//Week in review - 3 Feb 2023


Beazley’s new Cyber Services Snapshot report confirms two things most of us probably expected: in 2023 the way threat actors use stolen data will continue to worsen, and the categories “fraudulent instruction as a cause of loss” and “cyber extortion incidents with data exfiltration” are both increasing significantly year-on-year.

The report calls for organisations to “get smarter” about educating employees to spot fraudulent instruction tactics like spoofed emails or domains, however cynics may point out that the cybersecurity industry has been attempting this for a couple of decades already, so why isn’t it working? Perhaps some organisations haven’t adopted a top down approach to cybersecurity, with management leading by example.

Senior management and board members have an important role to play here, and the AICD released a set of Cybersecurity Governance Principles late last year on this topic. Similarly ASIC has published a document on key questions for an organisation’s board of directors to consider.

We know that time is precious for senior management and board members, so in 2023 AusCERT plans to help our members provide timely briefings and short education courses for this type of audience. We’re also expanding our existing AusCERT Education courses to include data governance training and assistance with implementation.

In the short term however, there are still places available in the existing “Intro to Cyber for IT Professionals”, “Cyber Security Risk Management” and “Incident Response Planning” courses, so while it’s still quiet why not consider a quick, economical upskilling for your team?

To further help our members, AusCERT and WTW are hosting a live forum in Brisbane on Thursday, 16 February to discuss the key lessons from major cyber incidents and losses of 2022, and the impact on the cyber and technology risk insurance market, third-party risk assessment, and risk management. You can register here.

GitHub says hackers cloned code-signing certificates in breached repository
Date: 2023-01-31
Author: Ars Technica

GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom.
Code-signing certificates place a cryptographic stamp on code to verify it was developed by the listed organization, which in this case is GitHub. If decrypted, the certificates could allow an attacker to sign unofficial versions of the apps that had been maliciously tampered with and pass them off as legitimate updates from GitHub. Current versions of Desktop and Atom are unaffected by the credential theft.

myGov report warns against digital ID fragmentation
Date: 2023-01-31
Author: iTnews

The federal government’s slow movement on digital ID risks creating “digital rail gauges … where a credential issued by one jurisdiction won’t be accepted in another," a review of myGov, which also covered digital identity, has warned.
The report, in two volumes, [pdf] and [pdf], highlights how slow decision-making at the federal level, along with a lack of legislative support for digital ID, have left Australians vulnerable.

Facebook two-factor authentication bypass issue patched
Date: 2023-01-27
Author: The Daily Swig

Meta has patched a vulnerability in Facebook that could have allowed an attacker to bypass SMS-based two-factor authentication (2FA).
The bug – which earned its finder a $27,200 bounty – did this by confirming the targeted user’s already-verified Facebook mobile number using the Meta Accounts Center in Instagram.
It exploited a rate-limiting issue in Instagram that enabled an attacker to brute force the verification pin required to confirm someone’s phone number.

JD Sports says hackers stole data of 10 million customers
Date: 2023-01-30
Author: Bleeping Computer

UK sports apparel chain JD Sports is warning customers of a data breach after a server was hacked that contained online order information for 10 million customers.
In data breach notices shared by affected customers, the company warns that the "attack" exposed customer information for orders placed between November 2018 and October 2020.
JD Sports says it detected the unauthorized access immediately and responded quickly to secure the breached server, preventing subsequent access attempts.

OpenAI releases tool to detect AI-written text
Date: 2023-01-31
Author: Bleeping Computer

OpenAI has released an AI text classifier that attempts to detect whether input content was generated using artificial intelligence tools like ChatGPT.
"The AI Text Classifier is a fine-tuned GPT model that predicts how likely it is that a piece of text was generated by AI from a variety of sources, such as ChatGPT," explains a new OpenAI blog post.
OpenAI released the tool today after numerous universities and K-12 school districts banned the company's popular ChatGPT AI chatbot due to its ability to complete students' homework, such as writing book reports and essays, and even finishing programming assignments.

KeePass disputes vulnerability allowing stealthy password theft
Date: 2023-01-30
Author: Bleeping Computer

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden.

ESB-2023.0612 – Apache HTTP Server: CVSS (Max): 9.0

It was discovered that the Apache HTTP Server mod_dav module incorrectly handled certain If: request headers. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service

ESB-2023.0600 – python-django: CVSS (Max): 7.5

It was discovered that there was a potential Denial of Service (DoS) vulnerability in Django, a popular Python-based web development framework

ESB-2023.0567 – Tenable products: CVSS (Max): 9.1

This vulnerability allows a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges

ESB-2023.0533 – git: CVSS (Max): 9.8

Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell

Stay safe, stay patched and have a good weekend!

The AusCERT team