Week in review - 10 Nov 2023

Greetings,

Thirty-five years ago the ‘Morris Worm’ carved a path of destruction and chaos that inadvertently triggered a ripple effect of events, paving the way for the thriving cyber security industry we have today. Before this incident, cyber security was not really a consideration for the public. This event, along with those that followed, quickly changed people's perspectives. Although many within the field who already know the story may see it as a ‘ho-hum’ history tale, understanding our history remains crucial for building a stronger future.

Robert Morris Jr, intent on discovering how big the internet was, accidentally set loose the first internet worm upon thousands of computers. The young Cornell graduate student launched the experiment that would change the cyber world forever.

No previous attack had affected so many computers: it took down systems in government facilities, hospitals and military bases, as well as privately owned computers. Damage estimates ranged from US$100,000 to US$10,000,000, and it took hundreds of people days to clean up the mess left in its wake. The event became a cautionary tale for students in the field, because probing vulnerabilities out of curiosity can have huge detrimental and unintended consequences.

In response to incidents like the Morris Worm, the concept of Computer Emergency Response Teams (CERTs) emerged, highlighting the need for coordinated efforts to respond to and mitigate cyber incidents. Key takeaways from such incidents include the importance of proactive measures, the need for rapid incident response teams and the continuous evolution of security measures to stay ahead of emerging threats. In the context of growth and development we should not dismiss the past but learn from it. Industry luminary Gene Spafford has written further insights on the event, which are well worth reading.

What better way to create your own ripple effect in the community than by contributing your time and expertise to our upcoming AUSCERT2024 conference? Your knowledge and skills can make a significant impact and further advance the industry. The Call for Tutorials submissions portal closes today, so don’t miss out! Presentation submissions open on November 16, next week. We invite anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent benefits such as travel and accommodation, as well as mentoring support for speakers. Sponsorship opportunities are also now available on our website.


Critical Atlassian Confluence bug exploited in Cerber ransomware attacks
Date: 2023-11-06
Author: Bleeping Computer

Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.

Veeam warns of critical bugs in Veeam ONE monitoring platform
Date: 2023-11-06
Author: Bleeping Computer

[AUSCERT has directly notified members about this vulnerability where possible]
Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical.
The company assigned almost maximum severity ratings (9.8 and 9.9/10 CVSS base scores) to the critical security flaws since they let attackers gain remote code execution (RCE) and steal NTLM hashes from vulnerable servers. The remaining two are medium-severity bugs that require user interaction or have limited impact.

Hacker Leaks 35 Million Scraped LinkedIn User Records
Date: 2023-11-07
Author: Hack Read

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.
A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, Breach Forums.

Government looks at passwordless access for myGov
Date: 2023-11-09
Author: iTnews

The federal government intends to change how citizens authenticate to the myGov system from next year, moving to passwordless approaches such as passkeys and facial recognition.
At the press conference, government services minister Bill Shorten said the government planned to "upgrade the security of the myGov system."
He said myGov "will benefit from a number of changes to how customers can sign-in, ensuring that accounts and personal information remain protected.”

New Microsoft Exchange zero-days allow RCE, data theft attacks
Date: 2023-11-03
Author: Bleeping Computer

Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations.
The zero-day vulnerabilities were disclosed by Trend Micro's Zero Day Initiative (ZDI) yesterday, who reported them to Microsoft on September 7th and 8th, 2023.
Despite Microsoft acknowledging the reports, its security engineers decided the flaws weren't severe enough to warrant immediate servicing, postponing the fixes for later.


ESB-2023.6043.3 – UPDATED ALERT Cisco IOS XE Software: CVSS (Max): 10.0

Cisco provided fixes as a result of an ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE software. The investigation determined that the threat actors exploited two previously unknown issues documented in CVE-2023-20198 and CVE-2023-20273.

ESB-2023.6313.2 – UPDATED ALERT Confluence Data Center and Server: CVSS (Max): 10.0

Atlassian observed several active exploits and reports of threat actors using ransomware in relation to Confluence. Atlassian has released fixes to mitigate this threat in new versions of Confluence Data Center and Server.

ESB-2023.6480 – Jira: CVSS (Max): 10.0

Certain versions of Jira Service Management Data Center and Server allowed authenticated attackers to initiate an XML External Entity Injection attack using job descriptions. Atlassian has released fixes to mitigate this vulnerability in new versions of Jira Service Management Data Center and Server.

ESB-2023.6481 – cacti: CVSS (Max): 9.8

Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection. Updating the cacti packages addresses these vulnerabilities.

ESB-2023.6438 – webkit2gtk3: CVSS (Max): 8.8

SUSE released an update for webkit2gtk3 that addresses eight vulnerabilities, including two fixes for issues where processing malicious web content could lead to arbitrary code execution.


Stay safe, stay patched and have a good weekend!

The AusCERT team