Publications

Greetings, The countdown to AUSCERT2025 is on! The call for presentations opens this Tuesday, 19th November, so now’s the time to start planning. If you have a topic you’re passionate about, take this opportunity to organise your ideas and submit a proposal. Don’t miss your chance to contribute, share insights, and connect with the cyber security community! The November 2024 Patch Tuesday from Microsoft addresses 89 vulnerabilities, including four critical zero-day flaws. Notable fixes include Microsoft Exchange and Windows, which hackers have actively exploited. Three of the zero-days are escalation of privilege vulnerabilities, allowing attackers to gain higher access rights, while the fourth is a security feature bypass. The update covers a range of products, underscoring the importance of timely patching to avoid potential exploitation. Full details and patch links are available on Microsoft’s security update page. The Five Eyes alliance (US, UK, Australia, Canada, and New Zealand) has issued a warning on the increasing exploitation of zero-day vulnerabilities, marking a shift from previous years when older software flaws were more commonly targeted. Their advisory lists the top 15 most exploited vulnerabilities in 2023, led by CVE-2023-3519 in Citrix’s NetScaler, which has been linked to large-scale attacks by actors possibly associated with China. With most of 2023’s vulnerabilities initially exploited as zero-days—a trend continuing into 2024—the alliance agencies’ urge organisations and vendors to prioritise rapid patching and invest in secure-by-design practices to better mitigate these evolving threats. Final reminder for our Brisbane-based members, next week’s festive Members’ Meet-Up is the perfect chance to connect with fellow cyber security professionals, exchange ideas, and start planning for the year ahead. Enjoy a festive drink, reconnect with old friends, and make new ones! If you haven’t already, be sure to register to secure your spot. This meet-up promises engaging discussions, valuable insights, and a wonderful opportunity to strengthen our local cyber security community. We’re excited to see you there! Citrix ‘Recording Manager’ Zero-Day Bug Allows Unauthenticated RCE Date: 2024-11-13 Author: Dark Reading An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover. According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix’s Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more. FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 Date: 2024-11-12 Author: Bleeping Computer The FBI, the NSA, and cybersecurity authorities of the Five Eyes intelligence alliance have released today a list of the top 15 routinely exploited vulnerabilities throughout last year. A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks’ exposure to potential attacks. “In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” the cybersecurity agencies warned. Ivanti Connect Secure, Policy Secure and Secure Access Client Affected by Critical Vulnerabilities Date: 2024-11-12 Author: Security Online Ivanti has released urgent security updates to address a range of vulnerabilities, including critical remote code execution (RCE) flaws, in its Connect Secure, Policy Secure, and Secure Access Client products. These vulnerabilities pose significant risks to organizations, potentially allowing attackers to gain unauthorized access, escalate privileges, and execute malicious code. Veeam Patches High-Severity Vulnerability as Exploitation of Previous Flaw Expands Date: 2024-11-11 Author: Security Week Tracked as CVE-2024-40715 (CVSS score of 7.7), the bug can be exploited by a remote attacker by performing a man-in-the-middle (MiTM) attack to bypass authentication. To address this flaw, Veeam has released a hotfix for Backup Enterprise Manager 12.2.0.334 and included the hotfix in repackaged images for Veeam Backup & Replication and Veeam Data Platform that were released on November 6. SAP Patches High-Severity Vulnerability in Web Dispatcher Date: 2024-11-12 Author: Security Week Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates. Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances. In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug. ASB-2024.0229 – Microsoft Windows: CVSS (Max): 9.8 Microsoft’s November patch update addresses 89 vulnerabilities, including four zero-day flaws, two of which are actively being exploited. ESB-2024.7366 – Google Chrome: CVSS (Max): 8.8* Google announced the release of Chrome 131 to the stable channel, including patches for 12 vulnerabilities. For more information, refer to their security page. ESB-2024.7374 – Adobe Commerce: CVSS (Max): 7.7 Adobe released a critical security update for Adobe Commerce which addresses a server-side request forgery (SSRF) vulnerability that could enable arbitrary code execution. ESB-2024.7375 – Zoom: CVSS (Max): 8.5 Zoom has issued fixes for six vulnerabilities, including two high-severity issues that could enable remote attackers to escalate privileges or access sensitive information. ESB-2024.7451 – Intel Server Board S2600ST Family: CVSS (Max): 8.2 Intel has issued 44 new advisories addressing over 80 vulnerabilities, with more than 20 classified as high severity. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, With only a few months left of the year, it’s the perfect opportunity to begin forecasting for next year by gathering insights, refining strategies and reconnecting with key members of the community! With events and celebrations already filling up the calendar fast, we encourage our Brisbane members to save the date for November 21st and our Melbourne members for November 27th! These meet-ups are excellent opportunities to exchange ideas, share industry insights, and contribute to shaping the future together. Don’t miss out on this chance to connect and collaborate! This week, cyber criminals have been exploiting DocuSign’s "Envelope: create" API to conduct business email compromise (BEC) attacks with convincing fake invoices and bypassing spam filters. Wallarm warns of the associated risks, while DocuSign urges users to verify sender and payment details to prevent fraud. This underscores the growing importance of secure verification practices as BEC attacks rise. Lastly, a final reminder for AUSCERT2025 tutorial submissions! If you have fresh insights or a session idea, now is the time to submit—deadline is Monday 11th November. As we move into the final months of the year, let’s celebrate our achievements, connect with peers, and prepare for a successful 2025. We look forward to seeing you at the meet-ups and hearing your ideas for AUSCERT2025! CVE-2024-42509 (CVSS 9.8): Critical Vulnerability Exposes Aruba Access Points to Attack Date: 2024-11-06 Author: Security Online HPE Aruba Networking has issued a security advisory warning of multiple critical vulnerabilities affecting Access Points running Instant AOS-8 and AOS-10. The company has released patches addressing these vulnerabilities, which, if exploited, could lead to remote code execution (RCE), unauthorized access, and even full system compromise. LiteSpeed Cache Plugin Vulnerability Poses Admin Access Risk Date: 2024-10-30 Author: Infosecurity Magazine [AUSCERT has identified the impacted members and contacted them via email] A vulnerability in the LiteSpeed Cache plugin for WordPress, which has over 6 million active installations, has been discovered allowing unauthenticated visitors to gain administrator-level access by exploiting a security flaw in the plugin’s role simulation feature. This flaw permitted unauthorized access that could lead to the installation of malicious plugins. The LiteSpeed Cache plugin is widely used for site optimization and supports popular WordPress plugins like WooCommerce, bbPress and Yoast SEO. Google fixes two Android zero-days used in targeted attacks Date: 2024-11-05 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.7175/] Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. Tracked as CVE-2024-43047 and CVE-2024-43093, the two issues are marked as exploited in limited, targeted attacks. "There are indications that the following may be under limited, targeted exploitation," says Google's advisory. The CVE-2024-43047 flaw is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges. Microsoft SharePoint RCE bug exploited to breach corporate network Date: 2024-11-02 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please also see AUSCERT's updated bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0128.2/] A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. CVE-2024-38094 is a high-severity (CVSS v3.1 score: 7.2) RCE flaw impacting Microsoft SharePoint, a widely used web-based platform functioning as an intranet, document management, and collaboration tool that can seamlessly integrate with Microsoft 365 apps. Google Claims World First As AI Finds 0-Day Security Vulnerability Date: 2024-11-05 Author: Forbes An AI agent has discovered a previously unknown, zero-day, exploitable memory-safety vulnerability in widely used real-world software. It’s the first example, at least to be made public, of such a find, according to Google’s Project Zero and DeepMind, the forces behind Big Sleep, the large language model-assisted vulnerability agent that spotted the vulnerability. ESB-2024.7250 – Cisco Unified Industrial Wireless Software: CVSS (Max): 10.0 A critical vulnerability in Cisco's UWRB access points allows attackers to execute commands as a root user. The flaw is due to improper validation of input, which can be exploited remotely. Cisco has issued patches to fix the issue and advises affected users to apply them immediately. ESB-2024.7215 – Google Chrome: CVSS (Max): None Google released an emergency Chrome update to fix two critical use-after-free vulnerabilities (CVE-2024-10826 and CVE-2024-10827) that could lead to remote code execution and system compromise. Users are urged to update their browsers immediately to mitigate security risks. ESB-2024.7175 – Google Android: CVSS (Max): 8.4* In its November 2024 update, Google patched 40 Android vulnerabilities, including two actively exploited zero-days: CVE-2024-43047 and CVE-2024-43093. CVE-2024-43047, a use-after-free flaw in Qualcomm’s DSP, could lead to privilege escalation and device compromise, while CVE-2024-43093 affects Android’s framework, exposing devices to potential attacks. Users are urged to update their devices promptly to mitigate these risks. ASB-2024.0128.2 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.8 AUSCERT updated its bulletin from 10 July to include the addition of CVE-2024-38094 to CISA's KEV catalog. This vulnerability is actively being exploited by attackers to gain access to corporate networks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As spooky characters roam our streets and candy fills our homes, it’s a season for both thrills and caution. While we might be watching for costumed ghouls at our doorsteps, remember: the real threats this Halloween season could be lurking online. Cyber “monsters” are prowling the digital world, preying on unsuspecting people through deceptive emails, fraudulent links, and even holiday-themed phishing schemes. So as you decorate your homes with pumpkins, don’t forget to sharpen your cyber defences, too. Staying mindful of both physical and digital spaces will help keep this season fun and safe. This week, the International Cybersecurity Championship & Conference (IC3) took place in Santiago, Chile. Representing team Oceania, UQ Cyber earned an impressive third-place finish in the competition! Often called the ‘World Cup of Cybersecurity”, IC3 is organised by the European Union Agency for Cybersecurity (ENISA) in partnership with UQ and other major cyber security organisation IC3 unites the brightest university students in the field of cybersecurity from Oceania, the USA, Europe, Asia, Africa, Latin America, and Canada. This year’s IC3 event showcased skill and resilience through intense challenges in cryptography, reverse engineering, and attack/defence simulations. By bringing young cyber defenders together, IC3 aims to cultivate global cooperation and foster skills that will define the future of cyber security. Team Oceania’s strong performance stands as a testament to the region’s commitment to cyber excellence and growing expertise in the field. Well done! A reminder that AUSCERT2025 has opened its Call for Tutorials, with submissions due by 11 November. If you have innovative topic ideas, this is your chance to contribute to a prestigious event! The Call for Presentations will open shortly after on 19 November. For those interested in sponsorship opportunities, a webinar is scheduled for next week. Click here to register and join the session to learn more and get your questions answered. If you haven't done so yet, be sure to download the Sponsorship Prospectus for valuable insights that may address your queries. Remember, sponsorship opportunities—including branding, booth positions, and speaking slots—are allocated on a "first come, first served" basis, so act quickly to secure your preferred options! ASIC urges cyber security to be ‘top of mind’ Date: 2024-10-25 Author: Money Management ASIC chair Joe Longo has told AFSLs that cyber protection should be “top of mind” for them as they manage their businesses, and flagged the weaknesses demonstrated by RI Advice. Appearing before the standing committee on economics to discuss ASIC’s FY24 annual report on 25 October, Longo said the regulator had received 600 responses to its Cyber Pulse Survey, including 120 financial advisers. QNAP patches second zero-day exploited at Pwn2Own to get root Date: 2024-10-30 Author: Bleeping Computer QNAP has released security patches for a second zero-day bug exploited by security researchers during last week's Pwn2Own hacking contest. This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP's SMB Service and is now fixed in versions 4.15.002 or later and h4.15.002 and later. Cybersecurity Training Resources Often Limited to Developers Date: 2024-10-31 Author: Dark Reading New studies show that cybersecurity executives often fail to prioritize software security training for the entirety of a company, instead only deeming it necessary for a select few — and not always for the right reasons. Nearly half of cybersecurity leaders who provide these kind of training tools don't consider awareness efforts to be essential within their organizations, according to a study conducted by CMD+CTRL Security and Wakefield Research. In addition to this, half of the leaders who do provide security training do so to build a "security culture," but only 41% say they provide training because of the increased risk from third parties and supply chains. What are the top cyber security threats for businesses? Date: 2024-10-28 Author: In Daily New technology has given organisations greater data analytics, communication, and operational efficiency capabilities. However, it has also made threat actors, ranging from nation-state actors to cyber criminals, more sophisticated. As our world becomes more digitally interconnected, we see the integration of artificial intelligence with cyber attacks enhancing the severity of these attacks. Most Australians have experienced a cyber attack Date: 2024-10-29 Author: Cyber Daily Almost two-thirds (63 per cent) of Australians experienced a cyber attack or data breach during the last 12 months, according to a new report released by National Australia Bank (NAB). Released as part of Cyber Security Awareness Month, the major bank’s latest Consumer Cyber Security Survey draws results from interviews with 1,038 Australians conducted between August and September 2024. ESB-2024.7018 – Apple Safari: CVSS (Max): 8.8* An attacker may be able to misuse a trust relationship to download malicious content ESB-2024.7004 – Siemens InterMesh Subscriber Devices: CVSS (Max): 10.0 Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, execute commands, write arbitrary files, or execute arbitrary commands. ESB-2024.6963 – activemq: CVSS (Max): 10.0 Implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code. ESB-2024.6958 – Cisco Secure Firewall Management Center Software: CVSS (Max): 9.9 This vulnerability is due to insufficient input validation of certain HTTP requests. An attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, AUSCERT is excited to announce the launch of AUSCERT2025! From 20–23 May, we’ll be returning to the Gold Coast, and we invite you to join us for another year of dynamic keynote speakers, innovative tutorials, and ground-breaking presentations. Let’s come together to evolve and thrive in the ever-evolving world of cyber security. Call for Tutorials is officially open! We encourage everyone to submit their proposals or spread the word to someone who should. The submission deadline is 11 November, so don’t miss your chance to contribute to AUSCERT2025 and be part of one of the most anticipated cyber security events of the year! This year we’re offering new sponsorship packages to suit different organisations, including options tailored specifically for start-ups.By sponsoring AUSCERT2025 your business will gain a unique platform to showcase its solutions, connect with potential clients, and expand its presence within the cyber security community. Contact us today to learn more about how your organisation can get involved! The theme for AUSCERT2025, ‘Evolve and Thrive’,highlights the critical need for continuous innovation, learning, and the application of new knowledge to stay ahead of cyber criminals. Inspired by the prehistoric reign of dinosaurs, ‘Evolve and Thrive’ serves as a powerful metaphor for modern cyber security challenges. Just as dinosaurs—once dominant but ultimately unable to adapt—became extinct, organisations today must embrace innovation to remain relevant in an increasingly hostile digital landscape. Head to our website for more information VMware Struggles to Fix Flaw Exploited at Chinese Hacking Contest Date: 2024-10-21 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5949/] For the second time in as many months, the virtualization tech vendor pushed a patch to cover a remote code execution vulnerability first documented — and exploited — at a Chinese hacking contest earlier this year. “VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812,” the company said in an updated advisory on Monday. No additional details were provided. Bank impersonation scams are reportedly on the rise. Here's how to spot one and stay safe Date: 2024-10-19 Author: SBS News If you've recently received a call from someone claiming to be from a bank, be cautious about sharing any personal information. It may be an attempt to steal your money. Scams in which criminals call, email or message people pretending to be from a bank are on the rise, according to a warning from the government's National Anti-Scam Centre. "The scammers ask you for personal or financial information or to transfer funds or to give them a one-time security code over the phone," the centre's Scamwatch service warned on Friday Fortinet Confirms Zero-Day Exploit Targeting FortiManager Systems Date: 2024-10-23 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.6898/] [AUSCERT also identified the impacted members (where possible) and contacted them via email] The US government’s cybersecurity agency CISA on Wednesday called urgent attention to a critical vulnerability in Fortinet’s FortiManager platform and warned that remote hackers are already launching code execution exploits. The security defect, tracked as CVE-2024-47575, is documented as a “missing authentication for critical function vulnerability” in the FortiManager fgfmd daemon. CISA Warns Recent Microsoft SharePoint RCE Flaw Exploited in Attacks Date: 2024-10-23 Author: Security Week The US cybersecurity agency CISA on Tuesday warned that a recently patched remote code execution (RCE) vulnerability in Microsoft SharePoint Server has been exploited in the wild. The issue, tracked as CVE-2024-38094 (CVSS score of 7.2) and addressed with July 2024 Patch Tuesday updates, can be exploited over the network without user interaction, but requires authentication as a highly privileged user. “An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Microsoft explains in its advisory. Google Warns of Samsung Zero-Day Exploited in the Wild Date: 2024-10-22 Author: Security Week A zero-day vulnerability in Samsung’s mobile processors has been leveraged as part of an exploit chain for arbitrary code execution, Google’s Threat Analysis Group (TAG) warns. Tracked as CVE-2024-44068 (CVSS score of 8.1) and patched as part of Samsung’s October 2024 set of security fixes, the issue is described as a use-after-free bug that could be abused to escalate privileges on a vulnerable Android device. “An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920. A use-after-free in the mobile processor leads to privilege escalation,” a NIST advisory reads. ESB-2024.6916 – Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services: CVSS (Max): 5.8 Cisco has issued an urgent update for vulnerabilities affecting ASA and FTD VPNs, which are currently being actively exploited. The flaw could allow attackers to bypass security measures and gain unauthorized access. Users are strongly urged to apply the patches promptly to protect their systems from potential threats. ESB-2024.6874 – Google Chrome: CVSS (Max): None This October, Google rolled out critical updates for Chrome, addressing high-risk vulnerabilities, including a significant flaw in the Extensions (CVE-2024-10229) and two in the V8 JavaScript engine (CVE-2024-10230 and CVE-2024-10231). Users on Chrome 129 should upgrade to version 130 for enhanced protection against potential threats. ESB-2024.5949.2 – VMware vCenter Server: CVSS (Max): 9.8 Broadcom has issued new patches for previously addressed vulnerabilities (CVE-2024-38812 and CVE-2024-38813) in vCenter Server, as one of these flaws was not fully resolved initially and could enable attackers to execute remote code. ESB-2024.6898 – FortiManager fgfmd: CVSS (Max): 9.8 The "FortiJump" vulnerability (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, affecting over 50 servers, according to Mandiant. This flaw, which involves missing authentication in FortiManager and FortiManager Cloud, allows attackers to execute arbitrary code through specially crafted requests. Fortinet confirmed the exploitation and noted that attackers have automated the exfiltration of sensitive data, prompting CISA to add this vulnerability to its Known Exploited Vulnerabilities catalog. ESB-2024.6899 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7 GitLab has patched two critical vulnerabilities, CVE-2024-8312 and CVE-2024-6826, which could allow attackers to escalate privileges and execute arbitrary code. Users are strongly advised to update to the latest versions to mitigate potential risks. The vulnerabilities have been addressed in GitLab's security releases to enhance overall platform security. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, our team participated in the 19th ASEAN CERT Incident Drill (ACID), organised by the Cyber Security Agency of Singapore (CSA) under the theme "Navigating the Rise of AI-Enabled Cyber Attacks." With the rapid adoption of Artificial Intelligence (AI) technologies, the threat of AI-powered cyberattacks is growing quickly. These attacks include the utilisation of machine learning to assess targets and deploy the most effective techniques for compromising organisational security. As generative AI tools enable increasingly sophisticated attacks, defenders face mounting challenges in detecting and mitigating these threats. ACID, an annual drill hosted by Singapore since 2006, tests incident response procedures and strengthens cybersecurity preparedness and cooperation among CERTs from ASEAN Member States and ASEAN Dialogue Partners. Teams from across the region, including AUSCERT, participated in this year’s exercise, reinforcing regional collaboration in combating evolving cyber threats. Additionally, a few members of our team travelled to Sydney to attend the inaugural iTnews Benchmark Awards: Security. For over a decade, the iTnews Benchmark Awards have recognised Australian IT leaders across the nation. This year, a new category was introduced to celebrate leadership in cybersecurity. CISOs, CSOs, and senior cybersecurity leaders were honoured for their outstanding leadership in their organisations and their efforts to drive effective cybersecurity programs. While in Sydney, our team also participated in a session co-hosted by AUSCERT, WTW, and Ethan Global. The session provided valuable insights into holistic cyber risk management strategies, drawn from real-life case studies. Our general manager, Ivano Bongiovanni, was a panellist alongside industry thought leaders and experienced practitioners, discussing key developments in legal and regulatory changes, prioritising cyber investments, and effective reporting. It was an excellent event! To our Melbourne members: this event is coming your way on Thursday, 31 October! Spaces are still available—don’t miss out! Register here ASIC warns of identity theft leading to stolen shares Date: 2024-10-15 Author: Cyber Daily The Australian Securities and Investments Commission is warning investors to be on the lookout following a “significant increase” in reports of identity theft leading to shares being stolen or sold off without the victims being aware. According to ASIC, ongoing data breaches that have compromised the personal data of a large number of Australians are leading to fraudsters being able to successfully use stolen identities to access shares illegally. HashiCorp Cloud Vault Vulnerability Let Attackers Escalate Privileges Date: 2024-10-13 Author: Cyber Security News HashiCorp, a leading provider of cloud infrastructure automation software, has disclosed a critical security vulnerability in its Vault secret management platform. The flaw, identified as CVE-2024-9180, could allow privileged attackers to escalate their privileges to the highly sensitive root policy, potentially compromising the entire Vault instance. Thousands of Fortinet Devices Remain Exposed to RCE CVE-2024-23113 Vulnerability Date: 2024-10-13 Author: Security Online [A Shadowserver report (MSIN) has been sent to the potentially exposed members] [Also see AUSCERT's bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0851.2] A recent report from the Shadowserver Foundation has revealed a concerning number of Fortinet devices remain vulnerable to a critical remote code execution (RCE) vulnerability, despite patches being available for months and active exploitation in the wild. VMware Patches High-Severity SQL Injection Flaw in HCX Platform Date: 2024-10-16 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.6776/] VMware on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform. The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor. NAB, Vodafone and Microsoft listed in alleged Cisco data breach Date: 2024-10-15 Author: Cyber Daily Cisco is a network hardware and software manufacturer, best known for the production of its routers. In a post on a popular cyber crime forum, threat actor IntelBroker said it gained access to Cisco’s systems on 6 October, stealing large amounts of data belonging to it and its customers. Data allegedly includes “Github projects, Gitlab Projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!” Education under siege: How cybercriminals target our schools Date: 2024-10-10 Author: Microsoft The cyberthreats that Microsoft observes across different industries tend to be compounded in education, and threat actors have realized that this sector is inherently vulnerable. With an average of 2,507 cyberattack attempts per week, universities are prime targets for malware, phishing, and IoT vulnerabilities. SolarWinds Web Help Desk flaw is now exploited in attacks Date: 2024-10-16 Author: Bleeping Computer CISA has added three flaws to its 'Known Exploited Vulnerabilities' (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024. SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations. ASB-2024.0190 – CSA Advisory: SVR cyber operations A joint advisory has been released outlining the TTPs used by SVR in recent cyber operations. It highlights the significant threats posed by SVR activities to national security and critical infrastructure, stressing the importance of vigilance and proactive defence measures. The advisory also recommends key mitigation strategies for network defenders to combat these cyber threats effectively. ESB-2024.6776 – VMware HCX: CVSS (Max): 8.8 VMware has addressed a high-severity SQL injection vulnerability in its HCX platform, allowing non-admin users to execute remote code on the HCX manager. The flaw affects versions 4.8.x, 4.9.x, and 4.10.x. VMware advises users to update to patched versions 4.8.3, 4.9.2, and 4.10.1 to mitigate the risk. ESB-2024.6720 – Mozilla Firefox: CVSS (Max): None CVE-2024-10004 is a critical vulnerability in Firefox for iOS, affecting versions below 131.2. Disclosed by Mozilla, the flaw allows an HTTP website opened from an external link to mistakenly display a secure HTTPS padlock icon if the browser was previously closed with an HTTPS tab open. This misleading indicator can lead users to believe a non-secure site is secure, increasing the risk of data interception or phishing attacks. Mozilla urges users to update to version 131.2 or later to address this issue and improve security. ESB-2024.6701 – Google Chrome: CVSS (Max): None Google has released Chrome 130, fixing 17 security vulnerabilities, including the high-severity use-after-free flaw CVE-2024-9954 in the AI component. The update is being rolled out for Windows, Mac, and Linux users, and includes several medium-severity issues. Users are urged to update their browsers promptly to enhance security. ESB-2024.6667 – Splunk Enterprise: CVSS (Max): 8.8 Splunk has released fixes for 11 vulnerabilities in Splunk Enterprise. The most critical issue, CVE-2024-45733, involves an insecure session storage configuration, allowing non-admin users to execute code remotely. Affected users are advised to update, as only Windows instances running Splunk Web are vulnerable. ESB-2024.6621 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 10.0 An exploit for the critical GitLab authentication bypass vulnerability CVE-2024-45409 has been released, affecting self-managed installations with SAML authentication. This flaw allows attackers to bypass signature validation, granting access as any user. GitLab urges admins to upgrade to fixed versions immediately to prevent exploitation. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, AUSCERT was proud to sponsor the Best Security Student Award at the Women in Security Awards, held in Sydney on Thursday. Now in its sixth year, the Australian Women in Security Awards® brings together the security industry to celebrate and elevate the profile of Australia’s IT Security, Cyber, and Protective Security sectors. By recognising and honouring the achievements, value, and contributions of individuals in Australia, the event aims to give them the acknowledgment they rightfully deserve. In an exciting turn of events, our very own Business Manager, Bek Cheb, was recognised with the MVP in the Security Industry award. This award is a testament to Bek's dedication, leadership, and the profound impact she has made within the security industry. Her peers in the industry have recognised her for her exceptional contributions, including strategic initiatives, promotion of best practices, and her commitment to fostering a more inclusive and resilient security community. This week, the Australian Federal Government introduced legislation proposing several changes to the cyber security regulatory environment. These measures include: • Mandating minimum cyber security standards for ‘smart devices’ • Requiring mandatory reporting of ransomware payments for certain organisations • Implementing ‘limited use’ restrictions on how information provided to the Australian Signals Directorate and the National Cyber Security Coordinator can be used • Establishing a Cyber Incident Review Board to conduct “no fault” investigations into cyber security incidents and offer recommendations based on lessons learned Additionally, the proposed changes include modifications to the existing Security of Critical Infrastructure (SOCI) legislation. These changes aim to clarify current obligations, empower the Government to mandate remediation of “serious deficiencies” in organisational risk management practices, and enhance information sharing between industry and government, among other adjustments. Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications Date: 2024-10-07 Author: The Hacker News A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4. "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue." Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities Date: 2024-10-08 Author: Cisco Talos [For the latest Microsoft ASBs, please visit AUSCERT's security bulletin page.] The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity. Ivanti warns of three more CSA zero-days exploited in attacks Date: 2024-10-08 Author: Bleeping Computer [AUSCERT contacted the impacted members (where possible) via email on 23 September 2024] American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks. As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September. Qualcomm patches high-severity zero-day exploited in attacks Date: 2024-10-07 Author: Bleeping Computer Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. The security flaw (CVE-2024-43047) was reported by Google Project Zero's Seth Jenkins and Amnesty International Security Lab's Conghui Wang, and it is caused by a use-after-free weakness that can lead to memory corruption when successfully exploited by local attackers with low privileges. "Currently, the DSP updates header buffers with unused DMA handle fds. In the put_args section, if any DMA handle FDs are present in the header buffer, the corresponding map is freed," as explained in a DSP kernel commit. New Generation of Malicious QR Codes Uncovered by Researchers Date: 2024-10-09 Author: Infosecurity Magazine A new generation of QR code phishing (quishing) attacks have been uncovered by threat analysts at Barracuda. Research by the email protection firm highlighted new techniques that have been designed to evade traditional security defenses by including QR codes built from text-based ASCII/Unicode characters rather than the standard static image. This tactic is designed to evade optical character recognition (OCR)-based defenses. In an email, it will look like a traditional QR code. To a typical OCR detection system, it appears meaningless. ESB-2024.6438 – Google Android: CVSS (Max): 9.8* The advisory highlights multiple vulnerabilities in Google Android OS that could enable remote code execution by attackers. These flaws could potentially compromise devices and lead to unauthorised access or control. Users are urged to update their systems to mitigate these security risks. ESB-2024.6467 – Adobe Products: CVSS (Max): 9.8 Critical vulnerabilities detected in Adobe Commerce and Magento could allow Privilege escalation and Arbitrary code execution. Users are urged to update their installations promptly to mitigate these risks. The advisory specifies affected versions and offers guidance for securing the platform. ESB-2024.6478 – Google Chrome: CVSS (Max): None Google has released a critical security update for Chrome, addressing several vulnerabilities, particularly two high-severity type confusion flaws in the V8 JavaScript engine, tracked as CVE-2024-9602 and CVE-2024-9603. These flaws could enable arbitrary code execution, risking sensitive data and disrupting system operations. ASB-2024.0184 – Microsoft Windows: CVSS (Max): 9.0 For October 2024 Patch Tuesday, Microsoft released fixes for 117 security vulnerabilities, including two actively exploited flaws: CVE-2024-43573, a spoofing bug in the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console. CVE-2024-43573 has similarities to a previously exploited MSHTML vulnerability, and both flaws require user interaction to be exploited, typically involving social engineering. ESB-2024.6504 – Palo Alto Expedition: CVSS (Max): 9.9 Palo Alto Networks has disclosed multiple vulnerabilities in Expedition, allowing attackers to read sensitive database contents and arbitrary files, as well as write files to temporary storage. Key vulnerabilities include CVE-2024-9463 and CVE-2024-9464, both allowing OS command injection, and CVE-2024-9465, which enables SQL injection to access database information like usernames and passwords. All versions prior to 1.2.96 are affected, and these flaws could lead to severe security breaches if exploited. ESB-2024.6524 – Firefox and Firefox ESR: CVSS (Max): 9.8 Mozilla has released an emergency update for Firefox and Firefox ESR to address the actively exploited zero-day vulnerability CVE-2024-9680, a use-after-free issue that can lead to code execution. The update was made available within 25 hours of the vulnerability being reported, with affected versions being Firefox 131.0.2 and Firefox ESR 115.16.1 and 128.3.1. Users are urged to update their browsers promptly, as automatic updates are typically enabled by default. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Cyber Security Awareness Month is here! This is the ideal opportunity to educate those who are less tech-savvy about essential online safety practices. This global initiative emphasises the growing importance of cyber security for individuals, businesses, and organisations. With this year’s theme, Secure Our World, the focus is important as we confront an increasing number of sophisticated cyber threats. Whilst, Cyber Security Awareness Month typically focuses on educating individuals, especially non-technical staff, about basic online safety practices, phishing prevention, and password hygiene. It’s important to remember cyber security isn’t a one-off effort; it’s a holistic practice across not only cyber but also all GRC executives and the board of directors. Organisations should prioritise proactive Governance, Risk, and Compliance (GRC) measures. GRC is a holistic framework that integrates governance, risk management, and compliance, helping organisations not only meet regulatory obligations but also stay ahead of the rapidly evolving cyber threat landscape. A well-executed GRC strategy improves decision-making, safeguards sensitive data, and enhances overall cyber resilience. Cyber security is a shared responsibility that requires close collaboration across all teams within an organisation. Transparent, regular reporting to senior leadership, along with comprehensive employee training programmes, is crucial for minimising vulnerabilities and fostering a security-conscious culture organisation-wide. AUSCERT provides expert advice and consultations to help your organisation navigate the complexities of Governance, Risk, and Compliance (GRC) enhancing your cyber security posture in line with your business objectives. Our team specialises in guiding organisations to confidently adhere to industry frameworks, standards, and benchmarks. Contact us today to learn more about our GRC services and how we can support your security and compliance goals – grc@auscert.org.au Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities Date: 2024-10-02 Author: The Hacker News A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. "These vulnerabilities could enable attackers to take control of a router by injecting malicious code, allowing them to persist on the device and use it as a gateway into enterprise networks," Forescout Vedere Labs said in a technical report shared with The Hacker News. Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks Date: 2024-09-30 Author: The Hacker News [AUSCERT has published security bulletins for these updates] Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks. "These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher Pedro Umbelino said in a report published last week. Storm-0501: Ransomware attacks expanding to hybrid cloud environments Date: 2024-09-26 Author: Microsoft Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations. Meta, Australian banks tout progress on taking down scam ads Date: 2024-10-03 Author: iTnews Meta has taken down some 8000 so-called "celeb bait" scam ads from Facebook and Instagram as part of a new effort with Australian banks to curb the practice. The scams use images of famous people, often generated by artificial intelligence, to trick consumers into giving money to non-existent investment schemes. The US social media giant said it took down the scam ads after receiving 102 reports since April from the Australian Financial Crimes Exchange, an intelligence-sharing body run by the country's main banks. Zimbra RCE Vuln Under Attack Needs Immediate Patching Date: 2024-10-02 Author: Dark Reading [AUSCERT has identified the impacted members (where possible) and contacted them via email] Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away. The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far. ESB-2024.6304 – Juniper Junos OS: CVSS (Max): None Juniper Networks has released a security advisory regarding vulnerabilities in multiple products using the RADIUS protocol which are susceptible to forgery attacks (Blast RADIUS). ESB-2024.6323 – Mozilla Firefox: CVSS (Max): 9.8 Mozilla has fixed critical vulnerabilities in Firefox 131. These vulnerabilities could allow for arbitrary code execution or denial of service attacks across various platforms, including desktop and Android. ESB-2024.6335 – Optigo Networks ONS-S8 Spectra Aggregation Switch: CVSS (Max): 9.8 CISA's advisory identifies critical vulnerabilities in Optigo Networks' ONS-S8 Spectra Aggregation Switch, which could allow attackers to bypass authentication, execute remote code, or upload arbitrary files. ESB-2024.6389 – Cisco Nexus Dashboard Fabric Controller (NDFC): 9.9 Cisco Nexus Dashboard Fabric Controller (NDFC) has a critical vulnerability that allows authenticated, low-privileged remote attackers to execute arbitrary commands via a command injection flaw in the REST API and web UI. Cisco advises to apply patches to address this issue​. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, One of the most important yet often overlooked aspects of cyber security is providing comprehensive training to all personnel. This training ensures employees understand their security responsibilities and how to mitigate risks effectively. For staff with specialized roles or elevated access to sensitive information, tailored privilege user training is crucial in addressing the unique risks they face beyond those of standard users. By equipping your team with the necessary knowledge and skills, you can foster a proactive and resilient cyber security culture within your organisation. Yesterday, the Australian Signals Directorate (ASD) released updated Personnel Security Guidelines, highlighting the importance of strong internal security practices. One of the most frequently reported cyber crimes in Australia is Business Email Compromise (BEC), which led to financial losses exceeding $98 million in 2021–2022. While 2024 statistics are still emerging, experts expect this trend to continue due to increasingly sophisticated cyber threat actors and reliance on digital communication. Training and education are vital in mitigating BEC risks. Educating staff on identifying warning signs and establishing clear authorisation processes can significantly reduce the chances of falling victim to such attacks. The ASD has outlined several guidelines to help organisations better manage these risks. For more targeted training, AUSCERT offers a range of courses tailored to various roles and skill levels. The Cyber Security Fundamentals course is designed to provide staff with essential, practical knowledge for staying safe online. Advanced courses are also available for technical teams, covering a wide array of specialized topics. Visit the AUSCERT website for more information on upcoming training courses! Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks Date: 2024-09-20 Author: The Hacker News [AUSCERT has identified the potentially impacted members and contacted them via Critical MSIN ] Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. CUPS flaws enable Linux remote code execution, but there’s a catch Date: 2024-09-26 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0180/ ] Under certain conditions, attackers can chain a set of vulnerabilities in multiple components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines. Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) and discovered by Simone Margaritelli, these security flaws don't affect systems in their default configuration Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk Date: 2024-09-23 Author: The Hacker News A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution. The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server stemming from a lack of adequate input validation. WordPress Theme & Plugin Vulnerabilities Exposes Thousands of Sites Date: 2024-09-23 Author: Cyber Security News [AUSCERT has identified the potentially impacted members and contacted them via email] Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and WordPress Houzez Login Register plugin. The flaw is identified as CVE-2024-22303 and CVE-2024-21743. It affects versions up to 3.2.4 and 3.2.5 and is classified as a high-priority issue with a CVSS score of 8.8, indicating significant risk. New guidance on detecting and mitigating Active Directory compromises Date: 2024-09-26 Author: ACSC Alongside our international partners, we have released new guidance on Detecting and Mitigating Active Directory compromises. This guidance provides strategies to help organisations mitigate the 17 most prevalent techniques used by malicious cyber actors to target Active Directory and gain access to their networks. Detecting and mitigating Active Directory compromises builds on recent updates to the Information Security Manual (ISM) and includes a checklist with Active Directory security controls for organisations. Critical Ivanti vTM auth bypass bug now exploited in attacks Date: 2024-09-24 Author: Bleeping Computer CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks. Tracked as CVE-2024-7593, this auth bypass flaw is caused by an incorrect implementation of an authentication algorithm that lets remote unauthenticated attackers circumvent authentication on Internet-exposed vTM admin panels. ASB-2024.0180 – Common Unix Printing System (CUPS): CVSS (Max): 9.0 Several critical vulnerabilities have been identified in the Common UNIX Printing System (CUPS) that could allow for remote code execution on Linux systems. However, these flaws necessitate specific configurations or user permissions for exploitation. Users are advised to implement the latest patches or mitigations to reduce potential risks. ESB-2024.6106 – Apache Tomcat: CVSS (Max): None A critical vulnerability has been identified in Apache Tomcat that could enable attackers to bypass security restrictions and gain unauthorised access to sensitive data. The flaw affects multiple versions of the server, necessitating prompt updates to mitigate risks. Users are urged to apply the latest patches to ensure their systems remain secure. ESB-2024.6174 – Google Chrome: CVSS (Max): None Multiple vulnerabilities have been found in Google Chrome, with the most severe enabling arbitrary code execution by attackers. This could allow them to install programs, access, modify, or delete data, or create accounts with full user rights, particularly affecting users with administrative privileges. Those with lower user rights may experience reduced impact but are still at risk. ESB-2024.6028 – OpenShift Container Platform 4.15.33: CVSS (Max): 9.9 Flaws have been identified in Red Hat OpenShift, specifically CVE-2024-45496 and CVE-2024-7387, which could lead to potential privilege escalation and denial of service. These vulnerabilities may allow attackers to gain elevated access or disrupt services. Red Hat recommends users apply the latest updates to mitigate these risks. ESB-2024.6186 – OMNTEC Proteus Tank Monitoring: CVSS (Max): 9.8 Critical vulnerabilities have been discovered in automated tank gauge systems, potentially allowing attackers to manipulate data and disrupt operations. These flaws could lead to significant safety and financial risks for organizations relying on these systems. Experts urge immediate action to address the vulnerabilities and enhance security measures. ESB-2024.6182 – Tenable Nessus Network Monitor: CVSS (Max): 9.8 Tenable has released Nessus Network Monitor 6.5.0 to address multiple vulnerabilities found in third-party components like OpenSSL, expat, curl, and libxml2, which have been updated to secure versions. Additionally, a stored cross-site scripting vulnerability (CVE-2024-9158) was fixed, allowing privileged local attackers to inject code into the UI. Users are urged to upgrade to the latest version to mitigate these risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, With school holidays upon us, many of us have little ones running wild and free – sometimes even on the internet! It's important to teach them about online safety, especially since holidays are a common time for criminals to launch phishing campaigns. Some of these scams target children by offering attractive games, promotions, or advertisements designed to entice them into clicking on malicious links or sharing personal information. To keep children safe online, take proactive steps to secure devices by keeping software up to date. Additionally, educate kids about the dangers of interacting with unknown links and the importance of protecting their personal information. Encourage them to speak up if they encounter anything suspicious or feel uncomfortable about an online interaction. By fostering open communication and awareness, we can help children navigate the internet safely and confidently, even during the busiest holiday seasons. AUSCERT's Sensitive Information Alerts (SIAs) are changing! From Wednesday 26th September, SIAs will no longer be emailed as an encrypted file. Instead, SIA emails will contain a unique URL to the AUSCERT Member Portal where you can generate a temporary link to download the file. This removes the need for encrypted files and will streamline the process! Please note that only an organisation's privileged users will initially have access to download SIAs. That person will be able to provide access to other users in the organisation by assigning the SIA role to them in the Settings/Users & Roles menu option. Privileged users will be able to check this setting a few days before the go-live date next week. To access any historical SIAs issued before the changeover, members will need to access the symmetric key from the Member Portal to decrypt the file. This will require encryption software such as PGP or GnuPG. Follow the link to the encryption keys page and match the thread ID with the received message. Import the decryption key into the encryption software, then select the encrypted file and decrypt it using the software's option. Windows vulnerability abused braille “spaces” in zero-day attacks Date: 2024-09-15 Author: Bleeping Computer [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2024.0176/, https://portal.auscert.org.au/bulletins/ASB-2024.0175/] A recently fixed "Windows MSHTML spoofing vulnerability" tracked under CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group. When first disclosed as part of the September 2024 Patch Tuesday, Microsoft had not marked the vulnerability as previously exploited. However, on Friday, Microsoft updated the CVE-2024-43461 advisory to indicate it had been exploited in attacks before it was fixed. CISA warns of hackers exploiting bug for end-of-life Ivanti product Date: 2024-09-13 Author: CyberScoop An end-of-life version of Ivanti’s cloud IT service management software has a recently released vulnerability that the Cybersecurity and Infrastructure Security Agency says is being exploited. CISA warned that organizations outfitted with Ivanti’s Cloud Service Appliance version 4.6 and below are being targeted by hackers and the bug has been added to the known exploited vulnerabilities (KEV) list. The Utah-based company said on Friday that a “limited number of customers” have confirmed exploitation but did not provide further details. CVE-2024-45186: FileSender Vulnerability Poses Risk to User Credentials, Immediate Action Required Date: 2024-09-13 Author: Security Online A severe security flaw has been identified in FileSender, the popular web-based application that allows authenticated users to securely send large files. The vulnerability, classified as CVE-2024-45186, was discovered by security researcher Jonathan Bouman. This server-side template injection vulnerability allows non-authenticated users to retrieve server credentials, putting sensitive data and systems at risk. Australia Faces Surge in Data Breaches to Highest Level in 3.5 Years Date: 2024-09-16 Author: The Cyber Express The Office of the Australian Information Commissioner (OAIC) has released new statistics revealing that the first half of 2024 saw the highest number of data breach notifications in three and a half years. From January to June 2024, the OAIC report stated that it received 527 notifications of data breaches—a notable increase of 9% compared to the previous six months and the highest since the second half of 2020 in Australia. Cybersecurity incidents continue to be the leading cause of data breaches, accounting for 38% of all reported cases. CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities Date: 2024-09-18 Author: Security Week The US cybersecurity agency CISA and the FBI have issued a Secure by Design alert on the prevalence of cross-site scripting (XSS) vulnerabilities, urging organizations to eliminate them from their products. XSS flaws, the two agencies note in the alert (PDF), exist because user input is not properly validated, sanitized, or escaped, which allows threat actors to inject malicious scripts into web applications, leading to data manipulation, theft, or misuse. “Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures,” CISA and the FBI note. Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks Date: 2024-09-16 Author: The Hacker News Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said. ESB-2024.6010 – GitLab: CVSS (Max): 10.0 GitLab has released several new versions (17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10) for both Community and Enterprise Editions, addressing critical bug and security vulnerabilities, including a SAML authentication bypass. All users with self-managed installations are strongly urged to upgrade immediately. ESB-2024.5955 – Google Chrome: CVSS (Max): None Google has announced the release of Chrome 129, available for Windows, Mac, and Linux users, fixing nine vulnerabilities, including a high-severity flaw in V8. Users are urged to update their browsers to benefit from these security improvements and performance enhancements. ESB-2024.5949 – VMware vCenter Server: CVSS (Max): 9.8 Broadcom has issued fixes for two critical vulnerabilities in VMware vCenter Server, which could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813) when triggered by specially crafted network packets. While Broadcom states there are no known active exploits for CVE-2024-38812, they urge organizations to promptly update to the patched versions. Both vulnerabilities affect vCenter Server versions 8.0 and 7.0, as well as VMware Cloud Foundation versions 5.x and 4.x. ESB-2024.5932 – iOS 18 and iPadOS 18: CVSS (Max): 9.1* Apple has released iOS 18 and iPadOS 18, addressing several security vulnerabilities that could potentially allow unauthorized access to sensitive data or cause system malfunctions. Key issues include risks associated with Siri that could enable access to contacts and user data with physical access to the device. Additional vulnerabilities could lead to denial-of-service attacks and data leaks. ESB-2024.5900 – Citrix Workspace app for Windows: CVSS (Max): 7.0 Citrix has issued security updates for critical vulnerabilities (CVE-2024-7889 and CVE-2024-7890) in the Citrix Workspace app for Windows, which could allow local attackers to escalate privileges to SYSTEM on compromised machines. Affected versions include Current Release (CR) before 2405 and Long Term Service Release (LTSR) prior to 2402 LTSR CU1. Citrix advises users to upgrade to patched versions immediately and recommends security best practices to protect against threats. The U.S. CISA also urges prompt application of these updates. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, R U OK is encouraging everyone to ask "R U OK?" any day, because life happens every day. This reminder comes as 72% of Australians report experiencing elevated levels of distress. Each year, R U OK Day serves as a powerful reminder of the importance of checking in on others' well-being and actively listening to their concerns. Often, those facing challenges may not openly express their feelings, and a simple, empathetic conversation can make a huge difference. Asking "Are you okay?" and genuinely listening can offer emotional support and show someone they are not alone in their struggles. Meaningful connection and open dialogue about mental health help build a supportive and compassionate community. Prioritising mental health reduces stigma and creates an environment where people feel comfortable sharing their feelings and seeking help. It's a reminder that small acts of kindness and genuine concern can profoundly impact someone's life. For a range of free resources for your workplace, home or community, visit the R U OK? Day website. AUSCERT has always been a strong advocate for mental health support and services, actively implementing more mental health initiatives in the workplace and at our conferences. At AUSCERT2024, we again provided an onsite psychologist for attendees, offering the opportunity to discuss anything from mental wellbeing to life coaching. This year, we introduced mindfulness walks in the mornings that allowed delegates to start the day with a peaceful, serene stroll along the beach, and also introduced a dopamine hit of puppy pats and cuddles throughout the day – this was extremely popular! This week, Microsoft addressed and patched critical zero-day vulnerabilities as part of its monthly update. The first vulnerability, identified as CVE-2024-38217, affected Smart App Control and SmartScreen in Windows. This vulnerability allowed malicious files to bypass crucial security warnings and execute without raising any alarms. It appears to have been actively exploited by hackers for at least six years, with numerous samples detected on VirusTotal since 2018! The second vulnerability resided within the Windows Servicing Stack and allowed remote code execution (RCE). Identified as CVE-2024-43491, the cause of this vulnerability was a flaw in the Servicing Stack that essentially rolled back security fixes for optional components in Windows 10 version 1507. This left systems exposed to previously mitigated threats by removing prior security patches installed between March and August 2024. This is a timely reminder to always remain vigilant with patching systems regularly in your environment to mitigate and protect against such critical zero-day vulnerabilities. Please see this AUSCERT bulletin for more information on the above Microsoft vulnerabilities. Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild Date: 2024-09-06 Author: Security Week [AUSCERT issued a critical MSIN to the impacted members (where possible) on 26 August 2024] SonicWall is warning customers that a recently patched SonicOS vulnerability tracked as CVE-2024-40766 may be exploited in the wild. CVE-2024-40766 was disclosed on August 22, when Sonicwall announced the availability of patches for each impacted product series, including Gen 5, Gen 6 and Gen 7 firewalls. The security hole, described as an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access and in some cases it can cause the firewall to crash. Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues Date: 2024-09-05 Author: The Hacker News Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below – CVE-2024-40711 (CVSS score: 9.8) – A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. Progress LoadMaster vulnerable to 10/10 severity RCE flaw Date: 2024-09-08 Author: Bleeping Computer Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device. The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request. Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution Date: 2024-09-08 Author: Security Online [AUSCERT issued a critical MSIN to the impacted members (where possible) on 10 September 2024] Elastic, the company behind the popular open-source data visualization and analytics platform Kibana, has issued a critical security advisory urging users to update immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities Date: 2024-09-11 Author: The Hacker News Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows – CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. NoName ransomware gang deploying RansomHub malware in recent attacks Date: 2024-09-10 Author: Bleeping Computer The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472). ESB-2024.5829 – Nessus: CVSS (Max): 9.8 Tenable has released Nessus 10.7.6 to address critical vulnerabilities in third-party components OpenSSL and expat, which affected earlier versions of the software. The update includes OpenSSL 3.0.15 and expat 2.6.3 to mitigate the identified security risks. Users are urged to upgrade promptly to protect against potential exploits. ASB-2024.0176 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has revealed a critical zero-day vulnerability, CVE-2024-43491, in the Windows Servicing Stack, scoring 9.8 in severity. This flaw, present since the March 2024 update, caused security patches for optional components in Windows 10 version 1507 to be rolled back, leaving systems vulnerable to previously fixed threats. While no active exploitation has been reported, attackers could potentially exploit this to achieve remote code execution. ASB-2024.0173 – ACSC advisory, GRU Unit 29155 cyber actors Russian military cyber actors are targeting critical infrastructure in the U.S. and globally, according to an alert from the Australian Cyber Security Centre. The threat actors are using sophisticated tactics to compromise essential systems. Organizations are urged to enhance their cybersecurity measures to defend against these advanced persistent threats. ESB-2024.5800 – Google Chrome: CVSS (Max): None Multiple vulnerabilities in Google Chrome, including heap buffer overflows and use-after-free issues, could allow for arbitrary code execution. Exploitation of these flaws might enable attackers to install programs, access or alter data, or create new user accounts, particularly impacting systems with administrative privileges. Users are advised to update Chrome to the latest version and follow recommended security practices to mitigate these risks. ESB-2024.5807 – Adobe ColdFusion: CVSS (Max): 9.8 Adobe has also patched CVE-2024-41874, a severe flaw with a CVSS score of 9.8, affecting all ColdFusion 2023 versions. Recent attacks by hackers have intensified the urgency for these updates. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Conference MC Extraordinaire, Adam Spencer In this episode, AUSCERT features the following guests: Adam Spencer Ivano Bongiovanni, AUSCERT Anthony sits down with our favourite conference MC, the one and only Adam Spencer! So many highlights, reflections and changes across his fifteen AUSCERT conferences! In the second half of the episode, Bek chats with Ivano Bongiovanni from AUSCERT to talk about his recent travels to Fiji and Papua New Guinea for the DFAT Cyber and Critical Tech Cooperation Program. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, Spring has sprung! As many of us start thinking about organising and refreshing our homes this season, it's also the perfect time to update our cyber security measures. Regularly reviewing, updating, and optimising our digital habits can greatly enhance the protection of our sensitive information and ensure a safer online experience. Take some time this month to review your security approach! The AUSCERT team is already gearing up for next year's conference, with this year's event becoming a cherished memory. Our team is actively catching up with the program committee and will soon open the call for tutorials and presentations! To relive the fantastic moments from this year, we often revisit the outstanding sessions and activities on our YouTube channel. Some of the highlights from AUSCERT 2024 included a session by Darren Kitchen, founder of HAK5, on innovative implants and deceptive devices—essential tools for red teams worldwide. We also thoroughly enjoyed the presentation by Piotr Kijewski, CEO and Trustee at The ShadowServer Foundation. As well as a talk from Michael Hamm and Christian Studder of CIRCL. To top it all off, there was a live podcast recording from Risky Biz, which was the perfect cherry on top! We can't wait to see what next year has in store! So please save the date for next year's conference – 20th to 23rd May 2025 – returning to the beautiful Gold Coast! If there are keynote speakers who you're eager to see at next year's conference, send us an email with your suggestions at conference@auscert.org.au, and we'll see what we can do! AUSCERT is excited to introduce the Exploitability Index (EI) for its Microsoft ASBs starting Wednesday, 11th September, 2024. Created by Microsoft, the Exploitability Index forecasts which vulnerabilities are likely to be exploited within 30 days of an advisory's release, helping organisations to prioritise their vulnerability management. Featuring a numerical score from 0 to 3, it assists IT professionals to target the most critical vulnerabilities, improves risk management, and facilitates clear communication about security risks. For further information about the Exploitability Index (EI), please visit this Microsoft website. Critical flaw in Zyxel's secure routers allows OS command execution via cookie (CVE-2024-7261) Date: 2024-09-03 Author: Help Net Security Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices. VMware Patches High-Severity Code Execution Flaw in Fusion Date: 2024-09-03 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5613/] The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.” RansomHub hits 210 victims in just 6 months Date: 2024-08-30 Author: The Register [AUSCERT has published a bulletin (ASB-2024.0172) regarding this and also shared IoCs and TTPs via MISP ] As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy. According to the security advisory from CISA, the FBI, the HHS, and the MS-ISAC, RansomHub amassed at least 210 victims since spinning up in February this year. Google Issues Android Attack Warning As 0-Day Threat Strikes Date: 2024-09-04 Author: Forbes [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5624/] Although a number of security issues are addressed by the September update, there is one that demands your attention more than most. Common vulnerabilities and exposures number 32896 for this year, known as CVE-2024-32896, is the most severe, according to Google. This high-severity security vulnerability impacts the Android framework component which, as the name suggests, is rather important. The Android framework is, in effect, a set of different software components that sit at the heart of Android upon which applications are built. Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns Date: 2024-08-30 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0290/] Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024. ESB-2024.5618 – Mozilla Firefox: CVSS (Max): 9.8* Multiple vulnerabilities in Mozilla Firefox could allow for arbitrary code execution by an attacker. This could enable the attacker to install programs, view, alter, or delete data, or create new accounts with full user rights, depending on the user’s privileges. Users with administrative rights are at greater risk compared to those with limited user privileges. ASB-2024.0172 – CISA advisory, RansomHub Ransomware RansomHub, a ransomware-as-a-service that began in February 2024 and is also known as Cyclops and Knight, is targeting sectors such as healthcare, government, and finance. It uses a double-extortion tactic, encrypting and exfiltrating data while employing various initial access methods like phishing and exploitation of vulnerabilities. AUSCERT has shared IoCs and TTPs via MISP to help organizations defend against this threat. ESB-2024.5613 – VMware Fusion: CVSS (Max): 8.8 A high-severity vulnerability in VMware Fusion for macOS allows standard user privileges to execute arbitrary code, potentially leading to unauthorised access or data breaches. The issue is caused by an insecure environment variable. VMware has released a patched version, Fusion 13.6, and users are advised to update immediately to mitigate the risk. ESB-2024.5624 – Google Android: CVSS (Max): 8.4* Google's latest Android security bulletin addresses several vulnerabilities but highlights CVE-2024-32896 as the most critical. This high-severity flaw affects the Android framework and could allow attackers to escalate privileges without additional execution rights. First reported in the June Pixel update and now exploited in the wild, it has been added to the Known Exploited Vulnerabilities Catalog. Users are urged to update their devices immediately to protect against this ongoing threat. ESB-2024.5674 – Cisco Identity Services Engine: CVSS (Max): 6.0 Cisco has patched a critical command injection vulnerability, CVE-2024-20469, in its Identity Services Engine (ISE) that allows attackers with Administrator privileges to escalate to root access. This flaw, caused by inadequate validation of user input, can be exploited through malicious CLI commands. While proof-of-concept exploit code is available, no active exploits have been reported. Cisco has released updates for affected versions and removed a backdoor account from its Smart Licensing Utility to enhance security. Stay safe, stay patched and have a good weekend! The AUSCERT team