20 Sep 2024

Week in review

Greetings,

With school holidays upon us, many of us have little ones running wild and free – sometimes even on the internet! It's important to teach them about online safety, especially since holidays are a common time for criminals to launch phishing campaigns. Some of these scams target children by offering attractive games, promotions, or advertisements designed to entice them into clicking on malicious links or sharing personal information.

To keep children safe online, take proactive steps to secure devices by keeping software up to date. Additionally, educate kids about the dangers of interacting with unknown links and the importance of protecting their personal information. Encourage them to speak up if they encounter anything suspicious or feel uncomfortable about an online interaction. By fostering open communication and awareness, we can help children navigate the internet safely and confidently, even during the busiest holiday seasons.

AUSCERT's Sensitive Information Alerts (SIAs) are changing! From Wednesday 26th September, SIAs will no longer be emailed as an encrypted file. Instead, SIA emails will contain a unique URL to the AUSCERT Member Portal where you can generate a temporary link to download the file. This removes the need for encrypted files and will streamline the process!

Please note that only an organisation's privileged users will initially have access to download SIAs. Those users can grant access to other users in the organisation by assigning the SIA role to them under the Settings/Users & Roles menu option. Privileged users will be able to check this setting a few days before the go-live date next week.

To open any historical SIAs issued before the changeover, members will need to retrieve the symmetric key from the Member Portal and decrypt the file with PGP-compatible software such as GnuPG. Follow the link to the encryption keys page and match the thread ID with the received message. Import the decryption key into the encryption software, then select the encrypted file and decrypt it using the software's decrypt option.


Windows vulnerability abused braille “spaces” in zero-day attacks
Date: 2024-09-15
Author: Bleeping Computer

[Please see AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ASB-2024.0176/, https://portal.auscert.org.au/bulletins/ASB-2024.0175/]
A recently fixed "Windows MSHTML spoofing vulnerability" tracked under CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group.
When first disclosed as part of the September 2024 Patch Tuesday, Microsoft had not marked the vulnerability as previously exploited. However, on Friday, Microsoft updated the CVE-2024-43461 advisory to indicate it had been exploited in attacks before it was fixed.

CISA warns of hackers exploiting bug for end-of-life Ivanti product
Date: 2024-09-13
Author: CyberScoop

An end-of-life version of Ivanti’s cloud IT service management software has a recently disclosed vulnerability that the Cybersecurity and Infrastructure Security Agency says is being exploited.
CISA warned that organizations outfitted with Ivanti’s Cloud Service Appliance version 4.6 and below are being targeted by hackers and the bug has been added to the known exploited vulnerabilities (KEV) list. The Utah-based company said on Friday that a “limited number of customers” have confirmed exploitation but did not provide further details.

CVE-2024-45186: FileSender Vulnerability Poses Risk to User Credentials, Immediate Action Required
Date: 2024-09-13
Author: Security Online

A severe security flaw has been identified in FileSender, the popular web-based application that allows authenticated users to securely send large files. The vulnerability, classified as CVE-2024-45186, was discovered by security researcher Jonathan Bouman. This server-side template injection vulnerability allows non-authenticated users to retrieve server credentials, putting sensitive data and systems at risk.

Australia Faces Surge in Data Breaches to Highest Level in 3.5 Years
Date: 2024-09-16
Author: The Cyber Express

The Office of the Australian Information Commissioner (OAIC) has released new statistics revealing that the first half of 2024 saw the highest number of data breach notifications in three and a half years. From January to June 2024, the OAIC report stated that it received 527 notifications of data breaches—a notable increase of 9% compared to the previous six months and the highest since the second half of 2020 in Australia.
Cybersecurity incidents continue to be the leading cause of data breaches, accounting for 38% of all reported cases.

CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities
Date: 2024-09-18
Author: Security Week

The US cybersecurity agency CISA and the FBI have issued a Secure by Design alert on the prevalence of cross-site scripting (XSS) vulnerabilities, urging organizations to eliminate them from their products.
XSS flaws, the two agencies note in the alert (PDF), exist because user input is not properly validated, sanitized, or escaped, which allows threat actors to inject malicious scripts into web applications, leading to data manipulation, theft, or misuse.
“Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures,” CISA and the FBI note.
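As an added illustration of the alert's point (example code written for this page, not the CISA/FBI alert's or any product's), the block below puts a blocklist-style input sanitiser beside context-aware output encoding and runs constructed payloads through both: the filter stops only the one tag it knows about, while encoding at the point of output neutralises all of them, including an attribute breakout that contains no tag at all. The sanitiser, renderers and payloads are assumptions for illustration.

```python
"""Added example (not the CISA/FBI alert's or any product's code): a
blocklist "sanitizer" beside context-aware output encoding, with
constructed payloads showing where the blocklist fails."""
import html
import re
from typing import Callable

# A naive input sanitiser of the kind the alert warns against: it strips
# <script> tags and nothing else. Assumed for illustration only.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_sanitize(user_input: str) -> str:
    """Blocklist filter: one pass removing <script ...> and </script>."""
    return _SCRIPT_TAG.sub("", user_input)


def render_vulnerable(name: str) -> str:
    """Reflects sanitised but unencoded input into an HTML text node."""
    return f"<p>Hello, {naive_sanitize(name)}!</p>"


def render_hardened(name: str) -> str:
    """Encodes for the HTML text context at the point of output."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attr_vulnerable(value: str) -> str:
    """Same blocklist, but the output context is a quoted attribute."""
    return f'<input value="{naive_sanitize(value)}">'


def render_attr_hardened(value: str) -> str:
    """Attribute context: quotes must be encoded too (quote=True does this)."""
    return f'<input value="{html.escape(value, quote=True)}">'


# Constructed payloads (not taken from any real campaign).
PAYLOADS = [
    "<script>alert(1)</script>",                   # the only thing the blocklist catches
    "<img src=x onerror=alert(1)>",                # no <script> tag, so it passes untouched
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # single-pass removal reassembles <script>
]
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'  # no tag at all: breaks out of the attribute


def reflects_tag(renderer: Callable[[str], str], payload: str) -> bool:
    """True if a script or img tag survives into the rendered HTML."""
    return re.search(r"<(script|img)\b", renderer(payload), re.IGNORECASE) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}: vulnerable={reflects_tag(render_vulnerable, p)} "
              f"hardened={reflects_tag(render_hardened, p)}")
    print(render_attr_vulnerable(ATTR_PAYLOAD))
    print(render_attr_hardened(ATTR_PAYLOAD))
```

The nested-tag payload is reassembled into a working script tag by the single-pass filter itself, which is exactly why the agencies describe sanitisation alone as not infallible; encoding for the specific output context (text node, attribute, URL, script) is the measure that holds regardless of what the input looks like, and a Content Security Policy adds a second layer behind it.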

Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks
Date: 2024-09-16
Author: The Hacker News

Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials.
"Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto Networks Unit 42 researchers Yu Zhang, Zeyu You, and Wei Wang said.
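The mechanism described above, as an added example that is not Unit 42's code or part of the newsletter: a small checker that parses a raw HTTP response, extracts any Refresh header and reports why the redirect looks suspicious. The sample responses, hostnames and the indicator heuristics (cross-origin target, zero delay, empty body, e-mail-like token in the URL) are constructed assumptions for illustration.

```python
"""Added example (not Unit 42's code): parse a raw HTTP response and flag
a Refresh header that sends the browser elsewhere before the body is
ever rendered. Sample responses below are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw response into status line, headers (names lower-cased) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_refresh(value: str) -> Optional[Tuple[float, str]]:
    """Parse 'DELAY; url=TARGET' (case-insensitive 'url=', optional quotes)."""
    delay_str, _, target = value.partition(";")
    try:
        delay = float(delay_str.strip())
    except ValueError:
        return None
    target = target.strip()
    if target[:4].lower() == "url=":
        target = target[4:].strip().strip("'\"")
    return delay, target


def analyse(raw: bytes, served_host: str) -> Optional[dict]:
    """Return None when there is no usable Refresh header, otherwise the parsed
    redirect plus a list of indicators. The heuristics are assumptions."""
    _, headers, body = parse_response(raw)
    refresh = next((v for k, v in headers if k == "refresh"), None)
    if refresh is None:
        return None
    parsed = parse_refresh(refresh)
    if parsed is None:
        return None
    delay, target = parsed
    parts = urlsplit(target)
    indicators = []
    if parts.netloc and parts.netloc.lower() != served_host.lower():
        indicators.append("cross-origin redirect")
    if delay == 0:
        indicators.append("immediate redirect")
    if "@" in parts.fragment or "@" in parts.query:
        # Assumption: an e-mail-like token carried in the URL is used to
        # pre-fill the victim's identity on the spoofed login page.
        indicators.append("address-like token in URL")
    if not body.strip():
        # Header-driven redirect with nothing to render: HTML-only inspection sees nothing.
        indicators.append("empty body")
    return {"delay": delay, "target": target, "indicators": indicators}


# Constructed samples (documentation-style hostnames, no real sites).
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body>Hello</body></html>")
LEGIT_REFRESH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Refresh: 5; url=/status\r\n\r\n<p>Reloading...</p>")
PHISH = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         b"Refresh: 0; url=https://login-portal.example/#victim@example.com\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("legit", LEGIT_REFRESH), ("phish", PHISH)]:
        print(label, analyse(sample, "tracker.example.net"))
```

Because the browser acts on the Refresh header before it parses the body, proxies and sandboxes that inspect only HTML content never see the redirect; the response headers are where this detection has to run.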


ESB-2024.6010 – GitLab: CVSS (Max): 10.0

GitLab has released new versions (17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10) of both Community and Enterprise Editions, containing bug fixes and addressing security vulnerabilities, including a critical SAML authentication bypass. All users with self-managed installations are strongly urged to upgrade immediately.

ESB-2024.5955 – Google Chrome: CVSS (Max): None

Google has announced the release of Chrome 129, available for Windows, Mac, and Linux users, fixing nine vulnerabilities, including a high-severity flaw in V8. Users are urged to update their browsers to benefit from these security improvements and performance enhancements.

ESB-2024.5949 – VMware vCenter Server: CVSS (Max): 9.8

Broadcom has issued fixes for two critical vulnerabilities in VMware vCenter Server, which could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813) when triggered by specially crafted network packets. While Broadcom states there are no known active exploits for CVE-2024-38812, they urge organizations to promptly update to the patched versions. Both vulnerabilities affect vCenter Server versions 8.0 and 7.0, as well as VMware Cloud Foundation versions 5.x and 4.x.

ESB-2024.5932 – iOS 18 and iPadOS 18: CVSS (Max): 9.1*

Apple has released iOS 18 and iPadOS 18, addressing several security vulnerabilities that could allow unauthorised access to sensitive data or cause system malfunctions. Key issues include Siri flaws through which someone with physical access to the device could reach contacts and other user data. Additional vulnerabilities could lead to denial-of-service conditions and data leaks.

ESB-2024.5900 – Citrix Workspace app for Windows: CVSS (Max): 7.0

Citrix has issued security updates for two vulnerabilities (CVE-2024-7889 and CVE-2024-7890) in the Citrix Workspace app for Windows, which could allow a local attacker to escalate privileges to SYSTEM on an affected machine. Affected versions include Current Release (CR) before 2405 and Long Term Service Release (LTSR) prior to 2402 LTSR CU1. Citrix advises users to upgrade to patched versions immediately and to follow its security best practices. The U.S. CISA also urges prompt application of these updates.


Stay safe, stay patched and have a good weekend!

The AUSCERT team