12 Jul 2024

Week in review

Greetings,

This week, we celebrate NAIDOC Week, recognising the history, culture, and achievements of Aboriginal and Torres Strait Islander Peoples. NAIDOC Week offers an opportunity for all Australians to learn about First Nations cultures and histories and participate in celebrations of the oldest continuous living cultures on earth. Visit the NAIDOC website for a full list of local events.

This month's Patch Tuesday brought significant updates, addressing 142 security flaws across various Microsoft products. Two of these were already being exploited in the wild when the fixes shipped and pose an immediate threat to unpatched systems. Two further vulnerabilities had been publicly disclosed before a patch was available but were not known to be exploited; such flaws are particularly concerning because working exploits can circulate before the fix is released. The update also fixed five critical vulnerabilities, all classified as remote code execution (RCE) flaws.

These updates highlight the importance of regular patch management to protect systems from known threats. Users and organisations are strongly advised to apply these patches promptly to mitigate the risk of exploitation. Keeping systems updated is a crucial step in maintaining a secure IT environment and defending against cyber threats.

The National Anti-Scam Centre is urging Australians who have had money stolen by scammers to be wary of offers to recover their money for an upfront fee. Reports involving a money recovery element are on the rise. Between December 2023 and May 2024, Scamwatch received 158 reports with total losses exceeding $2.9 million, including losses from the original scams. The number of reports increased by 129 percent compared to the previous six months, while financial losses decreased by 29 percent from $4.1 million. Australians aged 65 and older were the largest reporting group and suffered the highest average losses.

Victims of previous scams are easily identified by criminals, who commonly keep and sell information about the people they have already exploited. Training and education remain the best way to stay ahead of these threats: with the right skills and knowledge, you and your organisation are far better placed to recognise and resist attacks. Check out our online training schedules to find out how you can enhance your knowledge. It's also important for victims of scams to feel able to report and share their experiences without judgement, so please pass on information about scams to less knowledgeable friends and family.


New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack
Date: 2024-07-10
Author: Cyber Security News

Security researchers have discovered a new vulnerability in OpenSSH, tracked as CVE-2024-6409, which could potentially allow remote code execution on affected systems.
The flaw affects OpenSSH versions 8.7 and 8.8 and is a race condition in signal handling within the privilege separation (privsep) child process: the SIGALRM handler that fires when a client fails to authenticate within LoginGraceTime calls functions that are not async-signal-safe. Because the affected code runs in the unprivileged privsep child rather than in the privileged parent sshd, the practical impact is lower than a comparable race in the parent, but the issue still warrants prompt patching.

Misconfigured Jenkins Servers Targeted in Cryptojacking Attacks
Date: 2024-07-06
Author: Security Online

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
[AUSCERT also shared IoCs and Attack Patterns via MISP]
Trend Micro has issued a warning about a recent wave of attacks targeting misconfigured Jenkins servers. The attackers abuse Jenkins Script Consoles that are reachable without authentication to run Groovy scripts that install and operate cryptocurrency mining software, siphoning computational resources from unsuspecting organisations. The Script Console itself is a legitimate administrative feature; the problem is an authorisation setup that lets anonymous users reach it.
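A quick self-check for this misconfiguration, as an added example that is not part of the Trend Micro report or the Jenkins project: it issues one anonymous GET to the controller's /script path, refuses to follow redirects so a bounce to /login is visible, and reports whether the console page (recognised by the "script" form field the console POSTs its Groovy in) came back without authentication. The base URL is supplied by the operator and the responses used in the self-test are constructed. Run it only against Jenkins instances you administer.

```python
"""Anonymous reachability check for the Jenkins Script Console (/script).

Added example, not code from the Trend Micro report or the Jenkins project.
It sends a single unauthenticated GET and classifies the response; it never
submits a script. The sample responses in the self-test are constructed.
"""
import sys
import urllib.error
import urllib.request

EXPOSED = "EXPOSED: Script Console usable without authentication"
PROTECTED = "protected: authentication required"
ABSENT = "no Script Console at this path"


def classify(status, location, body):
    """Turn one anonymous GET of /script into a verdict.

    A 200 whose body carries the console's own form field (the console POSTs
    its Groovy as the 'script' parameter) means anonymous users can run code
    on the controller, the misconfiguration the cryptojacking campaign abuses.
    A 302 to /login, a 401 or a 403 means the console is there but gated.
    """
    if status == 200 and 'name="script"' in body:
        return EXPOSED
    if status in (401, 403):
        return PROTECTED
    if status in (301, 302, 303, 307, 308) and location and "/login" in location:
        return PROTECTED
    if status == 404:
        return ABSENT
    return "unknown: HTTP %d, inspect manually" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the redirect instead of following it, so /login is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """GET <base_url>/script anonymously and classify the answer."""
    url = base_url.rstrip("/") + "/script"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "script-console-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.getcode()
            location = resp.headers.get("Location")
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # redirects and 4xx/5xx arrive here
        status = err.code
        location = err.headers.get("Location")
        body = err.read(65536).decode("utf-8", "replace")
    return classify(status, location, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s https://jenkins.example.internal" % sys.argv[0])
    print(probe(sys.argv[1]))
```

An "EXPOSED" verdict means anonymous users hold Overall/Administer (or the legacy RunScripts permission); fix the authorisation strategy rather than hiding the path behind a proxy, because the same permission is reachable through the CLI and REST API.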

The Essential Eight Is An Opportunity To Drive New Strategic Value Into The Enterprise
Date: 2024-07-08
Author: IT News

The Australian Cyber Security Centre (ACSC)'s Essential Eight framework has the potential to transform Australia into a global leader in cyber security. However, in challenging organisations to develop a more strategic approach to cyber security, it also introduces some new risks to IT environments that enterprises are going to need to grapple with in the coming years.

SAP Patches High-Severity Vulnerabilities in PDCE, Commerce
Date: 2024-07-09
Author: Security Week

Enterprise software maker SAP on Tuesday announced the release of 16 new and two updated security notes as part of its July 2024 patch day, including two notes dealing with high-severity vulnerabilities.
The most severe of the issues is a missing authorization check in PDCE (Product Design Cost Estimating), a lifecycle costing tool. Tracked as CVE-2024-39592 (CVSS score of 7.7/10), the bug could allow an attacker to read generic table data, according to SAP.

RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks
Date: 2024-07-09
Author: The Hacker News

[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0130]
Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances.
"The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge Networks CEO Alan DeKok, who is the creator of the FreeRADIUS Project, said in a statement.
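A minimal illustration of the integrity check at issue, written as an added example (it is not code from the article, from InkBridge Networks or from FreeRADIUS; the shared secret, Request Authenticator and attribute values are constructed): it assembles a RADIUS Access-Request with and without the Message-Authenticator attribute defined in RFC 2869, verifies the HMAC-MD5 the way a server would, and shows that an on-path change to User-Name is detected only when the attribute is present. The full BlastRADIUS attack additionally needs an MD5 chosen-prefix collision against the server's response; the code demonstrates only the missing-integrity-check precondition. The practical fix is to send Message-Authenticator in every Access-Request and configure servers to require it (the require_message_authenticator client setting in FreeRADIUS), or to carry RADIUS over TLS.

```python
"""RADIUS Access-Request with and without Message-Authenticator (RFC 2869, s5.14).

Added example, not code from the article or from the FreeRADIUS project.
The shared secret, the Request Authenticator and the attribute values below
are constructed for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the whole packet
HEADER_LEN = 20                  # code(1) id(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = bytearray()
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(packet):
    """Yield (type, offset_in_packet, value) for every attribute after the header."""
    i = HEADER_LEN
    while i < len(packet):
        atype, alen = struct.unpack_from("!BB", packet, i)
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, i, packet[i + 2:i + alen]
        i += alen


def build_access_request(secret, identifier, request_auth, attrs, sign=True):
    """Assemble an Access-Request. With sign=True a Message-Authenticator is
    appended: HMAC-MD5 keyed with the shared secret over the packet with the
    attribute's own 16 value bytes zeroed, as RFC 2869 specifies."""
    body = encode_attrs(attrs)
    if sign:
        body += encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body)) + request_auth + body
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes
    return packet


def verify_access_request(secret, packet):
    """Classify an incoming Access-Request.

    'ok' when a Message-Authenticator is present and correct, 'bad-mac' when
    present but wrong, 'unauthenticated' when absent. The last case is the one
    BlastRADIUS builds on: no attribute is bound to the shared secret, so an
    on-path attacker can rewrite the request without the server noticing."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    for atype, off, value in decode_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "bad-mac"
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, value) else "bad-mac"
    return "unauthenticated"


def rewrite_user_name(packet, new_name):
    """Simulate an on-path attacker swapping User-Name for one of equal length."""
    for atype, off, value in decode_attrs(packet):
        if atype == ATTR_USER_NAME:
            if len(new_name) != len(value):
                raise ValueError("keep the length so the packet stays well-formed")
            return packet[:off + 2] + new_name + packet[off + 2 + len(value):]
    raise ValueError("no User-Name attribute")


def demo():
    """Constructed exchange: a signed and an unsigned request, each tampered on path."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # a real client uses 16 random bytes
    attrs = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))]
    signed = build_access_request(secret, 7, request_auth, attrs, sign=True)
    unsigned = build_access_request(secret, 7, request_auth, attrs, sign=False)
    return {
        "signed": verify_access_request(secret, signed),
        "signed_tampered": verify_access_request(secret, rewrite_user_name(signed, b"admin")),
        "unsigned": verify_access_request(secret, unsigned),
        "unsigned_tampered": verify_access_request(secret, rewrite_user_name(unsigned, b"admin")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-18s %s" % (case, result))
```

The two "unauthenticated" results are the point: a server that accepts such requests cannot distinguish the original from the rewritten one, which is why the mitigation is to make the attribute mandatory on both ends rather than merely to send it.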

Nearly 10bn passwords posted to hacking forum
Date: 2024-07-08
Author: Cyber Daily

The user, named ObamaCare, made the post on 4 July on a popular hacking forum, sharing a file called rockyou2024.txt.
"Xmas came early this year," ObamaCare said. "I present to you a new rockyou2024 password list with over 9.9 billion passwords."
"I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years."
The shared list has 9,948,575,739 passwords in all and appears to be a compilation of new and old leaks merged into a single list. The file is a 45.6 gigabyte .zip archive.


ASB-2024.0122 – Microsoft Windows: CVSS (Max): 9.8

For July 2024 Patch Tuesday, Microsoft's security updates and patches address two zero-day vulnerabilities currently being exploited: CVE-2024-38080 in Windows Hyper-V and CVE-2024-38112 in the Windows MSHTML Platform.

ESB-2024.4425.2 – Citrix Netscaler Products: CVSS (Max): 9.4

Citrix has disclosed two critical vulnerabilities impacting its NetScaler Console, NetScaler SVM, and NetScaler Agent, which could potentially enable attackers to access sensitive information and launch denial of service attacks. The vulnerabilities, designated as CVE-2024-6235 and CVE-2024-6236, have led Citrix to issue urgent update recommendations to mitigate these risks.

ESB-2024.4427 – Palo Alto Networks Expedition: CVSS (Max): 9.3

Palo Alto Networks has issued security updates to address several vulnerabilities affecting its products, including a critical flaw that could enable authentication bypass. Tracked as CVE-2024-5910 this vulnerability is characterized as a missing authentication issue in the Expedition migration tool, potentially allowing unauthorized access to an administrator account.

ESB-2024.4429 – VMware Aria Automation: CVSS (Max): 8.5

VMware has issued security updates to address a high-severity vulnerability in their Aria Automation product. This vulnerability, a structured query language (SQL) injection flaw, could allow an authenticated attacker to execute unauthorized read or write operations in the database by sending specially crafted SQL queries.

ESB-2024.4428.2 – GitLab Community and Enterprise editions: CVSS (Max): 9.6

GitLab has released a new set of updates to address security vulnerabilities in its software development platform, including a critical flaw that enables an attacker to execute pipeline jobs as any arbitrary user. Tracked as CVE-2024-6385, this vulnerability has a CVSS score of 9.6.


Stay safe, stay patched and have a good weekend!

The AUSCERT team