2 Jun 2023

Week in review


With the arrival of dropping temperatures, shorter days, and thicker coats we can confidently say winter is finally upon us. In Queensland, winters are truly delightful, striking a perfect balance between cool breezes and the warming sunshine. It’s the season that allows you to relish the outdoors for extended periods of time without beads of sweat forming on your forehead. The only time hot beverages and soups don’t leave you feeling uncomfortably hot. The only time gathering around a fire provides warmth rather than just entertainment. So here’s to winter! Embrace the cold air with open arms and allow the refreshing chill to invigorate your spirit.

If you haven’t watched Mark McPherson’s inspiring seminar on the history of AUSCERT, watch it now! Titled ‘AUSCERT this is your life’, Mark explores the first decade of operation for our organisation, the unexpected incidents and unique moments that shaped our business model and operating structure. Mark describes our very founding moments and the historical realisation by governing bodies that a central source for information security and protection was desperately required in Australia. We evolved rapidly and in recent years have also expanded our services to include a range of cybersecurity training courses to address the growing demand for cybersecurity expertise in the workplace. Informing and empowering staff through relevant, engaging and focused professional training experiences is a critical component of organisational cyber security resilience. For more information on our upcoming training courses, visit AUSCERT Education.

In cyber security news this week, PayID scams are on a rapid rise, with the second-hand sales market taking a huge hit. With the cost of living skyrocketing, many Australians are struggling for cash and have turned to the online second-hand market to turn some of their previously loved items into much-needed funds. Realising this market has significantly grown in popularity, scammers saw an easy way to abuse the payment system known as PayID to steal funds. PayID is a popular payment system that is frequently used on Facebook Marketplace and Gumtree and is supported by almost every bank. NAB Executive Chris Sheehan warned consumers of the increasing PayID scams, saying criminals are becoming increasingly sophisticated with their fraudulent messages. He went on to say that educating yourself about PayID and remaining vigilant means being able to identify the red flags; for tips on what these are, read the full article here.

Microsoft finds macOS bug that lets hackers bypass SIP root restrictions
Date: 2023-05-30
Author: Bleeping Computer

Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks.
Discovered and reported to Apple by a team of Microsoft security researchers, the flaw (dubbed Migraine) is now tracked as CVE-2023-32369.
Apple has patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18.

Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Date: 2023-05-31
Author: Security Week

Researchers at firmware and hardware security company Eclypsium discovered that hundreds of motherboard models made by Taiwanese computer components giant Gigabyte include backdoor functionality that could pose a significant risk to organizations.
The backdoor was discovered by Eclypsium based on behavior associated with the functionality, which triggered an alert in the company’s platform.
Specifically, the researchers determined that the firmware on many Gigabyte systems drops a Windows binary that is executed when the operating system boots up. The dropped file then downloads and runs another payload fetched from Gigabyte servers.

Hackers exploit critical Zyxel firewall flaw in ongoing attacks
Date: 2023-05-31
Author: Bleeping Computer

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware.
The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device.
Zyxel released patches for the vulnerability on April 25, 2023, urging users of the following product versions to apply them to resolve the vulnerability:
ATP – ZLD V4.60 to V5.35
USG FLEX – ZLD V4.60 to V5.35
VPN – ZLD V4.60 to V5.35
ZyWALL/USG – ZLD V4.60 to V4.73
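As an added example (not from the newsletter or from Zyxel), the following Python script triages a constructed device inventory against the affected ZLD version ranges listed above, so an asset owner can see which units still need the April 25 patches. The hostnames and version strings are hypothetical; the patch-level suffix is an assumption noted in the code.

```python
# Added example: flag Zyxel devices whose ZLD firmware falls in the
# CVE-2023-28771 affected ranges. Not vendor code; inventory is constructed.
import re

# Affected ZLD ranges per product family, inclusive, as listed in the advisory.
AFFECTED_RANGES = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}

# Accepts 'V5.35', 'ZLD V4.73' or '5.35'. Assumption: any trailing patch-level
# text (e.g. 'Patch 2') is ignored, so builds sitting exactly on the upper
# bound should be confirmed against the vendor advisory by hand.
_VERSION_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)", re.IGNORECASE)

def parse_zld_version(text):
    """Return (major, minor) for a ZLD version string, or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(family, version):
    """True/False for a listed family; None if the family is not in the list."""
    if family not in AFFECTED_RANGES:
        return None
    lo, hi = AFFECTED_RANGES[family]
    return lo <= parse_zld_version(version) <= hi

def triage(inventory):
    """Sort (hostname, family, version) rows into patch / ok / unknown buckets."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, family, version in inventory:
        verdict = is_affected(family, version)
        bucket = "unknown" if verdict is None else ("patch" if verdict else "ok")
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hosts and firmware versions).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "ATP", "ZLD V5.35"),      # last affected build
    ("fw-edge-02", "ATP", "V5.36"),          # fixed release
    ("vpn-bne-01", "VPN", "V4.59"),          # below the affected range
    ("usg-syd-01", "ZyWALL/USG", "V4.73"),   # last affected build
    ("usg-syd-02", "ZyWALL/USG", "V5.35"),   # above the ZyWALL/USG range
    ("nas-01", "NAS", "V5.21"),              # family not in the advisory list
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```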

New Mirai Variant Campaigns are Targeting IoT Devices
Date: 2023-05-29
Author: Infosecurity Magazine

Unit 42, Palo Alto Networks’ threat research team, has found new malicious activity targeting IoT devices, using a variant of Mirai, a piece of malware that turns networked devices running Linux, typically small IoT devices, into remotely controlled bots that can be used in large-scale network attacks.
Dubbed IZ1H9, this variant was first discovered in August 2018 and has since become one of the most active Mirai variants.

‘Dark Pink’ APT attacks governments, militaries, more in Thailand, Brunei, Belgium, Vietnam and Indonesia
Date: 2023-06-01
Author: The Record

The Dark Pink hacker group has been tied to five new attacks on governments, militaries and organizations based in Belgium, Thailand, Brunei, Vietnam and Indonesia.
Researchers from Group-IB have been tracking the group for months and said it has been active since mid-2021, compromising at least 13 organizations across Europe and the Asia-Pacific region.

ESB-2023.3083 – Advantech WebAccess/SCADA: CVSS (Max): 7.3

Advantech has released version 9.1.4 to address a vulnerability in WebAccess/SCADA which, if exploited, could allow an attacker to gain full control of the server.

ESB-2023.3086 – VMware Products: CVSS (Max): 6.1

An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was reported to VMware. Updates are available to address this vulnerability in affected VMware products.

ESB-2023.3060 – Red Hat Advanced Cluster Management: CVSS (Max): 9.8

Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability has been released with fixes for security issues and updated container images.

ESB-2023.3119 – texlive-bin: CVSS (Max): 9.8

It was discovered that the patch to fix CVE-2023-32700 in texlive-bin, released as DLA-3427-1, was incomplete and caused an error when running the lualatex command. This has been addressed in a texlive-bin package upgrade.

ESB-2023.3099 – wireshark: CVSS (Max): 8.8

An update for wireshark fixes six vulnerabilities and several application crash issues.

Stay safe, stay patched and have a good weekend!

The AUSCERT team