23 Aug 2024

Week in review

Greetings,

For over a decade, the iTnews Benchmark Awards have celebrated the achievements of Australian IT leaders. This year, iTnews is introducing the inaugural Benchmark Awards: Security, a dedicated conference and awards program that honours leadership in cybersecurity across Australian businesses. The event will recognise CISOs, CSOs and senior cybersecurity leaders for their outstanding contributions, both to their security teams and to the broader organisation, in driving effective cybersecurity programs.

The 2024 Benchmark Security Awards will be presented at a Gala Dinner and Conference on October 16 in Sydney. The AUSCERT community has been invited to submit entries for various award categories. The deadline has been extended to August 30th. Click here to submit your entries today!

Microsoft has released a detailed timeline for its upcoming enforcement of multi-factor authentication (MFA) across its platforms. Starting in October 2024, MFA will be mandatory for Admin users accessing the Azure portal, Microsoft Entra admin centre, and Intune admin centre. Admins will receive emails and notifications to enable MFA for their accounts or face losing access to their paid services. Microsoft’s initiative underscores the growing need for enhanced security measures across all platforms.

AUSCERT published a blog post this week for its members and the broader community, urging organisations to implement MFA as an essential layer of security. MFA significantly strengthens protection by requiring multiple forms of identity verification, reducing the risk of unauthorised access. Adopting MFA is crucial for organisations to protect their data and maintain trust with stakeholders; implemented effectively, it helps them defend against cyber threats and better protect sensitive information. While MFA does not offer complete protection against all threats, it remains an essential component in reducing cybersecurity risk and safeguarding data.


Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover
Date: 2024-08-20
Author: Security Week

[AUSCERT has identified the potentially impacted members (where possible) and contacted them via email]
A critical vulnerability in the GiveWP WordPress plugin exposed over 100,000 websites to remote code execution and arbitrary file deletion attacks, WordPress security firm Defiant reports. Tracked as CVE-2024-5932 (CVSS score of 10/10), the bug is described as a PHP object injection via the deserialization of untrusted input from the ‘give_title’ parameter.

GitHub Enterprise Server vulnerable to critical auth bypass flaw
Date: 2024-08-21
Author: Bleeping Computer

[AUSCERT has identified the potentially impacted members (where possible) and contacted them via email]
A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.
The security issue is tracked as CVE-2024-6800 and received a severity score of 9.5 under the CVSS 4.0 standard. It is described as an XML signature wrapping problem that occurs when using the Security Assertion Markup Language (SAML) authentication standard with certain identity providers.

LiteSpeed Cache bug exposes millions of WordPress sites to takeover attacks
Date: 2024-08-21
Author: Bleeping Computer

[AUSCERT has identified the potentially impacted members (where possible) and contacted them via email]
A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over millions of websites after creating rogue admin accounts.
LiteSpeed Cache is open-source and the most popular WordPress site acceleration plugin, with over 5 million active installations and support for WooCommerce, bbPress, ClassicPress, and Yoast SEO.
The unauthenticated privilege escalation vulnerability (CVE-2024-28000) was found in the plugin's user simulation feature and is caused by a weak hash check in LiteSpeed Cache up to and including version 6.3.0.1.

Android Vulnerability Impacting Millions of Pixel Devices Worldwide
Date: 2024-08-16
Author: Cyber Security News

An Android package, “Showcase.apk,” preinstalled on a significant portion of Pixel devices since 2017, possesses extensive system permissions enabling remote code execution and package installation.
It fetches a configuration file via unsecured HTTP from a single US-based AWS domain, rendering it susceptible to tampering, while the combination of excessive privileges and insecure configuration exposes millions of Pixel devices to MITM attacks, facilitating malicious code injection and spyware infiltration.

PoC Exploit Released for Windows 0-Day Downgrade Attack
Date: 2024-08-20
Author: Cyber Security News

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0171/]
A proof-of-concept (PoC) exploit has been publicly released for a pair of critical zero-day vulnerabilities in Microsoft Windows that enable a novel “downgrade attack.” The flaws tracked as CVE-2024-38202 and CVE-2024-21302 were originally disclosed by SafeBreach researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32 earlier this month.
The vulnerabilities allow an attacker to manipulate the Windows Update process to stealthily downgrade a fully patched Windows system to an older, vulnerable state.

Azure domains and Google abused to spread disinformation and malware
Date: 2024-08-17
Author: Bleeping Computer

A clever disinformation campaign uses several Microsoft Azure and OVH cloud subdomains, as well as Google search, to promote malware and spam sites.
Android users receive a "new info related to…" Google search notification about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles.


ESB-2024.5343 – Zoom – CVSS (Max): 8.5

A buffer overflow vulnerability in several Zoom Workplace apps and clients could allow an authenticated user to escalate privileges via network access. This issue affects various platforms including Linux, Windows, macOS, iOS, and Android apps, as well as Zoom Rooms apps. Users should update to the latest version available to mitigate the risk.

ESB-2024.0495.2 – Jenkins (core) and Deliverables – CVSS (Max): 9.8

Jenkins has announced critical vulnerabilities, including CVE-2024-23897, which allows arbitrary file reads and potential remote code execution (RCE) due to unsafe CLI command handling. Updates to Jenkins versions 2.442 and LTS 2.426.3 are recommended to address these issues. Additionally, several plugins are affected, requiring updates to their latest versions for comprehensive protection.

ASB-2024.0171 – Microsoft Windows – CVSS (Max): 7.3

AUSCERT has issued a security bulletin highlighting critical zero-day vulnerabilities in Microsoft Windows: CVE-2024-38202 and CVE-2024-21302. These vulnerabilities enable downgrade attacks, allowing attackers to revert fully updated systems to a vulnerable state and exploit previously patched issues. Microsoft is developing a security update and has provided interim mitigation steps to protect affected customers.

ESB-2024.5429 – Google Chrome – CVSS (Max): 8.3

An urgent update for Google Chrome has been issued to address a critical zero-day vulnerability, CVE-2024-7971. The vulnerability is being actively exploited and poses significant risk, potentially allowing attackers to execute arbitrary code on compromised systems. Users are strongly advised to update their Chrome browsers immediately to the latest version to mitigate the threat.


Stay safe, stay patched and have a good weekend!

The AUSCERT team