Publications

Greetings, This week, we released a new episode of our podcast, "Share Today, Save Tomorrow." In Episode 39 – AI, Evolving Threats & the End of Attribution?, Anthony sits down with Michael Hamm from CIRCL (the CERT of Luxembourg and core maintainers of MISP) to explore AI’s impact on cybersecurity, the shifting threat landscape, and whether attribution is becoming impossible. In the second half, Bek speaks with AUSCERT’s General Manager, Ivano Bongiovanni, about what’s ahead for 2025. The recent news of the surge in popularity of the AI application DeepSeek highlights how highly publicised products can create cyber security and privacy risks. 1.Phishing Lures & Malicious Software: The hype surrounding ‘the next big thing’ creates opportunities for threat actors to craft phishing lures and fake, malicious software (mobile apps, browser plugins, etc.) that mimic the original. 2.Unauthorised Adoption: Staff members may rapidly adopt new products and services without seeking advice from cyber security professionals and accidentally disclose confidential information. Without proper oversight, staff may unknowingly enter sensitive company data into AI-powered tools, unaware that the platform may store, process, or even share the information externally. 3.Data Privacy & Compliance Risks: AI applications often require access to large volumes of personal or proprietary data, raising significant privacy and compliance concerns. If organisations fail to verify how an AI tool stores and processes data, they risk violating compliance obligations. To embrace AI while minimising cyber security risks, organisations should: •Educate staff on the risks of AI adoption and ‘free’ software in general. •Implement security policies that provide practical guidance on AI usage within the organisation. •Monitor emerging threats, such as phishing campaigns targeting trending AI applications. •Conduct security assessments as part of third party risk management practices before integrating AI tools into business workflows. By staying proactive and security-conscious, organisations can harness AI’s potential without compromising cyber security or privacy. VMware Warns of High-Risk Blind SQL Injection Bug in Avi Load Balancer Date: 2025-01-28 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.0601/] Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers would exploit the issue to gain broader database access. The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity score of 8.6/10. The company described the security defect as an unauthenticated blind SQL Injection vulnerability and urged enterprise admins to apply available patches urgently as there are no pre-patch workarounds. CVE-2025-0065: TeamViewer Patches Privilege Escalation Vulnerability in Windows Clients Date: 2025-01-29 Author: Security Online TeamViewer, a popular remote access and support software, has issued a critical security advisory addressing a vulnerability that could allow attackers to gain elevated privileges on Windows systems. The vulnerability, tracked as CVE-2025-0065 and assigned a CVSS score of 7.8 (High), affects TeamViewer Clients for Windows prior to version 15.62. According to the advisory, the flaw stems from “Improper Neutralization of Argument Delimiters in the TeamViewer_service.exe component.” New Zyxel Zero-Day Under Attack, No Patch Available Date: 2025-01-29 Author: Security Week Malware hunters at GreyNoise are reporting active exploitation of a newly discovered zero-day vulnerability in Zyxel CPE devices alongside warnings that there are no patches available from the vendor. GreyNoise, which monitors the internet for malicious activity, described the flaw as a critical command injection issue that opens the door for attackers to gain full system compromise. Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era Date: 2025-01-30 Author: ACSC With the rise of advanced tools that enable the rapid creation, alteration, and distribution of images, videos, and other digital content, there are many ways to manipulate what people see and believe. The ability to manipulate media is not new, but the accessibility, speed, and quality of these modifications today, powered by artificial intelligence (AI) and machine learning tools, have reached unprecedented levels and may not be caught by traditional verification methods. GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs Date: 2025-01-27 Author: The Hacker News Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. "Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways." ESB-2025.0595 – Rockwell Automation FactoryTalk: CVSS (Max): 9.8 Rockwell Automation released six security advisories addressing critical vulnerabilities. Notable issues include CVE-2025-24479, a local code execution vulnerability, and CVE-2025-24480, a remote code execution vulnerability. Both flaws pose significant security risks and require prompt action. ESB-2025.0576 – Google Chrome: EPSS (Max): None Google has released a patch for CVE-2025-0762, a medium-severity use-after-free memory issue in Chrome’s DevTools function. This vulnerability impacts users on Linux, Mac, and Windows, though Android appears unaffected for now. Users are urged to update to address the security risk. ESB-2025.0560 – Juniper Networks Juniper Secure Analytics: CVSS (Max): 9.8 Multiple critical vulnerabilities were discovered in Juniper Secure Analytics versions prior to 7.5.0 UP10 IF02, identified by various CVEs. Exploiting these flaws could lead to remote code execution, denial of service, data confidentiality breaches, and security policy bypass. Juniper has released security updates as of January 2025, to address these issues. ESB-2025.0549 – Apple iOS and Apple iPadOS: CVSS (Max): 7.8* iOS 18.3 and iPadOS 18.3 address multiple security vulnerabilities across various components, including AirPlay, CoreMedia, and WebKit. These updates fix issues such as privilege escalation, denial-of-service, and unauthorised access, impacting devices like iPhone XS and later, and several iPad models. The update includes fixes for issues and is available via iTunes or Software Update. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow”  AI, Evolving Threats & the End of Attribution? In this episode, AUSCERT features the following guests: Michael Hamm, CIRCL Ivano Bongiovanni, AUSCERT Anthony sits down with the Michael Hamm from CIRCL the CERT of Luxembourg and creators of MISP. They discuss AI, the emerging threat landscape and whether attribution is going to become impossible In the second half of the episode, Bek chats with Ivano Bongiovanni from AUSCERT to discuss what AUSCERT has in store for 2025. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify and Apple Podcasts

Greetings, This week, Oracle released patches addressing a staggering 320 security vulnerabilities. Among the most critical issues are those affecting Oracle Communications Applications and Fusion Middleware, both with a CVSS score of 9.8. These vulnerabilities allow attackers to exploit systems over a network without requiring authentication. Make sure you stay on top of updates and patches to protect your systems. A final reminder the Call for Presentations for the AUSCERT2025 conference closes at midnight on 28 January! This is your last chance to submit a proposal. If you're a first-time speaker or would like support with your delivery or presentation, you can opt in to our Speaker Mentoring Program when submitting your proposal. This program provides personalised guidance to help refine your presentation, improve delivery, and build confidence. Our experienced mentors are here to assist you every step of the way. We're also excited to announce that the Tutorials Program for AUSCERT2025 is now live on our website! This year’s program features some returning favourites with new content, as well as fresh perspectives on exciting subjects. Topics include Incident Response Handling, Network Security, Red Teaming, Information Security Innovation, Awareness and Culture, Cyberpsychology, and Governance, Risk and Compliance (GRC). Whether you’re looking to deepen your expertise or explore new areas, this year’s program has something for everyone. Head to our website to explore the full list of tutorials, detailed descriptions, and instructor profiles. Registrations will be opening soon, so don’t miss your chance to secure a spot in these highly sought-after sessions! Stay tuned for updates, and we look forward to seeing you at AUSCERT2025! CISA, FBI Update Software Security Recommendations Date: 2025-01-20 Author: Security Week The US cybersecurity agency CISA and the FBI have updated their guidance on risky software security bad practices to include the feedback received during a public comment period. Called Product Security Bad Practices, the guidance provides an overview of the security practices considered exceptionally risky, provides recommendations on addressing them, and urges makers of software for the critical infrastructure to prioritize security. Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released Date: 2025-01-20 Author: Cyber Security News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0188.3/] A critical vulnerability, CVE-2024-43468, has been identified in Microsoft Configuration Manager (ConfigMgr), posing a severe security risk to organizations relying on this widely used systems management software. Rated with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute remote code on affected systems, potentially leading to complete system compromise. Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications Date: 2025-01-22 Author: CISA [AUSCERT has shared IoCs via MISP] According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers. Telegram captcha tricks you into running malicious PowerShell scripts Date: 2025-01-22 Author: Bleeping Computer Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into run PowerShell code that infects them with malware. The attack, spotted by vx-underground, is a new variant of the "Click-Fix" tactic that has become very popular among threat actors to distribute malware over the past year. However, instead of being fixes for common errors, this variant pretends to be a captcha or verification system that users must run to join the channel. ESB-2025.0471 – ClamAV: CVSS (Max): 5.3 Cisco has released a patch for heap-based buffer overflow (CVE-2025-20128) affecting Cisco Secure Endpoint Connector. The buffer overflow flaw could disrupt ClamAV scanning on endpoints, and a proof-of-concept exploit is available but has not been observed in the wild. ESB-2025.0463 – Google Chrome: CVSS (Max): None Google has released a critical security update for Chrome, addressing three vulnerabilities, including two high severity issues in the V8 JavaScript engine. CVE-2025-0611 allows object corruption, potentially leading to arbitrary code execution, while CVE-2025-0612 involves out-of-bounds memory access that could crash the browser or enable code execution. Users are urged to update to version 132.0.6834.110/111 immediately. ESB-2025.0467 – Cisco Meeting Management: CVSS (Max): 9.9 Cisco has released updates to address a critical privilege escalation vulnerability (CVE-2025-20156) in its Meeting Management system's REST API. With a CVSS score of 9.9, the flaw could allow authenticated attackers to gain administrator privileges on affected instances. Exploiting the vulnerability involves sending API requests to a specific endpoint, potentially giving attackers control over managed edge nodes. ESB-2025.0470 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 8.7 GitLab has released security updates (versions 17.8.1, 17.7.3, and 17.6.4) to address multiple vulnerabilities, including a high-severity XSS flaw (CVE-2025-0314). The vulnerability allows attackers to inject malicious scripts into GitLab instances via improper file rendering, potentially leading to session hijacking or control over affected systems. Users are urged to update to the latest versions to mitigate the risks. ASB-2025.0031 – Oracle Supply Chain: CVSS (Max): 9.9 Oracle’s January 2025 Critical Patch Update addressed several vulnerabilities across its products, including six new patches for Oracle Supply Chain. Notably, CVE-2025-21556 and CVE-2024-23807 are high-severity flaws, allowing unauthenticated attackers to exploit Oracle Agile PLM Framework and Oracle Agile Engineering Data Management remotely. Successful exploitation could result in unauthorised access to critical data or system takeovers. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week served as a valuable reminder, as we begin the new year, of the critical importance of maintaining vigilance in cyber security practices. Keeping systems patched and updated is essential because software updates often address newly discovered vulnerabilities that attackers could exploit. Failing to apply these updates can leave systems vulnerable to threats such as malware, ransomware, and unauthorised access. Each patch typically resolves security gaps, enhances functionality, and improves software stability. Therefore, regularly checking for updates and applying patches promptly is crucial for maintaining robust defences in the ever-evolving cyber security landscape. This week, Microsoft rolled out fixes for 160 security flaws across a range of Windows OS and applications, marking the highest number of CVEs addressed in a single month since 2017. This update included patches for three actively exploited zero-day vulnerabilities affecting Windows Hyper-V NT Kernel Integration VSP, remote code execution risks in Microsoft Digest Authentication, Remote Desktop Services, Windows OLE, Microsoft Excel, and Windows RMCAST. Additionally, the Australian Signals Directorate (ASD) published an article on "Secure by Design" principles, highlighting common weaknesses in operational technology components. These weaknesses include weak authentication, known software vulnerabilities, limited logging, insecure default settings and passwords, and outdated protocols. Such flaws can be easily exploited by cyber threat actors to gain unauthorised access to systems. Over 660,000 Rsync servers exposed to code execution attacks Date: 2025-01-15 Author: Bleeping Computer Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers. Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. It supports local file systems transfers, remote transfers over secure protocols like SSH, and direct file syncing via its own daemon. Ivanti Patches Critical Vulnerabilities in Endpoint Manager Date: 2025-01-15 Author: Security Week Ivanti on Tuesday announced patches for multiple critical- and high-severity vulnerabilities in Avalanche, Application Control Engine, and Endpoint Manager (EPM). The most severe of the resolved flaws are four absolute path traversal issues in Ivanti EPM that could allow remote, unauthenticated attackers to leak sensitive information. Tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8), the bugs impact EMP versions 2024 and 2022 SU6 that have the November 2024 security update installed. Zyxel Urges Patch Application for Privilege Escalation Vulnerability (CVE-2024-12398) Date: 2025-01-13 Author: Security Online Zyxel has issued an advisory for a newly identified security vulnerability, CVE-2024-12398, that affects multiple access points (AP) and security routers. With a CVSS score of 8.8, this vulnerability underscores the urgency for users to apply patches immediately to protect their systems from potential exploitation. The vulnerability is an improper privilege management flaw within the web management interface of certain Zyxel AP and router firmware versions. CVE-2025-22777 (CVSS 9.8): Critical Security Alert for GiveWP Plugin with 100,000 Active Installations Date: 2025-01-11 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] A severe vulnerability has been identified in the GiveWP plugin, one of WordPress’s most widely used tools for online donations and fundraising. Tracked as CVE-2025-22777, the flaw has a CVSS score of 9.8, signaling its criticality. With over 100,000 active installations, the GiveWP plugin powers countless donation platforms worldwide. New macOS Exploit Revealed: PoC for CVE-2024-54498 Breaks Sandbox Security Date: 2025-01-12 Author: Security Online Recently, security researcher @wh1te4ever has revealed a proof of concept (PoC) exploit for CVE-2024-54498, a vulnerability that allows applications to escape the confines of the macOS Sandbox. The PoC, published on GitHub, demonstrates how malicious actors could leverage this flaw to gain unauthorized access to sensitive user data. The macOS Sandbox is a critical security feature that restricts applications from accessing or modifying files and resources outside their designated area. This safeguard protects users from malicious software that might attempt to steal personal information, corrupt system files, or install malware. Fortinet warns of auth bypass zero-day exploited to hijack firewalls Date: 2025-01-14 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.0250/] Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. This security flaw (tracked as CVE-2024-55591) impacts FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module. ESB-2025.0199 – Google Chrome: CVSS (Max): None Google has issued an urgent warning about 13 security vulnerabilities in Chrome, affecting Windows, Mac, Linux, and Android. This follows a recent exploit discovered in the "Sign In With Google" feature, risking sensitive data theft. Users are advised to update Chrome immediately to address these critical issues. ESB-2025.0224 – Adobe Photoshop: CVSS (Max): 7.8 Adobe has released critical security fixes for over a dozen vulnerabilities across its products, including Photoshop for Windows and macOS. The updates address two high-severity arbitrary code execution flaws in Photoshop, which could be exploited by hackers. Users are urged to apply the updates immediately to mitigate the risks of remote code execution attacks. ASB-2025.0001 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has warned of three exploited zero-day vulnerabilities in the Windows Hyper-V platform, affecting the NT Kernel Integration Virtualisation Service Provider. These flaws could allow attackers to escalate privileges and gain SYSTEM-level access. Microsoft has urged urgent attention but has not provided technical details or indicators of compromise. ESB-2025.0225 – Hitachi Energy FOXMAN-UN: CVSS (Max): 10 ICS-CERT has released an advisory regarding multiple critical vulnerabilities in Hitachi Energy's FOXMAN-UN products, including authentication bypass, argument injection, buffer overflow, improper user management, and more. These flaws could allow remote attackers to exploit the systems, potentially gaining unauthorised access and executing arbitrary code. ESB-2025.0244 – Zoom: CVSS (Max): 8.8 Zoom has issued six security bulletins addressing multiple vulnerabilities across its product ecosystem, impacting Linux, Windows, macOS, and Android. The most critical, CVE-2025-0147, is a high-severity type confusion vulnerability in the Zoom Workplace App for Linux, allowing privilege escalation via network. Users and administrators are urged to apply updates to mitigate potential risks such as data loss, privilege escalation, and DoS attacks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As we return to work, holiday scams continue to affect Australians. NAB’s fraud and cyber security experts have outlined emerging scams to watch for in 2025: AI-Driven Scams Criminals use deepfakes—AI-generated impersonations of people—to create realistic voicemails, videos, or social media posts. Be cautious of investment opportunities promoted by high-profile figures and always do your own research. Cryptocurrency Investment Scams Scammers lure victims into fake crypto-trading apps with promises of high returns. While small withdrawals may seem legitimate, larger ones will encounter hidden fees or lockouts. Always verify credentials and research the investment. Bucket List Scams Scammers target people dreaming of international travel or events, using social media to offer false opportunities. Research the seller's profile, activity, and reviews before proceeding. Remote Access Scams Targeting Businesses Scammers impersonate trusted organisations, like banks, convincing businesses to grant remote access to sensitive information. Never give remote access to unexpected callers or emails, and investigate suspicious requests. Phishing Scams Phishing remains common, with criminals impersonating banks, government agencies, or even friends. A new trend targets people with messages about expiring rewards points. Be sceptical of unsolicited contact—delete or hang up if in doubt. Stay safe and vigilant! SonicWall urges admins to patch exploitable SSLVPN bug immediately Date: 2025-01-08 Author: Bleeping Computer SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." In an email sent to SonicWall customers and shared on Reddit, the firewall vendor says the patches are available as of yesterday, and all impacted customers should install them immediately to prevent exploitation. Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability Date: 2025-01-03 Author: Security Week SafeBreach has published proof-of-concept (PoC) exploit code targeting a recently resolved denial-of-service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). The issue, tracked as CVE-2024-49113 (CVSS score of 7.5), was patched on December 10 along with a critical remote code execution (RCE) flaw in LDAP (CVE-2024-49112, CVSS score of 9.8). Next.js Patches Denial-of-Service Vulnerability (CVE-2024-56332) in Server Actions Date: 2025-01-03 Author: Security Online The popular React framework, Next.js, has addressed a security vulnerability that could have allowed attackers to launch denial-of-service (DoS) attacks against applications using Server Actions. The vulnerability, tracked as CVE-2024-56332, was responsibly disclosed by the PackDraw team. Next.js, known for its performance and developer-friendly features, is used by many high-traffic websites and applications. Server Actions, a relatively new feature, enable server-side data fetching and mutations, enhancing application performance and security. Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product Date: 2025-01-08 Author: Security Week [AUSCERT identified the impacted members (where possible) and contacted them via email] Embattled IT software vendor Ivanti on Wednesday raised an alarm for a pair of remotely exploitable vulnerabilities in its enterprise-facing products and warned that one of the bugs has already been exploited in the wild. The high-severity vulnerabilities, tagged as CVE-2025-0282 and CVE-2025-0283, allow unauthenticated remote attackers to launch code execution and privilege escalation attacks. “We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure. Bad Tenable plugin updates take down Nessus agents worldwide Date: 2025-01-03 Author: Bleeping Computer Tenable says customers must manually upgrade their software to revive Nessus vulnerability scanner agents taken offline on December 31st due to buggy differential plugin updates. As the cybersecurity company acknowledged in an incident report issued after pausing plugin updates to prevent the issue from impacting even more systems, the agents went offline "for certain users on all sites." This ongoing incident affects systems updated to Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe, and Asia. Tenable has since pulled the bad versions and released Nessus Agent version 10.8.2 to fix the issue causing agents to shut down. ESB-2025.0099 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 9.9* GitLab has released patch updates (versions 17.7.1, 17.6.3, 17.5.5) to fix security vulnerabilities in its import functionality and core features. The vulnerabilities (CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970) could allow system exploitation. The user contribution mapping functionality has been redesigned to resolve these issues. ESB-2025.0103 – Expedition Migration Tool: CVSS (Max): 7.8 Palo Alto Networks released a security advisory for vulnerabilities in its Expedition migration tool, which could expose sensitive data and allow unauthorised actions. The tool helps organisations transition to Palo Alto's next-gen firewall platform. Identified vulnerabilities could lead to unauthorised access to usernames, passwords, and device configurations. ESB-2025.0039 – Android: CVSS (Max): 9.8* Android's first security update of the year addresses several critical and high-severity vulnerabilities affecting many devices. The update highlights five critical remote code execution (RCE) flaws in Android's core system components, potentially allowing attackers to execute code without extra privileges. These vulnerabilities pose significant security risks to affected devices. ESB-2025.0057 – ABB ASPECT-Enterprise, NEXUS, and MATRIX series: CVSS (Max): 10 Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code. The vendor has identified the specific workarounds and mitigations users can apply to reduce risks. ESB-2025.0056 – Mozilla Foundation Products: CVSS (Max): None Multiple vulnerabilities were identified in Mozilla Products. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege, security restriction bypass, denial of service condition, remote code execution and spoofing on the targeted system. ESB-2025.0048 – Google Chrome: CVSS (Max): None Google released a critical security update for Chrome to fix a high-severity "Type Confusion" vulnerability in its V8 JavaScript engine. The flaw, tracked as CVE-2025-0291, could allow attackers to execute malicious code and compromise user systems. The update is being rolled out for Windows, Mac, and Linux users. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, As we step into 2025, we are presented with both challenges and opportunities. Now is the perfect time to set clear objectives for ourselves and our organisations, laying the groundwork for the year ahead. It’s also an ideal opportunity to strengthen cyber hygiene and invest in training to further develop our individual and collective expertise. The start of this new year marks a chapter filled with potential for growth, progress, and innovation. We are ready to embrace the challenges ahead, learn from past experiences, and move forward into a period of development and success. As cyber attacks continue to rise, it is no longer a question of if, but when. To ensure organisations are properly prepared, it’s crucial to test the readiness of teams, policies, and strategies. Subsequently, tabletop exercises and maturity assessments should be prioritised as vital components of a robust cyber security strategy. Tabletop exercises simulate realistic cyber attack scenarios, enabling teams to evaluate their response plans, improve coordination, and identify vulnerabilities in their incident response processes. These exercises foster collaboration across departments, helping ensure that all stakeholders are ready to respond quickly and effectively to emerging threats. In addition, maturity assessments provide organisations with a comprehensive evaluation of the effectiveness of their cyber security frameworks. These assessments help identify gaps in policies, processes, and technologies while benchmarking progress against industry standards. By regularly conducting both tabletop exercises and maturity assessments, organisations can maintain a resilient, adaptive cyber security posture, prepared to defend against increasingly sophisticated threats. Interested in tabletop exercises or maturity assessments? Reach out to us for a quote today! New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites Date: 2025-01-01 Author: The Hacker News Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo. New details reveal how hackers hijacked 35 Google Chrome extensions Date: 2024-12-31 Author: Bleeping Computer New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven. Although initial reports focused on Cyberhaven's security-focused extension, subsequent investigations revealed that the same code had been injected into at least 35 extensions collectively used by roughly 2,600,000 people. DrayTek Devices Vulnerability Let Attackers Arbitrary Commands Remotely Date: 2025-01-01 Author: GB Hackers The DrayTek Gateway devices, more specifically the Vigor2960 and Vigor300B models, are susceptible to a critical command injection vulnerability. Exploitable via the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, attackers can inject arbitrary commands into the system by manipulating the session parameter within a crafted HTTP request. FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits Date: 2025-01-01 Author: Hack Read According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of AWS tools and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions. ESB-2025.0025 – IBM Db2 OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems. ESB-2025.0018 – python-django It was discovered that there was a potential Denial of Service (DoS) vulnerability, in Django, a popular Python-based web development framework. ESB-2025.0010 – gst-plugins-good1.0 Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially executing arbitrary code if a malformed media file is opened. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Security Awareness + Education culture = Behaviour change In this episode, AUSCERT features the following guests: Kelsy Luengen, SEEK David Stockdale, AUSCERT Anthony sits down with the amazing Kelsy Luengen, Security Influencer from SEEK to look at how security awareness and education culture come together to create behaviour change. In the second half of the episode, Bek chats with David Stockdale from AUSCERT to reflect on the year that was and what we can expect in 2025. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, As the year draws to a close, we take pride in reflecting on the remarkable achievements of AUSCERT in 2024. This year has been defined by innovation, growth, and collaboration, marked by significant milestones that have further enhanced the value we deliver to our members. AUSCERT has strengthened its reputation as a trusted ally in cyber security by introducing transformative initiatives, enhancing existing services, and fostering deeper connections within the global cyber security community. These accomplishments demonstrate our unwavering commitment to equipping our members with the tools, knowledge, and support they need to confidently navigate the ever-evolving cyber security landscape. One of the standout moments of the year was the successful delivery of AUSCERT2024, which welcomed over 900 delegates—a record-breaking achievement! The conference featured ground-breaking workshops, insightful presentations, and key initiatives designed to strengthen and advance the cyber security industry. For those who missed conference presentations or wish to revisit them, recordings are available on our YouTube Channel. This year, we celebrated a major milestone with the launch of our rebrand—a refreshed identity that proudly reflects our new position as an “Ally in Cyber Security.” As part of this transformation, we unveiled an updated member portal featuring enhanced functionality designed to provide a more seamless and improved experience for our members. Our commitment to continuous improvement and service excellence remains unwavering. We invite our members to share their thoughts and ideas for future enhancements. Your feedback is invaluable—please submit your suggestions through the feedback feature in the member portal. Together, we can shape the future of our services to better meet your needs. Additionally, we expanded our offerings to include Governance, Risk, and Compliance (GRC) services. These encompass maturity assessments and tabletop exercises tailored to help our members navigate the complexities of GRC while aligning cyber security practices with their business objectives. Our proactive approach identifies and provides advice to address cyber security gaps, mitigate risks, and enhance organisational resilience. Through close collaboration, we aim to elevate security and compliance standards across your organisation. Looking ahead to 2025, we are excited to build on this momentum and continue delivering exceptional value to our members. Together, we will achieve even greater success in the coming year. CVE-2024-51479: Next.js Authorization Bypass Vulnerability Affects Millions of Developers Date: 2024-12-18 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] A recently disclosed security vulnerability in Next.js, a popular React framework used by millions of developers worldwide, could have allowed unauthorized access to sensitive application data. The vulnerability, tracked as CVE-2024-51479 and assigned a CVSS score of 7.5, was discovered by tyage from GMO Cybersecurity by IERAE. It affects Next.js versions 9.5.5 through 14.2.14. Clop is back to wreak havoc via vulnerable file-transfer software Date: 2024-12-17 Author: CyberScoop In what we can assure you is a new cybersecurity incident despite sounding incredibly similar to incidents of past notoriety: threat actors tied to a notorious ransomware and extortion group have exploited file-transfer software to carry out attacks. Clop has claimed responsibility for attacks tied to vulnerabilities in software made by Cleo, an Illinois-based IT company that sells various types of enterprise software. The vulnerabilities, which affected Cleo’s LexiCom, VLTrader, and Harmony products, have led to worries that sensitive data across various industries could be swiped by the group in a repeat of some of the most damaging security incidents of the past few years. CISA confirms critical Cleo bug exploitation in ransomware attacks Date: 2024-12-13 Author: Bleeping Computer CISA confirmed today that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks. This flaw (tracked as CVE-2024-50623 and impacting all versions before version 5.8.0.21) enables unauthenticated attackers to gain remote code execution on vulnerable servers exposed online. Cleo released security updates to fix it in October and warned all customers to "immediately upgrade instances" to additional potential attack vectors. Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances Date: 2024-12-16 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Citrix has issued a fresh warning on password spraying attacks targeting NetScaler and NetScaler Gateway appliances deployed by organizations worldwide. The attacks appear to be related to a broad campaign that was initially detailed in April 2024, targeting VPN and SSH services from Cisco, CheckPoint, Fortinet, SonicWall, and other organizations to brute-force them. Cisco patched a vulnerability related to these attacks in early October, and later that month Microsoft warned of password spray attacks targeting routers from multiple vendors. Curl Vulnerability Let Attackers Access Sensitive Information Date: 2024-12-15 Author: Cyber Security News [Please sere AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.8235/] A critical security flaw has been discovered in the popular data transfer tool Curl, potentially allowing attackers to access sensitive information. The vulnerability, identified as CVE-2024-11053, affects curl versions 6.5 through 8.11.0 and could lead to the exposure of passwords to unauthorized parties. Windows kernel bug now exploited in attacks to gain SYSTEM privileges Date: 2024-12-16 Author: Bleeping Computer [Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2024.0118/, https://portal.auscert.org.au/bulletins/ASB-2024.0113/, https://portal.auscert.org.au/bulletins/ESB-2024.1544/] [AUSCERT has also identified the impacted members (where possible) for the Improper Access Control Vulnerability in Adobe ColdFusion and has contacted them via email] CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability. Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction. ESB-2024.8323 – Google Chrome CVSS (Max): None Google has rolled out an important update for its Chrome browser, fixing five security vulnerabilities, some of which are classified as “High” severity. Users are strongly advised to upgrade to the latest Stable channel version (131.0.6778.204/.205 for Windows and Mac, 131.0.6778.204 for Linux) at their earliest convenience. The update addresses various issues, with special attention given to the V8 JavaScript engine. ESB-2024.8334 – FortiWLM CVSS (Max): 9.6 A critical vulnerability in FortiWLM, enables unauthenticated attackers to access sensitive files. With a CVSS score of 9.6, this flaw arises from a relative path traversal issue, allowing attackers to obtain unauthorized access to confidential data. ESB-2024.8264 – Apache Tomcat CVSS (Max): 9.8 The Apache Software Foundation has released a patch to address a critical vulnerability in Apache Tomcat. This flaw enables a malicious actor to upload harmful files disguised as legitimate ones, potentially leading to remote code execution (RCE). ESB-2024.8163 – Apache Struts CVSS (Max): 9.5 Researchers have alerted that threat actors are attempting to exploit the vulnerability CVE-2024-53677 in Apache Struts. A remote attacker could leverage this flaw to upload malicious files, potentially resulting in arbitrary code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, we were reminded of the critical importance of strong operational security (OPSEC) in protecting sensitive information, as poor security practices can not only compromise data but also expose criminal activities and lead to arrests. A 19-year-old Californian resident was recently arrested for an alleged role in cyber crimes committed by the Scattered Spider group. According to court documents released this week, investigators were able to identify the suspect by linking together online accounts, IP and physical addresses, and the use of a money laundering service that was operated by the FBI. In a similar case, alleged cyber criminals who had stolen source code, credentials, and other sensitive data were uncovered due to their own poor cyber security practices. Security researchers discovered more than 2 terabytes of stolen data as a result of overly permissive access control settings on their AWS S3 bucket. These incidents underscore the need for vigilance and robust security practices—not only for those seeking to protect against cyber threats but ironically also for those who perpetrate them. Mitel MiCollab zero-day flaw gets proof-of-concept exploit Date: 2024-12-05 Author: Bleeping Computer [AUSCERT identified the impacted members (where possible) and contacted them via email] Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem. Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities. Fully patched Cleo products under renewed 'zero-day-ish' mass attack Date: 2024-12-10 Author: The Register Researchers at security shop Huntress are seeing mass exploitation of a vulnerability affecting three Cleo file management products, even on patched systems. Cleo issued patches for CVE-2024-50623, an unauthenticated remote code execution (RCE) bug affecting Harmony, VLTrader, and LexiCom running version 5.8.0.21 – marketed as secure file integration and transfer products – back in October. The situation was described by Huntress on Reddit as "zero-day-ish." It's a zero-day in the sense that it involves the novel exploit of a vulnerability, but "ish" because that vulnerability was already addressed, or so Cleo thought. SonicWall Patches 6 Vulnerabilities in Secure Access Gateway Date: 2024-12-06 Author: Security Week [AUSCERT identified the impacted members (where possible) and contacted them via email] SonicWall this week announced patches for multiple vulnerabilities in the SMA100 SSL-VPN secure access gateway, including high-severity flaws leading to remote code execution (RCE). The most severe of these issues are two buffer overflow bugs affecting the web management interface and a library loaded by the Apache web server. Django Releases Patches for CVE-2024-53907 and CVE-2024-53908 to Mitigate DoS and SQLi Threats Date: 2024-12-05 Author: Security Online [AUSCERT identified the impacted members (where possible) and contacted them via email] The Django team has recently announced the release of Django 5.1.4, Django 5.0.10, and Django 4.2.17 to address two security vulnerabilities. All users are strongly encouraged to upgrade their Django installations as soon as possible. CVE-2024-53907: Potential Denial-of-Service Attack The first vulnerability, identified as CVE-2024-53907, involves a potential denial-of-service (DoS) vulnerability in the django.utils.html.strip_tags() method and striptags template filter. Microsoft NTLM Zero-Day to Remain Unpatched Until April Date: 2024-12-10 Author: Dark Reading [Please see AUSCERT advisory: https://portal.auscert.org.au/bulletins/ASB-2024.0236/ ] The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice. QNAP Patches Vulnerabilities Exploited at Pwn2Own Date: 2024-12-09 Author: Security Week Taiwan-based QNAP Systems over the weekend announced patches for multiple QTS and QuTS Hero vulnerabilities demonstrated at the Pwn2Own Ireland 2024 hacking contest. At Pwn2Own, participants earned tens of thousands of dollars for QNAP product exploits, and one entry even earned white hat hackers $100,000, but it involved chaining not only QNAP but also TrueNAS device vulnerabilities. ASB-2024.0236 – Windows Workstation and Server AUSCERT issued an advisory warning its members about the zero-day vulnerability in Windows NTLM. Microsoft has not yet released a patch but has provided new guidance to organisations on how to mitigate NTLM relay attacks. ESB-2024.8086 – Atlassian Products: CVSS (Max): 8.1 Atlassian has released fixes for 10 high-severity vulnerabilities affecting Bamboo, Bitbucket, and Confluence Data Center and Server products. The patches address issues in third-party dependencies like Apache, AWS SDK, and Hazelcast. Users are urged to update their instances. ASB-2024.0233 – Microsoft Windows: CVSS (Max): 9.8 Microsoft has issued security updates for 59 vulnerabilities across Windows 10, 11, and Server, with Windows 7 and 8.1 no longer receiving support. CVE-2024-49138, a high-risk buffer overflow vulnerability in the shared protocol file system driver, is actively being targeted, allowing attackers to gain elevated system privileges. Users are advised to update to Windows 10 22H2 or Windows 11 23H2 for continued security. ESB-2024.8056 – Google Chrome: CVSS (Max): None Google has released a Chrome update (version 131.0.6778.139/140) for Windows, Mac, and Linux, addressing several security vulnerabilities, including two rated "High" severity. Notably, CVE-2024-12381 (Type Confusion in V8) and CVE-2024-12382 (Use After Free in Translate) were fixed, reducing risks of arbitrary code execution and system control. ESB-2024.8062 – Adobe Connect: CVSS (Max): 9.3 Adobe has released a security update for Adobe Connect, addressing critical, important, and moderate vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass. Affected versions include Adobe Connect 12.6 and earlier, as well as 11.4.7 and earlier. The update, rated priority 3, is available for all platforms, and users are urged to upgrade to Adobe Connect 12.7 or 11.4.9. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The festive season is a time for celebration, but it’s also a period when cyber criminals ramp up their efforts to exploit busy, distracted, or unsuspecting individuals. As online shopping surges during Christmas, it’s essential to stay vigilant and take proactive steps to safeguard your personal information and devices. As cyber security professionals, it’s critical to not only apply best practices personally but also reinforce awareness among less tech-savvy colleagues, friends, and family members. Phishing scams, fake e-commerce promotions, and delivery fraud are rampant during this period. Scammers create convincing fake websites, pay for top placement in search results, and set up fraudulent stores on social media to deceive consumers. Common tactics include fake travel deals, parcel delivery scams, and offers that seem too good to be true—designed to steal payments or personal data. To protect yourself, always verify URLs for accuracy and security, avoid clicking on links in emails or messages, and download apps only from trusted sources. Use secure payment methods with consumer protections like PayPal or credit cards, and consider a low-limit credit card for online transactions. Avoid saving payment details in online accounts, and the more risky payment methods like bank transfers or cryptocurrencies. Strengthen account and device security with unique passwords, multi-factor authentication, and regular software updates. Stay alert to parcel scams, verifying any messages even if expecting a delivery. If a deal seems too good to be true, access the retailer’s website directly to confirm its legitimacy. Remember these three steps to avoid scams: Stop—Don’t rush into action; Check—Verify the offer through official channels or reviews; and Report—inform your bank and update passwords if you suspect a scam. By staying proactive, you can enjoy a safe and secure holiday season for all! CVE-2024-42330 (CVSS 9.1): Zabbix Patches Critical Remote Code Execution Vulnerability Date: 2024-11-28 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] Popular open-source monitoring tool Zabbix has released urgent security updates to address a critical vulnerability that could allow attackers to execute arbitrary code on vulnerable systems. The vulnerability, tracked as CVE-2024-42330 and assigned a CVSS score of 9.1, affects multiple versions of Zabbix 6.0, 6.4, and 7.0. Zabbix is widely used by organizations of all sizes to monitor their IT infrastructure, including networks, servers, and cloud services. RomCom exploits Firefox and Windows zero days in the wild Date: 2024-11-26 Author: We Live Security [Please see the AUSCERT bulletin published in October for CVE-2024-9680: https://portal.auscert.org.au/bulletins/ESB-2024.6620/] ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit. ESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023. CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks Date: 2024-12-04 Author: Security Week The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild. The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Veeam warns of critical RCE bug in Service Provider Console Date: 2024-12-03 Author: Bleeping Computer ​Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads. Exploit released for critical WhatsUp Gold RCE flaw, patch now Date: 2024-12-03 Author: Bleeping Computer A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it critical to install the latest security updates as soon as possible. The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 and before 24.0.1. ESB-2024.7833 – Google Chrome: CVSS (Max): 8.8 Google has released a security update for Chrome to fix a high-severity "type confusion" vulnerability (CVE-2024-12053) in the V8 JavaScript engine. This flaw could allow attackers to execute arbitrary code, bypassing Chrome’s sandbox and compromising system security. The issue was promptly patched in Chrome version 131.0.6778.108/.109 for Windows, Mac, and Linux. ESB-2024.7802 – Cisco Adaptive Security Appliance WebVPN: CVSS (Max): 6.1 Cisco warns that the decade-old ASA vulnerability (CVE-2014-2120) is being actively exploited in attacks. This flaw, found in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) software, allows unauthenticated remote attackers to conduct cross-site scripting (XSS) attacks. Cisco urges customers to upgrade to fixed software versions following new exploitation attempts detected in November 2024. ESB-2024.7832 – Siemens RUGGEDCOM APE1808: CVSS (Max): 10.0 Siemens products are affected by multiple vulnerabilities. These vulnerabilities could allow attackers to gain unauthorised access, cause denial-of-service conditions, or escalate privileges. Affected devices should be updated using Siemens patches, and access to the management interface should be limited to trusted IP addresses. CISA recommends protective measures to reduce exploitation risks, including securing network access and following industrial security guidelines. Additionally, users should be vigilant against social engineering attacks. ESB-2024.7785 – Google Android: CVSS (Max): 8.4* The Android Security Bulletin highlights critical vulnerabilities, with the most severe being a high-risk flaw in the System component, potentially allowing remote code execution without requiring additional privileges. The vulnerability could severely impact devices if platform and service mitigations are bypassed or disabled. Security patch levels of 2024-12-05 or later address all issues. Android partners were notified in advance, and source code patches have been released in the AOSP repository. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, This week, we had the exciting opportunity to reconnect with our Melbourne community at an AUSCERT member meetup. It was an inspiring space for collaboration, where participants shared experiences, discussed challenges in a supportive environment. Coming together in person highlighted the passion, innovation, and drive that are the heart of our community, reminding us of the importance of meaningful interactions as we work towards our common goals. Following the meet up, the AUSCERT team attended the AISA Melbourne CyberCon where our General Manager, Ivano Bongiovanni, delivered three engaging sessions. These focused on the future of cyber security, the vital role of data governance, and decision-making in the age of AI. It was a great opportunity to reconnect with the AISA community and engage with the wider cyber security industry in Melbourne during this event! This week the Australian government has passed its first standalone Cyber Security Act as part of the 2023–2030 Cyber Security Strategy. This landmark legislation aims to strengthen the nation's cyber resilience with provisions such as enhanced incident reporting, mandatory smart device security standards, and the creation of a Cyber Incident Review Board. A notable feature is the "limited use" obligation, which safeguards organisations that share data during cyber incidents, promoting greater collaboration between government and industry. The Act also updates critical infrastructure protections and broadens government powers to address emerging cyber threats. Key elements of the legislative package include: Mandatory Ransomware Payment Reporting: Businesses with annual turnovers above AUD 3 million must disclose ransomware payments within a set timeframe, enhancing transparency and response efforts. IoT Security Standards: New regulations bring Australian IoT devices, like home security cameras and smart appliances, in line with international security standards to reduce vulnerabilities. Enhanced Protections for Data and Critical Infrastructure: Updates to laws such as the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018 aim to fortify the security of critical infrastructure and improve data management. Liability Protections: The new rules offer [businesses "no-fault" protections when reporting cyber incidents, encouraging greater transparency without the fear of legal consequences. These reforms represent a major step toward building a more secure digital environment across Australia. QNAP addresses critical flaws across NAS, router software Date: 2024-11-25 Author: Bleeping Computer QNAP has released security bulletins over the weekend, which address multiple vulnerabilities, including three critical severity flaws that users should address as soon as possible. Starting with QNAP Notes Station 3, a note-taking and collaboration application used in the firm's NAS systems, the following two vulnerabilities impact it: CVE-2024-38643 – Missing authentication for critical functions could allow remote attackers to gain unauthorized access and execute specific system functions. The lack of proper authentication mechanisms makes it possible for attackers to exploit this flaw without prior credentials, leading to potential system compromise. (CVSS v4 score: 9.3, "critical") CVE-2024-38645 – Server-side request forgery (SSRF) vulnerability that could enable remote attackers with authentication credentials to send crafted requests that manipulate server-side behavior, potentially exposing sensitive application data. CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks Date: 2024-11-26 Author: The Hacker News The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023. Cyber security bill passes parliament Date: 2024-11-26 Author: iTnews Australia’s first cyber security legislation has been passed by parliament after being approved by the senate yesterday. The package of legislation was introduced last month as part of the government’s 2023-2030 Australian Cyber Security Strategy. Now, businesses that pay ransomware hackers will be compelled to report it to the government. There is also a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD) to share information from a victim during an incident. macOS Vulnerability (CVE-2023-32428) Grants Root Access, PoC Published Date: 2024-11-26 Author: Security Online Security researcher Gergely Kalman has detailed a high-severity vulnerability in Apple’s MallocStackLogging framework that could allow attackers to gain local privilege escalation (LPE) on macOS systems. The flaw, designated CVE-2023-32428 with a CVSS score of 7.8, demonstrates how seemingly helpful developer tools can be manipulated to bypass security measures and compromise high-privilege operations. CVE-2024-8114: GitLab Vulnerability Allows Privilege Escalation Date: 2024-11-26 Author: Security Online GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products. Versions 17.6.1, 17.5.3, and 17.4.5 contain important bug and security fixes, including patches for a high severity privilege escalation vulnerability. “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said in its security advisory. ESB-2024.7747 – GitLab Community Edition (CE) and Enterprise Edition (EE) GitLab has released critical security updates to address multiple vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) products. ESB-2024.7745 – GlobalProtect App An insufficient certification validation issue in the Palo Alto Networks GlobalProtect app enables attackers to connect the GlobalProtect app to arbitrary servers. ESB-2024.7714 – OpenSSL Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Python for Scientific Computing versions 3.2.2, 4.2.2 and higher. ESB-2024.7561.2 – Palo Alto PAN-OS An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, The call for presentations at AUSCERT2025 is officially open! As the longest-running event of its kind in Australia, AUSCERT has built a strong, collaborative network of professionals committed to advancing the industry. This event not only fosters the exchange of cutting-edge ideas but also offers networking opportunities with top experts, innovators, and industry leaders. Contributing to the collective knowledge at AUSCERT2025 is more critical than ever. By sharing your insights, research, and strategies, you can help drive innovation and ensure the industry continues to evolve and thrive in this dynamic environment. The Australian Signals Directorate (ASD) has released its 2023–24 Annual Cyber Threat Report, shedding light on the growing sophistication of cyber threats. Over the past financial year, the ASD received over 36,700 calls to its Cyber Security Hotline—an increase of 12% from the previous year—and responded to more than 1,100 cyber incidents. These figures highlight the persistent targeting of Australian organisations by both criminal and state-sponsored actors, particularly governments and critical infrastructure. The report also highlights the increasing use of artificial intelligence by cyber criminals, reducing the expertise required to execute attacks. Common threats like business email compromise, fraud, ransomware, and data theft extortion continue to disrupt businesses and individuals. With global tensions escalating, the ASD stresses the importance of closer collaboration between governments, industries, and international partners. Strong public-private partnerships and proactive incident reporting are essential to building national cyber resilience. The report underscores the urgent need for improved cyber security measures, knowledge-sharing, and unified efforts to safeguard Australia’s digital infrastructure. Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover Date: 2024-11-15 Author: Security Week A critical-severity vulnerability in the Really Simple Security plugin for WordPress potentially exposed four million websites to complete takeover, WordPress security firm Defiant warns. Tracked as CVE-2024-10924 (CVSS score of 9.8), the issue is described as an authentication bypass that allows an unauthenticated attacker to log in as any user, including an administrator. According to Defiant, the security defect exists because of an improper user check error handling in the plugin’s two-factor REST API action. Specifically, the bug is triggered if two-factor authentication (2FA) is enabled. Palo Alto Networks Releases IoCs for New Firewall Zero-Day Date: 2024-11-18 Author: Security Week [AUSCERT has contacted members where possible. Also see AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2024.7561, IOCs published on MISP] Palo Alto Networks has released indicators of compromise (IoCs) for the attacks exploiting a newly uncovered firewall zero-day vulnerability. The company recently came across claims regarding a previously unknown remote code execution vulnerability in its PAN-OS operating system. A security advisory published by the company on November 8 urged customers to ensure that access to the PAN-OS management interface is secured, but said there had been no indication of a zero-day being exploited in attacks. Critical RCE bug in VMware vCenter Server now exploited in attacks Date: 2024-11-18 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2024.7542] Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation. Apple fixes two zero-days used in attacks on Intel-based Macs Date: 2024-11-19 Author: Bleeping Computer Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS. Cyber security bill recommended for 'urgent' parliamentary approval Date: 2024-11-18 Author: IT News Proposed legislation compelling businesses to disclose their ransomware payments to the government has been recommended for “urgent” parliamentary approval. Introduced last month by cyber security minister Tony Burke, the Cyber Security Bill 2024 aims to enforce mandatory reporting of ransomware payments to “build [the government’s] understanding of the ransomware threat”. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) recommended the bill be urgently passed by parliament. ESB-2024.7592 – IBM Security QRadar SIEM: CVSS (Max): 10.0 The product includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. IBM has addressed these vulnerabilities with an update. ESB-2024.7542.2 – VMware vCenter Server: CVSS (Max): 9.8 VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) ESB-2024.7565 – Atlassian Products: CVSS (Max): 10.0 19 high severity vulnerabilities have been fixed in new versions of Atlassian products. The addressed vulnerabilities emcompassed DoS (Denial of Service and Remote Code Execution (RCE) flaws. ESB-2024.7561 – Palo Alto PAN-OS: CVSS (Max): 9.3 An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. This has been addressed in release of new versions of the software. ESB-2024.7610 – mySCADA myPRO Manager: CVSS (Max): 10.0 An identified vulnerability could allow a remote attacker to execute arbitrary commands or disclose sensitive information. mySCADA recommends updating to latest versions of the software to address the issue. Stay safe, stay patched and have a good weekend! The AUSCERT team