Publications

AUSCERT Membership Terms and Conditions (Version: March 2024)   Download the AUSCERT Membership Terms and Conditions in PDF format below: AUSCERT Membership Terms and Conditions – Mar2024

Greetings, Today we celebrate AUSCERT’s 31ST Birthday and embrace the spirit of International Women’s Day! It fills us with immense joy to be able to celebrate this special occasion alongside the remarkable women around us! Ironically on this momentous day, we also released the 31st episode of our podcast titled “Cybercrime” featuring special guests Nigel Phair from Monash University and James Chadwick, Principal Analyst of AUSCERT. In this captivating conversation Anthony and Nigel unravel the murky world of cybercrime. Together, they explore the evolution of cybercrime over the past two decades, particularly as the internet has become more accessible to a broader audience globally. They shed light on the expanding opportunities it has provided for criminals, delving into the various tactics and approaches employed to tackle this complex issue throughout the years. In other news, as Queensland's local government elections approach, it's crucial to remain vigilant about potential voting scams that often emerge during these periods. During significant events like political elections, evil actors tend to escalate their attacks, capitalising on the heightened buzz and media attention. Here are some key points to be mindful of during this election season: Phishing Attempts: Exercise caution with emails, messages, or calls claiming to be from official election authorities. Avoid clicking on suspicious links and verify the authenticity of communication before sharing any personal information. Misinformation Campaigns: Be wary of false information circulating on social media or other platforms. Verify the accuracy of news and updates related to the election from reliable sources before sharing or acting upon them. Fraudulent Websites: Only use official and secure websites for election related information and activities. Malicious actors may create fraudulent websites to collect sensitive data or spread misinformation. Phone Impersonation Scams: Be cautious of individuals posing as election officials, candidates, or representatives. Verify the identity of anyone requesting personal information or donations related to the election. Stay informed: Keep yourself informed about common election scams and stay updated on security guidelines provided by official election authorities. You can find more information on the Australian Government’s Scamwatch website. Awareness is key to prevent falling victim to fraudulent activities! If you do encounter any of the above activities, report it here. Hackers steal Windows NTLM authentication hashes in phishing attacks Date: 2024-03-04 Author: Bleeping Computer [AUSCERT is aware of reports where Australian organisations appear to have been targeted by TA577. Please see AusCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0046.2] The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks. TA577 is considered an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections. Email security firm Proofpoint reports today that although it has seen TA577 showing a preference for deploying Pikabot recently, two recent attack waves demonstrate a different tactic. PikaBot malware on the rise: What organizations need to know Date: 2024-03-01 Author: Malwarebytes Labs [AusCERT has distributed IoCs associated with PikaBot malware through the MISP platform] A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads. Apple fixes two new iOS zero-days exploited in attacks on iPhones Date: 2024-03-05 Author: Bleeping Computer [Please see AusCERT bulletins: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1413 and https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1414] Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections. TeamCity auth bypass bug exploited to mass-generate admin accounts Date: 2024-03-06 Author: Bleeping Computer [AUSCERT utilised third-party search engines to identify and alert any impacted members. If you use Teamcity, we recommend patching according to the vendor's guidelines] Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday. Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web. VMware Patches Critical ESXi Sandbox Escape Flaws Date: 2024-03-05 Author: Security Week [Please see AusCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1406/] Virtualization technology vendor VMware on Tuesday rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products. The company documented four vulnerabilities and warned that the most serious bugs could allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host. ESB-2024.1366 – Android: CVSS (Max): 9.8 Google has released security patches for critical security vulnerabilities affecting Android devices including a vulnerability in the System component potentially leading to remote code execution. ESB-2024.1407 – Linear eMerge E3-Series: CVSS (Max): 10.0 A critical security vulnerability in the Nice Linear eMerge E3-Series poses a severe risk with a CVSS score of 10.0. Exploitation of multiple vulnerabilities could allow a remote attacker to gain full system access. Users are advised to upgrade to the latest firmware to mitigate these risks. ESB-2024.1431 – squid: CVSS (Max): 8.6 An update for Squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support, addressing a vulnerability that could lead to a denial of service in the HTTP header parser. ESB-2024.1368 – Google Chrome: CVSS (Max): None Google released Chrome 122.0.6261.111/.112 for Windows and Mac and 122.0.6261.111 to Linux that contains 3 security fixes. ESB-2024.1461 – Jenkins Plugins: CVSS (Max): 8.0* Jenkins has released latest versions of the affected plugins to address multiple security vulnerabilities, including issues such as SSH vulnerabilities, improper input sanitization leading to cross-site scripting (XSS), and missing permission checks. Stay safe, stay patched and have a good weekend! The AusCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Cybercrime In this episode, AUSCERT features the following guests: Nigel Phair, Monash University James Chadwick, AUSCERT Anthony sits down with Nigel Phair from Monash University to discuss the murky world of Cybercrime! In the second half of the episode, Bek chats with James Chadwick, Principal Analyst of AUSCERT about the release of the NIST 2.0 Framework and the fast approaching AUSCERT Conference. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, The AUSCERT2024 program is now live! With the highest number of presentation submissions ever received, the selection committee faced the challenging task of curating a program that showcases the most relevant and impactful topics. Striving for diversity, the committee selected a wide array of subjects, ensuring a well-rounded and engaging program. If you haven't already, make sure to register as soon as possible to secure your spot! In recent news, the National Institute of Standards and Technology (NIST) has introduced version 2.0 of its cyber security framework (CSF), marking a significant update since its inception in 2014. This development is noteworthy as the framework now explicitly aims to assist all organisations, extending beyond critical infrastructure entities in managing and mitigating risks. The updated framework incorporates implementation examples, providing actionable steps to achieve various outcomes within different areas. Additionally, they have also released quick start guides to provide further direction and guidance to organisations wanting to achieve specific objectives. The updated NIST Framework places a new focus on governance. The new GOVERN function addresses the cyber security risk management strategy, expectations and policies that should be established, communicated and monitored. GOVERN essentially provides outcomes to inform what an organisation may do to achieve and prioritise the outcomes of the other five Functions within the framework (Identify, Protec, Detect, Respond & Recover). GOVERN also contains a new focus area on cyber security supply chain risk management. For member organisations seeking additional support in governance, we recommend registering for our new training course, "Data Governance Principles and Practices." In this course, our expert practitioners delve into the key components of a successful data governance framework, utilizing real-world examples to illustrate best practices. The training is designed to provide attendees with fundamental skills and knowledge essential for expediting the establishment of a successful data governance program within their organisation. Participants will also learn practices and methodologies applicable to various initiatives, including stakeholder management, identification of pain points and the development of related objectives ultimately leading to the creation of a strategy on a page. CVE-2024-26592 & 26594: Critical Linux Kernel Flaws Open Door for Code Execution and Data Theft Date: 2024-03-26 Author: Security Online A pair of critical vulnerabilities, recently patched in the Linux kernel, have raised alarms for anyone managing Linux systems. These flaws resided in the KSMBD file server, responsible for seamless file sharing with Windows machines. These vulnerabilities, dubbed CVE-2024-26592 and CVE-2024-26594, carried severe consequences, but thankfully, swift action has mitigated the threat. WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk Date: 2024-03-27 Author: The Hacker News [AusCERT has identified the impacted members (where possible) and contacted them via email ] A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack researcher Rafie Muhammad said. TeamViewer's Security Flaw Risks Password Safety Date: 2024-03-29 Author: Security Online A recently discovered security hole (CVE-2024-0819) in older TeamViewer versions (prior to 15.51.5) could have put your personal password and system security at risk. This flaw allowed even low-level users on shared computers to set a personal password, potentially leading to unauthorized remote access. Fortunately, TeamViewer has released a fix, but it’s crucial to update immediately and take this opportunity to bolster your overall security practices. Progress patches authentication bug in OpenEdge Date: 2024-03-28 Author: iTnews Progress Software’s OpenEdge authentication gateway and AdminServer need to be patched against a critical authentication bypass bug present in all supported releases of OpenEdge. According to the company’s advisory, the bug affects OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0. The bug’s Mitre entry adds: “Certain unexpected content passed into the credentials can lead to unauthorised access without proper authentication.” CVE-2023-7235: OpenVPN Vulnerability Puts Windows Users at Risk Date: 2024-03-21 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] OpenVPN has released version 2.6.9 for Windows, Mac, and Linux, addressing a severe privilege escalation vulnerability (CVE-2023-7235). This flaw, discovered by Will Dormann, affects Windows GUI installations of OpenVPN. Zyxel Patches Remote Code Execution Bug in Firewall Products Date: 2024-03-26 Author: Security Week Taiwanese networking device maker Zyxel has rolled out patches for multiple defects in its firewall and access point products alongside warnings that unpatched systems are at risk of remote code execution attacks. Zyxel, a company that has struggled with software security problems, documented at least four vulnerabilities that expose businesses to code execution, command injection and denial-of-service exploitation. ESB-2024.1257 – Google Chrome: CVSS (Max): None Google has issued an update for the Google Chrome Stable channel containing 4 security patches. This update is applicable to Mac, Linux, and Windows systems and will be gradually rolled out over the upcoming days/weeks. ESB-2024.1150 – Firefox for iOS: CVSS (Max): None Mozilla has released patches to resolve CVE-2024-26283, CVE-2024-26282, and CVE-2024-26281 in Firefox for iOS 123, preventing potential unauthorized script execution by attackers. ESB-2024.1299 – Juniper Secure Analytics (JSA): CVSS (Max): 9.8 Several vulnerabilities have been reported in Juniper Networks' Juniper Secure Analytics affecting all versions before 7.5.0 UP7. Juniper Networks has released software updates to mitigate these vulnerabilities. ESB-2024.1131.2 – UPDATE Drupal Core: CVSS (Max): None A critical vulnerability affecting Drupal core has been identified, potentially resulting in sensitive information being cached and accessible to anonymous users, thereby enabling privilege escalation. Administrators are strongly advised to install the recommended version prevent exploitation. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, AUSCERT has detected a rise in Critical MSINs being sent to members. These proactive alerts are flagged for urgent attention to mitigate potential high-priority risks, particularly when AUSCERT identifies exploitation of 0-day vulnerabilities. CISA, along with its five-eye country partners, has issued a joint advisory on 'Identifying and Mitigating Living Off the Land Techniques' (LOLT). Notably, cyber threat actors, including state-sponsored actors from the People’s Republic of China and the Russian Federation, have been observed employing LOLT to compromise and maintain persistent access to critical infrastructure organisations. This joint guide is released for network defenders and threat hunters, addressing the increasing prevalence of LOLT techniques in the broader cyber threat landscape. Understanding and countering these techniques is crucial for enhancing cybersecurity posture and mitigating risks from sophisticated adversaries. In other recent developments, the Pall Mall Process declaration between the UK and France marks a crucial stride in addressing the proliferation and irresponsible use of commercial cyber intrusion capabilities. Cyber proliferation involves the intentional or unintentional transfer of cyber capabilities among actors for network or device exploitation or attack purposes. The Pall Mall Process declaration is an innovative international initiative aimed at exploring policy options and new practices to counter this shared threat. The NCSC’s recent blog delves into what this process signifies for the future. Take a moment to read and stay informed, you can then “advance to GO”. Are you aware of Australia's Online Safety Laws? While employing measures like secure passphrases and two-factor authentication provides a strong defence against bad actors, it's equally important to report illegal and violent content online. To learn more, visit esafety.gov.au, these laws have your back! Business risks are also important. The AUSCERT Cyber Security Risk Management course is designed to provide participants with the confidence to perform a risk assessment of cyber security risks, and the ability to rate, assess, and report business risks. Calibrating cyber security as business risks rather than just technical vulnerability severity readily facilitates business leader buy-in. Register today!. Here are some highlights from this week’s cyber security news, including the significant law enforcement takeover of the prolific multinational ransomware syndicate behind LockBit. ConnectWise Rushes to Patch Critical Vulns in Remote Access Tool Date: 2024-02-20 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Enterprise IT software giant ConnectWise has released urgent patches for two critical security defects in its ScreenConnect remote desktop access product, warning there is high risk of in-the-wild exploitation. The most serious of the two bugs is described as an “authentication bypass using an alternate path or channel” and carries the maximum CVSS severity score of 10/10. A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”) was also fixed and tagged with a CVSS severity score of 8.4/10. Over 28,500 Exchange servers vulnerable to actively exploited bug Date: 2024-02-19 Author: Bleeping computer [Please see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0038/] Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Tangerine Telecom says customer data of 232,000 affected by 'cyber incident' Date: 2024-02-21 Author: iTnews Tangerine Telecom, a challenger retail service provider, says a “legacy” customer database containing details of 232,000 current and former customers was accessed by an unknown party via exploitation of a contractor’s credentials. The seller of NBN and mobile services said in a statement on Wednesday that “the unauthorised disclosure of certain personal information” occurred on Sunday, and that the management team had learned of the incident on Tuesday. LockBit ransomware disrupted by global police operation Date: 2024-02-19 Author: Bleeping Computer Law enforcement agencies from 11 countries have disrupted the notorious LockBit ransomware operation in a joint operation known as ''Operation Cronos." According to a banner displayed on LockBit's data leak website, the site is now under the control of the National Crime Agency of the United Kingdom. Government moves to expand SMS Sender ID registry Date: 2024-02-19 Author: iTnews Nine months after announcing it would require telcos to use a Sender ID Registry to combat SMS spam, the government has started consultation over whether the scheme should be mandatory or voluntary for Australia’s telcos. The registry would create a controlled list of the numbers used by registered brand names. This would prevent scammers from impersonating participants’ brands, since carriers would block texts using those brands unless the originating number is in the registry. ASB-2024.0045.3 – UPDATE AUSCERT Bulletin Service AUSCERT has recently updated its security bulletin infrastructure. — Notable changes include: * removal of PGP-signing * consolidation of operating system categories and tags to retire some end-of-life products and introduce some recent categories * minor change to email subject line and headers due to a change of the underlying systems * improved bulletin search facility on website ESB-2024.1092 – Google Chrome: CVSS (Max): None Google has released patches for several vulnerabilities for Google Chrome ESB-2024.1099 – VMware Enhanced Authentication Plug-in (EAP): CVSS (Max): 9.6 VMware has addressed vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) ESB-2024.1102 – Atlassian Products: CVSS (Max): 8.5 Atlassian has released updates to several products which were impacted by various high-severity vulnerabilities Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, The ACSC has developed a valuable single reporting tool to help you determine which Australian regulations apply to your organisation, as well as specifying when and to whom you need to report a cyber breach. First highlighted in the government’s Australian Cyber Security Strategy 2023-2030, the swift availability of this resource is notable. Its significance lies in simplifying the process and will undoubtedly have a positive impact on our community. The federal government launched the Cyber Security Legislative Reforms consultation paper late last year to gather views on new legislative initiatives and proposed amendments to the Security of Critical Infrastructure Act 2018. This consultation paper outlines reforms that were part of the Australian Cyber Security Strategy action plan and covers nine areas that are worthy of a read. One being Ransomware reporting obligations which is one of the fastest growing types of cybercrime. The government is proposing that reporting ransomware incidents should become a mandatory, no-fault, no-liability obligation for businesses. The National Office of Cyber Security’s recent review of the HWL Ebsworth cyber incident demonstrates various lessons, with one significant takeaway being the company’s close collaboration with government agencies in effectively handling the incident. Therefore, the government is considering introducing a Cyber Incident Review Board co-designed with the industry to share the lessons learned from cyber incidents with businesses and the wider public. The HWL Ebsworth breach involved the exfiltration of 4TB of data (2.2 million files), including sensitive information from 62 Australian government entities, major banks, airlines, and other multinational businesses. In preparation for cyber incidents, consider registering for our Incident Response Planning training course! Effective cyber security incident response is essential for maintaining organisational objectives by avoiding or limiting the impact of cyber security incidents. Be equipped with the tools to write and implement a bespoke incident response plan for your organisation. Register today!. Here are some highlights from this week’s cyber security news: Zoom patches critical privilege elevation flaw in Windows apps Date: 2024-02-14 Author: Bleeping Computer [Please also see AUSCERT bulletin:https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0044] The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network. Zoom is a popular cloud-based video conferencing service for corporate meetings, educational lessons, social interactions/gatherings, and more. New Fortinet RCE bug is actively exploited, CISA confirms Date: 2024-02-09 Author: Bleeping Computer [AUSCERT has identified impacted members (where possible) and contacted them via email]. [Please also see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.0849] CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday. The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests. CISA: Roundcube email server bug now exploited in attacks Date: 2024-02-12 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email.] CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks. The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages maliciously crafted links in low-complexity attacks requiring user interaction. The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. QNAP vulnerability disclosure ends up an utter shambles Date: 2024-02-13 Author: The Register [AUSCERT has identified the impacted members (where possible) and contacted them via email] Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November. The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem. QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully. Decryptor for Rhysida ransomware is available! Date: 2024-02-12 Author: Help Net Security Files encrypted by Rhysida ransomware can be successfully decrypted, due to a implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor. Rhysida is a relatively new ransomware-as-a-service gang that engages in double extortion. First observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare delivery organizations, and Holding Slovenske Elektrarne (HSE). ASB-2024.0044 – Zoom Clients: CVSS (Max): 9.6 The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw. ASB-2024.0038 – Microsoft Exchange Server: CVSS (Max): 9.8 Microsoft has released its monthly security patch update and it includes Privilege escalation vulnerability on Microsoft Exchange Servers. ESB-2024.0913 – Adobe Acrobat and Reader: CVSS (Max): 8.8 Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak. ESB-2024.0836.2 – UPDATED ALERT Cisco Expressway Series: CVSS (Max): 9.6 Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. Stay safe, stay patched and have a good weekend! The AusCERT team

Introduction: Valentine’s Day, often associated with expressions of love and affection, unfortunately also provides an opportune time for scammers to prey on unsuspecting individuals seeking romance. As we approach this annual celebration, it is crucial to remain vigilant and aware of the various scams and frauds that can lead to financial losses and emotional distress. The Australian government and major financial institutions have issued warnings about the rise in Valentine’s Day scams, highlighting the need for caution in online interactions and financial transactions [1][2]. The Scams and Frauds to Watch Out For: 1. Fraudulent Investment Opportunities Scammers use various methods to lure unsuspecting victims into their trap. They might promise high returns with little risk, exclusive insider information, or guaranteed profits within a short period. These scams may involve investments in stocks, cryptocurrencies, or even fictitious businesses. Victims are convinced to invest their hard-earned money, believing they have found a secure and profitable venture. 2. Gift Card Scams Scammers can pose as sellers offering discounted or limited-edition gift cards. They lure victims into purchasing these seemingly irresistible deals, but the gift cards turn out to be fake or previously used. Victims are left empty-handed, and their hard-earned money is gone. – Only purchase gift cards from trusted retailers or directly from their websites – Be cautious of deals that appear too good to be true – Verify the card’s balance before making any transactions. 3. Flower Delivery Scams Scammers set up fake florist websites or pose as legitimate flower delivery services. Victims place orders, pay in advance, but never receive the promised bouquets. This not only results in financial loss but also leaves disappointment and emotional distress. – Research the legitimacy of the florist before placing an order – Look for customer reviews and check their contact information – Consider using well-established flower delivery services with trusted reputations. 4. Online Shopping Fraud With the rise of online shopping, individuals often turn to the internet to purchase gifts for their loved ones. However, scammers take advantage of the increased online traffic by creating fake websites, social media pages, or advertisements offering attractive deals and discounts. Victims unknowingly share their payment information, only to receive counterfeit or never receive anything at all. – Stick to reputable online retailers with secure payment systems – Double-check website URLs for any misspellings or suspicious elements – Use secure payment methods which offer fraud protection. Protecting Yourself from Valentine’s Day Scams: 1. Stay Informed Stay updated on the latest scams and frauds by following alerts issued by government agencies, law enforcement, and trusted news sources. The more informed you are, the better prepared you will be to identify and avoid potential scams. 2. Trust Your Gut If something feels too good to be true or raises suspicions, trust your instincts. Scammers often exploit emotions and vulnerability, so be cautious before sharing personal information or engaging in financial transactions. 3. Watch out for phishing attempts Phishing is a common tactic used by scammers to trick individuals into revealing personal information or login credentials. Be wary of messages that ask for sensitive data, such as your credit card details. Legitimate organizations will never ask for such information via unsolicited messages. 4. Avoid clicking on suspicious links One of the most crucial steps in protecting yourself from scams is to refrain from clicking on links in messages, especially those that appear suspicious or unfamiliar. Scammers often use these links to redirect you to fraudulent websites or to install malware on your device. 5. Research Before Engaging Before interacting with someone online, take the time to research their profile, photos, and background information. Conducting a simple online search can sometimes reveal if the person is using fake pictures or has been involved in previously reported scams. 6. Report Suspicious Activity If you encounter suspicious profiles, emails, or messages, report them to the relevant dating platform or local authorities. Reporting such activities helps to protect others from falling victim to scams. 7. Educate Yourself and Others Share information about common scams and frauds with your friends, family, and social networks. By spreading awareness, you can collectively combat the efforts of scammers and protect those around you. Reference: [1] https://www.theaustralian.com.au/breaking-news/australians-warned-of-romance-scams-ahead-of-valentines-day/news-story/9a21c7a2ad7697980f291ffa87a439d5 [2] https://www.nationaltribune.com.au/government-warns-against-ruthless-romance-scammers-this-valentines-day/

Greetings, AUSCERT2024 registrations are now open – secure the early bird rates now! AUSCERT Member Tokens have been dispatched so make sure to utilise these great discounted and complimentary tickets. Our tutorial schedule offers a great selection of workshops covering diverse subjects like threat hunting, incident response, risk management, and machine learning. This year, we received the highest number of presentation submissions in the history of our conference! We're eagerly anticipating the program committee's selection of the best presentations for an exciting and informative program. Join us for an exceptional experience at AUSCERT2024! One of our favourite aspects of the conference is the chance to reconnect with our community. Each year, our goal is to curate a program featuring speakers who are experts and leaders in their fields, while also promoting diversity to ensure we incorporate different perspectives and mindsets. A notable highlight from AUSCERT2023 was the significant presence of outstanding female speakers in the program. Particularly impressive was keynote speaker Rachel Tobac, a globally renowned expert in social engineering. Speaking of social engineering, with Valentine’s Day approaching now is a great time to promote good cyber hygiene in your workplace and personal life. You can further bolster cyber security resilience in your workplace with a variety of new training courses we’ve recently added to our line-up, including the highly sought-after "Data Governance Principles and Practices." This course is designed to educate participants on the key components of a successful framework, covering best practices and real-world examples. Attendees will learn the essential skills and knowledge required to implement a successful data governance program in their organisations. Here’s some highlights from this week’s cyber security news: Critical Cisco bug exposes Expressway gateways to CSRF attacks Date: 2024-02-07 Author: Bleeping Computer [AUSCERT has identified impacted members (where possible) and contacted them via email] [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0836] Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated as critical severity and exposing vulnerable devices to cross-site request forgery (CSRF) attacks. Attackers can exploit CSRF vulnerabilities to trick authenticated users into clicking malicious links or visiting attacker-controlled webpages to perform unwanted actions such as adding new user accounts, executing arbitrary code, gaining admin privileges, and more. JetBrains warns of new TeamCity auth bypass vulnerability Date: 2024-02-06 Author: Bleeping Computer JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction. AnyDesk says hackers breached its production servers, reset passwords Date: 2024-02-02 Author: Bleeping Computer AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack. AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access colocated servers. Critical Remote Code Execution Vulnerability Patched in Android Date: 2024-02-06 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0766] Google on Monday announced patches for 46 vulnerabilities in Android, including a critical-severity bug leading to remote code execution. The flaw, tracked as CVE-2024-0031 and impacting Android Open Source Project (AOSP) versions 11, 12, 12L, 13, and 14, was identified in the platform’s System component. “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google explains in its advisory. QNAP Patches High-Severity Bugs in QTS, Qsync Central Date: 2024-02-05 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Taiwan-based QNAP Systems has released patches for two dozen vulnerabilities across its products, including two high-severity flaws leading to command execution. The bugs, tracked as CVE-2023-45025 and CVE-2023-39297, are described as OS command injection flaws that impact QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first issue, QNAP says, can be exploited by users to execute commands via the network, under certain system configurations. The second bug requires authentication for successful exploitation, the company says. Critical vulnerability in Mastodon is pounced upon by fast-acting admins Date: 2024-02-02 Author: The Register Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers. With a 9.4 severity score, exploiting CVE-2024-23832 potentially allows attackers to take over Mastodon accounts remotely. While very little has been released by way of technical details – allowing admins time to patch before attackers devise exploits – vulnerabilities with such high CVSS scores tend to lead to severe consequences on the affected product and are often relatively easy to exploit. ASB-2024.0035.2 – UPDATE FortiSIEM AUSCERT has issued an advisory to its members regarding a critical flaw in Fortinet's FortiSIEM product. Initially, there were some confusions on this advisory as the vendor directed customers to a previously resolved issue from October last year. However, the confusion has since been cleared up. AUSCERT advises its members to follow the vendor's recommendations and promptly apply the necessary patches to address the issue. ESB-2024.0836 – ALERT Cisco Expressway Series: CVSS (Max): 9.6 Multiple vulnerabilities have been discovered in Cisco Expressway Series collaboration gateways, with two of them being classified as Critical. Cisco has taken action by releasing security updates to mitigate these vulnerabilities. ESB-2024.0766 – Android: CVSS (Max): 7.5* Google has recently made an announcement regarding the release of patches for 46 vulnerabilities found in Android. Among these vulnerabilities is a critical-severity bug that could potentially result in remote code execution. This particular flaw, identified as CVE-2024-0031, affects the Android Open Source Project. ESB-2024.0751 – WordPress: CVSS (Max): None WordPress has recently launched version 6.4.2, focusing on resolving 7 bug fixes in Core. Additionally, this release includes an important security fix. The users are advised to promptly update their sites to ensure optimal security and functionality. ESB-2024.0798 – Google Chrome: CVSS (Max): None Google has updated the Stable channel to 121.0.6167.160 for Mac and Linux and Windows will be rolled out over the coming days/weeks. This update includes 3 security fixes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, What better way to kickstart your cybersecurity goals this year by improving your knowledge with the most relevant strategies? This week, our team has been busy creating a schedule of training courses for our members to register for in 2024! Remember, the best way to get ahead of threats and attacks is to have the most relevant education and training in effective strategies to successfully mitigate cyber risks. Head to our Training page for more information on courses you can register for! Alternatively, contact us for more information at training@auscert.org.au. During a big week filled with security patches and updates, various vendors and platforms released fixes for different vulnerabilities. AUSCERT’s team of expert analysts worked diligently to issue bulletins, ensuring members were informed of the latest information. We specialise in vulnerability research, delivering consistently formatted bulletins across major platforms and vendors to streamline security patching. Once a patch for a vulnerability is publicly released by a vendor, it is recommended to apply it as soon as possible, as malicious actors are expected to start developing code to exploit it. Although with an abundance of updates flooding in daily, we understand the importance of prioritising effectively to ensure your resources are adequately utilised. Our security bulletins provide concise summaries, enabling quick comprehension of essential information, severity determination, and prioritisation of organisational patching efforts. Each vulnerability comes with a recommended resolution, including patching, upgrading, and mitigation suggestions. AUSCERT publishes Security Bulletins each business day, curating and checking content to ensure up-to-date information for our members. Members can also subscribe to the Daily Bulletins Digest, summarising all the Security Bulletins published throughout the day in a single email. If you would like to update your organisational Security Bulletins to the Daily Bulletins Digest simply email – membership@auscert.org.au. By maintaining clear and streamlined patch management processes and procedures, organisations can position themselves to act swiftly upon vulnerability announcements and patch releases. Strategy minimises the attack surface of systems, leading to an enhancement in your overall security posture. CVE-2024-20253 (CVSS 9.9): Cisco Unified Communications Products RCE Vulnerability Date: 2024-01-24 Author: Security Online [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0493.2] [AUSCERT has identified impacted members (where possible) and contacted them via email] Cisco has patched a critical Unified Communications and Contact Center Solutions security flaw that can let unauthenticated, remote attackers execute arbitrary code on an affected device. This security flaw is tracked as CVE-2024-20253. At the heart of CVE-2024-20253 lies a perilous gap in security: the improper handling of user-provided data as it is ingested into memory. This flaw opens the door for unauthenticated, remote attackers to craft and dispatch malicious messages to a listening port on vulnerable devices. Booking.com scams that look ‘so real’ have surged, costing Australians thousands of dollars Date: 2024-01-31 Author: ABC News Australia’s consumer rights watchdog has seen a sharp increase in Australians mentioning popular accommodation site Booking.com when they report experiencing or falling victim to a scam. Scam reports mentioning Booking.com significantly increased in 2023 and caused Australians to lose more than $337,000, according to the Australian Competition and Consumer Commission (ACCC). The ACCC said its Scamwatch program received 363 reports of scams in 2023 which mentioned Booking.com — one of the most visited travel booking sites in the world. CISA warns of patched iPhone kernel bug now exploited in attacks Date: 2024-01-31 Author: Bleeping Computer CISA warned today that a patched kernel security flaw affecting Apple iPhones, Macs, TVs, and watches is now being actively exploited in attacks. Tracked as CVE-2022-48618 and discovered by Apple’s security researchers, the bug was only disclosed on January 9th in an update to a security advisory published in December 2022. The company has yet to reveal if the vulnerability was also silently patched more than two years ago when the advisory was first issued. Bringing the Essential Eight into the Cloud Date: 2024-01-31 Author: Australian Cyber Security Magazine MIT Technology Review Insights named Australia the leader in its inaugural Cyber Defense Index country rankings for 2022-2023. In recent years, Australia has made some key moves to improve the country’s security posture. In 2020, they invested $1.67B as part of Cyber Security Strategy 2020. A year later, they updated maturity levels to the Essential Eight, their comprehensive guide for businesses trying to protect themselves against cyberattacks. In 2022, they appointed Clare O’Neil as their first-ever dedicated Minister for Cyber Security. Ransomware payments drop to record low as victims refuse to pay Date: 2024-01-29 Author: Bleeping Computer The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware. This trend became apparent in mid-2021 when the payment rate dropped to 46% after previously being 85% at the start of 2019. According to Coveware, the reason for this continual drop is multifaceted, including better preparedness by organizations, a lack of trust towards cybercriminals promising not to publish stolen data, and legal pressure in some regions where paying a ransom is illegal. ESB-2024.0667 – Google Chrome: CVSS (Max): None Google has updated Chrome to address multiple vulnerabilities ESB-2024.0714 – ALERT GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.9 GitLab has addressed several vulnerabilities including a critical with CVSS 9.9. The advisory was published on 25 January ESB-2024.0670 – Splunk Add-on Builder: CVSS (Max): 8.2 An Information disclosure vulnerability has been patched in Splunk Add-on Builder Stay safe, stay patched and have a good weekend! The AUSCERT team

In the digital age, data breaches have become an unfortunate reality, with cybercriminals constantly seeking vulnerabilities to gain unauthorized access to sensitive information. Recent incidents, such as the Mother of All Breaches and Naz.api, have highlighted the severity and potential consequences of leaked credential dumps. This article aims to provide insights into these incidents, their impact, and the importance of safeguarding personal information. Naz.api: Naz.api is a recent credential dump that gained attention in the cybersecurity community. The credentials are believed to have been obtained from credential stuffing lists and information-stealing malware logs. AUSCERT conducted a scan of the dump to identify credentials belonging to its members and has contacted the affected members through the Sensitive Information Alert (SIA) service. Mother of All Breaches: Mother of All Breaches (MOAB) is another dump that recently surfaced, revealing a vast collection of 26 billion records of user information from popular services like Twitter, Dropbox, LinkedIn, Adobe, Canva and Telegram. Although this is not a new breach, it is a compilation of earlier breaches. Nonetheless, the release of such sensitive information is highly concerning. Impact and Consequences: These credential dumps pose significant threats to both individuals and organizations. Cybercriminals could potentially exploit the leaked data for malicious purposes, including identity theft, phishing scams and targeted cyberattacks. It is crucial to remain vigilant and be on the lookout for any increased phishing attempts via email, text or other media. Protecting Against Credential Dumps: To mitigate the risks associated with credential dumps, individuals and organizations must practice good credential hygiene and adopt proactive security measures. Here are some essential steps to consider: Use unique and strong passwords: Avoid reusing passwords across multiple accounts and create strong, complex passwords. Multi-Factor Authentication (MFA): Enable MFA whenever possible to add an extra layer of security to your accounts. Regular Password Updates: Change passwords periodically to minimize the impact of potential breaches. Security Awareness: Stay informed about the latest cybersecurity threats and educate yourself and your employees about best practices for online security. Monitoring Services: Consider using monitoring services that can alert you if your credentials are found in a data breach. Websites like Have I Been Pwned (haveibeenpwned.com) can help you check if your email address or username has been compromised in known breaches.

Greetings, We have released a new podcast episode titled Security Culture. In this episode, Anthony sits down with Daisy Wong, AUSCERT's Diversity and Inclusion Champion for 2023 to talk about her unique experience and background which has helped her become a security culture advocate and champion. In the second half of the episode, Bek sits down with David Stockdale, Director of AUSCERT for an exciting announcement about a new recruitment opportunity for a General Manager at AUSCERT. Applications closing this Sunday January 28, so if you’re interested apply today! This week, the Australian federal government took decisive action by officially identifying and imposing sanctions on Russian citizen Aleksandr Ermakov, over his alleged involvement in the Medibank cyber attack. This ground-breaking move marks the government's first cyber crime sanction against a perpetrator, thereby clearly conveying the message that anonymity and impunity will not be tolerated in the realm of cyberspace in Australia. The Medibank cyber attack which occurred in 2022, had severe repercussions, involving the unauthorized acquisition of 9.7million records and inflicting a staggering financial toll of $46.4million on the insurer during the 2022-2023 financial year. This enforcement action underscores the government’s commitment to holding individuals accountable for cyber offenses and serves as a pivotal step in addressing the escalating challenges posed by cyber threats. The action aligns with the dedication outlined in the 2023-2030 Australian Cyber Security Strategy, highlighting the government’s determination to both deter and respond to malicious cyber activities through the strategic use of sanctions. Such measures underscore the imperative of robust cybersecurity initiatives and signal a proactive approach to safeguarding against future cyber threats. In conclusion, if you are looking for some reading over the long weekend, we highly recommend a publication by two friends of AUSCERT, Senior Lecturer from UQ, Ivano Bongiovanni, and UQ Research Officer Bert Valkenburg. They recently published a systematic review of literature on the Three Lines Model (TLM) research. This review contains practical indications for organizations interested in exploring the adoption of the TLM as a Cyber Governance framework. It also offers reflections on some current trends observed in the industry, such as the evolution of CISOs' roles and increased involvement by senior executives. Progress Software patches critical OpenEdge vulnerability Date: 2024-01-22 Author: iTnews Progress Software has disclosed a critical vulnerability in several versions of its Progress Application Server in OpenEdge (PASOE) software. According to an advisory, CVE-2023-40051 affects OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. “An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE," the advisory states. New NTLM Hash Leak Attacks Target Outlook, Windows Programs Date: 2024-01-22 Author: Security Week [AUSCERT has identified impacted members (where possible) and contacted them via email] Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said. Mother of all breaches – a historic data leak reveals 26 billion records: check what's exposed Date: 2024-01-24 Author: Cyber News The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered. There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases. Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks Date: 2024-01-18 Author: Security Week The Rapid SCADA open source industrial automation platform is affected by several vulnerabilities that could allow hackers to gain access to sensitive industrial systems, but the flaws remain unpatched. The US cybersecurity agency CISA published an advisory last week to inform industrial organizations about seven vulnerabilities discovered by Claroty researchers in Rapid SCADA. Rapid SCADA is advertised as ideal for developing monitoring and control systems, particularly industrial automation and IIoT systems, energy accounting systems, and process control systems. High-Severity Vulnerability Patched in Splunk Enterprise Date: 2024-01-23 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Splunk on Monday announced patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Tracked as CVE-2024-23678, the high-severity flaw is described as an issue related to incorrect sanitization of path input data resulting in “the unsafe deserialization of untrusted data from a separate disk partition on the machine”. Deserialization of untrusted data is a type of vulnerability allowing for the use of malformed data to cause denial of service, abuse application logic, or execute arbitrary code. Exploit released for Fortra GoAnywhere MFT auth bypass bug Date: 2024-01-23 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files. ESB-2024.0386 – VMWare: CVSS (Max): 9.8 VMware issued security updates to fix a critical vCenter Server vulnerability that is being exploited in the wild to gain remote code execution attacks on vulnerable servers. ESB-2024.0412 – Splunk Enterprise: CVSS (Max): 7.5 Splunk released patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Splunk advises its clients to upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher. ESB-2024.0426 – ALERT macOS Sonoma 14.3: CVSS (Max): None Apple has released new iOS 17.3 and macOS Sonoma 14.3 updates fix multiple vulnerabilities that expose Apple users to code execution, denial-of-service and data exposure attacks. Multiple WebKit vulnerabilities may have been exploited as zero-day in the wild. ESB-2024.0493 – ALERT Cisco Unified Communications Products: CVSS (Max): 9.9 Cisco has released software updates that address critical-rated RCE vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that if exploited could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Security Culture In this episode, AUSCERT features the following guests: Daisy Wong, FlyBuys David Stockdale, AUSCERT Anthony sits down with Daisy Wong, AUSCERT’s Diversity and Inclusion Champion for 2023 to talk about her unique experience and background which has helped her become a security culture advocate and champion. In the second half of the episode, Bek chats with David Stockdale, Director of AUSCERT for an exciting announcement about a new recruitment opportunity. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.