28 Mar 2025

Week in review

Greetings,

This week has been an exciting one with the release of AUSCERT’s 2024 Year in Review! This report provides our members with a valuable snapshot of our efforts behind the scenes, offering insights into the services available and the opportunities they can take advantage of. It also covers industry trends and the ongoing progress across key areas.

These milestones highlight our unwavering commitment to equipping members with the tools, knowledge, and support needed to navigate the ever-evolving cyber security landscape with confidence. Read the full report here.

We’re excited to announce another keynote speaker for AUSCERT2025 – Chris Rock! No, not the comedian, but the renowned cyber mercenary! With 30 years of experience across the Middle East, US, and Asia, Chris has worked with both government and private organisations. He is the Chief Information Security Officer and co-founder of SIEMonster and has presented three times at the world’s largest hacking conferences. Want to learn more? Listen to Chris’s episode on Darknet Diaries

Oracle has rejected claims that its cloud systems were compromised after a cyber criminal advertised the alleged theft of sensitive data from Oracle Cloud. The attacker claimed to have exploited a vulnerability in Oracle’s Single Sign-On (SSO) login servers, but Oracle denied this, stating no breach occurred and that the leaked credentials were unrelated to Oracle Cloud.

The situation intensified when the threat actor released a 10,000-line sample of the purportedly stolen data, apparently to substantiate their claim of exfiltrating 6 million records from Oracle Cloud. Bleeping Computer contacted some of the alleged victim organisations, some of whom reportedly confirmed that the leaked information was theirs.

AUSCERT has issued a Critical Member Security Information Notification to potentially impacted members. We are actively monitoring the situation and will continue to update members as it unfolds. Despite these developments, Oracle maintains there has been no breach and is proceeding with its investigation.


Critical 'IngressNightmare' Vulns Imperil Kubernetes Environments
Date: 2025-03-25
Author: Dark Reading

The maintainers of Kubernetes have released patches for four critical vulnerabilities in the Ingress NGINX Controller, affecting 6,500, or 41%, of all Internet-facing container orchestration clusters, including those used by several Fortune 500 companies.
The vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands in affected environments and completely take over Kubernetes clusters, according to researchers at Wiz who discovered the flaws.

Researchers raise alarm about critical Next.js vulnerability
Date: 2025-03-24
Author: CyberScoop

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
The software defect in the widely used open-source JavaScript framework allows attackers to bypass middleware-based authorization.
Researchers warn that attackers could exploit a recently discovered critical vulnerability in the open-source JavaScript framework Next.js to bypass authorization in middleware and gain access to targeted systems.
Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on March 21.

Google Patches Chrome Sandbox Escape Zero-Day Caught by Kaspersky
Date: 2025-03-25
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1867/]
Google late Tuesday rushed out a patch for a sandbox escape in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign targeting organizations in Russia.

CrushFTP warns users to patch unauthenticated access flaw immediately
Date: 2025-03-25
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
CrushFTP warned customers of an unauthenticated HTTP(S) port access vulnerability and urged them to patch their servers immediately.
As the company also explained in an email sent to customers on Friday (seen by BleepingComputer), the security flaw enables attackers to gain unauthenticated access to unpatched servers if they are exposed on the Internet over HTTP(S).
"Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon," the company warned.

VMware Patches Authentication Bypass Flaw in Windows Tools Suite
Date: 2025-03-25
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.1852/]
Virtualization technology giant VMware on Tuesday released an urgent fix for an authentication bypass security defect affecting its VMware Tools for Windows utilities suite. The vulnerability, tagged as CVE-2025-22230, opens the door for a malicious actor with non-administrative privileges on a Windows guest virtual machine to perform certain high-privilege operations within that VM.

Oracle customers confirm data stolen in alleged cloud breach is valid
Date: 2025-03-26
Author: Bleeping Computer

Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users.


ASB-2025.0050 – AUSCERT Bulletin Service – Oracle Cloud breach

AUSCERT released an advisory regarding an alleged Oracle Cloud breach, where a threat actor claims to have stolen 6 million sensitive records. Oracle has denied the breach despite data samples appearing legitimate. The impact remains unclear, and mitigation measures should be evaluated based on the organisation’s policies.

ESB-2025.1921 – GitLab Community and Enterprise Editions: CVSS (Max): 8.7

GitLab issued a security advisory urging users to upgrade to versions 17.10.1, 17.9.3, or 17.8.6 to address multiple vulnerabilities, including two high-severity XSS flaws (CVSS 8.7): CVE-2025-2255, which allows XSS via merge-request error messages, and CVE-2025-0811, caused by improper rendering of certain file types, both affecting versions prior to 17.8.6, 17.9.3, and 17.10.1.

ESB-2025.1867 – Google Chrome: CVSS (Max): None

Google fixed a high-severity Chrome zero-day vulnerability (CVE-2025-2783) exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian media and education organisations. The flaw was related to an incorrect handle in Mojo on Windows. The fix is rolling out globally for Windows users in Chrome version 134.0.6998.178, with automatic updates available.

ESB-2025.1852 – VMware Tools: CVSS (Max): 7.8

Broadcom issued security patches for a high-severity authentication bypass vulnerability in VMware Tools for Windows, tracked as CVE-2025-22230, rated 7.8 CVSS. The flaw allows attackers with non-admin privileges to perform high-privilege operations within a Windows guest VM. The vulnerability affects VMware Tools versions 11.x.x and 12.x.x and is fixed in version 12.5.1.

ESB-2025.1840 – F5 Products: CVSS (Max): 9.8

Multiple vulnerabilities were discovered in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to remote code execution. These vulnerabilities, including CVE-2025-1974 (CVSS 9.8), allow unauthenticated attackers to execute arbitrary code and access all secrets in the Kubernetes cluster. F5 Networks has released an advisory and is actively investigating the issue to assess how these flaws may impact their products.


Stay safe, stay patched and have a good weekend!

The AUSCERT team