5 Jul 2024

Week in review

Greetings,

This week, we published the AUSCERT2024 recordings! To re-live your favourite sessions, head to our YouTube channel to watch them. We featured many exciting sessions that made the event truly unforgettable. This year, the conference focused on industry technology, modernizing infrastructure, data governance, and the legal aspects of cyber security.

One highlight to revisit is the live Risky Biz recording with Adam Boileau and Patrick Gray, in which they discussed some very interesting topics. MISP was another hot topic, with our Senior Security Systems Administrator, Josh Hopkins, leading a session on modernising MISP by applying Infrastructure as Code principles to your MISP services.

Data governance was another significant focus at AUSCERT2024. In Trinity McNicol’s session, she explored how organisations can manage data-related risks, protect data assets, leverage data for decision-making, meet consumer privacy expectations, and ensure compliance with data protection legislation.

Cyber security frameworks can also help organisations understand their cyber health and improve overall resilience. The Cyber Health Check Program Panel discussion went beyond theory, offering real-world case studies that highlight successful cyber security enhancements. Watch as the team embarks on an enlightening exploration of cyber security framework essentials.

Piotr Kijewski’s session provided an overview of how Shadowserver functions as a large-scale information collection and sharing project, collaborating with the global Internet defender community. Piotr described their recent journey in search of sustainability and concluded with their vision of continuing the mission to raise the bar on global cyber security without compromising their principles of free threat intelligence sharing.

Darren Kitchen’s session was a highly anticipated keynote, in which he shared tales of device deception from nearly 20 years of experience with Hak5. He discussed the innovative implants and deceptive devices equipping red teams worldwide. Darren’s successful penetration tests have produced a multitude of real-world stories about techniques that proved effective.

We concluded with a captivating Speed Debate featuring exciting, witty, and comical topics. Watch this session for a good laugh! The Cyber Security Conference actively focuses on community, value, and upskilling the workforce in a fun and inclusive environment. This year was no exception, with around 900 delegates attending across the four days. We can’t wait for next year, but in the meantime we have the videos to keep us entertained!


Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug
Date: 2024-07-02
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4145/]
Google has released patches for 25 documented security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component.
The critical bug, tracked as CVE-2024-31320, impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device.
“The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in an advisory.

Cisco warns of NX-OS zero-day exploited to deploy custom malware
Date: 2024-07-01
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4143/]
Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches.
Cybersecurity firm Sygnia, who reported the incidents to Cisco, linked the attacks to a Chinese state-sponsored threat actor it tracks as Velvet Ant.
"Sygnia detected this exploitation during a larger forensic investigation into the China-nexus cyberespionage group we are tracking as Velvet Ant," Amnon Kushnir, Director of Incident Response at Sygnia, told BleepingComputer.

Splunk Patches High-Severity Vulnerabilities in Enterprise Product
Date: 2024-07-02
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4152/]
Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs.
Three of the high-severity issues are remote code execution flaws that require authentication for successful exploitation.
The first of them, tracked as CVE-2024-36985, could be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. The issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x.

New regreSSHion OpenSSH RCE bug gives root on Linux servers
Date: 2024-07-01
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0121/]
A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems.
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP.
The flaw, discovered by researchers at Qualys in May 2024, and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

Juniper releases out-of-cycle fix for max severity auth bypass flaw
Date: 2024-06-30
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.4117/]
Juniper Networks has released an emergency update to address a maximum severity vulnerability that leads to authentication bypass in Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.
The security issue is tracked as CVE-2024-2973 and an attacker could exploit it to take full control of the device.

Gov launches 'overdue' cyber security network for health sector
Date: 2024-07-01
Author: iTnews

Mirroring a model already used in the financial and critical infrastructure sectors, the pilot Information Sharing and Analysis Centre (ISAC) will focus on “cyber threats, responses and preventative measures” among health organisations.
Minister for Home Affairs and cyber security Clare O’Neil said healthcare organisations’ “access to sensitive data”, and their “struggle with building and funding strong cyber protections”, had made them a threat target.
“The last two years has been the beginning of a big, overdue national journey to lift up cyber security across the country to better protect our citizens,” she said in a statement.


ESB-2024.4245 – PHP: CVSS (Max): 9.8

Ubuntu has fixed a vulnerability in PHP. The update caused a regression in parsing XML in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

ESB-2024.4211 – python-Js2Py: CVSS (Max): 9.6

SUSE has released an update that solves a vulnerability for a potential sandbox escape via untrusted JavaScript code.

ESB-2024.4144.2 – OpenSSH: CVSS (Max): 8.1

OpenSSH incorrectly handled signal management, which could allow an attacker to bypass authentication and remotely access systems without proper credentials. Fixes were released to patch this vulnerability.
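Both the regreSSHion item above and this bulletin describe the flaw as a signal-handling problem. The following C program is an added illustration (it is not OpenSSH code and not part of the AUSCERT bulletin) of the general rule defenders review for in such cases: a signal handler may only set a lock-free flag, and all real work must happen in normal program context. The SIGALRM deadline, the function names and the polling loop are constructed for the example and do not reproduce sshd’s actual logic.

```c
/* Added example: async-signal-unsafe vs flag-only signal handlers.
 * Names, the SIGALRM "deadline" and the polling loop are illustrative
 * constructions, not code from OpenSSH or the advisory. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The only kind of state a handler may touch safely: a lock-free flag. */
static volatile sig_atomic_t deadline_expired = 0;

/* UNSAFE pattern, shown so it can be recognised in review (it is never
 * installed below): the handler calls functions that may take internal
 * locks or touch the heap (printf, syslog, malloc, free ...). If the
 * signal arrives while the main program is inside one of those same
 * functions, their internal state is corrupted. */
void unsafe_handler(int sig) {
    (void)sig;
    printf("timeout\n"); /* NOT async-signal-safe */
}

/* SAFE pattern: record the event and return. Logging, cleanup and any
 * allocation happen later in the main loop, outside signal context. */
static void safe_handler(int sig) {
    (void)sig;
    deadline_expired = 1;
}

/* Installs the flag-only handler for SIGALRM; returns 0 on success. */
int install_safe_deadline_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

int deadline_has_expired(void) { return deadline_expired != 0; }
void reset_deadline(void) { deadline_expired = 0; }

/* Simulated grace-period loop: polls the flag between units of work.
 * Returns the iteration at which the deadline was observed, or -1 if
 * max_iterations passed without the deadline expiring. */
int run_until_deadline(int max_iterations) {
    for (int i = 0; i < max_iterations; i++) {
        if (deadline_has_expired()) {
            /* Safe here: we are in normal context, not in a handler. */
            fprintf(stderr, "deadline reached after %d iterations\n", i);
            return i;
        }
        /* ... service the connection here ... */
    }
    return -1;
}

int main(void) {
    if (install_safe_deadline_handler() != 0)
        return 1;
    raise(SIGALRM);                 /* delivered synchronously: flag is now set */
    int n = run_until_deadline(10); /* observed on the first iteration */
    printf("observed at iteration %d\n", n);
    return n == 0 ? 0 : 1;
}
```

The design point is that the handler does nothing a concurrent caller could be in the middle of; everything with side effects is deferred to the loop that polls `deadline_has_expired()`, where it runs with normal locking and memory-allocation guarantees.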

ESB-2024.4164 – Splunk Enterprise: CVSS (Max): 9.8

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher.

ESB-2024.4174 – mySCADA myPRO: CVSS (Max): 9.8

mySCADA released an update for myPRO to address a vulnerability that could allow an attacker to remotely execute code on affected devices.


Stay safe, stay patched and have a good weekend!

The AusCERT team