Blogs

30 Years 30 Stories

31 Oct 2023

AUSCERT 30 Years 30 Stories – David Stockdale

With a professional and ethical approach to delivering cyber security throughout Australia, the AUSCERT 30 Years 30 Stories would be incomplete without sitting down with current AUSCERT Director, David Stockdale. Praising AUSCERT’s trust and influential community, David’s insight into what sets our organisation apart is a heart-warming read.

How did you first become involved with AUSCERT, and what motivated you to apply for your position?

The Director of AUSCERT position was included in a job that I applied for at the University of Queensland. It was the area I least understood in the role, and yet it’s become the piece I adore most.

How do you think AUSCERT has evolved over the years? What do you think our future holds?

AUSCERT has experienced plenty of change in the last three decades – 30 years ago, AUSCERT was one of the first computer emergency response teams in the world. What AUSCERT provided then was unique, but there are now many big players in the sector. We’ve evolved to provide new and niche offerings that other companies are not able to provide. As AUSCERT is a not-for-profit organisation that is neither government-aligned nor commercial, we’re able to establish an element of trust. This trust is our superpower and means we can provide services others can’t.

What are the key benefits of being a part of the AUSCERT community?

AUSCERT transcends more than just its members, age, services and employees; it’s much bigger than that. To be part of an organisation that aims to provide good services and lift the security of our community is a fantastic cause.

What advice would you give to a prospective AUSCERT member?

Do it! Looking at the low cost of our services, it’s easy to assume that they are not worth a lot. That couldn’t be further from the truth. Once you start using AUSCERT and leveraging our offerings, you’ll find there’s value upon value upon value.

That said, the real value of being an AUSCERT member is not necessarily the services, but the community we create, whether it’s through our conference or events. We connect sectors together, and it’s this quality that separates us from others. When you’re an AUSCERT member, you become part of a trusted community.

What do you believe sets AUSCERT apart from other organisations in the cybersecurity space?

It’s AUSCERT’s not-for-profit qualities – we aren’t aligned to any vendors, so we are, in some ways, a trusted free spirit. This trust is what sets AUSCERT apart, and we do the best cybersecurity conference in Australia, without a doubt.

AUSCERT, Happy 30th Birthday! You are the best organisation I’ve ever known, and I’m so proud to be part of it.


Week in review

AUSCERT Week in Review for 27th October 2023

27 Oct 2023

Greetings,

AUSCERT2024 has officially launched! The countdown is on for another year of exciting tutorials, presentations, workshops and more! This year’s theme, ‘Pay it Forward’, is about discovering the power of amplifying your impact in the realm of cyber security and highlighting the significant influence that everyone’s actions can create. It promotes the idea that sharing knowledge and collaborating can cause a ripple effect, strengthening the broader community.

This year, consider paying it forward by sharing your knowledge and expertise at our conference, either through tutorials or presentations. Your insights have the potential to create a significant impact and further advance the industry. The Call for Tutorials is now open and will run until November 10th. Once tutorial submissions close, we will then open the Call for Presentations. We extend a warm invitation to anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent mentoring support for speakers to ensure a successful experience. Additionally, sponsorship opportunities are now available, and you can access the sponsorship prospectus for more information on how you can get involved.

In other news, AUSCERT recently participated in the 2023 ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID). This annual drill, hosted by Singapore since 2006, tests incident response capability and strengthens cyber security preparedness and cooperation among CERTs in ASEAN member states and Dialogue Partners. This year’s ACID tested the CERTs’ preparedness against multi-pronged attacks arising from hacktivism. This theme was chosen due to the increasing frequency and sophistication of global cyber attacks that are motivated by ideological beliefs. Such attacks typically combine Distributed Denial-of-Service, data breaches and wiper malware against government websites, financial institutions, media outlets and the like. This year, SingCERT moderated a new exercise using realistic real-world scenarios as a practical way to test participants’ knowledge and expertise in the field. AUSCERT takes pride in participating in this drill annually, as it plays a pivotal role in enhancing cooperation, facilitating the exchange of experiences, and fostering awareness of emerging cyber attack trends.

Critical RCE flaws found in SolarWinds access audit solution
Date: 2023-10-20
Author: Bleeping Computer

Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges. SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more.

VMware fixes critical code execution flaw in vCenter Server
Date: 2023-10-25
Author: Bleeping Computer
[AUSCERT has also identified the impacted members (where possible) and contacted them via email]

VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution on vulnerable servers. The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation.

US energy firm shares how Akira ransomware hacked its systems
Date: 2023-10-23
Author: Bleeping Computer

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches
Date: 2023-10-24
Author: Security Week
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6197]

The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day. Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled.

1Password detects “suspicious activity” in its internal Okta account
Date: 2023-10-24
Author: Ars Technica

1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday. “On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

ESB-2023.6140 – Atlassian Products: CVSS (Max): 10.0
Atlassian has identified multiple vulnerabilities in their products, with 2 being classified as critical. To ensure the security of their customers, Atlassian strongly advises upgrading to the latest version.

ASB-2023.0221 – Okta support case management system
Okta has recently experienced a cyber incident concerning their support case management system. In response to this, AUSCERT recommends that its members promptly implement the suggested mitigation measures to address any potential risks.

ESB-2023.6197 – ALERT Rockwell Automation Stratix 5800 and Stratix 5200: CVSS (Max): 10.0
Rockwell Automation has issued patches to address a critical vulnerability found in Stratix 5800 and Stratix 5200. If successfully exploited, this vulnerability could potentially grant unauthorized control of the affected system to an attacker without authentication. It is strongly advised to apply the provided patches to mitigate this risk.

ESB-2023.6234 – ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8
A control plane issue which allows the attacker to execute arbitrary system commands has been fixed in the BIG-IP Configuration Utility component.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

30 Years 30 Stories

26 Oct 2023

AUSCERT 30 Years 30 Stories – Heath Marks

Partnering with AUSCERT for 13 years, Heath Marks is the CEO of the Australian Access Federation (AAF), which provides the National Authentication Framework for Australian Higher Education Research. Assisting the Federal Government’s National Research Infrastructure Strategy, Heath leads development in the trust and identity sector. Through a mutual partnership with AUSCERT, Heath shares the benefits of aligning with cooperative communities like ours.

What is your biggest takeaway from AUSCERT’s service?

Working in the trust and identity environment, we are naturally linked to cyber security. Being aligned with AUSCERT’s deliverables and leveraging their services is highly important to us. Additionally, joining the community and further advancing the cyber security industry as a national strategy is considered invaluable to us at AAF. An initiative on which the AAF and AUSCERT have partnered from the beginning is the establishment of the Australasian Higher Education Cyber Security Service. Together with the entire AHECS group, we collectively advance cyber security initiatives within the sector.

How long have you been an AUSCERT member?

The AAF have been AUSCERT members from the very beginning. We began with the certificate service and later continued that relationship throughout the years. AUSCERT provide training, support, engagement and a number of useful services that we enjoy engaging with as a team.

What advice would you give to those considering becoming an AUSCERT member? Why do you think the AUSCERT membership is valued in organisations?

It’s critical that we’re part of initiatives like AUSCERT. A key distinction of AUSCERT is that it’s a service delivered for the sector, by the sector. AUSCERT is a shared, cost-effective service. The membership costs are very low for the value you receive. There’s a plethora of cyber security services available, the majority of which are expensive and often questionable. Being part of a passionate community catered to sharing intelligence and knowledge on cyber security is vital and important – it’s the reason why we’re AUSCERT members.

As AUSCERT turns 30, do you want to add anything else?

Congratulations, AUSCERT, for making 30 years! AUSCERT is an integral part of the sector and we appreciate everything you do in supporting us, delivering what we need for our customers, our colleagues, and our daily jobs. Thank you very much.


Blogs

30 Years 30 Stories

23 Oct 2023

AUSCERT 30 Years 30 Stories – Duke Erdenebat

One of AUSCERT’s security analysts, Duke Erdenebat, shares how AUSCERT enables him to make positive contributions to the cybersecurity industry. Duke’s day-to-day work involves writing code, scripting, automation and a multitude of services that assist AUSCERT members. Inspired by AUSCERT’s goodwill, check out Duke’s AUSCERT connection story.

Within your time in your role, what are the key benefits you’ve experienced?

The main benefit has undoubtedly been AUSCERT’s not-for-profit status, with a focus on its members. This focus doesn’t just end with members but extends to the whole of Australia and the globe. We attempt to reach people who are in danger and try to enrich them.

What do you envision for AUSCERT within the next 5 to 10 years?

The current AUSCERT service is fantastic. But recently, we’re trying to integrate the Malware Information Sharing Platform (MISP) in an attempt to share more information. This is an area where individuals can share threat activity and threat actors, helping others find compromise indicators. In the future, I believe our MISP integration will be strong enough to encourage members to check threats themselves.

What advice would you give to someone considering becoming an AUSCERT member?

Those considering an AUSCERT membership should research what AUSCERT services could benefit them and contact our team directly. Simply look through AUSCERT’s services – there are educational programs and plenty more – and see what AUSCERT is doing differently from other security companies.

What does the AUSCERT community mean to you?

AUSCERT has been around for 30 years – which means the community is robust. There are plenty of people who know about AUSCERT, and whom AUSCERT knows personally. If there’s a new source of information or incident, there’s open communication and sharing of that information, which makes it a great community to be a part of.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT has utmost respect for its members and there’s open communication of information, through Slack channels, MISP events and emails.


Week in review

AUSCERT Week in Review for 20th October 2023

20 Oct 2023

Greetings,

Yesterday we successfully launched our new Cyber Resilience for Senior Executives training course in Brisbane. Conducted by one of our most experienced Principal Analysts and a highly knowledgeable industry partner, the course gave participants the valuable opportunity to grasp key concepts through real-world examples. Senior executives play a key role in making strategic decisions that impact their organisations’ risk management. Understanding the importance of cyber resilience allows them to factor cyber security considerations into long-term planning, investment, and resource allocation decisions. This course equips leaders to adapt and evolve their approach to cyber security risk management to ensure organisational resilience.

Ransomware continues to be a persistent threat, disrupting critical services, businesses, and communities on a global scale. Alarmingly, a significant number of these incidents are carried out by ransomware actors exploiting well-documented vulnerabilities. It is therefore essential to acknowledge that organisations may be unaware of the existence of these vulnerabilities within their networks. CISA identifies and documents vulnerabilities that are known to be used by ransomware operators. Recently they have also updated their Known Exploited Vulnerabilities (KEV) catalogue with a new column that indicates whether a vulnerability is known to have been exploited in ransomware attacks. This information has been incorporated into AUSCERT Security Bulletins. CISA have also released a second resource that serves as a companion to the KEV: a list of misconfigurations and weaknesses exploited by ransomware operators that are not CVE-based.

To conclude, we would like to bring your attention to an exciting upcoming event that is being held jointly by AWSN, Queensland Police and APIO – “Brisbane’s Hacking the Human: Understanding Social Attacks”. This session is designed to unveil the secrets behind social engineering attacks and instruct participants on the tactics employed by cyber-criminals to exploit human vulnerabilities. Our Principal Analyst, Mark Carey-Smith, will be among the experts who will guide you through the fundamental aspects of these attacks. Additionally, you’ll gain insights into the associated legal aspects and the role of law enforcement in combatting cybercrime. By the end of this session, you’ll be equipped to identify common social engineering tactics and develop effective defence strategies to protect your personal and professional data.

Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
Date: 2023-10-16
Author: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware
Date: 2023-10-13
Author: SecurityWeek

The US cybersecurity agency CISA is stepping up its efforts to prevent ransomware by making it easier for organizations to learn about vulnerabilities and misconfigurations exploited in these attacks. The first of these resources is a new column in the Known Exploited Vulnerabilities catalog, which flags flaws that CISA is aware of being associated with ransomware campaigns. The other new resource CISA is offering now is a new table on the StopRansomware project’s website, which lists information on the misconfigurations and weaknesses that ransomware operators have been observed targeting in their attacks.

Over 10,000 Cisco devices hacked in IOS XE zero-day attacks
Date: 2023-10-17
Author: Bleeping Computer

Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect more than 10,000 Cisco IOS XE devices with malicious implants. The list of products running Cisco IOS XE software includes enterprise switches, aggregation and industrial routers, access points, wireless controllers, and more.

Ransomware Attacks Double: Are Companies Prepared for 2024’s Cyber Threats?
Date: 2023-10-13
Author: The Hacker News

Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies.

Russia and China-linked hackers exploit WinRAR bug
Date: 2023-10-19
Author: The Record

Hackers connected to the governments of Russia and China are allegedly using a vulnerability in a popular Windows tool to attack targets around the world, including in Ukraine and Papua New Guinea. Google’s Threat Analysis Group said that in recent weeks it has seen multiple government-backed groups exploiting CVE-2023-38831, a vulnerability affecting the Windows file archiver tool WinRAR. The bug, which has been patched, was initially exploited by criminal groups throughout early 2023.

ESB-2023.6043 – ALERT Cisco IOS XE Software: CVSS (Max): 10.0
A critical vulnerability has been identified in Cisco IOS XE software. AUSCERT has sent MSINs to the affected members regarding this vulnerability.

ESB-2023.6064 – Jira Service Management Server and Data Center: CVSS (Max): 8.4
An XXE vulnerability in Jira products has been addressed by Atlassian.

ESB-2023.6078 – Google Chrome: CVSS (Max): None
Google has released updates to Chrome which include 1 security fix.

ASB-2023.0192 – ALERT Oracle PeopleSoft: CVSS (Max): 9.8
This critical patch update contains 5 new security patches for Oracle PeopleSoft.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

30 Years 30 Stories

19 Oct 2023

AUSCERT 30 Years 30 Stories – Mark Carey-Smith

A staff member of AUSCERT for the past two and a half years, but a long-time member before that, Mark Carey-Smith is AUSCERT’s Principal Analyst. Mark is a proud employee of an organisation whose sole focus is to benefit its members and wider community, and continues to improve AUSCERT’s educational offerings and other services.

What motivated you to apply for a job at AUSCERT?

Thanks to the conference, I had six or seven years of experience with AUSCERT. I knew some of AUSCERT’s main employees and had developed a good relationship with them over the years. I wanted to pursue cyber security education more, so I spoke with AUSCERT about how I could contribute to the development and improvement of AUSCERT’s educational services.

What are some of the key benefits you’ve experienced being a part of the AUSCERT community?

Community is the main word – at events, when we’ve run into members, community always comes up. A tight-knit community is certainly how I envisaged AUSCERT both before I was a staff member and now that I am, and there’s no doubt a micro-community between AUSCERT, its staff and members.

How has AUSCERT evolved over the years that you’ve been with them?

With my experience with AUSCERT as both a member and now employee, I’ve been involved with AUSCERT for about eight years in total. Some of the ways that we’ve evolved have been in the maturing of existing services and the development of new services. There are many ways AUSCERT remains true to its roots and community. I think in more recent times, there’s been a focus on getting in touch with our members and understanding their needs. We focus our future development on what our members need from us.

What do you think the future holds for AUSCERT?

I hope that in some ways it’s more of the same. I hope that we expand our range of educational offerings in particular so they suit member needs, and we continue to grow while maintaining our focus on community. Many vendors have no interest in community and just want to take money. With AUSCERT, we’re much more concerned with creating a space that works for the community.

What do you believe sets AUSCERT apart from other organisations in the cyber security industry?

Compared to other vendors, AUSCERT is not-for-profit, meaning we operate in a space where the focus is on our members’ needs. Without a focus on profit margins, we don’t cut corners, dissemble or exaggerate. Unfortunately, the cyber security vendor space is one where there’s some unethical behaviour. The focus on behaving ethically and supporting our mission, which is member-focused, is a main differentiator. As a staff member, I also think one of our differentiators is the way in which we support one another, providing a positive and friendly environment.

What does AUSCERT mean to you?

It all comes back to community. There are different ways you can interpret that word, and there are different ways in which we facilitate and nurture community. The conference is certainly not the only community-focused offering, but it’s a beautiful example of how we collectively create a community space.


Blogs

30 Years 30 Stories

17 Oct 2023

AUSCERT 30 Years 30 Stories – Hank Opdam

Chief Information Security Officer of Ausgrid, Hank Opdam, has enjoyed a 20-year friendship with AUSCERT. Having attended his first AUSCERT conference in the early 2000s, Hank has partnered with AUSCERT through a variety of companies, valuing AUSCERT’s open communication and collaborative services. No matter your company size, Hank recommends an AUSCERT membership.

So how did you first become involved with AUSCERT and what motivated you to become a member?

I was working in financial services at the time, and back then, phishing takedowns were a large gap in the industry. That’s where my relationship with AUSCERT first started. These days it’s a very different exercise and we’ve been benefiting from AUSCERT’s security bulletins mostly, along with having AUSCERT as a phone-a-friend organisation to bounce ideas and receive assistance with an incident.

What are the key benefits of being an AUSCERT member?

Apart from the services we receive, the bouncing of ideas and bulletins, the other main benefit is the relationship you build with the AUSCERT team. They are a knowledgeable group of people who care and are backed by a community that’s grown at conferences each year.

What advice would you give to someone considering becoming an AUSCERT member?

If you’re an organisation considering an AUSCERT membership – it’s great value, regardless of your company’s size. For smaller organisations, there are great insights into the threat landscape and the intelligence they can receive. For bigger organisations, it’s about the community, and giving back.

What do you think the future holds for AUSCERT?

Realistically, who knows what the future holds for all things cyber? But one thing that has been clear is that AUSCERT will continue to facilitate events where they’ll listen to their members and community – offering to fill the gaps not being filled by others.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT is independent, and not-for-profit. You know the information you’ll receive is sound and without influence, and that’s helpful when there’s so much noise in the cyber security landscape.


Week in review

AUSCERT Week in Review for 13th October 2023

13 Oct 2023

Greetings, This week was an eventful one for AUSCERT as part of our team journeyed to Melbourne to connect with our members and participate in the prestigious Women in Security Awards ceremony. The 2023 Australian Women in Security Awards was a night filled with grace and charm, as it embraced an enchanting masquerade theme this year. This event served as a wonderful occasion for members of the industry to come together and celebrate the achievements and contributions of both men and women who have played pivotal roles in this field. AUSCERT is a proud sponsor of the Women in Security Awards, endorsing their initiatives to foster greater diversity and break down gender-related barriers. These awards honour champions who are committed to dismantling gender discrimination in their workplace while advocating for equality within the cyber security industry. Additionally, they acknowledge organisations that are dedicated to fostering a more inclusive and empowering workplace culture. The Women in Security Awards does a great job of shining a spotlight on those who go above and beyond to create an environment that genuinely celebrates all voices and contributes to shaping a brighter and more equitable future for all. In recent developments, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a cyber security advisory (CSA) that highlights the most common misconfigurations found in large organisations, detailing the tactics, techniques, and procedures (TTPs) employed by malicious actors to exploit these misconfigurations. The CSA outlines the top 10 misconfigurations which reveal a prevailing trend of systemic vulnerabilities within many organisations, even those with well-established cyber security practices. They also provide mitigation advice to reduce vulnerabilities, including the importance of secure-by-design principles in the software supply chain. 
This proactive approach can alleviate the strain on defenders, making it essential in the ongoing effort to enhance cyber security resilience. In conclusion, if you’re seeking something engaging to listen to during your commute, be sure to tune in to our newest episode of our Share Today, Save Tomorrow podcast – Episode 27, Celebrating Neurodiversity! Anthony sits down with Shelly and Trinity to discuss neurodiversity and share their advice and experience on creating the best work environment for people who might see and feel the world differently. Bek and our Principal Analyst Mark Carey-Smith, sit down in the second half of the episode to discuss our new Cyber Resilience for Executives course and preparations for AUSCERT2024. HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks Date: 2023-10-10 Author: The Hacker News [Please see AUSCERT bulletin: ASB-2023.0189] Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10. New critical Citrix NetScaler flaw exposes 'sensitive' data Date: 2023-10-10 Author: Bleeping Computer [Please see AUSCERT bulletin: ESB-2023.5826] [AUSCERT has also identified the impacted members (where possible) and contacted them via email] Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances. The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity. 
However, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks.

curl vulnerabilities ironed out with patches after week-long tease
Date: 2023-10-11
Author: The Register
[See AUSCERT bulletin: ASB-2023.0190]

After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today. Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high."

Australia’s home affairs department hit by DDoS attack claimed by pro-Russia hackers
Date: 2023-10-06
Author: The Guardian

The department responsible for Australia’s cybersecurity, national security and immigration has confirmed it was hit with a distributed denial-of-service attack on Thursday night that took its website offline for five hours, after a pro-Russia hacker group said it would target the site over Australia’s support for Ukraine. The group posted on Telegram on Thursday night that it was targeting the home affairs department with a distributed denial-of-service (DDoS) attack after Australia announced this week that Slinger technology aimed at combating drones would be sent to Ukraine in the push back against the Russian invasion.

GNOME Linux systems exposed to RCE attacks via file downloads
Date: 2023-10-09
Author: Bleeping Computer

A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment. libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions. Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, name of song, and musician, and are also typically paired with the FLAC audio file format.

Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
Date: 2023-10-10
Author: Ars Technica

Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin. The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

ASB-2023.0187 – ALERT Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.4
Microsoft's most recent security patch update resolves vulnerabilities across Microsoft Office, Office Services and Web Apps.

ASB-2023.0182 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft patched 80 vulnerabilities in Windows and Windows Server in its October 2023 Patch Tuesday release.

ESB-2023.5866 – ALERT BIG-IP Configuration utility: CVSS (Max): 9.9
F5 Networks has introduced fixes to resolve a directory traversal vulnerability found in BIG-IP. These fixes are designed to address and mitigate the potential risks associated with this vulnerability.

ESB-2023.5861 – ALERT FortiWLM: CVSS (Max): 9.6
Fortinet has issued patches to address a critical vulnerability in FortiWLM, related to unauthenticated command injection.

ESB-2023.5878 – Adobe Photoshop: CVSS (Max): 7.8
Adobe has recently launched an update for Photoshop for both Windows and macOS operating systems. This update specifically addresses a critical vulnerability that, if exploited successfully, could potentially result in the execution of arbitrary code.

ESB-2023.5917 – IBM Security QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. However, IBM has taken the necessary steps to address the relevant CVEs.

Stay safe, stay patched and have a good weekend!

The AUSCERT team
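The libcue item in this digest concerns a parser for a small plain-text format that a desktop indexer runs over every file that lands on disk, with no user interaction. The following is an added example, not part of this digest and not libcue's or GNOME's code: a hypothetical, deliberately strict cue sheet parser in Python that range-checks every numeric field (track number, index number, MM:SS:FF timecode, total size) before any of it could be used as an array index or offset, and refuses the file otherwise. The two sample sheets are constructed for the example.

```python
"""Strict cue sheet parser: an added, hypothetical example, not libcue code.
Every numeric field is range-checked before it could serve as an array index
or time offset, since an indexer parses these files without user interaction."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TRACKS = 99          # Red Book audio CDs carry at most 99 tracks
MAX_INDEXES = 100        # INDEX numbers run 00..99
FRAMES_PER_SECOND = 75   # MM:SS:FF timecodes count 75 frames per second


class CueError(ValueError):
    """Raised for any sheet that violates the format's limits."""


@dataclass
class Track:
    number: int
    title: Optional[str] = None
    indexes: Dict[int, int] = field(default_factory=dict)  # index no -> frame offset


@dataclass
class CueSheet:
    title: Optional[str] = None
    files: List[str] = field(default_factory=list)
    tracks: List[Track] = field(default_factory=list)


def _is_num(s: str) -> bool:
    """Accept only ASCII digits, so int() is never fed exotic numerals."""
    return s.isascii() and s.isdigit()


def _parse_msf(text: str) -> int:
    """Convert MM:SS:FF into a frame count, rejecting out-of-range fields."""
    parts = text.split(":")
    if len(parts) != 3 or not all(_is_num(p) for p in parts):
        raise CueError(f"malformed timecode {text!r}")
    minutes, seconds, frames = (int(p) for p in parts)
    if seconds >= 60 or frames >= FRAMES_PER_SECOND:
        raise CueError(f"timecode fields out of range in {text!r}")
    return (minutes * 60 + seconds) * FRAMES_PER_SECOND + frames


def _unquote(value: str) -> str:
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_cue(text: str, max_len: int = 64 * 1024) -> CueSheet:
    """Parse cue sheet text into a CueSheet; raise CueError on any violation."""
    if len(text) > max_len:
        raise CueError("cue sheet too large")
    sheet, current = CueSheet(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword, fields = keyword.upper(), rest.split()
        if keyword == "FILE":                       # FILE "name" TYPE
            sheet.files.append(_unquote(rest.rsplit(" ", 1)[0]))
        elif keyword == "TRACK":                    # TRACK NN AUDIO
            if len(fields) != 2 or not _is_num(fields[0]):
                raise CueError(f"line {lineno}: malformed TRACK")
            number = int(fields[0])
            if not 1 <= number <= MAX_TRACKS or len(sheet.tracks) >= MAX_TRACKS:
                raise CueError(f"line {lineno}: track {number} exceeds limits")
            current = Track(number=number)
            sheet.tracks.append(current)
        elif keyword == "INDEX":                    # INDEX NN MM:SS:FF
            if current is None or len(fields) != 2 or not _is_num(fields[0]):
                raise CueError(f"line {lineno}: malformed or misplaced INDEX")
            idx = int(fields[0])
            if idx >= MAX_INDEXES:
                raise CueError(f"line {lineno}: index {idx} out of range")
            current.indexes[idx] = _parse_msf(fields[1])
        elif keyword == "TITLE":                    # sheet title or current track title
            target = current if current is not None else sheet
            target.title = _unquote(rest)
        # Unknown keywords are ignored rather than trusted.
    return sheet


# Constructed sample sheets (not real albums).
SAMPLE_CUE = """\
REM constructed sample
TITLE "Example Album"
FILE "example.flac" WAVE
  TRACK 01 AUDIO
    TITLE "First"
    INDEX 01 00:00:00
  TRACK 02 AUDIO
    TITLE "Second"
    INDEX 00 03:10:50
    INDEX 01 03:12:00
"""
# Track number far past the 99-track limit: refused before it could index anything.
MALFORMED_CUE = 'FILE "example.flac" WAVE\n  TRACK 200 AUDIO\n    INDEX 01 00:00:00\n'


def is_safe_cue(text: str) -> bool:
    """True if the sheet parses within the format's limits, False otherwise."""
    try:
        parse_cue(text)
        return True
    except CueError:
        return False
```

The design point is that the parser validates against the format's documented limits (99 tracks, index numbers below 100, 75 frames per second) and fails closed on anything else, rather than trusting whatever integer the file supplies; `is_safe_cue` wraps that decision so an indexer could skip a bad sheet instead of crashing on it.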


30 Years 30 Stories

11 Oct 2023

AUSCERT 30 Years 30 Stories – Shelly Mills

Championing AUSCERT’s passion for positive change, Shelly Mills shares why she thinks AUSCERT is the best cyber organisation an organisation could partner with. Shelly has attended the AUSCERT conference four years in a row. As the Cyber Security Improvements Manager at the University of Queensland, Shelly attests to AUSCERT’s virtues.

How did you first become involved with AUSCERT?

I started my first role at the University of Queensland, right before the AUSCERT conference. I remember having my first one-on-one with my boss, and my question was – can I go to the AUSCERT conference? That’s how I initially got involved with AUSCERT – it was the first thing I wanted to do.

What are the key benefits as an AUSCERT member?

A great benefit is the professional development offered by AUSCERT. The amount of professional development and networking you receive from the conference is awesome. Building those networks throughout your industry and other industries, including knowledge sharing, is a great benefit.

How has AUSCERT evolved over the years?

AUSCERT has definitely grown over the years – but a great thing is when you look at the management team at AUSCERT, they’re focused on giving back to the community. They strive to understand the community and make sure the services and provisioning align with what the community wants.

What advice would you give someone considering becoming an AUSCERT member?

You’ve got to join and be an AUSCERT member because they have the best conferences! I know it’s hard to justify budgets to go to conferences, but AUSCERT’s comes in its membership, so you’ll get to go to the conference.

What do you think the future holds for AUSCERT?

I know the AUSCERT management team are going to keep aligning their services to what the community wants. I predict there will be more training on a variety of different topics.

How has your AUSCERT membership impacted your organisation’s overall approach to cyber security?

AUSCERT also sits under the University of Queensland, so we’re somewhat related. We’re very lucky that our Cyber Security Operations Manager has been working with AUSCERT to share knowledge. Therefore, our membership has been very beneficial, especially for our Cyber Security Operations Centre. We learn from AUSCERT analysts as to how they do things and bring those skills back to our team.

What sets AUSCERT apart from other organisations in the cyber security industry?

Honestly, everyone at AUSCERT goes in with the purest of intentions, wanting to make a positive difference for the cyber security community and the community at large. Unfortunately, that’s not true everywhere else. I actually sent both AUSCERT managers an email two days ago saying thank you. They lead with such genuineness, authenticity and care, and that’s what makes AUSCERT so special. There’s a lot of people in the industry out for profit, who don’t care about the community. AUSCERT embodies all that’s good within the cyber security industry.


30 Years 30 Stories

9 Oct 2023

AUSCERT 30 Years 30 Stories – Chris Horsley

Who better to hear from than one of AUSCERT’s original seven security analysts, Chris Horsley? Working with AUSCERT from 2004 to 2006, Chris is now the Chief Technology Officer at Cosive, a cyber security consultancy firm based in Melbourne, Sydney and New Zealand. From helping victims get their credentials returned to utilising cryptographic analysis, Chris’ years of experience in the evolving cyber world are worth a read.

Can you describe a memorable experience you had while working with AUSCERT?

We dealt with a lot of financial malware back in those days — it was the early days of criminals writing malware to steal money from bank accounts, usually by stealing passwords. There was one malware crew who were more sophisticated than others and they would encrypt their data. To get their victims, they would place malware on the machines they would upload the credentials to, taking them to another server. We managed to get our hands on the encrypted data to find out whose data was stolen. We then used cryptographic analysis to work out how they were doing that encryption. We managed to break their encryptions and then we went into a big program trying to get those credentials back to the people — the bank customers, the university employees and the government employees. It was a really meaningful job and very interesting in terms of the analysis work required.

Can you briefly describe your role and responsibilities during your time at AUSCERT?

Between 2004 and 2006, I was one of AUSCERT’s security analysts. It was a time when there were only seven of us, meaning we all had to do a bit of everything. We had what we called ‘point’, where we triaged all the correspondence coming in; whether it was a report about incident handling or a query from a member about how to approach a certain problem. We did a lot of security vulnerability work too and were constantly flooded with new information about patches and vulnerabilities. We had to analyse each and re-bundle them for AUSCERT members. Outside of this, we travelled to many conferences because we were the national CERT at this particular point in time. We would go to international conferences and talk to our counterparts in Europe, Asia, and the United States. I got a lot of opportunities to go travelling, which was an amazing experience.

With AUSCERT’s vast history, did you get to work on the beginning cases of phishing in Australia?

Around 2004, phishing became a big problem in Australia. AUSCERT did a lot of groundbreaking work because Australia was one of the first countries to be hit. As a team, we did a lot of analysis to find out how phishing worked, how they ran their servers and where they were in order to figure out the most effective way for us to take them down. We would often try to chase the credentials and get them back into the hands of the victims.

Recapping on the 30 years AUSCERT has been around, how would you say the cyber security landscape has changed?

The cyber security landscape has changed drastically. We didn’t have smartphones in this era – it was all desktop machines and there were no operating systems that were self-contained mobile operators. However, despite the changes, phishing is still around and continues to this day. I still do that type of work and it’s 20 years since I joined AUSCERT and started working in this industry. One thing that has been a big change in the landscape is how mainstream cyber security has become. In the early days, a lot of companies weren’t thinking about cyber security as a problem. Businesses didn’t have cyber security officers and the board didn’t think about cyber security problems. These days cyber security is very mainstream. Another big change has been the consideration of the threat of cyber warfare. Back then, a lot of people were debating whether cyber warfare could become ‘a thing’. These days, cyber warfare has definitely eventuated and it’s definitely a different playing field in terms of how cyber security and attacks on computer systems are accepted as a serious problem.

What was the most significant security incident you dealt with while at AUSCERT?

One of the most significant incidents I dealt with was what I called ‘credential repatriation’, where I would find financial malware uploading to servers, often gigabytes’ worth of stolen credentials. I ended up writing a lot of software that analysed who got their credentials stolen. I would try to write software as best I could to get their credentials back into the hands of the organisations it was stolen from. I spent a lot of time poring through these logs and trying to get them back into the right hands so that the owners of the accounts could change passwords and remediate damages. I remember that being very rewarding work.

How did AUSCERT support its members in improving their security posture, and what were some of the most effective strategies you used?

Quite often, members would ring us because they were going through an incident. At that time, there was a lot less public information and supporting documentation around. Members would often have an incident that they were trying to handle, and they would ring us, so we could be a sounding board for them. When you’re handling an incident, it can be a very stressful experience and often by talking to us, we could give feedback or listen to what they had done so far and provide them with assistance.

How has your experience working at AUSCERT influenced your career path and approach to cyber security?

I view my time at AUSCERT as foundational. It was my first cyber security role – prior to it I’d been a software developer building web applications. My time at AUSCERT taught me so much about incident response, coordination and vulnerability handling. One of my most rewarding experiences was the relationships I built with the other seven analysts I worked with. They were a great group of people who I stay in touch with to this day. I have so many great memories of that time.
