Blogs

30 Years 30 Stories

17 Oct 2023

AUSCERT 30 Years 30 Stories – Hank Opdam

Chief Information Security Officer of Ausgrid, Hank Opdam, has enjoyed a 20-year friendship with AUSCERT. Since attending his first AUSCERT conference in the early 2000s, Hank has partnered with AUSCERT through a variety of companies, valuing AUSCERT’s open communication and collaborative services. No matter your company size, Hank recommends an AUSCERT membership.

So how did you first become involved with AUSCERT and what motivated you to become a member?

I was working in financial services at the time, and back then, phishing takedowns were a large gap in the industry. That’s where my relationship with AUSCERT first started. These days it’s a very different exercise and we’ve been benefiting from AUSCERT’s security bulletins mostly, along with having AUSCERT as a phone-a-friend organisation to bounce ideas off and receive assistance with an incident.

What are the key benefits of being an AUSCERT member?

Apart from the services we receive, the bouncing of ideas and the bulletins, the other main benefit is the relationship you build with the AUSCERT team. They are a knowledgeable group of people who care and are backed by a community that’s grown at conferences each year.

What advice would you give to someone considering becoming an AUSCERT member?

If you’re an organisation considering an AUSCERT membership – it’s great value, regardless of your company’s size. For smaller organisations, there are great insights into the threat landscape and the intelligence they can receive. For bigger organisations, it’s about the community, and giving back.

What do you think the future holds for AUSCERT?

Realistically, who knows what the future holds for all things cyber? But one thing that has been clear is that AUSCERT will continue to facilitate events where they’ll listen to their members and community – offering to fill the gaps not being filled by others.

What do you believe sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT is independent, and not-for-profit. You know the information you’ll receive is sound and without influence, and that’s helpful when there’s so much noise in the cyber security landscape.


Week in review

AUSCERT Week in Review for 13th October 2023

13 Oct 2023

Greetings,

This week was an eventful one for AUSCERT as part of our team journeyed to Melbourne to connect with our members and participate in the prestigious Women in Security Awards ceremony. The 2023 Australian Women in Security Awards was a night filled with grace and charm, embracing an enchanting masquerade theme this year. The event was a wonderful occasion for members of the industry to come together and celebrate the achievements and contributions of both men and women who have played pivotal roles in this field.

AUSCERT is a proud sponsor of the Women in Security Awards, endorsing their initiatives to foster greater diversity and break down gender-related barriers. These awards honour champions who are committed to dismantling gender discrimination in their workplace while advocating for equality within the cyber security industry. They also acknowledge organisations dedicated to fostering a more inclusive and empowering workplace culture. The Women in Security Awards do a great job of shining a spotlight on those who go above and beyond to create an environment that genuinely celebrates all voices and contributes to shaping a brighter and more equitable future for all.

In recent developments, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a cyber security advisory (CSA) that highlights the most common misconfigurations found in large organisations, detailing the tactics, techniques, and procedures (TTPs) malicious actors use to exploit them. The CSA outlines the top 10 misconfigurations (default configurations, improper separation of user and administrator privilege, insufficient internal network monitoring, lack of network segmentation, poor patch management, bypass of system access controls, weak or misconfigured MFA, insufficient ACLs on network shares and services, poor credential hygiene, and unrestricted code execution), which reveal a prevailing trend of systemic weaknesses within many organisations, even those with well-established cyber security practices. It also provides mitigation advice, including the importance of secure-by-design principles in the software supply chain. This proactive approach can alleviate the strain on defenders, making it essential in the ongoing effort to enhance cyber security resilience.

In conclusion, if you’re seeking something engaging to listen to during your commute, be sure to tune in to the newest episode of our Share Today, Save Tomorrow podcast – Episode 27, Celebrating Neurodiversity! Anthony sits down with Shelly and Trinity to discuss neurodiversity and share their advice and experience on creating the best work environment for people who might see and feel the world differently. Bek and our Principal Analyst Mark Carey-Smith sit down in the second half of the episode to discuss our new Cyber Resilience for Executives course and preparations for AUSCERT2024.

HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
Date: 2023-10-10
Author: The Hacker News
[Please see AUSCERT bulletin: ASB-2023.0189]
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10. Mitigation sits with HTTP/2 server and proxy implementations: vendor patches for CVE-2023-44487 typically limit how many streams a client may open and reset per connection, so any Internet-facing HTTP/2 endpoint (including load balancers and CDNs you operate) should be checked for an update.

New critical Citrix NetScaler flaw exposes 'sensitive' data
Date: 2023-10-10
Author: Bleeping Computer
[Please see AUSCERT bulletin: ESB-2023.5826]
[AUSCERT has also identified the impacted members (where possible) and contacted them via email]
Citrix NetScaler ADC and NetScaler Gateway are affected by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances. The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity. However, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable. Because the leaked data can include valid session tokens, patching alone may not evict an attacker who already holds one; terminating active sessions after upgrading is the prudent follow-up.

curl vulnerabilities ironed out with patches after week-long tease
Date: 2023-10-11
Author: The Register
[See AUSCERT bulletin: ASB-2023.0190]
Updated: After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today. Described by curl project founder and lead developer Daniel Stenberg as "probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "high." The overflow is reachable only when curl is talking to a SOCKS5 proxy with remote hostname resolution (socks5h://), so auditing for proxy usage narrows exposure; the fix shipped in curl 8.4.0, and applications that bundle libcurl need their own rebuilds.

Australia’s home affairs department hit by DDoS attack claimed by pro-Russia hackers
Date: 2023-10-06
Author: The Guardian
The department responsible for Australia’s cybersecurity, national security and immigration has confirmed it was hit with a distributed denial-of-service attack on Thursday night that took its website offline for five hours, after a pro-Russia hacker group said it would target the site over Australia’s support for Ukraine. The group posted on Telegram on Thursday night that it was targeting the home affairs department with a distributed denial-of-service (DDoS) attack after Australia announced this week that Slinger technology aimed at combating drones would be sent to Ukraine in the push back against the Russian invasion.

GNOME Linux systems exposed to RCE attacks via file downloads
Date: 2023-10-09
Author: Bleeping Computer
A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment. libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions. Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, name of song, and musician, and are also typically paired with the FLAC audio file format. Because the indexer parses files as soon as they land in directories it watches, a crafted file only needs to be downloaded, not opened, to reach the vulnerable code.

Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
Date: 2023-10-10
Author: Ars Technica
Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin. The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

ASB-2023.0187 – ALERT Microsoft Office, Office Services and Web Apps: CVSS (Max): 8.4
Microsoft's most recent security patch update resolves vulnerabilities across Microsoft Office, Office Services and Web Apps.

ASB-2023.0182 – ALERT Microsoft Windows: CVSS (Max): 9.8*
Microsoft patched 80 vulnerabilities in Windows and Windows Server in its October 2023 Patch Tuesday release.

ESB-2023.5866 – ALERT BIG-IP Configuration utility: CVSS (Max): 9.9
F5 Networks has released fixes for a directory traversal vulnerability in the BIG-IP Configuration utility.

ESB-2023.5861 – ALERT FortiWLM: CVSS (Max): 9.6
Fortinet has issued patches to address a critical unauthenticated command injection vulnerability in FortiWLM.

ESB-2023.5878 – Adobe Photoshop: CVSS (Max): 7.8
Adobe has released an update for Photoshop on Windows and macOS that addresses a critical vulnerability which, if exploited successfully, could result in arbitrary code execution.

ESB-2023.5917 – IBM Security QRadar SIEM: CVSS (Max): 9.8
IBM QRadar SIEM contains components with vulnerabilities that could be exploited using automated tools; IBM has released fixes addressing the relevant CVEs.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

30 Years 30 Stories

11 Oct 2023

AUSCERT 30 Years 30 Stories – Shelly Mills

Championing AUSCERT’s passion for positive change, Shelly Mills shares why she thinks AUSCERT is the best cyber organisation an organisation could partner with. Shelly has attended the AUSCERT conference four years in a row. As the Cyber Security Improvements Manager at the University of Queensland, Shelly attests to AUSCERT’s virtues.

How did you first become involved with AUSCERT?

I started my first role at the University of Queensland, right before the AUSCERT conference. I remember having my first one-on-one with my boss, and my question was – can I go to the AUSCERT conference? That’s how I initially got involved with AUSCERT – it was the first thing I wanted to do.

What are the key benefits as an AUSCERT member?

A great benefit is the professional development offered by AUSCERT. The amount of professional development and networking you receive from the conference is awesome. Building those networks throughout your industry and other industries, including knowledge sharing, is a great benefit.

How has AUSCERT evolved over the years?

AUSCERT has definitely grown over the years – but a great thing is when you look at the management team at AUSCERT, they’re focused on giving back to the community. They strive to understand the community and make sure the services and provisioning align with what the community wants.

What advice would you give someone considering becoming an AUSCERT member?

You’ve got to join and be an AUSCERT member because they have the best conferences! I know it’s hard to justify budgets to go to conferences, but AUSCERT’s comes in its membership, so you’ll get to go to the conference.

What do you think the future holds for AUSCERT?

I know the AUSCERT management team are going to keep aligning their services to what the community wants. I predict there will be more training on a variety of different topics.

How has your AUSCERT membership impacted your organisation’s overall approach to cyber security?

AUSCERT also sits under the University of Queensland, so we’re somewhat related. We’re very lucky that our Cyber Security Operations Manager has been working with AUSCERT to share knowledge. Therefore, our membership has been very beneficial, especially for our Cyber Security Operations Centre. We learn from AUSCERT analysts how they do things and bring those skills back to our team.

What sets AUSCERT apart from other organisations in the cyber security industry?

Honestly, everyone at AUSCERT goes in with the purest of intentions, wanting to make a positive difference for the cyber security community and the community at large. Unfortunately, that’s not true everywhere else. I actually sent both AUSCERT managers an email two days ago saying thank you. They lead with such genuineness, authenticity and care, and that’s what makes AUSCERT so special. There’s a lot of people in the industry out for profit, who don’t care about the community. AUSCERT embodies all that’s good within the cyber security industry.


Blogs

30 Years 30 Stories

9 Oct 2023

AUSCERT 30 Years 30 Stories – Chris Horsley

Who better to hear from than one of AUSCERT’s original seven security analysts, Chris Horsley. Working with AUSCERT from 2004 to 2006, Chris is now the Chief Technology Officer at Cosive, a cyber security consultancy firm based in Melbourne, Sydney and New Zealand. From helping victims get their credentials returned to utilising cryptographic analysis, Chris’ years of experience in the evolving cyber world are worth a read.

Can you describe a memorable experience you had while working with AUSCERT?

We dealt with a lot of financial malware back in those days — it was the early days of criminals writing malware to steal money from bank accounts, usually by stealing passwords. There was one malware crew who were more sophisticated than others and they would encrypt their data. To get their victims, they would place malware on the machines, which would upload the credentials to another server. We managed to get our hands on the encrypted data to find out whose data was stolen. We then used cryptographic analysis to work out how they were doing that encryption. We managed to break their encryption and then we went into a big program trying to get those credentials back to the people — the bank customers, the university employees and the government employees. It was a really meaningful job and very interesting in terms of the analysis work required.

Can you briefly describe your role and responsibilities during your time at AUSCERT?

Between 2004 and 2006 I was one of AUSCERT’s security analysts. It was a time when there were only seven of us, meaning we all had to do a bit of everything. We had what we called ‘point’, where we triaged all the correspondence coming in; whether it was a report about incident handling or a query from a member about how to approach a certain problem. We did a lot of security vulnerability work too and were constantly flooded with new information about patches and vulnerabilities. We had to analyse each and re-bundle them for AUSCERT members. Outside of this, we travelled to many conferences because we were the national CERT at this particular point in time. We would go to international conferences and talk to our counterparts in Europe, Asia, and the United States. I got a lot of opportunities to go travelling, which was an amazing experience.

With AUSCERT’s vast history, did you get to work on the beginning cases of phishing in Australia?

Around 2004, phishing became a big problem in Australia. AUSCERT did a lot of groundbreaking work because Australia was one of the first countries to be hit. As a team, we did a lot of analysis to find out how phishing worked, how they ran their servers and where they were, in order to figure out the most effective way for us to take them down. We would often try to chase the credentials and get them back into the hands of the victims.

Recapping on the 30 years AUSCERT has been around, how would you say the cyber security landscape has changed?

The cyber security landscape has changed drastically. We didn’t have smartphones in this era – it was all desktop machines and there were no operating systems that were self-contained mobile operators. However, despite the changes, phishing is still around and continues to this day. I still do that type of work and it’s 20 years since I joined AUSCERT and started working in this industry. One thing that has been a big change in the landscape is how mainstream cyber security has become. In the early days, a lot of companies weren’t thinking about cyber security as a problem. Businesses didn’t have cyber security officers and the board didn’t think about cyber security problems. These days cyber security is very mainstream. Another big change has been the consideration of the threat of cyber warfare. Back then, a lot of people were debating whether cyber warfare could become ‘a thing’. These days, cyber warfare has definitely eventuated and it’s definitely a different playing field in terms of how cyber security and attacks on computer systems are accepted as a serious problem.

What was the most significant security incident you dealt with while at AUSCERT?

One of the most significant incidents I dealt with was what I called ‘credential repatriation’, where I would find financial malware uploading to servers, often gigabytes worth of stolen credentials. I ended up writing a lot of software that analysed who got their credentials stolen. I would try to write software as best I could to get their credentials back into the hands of the organisations they were stolen from. I spent a lot of time poring through these logs and trying to get them back into the right hands so that the owners of the accounts could change passwords and remediate damages. I remember that being very rewarding work.

How did AUSCERT support its members in improving their security posture, and what were some of the most effective strategies you used?

Quite often members would ring us because they would be going through an incident. At that time, there was a lot less public information and supporting documentation around. Members would often have an incident that they were trying to handle, and they would ring us, so we could be a sounding board for them. When you’re handling an incident, it can be a very stressful experience and often by talking to us, we could give feedback or listen to what they had done so far and provide them with assistance.

How has your experience working at AUSCERT influenced your career path and approach to cyber security?

I view my time at AUSCERT as foundational. It was my first cyber security role – prior to it I’d been a software developer building web applications. My time at AUSCERT taught me so much about incident response, coordination and vulnerability handling. One of my most rewarding experiences was the relationships I built with the other seven analysts I worked with. They were a great group of people who I stay in touch with to this day. I have so many great memories of that time.


Week in review

AUSCERT Week in Review for 6th October 2023

6 Oct 2023

Greetings,

This month is Cyber Security Awareness Month, an important time for everyone to improve their knowledge of cyber security and take proactive steps to safeguard their information and devices. At AUSCERT, we believe cyber security should be an integral part of our everyday routines and should be treated as an enabler in every organisation. We recognise that for the broader public, who may not be as immersed in the cyber security world, this month serves as a timely reminder of its crucial role in our lives. We’d like to emphasise the role of cyber leaders in extending their expertise and encouraging everyone within their organisation, community, or home to adopt a few simple tips; our Stay Cyber Safe blog post collects a shareable set.

Engaging in regular training is crucial for staying ahead in the field of cyber security. AUSCERT offers a diverse range of training courses that are specifically designed to provide you with the most relevant and up-to-date knowledge and skills. With experienced practitioners offering real-world advice and solutions, you can ensure you are well-equipped. In particular, the importance of data governance is continually growing in today’s data-centric business landscape. Many industries and organisations are subject to regulatory requirements regarding data management and privacy, making it a pivotal component of an effective organisation. Our Data Governance Principles and Practices training course equips participants with the fundamental skills and knowledge required to develop a structured framework that your organisation can follow to ensure it is managing data effectively. The course also covers how effective data governance contributes to cyber security initiatives. Hurry, this is the last opportunity this year to register for this training course.

In conclusion, let’s lead our community towards being safer online! With improved knowledge, we can ensure that we are cyber-wise and better prepared to protect ourselves and our organisations from cyber threats. Together we can make a safer cyber world!

Millions of Exim mail servers exposed to zero-day RCE attacks
Date: 2023-09-29
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical zero-day vulnerability in all versions of the Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers. Found by an anonymous security researcher and disclosed through Trend Micro's Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an out-of-bounds write weakness in the SMTP service. Exim's own analysis narrowed exposure to servers with the EXTERNAL authenticator configured, consistent with the exim4 bulletin below, so checking your Exim configuration for that authenticator is the quickest way to establish whether a given server is actually reachable by this bug.

Atlassian patches critical Confluence zero-day exploited in attacks
Date: 2023-10-04
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks. "Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances," the company said. Because the observed exploitation created administrator accounts, upgrading alone is not enough: review the user list for unexpected administrators, check for unexpected members of the confluence-administrators group, and rotate credentials on any instance that was exposed while unpatched.

Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
Date: 2023-10-04
Author: Security Week
[See AUSCERT Security Bulletin 05 October 2023: ESB-2023.5703]
Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform are showing no signs of slowing down. The Cupertino device maker on Wednesday rushed out a new patch to cover a pair of serious vulnerabilities and warned that one of the issues has already been exploited as a zero-day in the wild. In a barebones advisory, Apple said the exploited CVE-2023-42824 kernel vulnerability allows a local attacker to elevate privileges, suggesting it was used in an exploit chain in observed attacks.

The biggest hack of 2023 keeps getting bigger
Date: 2023-10-02
Author: Wired
In a field of shocking, opportunistic espionage campaigns and high-profile digital attacks on popular businesses, the biggest hack of 2023 isn’t a single incident, but a juggernaut of related attacks (the Cl0p mass exploitation of Progress MOVEit Transfer) that keeps adding victims to its score. In the coming months, more people, as many as tens of millions, could find out that their sensitive information has been compromised. But more still will likely never learn of the situation or its impact on them.

New 'Looney Tunables' Linux bug gives root on major distros
Date: 2023-10-03
Author: Bleeping Computer
A new Linux vulnerability known as 'Looney Tunables' (CVE-2023-4911) enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader, triggered through the GLIBC_TUNABLES environment variable when a set-user-ID program is started. The GNU C Library (glibc) is the GNU system's C library and is present on most Linux kernel-based systems. It provides essential functionality, including wrappers for system calls such as open and exit and library routines such as malloc and printf, necessary for typical program execution. Because the loader runs before any application code, the fix is a glibc package update followed by restarting or rebooting so that long-running processes pick up the new library.

ESB-2023.5669 – ALERT Cisco Emergency Responder: CVSS (Max): 9.8
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

ESB-2023.5668 – ALERT Confluence Data Center and Confluence Server: CVSS (Max): 10.0
Privilege escalation vulnerability in Confluence Data Center and Server.

ESB-2023.5632 – firefox-esr: CVSS (Max): 9.8
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

ESB-2023.5637 – exim4: CVSS (Max): 9.8
Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

Stay safe, stay patched and have a good weekend!

The AUSCERT team


Blogs

Stay Cyber Safe

6 Oct 2023

Here are a few of our key tips to share with your family, friends, or colleagues on how to stay cyber safe!

Update your devices and apps regularly
Software updates often contain security fixes for weaknesses that attackers exploit to compromise devices. Ensure all your systems are being regularly updated, preferably automatically.

Use strong multi-factor authentication
The primary objective of multi-factor authentication is to reduce the risk of account takeover. It provides an added layer of security to protect users and their data. Where a service offers a choice, prefer phishing-resistant factors such as hardware security keys or passkeys, then authenticator apps, over SMS codes, which can be intercepted or redirected through SIM swapping.

Use passphrases and password managers
A password manager is an application or program that stores passwords or passphrases for all your accounts. With a password manager, you only need to remember one master password, and it can create and store complex and unique passwords for everything else.

Be careful clicking links
Exercise caution when encountering any links, especially those from unknown or untrusted sources. Phishing emails are often disguised as legitimate messages from reputable sources aiming to trick individuals into clicking malicious links.

QR code phishing (“quishing”)
Only scan QR codes from trusted sources, and be cautious when scanning codes received through unsolicited messages or on unknown websites. See our Quishing Attacks blog post for more detail.

Be careful using public USB ports
Using USB ports in public places, such as airports, can pose a security risk. A USB data blocker (or a charge-only cable) blocks data transfer, preventing unauthorised access or malware installation while the device charges.

Be mindful of social engineering tactics and techniques
Social engineering attacks involve manipulating individuals into revealing confidential information, performing certain actions or making security mistakes. These attacks exploit human psychology and trust to deceive victims. Educate yourself and others about common tactics such as phishing emails, pretexting (creating false scenarios to obtain information), baiting (enticing victims to download malware) and tailgating (following someone into a secure area without authorisation).

Be careful using public Wi-Fi
Public or free Wi-Fi can be used to intercept data, redirect users to malicious sites and attack devices directly. It is much safer to use the hotspot functionality of your phone.

Never leave your devices unattended
You never know what criminals are lurking, so it’s safest to always keep an eye on all your devices. As mobile phones are commonly used as part of multi-factor authentication, they are a target for attackers.

Report
Report any suspicious activity! If you’re a member, feel free to contact us directly and we can assist. Otherwise you can contact Scamwatch (https://www.scamwatch.gov.au/).

Undertake training courses to better educate yourself
We run a diverse range of training courses to enable you to better understand and respond to cyber threats. For more information see https://wordpress-admin.auscert.org.au/services/auscert-education/


Blogs

30 Years 30 Stories

4 Oct 2023

AUSCERT 30 Years 30 Stories – Brian Hay

Long-term AUSCERT Cyber Security Conference presenter and supporter Brian Hay speaks of the importance and unique qualities of AUSCERT. With a background in law enforcement within the Queensland Police, Brian now works with Cultural Cyber Security, a business whose mission is to build cyber security confidence across Australia. If you want to know why Brian wholeheartedly supports AUSCERT – read on.

Working for Cultural Cyber Security, could you give us a brief history of your connection to AUSCERT?

I’ve been coming to the AUSCERT Cyber Security Conference for what feels like most of my life. I can’t believe it’s been 30 years! Cultural Cyber Security was born out of a need for building cyber resilience across businesses, organisations, and within people themselves. I have 37 years of experience in law enforcement as a former Detective Superintendent for Queensland Police, giving me a wonderful association with AUSCERT and an insight into how incredibly relevant the issue of cyber security is.

What do you think is most significant about AUSCERT?

AUSCERT to me is about community, leadership and defining a difference that is meaningful for the communities of this great nation. If I had to define AUSCERT in one word, it would be thought leadership because AUSCERT brings together governments, law enforcement agencies, vendors, global brands and global speakers. The AUSCERT conference is a brilliant forum for getting thought leaders in one location to stimulate thinking today, so we’re in a better place tomorrow.

How does the AUSCERT Cyber Security Conference stand out from other conferences?

When I look around at other events and I speak to a lot of people in different locations, not just in Australia but overseas, the difference is at AUSCERT you know you’re part of a community. To show you how powerful and what great allies they are, I contacted AUSCERT back in my law enforcement days if I needed a website taken down. AUSCERT could achieve it within 24 hours, as opposed to a formal process which could take weeks to achieve the same outcome. Every member needs AUSCERT as allies because we don’t know where our adversaries are and they constantly change. It’s AUSCERT and the activities that AUSCERT does with similar entities around the world that are our best chance of defence.

Looking ahead, what do you think the future holds for AUSCERT, and how do you see the organisation continuing to play a vital role in the cyber security community?

The cyber security community has many moving parts and lots of self-interest, but the beauty of AUSCERT is that it’s not about self-interest. AUSCERT is more about the interests of the greater Australian community. When I look at other events, what I see is a focus on the vendor. Vendors are important, but what’s more important is the technology conversation. With AUSCERT it’s about the technology, community, leadership and what’s coming next. It may involve technology, humanity, criminals and challenges we haven’t even thought of yet.

Why do you support AUSCERT?

AUSCERT provides a lot of support to organisations, and I’ve connected with them throughout my career. I’ve reached out to AUSCERT to support people or entities who are not members and they do so without question. You know they’re not negotiating a contract or seeking a financial return; they are doing it because it’s simply the right thing to do. In these ever-changing times, I have faith that integrity means something. When I think of AUSCERT I think of integrity, leadership, collaboration, community, and future. Australia needs AUSCERT and AUSCERT needs Australia to support it because the future of our children rests in the hands of entities like AUSCERT, its membership base and those who support it every year. The people in the cyber community are champions, and they need a platform to share their voice, which AUSCERT provides brilliantly.


Blogs

Quishing Attacks

3 Oct 2023

AUSCERT has recently observed a surge in incidents of “quishing” and aims to proactively inform its members about this emerging threat.

Quishing, also known as QR code phishing, is a type of cyber attack that tricks someone into scanning a QR code with a mobile device. The malicious codes are designed to look legitimate, often resembling QR codes found on product packaging, promotional materials or in public spaces. Once scanned, the code can redirect the user to a fraudulent website, exposing them to identity theft, financial fraud or the installation of malware on their device. Malicious QR codes are distributed through various channels, including email, social media and even physical flyers. The technique works well for attackers because the destination URL is hidden inside an image rather than presented as a clickable link, so it is often not rewritten or inspected by the mail gateway, and the victim opens it on a personal phone that sits outside the organisation’s web filtering and endpoint controls.

During the previous week, AUSCERT analysed email samples submitted by its member organisations. Recipients were prompted to scan a QR code, and the majority of these emails falsely claimed to originate from a manager within the recipient’s organisation. AUSCERT observed that the QR code embedded in the email contained a URL leading to a deceptive website impersonating reputable brands or organisations such as Microsoft, which then prompted the recipient to enter their credentials.

To avoid falling victim to QR code phishing, AUSCERT recommends the following precautions:

Be cautious of the source: Only scan QR codes from trusted and reputable sources. Avoid scanning codes from unknown or suspicious sources, especially if received through unsolicited messages or emails.

Preview the URL behind the QR code: Use a QR scanning tool that shows the URL contained in the code before opening it. The built-in camera app on an iPhone previews the domain encoded in the QR code. You can also use a free online QR code scanner to read the content of a QR code (check its privacy policy first, since you are uploading the image to a third party). DNS Checker (https://dnschecker.org/qr-code-scanner.php) is one of the free tools available. Note that a preview shows only the first hop: a URL shortener or redirect can still lead somewhere else, so treat shortened links with the same suspicion as unknown ones.

Use a QR code scanner with built-in security features: Choose a reliable QR code scanner app that includes security features such as URL scanning or warning notifications for potentially harmful websites (e.g. QR Scanner – Safe QR Code Reader, https://play.google.com/store/apps/details?id=com.trendmicro.qrscan).

Keep your devices updated: Regularly update your smartphone or other scanning devices with the latest security patches and firmware updates. This helps protect against known vulnerabilities that attackers may exploit.

Be cautious of personal information requests: If a scanned QR code prompts you to provide personal information, such as login credentials or financial details, exercise caution. Legitimate sources typically do not request sensitive information through QR codes.

Additionally, organisations are encouraged to promote awareness and educate their staff about the risks associated with QR code phishing, and to implement security measures that mitigate these threats, such as multi-factor authentication on the accounts being targeted and mail filtering that can inspect image attachments for QR codes. By staying informed and taking proactive steps, we can help minimise the impact of QR code phishing attacks.

More information:
https://techwireasia.com/2023/08/quishing-attacks-on-the-rise/
https://www.malwarebytes.com/blog/news/2023/08/qr-codes-deployed-in-targeted-phishing-campaigns
https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/five-common-qr-code-scams
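As an added example (not AUSCERT tooling and not part of the original advisory), the following Python triages a URL that has already been decoded from a QR code, applying the checks described above: is the payload a web URL at all, does the host sit under a trusted domain (TRUSTED_DOMAINS is a hypothetical allowlist an organisation would maintain), does the hostname carry a brand name such as Microsoft while pointing somewhere else, is the real destination hidden behind a shortener, a bare IP address, a punycode label or a "trusted-name@real-host" userinfo trick, and does the path look like a login page. The sample payloads are constructed, standing in for the output of a QR decoder.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added example, not AUSCERT tooling. TRUSTED_DOMAINS is a hypothetical
allowlist an organisation would maintain; the payloads in SAMPLES are
constructed, not observed campaign data.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Hosts the organisation expects its staff to sign in to (hypothetical).
TRUSTED_DOMAINS = ("login.microsoftonline.com", "microsoft.com", "example.com.au")
# Brand strings the observed lures imitated; a brand name in the host of an
# untrusted domain is the classic "microsoft-login.<attacker>.net" pattern.
BRAND_KEYWORDS = ("microsoft", "office365", "o365", "sharepoint", "outlook")
# A preview of a shortener only shows the first hop, never the destination.
URL_SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd")
CREDENTIAL_HINTS = ("login", "signin", "sign-in", "verify", "password")


def _under_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(payload):
    """Return {'verdict': 'allow'|'review'|'block'|'not-a-url', 'host': str|None, 'reasons': [str]}."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # WIFI:, tel:, vCards and plain text are not web URLs; handle them elsewhere.
        return {"verdict": "not-a-url", "host": None, "reasons": ["payload is not an http(s) URL"]}

    host = (parts.hostname or "").lower()
    reasons, block = [], False

    # 'https://login.microsoftonline.com@203.0.113.5/' sends the browser to
    # 203.0.113.5; the trusted-looking text before '@' is only userinfo.
    if parts.username is not None:
        reasons.append(f"userinfo before '@' disguises the real host {host!r}")
        block = True
    if _is_ip_literal(host):
        reasons.append("destination is a bare IP address")
        block = True
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (internationalised) host label, possible homograph")
        block = True
    if host in URL_SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    if parts.scheme != "https":
        reasons.append("plain http, not https")

    trusted = _under_trusted(host)
    if not trusted:
        if any(brand in host for brand in BRAND_KEYWORDS):
            reasons.append("brand name in host but host is not under a trusted domain")
            block = True
        path_and_query = unquote(f"{parts.path}?{parts.query}").lower()
        if any(hint in path_and_query for hint in CREDENTIAL_HINTS):
            reasons.append("path/query looks like a credential prompt on an untrusted host")

    if block:
        verdict = "block"
    elif trusted and not reasons:
        verdict = "allow"
    else:
        verdict = "review"
    return {"verdict": verdict, "host": host, "reasons": reasons}


# Constructed decoded payloads, standing in for the output of a QR decoder.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft365-login.example-auth.net/signin?user=a%40b",
    "http://bit.ly/3abcdef",
    "https://login.microsoftonline.com@203.0.113.5/auth",
    "WIFI:T:WPA;S:guest;P:secret;;",
]


def triage_samples():
    return {payload: triage_qr_url(payload) for payload in SAMPLES}


if __name__ == "__main__":
    for payload, result in triage_samples().items():
        print(f"{result['verdict']:9} {payload}")
        for reason in result["reasons"]:
            print(f"          - {reason}")
```

The decoding step itself is assumed to happen before this function runs (a camera preview, or an image decoder such as zbar in a mail-filtering pipeline). The "review" verdict for the shortener case is deliberate: the preview cannot tell you where bit.ly will send you, so the only safe options are to expand the link in a sandbox or not follow it at all.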


Blogs

30 Years 30 Stories

3 Oct 2023

AUSCERT 30 Years 30 Stories – Gary Gaskell

With three decades of experience in cyber security, Gary Gaskell has been putting his skills to good use by helping those with limited cyber security knowledge grow their capabilities. Based in Brisbane, Gary is a long-time AUSCERT supporter and delivers some of AUSCERT’s training programs.

With a long history in cyber security, how does the industry compare with when you started?

Starting 30 years ago, it was exciting. We were on the edge of something new, doing business over the Internet. We began communicating simply across borders and much faster than fax machines and letters. For the past 20 years, I’ve been working for myself, which specifically means working for others. I help individuals lift their security levels, developing strategies and understanding their risk environment.

What kind of training do you provide? And why do you think this training is important?

For those who have been in the industry from the start, it’s time to give back. There’s a big skill shortage in this country, where everyone should benefit from experiences like mine. I can assist clients in tackling novel situations, direct them to good information and help improve security for their organisations. Training is a challenge due to the diversity of knowledge required to secure our complex systems today. In the beginning, we had computers we called mainframes and they were easily controlled. Now there are thousands of different technologies. Our main goal is to help individuals understand the fundamental principles.

What does the future hold for AUSCERT? And how do you see the organisation continuing to play a vital role in the cyber security community?

AUSCERT creates huge awareness and provides opportunities for individuals to lift their knowledge and skills. For example, leading and starting the AUSCERT conference. With AUSCERT’s leadership, they created this conference, providing a platform for practitioners to share case studies. We began to share what worked and what didn’t work, learning about the future. I go to other conferences in Australia as well, but when I return to work, the things I add to my checklist are from the high-quality speakers that attend AUSCERT. I wouldn’t miss it.

What sets AUSCERT apart from other organisations in the cyber security space?

AUSCERT is unique in our community. They’re eager to share their information, whilst commercial suppliers typically share a limited selection of their data. Many government competitors are conscious of classification, regulating who and what they share. AUSCERT, on the other hand, provides a holistic approach for its members, enabling agility. It’s that can-do attitude, joined by many great technicians, that makes AUSCERT stand out.

How should organisations facilitate skill improvement? And why is this important?

AUSCERT’s training programs aim to address the skill shortages in our community. Often incidents occur due to individuals being unaware of free security features. I believe problems occur due to a lack of awareness. AUSCERT is here to rectify this. The Cyber Security 101 course helps organisations understand the basic features available to keep companies secure. The classes are very popular and appreciated by all those who attend.

Why would you encourage others to become AUSCERT members?

AUSCERT has a depth of experience in responding to crises due to its long history. Their mature approach to understanding incidents and providing management is unlike any other organisation. AUSCERT’s incident management is preparing you for the unexpected. It’s not just an individual playbook for ransomware on a Windows product. That’s a key value that AUSCERT provides.


Week in review

AUSCERT Week in Review for 29th September 2023

29 Sep 2023

Greetings,

As the long weekend approaches and we eagerly anticipate time away from work and the daily grind, it's important to remain aware that holidays create opportunities for cyber criminals to exploit vulnerabilities and launch phishing scams. Attacks tend to increase during holiday seasons, when people are often more distracted and may be expecting various online communications and transactions related to holiday shopping, travel plans and gifts from friends and family.

Recently a persistent gift card phishing campaign has been circulating, leaving unsuspecting individuals exposed. This ongoing gift card scam continues to evolve, recently employing random email accounts from Gmail or compromised domains. It typically impersonates company CEOs and targets both employees’ personal and work email addresses. Some of the deceptive Gmail accounts use aliases like “teamrecognition@gmail.com” or “ceo.name@gmail.com”, making them increasingly difficult to detect. Even emails with innocent subject lines like “Recognizing Excellence – Prompt Response!!” could be part of the scam.

To stay safe, here’s what you can do:

Know the danger: Make sure your constituents are aware that this phishing scam is common; explain how it works and why it’s a threat. Any request to purchase gift cards is highly likely to be malicious. This is a great ‘red flag’ to use in awareness messaging.

Check emails carefully: Look closely at the sender’s email address, especially if they’re asking you to buy gift cards or give out personal information. If anything seems suspicious, contact the person through a different channel (not the reply-to address in the original email) to check. A phone call is usually very effective.

Have a plan: Know what to do if you think you’ve been tricked by this scam or if you spot something suspicious, and be ready to act quickly.
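As an added example (not AUSCERT tooling and not part of the original newsletter), the following Python scores an inbound message against the indicators described above: a display name that matches an executive while the address is on a free webmail domain or anywhere other than that executive’s real domain, a “ceo.name” style local part, a Reply-To that diverges from From, a request for gift cards, and urgency or secrecy language. The executive directory and the four sample messages are constructed; the weights are illustrative.

```python
"""Score inbound mail for the 'CEO wants gift cards' lure.

Added example, not AUSCERT's own tooling. EXECUTIVES is a hypothetical
directory and the messages in SAMPLES are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# People the lure impersonates and the domain they really send from (hypothetical).
EXECUTIVES = {"jane citizen": "example.com.au", "john smith": "example.com.au"}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|itunes\s*cards?|google\s*play\s*cards?)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent(ly)?|asap|prompt response|right away|immediately|confidential|discreet(ly)?)\b", re.I
)
# Illustrative weights: impersonation or a gift card ask alone is enough to flag;
# the two together, or either plus supporting signals, quarantines.
WEIGHTS = {"impersonation": 3, "gift_card": 3, "freemail": 1,
           "reply_to_mismatch": 1, "urgency": 1, "exec_local_part": 1}


def score_message(raw):
    """Return {'verdict': 'deliver'|'flag'|'quarantine', 'score': int, 'reasons': [str]}."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()
    name_key = " ".join(name.split()).casefold()
    internal = domain in set(EXECUTIVES.values())
    reasons = []

    # Display name of a known executive, but the address is not on their real domain.
    expected = EXECUTIVES.get(name_key)
    if expected and domain != expected:
        reasons.append("impersonation")
    if domain in FREEMAIL:
        reasons.append("freemail")
    # 'ceo.john.smith@outlook.com' style local parts built from a title or a name.
    if not internal and (local.startswith("ceo")
                         or any(tok in local for key in EXECUTIVES for tok in key.split())):
        reasons.append("exec_local_part")
    # A Reply-To on another domain steers the conversation away from the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("reply_to_mismatch")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if GIFT_CARD_RE.search(text):
        reasons.append("gift_card")
    if URGENCY_RE.search(text):
        reasons.append("urgency")

    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed messages: two lures, one legitimate internal gift card request, one routine mail.
SAMPLES = {
    "ceo_lure": (
        'From: "Jane Citizen" <teamrecognition@gmail.com>\n'
        "Reply-To: jane.citizen@proton.me\n"
        "To: staff@example.com.au\n"
        "Subject: Recognizing Excellence - Prompt Response!!\n"
        "\n"
        "Are you available? I need you to buy gift cards for the team today.\n"
        "Keep this confidential and send me the codes.\n"
    ),
    "ceo_alias": (
        'From: "John Smith" <ceo.john.smith@outlook.com>\n'
        "To: staff@example.com.au\n"
        "Subject: Quick task\n"
        "\n"
        "I am in a meeting. Pick up Apple gift cards and reply asap with the codes.\n"
    ),
    "internal_request": (
        'From: "Jane Citizen" <jane.citizen@example.com.au>\n'
        "To: staff@example.com.au\n"
        "Subject: Raffle prizes\n"
        "\n"
        "Could you grab a couple of gift cards for the raffle? Use the corporate card.\n"
    ),
    "routine": (
        'From: "Jane Citizen" <jane.citizen@example.com.au>\n'
        "To: staff@example.com.au\n"
        "Subject: Q3 results\n"
        "\n"
        "Slides attached for Monday.\n"
    ),
}


def score_all():
    return {label: score_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in score_all().items():
        print(f"{label:17} {result['verdict']:10} {result['score']:2} {result['reasons']}")
```

The legitimate internal raffle message is scored "flag" rather than "deliver": a gift card keyword on its own is worth a second look but not a hold, while the display-name mismatch against a known executive is the signal that justifies quarantining on its own, which is why it carries the same weight as the gift card ask.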
Stay vigilant during holidays and be cautious when receiving unsolicited requests for gift cards or any form of payment. Always verify the legitimacy of the request, especially if it seems unusual or urgent. For more information on how to stay ahead of these scams, visit Avoiding and Reporting Gift Card Scams and Protecting Yourself from Gift Card Scams.

New Cisco IOS Zero-Day Delivers a Double Punch
Date: 2023-09-29
Author: Dark Reading
A vulnerability affecting Cisco operating systems could enable attackers to take full control of affected devices, execute arbitrary code, and cause reloads that trigger denial of service (DoS) conditions. At least one attempt at exploitation has already occurred in the wild.

Progress warns of maximum severity WS_FTP Server vulnerability
Date: 2023-09-28
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software. The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.

In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
Date: 2023-09-25
Author: Security Week
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical vulnerability in the TeamCity CI/CD server could be exploited remotely, without authentication, to execute arbitrary code and gain administrative control over a vulnerable server. Developed by JetBrains, TeamCity is a general-purpose build management and continuous integration platform available both for on-premises installation and as a cloud service. The recently identified critical flaw, tracked as CVE-2023-42793 (CVSS score of 9.8), is described as an authentication bypass impacting the on-premises version of TeamCity.

Google assigns new maximum rated CVE to libwebp bug exploited in attacks
Date: 2023-09-26
Author: Bleeping Computer
Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.

Hackers actively exploiting Openfire flaw to encrypt servers
Date: 2023-09-26
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers. Openfire is a widely used Java-based open-source chat (XMPP) server, downloaded 9 million times and used extensively for secure, multi-platform chat communications.

ESB-2023.5513 – macOS Sonoma 14: CVSS (Max): 9.8*
Apple released macOS 14 Sonoma, and the latest version of the operating system patches over 60 vulnerabilities.

ESB-2023.5533 – Mozilla Firefox: CVSS (Max): None
Mozilla released Firefox 118 with patches for nine vulnerabilities, including high-severity flaws.

ESB-2023.5538 – Cisco Catalyst SD-WAN Manager: CVSS (Max): 9.8
Cisco has patched vulnerabilities in several versions of its Catalyst SD-WAN software. The most critical is an unauthorised access vulnerability in Catalyst SD-WAN’s Security Assertion Markup Language (SAML) APIs.

ESB-2023.5547 – Cisco IOS and IOS XE Software: CVSS (Max): 6.6
Cisco has released patches for multiple vulnerabilities impacting its products, including a zero-day IOS and IOS XE software vulnerability targeted by attackers in the wild.
Stay safe, stay patched and have a good weekend! The AUSCERT team


Blogs

30 Years 30 Stories

28 Sep 2023

AUSCERT 30 Years 30 Stories – Jamie Gillespie

Past AUSCERT employee and long-time supporter Jamie Gillespie kickstarted his career in cyber security as AUSCERT experienced massive growth in the early 2000s. The role allowed Jamie to travel internationally, and he looks back on his time with AUSCERT with appreciation. Now working at the Asia-Pacific Network Information Centre (APNIC), Jamie is a repeat speaker at AUSCERT conferences.

How long did you work for AUSCERT?

I was a senior security analyst for eight years in the early 2000s, when AUSCERT was small and experiencing lots of growth. In 2002 AUSCERT held its first conference, which I was lucky enough to help plan, organise and execute, doing so for several years after that. We also conducted the first computer crime and security survey in 2002. Working with Katherine Kerr and the rest of the team, we asked the questions, analysed the data, and created presentations to showcase at AUSCERT and other conferences as well.

What’s it like being a speaker at the AUSCERT conference? What will you be talking about this year?

I’ve spoken at the AUSCERT conference for a couple of years now. Last year my presentation was on APNIC’s Vulnerability Reporting Program. This year, my presentation was on TLS implementations of SMTP servers. It’s a niche topic, but I had a good time putting the data together, and a lot of delegates were interested as well. It was great to be able to share my research and tips on improving SMTP and email security.

Can you describe a particularly memorable experience you had when working at AUSCERT?

The most memorable part of working at AUSCERT was when I moved into the training team. We were delivering training in capital cities around Australia and New Zealand. We delivered technical training as well as security management training. I went to many countries doing Computer Security Incident Response Team (CSIRT) training, helping them to grow or establish their teams. Thailand was my favourite, but I also travelled to Papua New Guinea, Mexico, Chile, Peru, and Singapore. I found helping other countries create their own national security teams to be very rewarding. Some governments took longer than others, but now I can look back and see these countries with established national security teams, participating in global cooperative efforts to make the internet more secure.

How has the cyber security landscape changed since you worked at AUSCERT, and what new threats have emerged?

Security has changed a lot since my time at AUSCERT. In the eight years I was there, we began selling security to organisations, informing them of the importance of security programs and technical security uplifts. Now, with the high publicity of major security breaches such as Optus and Medibank, it’s impacting almost everyone on a personal level. It doesn’t matter if they’re regular employees in an organisation or on the board and C-suite; employees understand security because they’re being impacted day to day. On a corporate level, this has made security discussions much easier.

How do you think AUSCERT supports its members in achieving their security posture, and what are some of the most effective strategies you used?

In the early 2000s, we had the basic incident response and training services, but now AUSCERT has expanded. The number of services that they’re providing, both technical and human interaction, are wonderful. The AUSCERT Cyber Security Conference is a great forum for raising security awareness and providing knowledge sharing. When AUSCERT started in 2002, there were no good independent security conferences in Australia. Some were vendor-based, but it was largely vendor pitches. The general services that AUSCERT provide to all members have been growing and I’m excited to see what AUSCERT does next.

How has your experience working at AUSCERT influenced your career path and approach to cyber security?

When I started at AUSCERT in 2001, I had recently moved from Canada and, while I was working in IT, I didn’t have the opportunity to concentrate on a dedicated information security role. My senior security analyst role at AUSCERT gave me the opportunity to concentrate on security. The eight years that I spent at AUSCERT really kickstarted my information and cyber security career. I have a lot to pay back to AUSCERT for the opportunity that they gave me at that time and how they helped me progress in my career. AUSCERT is responsible for a significant portion of where I am today.
