4 Apr 2025

Week in review

Greetings,

We’re excited to introduce two new courses to our training offerings this year, designed to help organisations tackle key cyber security challenges.

Due to high demand, we’ve added the Understanding and Implementing the ASD Essential Eight course to help security managers and technical specialists navigate the Essential Eight—a set of critical cyber security strategies published by the Australian Government. By completing this course, participants will gain a solid understanding of the ASD Essential Eight (E8), valuable insights into implementation options, and a clear grasp of the E8 maturity model. The course also covers how to prepare for an E8 assessment by an ASD-certified assessor. The next session for this course is coming up on July 29 & 30—register now before it books out!

Another course we’ve recently introduced is Managing Third-Party Cyber Security Risk, designed for professionals across various industries. This course focuses on securing organisations against risks posed by third-party suppliers and partners. Participants will gain a comprehensive understanding of third-party cyber risks, their impact on business operations and data security, and how to effectively identify and assess supplier risks. The course also covers mitigation strategies, industry best practices, and continuous monitoring techniques to strengthen an organisation’s cyber security posture. The next session is on August 5 & 6—register now!

Looking for a streamlined approach to staff training? Our in-house training and volume booking options provide flexible, tailored solutions to meet your organisation’s needs. Contact us today to discuss how we can align our training with your organisation’s objectives for maximum impact!


Hackers abuse WordPress MU-Plugins to hide malicious code
Date: 2025-03-31
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.
"The fact that we've seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold," explains Sucuri's security analyst Puja Srivastava.
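Because WordPress loads every PHP file placed directly in wp-content/mu-plugins without an activation step, the most practical control is to baseline that directory and alert on anything new or changed. The script below is an added illustration of that check, written for this summary; it is not code from Bleeping Computer or Sucuri. The file names and contents it creates are constructed samples, and the mu_dir path is whatever you point it at.

```python
"""Baseline audit of a WordPress mu-plugins directory (added example).

Records a baseline (relative path -> SHA-256) and later reports files that
are new, modified, or missing relative to it. Pointed at wp-content/mu-plugins
on a real site, it gives a cheap change-detection signal for the directory
the article describes.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(mu_dir):
    """Map each regular file under mu_dir (recursively) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mu_dir)
            result[rel] = hash_file(full)
    return result


def save_baseline(baseline, path):
    """Persist a snapshot so a later run can compare against it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Constructed scenario: one legitimate mu-plugin, then an unexpected drop-in
    and a modification after the baseline was taken."""
    with tempfile.TemporaryDirectory() as mu_dir:
        legit = os.path.join(mu_dir, "site-tweaks.php")
        with open(legit, "w") as f:
            f.write("<?php // constructed sample: harmless site customisation\n")
        baseline_path = os.path.join(mu_dir, "..", "mu-baseline.json")
        save_baseline(snapshot(mu_dir), baseline_path)

        # Simulate what a later scheduled run would see.
        with open(os.path.join(mu_dir, "new-dropin.php"), "w") as f:
            f.write("<?php // constructed sample: file that was not in the baseline\n")
        with open(legit, "a") as f:
            f.write("// constructed sample: appended content\n")

        result = compare(load_baseline(baseline_path), snapshot(mu_dir))
        os.remove(baseline_path)
        return result


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Run it from cron against the live directory and treat any non-empty "added" or "modified" list as a ticket: the baseline should only change through your own deployment process.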

CISA Analyzes Malware Used in Ivanti Zero-Day Attacks
Date: 2025-03-31
Author: Security Week

The US cybersecurity agency CISA on Friday published its analysis of the malware used by Chinese hackers in attacks exploiting an Ivanti Connect Secure zero-day patched in January 2025.
The issue, tracked as CVE-2025-0282 (CVSS score of 9.0), is described as a stack-based buffer overflow enabling attackers to execute arbitrary code remotely, without authentication.

24,000 unique IP addresses target PAN-OS GlobalProtect gateways
Date: 2025-04-01
Author: SC Media

A significant surge in scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateway portals was observed: over the last 30 days, nearly 24,000 unique IP addresses have attempted to access the PAN-OS devices.
The increased activity suggests a coordinated effort to probe network defenses and identify vulnerable systems, potentially as a precursor to targeted exploitation.

GitHub expands security tools after 39 million secrets leaked in 2024
Date: 2025-04-02
Author: Bleeping Computer

GitHub announced updates to its Advanced Security platform after it detected over 39 million leaked secrets in repositories during 2024, including API keys and credentials, exposing users and organizations to serious security risks.
In a new report by GitHub, the development company says the 39 million secrets were found through its secret scanning service, a security feature that detects API keys, passwords, tokens, and other secrets in repositories.
"Secret leaks remain one of the most common—and preventable—causes of security incidents," reads GitHub's announcement.
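To make concrete what a secret scanner like GitHub's is looking for, here is an added example of the two rule types such scanners combine: fixed-format token patterns (high confidence) and a generic key = value rule gated by a Shannon-entropy check so that placeholders are not reported. It is written for this summary and is not GitHub's code; the AWS and GitHub token prefixes are publicly documented formats, the thresholds are assumptions, and the sample config is constructed (the AWS value is the example key from AWS documentation, not a live credential).

```python
"""Minimal secret scanner over text (added example, not GitHub's implementation)."""
import math
import re

# Fixed-format rules: the prefixes are publicly documented token formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a secret-like name, an assignment, then a value of 12+ chars.
# A non-alphanumeric char (or line start) must precede the name so that
# DB_PASSWORD=... is caught but "bypassword" is not.
GENERIC = re.compile(
    r"(?i)(?:^|[^a-z0-9])(password|passwd|secret|token|api[_-]?key)"
    r"\s*[:=]\s*['\"]?([^\s'\"]{12,})"
)

# Assumed threshold: random 20-char alphanumeric values sit well above 4.0 bits,
# English-looking placeholders ("changeme") sit below it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for a single repeated char."""
    if not s:
        return 0.0
    freq = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def scan_text(text, entropy_threshold=ENTROPY_THRESHOLD):
    """Return [(line_number, rule_name)] for each line with a likely secret.
    A fixed-format hit wins; the generic rule only runs when none matched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fixed_hits = [kind for kind, pat in PATTERNS.items() if pat.search(line)]
        for kind in fixed_hits:
            findings.append((lineno, kind))
        if fixed_hits:
            continue
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "generic_high_entropy"))
    return findings


# Constructed sample config; no real credentials.
SAMPLE = """\
# constructed sample config, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
password = changeme_changeme
db_password = "x9Qv7LmZp2RtK4wB8nHs"
"""


def scan_sample():
    return scan_text(SAMPLE)


if __name__ == "__main__":
    for lineno, kind in scan_sample():
        print(f"line {lineno}: {kind}")
```

Line 4 is deliberately not reported: the entropy gate is what keeps a scanner usable on real repositories, where placeholder values are everywhere. Run the same function over files in a pre-commit hook to catch the leak before the push that GitHub's scanning would otherwise flag.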

U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog
Date: 2025-04-02
Author: Security Affairs

[See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.1669.2]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog.
The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 hours after a public PoC was released.
The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met.


ESB-2025.2011 – Apple iOS 15.8.4 and iPadOS 15.8.4: CVSS (Max): 8.8

Apple addressed two zero-day vulnerabilities: CVE-2025-24201 in WebKit, which allows attackers to escape the Web Content sandbox, and CVE-2025-24200, which lets attackers with physical access disable USB Restricted Mode on a locked device. Both were exploited in a sophisticated attack on specific targets. Security updates were released for iOS and iPadOS to fix these issues.

ESB-2025.2035 – Google Chrome: CVSS (Max): None

Chrome 135 has been released with 14 security fixes, including nine from external researchers. The most severe is a high-risk use-after-free flaw (CVE-2025-3066) in Navigations. The update also addresses medium- and low-severity issues in areas like Custom Tabs, Extensions, and Autofill.

ESB-2025.2095 – Jenkins (core) and Jenkins Plugins: CVSS (Max): 8.8

Jenkins released a high-priority security advisory addressing multiple vulnerabilities in its core platform and plugins. The most critical issue, CVE-2025-31722, allows arbitrary code execution via the Templating Engine Plugin, with a CVSSv3 score of 8.8.

ESB-2025.2048 – VMware Products: CVSS (Max): 7.8

VMware has released a critical security advisory (VMSA-2025-0006) for a high-severity privilege escalation vulnerability (CVE-2025-22231) in its Aria Operations platform, affecting multiple products. The flaw, rated 7.8 on the CVSSv3 scale, allows attackers with local admin access to gain root control over the system. Patches are now available for affected VMware platforms.

ESB-2025.2045 – Firefox ESR: CVSS (Max): 8.1

Mozilla released Firefox 137 fixing critical vulnerabilities. The update addresses a high-impact use-after-free bug (CVE-2025-3028) and memory safety issues (CVE-2025-3030), which could lead to arbitrary code execution. Users are urged to update immediately to protect against these severe risks.


Stay safe, stay patched and have a good weekend!

The AUSCERT team