6 Sep 2024

Week in review

Greetings,

Spring has sprung! As many of us start thinking about organising and refreshing our homes this season, it's also the perfect time to update our cyber security measures. Regularly reviewing, updating, and optimising our digital habits can greatly enhance the protection of our sensitive information and ensure a safer online experience. Take some time this month to review your security approach!

The AUSCERT team is already gearing up for next year's conference, with this year's event becoming a cherished memory. Our team is actively catching up with the program committee and will soon open the call for tutorials and presentations! To relive the fantastic moments from this year, we often revisit the outstanding sessions and activities on our YouTube channel.

Some of the highlights from AUSCERT 2024 included a session by Darren Kitchen, founder of HAK5, on innovative implants and deceptive devices, essential tools for red teams worldwide. We also thoroughly enjoyed the presentation by Piotr Kijewski, CEO and Trustee at The ShadowServer Foundation, and a talk from Michael Hamm and Christian Studder of CIRCL. To top it all off, there was a live podcast recording from Risky Biz, the perfect cherry on top!

We can't wait to see what next year has in store! So please save the date for next year's conference – 20th to 23rd May 2025 – returning to the beautiful Gold Coast! If there are keynote speakers who you're eager to see at next year's conference, send us an email with your suggestions at conference@auscert.org.au, and we'll see what we can do!

AUSCERT is excited to introduce the Exploitability Index (EI) for its Microsoft ASBs starting Wednesday, 11th September, 2024. Created by Microsoft, the Exploitability Index rates how likely each vulnerability is to be exploited within 30 days of an advisory's release, helping organisations to prioritise their vulnerability management. It uses a rating from 0 to 3, where a lower value means exploitation is more likely: 0 means exploitation has already been detected, 1 means exploitation is more likely, 2 means exploitation is less likely, and 3 means exploitation is unlikely. The rating helps IT professionals target the vulnerabilities most likely to be attacked first, improves risk management, and gives a common vocabulary for communicating about security risks. Note that the EI complements rather than replaces the CVSS score: a vulnerability with a moderate CVSS score but an EI of 0 or 1 usually deserves attention before a high-CVSS issue rated 3. For further information about the Exploitability Index (EI), please visit this Microsoft website.


Critical flaw in Zyxel's secure routers allows OS command execution via cookie (CVE-2024-7261)
Date: 2024-09-03
Author: Help Net Security

Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices.
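The following is an added illustration of the bug class described above (an OS command built from an unvalidated cookie value), not Zyxel's code and not taken from the article; nothing here reflects how the affected firmware actually handles cookies. The cookie name ("lang"), the command being run, the allowlist pattern and the sample Cookie headers are all assumptions made for the demonstration. It shows the vulnerable string-interpolation-into-a-shell pattern, the partial fix of passing an argv list without a shell, and the hardened form that also validates the value against an allowlist. It needs a POSIX shell and a standard echo binary to run.

```python
"""Constructed illustration: OS command injection via an HTTP cookie.

Added example, not code from Zyxel or from the original page. The cookie
name ("lang"), the command being run and the sample headers below are all
assumptions made for the demonstration.
"""
import re
import subprocess
from http.cookies import SimpleCookie

# Constructed sample Cookie headers (not captured from any real device).
BENIGN_COOKIE = "lang=en"
# A quoted cookie value may contain ';' and spaces, which is enough to chain a
# second shell command once the value is interpolated into a shell string.
# Other cookie parsers accept even rawer input; this is the polite version.
MALICIOUS_COOKIE = 'lang="en; printf INJECTED"'


def cookie_value(cookie_header: str, name: str, default: str = "en") -> str:
    """Parse a Cookie header and return one cookie's (unquoted) value."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else default


def vulnerable_lookup(cookie_header: str) -> str:
    """Vulnerable pattern: untrusted cookie value pasted into a shell command.

    shell=True hands the whole string to /bin/sh, so metacharacters in the
    cookie (';', '|', '$(...)', backticks) become additional commands.
    """
    lang = cookie_value(cookie_header, "lang")
    cmd = f"echo lang={lang}"  # attacker controls part of the command line
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def argv_only_lookup(cookie_header: str) -> str:
    """Partial fix: argv list and no shell.

    The value is passed as ONE argument, so shell metacharacters are literal
    and no second command runs, but the input is still not validated.
    """
    lang = cookie_value(cookie_header, "lang")
    done = subprocess.run(["echo", f"lang={lang}"], capture_output=True, text=True)
    return done.stdout


# Allowlist for the only values this cookie is supposed to carry (assumption:
# a two-letter language code with an optional region, e.g. "en" or "en-AU").
LANG_RE = re.compile(r"[a-z]{2}(?:-[A-Z]{2})?")


def hardened_lookup(cookie_header: str) -> str:
    """Hardened pattern: strict allowlist validation AND no shell."""
    lang = cookie_value(cookie_header, "lang")
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"rejected cookie value: {lang!r}")
    done = subprocess.run(["echo", f"lang={lang}"], capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    print(repr(vulnerable_lookup(MALICIOUS_COOKIE)))  # second command ran
    print(repr(argv_only_lookup(MALICIOUS_COOKIE)))   # literal, nothing extra ran
    try:
        hardened_lookup(MALICIOUS_COOKIE)
    except ValueError as exc:
        print("hardened:", exc)
```

The point of keeping both fixes in the example is that they guard different things: dropping the shell removes the injection primitive regardless of what the value contains, while the allowlist stops a hostile value from reaching any downstream consumer (a file path, a config line, a log entry) that might interpret it later. Unauthenticated request data such as cookies should get both.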

VMware Patches High-Severity Code Execution Flaw in Fusion
Date: 2024-09-03
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5613/]
The root cause of the issue, tracked as CVE-2024-38811 (CVSS 8.8/10), is an insecure environment variable, VMware notes in an advisory. “VMware Fusion contains a code execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the ‘Important’ severity range.”

RansomHub hits 210 victims in just 6 months
Date: 2024-08-30
Author: The Register

[AUSCERT has published a bulletin (ASB-2024.0172) regarding this and also shared IoCs and TTPs via MISP]
As RansomHub continues to scoop up top talent from the fallen LockBit and ALPHV operations while accruing a smorgasbord of victims, security and law enforcement agencies in the US feel it's time to issue an official warning about the group that's gunning for ransomware supremacy.
According to the security advisory from CISA, the FBI, the HHS, and the MS-ISAC, RansomHub amassed at least 210 victims since spinning up in February this year.

Google Issues Android Attack Warning As 0-Day Threat Strikes
Date: 2024-09-04
Author: Forbes

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.5624/]
Although a number of security issues are addressed by the September update, there is one that demands your attention more than most. Common vulnerabilities and exposures number 32896 for this year, known as CVE-2024-32896, is the most severe, according to Google. This high-severity security vulnerability impacts the Android framework component which, as the name suggests, is rather important. The Android framework is, in effect, a set of different software components that sit at the heart of Android upon which applications are built.

Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns
Date: 2024-08-30
Author: The Hacker News

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.0290/]
Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances.
The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024.


ESB-2024.5618 – Mozilla Firefox: CVSS (Max): 9.8*

Multiple vulnerabilities in Mozilla Firefox could allow for arbitrary code execution by an attacker. This could enable the attacker to install programs, view, alter, or delete data, or create new accounts with full user rights, depending on the user’s privileges. Users with administrative rights are at greater risk compared to those with limited user privileges.

ASB-2024.0172 – CISA advisory, RansomHub Ransomware

RansomHub, a ransomware-as-a-service operation that began in February 2024 and was formerly known as Cyclops and Knight, is targeting sectors such as healthcare, government, and finance. It uses a double-extortion tactic, exfiltrating data before encrypting it, and relies on a range of initial access methods including phishing and exploitation of known vulnerabilities. AUSCERT has shared IoCs and TTPs via MISP to help organisations defend against this threat.

ESB-2024.5613 – VMware Fusion: CVSS (Max): 8.8

A high-severity vulnerability in VMware Fusion for macOS allows an attacker with standard user privileges to execute arbitrary code in the context of the Fusion application, potentially leading to unauthorised access or data breaches. The issue is caused by the use of an insecure environment variable. VMware has released a patched version, Fusion 13.6, and users are advised to update immediately to mitigate the risk.

ESB-2024.5624 – Google Android: CVSS (Max): 8.4*

Google's latest Android security bulletin addresses several vulnerabilities but highlights CVE-2024-32896 as the most severe. This high-severity flaw in the Android framework could allow a local attacker to escalate privileges, with no additional execution privileges needed. First addressed in the June Pixel update and now reported as exploited in the wild, it has been added to CISA's Known Exploited Vulnerabilities Catalog. Users are urged to update their devices immediately to protect against this ongoing threat.

ESB-2024.5674 – Cisco Identity Services Engine: CVSS (Max): 6.0

Cisco has patched a medium-severity command injection vulnerability, CVE-2024-20469 (CVSS 6.0), in its Identity Services Engine (ISE) that allows a local, authenticated attacker who already holds Administrator privileges to escalate to root. The flaw is caused by insufficient validation of user-supplied input and can be exploited by submitting a crafted CLI command. While proof-of-concept exploit code is available, no active exploitation has been reported. Cisco has released updates for affected versions and, separately, removed a static administrative credential (effectively a backdoor account) from its Smart Licensing Utility.


Stay safe, stay patched and have a good weekend!

The AUSCERT team