Week in review

AUSCERT Week in Review for 26th July 2024

Greetings, Friday afternoon, CrowdStrike released a sensor configuration update that triggered errors and system crashes in millions of Windows systems, causing major outages worldwide. This event grounded flights, disrupted banks, and closed businesses, highlighting the interconnectedness and fragility of our digital infrastructure. It served as a wake-up call, emphasising that the IT industry is a critical component linking every part of the world. When mistakes are made or incidents occur, the repercussions are felt globally. Reports indicate that malicious actors are quickly capitalising on the disruption caused by this technical issue. Cyber criminals are exploiting the outage window to launch phishing campaigns and other malicious activities. Notably, there have been reports of criminals mimicking CrowdStrike support communications and even impersonating CrowdStrike staff during phone calls.CrowdStrike has also noted instances where cyber criminals posed as independent researchers, falsely asserting evidence linking the technical issue to a cyber attack. In response to these developments, cyber security organisations and authorities have issued advisories urging heightened vigilance. Users are encouraged to verify the authenticity of communications, especially during service disruptions, and to adhere strictly to official channels for updates and support. For more information regarding this issue,read our full article here Attention Brisbane Members! In partnership with WTW and Ethan Global, we will be hosting an event in the CBD on August 13th for IT Directors, Managers, CISOs, C-Suite executives, as well as Risk and Insurance Managers. During this in-person session, AUSCERT, WTW, and Ethan Global will provide attendees with insights and practical steps to understand and communicate holistic cyber risk management strategies, drawn from real-life case studies.Our speakers will examine developments in legal and regulatory changes, prioritising cyber investments, and reporting. Don't miss this opportunity to hear firsthand from thought leaders and experienced practitioners through both presentations and panel discussions. Register here Scammers will pounce on global outage caused by CrowdStrike bug, Home Affairs Minister Clare O'Neil warns Date: 2024-07-20 Author: ABC News [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0159/] AUSCERT has also shared IoCs via MISP Australians have been warned scammers and hackers are trying to capitalise on CrowdStrike-triggered outages to steal personal information including bank details and to gain access to computer systems. The unprecedented outage affected a raft of major institutions in Australia and internationally, including emergency services, government agencies, banks and airlines Microsoft releases Windows repair tool to remove CrowdStrike driver Date: 2024-07-21 Author: Bleeping Computer Microsoft has released a custom WinPE recovery tool to find and remove the faulty CrowdStrike update that crashed an estimated 8.5 million Windows devices on Friday. On Friday, CrowdStrike pushed out a faulty update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops. This glitch caused massive IT outages, as companies suddenly found that all of their Windows devices no longer worked. These IT outages affected airports, hospitals, banks, companies, and government agencies worldwide. Telegram zero-day allowed sending malicious Android APKs as videos Date: 2024-07-22 Author: Bleeping Computer A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files. A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older. Australian cyber security firms to boost Indo-Pacific resilience Date: 2024-07-24 Author: Security Brief AUSCERT and the University of Queensland have announced a partnership with IDCARE to expand cyber security support across the Indo-Pacific under an Australian Government contract. The collaboration is part of the Cyber and Critical Tech Co-operation Program, aiming to bolster cyber resilience in Papua New Guinea and Fiji through tailored cyber-crime Windows July security updates send PCs into BitLocker recovery Date: 2024-07-24 Author: Bleeping Computer Microsoft warned that some Windows devices will boot into BitLocker recovery after installing the July 2024 Windows security updates. The BitLocker Windows security feature mitigates the risk of data theft or information exposure from lost, stolen, or inappropriately decommissioned devices by encrypting the storage drives. Windows computers can automatically enter BitLocker recovery mode following various events, including hardware and firmware upgrades or changes to the TPM (Trusted Platform Module), to restore access to BitLocker-protected drives that have not been unlocked via the default unlock mechanism. Over 3,000 GitHub accounts used by malware distribution service Date: 2024-07-24 Author: Bleeping Computer Threat actors known as 'Stargazer Goblin' have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub that push information-stealing malware. The malware delivery service is called Stargazers Ghost Network and it utilizes GitHub repositories along with compromised WordPress sites to distribute password-protected archives that contain malware. In most cases, the malware are infostealers, such as RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer. ESB-2024.4781 – Google Chrome: CVSS (Max): None Google announced the release of Chrome 127 to the stable channel with patches for 24 vulnerabilities. As usual, memory safety bugs were the most common type of security flaw addressed, representing half of the reported issues, including four high-severity ones. ASB-2024.0159 – CrowdStrike sensor configuration update AUSCERT issued an advisory regarding the global outage caused by the sensor configuration update that impacted millions of Windows systems worldwide. ESB-2024.4758 – National Instruments IO Trace: CVSS (Max): None ICS-CERT has issued an advisory for a critical vulnerability (CVE-2024-5602) in National Instruments IO Trace, a network appliance. The issue, a stack-based buffer overflow, requires user interaction to exploit but could allow arbitrary code execution. A patch is available, and users are advised to minimize network exposure and use secure remote access methods. ESB-2024.4742 – IBM Security QRadar SIEM: CVSS (Max): 7.5 IBM Security QRadar SIEM has released updates to address multiple vulnerabilities, including CVE-2024-29415, which has a CVSS score of 7.5 for server-side request forgery. The updates also fix other issues such as denial of service and HTTP request smuggling. ESB-2024.4833 – ICSA-24-207-01 Siemens SICAM Products: CVSS (Max): 9.8 Siemens SICAM products are vulnerable to critical issues, including a severe password reset flaw (CVE-2024-37998) and a missing authentication issue (CVE-2024-39601). These vulnerabilities could lead to unauthorized access and potential information leaks. Users are advised to upgrade to the latest versions and disable auto login to mitigate risks. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Member information

AUSCERT Bulletin Formats

AUSCERT Bulletin Formats AUSCERT publishes two security bulletin formats: External Security Bulletin (ESB) – produced by vendors that are summarised and re-released by AUSCERT in a consistent format. AUSCERT Security Bulletin (ASB) – produced by AUSCERT with Overview, Impact and Mitigation information. ASBs typically describe critical vulnerabilities and emerging threats. They are collated from a variety of resources including vendors, security researchers and incident response teams around the world. Every AUSCERT bulletin contains a Bulletin Summary which highlights the essential information to assist in the vulnerability management process. The Bulletin Summary consists of the following categories (where relevant): Product Publisher Operating System Resolution CVE Names Original Bulletin URL Comment CVSS (Max) EPSS (Max) CISA KEV (if applicable) These categories are described in further detail below. ESB Structure Bulletin Titles and Email Subject Lines Bulletin titles and bulletin email subject lines display information in a concise format. The title includes the bulletin ID (eg ESB-2024.1234), revision number if applicable (eg ESB-2024.1234.2) and may include an ‘ALERT’ flag if the contents of the bulletin are time critical or reference a serious actively exploited vulnerability. The title also lists operating systems or hardware types that the vulnerability affects, and the product or product family. Example of a bulletin title: ESB-2024.1234 libarchive   Example of an email subject line: ESB-2024.1234 [SUSE] libarchive: CVSS (Max): 7.3 Bulletin Header The bulletin header consists of the ESB (or ASB) ID, a short summary of the purpose of the bulletin, and the date. Bulletin Summary The bulletin summary is an overview of the essential information in the bulletin typically used in the vulnerability management process. Both ESBs and ASBs contain a summary with individual fields as shown in this example: Product The product field displays the affected product name and version numbers (if any). Both ESBs and ASBs will have a Product field. Publisher Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. This is often a vendor such as SUSE or Red Hat but it may also be another security team or research group. Operating System This field gives a list of operating systems or operating system families that are affected by the vulnerability. Resolution The Resolution field gives a quick indication on how to protect against the vulnerability. The values are: None: No resolution is currently available. Patch/Upgrade: A patch or new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch – third party patches would be considered a mitigation. Mitigation: There are mitigation steps available that may be used, however there is no specific fix to the vulnerability. Alternate Program: Another program with similar functionality is available that is not vulnerable. CVE Names This field lists any CVE identifiers that relate to this vulnerability. CVEs are effective for tracking vulnerabilities that affect multiple products. Original Bulletin URL This field lists the URL of the original bulletin source. The original bulletin will often have additional links for further information. Comment This field contains any additional information that AUSCERT believes should be highlighted, including: CVSS (Max) EPSS (Max) CISA KEV (if applicable) These categories are described in detail further below. CVSS (Max) The Common Vulnerability Scoring System, or CVSS score, is included in all AUSCERT ASBs and ESBs in the Comment field. The CVSS is a published standard for assessing security vulnerabilities which classifies and scores vulnerabilities based on their severity. Scores are calculated based on a formula that depends on several metrics including required access, impact and authentication. The scores range from 0 to 10, with 10 being the most severe. This field consists of the CVSS (Max) CVSS Score, CVE-ID and CVSS description of the CVE with the highest score. If there is no CVSS (Max) score available at the time of publishing, the Comment field will show as “CVSS (Max): None”. For further information about how the CVSS (Max) is calculated and used, please see https://auscert.org.au/blogs/bulletin-impact-access-to-cvss-migration. EPSS (Max) Where an Exploitation Prediction Scoring System (EPSS Score) is available, this will also be included in the Comment field of a bulletin as “EPSS (Max)”. EPSS employs advanced algorithms to forecast the likelihood of vulnerabilities being exploited in real-world scenarios. A higher EPSS score will indicate a higher risk of exploitation which may provide input into the vulnerability management process. The syntax of the EPSS (Max) score is: EPSS (Max): (*Probability) (**Percentile) (CVE Number) (Date EPSS calculated). Probability: The likelihood of exploitation of the given CVE within the next 30 days Percentile: The vulnerability’s relative severity compared to others, ranking it within a distribution of similar security issues based on their assessed risks and potential impacts. AUSCERT advises members to research EPSS thoroughly before considering its application in vulnerability management. Understanding EPSS can require effort, and its suitability can vary depending on the environment. See articles below for further details on use and interpretation: https://www.first.org/epss https://www.first.org/epss/user-guide https://www.first.org/epss/faq https://vulners.com/blog/epss-exploit-prediction-scoring-system/ https://blog.stackaware.com/p/deep-dive-into-the-epss https://asimily.com/blog/epss-and-its-role-in-vulnerability-management/ https://security.cms.gov/posts/assessing-vulnerability-risks-exploit-prediction-scoring-system-epss CISA KEV A CISA Known Exploited Vulnerability (KEV) is also present in the Comment field if applicable. The KEV catalogue is a CISA-maintained authoritative source of vulnerabilities that have been exploited in the wild. It is recommended that all members review and monitor the KEV catalogue and prioritize remediation efforts of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. The field consists of the CISA KEV CVE(s) and the CISA KEV url for reference. For example: For further information about CISA KEV, please see https://www.cisa.gov/known-exploited-vulnerabilities. Bulletin Updates and Versioning An ESB or ASB can be updated in the event of crucially new or updated information becoming available since the original date of publication. Updates will have a version number appended to the bulletin ID, eg ESB-2024.1234 will become ESB-2024.1234.2, and the ‘UPDATE’ tag will be added. ASB Structure An ASB contains the same bulletin title, bulletin header, bulletin summary and comment sections as an ESB, however the main body of an ASB differs from an ESB. The main body of an ASB generally consists of four headings: OVERVIEW: This is a summary of the vulnerability being reported and the products that are affected. IMPACT: This section outlines in more detail what the vulnerability allows attackers to perform (eg remote code execution), and the potential outcome of these vulnerabilities (eg significant data breaches, circumvent firewalls, intrusion detection systems, etc). MITIGATION: This section outlines steps to mitigate the risk. This can range from applying available patches to address the vulnerability to restricting or segmenting access to the network, including deploying additional monitoring and alerts against specific criteria. REFERENCES: This is a list of websites that report on the vulnerability. It can be a third-party website or the vendor itself. The websites are referenced within the ASB as the source of information being reported. Examples Full example of an ESB:     Full example of an ASB:    

Learn more

Blogs

CrowdStrike Technical Outage Exploited by Cyber Criminals – Stay Vigilant!

CrowdStrike Technical Outage Exploited by Cyber Criminals – Stay Vigilant! On Friday 19 July, CrowdStrike released a sensor configuration update that triggered errors and system crashes in millions of Windows systems causing major business outages worldwide [2][3].  CrowdStrike has assured users that the outage was not due to a cyberattack [2]. Reports have since surfaced indicating that malicious actors are swiftly capitalising on the disruption created by this technical issue [1][4]. Reports from cybersecurity experts and industry analysts suggest that cyber criminals are leveraging the outage window to launch phishing campaigns and other malicious activities. These efforts aim to exploit emotions such as fear or urgency to manipulate users into making quick, uninformed decisions. This tactic aims to bypass users’ critical thinking and make fraudulent schemes more successful. Phishing attacks, in particular, have been observed mimicking CrowdStrike support communications. There also have been incidents where cyber criminals impersonated CrowdStrike staff in phone calls [1]. CrowdStrike has additionally noted instances where cyber criminals posed as independent researchers, falsely asserting evidence linking the technical issue to a cyberattack. They have offered supposed remediation insights and marketed scripts claiming to automate recovery from the content update problem [1]. In response to these developments, cybersecurity organisations and authorities have issued advisories urging heightened vigilance. Users are encouraged to verify the authenticity of communications, especially during service disruptions, and to adhere strictly to official channels for updates and support. CrowdStrike has shared a list of domains impersonating CrowdStrike’s brand during the outage. While some domains in this list are not currently hosting malicious content and may be intended to amplify negative sentiment, they could potentially support future social-engineering operations [1]. As CrowdStrike continues to restore full service functionality, the incident serves as a stark reminder of the evolving tactics used by cyber criminals. Organizations and individuals alike must remain vigilant, maintain updated security measures, and exercise caution in response to such incidents to mitigate potential risks effectively. The swift and coordinated response from cybersecurity communities highlights the importance of proactive measures in safeguarding against opportunistic cyber threats, ensuring resilience in the face of technical disruptions and potential exploitation by malicious actors. [1] “Falcon Sensor Content Issue from July 19, 2024, Likely Used to Target CrowdStrike Customers” – https://www.crowdstrike.com/blog/falcon-sensor-issue-use-to-target-crowdstrike-customers/ [2] “Technical Details: Falcon Content Update for Windows Hosts” – https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/ [3] “CrowdStrike Falcon flaw sends Windows computers into chaos worldwide” – https://cyberscoop.com/crowdstrike-falcon-flaw-microsoft-outage-flights-grounded-windows/ [4] “Widespread outages relating to CrowdStrike software update” – https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/widespread-outages-relating-crowdstrike-software-update Written by Vishaka Wijekoon for AUSCERT

Learn more

Week in review

AUSCERT Week in Review for 19th July 2024

Greetings, The winds picked up in the sunny state this week, bringing a noticeable drop in temperatures and allowing us to truly feel the winter chill. Perhaps we can also blame the winds for Queensland’s disappointing loss to New South Wales in the men's State of Origin. The Blues secured one of their greatest victories, defeating Queensland 14-4 at Suncorp Stadium, breaking a 19-year inability to win a decider there. Although it was a sad loss for the Maroons, we applaud the Blues for a good game and a great win. Until next time, Blues! This week, our analyst team distributed critical MSINS to affected members, alerting them to the Exim Flaw vulnerability, which is tracked as CVSS 9.1. Successful exploitation of this security defect could allow attackers to deliver executable attachments to inboxes, potentially leading to code execution and system compromise if the user opens the attachment. All organisations that had their Google Domains service migrated to Squarespace recently are advised to enable two-factor authentication on their Squarespace account, as it is not enabled by default. A number of cryptocurrency-related businesses appear to have been caught up in DNS hijacking attacks as a result of the way Squarespace migrated the service. Most of the noteworthy cases have been resolved; however, hundreds of domains are still alleged to be at risk of similar DNS hijacking, so it may not be over yet. It is crucial for organisations to adopt multi-factor authentication (MFA) to protect their data and maintain trust with customers and partners. By effectively implementing MFA, organisations can better defend against cyber threats and ensure the security of sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cyber security risks and safeguarding sensitive data. Atlassian Patches High-Severity Vulnerabilities in Bamboo, Confluence, Jira Date: 2024-07-17 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4634/] Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products. The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack. Critical Exim Flaw Allows Attackers to Deliver Malicious Executables to Mailboxes Date: 2024-07-12 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical vulnerability in over 1.5 million internet-accessible Exim mail transfer agent (MTA) installations potentially allows attackers to deliver malicious executables to user mailboxes, Censys warns. The issue, tracked as CVE-2024-39929 (CVSS score of 9.1) and impacting RFC 2231 header parsing, results in filenames being incorrectly parsed, which could allow remote attackers to bypass the filename extension-blocking protection mechanisms. Organizations Warned of Exploited GeoServer Vulnerability Date: 2024-07-16 Author: Security Week [AUSCERT contacted the potentially vulnerable members (where possible) on 04 July 2024] The US cybersecurity agency CISA is urging federal agencies to patch a critical-severity vulnerability in GeoServer as soon as possible, warning of evidence of active exploitation. The bug, tracked as CVE-2024-36401 (CVSS score of 9.8), is described as the unsafe evaluation of property names as XPath expressions, which could allow unauthenticated attackers to execute code remotely, through crafted input against a default GeoServer installation. Critical Apache HTTP Server Vulnerabilities Expose Millions of Websites Date: 2024-07-18 Author: Cyber Security News [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4720/] The Apache Software Foundation has disclosed several critical vulnerabilities in the Apache HTTP Server, which could potentially expose millions of websites to cyber-attacks. These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers, affect various versions of the Apache HTTP Server and could lead to severe consequences such as source code disclosure, server-side request forgery (SSRF), and denial of service (DoS). Infoseccers claim Squarespace migration linked to DNS hijackings at Web3 firms Date: 2024-07-15 Author: The Register Security researchers are claiming a spate of DNS hijackings at web3 businesses is linked to Squarespace's acquisition of Google Domains last year. The theory is that cybercriminals may have picked up on a flaw in the method Squarespace used to migrate Google Domains customer data over to its servers, allowing them to guess the email addresses associated with admin accounts and register the account for themselves. Hackers use PoC exploits in attacks 22 minutes after release Date: 2024-07-13 Author: Bleeping Computer Threat actors are quick to weaponize available proof-of-concept (PoC) exploits in actual attacks, sometimes as quickly as 22 minutes after exploits are made publicly available. That is according to Cloudflare's Application Security report for 2024, which covers activity between May 2023 and March 2024 and highlights emerging threat trends. Cloudflare, which currently processes an average of 57 million HTTP requests per second, continues to see heightened scanning activity for disclosed CVEs, followed by command injections and attempts to weaponize available PoCs. ESB-2024.4635 – Google Chrome CVSS (Max): None The latest Chrome 126 update addresses several critical issues, including an inappropriate implementation flaw and a type confusion in V8, as well as use-after-free vulnerabilities in Screen Capture, Media Stream, Audio, and Navigation. Additionally, it fixes a race condition in DevTools and an out-of-bounds memory access in V8. ASB-2024.0134.2 – Oracle MySQL: CVSS (Max): 9.8 Oracle's latest quarterly Critical Patch Update addresses 386 security vulnerabilities, with 37 patches specifically for Oracle MySQL. Among these, 11 vulnerabilities can be exploited remotely without authentication. Notably, CVE-2023-37920 in MySQL Cluster is rated critical with a CVSS score of 9.8, potentially allowing remote attackers to exploit these vulnerabilities through simple network attacks. ESB-2024.4645 – Cisco Smart Software Manager On-Prem (SSM On-Prem): CVSS (Max): 10.0 Cisco has issued patches for a critical security flaw affecting Smart Software Manager On-Prem (Cisco SSM On-Prem). This vulnerability, identified as CVE-2024-20419 and rated with a maximum CVSS score of 10.0, could allow a remote, unauthenticated attacker to alter the passwords of any users, including administrative accounts. ESB-2024.4631 – Rockwell Automation Pavilion 8: CVSS (Max): 8.8 A vulnerability in Rockwell Automation Pavilion 8 permits a remote attacker to gain elevated privileges on the system. This security flaw arises from incorrect permission assignments on critical resources, enabling a remote user to access sensitive data and create new user accounts. ESB-2024.4633 – Mozilla Thunderbird: CVSS (Max): 9.8 The Mozilla Foundation has issued patches for vulnerabilities in Thunderbird 128. While these flaws generally cannot be exploited through email within Thunderbird due to disabled scripting when reading mail, they pose potential risks in browser or browser-like environments. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 12th July 2024

Greetings, This week, we celebrate NAIDOC Week, recognising the history, culture, and achievements of Aboriginal and Torres Strait Islander Peoples. NAIDOC Week offers an opportunity for all Australians to learn about First Nations cultures and histories and participate in celebrations of the oldest continuous living cultures on earth. Visit the NAIDOC website for a full list of local events. This month's Patch Tuesday brought significant updates, addressing 142 security flaws across various Microsoft products. Among these, two vulnerabilities were actively exploited in the wild, posing immediate threats to users. Additionally, two zero-day vulnerabilities, which had been publicly disclosed but not yet exploited, were patched. These zero-days are particularly concerning as there may be an exploit available before a fix is released. The update also fixed five critical vulnerabilities, all classified as remote code execution (RCE) flaws. These updates highlight the importance of regular patch management to protect systems from known threats. Users and organisations are strongly advised to apply these patches promptly to mitigate the risk of exploitation. Keeping systems updated is a crucial step in maintaining a secure IT environment and defending against cyber threats. The National Anti-Scam Centre is urging Australians who have had money stolen by scammers to be wary of offers to recover their money for an upfront fee. Reports involving a money recovery element are on the rise. Between December 2023 and May 2024, Scam watch received 158 reports with total losses exceeding $2.9 million, including losses from the original scams. The number of reports increased by 129 percent compared to the previous six months, while financial losses decreased by 29 percent from $4.1 million. Australians aged 65 and older were the largest reporting group and suffered the highest average losses. Victims of previous scams are easily identified by criminals who commonly keep and sell information about individuals they have exploited. The best method to stay ahead of cyber threats is through training and education. With the necessary skills and expertise, you can ensure that you and your organisation are always protected from attacks. Check out our online training schedules to find out how you can enhance your knowledge. It’s also important for victims of scams to feel able to report and share their experiences without judgement, so please share information about scams with less knowledgeable friends and family. New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack Date: 2024-07-10 Author: Cyber Security News Security researchers have discovered a new vulnerability in OpenSSH, identified as CVE-2024-6409, which could potentially allow remote code execution attacks on affected systems. This vulnerability, which affects OpenSSH versions 8.7 and 8.8, allows for potential remote code execution (RCE) due to a race condition in signal handling within the privilege separation (privsep) child process. Misconfigured Jenkins Servers Targeted in Cryptojacking Attacks Date: 2024-07-06 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] [AUSCERT also shared IoCs and Attack Patterns via MISP] Trend Micro, a global leader in cybersecurity, has issued a warning about a recent wave of attacks targeting misconfigured Jenkins servers. Cybercriminals are exploiting vulnerabilities in the Jenkins Script Console to illicitly install and operate cryptocurrency mining software, siphoning computational resources from unsuspecting organizations. The Essential Eight Is An Opportunity To Drive New Strategic Value Into The Enterprise Date: 2024-07-08 Author: IT News The Australian Cyber Security Centre (ACSC)’s Essential Eight framework has the potential to transform Australia into a global leader in cyber security. However, in challenging organisations to develop a more strategic approach to cyber security, it also introduces some new risks to IT environments that enterprises are going to need to grapple with in the coming years. SAP Patches High-Severity Vulnerabilities in PDCE, Commerce Date: 2024-07-09 Author: Security Week Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities. The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP. RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks Date: 2024-07-09 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0130] Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances. "The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge Networks CEO Alan DeKok, who is the creator of the FreeRADIUS Project, said in a statement. Nearly 10bn passwords posted to hacking forum Date: 2024-07-08 Author: Cyber Daily The user – named ObamaCare – made the post on 4 July on a popular hacking forum, sharing a file called rockyou2024.txt. “Xmas came early this year,” ObamaCare said. “I present to you a new rockyou2024 password list with over 9.9 billion passwords.” “I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years.” The shared list has 9,948,575,739 passwords in all, and it appears to be a compilation of new and old leaks compiled into a single list. The file is a 45.6 gigabyte .zip archive. ASB-2024.0122 – Microsoft Windows: CVSS (Max): 9.8 For July 2024 Patch Tuesday, Microsoft’s security updates and patches address two zero-day vulnerabilities currently being exploited: CVE-2024-38080 in Windows Hyper-V and CVE-2024-38112 in the Windows MSHTML Platform. ESB-2024.4425.2 – Citrix Netscaler Products: CVSS (Max): 9.4 Citrix has disclosed two critical vulnerabilities impacting its NetScaler Console, NetScaler SVM, and NetScaler Agent, which could potentially enable attackers to access sensitive information and launch denial of service attacks. The vulnerabilities, designated as CVE-2024-6235 and CVE-2024-6236, have led Citrix to issue urgent update recommendations to mitigate these risks. ESB-2024.4427 – Palo Alto Networks Expedition: CVSS (Max): 9.3 Palo Alto Networks has issued security updates to address several vulnerabilities affecting its products, including a critical flaw that could enable authentication bypass. Tracked as CVE-2024-5910 this vulnerability is characterized as a missing authentication issue in the Expedition migration tool, potentially allowing unauthorized access to an administrator account. ESB-2024.4429 – VMware Aria Automation: CVSS (Max): 8.5 VMware has issued security updates to address a high-severity vulnerability in their Aria Automation product. This vulnerability, a structured query language (SQL) injection flaw, could allow an authenticated attacker to execute unauthorized read or write operations in the database by sending specially crafted SQL queries. ESB-2024.4428.2 – GitLab Community and Enterprise editions: CVSS (Max): 9.6 GitLab has released a new set of updates to address security vulnerabilities in its software development platform, including a critical flaw that enables an attacker to execute pipeline jobs as any arbitrary user. Tracked as CVE-2024-6385, this vulnerability has a CVSS score of 9.6. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Policies and agreements

Cyber Leaders Network: Terms and Conditions

Cyber Leaders Network: Terms and Conditions Version 1.0 (11 July 2024)   At the core of the Cyber Leaders Network is a commitment to fostering a collaborative and respectful environment for all members. These T&C’s outline the principles and expectations that guide our interactions. This is a living document and may be subject to revisions as the initiative evolves. Mission Statement The Cyber Leaders Network is a group of like-minded cybersecurity professionals that regularly meet, under the coordination and organisation of The University of Queensland (UQ) and AUSCERT, to share best practices and exchange ideas on all cybersecurity matters. The Network functions as a trusted, collaborative, and multi-disciplinary ecosystem, bringing together cyber-professionals with varying degrees of experience in the field, to nurture the development of future leaders. Our primary objective is to provide comprehensive, evidence-based resources while fostering the exchange of best practices and innovative ideas. For this purpose, the Network is vendor and technology agnostic. Participant’s engagement with, and participation in, the Network, stems from the two-fold perspective of seeking personal/professional enrichment and mentoring and leveraging the experience for the betterment of the cybersecurity practices in their workplaces. Code of Conduct Inclusivity: The Cyber Leaders Network is committed to creating an inclusive environment that values and respects the unique perspectives and backgrounds of all participants. Discrimination and exclusion are strictly prohibited. It embraces a culture that encourages active participation from all members regardless of role, experience, or any other factor. Everyone’s insights contribute to the collective success of the network. Respectful Communication: Treat all members with courtesy and professionalism, both in-person and in digital communications. Avoid offensive language, personal attacks, or any behaviour that may create a hostile environment. Members are to demonstrate respect by actively listening to other perspectives, even if they differ from their own. Open dialogue is encouraged. Collaboration and Participation: Members in the Network are expected to maximise their attendance to the events, to bring value to the initiative. In case of the inability to attend an event, the Network member can delegate attendance to a suitable work colleague. Shared knowledge, insights, and resources for the benefit of the entire Cyber Leaders Network can only be pursued through collaboration. Feedback shall be focused on constructive and supportive language. For example, creative critique of ideas, as opposed to individuals, whilst aiming to offer solutions and alternatives. Professional Integrity: Act with transparency and honesty in interactions within the Cyber Leaders Network. Disclose any potential conflicts of interest that may impact the integrity of discussions or decisions within the Network. Uphold ethical values by abiding by legal and ethical standards in all activities related to the Network. Avoid engaging in any actions that could compromise the trust and credibility of the Cyber Leaders Network. The Chatham House Rule Applies: When a workshop, coffee catch-up, or other related meeting is held under the Chatham House Rule, members are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed. By participating in the Cyber Leaders Network as a member, you accept these terms and conditions. As a member you also commit to upholding all principles and contributing to a positive and inclusive Network focused on advancing cybersecurity leadership. Violations of this Code of Conduct may result in the coordination team re-considering membership and participation. Payment AUSCERT/UQ will provide a Tax Invoice to the member upon finalisation of registration and payment. Or if requested, a tax invoice prior to payment can be provided. Registration and participation in the network will be confirmed upon receipt of full membership fee payment. Fees, Cancellations & Refunds Membership is an annual fee. This period commences from the first workshop which will be scheduled in Q4 2024. AUSCERT/UQ reserves the right to cancel workshops and other informal catch-ups due to unforeseen circumstances and will provide participants with written notice in such circumstances. However, 4 workshops and 4 ‘coffee catch-ups’ a year are guaranteed to be delivered to the network. If a workshop or other event offered by the Network cannot be attended, no refund is given. AUSCERT/UQ is not responsible for any expenses that may have been incurred in attending or related to the attendance of any Cyber Leader event. Intellectual Property Rights IP produced by the members of the Network remains the property of the Network itself. Members can use such IP for professional purposes within their organisation (e.g., for training and awareness purposes; for best practice sharing; etc.), but cannot use the IP for commercial purposes (e.g., re-selling the IP). Further IP arrangements will be discussed during the initial stages of the Network creation, for the Network members to be able to contribute their views. Privacy Any personal information provided to AUSCERT/UQ will be subject to UQ’s Privacy Management Policy, which can be viewed here. More information on privacy in relation to AUSCERT/UQ can be obtained from the Right to Information and Privacy Office here. The member consents to AUSCERT taking photographs and videos of the services associated with membership, which may include images of the member and agrees that AUSCERT can use those images in the ordinary course of its business. If a participant wishes to opt out of this consent, they can inform the coordination team beforehand.

Learn more

Week in review

AUSCERT Week in Review for 5th July 2024

Greetings, This week, we published the AUSCERT2024 recordings! To re-live your favourite sessions, head to our YouTube channel to watch them. We featured many exciting sessions that made the event truly unforgettable. This year, the conference focused on industry technology, modernizing infrastructure, data governance, and the legal aspects of cyber security. One highlight to revisit is the live Risky Biz recording with Adam Boileau and Patrick Gray, in which they discussed some very interesting topics. MISP was another hot topic, with our Senior Security Systems Administrator, Josh Hopkins, leading a session on modernising MISP by applying Infrastructure as Code principles to your MISP services. Data governance was another significant focus at AUSCERT2024. In Trinity McNicol’s session, she explored how organisations can manage data-related risks, protect data assets, leverage data for decision-making, meet consumer privacy expectations, and ensure compliance with data protection legislation. Cyber security frameworks can also help organisations understand their cyber health and improve overall resilience. The Cyber Health Check Program Panel discussion went beyond theory, offering real-world case studies that highlight successful cyber security enhancements. Watch as the team embarks on an enlightening exploration of cyber security framework essentials. Piotr Kijewski’s session provided an overview of how Shadowserver functions as a large-scale information collection and sharing project, collaborating with the global Internet defender community. Piotr described their recent journey in search of sustainability and concluded with their vision of continuing the mission to raise the bar on global cyber security without compromising their principles of free threat intelligence sharing. Darren Kitchen’s session was a highly anticipated keynote, in which he shared tales of device deception from nearly 20 years of experience with Hak5. He discussed the innovative implants and deceptive devices equipping red teams worldwide. Darren’s successful penetration tests have resulted in a multitude of real-world stories that proved effective. We concluded with a captivating Speed Debate featuring exciting, witty, and comical topics. Watch this session for a good laugh! The Cyber Security Conference actively focuses on community, value, and upskilling the workforce in a fun and inclusive environment. This year was no exception, with around 900 delegates attending across the four days. We can’t wait for next year, but in the meantime we have the videos to keep us entertained! Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug Date: 2024-07-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4145/] Google has released patches for 25 documented security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug, tracked as CVE-2024-31320, impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in an advisory. Cisco warns of NX-OS zero-day exploited to deploy custom malware Date: 2024-07-01 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4143/] Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches. Cybersecurity firm Sygnia, who reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant. "Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer. Splunk Patches High-Severity Vulnerabilities in Enterprise Product Date: 2024-07-02 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4152/] Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs. Three of the high-severity issues are remote code execution flaws that require authentication for successful exploitation. The first of them, tracked as CVE-2024-36985, could be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. The issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x. New regreSSHion OpenSSH RCE bug gives root on Linux servers Date: 2024-07-01 Author: Bleeping Computer [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0121/] A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems. OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. Juniper releases out-of-cycle fix for max severity auth bypass flaw Date: 2024-06-30 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4117/] Juniper Networks has released an emergency update to address a maximum severity vulnerability that leads to authentication bypass in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. The security issue is tracked as CVE-2024-2973 and an attacker could exploit it to take full control of the device. Gov launches 'overdue' cyber security network for health sector Date: 2024-07-01 Author: iTnews Mirroring a model already used in the financial and critical infrastructure sectors, the pilot Information Sharing and Analysis Centre (ISAC) will focus on “cyber threats, responses and preventative measures” among health organisations. Minister for Home Affairs and cyber security Clare O’Neil said healthcare organisations’ “access to sensitive data”, and their “struggle with building and funding strong cyber protections”, had made them a threat target. “The last two years has been the beginning of a big, overdue national journey to lift up cyber security across the country to better protect our citizens,” she said in a statement. ESB-2024.4245 – PHP: CVSS (Max): 9.8 Ubuntu has fixed a vulnerability in PHP. The update caused a regression in parsing XML in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. ESB-2024.4211 – python-Js2Py: CVSS (Max): 9.6 SUSE has released an update that solves a vulnerability for a potential sandbox escape via untrusted JavaScript code. ESB-2024.4144.2 – OpenSSH: CVSS (Max): 8.1 OpenSSH incorrectly handled signal management which could allow an attacker to bypass authentication and remotely access systems without proper credentials. Fixes were released to patch this vulnerability. ESB-2024.4164 – Splunk Enterprise: CVSS (Max): 9.8 Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher. ESB-2024.4174 – mySCADA myPRO: CVSS (Max): 9.8 mySCADA released an update for myPRO to address a vulnerability that could allow an attacker to remotely execute code on affected devices. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more

Week in review

AUSCERT Week in Review for 28th June 2024

Greetings, Events this week underscored the critical importance of staying updated on the latest cyber security threats and trends. Australia’s proactive approach to implementing security measures and educating the community plays a crucial role in mitigating risks and enhancing overall cyber resilience. The week began with an alert from the Australian Cyber Security Centre (ACSC) highlighting increased cyber threat activity targeting Snowflake customers. Businesses and critical infrastructure in Australia were advised to bolster their security measures and remain vigilant against potential attacks. Many organisations applied Microsoft's June 2024 Patch Tuesday updates, which addressed 51 vulnerabilities, including 18 critical remote code execution flaws. Addressing these vulnerabilities promptly helps organisations mitigate the risks associated with commonly used applications and systems. In other news, a Wednesday court filing provided some details about the September 2022 Optus data breach, from the perspective of Australia's Communications and Media Authority (ACMA). ACMA is leveraging its regulatory powers to pursue Optus, alleging that the company failed to adequately protect personally identifiable customer information, including failing to fix an identified coding error in all of its Internet-visible APIs and to continue to operate a vulnerable API for two years despite there being no need for its operation. The filing states that “The cyber attack was not highly sophisticated nor did it require advanced skills or proprietary knowledge of Optus's processes or systems. It was executed through a simple process of trial and error,”. ACMA is seeking civil penalties in the case. Singtel, the parent company of Optus, has advised investors that it cannot determine the quantum of penalties but will defend the case. This incident exemplifies how regulatory bodies are intensifying their efforts to hold organisations accountable for failing to adhere to appropriate practices in safeguarding personal information. Ensure your organisation is compliant with the necessary regulatory standards. If you need assistance in analysing your organisation's cyber security maturity level, contact our team at – grc@auscert.org.au. Cyber threats surge during Australia's EOFY tax season Date: 2024-06-25 Author: Security Brief As the end of the financial year (EOFY) approaches in Australia, organisations and individuals find themselves preoccupied with tax returns, financial statements, and compliance reports. This busy period also brings with it a heightened risk of cyber threats, creating a favourable environment for scammers and cybercriminals. Analysts have noted an uptick in seasonal cyber activities during the EOFY period, exploiting the chaos and urgency associated with tax-related activities. The most common threats include phishing scams, ransomware, business email compromise (BEC), and identity theft. If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately Date: 2024-06-25 Author: The Register [AUSCERT has identified the impacted members (where possible) and contacted them via email] The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year. Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it. The site offered polyfills – useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers. Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806) Date: 2024-06-25 Author: Help Net Security [AUSCERT has identified the impacted members (where possible) and contacted them via email] Progress Software has patched one critical (CVE-2024-5805) and one high-risk (CVE-2024-5806) vulnerability in MOVEit, its widely used managed file transfer (MFT) software product. According to WatchTowr Labs researchers, the company has been privately instructing users to implement the hotfixes before they go public with the information. Hacker Claims Theft of 30M User Records From Australia Ticketing Company TEG Date: 2024-06-24 Author: Security Week A threat actor is boasting on a hacking forum the theft of information pertaining to millions of Ticketek users, roughly three weeks after the company acknowledged a data breach. On May 31, Ticketek Entertainment Group (TEG), an Australia-based live events and ticketing firm, announced that user account information had been compromised after hackers accessed a database stored on a cloud-based platform. “The available evidence at this time indicates that, from a privacy perspective, customer names, dates of birth and email addresses may have been impacted,” TEG said. Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack Date: 2024-06-25 Author: Ars Technica WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday. ESB-2024.4118 – GitLab: CVSS (Max): 9.6* Gitlab has released critical patches for GitLab Community Edition (CE) and Enterprise Edition (EE). ESB-2024.4099 – SQLite: CVSS (Max): 9.8 SQLite could be made to crash or execute arbitrary code. ESB-2024.4076 – OpenVPN: CVSS (Max): 9.8 OpenVPN could allow unintended access to network services. ESB-2024.4073 – git: CVSS (Max): 9.0 Multiple vulnerabilities were found in git, a fast, scalable and distributed revision control system. ESB-2024.4019.2 – Google Chrome: CVSS (Max): None Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more

Week in review

AUSCERT Week in Review for 21st June 2024

Greetings, We are thrilled to announce the release of another exciting episode of our podcast 'Share Today, Save Tomorrow'! In Episode 35: "Introducing Ivano", Anthony sits down with AUSCERT’s new General Manager, Ivano Bongiovanni, to discuss his career journey and future aspirations for AUSCERT. In the second half, Bek chats with Michael McAlary from AUSCERT about the recent makeover and improved user experience of the AUSCERT Member Portal, as well as future enhancements. Don't miss this insightful conversation! In other news, as a result of the ongoing legal action by the Australian Information Commissioner, more details have been released this week of the 2022 MediBank Private breach. It has been alleged that one of the causes behind the breach was the failure to implement multi-factor authentication (MFA) for authenticating remote access users. The MediBank story coincides with research released by Cisco Talos which links aspects of MFA to approximately half of the incidents investigated in the first quarter of 2024. Talos describes the underlying cause of 25% of incidents being users accepting attacker-originated push notifications, while 21% of incidents were caused by incorrect implementation of MFA solutions. Both of these news stories highlight the critical importance of integrating information security controls across the domains of people, processes, and technology. Security controls are only as effective as the people who design, implement and use them. Regular training and awareness programs ensure that employees understand the importance of security protocols, such as multi-factor authentication (MFA), and know how to respond to security threats. Explore our available training courses to enhance your knowledge of cybersecurity threats. Critical Code Execution Vulnerabilities Patched in VMware vCenter Server Date: 2024-06-18 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.3915/] Broadcom-owned VMware has announced patches for several serious vCenter Server vulnerabilities that can allow remote code execution or privilege escalation. Two heap-overflow vulnerabilities, tracked as CVE-2024-37079 and CVE-2024-37080 and classified as having critical severity, impact the implementation of the DCERPC protocol. New Wi-Fi Takeover Attack—All Windows Users Warned To Update Now Date: 2024-06-14 Author: Forbes [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0119/ ] Microsoft has confirmed a new and quite alarming Wi-Fi vulnerability in Windows, which has been rated 8.8 out of 10 in terms of severity using the Common Vulnerability Scoring System. The vulnerability, assigned as CVE-2024-30078, does not require an attacker to have physical access to the targeted computer, although physical proximity is needed. Ransomware Attacks Are Getting Worse Date: 2024-06-15 Author: WIRED Despite years worth of efforts to eliminate the scourge of ransomware targeting schools, hospitals, and critical infrastructure worldwide, experts are warning that the crisis is only heating up, with criminal gangs growing ever more aggressive in their tactics. The threat of real-world violence now looms, some experts warn, as the data stolen grows increasingly sensitive and millions in potential profits hang in the balance. “We know where your CEO lives,” read a message reportedly received by one victim. Attacks targeting the medical sector are blooming in response to the $44 million payout by Change Healthcare this March. Australian businesses targeted in Russia-based phishing campaign Date: 2024-06-14 Author: Cyber Daily A security researcher with Sophos X-Ops – the security company’s threat response team – has outlined a widespread phishing campaign based in Russia that targeted almost 800 businesses, individuals, and even elections. Throughout late 2023, a campaign that appears to have originated in Russia sent out more than 2,000 phishing emails in an attempt to steal login credentials and money via gift card scams. Hackers use F5 BIG-IP malware to stealthily steal data for years Date: 2024-06-17 Author: Bleeping Computer A group of suspected Chinese cyberespionage actors named 'Velvet Ant' are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data. According to a Sygnia report who discovered the intrusion after they were called in to investigate the cyberattack, Velvet Ant established multiple footholds using various entry points across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server. ESB-2024.3915 – VMware Products: CVSS (Max): 9.8 Broadcom has issued a security patch for VMware vCenter Server, a widely-used management platform, to fix critical and high-severity vulnerabilities such as CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081. AUSCERT has identified the affected members and issued a critical MSIN accordingly. ASB-2024.0119 – Windows Wi-Fi Driver: CVSS (Max): 8.8 Microsoft has acknowledged a significant Wi-Fi vulnerability in Windows, which has received a severity rating of 8.8 out of 10. Designated as CVE-2024-30078, this vulnerability does not necessitate physical access to the targeted computer but does require physical proximity. ESB-2024.3833 – Google Chrome: CVSS (Max): None Mozilla has addressed a critical CVE where, under certain conditions, a malicious website could attempt to display a fake location URL in the address bar, potentially misleading users about the actual website they are visiting. This vulnerability affects Firefox for iOS. ASB-2024.0120 – Trellix IPS Manager: CVSS (Max) 9.8 Trellix has patched a critical security vulnerability in its Intrusion Prevention System (IPS) Manager, tracked as CVE-2024-5671. This flaw, caused by insecure deserialization in certain workflows, could allow unauthenticated remote attackers to execute arbitrary code, posing a severe risk to network security. ESB-2024.3912 – Atlassian Products: CVSS (Max) 8.2 Atlassian has fixed 9 high-severity vulnerabilities to address improper authorization, server-side request forgery and denial of service. Atlassian recommends patching to latest versions to resolve these vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT Team

Learn more

Week in review

AUSCERT Week in Review for 14th June 2024

Greetings, This week, the Australian Signals Directorate (ASD) released an update to remind small and medium businesses to assess their cyber health. As we enter a period of heightened threats and attacks, it is crucial that every business is equipped with the appropriate resources and knowledge to ensure they are cyber resilient. For small and medium-sized businesses with limited resources, prioritising the most critical elements of cyber health is essential. Cyber attacks are occurring more frequently, and recovery can be costly, making every Australian business a potential target. In the 2022-23 financial year, the average cost of cybercrime for small businesses increased to $46,000, and for medium businesses, it rose to $97,000. Such costs could potentially destroy a business, driving it into liquidation. Australian small and medium businesses can take practical steps to enhance their cyber security by implementing the Essential Eight, which covers many of the critical elements of cyber health. AUSCERT offers members advice and consultations to help improve their cyber security readiness in alignment with their business objectives. We specialise in helping organisations confidently adhere to industry frameworks, standards, and benchmarks. Our maturity assessments are designed to identify and address cyber security gaps in your organisation. By taking proactive steps, you can enhance your cyber security posture and reduce information security risks. The recent Medibank case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. All organisations have an ethical duty to protect the personal information they are entrusted with and many have regulatory and contractual obligations as well. The civil penalty proceedings filed by the Australian Information Commissioner against Medibank, in relation to its October 2022 data breach, exemplifies the regulatory body’s commitment to holding parties accountable. The Commissioner claims Medibank failed to take reasonable steps to protect personal information from 9.7 million Australians, in breach of the Privacy Act 1988. This failure led to the release of personal information on the dark web, exposing many Australians to severe negative ramifications. Contact us today for more information on how we can conduct a maturity assessment for your organisation and support you in meeting your business objectives. New PHP Vulnerability Exposes Windows Servers to Remote Code Execution Date: 2024-06-08 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please also see AUSCERT bulletin:https://portal.auscert.org.au/bulletins/ASB-2024.0111/] Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances. The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system. According to DEVCORE security researcher, the shortcoming makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823. Microsoft Outlook Zero-Click RCE Flaw Executes as Email is Opened Date: 2024-06-12 Author: Cyber Security News [See AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2024.0117] A critical zero-click remote code execution (RCE) vulnerability has been discovered in Microsoft Outlook. This vulnerability, designated as CVE-2024-30103, enables attackers to run arbitrary code by sending a specially designed email. When the recipient opens the email, the exploit is triggered. The vulnerability, CVE-2024-30103, is particularly alarming due to its zero-click nature. Unlike traditional phishing attacks that require user interaction, this flaw can be exploited without any action from the user. Google warns of actively exploited Pixel firmware zero-day Date: 2024-06-12 Author: Bleeping Computer Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue. Azure Service Tags could allow attackers to access private data Date: 2024-06-04 Author: ThreatDown [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0110/] Security researchers at Tenable have published a blog about what they call a vulnerability in Azure, a description that Microsoft denies. Long story, very short: It’s not a bug, it’s a feature, unless you use it incorrectly. Tenable points out that it’s possible for an attacker to bypass firewall rules based on Azure Service Tags by forging requests from trusted services. Azure Service Tags are intended to simplify network isolation. It allows you to group IP ranges and use them to define network security rules. Exploit for critical Veeam auth bypass available, patch now Date: 2024-06-10 Author: Bleeping Computer A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. Veeam Backup Enterprise Manager (VBEM) is a web-based platform for managing Veeam Backup & Replication installations via a web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments. Veeam issued a security bulletin about the critical flaw on May 21, warning about a critical vulnerability enabling remote unauthenticated attackers to log in to VBEM's web interface as any user. SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester Date: 2024-06-07 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] SolarWinds this week announced patches for multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO. Rolling out as version 2024.2, the latest SolarWinds Platform iteration includes patches for three new security defects, as well as fixes for multiple bugs in third-party components. ASB-2024.0112 – Pytorch: CVSS (Max): 10.0 A significant flaw (CVE-2024-5480) has been unearthed within PyTorch's distributed RPC framework, leaving machine learning models and confidential data vulnerable to potential remote code execution threats. AUSCERT strongly advises PyTorch users to follow the vendor's mitigation recommendations in order to safeguard themselves effectively. ASB-2024.0113 – Microsoft Windows: CVSS (Max): 9.8 During the June 2024 Patch Tuesday, Microsoft rolled out remedies for a critical vulnerability, CVE-2024-30080, concerning MSMQ (Microsoft Message Queuing). This flaw, characterized by a use-after-free vulnerability, exposes MSMQ to potential exploitation by unauthenticated attackers. Through the transmission of a specially crafted malicious MSMQ packet to an MSMQ server, these attackers can achieve remote code execution (RCE). ASB-2024.0115 – Microsoft Azure: CVSS (Max): 8.1 AUSCERT's advisory warns its members regarding a vulnerability in Microsoft Azure. This flaw enables malicious actors to circumvent firewall regulations relying on Azure Service Tags by fabricating requests originating from trusted services. A threat actor could exploit Service Tags authorized by a user's firewall in the absence of supplementary validation controls. ASB-2024.0111.2 – PHP Vulnerability impacting Windows Servers – CVE-2024-4577 A recent advisory from AUSCERT alerted its members to a vulnerability affecting all versions of PHP installed on the Windows operating system. This vulnerability has now been included in CISA's Known Exploited Vulnerabilities Catalog due to evidence of ongoing exploitation. AUSCERT emphasizes the importance of adhering to the vendor's recommended mitigation measures to ensure protection. ESB-2024.3761 – Adobe FrameMaker Publishing Server: CVSS (Max): 10.0 In its latest patch release, Adobe addressed two critical CVEs in its FrameMaker Publishing Server, which could result in privilege escalation. With a CVSS score of 10, it is crucial to apply these patches promptly to ensure protection. ASB-2024.0117 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.8 A critical zero-click remote code execution (RCE) vulnerability has been identified in Microsoft Outlook which allows attackers to execute arbitrary code through the receipt of a specifically crafted email. Upon opening the email, the exploit is activated. The seriousness of CVE-2024-30103 stems from its zero-click nature. Unlike conventional phishing attempts that rely on user interaction, this flaw can be exploited without any action required from the user. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

Protecting Yourself: Safeguarding Against ATO and MyGov Phishing Scams

With the tax season just around the corner, AUSCERT is urging individuals to remain vigilant. This period is a prime time for cybercriminals to target unsuspecting individuals through phishing scams. These are typically circulated via various channels, including phishing emails, phone calls, text messages, and even fake websites. Malicious threat actors tend to increase their fraudulent activities utilising various phishing techniques to take advantage of the heightened financial activity during this period. AUSCERT has observed a significant increase in phishing scams impersonating MyGov and the Australian Taxation Office (ATO) during previous tax seasons. From July to October in 2022, AUSCERT received reports of around 1100 tax-related phishing emails and scams, a number that surged to approximately 2500 in 2023. These phishing emails typically impersonate official entities and may contain convincing logos and language to deceive recipients and urge users to click on a link, scan a QR code or download an attachment. The emails also claim that urgent action is required to avoid account suspension, try to trick users about a pending tax refund, highlight issues with a tax return or demand immediate action to avoid penalties. However, clicking on these links can potentially lead to malicious websites that steal Personally Identifiable Information (PII) or sensitive data like user credentials or credit card details. Additionally, clicking on the links may install malware on the user’s device, creating a backdoor for cybercriminals to monitor activities, track user behaviour, and steal login information. To protect yourself from ATO and MyGov related phishing scams during the upcoming tax season, it is crucial to take precautions like: Verify the source: Do not respond to unsolicited emails, text messages, or phone calls claiming to be from the ATO or MyGov. If it is an email, double-check the email address and sender information to confirm authenticity. Remember, the ATO or MyGov will never ask for sensitive information via email or SMS. Before providing any personal information, verify the legitimacy of the request by contacting the ATO or tax professionals through their official channels. Be wary of suspicious calls: If you receive a suspicious call from someone claiming to be from the ATO and demanding payment to receive a tax refund, it is advisable to end the call immediately. Keep in mind that the ATO will not threaten you with immediate arrest or use abusive language. Exercise caution with links and attachments: Avoid clicking on links or downloading attachments from unsolicited emails or text messages. Be cautious of urgent requests: Be wary of emails, text messages and phone calls pressuring you to act quickly or provide personal information. Take the time to verify the legitimacy of the communication. Protect personal information: Avoid sharing personal or financial details in response to emails, phone calls or text messages. Always be careful when providing information online. Report suspicious activity: If you receive a suspicious email claiming to be from the ATO or MyGov, report it to the appropriate authorities, such as the ATO’s scam reporting email address, the ACSC, or IDCARE. Keep software up to date: Ensure that your devices have the latest security updates and antivirus software to protect against malware and phishing attempts. By staying informed and vigilant, and following best practices for online security, individuals can reduce the risk of falling victim to ATO and MyGov related phishing scams during tax season. If you believe that your identity has been compromised or you have fallen a victim to a tax related scam, contact IDCARE on 1800 595 160.   Written by  Senior Information Security Analyst Vishaka 

Learn more