27 Oct 2023

Week in review


AUSCERT2024 has officially launched! The countdown is on for another year of exciting tutorials, presentations, workshops and more! This year's theme, 'Pay it Forward', is about discovering the power of amplifying your impact in the realm of cyber security and highlighting the significant influence that everyone's actions can create. It promotes the idea that sharing knowledge and collaborating can cause a ripple effect, strengthening the broader community.

This year, consider paying it forward by sharing your knowledge and expertise at our conference, either through tutorials or presentations. Your insights have the potential to create a significant impact and further advance the industry. Call for Tutorials is now open and will run until November 10th. Once tutorial submissions close, we will then open the Call for Presentations. We extend a warm invitation to anyone within the industry interested in speaking at the conference to submit a proposal. We offer excellent mentoring support for speakers to ensure a successful experience. Additionally, sponsorship opportunities are also now available, and you can access the sponsorship prospectus for more information on how you can get involved.

In other news, AUSCERT recently participated in the 2023 ASEAN Computer Emergency Response Team (CERT) Incident Drill (ACID). This annual drill, hosted by Singapore since 2006, tests incident response capability and strengthens cyber security preparedness and cooperation among CERTs in ASEAN member states and Dialogue Partners. This year's ACID tested the CERTs' preparedness against multi-pronged attacks arising from hacktivism. This theme was chosen due to the increasing frequency and sophistication of global cyber attacks that are motivated by ideological beliefs. Such attacks typically combine Distributed Denial-of-Service, data breaches and wiper malware against government websites, financial institutions, media outlets, etc.

This year, SingCERT moderated a new exercise using realistic scenarios as a practical way to test participants' knowledge and expertise in the field. AUSCERT takes pride in participating in this drill annually, as it plays a pivotal role in enhancing cooperation, facilitating the exchange of experiences, and fostering awareness of emerging cyber attack trends.

Critical RCE flaws found in SolarWinds access audit solution
Date: 2023-10-20
Author: Bleeping Computer

Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges.
SolarWinds ARM is a tool that enables organizations to manage and audit user access rights across their IT environments. It offers Microsoft Active Directory integration, role-based access control, visual feedback, and more.

VMware fixes critical code execution flaw in vCenter Server
Date: 2023-10-25
Author: Bleeping Computer

[AUSCERT has also identified the impacted members (where possible) and contacted them via email]
VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited for remote code execution on vulnerable servers.
The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation.

US energy firm shares how Akira ransomware hacked its systems
Date: 2023-10-23
Author: Bleeping Computer

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack.
BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches
Date: 2023-10-24
Author: Security Week

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2023.6197]
The cybersecurity community discovered tens of thousands of compromised systems shortly after Cisco disclosed the existence of the first zero-day.
Rockwell informed customers last week that its Stratix 5800 and 5200 managed industrial Ethernet switches, which use the Cisco IOS XE operating system, are affected by CVE-2023-20198. The devices are only impacted if the IOS XE web UI feature is enabled.
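Because the Stratix switches are only in scope when the IOS XE web UI is enabled, the first thing an asset owner wants is a quick triage of which devices actually have it on. The script below is an added example (not from the original article, Rockwell or Cisco) that scans saved running-config text for the `ip http server` / `ip http secure-server` lines and any `ip http access-class` restriction, and prints the disabling commands for each exposed device. The device names and config excerpts are constructed for illustration; lines absent from a config are reported as "unknown" rather than assumed, since the default varies by platform and version and should be confirmed on the device with `show ip http server status`.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpts for three hypothetical
# Stratix switches (not real devices, not taken from the original page).
SAMPLE_CONFIGS: Dict[str, str] = {
    "stratix-5800-line1": """\
hostname stratix-5800-line1
!
ip http server
ip http secure-server
ip http authentication local
!
""",
    "stratix-5200-cell3": """\
hostname stratix-5200-cell3
!
no ip http server
no ip http secure-server
!
""",
    "stratix-5800-mgmt": """\
hostname stratix-5800-mgmt
!
ip access-list standard WEBUI-MGMT
 permit 10.20.0.0 0.0.0.255
!
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
!
""",
}

# IOS XE web UI listeners: "ip http server" (HTTP) and "ip http secure-server"
# (HTTPS). The "no ..." form is the explicitly disabled state.
_HTTP_RE = re.compile(r"^(?P<no>no\s+)?ip http (?P<svc>server|secure-server)\s*$", re.M)
# Optional source restriction on the web UI (old numbered or newer "ipv4 <name>" form).
_ACL_RE = re.compile(r"^ip http access-class(?:\s+ipv4)?\s+(?P<acl>\S+)\s*$", re.M)


def assess_webui(config: str) -> dict:
    """Report which web UI listeners are explicitly enabled/disabled in a
    running-config, whether an access-class restricts them, and whether the
    device is therefore in scope for CVE-2023-20198. Listeners not mentioned
    in the config are 'unknown' (default depends on platform/version)."""
    state = {"server": "unknown", "secure-server": "unknown"}
    for m in _HTTP_RE.finditer(config):
        state[m.group("svc")] = "disabled" if m.group("no") else "enabled"
    acl = _ACL_RE.search(config)
    enabled = [svc for svc, s in state.items() if s == "enabled"]
    unknown = [svc for svc, s in state.items() if s == "unknown"]
    return {
        "enabled": enabled,
        "unknown": unknown,
        "access_class": acl.group("acl") if acl else None,
        "exposed": bool(enabled),  # any enabled listener => web UI reachable
    }


def triage(configs: Dict[str, str]) -> List[str]:
    """One verdict line per device, exposed devices first, each with the
    IOS XE commands that remove the web UI from the attack surface."""
    rows = []
    for name, cfg in configs.items():
        r = assess_webui(cfg)
        if r["exposed"]:
            fixes = "; ".join(f"no ip http {svc}" for svc in r["enabled"])
            # An access-class limits who can reach the UI but does not take the
            # device out of scope; disabling the listener does.
            note = f"restricted by access-class {r['access_class']}, " if r["access_class"] else ""
            rows.append(f"{name}: EXPOSED ({note}{', '.join(r['enabled'])} enabled) -> {fixes}")
        elif r["unknown"]:
            rows.append(f"{name}: VERIFY ({', '.join(r['unknown'])} not in config) "
                        "-> run 'show ip http server status' on the device")
        else:
            rows.append(f"{name}: OK (web UI explicitly disabled)")
    rows.sort(key=lambda s: ("EXPOSED" not in s, "VERIFY" not in s))
    return rows


if __name__ == "__main__":
    for line in triage(SAMPLE_CONFIGS):
        print(line)
```

Run it against a directory of config backups by replacing `SAMPLE_CONFIGS` with the file contents; devices that come back "VERIFY" still need a live check, because a config that omits the `ip http` lines tells you nothing about the listener's actual state.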

1Password detects “suspicious activity” in its internal Okta account
Date: 2023-10-24
Author: Ars Technica

1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

ESB-2023.6140 – Atlassian Products: CVSS (Max): 10.0

Atlassian has identified multiple vulnerabilities in their products, with two being classified as critical. To ensure the security of their customers, Atlassian strongly advises upgrading to the latest version.

ASB-2023.0221 – Okta support case management system

Okta has recently experienced a cyber incident concerning their support case management system. In response to this, AUSCERT recommends that its members promptly implement the suggested mitigation measures to address any potential risks.

ESB-2023.6197 – ALERT Rockwell Automation Stratix 5800 and Stratix 5200: CVSS (Max): 10.0

Rockwell Automation has issued patches to address a critical vulnerability found in Stratix 5800 and Stratix 5200. If successfully exploited, this vulnerability could grant an unauthenticated attacker control of the affected system. It is strongly advised to apply the provided patches to mitigate this risk.

ESB-2023.6234 – ALERT BIG-IP Configuration Utility: CVSS (Max): 9.8

A control plane issue that allows an attacker to execute arbitrary system commands has been fixed in the BIG-IP Configuration Utility component.

Stay safe, stay patched and have a good weekend!

The AUSCERT team