//Week in review - 8 Sep 2023


Who can believe that there are only a mere four months left until the end of the year – where has the year gone? Time really does fly by. With that said, the AUSCERT team are well and truly planning for next year’s conference and this year’s conference is already beginning to feel like a distant memory. To remind ourselves of the amazing time we had, we often enjoy revisiting and reliving the program of outstanding speakers and activities via our YouTube channel.

One of our highlights for AUSCERT2023 was the significant presence of remarkable female speakers in our program. These include Tara Dharnikota’s session – “Staying ahead of evolving threats”, Jane O’Loughlin’s session – “What we do in the shadows” and our much-loved session led by Vanessa Wong & Shelly Mills – “You can’t ask that: Women in Cyber Security”. Not to mention our impressive keynote speaker Rachel Tobac, a globally renowned expert in the field of social engineering. Rachel is also chair of the board for the not-for-profit organisation Women in Security and Privacy (WISP) where she works to advance women to lead the future of privacy and security.

Last week we celebrated Women In Cyber Day, an initiative aimed at promoting and supporting the advancement and support of women in cyber security. Increasing the proportion of women within the industry isn’t just about equity, it’s a strategic imperative for enhancing security, innovation, and the overall effectiveness of the field. Women often possess different skills that can complement those of their colleagues, including communication, attention to detail, and a collaborative approach to problem-solving. A wider range of perspectives is also beneficial when making decisions about security policies, products and practices, which can lead to better protection for all. Diversity fosters innovation and creativity, as it brings different perceptions that can lead to innovative solutions and approaches.

To conclude, if you are looking for something to read across the weekend, NIST recently released an updated, draft guide detailing the creation of cybersecurity and privacy learning program. This is the first revision since NIST SP800-50 Building a Cybersecurity and Privacy Learning Program was introduced in 2003, a well-needed update. This initial public draft is open for community feedback until October 27, 2023. Click here to read the full document, NIST SP 800-50 Rev.1

University of Sydney data breach impacts recent applicants
Date: 2023-09-03
Author: Bleeping Computer

The University of Sydney (USYD) announced that a breach at a third-party service provider exposed personal information of recently applied and enrolled international applicants.
The public university started operations in 1850 and has nearly 70,000 students and about 8,500 academic and administrative personnel. It is considered one of Australia’s most important educational institutes.

Exploit Code Published for Critical-Severity VMware Security Defect
Date: 2023-09-01
Author: Security Week

Just days after shipping a major security update to correct vulnerabilities in its Aria Operations for Networks product line, VMware is warning that exploit code has been published online.
In an updated advisory, the virtualization technology giant confirmed the public release of exploit code that provides a roadmap for hackers to bypass SSH authentication and gain access to the Aria Operations for Networks command line interface.

Hackers exploit MinIO storage system to breach corporate networks
Date: 2023-09-04
Author: Bleeping Computer

[AusCERT has identified the impacted members (where possible) and contacted them via MSIN]
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.
Its high performance and versatility, especially for large-scale AI/ML and data lake applications, make MinIO a popular, cost-effective choice.

Australian authorities tire of excuses, delays on data breach disclosure
Date: 2023-09-05
Author: iTnews

Australian authorities had to formally invoke powers to get a client list from a breached IT services provider, as problems persist in getting organisations to notify data breaches in a timely fashion.
The issue of Australian organisations either seeking to downplay or delay mandatory notification of a data breach was raised more than two years ago.
A regulatory report, released Tuesday, shows the issue persists.
“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” Australian information commissioner and privacy commissioner Angelene Falk said in a statement.

Defence Housing Australia investigates third-party provider hack exposure
Date: 2023-09-07
Author: iTnews

Defence Housing Australia has launched an investigation to determine if it, or the data of Australian Defence personnel, has been exposed in a cyber attack on a third-party service provider.
The government business enterprise (GBE) said it is collaborating with the Defence on the investigation, which sought to establish – among other things – “if any Defence personnel or families’ information has been compromised.”

Scams Australia: Alarming surge in the number of teens being exploited online
Date: 2023-09-04
Author: 9NEWS

The number of young Australians being targeted by scammers online has surged in the last year, with concerning levels of sextortion taking place, new data suggests.
Statistics released today by Westpac Banks show the number of scams reported by customers under the age of 18 have almost quadrupled since last year, and have more than doubled for those under 30.
The data was concerning and showed a growing trend of scammers using techniques such as sextortion, Westpac General Manager of Financial Crime & Fraud Prevention, Chris Whittingham, said.

ESB-2023.5018 – GitLab Community Edition (CE) and Enterprise Edition (EE): CVSS (Max): 5.5*

GitLab released versions 16.3.1, 16.2.5 and 16.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE) which contain important security fixes.

ESB-2023.5067 – Mozilla VPN client for Linux: CVSS (Max): None

Mozilla Foundation reported Local user authentication flaws impacting Mozilla VPN client on Linux.

ESB-2023.5088 – Jenkins Plugins: CVSS (Max): 8.2*

The most recent security advisory released by Jenkins lists vulnerabilities affecting 12 Jenkins Plugins.

ESB-2023.5108 – ALERT Cisco BroadWorks Application Delivery Platform and Xtended Services Platform: CVSS (Max): 10.0

A vulnerability in Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an attacker to commit toll fraud or to execute commands at the privilege level of the affected system.

ESB-2023.5117 – Python: CVSS (Max): 9.8

Python could be made to crash or leak sensitive information if it received specially crafted input. The problem can be corrected by updating your system.

Stay safe, stay patched and have a good weekend!

The AusCERT team