//Week in review - 10 Jun 2022


With the ongoing impact of COVID-19 and the associated uncertainty easing, 2021 started with hope and the promise that our daily lives would return to a sense of normalcy.

Eventually, we saw a return to offices, with permanent hybrid working arrangements and restrictions reduced. However, the impact on personal lives, societal changes, and increased frequency and sophistication of cyber threats presented ongoing challenges.

AusCERT dealt with many of these in 2021, ensuring our proactive approach in assisting members with potential exposure to risk continued.

The 2021 Year in Review provides insight into the challenges, our accomplishments, and highlights throughout the year.

One that is sure to make the highlight list for 2022 is AusCERT2022. The four days of collaboration, education, and fun ensured that the oldest information security conference in Australia was a resounding success!
View the highlights video HERE.

With a commitment to current and comprehensive content, AusCERT’s training courses are engaging and interactive.

Facilitated by our Principal Analyst and industry-leading trainers, AusCERT training courses will deliver the outcomes required by all stakeholders.
This extends to anyone that looks after their organisation’s cyber security.

Our next course, Cyber Security Risk Management, is taking place next week on June 13th & 14th – Book Now.

The cyber security landscape is ever-changing, and AusCERT continues to be passionate about engaging our members to empower their people, capabilities, and capacities.

Microsoft: Windows Autopatch now available for public preview
Date: 2022-06-05
Author: Bleeping Computer

Microsoft said this week that Windows Autopatch, a service to automatically keep Windows and Microsoft 365 software up to date in enterprise environments, has now reached public preview.
This enterprise service was first announced in April when Redmond said it would be made generally available in July 2022 and offered free to Microsoft customers with a Windows 10/11 Enterprise E3 license or greater.
Windows Autopatch automatically manages the deployment of Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates.

Ransomware gangs now give victims time to save their reputation
Date: 2022-06-06
Author: Bleeping Computer

Threat analysts have observed an unusual trend in ransomware group tactics, reporting that initial phases of victim extortion are becoming less open to the public as the actors tend to use hidden or anonymous entries.
By not disclosing the victim’s name immediately, the ransomware operatives give their targets a more extended opportunity to negotiate the ransom payment in secrecy while still maintaining a level of pressure in the form of a future data leak.
KELA, an Israeli cyber-intelligence specialist, has published its Q1 2022 ransomware report that illustrates this trend and highlights various changes in the field.

Atlassian patches zero-day affecting Confluence Data Center and Server
Date: 2022-06-03
Author: SC Media

[Related to AusCERT Bulletin ESB-2022.2737.4]
Atlassian on Friday issued fixes for a zero-day remote code execution vulnerability in Confluence Data Center and Server. The critical vulnerability lets an unauthenticated user execute arbitrary code on a Confluence Server or Data Center instance.
In an updated blog post, Atlassian said it fixed the following versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
Atlassian said for customers that access Confluence via an Atlassian.net domain, it’s hosted by Atlassian and not vulnerable. The company’s investigation have not found any evidence of exploitation of Atlassian Cloud.
The critical vulnerability — CVE-2022-26134 — affected all supported versions of Confluence Server and Data Center. Confluence Server and Data Center versions after 1.3.0 are affected.

Exploit released for Atlassian Confluence RCE bug, patch now
Date: 2022-06-05
Author: Bleeping Computer

[This article references a vulnerability in AusCERT Bulletin ESB-2022.2737.4]
Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence and Data Center servers have been widely released this weekend.
The vulnerability tracked as CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability exploited through OGNL injection and impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.
Successful exploitation allows unauthenticated, remote attackers to create new admin accounts, execute commands, and ultimately take over the server.

Australians lose over $200m to scams in just 4 months
Date: 2022-06-06
Author: Cyber Security Connect

The new data, released by Scamwatch, has revealed a 166 per cent increase in losses from last year.
According to the ACCC, the real losses are likely to be significantly higher as only 13 per cent of Australians are expected to refer their losses on to Scamwatch.
Investment scams have been found to be the most prolific, resulting in some $158 million lost for Australian consumers, representing a 314 per cent increase on the same time last year.
Of these, crypto currency investments have cost investors $113 million while imposter bond scams have resulted in $10.9 million lost.

HTTP/3 becomes a standard, at last
Date: 2022-06-09
Author: iTnews

Faster traffic, more encryption.
More than three years after it was first proposed, the third major version of the Hypertext Transfer Protocol, HTTP, has been adopted as an Internet Engineering Task Force (IETF) standard.
As is common, adoption of HTTP/3 has run ahead of the formal standards process.

GitLab Issues Security Patch for Critical Account Takeover Vulnerability
Date: 2022-06-03
Author: Thehackernews

GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover.
Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1.

Are You Ready for a Breach in Your Organization’s Slack Workspace?
Date: 2022-06-07
Author: Dark Reading

When organizations moved to hybrid work at the beginning of the pandemic, Slack offered a crucial way for teams to collaborate efficiently regardless of physical location. But in most organizations, Slack is a relatively new solution, bringing the typical challenges of adopting new technologies — related to culture, functionality, expected user behavior, and, of course, security. For many organizations, Slack is now the primary communication channel, replacing email and knowledge management repositories. As a result, Slack increasingly contains more sensitive information than those traditional systems.

Researchers Warn of Unpatched “DogWalk” Microsoft Windows Vulnerability
Date: 2022-06-08
Author: The Hacker News

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.
The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted “.diagcab” archive file that contains a diagnostics configuration file.

ESB-2022.2726 – ACS 3.70: CVSS (Max): 9.8

Red Hat released updated images for Red Hat Advanced Cluster Security for Kubernetes. The updated image includes bug fixes and feature

ESB-2022.2737.4 – UPDATED ALERT Confluence Server and Confluence Data Center: CVSS (Max): None

Atlassian released fixed versions to address the unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. AusCERT recommends affected Confluence users to regularly check for updated advice from Atlassian as the situation evolves

ESB-2022.2736 – Local Run Manager (LRM): CVSS (Max): 10.0

Vulnerabilities in Local Run Manager may allow an unauthenticated user to take control of the affected product remotely and take any action at the operating system level. The users are advised to take defensive measures to minimize the risk of this vulnerability.

ASB-2022.0128 – Microsoft Edge (Chromium-based): CVSS (Max): 8.3

Microsoft Security Updates for Microsoft Edge (Chromium-based) address a number of vulnerabilities. It is advised to update Edge to the latest release.

ESB-2022.1284.4 – UPDATE Atlassian Products: CVSS (Max): 8.1*

The vendor updated the advisory to include fixed version of the Confluence DC.

Stay safe, stay patched and have a good weekend!

The AusCERT team