16 Feb 2024
Week in review
Greetings,
The ACSC has developed a valuable single reporting tool to help you determine which Australian regulations apply to your organisation, as well as specifying when and to whom you need to report a cyber breach. First highlighted in the government’s Australian Cyber Security Strategy 2023-2030, the swift availability of this resource is notable. Its significance lies in simplifying the process and will undoubtedly have a positive impact on our community.
The federal government launched the Cyber Security Legislative Reforms consultation paper late last year to gather views on new legislative initiatives and proposed amendments to the Security of Critical Infrastructure Act 2018. This consultation paper outlines reforms that were part of the Australian Cyber Security Strategy action plan and covers nine areas that are worthy of a read. One being Ransomware reporting obligations which is one of the fastest growing types of cybercrime. The government is proposing that reporting ransomware incidents should become a mandatory, no-fault, no-liability obligation for businesses.
The National Office of Cyber Security’s recent review of the HWL Ebsworth cyber incident demonstrates various lessons, with one significant takeaway being the company’s close collaboration with government agencies in effectively handling the incident. Therefore, the government is considering introducing a Cyber Incident Review Board co-designed with the industry to share the lessons learned from cyber incidents with businesses and the wider public. The HWL Ebsworth breach involved the exfiltration of 4TB of data (2.2 million files), including sensitive information from 62 Australian government entities, major banks, airlines, and other multinational businesses.
In preparation for cyber incidents, consider registering for our Incident Response Planning training course! Effective cyber security incident response is essential for maintaining organisational objectives by avoiding or limiting the impact of cyber security incidents. Be equipped with the tools to write and implement a bespoke incident response plan for your organisation. Register today!.
Here are some highlights from this week’s cyber security news:
Zoom patches critical privilege elevation flaw in Windows apps
Date: 2024-02-14
Author: Bleeping Computer
[Please also see AUSCERT bulletin:https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0044]
The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network. Zoom is a popular cloud-based video conferencing service for corporate meetings, educational lessons, social interactions/gatherings, and more.
New Fortinet RCE bug is actively exploited, CISA confirms
Date: 2024-02-09
Author: Bleeping Computer
[AUSCERT has identified impacted members (where possible) and contacted them via email].
[Please also see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.0849]
CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday.
The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests.
CISA: Roundcube email server bug now exploited in attacks
Date: 2024-02-12
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email.]
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.
The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages maliciously crafted links in low-complexity attacks requiring user interaction.
The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
QNAP vulnerability disclosure ends up an utter shambles
Date: 2024-02-13
Author: The Register
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November.
The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem.
QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully.
Decryptor for Rhysida ransomware is available!
Date: 2024-02-12
Author: Help Net Security
Files encrypted by Rhysida ransomware can be successfully decrypted, due to a implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor.
Rhysida is a relatively new ransomware-as-a-service gang that engages in double extortion.
First observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare delivery organizations, and Holding Slovenske Elektrarne (HSE).
ASB-2024.0044 – Zoom Clients: CVSS (Max): 9.6
The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw.
ASB-2024.0038 – Microsoft Exchange Server: CVSS (Max): 9.8
Microsoft has released its monthly security patch update and it includes Privilege escalation vulnerability on Microsoft Exchange Servers.
ESB-2024.0913 – Adobe Acrobat and Reader: CVSS (Max): 8.8
Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak.
ESB-2024.0836.2 – UPDATED ALERT Cisco Expressway Series: CVSS (Max): 9.6
Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device.
Stay safe, stay patched and have a good weekend!
The AusCERT team