20 Jan 2023

Week in review

Greetings,

Some of us are currently in “planning mode”, setting the tone for 2023. We recently blogged on the importance of cyber preparedness, giving tips for those responsible for briefing management on this topic.

For the rest of us, if you’re thinking “another year, more vulnerabilities and data breaches”, you’re not alone. Although cyber security professionals are often restricted due to the sensitive nature of our work, it’s pleasing to note that during several recent cyber security incidents, the affected organisations reached out to AUSCERT and asked us to share important information with our community. “Indicators of compromise” or just “IoCs” for short can be shared quickly (and anonymously if required) to help others defend against similar attacks.

In many cases these days, MISP (Malware Informaiton Sharing Platform) or even Slack is used to share this data. AUSCERT’s Member Slack is also good place to discuss what’s important and reach out to other like-minded professionals to compare notes on priority, sightings of threats and mitigation techniques.

If you’ve got a story to tell at the AUSCERT2023 Cyber Security Conference, whether a success or a learning experience you’ve had, you’ll need to head to the Call For Papers website before January 27. If you don’t think you’ve got a story, why not register for the free webinar on Tuesday January 24, “I don’t have anything to talk about”? We’re really keen to support first time presenters!


Too many default ‘admin1234’ passwords increase risk for industrial systems, research finds
Date: 2023-01-18
Author: CyberScoop

Easily guessed default passwords can be a malicious hackers’ easiest way to infiltrate a target. And all too often, according to research released Wednesday, operators of critical infrastructure companies aren’t updating off-the-shelf security credentials in internet devices connected to industrial systems.
“We’re seeing a lot of the ‘admin1234,’ meaning that [hackers are] still going to be using default credentials in hopes that no one is changing the credentials for IoT devices — which is pretty accurate,” said Roya Gordon, security research evangelist at Nozomi Networks, a cybersecurity firm that specializes in industrial security.

Over 4,000 Sophos Firewall devices vulnerable to RCE attacks
Date: 2023-01-17
Author: Bleeping Computer

Over 4,000 Sophos Firewall devices exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.
Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022).
The company warned at the time that the RCE bug was being exploited in the wild in attacks against organizations from South Asia.

Azure Services SSRF Vulnerabilities Exposed Internal Endpoints, Sensitive Data
Date: 2023-01-17
Author: SecurityWeek.Com

Cloud security company Orca has published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services, including two bugs that could have been exploited without authentication.
SSRF flaws, Orca explains, typically allow attackers to access the host’s IMDS (Cloud Instance Metadata Service), enabling them to view information such as hostnames, MAC addresses, and security groups.
Furthermore, such security defects could be exploited to retrieve tokens, execute code remotely, and move to another host.

Deserialized web security roundup – Slack, Okta security breaches, lax US government passwords report, and more
Date: 2023-01-13
Author: The Daily Swig

Slack suffered a security breach recently, “involving unauthorized access to a subset of Slack’s code repositories” according to the messaging platform.
The company said that although no customers were affected, an internal investigation revealed that an unknown actor downloaded private code repositories on or around December 27.
“We discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” a statement read.
“No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks
Date: 2023-01-16
Author: SecurityWeek.Com

Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.
The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.

Fortinet Says Recently Patched Vulnerability Exploited to Hack Governments
Date: 2023-01-13
Author: SecurityWeek.Com

Fortinet reported this week that a recently patched vulnerability tracked as CVE-2022-42475 has been exploited in highly targeted attacks aimed at government organizations.
The security hole impacts the FortiOS SSL-VPN and it can allow a remote, unauthenticated hacker to execute arbitrary code or commands using specially crafted requests.
The vulnerability’s existence was disclosed on December 12, 2022, when Fortinet warned that it was aware of in-the-wild exploitation. The company at the time announced patches and shared indicators of compromise (IoCs).

Norton LifeLock says 925,000 accounts targeted by credential-stuffing attacks
Date: 2023-01-17
Author: The Record

Nearly one million active and inactive Norton LifeLock accounts have been targeted by credential stuffing attacks, according to a statement from the cybersecurity product’s parent company.
Gen Digital – which owns Norton LifeLock and several other consumer cybersecurity brands – told The Record that 925,000 inactive and active accounts were locked down after their security team identified a high number of Norton account login attempts. The incident centered around Norton Password Manager users


ESB-2023.0269 – Firefox ESR: CVSS (Max): 8.8*

Multiple security issues have been found in the Mozilla Firefox ESR , which could potentially result in the execution of arbitrary code, information disclosure or spoofing. Security Vulnerabilities can be fixed by upgrading to Firefox ESR 102.7.

ASB-2023.0019 – Oracle Communications: CVSS (Max): 9.9

Oracle released a critical patch update contains 79 new security patches, plus additional third party patches for Oracle Communications.

ASB-2023.0013 – Oracle MySQL: CVSS (Max): 9.8

Oracle’s most recent patch update contains 37 new security patches for MySQL.

ESB-2023.0278 – Nessus: CVSS (Max): 9.1

Tenable has released Nessus 10.4.2 to address a privilege escalation vulnerability in Nessus versions 10.4.1 and earlier.

ESB-2023.0277 – Drupal Core: CVSS (Max): None

Drupal reports a vulnerability in Drupal Core which potentially could result in users with access to edit content seeing metadata about media items they are not authorized to access. Drupal advises its clients to apply provided updates.


Stay safe, stay patched and have a good weekend!

The AUSCERT team