Week in review - 14 Apr 2022

Greetings,

Each week of 2022 seems to be moving at a faster pace than the one before and here we are, at Easter already! Four days to relax, rejoice, reframe – and indulge in far too many chocolate eggs, bunnies, and bilbies along with some hot cross buns of course!

It’s also the first week of at least three (four if you’re in Queensland) that have one day less in the working week. Now, whilst that might be celebrated, it also means that we have fewer business days until AusCERT2022!

We have some fantastic Sponsors, Speakers, Tutorials and some sensational surprises in store this year! Spots are filling fast so, to ensure you don’t miss out, register today for Australia’s premier cyber security conference.

AusCERT will maintain minimal coverage for the Easter holidays from Friday 15 April to Monday 18 April. AusCERT staff will be on-call for emergencies only and email will not be monitored during this time. Any AusCERT member with an emergency may contact on-call AusCERT staff on the AusCERT Incident Hotline, details available here.

Have a safe, enjoyable and relaxing Easter break everyone!


Mandatory cyber security incident reporting now in force
Date: 2022-04-12
Author: iTnews

Home Affairs minister Karen Andrews has published the implementation of Australia’s critical infrastructure legislation, which makes reporting of information security events mandatory for several industry sectors.
Under the Security of Critical Infrastructure 2018 Act, multiple industry assets are deemed to be critical.

Security Nihilism Is Putting Your Company and Its Employees at Risk
Date: 2022-04-09
Author: Dark Reading

When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of “security nihilism” isn’t new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap to overcome for security practitioners, but it’s even more dangerous when employees start to feel it. Security nihilism creates new and worsens existing problems that put a company’s data — and the employees who are stewards of that data — at risk.

GitHub can now alert of supply-chain bugs in new dependencies
Date: 2022-04-08
Author: Bleeping Computer

GitHub can now block and alert you of pull requests that introduce new dependencies impacted by known supply chain vulnerabilities.
This is achieved by adding the new Dependency Review GitHub Action to an existing workflow in one of your projects. You can do it through your repository’s Actions tab under Security or straight from the GitHub Marketplace.
It is backed by an API endpoint that lets you understand the security impact of dependency changes on every pull request, before those changes are merged into your repository.
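As an added illustration (not code from the article, nor GitHub's own documentation), the following workflow wires the Dependency Review action into a repository so that every pull request is checked before merge. The action version tags and the severity threshold are assumptions chosen for the example.

```yaml
# Added example: run GitHub's Dependency Review action on every pull request.
# Action version tags and the severity threshold are assumptions, not values
# taken from the article.
name: Dependency Review

on:
  pull_request:

permissions:
  # The action only reads repository contents (and the dependency graph diff
  # behind them); it needs no write permissions.
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v3

      - name: Review dependency changes
        uses: actions/dependency-review-action@v1
        with:
          # Fail the check when a newly introduced dependency carries a known
          # vulnerability at or above this severity (low, moderate, high, critical).
          fail-on-severity: moderate
```

A failing run marks the pull request's status check as failed; to actually block the merge, as the article describes, the check must also be listed as a required status check in the branch protection rules for the target branch.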

Creating a Security Culture Where People Can Admit Mistakes
Date: 2022-04-12
Author: Dark Reading

Andy Ellis, advisory CISO for Orca Security and a longtime Akamai veteran, likes to tell a story about a potentially serious security incident. One of his team members was testing the email integration of a new incident tracking system. Unfortunately, the test email, titled “[TEST] Meteor strike destroys the headquarters,” went to everyone in the company and created a loop that crashed the mail servers.
As Ellis recounts, “The next day the responsible employee tweeted a picture of themselves training for a 5K run, and I replied, ‘Preparing to outrun the meteor?'”

New pilot program to help meet urgent demand for cyber security skills
Date: 2022-04-12
Author: Riotact

Cyber security may have been a big winner in the Federal Budget but finding the people to make the Federal Government’s ambitious plans a reality will be challenging.
The ACT Government and the Digital Skills Organisation (DSO) aim to help address the cyber skills shortage and meet the needs of the ACT’s growing tech sector with a new 12-month pilot program through the Canberra Cyber Hub.
It will focus on developing a new National Skills Framework for cyber security in cooperation with industry.


ESB-2022.1488.2 – UPDATED ALERT VMware products: CVSS (Max): 9.8

VMware has now confirmed that CVE-2022-22954 has been exploited in the wild.

ESB-2022.1560 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1

Adobe Commerce and Magento Open Source are vulnerable to Remote Code Execution. Adobe has released patches to address the issue.

ESB-2022.1623 – ALERT Cisco Wireless LAN Controller: CVSS (Max): 10.0

Cisco has released an advisory regarding a critical authentication bypass vulnerability affecting several Wireless LAN Controllers.

ASB-2022.0085 – ALERT Microsoft Windows products: CVSS (Max): 9.8

Microsoft has addressed multiple vulnerabilities in its Windows products as part of Patch Tuesday.

ASB-2022.0086.3 – UPDATE Nginx Zero-Day

Multiple mitigation measures are available for the recent zero-day vulnerability in the nginx web server.


Stay safe, stay patched and have a good weekend!

The AusCERT team