Week in review - 28 Apr 2023

This week we commemorated the Anzac soldiers for their bravery, courage, and ultimate sacrifice for our great nations. We pay respect to the victims and their families and vow to always honour and remember them. Lest we forget!

In other, less sombre, news, we released our new podcast episode this week featuring Eric Pinkerton, titled ‘Changing Behaviour in Cyber’. Eric is CEO of Phronesis, Australia’s first B-Corp certified cyber security company, committed to doing good. In this episode Eric and Anthony examine how people’s behaviours changed during the pandemic and how we can use this knowledge to influence the cyber world. Understanding people’s behaviours is important to understanding the tactics that hackers may take: hackers prey on our natural instincts and emotions as humans to bait us into a vulnerable position.

Scammers are luring naïve consumers into becoming their money mules and exploiting the widening knowledge gap around fraudulent activity. Sadly, emotionally vulnerable people are the most targeted, as hackers use well-honed methods to exploit their feelings and reap rewards. The Australian Competition and Consumer Commission (ACCC) reported that investment scams, or ‘get rich’ schemes, were the most reported scam type, with an astonishing $377 million lost. Dating and romance scams were the second most common approach, with the ACCC reporting 40 million lost to these last year. Hackers pull at heart strings to get funds from helpless victims; this is arguably one of the cruellest forms of consumer-facing fraud, as it often causes significant distress. Scammers’ preferred method of contact was phone calls or text messages, with 55% of all scams last year coming via phone devices.

Angry consumers believe the accountability lies with banks to provide reimbursement if they fall victim to a scam or third-party fraud. To combat scam losses the government is looking into different initiatives to better safeguard consumers. A $10 million commitment has been announced to fund an SMS sender ID register, to prevent sender ID scams that imitate key industry or government brand names in text message headers. As criminals’ lures become more authentic-looking, we as a society must also be more vigilant about the warning signs of a scam and ensure we do not fall victim to their emotive baiting techniques.

New SLP bug can lead to massive 2,200x DDoS amplification attacks
Date: 2023-04-25
Author: Bleeping Computer

A new reflective Denial-of-Service (DoS) amplification vulnerability in the Service Location Protocol (SLP) allows threat actors to launch massive denial-of-service attacks with 2,200X amplification.
This flaw, tracked as CVE-2023-29552, was discovered by researchers at BitSight and Curesec, who say that over 2,000 organizations are using devices that expose roughly 54,000 exploitable SLP instances for use in DDoS amplification attacks.
Vulnerable services include VMware ESXi Hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex Routers deployed by unsuspecting organizations worldwide.
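As an added illustration, not from the article or from BitSight/Curesec, here is a small Python check over constructed flow records that flags hosts answering on UDP/427 with far more bytes than the queries they received, which is the shape of a reflector being abused. Port 427 is SLP's registered port; the byte sizes, addresses and the ratio threshold are assumptions.

```python
"""Flag hosts that look like SLP (UDP/427) reflectors in flow records.

Added example, not code from the article or the researchers. Flow records
are constructed inline; the ratio threshold is an assumption.
"""
from collections import defaultdict

SLP_PORT = 427
# Amplification far above this is well beyond a normal SLP service reply.
SUSPICIOUS_RATIO = 50.0

# Constructed sample UDP flows: (src_ip, src_port, dst_ip, dst_port, bytes).
# In a reflection attack the query's source is spoofed to the victim's address.
FLOWS = [
    # Tiny queries "from" the victim (198.51.100.5) hit our exposed host...
    ("198.51.100.5", 40000, "192.0.2.10", 427, 29),
    ("198.51.100.5", 40001, "192.0.2.10", 427, 29),
    # ...which answers with very large replies, all aimed at the victim.
    ("192.0.2.10", 427, "198.51.100.5", 40000, 65000),
    ("192.0.2.10", 427, "198.51.100.5", 40001, 65000),
    # A printer answering a legitimate internal lookup: small, proportionate.
    ("10.0.0.3", 50000, "192.0.2.20", 427, 60),
    ("192.0.2.20", 427, "10.0.0.3", 50000, 180),
]

def slp_amplification(flows):
    """Return {host: (bytes_in, bytes_out, ratio)} for hosts serving UDP/427."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if dport == SLP_PORT:
            bytes_in[dst] += size
        elif sport == SLP_PORT:
            bytes_out[src] += size
    report = {}
    for host in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[host], bytes_out[host]
        report[host] = (i, o, (o / i) if i else float("inf"))
    return report

def suspected_reflectors(flows, threshold=SUSPICIOUS_RATIO):
    """Hosts whose SLP output dwarfs the bytes of the queries they received."""
    return sorted(h for h, (_, _, r) in slp_amplification(flows).items() if r >= threshold)

if __name__ == "__main__":
    for host, (i, o, r) in slp_amplification(FLOWS).items():
        print(f"{host}: in={i}B out={o}B ratio={r:.0f}x")
    print("suspected reflectors:", suspected_reflectors(FLOWS))
```

A host that shows up here is a candidate for blocking UDP/427 at the perimeter or disabling SLP, which is the mitigation the advisories for this flaw point to.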

Clop, LockBit ransomware gangs behind PaperCut server attacks
Date: 2023-04-26
Author: Bleeping Computer

"Members who potentially utilize this product have been notified"
Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
Last month, two vulnerabilities were fixed in the PaperCut Application Server that allow remote attackers to perform unauthenticated remote code execution and information disclosure.

Decoy Dog malware toolkit found after analyzing 70 billion DNS queries
Date: 2023-04-23
Author: Bleeping Computer

A new enterprise-targeting malware toolkit called ‘Decoy Dog’ has been discovered after inspecting anomalous DNS traffic that is distinct from regular internet activity.
Decoy Dog helps threat actors evade standard detection methods through strategic domain aging and DNS query dribbling, aiming to establish a good reputation with security vendors before switching to facilitating cybercrime operations.
Researchers from Infoblox discovered the toolkit in early April 2023 as part of the company’s daily analysis of over 70 billion DNS records, looking for signs of abnormal or suspicious activity.
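Added example, not Infoblox's code: detection logic over constructed resolver log lines that flags the low-volume, steady "dribbling" query pattern described above. Domain aging needs registration data that resolver logs do not carry, so it is not covered here; the log format, thresholds and domain names are assumptions.

```python
"""Spot low-and-slow ("dribbling") DNS beacons in resolver logs.

Added example, not Infoblox's code. Log lines, format and thresholds are
constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines: "<ISO timestamp> <client> <qtype> <qname>".
LOG = """\
2023-04-01T00:13:05 10.0.0.5 A cdn-updates.example
2023-04-02T00:14:11 10.0.0.5 A cdn-updates.example
2023-04-03T00:12:58 10.0.0.5 A cdn-updates.example
2023-04-04T00:13:40 10.0.0.5 A cdn-updates.example
2023-04-05T00:13:02 10.0.0.5 A cdn-updates.example
2023-04-06T00:13:30 10.0.0.5 A cdn-updates.example
2023-04-01T09:00:01 10.0.0.7 A www.example.org
2023-04-01T09:00:02 10.0.0.8 A www.example.org
2023-04-03T12:30:00 10.0.0.9 A www.example.org
2023-04-05T16:10:21 10.0.0.12 A one-off.example
"""

def parse(lines):
    """Yield (timestamp, client, qname) from log lines; skip malformed ones."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3].lower()

def dribbling_domains(lines, min_days=5, max_clients=2, max_per_day=2.0):
    """Domains seen on many distinct days, from very few clients, at a low steady rate."""
    days, clients, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for ts, client, qname in parse(lines):
        days[qname].add(ts.date())
        clients[qname].add(client)
        count[qname] += 1
    hits = []
    for q in count:
        per_day = count[q] / len(days[q])
        if len(days[q]) >= min_days and len(clients[q]) <= max_clients and per_day <= max_per_day:
            hits.append(q)
    return sorted(hits)
```

Run `dribbling_domains(LOG)` on the sample: only the single-client name queried once a day for six days is returned; the popular site and the one-off lookup are not.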

Gov to fund SMS sender ID register with $10m
Date: 2023-04-24
Author: itnews

A government-run register of SMS sender IDs will go ahead courtesy of a $10 million commitment to be made in next month’s federal budget.
Communications minister Michelle Rowland said yesterday that the funding, to be announced as part of the 2023-24 Budget on May 9, would run over four years.
Rowland had asked the ACMA to investigate a local register, and other models, back in February as a way to combat rising scam losses.

Investigation into PostalFurious: a Chinese-speaking phishing gang targeting Singapore and Australia
Date: 2023-04-21
Author: Group-IB

Phishing attacks are becoming ever more sophisticated and their scale is increasing exponentially. The automation of many processes and the growing popularity and accessibility of phishing kits over recent years have made it much easier for cybercriminals to set up fraudulent infrastructure to steal user credentials, bank card details, addresses, OTP codes, IP addresses, and other sensitive information.

ESB-2023.2371 – Tenable.sc: CVSS (Max): 8.1

One of the third-party components (PHP) of Tenable.sc was found to contain vulnerabilities, and updated versions have been made available by the providers

ESB-2023.2370 – VMware Workstation Pro / Player (Workstation) and VMware Fusion: CVSS (Max): 9.3

Multiple security vulnerabilities in VMware Workstation and Fusion were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in the affected VMware products

ESB-2023.2311 – thunderbird: CVSS (Max): 8.2

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code

ESB-2023.2293 – curl: CVSS (Max): 9.8

This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system

Stay safe, stay patched and have a good weekend!

The AusCERT team