free bug that could be abused to escalate privileges on a vulnerable Android device. “An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920. A use-after-free in the mobile processor leads to privilege escalation,” a NIST advisory reads. ESB-2024.6916 – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services: CVSS (Max): 5.8 Cisco has issued an urgent update for vulnerabilities affecting ASA and FTD VPNs, which are currently being actively exploited. The flaw could allow attackers to bypass security measures and gain unauthorized access. Users are strongly urged to apply the patches promptly to protect their systems from potential threats. ESB-2024.6874 – Google Chrome: CVSS (Max): None This October, Google rolled out critical updates for Chrome, addressing high-risk vulnerabilities, including a significant flaw in the Extensions (CVE-2024-10229) and two in the V8 JavaScript engine (CVE-2024-10230 and CVE-2024-10231). Users on Chrome 129 should upgrade to version 130 for enhanced protection against potential threats. ESB-2024.5949.2 – VMware vCenter Server: CVSS (Max): 9.8 Broadcom has issued new patches for previously addressed vulnerabilities (CVE-2024-38812 and CVE-2024-38813) in vCenter Server, as one of these flaws was not fully resolved initially and could enable attackers to execute remote code. ESB-2024.6898 – FortiManager fgfmd: CVSS (Max): 9.8 The "FortiJump" vulnerability (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, affecting over 50 servers, according to Mandiant. This flaw, which involves missing authentication in FortiManager and FortiManager Cloud, allows attackers to execute arbitrary code through specially crafted requests. Fortinet confirmed the exploitation and noted that attackers have automated the exfiltration of sensitive data, prompting CISA to add this vulnerability to its Known Exploited Vulnerabilities catalog. ESB-2024.6899 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7 GitLab has patched two critical vulnerabilities, CVE-2024-8312 and CVE-2024-6826, which could allow attackers to escalate privileges and execute arbitrary code. Users are strongly advised to update to the latest versions to mitigate potential risks. The vulnerabilities have been addressed in GitLab's security releases to enhance overall platform security. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 18th October 2024

Greetings, This week, our team participated in the 19th ASEAN CERT Incident Drill (ACID), organised by the Cyber Security Agency of Singapore (CSA) under the theme "Navigating the Rise of AI-Enabled Cyber Attacks." With the rapid adoption of Artificial Intelligence (AI) technologies, the threat of AI-powered cyberattacks is growing quickly. These attacks include the utilisation of machine learning to assess targets and deploy the most effective techniques for compromising organisational security. As generative AI tools enable increasingly sophisticated attacks, defenders face mounting challenges in detecting and mitigating these threats. ACID, an annual drill hosted by Singapore since 2006, tests incident response procedures and strengthens cybersecurity preparedness and cooperation among CERTs from ASEAN Member States and ASEAN Dialogue Partners. Teams from across the region, including AUSCERT, participated in this year’s exercise, reinforcing regional collaboration in combating evolving cyber threats. Additionally, a few members of our team travelled to Sydney to attend the inaugural iTnews Benchmark Awards: Security. For over a decade, the iTnews Benchmark Awards have recognised Australian IT leaders across the nation. This year, a new category was introduced to celebrate leadership in cybersecurity. CISOs, CSOs, and senior cybersecurity leaders were honoured for their outstanding leadership in their organisations and their efforts to drive effective cybersecurity programs. While in Sydney, our team also participated in a session co-hosted by AUSCERT, WTW, and Ethan Global. The session provided valuable insights into holistic cyber risk management strategies, drawn from real-life case studies. Our general manager, Ivano Bongiovanni, was a panellist alongside industry thought leaders and experienced practitioners, discussing key developments in legal and regulatory changes, prioritising cyber investments, and effective reporting. It was an excellent event! To our Melbourne members: this event is coming your way on Thursday, 31 October! Spaces are still available—don’t miss out! Register here ASIC warns of identity theft leading to stolen shares Date: 2024-10-15 Author: Cyber Daily The Australian Securities and Investments Commission is warning investors to be on the lookout following a “significant increase” in reports of identity theft leading to shares being stolen or sold off without the victims being aware. According to ASIC, ongoing data breaches that have compromised the personal data of a large number of Australians are leading to fraudsters being able to successfully use stolen identities to access shares illegally. HashiCorp Cloud Vault Vulnerability Let Attackers Escalate Privileges Date: 2024-10-13 Author: Cyber Security News HashiCorp, a leading provider of cloud infrastructure automation software, has disclosed a critical security vulnerability in its Vault secret management platform. The flaw, identified as CVE-2024-9180, could allow privileged attackers to escalate their privileges to the highly sensitive root policy, potentially compromising the entire Vault instance. Thousands of Fortinet Devices Remain Exposed to RCE CVE-2024-23113 Vulnerability Date: 2024-10-13 Author: Security Online [A Shadowserver report (MSIN) has been sent to the potentially exposed members] [Also see AUSCERT's bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0851.2] A recent report from the Shadowserver Foundation has revealed a concerning number of Fortinet devices remain vulnerable to a critical remote code execution (RCE) vulnerability, despite patches being available for months and active exploitation in the wild. VMware Patches High-Severity SQL Injection Flaw in HCX Platform Date: 2024-10-16 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.6776/] VMware on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform. The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor. NAB, Vodafone and Microsoft listed in alleged Cisco data breach Date: 2024-10-15 Author: Cyber Daily Cisco is a network hardware and software manufacturer, best known for the production of its routers. In a post on a popular cyber crime forum, threat actor IntelBroker said it gained access to Cisco’s systems on 6 October, stealing large amounts of data belonging to it and its customers. Data allegedly includes “Github projects, Gitlab Projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!” Education under siege: How cybercriminals target our schools Date: 2024-10-10 Author: Microsoft The cyberthreats that Microsoft observes across different industries tend to be compounded in education, and threat actors have realized that this sector is inherently vulnerable. With an average of 2,507 cyberattack attempts per week, universities are prime targets for malware, phishing, and IoT vulnerabilities. SolarWinds Web Help Desk flaw is now exploited in attacks Date: 2024-10-16 Author: Bleeping Computer CISA has added three flaws to its 'Known Exploited Vulnerabilities' (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024. SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations. ASB-2024.0190 – CSA Advisory: SVR cyber operations A joint advisory has been released outlining the TTPs used by SVR in recent cyber operations. It highlights the significant threats posed by SVR activities to national security and critical infrastructure, stressing the importance of vigilance and proactive defence measures. The advisory also recommends key mitigation strategies for network defenders to combat these cyber threats effectively. ESB-2024.6776 – VMware HCX: CVSS (Max): 8.8 VMware has addressed a high-severity SQL injection vulnerability in its HCX platform, allowing non-admin users to execute remote code on the HCX manager. The flaw affects versions 4.8.x, 4.9.x, and 4.10.x. VMware advises users to update to patched versions 4.8.3, 4.9.2, and 4.10.1 to mitigate the risk. ESB-2024.6720 – Mozilla Firefox: CVSS (Max): None CVE-2024-10004 is a critical vulnerability in Firefox for iOS, affecting versions below 131.2. Disclosed by Mozilla, the flaw allows an HTTP website opened from an external link to mistakenly display a secure HTTPS padlock icon if the browser was previously closed with an HTTPS tab open. This misleading indicator can lead users to believe a non-secure site is secure, increasing the risk of data interception or phishing attacks. Mozilla urges users to update to version 131.2 or later to address this issue and improve security. ESB-2024.6701 – Google Chrome: CVSS (Max): None Google has released Chrome 130, fixing 17 security vulnerabilities, including the high-severity use-after-free flaw CVE-2024-9954 in the AI component. The update is being rolled out for Windows, Mac, and Linux users, and includes several medium-severity issues. Users are urged to update their browsers promptly to enhance security. ESB-2024.6667 – Splunk Enterprise: CVSS (Max): 8.8 Splunk has released fixes for 11 vulnerabilities in Splunk Enterprise. The most critical issue, CVE-2024-45733, involves an insecure session storage configuration, allowing non-admin users to execute code remotely. Affected users are advised to update, as only Windows instances running Splunk Web are vulnerable. ESB-2024.6621 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 10.0 An exploit for the critical GitLab authentication bypass vulnerability CVE-2024-45409 has been released, affecting self-managed installations with SAML authentication. This flaw allows attackers to bypass signature validation, granting access as any user. GitLab urges admins to upgrade to fixed versions immediately to prevent exploitation. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more