Week in review

AUSCERT Week in Review for 3rd November 2023

Greetings,

This week, many of us excitedly dusted off our costumes and indulged in Halloween celebrations. The tradition is gradually gaining more traction in Australia, with an increasing number of children embracing the thrill of trick-or-treating. Both youngsters and adults enthusiastically engage in the festivities, dressing in a wide variety of costumes ranging from monsters to fairies. This festive time also provides a good opportunity for our children to learn about the various personas people can adopt in our community and digital world, some helpful and some unfortunately harmful.

Cyber security threats can be highly detrimental to an organisation’s reputation, financial stability and overall success. Gone are the days of cyber security being solely the IT department’s responsibility. Today, leadership at all levels must actively support policies and practices throughout the organisation. Fostering a progressive and active cyber security culture within the workplace is crucial for achieving organisational resilience. Leaders and senior executives are now expected to possess a comprehensive understanding of cyber security risk management to ensure the safety and well-being of their organisation and its stakeholders.

In a surprising development on Monday that has spooked some in the cyber security community, the US Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Timothy Brown, with fraud and internal control failures for allegedly misleading investors about the company’s cyber security practices and known risks. While this case is still unfolding, it serves as a valuable learning experience for us all. It underlines the critical importance of actively implementing strong cyber security risk management practices, and of leaders possessing a comprehensive understanding of the cyber security risks relevant to their organisation and leading accordingly.

Instead of jumping to conclusions, we should use this case as an opportunity to reflect on the significance of cyber security risk within organisations and the detrimental impacts that deceptive behaviour can have.

AUSCERT recognises the increasing demands and pressures on leadership to possess cyber security risk management knowledge and skills. Therefore, we have launched a new training course designed to empower leaders in this critical area. The Cyber Resilience for Senior Executives course equips participants with the knowledge and skills required to lead their organisation’s strategic response to the cyber security challenge and improve organisational resilience. The course is suitable for senior executives of any background; no technical knowledge is required.

Critical vulnerability found in Atlassian Confluence software
Date: 2023-11-01
Author: iTnews
[AUSCERT has identified the impacted members (where possible) and contacted them via email. Also please see our bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6313]
The company’s advisory for CVE-2023-22518 attributed a message to the company’s CISO, Bala Sathiamurthy, saying that users are “vulnerable to significant data loss” if the vulnerability is exploited. “There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy wrote.

RCE exploit for Wyze Cam v3 publicly released, patch now
Date: 2023-10-30
Author: Bleeping Computer
A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices. Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more. Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.

3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online
Date: 2023-11-01
Author: Bleeping Computer
Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability. Apache ActiveMQ is a scalable open-source message broker that fosters communication between clients and servers, supporting Java and various cross-language clients and many protocols, including AMQP, MQTT, OpenWire, and STOMP.

Citrix Bleed: Mass exploitation in progress (CVE-2023-4966)
Date: 2023-10-30
Author: Help Net Security
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.5826.2]
CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being mass exploited by threat actors. According to security researcher Kevin Beaumont’s cyber security industry sources, one ransomware group has already distributed a Python script to automate the attack chain to its operators, and other groups have started leveraging a working exploit.

New CVSS 4.0 vulnerability severity rating standard released
Date: 2023-11-01
Author: Bleeping Computer
The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. CVSS is a standardised framework for assessing the severity of software security vulnerabilities. It assigns a numerical score, and a qualitative rating (low, medium, high or critical), based on exploitability, required privileges and impact on confidentiality, integrity and availability, with higher scores denoting more severe vulnerabilities.
ESB-2023.6234.3 – UPDATED ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8
F5 is warning BIG-IP admins about the recently disclosed Configuration utility unauthenticated remote code execution vulnerability (CVE-2023-46747).

ESB-2023.6266 – IBM Security QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. IBM has released fixes addressing the relevant CVEs.

ESB-2023.6321 – Zavio IP Camera: CVSS (Max): 9.8
Users of Zavio IP cameras are strongly urged to replace their devices, since updates to patch these vulnerabilities will not be made available.

ESB-2023.6344 – ALERT Tenable Security Center: CVSS (Max): 9.8
Tenable has discovered vulnerabilities in Tenable Security Center and released a critical patch to address them.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Peter Newman

Utilising AUSCERT’s services in the gambling industry, Peter Newman has a long history with AUSCERT. Initially working for the University of Queensland (UQ), Peter Newman is now the Head of Threat at The Lottery Corporation. Providing insight into AUSCERT’s services and predicting its future, check out Peter’s AUSCERT connection story.

What motivated your organisation to become a member?

The Lottery Corporation is only a year old, recently splitting from Tabcorp. As a flow-on organisation of Tabcorp we utilise the same services. As Tabcorp were already AUSCERT members, we decided to continue the same framework with an AUSCERT membership for The Lottery Corporation.

As an AUSCERT member, what are the key benefits?

The Lottery Corporation use the bulletin service, which is a primary feed into our vulnerability management program. We also use AUSCERT’s seven-day feed for malware URLs. With this resource, we look at the domains our users are visiting, and if that domain is listed as a malicious URL, we investigate further.

How has AUSCERT evolved over the years?

When I began with AUSCERT, they were focused on incident response. Currently, AUSCERT has been developing its threat intelligence resources and the feeds associated with that. Another aspect that AUSCERT has done well over the years is maintaining relationships with other CERTs around the world – enabling them to become highly efficient at phishing takedowns.

What advice would you give to someone considering becoming an AUSCERT member?

Understanding what AUSCERT can do for you is a challenge; a lot of the people that become members only use one or two services. Knowing everything AUSCERT can do for your business is the best advice I can give.

What do you think the future holds for AUSCERT?

AUSCERT will need to continually pivot even though its staples are solid. As a community organisation, AUSCERT must keep adjusting to the community itself and how it changes. I predict AUSCERT will continue to grow in the threat intelligence area and more in education.

What sets AUSCERT apart from other organisations in the cyber security space?

Being vendor-agnostic specifically sets AUSCERT apart – everybody in cyber security is trying to sell you something. Although AUSCERT is selling you something, it’s in a not-for-profit method. Due to this, AUSCERT can leverage their community to feedback on itself.
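The check Peter describes, matching the domains users visit against a malicious-URL feed, as an added example that is neither AUSCERT’s nor The Lottery Corporation’s code. It assumes the feed is one URL per line (possibly defanged with hxxp and [.]), and a proxy log with one request per line in a simple space-separated layout; both inputs below are constructed. A listed host also covers every subdomain beneath it, and each hit records whether the match was on the exact host or on a parent domain, since a parent-domain hit on shared hosting deserves a closer look before it is treated as malicious.

```python
"""Match proxy-log hostnames against a malicious-URL feed (added example)."""
from urllib.parse import urlsplit

# Constructed feed sample, one URL per line; feeds are often defanged.
FEED = """\
http://phish.example.net/login/verify.php
https://cdn.bad-host.example.org:8443/payload.bin
# comment lines and blank lines are ignored

hxxp://defanged[.]example[.]com/x
"""

# Constructed proxy log: timestamp client method host path status
PROXY_LOG = """\
2023-11-01T09:12:03Z 10.1.2.3 GET www.example.com /index.html 200
2023-11-01T09:12:07Z 10.1.2.4 GET phish.example.net /login/verify.php 200
2023-11-01T09:13:55Z 10.1.2.5 GET login.phish.example.net /c 302
2023-11-01T09:14:10Z 10.1.2.6 GET defanged.example.com /x 200
"""


def refang(url: str) -> str:
    """Undo the common hxxp / [.] defanging so urlsplit can parse the URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def feed_domains(feed: str) -> set:
    """Extract the normalised hostname from every URL in the feed."""
    domains = set()
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = urlsplit(refang(line)).hostname  # drops scheme, port and path
        if host:
            domains.add(host.lower().rstrip("."))
    return domains


def listed_domain(host: str, domains: set):
    """Return the feed entry covering host (the host itself or a parent), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def find_hits(log: str, domains: set) -> list:
    """One record per log line whose host is covered by the feed."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line
        ts, client, _method, host, path, _status = fields[:6]
        listed = listed_domain(host, domains)
        if listed is None:
            continue
        hits.append({
            "ts": ts,
            "client": client,
            "host": host,
            "path": path,
            "listed": listed,
            "exact": listed == host.lower().rstrip("."),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hits(PROXY_LOG, feed_domains(FEED)):
        kind = "exact" if hit["exact"] else "parent"
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"]}{hit["path"]} ({kind}: {hit["listed"]})')
```

Only the host is compared, so a feed entry for a specific path on an otherwise benign site will flag every request to that site; keep the full URL from the feed alongside the hit if you need to confirm the path before escalating.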


AUSCERT 30 Years 30 Stories – David Stockdale

With a professional and ethical approach to delivering cyber security throughout Australia, the AUSCERT 30 Years 30 Stories would be incomplete without sitting down with current AUSCERT Director, David Stockdale. Praising AUSCERT’s trust and influential community, David’s insight into what sets our organisation apart is a heart-warming read.

How did you first become involved with AUSCERT, and what motivated you to apply for your position?

The Director of AUSCERT position was included in a job that I applied for at the University of Queensland. It was the area I least understood in the role, and yet it’s become the piece I adore most.

How do you think AUSCERT has evolved over the years? What do you think our future holds?

AUSCERT has experienced plenty of change in the last three decades – 30 years ago, AUSCERT was one of the first computer emergency response teams in the world. What AUSCERT provided then was unique, but there are now many big players in the sector. We’ve evolved to provide new and niche offerings that other companies are not able to provide. As AUSCERT is a not-for-profit organisation, we’re neither government-aligned nor commercial, and we’re able to establish an element of trust. This trust is our superpower and means we can provide services others can’t.

What are the key benefits of being a part of the AUSCERT community?

AUSCERT transcends more than just its members, age, services and employees; it’s much bigger than that. To be part of an organisation that aims to provide good services and lift the security of our community is a fantastic cause.

What advice would you give to a prospective AUSCERT member?

Do it! Looking at the low cost of our services, it’s easy to assume that they are not worth a lot. That couldn’t be further from the truth. Once you start using AUSCERT and leveraging our offerings, you’ll find there’s value-upon-value-upon-value. That said, the real value of being an AUSCERT member is not necessarily the services, but the community we create, whether it’s through our conference or events. We connect sectors together, and it’s this quality that separates us from others. When you’re an AUSCERT member, you become part of a trusted community.

What do you believe sets AUSCERT apart from other organisations in the cybersecurity space?

It’s AUSCERT’s not-for-profit qualities – we aren’t aligned to any vendors so we are, in some ways, a trusted free spirit. This trust is what sets AUSCERT apart; and we do the best cybersecurity conference in Australia, without a doubt.

AUSCERT, Happy 30th Birthday! You are the best organisation I’ve ever known, and I’m so proud to be part of it.


AUSCERT Week in Review for 27th October 2023

Greetings,

AUSCERT2024 has officially launched! The countdown is on for another year of exciting tutorials, presentations, workshops and more! This year’s theme, ‘Pay it Forward’, is about discovering the power of amplifying your impact in the realm of cyber security and highlighting the significant influence that everyone’s actions can create. It promotes the idea that sharing knowledge and collaborating can cause a ripple effect, strengthening the broader community. This year, consider paying it forward by sharing your knowledge and expertise at our conference, either through tutorials or presentations. Your insights have the potential to create a significant impact and further advance the industry.

The Call for Tutorials is now open and will run until November 10th. Once tutorial submissions close, we will open the Call for Presentations. We extend a warm invitation to anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent mentoring support for speakers to ensure a successful experience. Sponsorship opportunities are also now available, and you can access the sponsorship prospectus for more information on how you can get involved.

In other news, AUSCERT recently participated in the 2023 ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID). This annual drill, hosted by Singapore since 2006, tests incident response capability and strengthens cyber security preparedness and cooperation among CERTs in ASEAN member states and Dialogue Partners. This year’s ACID tested the CERTs’ preparedness against multi-pronged attacks arising from hacktivism. This theme was chosen due to the increasing frequency and sophistication of global cyber attacks motivated by ideological beliefs. Such attacks typically combine Distributed Denial-of-Service, data breaches and wiper malware against government websites, financial institutions, media outlets and similar targets. This year, SingCERT moderated a new exercise using realistic scenarios as a practical way to test participants’ knowledge and expertise in the field. AUSCERT takes pride in participating in this drill annually, as it plays a pivotal role in enhancing cooperation, facilitating the exchange of experiences, and fostering awareness of emerging cyber attack trends.

Critical RCE flaws found in SolarWinds access audit solution
Date: 2023-10-20
Author: Bleeping Computer
Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges. SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more.

VMware fixes critical code execution flaw in vCenter Server
Date: 2023-10-25
Author: Bleeping Computer
[AUSCERT has also identified the impacted members (where possible) and contacted them via email]
VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to achieve remote code execution on vulnerable servers. The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation.

US energy firm shares how Akira ransomware hacked its systems
Date: 2023-10-23
Author: Bleeping Computer
In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached its networks and stole data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches
Date: 2023-10-24
Author: Security Week
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6197]
The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day. Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled.

1Password detects “suspicious activity” in its internal Okta account
Date: 2023-10-24
Author: Ars Technica
1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday. “On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

ESB-2023.6140 – Atlassian Products: CVSS (Max): 10.0
Atlassian has identified multiple vulnerabilities in their products, with two classified as critical. To ensure the security of their customers, Atlassian strongly advises upgrading to the latest version.

ASB-2023.0221 – Okta support case management system
Okta has recently experienced a cyber incident concerning their support case management system. In response, AUSCERT recommends that its members promptly implement the suggested mitigation measures to address any potential risks.

ESB-2023.6197 – ALERT Rockwell Automation Stratix 5800 and Stratix 5200: CVSS (Max): 10.0
Rockwell Automation has issued patches to address a critical vulnerability found in Stratix 5800 and Stratix 5200. If successfully exploited, this vulnerability could grant an unauthenticated attacker control of the affected system. It is strongly advised to apply the provided patches to mitigate this risk.

ESB-2023.6234 – ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8
A control plane issue which allows an attacker to execute arbitrary system commands has been fixed in the BIG-IP Configuration Utility component.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT 30 Years 30 Stories – Heath Marks

Partnering with AUSCERT for 13 years, Heath Marks is the CEO of the Australian Access Federation (AAF), which provides the National Authentication Framework for Australian Higher Education Research. Assisting the Federal Government’s National Research Infrastructure Strategy, Heath leads development in the trust and identity sector. Through a mutual partnership with AUSCERT, Heath shares the benefits of aligning with cooperative communities like ours.

What is your biggest takeaway from AUSCERT’s service?

Working in the trust and identity environment, we are naturally linked to cyber security. Being aligned with AUSCERT’s deliverables and leveraging their services is highly important to us. Additionally, joining the community and further advancing the cyber security industry as a national strategy is considered invaluable to us at AAF. An initiative that the AAF and AUSCERT have partnered on from the beginning is the establishment of the Australasian Higher Education Cyber Security Service (AHECS). Together with the entire AHECS group, we collectively advance cyber security initiatives within the sector.

How long have you been an AUSCERT member?

The AAF have been AUSCERT members from the very beginning. We began with the certificate service and later continued that relationship throughout the years. AUSCERT provide training, support, engagement and a number of useful services that we enjoy engaging with as a team.

What advice would you give to those considering becoming an AUSCERT member? Why do you think the AUSCERT membership is valued in organisations?

It’s critical that we’re part of initiatives like AUSCERT. A key distinction of AUSCERT is that it’s a service delivered for the sector, by the sector. AUSCERT is a shared, cost-effective service. The membership costs are very low for the value you receive. There’s a plethora of cyber security services available, the majority of which are expensive and often questionable. Being part of a passionate community, catered to sharing intelligence and knowledge on cyber security, is vital and important – it’s the reason why we’re AUSCERT members.

As AUSCERT turns 30, do you want to add anything else?

Congratulations, AUSCERT, for making 30 years! AUSCERT is an integral part of the sector and we appreciate everything you do in supporting us, delivering what we need for our customers, our colleagues, and our daily jobs. Thank you very much.


AUSCERT 30 Years 30 Stories – Duke Erdenebat

One of AUSCERT’s security analysts, Duke Erdenebat, shares how AUSCERT enables him to make positive contributions to the cybersecurity industry. Duke’s day-to-day work involves writing code, scripting, automation and a multitude of services that assist AUSCERT members. Inspired by AUSCERT’s goodwill, check out Duke’s AUSCERT connection story.

Within your time in your role, what are the key benefits you’ve experienced?

The main benefit has undoubtedly been AUSCERT’s not-for-profit status, with a focus on its members. This focus doesn’t just end with members but extends to the whole of Australia and the globe. We attempt to reach people who are in danger and try to enrich them.

What do you envision for AUSCERT within the next 5 to 10 years?

The current AUSCERT service is fantastic. But recently, we’re trying to integrate the Malware Information Sharing Platform (MISP) in an attempt to share more information. This is an area where individuals can share threat activity and threat actors, helping others find indicators of compromise. In the future, I believe our MISP integration will be strong enough to encourage members to check threats themselves.

What advice would you give to someone considering becoming an AUSCERT member?

Those considering an AUSCERT membership should research what AUSCERT services could benefit them and contact our team directly. Simply look through AUSCERT’s services – there are educational programs and plenty more – and see what AUSCERT is doing differently from other security companies.

What does the AUSCERT community mean to you?

AUSCERT has been around for 30 years – which means the community is robust. There are plenty of people who know about AUSCERT, and whom AUSCERT know personally. If there’s a new source of information or incident, there’s open communication and sharing of that information, which makes it a great community to be a part of.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT has utmost respect for its members and there’s open communication of information, through Slack channels, MISP events and emails.


AUSCERT Week in Review for 20th October 2023

Greetings,

Yesterday we successfully launched our new Cyber Resilience for Senior Executives training course in Brisbane. Conducted by one of our most experienced Principal Analysts and a highly knowledgeable industry partner, the course gave participants the valuable opportunity to grasp key concepts through real-world examples. Senior executives play a key role in making strategic decisions that shape their organisations’ risk management. Understanding the importance of cyber resilience allows them to factor cyber security considerations into long-term planning, investment and resource allocation decisions. This course shows leaders why they must keep adapting and evolving their approach to cyber security risk management to ensure organisational resilience.

Ransomware continues to be a persistent threat, disrupting critical services, businesses and communities on a global scale. Alarmingly, a significant number of these incidents are carried out by ransomware actors exploiting well-documented vulnerabilities, and organisations may be unaware that these vulnerabilities exist within their networks. CISA identifies and documents vulnerabilities that are known to be used by ransomware operators. Recently they have also updated their Known Exploited Vulnerabilities (KEV) catalogue to include a new field that identifies whether a vulnerability has been exploited in ransomware attacks; this information has been incorporated into AUSCERT Security Bulletins. CISA has also released a second resource that serves as a companion to the KEV: a list of misconfigurations and weaknesses exploited by ransomware operators that are not CVE-based.

To conclude, we would like to bring your attention to an exciting upcoming event that is being held jointly by AWSN, Queensland Police and APIO: “Brisbane’s Hacking the Human: Understanding Social Attacks”. This session is designed to unveil the secrets behind social engineering attacks and instruct participants on the tactics employed by cyber criminals to exploit human vulnerabilities. Our Principal Analyst, Mark Carey-Smith, will be among the experts guiding you through the fundamental aspects of these attacks. You will also gain insight into the associated legal aspects and the role of law enforcement in combatting cybercrime. By the end of this session, you will be equipped to identify common social engineering tactics and develop effective defence strategies to protect your personal and professional data.

Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
Date: 2023-10-16
Author: CISA
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware
Date: 2023-10-13
Author: SecurityWeek
The US cybersecurity agency CISA is stepping up its efforts to prevent ransomware by making it easier for organizations to learn about vulnerabilities and misconfigurations exploited in these attacks. The first of these resources is a new column in the Known Exploited Vulnerabilities catalog, which flags flaws that CISA is aware of being associated with ransomware campaigns. The other new resource CISA is offering is a new table on the StopRansomware project’s website, which lists information on the misconfigurations and weaknesses that ransomware operators have been observed targeting in their attacks.

Over 10,000 Cisco devices hacked in IOS XE zero-day attacks
Date: 2023-10-17
Author: Bleeping Computer
Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect more than 10,000 Cisco IOS XE devices with malicious implants. The list of products running Cisco IOS XE software includes enterprise switches, aggregation and industrial routers, access points, wireless controllers, and more.

Ransomware Attacks Double: Are Companies Prepared for 2024’s Cyber Threats?
Date: 2023-10-13
Author: The Hacker News
Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies.

Russia and China-linked hackers exploit WinRAR bug
Date: 2023-10-19
Author: The Record
Hackers connected to the governments of Russia and China are allegedly using a vulnerability in a popular Windows tool to attack targets around the world, including in Ukraine and Papua New Guinea. Google’s Threat Analysis Group said that in recent weeks it has seen multiple government-backed groups exploiting CVE-2023-38831, a vulnerability affecting the Windows file archiver tool WinRAR. The bug, which has been patched, was initially exploited by criminal groups throughout early 2023.

ESB-2023.6043 – ALERT Cisco IOS XE Software: CVSS (Max): 10.0
A critical vulnerability has been identified in Cisco IOS XE software. AUSCERT has sent MSINs to the affected members regarding this vulnerability.

ESB-2023.6064 – Jira Service Management Server and Data Center: CVSS (Max): 8.4
An XXE vulnerability in Jira products has been addressed by Atlassian.

ESB-2023.6078 – Google Chrome: CVSS (Max): None
Google has released updates to Chrome which include one security fix.

ASB-2023.0192 – ALERT Oracle PeopleSoft: CVSS (Max): 9.8
This critical patch update contains five new security patches for Oracle PeopleSoft.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
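How the new ransomware flag in the KEV catalogue can drive triage of a vulnerability inventory, as an added example that is neither AUSCERT’s nor CISA’s code. CISA’s KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) carries the flag as the field knownRansomwareCampaignUse, with the values “Known” or “Unknown”. The feed excerpt and the scanner inventory below are constructed placeholders (CVE-0000-000x, not real entries) in that shape, so the example runs offline; in practice you would load the downloaded feed and the CVE list exported from your scanner.

```python
"""Triage a CVE inventory against CISA KEV, ransomware-flagged entries first (added example)."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE IDs are
# placeholders (year 0000), not real entries, and the flags are illustrative.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "placeholder appliance", "dateAdded": "2023-10-05",
     "dueDate": "2023-10-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "placeholder router OS", "dateAdded": "2023-10-17",
     "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "product": "placeholder archiver", "dateAdded": "2023-10-24",
     "dueDate": "2023-11-14", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed scanner output: CVEs present in the environment, duplicates included.
SAMPLE_INVENTORY = ["CVE-0000-0003", "CVE-0000-0001", "CVE-0000-0002",
                    "CVE-0000-0009", "CVE-0000-0001"]


def load_kev(raw_json: str) -> dict:
    """Index the feed by CVE ID."""
    data = json.loads(raw_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(inventory, kev: dict, today: date) -> dict:
    """Bucket inventory CVEs: used in ransomware, other KEV, not in KEV.

    Each KEV bucket is sorted by CISA due date and flags entries already overdue."""
    ransomware, kev_other, not_in_kev = [], [], []
    for cve in sorted(set(inventory)):
        entry = kev.get(cve)
        if entry is None:
            not_in_kev.append(cve)
            continue
        record = {
            "cve": cve,
            "dueDate": entry["dueDate"],
            "overdue": date.fromisoformat(entry["dueDate"]) < today,
        }
        # Older feed snapshots predate the field, so a missing value counts as "Unknown".
        if entry.get("knownRansomwareCampaignUse", "Unknown") == "Known":
            ransomware.append(record)
        else:
            kev_other.append(record)
    return {
        "ransomware": sorted(ransomware, key=lambda r: r["dueDate"]),
        "kev": sorted(kev_other, key=lambda r: r["dueDate"]),
        "other": not_in_kev,
    }


def triage_sample(today_iso: str = "2023-10-20") -> dict:
    """Run the triage over the constructed feed and inventory."""
    return triage(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = triage_sample()
    for bucket in ("ransomware", "kev"):
        for r in result[bucket]:
            flag = " OVERDUE" if r["overdue"] else ""
            print(f'{bucket:10} {r["cve"]} due {r["dueDate"]}{flag}')
    print("not in KEV:", ", ".join(result["other"]))
```

The "other" bucket is not safe to ignore: it only means CISA has no evidence of exploitation yet, which is exactly the gap the companion list of non-CVE misconfigurations and weaknesses is meant to cover.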


AUSCERT 30 Years 30 Stories – Mark Carey-Smith

A staff member of AUSCERT for the past two and a half years, but a long-time member, Mark Carey-Smith is AUSCERT’s Principal Analyst. Mark is a proud employee of an organisation whose sole focus is to benefit its members and the wider community, and continues to improve AUSCERT’s educational offerings and other services.

What motivated you to apply for a job at AUSCERT?

With thanks to the conference, I had six or seven years of experience with AUSCERT. I knew some of AUSCERT’s main employees and had developed a good relationship with them over the years. I wanted to pursue cyber security education more, so I spoke with AUSCERT about how I could contribute to the development and improvement of AUSCERT’s educational services.

What are some of the key benefits you’ve experienced being a part of the AUSCERT community?

Community is the main word – at events, when we’ve run into members, community always comes up. A tight-knit community is certainly how I envisaged AUSCERT both before I was a staff member and now that I am, and there’s no doubt a micro-community between AUSCERT, its staff and members.

How has AUSCERT evolved over the years that you’ve been with them?

With my experience with AUSCERT as both a member and now employee, I’ve been involved with AUSCERT for about eight years in total. Some of the ways that we’ve evolved have been in the maturing of existing services and the development of new services. There are many ways AUSCERT remains true to its roots and community. I think in more recent times, there’s been a focus on getting in touch with our members and understanding their needs. We focus our future development on what our members need from us.

What do you think the future holds for AUSCERT?

I hope that in some ways it’s more of the same. I hope that we expand our range of educational offerings in particular so they suit member needs, and we continue to grow while maintaining our focus on community. Many vendors have no interest in community and just want to take money. With AUSCERT, we’re much more concerned with creating a space that works for the community.

What do you believe sets AUSCERT apart from other organisations in the cyber security industry?

Compared to other vendors, AUSCERT is not-for-profit, meaning we operate in a space where the focus is on our members’ needs. Without a focus on profit margins, we don’t cut corners, dissemble or exaggerate. Unfortunately, the cyber security vendor space is one where there’s some unethical behaviour. The focus on behaving ethically and supporting our mission, which is member-focused, is a main differentiator. As a staff member, I also think one of our differentiators is the way in which we support one another, providing a positive and friendly environment.

What does AUSCERT mean to you?

It all comes back to community. There are different ways you can interpret that word, and there are different ways in which we facilitate and nurture community. The conference is certainly not the only community-focused offering, but it’s a beautiful example of how we collectively create a community space.

Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Hank Opdam

Chief Information Security Officer of Ausgrid, Hank Opdam, has enjoyed a 20-year friendship with AUSCERT. Since attending his first AUSCERT conference in the early 2000s, Hank has partnered with AUSCERT through a variety of companies, valuing AUSCERT's open communication and collaborative services. No matter your company size, Hank recommends an AUSCERT membership.

So how did you first become involved with AUSCERT and what motivated you to become a member?

I was working in financial services at the time, and back then, phishing takedowns were a large gap in the industry. That's where my relationship with AUSCERT first started. These days it's a very different exercise and we've been benefiting from AUSCERT's security bulletins mostly, along with having AUSCERT as a phone-a-friend organisation to bounce ideas and receive assistance with an incident.

What are the key benefits of being an AUSCERT member?

Apart from the services we receive, the bouncing of ideas and bulletins, the other main benefit is the relationship you build with the AUSCERT team. They are a knowledgeable group of people who care and are backed by a community that's grown at conferences each year.

What advice would you give to someone considering becoming an AUSCERT member?

If you're an organisation considering an AUSCERT membership – it's great value, regardless of your company's size. For smaller organisations, there are great insights into the threat landscape and the intelligence they can receive. For bigger organisations, it's about the community, and giving back.

What do you think the future holds for AUSCERT?

Realistically, who knows what the future holds for all things cyber? But one thing that has been clear is that AUSCERT will continue to facilitate events where they'll listen to their members and community – offering to fill the gaps not being filled by others.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT is independent, and not-for-profit. You know the information you'll receive is sound and without influence, and that's helpful when there's so much noise in the cyber security landscape.

Week in review

AUSCERT Week in Review for 13th October 2023

Greetings,

This week was an eventful one for AUSCERT as part of our team journeyed to Melbourne to connect with our members and participate in the prestigious Women in Security Awards ceremony. The 2023 Australian Women in Security Awards was a night filled with grace and charm, as it embraced an enchanting masquerade theme this year. This event served as a wonderful occasion for members of the industry to come together and celebrate the achievements and contributions of both men and women who have played pivotal roles in this field.

AUSCERT is a proud sponsor of the Women in Security Awards, endorsing their initiatives to foster greater diversity and break down gender-related barriers. These awards honour champions who are committed to dismantling gender discrimination in their workplace while advocating for equality within the cyber security industry. Additionally, they acknowledge organisations that are dedicated to fostering a more inclusive and empowering workplace culture. The Women in Security Awards does a great job of shining a spotlight on those who go above and beyond to create an environment that genuinely celebrates all voices and contributes to shaping a brighter and more equitable future for all.

In recent developments, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a cyber security advisory (CSA) that highlights the most common misconfigurations found in large organisations, detailing the tactics, techniques, and procedures (TTPs) malicious actors use to exploit them. The CSA outlines the top 10 misconfigurations, which reveal a prevailing trend of systemic weaknesses within many organisations, even those with well-established cyber security practices. It also provides mitigation advice for network defenders and software manufacturers, including the importance of secure-by-design principles in the software supply chain. This proactive approach can alleviate the strain on defenders, making it essential in the ongoing effort to enhance cyber security resilience.

In conclusion, if you're seeking something engaging to listen to during your commute, be sure to tune in to the newest episode of our Share Today, Save Tomorrow podcast – Episode 27, Celebrating Neurodiversity! Anthony sits down with Shelly and Trinity to discuss neurodiversity and share their advice and experience on creating the best work environment for people who might see and feel the world differently. Bek and our Principal Analyst Mark Carey-Smith sit down in the second half of the episode to discuss our new Cyber Resilience for Executives course and preparations for AUSCERT2024.

HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
Date: 2023-10-10
Author: The Hacker News
[Please see AUSCERT bulletin: ASB-2023.0189]
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10.

New critical Citrix NetScaler flaw exposes 'sensitive' data
Date: 2023-10-10
Author: Bleeping Computer
[Please see AUSCERT bulletin: ESB-2023.5826]
[AUSCERT has also identified the impacted members (where possible) and contacted them via email]
Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances. The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity. However, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to attacks.

curl vulnerabilities ironed out with patches after week-long tease
Date: 2023-10-11
Author: The Register
[See AUSCERT bulletin: ASB-2023.0190]
After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today. Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high."

Australia's home affairs department hit by DDoS attack claimed by pro-Russia hackers
Date: 2023-10-06
Author: The Guardian
The department responsible for Australia's cybersecurity, national security and immigration has confirmed it was hit with a distributed denial-of-service attack on Thursday night that took its website offline for five hours, after a pro-Russia hacker group said it would target the site over Australia's support for Ukraine. The group posted on Telegram on Thursday night that it was targeting the home affairs department with a distributed denial-of-service (DDoS) attack after Australia announced this week that Slinger technology aimed at combating drones would be sent to Ukraine in the push back against the Russian invasion.

GNOME Linux systems exposed to RCE attacks via file downloads
Date: 2023-10-09
Author: Bleeping Computer
A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment. libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions. Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, name of song, and musician, and are also typically paired with the FLAC audio file format.

Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
Date: 2023-10-10
Author: Ars Technica
Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin. The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

ASB-2023.0187 – ALERT Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.4
Microsoft's most recent security patch update resolves vulnerabilities across Microsoft Office, Office Services and Web Apps.

ASB-2023.0182 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft patched 80 vulnerabilities in Windows and Windows Server in its October 2023 Patch Tuesday release.

ESB-2023.5866 – ALERT BIG-IP Configuration utility: CVSS (Max): 9.9
F5 Networks has released fixes for a directory traversal vulnerability in the BIG-IP Configuration utility.

ESB-2023.5861 – ALERT FortiWLM: CVSS (Max): 9.6
Fortinet has issued patches to address a critical unauthenticated command injection vulnerability in FortiWLM.

ESB-2023.5878 – Adobe Photoshop: CVSS (Max): 7.8
Adobe has released an update for Photoshop on both Windows and macOS. The update addresses a critical vulnerability that, if exploited successfully, could result in the execution of arbitrary code.

ESB-2023.5917 – IBM Security QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. IBM has released fixes addressing the relevant CVEs.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
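The curl item above names CVE-2023-38545 but not the versions it touches, and the first thing a practitioner wants after reading it is to know whether the curl on a given host is in scope. The following is an added example, not code from the newsletter or from the curl project: a POSIX shell check that compares a curl version string against the affected range. The range itself (7.69.0 through 8.3.0 inclusive, fixed in 8.4.0) is taken from the upstream curl advisory and is an assumption as far as this page is concerned; the sample version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the newsletter or the curl project): decide whether a
# curl/libcurl version string is in the range affected by CVE-2023-38545.
# Assumption from the upstream curl advisory, not stated on this page:
# versions 7.69.0 through 8.3.0 inclusive are affected; 8.4.0 and later are fixed.
AFFECTED_FROM=7.69.0
AFFECTED_TO=8.3.0

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Compares dot-separated numeric components; a missing component counts as 0,
# so "8.4" and "8.4.0" compare equal.
vercmp() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}          # leading component of each
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac   # drop it
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x:-0}; _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# curl_affected VERSION: exit status 0 if VERSION is inside the affected range,
# 1 otherwise. A trailing tag such as "-DEV" is stripped before comparing.
curl_affected() {
    _v=${1%%[!0-9.]*}
    if [ "$(vercmp "$_v" "$AFFECTED_FROM")" -ge 0 ] &&
       [ "$(vercmp "$_v" "$AFFECTED_TO")" -le 0 ]; then
        return 0
    fi
    return 1
}

# installed_curl_version: second token of the first line of `curl --version`
# ("curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 ..."). Fails if curl is absent.
installed_curl_version() {
    command -v curl >/dev/null 2>&1 || return 1
    curl --version | awk 'NR == 1 { print $2 }'
}

# report VERSION: one-line verdict for a version string.
report() {
    if curl_affected "$1"; then
        printf '%s: affected by CVE-2023-38545, upgrade to 8.4.0 or later\n' "$1"
    else
        printf '%s: not affected\n' "$1"
    fi
}

# Constructed sample versions covering both edges of the range.
for v in 7.68.0 7.69.0 7.88.1 8.3.0 8.3.0-DEV 8.4.0; do
    report "$v"
done

# Then the curl actually installed on this host, if there is one.
if cur=$(installed_curl_version); then
    report "$cur"
fi
```

The check reads the curl tool's own version; applications that link libcurl dynamically inherit the library's version instead, which `curl --version` reports in the `libcurl/X.Y.Z` token on the same line, so on hosts where the two differ, run the comparison against that token as well.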

Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Shelly Mills

Championing AUSCERT's passion for positive change, Shelly Mills shares why she thinks AUSCERT is the best cyber organisation an organisation could partner with. Shelly has attended the AUSCERT conference four years in a row. As the Cyber Security Improvements Manager at the University of Queensland, Shelly attests to AUSCERT's virtues.

How did you first become involved with AUSCERT?

I started my first role at the University of Queensland, right before the AUSCERT conference. I remember having my first one-on-one with my boss, and my question was – can I go to the AUSCERT conference? That's how I initially got involved with AUSCERT – it was the first thing I wanted to do.

What are the key benefits as an AUSCERT member?

A great benefit is the professional development offered by AUSCERT. The amount of professional development and networking you receive from the conference is awesome. Building those networks throughout your industry and other industries, including knowledge sharing, is a great benefit.

How has AUSCERT evolved over the years?

AUSCERT has definitely grown over the years – but a great thing is when you look at the management team at AUSCERT, they're focused on giving back to the community. They strive to understand the community and make sure the services and provisioning align with what the community wants.

What advice would you give someone considering becoming an AUSCERT member?

You've got to join and be an AUSCERT member because they have the best conferences! I know it's hard to justify budgets to go to conferences, but AUSCERT's comes in its membership, so you'll get to go to the conference.

What do you think the future holds for AUSCERT?

I know the AUSCERT management team are going to keep aligning their services to what the community wants. I predict there will be more training on a variety of different topics.

How has your AUSCERT membership impacted your organisation's overall approach to cyber security?

AUSCERT also sits under the University of Queensland, so we're somewhat related. We're very lucky that our Cyber Security Operations Manager has been working with AUSCERT to share knowledge. Therefore, our membership has been very beneficial, especially for our Cyber Security Operations Centre. We learn from AUSCERT analysts how they do things and bring those skills back to our team.

What sets AUSCERT apart from other organisations in the cyber security industry?

Honestly, everyone at AUSCERT goes in with the purest of intentions, wanting to make a positive difference for the cyber security community and the community at large. Unfortunately, that's not true everywhere else. I actually sent both AUSCERT managers an email two days ago saying thank you. They lead with such genuineness, authenticity and care, and that's what makes AUSCERT so special. There's a lot of people in the industry out for profit, who don't care about the community. AUSCERT embodies all that's good within the cyber security industry.
