Week in review

AUSCERT Week in Review for 14th June 2024

14 Jun 2024

Greetings, This week, the Australian Signals Directorate (ASD) released an update to remind small and medium businesses to assess their cyber health. As we enter a period of heightened threats and attacks, it is crucial that every business is equipped with the appropriate resources and knowledge to ensure they are cyber resilient. For small and medium-sized businesses with limited resources, prioritising the most critical elements of cyber health is essential. Cyber attacks are occurring more frequently, and recovery can be costly, making every Australian business a potential target. In the 2022-23 financial year, the average cost of cybercrime for small businesses increased to $46,000, and for medium businesses, it rose to $97,000. Such costs could potentially destroy a business, driving it into liquidation. Australian small and medium businesses can take practical steps to enhance their cyber security by implementing the Essential Eight, which covers many of the critical elements of cyber health. AUSCERT offers members advice and consultations to help improve their cyber security readiness in alignment with their business objectives. We specialise in helping organisations confidently adhere to industry frameworks, standards, and benchmarks. Our maturity assessments are designed to identify and address cyber security gaps in your organisation. By taking proactive steps, you can enhance your cyber security posture and reduce information security risks. The recent Medibank case should serve as a wake-up call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. All organisations have an ethical duty to protect the personal information they are entrusted with and many have regulatory and contractual obligations as well. The civil penalty proceedings filed by the Australian Information Commissioner against Medibank, in relation to its October 2022 data breach, exemplifies the regulatory body’s commitment to holding parties accountable. The Commissioner claims Medibank failed to take reasonable steps to protect personal information from 9.7 million Australians, in breach of the Privacy Act 1988. This failure led to the release of personal information on the dark web, exposing many Australians to severe negative ramifications. Contact us today for more information on how we can conduct a maturity assessment for your organisation and support you in meeting your business objectives. New PHP Vulnerability Exposes Windows Servers to Remote Code Execution Date: 2024-06-08 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and contacted them via email] [Please also see AUSCERT bulletin:https://portal.auscert.org.au/bulletins/ASB-2024.0111/] Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances. The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system. According to DEVCORE security researcher, the shortcoming makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823. Microsoft Outlook Zero-Click RCE Flaw Executes as Email is Opened Date: 2024-06-12 Author: Cyber Security News [See AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2024.0117] A critical zero-click remote code execution (RCE) vulnerability has been discovered in Microsoft Outlook. This vulnerability, designated as CVE-2024-30103, enables attackers to run arbitrary code by sending a specially designed email. When the recipient opens the email, the exploit is triggered. The vulnerability, CVE-2024-30103, is particularly alarming due to its zero-click nature. Unlike traditional phishing attacks that require user interaction, this flaw can be exploited without any action from the user. Google warns of actively exploited Pixel firmware zero-day Date: 2024-06-12 Author: Bleeping Computer Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue. Azure Service Tags could allow attackers to access private data Date: 2024-06-04 Author: ThreatDown [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0110/] Security researchers at Tenable have published a blog about what they call a vulnerability in Azure, a description that Microsoft denies. Long story, very short: It’s not a bug, it’s a feature, unless you use it incorrectly. Tenable points out that it’s possible for an attacker to bypass firewall rules based on Azure Service Tags by forging requests from trusted services. Azure Service Tags are intended to simplify network isolation. It allows you to group IP ranges and use them to define network security rules. Exploit for critical Veeam auth bypass available, patch now Date: 2024-06-10 Author: Bleeping Computer A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. Veeam Backup Enterprise Manager (VBEM) is a web-based platform for managing Veeam Backup & Replication installations via a web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments. Veeam issued a security bulletin about the critical flaw on May 21, warning about a critical vulnerability enabling remote unauthenticated attackers to log in to VBEM's web interface as any user. SolarWinds Patches High-Severity Vulnerability Reported by NATO Pentester Date: 2024-06-07 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] SolarWinds this week announced patches for multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO. Rolling out as version 2024.2, the latest SolarWinds Platform iteration includes patches for three new security defects, as well as fixes for multiple bugs in third-party components. ASB-2024.0112 – Pytorch: CVSS (Max): 10.0 A significant flaw (CVE-2024-5480) has been unearthed within PyTorch's distributed RPC framework, leaving machine learning models and confidential data vulnerable to potential remote code execution threats. AUSCERT strongly advises PyTorch users to follow the vendor's mitigation recommendations in order to safeguard themselves effectively. ASB-2024.0113 – Microsoft Windows: CVSS (Max): 9.8 During the June 2024 Patch Tuesday, Microsoft rolled out remedies for a critical vulnerability, CVE-2024-30080, concerning MSMQ (Microsoft Message Queuing). This flaw, characterized by a use-after-free vulnerability, exposes MSMQ to potential exploitation by unauthenticated attackers. Through the transmission of a specially crafted malicious MSMQ packet to an MSMQ server, these attackers can achieve remote code execution (RCE). ASB-2024.0115 – Microsoft Azure: CVSS (Max): 8.1 AUSCERT's advisory warns its members regarding a vulnerability in Microsoft Azure. This flaw enables malicious actors to circumvent firewall regulations relying on Azure Service Tags by fabricating requests originating from trusted services. A threat actor could exploit Service Tags authorized by a user's firewall in the absence of supplementary validation controls. ASB-2024.0111.2 – PHP Vulnerability impacting Windows Servers – CVE-2024-4577 A recent advisory from AUSCERT alerted its members to a vulnerability affecting all versions of PHP installed on the Windows operating system. This vulnerability has now been included in CISA's Known Exploited Vulnerabilities Catalog due to evidence of ongoing exploitation. AUSCERT emphasizes the importance of adhering to the vendor's recommended mitigation measures to ensure protection. ESB-2024.3761 – Adobe FrameMaker Publishing Server: CVSS (Max): 10.0 In its latest patch release, Adobe addressed two critical CVEs in its FrameMaker Publishing Server, which could result in privilege escalation. With a CVSS score of 10, it is crucial to apply these patches promptly to ensure protection. ASB-2024.0117 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.8 A critical zero-click remote code execution (RCE) vulnerability has been identified in Microsoft Outlook which allows attackers to execute arbitrary code through the receipt of a specifically crafted email. Upon opening the email, the exploit is activated. The seriousness of CVE-2024-30103 stems from its zero-click nature. Unlike conventional phishing attempts that rely on user interaction, this flaw can be exploited without any action required from the user. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

Protecting Yourself: Safeguarding Against ATO and MyGov Phishing Scams

11 Jun 2024

With the tax season just around the corner, AUSCERT is urging individuals to remain vigilant. This period is a prime time for cybercriminals to target unsuspecting individuals through phishing scams. These are typically circulated via various channels, including phishing emails, phone calls, text messages, and even fake websites. Malicious threat actors tend to increase their fraudulent activities utilising various phishing techniques to take advantage of the heightened financial activity during this period. AUSCERT has observed a significant increase in phishing scams impersonating MyGov and the Australian Taxation Office (ATO) during previous tax seasons. From July to October in 2022, AUSCERT received reports of around 1100 tax-related phishing emails and scams, a number that surged to approximately 2500 in 2023. These phishing emails typically impersonate official entities and may contain convincing logos and language to deceive recipients and urge users to click on a link, scan a QR code or download an attachment. The emails also claim that urgent action is required to avoid account suspension, try to trick users about a pending tax refund, highlight issues with a tax return or demand immediate action to avoid penalties. However, clicking on these links can potentially lead to malicious websites that steal Personally Identifiable Information (PII) or sensitive data like user credentials or credit card details. Additionally, clicking on the links may install malware on the user’s device, creating a backdoor for cybercriminals to monitor activities, track user behaviour, and steal login information. To protect yourself from ATO and MyGov related phishing scams during the upcoming tax season, it is crucial to take precautions like: Verify the source: Do not respond to unsolicited emails, text messages, or phone calls claiming to be from the ATO or MyGov. If it is an email, double-check the email address and sender information to confirm authenticity. Remember, the ATO or MyGov will never ask for sensitive information via email or SMS. Before providing any personal information, verify the legitimacy of the request by contacting the ATO or tax professionals through their official channels. Be wary of suspicious calls: If you receive a suspicious call from someone claiming to be from the ATO and demanding payment to receive a tax refund, it is advisable to end the call immediately. Keep in mind that the ATO will not threaten you with immediate arrest or use abusive language. Exercise caution with links and attachments: Avoid clicking on links or downloading attachments from unsolicited emails or text messages. Be cautious of urgent requests: Be wary of emails, text messages and phone calls pressuring you to act quickly or provide personal information. Take the time to verify the legitimacy of the communication. Protect personal information: Avoid sharing personal or financial details in response to emails, phone calls or text messages. Always be careful when providing information online. Report suspicious activity: If you receive a suspicious email claiming to be from the ATO or MyGov, report it to the appropriate authorities, such as the ATO’s scam reporting email address, the ACSC, or IDCARE. Keep software up to date: Ensure that your devices have the latest security updates and antivirus software to protect against malware and phishing attempts. By staying informed and vigilant, and following best practices for online security, individuals can reduce the risk of falling victim to ATO and MyGov related phishing scams during tax season. If you believe that your identity has been compromised or you have fallen a victim to a tax related scam, contact IDCARE on 1800 595 160.   Written by  Senior Information Security Analyst Vishaka 

Learn more

Week in review

AUSCERT Week in Review for 7th June 2024

7 Jun 2024

Greetings, With tax season close, AUSCERT is urging vigilance, as this is a prime time for cybercriminals to target unsuspecting people through phishing scams. These scams are typically circulated via various channels, including emails, phone calls, text messages, and fake websites. Malicious actors often increase their fraudulent activities during this period to take advantage of the heightened financial activity. AUSCERT has observed a significant increase in phishing scams impersonating MyGov and the Australian Taxation Office (ATO) during previous tax seasons. From July to October in 2022, AUSCERT received reports of around 1,100 tax-related phishing emails and scams, surging to approximately 2,500 in 2023. By staying informed and following best practices for online security, individuals can reduce the risk of falling victim to ATO and MyGov-related phishing scams. This week, concerning news emerged in the area of supply chain cyber security. Australian electronic prescription provider MediSecure has gone into administration. This follows a data breach reported in mid-May 2024, in which 6.5 terabytes of prescription data were stolen and leaked on a cybercrime forum. Last week, the Minister for Cyber Security, Clare O’Neil, publicly criticised MediSecure for the "unacceptably long time" it took to provide important information about the stolen customer data. Meanwhile, cloud storage and data analytics company Snowflake was the centre of a data breach impacting several high-profile customers, including Ticketmaster. Described by some in the media as "the world’s biggest data breach — in terms of impacted individuals," this incident underscores how supply chain risks can have far-reaching consequences. It also highlights the importance of understanding and utilising the security controls provided by service providers. Reports suggest that some of Snowflake’s customers were compromised due to single-factor authentication and use of stolen credentials. The best proactive approach to staying ahead of cyber threats is to ensure that you and all members of your organization are equipped with the most relevant knowledge. Stay informed and vigilant by visiting our training website to explore the available courses you can enrol in today! Largest ever operation against botnets hits dropper malware ecosystem Date: 2024-05-30 Author: Europol [AUSCERT has identified the impacted members (where possible) and contacted them via email] Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. AUSCERT warns companies and individuals alike to be aware of tax scams Date: 2024-06-04 Author: Cyber Daily Tax time rolls around every year with the inevitability of death, but while tax and death have long been considered to go oddly hand in hand, the modern, connected world has thrown a third spanner into the mix. Scams. As Australians all over the country turn to their accountants and yearly finances, so do scammers, who relentlessly conjure new ways to bilk victims out of either their personal data or their hard-earned cash. CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability Date: 2024-06-04 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2017.0038/] The US cybersecurity agency CISA on Monday added an old Oracle WebLogic flaw to its Known Exploited Vulnerabilities (KEV) catalog after it was seen being exploited by Chinese hackers to deploy cryptocurrency miners. The vulnerability, tracked as CVE-2017-3506, affects Oracle WebLogic Server and allows an unauthenticated attacker to access or modify critical data, enabling arbitrary OS command execution. Attackers can achieve remote code execution via specially crafted HTTP requests. CVE-2024-2876: WordPress Plug-in Threatens 90,000+ websites Date: 2024-06-06 Author: Wallarm [AUSCERT has identified the impacted members (where possible) and contacted them via email] A highly concerning security loophole was recently discovered in a WordPress plugin called "Email Subscribers by Icegram Express," a popular tool utilized by a vast network of over 90,000+ websites. Officially designated as CVE-2024-2876 with a CVSS score of 9.8 (critical), the vulnerability represents a significant threat as it exposes numerous websites to potential attacks. Threat actor compromising Snowflake database customers Date: 2024-05-31 Author: TechTarget [Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0109] [AUSCERT has also shared IoCs associated with the Snowflake incident via MISP ] A threat actor has breached customers of cloud storage and analytics giant Snowflake by using stolen credentials to access databases, according to cloud security vendor Mitiga. According to a blog post published Thursday, the threat actor, tracked as UNC5537, "has been observed using stolen customer credentials to target organizations utilizing Snowflake databases" to conduct data theft and extortion-related activity. Apache HugeGraph-Server – Remote Command Execution (CVE-2024-27348) – Vulnerability & Exploit Database Date: 2024-06-04 Author: Pentest Tools Vulnerability description Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component. Risk description The risk exists that a remote unauthenticated attacker can fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network. ASB-2024.0109.2 – Potentially compromised Snowflake environments A cyber security incident involving Snowflake customer environments has been reported, potentially affecting large companies. ESB-2024.3426.2 – Jenkins Plugins: CVSS (Max): 8.0 Jenkins has discovered vulnerabilities in OpenText Application Automation Tools Plugin, Report Info Plugin, and Team Concert Git Plugin, including stored XSS, XXE attacks, missing permission checks, and path traversal, with fixes available for some plugins. ESB-2024.3544 – Red Hat Enterprise Linux BaseOS AUS (v.8.2): CVSS (Max): 7.8 CISA added Linux Kernel Vulnerability (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are targeting it in the wild. ESB-2024.3556 – Android: CVSS (Max): 9.3 The Android Security Bulletin addresses multiple critical vulnerabilities, including severe local privilege escalation issues. Users are urged to update their devices to enhance protection through the latest Android security platform and Google Play Protect measures. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 31st May 2024

31 May 2024

Greetings, Following the amazing experience we had last week, the AUSCERT team dove straight back into work this week, leveraging the rich knowledge shared throughout the conference. With many new initiatives and projects on the horizon, our organisation is experiencing significant growth and development. Each year, our key highlight from AUSCERT2024 is reconnecting with members we’ve met before, meeting new ones, and strengthening our community bond. Beyond the cutting-edge education, the conference's vibrant community fostered idea-sharing and facilitated valuable networking opportunities. This year, we decided to give back to the community by donating the proceeds from our speaker gifts to a valuable charity in Australia. We chose RizeUp Australia, a community-driven organisation of passionate people dedicated to supporting families affected by domestic and family violence. RizeUp Australia goes beyond raising awareness through speaking engagements. They have developed various programs to support and empower families via specialist domestic and family violence organisations. Their efforts include helping victims create new homes after fleeing violent situations, supporting children in their healing process, and raising much-needed funds for families who often have nothing but the clothes on their backs. AUSCERT prioritised raising $6,500 to fund a whole house for families impacted by domestic violence. Thanks to the incredible support from our community, we exceeded our goal and raised nearly $10,000, which was directly donated to the RizeUp Foundation. These funds are dedicated to making a tangible difference in the lives of vulnerable individuals. Our mission was to create a significant impact and give back to the community, advocating for change to transform the cultural norms that adversely affect many lives in our nation. Google Patches Fourth Chrome Zero-Day in Two Weeks Date: 2024-05-24 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2024.3425/] Google on Thursday rolled out a fresh Chrome update to address another exploited vulnerability in the popular web browser, the fourth zero-day to be patched in two weeks. Tracked as CVE-2024-5274, the high-severity flaw is described as a type confusion in the V8 JavaScript and WebAssembly engine. “Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the internet giant noted in an advisory. Exploit released for maximum severity Fortinet RCE bug, patch now Date: 2024-05-28 Author: Bleeping Computer [Please also see AUSCERT's updated bulletin: https://portal.auscert.org.au/bulletins/ASB-2024.0035.3/] Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication. Remote Code Execution Threatens Qlik Sense Users Date: 2024-05-23 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] Qlik, a prominent player in the data analytics space, has issued a critical security advisory warning users of a high-risk vulnerability (CVE-2024-36077) in their Qlik Sense Enterprise for Windows platform. With a CVSS score of 8.8, this vulnerability could allow attackers to escalate privileges and potentially execute arbitrary code on affected servers, posing a significant threat to data integrity and confidentiality. Check Point releases emergency fix for VPN zero-day exploited in attacks Date: 2024-05-29 Author: Bleeping Computer Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks. On Monday, the company first warned about a spike in attacks targeting VPN devices, sharing recommendations on how admins can protect their devices. Later, it discovered the source of the problem, a zero-day flaw that hackers exploited against its customers. NVD Leaves Exploited Vulnerabilities Unchecked Date: 2024-05-23 Author: Info Security Magazine A majority of currently exploited software vulnerabilities are missing from the US National Vulnerability Database (NVD), a new VulnCheck report has found. In the report published on May 23, the software security provider showed that 30 out of 59 known exploited vulnerabilities (KEVs) registered since February 12 have not yet been analyzed by the NVD team. In total, 50.8% of KEVs are missing critical metadata. More than half a billion customers' details reportedly stolen by notorious hacker Date: 2024-05-29 Author: 9News A notorious hacker has claimed to have stolen the personal data of more than half a billion Ticketmaster customers, likely including Australians. In a widely reported dark web post, hacker ShinyHunters claims to have 1.3 terabytes of data from 560 million global Ticketmaster and Live Nation customers, including names, emails, addresses, phone numbers and the last four digits of credit card numbers. The hacker is selling the data, which could potentially be used to commit identity theft and other types of fraud, for $US500 million (roughly $750 million). ESB-2024.3425.3 – Google Chrome CVSS (Max): 8.8 CISA added CVE-2024-5274 to its Known Exploited Vulnerabilities Catalog and advises users to apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. ASB-2024.0035.3 – FortiSIEM Horizon3's Attack Team recently released a proof-of-concept (PoC) exploit and detailed a technical analysis related to CVE-2024-23109 and CVE-2024-23108 affecting FortiSIEM. AUSCERT advises all FortiSIEM 7.1.x users to promptly update to version 7.1.2 to prevent exploitation. ESB-2024.3470 – Citrix Workspace App for Mac CVSS (Max): 7.7 A critical flaw has been discovered in the Mac version of the Citrix Workspace app, which could enable attackers to escalate their privileges from a local authenticated user to a root user. Identified as CVE-2024-5027, this vulnerability presents a serious threat to individuals and businesses that depend on Citrix Workspace for their virtual app and desktop access requirements. ESB-2024.3525 – LenelS2 NetBox CVSS (Max): 9.8 Multiple vulnerabilities have been identified in LenelS2 NetBox. If exploited, these vulnerabilities could enable an attacker to bypass authentication and carry out harmful commands with heightened privileges. ESB-2024.3515 – Google Chrome CVSS (Max): None Google has rolled out an update with 11 security patches for its Stable channel. As a result of this update, the Stable channel has been upgraded to version 125.0.6422.141/.142 for Windows and Mac, and 125.0.6422.141 for Linux. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 24th May 2024

24 May 2024

Greetings, What an amazing week it’s been at AUSCERT2024! This week was full of groundbreaking sessions, engaging workshops, and internationally renowned speakers. In addition to our great program of informative sessions, we also focused on important initiatives such as mental health, featuring several activities centred around uplifting mindfulness practices. To start their day, delegates enjoyed a morning stroll together in the Broadbeach sun, walking along the sand as the sun rose. We also offered puppy cuddles to lift attendees' spirits and had an onsite psychologist available for discussions on mental well-being and life coaching. Our "pay it forward" theme provided a platform for speakers to inspire the cyber security industry. Organisations are realising the importance of contributing to the growth and development of the community to propel it forwards. AUSCERT2024 featured keynote sessions by Piotr Kijewski, CEO of the Shadowserver Foundation, a prominent nonprofit dedicated to enhancing cyber security. The foundation is renowned for its comprehensive approach to improving internet security through data collection, analysis, and dissemination. Another highlight was keynote speaker Darren Kitchen, who presented on innovative implants and deceptive devices, equipping red teams around the world. HAK5, the platform he founded, is a significant contributor to the community, producing content that explores hacking tools and various cyber security topics to enhance collective knowledge. To top off a great week, we also released the Year in Review report! The year 2023 has been a period of remarkable achievements and developments. This comprehensive report highlights key successes, accomplishments, and projects undertaken by AUSCERT over the past year. From strategic initiatives and performance to market expansion and operational improvements, this review provides an in-depth analysis of our progress and sets the stage for our future endeavours. Critical GitHub Enterprise Server Flaw Allows Authentication Bypass Date: 2024-05-21 Author: The Hacker News [AUSCERT identified impacted members (where possible) and contacted them via email ] GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. "On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges," the company said in an advisory. Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager Date: 2024-05-22 Author: Security Week [AUSCERT utilized third-party search engines to identify and alert any impacted members] IT software company Ivanti on Tuesday announced patches for several products, including fixes for critical vulnerabilities in Endpoint Manager (EPM). Six out of the ten security defects resolved in EPM are critical-severity SQL Injection bugs that could allow an unauthenticated attacker on the network to execute arbitrary code, Ivanti says. Unauthenticated Attackers Can Hijack 400K+ WordPress Sites via Fluent Forms Bug (CVE-2024-2771) Date: 2024-05-20 Author: Security Online [AUSCERT utilized third-party search engines to identify and alert any impacted members] Fluent Forms, a popular WordPress plugin with over 400,000 active installations, has been found to contain multiple critical security vulnerabilities, leaving websites at risk of exploitation. The vulnerabilities, tracked as CVE-2024-4709, CVE-2024-2771, and CVE-2024-2782, range from cross-site scripting (XSS) to unauthorized access and privilege escalation, potentially allowing attackers to compromise websites and steal sensitive data. Atlassian Patches RCE Flaw in Confluence Data Center and Server Date: 2024-05-21 Author: Security Online [AUSCERT identified the impacted members (where possible) and contacted them via email] Atlassian, a leading provider of collaboration and productivity software, has urgently addressed a remote code execution (RCE) vulnerability in its Confluence Data Center and Server products. Tracked as CVE-2024-21683, this flaw could allow authenticated attackers to seize control of affected systems, potentially leading to data breaches and operational disruptions. Veeam warns of critical Backup Enterprise Manager auth bypass bug Date: 2024-05-21 Author: Bleeping Computer [AUSCERT utilized third-party search engines to identify and alert any impacted members] Veeam warned customers today to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM). VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It helps control backup jobs and perform restoration operations across an organization's backup infrastructure and large-scale deployments. ESB-2024.3251 – VMware Products CVSS (Max): 8.1 VMware has issued a security advisory to address vulnerabilities in multiple VMware products. These vulnerabilities, if exploited, could enable attackers to run malicious code on host systems from within a virtual machine, presenting significant security threats to numerous organizations globally. ESB-2024.3252 – Atlassian Products CVSS (Max): 9.8 Atlassian has identified numerous vulnerabilities in its range of products, comprising 35 high-severity vulnerabilities and 2 critical-severity vulnerabilities. These issues have been addressed and resolved in the latest versions of the products. ESB-2024.3232 – Google Chrome CVSS (Max): None Google has introduced a Chrome 125 update that addresses six vulnerabilities, including four high-severity bugs identified by external researchers. The most recent Chrome release is currently being distributed as version 125.0.6422.76 for Linux, and as versions 125.0.6422.76/.77 for Windows and macOS. ESB-2024.3354 – Cisco Firepower Management Center (FMC) CVSS (Max): 8.8 A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could enable an authenticated, remote attacker to carry out SQL injection attacks on a compromised system. This issue arises due to inadequate validation of user input within the web-based management interface. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more

Week in review

AUSCERT Week in Review for 17th May 2024

17 May 2024

Greetings, Last Day to Register for AUSCERT2024 Before Prices Increase! Don’t miss this incredible opportunity, register now to take advantage of the lower prices! We’re excited to catch up with all our favourite people next week! With a program packed with groundbreaking workshops, innovative speakers, and exciting activities, we are prepared for an unforgettable experience! Yesterday, we were thrilled to welcome our colleagues from CIRCL Luxembourg to the AUSCERT headquarters! Long-time friends of AUSCERT, Michael Hamm and Christian Studer, visited to reconnect with old friends and share their expertise with our team. As many of you know, the CIRCL team is renowned for developing the Malware Information Sharing Platform (MISP) and tactical data feeds used worldwide. Years ago, they assisted AUSCERT in integrating MISP into our services as AusMISP, providing significant benefits to our members. During their visit, Michael and Christian offered valuable insights on MISP and other strategies to further develop the platform and enhance our capabilities. The team also had productive brainstorming sessions about future projects, fostering an environment of collaboration and innovation. This week, we have also released a new podcast episode, Episode 34: Wireless in an Undiscovered Country. In this episode, Anthony sits down with Ed Farrell from Mercury ISS, renowned for his AUSCERT Conference tutorials and his leadership in the cybersecurity industry. Ed shares his insights on wireless technology in our evolving landscape. In the second half of the episode, Bek chats with Anthony in anticipation of next week’s AUSCERT Conference! In other exciting news, our General Manager, Ivano, will be hosting a Masterclass on “Overcoming Cyber-Risks: Legal and Managerial Implications.” This course is specifically tailored for non-cyber professionals, providing essential skills to protect organisations from data breaches and mitigate reputational and financial risks. It is designed to empower participants with a comprehensive understanding of the legal and managerial aspects of cybersecurity. For more information and to register, click here! SAP Security Patch Day – May 2024 Date: 2024-05-14 Author: SecurityBridge Looking at the fifth SAP Security Patch Day of the year, the imperative for maintaining robust security measures remains paramount. Once again, SAP has released a series of security patches, prompting a closer examination of the key highlights. This time, the update comprises a set of 15 notes. In today’s digital landscape, it’s a narrative we’re all too familiar with – headlines dominated by reports of data breaches, ransomware attacks, and other cyber threats that loom over organizations. Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code Date: 2024-05-14 Author: The Hacker News [AUSCERT identified the impacted members (where possible) and contacted them via email] The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code. The most severe of the vulnerabilities are listed below – CVE-2024-25641 (CVSS score: 9.1) – An arbitrary file write vulnerability in the “Package Import” feature that allows authenticated users having the “Import Templates” permission to execute arbitrary PHP code on the web server, resulting in remote code execution. Google patches third exploited Chrome zero-day in a week Date: 2024-05-15 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2024.3100] Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. “Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the search giant said in a security advisory published on Wednesday. The company fixed the zero-day flaw with the release of 125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 (Linux). The new versions will roll out to all users in the Stable Desktop channel over the coming weeks. Citrix warns admins to manually mitigate PuTTY SSH client bug Date: 2024-05-09 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ASB-2024.0072] Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin’s private SSH key. XenCenter helps manage Citrix Hypervisor environments from a Windows desktop, including deploying and monitoring virtual machines. The security flaw (tracked as CVE-2024-31497) impacts multiple versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR, which bundle and use PuTTY to make SSH connections from XenCenter to guest VMs when clicking the “Open SSH Console” button. Largest non-bank lender in Australia warns of a data breach Date: 2024-05-12 Author: Bleeping Computer Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500GB of data allegedly stolen from the firm. Firstmac is a significant player in Australia’s financial services industry, focusing primarily on mortgage lending, investment management, and securitization services. Headquartered in Brisbane, Queensland, and employing 460 people, the firm has issued 100,000 home loans and currently manages $15 billion in mortgages. CISA Announces CVE Enrichment Project ‘Vulnrichment’ Date: 2024-05-09 Author: Security Week The US cybersecurity agency CISA on Wednesday announced a new project that aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes. The project is named Vulnrichment and its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data. CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org. ESB-2024.3099 – VMware Products: CVSS (Max): 9.3 In the latest security update, Broadcom has disclosed serious vulnerabilities impacting VMware Workstation and Fusion. These issues, identified as CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, and CVE-2024-22270, pose risks such as denial of service and information exposure to users. ESB-2024.3046 – Adobe Acrobat and Reader: CVSS (Max): 7.8 Adobe has identified 35 security vulnerabilities across various products and is advising users to promptly address critical-severity issues in its popular Adobe Acrobat and Reader programs. ASB-2024.0108 – ALERT Microsoft Windows: CVSS (Max): 8.8 Microsoft has urgently addressed a critical zero-day vulnerability, CVE-2024-30051, exploited by attackers to deliver QakBot malware. This flaw in Windows Desktop Window Manager allowed threat actors to gain full control over compromised machines. ESB-2024.2988 – Google Chrome: CVSS (Max): None Google has promptly taken action to resolve a significant zero-day vulnerability in its Chrome browser that was being actively exploited. The vulnerability, known as CVE-2024-4761, is an “Out of bounds write” flaw located in V8, Chrome’s JavaScript engine. ASB-2024.0105.2 – UPDATE ALERT [WIN] Microsoft Edge: CVSS (Max): None Microsoft Edge users to urged to install the latest security update. This critical update addresses several vulnerabilities, including a zero-day flaw (CVE-2024-4671) that is actively being exploited in the wild. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 10th May 2024

10 May 2024

Greetings, Some of you might have already heard the exciting news at AUSCERT. We are thrilled to officially introduce our new General Manager – Dr. Ivano Bongiovanni! With an impressive international career spanning over two decades in cyber security and risk management, Ivano joins us from his Senior Lecturer role in Information Security, Governance and Leadership with the UQ Business School. Motivated by AUSCERT's 30-year legacy and commitment to societal good, Ivano eagerly embraced the opportunity to join the team. In today's user-centric cyber security landscape, Ivano’s capability for guiding evidence-based decisions is critical. His expertise will fuel innovation in our services, ensuring proactive adaptation to our members' evolving needs. We're enthusiastic about the fresh perspectives and innovative ideas he brings, propelling us towards providing more advanced and tailored support and advice. We are excited for the future with Ivano guiding the way forward! With Australia observing Privacy Awareness Week, which is an annual event to raise awareness of privacy issues and the importance of protecting personal information, we invite you to attend two presentations at AUSCERT2024: "Privacy Pioneers: A Blueprint for Security Professionals" and "Deciphering Australia's Cyber Security Laws." These sessions offer comprehensive insights into privacy matters, equipping you with essential knowledge in this domain. This includes understanding the Privacy Act and associated obligations under this legislation, along with how to kickstart a privacy program. Find out more. Veeam fixes RCE flaw in backup management platform (CVE-2024-29212) Date: 2024-05-08 Author: Help Net Security [AUSCERT has identified the impacted members (where possible) and notified them via email] Veeam has patched a high-severity vulnerability (CVE-2024-29212) in Veeam Service Provider Console (VSPC) and is urging customers to implement the patch. Veeam Service Provider Console is a cloud platform used by managed services providers (MSPs) and enterprises to manage and monitor data backup operations. “Service providers can deploy Veeam Service Provider Console to deliver Veeam-powered Backup-as-a-Service and Disaster Recovery-as-a-Service services to their customers. Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution Date: 2024-05-06 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and notified them via email] More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. Citrix Addresses High-Severity Flaw in NetScaler ADC and Gateway Date: 2024-05-07 Author: Dark Reading Citrix appears to have quietly addressed a vulnerability in its NetScaler Application Delivery Control (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems. The bug was nearly identical to — but not as serious as — "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January. New BIG-IP Next Central Manager bugs allow device takeover Date: 2024-05-08 Author: Bleeping Computer [Please see AUSCERT bulletins: ESB-2024.2881 and ESB-2024.2882] F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create hidden rogue accounts on any managed assets. Next Central Manager allows administrators to control on-premises or cloud BIG-IP Next instances and services via a unified management user interface. The flaws are an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793) found in the BIG-IP Next Central Manager API that would allow unauthenticated attackers to execute malicious SQL statements on unpatched devices remotely. CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities Date: 2024-05-03 Author: Securtiy Week The US cybersecurity agency CISA and the FBI on Thursday released a Secure by Design Alert warning of path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities. Also known as directory traversal, path traversal flaws rely on manipulated user input to access application files and directories that should not be accessible. Successful exploitation allows threat actors to manipulate arbitrary files, read sensitive data, and potentially fully compromise the system. ESB-2024.0272.2 – UPDATE ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 CISA issued a warning about threat actors actively exploiting a critical GitLab vulnerability, identified as CVE-2023-7028. This security flaw enables remote unauthenticated attackers to send password reset emails to email accounts they control, allowing them to change passwords and take over targeted accounts without requiring user interaction. ESB-2024.2875 – Apple iTunes: CVSS (Max): None An Apple iTunes (for Windows) vulnerability stemming from a boundary error in file processing enables a remote attacker to run arbitrary code on the target system. Apple has issued patches to resolve this security concern. ESB-2024.2860 – Google Chrome: CVSS (Max): None Two high severity vulnerabilities, CVE-2024-4558 and CVE-2024-4559, have been identified in Google Chrome. Google has released fixes to address these issues, and administrators are advised to apply the fixes to stay protected. ESB-2024.2828 – Android: CVSS (Max): 8.4* Google recently released security updates for Android, targeting 26 vulnerabilities, one of which is a critical flaw in the System component. This bug, identified as CVE-2024-23706 and affecting Android 14, has the potential to enable attackers to elevate their privileges on vulnerable devices. ESB-2024.2280.5 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0 Palo Alto issued an advisory in April regarding a critical vulnerability exists in their Global Protect feature in PAN-OS software. With a CVSS score of 10, this flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vendor has since updated their advisory to provide information on the exploitation status about proof-of-concept and enhanced EFR procedure. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 3rd May 2024

3 May 2024

Only three weeks left until AUSCERT2024! Reserve your spot in your preferred program sessions now! Limited spots are still available in some exceptional sessions – act quickly to secure yours before they're filled! This year's program offers a diverse array of sessions covering a wide spectrum of topics. Notably, there's been a rise in sessions centred around MISP and information sharing platforms. Reflecting the essence of our theme for this year of ‘Pay it Forward’, sharing information within the cyber community fosters collective strength. By actively contributing to our shared knowledge, we enhance the growth and resilience of our industry. Let's unite and grow stronger together! We're excited to welcome our esteemed colleagues from CIRCL Luxembourg to AUSCERT2024, where they'll share invaluable insights about their renowned MISP platform! Join Michael Hamm and Christian Studer for an immersive, hands-on workshop highlighting the paramount importance of information sharing and showcasing MISP's extraordinary capabilities. Additionally, Shanna Daly and David Zielezna will delve into MISP Techniques, Tricks, Tips, and Traps during their session. This workshop offers a comprehensive crash course on effectively leveraging MISP for cyber threat intelligence, drawing from their extensive experience as MISP subject matter experts on prominent projects like the CTIS initiative led by the ACSC. They'll navigate through common pitfalls and offer practical strategies. Furthermore, our Senior System Administrator, Josh Hopkins, will enlighten attendees about the MISP platform, elucidating how to swiftly deploy, patch, and configure infrastructure components to bolster your business operations. Josh will highlight how MISP serves as a vital tool for threat intelligence sharing and analysis. His presentation will serve as a roadmap for planning and executing a transition to infrastructure as code, utilizing MISP as a real-world model based on our practical learnings. Sharing relevant threat intelligence and collaborating on response strategies enables organisations to efficiently contain and mitigate security incidents, thereby minimising disruptions to their operations and safeguarding their reputations. Consult our membership team about the AusMISP service! Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms Date: 2024-04-24 Author: Security Week [AUSCERT has identified impacted members located both in Australia and New Zealand (where possible) and contacted them via email. AUSCERT also shared IoCs and TTPs associated with ArcaneDoor campaign via MISP] [Please also see AUSCERT bulletins: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2551.2/ and https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2552.2/] Technology giant Cisco on Wednesday warned that professional, nation state-backed hacking teams are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks. HPE Aruba Networking fixes four critical RCE flaws in ArubaOS Date: 2024-05-01 Author: Bleeping Computer HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE). CISA says GitLab account takeover bug is actively exploited in attacks Date: 2024-05-01 Author: Bleeping Computer ​CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by inserting malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments. Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data Date: 2024-05-01 Author: Security Week Malware hunters at Lumen’s Black Lotus Labs have set eyes on a new malware platform roaming around enterprise-grade and small office/home office (SOHO) routers capable of covertly harvesting public cloud authentication data from internet traffic. The platform, tagged as Cuttlefish, is designed to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN) and researchers warn that the attackers have the capability to hijack DNS and HTTP connections to private IP spaces, which are typically associated with communications within an internal network. DropBox says hackers stole customer data, auth secrets from eSignature service Date: 2024-05-01 Author: Bleeping Computer Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information. DropBox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures. Data breach tsunami hits Australia Date: 2024-05-27 Author: Insurance Business Australia Australia saw a substantial rise in data breaches in the first quarter of 2024 (Q1 2024), with reports indicating that 1.8 million user accounts were compromised, according to cybersecurity company Surfshark. The study is based on an analysis of email addresses associated with online services, often leaked alongside other sensitive data such as passwords and financial information. ASB-2024.0098 – Okta Identity and Access Management Solutions Okta has alerted to an increase in the "frequency and scale" of credential stuffing attacks targeting online services and recommends the implementation of mitigation measures including the use of strong passwords and two-factor authentication (2FA). ASB-2024.0099 – R programming language: CVSS (Max): 8.8 A recent finding has revealed CVE-2024-27322 in the R programming language, extensively used by statisticians and data miners. This vulnerability, rated with a CVSS v3 score of 8.8, poses a significant risk, enabling malicious actors to run arbitrary code on a targeted system. ESB-2024.2771 – Cisco IP Phone Products: CVSS (Max): 7.5 Cisco has released information regarding a vulnerability in the web-based management interface of Cisco IP Phone firmware that could allow unauthorized access and potential data breaches. Make sure to update the firmware and implement proper security measures to protect sensitive information on the devices. ESB-2024.0272.2 – UPDATE ALERT [WIN][UNIX/Linux] GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 CISA has added CVE-2023-7028 to its KEV list. The flaw in GitLab Community Edition (CE) and Enterprise Edition (EE) allows for password reset messages to be sent to email addresses that have not been verified, enabling attackers to hijack the password reset process and take over accounts. GitLab patched the security defect in January 2024. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more

Week in review

AUSCERT Week in Review for 26th April 2024

26 Apr 2024

Greetings, Yesterday, Australians and New Zealanders commemorated Anzac Day, a meaningful occasion prompting us to pause and reflect on the profound sacrifices made for our nations. It was a time for many of us to unite in remembrance, honouring the struggles of our past while embracing hope for peace for generations to come. Communities joined together in a heartfelt display of gratitude, paying respect to the enduring legacy of our brave servicepeople. From touching dawn services to solemn marches, ceremonies, and heartfelt tributes, many people paid their respects to those who have served and continue to serve, ensuring that their courage and bravery are eternally remembered. This week, we released another exciting episode of our podcast Share today, save tomorrow – Episode 33 – delving into ‘The World of AI’. Anthony sat down with Dr. Luke Zaphir from the University of Queensland, whose background in philosophy, particularly in political and educational spheres, adds a fascinating perspective to the world of artificial intelligence. Luke critically examines the significant advancements AI has made over the past two years, including ChatGPT’s meteoric rise to prominence and its diverse applications in our lives. Unlike previous iterations, today’s AI can swiftly produce content, conduct data analysis, and generate images at a remarkable level of sophistication. However, these developments are not without their flaws and risks. The discussion also delves into the role of Cyber Security AI, which brings both positives and negatives. While it provides potentially valuable tools for detecting malicious behaviour, it also aids threat actors with more targeted tools and resources to deceive people globally. Luke emphasizes the importance of utilizing key human characteristics such as critical thinking, ethics, and media literacy to combat the negative effects of AI. In the second part of the episode, Bek and Principal Analyst Mark Carey-Smith have a chat about AUSCERT2024. Mark provides insights into the workshop he’ll be co-hosting with colleague Alex Webling, which delves into the significance of discussion exercises as an effective tool for cyber security professionals to enhance their impact within their organisations. These exercises can foster a supportive and collaborative environment, facilitating effective incident management through diverse perspectives and approaches. Leveraging the free Exercise in a Box (EiaB) resource developed by the UK’s NCSC and Australia’s ACSC, EiaB offers an intuitive, web-based platform for accessing a wide range of discussion exercises. Be sure to explore our program for more captivating and relevant workshops! Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks Date: 2024-04-20 Author: The Hacker News [AUSCERT has identified members (where possible) and contacted them via email] Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday. "This has been patched in v11.1.0." That said, customers who are operating their CrushFTP instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks. FBI: Akira ransomware raked in $42 million from 250+ victims Date: 2024-04-18 Author: Bleeping Computer [AUSCERT recently shared IoCs and TTPs associated with Akira Ransomware group via MISP] According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) Date: 2024-04-23 Author: Help Net Security [Note: CVE-2022-38028 was added to the CISA KEV on 23 April 2024. Please See https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog] [Please also see the AUSCERT Bulletin published for CVE-2022-38028 : ASB-2022.0193] For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in Windows Print Spooler service (CVE-2022-38028). … Most recently, the group has been spotted leveraging a known Microsoft Outlook vulnerability (CVE-2023-23397) to compromise email accounts of workers at public and private entities in Poland. GPT-4 Is Capable Of Exploiting 87% Of One-Day Vulnerabilities Date: 2024-04-22 Author: Cyber Security News Large language models (LLMs) have achieved superhuman performance on many benchmarks, leading to a surge of interest in LLM agents capable of taking action, self-reflecting, and reading documents. While these agents have shown potential in areas like software engineering and scientific discovery, their ability in cybersecurity remains largely unexplored. Cybersecurity researchers Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang recently discovered that GPT-4 can exploit 87% of one-day vulnerabilities, which is a significant advancement. MITRE says state hackers breached its network via Ivanti zero-days Date: 2024-04-19 Author: Bleeping Computer The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days. The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives." Behavioral patterns of ransomware groups are changing Date: 2024-04-23 Author: Help Net Security In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. ESB-2024.2510 – Google Chrome: CVSS (Max): None Google has recently released security updates for its Chrome browser to address four potentially dangerous vulnerabilities. These updates, versions 124.0.6367.78/.79 for Windows and Mac, and 124.0.6367.78 for Linux, are crucial for safeguarding user data and system security. Among these vulnerabilities, CVE-2024-4058 is classified as critical. ESB-2024.2511 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5 The latest security release from GitLab focuses on addressing a range of vulnerabilities that pose significant risks to code repositories and development workflows. It is highly recommended to upgrade to versions 16.11.1, 16.10.4, or 16.9.6 to enhance security measures and mitigate potential threats effectively. ESB-2024.2280.4 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0 Palo Alto Networks has updated its advisory for CVE-2024-3400, introducing a new Threat Prevention Threat ID and a CLI command to detect potential exploit activity. The vulnerability title and description have also been clarified in these updates. AUSCERT has accordingly revised its bulletin to align with these changes. The vendor has provided fixes for the vulnerable GlobalProtect feature within PAN-OS software, and AUSCERT strongly advises its members to promptly apply these fixes to safeguard against potential exploitation risks. ESB-2024.2551.2 – UPDATE ALERT Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services: CVSS (Max): 8.6 According to Cisco Talos, the attackers are targeting software defects in certain devices running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) products to implant malware, execute commands, and potentially exfiltrate data from compromised devices. Stay safe, stay patched and have a good weekend! The AusCERT team

Learn more