26 Apr 2024

Week in review

Greetings,

Yesterday, Australians and New Zealanders commemorated Anzac Day, a meaningful occasion prompting us to pause and reflect on the profound sacrifices made for our nations. It was a time for many of us to unite in remembrance, honouring the struggles of our past while embracing hope for peace for generations to come. Communities joined together in a heartfelt display of gratitude, paying respect to the enduring legacy of our brave servicepeople. From touching dawn services to solemn marches, ceremonies, and heartfelt tributes, many people paid their respects to those who have served and continue to serve, ensuring that their courage and bravery are eternally remembered.

This week, we released another exciting episode of our podcast Share today, save tomorrow – Episode 33 – delving into ‘The World of AI’. Anthony sat down with Dr. Luke Zaphir from the University of Queensland, whose background in philosophy, particularly in political and educational spheres, adds a fascinating perspective to the world of artificial intelligence. Luke critically examines the significant advancements AI has made over the past two years, including ChatGPT’s meteoric rise to prominence and its diverse applications in our lives. Unlike previous iterations, today’s AI can swiftly produce content, conduct data analysis, and generate images at a remarkable level of sophistication. However, these developments are not without their flaws and risks.

The discussion also delves into the role of AI in cyber security, which brings both positives and negatives. While it provides potentially valuable tools for detecting malicious behaviour, it also gives threat actors more targeted tools and resources with which to deceive people globally. Luke emphasises the importance of applying key human characteristics such as critical thinking, ethics, and media literacy to counter the negative effects of AI.

In the second part of the episode, Bek and Principal Analyst Mark Carey-Smith have a chat about AUSCERT2024. Mark provides insights into the workshop he’ll be co-hosting with colleague Alex Webling, which delves into the significance of discussion exercises as an effective tool for cyber security professionals to enhance their impact within their organisations. These exercises can foster a supportive and collaborative environment, facilitating effective incident management through diverse perspectives and approaches. The workshop leverages the free Exercise in a Box (EiaB) resource, developed by the UK’s NCSC and Australia’s ACSC, which offers an intuitive, web-based platform for accessing a wide range of discussion exercises. Be sure to explore our program for more captivating and relevant workshops!


Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks
Date: 2024-04-20
Author: The Hacker News

[AUSCERT has identified members (where possible) and contacted them via email]
Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild.
"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday. "This has been patched in v11.1.0."
That said, customers who are operating their CrushFTP instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks.

FBI: Akira ransomware raked in $42 million from 250+ victims
Date: 2024-04-18
Author: Bleeping Computer

[AUSCERT recently shared IoCs and TTPs associated with Akira Ransomware group via MISP]
According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments.

Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
Date: 2024-04-23
Author: Help Net Security

[Note: CVE-2022-38028 was added to the CISA KEV on 23 April 2024. Please see https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog]
[Please also see the AUSCERT Bulletin published for CVE-2022-38028: ASB-2022.0193]
For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in the Windows Print Spooler service (CVE-2022-38028).

Most recently, the group has been spotted leveraging a known Microsoft Outlook vulnerability (CVE-2023-23397) to compromise email accounts of workers at public and private entities in Poland.

GPT-4 Is Capable Of Exploiting 87% Of One-Day Vulnerabilities
Date: 2024-04-22
Author: Cyber Security News

Large language models (LLMs) have achieved superhuman performance on many benchmarks, leading to a surge of interest in LLM agents capable of taking action, self-reflecting, and reading documents.
While these agents have shown potential in areas like software engineering and scientific discovery, their ability in cybersecurity remains largely unexplored.
Cybersecurity researchers Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang recently discovered that GPT-4 can exploit 87% of one-day vulnerabilities, which is a significant advancement.

MITRE says state hackers breached its network via Ivanti zero-days
Date: 2024-04-19
Author: Bleeping Computer

The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days.
The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.
MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives."

Behavioral patterns of ransomware groups are changing
Date: 2024-04-23
Author: Help Net Security

In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals.


ESB-2024.2510 – Google Chrome: CVSS (Max): None

Google has recently released security updates for its Chrome browser to address four potentially dangerous vulnerabilities. These updates, versions 124.0.6367.78/.79 for Windows and Mac, and 124.0.6367.78 for Linux, are crucial for safeguarding user data and system security. Among these vulnerabilities, CVE-2024-4058 is classified as critical.

ESB-2024.2511 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5

The latest security release from GitLab focuses on addressing a range of vulnerabilities that pose significant risks to code repositories and development workflows. It is highly recommended to upgrade to versions 16.11.1, 16.10.4, or 16.9.6 to enhance security measures and mitigate potential threats effectively.

ESB-2024.2280.4 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0

Palo Alto Networks has updated its advisory for CVE-2024-3400, introducing a new Threat Prevention Threat ID and a CLI command to detect potential exploit activity. The vulnerability title and description have also been clarified in these updates. AUSCERT has accordingly revised its bulletin to align with these changes. The vendor has provided fixes for the vulnerable GlobalProtect feature within PAN-OS software, and AUSCERT strongly advises its members to promptly apply these fixes to safeguard against potential exploitation risks.

ESB-2024.2551.2 – UPDATE ALERT Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services: CVSS (Max): 8.6

According to Cisco Talos, the attackers are targeting software defects in certain devices running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) products to implant malware, execute commands, and potentially exfiltrate data from compromised devices.


Stay safe, stay patched and have a good weekend!

The AusCERT team