Week in review

AUSCERT Week in Review for 07th July 2023

Greetings,

Many hackers employ the principles of persuasion to tell you lies and play on your vulnerabilities as a human being to obtain your sensitive information. In our latest episode of ‘Share Today Save Tomorrow’, Anthony sits down with Rachel Tobac, CEO of Social Proof Security, and explores human vulnerabilities in Episode 24: People, People, People, Process and Technology. Rachel explains the importance of verifying the authenticity of any request by employing different tools and methods to confirm the credentials of the sender and by searching for hidden agendas.

In the spirit of full disclosure, giant global corporation Microsoft has been heavily targeted by the hacktivist group ‘Anonymous Sudan’. However, Microsoft has chosen not to disclose specific details of these incidents publicly. Earlier this week, Microsoft denied public claims made by the group regarding a data breach which allegedly resulted in 30 million customer account details being compromised. Anonymous Sudan posted a sample of the stolen data online, offering it for sale, yet Microsoft denied the validity of these allegations. Over a month ago Microsoft experienced a distributed denial of service (DDoS) attack orchestrated by the same group, which resulted in the disruption of several of its services. At the time Microsoft did not provide specific information regarding the attacks, prompting Anonymous Sudan to publicly call them out for their alleged dishonesty and issue threats to teach them a lesson via a statement on their public Telegram channel. It is important to note that the situation is still developing and we are awaiting further updates from Microsoft as the investigation progresses. Only the truth will be able to determine the best possible solution for all the parties implicated. By encouraging open collaboration and information exchange, we strive to collectively strengthen our defences against cyber threats.

We are currently seeking a skilled and driven Senior Security Systems Administrator to join our team. The due date to apply has been extended to Monday 10th July, so if you or anyone you know are interested in joining our team, please apply soon. Apply here

MITRE Updates CWE Top 25 Most Dangerous Software Weaknesses
Date: 2023-07-30
Author: Security Week
The MITRE Corporation has published an updated Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list to reflect the latest trends in the adversarial landscape. The 2023 CWE Top 25 lists the most common and impactful weaknesses leading to serious software vulnerabilities that are often exploited in malicious attacks to take over systems, steal information, or cause denial-of-service (DoS).

Apple, Google, and MOVEit Just Patched Serious Security Flaws
Date: 2023-07-30
Author: WIRED
Summer software updates are coming thick and fast, with Apple, Google, and Microsoft issuing multiple patches for serious security flaws in June. Enterprise software firms have also been busy, with fixes released for scary holes in VMware, Cisco, Fortinet, and Progress Software’s MOVEit products. A significant number of security bugs squashed during the month are being used in real-life attacks, so read on, take note, and patch your affected systems as soon as you can.

Who’s Behind the DomainNetworks Snail Mail Scam?
Date: 2023-07-03
Author: Krebs on Security
If you’ve ever owned a domain name, the chances are good that at some point you’ve received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don’t need, and probably will never receive. Here’s a look at the most recent incarnation of this scam — DomainNetworks — and some clues about who may be behind it. The DomainNetworks mailer may reference a domain that is or was at one point registered to your name and address.

300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug
Date: 2023-07-03
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution with a severity score of 9.8 out of 10, resulting from a heap-based buffer overflow problem in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform. CVE-2023-27997 is exploitable and allows an unauthenticated attacker to execute code remotely on vulnerable devices with the SSL VPN interface exposed on the web.

Cisco not patching Nexus switch vulnerability
Date: 2023-07-06
Author: iTnews
Cisco has disclosed a serious vulnerability in the encryption used in some of its Nexus 9000 switches, but said the bug will not be fixed. “A vulnerability in the Cisco ACI [application-centric infrastructure] multi-site CloudSec encryption feature of Cisco Nexus 9000 Series fabric switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic,” Cisco’s advisory states.

ESB-2023.3824 – Android OS: CVSS (Max): 9.8*
Security vulnerabilities have been identified affecting Android devices. The most severe of these vulnerabilities is in the System component and could lead to remote code execution. Android has released security patches to address all of the issues.

ESB-2023.3818 – Cisco ACI Multi-Site CloudSec: CVSS (Max): 7.4
Cisco warned customers of a high-severity vulnerability impacting Cisco Nexus 9000 Series Fabric Switches in ACI mode. No software updates have been released to resolve the vulnerability. Impacted customers are advised to contact their support organisation to discuss alternative options.

ESB-2023.3817 – Cisco Webex Meetings: CVSS (Max): 5.4
Cisco has released software updates to address multiple vulnerabilities in Cisco Webex Meetings which, if exploited, could result in cross-site scripting or cross-site request forgery attacks.

ESB-2023.3804 – Firefox: CVSS (Max): None
Mozilla Foundation has released fixes for a number of security vulnerabilities in Firefox 115.

ESB-2023.3843 – Nessus Agent: CVSS (Max): 5.9
Tenable has reported vulnerabilities in OpenSSL, which is third-party software used by Nessus Agent for its underlying functionality. Nessus 10.4.1 has been released to address these issues.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 30th June 2023

Greetings,

As we approach the end of the financial year, we find ourselves in a critical season where scammers are actively targeting individuals and businesses. It is important to stay aware this tax time, as scams impersonating the Australian Taxation Office (ATO) are likely to spike in the following weeks. The ATO reported in May this year that they had already received 1,978 reports of impersonation scams, a 70% increase from the previous month. Together let’s explore the primary channels that scammers have recently been using to deceive unsuspecting citizens.

Social Media Scams
The ATO has reported a huge increase in social media accounts impersonating them on Facebook, Twitter, Instagram, and other platforms. Fake accounts have been asking users to send their personal and sensitive information to help process their enquiry. The best way to verify an account is to investigate its followers and recent activity to see if there is anything suspicious. The ATO’s Facebook and LinkedIn accounts have over 200,000 followers and its Twitter account has over 65,000. Also, they should have been operating for over 10 years and have a verified tick next to their account name.

Phone & SMS Scams
Phone scams impersonating the ATO are a common trend, usually using a pre-recorded message alerting you of your outstanding debt or fee and requiring your sensitive personal information. Similarly, SMS scams will include a payment link that will direct you to a fake ATO webpage and ask for your details. The ATO has confirmed that they will never send a pre-recorded message to your phone, threaten you with immediate arrest or demand immediate payment through unusual methods or links.

Email Scams
Email is probably the most common method used by scammers to impersonate the ATO or MyGov, utilising authentic-looking content to seem legitimate. These emails usually contain phishing links or attachments that request your banking details or other sensitive information. It is very important to be extra cautious and not open any attachments or links until you can 100% verify the identity of the sender. Remember, the ATO or MyGov would not usually send an email directly asking for any personal information. They will usually instruct you to lodge it via their online portals.

Stay aware this tax time! If you think something isn’t genuine, do not engage with it. You can contact the ATO directly on 1800 008 540 to check with them, or click here to see how to verify or report a scam.

Exploit released for new Arcserve UDP auth bypass vulnerability
Date: 2023-06-28
Author: Bleeping Computer
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges. According to the company, Arcserve UDP is a data and ransomware protection solution designed to help customers thwart ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity.

Fortinet fixes critical FortiNAC remote command execution flaw
Date: 2023-06-23
Author: Bleeping Computer
[See AUSCERT Security Bulletin https://portal.auscert.org.au/bulletins/ESB-2023.3637]
Cybersecurity solutions company Fortinet has updated its zero-trust access solution FortiNAC to address a critical-severity vulnerability that attackers could leverage to execute code and commands. FortiNAC allows organizations to manage network-wide access policies, gain visibility of devices and users, and secure the network against unauthorized access and threats. The security issue is tracked as CVE-2023-33299 and received a critical severity score of 9.6 out of 10. It is a deserialization of untrusted data flaw that may lead to remote code execution (RCE) without authentication.

Governments across Australia embark on identity reform
Date: 2023-06-27
Author: iTnews
Commonwealth, state and territory digital ministers have signed off on sweeping identity reforms, designed to make Australians’ digital identities harder to steal, and easier to restore. After a Data and Digital Ministers’ meeting last week, the group published a National Strategy for Identity Resilience. Under the strategy, the ministers have pledged to make government-issued digital IDs more interoperable.

Two major energy corporations added to growing MOVEit victim list
Date: 2023-06-27
Author: CyberScoop
Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities. CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.

Hundreds of devices found violating new CISA federal agency directive
Date: 2023-06-27
Author: Bleeping Computer
Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang
Date: 2023-06-28
Author: Security Week
A ransomware gang named 8Base was the second most active group in June 2023, claiming roughly 30 victims, VMware reports. Active since March 2022 and mainly focused on small businesses, the group engages in double extortion tactics, publicly naming and shaming victims to compel them to pay the ransom. To date, the 8Base gang has hit approximately 80 organizations across sectors such as automotive, business services, construction, finance, healthcare, hospitality, IT, manufacturing, and real estate.

ESB-2023.3637 – FortiNAC: CVSS (Max): 9.6
Fortinet has released software updates that address a vulnerability in FortiNAC that, if exploited, could allow an unauthenticated user to execute unauthorized code or commands.

ESB-2023.3638 – IBM QRadar SIEM: CVSS (Max): 6.5
IBM has addressed the verification bypass vulnerability in the Google OAuth Client Library for Java as used by IBM QRadar SIEM.

ESB-2023.3646 – Tenable.io, Tenable Security Center and Nessus: CVSS (Max): 6.3
Tenable has discovered a vulnerability in a Nessus Plugin and released updates to address this issue. The updates have been distributed via the Tenable plugin feed ID #202306261202.

ESB-2023.3752 – GitLab Community Edition & Enterprise Edition: CVSS (Max): 7.5
GitLab released security updates for GitLab Community Edition (CE) and Enterprise Edition (EE) which contain important security fixes.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 23rd June 2023

Greetings,

This week, the world celebrated Wi-Fi Day! In our very digitalised lives we take Wi-Fi for granted and overlook the appreciation it truly deserves. Nowadays the ability to connect to the internet anytime and anywhere has become an expectation that we all demand. It has become an essential part of our daily lives and has revolutionized our society and reshaped our global landscape. However, Wi-Fi should be used with caution and diligence, as it can also act as a gateway providing hackers with a direct channel into your computer or devices. It is essential to adopt safe practices when using Wi-Fi networks; here are a few tips:

1) Connect only to known and trusted networks
It is crucial to use common sense when connecting to Wi-Fi networks and only use trusted and reliable sources. When you encounter an unfamiliar network offering free internet in exchange for your details, be wary: this could be a tactic to collect your personal information. It is risky to use free public Wi-Fi as you don’t know how it has been set up or what safeguards or encryption are in place. On these networks, avoid internet activity that includes your sensitive or personal information. Utilising your own personal mobile hot-spot is ultimately the safest option when on the go.

2) Be careful what you open
Modern internet browsers such as Google Chrome will often let you know if you are visiting a site that uses an unencrypted HTTP link by labelling it “Not Secure”. People on the same Wi-Fi network as you can watch what you are doing on these sites relatively easily. So be careful what information you put on these sites, as chances are someone could be watching it. Also turn off your file-sharing and AirDrop settings on your phone and laptop when using unsecured internet networks to ensure no one is able to discover your devices.

3) Stay vigilant
Vigilance is key! We know no one reads the terms and conditions, but in this case it could be the very thing that stops your data from being stolen for malicious intent. Often the red flags will be clear and should stop you from clicking accept and signing on. An additional safeguard is to ensure your computer is equipped with the latest anti-virus protection and to keep on top of all your software updates. Having strong passwords and multi-factor authentication also provides an additional layer of protection.

Following these simple tips can ensure your Wi-Fi experience is enjoyable and will help you avoid becoming a victim of malicious activity.

MOVEit Customers Urged to Patch Third Critical Vulnerability
Date: 2023-06-19
Author: Security Week
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Progress Software is urging MOVEit customers to apply patches to a third critical vulnerability in the file transfer software in less than one month. Tracked as CVE-2023-35708, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated attacker to escalate privileges and access the MOVEit Transfer database.

VMware warns of critical vRealize flaw exploited in attacks
Date: 2023-06-20
Author: Bleeping Computer
[See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3381.2]
VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks. “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” the company said today.

Reddit hackers threaten to leak data stolen in February breach
Date: 2023-06-18
Author: Bleeping Computer
The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company. On February 9th, Reddit disclosed that its systems were hacked on February 5th after an employee fell victim to a phishing attack. This phishing attack allowed the threat actors to gain access to Reddit’s systems and steal internal documents, source code, employee data, and limited data about the company’s advertisers.

Data leak at major law firm sets Australia’s government and elites scrambling
Date: 2023-06-20
Author: The Register
An infosec incident at a major Australian law firm has sparked fear among the nation’s governments, banks and businesses – and a free speech debate. The firm, HWL Ebsworth, has acknowledged that on April 28, “we became aware that a threat actor identified as ALPHV/BlackCat made a post on a dark web forum claiming to have exfiltrated data from HWL Ebsworth.”

A Vulnerability in ShareFile Storage Zones Controller Could Allow for Remote Code Execution
Date: 2023-06-20
Author: Center for Internet Security
[See AUSCERT Security Bulletin 14 June 2023 ESB-2023.3357]
A vulnerability has been discovered in ShareFile Storage Zones Controller which could allow for remote code execution. Storage Zones Controller extends the ShareFile Software as a Service (SaaS) cloud storage. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

ESB-2023.3381.2 – UPDATED ALERT VMware Aria Operations for Networks: CVSS (Max): 9.8
VMware has released patches to remediate multiple vulnerabilities in Aria Operations for Networks which may be exploited in the wild.

ESB-2023.3483 – Jenkins and Jenkins-2-plugins: CVSS (Max): 8.8
Multiple vulnerabilities affecting Jenkins and Jenkins-2-plugins have been addressed by the vendor.

ESB-2023.3521 – iOS 15.7.7 and iPadOS 15.7.7: CVSS (Max): None
Apple addressed three zero-day vulnerabilities used to deploy Triangulation spyware on iPhones via iMessage zero-click exploits.

ESB-2023.3522 – macOS Ventura: CVSS (Max): None
Apple pushed a new macOS Ventura 13.4.1 update which includes bug fixes and security updates for CVE-2023-32439 and CVE-2023-32434, which may be exploited in the wild.

ESB-2023.3550 – Cisco Duo Two-Factor Authentication: CVSS (Max): 6.2
Cisco has released software updates that address a bypass vulnerability in Cisco Duo Two-Factor Authentication for macOS.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 16th June 2023

Greetings,

At AUSCERT, we recognize that continuous growth and development are vital aspects of a successful organisation. As part of our commitment to providing the most valuable services, we are currently focusing on understanding the needs and preferences of our members. To achieve this, we conducted a comprehensive member survey and are now about to embark on the next phase of our journey by organising intimate focus groups in each of your respective cities. We highly value your direct input and are eager to hear your thoughts, opinions, and suggestions. Your feedback will play a pivotal role in driving our continuous improvement and development. We will contact you soon with more details, so please stay tuned!

In the spirit of continuous development, we have launched a new training course that is designed to build on the skills developed in our Introduction to Cyber for IT Professionals. Our new course, Intermediate Cyber Security – Internet Technologies, is designed to provide participants with awareness of the security issues associated with a range of internet-oriented technologies and protocols, as well as practical guidance on how participants can safeguard their organisation. In today’s digital landscape we rely heavily on the internet for both daily business operations and government service delivery, making it critical to have a comprehensive understanding of the current threat environment. As the internet advances and cyber crimes become more sophisticated, it is important to recognize the evolving threat landscape so we can adopt appropriate measures to safeguard our information.

Even the Australian government is being targeted by hackers searching for vulnerabilities through its suppliers and networks. Recently HWL Ebsworth Law Firm was targeted, as they have an extensive client base encompassing both commercial and government entities across every state and territory. The Russian-linked ransomware group claimed it had stolen employee and client data, including financial information, network maps and credentials. The Tasmanian government was among those impacted, reporting that they have been in touch with the federal government and are investigating the possible leak of government data. It is crucial to stay one step ahead of hackers by continuously expanding your knowledge and enhancing your skills. This way you can effectively identify vulnerabilities in your organisation before they are exploited.

Massive phishing campaign uses 6,000 sites to impersonate 100 brands
Date: 2023-06-13
Author: Bleeping Computer
A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others.

Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
Date: 2023-06-11
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices. The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

New MOVEit Transfer critical flaws found after security audit, patch now
Date: 2023-06-09
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via MSIN]
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer (MFT) solution that can let attackers steal information from customers' databases. These security bugs were discovered with the help of cybersecurity firm Huntress following detailed code reviews initiated by Progress on May 31, when it addressed a flaw exploited as a zero-day by the Clop ransomware gang in data theft attacks. They affect all MOVEit Transfer versions and enable unauthenticated attackers to compromise Internet-exposed servers to alter or extract customer information.

Microsoft Patches Critical Windows Vulns, Warn of Code Execution Risks
Date: 2023-06-13
Author: Security Week
Microsoft’s security response team on Tuesday rolled out a massive batch of software updates to address major security gaps in its flagship Windows operating system and software components. Redmond’s monthly Patch Tuesday updates cover at least 70 documented vulnerabilities affecting the Windows ecosystem, including six critical issues that expose users to dangerous code execution attacks. According to Microsoft, none of the vulnerabilities have been publicly discussed or exploited in the wild.

Qld gov agencies have 'more to do' to be ready for future data breach reporting
Date: 2023-06-14
Author: iTnews
Queensland government agencies have “more work to do” to prepare for a future mandatory data breach reporting scheme, based on a readiness survey by the state’s information commissioner. The survey [pdf] attracted 107 responses from 221 agencies. Of those that responded, 52 agencies – a bit less than half – had a “documented data breach response plan”, with some “more comprehensive than others”.

ESB-2023.3376 – FortiOS and FortiProxy: CVSS (Max): 7.6
A cleartext transmission of sensitive information vulnerability [CWE-319] in FortiOS and FortiProxy may allow an authenticated attacker with read-only super-admin privileges to intercept traffic in order to obtain other administrators’ cookies via diagnose CLI commands.

ESB-2023.3366 – FortiOS: CVSS (Max): 8.3
A use of externally-controlled format string vulnerability [CWE-134] in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests.

ASB-2023.0113 – Windows Server 2008: CVSS (Max): 9.8
Microsoft has released its monthly security patch update for the month of June 2023, which includes fixes for 18 vulnerabilities in Windows Server.

ESB-2023.3355 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


AUSCERT Week in Review for 9th June 2023

Greetings, The ocean is an indispensable life source as it blankets 70% of our planet’s surface and generates at least 50% of Earths oxygen. To commemorate World Ocean Day I would like to pose a challenge for you all, whenever you visit the beach, choose to make a positive impact by leaving it in a better condition than when you arrived by collecting at least one piece of rubbish. Remember even small steps contribute to significant successes! Just like the vastness of the ocean, the digital landscape is a deep-sea of data that remains largely unexplored and not fully comprehended. Where possible we need to take the advice of experts to ensure we are staying ahead of attackers and protecting ourselves as best we can. In our newest episode of Share Today Save Tomorrow, Anthony explores Mobile Device Security with Martin McGregor CEO of Devici. To enhance the security of your device and ensure the safety of your data, consider downloading an authenticator app on your phone. This app will provide an additional layer of security for all your applications, adding an extra layer to the authentication process and safeguarding your sensitive information. Just as the ocean is in constant motion, cyber security threats continuously evolve and come in waves. They can be unpredictable and relentless constantly crashing on our shores and causing havoc. Recently an attack on MOVEit a private file-sharing platform faced a significant security breach which has sparked global concern. The cyber extortion group known as Clop, has come forward identifying themselves as being behind the attack and threatening to release stolen data unless the targeted organisations meet their ransom demands. 
Authorities have issued warnings regarding the global-supply chain attack as reportedly hundreds of organisations across different sectors could be impacted.The deep and unknown depths of the dark web can cause concern and requires awareness and proactive measure to navigate through these murky waters. But remember small steps to safeguard your businesses can make the biggest impacts! If you would like further advice on how to better safeguard yourself against possible attacks get in contact with us today! Clop ransomware claims responsibility for MOVEit extortion attacks Date: 2023-06-05 Author: Bleeping Computer The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies' servers and steal data. This confirms Microsoft's Sunday night attribution to the hacking group they track as 'Lace Tempest,' also known as TA505 and FIN11. The Clop representative further confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday, as previously disclosed by Mandiant. Don't Overlook Twitter's Trove of Threat Intel for Enterprise Cybersecurity Date: 2023-06-06 Author: Dark Reading Tagged, organized, and free for anyone who wants it, social media posts and data are an underused threat intelligence resource for many enterprise cybersecurity teams. Just as cybercriminals have found social media platforms useful for gathering information on targets and launching attacks, network defenders should likewise be looking at Twitter and other similar public-facing social media data sources, so called open source intelligence (OSINT), to help inform cyber defenses, according to experts. 
Sextortionists are making AI nudes from your social media images Date: 2023-06-06 Author: Bleeping Computer The Federal Bureau of Investigation (FBI) is warning of a rising trend of malicious actors creating deepfake content to perform sextortion attacks. Sextortion is a form of online blackmail where malicious actors threaten their targets with publicly leaking explicit images and videos they stole (through hacking) or acquired (through coercion), typically demanding money payments for withholding the material. In many cases of sextortion, compromising content is not real, with the threat actors only pretending to have access to scare victims into paying an extortion demand. Law Council says privacy should be considered in cyber security review Date: 2023-06-07 Author: iTnews The Law Council of Australia has asked the government to deal with invasive personal data collection practices as part of a potential Cyber Security Act. The council’s submission to the government’s cyber security discussion paper, published yesterday [pdf', said any Cyber Security Act should also look at ways Australians can verify their identity without providing excessive amounts of personal data. Barracuda says hacked ESG appliances must be replaced immediately Date: 2023-06-07 Author: Bleeping Computer [Please also see AUSCERT bulletin ASB-2023.0107] Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in an update to the initial advisory issued on Tuesday. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." According to Barracuda, affected customers have already been notified through breached ESGs' user interface. 
Customers who haven't yet replaced their devices are urged to contact support urgently via email.

ASB-2023.0107 – Barracuda Email Security Gateway Appliance (ESG): CVSS (Max): 9.8
A remote command injection vulnerability has been detected in Barracuda Email Security Gateway devices. Barracuda advises its customers to replace impacted devices immediately.

ESB-2023.3285 – VMware Aria Operations for Networks: CVSS (Max): 9.8
VMware has released patches to remediate the command injection vulnerability in Aria Operations for Networks.

ESB-2023.3248 – ALERT Google Chrome: CVSS (Max): None
Google has released updates to its stable and extended stable channels, which will roll out over the coming days/weeks.

ESB-2023.3195 – Android OS: CVSS (Max): 9.8*
Security patch levels of 2023-06-05 or later address the security vulnerabilities affecting Android devices.

ESB-2023.3194 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7
The most recent security patch release for GitLab Community Edition (CE) and Enterprise Edition (EE) contains important security fixes. Users are strongly advised to apply the patches as soon as possible to avoid being exploited.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Policies and agreements

AUSCERT Education: Terms and Conditions

Eligibility
Registration to participate in the course is restricted to employees of AUSCERT Member organisations. If a non-member is found to have registered, they will be refused entry into the course and refunded. If required, eligibility can be confirmed by AUSCERT prior to registration.

Payment
The University of Queensland (UQ) will provide a Tax Invoice to the Participant upon finalisation of registration and payment, or, if requested, UQ can provide a tax invoice prior to payment. Registration and participation in the course will be confirmed upon receipt of full course fee payment.

Cancellations
All cancellations must be made 2 business days or more before a course delivery date. Should the cancellation be made in this timeframe, participants have ONE of the following options: transfer their booking to an alternate course to be held within 12 months of the original course, OR send a substitute in their place.
AUSCERT reserves the right to cancel courses due to unforeseen circumstances and will provide participants with written notice in such circumstances. If the course is cancelled, Participants may choose between transferring their registration to a new date of the same course, or a refund of 100% of the course fee paid. The University of Queensland is not responsible for any expenses that may have been incurred in attending or related to the attendance of a course.

Intellectual Property Rights
AUSCERT owns all Intellectual Property Rights in the Services and Deliverables and in anything (including in electronic form) used or created by AUSCERT or its personnel (including staff, contractors and subcontractors) for or in connection with the supply of the Services.

Confidentiality and Privacy
The Participant must obtain AUSCERT’s written approval before publishing or publicising any information relating to AUSCERT or the Services.
AUSCERT may publish material relating to the conduct and conclusions of the Services, including the Deliverables. Subject to the clause below, if any personal information is provided to AUSCERT, that personal information will be subject to UQ’s Privacy Management Policy, which can be viewed here. More information on privacy in relation to AUSCERT and UQ can be obtained from the Right to Information and Privacy Office here. AUSCERT may retain, use and disclose personal information provided by the Participant to:
- provide the Services and Deliverables;
- inform the Participant of future events or activities at AUSCERT;
- undertake statistical analysis of de-identified data;
- provide to third party contractors that are performing some or all of the Services under this Contract; and
- assist AUSCERT in relation to exercising or enforcing AUSCERT’s rights.
The Participant consents to AUSCERT taking photographs and videos of the Services being provided, which may include images of the Participant, and agrees that AUSCERT can use those images in the ordinary course of its business.


AUSCERT Week in Review for 2nd June 2023

Greetings, With the arrival of dropping temperatures, shorter days, and thicker coats we can confidently say winter is finally upon us. In Queensland, winters are truly delightful, striking a perfect balance between cool breezes and the warming sunshine. It’s the season that allows you to relish the outdoors for extended periods of time without beads of sweat forming on your forehead. The only time hot beverages and soups don’t leave you feeling uncomfortably hot. The only time gathering around a fire provides warmth rather than just entertainment. So here’s to winter! Embrace the cold air with open arms and allow the refreshing chill to invigorate your spirit. If you haven’t watched Mark McPherson’s inspiring seminar on the history of AUSCERT, watch it now! Titled ‘AUSCERT this is your life’, Mark explores the first decade of operation for our organisation, the unexpected incidents and unique moments that shaped our business model and operating structure. Mark describes our very founding moments and the historical realisation from governing bodies that a central source for information security and protection was desperately required in Australia. We evolved rapidly and in recent years have also expanded our services to include a range of cybersecurity training courses to address the growing demand for cybersecurity expertise in the workplace. Informing and empowering staff through relevant, engaging and focused professional training experiences is a critical component of organisational cyber security resilience. For more information on our upcoming training courses visit AUSCERT Education. In cyber security news this week, PayID scams are on a rapid rise, with the second-hand sales market taking a huge hit. With the cost of living skyrocketing, many Australians are struggling for cash and have turned to the online second-hand market to convert some of their pre-loved items into much-needed funds.
Realising this market has significantly grown in popularity, scammers saw an easy way to infiltrate the payment system known as PayID to steal funds. PayID is a popular payment system that is frequently used on Facebook Marketplace and Gumtree and supported by almost every bank. NAB Executive Chris Sheehan warned consumers of the increasing PayID scams, saying criminals are becoming increasingly sophisticated with their fraudulent messages. He went on to say that educating yourself about PayID and remaining vigilant means being able to identify the red flags; for tips on what these are, read the full article here.

Microsoft finds macOS bug that lets hackers bypass SIP root restrictions
Date: 2023-05-30 Author: Bleeping Computer
Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. Discovered and reported to Apple by a team of Microsoft security researchers, the flaw (dubbed Migraine) is now tracked as CVE-2023-32369. Apple has patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18.

Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Date: 2023-05-31 Author: Security Week
Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations. The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform. Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up.
The dropped file then downloads and runs another payload fetched from Gigabyte servers.

Hackers exploit critical Zyxel firewall flaw in ongoing attacks
Date: 2023-05-31 Author: Bleeping Computer
Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet sent to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, advising users of the following product versions to apply them to resolve the vulnerability:
- ATP – ZLD V4.60 to V5.35
- USG FLEX – ZLD V4.60 to V5.35
- VPN – ZLD V4.60 to V5.35
- ZyWALL/USG – ZLD V4.60 to V4.73

New Mirai Variant Campaigns are Targeting IoT Devices
Date: 2023-05-29 Author: Infosecurity Magazine
Unit 42, Palo Alto Networks' threat research team, has found new malicious activity targeting IoT devices, using a variant of Mirai, a piece of malware that turns networked devices running Linux, typically small IoT devices, into remotely controlled bots that can be used in large-scale network attacks. Dubbed IZ1H9, this variant was first discovered in August 2018 and has since become one of the most active Mirai variants.

‘Dark Pink’ APT attacks governments, militaries, more in Thailand, Brunei, Belgium, Vietnam and Indonesia
Date: 2023-06-01 Author: The Record
The Dark Pink hacker group has been tied to five new attacks on governments, militaries and organizations based in Belgium, Thailand, Brunei, Vietnam and Indonesia. Researchers from Group-IB have been tracking the group for months and said it has been active since mid-2021, compromising at least 13 organizations across Europe and the Asia-Pacific region.
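The Zyxel item above gives the affected ZLD ranges per product family and the exposure that matters (one IKEv2 packet to UDP/500 on a device in its default configuration). The following is an added example, not Zyxel's tooling or the article's, of turning that into a first-pass triage of a firewall inventory. The inventory, the hostnames and the `wan_ike_exposed` field are constructed for the demo; the "V4.73 Patch 1" style of version string is an assumption about how a device reports a patch-level build, and because the article quotes base versions only, a patch-level build on the last affected base version is reported as "verify" rather than guessed at.

```python
import re

# Added example (not Zyxel's tooling): triage a device inventory against the
# CVE-2023-28771 affected ZLD firmware ranges quoted in the article above.
# The inventory below is constructed for the demo.

# product family -> (first affected, last affected) ZLD (major, minor), per the article
AFFECTED_ZLD = {
    "ATP":        ((4, 60), (5, 35)),
    "USG FLEX":   ((4, 60), (5, 35)),
    "VPN":        ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}

# "V4.73 Patch 1" suffix handling is an assumption about Zyxel's version strings
_ZLD = re.compile(r"V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_zld(version: str):
    """'ZLD V5.35' -> (5, 35, 0); 'ZLD V4.73 Patch 1' -> (4, 73, 1)."""
    m = _ZLD.search(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def status(family: str, version: str) -> str:
    """'affected', 'not affected', or 'verify' for a patch-level build on the last
    affected base version: the article gives base versions only, so the fixing
    patch level has to be confirmed against Zyxel's own advisory."""
    lo, hi = AFFECTED_ZLD[family]
    major, minor, patch = parse_zld(version)
    base = (major, minor)
    if base == hi and patch > 0:
        return "verify"
    return "affected" if lo <= base <= hi else "not affected"


def triage(inventory: list) -> list:
    """(hostname, status) pairs, internet-facing affected devices first: the flaw
    is reached with a single IKEv2 packet to UDP/500, so a WAN interface that
    answers IKE is the exposure to close first."""
    rows = []
    for dev in inventory:
        s = status(dev["family"], dev["version"])
        needs_action = s != "not affected"
        rows.append((needs_action, dev["wan_ike_exposed"], dev["hostname"], s))
    rows.sort(key=lambda r: (not r[0], not r[1], r[2]))
    return [(hostname, s) for _, _, hostname, s in rows]


# Constructed inventory for the demo.
INVENTORY = [
    {"hostname": "fw-branch-1", "family": "USG FLEX",   "version": "ZLD V5.36",         "wan_ike_exposed": True},
    {"hostname": "fw-hq",       "family": "ATP",        "version": "ZLD V5.35",         "wan_ike_exposed": True},
    {"hostname": "fw-lab",      "family": "VPN",        "version": "V4.59",             "wan_ike_exposed": False},
    {"hostname": "fw-legacy",   "family": "ZyWALL/USG", "version": "ZLD V4.73 Patch 1", "wan_ike_exposed": False},
    {"hostname": "fw-dmz",      "family": "ATP",        "version": "ZLD V5.10",         "wan_ike_exposed": False},
]

if __name__ == "__main__":
    for hostname, s in triage(INVENTORY):
        print(f"{hostname:12} {s}")
```

The version parser deliberately errs towards flagging: anything it cannot place confidently on the patched side is reported as "affected" or "verify", and the ordering puts the devices that answer IKE on a WAN interface at the top of the list.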
ESB-2023.3083 – Advantech WebAccess/SCADA: CVSS (Max): 7.3
Advantech has released version 9.1.4 to address a vulnerability in WebAccess/SCADA which, if exploited, could allow an attacker to gain full control of the server.

ESB-2023.3086 – VMware Products: CVSS (Max): 6.1
An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was reported to VMware. Updates are available to address this vulnerability in affected VMware products.

ESB-2023.3060 – Red Hat Advanced Cluster Management: CVSS (Max): 9.8
Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability is now available, with fixes for security issues and updated container images.

ESB-2023.3119 – texlive-bin: CVSS (Max): 9.8
It was discovered that the patch to fix CVE-2023-32700 in texlive-bin, released as DLA-3427-1, was incomplete and caused an error when running the lualatex command. This has been addressed in a texlive-bin package upgrade.

ESB-2023.3099 – wireshark: CVSS (Max): 8.8
An update for wireshark has fixed six vulnerabilities and various application crashes.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 26th May 2023

Greetings, Today, we respectfully recognise and remember the unjust treatment endured by Aboriginal and Torres Strait Islander individuals and communities who have been forcibly separated from their families and culture. National Sorry Day is an opportunity for us to come together as a nation to commemorate the strength and resilience of the Stolen Generation survivors and reflect on how we can all contribute to the healing process. With National Reconciliation Week just around the corner, there are plenty of opportunities to learn about our shared histories, cultures and achievements and to explore how each of us can contribute to achieving reconciliation in Australia. Registrations are now open for AUSCERT’s upcoming training courses, designed to enhance your skills and empower your mind! Our courses are facilitated by trainers who possess extensive industry experience and pride themselves on creating engaging, interactive and high quality learning experiences. In two half-day, online sessions they will guide you through the principles and practices whilst also drawing from their own valuable career insights to enrich your learning experience. Our first upcoming course, Cyber Security Risk Management, is designed to provide participants with the ability to perform risk assessments, including how to rate, assess and report business risks rather than technical vulnerabilities. We have a wide range of courses to choose from; for more information visit AUSCERT Education. In other news, Telstra has launched a new scam reporting service allowing customers to forward suspicious SMS and MMS messages to a national phone number (7226) to help identify and block scam messages. With scams on a rapid rise in Australia, the best defence is to stay informed and question every unexpected communication regardless of the sender. It is becoming increasingly difficult to detect a fraudulent message, though, as scammers appear more and more authentic.
For tips and tools on how to recognise, avoid and report scams visit Scamwatch. Alternatively, if you’re an AUSCERT member you can contact our 24/7 Incident Support Service, where we can help you detect, interpret and respond to attacks. It’s better to be too safe than sorry when it comes to scams!

Experts Warn of Voice Cloning-as-a-Service
Date: 2023-05-19 Author: Infosecurity Magazine
Security experts are warning of surging threat actor interest in voice cloning-as-a-service (VCaaS) offerings on the dark web, designed to streamline deepfake-based fraud. Recorded Future’s latest report, I Have No Mouth and I Must Do Crime, is based on threat intelligence analysis of chatter on the cybercrime underground. Deepfake audio technology can mimic the voice of a target to bypass multi-factor authentication, spread mis- and disinformation and enhance the effectiveness of social engineering in business email compromise (BEC)-style attacks, among other things.

Google will delete accounts inactive for more than 2 years
Date: 2023-05-21 Author: Bleeping Computer
Google has updated its policy for personal accounts across its services to allow a maximum period of inactivity of two years. After that time has passed, the accounts "may" be deleted, along with all their contents, settings, preferences, and user-saved data. This includes all data stored on services such as Gmail, Docs, Drive, Meet, Calendar, Google Photos, and YouTube.

Here's how you can help report SMS and MMS scams to Telstra
Date: 2023-05-24 Author: techAU
Telstra has launched a new scam reporting service that allows customers to forward suspicious SMS and MMS messages to a national phone number. The service, which is free to use, will help Telstra to better identify and block scam messages. To report a scam message, customers simply need to forward the message to 7226.
Telstra will then investigate the message and take appropriate action, such as blocking the sender or reporting the message to the relevant authorities.

Australian critical infrastructure operators urged to move off Chinese tech
Date: 2023-05-23 Author: iTnews
A sweep of Chinese-made hardware and software from the federal government could be expanded to cover critical infrastructure operators as well, with the government already assessing its powers for “market intervention”. The comments, made by Home Affairs officials at senate estimates yesterday, come as the government increasingly suspends its use of Chinese-made technology over security concerns.

Home Affairs to migrate AUSTRAC, ACIC out of cyber hub
Date: 2023-05-23 Author: iTnews
Home Affairs will spend $3.7 million helping AUSTRAC and the Australian Criminal Intelligence Commission (ACIC) transition off cyber security services it provided under the government’s axed cyber hubs pilot. The pilot was discontinued earlier this month after a Finance-led review of the pilot scheme.

ESB-2023.2979 – Tomcat: CVSS (Max): 7.5
The previous fix for CVE-2023-24998 was incomplete. Apache has released a regression update to address the issue.

ESB-2023.3006 – ALERT GitLab Community Edition and Enterprise Edition: CVSS (Max): 10.0
A critical file read vulnerability has been addressed in the new releases of GitLab.

ESB-2023.3025 – jenkins and jenkins-2-plugins: CVSS (Max): 9.8
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for Red Hat OCP.

ESB-2023.2965 – WordPress: CVSS (Max): None
WordPress 6.2.2 is now available, addressing one security issue and one bug.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 19th May 2023

Greetings, Although our bodies are feeling a bit worse for wear from last week’s conference, our minds are buzzing with new information, skills, and possibilities! After the amazing week we had last week it’s safe to say the AUSCERT team was a little slower this week, taking vital time to rest and recover after all the shenanigans. Although it was all worth it to catch up with past members, meet new members and strengthen our community bond! In addition to providing cutting-edge education, one of the most significant attractions of the conference lies in its vibrant community, fostering idea sharing and facilitating valuable networking opportunities. Google has sparked a lot of controversy with its roll-out of new ‘.zip’ and ‘.mov’ top level domains (TLDs). The reason for the concern is that these strings are commonly used as file extensions and may aid threat actors in misleading potential victims. Cybersecurity researchers and professionals are concerned that this will add unnecessary risk to an already risky environment and increase phishing scams and malware downloads. Threat actors could potentially obtain a .zip domain with the same name as a trusted brand and create fake sites to manipulate unknowing consumers into providing personal information or transferring funds. This has triggered a controversial debate online, with many researchers also rebutting these arguments and claiming it’s not that bad and no one should panic. Google echoed these arguments, saying it takes phishing and malware seriously and has existing mechanisms in place to protect users if new threats emerge. Only time will tell whether this was a smart move by Google or whether it will give further ammunition to scammers. In more positive news, the federal government has announced it will spend $58 million to create the national anti-scams centre to report scams and distribute information more efficiently to banks, law enforcement and vulnerable communities.
This will facilitate faster responses to reported scams by establishing a team of industry and law enforcement experts to act efficiently on scam trends. After the ACCC reported a loss of billions due to scams last year, the government and banks have been put under considerable pressure by consumers to develop safer systems, including a new method of dealing with fraudulent transactions. The Australian Banking Association has announced its new digital platform called ‘Fraud Reporting Exchange’, which will allow banks to share information about scam transactions quickly between each other. At least we are taking steps in the right direction to work together to put a stop to scammers.

TechnologyOne still investigating impact of M365 cyber incident
Date: 2023-05-12 Author: iTnews
TechnologyOne said it had managed to contain an incident that impacted its internally-used Microsoft 365 instance earlier this week, and that the system is operating again. In an update [pdf], the software maker said M365 was “successfully restored and is fully operational”. On Wednesday, TechnologyOne disclosed there had been unauthorised access to its M365 instance. It said that “security experts” had since “confirmed our Microsoft 365 system is secure”.

Google's .zip Top Level domain is already used in phishing attacks
Date: 2023-05-15 Author: ghacks.net
Google released the top-level domain .zip to the public recently, which means that interested organizations and users may register .zip domains. Cyber criminals are already using .zip domains in phishing campaigns. According to the SANS Internet Storm Center, about 1230 names have been registered so far. The top level domain was approved in 2014, but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions. It seems that last week Google reduced the registration price for a .zip domain to $15 per year, which appears to be less than half the previous price.
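The concern raised in the introduction and in the ghacks item above is mechanical: a string such as "report.zip" that used to be a plain filename now parses as a valid hostname, so mail and chat clients that auto-link bare hostnames will turn it into a link, and a registrant can put a brand name in front of it. The following is an added example, not Google's code or the article's, of the check a mail or chat gateway could run on message text: collect the hostnames a linkifier would find, and flag any whose TLD doubles as a file extension, with an extra flag when the registrable label contains a watched brand. The brand list and the sample message are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Added example (not Google's or the article's code): find the hostnames an
# auto-linker would turn into links and flag the file-extension TLDs.
# Brand watch list and sample text are constructed for the demo.

FILE_EXTENSION_TLDS = {"zip", "mov"}                      # the two new TLDs discussed above
PROTECTED_BRANDS = {"microsoft", "google", "auscert"}     # constructed watch list

_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# a bare dotted token, e.g. report.zip, not preceded or followed by more name characters
_BARE_HOST = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})(?![\w-])",
    re.IGNORECASE,
)


def extract_hosts(text: str) -> list:
    """Hostnames from explicit URLs plus bare tokens such as 'report.zip'.
    URLs are blanked out first so a path component like /archive.zip is
    never mistaken for a host."""
    hosts = []

    def take_url(m):
        host = urlsplit(m.group(0)).hostname
        if host:
            hosts.append(host)
        return " "

    remainder = _URL.sub(take_url, text)
    hosts += [m.group(1) for m in _BARE_HOST.finditer(remainder)]
    return [h.lower() for h in hosts]


def classify(host: str):
    """None for an ordinary host; otherwise the reason it deserves a look."""
    labels = host.split(".")
    if labels[-1] not in FILE_EXTENSION_TLDS:
        return None
    reasons = ["file-extension TLD"]
    registrable = labels[-2] if len(labels) >= 2 else ""
    if any(brand in registrable for brand in PROTECTED_BRANDS):
        reasons.append("brand lookalike")
    return ", ".join(reasons)


def flag_message(text: str) -> dict:
    """Map each suspicious host in the message to the reason it was flagged."""
    flagged = {}
    for host in extract_hosts(text):
        reason = classify(host)
        if reason:
            flagged[host] = reason
    return flagged


# Constructed sample: a legitimate URL whose path ends in .zip, a brand
# lookalike, and a plain filename-looking token.
SAMPLE = (
    "Reminder: grab the build from https://intranet.example.com/releases/build-2023.zip, "
    "then install microsoft-update.zip and review holiday.mov before Friday."
)

if __name__ == "__main__":
    for host, reason in flag_message(SAMPLE).items():
        print(f"{host}: {reason}")
```

The order of operations is the point: explicit URLs are consumed first and only their host part is kept, so a download link whose path ends in `.zip` is not flagged, while the two bare tokens that a linkifier would promote to hostnames are.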
Drug and alcohol tests of graduate paramedics revealed in Ambulance Victoria data breach
Date: 2023-05-12 Author: The Guardian
The confidential drug and alcohol test results of graduate paramedics were available for every Ambulance Victoria staff member to view under a significant breach that has been reported to the state’s privacy watchdog. The Ambulance Victoria chief executive, Jane Miller, confirmed on Friday afternoon that the “unacceptable” breach involved 600 test results relating to a “few hundred” people, and offered her unreserved apology to those impacted.

Parental control app with 5 million downloads vulnerable to attacks
Date: 2023-05-16 Author: Bleeping Computer
Kiddoware's 'Parental Control – Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing. The Kids Place app is a parental control suite with 5 million downloads on Google Play, offering monitoring and geolocation capabilities, internet access and purchasing restrictions, screen time management, harmful content blocking, remote device access, and more.

MalasLocker ransomware targets Zimbra servers, demands charity donation
Date: 2023-05-17 Author: Bleeping Computer
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.
Microsoft is scanning the inside of password-protected zip files for malware
Date: 2023-05-16 Author: Ars Technica
Microsoft cloud services are scanning for malware by peeking inside users’ zip files, even when they’re protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code.

ESB-2023.2867 – WordPress: CVSS (Max): None
WordPress has released WordPress 6.2.1, which features 20 bug fixes in Core and 10 bug fixes for the block editor.

ESB-2023.2892 – Cisco Small Business Series Switches: CVSS (Max): 9.8
Cisco has released software updates that address multiple vulnerabilities in the web-based user interface of certain Cisco Small Business Series Switches.

ESB-2023.2910 – Google Chrome: CVSS (Max): None
Google has released Chrome 113.0.5672.126 for Mac and Linux and 113.0.5672.126/.127 for Windows, which contain 12 security fixes.

ESB-2023.2911 – Jenkins Plugins: CVSS (Max): 8.8
Multiple vulnerabilities affecting various Jenkins plugins have been addressed by Jenkins.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
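The Ars Technica item in the newsletter above reports that Microsoft's cloud services open password-protected zip attachments for scanning, but gives no detail on how the password is recovered. The following is an added example, not Microsoft's code or the article's, of the obvious approach a mail scanner can take: a phishing lure has to tell the victim the password, so harvest candidate passwords from the message body, try them against the attachment, and scan whatever opens. The lure text, the attachment and the "malware" signature are all constructed for the demo, and because the standard library's `zipfile` can read ZipCrypto entries but not write them, the block builds the encrypted archive by hand.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# Added example, not Microsoft's code: harvest the password a lure states in its
# own body, open the "protected" attachment with it, and scan the contents.
# The ZipCrypto writer, lure, attachment and signature are constructed for the demo.

SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for a real AV signature


def _crc_step(key: int, c: int) -> int:
    """One raw CRC-32 table step (no pre/post inversion), as ZipCrypto's key schedule uses it."""
    return zlib.crc32(bytes([c]), key ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(plain: bytes, password: bytes, crc: int) -> bytes:
    """Traditional PKWARE encryption of one stored entry: 12-byte header + body."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c: int) -> None:
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    def encrypt_byte(c: int) -> int:
        t = (keys[2] | 2) & 0xFFFF
        out = c ^ (((t * (t ^ 1)) >> 8) & 0xFF)
        update(c)                    # the schedule advances on the plaintext byte
        return out

    for c in password:
        update(c)
    # 11 random bytes, then the CRC high byte: the only password check a reader has
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return bytes(encrypt_byte(c) for c in header + plain)


def build_encrypted_zip(name: str, plain: bytes, password: bytes) -> bytes:
    """Single-entry, stored (method 0), ZipCrypto-encrypted archive, written by hand."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    body = zipcrypto_encrypt(plain, password, crc)
    fname = name.encode("ascii")
    # flags bit 0 = encrypted; date 0x21 = 1980-01-01; no extra field or comment
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(plain), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(plain), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


_PASSWORD_HINT = re.compile(r"(?i)\bpass(?:word|code)?\s*(?:is|:)?\s*[\"']?([^\s\"']{3,})")


def harvest_passwords(body: str) -> list:
    """Candidate passwords from the lure text; the sender has to tell the victim."""
    return [m.rstrip(".,;:!") for m in _PASSWORD_HINT.findall(body)]


def scan_protected_zip(archive: bytes, candidates: list) -> dict:
    """Try each candidate in turn; once one opens the archive, scan every entry."""
    result = {"opened": False, "password": None, "detections": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for pwd in candidates:
            hits = []
            try:
                for info in zf.infolist():
                    if SIGNATURE in zf.read(info.filename, pwd=pwd.encode()):
                        hits.append(info.filename)
            except (RuntimeError, zipfile.BadZipFile):
                # RuntimeError: the header check byte rejected the password.
                # BadZipFile: the 1-in-256 case where the check byte passes by
                # chance and the CRC catches the garbage instead.
                continue
            result.update(opened=True, password=pwd, detections=hits)
            break
    return result


# Constructed lure and attachment.
MESSAGE_BODY = "Hi, the signed invoice is attached. The archive password is Inv0ice-2023, thanks."
ATTACHMENT = build_encrypted_zip("invoice.pdf.exe", b"MZ" + b"\x00" * 64 + SIGNATURE, b"Inv0ice-2023")


def demo() -> dict:
    candidates = ["infected", "123456"] + harvest_passwords(MESSAGE_BODY)
    return scan_protected_zip(ATTACHMENT, candidates)


if __name__ == "__main__":
    print(demo())
```

Two things worth noting for anyone building this for real: ZipCrypto's only password check is a single header byte, so a wrong candidate slips past it one time in 256 and is only caught by the CRC mismatch, which is why both exceptions are handled; and the harvesting regex is the weak link, since a lure that puts the password in an image or in a separate message defeats it, so a few default candidates are always tried as well.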


AUSCERT Week in Review for 12th May 2023

Greetings, What an amazing week it’s been at AUSCERT2023! Attending cyber security conferences can be wonderfully rewarding, but also quite daunting for first time attendees or those with a neuro-diverse background. This year at AUSCERT2023 we once again featured an onsite psychologist for attendees to visit and discuss anything from mental wellbeing right through to life coaching. In addition, The University of Queensland’s Shelly Mills coordinated a panel discussion with Trinity McNicol from Sunshine Coast University on neurodiversity in the workplace, and how employers and team members can support these individuals. With “Back to the Future” for our theme, past AUSCERT team member Mark McPherson joined forces with present-day AUSCERT Senior Analyst Eric Halil to present a wonderful trip down memory lane beginning in the late 1980s, when the seeds were planted to form the AUSCERT we know today. If you missed this or any of the presentations, watch out for the YouTube uploads later on. Organisations are realising that data governance is an extremely important mitigating control against breaches, and this shift has brought professionals from both the cybersecurity and data governance fields together. The AUSCERT2023 Conference featured Troy Hunt, long-time cyber security expert and creator of the Have I Been Pwned website, Craig Rowlands, Director of Technology Data at Bupa, Kate Carruthers, Chief Data & Insights Officer for UNSW Sydney and The University of Queensland’s Sasenka Abeysooriya, Strategist and Data Governance Expert in a cross-discipline discussion on the importance of data governance and cyber security strategy. At the heart of this week’s AUSCERT2023 Conference was a strong theme of working together to achieve common goals. An amazing number of “hallway conversations” took place amongst the delegates, sharing ideas and comparing notes with other professionals from many disciplines. 
Next week delegates will return to their workplaces armed with a wealth of knowledge from those conversations, tutorials and the very latest content from the presentations. The coming weekend will hopefully give our delegates a chance to restore a healthy work-life balance and rest up, especially after celebrating last night at the Back to the Future themed gala dinner, featuring once again the amazing DJ Clariti and the AUSCERT Awards! In case you missed this week’s cyber security news while attending AUSCERT2023, here are the top stories:

Western Digital says hackers stole customer data in March cyberattack
Date: 2023-05-07 Author: Bleeping Computer
Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers’ data was stored in a Western Digital database stolen during the attack. “Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers,” Western Digital said.

Microsoft: Iranian hacking groups join PaperCut attack spree
Date: 2023-05-08 Author: Bleeping Computer
Microsoft says Iranian state-backed hackers have joined the ongoing assault targeting vulnerable PaperCut MF/NG print management servers. These groups are tracked as Mango Sandstorm (aka Mercury or MuddyWater and linked to Iran’s Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35 and tied to Iran’s Islamic Revolutionary Guard Corps).

1 Million Impacted by Data Breach at NextGen Healthcare
Date: 2023-05-08 Author: Security Week
Healthcare solutions provider NextGen Healthcare has started informing roughly one million individuals that their personal information was compromised in a data breach.
Headquartered in Atlanta, Georgia, the company makes and sells electronic health records software and provides doctors and medical professionals with practice management services.

FluHorse: New Android Threat Stealing 2FA Codes and Passwords
Date: 2023-05-08 Author: Cyware Hacker News
According to a recent report by Check Point Research, a new type of malware, named FluHorse, has been discovered. The malware comprises a cluster of Android apps that masquerade as genuine applications. Shockingly, the fake apps have already been downloaded by more than one million users. FluHorse is created to pilfer personal information such as usernames, passwords, and 2FA codes. The distribution of the FluHorse malware occurs through email, and it targets various sectors in the Eastern Asian market.

NodeStealer: New Information-stealing Threat Terminated by Facebook
Date: 2023-05-09 Author: Cyware Hacker News
A new information-stealing malware, named NodeStealer, has been discovered by Facebook. It can steal browser cookies to hijack accounts on the platform, as well as Outlook and Gmail accounts. Furthermore, it allows its operator to bypass 2FA.
About the campaign: Facebook’s engineers spotted the NodeStealer malware first in late January and linked the attacks to Vietnamese threat actors. Cybercriminals aim to hijack the Facebook account’s ability to run advertising campaigns and push misinformation or lead audiences to sites spreading malware.

ESB-2023.2521 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.6
GitLab has released versions 15.11.2, 15.10.6, and 15.9.7 for Community Edition (CE) and Enterprise Edition (EE).

ASB-2023.0103 – ALERT Microsoft Windows: CVSS (Max): 9.8
Microsoft’s most recent patch update resolves 27 vulnerabilities across Windows, Windows Server, Remote Desktop and the AV1 Video Extension.

ASB-2023.0105 – ALERT Microsoft ESU: CVSS (Max): 9.8
Microsoft has resolved 14 vulnerabilities in Windows Server 2008 variants.
ESB-2023.2691 – emacs: CVSS (Max): 9.8
Issues have been discovered in Emacs which, if exploited, could result in the execution of arbitrary shell commands. This has been fixed in a new version.

ESB-2023.2694 – Citrix ADC and Citrix Gateway: CVSS (Max): 6.3
Citrix reports vulnerabilities in ADC and Gateway, and advises its users to install the relevant updated versions.

ESB-2023.2693 – Nessus Network Monitor: CVSS (Max): 9.8
Tenable has discovered vulnerabilities in Nessus Network Monitor, and released a critical patch to address these issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
