Publications

Greetings, One of the most important yet often overlooked aspects of cyber security is providing comprehensive training to all personnel. This training ensures employees understand their security responsibilities and how to mitigate risks effectively. For staff with specialized roles or elevated access to sensitive information, tailored privilege user training is crucial in addressing the unique risks they face beyond those of standard users. By equipping your team with the necessary knowledge and skills, you can foster a proactive and resilient cyber security culture within your organisation. Yesterday, the Australian Signals Directorate (ASD) released updated Personnel Security Guidelines, highlighting the importance of strong internal security practices. One of the most frequently reported cyber crimes in Australia is Business Email Compromise (BEC), which led to financial losses exceeding $98 million in 2021–2022. While 2024 statistics are still emerging, experts expect this trend to continue due to increasingly sophisticated cyber threat actors and reliance on digital communication. Training and education are vital in mitigating BEC risks. Educating staff on identifying warning signs and establishing clear authorisation processes can significantly reduce the chances of falling victim to such attacks. The ASD has outlined several guidelines to help organisations better manage these risks. For more targeted training, AUSCERT offers a range of courses tailored to various roles and skill levels. The Cyber Security Fundamentals course is designed to provide staff with essential, practical knowledge for staying safe online. Advanced courses are also available for technical teams, covering a wide array of specialized topics. Visit the AUSCERT website for more information on upcoming training courses! Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks Date: 2024-09-20 Author: The Hacker News [AUSCERT has identified the potentially impacted members and contacted them via Critical MSIN ] Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. CUPS flaws enable Linux remote code execution, but there’s a catch Date: 2024-09-26 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0180/ ] Under certain conditions, attackers can chain a set of vulnerabilities in multiple components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines. Tracked as CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) and discovered by Simone Margaritelli, these security flaws don't affect systems in their default configuration Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk Date: 2024-09-23 Author: The Hacker News A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution. The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF's implementation of the tinydhcp server stemming from a lack of adequate input validation. WordPress Theme & Plugin Vulnerabilities Exposes Thousands of Sites Date: 2024-09-23 Author: Cyber Security News [AUSCERT has identified the potentially impacted members and contacted them via email] Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and WordPress Houzez Login Register plugin. The flaw is identified as CVE-2024-22303 and CVE-2024-21743. It affects versions up to 3.2.4 and 3.2.5 and is classified as a high-priority issue with a CVSS score of 8.8, indicating significant risk. New guidance on detecting and mitigating Active Directory compromises Date: 2024-09-26 Author: ACSC Alongside our international partners, we have released new guidance on Detecting and Mitigating Active Directory compromises. This guidance provides strategies to help organisations mitigate the 17 most prevalent techniques used by malicious cyber actors to target Active Directory and gain access to their networks. Detecting and mitigating Active Directory compromises builds on recent updates to the Information Security Manual (ISM) and includes a checklist with Active Directory security controls for organisations. Critical Ivanti vTM auth bypass bug now exploited in attacks Date: 2024-09-24 Author: Bleeping Computer CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks. Tracked as CVE-2024-7593, this auth bypass flaw is caused by an incorrect implementation of an authentication algorithm that lets remote unauthenticated attackers circumvent authentication on Internet-exposed vTM admin panels. ASB-2024.0180 – Common Unix Printing System (CUPS): CVSS (Max): 9.0 Several critical vulnerabilities have been identified in the Common UNIX Printing System (CUPS) that could allow for remote code execution on Linux systems. However, these flaws necessitate specific configurations or user permissions for exploitation. Users are advised to implement the latest patches or mitigations to reduce potential risks. ESB-2024.6106 – Apache Tomcat: CVSS (Max): None A critical vulnerability has been identified in Apache Tomcat that could enable attackers to bypass security restrictions and gain unauthorised access to sensitive data. The flaw affects multiple versions of the server, necessitating prompt updates to mitigate risks. Users are urged to apply the latest patches to ensure their systems remain secure. ESB-2024.6174 – Google Chrome: CVSS (Max): None Multiple vulnerabilities have been found in Google Chrome, with the most severe enabling arbitrary code execution by attackers. This could allow them to install programs, access, modify, or delete data, or create accounts with full user rights, particularly affecting users with administrative privileges. Those with lower user rights may experience reduced impact but are still at risk. ESB-2024.6028 – OpenShift Container Platform 4.15.33: CVSS (Max): 9.9 Flaws have been identified in Red Hat OpenShift, specifically CVE-2024-45496 and CVE-2024-7387, which could lead to potential privilege escalation and denial of service. These vulnerabilities may allow attackers to gain elevated access or disrupt services. Red Hat recommends users apply the latest updates to mitigate these risks. ESB-2024.6186 – OMNTEC Proteus Tank Monitoring: CVSS (Max): 9.8 Critical vulnerabilities have been discovered in automated tank gauge systems, potentially allowing attackers to manipulate data and disrupt operations. These flaws could lead to significant safety and financial risks for organizations relying on these systems. Experts urge immediate action to address the vulnerabilities and enhance security measures. ESB-2024.6182 – Tenable Nessus Network Monitor: CVSS (Max): 9.8 Tenable has released Nessus Network Monitor 6.5.0 to address multiple vulnerabilities found in third-party components like OpenSSL, expat, curl, and libxml2, which have been updated to secure versions. Additionally, a stored cross-site scripting vulnerability (CVE-2024-9158) was fixed, allowing privileged local attackers to inject code into the UI. Users are urged to upgrade to the latest version to mitigate these risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, With school holidays upon us, many of us have little ones running wild and free – sometimes even on the internet! It's important to teach them about online safety, especially since holidays are a common time for criminals to launch phishing campaigns. Some of these scams target children by offering attractive games, promotions, or advertisements designed to entice them into clicking on malicious links or sharing personal information. To keep children safe online, take proactive steps to secure devices by keeping software up to date. Additionally, educate kids about the dangers of interacting with unknown links and the importance of protecting their personal information. Encourage them to speak up if they encounter anything suspicious or feel uncomfortable about an online interaction. By fostering open communication and awareness, we can help children navigate the internet safely and confidently, even during the busiest holiday seasons. AUSCERT's Sensitive Information Alerts (SIAs) are changing! From Wednesday 26th September, SIAs will no longer be emailed as an encrypted file. Instead, SIA emails will contain a unique URL to the AUSCERT Member Portal where you can generate a temporary link to download the file. This removes the need for encrypted files and will streamline the process! Please note that only an organisation's privileged users will initially have access to download SIAs. That person will be able to provide access to other users in the organisation by assigning the SIA role to them in the Settings/Users & Roles menu option. Privileged users will be able to check this setting a few days before the go-live date next week. To access any historical SIAs issued before the changeover, members will need to access the symmetric key from the Member Portal to decrypt the file. This will require encryption software such as PGP or GnuPG. Follow the link to the encryption keys page and match the thread ID with the received message. Import the decryption key into the encryption software, then select the encrypted file and decrypt it using the software's option. Windows vulnerability abused braille “spaces” in zero-day attacks Date: 2024-09-15 Author: Bleeping Computer [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2024.0176/, https://portal.auscert.org.au/bulletins/ASB-2024.0175/] A recently fixed "Windows MSHTML spoofing vulnerability" tracked under CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group. When first disclosed as part of the September 2024 Patch Tuesday, Microsoft had not marked the vulnerability as previously exploited. However, on Friday, Microsoft updated the CVE-2024-43461 advisory to indicate it had been exploited in attacks before it was fixed. CISA warns of hackers exploiting bug for end-of-life Ivanti product Date: 2024-09-13 Author: CyberScoop An end-of-life version of Ivanti’s cloud IT service management software has a recently released vulnerability that the Cybersecurity and Infrastructure Security Agency says is being exploited. CISA warned that organizations outfitted with Ivanti’s Cloud Service Appliance version 4.6 and below are being targeted by hackers and the bug has been added to the known exploited vulnerabilities (KEV) list. The Utah-based company said on Friday that a “limited number of customers” have confirmed exploitation but did not provide further details. CVE-2024-45186: FileSender Vulnerability Poses Risk to User Credentials, Immediate Action Required Date: 2024-09-13 Author: Security Online A severe security flaw has been identified in FileSender, the popular web-based application that allows authenticated users to securely send large files. The vulnerability, classified as CVE-2024-45186, was discovered by security researcher Jonathan Bouman. This server-side template injection vulnerability allows non-authenticated users to retrieve server credentials, putting sensitive data and systems at risk. Australia Faces Surge in Data Breaches to Highest Level in 3.5 Years Date: 2024-09-16 Author: The Cyber Express The Office of the Australian Information Commissioner (OAIC) has released new statistics revealing that the first half of 2024 saw the highest number of data breach notifications in three and a half years. From January to June 2024, the OAIC report stated that it received 527 notifications of data breaches—a notable increase of 9% compared to the previous six months and the highest since the second half of 2020 in Australia. Cybersecurity incidents continue to be the leading cause of data breaches, accounting for 38% of all reported cases. CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities Date: 2024-09-18 Author: Security Week The US cybersecurity agency CISA and the FBI have issued a Secure by Design alert on the prevalence of cross-site scripting (XSS) vulnerabilities, urging organizations to eliminate them from their products. XSS flaws, the two agencies note in the alert (PDF), exist because user input is not properly validated, sanitized, or escaped, which allows threat actors to inject malicious scripts into web applications, leading to data manipulation, theft, or misuse. “Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures,” CISA and the FBI note. Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks Date: 2024-09-16 Author: The Hacker News Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said. ESB-2024.6010 – GitLab: CVSS (Max): 10.0 GitLab has released several new versions (17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10) for both Community and Enterprise Editions, addressing critical bug and security vulnerabilities, including a SAML authentication bypass. All users with self-managed installations are strongly urged to upgrade immediately. ESB-2024.5955 – Google Chrome: CVSS (Max): None Google has announced the release of Chrome 129, available for Windows, Mac, and Linux users, fixing nine vulnerabilities, including a high-severity flaw in V8. Users are urged to update their browsers to benefit from these security improvements and performance enhancements. ESB-2024.5949 – VMware vCenter Server: CVSS (Max): 9.8 Broadcom has issued fixes for two critical vulnerabilities in VMware vCenter Server, which could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813) when triggered by specially crafted network packets. While Broadcom states there are no known active exploits for CVE-2024-38812, they urge organizations to promptly update to the patched versions. Both vulnerabilities affect vCenter Server versions 8.0 and 7.0, as well as VMware Cloud Foundation versions 5.x and 4.x. ESB-2024.5932 – iOS 18 and iPadOS 18: CVSS (Max): 9.1* Apple has released iOS 18 and iPadOS 18, addressing several security vulnerabilities that could potentially allow unauthorized access to sensitive data or cause system malfunctions. Key issues include risks associated with Siri that could enable access to contacts and user data with physical access to the device. Additional vulnerabilities could lead to denial-of-service attacks and data leaks. ESB-2024.5900 – Citrix Workspace app for Windows: CVSS (Max): 7.0 Citrix has issued security updates for critical vulnerabilities (CVE-2024-7889 and CVE-2024-7890) in the Citrix Workspace app for Windows, which could allow local attackers to escalate privileges to SYSTEM on compromised machines. Affected versions include Current Release (CR) before 2405 and Long Term Service Release (LTSR) prior to 2402 LTSR CU1. Citrix advises users to upgrade to patched versions immediately and recommends security best practices to protect against threats. The U.S. CISA also urges prompt application of these updates. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, R U OK is encouraging everyone to ask "R U OK?" any day, because life happens every day. This reminder comes as 72% of Australians report experiencing elevated levels of distress. Each year, R U OK Day serves as a powerful reminder of the importance of checking in on others' well-being and actively listening to their concerns. Often, those facing challenges may not openly express their feelings, and a simple, empathetic conversation can make a huge difference. Asking "Are you okay?" and genuinely listening can offer emotional support and show someone they are not alone in their struggles. Meaningful connection and open dialogue about mental health help build a supportive and compassionate community. Prioritising mental health reduces stigma and creates an environment where people feel comfortable sharing their feelings and seeking help. It's a reminder that small acts of kindness and genuine concern can profoundly impact someone's life. For a range of free resources for your workplace, home or community, visit the R U OK? Day website. AUSCERT has always been a strong advocate for mental health support and services, actively implementing more mental health initiatives in the workplace and at our conferences. At AUSCERT2024, we again provided an onsite psychologist for attendees, offering the opportunity to discuss anything from mental wellbeing to life coaching. This year, we introduced mindfulness walks in the mornings that allowed delegates to start the day with a peaceful, serene stroll along the beach, and also introduced a dopamine hit of puppy pats and cuddles throughout the day – this was extremely popular! This week, Microsoft addressed and patched critical zero-day vulnerabilities as part of its monthly update. The first vulnerability, identified as CVE-2024-38217, affected Smart App Control and SmartScreen in Windows. This vulnerability allowed malicious files to bypass crucial security warnings and execute without raising any alarms. It appears to have been actively exploited by hackers for at least six years, with numerous samples detected on VirusTotal since 2018! The second vulnerability resided within the Windows Servicing Stack and allowed remote code execution (RCE). Identified as CVE-2024-43491, the cause of this vulnerability was a flaw in the Servicing Stack that essentially rolled back security fixes for optional components in Windows 10 version 1507. This left systems exposed to previously mitigated threats by removing prior security patches installed between March and August 2024. This is a timely reminder to always remain vigilant with patching systems regularly in your environment to mitigate and protect against such critical zero-day vulnerabilities. Please see this AUSCERT bulletin for more information on the above Microsoft vulnerabilities. Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild Date: 2024-09-06 Author: Security Week [AUSCERT issued a critical MSIN to the impacted members (where possible) on 26 August 2024] SonicWall is warning customers that a recently patched SonicOS vulnerability tracked as CVE-2024-40766 may be exploited in the wild. CVE-2024-40766 was disclosed on August 22, when Sonicwall announced the availability of patches for each impacted product series, including Gen 5, Gen 6 and Gen 7 firewalls. The security hole, described as an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access and in some cases it can cause the firewall to crash. Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues Date: 2024-09-05 Author: The Hacker News Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution. The list of shortcomings is below – CVE-2024-40711 (CVSS score: 9.8) – A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution. Progress LoadMaster vulnerable to 10/10 severity RCE flaw Date: 2024-09-08 Author: Bleeping Computer Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device. The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request. Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution Date: 2024-09-08 Author: Security Online [AUSCERT issued a critical MSIN to the impacted members (where possible) on 10 September 2024] Elastic, the company behind the popular open-source data visualization and analytics platform Kibana, has issued a critical security advisory urging users to update immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise. Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities Date: 2024-09-11 Author: The Hacker News Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution. A brief description of the issues is as follows – CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution. NoName ransomware gang deploying RansomHub malware in recent attacks Date: 2024-09-10 Author: Bleeping Computer The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472). ESB-2024.5829 – Nessus: CVSS (Max): 9.8 Tenable has released Nessus 10.7.6 to address critical vulnerabilities in third-party components OpenSSL and expat, which affected earlier versions of the software. The update includes OpenSSL 3.0.15 and expat 2.6.3 to mitigate the identified security risks. Users are urged to upgrade promptly to protect against potential exploits. ASB-2024.0176 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has revealed a critical zero-day vulnerability, CVE-2024-43491, in the Windows Servicing Stack, scoring 9.8 in severity. This flaw, present since the March 2024 update, caused security patches for optional components in Windows 10 version 1507 to be rolled back, leaving systems vulnerable to previously fixed threats. While no active exploitation has been reported, attackers could potentially exploit this to achieve remote code execution. ASB-2024.0173 – ACSC advisory, GRU Unit 29155 cyber actors Russian military cyber actors are targeting critical infrastructure in the U.S. and globally, according to an alert from the Australian Cyber Security Centre. The threat actors are using sophisticated tactics to compromise essential systems. Organizations are urged to enhance their cybersecurity measures to defend against these advanced persistent threats. ESB-2024.5800 – Google Chrome: CVSS (Max): None Multiple vulnerabilities in Google Chrome, including heap buffer overflows and use-after-free issues, could allow for arbitrary code execution. Exploitation of these flaws might enable attackers to install programs, access or alter data, or create new user accounts, particularly impacting systems with administrative privileges. Users are advised to update Chrome to the latest version and follow recommended security practices to mitigate these risks. ESB-2024.5807 – Adobe ColdFusion: CVSS (Max): 9.8 Adobe has also patched CVE-2024-41874, a severe flaw with a CVSS score of 9.8, affecting all ColdFusion 2023 versions. Recent attacks by hackers have intensified the urgency for these updates. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Conference MC Extraordinaire, Adam Spencer In this episode, AUSCERT features the following guests: Adam Spencer Ivano Bongiovanni, AUSCERT Anthony sits down with our favourite conference MC, the one and only Adam Spencer! So many highlights, reflections and changes across his fifteen AUSCERT conferences! In the second half of the episode, Bek chats with Ivano Bongiovanni from AUSCERT to talk about his recent travels to Fiji and Papua New Guinea for the DFAT Cyber and Critical Tech Cooperation Program. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, Spring has sprung! As many of us start thinking about organising and refreshing our homes this season, it's also the perfect time to update our cyber security measures. Regularly reviewing, updating, and optimising our digital habits can greatly enhance the protection of our sensitive information and ensure a safer online experience. Take some time this month to review your security approach! The AUSCERT team is already gearing up for next year's conference, with this year's event becoming a cherished memory. Our team is actively catching up with the program committee and will soon open the call for tutorials and presentations! To relive the fantastic moments from this year, we often revisit the outstanding sessions and activities on our YouTube channel. Some of the highlights from AUSCERT 2024 included a session by Darren Kitchen, founder of HAK5, on innovative implants and deceptive devices—essential tools for red teams worldwide. We also thoroughly enjoyed the presentation by Piotr Kijewski, CEO and Trustee at The ShadowServer Foundation. As well as a talk from Michael Hamm and Christian Studder of CIRCL. To top it all off, there was a live podcast recording from Risky Biz, which was the perfect cherry on top! We can't wait to see what next year has in store! So please save the date for next year's conference – 20th to 23rd May 2025 – returning to the beautiful Gold Coast! If there are keynote speakers who you're eager to see at next year's conference, send us an email with your suggestions at conference@auscert.org.au, and we'll see what we can do! AUSCERT is excited to introduce the Exploitability Index (EI) for its Microsoft ASBs starting Wednesday, 11th September, 2024. Created by Microsoft, the Exploitability Index forecasts which vulnerabilities are likely to be exploited within 30 days of an advisory's release, helping organisations to prioritise their vulnerability management. Featuring a numerical score from 0 to 3, it assists IT professionals to target the most critical vulnerabilities, improves risk management, and facilitates clear communication about security risks. For further information about the Exploitability Index (EI), please visit this Microsoft website. Critical flaw in Zyxel's secure routers allows OS command execution via cookie (CVE-2024-7261) Date: 2024-09-03 Author: Help Net Security Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices. VMware Patches High-Severity Code Execution Flaw in Fusion Date: 2024-09-03 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5613/] The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.” RansomHub hits 210 victims in just 6 months Date: 2024-08-30 Author: The Register [AUSCERT has published a bulletin (ASB-2024.0172) regarding this and also shared IoCs and TTPs via MISP ] As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy. According to the security advisory from CISA, the FBI, the HHS, and the MS-ISAC, RansomHub amassed at least 210 victims since spinning up in February this year. Google Issues Android Attack Warning As 0-Day Threat Strikes Date: 2024-09-04 Author: Forbes [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5624/] Although a number of security issues are addressed by the September update, there is one that demands your attention more than most. Common vulnerabilities and exposures number 32896 for this year, known as CVE-2024-32896, is the most severe, according to Google. This high-severity security vulnerability impacts the Android framework component which, as the name suggests, is rather important. The Android framework is, in effect, a set of different software components that sit at the heart of Android upon which applications are built. Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns Date: 2024-08-30 Author: The Hacker News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0290/] Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024. ESB-2024.5618 – Mozilla Firefox: CVSS (Max): 9.8* Multiple vulnerabilities in Mozilla Firefox could allow for arbitrary code execution by an attacker. This could enable the attacker to install programs, view, alter, or delete data, or create new accounts with full user rights, depending on the user’s privileges. Users with administrative rights are at greater risk compared to those with limited user privileges. ASB-2024.0172 – CISA advisory, RansomHub Ransomware RansomHub, a ransomware-as-a-service that began in February 2024 and is also known as Cyclops and Knight, is targeting sectors such as healthcare, government, and finance. It uses a double-extortion tactic, encrypting and exfiltrating data while employing various initial access methods like phishing and exploitation of vulnerabilities. AUSCERT has shared IoCs and TTPs via MISP to help organizations defend against this threat. ESB-2024.5613 – VMware Fusion: CVSS (Max): 8.8 A high-severity vulnerability in VMware Fusion for macOS allows standard user privileges to execute arbitrary code, potentially leading to unauthorised access or data breaches. The issue is caused by an insecure environment variable. VMware has released a patched version, Fusion 13.6, and users are advised to update immediately to mitigate the risk. ESB-2024.5624 – Google Android: CVSS (Max): 8.4* Google's latest Android security bulletin addresses several vulnerabilities but highlights CVE-2024-32896 as the most critical. This high-severity flaw affects the Android framework and could allow attackers to escalate privileges without additional execution rights. First reported in the June Pixel update and now exploited in the wild, it has been added to the Known Exploited Vulnerabilities Catalog. Users are urged to update their devices immediately to protect against this ongoing threat. ESB-2024.5674 – Cisco Identity Services Engine: CVSS (Max): 6.0 Cisco has patched a critical command injection vulnerability, CVE-2024-20469, in its Identity Services Engine (ISE) that allows attackers with Administrator privileges to escalate to root access. This flaw, caused by inadequate validation of user input, can be exploited through malicious CLI commands. While proof-of-concept exploit code is available, no active exploits have been reported. Cisco has released updates for affected versions and removed a backdoor account from its Smart Licensing Utility to enhance security. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, our team travelled to Adelaide to connect with our members! We had the opportunity for meaningful one-on-one conversations, gathered valuable feedback, and shared updates on our upcoming service developments. There is still time to register for the Digital Nation exclusive Brisbane event that is on Wednesday 4th of September, which delves deep into the evolving landscape of cyber security in Australia. Don't miss the opportunity to hear insights from our General Manager Ivano Bongiovanni! Click here to register. We released a new blog post on Tabletop Exercises (TTXs) this week! TTXs are an essential tool for testing an organisation's ability to respond effectively to security incidents. These exercises help identify gaps in incident response plans and prepare teams for real-world crises by guiding participants through realistic, discussion-based scenarios focused on roles, responsibilities, coordination, and decision-making. TTXs can be tailored to meet your organisation's specific needs, whether for incident response, business continuity, crisis management, or a mix of these areas. Participants from all roles—operational staff, cybersecurity professionals, communication teams, and executives—benefit from these exercises, enhancing cross-role coordination during incidents. Click here to read the full article! In case you missed it, this week we published an analysis of the Jenkins CLI path traversal vulnerability, CVE-2024-23897, exclusively for AUSCERT members. At the time of publication, just over 4% of Jenkins servers worldwide have been updated to mitigate this critical vulnerability. It's often useful to present a trusted third party's review when prioritising patching tasks, and we hope this analysis will assist those of you striving to patch your Jenkins instance. The Analyst Team has added Critical MSINs to AUSCERT's Early Warning SMS Alert Service, in addition to the existing critical vulnerability notifications. Whilst members' existing email notifications remain the same, the contacts nominated for Early Warning SMS Alerts will also now receive a corresponding SMS for Critical MSINs. The text message will always begin with the word "AUSCERT" and will direct the recipient to check for emails from AUSCERT for further information. Members can add additional Early Warning SMS Alert contacts in the Member Portal. Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day Date: None Author: Security Week Malware hunters at Lumen Technologies have caught Chinese APT Volt Typhoon exploiting a fresh zero-day in Versa Director servers to hijack credentials to break into downstream customers’ networks. The high-severity vulnerability, tracked as CVE-2024-39717, was added to the CISA must-patch list over the weekend after Versa Networks confirmed zero-day exploitation and warned that the Versa Director GUI can be hacked to plant malware on affected devices. Exchange Online mistakenly tags emails as malware Date: None Author: Bleeping Computer Microsoft is investigating an Exchange Online false positive issue causing emails containing images to be wrongly tagged as malicious and sent to quarantine. "Users' email messages containing images may be incorrectly flagged as malware and quarantined," Microsoft said in a service alert posted on the Microsoft 365 admin center two hours ago. "We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan." Tracked under EX873252, this ongoing service degradation issue seems to be widespread, according to reports from system administrators, and it also impacts messages with image signatures. Vulnerability prioritization is only the beginning Date: None Author: Help Net Security To date, most technology solutions focused on vulnerability management have focused on the prioritization of risks. That usually took the shape of some risk-ranking structure displayed in a table with links out to the CVEs and other advisory or threat intelligence information. Three steps to secure compliance with Australia’s new technology asset stocktake requirements Date: None Author: Security Brief The recently introduced PSPF Direction 002-2024 requires Australian Government entities to identify and actively manage their technology assets. Compliance is imperative. By June 2025, all government entities and their suppliers must complete a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity. This directive is a crucial step towards strengthening cybersecurity posture and ensuring efficient IT asset management. How Paris Olympic authorities battled cyberattacks, and won gold Date: None Author: SecurityIntelligence The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions. In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event. ESB-2024.5559 – Google Chrome Google has updated Chrome for Desktop versions addressing multiple vulnerabilities ESB-2024.5535 – Drupal Ubuntu has released updates for drupal7 package to patch vulnerabilities that are currently being exploited ESB-2024.5495 – F5 Products A null pointer dereference leading to DoS has been addressed in various F5 products through mitigation ESB-2024.5558 – Cisco Nexus Switches A Denial of Service vulnerability has been fixed in NX-OS Software currently affecting Cisco Nexus 3000 and 7000 Series Switches. Stay safe, stay patched and have a good weekend! The AUSCERT team

Written by AUSCERT Principal Analyst, Mark Carey-Smith Tabletop exercises are referred to by different terms, including “drills”, “simulations”, just “exercises” or “discussion exercises”, though these terms don’t always mean the same thing. NIST’s definition in SP 800-84 is: “Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.” In our context, the emergency situation usually involves a cyber incident. Tabletop exercises, or TTXs, can be oriented towards cyber incident response, business continuity, crisis management or elements of all three, depending on what the organisation running the TTX wants to achieve. Participants can be from any role; operational, cyber security, communications, executives or a combination. Why perform tabletop exercises? Having accurate and easy to understand incident response plans and playbooks is obviously important, but we just don’t know how effective they are until they are tested through use. It’s far safer to do that testing via a simulated incident in a TTX rather than a real one. Running TTXs can help provide an understanding for how people will respond to an incident. Even when we know it’s a simulation, it still gets some of the same juices flowing, which should also help people respond with lower levels of stress during an actual incident. TTXs can engage stakeholders, particularly executive ones, in a way that risk heat maps and logically structured arguments simply don’t, because if they are done well, TTXs can engage stakeholders emotionally. Emotional engagement can be a strong lever for change. By planning and executing TTXs in a progressive and supportive way that values opportunities for improvement, a culture of learning can be created that does not penalise mistakes but instead sees them as teachable moments. Some organisations have contractual obligations, for example from clients, to perform regular TTXs. Some insurance policies may require, or apply pressure via pricing mechanisms, for their clients to perform TTXs. Regulatory requirements, such as for some of the specific entities that fall under the SoCI ACT, require exercises to be performed, while others have implied obligations. The Australian Prudential Regulation Authority has requirements in CPS234 for regulated entities to: “…annually review and test its information security response plans to ensure they remain effective and fit-for-purpose”. In the associated CPG234, tabletop exercises are a recommended way to test incident preparedness. Audit findings may recommend the use of tabletops to improve or validate incident response practices. Such audits might be organisation-specific or sector-wide. To help non-technical stakeholders, like managers or execs, understand the difficulties and complexities of incident response better, such as the considerable amount of time that an incident can take to resolve, including recovery. Some useful information for designing and running TTXs: CISA’s tabletop exercise resources. Use google search “CISA CTEP filetype:docx” to find editable versions of some of their documents. ANSSI has some good resources for what they call ‘cyber crisis management’ exercises The ACSC has re-badged the original Exercise in a Box platform created by the UK’s NCSC and adapted the language and context for Australian audiences. It can be an easier and more structured way to deliver TTXs for first time facilitators. AUSCERT now delivers TTXs as part of our GRC services. We can design and deliver custom-created TTXs for organisations to suit their specific objectives. We can also assist organisations to deliver their own TTXs through assistance with planning, execution and evaluation. Please contact us for more information.

Introduction Medibank experienced a significant data breach in 2022, impacting the sensitive information of 9.7 million customers. The Office of the Australian Information Commissioner (OAIC) alleges that a contributing factor to this breach may have been the absence of Multi-Factor Authentication (MFA), which could have potentially hindered the attackers. AUSCERT compiled this information for its members and the broader community, urging organisations to consider implementing MFA as an additional verification layer before accessing accounts or sensitive information. It is important to note, however, that while MFA enhances security and reduces unauthorised access risks, it does not provide absolute protection for accounts – instances of MFA bypass by attackers have been observed for some time now.   What is Multi-Factor Authentication (MFA)? MFA goes beyond the traditional username-password combination by requiring two or more forms of identity verification to authorise access. These typically include: – Something you know (e.g., password) – Something you have (e.g., mobile device for receiving verification code) – Something you are (e.g., biometric data like fingerprints or facial recognition)   Why MFA is Essential for Security? Enhanced Security Against Password Theft: MFA adds an extra layer of protection by requiring a second form of authentication, like a mobile code or biometric scan, reducing the risk of unauthorised access even if passwords are stolen. Mitigation of Credential Stuffing: MFA disrupts credential stuffing attempts by requiring an additional factor beyond usernames and passwords. User-Friendly Security: Modern MFA solutions balance security with user-friendly options like biometric authentication and push notifications, ensuring a seamless experience while maintaining robust security. Protection of Remote Workforce: With the rise of remote work, MFA secures access to corporate networks from any location, potentially preventing unauthorised entry even on unsecured networks. Long-Term Cost-Effectiveness: Despite initial setup costs, MFA significantly reduces potential costs from data breaches and cyberattacks, safeguarding financial assets and reputation. Enhanced Consumer Trust: Implementing MFA assures customers that the organisation is implementing robust cyber security practices; this in turn can foster lasting client relationships.   Best Practices for Implementing MFA in Organisations While specific practices may vary, common best practices include: Clearly defining which systems and data assets require MFA based on risk assessments and compliance needs. Choosing authentication factors based on security requirements and user convenience. Ensuring compatibility with existing IT systems and applications using standard protocols. Implementing user-friendly MFA methods such as push notifications or biometrics to encourage adoption. Conducting regular training sessions to educate users on MFA usage and security best practices. Maintaining robust monitoring, incident response, and regular updates to keep MFA systems secure and effective. Monitoring performance metrics, gathering feedback, and adjusting MFA policies as needed to address evolving threats.   Challenges in Adopting MFA Despite its benefits, organisations may face challenges such as user resistance, integration with legacy systems, and initial investment costs during MFA implementation.   Conclusion It is crucial for organisations to adopt MFA to protect their data and maintain trust with customers and partners. By effectively implementing MFA, organisations can better defend against cyber threats and ensure the security of sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cybersecurity risks and safeguarding sensitive data.

Greetings, This week, we released Episode 36 of our Share Today, Save Tomorrow podcast titled The Changing Face of Incident Response. In this episode, Kylie Watson from DXC joins us to discuss the evolving landscape of incident response and the critical importance of having a robust decision-making process. In the second half, Bek dives deep into tabletop exercises with our Principal Analyst, Mark-Carey Smith. Tune in now! Adelaide members, check your inbox for news about our upcoming member meet-up on August 29th! These gatherings are excellent opportunities to connect with fellow members, exchange ideas, and enjoy some refreshments. During these catch ups we also host a session designed to help you maximize your membership, showcasing what AUSCERT can do for you. Our team will guide you through each of our services, and we’ll open the floor for a TLP:RED discussion, allowing members to share insights in confidence. Don’t miss out on this chance to make new connections and have a fantastic time! Keep an eye out for an invitation as we will be coming your way soon! After tremendous success in Sydney and Melbourne, Digital Nation is bringing Digital As Usual: Cyber to Brisbane, and AUSCERT is thrilled to sponsor this event! This gathering will delve into Digital Nation’s latest ‘Digital as Usual’ report, bringing together security leaders, C-level executives, and board directors to explore strategies for building more robust cyber programs. With our General Manager, Ivano Bongiovanni, among the expert speakers, we are very excited for this event! For more information and to register head to their website! Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities Date: 2024-08-14 Author: Security Week Intel and AMD have each informed customers about dozens of vulnerabilities found and patched in their products. Intel has published 43 new advisories that cover a total of roughly 70 security holes. Nine advisories describe high-severity vulnerabilities. … AMD published eight new advisories on Patch Tuesday to inform customers about 46 vulnerabilities. Fortinet, Zoom Patch Multiple Vulnerabilities Date: 2024-08-14 Author: Security Week Patches announced on Tuesday by Fortinet and Zoom address multiple vulnerabilities, including high-severity flaws leading to information disclosure and privilege escalation in Zoom products. Fortinet released patches for three security defects impacting FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager, including two medium-severity flaws and a low-severity bug. Critical SAP flaw allows remote attackers to bypass authentication Date: 2024-08-13 Author: Bleeping Computer SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system. The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions. '0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk Date: 2024-08-09 Author: Dark Reading [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0162] Attackers can use a flaw that exploits the 0.0.0.0 IP address to remotely execute code on various Web browsers — Chrome, Safari, Firefox, and others — putting users at risk for data theft, malware, and other malicious activity. Researchers at open source security firm Oligo Security have discovered a way to bypass browser security and interact with services running on an organization's local network from outside the network, that they are calling "0.0.0.0 Day," because of the Web address it exploits. Django Releases Security Updates to Address Critical Flaw (CVE-2024-42005, CVSS 9.8) Date: 2024-08-09 Author: Security Online [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0161] The Django team has issued security updates for Django 5.0.8 and 4.2.15 to address multiple vulnerabilities, including potential denial-of-service (DoS) attacks and a critical SQL injection vulnerability. All Django users are strongly urged to upgrade to the patched versions as soon as possible. Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It is widely used for building secure and scalable web applications. ESB-2024.5281 – Flatpak: CVSS (Max): 10.0 An update of Flatpak was released to address a flaw in the handling of mounts for persistent directories. A malicious or compromised Flatpak app could take advantage of this flaw to access files outside of the sandbox. ESB-2024.5174 – Tenable Security Center: CVSS (Max): 9.1 Security Center leverages third-party software to help provide underlying functionality. Several of the third-party components (Apache, libcurl) were found to contain vulnerabilities, and updated versions have been made available by the providers. ASB-2024.0167 – Microsoft ESU: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 42 vulnerabilities across various Windows Server products. A critical zero-click TCP/IP vulnerability in Windows, affecting all systems with IPv6 enabled, could allow remote code execution through specially crafted packets. Microsoft urges users to patch immediately due to the high risk of exploitation. ASB-2024.0163 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 65 vulnerabilities across Windows 10, 11 and Server products. ESB-2024.5158 – Python for Scientific Computing: CVSS (Max): 9.8* Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Changing face of Incident Response In this episode, AUSCERT features the following guests: Kylie Watson, DXC Mark Carey-Smith, AUSCERT Anthony sits down with Kylie Watson from DXC to talk about the the changing face of Incident Response and the inportance of having robust decision making processes. In the second half of the episode, Bek chats with Mark Carey-Smith from AUSCERT to talk about business disruption and a deep dive into Tabletop Exercises. This episode was hosted by Anthony Caruana and Bek Cheb.   Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, We continuously strive to help our members minimize their exposure to cyber threats and understand that effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploitation Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting August 12, 2024. Read our blog article for more information!. This week, CrowdStrike published a root cause analysis of the recent widespread outage caused by a faulty update pushed out to its Falcon customers. The report details the chain of events and multiple independent testing failures that occurred during the creation and validation of the problematic configuration file distributed to customers. After such a widespread outage causing billions of dollars in damage across multiple countries, many are questioning who is legally responsible. Microsoft, whose ecosystem was impacted, estimated the outage affected 8.5 million Windows devices. Some organisations that were significantly affected by the incident have begun seeking legal recourse against CrowdStrike for compensation for the disruption to business. Delta Air Lines, which suffered widespread flight disruptions and service failures, is seeking financial damages against CrowdStrike. The outages cost Delta an estimated US$350 million to $500 million, as they are dealing with over 176,000 refund or reimbursement requests after almost 7,000 flights were cancelled. However, CrowdStrike has rejected allegations of gross negligence or misconduct, arguing that the terms and conditions of their contracts may limit their liability to customers, thereby severely restricting options for seeking redress under contract law. This has led some law firms to explore the possibility of pursuing class action under other claims, such as negligence. This case reveals the vulnerability of global supply chains and the significant impact IT disruptions can have on organisations worldwide. Major insurance companies are closely monitoring the situation, and many businesses are now scrutinizing their cyber insurance policies. This incident has prompted many to consider whether additional legal ramifications should be established to better protect consumers and hold responsible parties more accountable for their actions. Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code Date: 2024-08-07 Author: Cyber Security News [AUSCERT has identified the impacted members (where possible) and contacted them via email] Kibana, a popular open-source data visualization and exploration tool, has identified a critical security flaw that could allow attackers to execute arbitrary code. This vulnerability, tracked as CVE-2024-37287, has a CVSSv3 severity rating of 9.9, indicating its critical nature. The flaw arises from a prototype pollution vulnerability that can be exploited by attackers with access to Machine Learning (ML) and Alerting connector features and write access to internal ML indices. Exploiting this vulnerability allows attackers to execute arbitrary code, posing significant security risks, as reported by Elastic Cloud. Chrome, Firefox Updates Patch Serious Vulnerabilities Date: 2024-08-07 Author: Security Week [Please also see AUSCERT's bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.5054/ & https://portal.auscert.org.au/bulletins/ESB-2024.5049/] Mozilla and Google both updated their web browsers on Tuesday and the latest versions patch several potentially serious vulnerabilities. Google updated Chrome to version 127.0.6533.99, which fixes six vulnerabilities, including a critical out-of-bounds memory access issue in the Angle component. A reward has yet to be determined for this flaw, which is tracked as CVE-2024-7532. Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key Date: 2024-08-07 Author: Forbes AgileBits, the developer of the hugely popular 1Password password manager, has confirmed that a critical security vulnerability could have allowed an attacker to exfiltrate password vault items and potentially obtain account unlock keys from macOS users. What Is CVE-2024-42219? In a 1Password support posting it was stated that CVE-2024-42219 could enable a “malicious process running locally on a machine to bypass inter-process communication protections” and allow the malicious software in question to “exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and SRP-𝑥.” Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers Date: 2024-08-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4972/] Organizations using certain Logix programmable logic controllers (PLCs) made by Rockwell Automation have been informed about a high-severity security bypass vulnerability discovered by researchers at industrial cybersecurity firm Claroty. On August 1, Claroty published a blog post describing its findings, and Rockwell and the cybersecurity agency CISA published advisories for the flaw, which is tracked as CVE-2024-6242. Google fixes Android kernel zero-day exploited in targeted attacks Date: 2024-08-07 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5013] Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks. The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weakness in the Linux kernel's network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections. Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords Date: 2024-08-07 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and contacted them via email] Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week. CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash Date: 2024-08-06 Author: Security Week Embattled cybersecurity vendor CrowdStrike on Tuesday released a root cause analysis detailing the technical mishap behind a software update crash that crippled Windows systems globally and blamed the incident on a confluence of security vulnerabilities and process gaps. The new CrowdStrike root cause analysis documents a combination of factors the Falcon EDR sensor crash — a mismatch between inputs validated by a Content Validator and those provided to a Content Interpreter, an out-of-bounds read issue in the Content Interpreter, and the absence of a specific test — and a vow to work with Microsoft on secure and reliable access to the Windows kernel. ESB-2024.4645.2 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0 The Cisco PSIRT has updated its initial advisory from July 2027 to confirm that proof-of-concept exploit code is now available for the vulnerability discussed in the advisory. However, they have not reported any instances of malicious exploitation related to this vulnerability. AUSCERT advises its members to apply the patches immediately if they haven't already done so, to prevent potential exploitation. ESB-2024.5095 – Jenkins (core):CVSS (Max): 9.0 The Jenkins Security Advisory 2024-08-07 addresses critical vulnerabilities in Jenkins core that could lead to arbitrary file read and potential remote code execution (CVE-2024-43044). It also highlights a medium-severity issue allowing unauthorized access to other users' "My Views" (CVE-2024-43045). Updates in Jenkins versions 2.471 and LTS 2.452.4 resolve these vulnerabilities. ASB-2024.0160 – EPSS Score Starting August 12, 2024, AUSCERT will include Exploitation Prediction Scoring System (EPSS) scores in Bulletins and Critical MSINs to indicate the likelihood of vulnerability exploitation. The EPSS score will be displayed alongside the CVSS score for Bulletins and in the Overview of Critical MSINs. Members should use up-to-date EPSS values for informed vulnerability management. ESB-2024.5054 – Google Chrome: CVSS (Max): 8.8* On August 6, 2024, Chrome’s Stable channel updated to version 127.0.6533.99 for Windows, Mac, and Linux, introducing five security fixes. Notable fixes include critical and high-severity vulnerabilities reported by external researchers, such as out-of-bounds memory access and use-after-free issues. ESB-2024.5049 – Firefox: CVSS (Max): 9.8* Mozilla's Security Advisory 2024-33, released August 6, 2024, addresses high-impact vulnerabilities in Firefox 129. Key issues include CVE-2024-7518, which allows fullscreen dialogs to be obscured, and CVE-2024-7519, involving out-of-bounds memory access in graphics handling. Other critical fixes cover type confusion in WebAssembly and various use-after-free vulnerabilities. ESB-2024.5013 – Android: CVSS (Max): 9.8* The August 2024 Android Security Bulletin addresses high-severity vulnerabilities affecting Android devices, including critical privilege escalation issues in the Framework component. The patch levels of 2024-08-05 or later resolve these issues. Updates are available in the AOSP repository , with Android partners notified in advance. Stay safe, stay patched and have a good weekend! The AUSCERT team