Week in review

AUSCERT Week in Review for 30th August 2024

Greetings,

This week, our team travelled to Adelaide to connect with our members! We had the opportunity for meaningful one-on-one conversations, gathered valuable feedback, and shared updates on our upcoming service developments.

There is still time to register for the Digital Nation exclusive Brisbane event on Wednesday 4th of September, which delves deep into the evolving landscape of cyber security in Australia. Don't miss the opportunity to hear insights from our General Manager Ivano Bongiovanni! Click here to register.

We released a new blog post on Tabletop Exercises (TTXs) this week! TTXs are an essential tool for testing an organisation's ability to respond effectively to security incidents. These exercises help identify gaps in incident response plans and prepare teams for real-world crises by guiding participants through realistic, discussion-based scenarios focused on roles, responsibilities, coordination, and decision-making. TTXs can be tailored to meet your organisation's specific needs, whether for incident response, business continuity, crisis management, or a mix of these areas. Participants from all roles—operational staff, cybersecurity professionals, communication teams, and executives—benefit from these exercises, enhancing cross-role coordination during incidents. Click here to read the full article!

In case you missed it, this week we published an analysis of the Jenkins CLI path traversal vulnerability, CVE-2024-23897, exclusively for AUSCERT members. At the time of publication, just over 4% of Jenkins servers worldwide have been updated to mitigate this critical vulnerability. It's often useful to present a trusted third party's review when prioritising patching tasks, and we hope this analysis will assist those of you striving to patch your Jenkins instance.

The Analyst Team has added Critical MSINs to AUSCERT's Early Warning SMS Alert Service, in addition to the existing critical vulnerability notifications. Whilst members' existing email notifications remain the same, the contacts nominated for Early Warning SMS Alerts will now also receive a corresponding SMS for Critical MSINs. The text message will always begin with the word "AUSCERT" and will direct the recipient to check for emails from AUSCERT for further information. Members can add additional Early Warning SMS Alert contacts in the Member Portal.

Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day
Author: Security Week
Malware hunters at Lumen Technologies have caught Chinese APT Volt Typhoon exploiting a fresh zero-day in Versa Director servers to hijack credentials to break into downstream customers' networks. The high-severity vulnerability, tracked as CVE-2024-39717, was added to the CISA must-patch list over the weekend after Versa Networks confirmed zero-day exploitation and warned that the Versa Director GUI can be hacked to plant malware on affected devices.

Exchange Online mistakenly tags emails as malware
Author: Bleeping Computer
Microsoft is investigating an Exchange Online false positive issue causing emails containing images to be wrongly tagged as malicious and sent to quarantine. "Users' email messages containing images may be incorrectly flagged as malware and quarantined," Microsoft said in a service alert posted on the Microsoft 365 admin center two hours ago. "We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan." Tracked under EX873252, this ongoing service degradation issue seems to be widespread, according to reports from system administrators, and it also impacts messages with image signatures.

Vulnerability prioritization is only the beginning
Author: Help Net Security
To date, most technology solutions focused on vulnerability management have focused on the prioritization of risks. That usually took the shape of some risk-ranking structure displayed in a table with links out to the CVEs and other advisory or threat intelligence information.

Three steps to secure compliance with Australia's new technology asset stocktake requirements
Author: Security Brief
The recently introduced PSPF Direction 002-2024 requires Australian Government entities to identify and actively manage their technology assets. Compliance is imperative. By June 2025, all government entities and their suppliers must complete a technology asset stocktake on all internet-facing systems or services to identify all technology assets managed by, or on behalf of, the entity. This directive is a crucial step towards strengthening cybersecurity posture and ensuring efficient IT asset management.

How Paris Olympic authorities battled cyberattacks, and won gold
Author: SecurityIntelligence
The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions. In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.

ESB-2024.5559 – Google Chrome
Google has updated Chrome for Desktop versions addressing multiple vulnerabilities.

ESB-2024.5535 – Drupal
Ubuntu has released updates for the drupal7 package to patch vulnerabilities that are currently being exploited.

ESB-2024.5495 – F5 Products
A null pointer dereference leading to DoS has been addressed in various F5 products through mitigation.

ESB-2024.5558 – Cisco Nexus Switches
A Denial of Service vulnerability has been fixed in NX-OS Software currently affecting Cisco Nexus 3000 and 7000 Series Switches.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

Tabletop Exercises

Written by AUSCERT Principal Analyst, Mark Carey-Smith

Tabletop exercises are referred to by different terms, including "drills", "simulations", just "exercises" or "discussion exercises", though these terms don't always mean the same thing. NIST's definition in SP 800-84 is:

"Tabletop exercises are discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources."

In our context, the emergency situation usually involves a cyber incident. Tabletop exercises, or TTXs, can be oriented towards cyber incident response, business continuity, crisis management or elements of all three, depending on what the organisation running the TTX wants to achieve. Participants can be from any role: operational, cyber security, communications, executives or a combination.

Why perform tabletop exercises?

Having accurate and easy to understand incident response plans and playbooks is obviously important, but we just don't know how effective they are until they are tested through use. It's far safer to do that testing via a simulated incident in a TTX rather than a real one.

Running TTXs can help provide an understanding of how people will respond to an incident. Even when we know it's a simulation, it still gets some of the same juices flowing, which should also help people respond with lower levels of stress during an actual incident.

TTXs can engage stakeholders, particularly executive ones, in a way that risk heat maps and logically structured arguments simply don't, because if they are done well, TTXs can engage stakeholders emotionally. Emotional engagement can be a strong lever for change.

By planning and executing TTXs in a progressive and supportive way that values opportunities for improvement, a culture of learning can be created that does not penalise mistakes but instead sees them as teachable moments.

Some organisations have contractual obligations, for example from clients, to perform regular TTXs. Some insurance policies may require, or apply pressure via pricing mechanisms, for their clients to perform TTXs.

Regulatory requirements, such as for some of the specific entities that fall under the SOCI Act, require exercises to be performed, while others have implied obligations. The Australian Prudential Regulation Authority has requirements in CPS 234 for regulated entities to: "…annually review and test its information security response plans to ensure they remain effective and fit-for-purpose". In the associated CPG 234, tabletop exercises are a recommended way to test incident preparedness.

Audit findings may recommend the use of tabletops to improve or validate incident response practices. Such audits might be organisation-specific or sector-wide.

TTXs also help non-technical stakeholders, like managers or execs, better understand the difficulties and complexities of incident response, such as the considerable amount of time that an incident can take to resolve, including recovery.

Some useful information for designing and running TTXs:

CISA's tabletop exercise resources. Use the Google search "CISA CTEP filetype:docx" to find editable versions of some of their documents.

ANSSI has some good resources for what they call 'cyber crisis management' exercises.

The ACSC has re-badged the original Exercise in a Box platform created by the UK's NCSC and adapted the language and context for Australian audiences. It can be an easier and more structured way to deliver TTXs for first-time facilitators.

AUSCERT now delivers TTXs as part of our GRC services. We can design and deliver custom-created TTXs for organisations to suit their specific objectives. We can also assist organisations to deliver their own TTXs through assistance with planning, execution and evaluation. Please contact us for more information.


Blogs

Multi-Factor Authentication (MFA): An Important, Additional Security Layer

Introduction

Medibank experienced a significant data breach in 2022, impacting the sensitive information of 9.7 million customers. The Office of the Australian Information Commissioner (OAIC) alleges that a contributing factor to this breach may have been the absence of Multi-Factor Authentication (MFA), which could have potentially hindered the attackers. AUSCERT compiled this information for its members and the broader community, urging organisations to consider implementing MFA as an additional verification layer before accessing accounts or sensitive information. It is important to note, however, that while MFA enhances security and reduces unauthorised access risks, it does not provide absolute protection for accounts – instances of MFA bypass by attackers have been observed for some time now.

What is Multi-Factor Authentication (MFA)?

MFA goes beyond the traditional username-password combination by requiring two or more forms of identity verification to authorise access. These typically include:

– Something you know (e.g., password)
– Something you have (e.g., mobile device for receiving verification code)
– Something you are (e.g., biometric data like fingerprints or facial recognition)

Why is MFA Essential for Security?

Enhanced Security Against Password Theft: MFA adds an extra layer of protection by requiring a second form of authentication, like a mobile code or biometric scan, reducing the risk of unauthorised access even if passwords are stolen.

Mitigation of Credential Stuffing: MFA disrupts credential stuffing attempts by requiring an additional factor beyond usernames and passwords.

User-Friendly Security: Modern MFA solutions balance security with user-friendly options like biometric authentication and push notifications, ensuring a seamless experience while maintaining robust security.

Protection of Remote Workforce: With the rise of remote work, MFA secures access to corporate networks from any location, potentially preventing unauthorised entry even on unsecured networks.

Long-Term Cost-Effectiveness: Despite initial setup costs, MFA significantly reduces potential costs from data breaches and cyberattacks, safeguarding financial assets and reputation.

Enhanced Consumer Trust: Implementing MFA assures customers that the organisation is implementing robust cyber security practices; this in turn can foster lasting client relationships.

Best Practices for Implementing MFA in Organisations

While specific practices may vary, common best practices include:

– Clearly defining which systems and data assets require MFA based on risk assessments and compliance needs.
– Choosing authentication factors based on security requirements and user convenience.
– Ensuring compatibility with existing IT systems and applications using standard protocols.
– Implementing user-friendly MFA methods such as push notifications or biometrics to encourage adoption.
– Conducting regular training sessions to educate users on MFA usage and security best practices.
– Maintaining robust monitoring, incident response, and regular updates to keep MFA systems secure and effective.
– Monitoring performance metrics, gathering feedback, and adjusting MFA policies as needed to address evolving threats.

Challenges in Adopting MFA

Despite its benefits, organisations may face challenges such as user resistance, integration with legacy systems, and initial investment costs during MFA implementation.

Conclusion

It is crucial for organisations to adopt MFA to protect their data and maintain trust with customers and partners. By effectively implementing MFA, organisations can better defend against cyber threats and ensure the security of sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cybersecurity risks and safeguarding sensitive data.


Week in review

AUSCERT Week in Review for 16th August 2024

Greetings,

This week, we released Episode 36 of our Share Today, Save Tomorrow podcast titled The Changing Face of Incident Response. In this episode, Kylie Watson from DXC joins us to discuss the evolving landscape of incident response and the critical importance of having a robust decision-making process. In the second half, Bek dives deep into tabletop exercises with our Principal Analyst, Mark Carey-Smith. Tune in now!

Adelaide members, check your inbox for news about our upcoming member meet-up on August 29th! These gatherings are excellent opportunities to connect with fellow members, exchange ideas, and enjoy some refreshments. During these catch-ups we also host a session designed to help you maximize your membership, showcasing what AUSCERT can do for you. Our team will guide you through each of our services, and we'll open the floor for a TLP:RED discussion, allowing members to share insights in confidence. Don't miss out on this chance to make new connections and have a fantastic time! Keep an eye out for an invitation as we will be coming your way soon!

After tremendous success in Sydney and Melbourne, Digital Nation is bringing Digital As Usual: Cyber to Brisbane, and AUSCERT is thrilled to sponsor this event! This gathering will delve into Digital Nation's latest 'Digital as Usual' report, bringing together security leaders, C-level executives, and board directors to explore strategies for building more robust cyber programs. With our General Manager, Ivano Bongiovanni, among the expert speakers, we are very excited for this event! For more information and to register, head to their website!

Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities
Date: 2024-08-14 Author: Security Week
Intel and AMD have each informed customers about dozens of vulnerabilities found and patched in their products. Intel has published 43 new advisories that cover a total of roughly 70 security holes. Nine advisories describe high-severity vulnerabilities.
…
AMD published eight new advisories on Patch Tuesday to inform customers about 46 vulnerabilities.

Fortinet, Zoom Patch Multiple Vulnerabilities
Date: 2024-08-14 Author: Security Week
Patches announced on Tuesday by Fortinet and Zoom address multiple vulnerabilities, including high-severity flaws leading to information disclosure and privilege escalation in Zoom products. Fortinet released patches for three security defects impacting FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager, including two medium-severity flaws and a low-severity bug.

Critical SAP flaw allows remote attackers to bypass authentication
Date: 2024-08-13 Author: Bleeping Computer
SAP has released its security patch package for August 2024, addressing 17 vulnerabilities, including a critical authentication bypass that could allow remote attackers to fully compromise the system. The flaw, tracked as CVE-2024-41730 and rated 9.8 as per the CVSS v3.1 system, is a "missing authentication check" bug impacting SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and is exploitable under certain conditions.

'0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk
Date: 2024-08-09 Author: Dark Reading
[See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0162]
Attackers can use a flaw that exploits the 0.0.0.0 IP address to remotely execute code on various Web browsers — Chrome, Safari, Firefox, and others — putting users at risk for data theft, malware, and other malicious activity. Researchers at open source security firm Oligo Security have discovered a way to bypass browser security and interact with services running on an organization's local network from outside the network, which they are calling "0.0.0.0 Day" because of the Web address it exploits.

Django Releases Security Updates to Address Critical Flaw (CVE-2024-42005, CVSS 9.8)
Date: 2024-08-09 Author: Security Online
[See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0161]
The Django team has issued security updates for Django 5.0.8 and 4.2.15 to address multiple vulnerabilities, including potential denial-of-service (DoS) attacks and a critical SQL injection vulnerability. All Django users are strongly urged to upgrade to the patched versions as soon as possible. Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It is widely used for building secure and scalable web applications.

ESB-2024.5281 – Flatpak: CVSS (Max): 10.0
An update of Flatpak was released to address a flaw in the handling of mounts for persistent directories. A malicious or compromised Flatpak app could take advantage of this flaw to access files outside of the sandbox.

ESB-2024.5174 – Tenable Security Center: CVSS (Max): 9.1
Security Center leverages third-party software to help provide underlying functionality. Several of the third-party components (Apache, libcurl) were found to contain vulnerabilities, and updated versions have been made available by the providers.

ASB-2024.0167 – Microsoft ESU: CVSS (Max): 9.8
Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 42 vulnerabilities across various Windows Server products. A critical zero-click TCP/IP vulnerability in Windows, affecting all systems with IPv6 enabled, could allow remote code execution through specially crafted packets. Microsoft urges users to patch immediately due to the high risk of exploitation.

ASB-2024.0163 – Microsoft Windows: CVSS (Max): 9.8
Microsoft has released its monthly security patch update for the month of August 2024. This update resolves 65 vulnerabilities across Windows 10, 11 and Server products.

ESB-2024.5158 – Python for Scientific Computing: CVSS (Max): 9.8*
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing version 4.2.1.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Week in review

AUSCERT Week in Review for 9th August 2024

Greetings,

We continuously strive to help our members minimize their exposure to cyber threats and understand that effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploitation Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting August 12, 2024. Read our blog article for more information!

This week, CrowdStrike published a root cause analysis of the recent widespread outage caused by a faulty update pushed out to its Falcon customers. The report details the chain of events and multiple independent testing failures that occurred during the creation and validation of the problematic configuration file distributed to customers.

After such a widespread outage causing billions of dollars in damage across multiple countries, many are questioning who is legally responsible. Microsoft, whose ecosystem was impacted, estimated the outage affected 8.5 million Windows devices. Some organisations that were significantly affected by the incident have begun seeking legal recourse against CrowdStrike for compensation for the disruption to business. Delta Air Lines, which suffered widespread flight disruptions and service failures, is seeking financial damages against CrowdStrike. The outages cost Delta an estimated US$350 million to $500 million, as they are dealing with over 176,000 refund or reimbursement requests after almost 7,000 flights were cancelled. However, CrowdStrike has rejected allegations of gross negligence or misconduct, arguing that the terms and conditions of their contracts may limit their liability to customers, thereby severely restricting options for seeking redress under contract law. This has led some law firms to explore the possibility of pursuing class action under other claims, such as negligence.

This case reveals the vulnerability of global supply chains and the significant impact IT disruptions can have on organisations worldwide. Major insurance companies are closely monitoring the situation, and many businesses are now scrutinizing their cyber insurance policies. This incident has prompted many to consider whether additional legal ramifications should be established to better protect consumers and hold responsible parties more accountable for their actions.

Critical Kibana Vulnerability Let Attackers Execute Arbitrary Code
Date: 2024-08-07 Author: Cyber Security News
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Kibana, a popular open-source data visualization and exploration tool, has identified a critical security flaw that could allow attackers to execute arbitrary code. This vulnerability, tracked as CVE-2024-37287, has a CVSSv3 severity rating of 9.9, indicating its critical nature. The flaw arises from a prototype pollution vulnerability that can be exploited by attackers with access to Machine Learning (ML) and Alerting connector features and write access to internal ML indices. Exploiting this vulnerability allows attackers to execute arbitrary code, posing significant security risks, as reported by Elastic Cloud.

Chrome, Firefox Updates Patch Serious Vulnerabilities
Date: 2024-08-07 Author: Security Week
[Please also see AUSCERT's bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.5054/ & https://portal.auscert.org.au/bulletins/ESB-2024.5049/]
Mozilla and Google both updated their web browsers on Tuesday and the latest versions patch several potentially serious vulnerabilities. Google updated Chrome to version 127.0.6533.99, which fixes six vulnerabilities, including a critical out-of-bounds memory access issue in the Angle component. A reward has yet to be determined for this flaw, which is tracked as CVE-2024-7532.

Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key
Date: 2024-08-07 Author: Forbes
AgileBits, the developer of the hugely popular 1Password password manager, has confirmed that a critical security vulnerability could have allowed an attacker to exfiltrate password vault items and potentially obtain account unlock keys from macOS users. What Is CVE-2024-42219? In a 1Password support posting it was stated that CVE-2024-42219 could enable a "malicious process running locally on a machine to bypass inter-process communication protections" and allow the malicious software in question to "exfiltrate vault items, as well as obtain derived values used to sign in to 1Password, specifically the account unlock key and SRP-x."

Security Bypass Vulnerability Found in Rockwell Automation Logix Controllers
Date: 2024-08-02 Author: Security Week
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4972/]
Organizations using certain Logix programmable logic controllers (PLCs) made by Rockwell Automation have been informed about a high-severity security bypass vulnerability discovered by researchers at industrial cybersecurity firm Claroty. On August 1, Claroty published a blog post describing its findings, and Rockwell and the cybersecurity agency CISA published advisories for the flaw, which is tracked as CVE-2024-6242.

Google fixes Android kernel zero-day exploited in targeted attacks
Date: 2024-08-07 Author: Bleeping Computer
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5013]
Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks. The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weakness in the Linux kernel's network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections.

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords
Date: 2024-08-07 Author: The Hacker News
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week.

CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash
Date: 2024-08-06 Author: Security Week
Embattled cybersecurity vendor CrowdStrike on Tuesday released a root cause analysis detailing the technical mishap behind a software update crash that crippled Windows systems globally and blamed the incident on a confluence of security vulnerabilities and process gaps. The new CrowdStrike root cause analysis documents a combination of factors behind the Falcon EDR sensor crash — a mismatch between inputs validated by a Content Validator and those provided to a Content Interpreter, an out-of-bounds read issue in the Content Interpreter, and the absence of a specific test — and a vow to work with Microsoft on secure and reliable access to the Windows kernel.

ESB-2024.4645.2 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0
The Cisco PSIRT has updated its initial advisory from July 2027 to confirm that proof-of-concept exploit code is now available for the vulnerability discussed in the advisory. However, they have not reported any instances of malicious exploitation related to this vulnerability. AUSCERT advises its members to apply the patches immediately if they haven't already done so, to prevent potential exploitation.

ESB-2024.5095 – Jenkins (core): CVSS (Max): 9.0
The Jenkins Security Advisory 2024-08-07 addresses critical vulnerabilities in Jenkins core that could lead to arbitrary file read and potential remote code execution (CVE-2024-43044). It also highlights a medium-severity issue allowing unauthorized access to other users' "My Views" (CVE-2024-43045). Updates in Jenkins versions 2.471 and LTS 2.452.4 resolve these vulnerabilities.

ASB-2024.0160 – EPSS Score
Starting August 12, 2024, AUSCERT will include Exploitation Prediction Scoring System (EPSS) scores in Bulletins and Critical MSINs to indicate the likelihood of vulnerability exploitation. The EPSS score will be displayed alongside the CVSS score for Bulletins and in the Overview of Critical MSINs. Members should use up-to-date EPSS values for informed vulnerability management.

ESB-2024.5054 – Google Chrome: CVSS (Max): 8.8*
On August 6, 2024, Chrome's Stable channel updated to version 127.0.6533.99 for Windows, Mac, and Linux, introducing five security fixes. Notable fixes include critical and high-severity vulnerabilities reported by external researchers, such as out-of-bounds memory access and use-after-free issues.

ESB-2024.5049 – Firefox: CVSS (Max): 9.8*
Mozilla's Security Advisory 2024-33, released August 6, 2024, addresses high-impact vulnerabilities in Firefox 129. Key issues include CVE-2024-7518, which allows fullscreen dialogs to be obscured, and CVE-2024-7519, involving out-of-bounds memory access in graphics handling. Other critical fixes cover type confusion in WebAssembly and various use-after-free vulnerabilities.

ESB-2024.5013 – Android: CVSS (Max): 9.8*
The August 2024 Android Security Bulletin addresses high-severity vulnerabilities affecting Android devices, including critical privilege escalation issues in the Framework component. The patch levels of 2024-08-05 or later resolve these issues. Updates are available in the AOSP repository, with Android partners notified in advance.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

Exploitation Prediction Scoring System (EPSS) Score

We are continuously striving to help our members minimise their exposure to cyber threats and understand that managing effective prioritisation in vulnerability management is a growing concern. To assist with these efforts, AUSCERT is pleased to introduce the Exploitation Prediction Scoring System (EPSS) within our bulletins and Critical MSINs, starting August 12 2024.

Important: AUSCERT advises members to research EPSS thoroughly before considering its application in vulnerability management.

What is EPSS?

EPSS, developed by FIRST (Forum of Incident Response and Security Teams), employs advanced algorithms to forecast the likelihood of vulnerabilities being exploited in real-world scenarios. Higher EPSS scores indicate a heightened risk of exploitation, enabling our members to prioritise their remediation efforts on the most critical vulnerabilities. This initiative is designed to bolster proactive cybersecurity measures and enhance overall resilience against potential threats.

EPSS vs CVSS

CVSS serves as a reliable framework for assessing vulnerability severity, whereas EPSS offers an additional layer of insight by predicting the likelihood of exploitation. CVSS evaluates vulnerabilities based on their characteristics and potential impacts but lacks real-world threat data. In contrast, EPSS predictions draw from the latest risk intelligence sourced from the CVE repository and empirical data on actual system attacks.

Where does the EPSS score appear in the AUSCERT bulletin?

The EPSS (Max) score appears for each bulletin in the comments section, below the CVSS (Max) Score.

Where does the EPSS score appear in the Critical MSIN?

The EPSS (Max) score appears in the overview section of AUSCERT's Critical MSIN.

Syntax:

EPSS (Max): (*Probability) (**Percentile) (CVE Number) (Date EPSS calculated)

For example:

EPSS (Max): 0.2% (51st) CVE-2024-XXXXX 2024-07-02

* The likelihood of exploitation of the given CVE within the next 30 days.
** The vulnerability's relative severity compared to others, ranking it within a distribution of similar security issues based on their assessed risks and potential impacts.

Important: EPSS scores can change over time, so if making decisions based on EPSS it is recommended to ensure you are using a recently updated value available from FIRST. See the articles below for further details on use and interpretation.

References:

Understanding EPSS can require effort, and its suitability can vary depending on the environment. For those interested in exploring EPSS further and understanding its functionality, informative articles are available:

[1] https://www.first.org/epss/
[2] https://www.first.org/epss/user-guide
[3] https://www.first.org/epss/faq
[4] https://vulners.com/blog/epss-exploit-prediction-scoring-system/
[5] https://blog.stackaware.com/p/deep-dive-into-the-epss
[6] https://asimily.com/blog/epss-and-its-role-in-vulnerability-management/
[7] https://security.cms.gov/posts/assessing-vulnerability-risks-exploit-prediction-scoring-system-epss
[8] https://insights.sei.cmu.edu/blog/probably-dont-rely-on-epss-yet/
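As an added illustration (not part of the AUSCERT post), the Python below parses the "EPSS (Max)" line in the syntax above and applies the post's caveat that scores age: a score older than a chosen number of days is flagged for a refresh from FIRST before it drives a decision. The sample lines, the placeholder CVE identifiers, and the 10% probability and 7-day staleness thresholds are constructed assumptions, not AUSCERT or FIRST guidance.

```python
"""Parse and triage the 'EPSS (Max)' line AUSCERT adds to bulletins and Critical MSINs.

Documented syntax:
    EPSS (Max): <probability>% (<percentile>) <CVE number> <date EPSS calculated>
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Union

# Constructed sample lines in the documented syntax; the CVE identifiers are
# placeholders (as in the blog's own example), not real records.
SAMPLE_LINES = [
    "EPSS (Max): 0.2% (51st) CVE-2024-XXXXX 2024-07-02",
    "EPSS (Max): 93.7% (99th) CVE-2024-YYYYY 2024-08-10",
    "EPSS (Max): 1.5% (60th) CVE-2024-ZZZZZ 2024-08-09",
]

_LINE_RE = re.compile(
    r"^EPSS \(Max\):\s*"
    r"(?P<prob>\d+(?:\.\d+)?)%\s*"             # probability as a percentage
    r"\((?P<pct>\d{1,3})(?:st|nd|rd|th)\)\s*"  # ordinal percentile, e.g. (51st)
    r"(?P<cve>CVE-\d{4}-[0-9A-Za-z]{4,})\s*"   # letters allowed for placeholders
    r"(?P<day>\d{4}-\d{2}-\d{2})$"             # date the score was calculated
)


@dataclass(frozen=True)
class EpssMax:
    probability: float  # 0.0-1.0: chance of exploitation in the next 30 days
    percentile: int     # rank of that probability among all scored CVEs
    cve: str
    calculated: date


def parse_epss_line(line: str) -> EpssMax:
    """Parse one 'EPSS (Max)' line; raise ValueError on malformed or out-of-range input."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an AUSCERT EPSS (Max) line: {line!r}")
    probability = float(m["prob"]) / 100.0
    percentile = int(m["pct"])
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {m['prob']}%")
    if not 0 <= percentile <= 100:
        raise ValueError(f"percentile out of range: {percentile}")
    return EpssMax(probability, percentile, m["cve"], date.fromisoformat(m["day"]))


def _as_date(d: Union[str, date]) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def is_stale(score: EpssMax, today: Union[str, date], max_age_days: int = 7) -> bool:
    """FIRST republishes EPSS daily and the post warns that scores change over time,
    so a score older than max_age_days (an assumed threshold) should be refreshed."""
    return (_as_date(today) - score.calculated) > timedelta(days=max_age_days)


def triage(lines: Iterable[str], today: Union[str, date],
           prob_threshold: float = 0.10, max_age_days: int = 7) -> Dict[str, str]:
    """Map each CVE to an action. The thresholds are illustrative assumptions;
    a stale score is sent for refresh instead of being acted on directly."""
    actions: Dict[str, str] = {}
    for line in lines:
        score = parse_epss_line(line)
        if is_stale(score, today, max_age_days):
            actions[score.cve] = "refresh EPSS before deciding"
        elif score.probability >= prob_threshold:
            actions[score.cve] = "prioritise"
        else:
            actions[score.cve] = "schedule"
    return actions


if __name__ == "__main__":
    # Evaluate the constructed samples as of the EPSS go-live date named in the post.
    for cve, action in triage(SAMPLE_LINES, "2024-08-12").items():
        print(f"{cve}: {action}")
```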


Week in review

AUSCERT Week in Review for 2nd August 2024

Greetings,

With the Olympic Games in full swing, many of us are thrilled to cheer on our country in every sport, celebrating the incredible athletic talents of all participants. Each event showcases the dedication, skill, and fairness of athletes from around the world, inspiring us with their remarkable performances and unwavering determination. It is a privilege to witness this global celebration of excellence and unity through sport.

Security2Cure is back, bigger and better than ever! This year, the event will be held in Brisbane on August 9th and in Sydney on August 23rd. The event will bring more stories of survival, grief, resilience, and love from within our amazing cyber industry, and we welcome everyone to be part of this inspiring experience. Now in its fourth year, Security2Cure raises money for cancer research, support, and prevention.

The day's schedule in both cities includes a range of engaging talks on various aspects of cyber security, covering both technical and non-technical topics. Places are limited! Don’t miss the opportunity to hear from industry peers, leaders, and enthusiasts as they share insights from the cyber front lines and embrace the humility and vulnerability surrounding a disease that affects us all. Support a worthy cause and be inspired by the stories of strength and determination from within our community. If you can’t attend, you can still donate to this great cause: just head to the website!
Apple Rolls Out Security Updates for iOS, macOS
Date: 2024-07-30
Author: Security Week
[Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.4910/, https://portal.auscert.org.au/bulletins/ESB-2024.4911/, https://portal.auscert.org.au/bulletins/ESB-2024.4912/, https://portal.auscert.org.au/bulletins/ESB-2024.4913/, https://portal.auscert.org.au/bulletins/ESB-2024.4914/, https://portal.auscert.org.au/bulletins/ESB-2024.4915/, https://portal.auscert.org.au/bulletins/ESB-2024.4916/, https://portal.auscert.org.au/bulletins/ESB-2024.4917/, https://portal.auscert.org.au/bulletins/ESB-2024.4918/]
iOS 17.6 and iPadOS 17.6 were released for the latest generation iPhone and iPad devices with fixes for 35 security defects that could lead to authentication and policy bypasses, unexpected application termination or system shutdown, information disclosure, denial-of-service (DoS), and memory leaks.

Microsoft confirms Azure, 365 outage linked to DDoS attack
Date: 2024-07-31
Author: Cyber Security Dive
Dive Brief: Microsoft said a DDoS attack led to an eight-hour outage Tuesday involving its Azure portal, as well as some Microsoft 365 and Microsoft Purview services. Microsoft said an unexpected spike in usage led to intermittent errors, spikes and timeouts in Azure Front Door and Azure Content Delivery Network. An initial investigation showed an error in the company’s security response may have compounded the impact of the outage. Microsoft said it will have a preliminary review of the incident in 72 hours and a final review within two weeks, to see what went wrong and how to better respond.

Google Releases Critical Security Update for Chrome
Date: 2024-07-31
Author: Cyber Security News
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4872/]
Google has rolled out a critical security update for its Chrome browser, addressing a severe flaw that could lead to browser crashes. The update, now available on the Stable channel, brings Chrome to version 127.0.6533.88/89 for Windows and Mac and 127.0.6533.88 for Linux. This update will be distributed over the coming days and weeks. The latest update includes three significant security fixes, two of which were reported by an external researcher known as “gelatin dessert.” The details of these fixes are as follows:

Cyber ransom payments will need to be disclosed by businesses under new laws
Date: 2024-07-30
Author: ABC News
Australian businesses are paying untold amounts of ransom to hackers, but the government is hoping to claw back some visibility with a landmark cybersecurity law. The Cyber Security Act would force Australian businesses and government entities to disclose payments or face fines, and is expected to be brought before parliament in the next sitting.

Dark Angels ransomware receives record-breaking $75 million ransom
Date: 2024-07-30
Author: Bleeping Computer
A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount— an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report.

Gov revamps cyber security leadership in ministerial shake-up
Date: 2024-07-28
Author: iTnews
The federal government has named Tony Burke as its new minister for cyber security as well as Home Affairs, with incumbent Clare O’Neil moved to the housing portfolio. Albanese also announced a new advisory role for MP Andrew Charlton, as “special envoy for cyber security and digital resilience”.
ESB-2024.4872 – Google Chrome: CVSS (Max): None
Google has released an urgent security update for its popular Chrome browser to address three vulnerabilities, including one classified as "critical". These vulnerabilities, identified as CVE-2024-6990, CVE-2024-7255 and CVE-2024-7256, could potentially enable attackers to exploit flaws in the browser, putting user security at risk.

ESB-2024.4948 – Apache Commons Collections: CVSS (Max): 9.8
Apache Commons Collections could be made to execute arbitrary code if it received specially crafted input. The problem can be corrected by updating your system to libcommons-collections3-java 3.2.1-6ubuntu0.1~esm1, available with Ubuntu Pro.

ESB-2024.4912 – Apple iOS and iPadOS: CVSS (Max): 7.5*
Apple has released iOS and iPadOS patches to address vulnerabilities such as a maliciously crafted file potentially leading to unexpected app termination, plus various bug fixes and enhancements.

ESB-2024.4973 – Vonets WiFi Bridges: CVSS (Max): 10.0
Vulnerabilities were identified that could allow an attacker to disclose sensitive information, cause a denial of service condition or execute arbitrary code on affected devices. Vonets has not responded to requests by CISA to mitigate these vulnerabilities. CISA recommended that users take defensive measures to minimise the risk of exploitation.

ESB-2024.4960 – IBM QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

Gathering Intel from the Certificate Transparency Initiative for the recent Crowdstrike incident and other tailored cases

The indicators of compromise in the CrowdStrike article of 19 July [1] include a list of hostnames and domains that could impersonate CrowdStrike brands. The CrowdStrike article carries a disclaimer that “Some domains in this list are not currently serving malicious content or could be intended to amplify negative sentiment. However, these sites may support future social-engineering operations”. It also provides a pointer to the LogScale query used to collect this information.

There is another way to get similar information straight from the TLS certificates being issued, through the Certificate Transparency Initiative [2]. A general overview of the Certificate Transparency scheme is also available on Wikipedia [3].

This article describes steps that can be taken to collect hostnames and domains that have recently been issued a TLS certificate and to check whether they contain the word “crowdstrike”. If you later want to look for permutations of “crowdstrike” (or any other search term), you can re-run your new queries on the locally collected data.

The technique uses the stream of certificates being issued and published through the Certificate Transparency Initiative, consumed with a Python module created by CaliDog [4]. The module is aptly named “certstream” [5][6]; running it starts collecting the certificates currently being issued, relayed by CaliDog’s collection and distribution server over a secure web socket [7]. This is a live feed, and there can be hundreds of items every minute.

Once the certstream Python module [5] is installed locally and the jq utility [8] is also installed, you are ready to start collecting the certificates being issued.
Recording every detail of each certificate takes up significant disk space, so it is recommended to save only the fields that will be useful for future queries:

1) Certificate ID
2) Issuer Organisation Name
3) All domains listed in the certificate

This can be achieved with the following command:

    certstream --json | jq -r '.data | [(.cert_index|tostring), .leaf_cert.issuer.O, (.leaf_cert.all_domains | join(","))] | join("\t")'

This collects the certificate ID, the issuer organisation and the domains listed in that certificate as a tab-separated row, printed to the current terminal session as scrolling output. To save the output in convenient TSV files (in batches), append it to a file instead:

    certstream --json | jq -r '.data | [(.cert_index|tostring), .leaf_cert.issuer.O, (.leaf_cert.all_domains | join(","))] | join("\t")' >> certificate-data.tsv

After an amount of time of your choosing, stop the command and relaunch it writing to a different file, to ensure continuity of collection. You can then use a utility such as grep [9] on the saved file to find matches:

    grep crowdstrike certificate-data.tsv

This yields the rows containing the text “crowdstrike”. To search for other keywords, substitute your search term for “crowdstrike” in the example above. You can also cross-check and obtain further details of a certificate by searching online repositories such as crt.sh [10].

The disclaimer from the CrowdStrike article applies to the data found through this technique: domains and hostnames discovered may be online, not yet online, or entirely legitimate. Further interpretation is required, but you now have visibility of the hostnames being issued TLS certificates, which signals an intent to bring the hostname online.
AUSCERT has a number of MISP events available to members that utilise certificate transparency logs as one of the threat intelligence sources. Happy hunting!

References:

[1] https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/
[2] https://certificate.transparency.dev/
[3] https://en.wikipedia.org/wiki/Certificate_Transparency
[4] https://calidog.io/
[5] https://certstream.calidog.io/
[6] https://github.com/CaliDog/certstream-python
[7] wss://certstream.calidog.io/
[8] https://jqlang.github.io/jq/tutorial/
[9] https://www.digitalocean.com/community/tutorials/grep-command-in-linux-unix
[10] https://crt.sh/

Written by AUSCERT
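The collection and search steps above can also be done without jq, which is handy when you want to re-run queries for permutations of a brand name over the data you have already saved. The following is an added example, not AUSCERT's or CaliDog's code: it assumes the certstream message fields named in the article (data.cert_index, data.leaf_cert.issuer.O, data.leaf_cert.all_domains), the messages and domain names in it are constructed samples, and the permutation search goes a step beyond the article's plain grep by normalising hyphens and digit-for-letter swaps before matching.

```python
"""Convert certstream JSON messages into the TSV rows the article collects, then search them.

Added example, not AUSCERT's or CaliDog's code. Assumes the certstream message fields
named in the article (data.cert_index, data.leaf_cert.issuer.O, data.leaf_cert.all_domains);
the messages and domains below are constructed samples.
"""
import json

# Constructed sample messages in the shape certstream emits (domains are made up).
SAMPLE_MESSAGES = [
    json.dumps({"message_type": "heartbeat"}),
    json.dumps({"message_type": "certificate_update", "data": {
        "cert_index": 1001,
        "leaf_cert": {"issuer": {"O": "Example CA"},
                      "all_domains": ["shop.example.com", "www.shop.example.com"]}}}),
    json.dumps({"message_type": "certificate_update", "data": {
        "cert_index": 1002,
        "leaf_cert": {"issuer": {"O": "Example CA"},
                      "all_domains": ["crowdstrike-support.example.net"]}}}),
    json.dumps({"message_type": "certificate_update", "data": {
        "cert_index": 1003,
        # Issuer without an O attribute: the collector must not crash on it.
        "leaf_cert": {"issuer": {},
                      "all_domains": ["crowd-str1ke.example.org"]}}}),
]


def message_to_row(raw):
    """Return 'cert_index<TAB>issuer O<TAB>domain1,domain2' like the jq filter,
    or None for heartbeat and other non-certificate messages."""
    msg = json.loads(raw)
    if msg.get("message_type") != "certificate_update":
        return None
    data = msg["data"]
    leaf = data.get("leaf_cert", {})
    issuer = (leaf.get("issuer") or {}).get("O") or ""   # empty string when O is absent
    domains = ",".join(leaf.get("all_domains", []))
    return "\t".join([str(data.get("cert_index", "")), issuer, domains])


def collect(messages):
    """Rows for a batch of messages, in the order received (what goes into the .tsv)."""
    return [row for row in map(message_to_row, messages) if row is not None]


def search(rows, term):
    """Plain case-insensitive substring match on the domains column, like grep."""
    term = term.lower()
    return [r for r in rows if term in r.split("\t")[2].lower()]


# Digit-for-letter swaps and hyphens that a plain grep for the brand name would miss.
_NORMALISE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "-": None})


def normalise(label):
    return label.lower().translate(_NORMALISE)


def search_permutations(rows, term):
    """Match rows where any listed domain, once normalised, contains the
    normalised term (e.g. 'crowd-str1ke' for 'crowdstrike')."""
    wanted = normalise(term)
    return [r for r in rows
            if any(wanted in normalise(d) for d in r.split("\t")[2].split(","))]


if __name__ == "__main__":
    rows = collect(SAMPLE_MESSAGES)
    print("\n".join(rows))
    print("grep-style matches:", len(search(rows, "crowdstrike")))
    print("with permutations :", len(search_permutations(rows, "crowdstrike")))
```

The same disclaimer applies to anything these searches return: a hit is a hostname that someone has obtained a certificate for, nothing more, and the normalised search will also surface legitimate names that happen to contain the term.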


Week in review

AUSCERT Week in Review for 26th July 2024

Greetings,

On Friday afternoon, CrowdStrike released a sensor configuration update that triggered errors and system crashes in millions of Windows systems, causing major outages worldwide. This event grounded flights, disrupted banks and closed businesses, highlighting the interconnectedness and fragility of our digital infrastructure. It served as a wake-up call, emphasising that the IT industry is a critical component linking every part of the world: when mistakes are made or incidents occur, the repercussions are felt globally.

Reports indicate that malicious actors are quickly capitalising on the disruption caused by this technical issue. Cyber criminals are exploiting the outage window to launch phishing campaigns and other malicious activities. Notably, there have been reports of criminals mimicking CrowdStrike support communications and even impersonating CrowdStrike staff during phone calls. CrowdStrike has also noted instances where cyber criminals posed as independent researchers, falsely asserting evidence linking the technical issue to a cyber attack.

In response to these developments, cyber security organisations and authorities have issued advisories urging heightened vigilance. Users are encouraged to verify the authenticity of communications, especially during service disruptions, and to rely strictly on official channels for updates and support. For more information regarding this issue, read our full article here.

Attention Brisbane Members! In partnership with WTW and Ethan Global, we will be hosting an event in the CBD on August 13th for IT Directors, Managers, CISOs, C-Suite executives, and Risk and Insurance Managers. During this in-person session, AUSCERT, WTW and Ethan Global will provide attendees with insights and practical steps to understand and communicate holistic cyber risk management strategies, drawn from real-life case studies. Our speakers will examine developments in legal and regulatory changes, prioritising cyber investments, and reporting. Don't miss this opportunity to hear firsthand from thought leaders and experienced practitioners through both presentations and panel discussions. Register here.

Scammers will pounce on global outage caused by CrowdStrike bug, Home Affairs Minister Clare O'Neil warns
Date: 2024-07-20
Author: ABC News
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0159/] AUSCERT has also shared IoCs via MISP.
Australians have been warned scammers and hackers are trying to capitalise on CrowdStrike-triggered outages to steal personal information including bank details and to gain access to computer systems. The unprecedented outage affected a raft of major institutions in Australia and internationally, including emergency services, government agencies, banks and airlines.

Microsoft releases Windows repair tool to remove CrowdStrike driver
Date: 2024-07-21
Author: Bleeping Computer
Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday. On Friday, CrowdStrike pushed out a faulty update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops. This glitch caused massive IT outages, as companies suddenly found that all of their Windows devices no longer worked. These IT outages affected airports, hospitals, banks, companies, and government agencies worldwide.
Telegram zero-day allowed sending malicious Android APKs as videos
Date: 2024-07-22
Author: Bleeping Computer
A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files. A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older.

Australian cyber security firms to boost Indo-Pacific resilience
Date: 2024-07-24
Author: Security Brief
AUSCERT and the University of Queensland have announced a partnership with IDCARE to expand cyber security support across the Indo-Pacific under an Australian Government contract. The collaboration is part of the Cyber and Critical Tech Co-operation Program, aiming to bolster cyber resilience in Papua New Guinea and Fiji through tailored cyber-crime

Windows July security updates send PCs into BitLocker recovery
Date: 2024-07-24
Author: Bleeping Computer
Microsoft warned that some Windows devices will boot into BitLocker recovery after installing the July 2024 Windows security updates. The BitLocker Windows security feature mitigates the risk of data theft or information exposure from lost, stolen, or inappropriately decommissioned devices by encrypting the storage drives. Windows computers can automatically enter BitLocker recovery mode following various events, including hardware and firmware upgrades or changes to the TPM (Trusted Platform Module), to restore access to BitLocker-protected drives that have not been unlocked via the default unlock mechanism.

Over 3,000 GitHub accounts used by malware distribution service
Date: 2024-07-24
Author: Bleeping Computer
Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub that push information-stealing malware.
The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware. In most cases, the malware is an infostealer, such as RedLine, Lumma Stealer, Rhadamanthys, RisePro or Atlantida Stealer.

ESB-2024.4781 – Google Chrome: CVSS (Max): None
Google announced the release of Chrome 127 to the stable channel with patches for 24 vulnerabilities. As usual, memory safety bugs were the most common type of security flaw addressed, representing half of the reported issues, including four high-severity ones.

ASB-2024.0159 – CrowdStrike sensor configuration update
AUSCERT issued an advisory regarding the global outage caused by the sensor configuration update that impacted millions of Windows systems worldwide.

ESB-2024.4758 – National Instruments IO Trace: CVSS (Max): None
ICS-CERT has issued an advisory for a critical vulnerability (CVE-2024-5602) in National Instruments IO Trace, a network appliance. The issue, a stack-based buffer overflow, requires user interaction to exploit but could allow arbitrary code execution. A patch is available, and users are advised to minimise network exposure and use secure remote access methods.

ESB-2024.4742 – IBM Security QRadar SIEM: CVSS (Max): 7.5
IBM Security QRadar SIEM has released updates to address multiple vulnerabilities, including CVE-2024-29415, which has a CVSS score of 7.5 for server-side request forgery. The updates also fix other issues such as denial of service and HTTP request smuggling.

ESB-2024.4833 – ICSA-24-207-01 Siemens SICAM Products: CVSS (Max): 9.8
Siemens SICAM products are vulnerable to critical issues, including a severe password reset flaw (CVE-2024-37998) and a missing authentication issue (CVE-2024-39601). These vulnerabilities could lead to unauthorised access and potential information leaks. Users are advised to upgrade to the latest versions and disable auto login to mitigate risks.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Member information

AUSCERT Bulletin Formats

AUSCERT publishes two security bulletin formats:

External Security Bulletin (ESB) – bulletins produced by vendors, summarised and re-released by AUSCERT in a consistent format.
AUSCERT Security Bulletin (ASB) – bulletins produced by AUSCERT with Overview, Impact and Mitigation information. ASBs typically describe critical vulnerabilities and emerging threats. They are collated from a variety of sources including vendors, security researchers and incident response teams around the world.

Every AUSCERT bulletin contains a Bulletin Summary, which highlights the essential information to assist in the vulnerability management process. The Bulletin Summary consists of the following categories (where relevant):

Product
Publisher
Operating System
Resolution
CVE Names
Original Bulletin URL
Comment
CVSS (Max)
EPSS (Max)
CISA KEV (if applicable)

These categories are described in further detail below.

ESB Structure

Bulletin Titles and Email Subject Lines

Bulletin titles and bulletin email subject lines display information in a concise format. The title includes the bulletin ID (eg ESB-2024.1234), a revision number if applicable (eg ESB-2024.1234.2), and may include an ‘ALERT’ flag if the contents of the bulletin are time critical or reference a serious, actively exploited vulnerability. The title also lists the operating systems or hardware types that the vulnerability affects, and the product or product family.

Example of a bulletin title: ESB-2024.1234 libarchive

Example of an email subject line: ESB-2024.1234 [SUSE] libarchive: CVSS (Max): 7.3

Bulletin Header

The bulletin header consists of the ESB (or ASB) ID, a short summary of the purpose of the bulletin, and the date.

Bulletin Summary

The bulletin summary is an overview of the essential information in the bulletin, typically used in the vulnerability management process.
Both ESBs and ASBs contain a summary with individual fields as shown in this example:

Product
The product field displays the affected product name and version numbers (if any). Both ESBs and ASBs have a Product field.

Publisher
Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. This is often a vendor such as SUSE or Red Hat, but it may also be another security team or research group.

Operating System
This field lists the operating systems or operating system families affected by the vulnerability.

Resolution
The Resolution field gives a quick indication of how to protect against the vulnerability. The values are:
None: No resolution is currently available.
Patch/Upgrade: A patch or a new, unaffected version of the product is available. Note that only official vendor patches count as a patch – third-party patches are considered a mitigation.
Mitigation: Mitigation steps are available, but there is no specific fix for the vulnerability.
Alternate Program: Another program with similar functionality, which is not vulnerable, is available.

CVE Names
This field lists any CVE identifiers that relate to this vulnerability. CVEs are effective for tracking vulnerabilities that affect multiple products.

Original Bulletin URL
This field gives the URL of the original bulletin source. The original bulletin often has additional links for further information.

Comment
This field contains any additional information that AUSCERT believes should be highlighted, including:
CVSS (Max)
EPSS (Max)
CISA KEV (if applicable)
These categories are described in detail below.

CVSS (Max)
The Common Vulnerability Scoring System (CVSS) score is included in the Comment field of all AUSCERT ASBs and ESBs. CVSS is a published standard for assessing security vulnerabilities which classifies and scores them based on their severity.
Scores are calculated using a formula based on several metrics, including required access, impact and authentication. Scores range from 0 to 10, with 10 being the most severe. The CVSS (Max) field consists of the CVSS score, CVE-ID and CVSS description of the CVE with the highest score. If no CVSS (Max) score is available at the time of publishing, the Comment field shows “CVSS (Max): None”. For further information about how the CVSS (Max) is calculated and used, please see https://auscert.org.au/blogs/bulletin-impact-access-to-cvss-migration.

EPSS (Max)
Where an Exploitation Prediction Scoring System (EPSS) score is available, it is also included in the Comment field of a bulletin as “EPSS (Max)”. EPSS employs advanced algorithms to forecast the likelihood of a vulnerability being exploited in real-world scenarios. A higher EPSS score indicates a higher risk of exploitation, which may provide input into the vulnerability management process.

The syntax of the EPSS (Max) score is:

EPSS (Max): (*Probability) (**Percentile) (CVE Number) (Date EPSS calculated)

Probability: The likelihood of exploitation of the given CVE within the next 30 days.
Percentile: The vulnerability’s relative severity compared to others, ranking it within a distribution of similar security issues based on their assessed risks and potential impacts.

AUSCERT advises members to research EPSS thoroughly before considering its application in vulnerability management. Understanding EPSS can require effort, and its suitability can vary depending on the environment.
See the articles below for further details on use and interpretation:

https://www.first.org/epss
https://www.first.org/epss/user-guide
https://www.first.org/epss/faq
https://vulners.com/blog/epss-exploit-prediction-scoring-system/
https://blog.stackaware.com/p/deep-dive-into-the-epss
https://asimily.com/blog/epss-and-its-role-in-vulnerability-management/
https://security.cms.gov/posts/assessing-vulnerability-risks-exploit-prediction-scoring-system-epss

CISA KEV
A CISA Known Exploited Vulnerability (KEV) entry is also present in the Comment field if applicable. The KEV catalogue is a CISA-maintained authoritative source of vulnerabilities that have been exploited in the wild. All members are recommended to review and monitor the KEV catalogue and to prioritise remediation of the listed vulnerabilities, reducing the likelihood of compromise by known threat actors. The field consists of the CISA KEV CVE(s) and the CISA KEV URL for reference. For example:

For further information about CISA KEV, please see https://www.cisa.gov/known-exploited-vulnerabilities.

Bulletin Updates and Versioning

An ESB or ASB can be updated when crucial new or updated information becomes available after the original date of publication. Updates have a version number appended to the bulletin ID, eg ESB-2024.1234 becomes ESB-2024.1234.2, and the ‘UPDATE’ tag is added.

ASB Structure

An ASB contains the same bulletin title, bulletin header, bulletin summary and comment sections as an ESB; however, the main body of an ASB differs. The main body of an ASB generally consists of four headings:

OVERVIEW: A summary of the vulnerability being reported and the products that are affected.
IMPACT: This section outlines in more detail what the vulnerability allows attackers to do (eg remote code execution) and the potential outcome (eg significant data breaches, circumvention of firewalls or intrusion detection systems, etc).
MITIGATION: This section outlines steps to mitigate the risk, ranging from applying available patches to restricting or segmenting network access, including deploying additional monitoring and alerts against specific criteria.
REFERENCES: A list of websites that report on the vulnerability, which may be third-party websites or the vendor itself. The websites are referenced within the ASB as the source of the information being reported.

Examples

Full example of an ESB:

Full example of an ASB:
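The Comment-field syntaxes described here, and in the EPSS announcement earlier on this page, are regular enough to be parsed automatically, which is how a vulnerability management pipeline would consume them. The following is an added example, not AUSCERT tooling: the CVSS (Max) and EPSS (Max) layouts follow the formats documented above, while the 'CISA KEV:' line layout, the EPSS threshold, the staleness limit and the CVE-2024-XXXXX placeholder identifiers are assumptions made for illustration. It orders the three signals the way this page ranks them (KEV is confirmed exploitation, EPSS is a prediction that changes over time, CVSS is severity without threat data) and refuses to act on an EPSS value that is too old, the caveat the announcement raises.

```python
"""Parse the Comment-field lines of an AUSCERT bulletin and derive a triage tier.

Added example, not AUSCERT tooling. CVSS (Max) and EPSS (Max) follow the syntaxes
documented on this page. Assumptions: the 'CISA KEV:' line layout, the EPSS threshold,
the staleness limit and the CVE-2024-XXXXX placeholders are illustrative only.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

_CVE = r"CVE-\d{4}-[0-9X]{4,}"   # X allowed so the page's placeholder IDs parse
CVSS_RE = re.compile(r"CVSS \(Max\):\s*(None|\d+(?:\.\d+)?)(?:\s+(" + _CVE + r"))?")
EPSS_RE = re.compile(
    r"EPSS \(Max\):\s*(\d+(?:\.\d+)?)%\s*\((\d+)(?:st|nd|rd|th)\)\s*("
    + _CVE + r")\s*(\d{4}-\d{2}-\d{2})"
)
KEV_RE = re.compile(r"CISA KEV:\s*((?:" + _CVE + r"[,\s]*)+)")   # assumed layout

# Constructed Comment fields; CVE-2024-XXXXX is the page's own placeholder identifier.
SAMPLE_COMMENTS = {
    "epss-only": "CVSS (Max): None\nEPSS (Max): 0.2% (51st) CVE-2024-XXXXX 2024-07-02",
    "critical":  "CVSS (Max): 9.8 CVE-2024-XXXXX\nEPSS (Max): 35.0% (97th) CVE-2024-XXXXX 2024-08-28",
    "kev":       "CVSS (Max): 7.5 CVE-2024-XXXXX\nCISA KEV: CVE-2024-XXXXX "
                 "https://www.cisa.gov/known-exploited-vulnerabilities",
}


@dataclass
class BulletinComment:
    cvss_max: Optional[float] = None          # None when the field reads "CVSS (Max): None"
    cvss_cve: Optional[str] = None
    epss_probability: Optional[float] = None  # 0.0-1.0: exploitation within the next 30 days
    epss_percentile: Optional[int] = None
    epss_cve: Optional[str] = None
    epss_date: Optional[date] = None          # date the EPSS value was calculated
    kev_cves: List[str] = field(default_factory=list)


def parse_comment(text: str) -> BulletinComment:
    c = BulletinComment()
    m = CVSS_RE.search(text)
    if m and m.group(1) != "None":
        c.cvss_max, c.cvss_cve = float(m.group(1)), m.group(2)
    m = EPSS_RE.search(text)
    if m:
        c.epss_probability = float(m.group(1)) / 100.0
        c.epss_percentile = int(m.group(2))
        c.epss_cve = m.group(3)
        c.epss_date = date.fromisoformat(m.group(4))
    m = KEV_RE.search(text)
    if m:
        c.kev_cves = re.findall(_CVE, m.group(1))
    return c


def triage(c: BulletinComment, today: date, epss_threshold=0.10, max_age_days=7):
    """Return (tier, reasons). KEV is confirmed exploitation, EPSS a decaying prediction,
    CVSS severity without threat data, so they are consulted in that order."""
    reasons = []
    if c.kev_cves:
        reasons.append("listed in CISA KEV: " + ", ".join(c.kev_cves))
        return "urgent", reasons
    epss = c.epss_probability
    if epss is not None:
        age = (today - c.epss_date).days
        if age > max_age_days:
            # EPSS values change over time: do not act on a stale one.
            reasons.append(f"EPSS value is {age} days old; re-query FIRST before relying on it")
            epss = None
    if epss is not None and epss >= epss_threshold:
        reasons.append(f"EPSS {epss:.1%} is at or above the {epss_threshold:.0%} threshold")
        return "high", reasons
    if c.cvss_max is not None and c.cvss_max >= 9.0:
        reasons.append(f"CVSS (Max) {c.cvss_max} is critical severity")
        return "high", reasons
    return "routine", reasons


def triage_comment(text: str, today_iso: str):
    """Parse and triage in one call, taking the reference date as ISO text."""
    return triage(parse_comment(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, text in SAMPLE_COMMENTS.items():
        tier, why = triage_comment(text, "2024-08-30")
        print(f"{name:10s} -> {tier:8s} {'; '.join(why)}")
```

The threshold and age limit are deliberately parameters: what counts as "high" EPSS, and how fresh a score must be, depends on the environment, which is why the page asks members to study EPSS before using it.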
