Week in review

AUSCERT Week in Review for 9th February 2024

Greetings, AUSCERT2024 registrations are now open – secure the early bird rates now! AUSCERT Member Tokens have been dispatched so make sure to utilise these great discounted and complimentary tickets. Our tutorial schedule offers a great selection of workshops covering diverse subjects like threat hunting, incident response, risk management, and machine learning. This year, we received the highest number of presentation submissions in the history of our conference! We're eagerly anticipating the program committee's selection of the best presentations for an exciting and informative program. Join us for an exceptional experience at AUSCERT2024! One of our favourite aspects of the conference is the chance to reconnect with our community. Each year, our goal is to curate a program featuring speakers who are experts and leaders in their fields, while also promoting diversity to ensure we incorporate different perspectives and mindsets. A notable highlight from AUSCERT2023 was the significant presence of outstanding female speakers in the program. Particularly impressive was keynote speaker Rachel Tobac, a globally renowned expert in social engineering. Speaking of social engineering, with Valentine’s Day approaching now is a great time to promote good cyber hygiene in your workplace and personal life. You can further bolster cyber security resilience in your workplace with a variety of new training courses we’ve recently added to our line-up, including the highly sought-after "Data Governance Principles and Practices." This course is designed to educate participants on the key components of a successful framework, covering best practices and real-world examples. Attendees will learn the essential skills and knowledge required to implement a successful data governance program in their organisations. Here’s some highlights from this week’s cyber security news: Critical Cisco bug exposes Expressway gateways to CSRF attacks Date: 2024-02-07 Author: Bleeping Computer [AUSCERT has identified impacted members (where possible) and contacted them via email] [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0836] Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated as critical severity and exposing vulnerable devices to cross-site request forgery (CSRF) attacks. Attackers can exploit CSRF vulnerabilities to trick authenticated users into clicking malicious links or visiting attacker-controlled webpages to perform unwanted actions such as adding new user accounts, executing arbitrary code, gaining admin privileges, and more. JetBrains warns of new TeamCity auth bypass vulnerability Date: 2024-02-06 Author: Bleeping Computer JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. Tracked as CVE-2024-23917, this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction. AnyDesk says hackers breached its production servers, reset passwords Date: 2024-02-02 Author: Bleeping Computer AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack. AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access colocated servers. Critical Remote Code Execution Vulnerability Patched in Android Date: 2024-02-06 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0766] Google on Monday announced patches for 46 vulnerabilities in Android, including a critical-severity bug leading to remote code execution. The flaw, tracked as CVE-2024-0031 and impacting Android Open Source Project (AOSP) versions 11, 12, 12L, 13, and 14, was identified in the platform’s System component. “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google explains in its advisory. QNAP Patches High-Severity Bugs in QTS, Qsync Central Date: 2024-02-05 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Taiwan-based QNAP Systems has released patches for two dozen vulnerabilities across its products, including two high-severity flaws leading to command execution. The bugs, tracked as CVE-2023-45025 and CVE-2023-39297, are described as OS command injection flaws that impact QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x. The first issue, QNAP says, can be exploited by users to execute commands via the network, under certain system configurations. The second bug requires authentication for successful exploitation, the company says. Critical vulnerability in Mastodon is pounced upon by fast-acting admins Date: 2024-02-02 Author: The Register Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers. With a 9.4 severity score, exploiting CVE-2024-23832 potentially allows attackers to take over Mastodon accounts remotely. While very little has been released by way of technical details – allowing admins time to patch before attackers devise exploits – vulnerabilities with such high CVSS scores tend to lead to severe consequences on the affected product and are often relatively easy to exploit. ASB-2024.0035.2 – UPDATE FortiSIEM AUSCERT has issued an advisory to its members regarding a critical flaw in Fortinet's FortiSIEM product. Initially, there were some confusions on this advisory as the vendor directed customers to a previously resolved issue from October last year. However, the confusion has since been cleared up. AUSCERT advises its members to follow the vendor's recommendations and promptly apply the necessary patches to address the issue. ESB-2024.0836 – ALERT Cisco Expressway Series: CVSS (Max): 9.6 Multiple vulnerabilities have been discovered in Cisco Expressway Series collaboration gateways, with two of them being classified as Critical. Cisco has taken action by releasing security updates to mitigate these vulnerabilities. ESB-2024.0766 – Android: CVSS (Max): 7.5* Google has recently made an announcement regarding the release of patches for 46 vulnerabilities found in Android. Among these vulnerabilities is a critical-severity bug that could potentially result in remote code execution. This particular flaw, identified as CVE-2024-0031, affects the Android Open Source Project. ESB-2024.0751 – WordPress: CVSS (Max): None WordPress has recently launched version 6.4.2, focusing on resolving 7 bug fixes in Core. Additionally, this release includes an important security fix. The users are advised to promptly update their sites to ensure optimal security and functionality. ESB-2024.0798 – Google Chrome: CVSS (Max): None Google has updated the Stable channel to 121.0.6167.160 for Mac and Linux and Windows will be rolled out over the coming days/weeks. This update includes 3 security fixes. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 2nd February 2024

Greetings, What better way to kickstart your cybersecurity goals this year by improving your knowledge with the most relevant strategies? This week, our team has been busy creating a schedule of training courses for our members to register for in 2024! Remember, the best way to get ahead of threats and attacks is to have the most relevant education and training in effective strategies to successfully mitigate cyber risks. Head to our Training page for more information on courses you can register for! Alternatively, contact us for more information at training@auscert.org.au. During a big week filled with security patches and updates, various vendors and platforms released fixes for different vulnerabilities. AUSCERT’s team of expert analysts worked diligently to issue bulletins, ensuring members were informed of the latest information. We specialise in vulnerability research, delivering consistently formatted bulletins across major platforms and vendors to streamline security patching. Once a patch for a vulnerability is publicly released by a vendor, it is recommended to apply it as soon as possible, as malicious actors are expected to start developing code to exploit it. Although with an abundance of updates flooding in daily, we understand the importance of prioritising effectively to ensure your resources are adequately utilised. Our security bulletins provide concise summaries, enabling quick comprehension of essential information, severity determination, and prioritisation of organisational patching efforts. Each vulnerability comes with a recommended resolution, including patching, upgrading, and mitigation suggestions. AUSCERT publishes Security Bulletins each business day, curating and checking content to ensure up-to-date information for our members. Members can also subscribe to the Daily Bulletins Digest, summarising all the Security Bulletins published throughout the day in a single email. If you would like to update your organisational Security Bulletins to the Daily Bulletins Digest simply email – membership@auscert.org.au. By maintaining clear and streamlined patch management processes and procedures, organisations can position themselves to act swiftly upon vulnerability announcements and patch releases. Strategy minimises the attack surface of systems, leading to an enhancement in your overall security posture. CVE-2024-20253 (CVSS 9.9): Cisco Unified Communications Products RCE Vulnerability Date: 2024-01-24 Author: Security Online [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0493.2] [AUSCERT has identified impacted members (where possible) and contacted them via email] Cisco has patched a critical Unified Communications and Contact Center Solutions security flaw that can let unauthenticated, remote attackers execute arbitrary code on an affected device. This security flaw is tracked as CVE-2024-20253. At the heart of CVE-2024-20253 lies a perilous gap in security: the improper handling of user-provided data as it is ingested into memory. This flaw opens the door for unauthenticated, remote attackers to craft and dispatch malicious messages to a listening port on vulnerable devices. Booking.com scams that look ‘so real’ have surged, costing Australians thousands of dollars Date: 2024-01-31 Author: ABC News Australia’s consumer rights watchdog has seen a sharp increase in Australians mentioning popular accommodation site Booking.com when they report experiencing or falling victim to a scam. Scam reports mentioning Booking.com significantly increased in 2023 and caused Australians to lose more than $337,000, according to the Australian Competition and Consumer Commission (ACCC). The ACCC said its Scamwatch program received 363 reports of scams in 2023 which mentioned Booking.com — one of the most visited travel booking sites in the world. CISA warns of patched iPhone kernel bug now exploited in attacks Date: 2024-01-31 Author: Bleeping Computer CISA warned today that a patched kernel security flaw affecting Apple iPhones, Macs, TVs, and watches is now being actively exploited in attacks. Tracked as CVE-2022-48618 and discovered by Apple’s security researchers, the bug was only disclosed on January 9th in an update to a security advisory published in December 2022. The company has yet to reveal if the vulnerability was also silently patched more than two years ago when the advisory was first issued. Bringing the Essential Eight into the Cloud Date: 2024-01-31 Author: Australian Cyber Security Magazine MIT Technology Review Insights named Australia the leader in its inaugural Cyber Defense Index country rankings for 2022-2023. In recent years, Australia has made some key moves to improve the country’s security posture. In 2020, they invested $1.67B as part of Cyber Security Strategy 2020. A year later, they updated maturity levels to the Essential Eight, their comprehensive guide for businesses trying to protect themselves against cyberattacks. In 2022, they appointed Clare O’Neil as their first-ever dedicated Minister for Cyber Security. Ransomware payments drop to record low as victims refuse to pay Date: 2024-01-29 Author: Bleeping Computer The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware. This trend became apparent in mid-2021 when the payment rate dropped to 46% after previously being 85% at the start of 2019. According to Coveware, the reason for this continual drop is multifaceted, including better preparedness by organizations, a lack of trust towards cybercriminals promising not to publish stolen data, and legal pressure in some regions where paying a ransom is illegal. ESB-2024.0667 – Google Chrome: CVSS (Max): None Google has updated Chrome to address multiple vulnerabilities ESB-2024.0714 – ALERT GitLab Community Edition and Enterprise Edition: CVSS (Max): 9.9 GitLab has addressed several vulnerabilities including a critical with CVSS 9.9. The advisory was published on 25 January ESB-2024.0670 – Splunk Add-on Builder: CVSS (Max): 8.2 An Information disclosure vulnerability has been patched in Splunk Add-on Builder Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

Understanding the Threat

In the digital age, data breaches have become an unfortunate reality, with cybercriminals constantly seeking vulnerabilities to gain unauthorized access to sensitive information. Recent incidents, such as the Mother of All Breaches and Naz.api, have highlighted the severity and potential consequences of leaked credential dumps. This article aims to provide insights into these incidents, their impact, and the importance of safeguarding personal information. Naz.api: Naz.api is a recent credential dump that gained attention in the cybersecurity community. The credentials are believed to have been obtained from credential stuffing lists and information-stealing malware logs. AUSCERT conducted a scan of the dump to identify credentials belonging to its members and has contacted the affected members through the Sensitive Information Alert (SIA) service. Mother of All Breaches: Mother of All Breaches (MOAB) is another dump that recently surfaced, revealing a vast collection of 26 billion records of user information from popular services like Twitter, Dropbox, LinkedIn, Adobe, Canva and Telegram. Although this is not a new breach, it is a compilation of earlier breaches. Nonetheless, the release of such sensitive information is highly concerning. Impact and Consequences: These credential dumps pose significant threats to both individuals and organizations. Cybercriminals could potentially exploit the leaked data for malicious purposes, including identity theft, phishing scams and targeted cyberattacks. It is crucial to remain vigilant and be on the lookout for any increased phishing attempts via email, text or other media. Protecting Against Credential Dumps: To mitigate the risks associated with credential dumps, individuals and organizations must practice good credential hygiene and adopt proactive security measures. Here are some essential steps to consider: Use unique and strong passwords: Avoid reusing passwords across multiple accounts and create strong, complex passwords. Multi-Factor Authentication (MFA): Enable MFA whenever possible to add an extra layer of security to your accounts. Regular Password Updates: Change passwords periodically to minimize the impact of potential breaches. Security Awareness: Stay informed about the latest cybersecurity threats and educate yourself and your employees about best practices for online security. Monitoring Services: Consider using monitoring services that can alert you if your credentials are found in a data breach. Websites like Have I Been Pwned (haveibeenpwned.com) can help you check if your email address or username has been compromised in known breaches.

Learn more

Week in review

AUSCERT Week in Review for 25th January 2024

Greetings, We have released a new podcast episode titled Security Culture. In this episode, Anthony sits down with Daisy Wong, AUSCERT's Diversity and Inclusion Champion for 2023 to talk about her unique experience and background which has helped her become a security culture advocate and champion. In the second half of the episode, Bek sits down with David Stockdale, Director of AUSCERT for an exciting announcement about a new recruitment opportunity for a General Manager at AUSCERT. Applications closing this Sunday January 28, so if you’re interested apply today! This week, the Australian federal government took decisive action by officially identifying and imposing sanctions on Russian citizen Aleksandr Ermakov, over his alleged involvement in the Medibank cyber attack. This ground-breaking move marks the government's first cyber crime sanction against a perpetrator, thereby clearly conveying the message that anonymity and impunity will not be tolerated in the realm of cyberspace in Australia. The Medibank cyber attack which occurred in 2022, had severe repercussions, involving the unauthorized acquisition of 9.7million records and inflicting a staggering financial toll of $46.4million on the insurer during the 2022-2023 financial year. This enforcement action underscores the government’s commitment to holding individuals accountable for cyber offenses and serves as a pivotal step in addressing the escalating challenges posed by cyber threats. The action aligns with the dedication outlined in the 2023-2030 Australian Cyber Security Strategy, highlighting the government’s determination to both deter and respond to malicious cyber activities through the strategic use of sanctions. Such measures underscore the imperative of robust cybersecurity initiatives and signal a proactive approach to safeguarding against future cyber threats. In conclusion, if you are looking for some reading over the long weekend, we highly recommend a publication by two friends of AUSCERT, Senior Lecturer from UQ, Ivano Bongiovanni, and UQ Research Officer Bert Valkenburg. They recently published a systematic review of literature on the Three Lines Model (TLM) research. This review contains practical indications for organizations interested in exploring the adoption of the TLM as a Cyber Governance framework. It also offers reflections on some current trends observed in the industry, such as the evolution of CISOs' roles and increased involvement by senior executives. Progress Software patches critical OpenEdge vulnerability Date: 2024-01-22 Author: iTnews Progress Software has disclosed a critical vulnerability in several versions of its Progress Application Server in OpenEdge (PASOE) software. According to an advisory, CVE-2023-40051 affects OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. “An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE," the advisory states. New NTLM Hash Leak Attacks Target Outlook, Windows Programs Date: 2024-01-22 Author: Security Week [AUSCERT has identified impacted members (where possible) and contacted them via email] Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs. The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said. Mother of all breaches – a historic data leak reveals 26 billion records: check what's exposed Date: 2024-01-24 Author: Cyber News The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered. There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases. Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks Date: 2024-01-18 Author: Security Week The Rapid SCADA open source industrial automation platform is affected by several vulnerabilities that could allow hackers to gain access to sensitive industrial systems, but the flaws remain unpatched. The US cybersecurity agency CISA published an advisory last week to inform industrial organizations about seven vulnerabilities discovered by Claroty researchers in Rapid SCADA. Rapid SCADA is advertised as ideal for developing monitoring and control systems, particularly industrial automation and IIoT systems, energy accounting systems, and process control systems. High-Severity Vulnerability Patched in Splunk Enterprise Date: 2024-01-23 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Splunk on Monday announced patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Tracked as CVE-2024-23678, the high-severity flaw is described as an issue related to incorrect sanitization of path input data resulting in “the unsafe deserialization of untrusted data from a separate disk partition on the machine”. Deserialization of untrusted data is a type of vulnerability allowing for the use of malformed data to cause denial of service, abuse application logic, or execute arbitrary code. Exploit released for Fortra GoAnywhere MFT auth bypass bug Date: 2024-01-23 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files. ESB-2024.0386 – VMWare: CVSS (Max): 9.8 VMware issued security updates to fix a critical vCenter Server vulnerability that is being exploited in the wild to gain remote code execution attacks on vulnerable servers. ESB-2024.0412 – Splunk Enterprise: CVSS (Max): 7.5 Splunk released patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances. Splunk advises its clients to upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher. ESB-2024.0426 – ALERT macOS Sonoma 14.3: CVSS (Max): None Apple has released new iOS 17.3 and macOS Sonoma 14.3 updates fix multiple vulnerabilities that expose Apple users to code execution, denial-of-service and data exposure attacks. Multiple WebKit vulnerabilities may have been exploited as zero-day in the wild. ESB-2024.0493 – ALERT Cisco Unified Communications Products: CVSS (Max): 9.9 Cisco has released software updates that address critical-rated RCE vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products that if exploited could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 19th January 2024

Greetings, This week, AUSCERT has been busy finalising our member meet-up schedule for 2024! Keep an eye out for invitations coming out soon for a catch-up in your local area! They offer invaluable moments of sharing industry expertise, knowledge sharing, and the chance to connect with old friends while making new ones within the cyber security industry. In cyber news this week, customers of some of Australia’s well-known brands including Dan Murphy’s, Binge, Guzman y Gomez, and Event Cinemas have fallen victim to a coordinated credential stuffing attack, affecting an estimated 15,000 customers. Scammers acquired stolen login details and are exploiting online accounts to conduct fraudulent transactions, accumulating thousands in online purchases. Prime Minister Anthony Albanese emphasized the critical importance of cyber awareness and security during the recent wave of cybercrimes, highlighting the significant threat to Australia and its economic security. A credential stuffing attack like this one involves the use of large sets of username and password combinations obtained from previous data breaches to gain unauthorised access to user accounts on various online platforms. Attackers use automated tools or scripts to test stolen credentials to gain access into different websites or services. If the login attempt is successful, the attacker gains unauthorised access to the user’s account. Attackers may then exploit the compromised account for various malicious activities such as stealing personal information, making unauthorised transactions or launching further attacks. Here are a few helpful tips to protect against credential stuffing attacks: • Reuse of Credentials: – While using strong passwords, passphrases, and password managers is crucial, it's equally important to avoid using the same credentials across multiple platforms. In the event of a data breach on one site or any alternative compromise, your username and password could be exposed, leaving you susceptible to credential-stuffing attacks on other sites. • Enable Multi-Factor Authentication (MFA): – If possible, enabling MFA adds an additional layer of security by requiring a second form of verification along with password. • Regularly Update Passwords: – Users should regularly update their passwords to reduce the risk associated with compromised credentials. • Rate Limiting & CAPTCHA: – Online platforms can implement rate limiting to detect and prevent multiple logins. Additionally CAPTCHA challenges can help stop automated attempts. The above steps are simple ways to enhance your cyber security posture for 2024! GitLab warns of critical zero-click account hijacking vulnerability Date: 2024-01-12 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0272] GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if there is "no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.” Patch now: Critical VMware, Atlassian flaws found Date: 2024-01-16 Author: The Register [AUSCERT has identified the impacted members for Confluence products (where possible) and contacted them via email] [Also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.0290 (Confluence) and https://portal.auscert.org.au/bulletins/ESB-2024.0292 (VMware)] VMware and Atlassian today disclosed critical vulnerabilities and, while neither appear to have been exploited by miscreants yet, admins should patch now to avoid disappointment. First off, a pair of issues from Atlassian. Most serious is CVE-2023-22527, a template injection flaw that can allow unauthenticated remote code execution (RCE) attacks. It scored a perfect CVSS rating of 10 out of 10 and affects Confluence Data Center and Server 8 versions released before December 5, 2023 and 8.4.5, which no longer receives fixes. Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks Date: 2024-01-15 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Security researchers have found over 178,000 SonicWall next-generation firewalls (NGFW) with the management interface exposed online are vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks. These appliances are affected by two DoS security flaws tracked as CVE-2022-22274 and CVE-2023-0656, the former also allowing attackers to gain remote code execution. Google Warns of Chrome Browser Zero-Day Being Exploited Date: 2024-01-16 Author: Security Week [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0293] Google has pushed out an urgent Chrome browser update to fix a trio of high-severity security defects and warned that one of the bugs is already being exploited in the wild. The exploited zero-day, tagged as CVE-2024-0519, is described as an out-of-bounds memory access issue in the V8 JavaScript engine. As is customary, Google did not provide any additional details on scope of the observed attacks or share telemetry to help defenders hunt for signs of compromise. Citrix warns of new Netscaler zero-days exploited in attacks Date: 2024-01-16 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0318] Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities. The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively. However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access. Have I Been Pwned adds 71 million emails from Naz.API stolen account list Date: 2024-01-17 Author: Bleeping Computer Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. ASB-2024.0027 – Oracle MySQL: CVSS (Max): 9.8 Oracle has identified multiple vulnerabilities in MySQL and advised that 12 of the vulnerabilities may be remotely exploitable without authentication. ESB-2024.0318 – NetScaler: CVSS (Max): 8.2 Citrix has warned of two critical zero-day vulnerabilities that have active exploitations in the wild. Tracked as CVE-2023-6548 and CVE-2023-6549, the vulnerabilities allow remote code execution and denial-of-service attacks on the affected devices. ESB-2024.0293 – Google Chrome: CVSS (Max): 7.5 Google has pushed out an urgent Chrome browser update to fix three high-severity security defects and advised that one of the bugs, tracked as CVE-2024-0519 is already being exploited in the wild. ESB-2024.0292 – VMware Products: CVSS (Max): 9.9 Tagged as CVE-2023-34063, missing access control problem in Aria Automation earlier of 8.16 has been reported. With a CVSS rating of 9.9 this flaw may allow unauthorized access to remote organizations and workflows. ESB-2024.0290 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 10.0 Template injection flaw that can allow unauthenticated remote code execution has been identified in Confluence Data Center and Server. Tracked as CVE-2023-22527, the flaw scored a CVSS rating of 10 out of 10. ESB-2024.0272 – ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities. The most critical issue is the account hijacking with no user interaction vulnerability with the maximum severity score and is being tracked as CVE-2023-7028. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 12th January 2024

Greetings, As the new year is in full swing, and many of us have returned to work, now is a great time to commence the development of our organisational goals and objectives for the year. Cyber security practices should stand as a fundamental pillar within all organisations, given the increased frequency and heightened sophistication of cyber attacks. This week, Microsoft initiated their first Patch Tuesday of the new year, addressing various flaws and vulnerabilities. This serves as a timely reminder for the new year to stay secure and keep your systems patched by addressing these vulnerabilities. Small and medium sized businesses are often the most severely impacted when targeted in cyber attacks. Even a minor incident can have devastating consequences, resulting in significant losses that may be challenging to recover from. Employing robust cyber security measures is crucial for safeguarding financial stability, reputation and ensuring business continuity. The ASD has released a helpful guide for small businesses, offering valuable insights into basic security measures to protect against common security threats. To better prepare consumers, NAB scam experts have shared their top tips to spot the red flags of scam trends predicted to impact Australians in 2024. According to the bank’s fraud and cyber security experts, emerging scams to watch out for include AI voice scams and QR code phishing. The top six scams to be vigilant of: AI voice impersonation scams Term deposit investment scams Remote access scams using chat Romance scams Ticket scams QR code phishing scams NAB has reported a significant rise in AI voice scams, emphasizing the need for heightened vigilance in 2024. These scams can be created with as little as three seconds of audio sources from social media posts, voicemails or videos on websites. It is crucial to stay vigilant and promptly report any red flags. NAB has implemented a comprehensive bank-wide strategy to address the global scam epidemic. Make sure to read through it and ensure you are familiar with all the key points! Cisco says critical Unity Connection bug lets attackers get root Date: None Author: Bleeping Computer [Please also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.0247 and https://portal.auscert.org.au/bulletins/ESB-2024.0249 ] Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support. Ivanti patches two exploited zero-day bugs Date: None Author: iTnews [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti is warning users against two zero-day vulnerabilities in its Connect Secure VPN devices after they were discovered and disclosed by security researchers from Volexity. Volexity spotted the vulnerabilities while analysing a system that was attacked by a group it dubbed “UTA0178”, which it has “reason to believe … is a Chinese nation-state level threat actor”. The bugs, described here, comprise an authentication bypass and a command injection bug, which can be chained together. Critical Xwiki vulnerability risks RCE attacks Date: None Author: Cyber News Xwiki, an application development platform, has a critical vulnerability that could open it up for remote code execution (RCE) attacks. Xwiki is vulnerable to remote code execution (RCE) attacks through its user registration feature. The vulnerability, tracked as CVE-2024-21650 allows an attacker to execute arbitrary code by crafting malicious payloads in the “first name” or “last name” fields during user registration. Ivanti warns critical EPM bug lets hackers hijack enrolled devices Date: None Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server. Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems. The security flaw (tracked as CVE-2023-39366) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5. Cybersecurity trends and challenges to watch out for in 2024 Date: None Author: We Live Security What are some of the key cybersecurity trends that people and organizations should have on their radars this year? As 2024 dawns, it's time to look ahead to the challenges that are set to face people and organizations across the world this year. In this week's video, ESET Chief Security Evangelist Tony Anscombe looks at: how the upcoming presidential election in the US comes into play why small and medium-sized businesses in particular should be on their guard the ransomware landscape the AI cybersecurity conundrum expected developments in cybersecurity legislation Android’s January 2024 Security Update Patches 58 Vulnerabilities Date: None Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0092] The first part of Android’s January 2024 update, which arrives on devices as the 2024-01-01 security patch level, addresses ten security holes in the Framework and System components, all rated ‘high severity’. “The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google notes in its advisory. ESB-2024.0219 – ALERT Security Director Insights: CVSS (Max): 10.0 Juniper Networks has released Security Director Insights 23.1R1 to address critical vulnerabilities in 3rd party libraries. Juniper Networks has also released information on how to mitigate the issues. ESB-2024.0149 – Splunk Enterprise Security: CVSS (Max): 9.8 Splunk Enterprise Security Third-Party Package Updates for January 2024 fix common vulnerabilities and exposures identified in Third Party Packages. Splunk administrators are urged to update Splunk Enterprise Security to versions 7.1.2, 7.2.0, 7.3.0 or higher. ASB-2024.0008 – Microsoft Windows Products: CVSS (Max): 9.0* Microsoft's first patch update for the new year resolves 40 vulnerabilities across Windows and Windows Server. This includes two critical Security Feature Bypass and Remote Code Execution flaws. ESB-2024.0249 – ALERT Cisco Unity Connection: CVSS (Max): 7.3 Cisco Systems has released patches to address a critical vulnerability in the Unity Connection unified messaging and voicemail solution. This vulnerability, identified as CVE-2024-20272, has the potential to be remotely exploited without authentication. If successfully exploited, it could allow unauthorized individuals to upload arbitrary files, execute commands on the underlying operating system, and gain elevated privileges to root. ESB-2024.0171 – Adobe Substance 3D Stager: CVSS (Max): 5.5 Adobe has recently released an update for Adobe Substance 3D Stager that targets and resolves significant vulnerabilities. These vulnerabilities, if successfully exploited, could result in memory leaks and the execution of arbitrary code within the current user's context. It is highly recommended to install this update to ensure the security and stability of Adobe Substance 3D Stager. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Member information

Membership Services and Benefits

Membership Services and Benefits AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We’ll help you prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland, AUSCERT provides a range of comprehensive services to strengthen your cyber security strategy. AUSCERT services are split across three capability pillars: Incident Support, Vulnerability Management and Threat Intelligence. These services are all included in AUSCERT Membership. Incident Support Incident Support – Assists your organisation to detect, interpret and respond to attacks from around the world. Includes access to our highly skilled team of analysts and developers who are available through email, Slack or a 24/7 hotline. Phishing Takedown – Designed to help your organisation with targeted phishing, spear phishing and whaling attacks. Vulnerability Management Security Bulletins – Provides information on threats and vulnerabilities affecting a range of platforms, applications and devices. Member Security Incident Notifications – Customised composite security report containing incident notifications relevant to your organisation’s domains and IP ranges. Proactively informs about security incidents affecting your organisation’s data, systems or networks. Early Warning SMS – Receive SMS notifications for the most critical security threats and vulnerabilities. Threat Intelligence AusMISP – Our MISP service provides threat indicators acquired from trusted communities and organisations to enhance your cyber security posture. Malicious URL Feed – AUSCERT provides a list of active phishing, malware, malware logging or mule recruitment web sites which can added to your firewall blacklist. Sensitive Information Alert – Alert notification for sensitive material and breached credentials found online by our analyst team which specifically targets your organisation. Additional Benefits Member benefits for the annual AUSCERT Cyber Security Conference, Australia’s longest running information security conference. The next conference will be held in May 2025 at The Star Gold Coast. Further details are available here: https://conference.auscert.org.au/ Reduced registration price (available to all members) 50% off one conference registration or 1-day registration (small members) One or more conference registrations (medium members and above). Member pricing for AUSCERT’s range of cyber security training courses. Course information, pricing and calendar are available here: https://auscert.org.au/services/training/ Access to AUSCERT member meetups, workshops and events. Download AUSCERT Membership Services & Benefits (PDF)

Learn more

Week in review

AUSCERT Week in Review for 5th January 2024

Greetings, As the calendar turns the page to the dawn of 2024 a sense of excitement and anticipation fills the air. The arrival of the new year symbolises a journey towards development and progression for every one of us. We stand prepared to embrace new challenges, learn from the past and propel ourselves forward into an era of growth and prosperity. Just as individuals set resolutions for the new year to pursue good health and fortune, businesses must also create resolutions for improved cybersecurity practices. In our rapidly evolving digital ecosystem, the year ahead promises both ground-breaking strides and the continuous evolution of technology advancements. As organisations gear up to defend against ever-more-sophisticated cyber threats, the role of artificial intelligence and machine learning has elevated threats to new heights. Collaboration is a cornerstone in the cyber realm, as information sharing among industries, governments, and security communities becomes integral to staying one step ahead of cyber threats. The exchange of threat intelligence, best practices and incident response strategies becomes integral to creating a resilient defence ecosystem. The start of 2024 emphasizes the need for a united front against cyber-attacks, as threats become increasingly borderless and interconnected. Therefore our theme for AUSCERT2024 is “Pay it Forward,” as it highlights the importance of passing it forward by demonstrating how shared knowledge and collaboration can create a ripple effect, strengthening the entire field of cyber security. Cyber Conferences serve as an invaluable platform to cultivate new relationships, establish improved communication channels, and facilitate information sharing across organisations and the broader community. Join us at AUSCERT2024 and discover the power of amplifying your impact in the realm of cyber security. The theme for this year highlights the significant influence that everyone’s action can carry within the broader cyber community. We are already hard at work, developing a ground-breaking program of tutorials and presentations, so keep your eyes peeled for more updates. Please note Call for Presentations closes on the 29th of January. We encourage you to submit as soon as possible! Critical Apache OFBiz Vulnerability in Attacker Crosshairs Date: 2024-01-29 Author: Security Week [Please also see AUSCERT bulletin: ASB-2024.0001.2 ] The Shadowserver Foundation has been seeing attempts to exploit a critical vulnerability affecting the Apache OFBiz open source enterprise resource planning (ERP) system. Apache OFBiz is leveraged by several ERP and other types of projects, including the widely used Atlassian Jira issue tracking and project management software. The nonprofit cybersecurity organization Shadowserver reported seeing signs of in-the-wild exploitation for an Apache OFBiz vulnerability tracked as CVE-2023-49070 shortly after details of a different OFBiz bug, CVE-2023-51467, were disclosed by SonicWall. Barracuda Zero-Day Used to Target Government, Tech Organizations in US, APJ Date: 2024-01-28 Author: Security Week [ AUSCERT has shared the indicators of compromise associated with CVE-2023-7102 through MISP.] The recently disclosed vulnerability affecting Barracuda Email Security Gateway (ESG) appliances has been exploited as a zero-day to target government, high-tech and IT organizations, according to Mandiant. The ESG vulnerability, tracked as CVE-2023-7102, is an arbitrary code execution flaw impacting ‘Spreadsheet::ParseExcel’, an open source library used by ESG devices to check Excel email attachments for malware Victoria State's court suffers 'unsettling' and 'distressing' cyber hack Date: 2024-01-02 Author: 9 News Victoria's court system has confirmed that it suffered a cyberattack, with bosses admitting it could be "unsettling" and "distressing" for those affected. ďťżCourt Services Victoria said "unauthorised access" was gained to the courts audiovisual technology network just before Christmas. It means hackers have got hold of some video and audio recordings as well as transcriptions of court proceedings from between November 1 and December 21. Mandiant’s account on X hacked to push cryptocurrency scam Date: 2024-01-03 Author: Bleeping Computer The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. "We are aware of the incident impacting the Mandiant X account and are working to resolve the issue," a Mandiant spokesperson told BleepingComputer. The law enforcement operations targeting cybercrime in 2023 Date: 2024-01-01 Author: Bleeping Computer In 2023, we saw numerous law enforcement operations targeting cybercrime operations, including cryptocurrency scams, phishing attacks, credential theft, malware development, and ransomware attacks. While some of these operations were more successful than others, law enforcement has been increasingly using hack-back tactics to infiltrate operations and disrupt them. 21 New Mac Malware Families Emerged in 2023 Date: 2024-01-03 Author: Security Week A total of 21 new malware families designed to target macOS systems were discovered in 2023, according to Patrick Wardle, a researcher specializing in the security of Apple devices. Wardle has published a blog post analyzing the new malware families that emerged last year and the total number represents an increase of over 50% compared to 2022. For each of the new malware families, Wardle’s blog describes the infection vector, persistence mechanism, features, and purpose. Malware samples have also been made available. ASB-2024.0001 – Apache OFBiz AUSCERT has recently issued its initial ASB for the year, which highlights an important security concern. The bulletin addresses an Authentication Bypass vulnerability, identified as CVE-2023-51467, affecting Apache OfBiz. To ensure the safety of your systems, AUSCERT strongly advises its members who utilize OfBiz to promptly update to the recommended version. ESB-2024.0093 – Google Chrome: CVSS (Max): None Several vulnerabilities have been discovered in Google Chrome. These vulnerabilities have the potential to be exploited by remote attackers, leading to remote code execution and denial of service of the affected system. Google has released patches to mitigate these issues. ESB-2024.0092 – Android: CVSS (Max): 9.8* Multiple vulnerabilities have been identified in Android devices, with one of the most critical being a high-security vulnerability found in the Framework component. This particular vulnerability has the potential to result in a local escalation of privilege, requiring no additional execution privileges. It is crucial to address this issue promptly to ensure the security of the Android devices. ESB-2024.0096 – IBM Cloud Pak System Software: CVSS (Max): 9.8 IBM has recently released an advisory reporting a vulnerability in its WebSphere Application Server Pattern which can impact IBM Cloud Pak System. IBM has released updates to address the issue. ESB-2024.0108 – Rockwell Automation FactoryTalk Activation: CVSS (Max): 9.8 An Out-of-Bounds Write flaw has been detected in Rockwell Automation's FactoryTalk Activation Manager, which if exploited could result in an attacker gaining full access to the system. Users of the affected software are strongly recommended to promptly implement the necessary risk mitigations. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 22nd December 2023

Greetings, As the final workday is here, we can’t help but reflect on the incredible year we’ve had! AUSCERT2023 stands out as a massive success, featuring world-renowned speakers such as the impressive Rachel Tobac, who shared valuable insights on the importance of social engineering. If you wish to revisit any treasured memories from this year’s conference remember that the recordings are available on our YouTube channel. Fond memories were forged with our valued members across various cities, as we engaged in discussions about our services and exchanged valuable feedback. Notably, celebrating the milestone of turning 30 added another layer of significance to this remarkable year. Our 30 Years 30 Stories campaign, made this even more special as we shared beautiful stories from our valued community, members, and staff. As we persist in our journey of growth and prosperity, we eagerly anticipate what the next year holds for us. Heartfelt thanks to everyone who contributed to making this year truly unforgettable. If you are looking for something interesting to listen to while you wrap up your day, we have released a new episode of ‘Share Today Save Tomorrow’ this week! In episode 29, Anthony sits down with former AUSCERT employee Chris from Cosive to discuss Cyber Threat Intelligence, emphasizing the importance of information and why context matters so much. Also to conclude, a friendly reminder to our members that our 24/7 hotline will remain open if any emergencies arise over the break. We will be staffing it as usual, so please don’t hesitate to reach out! 3CX Urges Customers to Disable Integration Due to Potential Vulnerability Date: 2023-12-18 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Business communication company 3CX is urging customers to disable SQL database integrations to prevent a vulnerability that occurs in certain configurations. In a security advisory published on Friday, the company revealed that 3CX versions 18 and 20 are impacted by an integration bug. “Only 0.25% of our user base have sequel integrated. It’s an old-style integration meant for an on-premise firewall secured network. Nevertheless, if you are using an SQL database integration, it’s subject potentially to a vulnerability – depending upon the configuration,” the company said. Before you go away for Xmas: You've patched that critical Perforce Server hole, right? Date: 2023-12-19 Author: The Register Four vulnerabilities in Perforce Helix Core Server, including one critical remote code execution bug, should be patched "immediately," according to Microsoft, which spotted the flaws and disclosed them to the software vendor. Perforce Server is a source code management platform used across gaming, government, military, and tech sectors. Microsoft operates GitHub, also a widely used source code management platform, among other services that compete against Perforce. Ivanti releases patches for 13 critical Avalanche RCE flaws Date: 2023-12-20 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution. Avalanche allows admins to manage over 100,000 mobile devices from a single, central location over the Internet, deploy software, and schedule updates. As Ivanti explained on Wednesday, these security flaws are due to WLAvalancheService stack or heap-based buffer overflow weaknesses reported by Tenable security researchers and Trend Micro's Zero Day Initiative. Google fixes 8th Chrome zero-day exploited in attacks this year Date: 2023-12-20 Author: Bleeping Computer [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.7619] Google has released emergency updates to fix another Chrome zero-day vulnerability exploited in the wild, the eighth patched since the start of the year. "Google is aware that an exploit for CVE-2023-7024 exists in the wild," a security advisory published Wednesday said. The company fixed the zero-day bug for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows users (120.0.6099.129/130) and Mac and Linux users (120.0.6099.129) one day after being reported to Google. Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds Date: 2023-12-16 Author: The Hacker News Dec 16, 2023 Newsroom Online Security / Cybercrime Holiday Gift Card Frauds Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens ESB-2023.7574 – Adobe Experience Manager (AEM) Forms on JEE: CVSS (Max): 9.8 Adobe has recently issued security updates for AEM Forms on JEE versions 6.5.19.0 and earlier. These updates address a critical vulnerability that, if exploited, could potentially result in arbitrary code execution. ESB-2023.7491.2 – UPDATE Cisco Products: CVSS (Max): 9.8 Cisco has advised that it is investigating its product line to identify any potential impact from the vulnerability in Apache Struts. As a part of this effort, a table of vulnerable products has been added to the advisory that was initially released on 14 December 2023. ESB-2023.7619 – Google Chrome: CVSS (Max): None Google has released emergency updates to fix a zero-day vulnerability in Google Chrome that may be exploited in the wild. It is strongly recommended to apply these updates to protect against any potential threats. ESB-2023.7573 – Apache Struts: CVSS (Max): 9.8 While F5 products remain unaffected by the Apache Struts vulnerability (CVE-2023-50164), F5 Networks has still released an advisory regarding this vulnerability due to its critical nature. This proactive measure aims to inform and raise awareness among users about the potential risks associated with the vulnerability. ESB-2023.7616 – macOS Sonoma: CVSS (Max): None A session rendering issue has been resolved through improved session tracking in macOS Sonoma 14.2.1. This update addresses the issue where users who share their screen may unintentionally share incorrect content. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Mark Chin Valuing the trusted and easily accessible information provided by AUSCERT, Mark Chin reflects on why he remains an AUSCERT member. As a Security Specialist at Carsales.com, receiving up-to-date information regarding threats and phishing tactics is a must. Mark recommends all organisations do their research into the services AUSCERT provides. How did you first become involved with AUSCERT? Initially, I learned of AUSCERT through my organisation’s membership. At first I didn’t know what membership entailed, until my colleagues showed me how to request phishing domain takedowns with AUSCERT. That’s how I initially started engaging with AUSCERT, and they’ve been great ever since. Having someone who can investigate suspicious emails or share them amongst their community to triage a solution has been amazing. What AUSCERT service do you use the most? Apart from the phishing takedowns, I am also part of the Slack channel. The channel is good for finding out what the latest ransoms are circulating to the public. It’s a great forum for networking and being able to ask the questions you don’t have answers to. How has AUSCERT evolved over the years? I haven’t been around long enough to observe changes in AUSCERT, but being around for 30 years, you must be doing something right. What I like about AUSCERT is that it’s a neutral organisation. You’re not competing with a vendor or coming from the government. People are more open to working with AUSCERT and networking with AUSCERT members due to this. What advice would you give to someone considering an AUSCERT membership? Start by doing your research into AUSCERT and gaining knowledge of the services they provide to see what’s on offer. What does the future hold for AUSCERT? I hope AUSCERT sticks around and can continue to support its members. How has your AUSCERT membership impacted your organisation? In a very positive way – we have a lot of threat intel coming through from AUSCERT. This is through the bulletins that share new vulnerabilities. AUSCERT has its finger on the pulse and is a trusted source of information. Rather than trying to find information, you can see similar organisations encountering the same issues.  

Learn more