3 May 2024

Week in review

Only three weeks left until AUSCERT2024! Reserve your spot in your preferred program sessions now! Limited spots are still available in some exceptional sessions – act quickly to secure yours before they're filled!

This year's program offers a diverse array of sessions covering a wide spectrum of topics. Notably, there's been a rise in sessions centred around MISP and information sharing platforms. Reflecting the essence of our theme for this year of ‘Pay it Forward’, sharing information within the cyber community fosters collective strength. By actively contributing to our shared knowledge, we enhance the growth and resilience of our industry. Let's unite and grow stronger together!

We're excited to welcome our esteemed colleagues from CIRCL Luxembourg to AUSCERT2024, where they'll share invaluable insights about their renowned MISP platform! Join Michael Hamm and Christian Studer for an immersive, hands-on workshop highlighting the paramount importance of information sharing and showcasing MISP's extraordinary capabilities.

Additionally, Shanna Daly and David Zielezna will delve into MISP Techniques, Tricks, Tips, and Traps during their session. This workshop offers a comprehensive crash course on effectively leveraging MISP for cyber threat intelligence, drawing from their extensive experience as MISP subject matter experts on prominent projects like the CTIS initiative led by the ACSC. They'll navigate through common pitfalls and offer practical strategies.

Furthermore, our Senior System Administrator, Josh Hopkins, will enlighten attendees about the MISP platform, elucidating how to swiftly deploy, patch, and configure infrastructure components to bolster your business operations. Josh will highlight how MISP serves as a vital tool for threat intelligence sharing and analysis. His presentation will serve as a roadmap for planning and executing a transition to infrastructure as code, utilizing MISP as a real-world model based on our practical learnings.

Sharing relevant threat intelligence and collaborating on response strategies enables organisations to efficiently contain and mitigate security incidents, thereby minimising disruptions to their operations and safeguarding their reputations. Consult our membership team about the AusMISP service!


Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms
Date: 2024-04-24
Author: Security Week

[AUSCERT has identified impacted members located in both Australia and New Zealand (where possible) and contacted them via email. AUSCERT also shared IoCs and TTPs associated with the ArcaneDoor campaign via MISP]
[Please also see AUSCERT bulletins: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2551.2/ and https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2552.2/]

Technology giant Cisco on Wednesday warned that professional, nation state-backed hacking teams are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks.

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
Date: 2024-05-01
Author: Bleeping Computer

HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE).

CISA says GitLab account takeover bug is actively exploited in attacks
Date: 2024-05-01
Author: Bleeping Computer

CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets.
GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by inserting malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments.

Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data
Date: 2024-05-01
Author: Security Week

Malware hunters at Lumen’s Black Lotus Labs have set eyes on a new malware platform roaming around enterprise-grade and small office/home office (SOHO) routers capable of covertly harvesting public cloud authentication data from internet traffic.
The platform, tagged as Cuttlefish, is designed to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). Researchers also warn that the attackers have the capability to hijack DNS and HTTP connections to private IP spaces, which are typically associated with communications within an internal network.

DropBox says hackers stole customer data, auth secrets from eSignature service
Date: 2024-05-01
Author: Bleeping Computer

Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information.
DropBox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures.

Data breach tsunami hits Australia
Date: 2024-05-27
Author: Insurance Business Australia

Australia saw a substantial rise in data breaches in the first quarter of 2024 (Q1 2024), with reports indicating that 1.8 million user accounts were compromised, according to cybersecurity company Surfshark.
The study is based on an analysis of email addresses associated with online services, often leaked alongside other sensitive data such as passwords and financial information.


ASB-2024.0098 – Okta Identity and Access Management Solutions

Okta has warned of an increase in the "frequency and scale" of credential stuffing attacks targeting online services and recommends the implementation of mitigation measures including the use of strong passwords and two-factor authentication (2FA).
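To illustrate what the "frequency and scale" signal looks like from the defender's side, here is an added example (not from the bulletin, and not Okta's own tooling) that runs a simple credential-stuffing detector over a handful of constructed authentication log lines. The log format, IP addresses and usernames are made up for the example; real Okta System Log events are JSON with different field names, so the parser would need adapting.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for the AUSCERT weekly review; not part of the newsletter
and not Okta's code. The log format below is a constructed, simplified
one: timestamp, source IP, username, outcome.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, invented users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAILURE
2024-05-01T10:00:02Z 203.0.113.10 bob FAILURE
2024-05-01T10:00:03Z 203.0.113.10 carol FAILURE
2024-05-01T10:00:04Z 203.0.113.10 dave FAILURE
2024-05-01T10:00:05Z 203.0.113.10 erin FAILURE
2024-05-01T10:00:06Z 203.0.113.10 frank SUCCESS
2024-05-01T10:00:10Z 198.51.100.7 alice FAILURE
2024-05-01T10:00:40Z 198.51.100.7 alice FAILURE
2024-05-01T10:01:10Z 198.51.100.7 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames} for every source IP that produced login
    failures for at least `min_users` distinct accounts inside a sliding
    `window`.

    Breadth is the discriminator: a legitimate user who mistypes a password
    fails repeatedly on one account, whereas credential stuffing tries many
    accounts from one source, usually once or twice each.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, failures in failures_by_ip.items():
        start = 0
        for end in range(len(failures)):
            # Advance the window start until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged(log_text, flagged):
    """Successful logins from a flagged IP are the finding to act on first:
    those accounts most likely have a reused or weak password and need a
    forced reset plus 2FA enrolment.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, outcome = parse_line(line)
        if ip in flagged and outcome == "SUCCESS":
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    suspects = find_credential_stuffing(SAMPLE_LOG)
    print("sources trying many accounts:", suspects)
    print("accounts they got into:", successes_from_flagged(SAMPLE_LOG, suspects))
```

In the sample, 203.0.113.10 fails against five different accounts within seconds and then succeeds against a sixth, so it is flagged and `frank` is the account to reset; 198.51.100.7 fails twice on a single account and is ignored, which is the pattern of a user mistyping a password. The thresholds (`window`, `min_users`) are tuning knobs, not fixed values.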

ASB-2024.0099 – R programming language: CVSS (Max): 8.8

A recent finding has revealed CVE-2024-27322 in the R programming language, extensively used by statisticians and data miners. This vulnerability, rated with a CVSS v3 score of 8.8, poses a significant risk, enabling malicious actors to run arbitrary code on a targeted system.

ESB-2024.2771 – Cisco IP Phone Products: CVSS (Max): 7.5

Cisco has released information regarding a vulnerability in the web-based management interface of Cisco IP Phone firmware that could allow unauthorized access and potential data breaches. Make sure to update the firmware and implement proper security measures to protect sensitive information on the devices.

ESB-2024.0272.2 – UPDATE ALERT [WIN][UNIX/Linux] GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0

CISA has added CVE-2023-7028 to its KEV list. The flaw in GitLab Community Edition (CE) and Enterprise Edition (EE) allows for password reset messages to be sent to email addresses that have not been verified, enabling attackers to hijack the password reset process and take over accounts. GitLab patched the security defect in January 2024.
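The bulletin above and the earlier news item on the GitLab account-takeover bug both come down to one property a password-reset flow must enforce: reset mail goes only to an address the account holder has actually verified, and only to one of them. The following is an added example of that check, written for this review; it is not GitLab's code, and the `User` record, the in-memory outbox standing in for a mailer, and the request parameter shape are all assumptions made for illustration.

```python
"""Password-reset request handling that mails only verified addresses.

Added example; not GitLab's implementation. User records, the outbox and
the request parameter shape are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    # Addresses the owner has proven control of (the primary one included).
    verified_emails: set = field(default_factory=set)
    # Addresses added to the profile but never confirmed by the owner.
    unverified_emails: set = field(default_factory=set)


class ResetRefused(ValueError):
    """Raised when the request is malformed; nothing is sent."""


def normalise_email_param(value):
    """Accept exactly one email string.

    Form and JSON parsers commonly turn repeated or bracketed parameters
    into a list; a reset flow must never fan one request out to several
    recipients, so anything but a single string is refused outright.
    """
    if isinstance(value, (list, tuple, set)):
        raise ResetRefused("multiple email values not allowed")
    if not isinstance(value, str) or "@" not in value:
        raise ResetRefused("malformed email")
    return value.strip().lower()


def request_password_reset(email_param, users, outbox):
    """Send a reset token only to a verified address of the matching account.

    Returns the recipient address, or None when nothing was sent. The
    caller should show the same neutral message in both cases so the
    response does not reveal which addresses exist or are unverified.
    """
    email = normalise_email_param(email_param)
    for user in users:
        if email in user.verified_emails:
            token = secrets.token_urlsafe(32)
            outbox.append((email, token))  # stand-in for the real mailer
            return email
        if email in user.unverified_emails:
            # Attached to an account but ownership was never proven: stay silent.
            return None
    return None


# Constructed account: one verified address, one still unverified.
SAMPLE_USERS = [
    User(
        username="owner",
        verified_emails={"owner@example.org"},
        unverified_emails={"other@example.net"},
    )
]


def demo():
    """Exercise the three paths; returns (sent_to_verified, sent_to_unverified, outbox)."""
    outbox = []
    sent_verified = request_password_reset("Owner@Example.org", SAMPLE_USERS, outbox)
    sent_unverified = request_password_reset("other@example.net", SAMPLE_USERS, outbox)
    return sent_verified, sent_unverified, outbox


if __name__ == "__main__":
    verified_to, unverified_to, box = demo()
    print("verified request mailed to:", verified_to)
    print("unverified request mailed to:", unverified_to)
    print("messages queued:", len(box))
```

The two things worth checking in any reset flow are visible in `demo()`: the verified address gets exactly one token, the unverified address attached to the same account gets nothing, and a list-valued email parameter is rejected before any lookup happens.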


Stay safe, stay patched and have a good weekend!

The AusCERT team