23 Feb 2024

Week in review


AUSCERT has noted a rise in the number of Critical MSINs sent to members. These proactive alerts are flagged for urgent attention so that high-priority risks can be mitigated quickly, particularly where AUSCERT has identified active exploitation of 0-day vulnerabilities.

CISA, together with its Five Eyes partner agencies, has issued a joint advisory, 'Identifying and Mitigating Living Off the Land Techniques' (LOTL). Cyber threat actors, including state-sponsored actors from the People’s Republic of China and the Russian Federation, have been observed using LOTL techniques to compromise critical infrastructure organisations and to maintain persistent access to them. The guide is written for network defenders and threat hunters and addresses the increasing prevalence of LOTL techniques across the broader cyber threat landscape. Because these techniques rely on tools and processes already present on a victim's systems, understanding and countering them is crucial to improving cyber security posture and reducing the risk posed by sophisticated adversaries.

In other recent developments, the Pall Mall Process declaration between the UK and France marks a significant step in addressing the proliferation and irresponsible use of commercial cyber intrusion capabilities. Cyber proliferation is the intentional or unintentional transfer of cyber capabilities between actors for the purpose of exploiting or attacking networks or devices. The Pall Mall Process is an international initiative aimed at exploring policy options and new practices to counter this shared threat. The NCSC’s recent blog post explains what the process signifies for the future. Take a moment to read it and stay informed; you can then “advance to GO”.

Are you aware of Australia's Online Safety Laws? While measures such as secure passphrases and two-factor authentication provide a strong defence against bad actors, it is equally important to report illegal and violent content online. To learn more, visit esafety.gov.au; these laws have your back!

Business risks are also important. The AUSCERT Cyber Security Risk Management course is designed to give participants the confidence to perform a risk assessment of cyber security risks, and the ability to rate, assess and report business risks. Framing cyber security issues as business risks, rather than just as technical vulnerability severity, makes it much easier to win business leader buy-in. Register today!

Here are some highlights from this week’s cyber security news, including the significant law enforcement takeover of the prolific multinational ransomware syndicate behind LockBit.

ConnectWise Rushes to Patch Critical Vulns in Remote Access Tool
Date: 2024-02-20
Author: SecurityWeek

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Enterprise IT software giant ConnectWise has released urgent patches for two critical security defects in its ScreenConnect remote desktop access product, warning there is high risk of in-the-wild exploitation.
The more serious of the two bugs is described as an “authentication bypass using an alternate path or channel” and carries the maximum CVSS severity score of 10/10.
A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”) was also fixed and tagged with a CVSS severity score of 8.4/10.
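The second ScreenConnect bug belongs to the path traversal weakness class (CWE-22). The following is an added illustration of that class in general, not ConnectWise's code and not a description of the ScreenConnect flaw: a naive path join beside a hardened resolver. The base directory, the sample inputs and the helper names are assumptions made for the example.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Assumed restricted directory for the example; it need not exist on disk.
BASE_DIR = Path("/srv/app/files")


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable pattern: join untrusted input under BASE_DIR with no check.

    Two classic failures are visible in the return value:
    - '../' segments walk out of BASE_DIR once the path is normalised;
    - an absolute input makes os.path.join discard BASE_DIR entirely.
    """
    return os.path.join(str(BASE_DIR), user_path)


def resolve_safe(user_path: str) -> Path:
    """Hardened pattern: decode, normalise, then verify containment.

    Decoding happens before the check so that an encoded '..%2F..' cannot
    slip past a containment test and be decoded later by another layer.
    Raises ValueError for anything that resolves outside BASE_DIR.
    """
    decoded = unquote(user_path)
    base = BASE_DIR.resolve()
    # resolve() collapses '..' and follows symlinks, so the comparison below
    # is made on the real final location rather than on the raw string.
    candidate = (base / decoded).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


def is_contained(user_path: str) -> bool:
    """True if the hardened resolver accepts the input, False otherwise."""
    try:
        resolve_safe(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign, three traversal attempts.
    for p in ["reports/q1.txt", "../../../etc/passwd", "/etc/passwd",
              "..%2F..%2F..%2Fetc%2Fpasswd"]:
        print(f"{p!r:35} unsafe -> {resolve_unsafe(p)!r:45} "
              f"safe accepts: {is_contained(p)}")
```

The containment test compares resolved `Path` objects rather than string prefixes; a prefix check on `/srv/app/files` would wrongly accept `/srv/app/files_backup/secret`.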

Over 28,500 Exchange servers vulnerable to actively exploited bug
Date: 2024-02-19
Author: Bleeping Computer

[Please see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0038/]
Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting.
Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable.

Tangerine Telecom says customer data of 232,000 affected by 'cyber incident'
Date: 2024-02-21
Author: iTnews

Tangerine Telecom, a challenger retail service provider, says a “legacy” customer database containing details of 232,000 current and former customers was accessed by an unknown party via exploitation of a contractor’s credentials.
The seller of NBN and mobile services said in a statement on Wednesday that “the unauthorised disclosure of certain personal information” occurred on Sunday, and that the management team had learned of the incident on Tuesday.

LockBit ransomware disrupted by global police operation
Date: 2024-02-19
Author: Bleeping Computer

Law enforcement agencies from 11 countries have disrupted the notorious LockBit ransomware operation in a joint effort known as "Operation Cronos".
According to a banner displayed on LockBit's data leak website, the site is now under the control of the National Crime Agency of the United Kingdom.

Government moves to expand SMS Sender ID registry
Date: 2024-02-19
Author: iTnews

Nine months after announcing it would require telcos to use a Sender ID Registry to combat SMS spam, the government has started consultation over whether the scheme should be mandatory or voluntary for Australia’s telcos.
The registry would create a controlled list of the numbers used by registered brand names.
This would prevent scammers from impersonating participants’ brands, since carriers would block texts using those brands unless the originating number is in the registry.

ASB-2024.0045.3 – UPDATE AUSCERT Bulletin Service

AUSCERT has recently updated its security bulletin infrastructure.

Notable changes include:
* removal of PGP-signing
* consolidation of operating system categories and tags to retire some end-of-life products and introduce some recent categories
* minor change to email subject line and headers due to a change of the underlying systems
* improved bulletin search facility on website

ESB-2024.1092 – Google Chrome: CVSS (Max): None

Google has released patches for several vulnerabilities for Google Chrome

ESB-2024.1099 – VMware Enhanced Authentication Plug-in (EAP): CVSS (Max): 9.6

VMware has addressed vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP)

ESB-2024.1102 – Atlassian Products: CVSS (Max): 8.5

Atlassian has released updates to several products which were impacted by various high-severity vulnerabilities

Stay safe, stay patched and have a good weekend!

The AusCERT team