Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Dave O’Loan

Long-time AUSCERT affiliate and member, Dave O’Loan shares his journey with AUSCERT. As Head of Cyber Relations at the Australian Academic Research Network (AARNet), Dave has had many touchpoints with AUSCERT throughout his career. The sharing of information and diverse collaboration is why Dave continues to support and remain a member of AUSCERT.

How did you first get involved with AUSCERT and what motivated you to become a member?

AUSCERT is a partner with AARNet within AHECS, the Australian Higher Education Cyber Security Service. Prior to that, I had a long history of working within the academic and research sector. AUSCERT is part of The University of Queensland, linking with AARNet as a shareholder. Therefore, we have a close relationship around securing our sector and broadly sharing information.

What are some of the key benefits and experiences of an AUSCERT membership?

AARNet gains a lot of benefits through the sharing of threat intelligence, technical indicators, advisories, and bulletins. We also gain a lot from the AUSCERT community, including the conference, and other communities that bring security individuals together to share information effectively.

How has AUSCERT evolved over the years, and what changes have you seen in the cybersecurity landscape that have affected the organisation’s work?

AUSCERT has evolved by leveraging events like the annual conference and building a strong, information-sharing community. The evolution includes stronger partnerships, distributing information, and bringing different industry verticals together. AUSCERT plays a significant role in ensuring the CERT function is carried out and making sure there’s timely advice available for members.

What advice would you give to someone considering becoming an AUSCERT member?

AUSCERT memberships have numerous benefits, providing access to information, people, skills, and knowledge that an organisation might not have in-house. The membership allows for asking questions, gaining guidance, and receiving information that helps protect systems, networks, and people. AUSCERT’s training contributes to the cybersecurity maturity of an organisation.

What do you think the future holds for AUSCERT, and how do you see the organisation continuing to play a vital role in the cybersecurity community?

Many people don’t like answering this question, but I see a bright future for AUSCERT. With the evolving cybersecurity landscape, more entities need to be involved in the broader uplift. AUSCERT’s long history of support and leveraging its capabilities will contribute significantly to achieving a more secure nation.

How has your membership in AUSCERT impacted your organisation’s overall approach to cybersecurity?

The membership has provided unique information sharing, a subscription model with significant value, and the ability to maintain multiple cybersecurity partners. Different partners contribute advice and guidance across various aspects like risk, threat intel, and governance.

What do you believe sets AUSCERT apart from other organisations in the cybersecurity space?

AUSCERT’s unique nature lies in the shared information it has available through different partners. Maintaining different cybersecurity partners is critical because no single organisation has the knowledge or capacity to understand all risks, threats and governance challenges an organisation could face.

Week in review

AUSCERT Week in Review for 1st December 2023

Greetings,

As December unfolds and ushers in the enchanting Christmas season, a wave of joy and warmth embraces us. It’s that magical time when we dust off cherished decorations and unwrap trees, inviting a festive cheer into our lives. May your December days be adorned with happiness, love and the spirit of giving as we immerse ourselves in the holiday spirit!

On that note, this year’s theme for AUSCERT2024 highlights the significant influence that everyone’s actions can carry within the broader cyber community. It promotes the idea of passing it forward by demonstrating how shared knowledge and collaboration can create a ripple effect, strengthening the entire cyber industry. Submit a presentation and contribute to the growth and development of our community. Join our upcoming webinar discussion to gain support in enhancing your presentation skills.

In cyber news this week, the Queensland Parliament has successfully enacted a mandatory data breach notification scheme, set to impact state agencies from mid-2025 and local governments from mid-2026. Government agencies will be subject to new requirements for managing personal information, after the ‘Information Privacy and Other Legislation Amendment Act 2023’ was passed by parliament on Wednesday. Under the scheme, agencies must notify affected individuals and the Office of the Information Commissioner of data breaches that have the potential to result in serious harm. This proactive notification process empowers individuals by enabling them to take decisive action to manage risks and mitigate potential harm arising from a data breach. Mandating notification underscores the importance of data security for agencies, prompting a more proactive approach to preventing and managing data breaches. In essence, this legislative measure not only safeguards individuals but also serves as a catalyst for improved data security practices within government entities. Queensland has become only the second state to legislate a mandatory data breach notification scheme for public sector entities, along with NSW.

In other news, the ACSC Essential Eight Maturity Model (E8MM) was recently updated to better assist organisations in protecting their digital assets against cyber threats. Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.

Critical bug in ownCloud file sharing app exposes admin passwords
Date: 2023-11-24
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform. It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to maintain control over their data rather than hosting it at third-party cloud storage providers.

Essential Eight Maturity Model Update
Date: 2023-11-27
Author: ASD
As the Australian Signals Directorate (ASD) is committed to providing cyber security advice that is contemporary, fit for purpose and practical, the Essential Eight Maturity Model (E8MM) is updated annually. In doing so, it is designed to assist organisations in protecting their internet-connected information technology networks against common cyber threats. Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.

AI systems ‘subject to new types of vulnerabilities,’ British and US cyber agencies warn
Date: 2023-11-28
Author: The Record
“AI systems are subject to new types of vulnerabilities,” the 20-page document warns — specifically referring to machine-learning tools. The new guidelines have been agreed upon by 18 countries, including the members of the G7, a group that does not include China or Russia. The guidance classifies these vulnerabilities within three categories: those “affecting the model’s classification or regression performance”; those “allowing users to perform unauthorized actions”; and those involving users “extracting sensitive model information.”

Guidelines for secure AI system development
Date: 2023-11-27
Author: NCSC
This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties.

Okta Breach Impacted All Customer Support Users—Not 1 Percent
Date: 2023-11-29
Author: WIRED
In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.

ESB-2023.7196 – Tenable Nessus: CVSS (Max): 9.8
Several of the third-party components (HandlebarsJS, OpenSSL, and jquery-file-upload) were found to contain vulnerabilities, and updated versions have been made available by the providers.

ESB-2023.7117 – ALERT Google Chrome: CVSS (Max): None
The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. This update includes 7 security fixes.

ESB-2023.7077 – Perl: CVSS (Max): 9.8
Perl incorrectly handled printing certain warning messages. An attacker could possibly use this issue to cause Perl to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-48522)

ESB-2023.7135 – Delta Electronics InfraSuite Device Master: CVSS (Max): 9.8
Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and obtain plaintext credentials.

ESB-2023.7211 – ALERT Apple: CVSS (Max): None
Apple is aware of a report that this issue may have been exploited against some versions of iOS.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Week in review

AUSCERT Week in Review for 24th November 2023

Greetings,

This week we released a new episode of our Share Today, Save Tomorrow podcast – episode 28: Cyber Artefacts. In this episode Anthony sits down with Mike Pritchard from Cydarm Technologies to discuss Mike’s passion for collecting hardware artefacts that provide insights into the history of cyber security. Mike showcases extraordinary artefacts dating back 60-70 years, offering a glimpse into the foundations of the computer industry. In the final part of the episode, Anthony hands over to Bek Cheb, AUSCERT’s Business Manager, who has a chat with our Principal Analyst, Mark Carey-Smith, about AUSCERT2024 and the exceptional mentoring support available for speakers.

If you’re interested in speaking at AUSCERT2024 but are unsure about what to present or struggling to choose a topic, we’re hosting a webinar to address any concerns and guide you through the process of formulating a concept for your presentation. If you’d like to attend, please register here.

AUSCERT is thrilled to introduce a new service for our members – AusMISP. So, what is AusMISP, you might be asking? Well, AusMISP is a platform that facilitates the sharing of threat intelligence with members. The platform features a shared curated feed of threat indicators that members can utilise to enhance their network security. This collaborative effort includes threat intelligence acquired from trusted communities and organisations, contributing to the enhancement of members' cyber security posture. For our higher education members, we have an existing special sector-specific platform, AHECS ISAC, which includes AusMISP data and additional threat indicators relevant to this sector. Eager to learn more about AusMISP and exactly what it entails? Head to our website or message our membership team who can provide you with a Starter Guide and other resources to help your organisation implement it as part of your cyber security strategy!

To conclude, if you’re looking for some captivating reading this weekend, then delve into “Australia’s Strategic Vision in Cyber Security”, written by Sasenka Abeysooriya, Program Director and Senior Strategic Advisor at UQ, and AUSCERT Director and UQ CISO David Stockdale. The article summarises the visionary leadership, strategic layers of defence, and the broader implications of Australia’s 2023-2030 Cyber Security Strategy.

Securing Customer Personal Data for Small to Medium Businesses
Date: 2023-11-17
Author: ASD
The latest Annual Cyber Threat Report found that cybercrime reports have increased compared to data from the previous year, with one report now received every 6 minutes. During the 2022-23 financial year, the cost of cybercrime to businesses increased by 14%. Per cybercrime report, small businesses experienced an average financial loss of $46,000, while cybercrime cost medium businesses an average of $97,200. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has launched a new publication on Securing Customer Personal Data for Small and Medium Businesses.

Gov commits $18.2m for SME cyber security boost
Date: 2023-11-21
Author: iTnews
The federal government has announced two initiatives aimed at boosting support to small and medium businesses (SMEs) to fortify their cyber security skills. The government has promised $7.2 million to set up a voluntary cyber health-check program, enabling access to free self-assessments of cyber security maturity. It’s also committed another $11 million towards the Small Business Cyber Resilience Service, which offers one-on-one assistance towards cyber challenges, and covers cyber attack recovery.

Malware dev says they can revive expired Google auth cookies
Date: 2023-11-21
Author: Bleeping Computer
The Lumma information-stealer malware (aka 'LummaC2') is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Session cookies are specific web cookies used to allow a browsing session to log in to a website's services automatically. As these cookies allow anyone possessing them to log in to the owner's account, they commonly have a limited lifespan for security reasons to prevent misuse if stolen.

Researchers want more detail on industrial control system alerts
Date: 2023-11-22
Author: CyberScoop
At the beginning of July, Rockwell Automation released a security advisory about a vulnerability in one of its products. Working with the U.S. government, the company said it had become aware that a state-backed hacking unit had developed the ability to run malicious code on the communication modules of an industrial controller. The company wouldn’t identify who had this ability to attack its products and an accompanying advisory from the Cybersecurity and Infrastructure Security Agency said there were no known instances of the vulnerability being exploited in the wild.

Cybersecurity Investment Involves More Than Just Technology
Date: 2023-11-17
Author: Dark Reading
Organizations are looking for a "high value for money" when deciding how to allocate their cybersecurity budgets, and there is a "greater focus on getting value from existing resources," according to S-RM's "Cyber Security Insights Report 2023." The report, which reflects responses from 600 C-suite business leaders and senior IT professionals within large organizations, found that the top five investment areas were cybersecurity technologies (49%), threat intelligence (46%), risk assessment (42%), cyber insurance (42%), and third-party risk management (40%). Fewer organizations highlighted technology as good value for money in 2023 (49%) than in 2022 (58%).

ESB-2023.6886 – Tenable Security Center: CVSS (Max): 8.8
Tenable Security Center has been updated to address vulnerabilities affecting third-party components.

ESB-2023.6945 – Atlassian Products: CVSS (Max): 8.5
Several high severity vulnerabilities have been patched in various Atlassian products.

ESB-2023.6949 – Firefox: CVSS (Max): 7.5
Mozilla has updated Firefox to address multiple vulnerabilities.

ESB-2023.6997 – Intel NUC Software Products: CVSS (Max): 8.8
Intel has addressed several vulnerabilities affecting NUC Software products in its quarterly update.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Trace Borrero

Trace Borrero works at the University of Southern Queensland and through the university’s connection to AUSCERT, Trace has developed into a well-trained and active part of the AUSCERT community. From graduate to professional, check out Trace’s AUSCERT story.

How did you first become a member of AUSCERT?

I came directly out of my degree in cyber security and landed in a role at the University of Southern Queensland. The university were already members, so I became a member.

How do you use the AUSCERT service and what benefit do you receive?

We use the Malware Information Sharing Platform (MISP) a lot, and we’ve learned to automate from there. When I graduated there was a lot of talk about the intel and IOCs that came from AUSCERT. We would be looking for them in our environment and acting on them if needed. Whenever we’d see widespread phishing, we’d be able to send it to AUSCERT and they would handle it. To me as a graduate, it was magic. I didn’t understand what was going on, but I knew that it was taken care of. Now that I’ve learned the ropes, it’s a plus, because there is a lot of groundwork in the backend that AUSCERT handle for you.

How do you think AUSCERT has evolved over the years?

I’ve been a member for five years, so I’ve seen lots of change in the direction the industry is heading. AUSCERT is trying to remain cutting edge, which is important. Recently, automation is the new buzzword. Automation is one place that AUSCERT have adapted successfully, preparing their members to automate and thinking about what type of automation that members want.

What advice would you give to someone considering becoming an AUSCERT member?

It’s worth it – one of the best things you could do is simply attend the conference and see what it’s all about. It’s hard to see AUSCERT’s benefit purely from the website. Meeting AUSCERT’s members, attending events, or just the conference, is a good place to start.

What do you think the future holds for AUSCERT?

I assume AUSCERT will continue to try and stay cutting edge. They will also continue to look out for their members as best they can, in whatever way that means.

What sets AUSCERT apart from other organisations in the cyber security industry?

AUSCERT are looking out for you. Obviously, they have their own interests, but their interests are their members. You don’t see that very often, specifically when you look at other vendors. Simply having someone to bounce your ideas off, and then receiving feedback from AUSCERT and its member community is fantastic. To be able to say: “Oh, hey, I’ve seen this phishing email. Has anyone else seen it?” “Oh, yes, we’ve seen it, and these are the other IOCs or other attributes of it.” It’s truly a community of learning and collaboration.

Week in review

AUSCERT Week in Review for 17th November 2023

Greetings,

With Black Friday sales already underway, it’s a good reminder to remain vigilant. Each year the deals claim to be bigger and better, drawing people into excessive spending. Cyber criminals have become very sophisticated in exploiting this opportunity to execute cyber attacks. Educate your family and friends on the potential dangers of online shopping during this time!

This week, the Australian Signals Directorate (ASD) released its annual cyber security threat report, revealing some very concerning statistics. The report indicates that cyber crimes continued to be a pervasive and endemic threat to Australia’s economic and social prosperity throughout 2022-23. Australia is perceived as a very popular target due to its booming e-commerce industry and relative wealth. The report revealed the most common cyber attacks on individuals consisted of identity fraud, online banking fraud and online shopping fraud. For Australian businesses, the cost of cyber crime has climbed by 14% with the most identified attack being compromised emails. Business email compromise fraud continues to significantly impact businesses with almost $80 million in reported losses. Malicious cyber actors often exploit unpatched and misconfigured systems or take advantage of weak or re-used credentials to access systems and networks. To defend against email attacks, set aside time for regular cyber security training and ensure staff are cautious of emails that contain requests for payment or change of bank details.

Thankfully for our nation we have a proactive Cyber Security Minister, Clare O’Neil, who understands the growing concerns of individuals and businesses and is taking proactive steps to mitigate these threats to our economy. Ms O’Neil is planning to create new legislation that would classify telecommunication companies as critical infrastructure for the first time, requiring company boards to comply with strict rules that already cover hospitals, utilities, ports, and energy generation assets. Following the high-profile Optus attack last year and nationwide network outage last week, the Australian government believes it is necessary to include telcos under the Security of Critical Infrastructure Act. This means they will now be required to sign off on a new cyber risk management program every year or face potentially hundreds of thousands of dollars in penalties.

To conclude, we are excited to notify you that our Call for Presentations for AUSCERT2024 is now open! Submit your papers today!

Microsoft Warns of Critical Bugs Being Exploited in the Wild
Date: 2023-11-14
Author: Security Week
[Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2023.0226 and https://portal.auscert.org.au/bulletins/ASB-2023.0223]
The world’s largest software maker Microsoft on Tuesday released patches with cover for at least 59 documented security vulnerabilities, including a pair of critical-severity zero-days already being exploited in the wild. Redmond’s security response team documented a wide range of security defects in a range of Windows OS and components and called special attention to two vulnerabilities — CVE-2023-36033 and CVE-2023-36036 — being exploited in active attacks.

LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
Date: 2023-11-14
Author: Bleeping Computer
[AUSCERT identified the impacted members (where possible) and notified them via email on 11 October 2023]
[We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so]
The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.

Novel backdoor persists even after critical Confluence vulnerability is patched
Date: 2023-11-14
Author: The Register
[AUSCERT identified the impacted members (where possible) and notified them via email on 01 November 2023]
[We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so]
A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence. The backdoor provides attackers remote access to a victim, both its Confluence server and other network resources, and is found to persist even after Confluence patches are applied.

Azure CLI credential leak part of Microsoft's monthly patch rollup
Date: 2023-11-15
Author: iTnews
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2023.0224]
One of the critical vulnerabilities, CVE-2023-36052, is important enough to receive a detailed technical discussion in this blog post. The bug leaks credentials to GitHub Actions logs through the Azure command-line interface (CLI). Aviad Hahami of Palo Alto’s Prisma Cloud found that Azure CLI commands could be used to show sensitive data and output to continuous integration and continuous deployment (CI/CD) logs, Microsoft explained.

Intel patches high-severity vulnerability affecting central processing units
Date: 2023-11-15
Author: The Record
The U.S. chip manufacturer Intel has patched a high-severity vulnerability affecting central processing units in its desktop, mobile and server products. The successful exploitation of the bug could allow hackers to gain higher-level access to the system, obtain sensitive information and even cause the machine to crash. The vulnerability, tracked as CVE-2023-23583 and codenamed Reptar, carries the CVSS severity score of 8.8 out of 10. There haven't been any reported incidents of an attack through Reptar in the wild.

CISA warns of actively exploited Juniper pre-auth RCE exploit chain
Date: 2023-11-13
Author: Bleeping Computer
CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild. "Juniper SIRT is now aware of successful exploitation of these vulnerabilities. Customers are urged to immediately upgrade," the company said.

ESB-2023.6749 – FortiSIEM: CVSS (Max): 9.3
Fortinet has recently identified a critical vulnerability in the FortiSIEM report server. This vulnerability involves an OS command injection and could potentially be exploited by remote, unauthenticated attackers. By sending specially crafted API requests, these attackers may be able to execute arbitrary commands on the affected system. It is crucial for customers to be aware of this vulnerability and take appropriate measures to mitigate the risk.

ESB-2023.6734 – Google Chrome: CVSS (Max): None
Google has released an update for the Google Chrome Stable channel. The update version 119.0.6045.159 is specifically for Mac and Linux users, while Windows users will receive either version 119.0.6045.159 or 119.0.6045.160. It is recommended that users of Google Chrome on these platforms update to the latest version to ensure they have the most recent security enhancements and bug fixes.

ESB-2023.6639 – Adobe ColdFusion: CVSS (Max): 9.8
Adobe has released an update for ColdFusion that addresses critical vulnerabilities. These vulnerabilities have the potential to result in the deserialization of untrusted data, improper access control, and other security issues.

ASB-2023.0223 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft has recently issued its monthly security patch update for November 2023. This update addresses a total of 32 vulnerabilities found in Windows and Windows Server. It is important to note that Microsoft has confirmed the active exploitation of CVE-36025, CVE-2023-36033, and CVE-2023-36036.

ESB-2023.6704 – VMware Cloud Director Appliance: CVSS (Max): 9.8
An authentication bypass vulnerability has been identified in VMware Cloud Director Appliance with the CVE identifier CVE-2023-34060. This vulnerability affects VMware products that have been upgraded to version 10.5 from a previous version. To address this issue, updates have been released by VMware.

Stay safe, stay patched and have a good weekend!

The AUSCERT team

Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Peter Degotardi

AUSCERT member in the education industry, Peter Degotardi is the Manager of Cyber Security Capability at the University of Technology Sydney. Joining the University in 2015, Peter has benefited from the information his AUSCERT membership provides. Keeping his organisation up-to-date and ahead of the game, Peter’s AUSCERT story is one of community and collaboration.

What are some of the key benefits you’ve experienced as an AUSCERT member?

The main benefit I receive from AUSCERT is the community and the sense of camaraderie we have. This community is a sight to behold; everyone talks to each other and trusts one another. The information we receive is phenomenal, giving great value out of the membership. Often, we’re alerted to vulnerable hosts before we’re even aware it’s happened. We can’t live without [phishing] site takedown services, along with phishing emails that AUSCERT handles for us.

How has AUSCERT evolved over the years?

I was involved with AUSCERT before I started in the cyber security sector, and I’ve always dreamed of going to the AUSCERT conference. Initially, AUSCERT was a ‘techie’ organisation but now it’s evolved to helping businesses secure themselves. Although technology is one part of the AUSCERT offering, they now focus on the governance and risk management services.

What advice would you give to someone considering becoming an AUSCERT member, and why do you believe that membership is valuable for organisations of all sizes and industries?

Be ready to ingest a huge amount of information; you’re going to receive a lot. The value is in the information sharing you receive, not just from AUSCERT itself but other members – everyone helps everyone else.

What do you think the future holds for AUSCERT?

Everything evolves – technology, processes, people, organisations, but no matter what changes, it needs to be secured. I’m looking at AUSCERT to provide timely information to be able to do just that – provide recommendations to stay one step ahead of the baddies.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT is Australian born and bred and it has the connections to its equivalents across the world. AUSCERT gives me the information I don’t have readily accessible, which will help us to develop a better security position for the organisation.

Week in review

AUSCERT Week in Review for 10th November 2023

Greetings,

Thirty-five years ago the ‘Morris Worm’ carved a path of destruction and chaos that inadvertently triggered a ripple effect of events, paving the way for the thriving cyber security industry we have today. Prior to this incident, cyber security wasn’t really a consideration for the public. However, this event, along with subsequent ones, quickly changed people’s perspectives. Although many within the field already familiar with the story may see it as a ‘ho-hum’ history tale, it’s important to remember that understanding our history is crucial for building a stronger future.

Robert Morris Jr, intent on discovering how big the internet was, accidentally set loose the first ever internet worm upon thousands of computers. The young grad student was completing his graduate degree at Cornell when he launched the experiment that would change the cyber world forever. Previously no attack had affected so many computers, taking down systems in government facilities, hospitals, and military bases in addition to privately owned computers. The experiment resulted in US$100,000 – 10,000,000 worth of damage, taking hundreds of people days to clean up the mess left in its wake. This event became a tale of caution to many students studying in the field, as probing vulnerabilities out of curiosity can have huge detrimental and unintended consequences.

In response to incidents like the Morris Worm, the concept of Computer Emergency Response Teams (CERTs) emerged, highlighting the need for coordinated efforts to respond to and mitigate cyber incidents. Some key takeaways from incidents like the Morris Worm include the importance of proactive measures, the need for rapid incident response teams and the continuous evolution of security measures to stay ahead of emerging threats. In the context of growth and development we should not dismiss the past but instead learn from it. Click here to read more insights about the event from industry luminary Gene Spafford.

What better way to create your own ripple effect in the community than by contributing your time and expertise to our upcoming AUSCERT2024 conference? Your knowledge and skills have the potential to create a significant impact and further advance the industry. The Call for Tutorials submissions portal is closing today, so don’t miss out! Presentation submissions will be opening on November 16, next week! We invite anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent benefits such as travel and accommodation, as well as mentoring support for speakers. Sponsorship opportunities are also now available on our website.

Critical Atlassian Confluence bug exploited in Cerber ransomware attacks
Date: 2023-11-06 Author: Bleeping Computer
Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware. Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.

Veeam warns of critical bugs in Veeam ONE monitoring platform
Date: 2023-11-06 Author: Bleeping Computer
[AUSCERT has directly notified members about this vulnerability where possible]
Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical. The company assigned almost maximum severity ratings (9.8 and 9.9/10 CVSS base scores) to the critical security flaws since they let attackers gain remote code execution (RCE) and steal NTLM hashes from vulnerable servers. The remaining two are medium-severity bugs that require user interaction or have limited impact.

Hacker Leaks 35 Million Scraped LinkedIn User Records
Date: 2023-11-07 Author: Hack Read
The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records. A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, Breach Forums.

Government looks at passwordless access for myGov
Date: 2023-11-09 Author: iTnews
The federal government intends to change how citizens authenticate to the myGov system from next year, moving to passwordless approaches such as passkeys and facial recognition. At the press conference, government services minister Bill Shorten said the government planned to "upgrade the security of the myGov system." He said myGov "will benefit from a number of changes to how customers can sign-in, ensuring that accounts and personal information remain protected."

New Microsoft Exchange zero-days allow RCE, data theft attacks
Date: 2023-11-03 Author: Bleeping Computer
Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023. Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to guarantee immediate servicing, postponing the fixes for later.

ESB-2023.6043.3 – UPDATED ALERT Cisco IOS XE Software: CVSS (Max): 10.0
Cisco provided fixes as a result of an ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE software. The investigation determined that the threat actors exploited two previously unknown issues documented in CVE-2023-20198 and CVE-2023-20273.

ESB-2023.6313.2 – UPDATED ALERT Confluence Data Center and Server: CVSS (Max): 10.0
Atlassian observed several active exploits and reports of threat actors using ransomware in relation to Confluence. Atlassian has released fixes to mitigate this threat in new versions of Confluence Data Center and Server.

ESB-2023.6480 – Jira: CVSS (Max): 10.0
Certain versions of Jira Service Management Data Center and Server allowed authenticated attackers to initiate an XML External Entity Injection attack using job descriptions. Atlassian has released fixes to mitigate this vulnerability in new versions of Jira Service Management Data Center and Server.

ESB-2023.6481 – cacti: CVSS (Max): 9.8
Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection. Updating cacti packages addresses these vulnerabilities.

ESB-2023.6438 – webkit2gtk3: CVSS (Max): 8.8
SUSE released an update that solves eight vulnerabilities and contains two security fixes which address issues where processing malicious web content could lead to arbitrary code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Bek Cheb

Hard-working Bek Cheb embodies the heart of AUSCERT’s passion and community and is responsible for keeping the business side of AUSCERT running. As Business Manager, Bek oversees AUSCERT’s events, marketing, communications, and membership. Read on to discover Bek’s fondest AUSCERT moments and where she sees the future of AUSCERT headed.

Whilst working at AUSCERT, is there a memorable experience that stands out?
Not surprisingly, many of my memorable moments have been at the AUSCERT conference. AUSCERT attracts plenty of big-industry names that I’ve fanned over for years. To meet these inspirations face-to-face and feel their human compassion is amazing. Adam Spencer is our MC, and each year I still get excited to hang out with Adam for a few days. This year Rachel Tobac, an expert in the world of social engineering, was AUSCERT’s keynote. To have such expertise on stage and learn from them is just magical.

What would you say to someone considering becoming an AUSCERT member?
Every organisation should become an AUSCERT member and I’m not just saying that because I work for AUSCERT. I understand the pressure there is on individuals and businesses to understand cyber security. Knowing that you’ve got a community ready to assist you, let alone the value in the individual services, builds confidence. There are many obvious services that AUSCERT are known for such as security bulletins and early warning SMS, but recently phishing takedowns are requested more often; where AUSCERT acts as an extension of your team.

Where do you see AUSCERT going in the future?
Thinking about AUSCERT’s future is thrilling – I think we have a lot of opportunities. Because we’re not owned by the government, the best part of AUSCERT is our agility. We can grow and change to whatever our members need us to be – so the growth opportunities for AUSCERT are endless. Education is going to play a big role in our future, innovating how we can expand our courses and offerings. There’s a high demand for new skill sets and growth within our industry, so I can’t wait to see our numbers grow.

What sets AUSCERT apart from other organisations in the cyber security space?
Every organisation needs to consider their network of cyber security partners. There’s no one-size-fits-all when it comes to protection, and you can’t put all your eggs in one basket. It’s important to have a layered approach by ensuring you’ve got different people representing your business on different issues. AUSCERT is that important piece of the puzzle, where you won’t find a sales pitch. We’re not trying to make an extra buck in our sales targets that month – instead we’re part of the cyber security community.


Week in review

AUSCERT Week in Review for 3rd November 2023

Greetings,

This week, many of us excitedly dusted off our costumes and indulged in Halloween celebrations. The tradition is gradually gaining more traction in Australia, with an increasing number of children embracing the thrill of trick-or-treating. Both youngsters and adults enthusiastically engage in the festivities, dressing in a wide variety of costumes ranging from monsters to fairies. This festive time also provides a good opportunity for our children to learn about the various personas people can adopt in our community and digital world, some helpful and some unfortunately harmful.

Cyber security threats can be highly detrimental to an organisation’s reputation, financial stability and overall success. Gone are the days of cyber security being solely the IT department’s responsibility. Today, leadership at all levels must actively support policies and practices throughout the organisation. Fostering a progressive and active cyber security culture within the workplace is crucial for achieving organisational resilience. Leaders and senior executives are now expected to possess a comprehensive understanding of cyber security risk management to ensure the safety and well-being of their organisation and its stakeholders.

In a surprising development on Monday that has spooked some in the cybersecurity community, the Securities and Exchange Commission charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures for allegedly misleading investors about its cyber security practices and known risks. While this case is still unfolding, it serves as a valuable learning experience for us all. It underlines the critical importance of actively implementing strong cyber security risk management practices. Leadership plays a pivotal role in ensuring the safety of their organisation by possessing a comprehensive understanding of the cyber security risks relevant to them, and leading accordingly. Instead of jumping to conclusions, we should utilise this case as an opportunity to reflect on the significance of cyber security risk within organisations and the detrimental impacts that deceptive behaviour can have.

AUSCERT recognizes the increasing demands and pressures on leadership to possess cyber security risk management knowledge and skills. Therefore, we have launched a new training course designed to empower leaders in this critical area. The Cyber Resilience for Senior Executives course equips participants with the knowledge and skills required to effectively lead their organisation’s strategic response to the cyber security challenge and improve their organisational resilience. This course is suitable for senior executives from any background, and no technical knowledge is required.

Critical vulnerability found in Atlassian Confluence software
Date: 2023-11-01 Author: iTnews
[AUSCERT has identified the impacted members (where possible) and contacted them via email. Also please see our bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6313 ]
The company’s advisory for CVE-2023-22518 attributed a message to the company’s CISO, Bala Sathiamurthy, saying the users are “vulnerable to significant data loss” if the vulnerability is exploited. “There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances,” Sathiamurthy wrote.

RCE exploit for Wyze Cam v3 publicly released, patch now
Date: 2023-10-30 Author: Bleeping Computer
A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices. Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more. Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.

3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online
Date: 2023-11-01 Author: Bleeping Computer
Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability. Apache ActiveMQ is a scalable open-source message broker that fosters communication between clients and servers, supporting Java and various cross-language clients and many protocols, including AMQP, MQTT, OpenWire, and STOMP.

Citrix Bleed: Mass exploitation in progress (CVE-2023-4966)
Date: 2023-10-30 Author: Help Net Security
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.5826.2]
CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being massively exploited by threat actors. According to security researcher Kevin Beaumont’s cybersecurity industry sources, one ransomware group has already distributed a Python script to automate the attack chain to their operators, and other groups have started leveraging a working exploit.

New CVSS 4.0 vulnerability severity rating standard released
Date: 2023-11-01 Author: Bleeping Computer
The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. CVSS is a standardized framework for assessing software security vulnerabilities' severity used to assign numerical scores or qualitative representation (such as low, medium, high, and critical) based on exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores denoting more severe vulnerabilities.

ESB-2023.6234.3 – UPDATED ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8
F5 is warning BIG-IP admins about a recently disclosed Configuration utility unauthenticated remote code execution vulnerability (CVE-2023-46747).

ESB-2023.6266 – IBM Security QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM contains components that have been identified as vulnerable and can potentially be exploited using automated tools. However, IBM has taken the necessary steps to address the relevant CVEs.

ESB-2023.6321 – Zavio IP Camera: CVSS (Max): 9.8
Users of Zavio IP cameras are strongly urged to change their devices since proper updates to patch these vulnerabilities will not be available.

ESB-2023.6344 – ALERT Tenable Security Center: CVSS (Max): 9.8
Tenable has discovered vulnerabilities in Tenable Security Center, and released a critical patch to address these issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – Peter Newman

Utilising AUSCERT’s services in the gambling industry, Peter Newman has a long history with AUSCERT. Initially working for University of Queensland (UQ), Peter Newman is now the Head of Threat at The Lottery Corporation. Check out Peter’s AUSCERT connection story, in which he provides insight into AUSCERT’s services and predicts its future.

What motivated your organisation to become a member?
The Lottery Corporation is only a year old, recently splitting from Tabcorp. As a flow-on organisation of Tabcorp we utilise the same services. As Tabcorp were already AUSCERT members, we decided to continue the same framework with an AUSCERT membership for The Lottery Corporation.

As an AUSCERT member, what are the key benefits?
The Lottery Corporation use the bulletin service, which is a primary feed into our vulnerability management program. We also use AUSCERT’s seven-day feed for malware URLs. With this resource, we look at the domains our users are visiting, and if that domain is listed as a malicious URL, we investigate further.

How has AUSCERT evolved over the years?
When I began with AUSCERT, they were focused on incident response. Currently, AUSCERT have been developing its threat intelligence resources and feeds associated with that. Another aspect that AUSCERT has done well over the years, is maintaining relationships with other CERTs around the world – enabling them to become highly efficient at phishing take downs.

What advice would you give to someone considering becoming an AUSCERT member?
Understanding what AUSCERT can do for you is a challenge; a lot of the people that become members only use one or two services. Knowing everything AUSCERT can do for your business is the best advice I can give.

What do you think the future holds for AUSCERT?
AUSCERT will need to continually pivot even though its staples are solid. As a community organisation, AUSCERT must keep adjusting to the community itself and how it changes. I predict AUSCERT will continue to grow in the threat intelligence area and more in education.

What sets AUSCERT apart from other organisations in the cyber security space?
Being vendor-agnostic specifically sets AUSCERT apart – everybody in cyber security is trying to sell you something. Although AUSCERT is selling you something, it’s in a not-for-profit method. Due to this, AUSCERT can leverage their community to feedback on itself.


Blogs

30 Years 30 Stories

AUSCERT 30 Years 30 Stories – David Stockdale

With a professional and ethical approach to delivering cyber security throughout Australia, the AUSCERT 30 Years 30 Stories would be incomplete without sitting down with current AUSCERT Director, David Stockdale. Praising AUSCERT’s trust and influential community, David’s insight into what sets our organisation apart is a heart-warming read.

How did you first become involved with AUSCERT, and what motivated you to apply for your position?
The Director of AUSCERT position was included in a job that I applied for at the University of Queensland. It was the area I least understood in the role, and yet it’s become the piece I adore most.

How do you think AUSCERT has evolved over the years? What do you think our future holds?
AUSCERT has experienced plenty of change in the last three decades – 30 years ago, AUSCERT was one of the first computer emergency response teams in the world. What AUSCERT provided then was unique, but there are now many big players in the sector. We’ve evolved to provide new and niche offerings, that other companies are not able to provide. As AUSCERT is a not-for-profit organisation, we’re not government-aligned nor commercial, we’re able to establish an element of trust. This trust is our superpower and means we can provide services others can’t.

What are the key benefits of being a part of the AUSCERT community?
AUSCERT transcends more than just its members, age, services and employees; it’s much bigger than that. To be part of an organisation that aims to provide good services and lift the security of our community – is a fantastic cause.

What advice would you give to a prospective AUSCERT member?
Do it! Looking at the low cost of our services, it’s easy to assume that they are not worth a lot. That couldn’t be further from the truth. Once you start using AUSCERT and leveraging our offerings, you’ll find there’s value-upon-value-upon-value. That said, the real value of being an AUSCERT member is not necessarily the services, but the community we create, whether it’s through our conference, or events. We connect sectors together, and it’s this quality that separates us from others. When you’re an AUSCERT member, you become part of a trusted community.

What do you believe sets AUSCERT apart from other organisations in the cybersecurity space?
It’s AUSCERT’s not-for-profit qualities – we aren’t aligned to any vendors so we are, in some ways, a trusted free spirit. This trust is what sets AUSCERT apart; and we do the best cybersecurity conference in Australia, without a doubt. AUSCERT, Happy 30th Birthday! You are the best organisation I’ve ever known, and I’m so proud to be part of it.
