18 Oct 2024

Week in review

Greetings,

This week, our team participated in the 19th ASEAN CERT Incident Drill (ACID), organised by the Cyber Security Agency of Singapore (CSA) under the theme "Navigating the Rise of AI-Enabled Cyber Attacks."
With the rapid adoption of Artificial Intelligence (AI) technologies, the threat of AI-powered cyberattacks is growing quickly. These attacks include using machine learning to profile targets and select the techniques most likely to compromise an organisation's defences. As generative AI tools enable increasingly sophisticated attacks, defenders face mounting challenges in detecting and mitigating these threats.

ACID, an annual drill hosted by Singapore since 2006, tests incident response procedures and strengthens cybersecurity preparedness and cooperation among CERTs from ASEAN Member States and ASEAN Dialogue Partners. Teams from across the region, including AUSCERT, participated in this year’s exercise, reinforcing regional collaboration in combating evolving cyber threats.

Additionally, a few members of our team travelled to Sydney to attend the inaugural iTnews Benchmark Awards: Security. For over a decade, the iTnews Benchmark Awards have recognised IT leaders across Australia. This year, a new category was introduced to celebrate leadership in cybersecurity. CISOs, CSOs, and senior cybersecurity leaders were honoured for their outstanding leadership in their organisations and their efforts to drive effective cybersecurity programs.

While in Sydney, our team also participated in a session co-hosted by AUSCERT, WTW, and Ethan Global. The session provided valuable insights into holistic cyber risk management strategies, drawn from real-life case studies. Our general manager, Ivano Bongiovanni, was a panellist alongside industry thought leaders and experienced practitioners, discussing key developments in legal and regulatory changes, prioritising cyber investments, and effective reporting. It was an excellent event!

To our Melbourne members: this event is coming your way on Thursday, 31 October! Spaces are still available—don’t miss out! Register here


ASIC warns of identity theft leading to stolen shares
Date: 2024-10-15
Author: Cyber Daily

The Australian Securities and Investments Commission is warning investors to be on the lookout following a “significant increase” in reports of identity theft leading to shares being stolen or sold off without the victims being aware.
According to ASIC, ongoing data breaches that have compromised the personal data of a large number of Australians are leading to fraudsters being able to successfully use stolen identities to access shares illegally.

HashiCorp Cloud Vault Vulnerability Lets Attackers Escalate Privileges
Date: 2024-10-13
Author: Cyber Security News

HashiCorp, a leading provider of cloud infrastructure automation software, has disclosed a critical security vulnerability in its Vault secret management platform.
The flaw, identified as CVE-2024-9180, could allow privileged attackers to escalate their privileges to the highly sensitive root policy, potentially compromising the entire Vault instance.

Thousands of Fortinet Devices Remain Exposed to RCE CVE-2024-23113 Vulnerability
Date: 2024-10-13
Author: Security Online

[A Shadowserver report (MSIN) has been sent to the potentially exposed members]
[Also see AUSCERT's bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0851.2]
A recent report from the Shadowserver Foundation has revealed a concerning number of Fortinet devices remain vulnerable to a critical remote code execution (RCE) vulnerability, despite patches being available for months and active exploitation in the wild.

VMware Patches High-Severity SQL Injection Flaw in HCX Platform
Date: 2024-10-16
Author: Security Week

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.6776/]
VMware on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform.
The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager.
“A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor.

NAB, Vodafone and Microsoft listed in alleged Cisco data breach
Date: 2024-10-15
Author: Cyber Daily

Cisco is a network hardware and software manufacturer, best known for the production of its routers.
In a post on a popular cyber crime forum, threat actor IntelBroker said it gained access to Cisco’s systems on 6 October, stealing large amounts of data belonging to it and its customers.
Data allegedly includes “Github projects, Gitlab Projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!”

Education under siege: How cybercriminals target our schools
Date: 2024-10-10
Author: Microsoft

The cyberthreats that Microsoft observes across different industries tend to be compounded in education, and threat actors have realized that this sector is inherently vulnerable. With an average of 2,507 cyberattack attempts per week, universities are prime targets for malware, phishing, and IoT vulnerabilities.

SolarWinds Web Help Desk flaw is now exploited in attacks
Date: 2024-10-16
Author: Bleeping Computer

CISA has added three flaws to its 'Known Exploited Vulnerabilities' (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024. SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations.


ASB-2024.0190 – CSA Advisory: SVR cyber operations

A joint advisory has been released outlining the tactics, techniques and procedures (TTPs) used by Russia's Foreign Intelligence Service (SVR) in recent cyber operations. It highlights the significant threat SVR activity poses to national security and critical infrastructure, stressing the importance of vigilance and proactive defence. The advisory also recommends key mitigations that network defenders can apply to counter these threats effectively.

ESB-2024.6776 – VMware HCX: CVSS (Max): 8.8

VMware has addressed a high-severity SQL injection vulnerability in its HCX platform that allows an authenticated user without administrator privileges to execute code remotely on the HCX manager. The flaw affects versions 4.8.x, 4.9.x, and 4.10.x. VMware advises users to update to the patched versions 4.8.3, 4.9.2, and 4.10.1 to mitigate the risk.

ESB-2024.6720 – Mozilla Firefox: CVSS (Max): None

CVE-2024-10004 is a vulnerability in Firefox for iOS affecting versions below 131.2. Disclosed by Mozilla, the flaw causes an HTTP website opened from an external link to incorrectly display the HTTPS padlock icon if the browser was previously closed with an HTTPS tab open. This misleading indicator can lead users to believe a non-secure site is secure, increasing the risk of data interception or phishing. Mozilla urges users to update to version 131.2 or later to address this issue.

ESB-2024.6701 – Google Chrome: CVSS (Max): None

Google has released Chrome 130, fixing 17 security vulnerabilities, including the high-severity use-after-free flaw CVE-2024-9954 in the AI component. The update, which also addresses several medium-severity issues, is being rolled out to Windows, Mac, and Linux users, who are urged to update their browsers promptly.

ESB-2024.6667 – Splunk Enterprise: CVSS (Max): 8.8

Splunk has released fixes for 11 vulnerabilities in Splunk Enterprise. The most severe, CVE-2024-45733, involves an insecure session storage configuration that allows a low-privileged, non-admin user to execute code remotely. Only Windows instances running Splunk Web are affected; users of those instances are advised to update.

ESB-2024.6621 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 10.0

Exploit code has been released for CVE-2024-45409, a critical authentication bypass affecting self-managed GitLab installations that use SAML authentication. The flaw lets an unauthenticated attacker forge a SAML response that passes signature validation and log in as any user. GitLab urges administrators to upgrade to a fixed version immediately to prevent exploitation.


Stay safe, stay patched and have a good weekend!

The AUSCERT team