//Week in review - 12 Apr 2024

Greetings,

With less than 6 weeks remaining, we’re eagerly anticipating our return to the sunny Gold Coast, our favourite time of year! We have some exciting updates to our AUSCERT2024 program, including the addition of a workshop titled "Security in an Unmanaged Azure Environment: A Practical Example" led by Greg Scheidel, a SANS Certified Instructor. The workshop draws on the content of SANS SEC530: Defensible Security Architecture and Engineering, focusing on implementing Zero Trust for the hybrid enterprise. Spots are limited, so register soon to secure yours. Visit our website for more details.

This week marked a significant milestone in the cyber world. Nigel Phair, a Professor at Monash University who spoke at AUSCERT2023, is a co-author of a new research study. After three years of research, an international team yesterday unveiled the first ever “World Cybercrime Index”. Developed through a collaboration between the University of Oxford and UNSW, and funded by CRIMGOV, a European Union-supported project based at the University of Oxford and Sciences Po, the index promises to reshape our understanding of global cybercrime dynamics.

The World Cybercrime Index identifies the globe’s primary cybercrime hotspots by ranking the most prominent sources of cybercrime on a national level. The index reveals that the most significant criminal threats are concentrated in a handful of countries, with Russia leading the list, followed by Ukraine, China, the USA, Nigeria, and Romania. The research underlying the index will also shed light on the identities of cybercriminal offenders, potentially removing their veil of anonymity.

Continuing to collect this data in the future will enable defenders and police agencies to monitor the emergence of any new cybercrime hotspots. Early interventions could potentially be implemented in at-risk countries before serious cybercrime problems develop.

Government agencies and private enterprises tasked with combating cybercrime now have the opportunity to significantly improve their understanding of the scale of the issue within their own jurisdictions. Previously, knowledge of cybercriminal whereabouts was largely confined to specialist investigators, but now this information can be shared with the public, government, and business alike.


April’s Patch Tuesday Brings Record Number of Fixes
Date: 2024-04-09
Author: Krebs on Security

[Please also see AUSCERT bulletins: ASB-2024.0059, ASB-2024.0060, ASB-2024.0061, ASB-2024.0062, ASB-2024.0063, ASB-2024.0064, ASB-2024.0065, ASB-2024.0066]
If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software.

Fortinet Patches Critical RCE Vulnerability in FortiClientLinux
Date: 2024-04-10
Author: Security Week

[Please see AUSCERT Bulletins https://www.auscert.org.au/bulletins/ESB-2024.2166 and https://www.auscert.org.au/bulletins/ESB-2024.2172]
Fortinet on Tuesday announced patches for a dozen vulnerabilities in FortiOS and other products, including a critical-severity remote code execution (RCE) bug in FortiClientLinux.
The critical flaw, tracked as CVE-2023-45590 (CVSS score of 9.4), is described as a code injection issue that could allow an unauthenticated, remote attacker to execute arbitrary code or commands by convincing a user to visit a malicious website.

Code Execution Flaws in Multiple Adobe Software Products
Date: 2024-04-09
Author: Security Week

[Please also see AUSCERT bulletins: ESB-2024.2138, ESB-2024.2140, ESB-2024.2162, ESB-2024.2136, ESB-2024.2137, ESB-2024.2139, ESB-2024.2165]
Software maker Adobe on Tuesday rolled out urgent security updates for multiple enterprise-facing products and warned that hackers could exploit these bugs to launch code execution attacks.
As part of its scheduled batch of Patch Tuesday updates, Adobe called attention to a pair of code execution bugs in Adobe Commerce and Magento Open Source, a product used by businesses to create and manage online stores.

Critical Rust flaw enables Windows command injection attacks
Date: 2024-04-09
Author: Bleeping Computer

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.
Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.
GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction.

Apple: Mercenary spyware attacks target iPhone users in 92 countries
Date: 2024-04-11
Author: Bleeping Computer

Apple has been notifying iPhone users in 92 countries about a "mercenary spyware attack" attempting to remotely compromise their device.
In a sample notification the company shared with BleepingComputer, Apple says that it has high confidence in the warning and urges the recipient to take it seriously.
"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-," reads the notification.


ASB-2024.0065 – Microsoft Windows Products: CVSS (Max): 8.8

Microsoft has issued its monthly security update for April 2024, addressing a total of 91 vulnerabilities in Windows and Windows Server. Among them is CVE-2024-26234, a proxy driver spoofing vulnerability that was exploited as a zero-day: a malicious driver signed with a legitimate Microsoft Hardware Publisher Certificate was found operating as a backdoor. Because the driver carried a valid signature, it loaded on fully patched systems until the certificate was revoked, so defenders should confirm the April update is installed and check for the driver rather than relying on signature checks alone.

ESB-2024.2180 – WordPress: CVSS (Max): None

WordPress has released version 6.5.2 to fix a Cross-Site Scripting vulnerability along with various other bugs. Leaving this patch unapplied could allow malicious actors to inject scripts into WordPress websites, which could result in defacement, theft of sensitive information such as session cookies, or the delivery of malware to site visitors. WordPress strongly urges all users to update promptly to mitigate these risks.

ESB-2024.2166 – FortiClientLinux: CVSS (Max): 9.4

An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code by tricking a FortiClientLinux user into visiting a malicious website. The vulnerability is resolved by updating to a fixed FortiClientLinux version.

ESB-2024.2148 – Linux kernel: CVSS (Max): 9.8*

Numerous security issues were fixed in the Linux kernel. Among them: the IPv6 implementation did not properly manage route cache memory usage, allowing a remote attacker to cause a denial of service (memory exhaustion); and the device mapper driver did not properly validate target size during certain memory allocations, allowing a local attacker to cause a denial of service (system crash). The vulnerabilities are resolved by performing a system update and rebooting into the new kernel.

ESB-2024.2099 – Django: CVSS (Max): 9.8

The password reset functionality in Django used a Unicode case-insensitive query to retrieve the accounts associated with a submitted email address. Several distinct Unicode characters share a single uppercase form, so an attacker who controls an address that collides with a victim's address under that comparison could receive the victim's password reset token and hijack the account. The vulnerability is resolved by performing a system update.
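The collision is easier to see in code. The following is an added illustration written for this digest, not Django's own code: it models a database-side case-insensitive lookup with `str.upper()`, shows a constructed attacker address that collides with a stored one, and then applies the two changes that close the hole (compare addresses with NFKC normalisation plus case folding, as Unicode Technical Report 36 recommends, and send the token to the address stored on the account rather than the one typed into the form). Django's upstream fix took the same approach. The user table, account names and addresses are constructed for the example.

```python
"""
Added illustration (not Django's own code): why a Unicode case-insensitive
email lookup in a password-reset flow is dangerous, and how to close it.
The user table below is constructed for this example.
"""
import unicodedata

# Constructed sample user table: (username, stored email, is_active).
USERS = [
    ("alice", "alice@example.org", True),
    ("mike", "mike@example.org", True),
    ("dormant", "dormant@example.org", False),
]


def db_iexact(column_value: str, needle: str) -> bool:
    """Model a database-side case-insensitive match (UPPER(email) = UPPER(%s)).

    Uppercasing is what makes the lookup unsafe: several distinct characters
    share one uppercase form, e.g. dotless i (U+0131) uppercases to 'I'.
    """
    return column_value.upper() == needle.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per Unicode TR36 2.11.2(B)(2):
    normalise both strings to NFKC, then compare their full case folding."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def vulnerable_reset(submitted_email: str) -> list[tuple[str, str]]:
    """Vulnerable pattern: trust the DB's case-insensitive match and send the
    token to the address the requester typed in.

    Returns (account, recipient) pairs for every reset mail that would be sent.
    """
    sent = []
    for username, stored_email, active in USERS:
        if active and db_iexact(stored_email, submitted_email):
            sent.append((username, submitted_email))
    return sent


def hardened_reset(submitted_email: str) -> list[tuple[str, str]]:
    """Hardened pattern: keep the cheap DB pre-filter, re-check every candidate
    with the Unicode-aware comparison, and mail only the stored address."""
    sent = []
    for username, stored_email, active in USERS:
        if not (active and db_iexact(stored_email, submitted_email)):
            continue
        if not unicode_ci_compare(submitted_email, stored_email):
            continue  # collides only under uppercasing; not the same identifier
        sent.append((username, stored_email))
    return sent


if __name__ == "__main__":
    # Attacker controls this inbox: dotless i (U+0131) uppercases to plain 'I'.
    attacker = "m\u0131ke@example.org"
    print("vulnerable:", vulnerable_reset(attacker))
    print("hardened:  ", hardened_reset(attacker))
    # A legitimate request that differs only in ASCII case still works.
    print("hardened (legit):", hardened_reset("MIKE@example.org"))
```

Note that the hardened version still accepts compatibility equivalents that NFKC maps to the same letter (the Kelvin sign U+212A folds to `k`), which is what TR36 intends for identifiers; the decisive protection is that the token only ever goes to the stored address, so a collision at worst triggers a reset mail to the real owner.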


Stay safe, stay patched and have a good weekend!

The AusCERT team