13 Sep 2024

Week in review

Greetings,

R U OK is encouraging everyone to ask "R U OK?" any day, because life happens every day. This reminder comes as 72% of Australians report experiencing elevated levels of distress. Each year, R U OK Day serves as a powerful reminder of the importance of checking in on others' well-being and actively listening to their concerns. Often, those facing challenges may not openly express their feelings, and a simple, empathetic conversation can make a huge difference. Asking "Are you okay?" and genuinely listening can offer emotional support and show someone they are not alone in their struggles.

Meaningful connection and open dialogue about mental health help build a supportive and compassionate community. Prioritising mental health reduces stigma and creates an environment where people feel comfortable sharing their feelings and seeking help. It's a reminder that small acts of kindness and genuine concern can profoundly impact someone's life. For a range of free resources for your workplace, home or community, visit the R U OK? Day website.

AUSCERT has always been a strong advocate for mental health support and services, actively implementing more mental health initiatives in the workplace and at our conferences. At AUSCERT2024, we again provided an onsite psychologist for attendees, offering the opportunity to discuss anything from mental wellbeing to life coaching. This year, we introduced mindfulness walks in the mornings that allowed delegates to start the day with a peaceful, serene stroll along the beach, and also introduced a dopamine hit of puppy pats and cuddles throughout the day – this was extremely popular!

This week, Microsoft addressed and patched critical zero-day vulnerabilities as part of its monthly update.

The first vulnerability, identified as CVE-2024-38217, affected Smart App Control and SmartScreen in Windows. This vulnerability allowed malicious files to bypass crucial security warnings and execute without raising any alarms. It appears to have been actively exploited by hackers for at least six years, with numerous samples detected on VirusTotal since 2018!

The second vulnerability resided within the Windows Servicing Stack and allowed remote code execution (RCE). Identified as CVE-2024-43491, the cause of this vulnerability was a flaw in the Servicing Stack that essentially rolled back security fixes for optional components in Windows 10 version 1507. This left systems exposed to previously mitigated threats by removing prior security patches installed between March and August 2024.

This is a timely reminder to remain vigilant and patch the systems in your environment regularly, so that critical zero-day vulnerabilities such as these are mitigated promptly. Please see this AUSCERT bulletin for more information on the above Microsoft vulnerabilities.


Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild
Date: 2024-09-06
Author: Security Week

[AUSCERT issued a critical MSIN to the impacted members (where possible) on 26 August 2024]
SonicWall is warning customers that a recently patched SonicOS vulnerability tracked as CVE-2024-40766 may be exploited in the wild.
CVE-2024-40766 was disclosed on August 22, when SonicWall announced the availability of patches for each impacted product series, including Gen 5, Gen 6 and Gen 7 firewalls.
The security hole, described as an improper access control issue in the SonicOS management access and SSLVPN, can lead to unauthorized resource access and in some cases it can cause the firewall to crash.

Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues
Date: 2024-09-05
Author: The Hacker News

Veeam has shipped security updates to address a total of 18 security flaws impacting its software products, including five critical vulnerabilities that could result in remote code execution.
The list of shortcomings is below –
CVE-2024-40711 (CVSS score: 9.8) – A vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution.

Progress LoadMaster vulnerable to 10/10 severity RCE flaw
Date: 2024-09-08
Author: Bleeping Computer

Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device.
The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster's management interface using a specially crafted HTTP request.

Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution
Date: 2024-09-08
Author: Security Online

[AUSCERT issued a critical MSIN to the impacted members (where possible) on 10 September 2024]
Elastic, the company behind the popular open-source data visualization and analytics platform Kibana, has issued a critical security advisory urging users to update immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.

Ivanti Releases Urgent Security Updates for Endpoint Manager Vulnerabilities
Date: 2024-09-11
Author: The Hacker News

Ivanti has released software updates to address multiple security flaws impacting Endpoint Manager (EPM), including 10 critical vulnerabilities that could result in remote code execution.
A brief description of the issues is as follows –
CVE-2024-29847 (CVSS score: 10.0) – A deserialization of untrusted data vulnerability that allows a remote unauthenticated attacker to achieve code execution.

NoName ransomware gang deploying RansomHub malware in recent attacks
Date: 2024-09-10
Author: Bleeping Computer

The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).


ESB-2024.5829 – Nessus: CVSS (Max): 9.8

Tenable has released Nessus 10.7.6 to address critical vulnerabilities in third-party components OpenSSL and expat, which affected earlier versions of the software. The update includes OpenSSL 3.0.15 and expat 2.6.3 to mitigate the identified security risks. Users are urged to upgrade promptly to protect against potential exploits.

ASB-2024.0176 – Microsoft Windows: CVSS (Max): 9.8

Microsoft has revealed a critical zero-day vulnerability, CVE-2024-43491, in the Windows Servicing Stack, scoring 9.8 in severity. This flaw, present since the March 2024 update, caused security patches for optional components in Windows 10 version 1507 to be rolled back, leaving systems vulnerable to previously fixed threats. While no active exploitation has been reported, attackers could potentially exploit this to achieve remote code execution.

ASB-2024.0173 – ACSC advisory, GRU Unit 29155 cyber actors

Russian military cyber actors are targeting critical infrastructure in the U.S. and globally, according to an alert from the Australian Cyber Security Centre. The threat actors are using sophisticated tactics to compromise essential systems. Organizations are urged to enhance their cybersecurity measures to defend against these advanced persistent threats.

ESB-2024.5800 – Google Chrome: CVSS (Max): None

Multiple vulnerabilities in Google Chrome, including heap buffer overflows and use-after-free issues, could allow for arbitrary code execution. Exploitation of these flaws might enable attackers to install programs, access or alter data, or create new user accounts, particularly impacting systems with administrative privileges. Users are advised to update Chrome to the latest version and follow recommended security practices to mitigate these risks.

ESB-2024.5807 – Adobe ColdFusion: CVSS (Max): 9.8

Adobe has also patched CVE-2024-41874, a severe flaw with a CVSS score of 9.8, affecting all ColdFusion 2023 versions. Recent attacks by hackers have intensified the urgency for these updates.


Stay safe, stay patched and have a good weekend!

The AUSCERT team