19 Jan 2024

Week in review

Greetings,

This week, AUSCERT has been busy finalising our member meet-up schedule for 2024! Keep an eye out for invitations coming out soon for a catch-up in your local area! They offer invaluable moments of sharing industry expertise, knowledge sharing, and the chance to connect with old friends while making new ones within the cyber security industry.

In cyber news this week, customers of some of Australia’s well-known brands including Dan Murphy’s, Binge, Guzman y Gomez, and Event Cinemas have fallen victim to a coordinated credential stuffing attack, affecting an estimated 15,000 customers. Scammers acquired stolen login details and are exploiting online accounts to conduct fraudulent transactions, accumulating thousands in online purchases. Prime Minister Anthony Albanese emphasized the critical importance of cyber awareness and security during the recent wave of cybercrimes, highlighting the significant threat to Australia and its economic security.

A credential stuffing attack like this one involves the use of large sets of username and password combinations obtained from previous data breaches to gain unauthorised access to user accounts on various online platforms. Attackers use automated tools or scripts to test stolen credentials to gain access into different websites or services. If the login attempt is successful, the attacker gains unauthorised access to the user’s account. Attackers may then exploit the compromised account for various malicious activities such as stealing personal information, making unauthorised transactions or launching further attacks.

Here are a few helpful tips to protect against credential stuffing attacks:

• Reuse of Credentials:
– While using strong passwords, passphrases, and password managers is crucial, it's equally important to avoid using the same credentials across multiple platforms. In the event of a data breach on one site or any alternative compromise, your username and password could be exposed, leaving you susceptible to credential-stuffing attacks on other sites.

• Enable Multi-Factor Authentication (MFA):
– If possible, enabling MFA adds an additional layer of security by requiring a second form of verification along with password.

• Regularly Update Passwords:
– Users should regularly update their passwords to reduce the risk associated with compromised credentials.

• Rate Limiting & CAPTCHA:
– Online platforms can implement rate limiting to detect and prevent multiple logins. Additionally CAPTCHA challenges can help stop automated attempts.

The above steps are simple ways to enhance your cyber security posture for 2024!


GitLab warns of critical zero-click account hijacking vulnerability
Date: 2024-01-12
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
[Also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0272]
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. The vendor strongly recommends updating as soon as possible all vulnerable versions of the DevSecOps platform (manual update required for self-hosted installations) and warns that if there is "no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

Patch now: Critical VMware, Atlassian flaws found
Date: 2024-01-16
Author: The Register

[AUSCERT has identified the impacted members for Confluence products (where possible) and contacted them via email]
[Also see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2024.0290 (Confluence) and https://portal.auscert.org.au/bulletins/ESB-2024.0292 (VMware)]
VMware and Atlassian today disclosed critical vulnerabilities and, while neither appear to have been exploited by miscreants yet, admins should patch now to avoid disappointment.
First off, a pair of issues from Atlassian. Most serious is CVE-2023-22527, a template injection flaw that can allow unauthenticated remote code execution (RCE) attacks. It scored a perfect CVSS rating of 10 out of 10 and affects Confluence Data Center and Server 8 versions released before December 5, 2023 and 8.4.5, which no longer receives fixes.

Over 178K SonicWall firewalls vulnerable to DoS, potential RCE attacks
Date: 2024-01-15
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Security researchers have found over 178,000 SonicWall next-generation firewalls (NGFW) with the management interface exposed online are vulnerable to denial-of-service (DoS) and potential remote code execution (RCE) attacks.
These appliances are affected by two DoS security flaws tracked as CVE-2022-22274 and CVE-2023-0656, the former also allowing attackers to gain remote code execution.

Google Warns of Chrome Browser Zero-Day Being Exploited
Date: 2024-01-16
Author: Security Week

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0293]
Google has pushed out an urgent Chrome browser update to fix a trio of high-severity security defects and warned that one of the bugs is already being exploited in the wild.
The exploited zero-day, tagged as CVE-2024-0519, is described as an out-of-bounds memory access issue in the V8 JavaScript engine.
As is customary, Google did not provide any additional details on scope of the observed attacks or share telemetry to help defenders hunt for signs of compromise.

Citrix warns of new Netscaler zero-days exploited in attacks
Date: 2024-01-16
Author: Bleeping Computer

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0318]
Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities.
The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively.
However, to gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access.

Have I Been Pwned adds 71 million emails from Naz.API stolen account list
Date: 2024-01-17
Author: Bleeping Computer

Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service.
The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware.


ASB-2024.0027 – Oracle MySQL: CVSS (Max): 9.8

Oracle has identified multiple vulnerabilities in MySQL and advised that 12 of the vulnerabilities may be remotely exploitable without authentication.

ESB-2024.0318 – NetScaler: CVSS (Max): 8.2

Citrix has warned of two critical zero-day vulnerabilities that have active exploitations in the wild. Tracked as CVE-2023-6548 and CVE-2023-6549, the vulnerabilities allow remote code execution and denial-of-service attacks on the affected devices.

ESB-2024.0293 – Google Chrome: CVSS (Max): 7.5

Google has pushed out an urgent Chrome browser update to fix three high-severity security defects and advised that one of the bugs, tracked as CVE-2024-0519 is already being exploited in the wild.

ESB-2024.0292 – VMware Products: CVSS (Max): 9.9

Tagged as CVE-2023-34063, missing access control problem in Aria Automation earlier of 8.16 has been reported. With a CVSS rating of 9.9 this flaw may allow unauthorized access to remote organizations and workflows.

ESB-2024.0290 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 10.0

Template injection flaw that can allow unauthenticated remote code execution has been identified in Confluence Data Center and Server. Tracked as CVE-2023-22527, the flaw scored a CVSS rating of 10 out of 10.

ESB-2024.0272 – ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0

GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities. The most critical issue is the account hijacking with no user interaction vulnerability with the maximum severity score and is being tracked as CVE-2023-7028.


Stay safe, stay patched and have a good weekend!

The AUSCERT team