28 Jun 2024

Week in review

Greetings,

Events this week underscored the critical importance of staying updated on the latest cyber security threats and trends. Australia's proactive approach to implementing security measures and educating the community plays a crucial role in mitigating risks and enhancing overall cyber resilience. The week began with an alert from the Australian Cyber Security Centre (ACSC) highlighting increased cyber threat activity targeting Snowflake customers. Businesses and critical infrastructure in Australia were advised to bolster their security measures and remain vigilant against potential attacks.

Many organisations applied Microsoft's June 2024 Patch Tuesday updates, which addressed 51 vulnerabilities, including 18 critical remote code execution flaws. Addressing these vulnerabilities promptly helps organisations mitigate the risks associated with commonly used applications and systems.

In other news, a Wednesday court filing provided some details about the September 2022 Optus data breach, from the perspective of the Australian Communications and Media Authority (ACMA). ACMA is leveraging its regulatory powers to pursue Optus, alleging that the company failed to adequately protect personally identifiable customer information: it did not fix an identified coding error in all of its Internet-visible APIs, and it continued to operate a vulnerable API for two years despite there being no need for its operation.

The filing states that "The cyber attack was not highly sophisticated nor did it require advanced skills or proprietary knowledge of Optus's processes or systems. It was executed through a simple process of trial and error." ACMA is seeking civil penalties in the case. Singtel, the parent company of Optus, has advised investors that it cannot determine the quantum of penalties but will defend the case.

This incident exemplifies how regulatory bodies are intensifying their efforts to hold organisations accountable for failing to adhere to appropriate practices in safeguarding personal information. Ensure your organisation is compliant with the necessary regulatory standards. If you need assistance in analysing your organisation's cyber security maturity level, contact our team at grc@auscert.org.au.


Cyber threats surge during Australia's EOFY tax season
Date: 2024-06-25
Author: Security Brief

As the end of the financial year (EOFY) approaches in Australia, organisations and individuals find themselves preoccupied with tax returns, financial statements, and compliance reports. This busy period also brings with it a heightened risk of cyber threats, creating a favourable environment for scammers and cybercriminals. Analysts have noted an uptick in seasonal cyber activities during the EOFY period, exploiting the chaos and urgency associated with tax-related activities. The most common threats include phishing scams, ransomware, business email compromise (BEC), and identity theft.

If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately
Date: 2024-06-25
Author: The Register

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year.
Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it.
The site offered polyfills – useful bits of JavaScript code that give older browsers functionality that is built into newer versions. These in-fills make life easier for developers: by using polyfills, they know their web code will work across a greater range of browsers.
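A quick way to audit a site's pages for references to the affected CDN, added here as an example and not code from AUSCERT or from The Register's article. It scans script, link and iframe tags for any polyfill.io hostname (including subdomains such as cdn.polyfill.io and protocol-relative URLs) and also flags inline scripts that assemble such a URL; the sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Hostnames that indicate the affected CDN; any subdomain is matched as well.
AFFECTED_HOSTS = ("polyfill.io",)
_URL_ATTRS = {"src", "href", "data-src"}


class _RefCollector(HTMLParser):
    """Collects URL attributes from tags that can load remote code."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link", "iframe"):
            return
        for name, value in attrs:
            if name in _URL_ATTRS and value:
                self.refs.append((self.getpos()[0], tag, value.strip()))


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def is_affected_host(host):
    return host is not None and any(
        host == h or host.endswith("." + h) for h in AFFECTED_HOSTS)


def find_polyfill_references(html):
    """Return sorted (line, tag, url_or_source) for each polyfill.io reference."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = [r for r in p.refs if is_affected_host(_host_of(r[2]))]
    # Inline scripts that build the URL in code are invisible to the tag scan,
    # so look for a quoted polyfill.io URL on each line not already reported.
    pat = re.compile(r"""['"](?:https?:)?//(?:[\w-]+\.)*polyfill\.io/""", re.I)
    for lineno, text in enumerate(html.splitlines(), 1):
        if pat.search(text) and not any(f[0] == lineno for f in findings):
            findings.append((lineno, "inline", text.strip()))
    return sorted(findings)


# Constructed sample page: two tag references, one inline reference, one clean script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="preload" as="script" href="//polyfill.io/v3/polyfill.min.js">
<script src="https://example.org/static/app.js"></script>
<script>var s=document.createElement('script');s.src='https://polyfill.io/v3/polyfill.min.js';</script>
</head><body>polyfill.io is mentioned in text only</body></html>
"""

if __name__ == "__main__":
    for line, tag, ref in find_polyfill_references(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {ref}")
```

Each reported line is a script load to remove (or replace with a self-hosted copy of the polyfill bundle); the body-text mention on the last line is correctly ignored.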

Progress quietly fixes MOVEit auth bypass flaws (CVE-2024-5805, CVE-2024-5806)
Date: 2024-06-25
Author: Help Net Security

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Progress Software has patched one critical (CVE-2024-5805) and one high-risk (CVE-2024-5806) vulnerability in MOVEit, its widely used managed file transfer (MFT) software product.
According to WatchTowr Labs researchers, the company has been privately instructing users to implement the hotfixes before they go public with the information.

Hacker Claims Theft of 30M User Records From Australia Ticketing Company TEG
Date: 2024-06-24
Author: Security Week

A threat actor is boasting on a hacking forum the theft of information pertaining to millions of Ticketek users, roughly three weeks after the company acknowledged a data breach.
On May 31, Ticketek Entertainment Group (TEG), an Australia-based live events and ticketing firm, announced that user account information had been compromised after hackers accessed a database stored on a cloud-based platform.
โ€œThe available evidence at this time indicates that, from a privacy perspective, customer names, dates of birth and email addresses may have been impacted,โ€ TEG said.

Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack
Date: 2024-06-25
Author: Ars Technica

WordPress plugins running on as many as 36,000 websites have been backdoored in a supply-chain attack with unknown origins, security researchers said on Monday.


ESB-2024.4118 – GitLab: CVSS (Max): 9.6*

GitLab has released critical patches for GitLab Community Edition (CE) and Enterprise Edition (EE).

ESB-2024.4099 – SQLite: CVSS (Max): 9.8

SQLite could be made to crash or execute arbitrary code.

ESB-2024.4076 – OpenVPN: CVSS (Max): 9.8

OpenVPN could allow unintended access to network services.

ESB-2024.4073 – git: CVSS (Max): 9.0

Multiple vulnerabilities were found in git, a fast, scalable and distributed revision control system.

ESB-2024.4019.2 – Google Chrome: CVSS (Max): None

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution.


Stay safe, stay patched and have a good weekend!

The AusCERT team