//Week in review - 25 Jan 2024

Greetings,

We have released a new podcast episode titled Security Culture. In this episode, Anthony sits down with Daisy Wong, AUSCERT's Diversity and Inclusion Champion for 2023, to talk about the unique experience and background that have helped her become a security culture advocate and champion. In the second half of the episode, Bek sits down with David Stockdale, Director of AUSCERT, for an exciting announcement about a new recruitment opportunity for a General Manager at AUSCERT. Applications close this Sunday, January 28, so if you're interested, apply today!

This week, the Australian federal government took decisive action by officially identifying and imposing sanctions on Russian citizen Aleksandr Ermakov over his alleged involvement in the Medibank cyber attack. This ground-breaking move is the government's first cyber crime sanction against a perpetrator, and it sends a clear message that anonymity and impunity will not be tolerated in Australian cyberspace.

The Medibank cyber attack, which occurred in 2022, had severe repercussions: the unauthorized acquisition of 9.7 million records and a staggering financial toll of $46.4 million on the insurer during the 2022-2023 financial year. This enforcement action underscores the government's commitment to holding individuals accountable for cyber offences and is a pivotal step in addressing the escalating challenges posed by cyber threats.

The action aligns with the commitment set out in the 2023-2030 Australian Cyber Security Strategy to both deter and respond to malicious cyber activity through the strategic use of sanctions. Such measures underscore the need for robust cybersecurity initiatives and signal a proactive approach to safeguarding against future cyber threats.

Finally, if you are looking for some reading over the long weekend, we highly recommend a publication by two friends of AUSCERT, UQ Senior Lecturer Ivano Bongiovanni and UQ Research Officer Bert Valkenburg. They recently published a systematic review of the literature on the Three Lines Model (TLM). The review contains practical guidance for organizations interested in adopting the TLM as a cyber governance framework, and offers reflections on current industry trends such as the evolution of the CISO's role and increased involvement by senior executives.


Progress Software patches critical OpenEdge vulnerability
Date: 2024-01-22
Author: iTnews

Progress Software has disclosed a critical vulnerability in several versions of its Progress Application Server in OpenEdge (PASOE) software.
According to an advisory, CVE-2023-40051 affects OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0.
“An attacker can formulate a request for a web transport that allows unintended file uploads to a server directory path on the system running PASOE," the advisory states.

New NTLM Hash Leak Attacks Target Outlook, Windows Programs
Date: 2024-01-22
Author: Security Week

[AUSCERT has identified impacted members (where possible) and contacted them via email]
Data security firm Varonis has disclosed a new vulnerability and three attack methods for obtaining NTLM v2 hashes by targeting Microsoft Outlook and two Windows programs.
The new vulnerability is tracked as CVE-2023-35636. It has been assigned an ‘important’ severity rating by Microsoft, which fixed it with its December 2023 Patch Tuesday updates. The remaining issues have been assigned a ‘moderate’ severity rating and currently remain unpatched, Varonis said.

Mother of all breaches – a historic data leak reveals 26 billion records: check what's exposed
Date: 2024-01-24
Author: Cyber News

The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered. There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.

Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks
Date: 2024-01-18
Author: Security Week

The Rapid SCADA open source industrial automation platform is affected by several vulnerabilities that could allow hackers to gain access to sensitive industrial systems, but the flaws remain unpatched.
The US cybersecurity agency CISA published an advisory last week to inform industrial organizations about seven vulnerabilities discovered by Claroty researchers in Rapid SCADA.
Rapid SCADA is advertised as ideal for developing monitoring and control systems, particularly industrial automation and IIoT systems, energy accounting systems, and process control systems.

High-Severity Vulnerability Patched in Splunk Enterprise
Date: 2024-01-23
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Splunk on Monday announced patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances.
Tracked as CVE-2024-23678, the high-severity flaw is described as an issue related to incorrect sanitization of path input data resulting in “the unsafe deserialization of untrusted data from a separate disk partition on the machine”.
Deserialization of untrusted data is a type of vulnerability allowing for the use of malformed data to cause denial of service, abuse application logic, or execute arbitrary code.
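The Splunk flaw itself lies in Windows path handling that the article only summarises, so the following is a generic illustration rather than Splunk's code. It is an added Python example written for this review: it shows why a loader that lets the data name a callable is a code-execution primitive, and the allowlisted unpickler that closes the hole. The class names, the sample records and the harmless stand-in for the attacker's payload are all constructed for the example.

```python
"""Added example (not Splunk's code): what 'deserialization of untrusted data'
means in practice, using Python's pickle. The same pattern applies to any
serializer that lets the data name the class or callable to reconstruct."""
import io
import os
import pickle
from collections import OrderedDict


class Malicious:
    """Constructed attacker object. pickle records the callable and arguments
    returned by __reduce__, and the loader CALLS them while rebuilding the
    object. os.getpid is a harmless stand-in for os.system("...")."""

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_blob():
    """What an attacker would plant on the disk, share or request the loader reads."""
    return pickle.dumps(Malicious())


def unsafe_load(blob):
    """The vulnerable pattern: loads whatever the bytes describe, running any
    callable named in them. Returns the callable's result (here, our own PID)."""
    return pickle.loads(blob)


# Only the types the application legitimately stores. Everything else is refused
# before any code runs, because find_class() is consulted before the call.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob):
    """Hardened form: allowlisted unpickler. Still prefer a data-only format
    such as JSON when the schema permits it."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Run the malicious blob through both loaders and a benign record through the safe one."""
    blob = build_malicious_blob()
    ran = unsafe_load(blob) == os.getpid()   # True: the blob's callable executed
    try:
        safe_load(blob)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    # Constructed benign record of the only allowlisted type.
    benign = safe_load(pickle.dumps(OrderedDict(user="alice", role="viewer")))
    return {"unsafe_ran": ran, "restricted_refused": refused, "benign": dict(benign)}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the damage is done at load time, not when the object is used, so validating the result after `loads()` is too late; the decision has to be made in `find_class()`, or by not using a code-bearing format at all.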

Exploit released for Fortra GoAnywhere MFT auth bypass bug
Date: 2024-01-23
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations transfer files securely with partners and keep audit logs of who accessed all shared files.


ESB-2024.0386 – VMWare: CVSS (Max): 9.8

VMware issued security updates to fix a critical vCenter Server vulnerability that is being exploited in the wild to gain remote code execution on vulnerable servers.

ESB-2024.0412 – Splunk Enterprise: CVSS (Max): 7.5

Splunk released patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances.
Splunk advises its clients to upgrade Splunk Enterprise for Windows to 9.0.8, 9.1.3, or higher.
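Both the OpenEdge advisory earlier in this issue and this Splunk bulletin define exposure as a set of version ranges, which is where triage scripts commonly go wrong: a plain string comparison sorts 11.7.9 after 11.7.18. The following Python is an added example, not AUSCERT or vendor code. It encodes the ranges quoted on this page and compares versions numerically; the 12.3 lower bound for OpenEdge "innovation releases" and the inventory it walks are assumptions made for the example.

```python
"""Added example (not from AUSCERT, Progress or Splunk): check whether an
installed version falls inside the affected ranges quoted in this issue."""
import re

# (low_inclusive, high_exclusive) ranges as stated in the advisories summarised
# on this page. Only the branches the page names are modelled.
AFFECTED_RANGES = {
    # CVE-2023-40051: 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and
    # innovation releases prior to 12.8.0. The 12.3 lower bound for the
    # innovation releases is an assumption of this example.
    "openedge": [("11.7", "11.7.18"), ("12.2", "12.2.13"), ("12.3", "12.8.0")],
    # CVE-2024-23678: Splunk advises upgrading Windows instances to 9.0.8 or 9.1.3.
    "splunk-enterprise-windows": [("9.0", "9.0.8"), ("9.1", "9.1.3")],
}


def parse_version(text):
    """'12.2.13' -> (12, 2, 13). Non-numeric suffixes such as '-rc1' are ignored."""
    parts = tuple(int(n) for n in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return parts


def version_lt(a, b):
    """Numeric component-wise comparison; missing components count as 0,
    so (12, 8) equals (12, 8, 0) rather than sorting before it."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def affected_range(product, version):
    """Return the (low, high) range that covers `version`, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES[product]:
        if not version_lt(v, parse_version(low)) and version_lt(v, parse_version(high)):
            return (low, high)
    return None


# Constructed inventory for the walkthrough (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("app01", "openedge", "11.7.9"),
    ("app02", "openedge", "11.7.18"),
    ("app03", "openedge", "12.5.1"),
    ("app04", "openedge", "12.8"),
    ("siem01", "splunk-enterprise-windows", "9.0.7"),
    ("siem02", "splunk-enterprise-windows", "9.1.3"),
]


def triage(inventory):
    """Return [(host, product, version, range)] for every affected entry."""
    hits = []
    for host, product, version in inventory:
        rng = affected_range(product, version)
        if rng is not None:
            hits.append((host, product, version, rng))
    return hits


if __name__ == "__main__":
    for host, product, version, (low, high) in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected (>= {low}, < {high})")
```

Feed it the product and version columns from your own asset inventory; the upper bound of each range is the first fixed build, so a host sitting exactly on 11.7.18 or 9.1.3 is reported as clean.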

ESB-2024.0426 – ALERT macOS Sonoma 14.3: CVSS (Max): None

Apple has released iOS 17.3 and macOS Sonoma 14.3 updates that fix multiple vulnerabilities exposing Apple users to code execution, denial-of-service and data exposure attacks. Multiple WebKit vulnerabilities may have been exploited as zero-days in the wild.

ESB-2024.0493 – ALERT Cisco Unified Communications Products: CVSS (Max): 9.9

Cisco has released software updates that address a critical-rated RCE vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products which, if exploited, could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.


Stay safe, stay patched and have a good weekend!

The AusCERT team