29 Sep 2023

Week in review

Greetings,

As the long weekend approaches, and we eagerly anticipate time away from work and the daily grind, it's important to remain aware that holidays can create opportunities for cyber criminals to exploit vulnerabilities and launch phishing scams. Attacks tend to increase during the holiday season, when people are often more distracted and may be expecting various online communications and transactions related to holiday shopping, travel plans and gifts from friends and family.

Recently a persistent gift card phishing campaign has been circulating, leaving unsuspecting individuals vulnerable to cyber attacks. This ongoing gift card scam continues to evolve, recently employing random email accounts from Gmail or compromised domains. It typically impersonates company CEOs and targets both employees’ personal and work email addresses. Some of the deceptive Gmail accounts use aliases like “teamrecognition@gmail.com” or “ceo.name@gmail.com”, making them increasingly challenging to detect. Even emails with innocent subject lines like “Recognizing Excellence – Prompt Response!!” could be part of the scam. To stay safe, here’s what you can do:

  1. Know the Danger: Make sure your constituents are aware that this phishing scam is common, explain how it works and why it’s a threat. Any requests that ask for gift cards to be purchased are highly likely to be malicious. This is a great ‘red flag’ to be used in awareness messaging.

  2. Check Emails Carefully: Look closely at the sender’s email address, especially if they’re asking you to buy gift cards or give out personal information. If anything seems suspicious, contact the person using a different communications method (not using the reply-to address in the original email) to check. Using the phone is usually very effective.

  3. Have a plan: Know what to do if you think you’ve been tricked by this scam or if you spot something suspicious. Have a plan to act quickly.

Stay vigilant during holidays and be cautious when receiving unsolicited requests for gift cards or any form of payment. Always verify the legitimacy of the request, especially if it seems unusual or urgent. For more information on how to stay ahead of these scams, visit “Avoiding and Reporting Gift Card Scams” and “Protecting yourself from Gift Card Scams”.
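As an added illustration (not part of the AUSCERT bulletin), a small defender-side triage check for the red flags described above: an executive's display name arriving from a freemail or non-organisation domain, a Reply-To that differs from the From address, urgency cues in the subject, and gift card wording in the body. The organisation domain, executive name and sample messages are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed placeholders: the organisation's own mail domain and the
# display names of executives that the campaign impersonates.
ORG_DOMAIN = "example.org"
EXECUTIVE_NAMES = {"jane citizen"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Wording typical of the gift card scam and the urgency cues it relies on.
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b|\be-?gift\b|\bitunes\b|\bgoogle play\b", re.I)
URGENCY_RE = re.compile(r"\b(prompt|urgent|asap|immediately|right away)\b|!{2,}", re.I)


def score_message(headers, body):
    """Return (score, reasons) for one message.
    headers: dict with 'From', 'Reply-To' and 'Subject' (any may be missing).
    Each red flag adds one point; a score of 2 or more is worth a human look."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Executive display name but the message did not come from our domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        reasons.append("executive display name from external domain")
    if domain in FREEMAIL_DOMAINS:
        reasons.append("sender uses freemail domain")

    # Replies being steered to a different mailbox than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append("Reply-To differs from From")

    if URGENCY_RE.search(headers.get("Subject", "")):
        reasons.append("urgency cue in subject")
    if GIFT_CARD_RE.search(body):
        reasons.append("gift card request in body")
    return len(reasons), reasons


# Constructed samples: one message in the style of the campaign, one legitimate.
SCAM = ({"From": '"Jane Citizen" <teamrecognition@gmail.com>',
         "Subject": "Recognizing Excellence - Prompt Response!!"},
        "Are you available? I need you to pick up some gift cards for staff today.")
LEGIT = ({"From": '"Jane Citizen" <jane.citizen@example.org>',
          "Subject": "Recognizing Excellence"},
         "Thanks everyone for a strong quarter. Details at the all-hands next week.")

if __name__ == "__main__":
    for label, (hdrs, text) in (("scam", SCAM), ("legit", LEGIT)):
        print(label, score_message(hdrs, text))
```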


New Cisco IOS Zero-Day Delivers a Double Punch
Date: 2023-09-29
Author: Dark Reading

A vulnerability affecting Cisco operating systems could enable attackers to take full control of affected devices, execute arbitrary code, and cause reloads that trigger denial of service (DoS) conditions. And at least one attempt at exploitation has already occurred in the wild.

Progress warns of maximum severity WS_FTP Server vulnerability
Date: 2023-09-28
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.
The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software.

In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
Date: 2023-09-25
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical vulnerability in the TeamCity CI/CD server could be exploited remotely, without authentication, to execute arbitrary code and gain administrative control over a vulnerable server.
Developed by JetBrains, TeamCity is a general-purpose build management and continuous integration platform available both for on-premises installation and as a cloud service.
The recently identified critical flaw, tracked as CVE-2023-42793 (CVSS score of 9.8), is described as an authentication bypass impacting the on-premises version of TeamCity.

Google assigns new maximum rated CVE to libwebp bug exploited in attacks
Date: 2023-09-26
Author: Bleeping Computer

Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago.
The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.

Hackers actively exploiting Openfire flaw to encrypt servers
Date: 2023-09-26
Author: Bleeping Computer

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers.
Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times and used extensively for secure, multi-platform chat communications.


ESB-2023.5513 – macOS Sonoma 14: CVSS (Max): 9.8*

Apple released macOS 14 Sonoma and the latest version of the operating system patches over 60 vulnerabilities.

ESB-2023.5533 – Mozilla Firefox: CVSS (Max): None

Mozilla released Firefox 118 with patches for nine vulnerabilities, including high-severity flaws.

ESB-2023.5538 – Cisco Catalyst SD-WAN Manager: CVSS (Max): 9.8

Cisco has patched vulnerabilities in several versions of its Catalyst SD-WAN software. The most critical is an unauthorised access vulnerability in Catalyst SD-WAN’s security assertion markup language (SAML) APIs.

ESB-2023.5547 – Cisco IOS and IOS XE Software: CVSS (Max): 6.6

Cisco has released patches for multiple vulnerabilities impacting its products, including a zero-day IOS and IOS XE software vulnerability targeted by attackers in the wild.


Stay safe, stay patched and have a good weekend!

The AUSCERT team