21 Jun 2024

Week in review

Greetings,

We are thrilled to announce the release of another exciting episode of our podcast 'Share Today, Save Tomorrow'! In Episode 35: "Introducing Ivano", Anthony sits down with AUSCERT’s new General Manager, Ivano Bongiovanni, to discuss his career journey and future aspirations for AUSCERT. In the second half, Bek chats with Michael McAlary from AUSCERT about the recent makeover and improved user experience of the AUSCERT Member Portal, as well as future enhancements. Don't miss this insightful conversation!

In other news, the ongoing legal action brought by the Australian Information Commissioner has this week placed more details of the 2022 Medibank Private breach on the public record. It is alleged that one of the contributing causes was the failure to implement multi-factor authentication (MFA) for remote access users.

The Medibank story coincides with research released by Cisco Talos, which found MFA weaknesses in roughly half of the incidents it investigated in the first quarter of 2024. In 25% of incidents the underlying cause was users accepting attacker-generated push notifications (commonly called MFA fatigue or push bombing), and in a further 21% the MFA solution had been implemented incorrectly.
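As an added illustration of the push-fatigue pattern Talos describes (this is editorial example code, not from Talos, Medibank or AUSCERT), the following script runs a simple detection over a constructed set of MFA push log lines. The log format, field names, the ten-minute window and the threshold of three failed pushes are all assumptions chosen for the example; a real deployment would read the vendor's own schema and tune the thresholds. The rule fires when a user approves a push shortly after a run of denied or timed-out pushes, which is the signature of an attacker hammering a user until they tap "Approve".

```python
"""Detect MFA push-fatigue (push bombing) patterns in authentication logs.

Editorial example: the log format, field names and thresholds below are
assumptions for illustration, not any vendor's real schema or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one push outcome per line:
# "<timestamp> <user> <result> <source_ip>"
# alice: four refused/timed-out pushes in two minutes, then an approval.
# bob:   one refusal, then an unrelated approval ~38 minutes later.
SAMPLE_LOG = """\
2024-06-18T02:11:03Z alice denied 203.0.113.7
2024-06-18T02:11:31Z alice denied 203.0.113.7
2024-06-18T02:12:02Z alice timeout 203.0.113.7
2024-06-18T02:12:44Z alice denied 203.0.113.7
2024-06-18T02:13:10Z alice approved 203.0.113.7
2024-06-18T09:02:15Z bob denied 198.51.100.4
2024-06-18T09:40:00Z bob approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # assumption: look-back window before an approval
FAILED_PUSH_THRESHOLD = 3        # assumption: tune to the environment
NOT_APPROVED = {"denied", "timeout"}


def parse_line(line):
    """Split one constructed log line into (datetime, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_fatigue(log_text, window=WINDOW, threshold=FAILED_PUSH_THRESHOLD):
    """Return alerts as (user, approval_time, failed_pushes_before, source_ip).

    An alert fires when a user approves a push and at least `threshold`
    denied/timed-out pushes for that user occurred within `window` before it.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result, ip = parse_line(line)
            events[user].append((ts, result, ip))

    alerts = []
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        for i, (ts, result, ip) in enumerate(evs):
            if result != "approved":
                continue
            recent_failed = [
                e for e in evs[:i]
                if e[1] in NOT_APPROVED and ts - e[0] <= window
            ]
            if len(recent_failed) >= threshold:
                alerts.append((user, ts, len(recent_failed), ip))
    return alerts


if __name__ == "__main__":
    for user, ts, n, ip in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT push-fatigue user={user} approved_at={ts:%H:%M:%S} "
              f"failed_pushes_before={n} source={ip}")
```

On the constructed sample this flags alice (four refused pushes before the approval) and stays silent for bob, whose single refusal falls outside the pattern. In practice the alert should trigger an immediate session revocation and credential reset for the affected user, since an approval after a push storm means the password is already compromised; number matching or FIDO2 authenticators remove the push-fatigue vector altogether.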

Both of these news stories highlight the critical importance of integrating information security controls across the domains of people, processes, and technology. Security controls are only as effective as the people who design, implement and use them. Regular training and awareness programs ensure that employees understand the importance of security protocols, such as multi-factor authentication (MFA), and know how to respond to security threats. Explore our available training courses to enhance your knowledge of cybersecurity threats.


Critical Code Execution Vulnerabilities Patched in VMware vCenter Server
Date: 2024-06-18
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.3915/]
Broadcom-owned VMware has announced patches for several serious vCenter Server vulnerabilities that can allow remote code execution or privilege escalation.
Two heap-overflow vulnerabilities, tracked as CVE-2024-37079 and CVE-2024-37080 and classified as having critical severity, impact the implementation of the DCERPC protocol.

New Wi-Fi Takeover Attack—All Windows Users Warned To Update Now
Date: 2024-06-14
Author: Forbes

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0119/ ]
Microsoft has confirmed a new and quite alarming Wi-Fi vulnerability in Windows, which has been rated 8.8 out of 10 in terms of severity using the Common Vulnerability Scoring System. The vulnerability, assigned as CVE-2024-30078, does not require an attacker to have physical access to the targeted computer, although physical proximity is needed.

Ransomware Attacks Are Getting Worse
Date: 2024-06-15
Author: WIRED

Despite years' worth of efforts to eliminate the scourge of ransomware targeting schools, hospitals, and critical infrastructure worldwide, experts are warning that the crisis is only heating up, with criminal gangs growing ever more aggressive in their tactics. The threat of real-world violence now looms, some experts warn, as the data stolen grows increasingly sensitive and millions in potential profits hang in the balance. “We know where your CEO lives,” read a message reportedly received by one victim. Attacks targeting the medical sector are surging in response to the $44 million payout by Change Healthcare this March.

Australian businesses targeted in Russia-based phishing campaign
Date: 2024-06-14
Author: Cyber Daily

A security researcher with Sophos X-Ops – the security company’s threat response team – has outlined a widespread phishing campaign based in Russia that targeted almost 800 businesses, individuals, and even elections.
Throughout late 2023, a campaign that appears to have originated in Russia sent out more than 2,000 phishing emails in an attempt to steal login credentials and money via gift card scams.

Hackers use F5 BIG-IP malware to stealthily steal data for years
Date: 2024-06-17
Author: Bleeping Computer

A group of suspected Chinese cyberespionage actors tracked as 'Velvet Ant' is deploying custom malware on F5 BIG-IP appliances to maintain a persistent connection into the internal network and steal data.
According to Sygnia, which discovered the intrusion after being called in to investigate the attack, Velvet Ant established multiple footholds using various entry points across the network, including a legacy F5 BIG-IP appliance that served as an internal command and control (C2) server.


ESB-2024.3915 – VMware Products: CVSS (Max): 9.8

Broadcom has issued a security patch for VMware vCenter Server, a widely-used management platform, to fix critical and high-severity vulnerabilities such as CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081. AUSCERT has identified the affected members and issued a critical MSIN accordingly.

ASB-2024.0119 – Windows Wi-Fi Driver: CVSS (Max): 8.8

Microsoft has acknowledged a significant Wi-Fi vulnerability in Windows, which has received a severity rating of 8.8 out of 10. Designated as CVE-2024-30078, this vulnerability does not necessitate physical access to the targeted computer but does require physical proximity.

ESB-2024.3833 – Google Chrome: CVSS (Max): None

Mozilla has addressed a critical CVE in Firefox for iOS where, under certain conditions, a malicious website could display a spoofed location URL in the address bar, misleading users about which site they are actually visiting.

ASB-2024.0120 – Trellix IPS Manager: CVSS (Max) 9.8

Trellix has patched a critical security vulnerability in its Intrusion Prevention System (IPS) Manager, tracked as CVE-2024-5671. This flaw, caused by insecure deserialization in certain workflows, could allow unauthenticated remote attackers to execute arbitrary code, posing a severe risk to network security.

ESB-2024.3912 – Atlassian Products: CVSS (Max) 8.2

Atlassian has fixed nine high-severity vulnerabilities covering improper authorization, server-side request forgery and denial of service. Atlassian recommends upgrading to the latest versions to resolve these vulnerabilities.


Stay safe, stay patched and have a good weekend!

The AUSCERT Team