5 Apr 2024

Week in review


Today is the last chance to take advantage of early bird registrations and make the most of AUSCERT member tokens! The countdown is on for AUCERT2024 and we are very excited to join with our community, hear from industry experts, engage in ground breaking workshops and participate in exciting activities! Check out our full program for all the details!

A recently published report by The Cyber Safety Review Board has highlighted a series of critical oversights by Microsoft in an incident involving a threat actor believed to be affiliated with the People’s Republic of China. This breach led to unauthorised access to email accounts of senior government officials from the United States and the United Kingdom. The incident underscores the significant threat that supply chain attacks pose to organisations, given the inherent vulnerabilities that can be introduced and exploited at any stage of the supply chain.

Recent high-profile attacks on various companies and code repositories, such as the xz Utils backdoor, serve as an important reminder that attackers possess both the intent and capability to exploit weaknesses in supply chain security. Regardless of an organisation’s size or the stringency of its security measures, vigilance and preparedness for potential incidents are paramount.

As this alarming trend continues to escalate, it becomes increasingly imperative for organisations to implement effective risk management measures including careful oversight of their supply chains. These steps are crucial in reducing the likelihood and impact of similar incidents in the future. The UK’s National Cyber Security Centre has provided valuable guidance in establishing effective control and oversight of supply chains, offering principles that can significantly bolster security measures.

These principles revolve around four key strategies: Understand the Risks, Establishing Control, Checking Arrangements and Driving Continuous Improvement.

In conclusion, supply chain attacks represent an increasing threat to organisations globally. It’s crucial to comprehend the risks associated with all supplier and partner arrangements, regardless of an organisation’s size or reputation. Establishing control and holding suppliers accountable for agreed security measures are imperative steps. Moreover, it’s vital to encourage suppliers to continuously enhance their security arrangements. By adopting these measures, organisations can bolster their defences against supply chain vulnerabilities and mitigate potential threats effectively.

Security Flaw in WP-Members Plugin Leads to Script Injection
Date: 2024-04-02
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Attackers could exploit a high-severity cross-site Scripting (XSS) vulnerability in the WP-Members Membership WordPress plugin to inject arbitrary scripts into web pages, according to an advisory from security firm Defiant.
The bug, tracked as CVE-2024-1852, is the result of insufficient input sanitization and output escaping, allowing an attacker to create accounts that have a malicious script stored as the value of the user’s IP address.

xz-utils Backdoor Affected Kali Linux Installations: Check for Infection
Date: 2024-04-02
Author: Cyber Security News

A backdoor was recently discovered in the xz-utils package versions 5.6.0 to 5.6.1, shocking the Linux community. This poses a significant threat to the security of Linux distributions, including Kali Linux.
The vulnerability, CVE-2024-3094, could potentially allow malicious actors to compromise sshd authentication, granting unauthorized access to systems remotely.

Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites
Date: 2024-04-03
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical SQL injection vulnerability in the LayerSlider plugin can be exploited to extract sensitive information from website databases, WordPress security firm Defiant warns.
A WordPress slider plugin with more than one million active installations, LayerSlider provides users with visual web content editing, digital visual effects, and graphic design capabilities in a single solution.

Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
Date: 2024-04-03
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.

Adversaries are leveraging remote access tools now more than ever — here’s how to stop them
Date: 2024-04-02
Author: Cisco Talos

Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic.
Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software.

Cyber 'axis of evil' poised for more attacks on Australia, expert warns
Date: 2024-04-02
Author: 9News

A dangerous "axis of evil in cyberspace" is primed to launch more attacks on major Australian companies, a leading cybersecurity expert has warned, claiming the compromised networks of Medibank and Optus are just phase one in a dark master plan.
Highly skilled Russian and Chinese hackers will lead those cyberattacks, according to Tom Kellerman, a former cyber investigations advisor for the US Secret Service and Barack Obama's government.
The motives for recent attacks on Medibank, Optus, Latitude and other institutions went far beyond theft of data and the potential for financial extortion, he said.

ESB-2024.1999 – ALERT Google Chrome: CVSS (Max): None

Google has updated its Stable channel for Windows, Mac and Linux. This includes a patch for a critical zero-day vulnerability (CVE-2024-3159) that was exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

ASB-2024.0057 – ALERT xz-utils: CVSS (Max): 10.0

The world was shocked when a Microsoft developer disclosed that a backdoor has been intentionally planted in xz Utils. Known as CVE-2024-3094, this vulnerability enables a malicious actor with the correct private key to take control of sshd, the program responsible for establishing SSH connections, and subsequently execute harmful commands.

ESB-2024.2070 – Google Android devices: CVSS (Max): 6.6*

Google recently revealed updates to address vulnerabilities in Android and Pixel devices, which include two issues that have been actively exploited. These vulnerabilities, known as CVE-2024-29745 and CVE-2024-29748, specifically affect Pixel's bootloader and firmware.

ESB-2024.1985.3 – UPDATE VMware SD-WAN: CVSS (Max): 7.4

VMware has issued crucial security patches to resolve a number of vulnerabilities in its SD-WAN solution. Failure to apply these patches could pose significant risks to organizations that depend on VMware SD-WAN for network management.

ASB-2024.0058 – HTTP/2: CVSS (Max): 7.5*

Recently identified vulnerabilities in the HTTP/2 protocol, known as "CONTINUATION Flood," have the potential to launch DoS attacks against servers utilizing vulnerable implementations.

Stay safe, stay patched and have a good weekend!

The AusCERT team