Publications

Greetings, With less than 6 weeks remaining, we’re eagerly anticipating our return to the sunny Gold Coast, our favourite time of year! We have some exciting updates to our AUSCERT2024 program, including the addition of a workshop titled "Security in an Unmanaged Azure Environment: A Practical Example" lead by Greg Scheidel, a SANS Certified Instructor. This workshop will draw from the content of SANS SEC530: Defensible Security Architecture and Engineering, focusing on implementing Zero Trust for the Hybrid Enterprise. Limited spots available—act fast to secure your spot today! Visit our website for more details. This week marked a significant milestone in the cyber world! Nigel Phair, a Professor from Monash University, and renowned speaker who spoke at AUSCERT2023, contributes as a co-author in a new groundbreaking research study. After three years of dedicated research, an international team of researchers yesterday unveiled the first ever “World Cybercrime Index”. Developed through a collaborative effort between the University of Oxford, UNSW and funded by CRIMGOV, a European Union-supported project based at the University of Oxford and Sciences Pro, this index promises to reshape our understanding of global cybercrime dynamics. The World Cybercrime Index identifies the globe’s primary cybercrime hotspots by ranking the most prominent sources of cybercrime on a national level. The index reveals that the most significant criminal threats are concentrated in a handful of countries, with Russia leading the list, followed by Ukraine, China, the USA, Nigeria, and Romania. The research underlying the index will also shed light on the identities of cybercriminal offenders, potentially removing their veil of anonymity. Continuing to collect this data in the future will enable defenders and police agencies to monitor the emergence of any new cybercrime hotspots. Early interventions could potentially be implemented in at-risk countries before serious cybercrime problems develop. Government agencies and private enterprises tasked with combating cybercrime now have the opportunity to significantly improve their understanding of the scale of the issue within their own jurisdictions. Previously, knowledge of cybercriminal whereabouts was largely confined to specialist investigators, but now this information can be shared with the public, government, and business alike. April’s Patch Tuesday Brings Record Number of Fixes Date: 2024-04-09 Author: Krebs on Security [Please also see AUSCERT bulletins: ASB-2024.0059, ASB-2024.0060, ASB-2024.0061, ASB-2024.0062, ASB-2024.0063, ASB-2024.0064, ASB-2024.0065, ASB-2024.0066] If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software. Fortinet Patches Critical RCE Vulnerability in FortiClientLinux Date: 2024-04-10 Author: Security Week [Please see AUSCERT Bulletins https://www.auscert.org.au/bulletins/ESB-2024.2166 and https://www.auscert.org.au/bulletins/ESB-2024.2172] Fortinet on Tuesday announced patches for a dozen vulnerabilities in FortiOS and other products, including a critical-severity remote code execution (RCE) bug in FortiClientLinux. The critical flaw, tracked as CVE-2023-45590 (CVSS score of 9.4), is described as a code injection issue that could allow an unauthenticated, remote attacker to execute arbitrary code or commands by convincing a user to visit a malicious website. Code Execution Flaws in Multiple Adobe Software Products Date: 2024-04-09 Author: Security Week [Please also see AUSCERT bulletins: ESB-2024.2138, ESB-2024.2140, ESB-2024.2162, ESB-2024.2136, ESB-2024.2137, ESB-2024.2139, ESB-2024.2165] Software maker Adobe on Tuesday rolled out urgent security updates for multiple enterprise-facing products and warned that hackers could exploit these bugs to launch code execution attacks. As part of its scheduled batch of Patch Tuesday updates, Adobe called attention to a pair of code execution bugs in Adobe Commerce and Magento Open Source, a product used by businesses to create and manage online stories. Critical Rust flaw enables Windows command injection attacks Date: 2024-04-09 Author: Bleeping Computer Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system. GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction. Apple: Mercenary spyware attacks target iPhone users in 92 countries Date: 2024-04-11 Author: Bleeping Computer Apple has been notifying iPhone users in 92 countries about a "mercenary spyware attack" attempting to remotely compromise their device. In a sample notification the company shared with BleepingComputer, Apple says that it has high confidence in the warning and urges the recipient to take seriously. "Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-," reads the notification. ASB-2024.0065 – Microsoft Windows Products: CVSS (Max): 8.8 Microsoft has recently issued its monthly security patch update for April 2024 to address a total of 91 vulnerabilities found in Windows and Windows Server. Among these vulnerabilities is a zero-day exploit identified as CVE-2024-26234. This exploit involved a malicious driver that was signed using a legitimate Microsoft Hardware Publisher Certificate and was discovered to be operating as a malicious backdoor. ESB-2024.2180 – WordPress: CVSS (Max): None WordPress has rolled out version 6.5.2 to fix a Cross-Site Scripting vulnerability along with various other bugs. Failure to apply this patch could enable malicious actors to insert harmful scripts into WordPress websites. This could result in website defacement, the compromise of sensitive information, or the dissemination of malware to site visitors. WordPress strongly urges all users to promptly update their installations to mitigate these risks. ESB-2024.2166 – FortiClientLinux: CVSS (Max): 9.4 An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website. The vulnerability is resolved by performing a system update. ESB-2024.2148 – Linux kernel: CVSS (Max): 9.8* Numerous security issues were fixed in the Linux kernel, such as the IPv6 implementation of the Linux kernel not properly managing route cache memory usage, allowing a remote attacker to cause a denial of service (memory exhaustion) and the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations, allowing a local attacker to cause a denial of service (system crash). The vulnerabilities are resolved by performing a system update. ESB-2024.2099 – Django: CVSS (Max): 9.8 The password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts. The vulnerability is resolved by performing a system update. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, Today is the last chance to take advantage of early bird registrations and make the most of AUSCERT member tokens! The countdown is on for AUCERT2024 and we are very excited to join with our community, hear from industry experts, engage in ground breaking workshops and participate in exciting activities! Check out our full program for all the details! A recently published report by The Cyber Safety Review Board has highlighted a series of critical oversights by Microsoft in an incident involving a threat actor believed to be affiliated with the People’s Republic of China. This breach led to unauthorised access to email accounts of senior government officials from the United States and the United Kingdom. The incident underscores the significant threat that supply chain attacks pose to organisations, given the inherent vulnerabilities that can be introduced and exploited at any stage of the supply chain. Recent high-profile attacks on various companies and code repositories, such as the xz Utils backdoor, serve as an important reminder that attackers possess both the intent and capability to exploit weaknesses in supply chain security. Regardless of an organisation’s size or the stringency of its security measures, vigilance and preparedness for potential incidents are paramount. As this alarming trend continues to escalate, it becomes increasingly imperative for organisations to implement effective risk management measures including careful oversight of their supply chains. These steps are crucial in reducing the likelihood and impact of similar incidents in the future. The UK’s National Cyber Security Centre has provided valuable guidance in establishing effective control and oversight of supply chains, offering principles that can significantly bolster security measures. These principles revolve around four key strategies: Understand the Risks, Establishing Control, Checking Arrangements and Driving Continuous Improvement. In conclusion, supply chain attacks represent an increasing threat to organisations globally. It’s crucial to comprehend the risks associated with all supplier and partner arrangements, regardless of an organisation’s size or reputation. Establishing control and holding suppliers accountable for agreed security measures are imperative steps. Moreover, it’s vital to encourage suppliers to continuously enhance their security arrangements. By adopting these measures, organisations can bolster their defences against supply chain vulnerabilities and mitigate potential threats effectively. Security Flaw in WP-Members Plugin Leads to Script Injection Date: 2024-04-02 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Attackers could exploit a high-severity cross-site Scripting (XSS) vulnerability in the WP-Members Membership WordPress plugin to inject arbitrary scripts into web pages, according to an advisory from security firm Defiant. The bug, tracked as CVE-2024-1852, is the result of insufficient input sanitization and output escaping, allowing an attacker to create accounts that have a malicious script stored as the value of the user’s IP address. xz-utils Backdoor Affected Kali Linux Installations: Check for Infection Date: 2024-04-02 Author: Cyber Security News A backdoor was recently discovered in the xz-utils package versions 5.6.0 to 5.6.1, shocking the Linux community. This poses a significant threat to the security of Linux distributions, including Kali Linux. The vulnerability, CVE-2024-3094, could potentially allow malicious actors to compromise sshd authentication, granting unauthorized access to systems remotely. Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites Date: 2024-04-03 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical SQL injection vulnerability in the LayerSlider plugin can be exploited to extract sensitive information from website databases, WordPress security firm Defiant warns. A WordPress slider plugin with more than one million active installations, LayerSlider provides users with visual web content editing, digital visual effects, and graphic design capabilities in a single solution. Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks Date: 2024-04-03 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction. Adversaries are leveraging remote access tools now more than ever — here’s how to stop them Date: 2024-04-02 Author: Cisco Talos Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic. Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. Cyber 'axis of evil' poised for more attacks on Australia, expert warns Date: 2024-04-02 Author: 9News A dangerous "axis of evil in cyberspace" is primed to launch more attacks on major Australian companies, a leading cybersecurity expert has warned, claiming the compromised networks of Medibank and Optus are just phase one in a dark master plan. Highly skilled Russian and Chinese hackers will lead those cyberattacks, according to Tom Kellerman, a former cyber investigations advisor for the US Secret Service and Barack Obama's government. The motives for recent attacks on Medibank, Optus, Latitude and other institutions went far beyond theft of data and the potential for financial extortion, he said. ESB-2024.1999 – ALERT Google Chrome: CVSS (Max): None Google has updated its Stable channel for Windows, Mac and Linux. This includes a patch for a critical zero-day vulnerability (CVE-2024-3159) that was exploited during the recent Pwn2Own Vancouver 2024 hacking competition. ASB-2024.0057 – ALERT xz-utils: CVSS (Max): 10.0 The world was shocked when a Microsoft developer disclosed that a backdoor has been intentionally planted in xz Utils. Known as CVE-2024-3094, this vulnerability enables a malicious actor with the correct private key to take control of sshd, the program responsible for establishing SSH connections, and subsequently execute harmful commands. ESB-2024.2070 – Google Android devices: CVSS (Max): 6.6* Google recently revealed updates to address vulnerabilities in Android and Pixel devices, which include two issues that have been actively exploited. These vulnerabilities, known as CVE-2024-29745 and CVE-2024-29748, specifically affect Pixel's bootloader and firmware. ESB-2024.1985.3 – UPDATE VMware SD-WAN: CVSS (Max): 7.4 VMware has issued crucial security patches to resolve a number of vulnerabilities in its SD-WAN solution. Failure to apply these patches could pose significant risks to organizations that depend on VMware SD-WAN for network management. ASB-2024.0058 – HTTP/2: CVSS (Max): 7.5* Recently identified vulnerabilities in the HTTP/2 protocol, known as "CONTINUATION Flood," have the potential to launch DoS attacks against servers utilizing vulnerable implementations. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, As Easter approaches this weekend, many of us eagerly anticipate some well-deserved time off, relishing in chocolate eggs, and cherishing moments with loved ones. However, amidst the joyous festivities, we'd like to gently remind you that our member tokens and early bird registration fees will expire on April 5th for AUSCERT2024! We're thrilled to unveil an engaging program, featuring Darren Kitchen as one of our esteemed keynote speakers. Darren's expertise promises to provide enlightening and invaluable insights for all attendees. Additionally, we're excited to announce that Risky Biz has confirmed a live podcast recording at AUSCERT2024! Be sure to seize the remaining time to secure your member tokens and early bird registration fees before this offer concludes. This week, we released episode 32 of our podcast, titled "Behaviour Change to Reduce Threats." In this thought-provoking discussion, Anthony engages with Jane O’Loughlin from CERT NZ, exploring the critical importance of behaviour modification in mitigating cyber security threats. Jane actively advocates for increased awareness and action in cyber security, striving to make it more accessible and relevant to individuals. Jane explains that despite cyber security’s widespread attention, research still indicates a concerning lack of seriousness among people regarding the issue, with many remaining unaware of the profound consequences of personal cyber attacks. Given the escalating sophistication and severity of threats, it's imperative for everyone to adopt proactive measures. Cyber attackers leverage behavioural science to meticulously craft and target attacks, enhancing their success rates. Therefore, fostering a culture of cybersecurity consciousness and implementing effective behavioural modifications are crucial steps in safeguarding against cyber threats. CERT NZ and The Research Agency have collaborated to produce "Cyber Change" – a book of behaviour change techniques aimed at promoting positive cybersecurity actions. This guide, tailored for government and industry agencies working in online security, shares valuable insights on improving the effectiveness of cyber security interventions. In conclusion, AUSCERT wishes everyone a safe and happy Easter holiday! Our offices will be closed for the Easter long weekend from Friday 29th of March until Monday 1st of April inclusive. During this time auscert@auscert.org.au will not be monitored and no bulletins will be issued. However our analysts will remain on call for the period, if you experience a cyber incident, please log into the member portal for the 24/7 member hotline number. Exploit released for Fortinet RCE bug used in attacks, patch now Date: 2024-03-21 Author: Bleeping Computer [AUSCERT utilised third-party search engines to identify and alert any impacted members] Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks. Tracked as CVE-2023-48788, this security flaw is an SQL injection in the DB2 Administration Server (DAS) component discovered and reported by the UK's National Cyber Security Centre (NCSC). CISA tags Microsoft SharePoint RCE bug as actively exploited Date: 2024-03-27 Author: Bleeping Computer CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. Tracked as CVE-2023-24955, this SharePoint Server vulnerability enables authenticated attackers with Site Owner privileges to execute code remotely on vulnerable servers. Australia Doubles Down On Cybersecurity After Attacks Date: 2024-03-27 Author: Dark Reading Government proposes more modern and comprehensive cybersecurity regulations for businesses, government, and critical infrastructures providers Down Under. The Australian government is carving out plans to revamp cybersecurity laws and regulations in the wake of a series of damaging high-profile data breaches that rocked the country. Government officials recently released what it called a consultation paper that outlined specific proposals and solicited input from the private sector in a proclaimed strategy to position the nation as a world leader in cybersecurity by 2030. Australian gov backs election system security after "highly likely" UK compromise Date: 2024-03-26 Author: iTnews The federal government has sought to assure Australians that electoral systems are secure after it emerged that UK electoral systems “were highly likely compromised” between 2021 and 2022. The UK government, together with its cyber security agency, attributed “two malicious cyber campaigns targeting democratic institutions and parliamentarians” to China-affiliated threat groups. Ray AI Framework Vulnerability Exploited to Hack Hundreds of Clusters Date: 2024-03-27 Author: SecurityWeek Attackers have been exploiting a missing authentication vulnerability in the Ray AI framework to compromise hundreds of clusters, application security firm Oligo reports. The issue, tracked as CVE-2023-48022 and disclosed in November 2023, exists because, in its default configuration, the open source compute framework for AI does not enforce authentication and does not support any type of authorization model. ESB-2024.1744 – Firefox: CVSS (Max): 8.8 Mozilla has updated Firefox to version 124.0.1 addressing 2 critical vulnerabilities ESB-2024.1805 – Google Chrome: CVSS (Max): None Google has updated Chrome addressing multiple vulnerabilities ESB-2024.1783 – macOS Ventura: CVSS (Max): 5.9 Apple has released an update to a remote code execution vulnerability in macOS Ventura ESB-2024.1842 – Cisco IOS XE Software: CVSS (Max): 8.6 Cisco has released software updates for a denial of service vulnerability in IOS XE Software ESB-2024.1787 – Rockwell Automation Arena Simulation Software: CVSS (Max): 7.8 Rockwell Automation has updated Arena Simulation Software to address multiple vulnerabilities Stay safe, stay patched and have a good weekend! The AusCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Behaviour change to reduce threats In this episode, AUSCERT features the following guests: Jane O’Louglin, CERTNZ Mike Holm, AUSCERT Anthony sits down with Jane O’Louglin from CERTNZ for a fascinating discussion about why behaviour change is so critical when looking at ways to migitate threats and blocking threat actors. In the second half of the episode, Bek chats with Mike Holm from AUSCERT about the history and role of CERT teams and the fast approaching AUSCERT Conference. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, As AUSCERT2024 approaches, we want to remind all our valued members to make the most of their Member Tokens before they expire on April 5th. Also, Early Bird Registrations are closing on this date too, so if you want to save on costs, register now! This year's program is exceptional, featuring a diverse range of cutting-edge workshops, influential speakers, and exciting activities. Seize this incredible opportunity to learn, network, and engage with industry leaders. Secure your spot today and join us for an unforgettable event! For more information, visit the AUSCERT2024 website. Charities and not-for-profit organisations in Australia are facing an escalating number of cyber threats. In the 2022-23 financial year alone, the Australian Signals Directorate (ASD) received nearly 94,000 cybercrime reports, indicating one report filed approximately every 6 minutes. Recognising this concerning trend, the ASD is urging these entities to enhance their online security measures and stay vigilant. Due to their limited resources, charities and not-for-profit organisations are increasingly vulnerable to malicious attacks. Such incidents can result in substantial costs, including financial losses, data breaches, reputational damage, loss of trust from donors and beneficiaries, and overall harm to the community they serve. Not to fear, AUSCERT is here to help! Our members have access to a team of experts who can provide guidance, support, and assistance when incidents arise! An effective cyber security incident response is essential for maintaining organisational objectives by avoiding or limiting the impact of cyber security incidents. Register for our Incident Response Planning Course to develop the skills needed to write and implement a bespoke incident response plan for your organisation. This course is designed to provide organisations with crucial information and knowledge to execute one of the critical elements of incident response preparation. Our upcoming course is scheduled for 16-17 April from 9am – 12:30pm, with limited places available so register now! Fujitsu found malware on IT systems, confirms data breach Date: 2024-03-18 Author: Bleeping Computer Japanese tech giant Fujitsu discovered that several of its systems were infected by malware and warns that the hackers stole customer data. "We have confirmed the presence of malware on several of our business computers, and as a result of our internal investigation, it has been discovered that files containing personal information and information related to our customers could be illicitly removed," reads a Fujitsu notice. New fact sheet for critical infrastructure leaders – actions to mitigate PRC state-sponsored cyber activity Date: 2024-03-20 Author: ASD Together with our international partners, we have released the PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders fact sheet. The fact sheet provides guidance for critical infrastructure leadership to protect their infrastructure and critical functions from Volt Typhoon – a state-sponsored cyber actor linked to the People’s Republic of China (PRC). Human risk factors remain outside of cybersecurity pros’ control Date: 2024-03-15 Author: Help Net Security Cyber threats are growing at an unprecedented pace, and the year ahead is fraught with cybercrime and incidents anticipated ahead of the busy election year where over 50 countries head to the polls, according to Mimecast. With new threats like AI and deepfake technology, the stakes are higher than ever to execute a strong cyber defense. Microsoft announces deprecation of 1024-bit RSA keys in Windows Date: 2024-03-18 Author: Bleeping Computer Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security. Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack. 1024-bit RSA keys have approximately 80 bits of strength, while the 2048-bit key has approximately 112 bits, making the latter four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030. Threat landscape for industrial automation systems. H2 2023 Date: 2024-03-19 Author: Kaspersky ICS CERT In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%. In H2 2023, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked of all industries that we looked at. Oil and Gas was the only industry to see a slight (0.5 pp) increase in the second half of the year. ESB-2024.1635 – Nessus Products: CVSS (Max): 7.8 A privilege escalation vulnerability in Nessus plugin has been addressed. This vulnerability affects Nessus and Nessus Agent ESB-2024.1680 – Atlassian Self-Managed Products: CVSS (Max): 10.0 Atlassian has released patches for multiple vulnerabilities in its monthly security update ESB-2024.1683 – Firefox: CVSS (Max): 6.5* Firefox has been updated to version 124 addressing multiple vulnerabilities ESB-2024.1717 – Jenkins (core): CVSS (Max): 7.5 Jenkins (core) has been updated to address a Denial of Service vulnerability Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, Another week is coming to a close, and what an eventful week it has been! Some of our team members travelled to Sydney to reconnect with our valued members and attended the iTnews 2024 Benchmark Awards. For over a decade, these awards have provided IT leaders and teams with an opportunity to gain recognition for their ambition, innovation, and the value they bring to government, industry, and the public. This year, the focus was on acknowledging both projects and the individuals behind Australia's best IT initiatives. AUSCERT is proud to support programs like these that highlight the hard work and important achievements of IT teams across our country! To top off a great week, the women of AUSCERT also attended a High Tea organised by the Australian Women in Security Network (AWSN), to commemorate International Women’s Day (IWD). The High Tea featured influential guest speakers, Tea Dietterich, CEO of 2M Language Services, and Jackie French, Director for the Faculty of Creative Arts at TAFE Queensland, who both discussed the concerns and issues that women often face when trying to excel in their careers. They spoke about this year's IWD theme, “Count her in: Invest in Women, Accelerate Progress,” and how it encapsulates our collective mission towards a more inclusive, innovative, and secure future for all. Women’s economic empowerment is essential if we hope to create a world where gender equality is not just a goal but a reality. When women are given equal opportunities to earn, learn, and lead, entire communities thrive. While progress has been made, women face significant obstacles to achieving equal participation in the economy. Without equal access to education, employment pathways, financial services, and literacy, how can we ever hope to reach gender equality? We must ensure that women are given equal opportunity to build capabilities and strengthen their capacity to learn, earn, and lead. To conclude, we would like to highlight the importance of empowering women and all staff through further education and training. We have recently released a whole new set of training courses specifically designed to enhance and empower staff with the essentials of cybersecurity. Check out our full list of upcoming training sessions here! Fortinet warns of critical RCE bug in endpoint management software Date: 2024-03-13 Author: Bleeping Computer [Please see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1576] Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers. FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices. Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities Date: 2024-03-13 Author: Security Week [AUSCERT has published security bulletins for these Intel updates] Intel published eight new advisories, including two that describe high-severity vulnerabilities. One of the high-severity issues is a local privilege escalation impacting BIOS firmware for some Intel processors. The second is a local privilege escalation that impacts the on-chip debug and test interface in some 4th Generation Intel Xeon processors when using SGX or TDX technology. Adobe Patches Critical Flaws in Enterprise Products Date: 2024-03-12 Author: Security Week [AUSCERT has published security bulletins for these Adobe updates] Software maker Adobe on Tuesday released a hefty batch of security updates to fix critical-severity vulnerabilities in multiple enterprise-facing products. The Patch Tuesday rollout contains fixes for code execution flaws in the oft-targeted Adobe ColdFusion, Adobe Premiere Pro, Adobe Bridge and Adobe Lightroom. The San Jose, Calif. company called urgent attention to a mega-update for its Adobe Experience Manager software, documenting at least 46 vulnerabilities that expose users to arbitrary code execution and security feature bypass. Patch Tuesday: Microsoft Flags Major Bugs in HyperV, Exchange Server Date: 2024-03-12 Author: Security Week [AUSCERT has published security bulletins for these Microsoft updates] Microsoft on Tuesday rolled out patches for at least 60 security vulnerabilities haunting the Windows ecosystem and warned there is exposure to remote code execution attacks. The world’s largest software maker tagged two HyperV vulnerabilities — CVE-2024-21407 and CVE-2024-21408 with its highest critical-severity rating and urged users to prioritize these fixes to reduce exposure to code execution and denial-of-service attacks. Microsoft also flagged a serious flaw in Open Management Infrastructure (OMI) for urgent attention, noting that the CVE-2024-21334 bug carries a CVSS severity score of 9.8 out of 10. Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks Date: 2024-03-11 Author: Security Week [See AUSCERT bulletin https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.0849] Roughly one month ago, Fortinet patched a critical FortiOS vulnerability and warned customers about potential exploitation. Many systems are impacted, but there still do not appear to be any signs of large-scale attacks. The vulnerability, tracked as CVE-2024-21762, has been described as an out-of-bounds write issue in FortiOS and FortiProxy that can allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted HTTP requests. When it disclosed the zero-day flaw on February 9, Fortinet said it was ‘potentially being exploited in the wild’. CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities Catalog a few days later. ASB-2024.0051 – ALERT Microsoft Windows: CVSS (Max): 8.8* Microsoft released numerous updates this week as part of its monthly 'Patch Tuesday' release. ESB-2024.1541 – Adobe Premiere Pro: CVSS (Max): 7.8 Adobe joined Microsoft in releasing updates for many of its products running on Windows, Linux and macOS. ESB-2024.1565 – Intel Processors: CVSS (Max): 7.2 .. and Intel also joined Microsoft and Adobe with their regular release of fixes for vulnerabilities affecting their processors and associated hardware, firmware and software. ESB-2024.1576 – FortiClientEMS: CVSS (Max): 9.3 FortiClientEMS remote unauthenticated vulnerability reported and patched this week and referred to in this week's articles. ESB-2024.0849 – ALERT FortiOS: CVSS (Max): 9.6 Another Fortinet vulnerability patched this week and noted in this week's listed articles. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Membership Terms and Conditions   See the attached AUSCERT Membership Terms and Conditions (Version: March 2024).   AUSCERT Membership Terms and Conditions – Mar2024

Greetings, Today we celebrate AUSCERT’s 31ST Birthday and embrace the spirit of International Women’s Day! It fills us with immense joy to be able to celebrate this special occasion alongside the remarkable women around us! Ironically on this momentous day, we also released the 31st episode of our podcast titled “Cybercrime” featuring special guests Nigel Phair from Monash University and James Chadwick, Principal Analyst of AUSCERT. In this captivating conversation Anthony and Nigel unravel the murky world of cybercrime. Together, they explore the evolution of cybercrime over the past two decades, particularly as the internet has become more accessible to a broader audience globally. They shed light on the expanding opportunities it has provided for criminals, delving into the various tactics and approaches employed to tackle this complex issue throughout the years. In other news, as Queensland's local government elections approach, it's crucial to remain vigilant about potential voting scams that often emerge during these periods. During significant events like political elections, evil actors tend to escalate their attacks, capitalising on the heightened buzz and media attention. Here are some key points to be mindful of during this election season: Phishing Attempts: Exercise caution with emails, messages, or calls claiming to be from official election authorities. Avoid clicking on suspicious links and verify the authenticity of communication before sharing any personal information. Misinformation Campaigns: Be wary of false information circulating on social media or other platforms. Verify the accuracy of news and updates related to the election from reliable sources before sharing or acting upon them. Fraudulent Websites: Only use official and secure websites for election related information and activities. Malicious actors may create fraudulent websites to collect sensitive data or spread misinformation. Phone Impersonation Scams: Be cautious of individuals posing as election officials, candidates, or representatives. Verify the identity of anyone requesting personal information or donations related to the election. Stay informed: Keep yourself informed about common election scams and stay updated on security guidelines provided by official election authorities. You can find more information on the Australian Government’s Scamwatch website. Awareness is key to prevent falling victim to fraudulent activities! If you do encounter any of the above activities, report it here. Hackers steal Windows NTLM authentication hashes in phishing attacks Date: 2024-03-04 Author: Bleeping Computer [AUSCERT is aware of reports where Australian organisations appear to have been targeted by TA577. Please see AusCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0046.2] The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks. TA577 is considered an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections. Email security firm Proofpoint reports today that although it has seen TA577 showing a preference for deploying Pikabot recently, two recent attack waves demonstrate a different tactic. PikaBot malware on the rise: What organizations need to know Date: 2024-03-01 Author: Malwarebytes Labs [AusCERT has distributed IoCs associated with PikaBot malware through the MISP platform] A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads. Apple fixes two new iOS zero-days exploited in attacks on iPhones Date: 2024-03-05 Author: Bleeping Computer [Please see AusCERT bulletins: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1413 and https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1414] Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the iOS Kernel (CVE-2024-23225) and RTKit (CVE-2024-23296), both allowing attackers with arbitrary kernel read and write capabilities to bypass kernel memory protections. TeamCity auth bypass bug exploited to mass-generate admin accounts Date: 2024-03-06 Author: Bleeping Computer [AUSCERT utilised third-party search engines to identify and alert any impacted members. If you use Teamcity, we recommend patching according to the vendor's guidelines] Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday. Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web. VMware Patches Critical ESXi Sandbox Escape Flaws Date: 2024-03-05 Author: Security Week [Please see AusCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1406/] Virtualization technology vendor VMware on Tuesday rolled out urgent patches for critical-severity flaws in the enterprise-facing ESXi, Workstation, Fusion and Cloud Foundation products. The company documented four vulnerabilities and warned that the most serious bugs could allow a malicious actor with local admin privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host. ESB-2024.1366 – Android: CVSS (Max): 9.8 Google has released security patches for critical security vulnerabilities affecting Android devices including a vulnerability in the System component potentially leading to remote code execution. ESB-2024.1407 – Linear eMerge E3-Series: CVSS (Max): 10.0 A critical security vulnerability in the Nice Linear eMerge E3-Series poses a severe risk with a CVSS score of 10.0. Exploitation of multiple vulnerabilities could allow a remote attacker to gain full system access. Users are advised to upgrade to the latest firmware to mitigate these risks. ESB-2024.1431 – squid: CVSS (Max): 8.6 An update for Squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support, addressing a vulnerability that could lead to a denial of service in the HTTP header parser. ESB-2024.1368 – Google Chrome: CVSS (Max): None Google released Chrome 122.0.6261.111/.112 for Windows and Mac and 122.0.6261.111 to Linux that contains 3 security fixes. ESB-2024.1461 – Jenkins Plugins: CVSS (Max): 8.0* Jenkins has released latest versions of the affected plugins to address multiple security vulnerabilities, including issues such as SSH vulnerabilities, improper input sanitization leading to cross-site scripting (XSS), and missing permission checks. Stay safe, stay patched and have a good weekend! The AusCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Cybercrime In this episode, AUSCERT features the following guests: Nigel Phair, Monash University James Chadwick, AUSCERT Anthony sits down with Nigel Phair from Monash University to discuss the murky world of Cybercrime! In the second half of the episode, Bek chats with James Chadwick, Principal Analyst of AUSCERT about the release of the NIST 2.0 Framework and the fast approaching AUSCERT Conference. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, The AUSCERT2024 program is now live! With the highest number of presentation submissions ever received, the selection committee faced the challenging task of curating a program that showcases the most relevant and impactful topics. Striving for diversity, the committee selected a wide array of subjects, ensuring a well-rounded and engaging program. If you haven't already, make sure to register as soon as possible to secure your spot! In recent news, the National Institute of Standards and Technology (NIST) has introduced version 2.0 of its cyber security framework (CSF), marking a significant update since its inception in 2014. This development is noteworthy as the framework now explicitly aims to assist all organisations, extending beyond critical infrastructure entities in managing and mitigating risks. The updated framework incorporates implementation examples, providing actionable steps to achieve various outcomes within different areas. Additionally, they have also released quick start guides to provide further direction and guidance to organisations wanting to achieve specific objectives. The updated NIST Framework places a new focus on governance. The new GOVERN function addresses the cyber security risk management strategy, expectations and policies that should be established, communicated and monitored. GOVERN essentially provides outcomes to inform what an organisation may do to achieve and prioritise the outcomes of the other five Functions within the framework (Identify, Protec, Detect, Respond & Recover). GOVERN also contains a new focus area on cyber security supply chain risk management. For member organisations seeking additional support in governance, we recommend registering for our new training course, "Data Governance Principles and Practices." In this course, our expert practitioners delve into the key components of a successful data governance framework, utilizing real-world examples to illustrate best practices. The training is designed to provide attendees with fundamental skills and knowledge essential for expediting the establishment of a successful data governance program within their organisation. Participants will also learn practices and methodologies applicable to various initiatives, including stakeholder management, identification of pain points and the development of related objectives ultimately leading to the creation of a strategy on a page. CVE-2024-26592 & 26594: Critical Linux Kernel Flaws Open Door for Code Execution and Data Theft Date: 2024-03-26 Author: Security Online A pair of critical vulnerabilities, recently patched in the Linux kernel, have raised alarms for anyone managing Linux systems. These flaws resided in the KSMBD file server, responsible for seamless file sharing with Windows machines. These vulnerabilities, dubbed CVE-2024-26592 and CVE-2024-26594, carried severe consequences, but thankfully, swift action has mitigated the threat. WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk Date: 2024-03-27 Author: The Hacker News [AusCERT has identified the impacted members (where possible) and contacted them via email ] A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack researcher Rafie Muhammad said. TeamViewer's Security Flaw Risks Password Safety Date: 2024-03-29 Author: Security Online A recently discovered security hole (CVE-2024-0819) in older TeamViewer versions (prior to 15.51.5) could have put your personal password and system security at risk. This flaw allowed even low-level users on shared computers to set a personal password, potentially leading to unauthorized remote access. Fortunately, TeamViewer has released a fix, but it’s crucial to update immediately and take this opportunity to bolster your overall security practices. Progress patches authentication bug in OpenEdge Date: 2024-03-28 Author: iTnews Progress Software’s OpenEdge authentication gateway and AdminServer need to be patched against a critical authentication bypass bug present in all supported releases of OpenEdge. According to the company’s advisory, the bug affects OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0. The bug’s Mitre entry adds: “Certain unexpected content passed into the credentials can lead to unauthorised access without proper authentication.” CVE-2023-7235: OpenVPN Vulnerability Puts Windows Users at Risk Date: 2024-03-21 Author: Security Online [AUSCERT has identified the impacted members (where possible) and contacted them via email] OpenVPN has released version 2.6.9 for Windows, Mac, and Linux, addressing a severe privilege escalation vulnerability (CVE-2023-7235). This flaw, discovered by Will Dormann, affects Windows GUI installations of OpenVPN. Zyxel Patches Remote Code Execution Bug in Firewall Products Date: 2024-03-26 Author: Security Week Taiwanese networking device maker Zyxel has rolled out patches for multiple defects in its firewall and access point products alongside warnings that unpatched systems are at risk of remote code execution attacks. Zyxel, a company that has struggled with software security problems, documented at least four vulnerabilities that expose businesses to code execution, command injection and denial-of-service exploitation. ESB-2024.1257 – Google Chrome: CVSS (Max): None Google has issued an update for the Google Chrome Stable channel containing 4 security patches. This update is applicable to Mac, Linux, and Windows systems and will be gradually rolled out over the upcoming days/weeks. ESB-2024.1150 – Firefox for iOS: CVSS (Max): None Mozilla has released patches to resolve CVE-2024-26283, CVE-2024-26282, and CVE-2024-26281 in Firefox for iOS 123, preventing potential unauthorized script execution by attackers. ESB-2024.1299 – Juniper Secure Analytics (JSA): CVSS (Max): 9.8 Several vulnerabilities have been reported in Juniper Networks' Juniper Secure Analytics affecting all versions before 7.5.0 UP7. Juniper Networks has released software updates to mitigate these vulnerabilities. ESB-2024.1131.2 – UPDATE Drupal Core: CVSS (Max): None A critical vulnerability affecting Drupal core has been identified, potentially resulting in sensitive information being cached and accessible to anonymous users, thereby enabling privilege escalation. Administrators are strongly advised to install the recommended version prevent exploitation. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, AUSCERT has detected a rise in Critical MSINs being sent to members. These proactive alerts are flagged for urgent attention to mitigate potential high-priority risks, particularly when AUSCERT identifies exploitation of 0-day vulnerabilities. CISA, along with its five-eye country partners, has issued a joint advisory on 'Identifying and Mitigating Living Off the Land Techniques' (LOLT). Notably, cyber threat actors, including state-sponsored actors from the People’s Republic of China and the Russian Federation, have been observed employing LOLT to compromise and maintain persistent access to critical infrastructure organisations. This joint guide is released for network defenders and threat hunters, addressing the increasing prevalence of LOLT techniques in the broader cyber threat landscape. Understanding and countering these techniques is crucial for enhancing cybersecurity posture and mitigating risks from sophisticated adversaries. In other recent developments, the Pall Mall Process declaration between the UK and France marks a crucial stride in addressing the proliferation and irresponsible use of commercial cyber intrusion capabilities. Cyber proliferation involves the intentional or unintentional transfer of cyber capabilities among actors for network or device exploitation or attack purposes. The Pall Mall Process declaration is an innovative international initiative aimed at exploring policy options and new practices to counter this shared threat. The NCSC’s recent blog delves into what this process signifies for the future. Take a moment to read and stay informed, you can then “advance to GO”. Are you aware of Australia's Online Safety Laws? While employing measures like secure passphrases and two-factor authentication provides a strong defence against bad actors, it's equally important to report illegal and violent content online. To learn more, visit esafety.gov.au, these laws have your back! Business risks are also important. The AUSCERT Cyber Security Risk Management course is designed to provide participants with the confidence to perform a risk assessment of cyber security risks, and the ability to rate, assess, and report business risks. Calibrating cyber security as business risks rather than just technical vulnerability severity readily facilitates business leader buy-in. Register today!. Here are some highlights from this week’s cyber security news, including the significant law enforcement takeover of the prolific multinational ransomware syndicate behind LockBit. ConnectWise Rushes to Patch Critical Vulns in Remote Access Tool Date: 2024-02-20 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Enterprise IT software giant ConnectWise has released urgent patches for two critical security defects in its ScreenConnect remote desktop access product, warning there is high risk of in-the-wild exploitation. The most serious of the two bugs is described as an “authentication bypass using an alternate path or channel” and carries the maximum CVSS severity score of 10/10. A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”) was also fixed and tagged with a CVSS severity score of 8.4/10. Over 28,500 Exchange servers vulnerable to actively exploited bug Date: 2024-02-19 Author: Bleeping computer [Please see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0038/] Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on February 13, when it had already been leveraged as a zero-day. Currently, 28,500 servers have been identified as being vulnerable. Tangerine Telecom says customer data of 232,000 affected by 'cyber incident' Date: 2024-02-21 Author: iTnews Tangerine Telecom, a challenger retail service provider, says a “legacy” customer database containing details of 232,000 current and former customers was accessed by an unknown party via exploitation of a contractor’s credentials. The seller of NBN and mobile services said in a statement on Wednesday that “the unauthorised disclosure of certain personal information” occurred on Sunday, and that the management team had learned of the incident on Tuesday. LockBit ransomware disrupted by global police operation Date: 2024-02-19 Author: Bleeping Computer Law enforcement agencies from 11 countries have disrupted the notorious LockBit ransomware operation in a joint operation known as ''Operation Cronos." According to a banner displayed on LockBit's data leak website, the site is now under the control of the National Crime Agency of the United Kingdom. Government moves to expand SMS Sender ID registry Date: 2024-02-19 Author: iTnews Nine months after announcing it would require telcos to use a Sender ID Registry to combat SMS spam, the government has started consultation over whether the scheme should be mandatory or voluntary for Australia’s telcos. The registry would create a controlled list of the numbers used by registered brand names. This would prevent scammers from impersonating participants’ brands, since carriers would block texts using those brands unless the originating number is in the registry. ASB-2024.0045.3 – UPDATE AUSCERT Bulletin Service AUSCERT has recently updated its security bulletin infrastructure. — Notable changes include: * removal of PGP-signing * consolidation of operating system categories and tags to retire some end-of-life products and introduce some recent categories * minor change to email subject line and headers due to a change of the underlying systems * improved bulletin search facility on website ESB-2024.1092 – Google Chrome: CVSS (Max): None Google has released patches for several vulnerabilities for Google Chrome ESB-2024.1099 – VMware Enhanced Authentication Plug-in (EAP): CVSS (Max): 9.6 VMware has addressed vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) ESB-2024.1102 – Atlassian Products: CVSS (Max): 8.5 Atlassian has released updates to several products which were impacted by various high-severity vulnerabilities Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, The ACSC has developed a valuable single reporting tool to help you determine which Australian regulations apply to your organisation, as well as specifying when and to whom you need to report a cyber breach. First highlighted in the government’s Australian Cyber Security Strategy 2023-2030, the swift availability of this resource is notable. Its significance lies in simplifying the process and will undoubtedly have a positive impact on our community. The federal government launched the Cyber Security Legislative Reforms consultation paper late last year to gather views on new legislative initiatives and proposed amendments to the Security of Critical Infrastructure Act 2018. This consultation paper outlines reforms that were part of the Australian Cyber Security Strategy action plan and covers nine areas that are worthy of a read. One being Ransomware reporting obligations which is one of the fastest growing types of cybercrime. The government is proposing that reporting ransomware incidents should become a mandatory, no-fault, no-liability obligation for businesses. The National Office of Cyber Security’s recent review of the HWL Ebsworth cyber incident demonstrates various lessons, with one significant takeaway being the company’s close collaboration with government agencies in effectively handling the incident. Therefore, the government is considering introducing a Cyber Incident Review Board co-designed with the industry to share the lessons learned from cyber incidents with businesses and the wider public. The HWL Ebsworth breach involved the exfiltration of 4TB of data (2.2 million files), including sensitive information from 62 Australian government entities, major banks, airlines, and other multinational businesses. In preparation for cyber incidents, consider registering for our Incident Response Planning training course! Effective cyber security incident response is essential for maintaining organisational objectives by avoiding or limiting the impact of cyber security incidents. Be equipped with the tools to write and implement a bespoke incident response plan for your organisation. Register today!. Here are some highlights from this week’s cyber security news: Zoom patches critical privilege elevation flaw in Windows apps Date: 2024-02-14 Author: Bleeping Computer [Please also see AUSCERT bulletin:https://wordpress-admin.auscert.org.au/bulletins/ASB-2024.0044] The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network. Zoom is a popular cloud-based video conferencing service for corporate meetings, educational lessons, social interactions/gatherings, and more. New Fortinet RCE bug is actively exploited, CISA confirms Date: 2024-02-09 Author: Bleeping Computer [AUSCERT has identified impacted members (where possible) and contacted them via email]. [Please also see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.0849] CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday. The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests. CISA: Roundcube email server bug now exploited in attacks Date: 2024-02-12 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email.] CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks. The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages maliciously crafted links in low-complexity attacks requiring user interaction. The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. QNAP vulnerability disclosure ends up an utter shambles Date: 2024-02-13 Author: The Register [AUSCERT has identified the impacted members (where possible) and contacted them via email] Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November. The Taiwanese company’s coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity of the security problem. QNAP assigned CVE-2023-50358 a middling 5.8-out-of-10 severity score, the breakdown of which revealed it was classified as a high-complexity attack that would have a low impact if exploited successfully. Decryptor for Rhysida ransomware is available! Date: 2024-02-12 Author: Help Net Security Files encrypted by Rhysida ransomware can be successfully decrypted, due to a implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor. Rhysida is a relatively new ransomware-as-a-service gang that engages in double extortion. First observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare delivery organizations, and Holding Slovenske Elektrarne (HSE). ASB-2024.0044 – Zoom Clients: CVSS (Max): 9.6 The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw. ASB-2024.0038 – Microsoft Exchange Server: CVSS (Max): 9.8 Microsoft has released its monthly security patch update and it includes Privilege escalation vulnerability on Microsoft Exchange Servers. ESB-2024.0913 – Adobe Acrobat and Reader: CVSS (Max): 8.8 Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak. ESB-2024.0836.2 – UPDATED ALERT Cisco Expressway Series: CVSS (Max): 9.6 Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. Stay safe, stay patched and have a good weekend! The AusCERT team