14 Feb 2025

Week in review

Greetings,

Happy Valentine's Day! While celebrating with loved ones, it's crucial to stay vigilant against malicious behaviour. Enjoy the love but remain cautious. Threat actors exploit this emotional time to their advantage. Be warned: new AI-enhanced romance scams are targeting Australian hearts and bank accounts.

Researchers warn that romance scams pose a significant threat, costing nearly $35 million in 2023, with many cases going unreported. Scammers exploit dating apps and generative AI to create convincing messages. Currently the most prevalent and impactful romance scam is romance baiting, where scammers build fake relationships to gain trust and persuade victims to invest in fake cryptocurrency, stock platforms, or other scams.

The Australian government is making significant strides in consumer protection. This week, Parliament passed the world's first Scams Prevention Framework Bill, enhancing protections by establishing consistent and enforceable obligations for businesses in key sectors where scammers operate. The framework empowers the ACCC to investigate potential breaches and take enforcement action against entities that fail to fulfil their obligations.

If you're interested in gaining essential skills to navigate the legal and managerial dimensions of cyber security in your organisation, we recommend registering for our course led by General Manager Ivano Bongiovanni. The Overcoming Cyber Risks course covers legal implications and privacy laws, offering strategies to manage risk using enterprise risk frameworks, including crisis response and vendor oversight.

Lastly, a positive reminder: AUSCERT2025 registrations are officially open! Take advantage of early bird discounts and secure your favourite tutorials before spaces run out!


Massive brute force attack uses 2.8 million IPs to target VPN devices
Date: 2025-02-08
Author: Bleeping Computer

A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
A brute force attack is when threat actors attempt to repeatedly log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to a network.
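As an added illustration (example code written for this review, not part of the Bleeping Computer article or any vendor's tooling), the following Python script shows how a defender might spot the pattern described above in firewall or VPN authentication logs. The log format, device names, usernames and addresses are all constructed for the example. It flags two things: a single source address failing repeatedly within a short window, and, more relevant to a campaign spread over millions of addresses, many distinct sources failing against the same device while each one stays under the per-IP threshold.

```python
"""Added example: flag brute-force login activity in constructed VPN/firewall
authentication logs. Detections:
  * per-source-IP: one address failing repeatedly inside a short window
  * distributed: many distinct addresses failing against one target device,
    each below the per-IP threshold (the shape of a large botnet campaign)
The log format is hypothetical and not any vendor's real syslog format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines: timestamp, device, result, user, source address.
SAMPLE_LOG = """\
2025-02-08T10:00:01Z fw-edge-1 auth=FAIL user=admin src=203.0.113.5
2025-02-08T10:00:02Z fw-edge-1 auth=FAIL user=admin src=203.0.113.5
2025-02-08T10:00:03Z fw-edge-1 auth=FAIL user=root src=203.0.113.5
2025-02-08T10:00:04Z fw-edge-1 auth=FAIL user=vpn src=203.0.113.5
2025-02-08T10:00:05Z fw-edge-1 auth=FAIL user=admin src=203.0.113.5
2025-02-08T10:00:06Z fw-edge-1 auth=FAIL user=admin src=198.51.100.10
2025-02-08T10:00:07Z fw-edge-1 auth=FAIL user=admin src=198.51.100.11
2025-02-08T10:00:08Z fw-edge-1 auth=FAIL user=admin src=198.51.100.12
2025-02-08T10:00:09Z fw-edge-1 auth=FAIL user=admin src=198.51.100.13
2025-02-08T10:00:10Z fw-edge-1 auth=FAIL user=admin src=198.51.100.14
2025-02-08T10:00:11Z fw-edge-1 auth=FAIL user=admin src=198.51.100.15
2025-02-08T10:00:12Z fw-edge-1 auth=OK user=jsmith src=192.0.2.20
2025-02-08T10:30:00Z fw-edge-2 auth=FAIL user=jsmith src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def per_ip_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: max_failures_in_window} for sources reaching `threshold` failures."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def distributed_brute_force(events, min_sources=5, window=timedelta(minutes=5)):
    """Return {device: distinct_failing_sources_in_window} for devices hit from
    at least `min_sources` different addresses, regardless of per-IP counts."""
    by_device = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_device[ev["device"]].append((ev["ts"], ev["src"]))
    flagged = {}
    for device, items in by_device.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {src for _, src in items[start:end + 1]}
            if len(distinct) >= min_sources:
                flagged[device] = max(flagged.get(device, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP brute force:", per_ip_brute_force(evs))
    print("distributed brute force:", distributed_brute_force(evs))
```

The first detector only catches 203.0.113.5; the six 198.51.100.x addresses each fail once and slip under it. The second detector, keyed on the target device rather than the source, flags fw-edge-1 because seven different addresses failed against it within seconds. With a campaign the size of the one reported above, per-IP lockouts and blocklists alone are weak controls; the per-target view plus rate limiting and multi-factor authentication on the management and VPN interfaces is what actually limits the exposure.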

CVE-2025-25064 (CVSS 9.8): Critical SQL Injection Bug in Zimbra Collaboration
Date: 2025-02-09
Author: Security Online

Zimbra Collaboration, a widely used open-source email and collaboration platform, has been found to contain two newly discovered security vulnerabilities that pose a serious risk to businesses relying on the software for email, calendaring, file sharing, and task management. These vulnerabilities, identified as CVE-2025-25064 and CVE-2025-25065, could allow attackers to gain unauthorized access to sensitive data and internal network resources.

SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
Date: 2025-02-11
Author: Bleeping Computer

[AUSCERT contacted the impacted members (where possible) via email in January 2025]
Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application.
The vendor warned about the high exploitation possibility of the flaw in a bulletin on January 7, urging administrators to upgrade their SonicOS firewalls' firmware to address the problem.

AnyDesk Exploit Alert: CVE-2024-12754 Enables Privilege Escalation – PoC Available
Date: 2025-02-09
Author: Security Online

Security researcher Naor Hodorov has recently published an analysis of a vulnerability discovered in AnyDesk, a popular remote administration software. This vulnerability, identified as CVE-2024-12754, could allow a low-privileged user to gain elevated access and potentially take complete control of a system.
The vulnerability stems from an elevated arbitrary file read/copy operation performed by the AnyDesk service as NT AUTHORITY\SYSTEM.

Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
Date: 2025-02-12
Author: The Hacker News

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe.
"This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the Microsoft Threat Intelligence team said in a new report shared with The Hacker News ahead of publication.

Progress LoadMaster Security Update: Multiple Vulnerabilities Addressed
Date: 2025-02-10
Author: Security Online

Progress has issued a security advisory addressing multiple vulnerabilities affecting all current LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. The vulnerabilities, identified as CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, and CVE-2024-56135, could allow authenticated attackers to execute arbitrary system commands or download sensitive files.


ASB-2025.0035 – Microsoft Office products: CVSS (Max): 9.8

CISA has issued an urgent warning about the exploitation of a critical Microsoft Outlook vulnerability (CVE-2024-21413). The flaw enables remote code execution through malicious email links, bypassing Office Protected View. Exploiting this vulnerability allows attackers to open emails in editing mode, posing serious risks to federal agencies.

ESB-2025.0830 – Trimble Cityworks: CVSS (Max): 7.2

Trimble has issued an urgent cybersecurity alert concerning a critical vulnerability in its Cityworks asset and work management software. Identified as CVE-2025-0994 with a CVSS score of 7.2, this flaw is actively being exploited, presenting a serious threat to organisations utilising the platform.

ESB-2025.1035 – Google Chrome: CVSS (Max): None

Google's latest Chrome update addresses multiple vulnerabilities, including the critical CVE-2025-0995, a "Use-After-Free" issue in the V8 JavaScript engine. The update fixes the security flaw that could allow attackers to execute malicious code remotely on vulnerable systems. The Chrome Stable channel has been updated to versions 133.0.6943.98/.99 for Windows and Mac, and 133.0.6943.98 for Linux.

ASB-2025.0043 – Microsoft Windows: CVSS (Max): 8.8

February 2025 Patch Tuesday addresses 56 vulnerabilities, including two zero-days, CVE-2025-21418 and CVE-2025-21391, under active exploitation. CVE-2025-21418, affecting the Windows Ancillary Function Driver, allows privilege escalation, while CVE-2025-21391 impacts Windows Storage, potentially leading to file deletion and service disruption. These flaws highlight ongoing risks, including possible exploitation by threat groups like Lazarus.

ESB-2025.0876 – Apple iOS 18.3.1 and iPadOS 18.3.1: CVSS (Max): None

Apple released emergency security updates for iOS and iPadOS to fix a vulnerability (CVE-2025-24200) that has been exploited in the wild. The issue, described as an authorisation flaw, could allow attackers to disable USB Restricted Mode on a locked device during a cyber-physical attack. This indicates that the attackers need physical access to the device to exploit the vulnerability.


Stay safe, stay patched and have a good weekend!

The AUSCERT team