//Week in review - 17 Nov 2023


With Black Friday sales already underway, it’s a good reminder to remain vigilant. Each year the deals claim to be bigger and better, drawing people into excessive spending. Cyber criminals have become very sophisticated in exploiting this opportunity to execute cyber attacks. Educate your family and friends on the potential dangers of online shopping during this time!

This week, the Australian Signals Directorate (ASD) released its annual cyber security threat report, revealing some very concerning statistics. The report indicates that cyber crime continued to be a pervasive and endemic threat to Australia’s economic and social prosperity throughout 2022-23. Australia is perceived as a very popular target due to its booming e-commerce industry and relative wealth. The report revealed that the most common cyber attacks on individuals consisted of identity fraud, online banking fraud and online shopping fraud.

For Australian businesses, the cost of cyber crime has climbed by 14%, with the most commonly identified attack being email compromise. Business email compromise fraud continues to significantly impact businesses, with almost $80 million in reported losses. Malicious cyber actors often exploit unpatched and misconfigured systems or take advantage of weak or re-used credentials to access systems and networks. To defend against email attacks, set aside time for regular cyber security training and ensure staff are cautious of emails that contain requests for payment or for a change of bank details.

Thankfully for our nation we have a proactive Cyber Security Minister, Clare O’Neil, who understands the growing concerns of individuals and businesses and is taking proactive steps to mitigate these threats to our economy. Ms O’Neil is planning to create new legislation that would classify telecommunication companies as critical infrastructure for the first time, requiring company boards to comply with strict rules that already cover hospitals, utilities, ports, and energy generation assets. Following the high-profile Optus attack last year and the nationwide network outage last week, the Australian government believes it is necessary to include telcos under the Security of Critical Infrastructure Act. This means they will now be required to sign off on a new cyber risk management program every year or face potentially hundreds of thousands of dollars in penalties.

To conclude, we are excited to notify you that our Call for Presentations for AUSCERT2024 is now open! Submit your papers today!

Microsoft Warns of Critical Bugs Being Exploited in the Wild
Date: 2023-11-14
Author: Security Week

[Please see AUSCERT bulletins: https://auscert.org.au/bulletins/ASB-2023.0226 and https://auscert.org.au/bulletins/ASB-2023.0223]
The world’s largest software maker, Microsoft, on Tuesday released patches covering at least 59 documented security vulnerabilities, including a pair of critical-severity zero-days already being exploited in the wild.
Redmond’s security response team documented a wide range of security defects in a range of Windows OS and components and called special attention to two vulnerabilities — CVE-2023-36033 and CVE-2023-36036 — being exploited in active attacks.

LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed
Date: 2023-11-14
Author: Bleeping Computer

[AUSCERT identified the impacted members (where possible) and notified them via email on 11 October 2023]
[We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so]
The LockBit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.
Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.

Novel backdoor persists even after critical Confluence vulnerability is patched
Date: 2023-11-14
Author: The Register

[AUSCERT identified the impacted members (where possible) and notified them via email on 01 November 2023]
[We urge impacted members to promptly apply the patches in accordance with the vendor's recommendations, if they have not already done so]
A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence.
The backdoor provides attackers with remote access to a victim's Confluence server and other network resources, and is found to persist even after Confluence patches are applied.

Azure CLI credential leak part of Microsoft's monthly patch rollup
Date: 2023-11-15
Author: iTnews

[Please see AUSCERT bulletin: https://auscert.org.au/bulletins/ASB-2023.0224]
One of the critical vulnerabilities, CVE-2023-36052, is important enough to receive a detailed technical discussion in this blog post.
The bug leaks credentials to GitHub Actions logs through the Azure command-line interface (CLI).
Aviad Hahami of Palo Alto’s Prisma Cloud found that Azure CLI commands could be used to show sensitive data and output to continuous integration and continuous deployment (CI/CD) logs, Microsoft explained.

Intel patches high-severity vulnerability affecting central processing units
Date: 2023-11-15
Author: The Record

The U.S. chip manufacturer Intel has patched a high-severity vulnerability affecting central processing units in its desktop, mobile and server products.
The successful exploitation of the bug could allow hackers to gain higher-level access to the system, obtain sensitive information and even cause the machine to crash.
The vulnerability, tracked as CVE-2023-23583 and codenamed Reptar, carries a CVSS severity score of 8.8 out of 10. There haven't been any reported incidents of an attack through Reptar in the wild.

CISA warns of actively exploited Juniper pre-auth RCE exploit chain
Date: 2023-11-13
Author: Bleeping Computer

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain.
The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.
"Juniper SIRT is now aware of successful exploitation of these vulnerabilities. Customers are urged to immediately upgrade," the company said.

ESB-2023.6749 – FortiSIEM: CVSS (Max): 9.3

Fortinet has recently identified a critical vulnerability in the FortiSIEM report server. This vulnerability involves an OS command injection and could potentially be exploited by remote, unauthenticated attackers. By sending specially crafted API requests, these attackers may be able to execute arbitrary commands on the affected system. It is crucial for customers to be aware of this vulnerability and take appropriate measures to mitigate the risk.

ESB-2023.6734 – Google Chrome: CVSS (Max): None

Google has released an update for the Google Chrome Stable channel. The update version 119.0.6045.159 is specifically for Mac and Linux users, while Windows users will receive either version 119.0.6045.159 or 119.0.6045.160. It is recommended that users of Google Chrome on these platforms update to the latest version to ensure they have the most recent security enhancements and bug fixes.

ESB-2023.6639 – Adobe ColdFusion: CVSS (Max): 9.8

Adobe has released an update for ColdFusion that addresses critical vulnerabilities. These vulnerabilities have the potential to result in the deserialization of untrusted data, improper access control, and other security issues.

ASB-2023.0223 – ALERT Microsoft Windows: CVSS (Max): 9.8*

Microsoft has recently issued its monthly security patch update for November 2023. This update addresses a total of 32 vulnerabilities found in Windows and Windows Server. It is important to note that Microsoft has confirmed the active exploitation of CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

ESB-2023.6704 – VMware Cloud Director Appliance: CVSS (Max): 9.8

An authentication bypass vulnerability has been identified in VMware Cloud Director Appliance with the CVE identifier CVE-2023-34060. This vulnerability affects VMware appliances that have been upgraded to version 10.5 from a previous version. To address this issue, updates have been released by VMware.

Stay safe, stay patched and have a good weekend!

The AusCERT team