WA Cyber Security Unit (Office of Digital Government)

This site contains technical information to support WA Government Cyber Security activities. Please propose updates directly via the edit link on each page or email cybersecurity@dpc.wa.gov.au with any feedback. The site is built with Material for MkDocs (reference) which includes several extensions to markdown for enhanced technical writing.

RSS Feeds

If you would like to subscribe to updates for this site please use the RSS or ATOM feeds.

WA Security Operations Centre (WA SOC)

• Connecting to the WA SOC (Sentinel Guidance)
• Advisories (TLP:CLEAR)
• Incident Reporting User Guide (Jira)
• Threat Hunting (MITRE ATT&CK Tactics and Techniques)
• ACSC Essential Eight Assessment Process Guide

Baselines & Guidelines

Baselines are for use as self-assessment checklists, and guidelines are for general implementation guidance.

Baselines

• Security Operations Baseline - aligned with MITRE 11 Strategies of a World-Class Cybersecurity Operations Center and ACSC's Cyber Incident Response Plan Resource.
• Detection Coverage Baseline - telemetry collection and detection analytics aligned to the MITRE ATT&CK Framework.
• Vulnerability Management Baseline - focused on undertaking operational Identify and Protect capabilities.

Critical Infrastructure Entities and Operational Technology

The CISA Cross-Sector Cybersecurity Performance Goals are clear targeted recommendations focusing on most common and impactful threats, including cost, complexity and impact ratings against each recommendation. These are highly relevant targets for entities in scope of SOCI regulatory obligations.

Guidelines

• Supply Chain Risk Management Guideline - Implementation guidance for ACSC Cyber Supply Chain Risk Management.
• Guide to Securing Remote Access Software (CISA) - remote access software overview, including the malicious use of remote access software, detection methods, and recommendations for all organizations.
• #StopRansomware Guide (CISA) - one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.
• Microsoft Sentinel Guidance - Implementation guidance for using Sentinel for ACSC Guidelines for System Monitoring
• Network Management Guideline - Implementation guidance for ACSC Network gateway hardening.
• Patch Management Guideline - Implementation guidance for ACSC Assessing Security Vulnerabilities and Applying Patches.

Additional documentation

The below documents are for general use.

Technical Documentation

• SOC Analyst Induction
• Collecting Digital Forensic Evidence
• Cyber Security Playbooks

Recent Advisories

2024 April

• Progress Software Telerik Reporting ObjectReader Vulnerability - 20240426003
• GitLab Critical Security Update - 20240426002
• ArcaneDoor Exploiting Cisco ASA Vulnerabilities - 20240426001
• Microsoft pulls fix for Outlook bug behind ICS security alerts - 20240424003
• Windows DOS-to-NT Path Conversion Process Exploited - 20240424002
• Microsoft Exchange Server Remote Code Execution Vulnerability - 20240424001
• Windows Print Spooler Elevation of Privilege Vulnerability - 20240423002
• VirtualBox Privilege Escalation Vulnerability - 20240423001
• Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability - 20240422002
• HashiCorp Vulnerability in go-getter Library - 20240422001
• Libreswan Popular VPN Software Vulnerability - 20240419004
• Critical PuTTY Vulnerability Exposes Private Keys - 20240419003
• Oracle Critical Patch Update for April 2024 - 20240419002
• Cisco Patches Vulnerabilities in Integrated Management Controller - 20240419001
• Ivanti Avalanche Multiple RCE Vulnerabilities - 20240418004
• Botnets Swarm Exploited in TP-Link Archer Routers - 20240418003
• Google Chrome Multiple RCE Vulnerabilities - 20240418002
• Microsoft QUIC Denial of Service Vulnerability - 20240417002
• Multiple Vulnerabilities in Mozilla Products - 20240417001
• Critical Rust Standard Library Vulnerability - 20240416004
• Google Chrome V8 Enum Cache Out-Of-Bounds Read RCE Vulnerability - 20240416003
• SAP Security Advisory April 2024 - 20240416002
• Node.js Security Patch for Critical Vulnerability - 20240416001
• Juniper Security Updates for Multiple Products - 20240415003
• Bitdefender Critical Vulnerabilities in GravityZone and Endpoint Security - 20240415002
• Palo Alto Networks PAN-OS Command Injection Vulnerability - 20240415001
• Chrome Security Update - 20240412001
• Adobe Releases Security Updates for Multiple Products  - 20240410004
• Microsoft Releases April Security Updates - 20240410003
• Fortinet Releases Security Updates for Multiple Products - 20240410002
• D-Link Critical Vulnerability - 20240410001
• Podman Buildah Vulnerability - 20240408004
• Google Releases Patches for Pixel Zero-Days - 20240408003
• Cisco Vulnerability in Discontinued Small Business Routers - 20240408002
• PGAdmin Remote Code Execution Vulnerability - 20240408001
• Apache HTTP Server Triple Vulnerabilities - 20240405003
• Microsoft Edge Spoofing Vulnerability - 20240405002
• Ivanti Security Update for Connect Secure and Policy Secure Gateways - 20240405001
• VMware SD-WAN Edge and SD-WAN Orchestrator Multiple Security Updates - 20240404001
• JetBrains TeamCity Cross-Site Scripting Vulnerability - 20240402006
• Linux Kernel Vulnerability - 20240402005
• WallEscape util-Linux Vulnerability - 20240402004
• GitLab Stored XSS Vulnerability - 20240402003
• Supply Chain Compromise Affecting XZ Utils Data Compression Library - 20240402002
• Cisco Security Updates for Multiple Products - 20240402001

2024 March

• Chrome Zero Days - 20240328002
• Apple Released Security Updates for Safari and macOS - 20240328001
• Firefox Patches Critical Zero-Day Vulnerabilities - 20240327003
• Apache Tomcat Denial of Service Vulnerabilities - 20240327002
• CISA Releases Multiple Critical Infrastructure Related Advisories - 20240327001
• Microsoft Edge Chromium based Security Feature Bypass Vulnerability - 20240326003
• Microsoft Edge Chromium based Security Feature Bypass Vulnerability - 20240326003
• .NET Framework Information Disclosure Vulnerability - 20240326002
• Ivanti Endpoint Manager Code Injection Vulnerability - 20240326001
• Advantech WebAccess/SCADA SQL Injection Vulnerability - 20240322003
• Ivanti Neurons for ITSM and Standalone Sentry Security Updates - 20240322002
• Chrome Security Update - 20240322001
• Xbox Gaming Services Elevation of Privilege Vulnerability - 20240321002
• Mozilla Security Updates For Multiple Products - 20240320001
• WordPress miniOrange Plugins Critical Vulnerability - 20240319002
• Directory Traversal PoC in FileCatalyst Workflow - 20240319001
• WordPress Plugin File Manager and File Manager Pro Critical Vulnerability- 20240318004
• Fortinet Critical SQLi Vulnerability in FortiClientEMS Software - 20240318003
• Akamai Kubernetes Vulnerability - 20240318002
• Arcserve UDP Software Critical Vulnerabilities - 20240318001
• CISA Releases Fifteen Industrial Control Systems Advisories - 20240315003
• Cisco Security Updates for IOS XR Software - 20240315001
• DNSSEC Verification Complexity Vulnerability - 20240313004
• Adobe Releases Security Updates for Multiple Products - 20240313003
• Fortinet Releases Security Updates for Multiple Products - 20240313002
• Microsoft Releases Security Updates for Multiple Products - 20240313001
• Word Press Plugin 3DPrint Lite Critical Vulnerability - 20240311003
• Fortinet FortiOS Critical Vulnerability - 20240311002
• Apple Multiple Products Security Advisory - 20240311001
• Veritas NetBackup Server and Client RCE Vulnerability - 20240308005
• Android security advisory -- March 2024 Monthly Rollup (AV24-119)- 20240308004
• Windows Themes Spoofing Vulnerability - 20240308003
• Microsoft Edge for Android Spoofing Vulnerability - 20240308002
• Cisco Releases Security Advisories for Multiple Products - 20240308001
• VMware Releases Security Advisory for Multiple Products - 20240307002
• Known Exploited Apple iOS and iPad Zeroday Vulnerabilities - 20240307001
• Android Pixel Vulnerability added to CISA Known Exploited Catalog - 20240306001
• JetBrains TeamCity Vulnerability Added to CISAs Known Exploited Catalog - 20240305003
• Adobe Acrobat Reader Multiple Vulnerabilities - 20240305002
• Cisco Patches NX-OS DoS Vulnerabilities - 20240305001

2024 February

• Linux Kernel Code Execution Vulnerability - 20240226003
• Junos OS RCE Vulnerability - 20240226002
• Microsoft Edge Spoofing and Information Disclosure Vulnerabilities - 20240226001
• Zero-Click Apple Shortcuts Vulnerability - 20240223002
• Critical Vulnerability in Progress Kemp products - 20240223001
• Mozilla Releases Security Updates for Firefox and Thunderbird - 20240222001
• CISA Adds ConnectWise ScreenConnect Known Exploited Vulnerability - 20240221004
• Apache Dolphinscheduler RCE Vulnerability - 20240221003
• Zyxel security advisory for multiple vulnerabilities in firewalls and APs - 20240221002
• Critical Vulnerability in Deprecated VMware EAP - 20240221001
• WordPress's Bricks Builder RCE Flaw - 20240220001
• Guidance following nation state attack on Microsoft - 20240219002
• SolarWinds Releases Patches for Vulnerabilities - 20240219001
• SolarWinds Releases Patches for Access Rights Manager vulnerabilities - 20240219001
• Cisco ASA and FTD Information Disclosure Vulnerability - 20240216001
• Zoom Critical Security Updates - 20240215001
• Adobe Releases Security Updates for Multiple Products - 20240214003
• Microsoft Releases Security Updates for Multiple Products - 20240214002
• Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure - 20240214001
• Roundcube Webmail added to CISA Known Exploited Catalog - 20240213001
• Microsoft Streaming Service Vulnerability Exploited - 20240212001
• Google Chrome Security Updates - 20240209003
• Fortinet Multiple RCE Vulnerabilities Exploited - 20240209002
• Ivanti Critical Patch for Multiple Products - 20240209001
• Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities - 20240208003
• VMware Releases Security Advisory for Aria Operations for Networks - 20240208002
• Shim Bootloader RCE Vulnerability - 20240208002
• VMware Releases Security Advisory for Aria Operations for Networks - 20240208001
• FortiSIEM - Citical Command Injection Vulnerabilities - 20240207003
• Critical Android Security Advisory - 20240207002
• CISA Adds One Known Exploited Vulnerability to Catalog - 20240207001
• Google Chrome Security Updates - 20240205002
• Juniper Networks Security Advisory - 20240205001
• Microsoft Edge Security Updates - 20240202003
• Docker Container Runtime Component Vulnerabilities - 20240202002
• CISA Known Exploited Catalog - 20240202001
• CISA Added Known Exploited Vulnerabilities to Catalog - 20240201001

WA SOC - Recent Threat Activity (March 2024)

Based on recent high impact incidents seen by the WA SOC, security teams should be focusing on the below areas of improvement:

WASOC Guidance targeted on recent threat activity

• Phishing campaigns that attempt to impersonate legitimate webpages "Spoofing" of organisations
• Publication on the SVR activity targeting Government cloud infrastructure. Review and adapt the SCuBA Toolset to validate security controls.

Recent WA SOC advisories this month worth staying across include:

• Fortinet Services
• XZ Utility

Agencies should review the latest NIST CSF 2.0 and the new AI Policy and Assurance Framework.

Security Hardening remains a focus for all organisations. Please refer to the below guides to ensure all external and internal sign-ins are appropriately monitored.

• ASD Blueprint for Secure Cloud (E8)