Week in review - 8 Mar 2024

Greetings,

Today we celebrate AUSCERT’s 31st Birthday and embrace the spirit of International Women’s Day! It fills us with immense joy to be able to celebrate this special occasion alongside the remarkable women around us! Fittingly, on this momentous day, we also released the 31st episode of our podcast titled “Cybercrime” featuring special guests Nigel Phair from Monash University and James Chadwick, Principal Analyst of AUSCERT.

In this captivating conversation Anthony and Nigel unravel the murky world of cybercrime. Together, they explore the evolution of cybercrime over the past two decades, particularly as the internet has become more accessible to a broader audience globally. They shed light on the expanding opportunities it has provided for criminals, delving into the various tactics and approaches employed to tackle this complex issue throughout the years.

In other news, as Queensland's local government elections approach, it's crucial to remain vigilant about the voting scams that often emerge during these periods. During significant events like political elections, malicious actors tend to escalate their attacks, capitalising on the heightened buzz and media attention. Here are some key points to be mindful of during this election season:

  1. Phishing Attempts: Exercise caution with emails, messages, or calls claiming to be from official election authorities. Avoid clicking on suspicious links and verify the authenticity of communication before sharing any personal information.

  2. Misinformation Campaigns: Be wary of false information circulating on social media or other platforms. Verify the accuracy of news and updates related to the election from reliable sources before sharing or acting upon them.

  3. Fraudulent Websites: Only use official and secure websites for election-related information and activities. Malicious actors may create fraudulent websites to collect sensitive data or spread misinformation.

  4. Phone Impersonation Scams: Be cautious of individuals posing as election officials, candidates, or representatives. Verify the identity of anyone requesting personal information or donations related to the election.

  5. Stay informed: Keep yourself informed about common election scams and stay updated on security guidelines provided by official election authorities. You can find more information on the Australian Government’s Scamwatch website.

Awareness is key to prevent falling victim to fraudulent activities! If you do encounter any of the above activities, report it here.


Hackers steal Windows NTLM authentication hashes in phishing attacks
Date: 2024-03-04
Author: Bleeping Computer

[AUSCERT is aware of reports where Australian organisations appear to have been targeted by TA577. Please see AusCERT bulletin: https://auscert.org.au/bulletins/ASB-2024.0046.2]
The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks.
TA577 is considered an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections.
Email security firm Proofpoint reports today that although it has seen TA577 showing a preference for deploying Pikabot recently, two recent attack waves demonstrate a different tactic.

PikaBot malware on the rise: What organizations need to know
Date: 2024-03-01
Author: Malwarebytes Labs

[AusCERT has distributed IoCs associated with PikaBot malware through the MISP platform]
A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads.

Apple fixes two new iOS zero-days exploited in attacks on iPhones
Date: 2024-03-05
Author: Bleeping Computer

[Please see AusCERT bulletins: https://auscert.org.au/bulletins/ESB-2024.1413 and https://auscert.org.au/bulletins/ESB-2024.1414]
Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones.
"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.
The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections.

TeamCity auth bypass bug exploited to mass-generate admin accounts
Date: 2024-03-06
Author: Bleeping Computer

[AUSCERT utilised third-party search engines to identify and alert any impacted members. If you use TeamCity, we recommend patching according to the vendor's guidelines]
Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday.
Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web.

VMware Patches Critical ESXi Sandbox Escape Flaws
Date: 2024-03-05
Author: Security Week

[Please see AusCERT bulletin: https://auscert.org.au/bulletins/ESB-2024.1406/]
Virtualization technology vendor VMware on Tuesday rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products.
The company documented four vulnerabilities and warned that the most serious bugs could allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.


ESB-2024.1366 – Android: CVSS (Max): 9.8

Google has released security patches for critical security vulnerabilities affecting Android devices including a vulnerability in the System component potentially leading to remote code execution.

ESB-2024.1407 – Linear eMerge E3-Series: CVSS (Max): 10.0

A critical security vulnerability in the Nice Linear eMerge E3-Series poses a severe risk with a CVSS score of 10.0. Exploitation of multiple vulnerabilities could allow a remote attacker to gain full system access. Users are advised to upgrade to the latest firmware to mitigate these risks.

ESB-2024.1431 – squid: CVSS (Max): 8.6

An update for Squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support, addressing a vulnerability that could lead to a denial of service in the HTTP header parser.

ESB-2024.1368 – Google Chrome: CVSS (Max): None

Google released Chrome 122.0.6261.111/.112 for Windows and Mac and 122.0.6261.111 for Linux, which contains 3 security fixes.

ESB-2024.1461 – Jenkins Plugins: CVSS (Max): 8.0*

Jenkins has released the latest versions of the affected plugins to address multiple security vulnerabilities, including SSH-related issues, improper input sanitisation leading to cross-site scripting (XSS), and missing permission checks.


Stay safe, stay patched and have a good weekend!

The AusCERT team