1 Dec 2023

Week in review

Greetings,

As December unfolds and ushers in the enchanting Christmas season, a wave of joy and warmth embraces us. It’s that magical time when we dust off cherished decorations and unwrap trees, inviting a festive cheer into our lives. May your December days be adorned with happiness, love and the spirit of giving as we immerse ourselves in the holiday spirit!

On that note this year’s theme for AUSCERT2024 highlights the significant influence that everyone’s actions can carry within the broader cyber community. It promotes the idea of passing it forward by demonstrating how shared knowledge and collaboration can create a ripple effect, strengthening the entire cyber industry. Submit a presentation and contributing to the growth and development of our community. Join our upcoming webinar discussion to gain support in enhancing your presentation skills

In cyber news this week, the Queensland Parliament has successfully enacted a mandatory data breach notification scheme, set to impact state agencies from mid-2025 and local governments from mid-2026. Government agencies will be subject to new requirements for managing personal information, after the ‘Information Privacy and Other Legislation Amendment Act 2023’ was passed by parliament on Wednesday. Under the scheme, agencies must notify affected individuals and the Office of the Information Commissioner of data breaches that have the potential to result in serious harm.

This proactive notification process empowers individuals by enabling them to take decisive action to manage risks and mitigate potential harm arising from a data breach. Mandating notification underscores the importance of data security for agencies, prompting a more proactive approach to preventing and managing data breaches.In essence, this legislative measure not only safeguards individuals but also serves as a catalyst for improved data security practices within government entities. Queensland has become only the second state to legislate a mandatory data breach notification scheme for public sector entities, along with NSW.

In other news, the ACSC Essential Eight Maturity Model (E8MM) was recently updated to better assist organisations in protecting their digital assets against cyber threats. Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.


Critical bug in ownCloud file sharing app exposes admin passwords
Date: 2023-11-24
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.
ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform.
It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to maintain control over their data rather than hosting it at third-party cloud storage providers.

Essential Eight Maturity Model Update
Date: 2023-11-27
Author: ASD

As the Australian Signals Directorate (ASD) is committed to providing cyber security advice that is contemporary, fit for purpose and practical, the Essential Eight Maturity Model (E8MM) is updated annually. In doing so, it is designed to assist organisations in protecting their internet-connected information technology networks against common cyber threats.
Key focus areas for this update have included balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.

AI systems ‘subject to new types of vulnerabilities,’ British and US cyber agencies warn
Date: 2023-11-28
Author: The Record

“AI systems are subject to new types of vulnerabilities,” the 20-page document warns — specifically referring to machine-learning tools. The new guidelines have been agreed upon by 18 countries, including the members of the G7, a group that does not include China or Russia.
The guidance classifies these vulnerabilities within three categories: those “affecting the model’s classification or regression performance”; those “allowing users to perform unauthorized actions”; and those involving users “extracting sensitive model information.”

Guidelines for secure AI system development
Date: 2023-11-27
Author: NCSC

This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties.

Okta Breach Impacted All Customer Support Users—Not 1 Percent
Date: 2023-11-29
Author: WIRED

In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.


ESB-2023.7196 – Tenable Nessus: CVSS (Max): 9.8

Several of the third-party components (HandlebarsJS, OpenSSL, and jquery-file-upload) were found to contain vulnerabilities, and updated versions have been made available by the providers

ESB-2023.7117 – ALERT Google Chrome: CVSS (Max): None

The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows. This update includes 7 security fixes

ESB-2023.7077 – Perl: CVSS (Max): 9.8

Perl incorrectly handled printing certain warning messages. An attacker could possibly use this issue to cause Perl to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS. ( CVE-2022-48522 )

ESB-2023.7135 – Delta Electronics InfraSuite Device Master: CVSS (Max): 9.8

Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and obtain plaintext credentials

ESB-2023.7211 – ALERT Apple: CVSS (Max): None

Apple is aware of a report that this issue may have been exploited against some versions of iOS


Stay safe, stay patched and have a good weekend!

The AUSCERT team