19 Apr 2024

Week in review


With less than 5 weeks until AUSCERT2024, this week marks your final chance to secure sponsorship packages! Act quickly, as only a limited number is still available. Don’t miss out on maximizing your exposure at the conference – explore our branding packages too!

We are delighted to announce the esteemed presence of Piotr Kijewski as one of our keynote speakers this year! Piotr holds the distinguished positions of CEO and Trustee at the Shadowserver Foundation, a non-profit organisation dedicated to enhancing Internet security. For over 15 years, the Shadowserver Foundation has been actively providing invaluable daily cyber threat intelligence feeds to over 201 National CSIRTs across 175 countries and territories. Moreover, they have extended their services to support over 8000 other organisations worldwide, including sectoral CSIRTs, ISPs, CSPs, hosting providers, enterprises, banks, academia, hospitals, SMEs, and more!

Piotr’s session will delve into how Shadowserver operated as a large-scale information collection and sharing project, collaborating with the global cyber security defender community. He will take audience members behind the scenes, sharing the insights into their journey in recent years as they strive for sustainability, particularly after the loss of their long-term primary sponsor. Piotr will conclude by outlining his vision for advancing global cyber security while remaining true to the principles of free threat intelligence sharing.

In recent cyber-related news, Palo Alto Networks encountered a vulnerability in the GlobalProtect feature of its PAN-OS software last Friday. This vulnerability, specific to certain PAN-OS versions and distinct feature configurations, poses a significant risk, potentially allowing an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto Networks offered mitigation strategies to be promptly implemented until permanent fixes could be applied.

The AUSCERT analyst team responded swiftly to ensure our members were promptly informed. They issued bulletin ESB-2024.2280 detailing the vulnerability on the same day and shared IoCs via our MISP platform. Additionally, security alerts were issued to the potentially affected members .

This incident serves as a reminder for our members to remain vigilant and act swiftly when such incidents occur, to reduce risks effectively.

Ivanti warns of critical flaws in its Avalanche MDM solution
Date: 2024-04-16
Author: Bleeping Computer

[AUSCERT utilised third-party search engines to identify and alert any impacted members. If you use Avalanche mobile device management (MDM) solution, we recommend patching according to the vendor's guidelines]
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.

Cisco Duo warns that breach exposed phone numbers, phone carriers, metadata and other logs that could lead to downstream social engineering attacks.
Date: 2024-04-15
Author: Security Week

Cybersecurity vendor Cisco on Monday warned that hackers broke into an unidentified telephony supplier used to send Duo MFA SMS messages and stole log data that could be used in downstream attacks.
According to a customer notice from the Cisco Data Privacy and Incident Response Team, the breach exposed phone numbers, phone carriers, metadata and other logs that could lead to phishing and social engineering attacks.

Cisco warns of large-scale brute-force attacks against VPN services
Date: 2024-04-16
Author: Bleeping Computer

[AUSCERT has created a MISP event sharing IoCs from this brute force campaign]
Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.
A brute force attack is the process of attempting to log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to the internal network.

Warnings of fake invoice scams after nearly 800,000 records exposed
Date: 2024-04-17
Author: Sky News

Experts have issued a fresh warning about scams involving fake invoices, after a data leak affecting a leading Australian smoke alarm company left customer records exposed online for months.
In an unusual twist, an email viewed by Sky News indicates the company knowingly left the database open after learning it was publicly accessible.
In January, independent cybersecurity researcher Jeremiah Fowler discovered a non-password protected database belonging to Smoke Alarm Solutions.

CISA orders agencies impacted by Microsoft hack to mitigate risks
Date: 2024-04-11
Author: Bleeping Computer

CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group.
Emergency Directive 24-02 was issued to Federal Civilian Executive Branch (FCEB) agencies on April 2. It requires them to investigate potentially affected emails, reset any compromised credentials (if any), and take measures to secure privileged Microsoft Azure accounts.

PoC Released For Critical Zero-Click Windows Vulnerability
Date: 2024-04-15
Author: Cyber Security News

[Please also see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2023.0055/]
Microsoft’s wide reach as a target prompted attackers to carry out intensive studies on the vulnerabilities and mitigation tools of their products and protocols.
This resulted in a new remote code execution (RCE) WinAPI CreateUri function vulnerability, introduced as part of the CVE-2023-23397 patch.
Unlike the previous two-vulnerability RCE chain, this flaw enables zero-click RCE exploitation.

ASB-2024.0085 – Oracle Communications Applications: CVSS (Max): 9.8

Oracle Communications received a total of 93 security patches this month during Oracle’s April 2024 CPU, with 71 of them specifically targeting flaws that can be exploited remotely without requiring authentication.

ASB-2024.0072 – PuTTY: CVSS (Max): None

The PuTTY developers have issued an update to address a critical vulnerability that could be used to retrieve secret keys. Versions 0.68 to 0.80 of PuTTY are impacted, but the vulnerability has been resolved in PuTTY 0.81.

ESB-2024.2383 – Cisco Integrated Management Controller (IMC): CVSS (Max): None

Cisco has issued patches for a high-severity Integrated Management Controller (IMC) vulnerability with public exploit code that enables local attackers to elevate privileges to root. Tracked as CVE-2024-20295, this security flaw is caused by insufficient validation of user-supplied input, a weakness that can be exploited using crafted CLI commands as part of low-complexity attacks.

ESB-2024.2280.3 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0

Palo Alto Networks recently released a critical alert regarding a vulnerability in the PAN-OS software used in its firewall and VPN products. This command-injection flaw, rated with a top CVSS severity score of 10 out of 10, could potentially allow an unauthenticated attacker to execute remote code with root privileges on a compromised gateway.

ESB-2024.2366 – Google Chrome: CVSS (Max): None

Google has released security updates to fix over 35 vulnerabilities in their browsers, including twelve high-severity issues. Chrome version 124 has been released in the stable channel, containing fixes for 22 bugs, with 13 of them identified by external researchers.

Stay safe, stay patched and have a good weekend!

The AusCERT team