Week in review
AUSCERT Week in Review for 26th July 2024
Greetings,
Friday afternoon, CrowdStrike released a sensor configuration update that triggered errors and system crashes in millions of Windows systems, causing major outages worldwide. This event grounded flights, disrupted banks, and closed businesses, highlighting the interconnectedness and fragility of our digital infrastructure. It served as a wake-up call, emphasising that the IT industry is a critical component linking every part of the world. When mistakes are made or incidents occur, the repercussions are felt globally.
Reports indicate that malicious actors are quickly capitalising on the disruption caused by this technical issue. Cyber criminals are exploiting the outage window to launch phishing campaigns and other malicious activities. Notably, there have been reports of criminals mimicking CrowdStrike support communications and even impersonating CrowdStrike staff during phone calls.CrowdStrike has also noted instances where cyber criminals posed as independent researchers, falsely asserting evidence linking the technical issue to a cyber attack. In response to these developments, cyber security organisations and authorities have issued advisories urging heightened vigilance. Users are encouraged to verify the authenticity of communications, especially during service disruptions, and to adhere strictly to official channels for updates and support. For more information regarding this issue,read our full article here
Attention Brisbane Members! In partnership with WTW and Ethan Global, we will be hosting an event in the CBD on August 13th for IT Directors, Managers, CISOs, C-Suite executives, as well as Risk and Insurance Managers. During this in-person session, AUSCERT, WTW, and Ethan Global will provide attendees with insights and practical steps to understand and communicate holistic cyber risk management strategies, drawn from real-life case studies.Our speakers will examine developments in legal and regulatory changes, prioritising cyber investments, and reporting. Don't miss this opportunity to hear firsthand from thought leaders and experienced practitioners through both presentations and panel discussions. Register here
Scammers will pounce on global outage caused by CrowdStrike bug, Home Affairs Minister Clare O'Neil warns
Date: 2024-07-20
Author: ABC News
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0159/]
AUSCERT has also shared IoCs via MISP
Australians have been warned scammers and hackers are trying to capitalise on CrowdStrike-triggered outages to steal personal information including bank details and to gain access to computer systems.
The unprecedented outage affected a raft of major institutions in Australia and internationally, including emergency services, government agencies, banks and airlines
Microsoft releases Windows repair tool to remove CrowdStrike driver
Date: 2024-07-21
Author: Bleeping Computer
Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday.
On Friday, CrowdStrike pushed out a faulty update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops.
This glitch caused massive IT outages, as companies suddenly found that all of their Windows devices no longer worked. These IT outages affected airports, hospitals, banks, companies, and government agencies worldwide.
Telegram zero-day allowed sending malicious Android APKs as videos
Date: 2024-07-22
Author: Bleeping Computer
A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files. A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older.
Australian cyber security firms to boost Indo-Pacific resilience
Date: 2024-07-24
Author: Security Brief
AUSCERT and the University of Queensland have announced a partnership with IDCARE to expand cyber security support across the Indo-Pacific under an Australian Government contract.
The collaboration is part of the Cyber and Critical Tech Co-operation Program, aiming to bolster cyber resilience in Papua New Guinea and Fiji through tailored cyber-crime
Windows July security updates send PCs into BitLocker recovery
Date: 2024-07-24
Author: Bleeping Computer
Microsoft warned that some Windows devices will boot into BitLocker recovery after installing the July 2024 Windows security updates.
The BitLocker Windows security feature mitigates the risk of data theft or information exposure from lost, stolen, or inappropriately decommissioned devices by encrypting the storage drives.
Windows computers can automatically enter BitLocker recovery mode following various events, including hardware and firmware upgrades or changes to the TPM (Trusted Platform Module), to restore access to BitLocker-protected drives that have not been unlocked via the default unlock mechanism.
Over 3,000 GitHub accounts used by malware distribution service
Date: 2024-07-24
Author: Bleeping Computer
Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub that push information-stealing malware.
The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware. In most cases, the malware are infostealers, such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer.
ESB-2024.4781 – Google Chrome: CVSS (Max): None
Google announced the release of Chrome 127 to the stable channel with patches for 24 vulnerabilities.
As usual, memory safety bugs were the most common type of security flaw addressed, representing half of the reported issues, including four high-severity ones.
ASB-2024.0159 – CrowdStrike sensor configuration update
AUSCERT issued an advisory regarding the global outage caused by the sensor configuration update
that impacted millions of Windows systems worldwide.
ESB-2024.4758 – National Instruments IO Trace: CVSS (Max): None
ICS-CERT has issued an advisory for a critical vulnerability (CVE-2024-5602) in National Instruments IO Trace, a network appliance. The issue, a stack-based buffer overflow, requires user interaction to exploit but could allow arbitrary code execution. A patch is available, and users are advised to minimize network exposure and use secure remote access methods.
ESB-2024.4742 – IBM Security QRadar SIEM: CVSS (Max): 7.5
IBM Security QRadar SIEM has released updates to address multiple vulnerabilities, including CVE-2024-29415, which has a CVSS score of 7.5 for server-side request forgery. The updates also fix other issues such as denial of service and HTTP request smuggling.
ESB-2024.4833 – ICSA-24-207-01 Siemens SICAM Products: CVSS (Max): 9.8
Siemens SICAM products are vulnerable to critical issues, including a severe password reset flaw (CVE-2024-37998) and a missing authentication issue (CVE-2024-39601). These vulnerabilities could lead to unauthorized access and potential information leaks. Users are advised to upgrade to the latest versions and disable auto login to mitigate risks.
Stay safe, stay patched and have a good weekend!
The AUSCERT team
Learn more