7 Jun 2024

Week in review


With tax season close, AUSCERT is urging vigilance, as this is a prime time for cybercriminals to target unsuspecting people through phishing scams. These scams are typically circulated via various channels, including emails, phone calls, text messages, and fake websites. Malicious actors often increase their fraudulent activities during this period to take advantage of the heightened financial activity.

AUSCERT has observed a significant increase in phishing scams impersonating MyGov and the Australian Taxation Office (ATO) during previous tax seasons. From July to October in 2022, AUSCERT received reports of around 1,100 tax-related phishing emails and scams, surging to approximately 2,500 in 2023. By staying informed and following best practices for online security, individuals can reduce the risk of falling victim to ATO and MyGov-related phishing scams.

This week, concerning news emerged in the area of supply chain cyber security. Australian electronic prescription provider MediSecure has gone into administration. This follows a data breach reported in mid-May 2024, in which 6.5 terabytes of prescription data were stolen and leaked on a cybercrime forum. Last week, the Minister for Cyber Security, Clare O’Neil, publicly criticised MediSecure for the "unacceptably long time" it took to provide important information about the stolen customer data.

Meanwhile, cloud storage and data analytics company Snowflake was the centre of a data breach impacting several high-profile customers, including Ticketmaster. Described by some in the media as "the world’s biggest data breach — in terms of impacted individuals," this incident underscores how supply chain risks can have far-reaching consequences. It also highlights the importance of understanding and utilising the security controls provided by service providers. Reports suggest that some of Snowflake’s customers were compromised due to single-factor authentication and use of stolen credentials.

The best proactive approach to staying ahead of cyber threats is to ensure that you and all members of your organization are equipped with the most relevant knowledge. Stay informed and vigilant by visiting our training website to explore the available courses you can enrol in today!

Largest ever operation against botnets hits dropper malware ecosystem
Date: 2024-05-30
Author: Europol

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software.

AUSCERT warns companies and individuals alike to be aware of tax scams
Date: 2024-06-04
Author: Cyber Daily

Tax time rolls around every year with the inevitability of death, but while tax and death have long been considered to go oddly hand in hand, the modern, connected world has thrown a third spanner into the mix.
As Australians all over the country turn to their accountants and yearly finances, so do scammers, who relentlessly conjure new ways to bilk victims out of either their personal data or their hard-earned cash.

CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability
Date: 2024-06-04
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2017.0038/]
The US cybersecurity agency CISA on Monday added an old Oracle WebLogic flaw to its Known Exploited Vulnerabilities (KEV) catalog after it was seen being exploited by Chinese hackers to deploy cryptocurrency miners.
The vulnerability, tracked as CVE-2017-3506, affects Oracle WebLogic Server and allows an unauthenticated attacker to access or modify critical data, enabling arbitrary OS command execution. Attackers can achieve remote code execution via specially crafted HTTP requests.

CVE-2024-2876: WordPress Plug-in Threatens 90,000+ websites
Date: 2024-06-06
Author: Wallarm

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A highly concerning security loophole was recently discovered in a WordPress plugin called "Email Subscribers by Icegram Express," a popular tool utilized by a vast network of over 90,000+ websites. Officially designated as CVE-2024-2876 with a CVSS score of 9.8 (critical), the vulnerability represents a significant threat as it exposes numerous websites to potential attacks.

Threat actor compromising Snowflake database customers
Date: 2024-05-31
Author: TechTarget

[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0109]
[AUSCERT has also shared IoCs associated with the Snowflake incident via MISP ]
A threat actor has breached customers of cloud storage and analytics giant Snowflake by using stolen credentials to access databases, according to cloud security vendor Mitiga.
According to a blog post published Thursday, the threat actor, tracked as UNC5537, "has been observed using stolen customer credentials to target organizations utilizing Snowflake databases" to conduct data theft and extortion-related activity.

Apache HugeGraph-Server – Remote Command Execution (CVE-2024-27348) – Vulnerability & Exploit Database
Date: 2024-06-04
Author: Pentest Tools

Vulnerability description
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component.
Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network.

ASB-2024.0109.2 – Potentially compromised Snowflake environments

A cyber security incident involving Snowflake customer environments has been reported, potentially affecting large companies.

ESB-2024.3426.2 – Jenkins Plugins: CVSS (Max): 8.0

Jenkins has discovered vulnerabilities in OpenText Application Automation Tools Plugin, Report Info Plugin, and Team Concert Git Plugin, including stored XSS, XXE attacks, missing permission checks, and path traversal, with fixes available for some plugins.

ESB-2024.3544 – Red Hat Enterprise Linux BaseOS AUS (v.8.2): CVSS (Max): 7.8

CISA added Linux Kernel Vulnerability (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are targeting it in the wild.

ESB-2024.3556 – Android: CVSS (Max): 9.3

The Android Security Bulletin addresses multiple critical vulnerabilities, including severe local privilege escalation issues. Users are urged to update their devices to enhance protection through the latest Android security platform and Google Play Protect measures.

Stay safe, stay patched and have a good weekend!

The AUSCERT team