Publications

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” New Season + AUSCERT2025 Conference Wrap Up Kicking off a new season for the AUSCERT Podcast! Announcing new changes and format for this season and an overview of the recent AUSCERT2025 Conference. This episode was hosted by Bek Cheb The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, This week, Qantas experienced a major cyber attack compromising the personal data of up to six million customers. The breach, caused by a social engineering technique known as "vishing," exploited a third-party call centre system and exposed names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Crucially, no passwords, PINs, credit card details, or passport information were accessed, and multi-factor authentication continues to protect frequent flyer accounts. Qantas is actively investigating the incident and will contact affected customers directly. Meanwhile, cyber security experts urge individuals to stay vigilant against phishing attempts, use strong and unique passwords, enable two-factor authentication, and monitor their accounts for unusual activity. Support lines have been set up to assist those impacted. This incident highlights the importance of securing supply chains. The UK’s National Cyber Security Centre (NCSC), offers a 12-principle framework to guide organisations through risk assessment, control, verification, and continuous improvement. The framework helps stakeholders set clear security requirements, embed them into contracts, and build long-term resilience. AUSCERT also offers a dedicated course on ‘Managing Third-Party Cyber Security Risk’, equipping participants with a deep understanding of third-party threats and the skills to identify, assess, and mitigate them. The course explores the business and data impacts of supplier vulnerabilities, outlines best-practice controls, and highlights the importance of ongoing monitoring and vendor assessments to ensure robust cyber security. Cisco scores a perfect 10 for a critical comms flaw Date: 2025-07-02 Author: The Register [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4373] If you're running the Engineering-Special (ES) builds of Cisco Unified Communications Manager or its Session Management Edition, you need to apply Cisco's urgent patch after someone at Switchzilla made a big mistake. There is an ostensible purpose behind the mistake, dubbed CVE-2025-20309, with a critical rating of 10.0. The credentials have been left in there to make development work easier, Cisco said in its advisory. Qantas discloses cyberattack amid Scattered Spider aviation breaches Date: 2025-07-01 Author: Bleeping Computer Australian airline Qantas disclosed that it detected a cyberattack on Monday after threat actors gained access to a third-party platform containing customer data. This attack comes as cybersecurity firms warn that hackers known as "Scattered Spider" have begun targeting the aviation and transportation industries. While it is unclear if this group is behind the Qantas attack, BleepingComputer has learned the incident shares similarities with other recent attacks by the threat actors. Microsoft security updates address CrowdStrike crash, kill ‘Blue Screen of Death’ Date: 2025-06-27 Author: CyberScoop Third-party antivirus software will no longer have access to the Windows kernel as Microsoft rolls out changes to reduce IT downtime from unexpected crashes or disruptions. When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame. Hacker Conversations: Rachel Tobac and the Art of Social Engineering Date: 2025-06-30 Author: Security Week Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects. Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers. Initial Access Broker Self-Patches Zero Days as Turf Control Date: 2025-07-03 Author: Dark Reading A likely China-nexus threat actor has been exploiting unpatched Ivanti vulnerabilities to gain initial access to victim networks and then patching the systems to block others from breaking in to the same network. ESB-2025.4269 – Sudo: CVSS (Max): 9.3 Sudo vulnerabilities in Ubuntu allow local attackers to bypass host restrictions or execute arbitrary commands as root, impacting several versions. Users are advised to update to the latest sudo package versions to resolve these issues. ESB-2025.4333 – FESTO Didactic CP, MPS 200, and MPS 400 Firmware: CVSS (Max): 9.8 A memory protection bypass vulnerability in FESTO Didactic CP, MPS 200, and MPS 400 firmware can allow remote attackers to write arbitrary code or read sensitive data. Users are advised to update to Siemens Simatic S7-1500/ET200SP firmware version 2.9.2 or higher to mitigate risks. ESB-2025.4337 – Voltronic Power and PowerShield UPS Monitoring Software: CVSS (Max): 10.0 Voltronic Power and PowerShield UPS monitoring software contain critical vulnerabilities that allow unauthenticated remote attackers to execute arbitrary code or shut down UPS-connected devices. CISA advises minimizing network exposure and isolate from business networks to mitigate these risks. ESB-2025.4411 – Mitsubishi Electric MELSOFT Update Manager: CVSS (Max): 8.1 Mitsubishi Electric MELSOFT Update Manager versions 1.000A to 1.012N contain vulnerabilities that are actively being exploited. Users are advised to update to version 1.013P or later to mitigate these risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Cyber criminals are increasingly adopting and selling "uncensored" Large Language Models (LLMs) on dark web forums like BreachForums. Rather than building malicious AI tools from scratch, they are "jailbreaking" legitimate, powerful models from mainstream companies like xAI (the creator of Grok) and the French firm Mistral AI (creator of Mixtral). Many of these tools are being sold as WormGPT or variants with similar names and functionality, including FraudGPT and EvilGPT. On a potentially related note, research claims a 90% success rate in jailbreaking LLMs. AUSCERT is urging its members and the wider community to prepare for a surge in cyber incidents as the End of Financial Year (EOFY) approaches. Cybercriminals are once again exploiting this high-activity period—this time with more sophisticated tactics than ever before. AUSCERT has observed a sharp and consistent rise in phishing scams, particularly those impersonating trusted government and taxation agencies. The increased volume of payments, invoicing, and accounting activity during EOFY creates ideal conditions for threat actors to target already time-poor and pressured organisations. To help you stay prepared, AUSCERT has compiled key insights and practical guidance in our latest article. Read it here to learn how to better protect your organisation during this critical time. Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC Date: 2025-06-25 Author: The Hacker News [AUSCERT has published security bulletins for these updates: https://portal.auscert.org.au/bulletins/ESB-2025.4172] [AUSCERT has identified the impacted members (where possible) and contacted them via email] Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0. It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Flaw in Notepad++ installer could grant attackers SYSTEM access (CVE-2025-49144) Date: 2025-06-25 Author: Help Net Security A high-severity vulnerability (CVE-2025-49144) in the Notepad++ installer could be exploited by unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. There is currently no indication that the vulnerability is being leveraged by attackers, though technical details and a proof-of-concept (PoC) have been published – and redacted shortly after for security reasons. No, the 16 billion credentials leak is not a new data breach Date: 2025-06-19 Author: Bleeping Computer News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks. To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet. Reported Impersonation Scams Surge 148% as AI Takes Hold Date: 2025-06-24 Author: Infosecurity Magazine The volume of impersonation scams has soared 148% year-on-year (YoY) thanks in part to AI tools making life easier for cybercriminals, according to the Identity Theft Resource Center (ITRC). The US non-profit’s new 2025 Trends in Identity Report is based on analysis of identity crimes (compromise, theft and misuse) reported to it by victims from April 1 2024 to March 31 2025. Identity Is the New Perimeter: Why Proofing and Verification Are Business Imperatives Date: 2025-06-24 Author: Security Week Digital transformation has unlocked new opportunities – not just for innovation and growth, but also for cybercriminals seeking to exploit personal and sensitive information. According to the Future of Global Identity Verification report, more than two-thirds (69%) of organizations have experienced an increase in fraud attempts. Among companies with over 5,000 employees, the average annual direct cost of identity fraud is $13 million. That figure rises sharply with organizational size; for enterprises with more than 10,000 employees, 20% report annual direct and indirect identity fraud costs exceeding $50 million. ESB-2025.4180 – NetScaler ADC and NetScaler Gateway Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). ESB-2025.4160 – Cisco Products Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. ESB-2025.4093 – Apache Log4j Apache Log4j could be made to run programs as your login if it opened a specially crafted file. An attacker could possibly use these issues to enable the execution of arbitrary code. ( CVE-2022-23302 , CVE-2022-23305 , CVE-2022-23307 ) ESB-2025.4080 – IBM Security QRadar SIEM IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Stay safe, stay patched and have a good weekend! The AUSCERT team

As we approach the End of Financial Year (EOFY), cyber criminals are once again exploiting this high-activity period, only this year their tactics are more sophisticated than ever. AUSCERT has observed a consistent and sharp rise in phishing scams, particularly those impersonating trusted government and taxation agencies. The surge in payments, invoicing, and accounting workflows during EOFY creates a perfect storm of opportunity for threat actors to target organisations already under pressure. Phishing scams have risen significantly in recent years, with reported incidents rising from 1,100 in 2022 to 2,500 in 2023, and reaching 2,960 in 2024. These scams often feature official-looking branding, convincing language, and urgent calls to action. Common tactics include prompting users to click malicious links, scan QR codes, or download attachments—typically under the disguise of tax refunds, account issues, or penalty warnings. Among AUSCERT’s members, unsurprisingly the Financial and Insurance Services industry remains the most heavily impacted during this time. Given its access to high-value data and essential services, this sector is a prime target for fraud, identity theft, and business email compromise (BEC), making vigilance during EOFY more critical than ever. Alarmingly, phishing threats are becoming even more difficult to detect with the rise of AI-generated scams. Artificial intelligence is now being used to craft highly personalised and scalable phishing campaigns that mimic human language and behaviour. These AI-powered scams are more deceptive, harder to identify, and faster to deploy making them a serious challenge for both individuals and organisations. To stay safe from ATO and MyGov-related phishing scams this tax season, it’s important to take the following precautions: Verify the source: Don’t trust unsolicited emails, calls, or texts. The ATO and myGov will never ask for sensitive information via email or SMS. Contact them directly using official channels. Hang up on threats: If a caller pressures you to pay or threatens arrest, end the call immediately. Legitimate agencies don’t behave this way. Avoid unknown links and attachments: Never click on unexpected links or open attachments from unknown sources. Be wary of urgency: Scammers use urgency to rush decisions. Take your time to verify before taking the next step. Protect personal information: Don’t share financial or personal details without validating the request through different communications channels. Report suspicious activity: Report phishing attempts to the ATO, ACSC, or ScamWatch. Keep software updated: Ensure your devices have the latest security updates and antivirus protection to defend against malware and phishing. Get Help: If you have been scammed as an individual, contact IDCARE. If your organisation has been impacted and you are an AUSCERT member, contact us. If not, contact the ACSC. By staying alert and applying strong cyber hygiene practices, both individuals and businesses can reduce the risk of falling victim to sophisticated phishing scams this tax season.

AUSCERT2025 Conference recap On the 20th of May the AUSCERT2025 Cyber Security Conference launched with two days of tutorials followed by two days of conference sessions, all centred around this year’s powerful theme: Evolve and Thrive. This theme wasn’t chosen lightly. In a world where cyber threats evolve daily, our industry must continuously innovate, adapt, and stay ahead of the curve. Evolve and Thrive captures that spirit perfectly, resonating deeply with attendees. The venue theming, featuring hand-drawn artwork, a dark ominous backdrop, and cyberpunk dinosaurs, was a visual hit. Sparking conversations and compliments from everyone in attendance. Hands-on Workshops with Industry Leaders During the tutorial days (20th – 21st), delegates had the opportunity to attend hands-on workshops led by industry leaders such as Bruce Large, Paul McCarty, and Chris Gatford. Topics ranged from Generative AI Security to Detection Engineering and ISO270001 Compliance. These tutorial days, offered as a complimentary add-on to conference registration, continue to be a favourite way for attendees to upskill in a practical and engaging environment. A Grand Opening and Powerful Keynotes The main conference began with a moving Welcome to Country followed by opening remarks from AUSCERT’s Director David Stockdale and AUSCERT’s General Manager Ivano Bongiovanni. Our keynote lineup, Jess Modini, Lt. General Michelle McGuinness and Professor Marek Kowalkiewicz, deliver compelling presentations to a packed room of over 900 delegates. Post conference feedback confirmed what we already know, the keynotes were a standout success. Adapting and Thriving Even in the Face of a Cyclone If you attended AUSCERT2025, you might have noticed that the Sponsorship Exhibition was a little different this year. Due to damage from Cycle Alfred, our usual marquee at The Star was unavailable. The AUSCERT Events team quicky pivoted, adapting to a new space with a smaller footprint. The result? A bright, open exhibition area that made the most of the Gold Cost’s beautiful spring weather and natural light. This created a vibrant atmosphere that exhibitor and delegates alike appreciated. A Glimpse into the Future: ICCs and Team Oceania. If you passed though the foyer on Wednesday or Thursday, you may have seen a group of very focused women typing furiously. This was the awesome women of Team Oceania, absolutely killing it. They were participating in a miniature Capture the Flag (CTF) challenge against several other international teams of women. This activation was our exciting first step in promoting AUSCERT2026, where we’ll proudly host the International Cybersecurity Championships (ICCs)! Community, Connection, and Cuddles We brought back beloved initiatives like our beloved Puppy Cuddle area, while also rethinking and retiring elements that no longer served our community. This year we focused on what our delegate truly value, connection, learning, and fun. Looking ahead to AUSCERT2026, we are already planning something extraordinary with hosting the ICCs. There will be challenges no doubt, but as always, we’ll rise to the challenge and deliver an unforgettable conference for our member and delegates alike!

Greetings, As Privacy Awareness Week 2025 unfolds, it’s encouraging to see strong support across the industry. Organisations are actively engaging in meaningful conversations about the role of privacy and it’s clear that data protection is no longer just a regulatory obligation. It’s now recognised as a core business value and a collective responsibility. Creating a privacy-conscious digital environment requires genuine collaboration between industry, government, and individuals. By working together, we can build a future where data is protected, respected, and used responsibly. Here are a few key reminders: Collect Only What’s Necessary – Limit data collection to what’s essential to reduce risk and strengthen compliance. Embed Privacy in Culture – Treat privacy as a core organisational value, not just a regulatory requirement. Everyone Has a Role – From daily habits to major decisions, individual actions directly influence privacy and security. Privacy Awareness Week is more than a one-week focus – it’s a long-term commitment. By embedding privacy into our culture, practices, and mindset, we not only meet today’s standards but also lay the foundation for a safer digital future. Critical Vulnerability Patched in Citrix NetScaler Date: 2025-06-18 Author: Security Week Citrix on Tuesday announced patches for four vulnerabilities across three products, including a critical-severity issue in NetScaler ADC and NetScaler Gateway. The critical flaw, tracked as CVE-2025-5777 (CVSS score of 9.3), is described as an out-of-bounds memory read caused by insufficient input validation. Only NetScaler deployments configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as Authentication, Authorization, and Accounting (AAA) virtual server are affected, Citrix explains in its advisory. Critical Vulnerabilities Patched in Trend Micro Apex Central, Endpoint Encryption Date: 2025-06-13 Author: Security Week Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE). The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says. Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor Date: 2025-06-17 Author: The Hacker News A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3). Google addressed the flaw later that month after Kaspersky reported in-the-wild exploitation in a campaign dubbed Operation ForumTroll targeting various Russian organizations. High-Severity Vulnerabilities Patched in Tenable Nessus Agent Date: 2025-06-16 Author: Security Week Tenable has released patches for three high-severity vulnerabilities in Nessus Agent for Windows that could be exploited to perform file operations and execute code with elevated privileges. Tracked as CVE-2025-36631 (CVSS score of 8.4), the first bug could allow users logged in to non-administrative accounts to overwrite arbitrary local system files with log content, with System privileges. The second flaw, CVE-2025-36632 (CVSS score of 7.8), allows non-administrative users to execute arbitrary code with System privileges. Finally, CVE-2025-36633 (CVSS score of 8.8) allows users in a non-administrative position to arbitrarily delete local system files, also with System privileges. Microsoft: DHCP issue hits KB5060526, KB5060531 of Windows Server Date: 2025-06-17 Author: Windows Latest [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2025.0104] Microsoft confirmed that the DHCP server service might stop responding or refuse to connect after the June 2025 Update for Windows Server. The DHCP issue affects Windows Server 2025 (KB5060842), Windows Server 2022 (KB5060526), Windows Server 2019 (KB5060531), and Windows Server 2016 (KB5061010). As per user reports spotted by Windows Latest, as soon as you install Windows Server 2016 (KB5061010) or another update listed above, you won’t be able to use the DHCP server. The DHCP server connection would immediately fail after 20-50 seconds of booting the server, but as soon as you remove the update, you’ll be able to use DHCP again. ESB-2025.3989 – Multi-Linux Manager Client Tools – CVSS (Max) 9.9 This SUSE update resolves eight vulnerabilities, fixes various bugs, contains four new features and has six security fixes. Affected products include openSUSE Leap, SUSE Linux Enterprise Desktop/High Performance Computing/Micro/Real Time/Server/Client Tools/Proxy/Retail Branch Server. ESB-2025.3938 – moodle – CVSS (Max) 10.0 This security fix resolves an SQL injection risk in the upstream AD0db library. The core Moodle LMS was NOT affected by this vulnerability, however as a precaution, this library has been upgraded to remove the risk entirely, in case any third party code/plugins uses the vulnerable code. ESB-2025.3926 – webkit2gtk – CVSS (Max) 9.8 This update resolves various vulnerabilities including denial of service, unexpected process crashes, exfiltrate data cross-origin, cross-site scripting attacks, and memory corruption. For Debian 11 bullseye, these problems have been fixed in version 2.48.3-1~deb11u1. It is recommend to upgrade webkit2gtk packages. ESB-2025.4024 – samba – CVSS (Max) 9.8 Several security issues were fixed in Samba. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service, escalate privileges, or possibly execute arbitrary code. ESB-2025.4023 – Python – CVSS (Max) 9.4 Python could be made to overwrite files from incorrectly handled tar archive extraction with the filtering option. An attacker could possibly use this issue to modify files in arbitrary filesystem locations and cause data loss. The problem can be corrected by updating the system. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Next week is Privacy Awareness Week, running from 16 to 22 June. This annual initiative encourages individuals, organisations and government agencies to take privacy seriously and raise awareness about the importance of protecting personal information. The 2025 theme is “Privacy: It’s Everyone’s Business”, and we’re being asked to shout it from the rooftops! Led by the Office of the Australian Information Commissioner (OAIC), Privacy Awareness Week is supported by state and territory privacy regulators as well as members of the Asia Pacific Privacy Authorities forum. Privacy is protected both in Australia and internationally through a range of laws. The OAIC primarily administers the Privacy Act 1988, which is the key piece of federal legislation governing the handling of personal information. In addition, each Australian state and territory has its own privacy laws that apply to their public sector agencies. A recent Help Net Security article highlights the growing threat of Vendor Email Compromise (VEC) attacks, which have led to over $300 million in attempted thefts within a year. VEC attacks involve cyber criminals impersonating trusted vendors to trick employees into actions like transferring funds or disclosing sensitive information. The report found that 72% of employees in large organisations (50,000+ staff) who read a VEC email went on to engage with it, with entry-level sales staff being particularly vulnerable. Industries like telecommunications and energy/utilities saw the highest engagement rates, and prior victims were more likely to be targeted again. The report also revealed that VEC attacks are significantly underreported—only 1.46% of advanced text-based email threats were flagged to security teams, leaving organisations unaware of many potential breaches. In regions like Europe, the Middle East and Africa, engagement with VEC was 90% higher than with BEC (Business Email Compromise) attacks, yet detection and response lag behind. Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks Date: 2025-06-09 Author: The Hacker News A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers. Critical Vulnerability Patched in SAP NetWeaver Date: 2025-06-10 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver. Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP. Google patched bug leaking phone numbers tied to accounts Date: 2025-06-09 Author: Bleeping Computer A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing a their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections. Fortinet, Ivanti Patch High-Severity Vulnerabilities Date: 2025-06-11 Author: Security Week [See AUSCERT bulletin for Fortinet: https://portal.auscert.org.au/bulletins/ESB-2025.3786] Fortinet and Ivanti on Tuesday announced fixes for over a dozen vulnerabilities across their product portfolios, including multiple high-severity flaws. Ivanti released a Workspace Control (IWC) update to address three high-severity bugs that could lead to credential leaks. Tracked as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, the issues exist because of hardcoded keys in IWC versions 10.19.0.0 and prior, which could allow authenticated attackers to decrypt stored SQL credentials and environment passwords. INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure Date: 2025-06-11 Author: The Hacker News INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses," INTERPOL said in a statement. "Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities." ESB-2025.3716 – roundcube: CVSS (Max): 9.9 Debian addresses CVE-2025-49113 in Roundcube 1.4.15+dfsg.1-1+deb11u5. This vulnerability allows authenticated attackers to execute arbitrary code via PHP object deserialization. ESB-2025.3819 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1 Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Exploitation could result in security feature bypass, privilege escalation, and arbitrary code execution. ESB-2025.3831 – GitLab Community Edition and Enterprise: CVSS (Max): 8.7 GitLab addresses several high-severity vulnerabilities, including HTML injection and cross-site scripting flaws, which could lead to account takeover or unauthorized actions across GitLab Community and Enterprise Editions. ASB-2025.0104 – Microsoft Windows: CVSS (Max): 8.8 Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including two actively exploited flaws. CVE-2025-33053 is a one-click WebDAV flaw that lets attackers run code remotely if a user clicks a malicious link. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The Australian Government has enacted new legislation requiring certain organisations to report ransomware and cyber extortion payments within 72 hours. Effective from 30 May 2025, the law applies to businesses with an annual turnover of at least AUD $3 million, as well as all entities within the critical infrastructure sector. If an organisation is a reporting entity, as defined under Part 3 of the Cyber Security Act 2024, they must submit a report via the Australian Signals Directorate (ASD) at cyber.gov.au/report within 72 hours of making a ransomware or cyber extortion payment or becoming aware that a payment has been made on their behalf. The regulation covers both monetary and non-monetary payments made in response to ransomware or extortion demands, whether paid directly or via a third party. Reports must include key details such as the nature of the incident, the attacker’s demands, contact information, communications, the payment amount and any other relevant information. The Department of Home Affairs will work with organisations to support the reporting process, identify challenges, and ensure smooth implementation. While the ASD will not enforce compliance within the first six months, it will support entities in responding to, mitigating, and recovering from cyber incidents. This legislation aims to increase transparency and strengthen Australia’s cyber resilience by improving visibility of ransomware activity and informing future protective measures. Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code Date: 2025-06-03 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3551/] Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization. Hewlett Packard Enterprise warns of critical StoreOnce auth bypass Date: 2025-06-03 Author: Bleeping Computer Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution. Among the flaws fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked under CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue. Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion Date: 2025-06-03 Author: The Hacker News Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said. The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters. New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch Date: 2025-06-03 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3591/] Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on the NIST's National Vulnerability Database (NVD). Exploit details for max severity Cisco IOS XE flaw now public Date: 2025-05-31 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.2902/] Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. The write-up by Horizon3 researchers does not contain a 'ready-to-run' proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces. Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users take action now to protect their endpoints. ESB-2025.3572 – Splunk Universal Forwarder: CVSS (Max): 9.8 Splunk has addressed multiple critical and high-severity third-party package vulnerabilities in Universal Forwarder versions 9.1.9 to 9.4.2. Users are advised to upgrade to the latest fixed versions and manually remove deprecated binaries if present. ESB-2025.3573 – Splunk Enterprise: CVSS (Max): 9.8 Splunk has addressed multiple critical and high-severity CVEs by updating or removing third-party packages in Splunk Enterprise versions 9.4.2, 9.3.4, 9.2.6, and 9.1.9. ESB-2025.3597 – Schneider Electric Wiser Home Automation: CVSS (Max): 9.8 A critical buffer overflow vulnerability in Schneider Electric's Wiser AvatarOn and Cuadro H 5P Socket devices could allow remote code injection or authentication bypass. As these products are end-of-life, users are advised to disable firmware updates or remove them from service to mitigate risk. ESB-2025.3659 – Cisco Identity Services Engine (ISE): CVSS (Max): 9.9 A critical vulnerability (CVE-2025-20286) in Cisco Identity Services Engine cloud deployments causes shared static credentials across environments, enabling unauthenticated remote attackers to access or disrupt systems. Only cloud-based Primary Admin nodes are affected; Cisco has released patches, with no workarounds available. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As the team begins to recover from an incredible week at AUSCERT2025, we're also taking a moment to reflect on some of our favourite highlights and memorable moments. One standout was the Gala Dinner, where we celebrated excellence in our community and recognised the remarkable individuals and organisations making a real difference. A heartfelt congratulations to our 2025 award winners! • Craig Ford – AUSCERT Award for Individual Excellence in Information Security Honoured for his outstanding contributions to the field, not only through technical expertise but also through his leadership and community engagement. • Paula Sillars – Diversity and Inclusion Champion Recognised for her tireless dedication and innovative efforts to advance diversity and inclusion in the cybersecurity industry. • Mark Laffan – AUSCERT Member Individual of the Year Celebrated for his long-standing commitment and invaluable impact on the broader cybersecurity community. • Cenitex – AUSCERT Member Organisation of the Year Awarded for exemplifying innovation, collaboration, and excellence in cybersecurity practices. This week, The Australian Cyber Security Centre (ACSC) has released new guidance to support organisations in implementing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms. SIEM solutions collect, centralise, and analyse log data from across an organisation’s network—helping security teams detect, investigate, and respond to threats more efficiently. Meanwhile, SOAR platforms automate cyber security functions through integration of SIEM systems and other technical security controls. Together, SIEM and SOAR enhance visibility, reduce response times, and streamline security operations—making them critical components of a modern and resilient cyber security strategy. Read the ACSC article for more information AI Data Security Date: 2025-05-23 Author: ASD’s ACSC This Cybersecurity Information Sheet (CSI) provides essential guidance on securing data used in artificial intelligence (AI) and machine learning (ML) systems. It also highlights the importance of data security in ensuring the accuracy and integrity of AI outcomes and outlines potential risks arising from data integrity issues in various stages of AI development and deployment. This CSI provides a brief overview of the AI system lifecycle and general best practices to secure data used during the development, testing, and operation of AI-based systems. 251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch Date: 2025-05-28 Author: The Hacker News Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits, misconfiguration probes, and recon activity," the threat intelligence firm said. "All IPs were silent before and after the surge, indicating temporary infrastructure rental for a single operation." GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts Date: 2025-05-23 Author: The Hacker News Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write, review, and edit code. Built using Anthropic's Claude models, the service was first launched in June 2023. Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected Date: 2025-05-24 Author: Hack Read A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial. A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts. Russian Government Hackers Caught Buying Passwords from Cybercriminals Date: 2025-05-27 Author: Security Week Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America. In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks. ESB-2025.3340 – Tomcat: CVSS (Max): 9.8 A vulnerability in Apache Tomcat (CVE-2025-24813) could allow attackers to access sensitive files or execute code via specially crafted requests. This update extends the fix to Ubuntu 24.04 LTS, 24.10, and 25.04 for the Tomcat library package. ESB-2025.3355 – Google Chrome: CVSS (Max): None Chrome 137 has been released to the stable channel for Windows, Mac, and Linux, featuring multiple fixes and enhancements. This update includes 11 security fixes. ESB-2025.3356 – Mozilla Thunderbird: CVSS (Max): 7.5* Thunderbird 139 addresses multiple critical and moderate vulnerabilities. ESB-2025.3382 – Linux kernel (Raspberry Pi): CVSS (Max): 9.1* Multiple vulnerabilities in the Linux kernel for Raspberry Pi could lead to system crashes or arbitrary code execution. The update addresses issues across numerous kernel subsystems and requires recompiling third-party modules due to ABI changes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, What a week it’s been! AUSCERT2025 kicked off with a bang, delivering a truly unforgettable experience filled with groundbreaking tutorials, exploratory presentations, and engaging initiatives that brought the cyber security community together like never before. The week launched with a diverse lineup of hands-on tutorials covering a wide spectrum of subjects — from network security, security culture and awareness, to many other topical and emerging challenges facing the infosec world today. Each session was led by passionate experts, creating an environment that encouraged learning, sharing, and thought-provoking discussion. This year’s keynote lineup truly raised the bar, featuring three standout leaders who brought bold insights and energy to the AUSCERT2025 stage. Jess Modini, Head of Technology and Security at a stealth startup, impressed with her depth of experience across AWS, ACSC, and Defence, and her ongoing cyber research at UNSW ADFA. Professor Marek Kowalkiewicz from QUT challenged us to rethink AI’s role in society, drawing from his award-winning book The Economy of Algorithms. And finally LTGEN Michelle McGuinness, Australia’s National Cyber Security Coordinator, delivered a standout keynote on national cyber strategy, shaped by decades of high-level intelligence and defence leadership. AUSCERT2025 has once again proven to be more than just a conference – it's a dynamic gathering of minds driving the future of cybersecurity. With cutting-edge tutorials, thought-provoking keynotes, and a strong sense of community, this week has sparked important conversations and inspired new ideas. As we look ahead, the connections made and knowledge shared will continue to shape and strengthen the security landscape across Australia and beyond. Here's to another year of innovation, collaboration, and resilience. Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards Date: 2025-05-19 Author: The Hacker News [AUSCERT has published security bulletins for these Firefox updates] Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. The two exploited zero-day vulnerabilities are CVE-2025-4918 – An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object, and CVE-2025-4919 – An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes. Australia Post issues warning regarding invalid postcode scam Date: 2025-05-16 Author: news.com.au Australia Post has issued an urgent warning to customers as a fresh wave of scam messages and emails sweeps across the country. Fraudulent messages impersonating Australia Post claim a parcel delivery was unsuccessful due to an invalid postcode, and requests the recipient to click a link to remedy the issue. The link leads vulnerable customers to a page that appears similar to Australia Post’s website, and prompts them to provide personal details and information. CISA tags recently patched Chrome bug as actively exploited Date: 2025-05-16 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.3057] On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser. Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google released security updates to patch it on Wednesday. As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages. Vic gov to spend $100m on cyber security Date: 2025-05-21 Author: iTnews The Victorian government will spend $100 million strengthening cyber security across government agencies as one of the topline technology-related measures in the state budget. The funding will cover work to “identify threats, protect against attacks, and respond to incidents”, the government said in budget papers. 100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads Date: 2025-05-20 Author: The Hacker News Since February 2024, an unknown threat actor has been creating malicious Chrome Browser extensions which masquerade as legitimate extensions. They provide the advertised features while running malicious code in the background. This enables the threat actor to steal cookies and credentials, session hijack, inject ads, and create phishing pages using DOM manipulation. Google has since taken down the identified extensions and recommends that users only install extensions from verified developers, review the requested permissions, and scrutinize reviews. ESB-2025.3190 – Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL – CVSS (Max): 10.0 Successful exploitation of this vulnerability could allow an attacker to perform unauthenticated remote code execution. All versions are affected. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. ESB-2025.3212 – Linux kernel (Raspberry Pi Real-time) – CVSS (Max) 8.1* A large number of security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. The problem can be corrected by updating your system to the package versions stipulated in the bulletin. ESB-2025.3244 – Tomcat – CVSS (Max) 9.8 Tomcat could expose sensitive files or run programs if it received specially crafted network traffic. A remote attacker could possibly use this issue to access sensitive files, inject malicious content, or execute remote code. The problem can be corrected by updating your system. ESB-2025.3253 – Cisco Identity Services Engine (ISE) – CVSS (Max) 8.6 A vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. ESB-2025.3131 – xrdp – CVSS (Max) 9.8 Several vulnerabilities were discovered in xrdp, a Remote Desktop Protocol (RDP) server. For Debian 11 bullseye, these problems have been fixed in version 0.9.21.1-1~deb11u2. It is recommended to upgrade xrdp packages. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Just a few more sleeps until AUSCERT2025 kicks off! Registrations are closing soon, so if you haven’t secured your spot yet, now’s the time—don’t miss out! This year promises to impress with a fantastic line-up of empowering tutorials, thought-provoking speakers, and plenty of fun activities. Check out the full program here! This week we saw further examples of vulnerabilities in information security devices being actively exploited in the wild, namely Ivanti and Fortinet. Such devices are commonly deployed at the network edge of organisations, making them visible to anyone on the Internet and always on. Threat actors have been consistently observed specifically targeting these kinds of vulnerabilities and exploiting them. The ACSC released a critical alert for Ivanti products, highlighting how multiple moderate severity vulnerabilities can be chained together to produce potentially significant impacts. Multiple vulnerabilities in Fortinet products have also been observed being exploited, some of which have a CVSS rating of 9.8 (Critical). The Australian Taxation Office (ATO) has issued a warning about fraudulent websites disseminating false information regarding changes to superannuation preservation and withdrawal rules, purportedly effective from 1 June 2025. Deputy Commissioner Emma Rosenzweig confirms that the preservation age remains at 60 for individuals born on or after 1 July 1964. The ATO advises relying on official sources for accurate information and cautions against unofficial websites and unsolicited advice that may attempt to collect personal information. Verifying the credentials of tax professionals through the Tax Practitioners Board is also recommended. SAP patches second zero-day flaw exploited in recent attacks Date: 2025-05-13 Author: Bleeping computer SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April. ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files Date: 2025-05-12 Author: The Hacker News ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution. DriverHub is a tool that's designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a dedicated site hosted at "driverhub.asus[.]com." FortiOS Authentication Bypass Vulnerability Lets Attackers Take Full Control of Device Date: 2025-05-13 Author: Cyber Security News [AusCERT has identified the impacted members (where possible) and contacted them via email] Fortinet has disclosed a significant security vulnerability affecting multiple Fortinet products, allowing attackers to bypass authentication and gain administrative access to affected systems. The vulnerability, CVE-2025-22252 (Missing Authentication for Critical Function), affects FortiOS, FortiProxy, and FortiSwitchManager products configured to use TACACS+ with ASCII authentication. Hackers now testing ClickFix attacks against Linux targets Date: 2025-05-12 Author: Bleeping Computer A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware. These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware. Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks Date: 2025-05-14 Author: The Hacker News [AUSCERT has identified and contacted potentially impacted members where possible] Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below – CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system ASB-2025.0098 – Microsoft Windows: CVSS (Max): 8.8 Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities, including five zero-day flaws currently under active exploitation. Among these, two critical elevation-of-privilege bugs in the Windows Common Log File System (CLFS) driver (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM-level access, calling for immediate patching. ESB-2025.2958 – Apple iOS 18.5 and iPadOS 18.5: CVSS (Max): 7.8* Apple has released iOS 18.5 and macOS updates to address critical vulnerabilities that could allow attackers to execute arbitrary code simply by opening malicious images, videos, or websites. ESB-2025.3015 – Juniper Secure Analytics: CVSS (Max): 9.8 Juniper Networks has patched nearly 90 vulnerabilities in its Secure Analytics virtual appliance, which collects security events from network devices, endpoints, and applications. These vulnerabilities have been resolved in 7.5.0 UP11 IF03. ESB-2025.3070 – Intel Processors: CVSS (Max): 5.6 Intel has addressed multiple CPU vulnerabilities, including CVE-2024-45332, and is releasing microcode updates to mitigate these threats and protect against potential information leaks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, Mother’s Day is coming up this weekend and while flowers and chocolates are always nice, a more meaningful gift might help your parents to stay safe online. Older generations are increasingly targeted by scammers, often due to limited familiarity with digital technology. Cyber criminals exploit this lack of understanding through phishing emails, fake calls, and deceptive websites designed to steal personal or financial information. Taking the time to show your parents how to spot scams, use strong passwords, and update their devices can go a long way to protect them. It’s a gift that offers peace of mind and empowers them to navigate the digital world more confidently. We’re thrilled to announce that Jess Modini has joined our lineup of keynote speakers for AUCERT2025! Jess is a highly accomplished technology leader, academic, and security researcher. She brings a wealth of experience as a global keynote speaker, inventor, and advisory board member. Jess is currently the Head of Technology and Security at a stealth-mode startup set to launch in 2025. Her impressive career includes senior roles at Amazon Web Services, the Australian Cyber Security Centre, and the Australian Department of Defence. Jess holds five masters degrees and is completing a Doctorate in Cyber Security at UNSW’s Australian Defence Force Academy, where she also teaches and conducts cutting-edge research. Her current work focuses on advanced persistent threat (APT) detection and cyber epidemiology in collaboration with global partners. We’re honoured to have Jess share her insights and expertise at AUCERT 2025. With less than a couple of weeks to go, excitement is building as we prepare to reconnect with our community and hear from an outstanding lineup of speakers. Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise Date: 2025-05-06 Author: Security Week Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns. The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it. Microsoft Warns of Attackers Exploiting Misconfigured Apache Pinot Installations Date: 2025-05-06 Author: Security Week Research conducted by Microsoft into the security of Kubernetes installations revealed that threat actors have targeted misconfigured Apache Pinot instances. Apache Pinot is an open source real-time analytics platform designed for querying large datasets with high speed and low latency. Pinot is used by some of the world’s biggest companies, including Walmart, Uber, Slack, LinkedIn, Wix and Stripe. In the case of Kubernetes installations, the official Apache Pinot documentation does not inform users that the default configuration is highly insecure and can expose sensitive user data. Second Ransomware Group Caught Exploiting Windows Flaw as Zero-Day Date: 2025-05-07 Author: Security Week [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2025.0059/, https://portal.auscert.org.au/bulletins/ASB-2025.0053/] Multiple ransomware groups appear to have exploited a recently patched Windows vulnerability as a zero-day, Symantec reported. The vulnerability in question is tracked as CVE-2025-29824 and it was patched by Microsoft with its April 2025 Patch Tuesday updates. The flaw impacts the Windows Common Log File System (CLFS) and it can be exploited by an attacker to escalate privileges. PoC Published for Exploited SonicWall Vulnerabilities Date: 2025-05-05 Author: Security Week The US cybersecurity agency CISA added two SonicWall flaws to the Known Exploited Vulnerabilities (KEV) catalog on the same day that proof-of-concept (PoC) exploit code targeting them was published. The exploitation of the two security defects, tracked as CVE-2023-44221 and CVE-2024-38475, came to light last week, when SonicWall updated its advisories to flag them as targeted in attacks. Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025 Date: 2025-05-07 Author: GB Hackers The healthcare sector has emerged as a prime target for cyber attackers, driven by the increasing reliance on cloud applications and the rapid integration of generative AI (genAI) tools into organizational workflows. According to the Netskope Threat Labs Report for Healthcare 2025, cybercriminals are exploiting trusted platforms like GitHub, with 13% of healthcare organizations experiencing malware downloads from the developer hub each month. ESB-2025.2740 – Google Android: CVSS (Max): 8.1* Google's May 2025 Android update patches 47 vulnerabilities, including an actively exploited zero-day (CVE-2025-27363) in the FreeType library that could allow remote code execution. The update applies to Android versions 13, 14, and 15, and users are urged to update immediately to stay protected. The zero-day, as confirmed by Google, may be under limited, targeted exploitation. ESB-2025.2790 – Google Chrome: CVSS (Max): None Google has released a critical Chrome update (version 136.0.7103.92/.93) to patch CVE-2025-4372, a Use-After-Free vulnerability in the WebAudio component. The flaw allows remote code execution via malicious HTML with minimal user interaction and no special privileges.Chrome's WebAudio component has been targeted before, with past vulnerabilities like CVE-2023-6345 and CVE-2024-0224 revealing ongoing security challenges tied to the complexity of audio processing in web browsers. ESB-2025.2902 – Cisco IOS XE Wireless Controller Software: CVSS (Max): 10.0 Cisco has patched a critical vulnerability (CVE-2025-20188) in IOS XE for Wireless LAN Controllers, caused by a hard-coded JSON Web Token. This flaw allows unauthenticated remote attackers to fully compromise affected devices by impersonating authorised users. Rated CVSS 10.0, the issue affects the Out-of-Band AP Image Download feature and poses a severe security risk. ESB-2025.2899 – GitLab Community and Enterprise Edition: CVSS (Max): 6.8 GitLab has released versions 17.11.2, 17.10.6, and 17.9.8 for CE and EE with critical bug and security fixes. These updates patch three medium-severity vulnerabilities: a Device OAuth bypass (CVE-2025-0549), a GitHub import DoS exploit (CVE-2024-8973), and a group IP restriction bypass (CVE-2025-1278). Stay safe, stay patched and have a good weekend! The AUSCERT team