Publications

Greetings, Some of you might have already heard the exciting news at AUSCERT. We are thrilled to officially introduce our new General Manager – Dr. Ivano Bongiovanni! With an impressive international career spanning over two decades in cyber security and risk management, Ivano joins us from his Senior Lecturer role in Information Security, Governance and Leadership with the UQ Business School. Motivated by AUSCERT's 30-year legacy and commitment to societal good, Ivano eagerly embraced the opportunity to join the team. In today's user-centric cyber security landscape, Ivano’s capability for guiding evidence-based decisions is critical. His expertise will fuel innovation in our services, ensuring proactive adaptation to our members' evolving needs. We're enthusiastic about the fresh perspectives and innovative ideas he brings, propelling us towards providing more advanced and tailored support and advice. We are excited for the future with Ivano guiding the way forward! With Australia observing Privacy Awareness Week, which is an annual event to raise awareness of privacy issues and the importance of protecting personal information, we invite you to attend two presentations at AUSCERT2024: "Privacy Pioneers: A Blueprint for Security Professionals" and "Deciphering Australia's Cyber Security Laws." These sessions offer comprehensive insights into privacy matters, equipping you with essential knowledge in this domain. This includes understanding the Privacy Act and associated obligations under this legislation, along with how to kickstart a privacy program. Find out more. Veeam fixes RCE flaw in backup management platform (CVE-2024-29212) Date: 2024-05-08 Author: Help Net Security [AUSCERT has identified the impacted members (where possible) and notified them via email] Veeam has patched a high-severity vulnerability (CVE-2024-29212) in Veeam Service Provider Console (VSPC) and is urging customers to implement the patch. Veeam Service Provider Console is a cloud platform used by managed services providers (MSPs) and enterprises to manage and monitor data backup operations. “Service providers can deploy Veeam Service Provider Console to deliver Veeam-powered Backup-as-a-Service and Disaster Recovery-as-a-Service services to their customers. Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution Date: 2024-05-06 Author: The Hacker News [AUSCERT has identified the impacted members (where possible) and notified them via email] More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that's vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. Citrix Addresses High-Severity Flaw in NetScaler ADC and Gateway Date: 2024-05-07 Author: Dark Reading Citrix appears to have quietly addressed a vulnerability in its NetScaler Application Delivery Control (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems. The bug was nearly identical to — but not as serious as — "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January. New BIG-IP Next Central Manager bugs allow device takeover Date: 2024-05-08 Author: Bleeping Computer [Please see AUSCERT bulletins: ESB-2024.2881 and ESB-2024.2882] F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create hidden rogue accounts on any managed assets. Next Central Manager allows administrators to control on-premises or cloud BIG-IP Next instances and services via a unified management user interface. The flaws are an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793) found in the BIG-IP Next Central Manager API that would allow unauthenticated attackers to execute malicious SQL statements on unpatched devices remotely. CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities Date: 2024-05-03 Author: Securtiy Week The US cybersecurity agency CISA and the FBI on Thursday released a Secure by Design Alert warning of path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities. Also known as directory traversal, path traversal flaws rely on manipulated user input to access application files and directories that should not be accessible. Successful exploitation allows threat actors to manipulate arbitrary files, read sensitive data, and potentially fully compromise the system. ESB-2024.0272.2 – UPDATE ALERT GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 CISA issued a warning about threat actors actively exploiting a critical GitLab vulnerability, identified as CVE-2023-7028. This security flaw enables remote unauthenticated attackers to send password reset emails to email accounts they control, allowing them to change passwords and take over targeted accounts without requiring user interaction. ESB-2024.2875 – Apple iTunes: CVSS (Max): None An Apple iTunes (for Windows) vulnerability stemming from a boundary error in file processing enables a remote attacker to run arbitrary code on the target system. Apple has issued patches to resolve this security concern. ESB-2024.2860 – Google Chrome: CVSS (Max): None Two high severity vulnerabilities, CVE-2024-4558 and CVE-2024-4559, have been identified in Google Chrome. Google has released fixes to address these issues, and administrators are advised to apply the fixes to stay protected. ESB-2024.2828 – Android: CVSS (Max): 8.4* Google recently released security updates for Android, targeting 26 vulnerabilities, one of which is a critical flaw in the System component. This bug, identified as CVE-2024-23706 and affecting Android 14, has the potential to enable attackers to elevate their privileges on vulnerable devices. ESB-2024.2280.5 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0 Palo Alto issued an advisory in April regarding a critical vulnerability exists in their Global Protect feature in PAN-OS software. With a CVSS score of 10, this flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vendor has since updated their advisory to provide information on the exploitation status about proof-of-concept and enhanced EFR procedure. Stay safe, stay patched and have a good weekend! The AUSCERT team

Only three weeks left until AUSCERT2024! Reserve your spot in your preferred program sessions now! Limited spots are still available in some exceptional sessions – act quickly to secure yours before they're filled! This year's program offers a diverse array of sessions covering a wide spectrum of topics. Notably, there's been a rise in sessions centred around MISP and information sharing platforms. Reflecting the essence of our theme for this year of ‘Pay it Forward’, sharing information within the cyber community fosters collective strength. By actively contributing to our shared knowledge, we enhance the growth and resilience of our industry. Let's unite and grow stronger together! We're excited to welcome our esteemed colleagues from CIRCL Luxembourg to AUSCERT2024, where they'll share invaluable insights about their renowned MISP platform! Join Michael Hamm and Christian Studer for an immersive, hands-on workshop highlighting the paramount importance of information sharing and showcasing MISP's extraordinary capabilities. Additionally, Shanna Daly and David Zielezna will delve into MISP Techniques, Tricks, Tips, and Traps during their session. This workshop offers a comprehensive crash course on effectively leveraging MISP for cyber threat intelligence, drawing from their extensive experience as MISP subject matter experts on prominent projects like the CTIS initiative led by the ACSC. They'll navigate through common pitfalls and offer practical strategies. Furthermore, our Senior System Administrator, Josh Hopkins, will enlighten attendees about the MISP platform, elucidating how to swiftly deploy, patch, and configure infrastructure components to bolster your business operations. Josh will highlight how MISP serves as a vital tool for threat intelligence sharing and analysis. His presentation will serve as a roadmap for planning and executing a transition to infrastructure as code, utilizing MISP as a real-world model based on our practical learnings. Sharing relevant threat intelligence and collaborating on response strategies enables organisations to efficiently contain and mitigate security incidents, thereby minimising disruptions to their operations and safeguarding their reputations. Consult our membership team about the AusMISP service! Cisco Raises Alarm for ‘ArcaneDoor’ Zero-Days Hitting ASA Firewall Platforms Date: 2024-04-24 Author: Security Week [AUSCERT has identified impacted members located both in Australia and New Zealand (where possible) and contacted them via email. AUSCERT also shared IoCs and TTPs associated with ArcaneDoor campaign via MISP] [Please also see AUSCERT bulletins: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2551.2/ and https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.2552.2/] Technology giant Cisco on Wednesday warned that professional, nation state-backed hacking teams are exploiting at least two zero-day vulnerabilities in its ASA firewall platforms to plant malware on telecommunications and energy sector networks. HPE Aruba Networking fixes four critical RCE flaws in ArubaOS Date: 2024-05-01 Author: Bleeping Computer HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE). CISA says GitLab account takeover bug is actively exploited in attacks Date: 2024-05-01 Author: Bleeping Computer ​CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. GitLab hosts sensitive data, including proprietary code and API keys, and account hijacking can have a significant impact. Successful exploitation can also lead to supply chain attacks that can compromise repositories by inserting malicious code in CI/CD (Continuous Integration/Continuous Deployment) environments. Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data Date: 2024-05-01 Author: Security Week Malware hunters at Lumen’s Black Lotus Labs have set eyes on a new malware platform roaming around enterprise-grade and small office/home office (SOHO) routers capable of covertly harvesting public cloud authentication data from internet traffic. The platform, tagged as Cuttlefish, is designed to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN) and researchers warn that the attackers have the capability to hijack DNS and HTTP connections to private IP spaces, which are typically associated with communications within an internal network. DropBox says hackers stole customer data, auth secrets from eSignature service Date: 2024-05-01 Author: Bleeping Computer Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information. DropBox Sign (formerly HelloSign) is an eSignature platform allowing customers to send documents online to receive legally binding signatures. Data breach tsunami hits Australia Date: 2024-05-27 Author: Insurance Business Australia Australia saw a substantial rise in data breaches in the first quarter of 2024 (Q1 2024), with reports indicating that 1.8 million user accounts were compromised, according to cybersecurity company Surfshark. The study is based on an analysis of email addresses associated with online services, often leaked alongside other sensitive data such as passwords and financial information. ASB-2024.0098 – Okta Identity and Access Management Solutions Okta has alerted to an increase in the "frequency and scale" of credential stuffing attacks targeting online services and recommends the implementation of mitigation measures including the use of strong passwords and two-factor authentication (2FA). ASB-2024.0099 – R programming language: CVSS (Max): 8.8 A recent finding has revealed CVE-2024-27322 in the R programming language, extensively used by statisticians and data miners. This vulnerability, rated with a CVSS v3 score of 8.8, poses a significant risk, enabling malicious actors to run arbitrary code on a targeted system. ESB-2024.2771 – Cisco IP Phone Products: CVSS (Max): 7.5 Cisco has released information regarding a vulnerability in the web-based management interface of Cisco IP Phone firmware that could allow unauthorized access and potential data breaches. Make sure to update the firmware and implement proper security measures to protect sensitive information on the devices. ESB-2024.0272.2 – UPDATE ALERT [WIN][UNIX/Linux] GitLab Community Edition (CE) and GitLab Enterprise Edition (EE): CVSS (Max): 10.0 CISA has added CVE-2023-7028 to its KEV list. The flaw in GitLab Community Edition (CE) and Enterprise Edition (EE) allows for password reset messages to be sent to email addresses that have not been verified, enabling attackers to hijack the password reset process and take over accounts. GitLab patched the security defect in January 2024. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, Yesterday, Australians and New Zealanders commemorated Anzac Day, a meaningful occasion prompting us to pause and reflect on the profound sacrifices made for our nations. It was a time for many of us to unite in remembrance, honouring the struggles of our past while embracing hope for peace for generations to come. Communities joined together in a heartfelt display of gratitude, paying respect to the enduring legacy of our brave servicepeople. From touching dawn services to solemn marches, ceremonies, and heartfelt tributes, many people paid their respects to those who have served and continue to serve, ensuring that their courage and bravery are eternally remembered. This week, we released another exciting episode of our podcast Share today, save tomorrow – Episode 33 – delving into ‘The World of AI’. Anthony sat down with Dr. Luke Zaphir from the University of Queensland, whose background in philosophy, particularly in political and educational spheres, adds a fascinating perspective to the world of artificial intelligence. Luke critically examines the significant advancements AI has made over the past two years, including ChatGPT’s meteoric rise to prominence and its diverse applications in our lives. Unlike previous iterations, today’s AI can swiftly produce content, conduct data analysis, and generate images at a remarkable level of sophistication. However, these developments are not without their flaws and risks. The discussion also delves into the role of Cyber Security AI, which brings both positives and negatives. While it provides potentially valuable tools for detecting malicious behaviour, it also aids threat actors with more targeted tools and resources to deceive people globally. Luke emphasizes the importance of utilizing key human characteristics such as critical thinking, ethics, and media literacy to combat the negative effects of AI. In the second part of the episode, Bek and Principal Analyst Mark Carey-Smith have a chat about AUSCERT2024. Mark provides insights into the workshop he’ll be co-hosting with colleague Alex Webling, which delves into the significance of discussion exercises as an effective tool for cyber security professionals to enhance their impact within their organisations. These exercises can foster a supportive and collaborative environment, facilitating effective incident management through diverse perspectives and approaches. Leveraging the free Exercise in a Box (EiaB) resource developed by the UK’s NCSC and Australia’s ACSC, EiaB offers an intuitive, web-based platform for accessing a wide range of discussion exercises. Be sure to explore our program for more captivating and relevant workshops! Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks Date: 2024-04-20 Author: The Hacker News [AUSCERT has identified members (where possible) and contacted them via email] Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday. "This has been patched in v11.1.0." That said, customers who are operating their CrushFTP instances within a DMZ (demilitarized zone) restricted environment are protected against the attacks. FBI: Akira ransomware raked in $42 million from 250+ victims Date: 2024-04-18 Author: Bleeping Computer [AUSCERT recently shared IoCs and TTPs associated with Akira Ransomware group via MISP] According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. Russian hackers' custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) Date: 2024-04-23 Author: Help Net Security [Note: CVE-2022-38028 was added to the CISA KEV on 23 April 2024. Please See https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog] [Please also see the AUSCERT Bulletin published for CVE-2022-38028 : ASB-2022.0193] For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in Windows Print Spooler service (CVE-2022-38028). … Most recently, the group has been spotted leveraging a known Microsoft Outlook vulnerability (CVE-2023-23397) to compromise email accounts of workers at public and private entities in Poland. GPT-4 Is Capable Of Exploiting 87% Of One-Day Vulnerabilities Date: 2024-04-22 Author: Cyber Security News Large language models (LLMs) have achieved superhuman performance on many benchmarks, leading to a surge of interest in LLM agents capable of taking action, self-reflecting, and reading documents. While these agents have shown potential in areas like software engineering and scientific discovery, their ability in cybersecurity remains largely unexplored. Cybersecurity researchers Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang recently discovered that GPT-4 can exploit 87% of one-day vulnerabilities, which is a significant advancement. MITRE says state hackers breached its network via Ivanti zero-days Date: 2024-04-19 Author: Bleeping Computer The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days. The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development. MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives." Behavioral patterns of ransomware groups are changing Date: 2024-04-23 Author: Help Net Security In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. ESB-2024.2510 – Google Chrome: CVSS (Max): None Google has recently released security updates for its Chrome browser to address four potentially dangerous vulnerabilities. These updates, versions 124.0.6367.78/.79 for Windows and Mac, and 124.0.6367.78 for Linux, are crucial for safeguarding user data and system security. Among these vulnerabilities, CVE-2024-4058 is classified as critical. ESB-2024.2511 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5 The latest security release from GitLab focuses on addressing a range of vulnerabilities that pose significant risks to code repositories and development workflows. It is highly recommended to upgrade to versions 16.11.1, 16.10.4, or 16.9.6 to enhance security measures and mitigate potential threats effectively. ESB-2024.2280.4 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0 Palo Alto Networks has updated its advisory for CVE-2024-3400, introducing a new Threat Prevention Threat ID and a CLI command to detect potential exploit activity. The vulnerability title and description have also been clarified in these updates. AUSCERT has accordingly revised its bulletin to align with these changes. The vendor has provided fixes for the vulnerable GlobalProtect feature within PAN-OS software, and AUSCERT strongly advises its members to promptly apply these fixes to safeguard against potential exploitation risks. ESB-2024.2551.2 – UPDATE ALERT Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services: CVSS (Max): 8.6 According to Cisco Talos, the attackers are targeting software defects in certain devices running Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) products to implant malware, execute commands, and potentially exfiltrate data from compromised devices. Stay safe, stay patched and have a good weekend! The AusCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” The world of AI In this episode, AUSCERT features the following guests: Luke Zaphir, The University of Queensland Mark Carey-Smith, AUSCERT Anthony sits down with Luke Zaphir from The University of Queensland to discuss where we are in the world of AI In the second half of the episode, Bek chats with Mark Carey-Smith from AUSCERT to continue the topic of AI and the value of looking for new opportunities. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, With less than 5 weeks until AUSCERT2024, this week marks your final chance to secure sponsorship packages! Act quickly, as only a limited number is still available. Don’t miss out on maximizing your exposure at the conference – explore our branding packages too! We are delighted to announce the esteemed presence of Piotr Kijewski as one of our keynote speakers this year! Piotr holds the distinguished positions of CEO and Trustee at the Shadowserver Foundation, a non-profit organisation dedicated to enhancing Internet security. For over 15 years, the Shadowserver Foundation has been actively providing invaluable daily cyber threat intelligence feeds to over 201 National CSIRTs across 175 countries and territories. Moreover, they have extended their services to support over 8000 other organisations worldwide, including sectoral CSIRTs, ISPs, CSPs, hosting providers, enterprises, banks, academia, hospitals, SMEs, and more! Piotr’s session will delve into how Shadowserver operated as a large-scale information collection and sharing project, collaborating with the global cyber security defender community. He will take audience members behind the scenes, sharing the insights into their journey in recent years as they strive for sustainability, particularly after the loss of their long-term primary sponsor. Piotr will conclude by outlining his vision for advancing global cyber security while remaining true to the principles of free threat intelligence sharing. In recent cyber-related news, Palo Alto Networks encountered a vulnerability in the GlobalProtect feature of its PAN-OS software last Friday. This vulnerability, specific to certain PAN-OS versions and distinct feature configurations, poses a significant risk, potentially allowing an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto Networks offered mitigation strategies to be promptly implemented until permanent fixes could be applied. The AUSCERT analyst team responded swiftly to ensure our members were promptly informed. They issued bulletin ESB-2024.2280 detailing the vulnerability on the same day and shared IoCs via our MISP platform. Additionally, security alerts were issued to the potentially affected members . This incident serves as a reminder for our members to remain vigilant and act swiftly when such incidents occur, to reduce risks effectively. Ivanti warns of critical flaws in its Avalanche MDM solution Date: 2024-04-16 Author: Bleeping Computer [AUSCERT utilised third-party search engines to identify and alert any impacted members. If you use Avalanche mobile device management (MDM) solution, we recommend patching according to the vendor's guidelines] Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution. Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location. Cisco Duo warns that breach exposed phone numbers, phone carriers, metadata and other logs that could lead to downstream social engineering attacks. Date: 2024-04-15 Author: Security Week Cybersecurity vendor Cisco on Monday warned that hackers broke into an unidentified telephony supplier used to send Duo MFA SMS messages and stole log data that could be used in downstream attacks. According to a customer notice from the Cisco Data Privacy and Incident Response Team, the breach exposed phone numbers, phone carriers, metadata and other logs that could lead to phishing and social engineering attacks. Cisco warns of large-scale brute-force attacks against VPN services Date: 2024-04-16 Author: Bleeping Computer [AUSCERT has created a MISP event sharing IoCs from this brute force campaign] Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide. A brute force attack is the process of attempting to log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to the internal network. Warnings of fake invoice scams after nearly 800,000 records exposed Date: 2024-04-17 Author: Sky News Experts have issued a fresh warning about scams involving fake invoices, after a data leak affecting a leading Australian smoke alarm company left customer records exposed online for months. In an unusual twist, an email viewed by Sky News indicates the company knowingly left the database open after learning it was publicly accessible. In January, independent cybersecurity researcher Jeremiah Fowler discovered a non-password protected database belonging to Smoke Alarm Solutions. CISA orders agencies impacted by Microsoft hack to mitigate risks Date: 2024-04-11 Author: Bleeping Computer CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. Emergency Directive 24-02 was issued to Federal Civilian Executive Branch (FCEB) agencies on April 2. It requires them to investigate potentially affected emails, reset any compromised credentials (if any), and take measures to secure privileged Microsoft Azure accounts. PoC Released For Critical Zero-Click Windows Vulnerability Date: 2024-04-15 Author: Cyber Security News [Please also see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ASB-2023.0055/] Microsoft’s wide reach as a target prompted attackers to carry out intensive studies on the vulnerabilities and mitigation tools of their products and protocols. This resulted in a new remote code execution (RCE) WinAPI CreateUri function vulnerability, introduced as part of the CVE-2023-23397 patch. Unlike the previous two-vulnerability RCE chain, this flaw enables zero-click RCE exploitation. ASB-2024.0085 – Oracle Communications Applications: CVSS (Max): 9.8 Oracle Communications received a total of 93 security patches this month during Oracle’s April 2024 CPU, with 71 of them specifically targeting flaws that can be exploited remotely without requiring authentication. ASB-2024.0072 – PuTTY: CVSS (Max): None The PuTTY developers have issued an update to address a critical vulnerability that could be used to retrieve secret keys. Versions 0.68 to 0.80 of PuTTY are impacted, but the vulnerability has been resolved in PuTTY 0.81. ESB-2024.2383 – Cisco Integrated Management Controller (IMC): CVSS (Max): None Cisco has issued patches for a high-severity Integrated Management Controller (IMC) vulnerability with public exploit code that enables local attackers to elevate privileges to root. Tracked as CVE-2024-20295, this security flaw is caused by insufficient validation of user-supplied input, a weakness that can be exploited using crafted CLI commands as part of low-complexity attacks. ESB-2024.2280.3 – UPDATE ALERT GlobalProtect feature of PAN-OS: CVSS (Max): 10.0 Palo Alto Networks recently released a critical alert regarding a vulnerability in the PAN-OS software used in its firewall and VPN products. This command-injection flaw, rated with a top CVSS severity score of 10 out of 10, could potentially allow an unauthenticated attacker to execute remote code with root privileges on a compromised gateway. ESB-2024.2366 – Google Chrome: CVSS (Max): None Google has released security updates to fix over 35 vulnerabilities in their browsers, including twelve high-severity issues. Chrome version 124 has been released in the stable channel, containing fixes for 22 bugs, with 13 of them identified by external researchers. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, With less than 6 weeks remaining, we’re eagerly anticipating our return to the sunny Gold Coast, our favourite time of year! We have some exciting updates to our AUSCERT2024 program, including the addition of a workshop titled "Security in an Unmanaged Azure Environment: A Practical Example" lead by Greg Scheidel, a SANS Certified Instructor. This workshop will draw from the content of SANS SEC530: Defensible Security Architecture and Engineering, focusing on implementing Zero Trust for the Hybrid Enterprise. Limited spots available—act fast to secure your spot today! Visit our website for more details. This week marked a significant milestone in the cyber world! Nigel Phair, a Professor from Monash University, and renowned speaker who spoke at AUSCERT2023, contributes as a co-author in a new groundbreaking research study. After three years of dedicated research, an international team of researchers yesterday unveiled the first ever “World Cybercrime Index”. Developed through a collaborative effort between the University of Oxford, UNSW and funded by CRIMGOV, a European Union-supported project based at the University of Oxford and Sciences Pro, this index promises to reshape our understanding of global cybercrime dynamics. The World Cybercrime Index identifies the globe’s primary cybercrime hotspots by ranking the most prominent sources of cybercrime on a national level. The index reveals that the most significant criminal threats are concentrated in a handful of countries, with Russia leading the list, followed by Ukraine, China, the USA, Nigeria, and Romania. The research underlying the index will also shed light on the identities of cybercriminal offenders, potentially removing their veil of anonymity. Continuing to collect this data in the future will enable defenders and police agencies to monitor the emergence of any new cybercrime hotspots. Early interventions could potentially be implemented in at-risk countries before serious cybercrime problems develop. Government agencies and private enterprises tasked with combating cybercrime now have the opportunity to significantly improve their understanding of the scale of the issue within their own jurisdictions. Previously, knowledge of cybercriminal whereabouts was largely confined to specialist investigators, but now this information can be shared with the public, government, and business alike. April’s Patch Tuesday Brings Record Number of Fixes Date: 2024-04-09 Author: Krebs on Security [Please also see AUSCERT bulletins: ASB-2024.0059, ASB-2024.0060, ASB-2024.0061, ASB-2024.0062, ASB-2024.0063, ASB-2024.0064, ASB-2024.0065, ASB-2024.0066] If only Patch Tuesdays came around infrequently — like total solar eclipse rare — instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month’s patch batch — a record 147 flaws in Windows and related software. Fortinet Patches Critical RCE Vulnerability in FortiClientLinux Date: 2024-04-10 Author: Security Week [Please see AUSCERT Bulletins https://www.auscert.org.au/bulletins/ESB-2024.2166 and https://www.auscert.org.au/bulletins/ESB-2024.2172] Fortinet on Tuesday announced patches for a dozen vulnerabilities in FortiOS and other products, including a critical-severity remote code execution (RCE) bug in FortiClientLinux. The critical flaw, tracked as CVE-2023-45590 (CVSS score of 9.4), is described as a code injection issue that could allow an unauthenticated, remote attacker to execute arbitrary code or commands by convincing a user to visit a malicious website. Code Execution Flaws in Multiple Adobe Software Products Date: 2024-04-09 Author: Security Week [Please also see AUSCERT bulletins: ESB-2024.2138, ESB-2024.2140, ESB-2024.2162, ESB-2024.2136, ESB-2024.2137, ESB-2024.2139, ESB-2024.2165] Software maker Adobe on Tuesday rolled out urgent security updates for multiple enterprise-facing products and warned that hackers could exploit these bugs to launch code execution attacks. As part of its scheduled batch of Patch Tuesday updates, Adobe called attention to a pair of code execution bugs in Adobe Commerce and Magento Open Source, a product used by businesses to create and manage online stories. Critical Rust flaw enables Windows command injection attacks Date: 2024-04-09 Author: Bleeping Computer Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks. Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system. GitHub rated this vulnerability as critical severity with a maximum CVSS base score of 10/10. Unauthenticated attackers can exploit it remotely, in low-complexity attacks, and without user interaction. Apple: Mercenary spyware attacks target iPhone users in 92 countries Date: 2024-04-11 Author: Bleeping Computer Apple has been notifying iPhone users in 92 countries about a "mercenary spyware attack" attempting to remotely compromise their device. In a sample notification the company shared with BleepingComputer, Apple says that it has high confidence in the warning and urges the recipient to take seriously. "Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-," reads the notification. ASB-2024.0065 – Microsoft Windows Products: CVSS (Max): 8.8 Microsoft has recently issued its monthly security patch update for April 2024 to address a total of 91 vulnerabilities found in Windows and Windows Server. Among these vulnerabilities is a zero-day exploit identified as CVE-2024-26234. This exploit involved a malicious driver that was signed using a legitimate Microsoft Hardware Publisher Certificate and was discovered to be operating as a malicious backdoor. ESB-2024.2180 – WordPress: CVSS (Max): None WordPress has rolled out version 6.5.2 to fix a Cross-Site Scripting vulnerability along with various other bugs. Failure to apply this patch could enable malicious actors to insert harmful scripts into WordPress websites. This could result in website defacement, the compromise of sensitive information, or the dissemination of malware to site visitors. WordPress strongly urges all users to promptly update their installations to mitigate these risks. ESB-2024.2166 – FortiClientLinux: CVSS (Max): 9.4 An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website. The vulnerability is resolved by performing a system update. ESB-2024.2148 – Linux kernel: CVSS (Max): 9.8* Numerous security issues were fixed in the Linux kernel, such as the IPv6 implementation of the Linux kernel not properly managing route cache memory usage, allowing a remote attacker to cause a denial of service (memory exhaustion) and the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations, allowing a local attacker to cause a denial of service (system crash). The vulnerabilities are resolved by performing a system update. ESB-2024.2099 – Django: CVSS (Max): 9.8 The password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts. The vulnerability is resolved by performing a system update. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, Today is the last chance to take advantage of early bird registrations and make the most of AUSCERT member tokens! The countdown is on for AUCERT2024 and we are very excited to join with our community, hear from industry experts, engage in ground breaking workshops and participate in exciting activities! Check out our full program for all the details! A recently published report by The Cyber Safety Review Board has highlighted a series of critical oversights by Microsoft in an incident involving a threat actor believed to be affiliated with the People’s Republic of China. This breach led to unauthorised access to email accounts of senior government officials from the United States and the United Kingdom. The incident underscores the significant threat that supply chain attacks pose to organisations, given the inherent vulnerabilities that can be introduced and exploited at any stage of the supply chain. Recent high-profile attacks on various companies and code repositories, such as the xz Utils backdoor, serve as an important reminder that attackers possess both the intent and capability to exploit weaknesses in supply chain security. Regardless of an organisation’s size or the stringency of its security measures, vigilance and preparedness for potential incidents are paramount. As this alarming trend continues to escalate, it becomes increasingly imperative for organisations to implement effective risk management measures including careful oversight of their supply chains. These steps are crucial in reducing the likelihood and impact of similar incidents in the future. The UK’s National Cyber Security Centre has provided valuable guidance in establishing effective control and oversight of supply chains, offering principles that can significantly bolster security measures. These principles revolve around four key strategies: Understand the Risks, Establishing Control, Checking Arrangements and Driving Continuous Improvement. In conclusion, supply chain attacks represent an increasing threat to organisations globally. It’s crucial to comprehend the risks associated with all supplier and partner arrangements, regardless of an organisation’s size or reputation. Establishing control and holding suppliers accountable for agreed security measures are imperative steps. Moreover, it’s vital to encourage suppliers to continuously enhance their security arrangements. By adopting these measures, organisations can bolster their defences against supply chain vulnerabilities and mitigate potential threats effectively. Security Flaw in WP-Members Plugin Leads to Script Injection Date: 2024-04-02 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] Attackers could exploit a high-severity cross-site Scripting (XSS) vulnerability in the WP-Members Membership WordPress plugin to inject arbitrary scripts into web pages, according to an advisory from security firm Defiant. The bug, tracked as CVE-2024-1852, is the result of insufficient input sanitization and output escaping, allowing an attacker to create accounts that have a malicious script stored as the value of the user’s IP address. xz-utils Backdoor Affected Kali Linux Installations: Check for Infection Date: 2024-04-02 Author: Cyber Security News A backdoor was recently discovered in the xz-utils package versions 5.6.0 to 5.6.1, shocking the Linux community. This poses a significant threat to the security of Linux distributions, including Kali Linux. The vulnerability, CVE-2024-3094, could potentially allow malicious actors to compromise sshd authentication, granting unauthorized access to systems remotely. Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites Date: 2024-04-03 Author: Security Week [AUSCERT has identified the impacted members (where possible) and contacted them via email] A critical SQL injection vulnerability in the LayerSlider plugin can be exploited to extract sensitive information from website databases, WordPress security firm Defiant warns. A WordPress slider plugin with more than one million active installations, LayerSlider provides users with visual web content editing, digital visual effects, and graphic design capabilities in a single solution. Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks Date: 2024-04-03 Author: Bleeping Computer [AUSCERT has identified the impacted members (where possible) and contacted them via email] IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction. Adversaries are leveraging remote access tools now more than ever — here’s how to stop them Date: 2024-04-02 Author: Cisco Talos Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic. Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. Cyber 'axis of evil' poised for more attacks on Australia, expert warns Date: 2024-04-02 Author: 9News A dangerous "axis of evil in cyberspace" is primed to launch more attacks on major Australian companies, a leading cybersecurity expert has warned, claiming the compromised networks of Medibank and Optus are just phase one in a dark master plan. Highly skilled Russian and Chinese hackers will lead those cyberattacks, according to Tom Kellerman, a former cyber investigations advisor for the US Secret Service and Barack Obama's government. The motives for recent attacks on Medibank, Optus, Latitude and other institutions went far beyond theft of data and the potential for financial extortion, he said. ESB-2024.1999 – ALERT Google Chrome: CVSS (Max): None Google has updated its Stable channel for Windows, Mac and Linux. This includes a patch for a critical zero-day vulnerability (CVE-2024-3159) that was exploited during the recent Pwn2Own Vancouver 2024 hacking competition. ASB-2024.0057 – ALERT xz-utils: CVSS (Max): 10.0 The world was shocked when a Microsoft developer disclosed that a backdoor has been intentionally planted in xz Utils. Known as CVE-2024-3094, this vulnerability enables a malicious actor with the correct private key to take control of sshd, the program responsible for establishing SSH connections, and subsequently execute harmful commands. ESB-2024.2070 – Google Android devices: CVSS (Max): 6.6* Google recently revealed updates to address vulnerabilities in Android and Pixel devices, which include two issues that have been actively exploited. These vulnerabilities, known as CVE-2024-29745 and CVE-2024-29748, specifically affect Pixel's bootloader and firmware. ESB-2024.1985.3 – UPDATE VMware SD-WAN: CVSS (Max): 7.4 VMware has issued crucial security patches to resolve a number of vulnerabilities in its SD-WAN solution. Failure to apply these patches could pose significant risks to organizations that depend on VMware SD-WAN for network management. ASB-2024.0058 – HTTP/2: CVSS (Max): 7.5* Recently identified vulnerabilities in the HTTP/2 protocol, known as "CONTINUATION Flood," have the potential to launch DoS attacks against servers utilizing vulnerable implementations. Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, As Easter approaches this weekend, many of us eagerly anticipate some well-deserved time off, relishing in chocolate eggs, and cherishing moments with loved ones. However, amidst the joyous festivities, we'd like to gently remind you that our member tokens and early bird registration fees will expire on April 5th for AUSCERT2024! We're thrilled to unveil an engaging program, featuring Darren Kitchen as one of our esteemed keynote speakers. Darren's expertise promises to provide enlightening and invaluable insights for all attendees. Additionally, we're excited to announce that Risky Biz has confirmed a live podcast recording at AUSCERT2024! Be sure to seize the remaining time to secure your member tokens and early bird registration fees before this offer concludes. This week, we released episode 32 of our podcast, titled "Behaviour Change to Reduce Threats." In this thought-provoking discussion, Anthony engages with Jane O’Loughlin from CERT NZ, exploring the critical importance of behaviour modification in mitigating cyber security threats. Jane actively advocates for increased awareness and action in cyber security, striving to make it more accessible and relevant to individuals. Jane explains that despite cyber security’s widespread attention, research still indicates a concerning lack of seriousness among people regarding the issue, with many remaining unaware of the profound consequences of personal cyber attacks. Given the escalating sophistication and severity of threats, it's imperative for everyone to adopt proactive measures. Cyber attackers leverage behavioural science to meticulously craft and target attacks, enhancing their success rates. Therefore, fostering a culture of cybersecurity consciousness and implementing effective behavioural modifications are crucial steps in safeguarding against cyber threats. CERT NZ and The Research Agency have collaborated to produce "Cyber Change" – a book of behaviour change techniques aimed at promoting positive cybersecurity actions. This guide, tailored for government and industry agencies working in online security, shares valuable insights on improving the effectiveness of cyber security interventions. In conclusion, AUSCERT wishes everyone a safe and happy Easter holiday! Our offices will be closed for the Easter long weekend from Friday 29th of March until Monday 1st of April inclusive. During this time auscert@auscert.org.au will not be monitored and no bulletins will be issued. However our analysts will remain on call for the period, if you experience a cyber incident, please log into the member portal for the 24/7 member hotline number. Exploit released for Fortinet RCE bug used in attacks, patch now Date: 2024-03-21 Author: Bleeping Computer [AUSCERT utilised third-party search engines to identify and alert any impacted members] Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks. Tracked as CVE-2023-48788, this security flaw is an SQL injection in the DB2 Administration Server (DAS) component discovered and reported by the UK's National Cyber Security Centre (NCSC). CISA tags Microsoft SharePoint RCE bug as actively exploited Date: 2024-03-27 Author: Bleeping Computer CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. Tracked as CVE-2023-24955, this SharePoint Server vulnerability enables authenticated attackers with Site Owner privileges to execute code remotely on vulnerable servers. Australia Doubles Down On Cybersecurity After Attacks Date: 2024-03-27 Author: Dark Reading Government proposes more modern and comprehensive cybersecurity regulations for businesses, government, and critical infrastructures providers Down Under. The Australian government is carving out plans to revamp cybersecurity laws and regulations in the wake of a series of damaging high-profile data breaches that rocked the country. Government officials recently released what it called a consultation paper that outlined specific proposals and solicited input from the private sector in a proclaimed strategy to position the nation as a world leader in cybersecurity by 2030. Australian gov backs election system security after "highly likely" UK compromise Date: 2024-03-26 Author: iTnews The federal government has sought to assure Australians that electoral systems are secure after it emerged that UK electoral systems “were highly likely compromised” between 2021 and 2022. The UK government, together with its cyber security agency, attributed “two malicious cyber campaigns targeting democratic institutions and parliamentarians” to China-affiliated threat groups. Ray AI Framework Vulnerability Exploited to Hack Hundreds of Clusters Date: 2024-03-27 Author: SecurityWeek Attackers have been exploiting a missing authentication vulnerability in the Ray AI framework to compromise hundreds of clusters, application security firm Oligo reports. The issue, tracked as CVE-2023-48022 and disclosed in November 2023, exists because, in its default configuration, the open source compute framework for AI does not enforce authentication and does not support any type of authorization model. ESB-2024.1744 – Firefox: CVSS (Max): 8.8 Mozilla has updated Firefox to version 124.0.1 addressing 2 critical vulnerabilities ESB-2024.1805 – Google Chrome: CVSS (Max): None Google has updated Chrome addressing multiple vulnerabilities ESB-2024.1783 – macOS Ventura: CVSS (Max): 5.9 Apple has released an update to a remote code execution vulnerability in macOS Ventura ESB-2024.1842 – Cisco IOS XE Software: CVSS (Max): 8.6 Cisco has released software updates for a denial of service vulnerability in IOS XE Software ESB-2024.1787 – Rockwell Automation Arena Simulation Software: CVSS (Max): 7.8 Rockwell Automation has updated Arena Simulation Software to address multiple vulnerabilities Stay safe, stay patched and have a good weekend! The AusCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” Behaviour change to reduce threats In this episode, AUSCERT features the following guests: Jane O’Louglin, CERTNZ Mike Holm, AUSCERT Anthony sits down with Jane O’Louglin from CERTNZ for a fascinating discussion about why behaviour change is so critical when looking at ways to migitate threats and blocking threat actors. In the second half of the episode, Bek chats with Mike Holm from AUSCERT about the history and role of CERT teams and the fast approaching AUSCERT Conference. This episode was hosted by Anthony Caruana and Bek Cheb. Our podcasts aim to provide fascinating insights, great stories from the field and lessons you can take back to your workplace. If you have any ideas or suggestions for what we can talk about, please let us know! The AUSCERT podcast can also be found on Spotify, Apple Podcasts and Google Podcasts.

Greetings, As AUSCERT2024 approaches, we want to remind all our valued members to make the most of their Member Tokens before they expire on April 5th. Also, Early Bird Registrations are closing on this date too, so if you want to save on costs, register now! This year's program is exceptional, featuring a diverse range of cutting-edge workshops, influential speakers, and exciting activities. Seize this incredible opportunity to learn, network, and engage with industry leaders. Secure your spot today and join us for an unforgettable event! For more information, visit the AUSCERT2024 website. Charities and not-for-profit organisations in Australia are facing an escalating number of cyber threats. In the 2022-23 financial year alone, the Australian Signals Directorate (ASD) received nearly 94,000 cybercrime reports, indicating one report filed approximately every 6 minutes. Recognising this concerning trend, the ASD is urging these entities to enhance their online security measures and stay vigilant. Due to their limited resources, charities and not-for-profit organisations are increasingly vulnerable to malicious attacks. Such incidents can result in substantial costs, including financial losses, data breaches, reputational damage, loss of trust from donors and beneficiaries, and overall harm to the community they serve. Not to fear, AUSCERT is here to help! Our members have access to a team of experts who can provide guidance, support, and assistance when incidents arise! An effective cyber security incident response is essential for maintaining organisational objectives by avoiding or limiting the impact of cyber security incidents. Register for our Incident Response Planning Course to develop the skills needed to write and implement a bespoke incident response plan for your organisation. This course is designed to provide organisations with crucial information and knowledge to execute one of the critical elements of incident response preparation. Our upcoming course is scheduled for 16-17 April from 9am – 12:30pm, with limited places available so register now! Fujitsu found malware on IT systems, confirms data breach Date: 2024-03-18 Author: Bleeping Computer Japanese tech giant Fujitsu discovered that several of its systems were infected by malware and warns that the hackers stole customer data. "We have confirmed the presence of malware on several of our business computers, and as a result of our internal investigation, it has been discovered that files containing personal information and information related to our customers could be illicitly removed," reads a Fujitsu notice. New fact sheet for critical infrastructure leaders – actions to mitigate PRC state-sponsored cyber activity Date: 2024-03-20 Author: ASD Together with our international partners, we have released the PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders fact sheet. The fact sheet provides guidance for critical infrastructure leadership to protect their infrastructure and critical functions from Volt Typhoon – a state-sponsored cyber actor linked to the People’s Republic of China (PRC). Human risk factors remain outside of cybersecurity pros’ control Date: 2024-03-15 Author: Help Net Security Cyber threats are growing at an unprecedented pace, and the year ahead is fraught with cybercrime and incidents anticipated ahead of the busy election year where over 50 countries head to the polls, according to Mimecast. With new threats like AI and deepfake technology, the stakes are higher than ever to execute a strong cyber defense. Microsoft announces deprecation of 1024-bit RSA keys in Windows Date: 2024-03-18 Author: Bleeping Computer Microsoft has announced that RSA keys shorter than 2048 bits will soon be deprecated in Windows Transport Layer Security (TLS) to provide increased security. Rivest–Shamir–Adleman (RSA) is an asymmetric cryptography system that uses pairs of public and private keys to encrypt data, with the strength directly related to the length of the key. The longer these keys, the harder they are to crack. 1024-bit RSA keys have approximately 80 bits of strength, while the 2048-bit key has approximately 112 bits, making the latter four billion times longer to factor. Experts in the field consider 2048-bit keys safe until at least 2030. Threat landscape for industrial automation systems. H2 2023 Date: 2024-03-19 Author: Kaspersky ICS CERT In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%. In H2 2023, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked of all industries that we looked at. Oil and Gas was the only industry to see a slight (0.5 pp) increase in the second half of the year. ESB-2024.1635 – Nessus Products: CVSS (Max): 7.8 A privilege escalation vulnerability in Nessus plugin has been addressed. This vulnerability affects Nessus and Nessus Agent ESB-2024.1680 – Atlassian Self-Managed Products: CVSS (Max): 10.0 Atlassian has released patches for multiple vulnerabilities in its monthly security update ESB-2024.1683 – Firefox: CVSS (Max): 6.5* Firefox has been updated to version 124 addressing multiple vulnerabilities ESB-2024.1717 – Jenkins (core): CVSS (Max): 7.5 Jenkins (core) has been updated to address a Denial of Service vulnerability Stay safe, stay patched and have a good weekend! The AusCERT team

Greetings, Another week is coming to a close, and what an eventful week it has been! Some of our team members travelled to Sydney to reconnect with our valued members and attended the iTnews 2024 Benchmark Awards. For over a decade, these awards have provided IT leaders and teams with an opportunity to gain recognition for their ambition, innovation, and the value they bring to government, industry, and the public. This year, the focus was on acknowledging both projects and the individuals behind Australia's best IT initiatives. AUSCERT is proud to support programs like these that highlight the hard work and important achievements of IT teams across our country! To top off a great week, the women of AUSCERT also attended a High Tea organised by the Australian Women in Security Network (AWSN), to commemorate International Women’s Day (IWD). The High Tea featured influential guest speakers, Tea Dietterich, CEO of 2M Language Services, and Jackie French, Director for the Faculty of Creative Arts at TAFE Queensland, who both discussed the concerns and issues that women often face when trying to excel in their careers. They spoke about this year's IWD theme, “Count her in: Invest in Women, Accelerate Progress,” and how it encapsulates our collective mission towards a more inclusive, innovative, and secure future for all. Women’s economic empowerment is essential if we hope to create a world where gender equality is not just a goal but a reality. When women are given equal opportunities to earn, learn, and lead, entire communities thrive. While progress has been made, women face significant obstacles to achieving equal participation in the economy. Without equal access to education, employment pathways, financial services, and literacy, how can we ever hope to reach gender equality? We must ensure that women are given equal opportunity to build capabilities and strengthen their capacity to learn, earn, and lead. To conclude, we would like to highlight the importance of empowering women and all staff through further education and training. We have recently released a whole new set of training courses specifically designed to enhance and empower staff with the essentials of cybersecurity. Check out our full list of upcoming training sessions here! Fortinet warns of critical RCE bug in endpoint management software Date: 2024-03-13 Author: Bleeping Computer [Please see AUSCERT bulletin: https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.1576] Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers. FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices. Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities Date: 2024-03-13 Author: Security Week [AUSCERT has published security bulletins for these Intel updates] Intel published eight new advisories, including two that describe high-severity vulnerabilities. One of the high-severity issues is a local privilege escalation impacting BIOS firmware for some Intel processors. The second is a local privilege escalation that impacts the on-chip debug and test interface in some 4th Generation Intel Xeon processors when using SGX or TDX technology. Adobe Patches Critical Flaws in Enterprise Products Date: 2024-03-12 Author: Security Week [AUSCERT has published security bulletins for these Adobe updates] Software maker Adobe on Tuesday released a hefty batch of security updates to fix critical-severity vulnerabilities in multiple enterprise-facing products. The Patch Tuesday rollout contains fixes for code execution flaws in the oft-targeted Adobe ColdFusion, Adobe Premiere Pro, Adobe Bridge and Adobe Lightroom. The San Jose, Calif. company called urgent attention to a mega-update for its Adobe Experience Manager software, documenting at least 46 vulnerabilities that expose users to arbitrary code execution and security feature bypass. Patch Tuesday: Microsoft Flags Major Bugs in HyperV, Exchange Server Date: 2024-03-12 Author: Security Week [AUSCERT has published security bulletins for these Microsoft updates] Microsoft on Tuesday rolled out patches for at least 60 security vulnerabilities haunting the Windows ecosystem and warned there is exposure to remote code execution attacks. The world’s largest software maker tagged two HyperV vulnerabilities — CVE-2024-21407 and CVE-2024-21408 with its highest critical-severity rating and urged users to prioritize these fixes to reduce exposure to code execution and denial-of-service attacks. Microsoft also flagged a serious flaw in Open Management Infrastructure (OMI) for urgent attention, noting that the CVE-2024-21334 bug carries a CVSS severity score of 9.8 out of 10. Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks Date: 2024-03-11 Author: Security Week [See AUSCERT bulletin https://wordpress-admin.auscert.org.au/bulletins/ESB-2024.0849] Roughly one month ago, Fortinet patched a critical FortiOS vulnerability and warned customers about potential exploitation. Many systems are impacted, but there still do not appear to be any signs of large-scale attacks. The vulnerability, tracked as CVE-2024-21762, has been described as an out-of-bounds write issue in FortiOS and FortiProxy that can allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted HTTP requests. When it disclosed the zero-day flaw on February 9, Fortinet said it was ‘potentially being exploited in the wild’. CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities Catalog a few days later. ASB-2024.0051 – ALERT Microsoft Windows: CVSS (Max): 8.8* Microsoft released numerous updates this week as part of its monthly 'Patch Tuesday' release. ESB-2024.1541 – Adobe Premiere Pro: CVSS (Max): 7.8 Adobe joined Microsoft in releasing updates for many of its products running on Windows, Linux and macOS. ESB-2024.1565 – Intel Processors: CVSS (Max): 7.2 .. and Intel also joined Microsoft and Adobe with their regular release of fixes for vulnerabilities affecting their processors and associated hardware, firmware and software. ESB-2024.1576 – FortiClientEMS: CVSS (Max): 9.3 FortiClientEMS remote unauthenticated vulnerability reported and patched this week and referred to in this week's articles. ESB-2024.0849 – ALERT FortiOS: CVSS (Max): 9.6 Another Fortinet vulnerability patched this week and noted in this week's listed articles. Stay safe, stay patched and have a good weekend! The AUSCERT team

AUSCERT Membership Terms and Conditions   See the attached AUSCERT Membership Terms and Conditions (Version: March 2024).   AUSCERT Membership Terms and Conditions – Mar2024