Publications

Greetings, Next week is Privacy Awareness Week, running from 16 to 22 June. This annual initiative encourages individuals, organisations and government agencies to take privacy seriously and raise awareness about the importance of protecting personal information. The 2025 theme is “Privacy: It’s Everyone’s Business”, and we’re being asked to shout it from the rooftops! Led by the Office of the Australian Information Commissioner (OAIC), Privacy Awareness Week is supported by state and territory privacy regulators as well as members of the Asia Pacific Privacy Authorities forum. Privacy is protected both in Australia and internationally through a range of laws. The OAIC primarily administers the Privacy Act 1988, which is the key piece of federal legislation governing the handling of personal information. In addition, each Australian state and territory has its own privacy laws that apply to their public sector agencies. A recent Help Net Security article highlights the growing threat of Vendor Email Compromise (VEC) attacks, which have led to over $300 million in attempted thefts within a year. VEC attacks involve cyber criminals impersonating trusted vendors to trick employees into actions like transferring funds or disclosing sensitive information. The report found that 72% of employees in large organisations (50,000+ staff) who read a VEC email went on to engage with it, with entry-level sales staff being particularly vulnerable. Industries like telecommunications and energy/utilities saw the highest engagement rates, and prior victims were more likely to be targeted again. The report also revealed that VEC attacks are significantly underreported—only 1.46% of advanced text-based email threats were flagged to security teams, leaving organisations unaware of many potential breaches. In regions like Europe, the Middle East and Africa, engagement with VEC was 90% higher than with BEC (Business Email Compromise) attacks, yet detection and response lag behind. Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks Date: 2025-06-09 Author: The Hacker News A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers. Critical Vulnerability Patched in SAP NetWeaver Date: 2025-06-10 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver. Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP. Google patched bug leaking phone numbers tied to accounts Date: 2025-06-09 Author: Bleeping Computer A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing a their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections. Fortinet, Ivanti Patch High-Severity Vulnerabilities Date: 2025-06-11 Author: Security Week [See AUSCERT bulletin for Fortinet: https://portal.auscert.org.au/bulletins/ESB-2025.3786] Fortinet and Ivanti on Tuesday announced fixes for over a dozen vulnerabilities across their product portfolios, including multiple high-severity flaws. Ivanti released a Workspace Control (IWC) update to address three high-severity bugs that could lead to credential leaks. Tracked as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, the issues exist because of hardcoded keys in IWC versions 10.19.0.0 and prior, which could allow authenticated attackers to decrypt stored SQL credentials and environment passwords. INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure Date: 2025-06-11 Author: The Hacker News INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses," INTERPOL said in a statement. "Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities." ESB-2025.3716 – roundcube: CVSS (Max): 9.9 Debian addresses CVE-2025-49113 in Roundcube 1.4.15+dfsg.1-1+deb11u5. This vulnerability allows authenticated attackers to execute arbitrary code via PHP object deserialization. ESB-2025.3819 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1 Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Exploitation could result in security feature bypass, privilege escalation, and arbitrary code execution. ESB-2025.3831 – GitLab Community Edition and Enterprise: CVSS (Max): 8.7 GitLab addresses several high-severity vulnerabilities, including HTML injection and cross-site scripting flaws, which could lead to account takeover or unauthorized actions across GitLab Community and Enterprise Editions. ASB-2025.0104 – Microsoft Windows: CVSS (Max): 8.8 Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including two actively exploited flaws. CVE-2025-33053 is a one-click WebDAV flaw that lets attackers run code remotely if a user clicks a malicious link. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The Australian Government has enacted new legislation requiring certain organisations to report ransomware and cyber extortion payments within 72 hours. Effective from 30 May 2025, the law applies to businesses with an annual turnover of at least AUD $3 million, as well as all entities within the critical infrastructure sector. If an organisation is a reporting entity, as defined under Part 3 of the Cyber Security Act 2024, they must submit a report via the Australian Signals Directorate (ASD) at cyber.gov.au/report within 72 hours of making a ransomware or cyber extortion payment or becoming aware that a payment has been made on their behalf. The regulation covers both monetary and non-monetary payments made in response to ransomware or extortion demands, whether paid directly or via a third party. Reports must include key details such as the nature of the incident, the attacker’s demands, contact information, communications, the payment amount and any other relevant information. The Department of Home Affairs will work with organisations to support the reporting process, identify challenges, and ensure smooth implementation. While the ASD will not enforce compliance within the first six months, it will support entities in responding to, mitigating, and recovering from cyber incidents. This legislation aims to increase transparency and strengthen Australia’s cyber resilience by improving visibility of ransomware activity and informing future protective measures. Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code Date: 2025-06-03 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3551/] Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization. Hewlett Packard Enterprise warns of critical StoreOnce auth bypass Date: 2025-06-03 Author: Bleeping Computer Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution. Among the flaws fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked under CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue. Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion Date: 2025-06-03 Author: The Hacker News Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said. The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters. New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch Date: 2025-06-03 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3591/] Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on the NIST's National Vulnerability Database (NVD). Exploit details for max severity Cisco IOS XE flaw now public Date: 2025-05-31 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.2902/] Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. The write-up by Horizon3 researchers does not contain a 'ready-to-run' proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces. Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users take action now to protect their endpoints. ESB-2025.3572 – Splunk Universal Forwarder: CVSS (Max): 9.8 Splunk has addressed multiple critical and high-severity third-party package vulnerabilities in Universal Forwarder versions 9.1.9 to 9.4.2. Users are advised to upgrade to the latest fixed versions and manually remove deprecated binaries if present. ESB-2025.3573 – Splunk Enterprise: CVSS (Max): 9.8 Splunk has addressed multiple critical and high-severity CVEs by updating or removing third-party packages in Splunk Enterprise versions 9.4.2, 9.3.4, 9.2.6, and 9.1.9. ESB-2025.3597 – Schneider Electric Wiser Home Automation: CVSS (Max): 9.8 A critical buffer overflow vulnerability in Schneider Electric's Wiser AvatarOn and Cuadro H 5P Socket devices could allow remote code injection or authentication bypass. As these products are end-of-life, users are advised to disable firmware updates or remove them from service to mitigate risk. ESB-2025.3659 – Cisco Identity Services Engine (ISE): CVSS (Max): 9.9 A critical vulnerability (CVE-2025-20286) in Cisco Identity Services Engine cloud deployments causes shared static credentials across environments, enabling unauthenticated remote attackers to access or disrupt systems. Only cloud-based Primary Admin nodes are affected; Cisco has released patches, with no workarounds available. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the team begins to recover from an incredible week at AUSCERT2025, we're also taking a moment to reflect on some of our favourite highlights and memorable moments. One standout was the Gala Dinner, where we celebrated excellence in our community and recognised the remarkable individuals and organisations making a real difference. A heartfelt congratulations to our 2025 award winners! • Craig Ford – AUSCERT Award for Individual Excellence in Information Security Honoured for his outstanding contributions to the field, not only through technical expertise but also through his leadership and community engagement. • Paula Sillars – Diversity and Inclusion Champion Recognised for her tireless dedication and innovative efforts to advance diversity and inclusion in the cybersecurity industry. • Mark Laffan – AUSCERT Member Individual of the Year Celebrated for his long-standing commitment and invaluable impact on the broader cybersecurity community. • Cenitex – AUSCERT Member Organisation of the Year Awarded for exemplifying innovation, collaboration, and excellence in cybersecurity practices. This week, The Australian Cyber Security Centre (ACSC) has released new guidance to support organisations in implementing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms. SIEM solutions collect, centralise, and analyse log data from across an organisation’s network—helping security teams detect, investigate, and respond to threats more efficiently. Meanwhile, SOAR platforms automate cyber security functions through integration of SIEM systems and other technical security controls. Together, SIEM and SOAR enhance visibility, reduce response times, and streamline security operations—making them critical components of a modern and resilient cyber security strategy. Read the ACSC article for more information AI Data Security Date: 2025-05-23 Author: ASD’s ACSC This Cybersecurity Information Sheet (CSI) provides essential guidance on securing data used in artificial intelligence (AI) and machine learning (ML) systems. It also highlights the importance of data security in ensuring the accuracy and integrity of AI outcomes and outlines potential risks arising from data integrity issues in various stages of AI development and deployment. This CSI provides a brief overview of the AI system lifecycle and general best practices to secure data used during the development, testing, and operation of AI-based systems. 251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch Date: 2025-05-28 Author: The Hacker News Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity," the threat intelligence firm said. "All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation." GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts Date: 2025-05-23 Author: The Hacker News Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write, review, and edit code. Built using Anthropic's Claude models, the service was first launched in June 2023. Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected Date: 2025-05-24 Author: Hack Read A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial. A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts. Russian Government Hackers Caught Buying Passwords from Cybercriminals Date: 2025-05-27 Author: Security Week Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America. In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks. ESB-2025.3340 – Tomcat: CVSS (Max): 9.8 A vulnerability in Apache Tomcat (CVE-2025-24813) could allow attackers to access sensitive files or execute code via specially crafted requests. This update extends the fix to Ubuntu 24.04 LTS, 24.10, and 25.04 for the Tomcat library package. ESB-2025.3355 – Google Chrome: CVSS (Max): None Chrome 137 has been released to the stable channel for Windows, Mac, and Linux, featuring multiple fixes and enhancements. This update includes 11 security fixes. ESB-2025.3356 – Mozilla Thunderbird: CVSS (Max): 7.5* Thunderbird 139 addresses multiple critical and moderate vulnerabilities. ESB-2025.3382 – Linux kernel (Raspberry Pi): CVSS (Max): 9.1* Multiple vulnerabilities in the Linux kernel for Raspberry Pi could lead to system crashes or arbitrary code execution. The update addresses issues across numerous kernel subsystems and requires recompiling third-party modules due to ABI changes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, What a week it’s been! AUSCERT2025 kicked off with a bang, delivering a truly unforgettable experience filled with groundbreaking tutorials, exploratory presentations, and engaging initiatives that brought the cyber security community together like never before. The week launched with a diverse lineup of hands-on tutorials covering a wide spectrum of subjects — from network security, security culture and awareness, to many other topical and emerging challenges facing the infosec world today. Each session was led by passionate experts, creating an environment that encouraged learning, sharing, and thought-provoking discussion. This year’s keynote lineup truly raised the bar, featuring three standout leaders who brought bold insights and energy to the AUSCERT2025 stage. Jess Modini, Head of Technology and Security at a stealth startup, impressed with her depth of experience across AWS, ACSC, and Defence, and her ongoing cyber research at UNSW ADFA. Professor Marek Kowalkiewicz from QUT challenged us to rethink AI’s role in society, drawing from his award-winning book The Economy of Algorithms. And finally LTGEN Michelle McGuinness, Australia’s National Cyber Security Coordinator, delivered a standout keynote on national cyber strategy, shaped by decades of high-level intelligence and defence leadership. AUSCERT2025 has once again proven to be more than just a conference – it's a dynamic gathering of minds driving the future of cybersecurity. With cutting-edge tutorials, thought-provoking keynotes, and a strong sense of community, this week has sparked important conversations and inspired new ideas. As we look ahead, the connections made and knowledge shared will continue to shape and strengthen the security landscape across Australia and beyond. Here's to another year of innovation, collaboration, and resilience. Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards Date: 2025-05-19 Author: The Hacker News [AUSCERT has published security bulletins for these Firefox updates] Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. The two exploited zero-day vulnerabilities are CVE-2025-4918 – An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object, and CVE-2025-4919 – An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes. Australia Post issues warning regarding invalid postcode scam Date: 2025-05-16 Author: news.com.au Australia Post has issued an urgent warning to customers as a fresh wave of scam messages and emails sweeps across the country. Fraudulent messages impersonating Australia Post claim a parcel delivery was unsuccessful due to an invalid postcode, and requests the recipient to click a link to remedy the issue. The link leads vulnerable customers to a page that appears similar to Australia Post’s website, and prompts them to provide personal details and information. CISA tags recently patched Chrome bug as actively exploited Date: 2025-05-16 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.3057] On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser. Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google released security updates to patch it on Wednesday. As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages. Vic gov to spend $100m on cyber security Date: 2025-05-21 Author: iTnews The Victorian government will spend $100 million strengthening cyber security across government agencies as one of the topline technology-related measures in the state budget. The funding will cover work to “identify threats, protect against attacks, and respond to incidents”, the government said in budget papers. 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads Date: 2025-05-20 Author: The Hacker News Since February 2024, an unknown threat actor has been creating malicious Chrome Browser extensions which masquerade as legitimate extensions. They provide the advertised features while running malicious code in the background. This enables the threat actor to steal cookies and credentials, session hijack, inject ads, and create phishing pages using DOM manipulation. Google has since taken down the identified extensions and recommends that users only install extensions from verified developers, review the requested permissions, and scrutinize reviews. ESB-2025.3190 – Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL – CVSS (Max): 10.0 Successful exploitation of this vulnerability could allow an attacker to perform unauthenticated remote code execution. All versions are affected. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. ESB-2025.3212 – Linux kernel (Raspberry Pi Real-time) – CVSS (Max) 8.1* A large number of security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. The problem can be corrected by updating your system to the package versions stipulated in the bulletin. ESB-2025.3244 – Tomcat – CVSS (Max) 9.8 Tomcat could expose sensitive files or run programs if it received specially crafted network traffic. A remote attacker could possibly use this issue to access sensitive files, inject malicious content, or execute remote code. The problem can be corrected by updating your system. ESB-2025.3253 – Cisco Identity Services Engine (ISE) – CVSS (Max) 8.6 A vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. ESB-2025.3131 – xrdp – CVSS (Max) 9.8 Several vulnerabilities were discovered in xrdp, a Remote Desktop Protocol (RDP) server. For Debian 11 bullseye, these problems have been fixed in version 0.9.21.1-1~deb11u2. It is recommended to upgrade xrdp packages. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Just a few more sleeps until AUSCERT2025 kicks off! Registrations are closing soon, so if you haven’t secured your spot yet, now’s the time—don’t miss out! This year promises to impress with a fantastic line-up of empowering tutorials, thought-provoking speakers, and plenty of fun activities. Check out the full program here! This week we saw further examples of vulnerabilities in information security devices being actively exploited in the wild, namely Ivanti and Fortinet. Such devices are commonly deployed at the network edge of organisations, making them visible to anyone on the Internet and always on. Threat actors have been consistently observed specifically targeting these kinds of vulnerabilities and exploiting them. The ACSC released a critical alert for Ivanti products, highlighting how multiple moderate severity vulnerabilities can be chained together to produce potentially significant impacts. Multiple vulnerabilities in Fortinet products have also been observed being exploited, some of which have a CVSS rating of 9.8 (Critical). The Australian Taxation Office (ATO) has issued a warning about fraudulent websites disseminating false information regarding changes to superannuation preservation and withdrawal rules, purportedly effective from 1 June 2025. Deputy Commissioner Emma Rosenzweig confirms that the preservation age remains at 60 for individuals born on or after 1 July 1964. The ATO advises relying on official sources for accurate information and cautions against unofficial websites and unsolicited advice that may attempt to collect personal information. Verifying the credentials of tax professionals through the Tax Practitioners Board is also recommended. SAP patches second zero-day flaw exploited in recent attacks Date: 2025-05-13 Author: Bleeping computer SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April. ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files Date: 2025-05-12 Author: The Hacker News ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution. DriverHub is a tool that's designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a dedicated site hosted at "driverhub.asus[.]com." FortiOS Authentication Bypass Vulnerability Lets Attackers Take Full Control of Device Date: 2025-05-13 Author: Cyber Security News [AusCERT has identified the impacted members (where possible) and contacted them via email] Fortinet has disclosed a significant security vulnerability affecting multiple Fortinet products, allowing attackers to bypass authentication and gain administrative access to affected systems. The vulnerability, CVE-2025-22252 (Missing Authentication for Critical Function), affects FortiOS, FortiProxy, and FortiSwitchManager products configured to use TACACS+ with ASCII authentication. Hackers now testing ClickFix attacks against Linux targets Date: 2025-05-12 Author: Bleeping Computer A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware. These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware. Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks Date: 2025-05-14 Author: The Hacker News [AUSCERT has identified and contacted potentially impacted members where possible] Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below – CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system ASB-2025.0098 – Microsoft Windows: CVSS (Max): 8.8 Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities, including five zero-day flaws currently under active exploitation. Among these, two critical elevation-of-privilege bugs in the Windows Common Log File System (CLFS) driver (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM-level access, calling for immediate patching. ESB-2025.2958 – Apple iOS 18.5 and iPadOS 18.5: CVSS (Max): 7.8* Apple has released iOS 18.5 and macOS updates to address critical vulnerabilities that could allow attackers to execute arbitrary code simply by opening malicious images, videos, or websites. ESB-2025.3015 – Juniper Secure Analytics: CVSS (Max): 9.8 Juniper Networks has patched nearly 90 vulnerabilities in its Secure Analytics virtual appliance, which collects security events from network devices, endpoints, and applications. These vulnerabilities have been resolved in 7.5.0 UP11 IF03. ESB-2025.3070 – Intel Processors: CVSS (Max): 5.6 Intel has addressed multiple CPU vulnerabilities, including CVE-2024-45332, and is releasing microcode updates to mitigate these threats and protect against potential information leaks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Mother’s Day is coming up this weekend and while flowers and chocolates are always nice, a more meaningful gift might help your parents to stay safe online. Older generations are increasingly targeted by scammers, often due to limited familiarity with digital technology. Cyber criminals exploit this lack of understanding through phishing emails, fake calls, and deceptive websites designed to steal personal or financial information. Taking the time to show your parents how to spot scams, use strong passwords, and update their devices can go a long way to protect them. It’s a gift that offers peace of mind and empowers them to navigate the digital world more confidently. We’re thrilled to announce that Jess Modini has joined our lineup of keynote speakers for AUCERT2025! Jess is a highly accomplished technology leader, academic, and security researcher. She brings a wealth of experience as a global keynote speaker, inventor, and advisory board member. Jess is currently the Head of Technology and Security at a stealth-mode startup set to launch in 2025. Her impressive career includes senior roles at Amazon Web Services, the Australian Cyber Security Centre, and the Australian Department of Defence. Jess holds five masters degrees and is completing a Doctorate in Cyber Security at UNSW’s Australian Defence Force Academy, where she also teaches and conducts cutting-edge research. Her current work focuses on advanced persistent threat (APT) detection and cyber epidemiology in collaboration with global partners. We’re honoured to have Jess share her insights and expertise at AUCERT 2025. With less than a couple of weeks to go, excitement is building as we prepare to reconnect with our community and hear from an outstanding lineup of speakers. Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise Date: 2025-05-06 Author: Security Week Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns. The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it. Microsoft Warns of Attackers Exploiting Misconfigured Apache Pinot Installations Date: 2025-05-06 Author: Security Week Research conducted by Microsoft into the security of Kubernetes installations revealed that threat actors have targeted misconfigured Apache Pinot instances. Apache Pinot is an open source real-time analytics platform designed for querying large datasets with high speed and low latency. Pinot is used by some of the world’s biggest companies, including Walmart, Uber, Slack, LinkedIn, Wix and Stripe. In the case of Kubernetes installations, the official Apache Pinot documentation does not inform users that the default configuration is highly insecure and can expose sensitive user data. Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day Date: 2025-05-07 Author: Security Week [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2025.0059/, https://portal.auscert.org.au/bulletins/ASB-2025.0053/] Multiple ransomware groups appear to have exploited a recently patched Windows vulnerability as a zero-day, Symantec reported. The vulnerability in question is tracked as CVE-2025-29824 and it was patched by Microsoft with its April 2025 Patch Tuesday updates. The flaw impacts the Windows Common Log File System (CLFS) and it can be exploited by an attacker to escalate privileges. PoC Published for Exploited SonicWall Vulnerabilities Date: 2025-05-05 Author: Security Week The US cybersecurity agency CISA added two SonicWall flaws to the Known Exploited Vulnerabilities (KEV) catalog on the same day that proof-of-concept (PoC) exploit code targeting them was published. The exploitation of the two security defects, tracked as CVE-2023-44221 and CVE-2024-38475, came to light last week, when SonicWall updated its advisories to flag them as targeted in attacks. Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025 Date: 2025-05-07 Author: GB Hackers The healthcare sector has emerged as a prime target for cyber attackers, driven by the increasing reliance on cloud applications and the rapid integration of generative AI (genAI) tools into organizational workflows. According to the Netskope Threat Labs Report for Healthcare 2025, cybercriminals are exploiting trusted platforms like GitHub, with 13% of healthcare organizations experiencing malware downloads from the developer hub each month. ESB-2025.2740 – Google Android: CVSS (Max): 8.1* Google's May 2025 Android update patches 47 vulnerabilities, including an actively exploited zero-day (CVE-2025-27363) in the FreeType library that could allow remote code execution. The update applies to Android versions 13, 14, and 15, and users are urged to update immediately to stay protected. The zero-day, as confirmed by Google, may be under limited, targeted exploitation. ESB-2025.2790 – Google Chrome: CVSS (Max): None Google has released a critical Chrome update (version 136.0.7103.92/.93) to patch CVE-2025-4372, a Use-After-Free vulnerability in the WebAudio component. The flaw allows remote code execution via malicious HTML with minimal user interaction and no special privileges.Chrome's WebAudio component has been targeted before, with past vulnerabilities like CVE-2023-6345 and CVE-2024-0224 revealing ongoing security challenges tied to the complexity of audio processing in web browsers. ESB-2025.2902 – Cisco IOS XE Wireless Controller Software: CVSS (Max): 10.0 Cisco has patched a critical vulnerability (CVE-2025-20188) in IOS XE for Wireless LAN Controllers, caused by a hard-coded JSON Web Token. This flaw allows unauthenticated remote attackers to fully compromise affected devices by impersonating authorised users. Rated CVSS 10.0, the issue affects the Out-of-Band AP Image Download feature and poses a severe security risk. ESB-2025.2899 – GitLab Community and Enterprise Edition: CVSS (Max): 6.8 GitLab has released versions 17.11.2, 17.10.6, and 17.9.8 for CE and EE with critical bug and security fixes. These updates patch three medium-severity vulnerabilities: a Device OAuth bypass (CVE-2025-0549), a GitHub import DoS exploit (CVE-2024-8973), and a group IP restriction bypass (CVE-2025-1278). Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, Verizon Business released its much-anticipated 2025 Data Breach Investigations Report (DBIR), and the findings should serve as a wake-up call for the cyber security community. The report analysed over 22,000 incidents and more than 12,000 confirmed breaches, painting a sobering picture of the current threat landscape. Key Takeaways: • Third-party breaches have doubled, now linked to 30% of incidents, raising supply chain concerns. • Vulnerability exploitation is up 34%, often targeting perimeter devices and zero-day flaws. • Ransomware features in 44% of breaches, hitting SMBs hardest—88% of ransomware breaches affected this group. • Credential abuse (22%) and vulnerability exploitation (20%) remain dominant attack vectors. • Human error and social engineering continue to play a critical role in breaches. The report strongly urges organisations to prioritise strong password policies, prompt patching, and comprehensive security awareness training. Espionage-driven attacks are on the rise in the Manufacturing and Healthcare sectors, while Education, Financial, and Retail continue to face persistent threats. With increasing zero-day and third-party threats, businesses should strengthen patching practices, assess vendor risk, and reinforce human-centric defences. Proactive resilience is key. Read more insights and guidance from the report Verizon DBIR site Final reminder to register for our upcoming webinar —The New Competitive Edge? Cyber Security in Value Propositions on Tuesday, 6 May from 12:00–1:00pm. Join AUSCERT General Manager Ivano Bongiovanni and a panel of leading experts as they explore how cyber security is emerging as a powerful strategic differentiator. Discover how it’s reshaping trust, purchasing behaviour, and value creation — and what organisations need to do to stay ahead in a trust-driven economy. Register now to secure your spot. Storm-1977 targets education sector with password spraying Date: 2025-04-27 Author: Security Affairs Over the past year, Microsoft Threat Intelligence researchers observed a threat actor, tracked as Storm-1977, using AzureChecker.exe to launch password spray attacks against cloud tenants in the education sector. AzureChecker.exe connected to sac-auth[.]nodefunction[.]vip to download AES-encrypted data, which, once decrypted, revealed password spray targets. It also accepted an accounts.txt file with username and password pairs, using both datasets to validate credentials against target tenants. Microsoft observed a successful account breach where a threat actor used a guest account to create a resource group and over 200 containers for cryptomining. SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients Date: 2025-04-29 Author: The Hacker News Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers. "We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees," security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter said in an analysis published Monday. PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15, which is also tracked as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda. Thousands of Australian bank login details leaked on dark web, and banks can’t stop it Date: 2025-04-30 Author: 7news Thousands of Australians’ bank login details are being passed around on the dark web and banks say there’s little they can do to stop it. More than 31,000 sets of credentials — including those of at least 14,000 Commonwealth Bank customers, 7000 ANZ customers, 5000 NAB customers and 4000 Westpac customers — have been stolen from personal devices infected with malware, the ABC reported. The stolen details are now circulating on the messaging platform Telegram and dark web forums, according to Australian cyber intelligence firm Dvuln. Cloudflare mitigates record number of DDoS attacks in 2025 Date: 2025-04-28 Author: Bleeping Computer Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase. These figures come from Cloudflare's 2025 Q1 DDoS Report, where the company says it mitigated a total of 21.3 million DDoS attacks in 2024. Melbourne Airport aims to ‘predict the future’ with enhanced cyber visibility Date: 2025-04-28 Author: iTnews Melbourne Airport is building up its cyber detection and response capabilities in order to secure 30 million annual passenger journeys, which are enabled by multiple technology systems. Speaking on the iTnews Podcast, head of cyber security Cheuk Wong said he is heavily focused on having visibility across the airport’s technology ecosystem, from its internal IT to baggage handling systems and even its wi-fi networks. ESB-2025.2665 – Tenable Identity Exposure Several of the third-party components (Erlang OTP, OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers. ESB-2025.2623 – Linux kernel Michael Randrianantenaina discovered that the Bluetooth driver in the Linux Kernel contained an improper access control vulnerability ESB-2025.2650 – Mozilla Firefox Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. ESB-2025.2652 – Node.js Node.js could be made to crash if it received specially crafted network traffic. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As we approach the ANZAC Day long weekend, it’s a time to reflect, remember, and honour those who served. Whether you're attending a dawn service, spending time with loved ones, or taking a well-earned break, please remember to prioritise your safety—including your cyber safety. Public holidays often see a spike in online activity, making them a prime time for cyber threat actors to strike. If you're shopping, scrolling, or streaming over the break, stay vigilant online. Be cautious of suspicious links, scams, and unexpected messages. Enable multi-factor authentication wherever possible and keep your devices and software up to date. Only 4 Weeks to go until AUSCERT2025! Don’t miss your chance to grab the exclusive AUSCERT2025 hoodie — available for just $60 until midnight on Sunday, 27 April! Whether you're after a cosy conference keepsake or a stylish nod to the cyber security community, now’s the perfect time to order. Stock is limited, so secure yours before they’re gone! Simply add your hoodie to your event registration, and you can collect it onsite at the event. Also a reminder of our webinar coming up —The New Competitive Edge? Cyber Security in Value Propositions on Tuesday, 6 May from 12:00–1:00pm. Join AUSCERT General Manager Ivano Bongiovanni and a panel of leading experts as they explore how cyber security is emerging as a powerful strategic differentiator. Discover how it’s reshaping trust, purchasing behaviour, and value creation — and what organisations need to do to stay ahead in a trust-driven economy. Register now to secure your spot. Australians Brace For Potential Cyberattacks Targeting Voter Engagement Date: 2025-04-21 Author: Tech Business News As political campaigns ramp up and voter engagement spikes, scammers are expected to seize the opportunity — often disguising malicious messages as official communications or leveraging political content to lure unsuspecting victims. The message from cybersecurity professionals is clear: vigilance is key. Australians are urged to scrutinise unsolicited messages, avoid clicking on suspicious links, and stay informed about the latest scam tactics as the election season heats up. Mark Gorrie, Managing Director APAC for Norton, warns that Australian voters are now prime targets. They’re coming for your data: What are infostealers and how do I stay safe? Date: 2025-04-16 Author: We Live Security In the world of cybercrime, information is a means to an end. And that end, more often than not, is to make money. That’s why information-stealing (infostealer) malware has risen to become a major driver of identity fraud, account takeover and digital currency theft. But there are also plenty of people that live much of their daily lives online and manage to stay safe. The key is to understand how to manage digital risk effectively. Here’s what you need to know to keep your personal and financial information out of harm’s way. Zscaler Identifies New Mustang Panda Cyber Activity Date: 2025-04-22 Author: Australian Cyber Security Magazine Following a recent US-led court-authorised operation that removed malware from over 4,200 infected networks, new activity has emerged from the same Chinese state-sponsored threat group called Mustang Panda (also known as Twill Typhoon). The Zscaler ThreatLabz team has discovered new activity associated with Mustang Panda, originating from two machines from a targeted organisation in Myanmar. This research led to the discovery of new ToneShell variants and several previously undocumented tools. Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials Date: 2025-04-22 Author: The Hacker News In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts." Clearer cyber risk benchmarks for Australian SMEs pushed Date: 2025-04-24 Author: Insurance Asia Australia should tighten cybersecurity rules to ease the blowback from attacks especially on small and medium enterprises (SME), many of which are not insured, analysts said. “The financial fallout from a single cyber event can be devastating,” Susie Amos, principal and head of commercial lines at Finity Consulting Pty Ltd., told Insurance Asia. “For an SME, in some cases, even a fraction of this cost could lead to insolvency.” ESB-2025.2558 – GitLab Community and Enterprise Editions: CVSS (Max): 8.7 GitLab has released versions 17.11.1, 17.10.5, and 17.9.7 for CE and EE, addressing several critical security and bug issues. Immediate upgrades are strongly recommended for all self-managed instances. These patches fix high-severity vulnerabilities including XSS in Maven Dependency Proxy, NEL header injection, and a DoS issue via issue preview. ESB-2025.2525 – Erlang/OTP SSH server: CVSS (Max): 10.0 Cisco has issued an advisory regarding a critical unauthenticated remote code execution vulnerability (CVE-2025-32433) in the Erlang/OTP SSH server, affecting multiple Cisco products. This flaw arises from improper handling of SSH messages during the authentication phase. Cisco recommends upgrading to fixed software versions to mitigate potential risks. ESB-2025.2524 – Google Chrome: CVSS (Max): None Google Chrome has released version 135.0.7049.114/.115 for Windows and Mac, and 135.0.7049.114 for Linux. This update includes one key security fix alongside various improvements from internal audits and fuzzing tools. Bug details remain restricted until most users are updated to ensure security. ESB-2025.2482 – Tenable Nessus: CVSS (Max): 9.1* Nessus 10.8.4 addresses vulnerabilities in third-party libraries (libxml2, expat) by upgrading them to secure versions. It also fixes two major flaws: insecure directory permissions on Windows (CVE-2025-24914) and log manipulation via HTTP requests (CVE-2025-36625). Users are urged to upgrade to the latest version, available on the Tenable Downloads Portal. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Easter is one of Australia’s most popular times for a getaway—whether it’s a beachside escape, a cosy countryside retreat, or an overseas adventure. But while you’re planning a well-earned break, scammers are planning how to steal your holiday and money. As travel bookings surge over the Easter period, so too do reports of travel-related scams. Cyber criminals know many people are on the hunt for last-minute deals and accommodation—and they’re ready to take advantage. Here are some common travel scams to watch out for this holiday season. Fraudulent Listings & Accounts Scammers often create fake accounts and listings on trusted booking platforms like Airbnb and Booking.com, using stunning photos and prices that seem too good to be true. Some go further by hacking legitimate host accounts, changing payment details, or moving communication off-platform to make easier to steal money and harder to trace them. Phishing Scams Phishing is a common tactic where scammers send malicious emails or text messages that appear to be from legitimate sources. These messages often include fake booking confirmations, flight cancellations, or requests to "verify" your information. Travel prize scams are also on the rise—offering fake giveaways or competitions to lure victims in. Fake Passport Schemes A more targeted scam aimed at Australians involves emails impersonating the Australian Passport Office. The Department of Foreign Affairs and Trade (DFAT) warned last year that these emails may contain malicious links or QR codes designed to steal personal information. DFAT stresses it will never send unsolicited emails or texts asking you to click a link—though it may send one if you request a password reset or other action. Public Wi-Fi Risks Public Wi-Fi in airports, cafes, or hotels might be convenient—but it's often unsecured and can be malicious. Hackers can exploit these networks to steal sensitive data like passwords, credit card numbers, and travel documents. If you need to connect while travelling, use a VPN and avoid accessing personal or financial accounts over public networks. Concerns were raised this week about the future of the Common Vulnerabilities and Exposures (CVE) program due to a lack of certainty of the US government’s funding of the MITRE contract to deliver the service. A last minute reprieve was subsequently announced to extend funding for a further 11 months but doubts remains of the long term future of this critically important program. SonicWall Patches Multiple Vulnerabilities in NetExtender VPN Client For Windows Date: 2025-04-10 Author: Cybersecurity News SonicWall has released security updates addressing three critical vulnerabilities in its NetExtender VPN client for Windows. The flaws, which could potentially allow attackers to escalate privileges and manipulate system files, affect both 32-bit and 64-bit versions of the software prior to version 10.3.2. Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit Date: 2025-04-11 Author: The Hacker News [Please see AUSCERT's bulletins issued for the 3 CVEs in question- https://portal.auscert.org.au/bulletins/ESB-2024.0849/, https://portal.auscert.org.au/bulletins/ESB-2023.3340/, https://portal.auscert.org.au/bulletins/ESB-2022.6458.2/] [AUSCERT urges its members to consider the mitigation measures listed by the vendor – https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity] Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched. Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways Date: 2025-04-11 Author: The Hacker News Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat hunters warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary." Australian Cyber Network releases inaugural State of the Industry 2024 report Date: 2025-04-16 Author: Cyber Daily The Australian Cyber Network (ACN) has released a first-of-its-kind, benchmark report into the state of the nation’s cyber security industry, and while some of the figures paint a picture of a growing and vital sector of the economy, others reveal a far darker truth – Australia needs to do a lot more to keep pace with rising threats. The inaugural State of the Industry 2024 report reveals an industry that contributes $9.99 billion to Australia’s gross value added (GVA) and attracted $348 million in investment in 2024 alone. It’s also home to more than 137,000 cyber security workers and professionals. MITRE's CVE program given last-minute reprieve Date: 2025-04-17 Author: iTNews A last-minute change of plan has lead to US officials extending support for MITRE's Common Vulnerabilities and Exposures (CVE) database for an additional 11months. The database acts as a catalogue for cyber weaknesses and allows IT administrators to quickly flag and triage the different bugs and hacks discovered daily. ESB-2025.2434 – Apple iOS 18.4.1 and iPadOS 18.4.1: CVSS (Max): 7.5 Apple released urgent updates to address two security vulnerabilities (CVE-2025-31200 and CVE-2025-31201) that had been exploited in sophisticated attacks against specific iOS targets. The flaws included a code execution issue related to CoreAudio and a mitigation bypass in the RPAC feature. Although the vulnerabilities affect iOS, iPadOS, and macOS, Apple reported limited exploitation on iPhones and did not disclose further details on the attacks. ESB-2025.2399 – Mozilla Firefox: CVSS (Max): None Mozilla has released Firefox 137.0.2 to address a high-severity security vulnerability (CVE-2025-3608) in the nsHttpTransaction component that could lead to memory corruption and potential code execution by attackers. Discovered by the Mozilla Fuzzing Team, the flaw involves a race condition that may cause browser instability under specific network conditions. Users are urged to update to the latest version to mitigate risks associated with this vulnerability. ESB-2025.2389 – Google Chrome: CVSS (Max): None Google confirmed two serious Chrome vulnerabilities: CVE-2025-3619, a heap buffer overflow in Codecs, and CVE-2025-3620, a critical use-after-free issue in USB functionality. CVE-2025-3620 poses the greatest risk, as it could allow attackers to execute arbitrary code. Users are urged to update their Chrome browsers to the latest version for protection. ASB-2025.0067 – Oracle Commerce: CVSS (Max): 9.8 Multiple high-risk vulnerabilities have been reported for Oracle Commerce, with a CVSS of 9.8, indicating significant potential for exploitation. These vulnerabilities could be exploited remotely by attackers to compromise the system's confidentiality, integrity, and availability. Affected systems include various versions of Oracle Commerce running on Linux, UNIX, and Windows operating systems. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings Register now for our upcoming webinar examining the evolving role of cyber security in shaping organisational value propositions, led by AUSCERT general manager Ivano Bongiovanni. Taking place on Tuesday, 6 May, from 12:00pm to 1:00pm AEST, this dynamic panel discussion will feature leading industry experts sharing insights, challenges, and strategies connecting cyber security and business value. Panellists include Charles McDermid (BOQ), Rob Nobilo (Google), Lukasz Gogolkiewicz (Accent Group Ltd), and Dr Jodie Siganto (Privacy108). Don’t miss this opportunity to gain valuable perspectives from some of the most influential voices in the field—register today to secure your spot. The session will explore the evolution of Cyber Security-as-a-Service (CSaaS), with a spotlight on the rising influence of end-customers as a third market force. While still much smaller than the traditional B2B space, consumer demand is accelerating as individuals become more informed about cyber risks and increasingly value cyber security in their purchasing choices. This shift is evident in the widespread adoption of tools such as multi-factor authentication (MFA) and VPNs, as well as in marketing strategies that now frame cyber security as a core value-add. For providers such as MSSPs, this trend presents both opportunities and responsibilities—the need to remain ethical, innovative, and trusted is more important than ever. On the other side, demand-side organisations must navigate vendor complexity and ensure their cyber security investments align with overarching business objectives. Looking ahead, emerging B2B2C models—offering cyber security support not only to employees but also to their families—are opening new market opportunities while encouraging safer digital behaviours across work and home environments. As servitisation, trust, and adaptability continue to shape the future of CSaaS, this timely and thought-provoking discussion is one you won’t want to miss. Register now! Australian pension funds hit by wave of credential stuffing attacks Date: 2025-04-04 Author: Bleeping Computer Over the weekend, a massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members’ accounts. The Association of Superannuation Funds of Australia (ASFA), Australia's advocacy body for the superannuation industry, said today that "a number of members were affected" even though the "majority of the attempts were repelled." Reuters has learned from a source familiar with the matter that over 20,000 accounts were breached in this massive wave of attacks targeting Australia's superannuation industry, with some members reportedly losing some of their savings. China-backed espionage group hits Ivanti customers again Date: 2025-04-03 Author: CyberScoop [AUSCERT has identified the impacted members (where possible) and contacted them via email] UNC5221 has a knack for exploiting defects in Ivanti products. The group has exploited at least four vulnerabilities in the vendor’s products since 2023, according to Mandiant. Ivanti customers are confronting another string of attacks linked to an actively exploited vulnerability in the company’s VPN products. Mandiant said a nation-state backed espionage group linked to China has been exploiting the critical vulnerability, CVE-2025-22457, since mid-March. CISA Warns of CrushFTP Vulnerability Exploitation in the Wild Date: 2025-04-08 Author: Infosecurity Magazine [AUSCERT contacted the potentially vulnerable members via email on 26 March 2025] The US top cybersecurity agency has confirmed that the critical vulnerability in file transfer solution provider CrushFTP’s product is being exploited in the wild. The authentication bypass vulnerability, CVE-2025-31161, was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 7. SAP April 2025 Update Fixes Critical Code Injection Vulnerabilities Date: 2025-04-09 Author: gbhackers SAP Security Patch Day has introduced a critical update to address vulnerabilities in SAP products, including high-severity code injection weaknesses. A total of 18 new Security Notes, along with 2 updates to existing notes, were released to tackle serious risks such as unauthorized access, code injection, and directory traversal. SAP recommends customers promptly apply these patches to safeguard their systems and ensure the robustness of their SAP landscapes. Oracle says "obsolete servers" hacked, denies cloud breach Date: 2025-04-09 Author: Bleeping Computer Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as "two obsolete servers." However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services. "Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach," Oracle says in a customer notification shared with BleepingComputer. ESB-2025.2224.2 – FortiSwitch: CVSS (Max): 9.3 A recently revealed critical vulnerability in Fortinet’s FortiSwitch product line is sparking serious security concerns. Identified as CVE-2024-48887, the flaw allows remote, unauthenticated attackers to reset administrator passwords without needing prior access—posing a significant risk to organizations that depend on FortiSwitch for their network infrastructure. ESB-2025.2214 – Google Chrome: CVSS (Max): 8.8 Google has released an important security update for its Chrome browser, addressing a serious vulnerability that could potentially allow attackers to execute code remotely. The issue, tracked as CVE-2025-3066, affects Chrome's Site Isolation feature, highlighting the critical role regular browser updates play in defending against cyber threats. The update, rolled out on April 8, 2025, updates the Chrome Stable Channel to version 135.0.7049.84/.85 for Windows and Mac, and 135.0.7049.84 for Linux. ASB-2025.0059 – Microsoft Windows: CVSS (Max): 8.8 Microsoft has released security fixes to address a massive set of 125 flaws affecting its software products, including an active exploitation of a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2025-29824. ESB-2025.2191 – Android: CVSS (Max): 8.8* The April 2025 Android Security Bulletin details multiple vulnerabilities affecting Android devices, all addressed by the 2025-04-05 security patch level. The most severe is a critical System vulnerability that allows remote privilege escalation without user interaction or extra permissions, especially dangerous if mitigations are bypassed or disabled. ESB-2025.2242 – Juniper Junos OS: CVSS (Max): 10.0 Juniper Networks' April 2025 Security Bulletin addresses multiple vulnerabilities in Junos Space, Junos OS, and related products including CVE-2024-36971. The Junos Space 24.1R3 release resolves several critical and high-severity vulnerabilities, including remote code execution and denial-of-service issues. Users are advised to upgrade to Junos Space 24.1R3 and Junos OS versions 21.4R3-S10 or later to mitigate these risks. ESB-2025.2317 – Adobe ColdFusion: CVSS (Max): 9.1 Adobe's April 2025 Patch Tuesday release addresses 54 security vulnerabilities, including critical flaws in products like ColdFusion, FrameMaker, Photoshop, and Adobe Commerce. The most urgent fix is for ColdFusion, with 15 vulnerabilities that could allow arbitrary code execution, file system access, and security feature bypasses. Eleven of these vulnerabilities are ranked as critical, with CVSS scores between 7.5 and 9.1. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, We’re excited to introduce two new courses to our training offerings this year, designed to help organisations tackle key cyber security challenges. Due to high demand, we’ve added the Understanding and Implementing the ASD Essential Eight course to help security managers and technical specialists navigate the Essential Eight—a set of critical cyber security strategies published by the Australian Government. By completing this course, participants will gain a solid understanding of the ASD Essential Eight (E8), valuable insights into implementation options, and a clear grasp of the E8 maturity model. The course also covers how to prepare for an E8 assessment by an ASD-certified assessor. The next session for this course is coming up on July 29 &30—register now before it books out! Another course we’ve recently introduced is Managing Third-Party Cyber Security Risk, designed for professionals across various industries. This course focuses on securing organisations against risks posed by third-party suppliers and partners. Participants will gain a comprehensive understanding of third-party cyber risks, their impact on business operations and data security, and how to effectively identify and assess supplier risks. The course also covers mitigation strategies, industry best practices, and continuous monitoring techniques to strengthen an organisation’s cyber security posture. The next session is on August 5 & 6—register now! Looking for a streamlined approach to staff training? Our in-house training and volume booking options provide flexible, tailored solutions to meet your organisation’s needs. Contact us today to discuss how we can align our training with your organisation’s objectives for maximum impact! Hackers abuse WordPress MU-Plugins to hide malicious code Date: 2025-03-31 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection. The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code. "The fact that we've seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold," explains Sucuri's security analyst Puja Srivastava. CISA Analyzes Malware Used in Ivanti Zero-Day Attacks Date: 2025-03-31 Author: Security Week The US cybersecurity agency CISA on Friday published its analysis of the malware used by Chinese hackers in attacks exploiting an Ivanti Connect Secure zero-day patched in January 2025. The issue, tracked as CVE-2025-0282 (CVSS score of 9.0), is described as a stack-based buffer overflow enabling attackers to execute arbitrary code remotely, without authentication. 24,000 unique IP addresses target PAN-OS GlobalProtect gateways Date: 2025-04-01 Author: SC Media A significant surge in scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateway portals was observed in which over the last 30 days, nearly 24,000 unique IP addresses have attempted to access the PAN-OS devices. The increased activity suggests a coordinated effort to probe network defenses and identify vulnerable systems, potentially as a precursor to targeted exploitation. GitHub expands security tools after 39 million secrets leaked in 2024 Date: 2025-04-02 Author: Bleeping Computer GitHub announced updates to its Advanced Security platform after it detected over 39 million leaked secrets in repositories during 2024, including API keys and credentials, exposing users and organizations to serious security risks. In a new report by GitHub, the development company says the 39 million secrets were found through its secret scanning service, a security feature that detects API keys, passwords, tokens, and other secrets in repositories. "Secret leaks remain one of the most common—and preventable—causes of security incidents," reads GitHub's announcement. U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog Date: 2025-04-02 Author: Security Affairs [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.1669.2] The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 hours after a public PoC was released. The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met. ESB-2025.2011 – Apple iOS 15.8.4 and iPadOS 15.8.4: CVSS (Max): 8.8 Apple addressed two zero-day vulnerabilities: CVE-2025-24201 in WebKit, which allows attackers to escape the Web Content sandbox, and CVE-2025-24200, which lets attackers with physical access disable USB Restricted Mode on a locked device. Both were exploited in a sophisticated attack on specific targets. Security updates were released for iOS and iPadOS to fix these issues. ESB-2025.2035 – Google Chrome: CVSS (Max): None Chrome 135 has been released with 14 security fixes, including nine from external researchers. The most severe is a high-risk use-after-free flaw (CVE-2025-3066) in Navigations. The update also addresses medium- and low-severity issues in areas like Custom Tabs, Extensions, and Autofill. ESB-2025.2095 – Jenkins (core) and Jenkins Plugins: CVSS (Max): 8.8 Jenkins released a high-priority security advisory addressing multiple vulnerabilities in its core platform and plugins. The most critical issue, CVE-2025-31722, allows arbitrary code execution via the Templating Engine Plugin, with a CVSSv3 score of 8.8. ESB-2025.2048 – VMware Products: CVSS (Max): 7.8 VMware has released a critical security advisory (VMSA-2025-0006) for a high-severity privilege escalation vulnerability (CVE-2025-22231) in its Aria Operations platform, affecting multiple products. The flaw, rated 7.8 on the CVSSv3 scale, allows attackers with local admin access to gain root control over the system. Patches are now available for affected VMware platforms. ESB-2025.2045 – Firefox ESR: CVSS (Max): 8.1 Mozilla released Firefox 137 fixing critical vulnerabilities. The update addresses a high-impact use-after-free bug (CVE-2025-3028) and memory safety issues (CVE-2025-3030), which could lead to arbitrary code execution. Users are urged to update immediately to protect against these severe risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week has been an exciting one with the release of AUSCERT’s 2024 Year in Review! This report provides our members with a valuable snapshot of our efforts behind the scenes, offering insights into the services available and the opportunities they can take advantage of. It also offers valuable insights into industry trends and the ongoing progress across key areas. These milestones highlight our unwavering commitment to equipping members with the tools, knowledge, and support needed to navigate the ever-evolving cyber security landscape with confidence. Read the full report here Oracle has rejected claims that its cloud systems were compromised after a cyber criminal advertised the alleged theft of sensitive data from Oracle Cloud. The attacker claimed to have exploited a vulnerability in Oracle’s Single Sign-On (SSO) login servers, but Oracle denied this, stating no breach occurred and that the leaked credentials were unrelated to Oracle Cloud. The situation intensified when the threat actor released a 10,000-line sample of the purportedly stolen data, apparently to substantiate their claim of exfiltrating 6 million records from Oracle Cloud. Bleeping Computer contacted some of the alleged victim organisations, some of whom reportedly validated the stolen information was theirs. AUSCERT has issued a Critical Member Security Information Notification to potentially impacted members. We are actively monitoring the situation and will continue to update members as it unfolds. Despite these developments, Oracle maintains there has been no breach and is proceeding with its investigation. Critical ‘IngressNightmare’ Vulns Imperil Kubernetes Environments Date: 2025-03-25 Author: Dark Reading The maintainers of Kubernetes have released patches for four critical vulnerabilities in the Ingress NGINX Controller, affecting 6,500, or 41%, of all Internet-facing container orchestration clusters, including those used by several Fortune 500 companies. The vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands in affected environments and completely take over Kubernetes clusters, according to researchers at Wiz who discovered the flaws. Researchers raise alarm about critical Next.js vulnerability Date: 2025-03-24 Author: CyberScoop [AUSCERT has identified the impacted members (where possible) and contacted them via email] The software defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization. Researchers warn that attackers could exploit a recently discovered critical vulnerability in the open-source JavaScript framework Next.js to bypass authorization in middleware and gain access to targeted systems. Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on March 21. Google Patches Chrome Sandbox Escape Zero-Day Caught by Kaspersky Date: 2025-03-25 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1867/] Google late Tuesday rushed out a patch a sandbox escape in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign targeting organizations in Russia. CrushFTP warns users to patch unauthenticated access flaw immediately Date: 2025-03-25 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately. As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S). “Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon,” the company warned. VMware Patches Authentication Bypass Flaw in Windows Tools Suite Date: 2025-03-25 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1852/] Virtualization technology giant VMware on Tuesday released an urgent fix for an authentication bypass security defect affecting its VMware Tools for Windows utilities suite. The vulnerability, tagged as CVE-2025-22230, opens the door for a malicious actor with non-administrative privileges on a Windows guest virtual machine to perform certain high-privilege operations within that VM. Oracle customers confirm data stolen in alleged cloud breach is valid Date: 2025-03-26 Author: Bleeping Computer Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users ASB-2025.0050 – AUSCERT Bulletin Service – Oracle Cloud breach AUSCERT released an advisory regarding an alleged Oracle Cloud breach, where a threat actor claims to have stolen 6 million sensitive records. Oracle has denied the breach despite data samples appearing legitimate. The impact remains unclear, and mitigation measures should be evaluated based on the organisation’s policies. ESB-2025.1921 – GitLab Community and Enterprise Editions: CVSS (Max): 8.7 GitLab issued a security advisory urging users to upgrade to versions 17.10.1, 17.9.3, or 17.8.6 to address multiple vulnerabilities, including two high-severity XSS flaws (CVSS 8.7): CVE-2025-2255, which allows XSS via merge-request error messages, and CVE-2025-0811, caused by improper rendering of certain file types, both affecting versions prior to 17.8.6, 17.9.3, and 17.10.1. ESB-2025.1867 – Google Chrome: CVSS (Max): None Google fixed a high-severity Chrome zero-day vulnerability (CVE-2025-2783) exploited to escape the browser’s sandbox and deploy malware in espionage attacks targeting Russian media and education organisations. The flaw was related to an incorrect handle in Mojo on Windows. The fix is rolling out globally for Windows users in Chrome version 134.0.6998.178, with automatic updates available. ESB-2025.1852 – VMware Tools: CVSS (Max): 7.8 Broadcom issued security patches for a high-severity authentication bypass vulnerability in VMware Tools for Windows, tracked as CVE-2025-22230, rated 7.8 CVSS. The flaw allows attackers with non-admin privileges to perform high-privilege operations within a Windows guest VM. The vulnerability affects VMware Tools versions 11.x.x and 12.x.x and is fixed in version 12.5.1. ESB-2025.1840 – F5 Products: CVSS (Max): 9.8 Multiple vulnerabilities were discovered in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to remote code execution. These vulnerabilities, including CVE-2025-1974 (CVSS 9.8), allow unauthenticated attackers to execute arbitrary code and access all secrets in the Kubernetes cluster. F5 Networks has released an advisory and is actively investigating the issue to assess how these flaws may impact their products. Stay safe, stay patched and have a good weekend! The AUSCERT team