• Realm: Open-Source Adversary Emulation Framework
  "Realm is an open-source adversary emulation framework emphasizing scalability, reliability, and automation. It’s designed to handle engagements of any size. “Realm is unique in its custom interpreter written in Rust. This allows us to write complex TTPs as code. With these actions as code, defenders can replay attack actions, and red teams can create repositories of their TTPs and processes for multiple engagements. Realm is also extremely scalable! Group actions are easy to create in our Web GUI, allowing you to get information from multiple hosts at once,” a spokesperson for the project told Help Net Security."
  https://www.helpnetsecurity.com/2024/07/15/realm-open-source-adversary-emulation-framework/
  https://github.com/spellshift/realm

Vulnerabilities

• Critical Vulnerability Patched In Backup And Staging By WP Time Capsule Plugin
  "This blog post is about the WP Time Capsule plugin vulnerability. If you’re a WP Time Capsule plugin user, please update to at least version 1.22.21."
  https://patchstack.com/articles/critical-vulnerability-patched-in-backup-and-staging-by-wp-time-capsule-plugin/
  https://www.infosecurity-magazine.com/news/wp-time-capsule-plugin-flaw/
• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.CVE-2024-36401 OSGeo GeoServer GeoTools Eval Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2024/07/15/cisa-adds-one-known-exploited-vulnerability-catalog
• CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer In Zero-Day Attacks
  "Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched."
  https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html

Malware

• MuddyWater Threat Group Deploys New BugSleep Backdoor
  "CPR has been tracking MuddyWater, the Iranian threat group affiliated with the country’s Ministry of Intelligence and Security (MOIS), since 2019. Now, the group has significantly increased its activities in Israel since the beginning of the Israel-Hamas war in October 2023. In addition to their usual phishing campaigns, with malicious deployment of legitimate Remote Management Tools, MuddyWater has begun deploying a new, previously undocumented backdoor. This backdoor, which Check Point Research has named BugSleep, is being specifically used to target organizations in Israel."
  https://blog.checkpoint.com/research/muddywater-threat-group-deploys-new-bugsleep-backdoor/
  https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/
  https://www.bleepingcomputer.com/news/security/new-bugsleep-malware-implant-deployed-in-muddywater-attacks/
• SEXi Ransomware Rebrands To APT INC, Continues VMware ESXi Attacks
  "The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded under the name APT INC and has targeted numerous organizations in recent attacks. The threat actors started attacking organizations in February 2024 using the leaked Babuk encryptor to target VMware ESXi servers and the leaked LockBit 3 encryptor to target Windows. The cybercriminals soon gained media attention for a massive attack on IxMetro Powerhost, a Chilean hosting provider whose VMware ESXi servers were encrypted in the attack."
  https://www.bleepingcomputer.com/news/security/sexi-ransomware-rebrands-to-apt-inc-continues-vmware-esxi-attacks/
  https://www.darkreading.com/threat-intelligence/sexi-ransomware-rebrands-maintains-original-methods-of-operation
• Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01
  "The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed to take over Facebook accounts, steal credential information from affected users' browsers, and then leverage legitimate accounts to further the spread of the malware."
  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/facebook-malvertising-epidemic-unraveling-a-persistent-threat-sys01/
  https://www.trustwave.com/en-us/resources/library/documents/facebook-malvertising-epidemic-unraveling-a-persistent-threat-sys01/
  https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-themes-push-sys01-info-stealing-malware/
• Threat Spotlight: Attackers Abuse URL Protection Services To Mask Phishing Links
  "As defenders tighten their grip on the tools and techniques used in phishing attacks, adversaries are finding new ways to bypass detection and target potential victims. For example, many phishing attacks rely on convincing users to click on a compromised link that leads them to a webpage where attackers try to harvest their credentials."
  https://blog.barracuda.com/2024/07/15/threat-spotlight-attackers-abuse-url-protection-services
  https://www.infosecurity-magazine.com/news/attackers-exploit-url-protections/
• Beware Of The Latest Phishing Tactic Targeting Employees
  "Phishing attacks are becoming increasingly sophisticated, and the latest attack strategy targeting employees highlights this evolution. In this blog post, we’ll dissect a recent phishing attempt that impersonates a company’s Human Resources (HR) department, and we’ll provide detailed insights to help you recognize and avoid falling victim to such scams. This phishing email is designed to look like an official communication from your company’s HR department. It arrives in your inbox with a subject line that grabs attention, urging you to review the employee handbook."
  https://cofense.com/blog/beware-of-the-latest-phishing-tactic-targeting-employees/
• Malicious Python Packages Reveal Extensive Cybercriminal Operation Based In Iraq
  "Recently, malicious Python packages – uploaded to PyPI by user “dsfsdfds” – were found to be exfiltrating sensitive user data without consent, to a Telegram chat bot. The Telegram bot is linked to multiple cybercriminal operations based in Iraq. The bot has activity dating back to 2022 and contains over 90,000 messages, mostly in Arabic. The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data."
  https://checkmarx.com/blog/malicious-python-packages-reveal-extensive-cybercriminal-operation-based-in-iraq/
  https://www.darkreading.com/threat-intelligence/cybercriminal-ecosystem-flourishes-iraq
• Hacktivist Groups “People’s Cyber Army” And “HackNeT” Launch Trial DDoS Attacks On French Websites; Prior To The Onslaught During Paris Olympics
  "On June 23, 2024, Cyble Research & Intelligence Labs (CRIL) researchers noted that a Russian hacktivist group with a wide audience called “People​’s​ Cyber Army” (aka Народная Cyber Армия) and their allies HackNeT announced DDoS attacks on multiple French websites ahead of the Olympics. People’s Cyber Army stated that this attack was a “training DDoS attack.” This is the first documented attack on French websites by state-affiliated Russian hacktivists during the run-up to the Paris Olympics. People’s Cyber Army is linked to APT441 (commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard)."
  https://cyble.com/blog/hacktivist-groups-peoples-cyber-army-and-hacknet-launch-trial-ddos-attacks-on-french-websites-prior-to-the-onslaught-during-paris-olympics/
  https://www.darkreading.com/cyberattacks-data-breaches/trial-ddos-attacks-on-french-sites-portend-greater-olympics-threats
• Cybersecurity Stop Of The Month: Reeling In DarkGate Malware Attacks From The Beach
  "Last year, the number of malware attacks worldwide reached 6.08 billion. That’s a 10% increase compared with 2022. Why are cybercriminals developing so much malware? Because it is a vital tool to help them infiltrate businesses, networks or specific computers to steal or destroy sensitive data. or destroy sensitive data. There are many types of malware infections. Here are just three examples."
  https://www.proofpoint.com/us/blog/email-and-cloud-threats/darkgate-malware
  https://www.theregister.com/2024/07/16/darkgate_malware/

Breaches/Hacks/Leaks

• Binary Secret Scanning Helped Us Prevent (what Might Have Been) The Worst Supply Chain Attack You Can Imagine
  "The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious packages and leaked secrets. The team reports any findings to the relevant maintainers before attackers can take advantage of them."
  https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack/
  https://thehackernews.com/2024/07/github-token-leak-exposes-pythons-core.html

General News

• How Manufacturers Can Secure Themselves Against Cyber Threats
  "Manufacturers have been feeling urgency around cybersecurity for several years — and it's little wonder given their sector remains the No. 1 ransomware target. Ransomware attacks threaten to affect manufacturers by interrupting operations that ripple through supply chains, leading to significant financial losses through ransom payments, revenue decline, and recovery costs."
  https://www.darkreading.com/ics-ot-security/securing-manufacturers-against-cyber-threats
• Crypto Scammer Returns $9.27 Million Out Of $24M Crypto Theft
  "A crypto scammer has returned $9.27 million in stablecoins to a victim. This restitution, equating to 38.26% of the total stolen amount, was reported by Scam Sniffer, an anti-scam platform focused on the cryptocurrency industry. Scam Sniffer disclosed the details of this unusual event on its official X account, revealing that the original theft occurred in September 2023. During this incident, the victim lost $24.23 million in various crypto assets, including rETH and stETH coins."
  https://hackread.com/crypto-scammer-returns-9m-24m-crypto-theft/
• Risk Related To Non-Human Identities: Believe The Hype, Reject The FUD
  "The hype surrounding unmanaged and exposed non-human identities (NHIs), or machine-to-machine credentials – such as service accounts, system accounts, certificates and API keys – has recently skyrocketed. A steady stream of NHI-related breaches is causing some of the chatter surrounding NHI risk to veer into FUD (fear, uncertainty and doubt). Given the rate at which NHis are outnumbering human identities – by some reports by as much as 45-to-1 – the hype seems warranted. The FUD, however, is not."
  https://www.helpnetsecurity.com/2024/07/15/non-human-identities-nhi-risk/
• Discover The Growing Threats To Data Security
  "In this Help Net Security interview, Pranava Adduri, CEO at Bedrock Security, discusses how businesses can identify and prioritize their data security risks. Adduri emphasizes the necessity of ongoing monitoring and automation to keep up with evolving threats and maintain the shortest possible MTTD/MTTR. He also discusses the role of AI in enhancing security measures while acknowledging the new risks it introduces."
  https://www.helpnetsecurity.com/2024/07/15/pranava-adduri-bedrock-security-data-security-risks/
• Pressure Mounts For C-Suite Executives To Implement GenAI Solutions
  "87% of C-Suite executives feel under pressure to implement GenAI solutions at speed and scale, according to RWS. Despite these pressures, 76% expressed an overwhelming excitement across their organization for the potential benefits of GenAI."
  https://www.helpnetsecurity.com/2024/07/15/genai-organizations-approach/
• Cybersecurity Crisis Communication: What To Do
  "Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication."
  https://securityintelligence.com/articles/cybersecurity-crisis-communication-what-to-do/
• 10,000 Victims a Day: Infostealer Garden Of Low-Hanging Fruit
  "Imagine you could gain access to any Fortune 100 company for $10 or less, or even for free. Terrifying thought, isn't it? Or exciting, depending on which side of the cybersecurity barricade you are on. Well, that's basically the state of things today. Welcome to the infostealer garden of low-hanging fruit. Over the last few years, the problem has grown bigger and bigger, and only now are we slowly learning its full destructive potential. In this article, we will describe how the entire cybercriminal ecosystem operates, the ways various threat actors exploit data originating from it, and most importantly, what you can do about it."
  https://thehackernews.com/2024/07/10000-victims-day-infostealer-garden-of.html
• Tether Freezes $29 Million Of Cryptocurrency Connected To Cambodian Marketplace Accused Of Fueling Scams
  "The cryptocurrency company Tether has frozen more than 29 million of its stablecoins reportedly connected to a massive Cambodian online marketplace offering up services for so-called pig butchering scams. Researchers from Elliptic last week pulled back the curtain on Huione Guarantee, documenting how the online marketplace has become a critical ecosystem for cybercriminal operations in Southeast Asia. Merchants across thousands of instant messaging channels sell money laundering services, deepfake technology, stolen data and even equipment like shackles for restraining trafficked workers, with Huione acting as a guarantor for all transactions. Over three years, the researchers tracked $11 billion in transactions on the platform they believe to be connected to scams."
  https://therecord.media/tether-freezes-29-million-crypto-connected-to-scam-marketplace
  https://www.itnews.com.au/news/north-korean-hackers-sent-stolen-crypto-to-wallet-used-by-asian-payment-firm-609780
• ZDI Shames Microsoft For – Yet Another – Coordinated Vulnerability Disclosure Snafu
  "A Microsoft zero-day vulnerability that Trend Micro's Zero Day Initiative team claims it found and reported to Redmond in May was disclosed and patched by the Windows giant in July's Patch Tuesday – but without any credit given to ZDI. The flaw, tracked as CVE-2024-38112, is in MSHTML aka Trident aka Microsoft's proprietary browser engine for Internet Explorer. Redmond called it a spoofing vulnerability, noted that it was being exploited in the wild, and assigned it a 7.5-out-of-10 CVSS severity score."
  https://www.theregister.com/2024/07/15/zdi_microsoft_vulnerability/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

• CVE-2024-38112
• CVE-2024-38080
• CVE-2024-23692

อ้างอิง
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

• MySCADA MyPRO
  "Successful exploitation of this vulnerability could allow an attacker to remotely execute code on the affected device."
  https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02

• Johnson Controls Kantech Door Controllers
  "Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive information."
  https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-01

• ICONICS And Mitsubishi Electric Products
  "Successful exploitation of these vulnerabilities could result in denial of service, improper privilege management, or potentially remote code execution."
  https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03

Vulnerabilities

• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  CVE-2024-20399 Cisco NX-OS Command Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2024/07/02/cisa-adds-one-known-exploited-vulnerability-catalog

• Securing Passkeys: Thwarting Authentication Method Redaction Attacks
  "In the past year, the uptake of passkeys has surged, with industry giants such as Apple, Microsoft and Google championing their adoption. Joe Stewart, Principal Security Researcher with eSentire’s Threat Response Unit (TRU), has been reviewing many of the leading software providers’ implementation of passkey technology and their current “authentication process.”"
  https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks
  https://www.darkreading.com/cloud-security/passkey-redaction-attacks-subvert-github-microsoft-authentication

• Splunk Patches High-Severity Vulnerabilities In Enterprise Product
  "Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs. Three of the high-severity issues are remote code execution flaws that require authentication for successful exploitation. The first of them, tracked as CVE-2024-36985, could be exploited by a low-privileged user through a lookup that likely references the ‘splunk_archiver’ application. The issue affects Splunk Enterprise versions 9.2.x, 9.1.x, and 9.0.x."
  https://www.securityweek.com/splunk-patches-high-severity-vulnerabilities-in-enterprise-product/

• Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug
  "Google has released patches for 25 documented security vulnerabilities in the Android operating system, including a critical-severity flaw in the Framework component. The critical bug, tracked as CVE-2024-31320, impacts Android versions 12 and 12L and allows an attacker to escalate privileges on a vulnerable device. “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed,” Google explains in an advisory."
  https://www.securityweek.com/google-patches-25-android-flaws-including-critical-privilege-escalation-bug/

Malware

• Hijacked: How Hacked YouTube Channels Spread Scams And Malware
  "As one of today’s most popular social media platforms, YouTube is often in the crosshairs of cybercriminals who exploit it to peddle scams and distribute malware. The lures run the gamut, but often involve videos posing as tutorials about popular software or ads for crypto giveaways. In other scenarios, fraudsters embed links to malicious websites in video descriptions or comments, disguising them as genuine resources related to the video’s content."
  https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-scams-malware/

Breaches/Hacks/Leaks

• Patelco Shuts Down Banking Systems Following Ransomware Attack
  "Patelco Credit Union has disclosed it experienced a ransomware attack that led to the proactive shutdown of several of its customer-facing banking systems to contain the incident's impact. Patelco is an American credit union with assets exceeding $9 billion. It offers a wide range of financial services, including checking and savings accounts, loans, credit cards, investment services, and insurance plans."
  https://www.bleepingcomputer.com/news/security/patelco-shuts-down-banking-systems-following-ransomware-attack/

• Affirm Says Cardholders Impacted By Evolve Bank Data Breach
  "Buy now, pay later loan company Affirm is warning that holders of its payment cards had their personal information exposed due to a data breach at its third-party issuer, Evolve Bank & Trust (Evolve). Affirm is a fintech firm that provides consumer-friendly alternatives to traditional credit options. It also offers point-of-sale financing, virtual cards on a mobile app, and a fully integrated physical card called the 'Affirm Card.'"
  https://www.bleepingcomputer.com/news/security/affirm-says-cardholders-impacted-by-evolve-bank-data-breach/
  https://therecord.media/affirm-lender-data-breach-evolve-bank-cyberattack
  https://techcrunch.com/2024/07/01/fintech-company-wise-says-some-customers-affected-by-evolve-bank-data-breach/
  https://www.darkreading.com/cyberattacks-data-breaches/fintech-frenzy-affirm-and-others-emerge-as-victims-in-evolve-breach
  https://www.bankinfosecurity.com/evolve-ransomware-hack-affects-affirm-fintech-companies-a-25680
  https://www.securityweek.com/evolve-bank-shares-data-breach-details-as-fintech-firms-report-being-hit/
  https://securityaffairs.com/165130/cyber-crime/evolve-bank-data-breach-impacted-wise-affirm.html
  https://www.theregister.com/2024/07/02/affirm_evolve_ransomware_breach/

General News

• The Impossibility Of “getting Ahead” In Cyber Defense
  "As a security professional, it can be tempting to believe that with sufficient resources we can achieve of state of parity, or even relative dominance, over cyber attackers. After all, if we got to an ideal state – fully staffed teams of highly capable experts, enough funding to buy the best defensive tools, and a fully mature defensive operation – why wouldn’t we be able to get to an ideal “secure” state? It seems reasonable enough."
  https://www.helpnetsecurity.com/2024/07/02/getting-ahead-resilience/

• Stress-Testing Our Security Assumptions In a World Of New & Novel Risks
  "Categorizing and stress-testing fundamental assumptions is a necessary exercise for any leader interested in ensuring long-term security and resilience in the face of an uncertain future."
  https://www.darkreading.com/vulnerabilities-threats/stress-testing-our-security-assumptions-new-novel-risks

• What Cybersecurity Defense Looks Like For School Districts
  "Dark Reading chats with Johnathan Kim, director of technology at the Woodland Hills School District in North Braddock, Penn., about why cybercriminals target schools — and what they can do about it."
  https://www.darkreading.com/cybersecurity-operations/what-cybersecurity-defense-looks-like-for-school-districts

• Ransomware Attack Demands Reach a Staggering $5.2m In 2024
  "The average extortion demand per ransomware attack was over $5.2m (£4.1m) in the first half of 2024, according to a new analysis by Comparitech. This figure was calculated from 56 known ransom demands issued by threat actors from January-June 2024. The biggest of these was a $100m (£78.9m) ransom following an attack on India’s Regional Cancer Center (RCC) in April 2024."
  https://www.infosecurity-magazine.com/news/ransomware-demands-staggering-5m/

• Election 2024 Mobile Political Spam Volume Jumps 3X Compared With 2022 Midterms
  "U.S. voters’ appetite for digital information about the 2024 presidential election is growing. But as they consume news via digital media, including from mobile messaging channels, they must keep in mind that cybercriminals may be impersonating the sources that they trust."
  https://www.proofpoint.com/us/blog/email-and-cloud-threats/election-2024-mobile-political-spam-volume-jumps-3x-compared-2022
  https://www.infosecurity-magazine.com/news/political-spam-surges-threefold/

• It All Adds Up: Pretexting In Executive Compromise
  "Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords."
  https://securityintelligence.com/articles/pretexting-in-executive-compromise-social-engineering/

• From The SOC To Everyday Success: Data-Driven Life Lessons From a Security Analyst
  "Many of you have likely noticed that I enjoy looking for life lessons in the real-world that we can apply to the challenges we face in the security domain. In this piece, I’d like to take the opposite approach. I’d like to try and take the lessons I learned during my time as a security analyst working in various Security Operations Centers (SOCs) and apply them to life. My reason for this is simple. I believe that as security professionals, the healthier and happier we are, the better able we are to protect our respective organizations."
  https://www.securityweek.com/from-the-soc-to-everyday-success-data-driven-life-lessons-from-a-security-analyst/

• Caught In The Net: Using Infostealer Logs To Unmask CSAM Consumers
  "In this proof-of-concept report, Recorded Future's Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action."
  https://www.recordedfuture.com/caught-in-the-net-using-infostealer-logs-to-unmask-csam-consumers
  https://go.recordedfuture.com/hubfs/reports/cta-2024-0702.pdf
  https://therecord.media/stolen-credentials-csam-unmasked-report

• 3 Ways To Chill Attacks On Snowflake
  "Multifactor authentication is a good first step, but businesses should look to collect and analyze data to hunt for threats, manage identities more closely, and limit the impact of attacks."
  https://www.darkreading.com/cybersecurity-operations/three-ways-to-chill-attacks-on-snowflake

อ้างอิง
Electronic Transactions Development Agency(ETDA)

การใช้ประโยชน์จากช่องโหว่การแทรก SQL ในสคริปต์ facebookConnect.php Ajax ของ pkfacebook ช่วยให้ผู้โจมตีจากระยะไกลสามารถปลอมแปลงการโจมตีการแทรก SQL และเข้าถึงฐานข้อมูล PrestaShop ที่เกี่ยวข้องโดยไม่ได้รับอนุญาต ซึ่งช่องโหว่นี้มีผลกับทุกเวอร์ชันก่อนหน้า 1.0.1 เนื่องจากทุกเวอร์ชันได้รับการพิจารณาว่าอาจได้รับผลกระทบ เราขอแนะนำให้ผู้ใช้และผู้ดูแลระบบของเว็บไซต์ PrestaShop

แนะนำอัปเดตเป็น pkfacebook เวอร์ชันล่าสุด ซึ่งจะปิดใช้งานการดำเนินการหลายคำค้นหาตรวจสอบให้แน่ใจว่า มีการใช้ pSQL เพื่อหลีกเลี่ยงช่องโหว่ Stored XSS เนื่องจากมีฟังก์ชัน strip_tags เพื่อเพิ่มความปลอดภัยแก้ไขคำนำหน้า " ps_ " เริ่มต้นให้ยาวขึ้นตามต้องการเพื่อปรับปรุงความปลอดภัยเปิดใช้งาน กฎ OWASP 942 บน Web Application Firewall (WAF)

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-074

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ที่มาแหล่งข่าว
https://thehackernews.com/2024/06/nicerat-malware-targets-south-korean.html

• New ARM 'TIKTAG' Attack Impacts Google Chrome, Linux Systems
  "A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. The paper, co-signed by a team of Korean researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, demonstrates the attack against Google Chrome and the Linux kernel. MTE is a feature added in the ARM v8.5-A architecture (and later), designed to detect and prevent memory corruption."
  https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impacts-google-chrome-linux-systems/
  https://arxiv.org/pdf/2406.08719
  https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/

Malware

• Malicious Emails Trick Consumers Into False Election Contributions
  "Major regional and global events – such as military exercises, political or economic summits, political conventions, and elections – drove cyber threat activities, according to Trellix."
  https://www.helpnetsecurity.com/2024/06/17/global-cyber-threat-activities/

• Backdoor BadSpace Delivered By High-Ranking Infected Websites
  "Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the BadSpace backdoor. What is this new threat capable of, and how is it eerily similar to a warm cookie?"
  https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
  https://thehackernews.com/2024/06/hackers-exploit-legitimate-websites-to.html

• From Clipboard To Compromise: A PowerShell Self-Pwn
  "Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware. Threat actors including initial access broker TA571 and at least one fake update activity set are using this method to deliver malware including DarkGate, Matanbuchus, NetSupport, and various information stealers."
  https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
  https://www.bleepingcomputer.com/news/security/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts/
  https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/

• China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers For Persistence
  "In late 2023, a large organization was the victim of a serious cyber attack. Sygnia’s forensic investigation into the attack revealed a sophisticated threat actor who exhibited robust capabilities and employed a methodical approach. The evidence gathered suggests the involvement of a China-nexus state-sponsored threat actor."
  https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
  https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/
  https://thehackernews.com/2024/06/china-linked-hackers-infiltrate-east.html
  https://www.darkreading.com/cyberattacks-data-breaches/china-velvet-ant-apt-multiyear-espionage
  https://securityaffairs.com/164598/apt/velvet-ant-malware-target-f5-big-ip.html

Breaches/Hacks/Leaks

• Los Angeles Public Health Department Discloses Large Data Breach
  "Los Angeles County Department of Public Health (DPH) has disclosed a data breach impacting more than 200,000 individuals. The data stolen includes personal, medical and financial information. The incident, which took place between February 19 and 20, 2024, was caused by an attacker gaining the log-in credentials of 53 Public Health employees through a phishing email."
  https://www.infosecurity-magazine.com/news/los-angeles-health-data-breach/
  https://www.darkreading.com/remote-workforce/la-county-dept-of-public-health-data-breach-impacts-200k
  https://securityaffairs.com/164585/data-breach/la-countys-department-of-public-health-dph-data-breach.html
  https://www.securityweek.com/200000-impacted-by-data-breach-at-los-angeles-county-public-health-agency/

General News

• Low Code, High Stakes: Addressing SQL Injection
  "Like a bad movie that seems to go on forever, SQL injection (SQLi) attacks have lingered since the late 1990s. Due to various factors, they remain the third most common source of web application vulnerabilities. Reasons include human error, new technologies that lack mature code, and a growing use of open-source code that diminishes control for developers."
  https://www.helpnetsecurity.com/2024/06/17/sqli-attacks/

• The Rise Of SaaS Security Teams
  "In this Help Net Security interview, Hillary Baron, Senior Technical Director for Research at CSA, highlights that the recent surge in organizations establishing dedicated SaaS security teams is driven by significant data breaches involving widely used platforms."
  https://www.helpnetsecurity.com/2024/06/17/hillary-baron-csa-saas-security-teams/

• Empire Market Owners Charged For Enabling $430M In Dark Web Transactions
  "Two men have been charged in a Chicago federal court for operating "Empire Market," a dark web marketplace that facilitated over $430 million in illegal transactions between February 2018 and August 2020. Empire Market was a popular dark web marketplace that sold illegal drugs, chemicals, jewelry, credit card numbers, counterfeit money bills, malware, and other illicit goods, offering payment options including Monero, Litecoin, and Bitcoin."
  https://www.bleepingcomputer.com/news/legal/empire-market-owners-charged-for-enabling-430m-in-dark-web-transactions/
  https://therecord.media/empire-market-suspects-charged-potential-life-sentences
  https://securityaffairs.com/164619/deep-web/empire-market-owners-charged.html
  https://www.theregister.com/2024/06/17/empire_market_arrests/

• Hackers Plead Guilty After Breaching Law Enforcement Portal
  "Two hackers pleaded guilty Monday in federal court to conspiring to commit computer intrusion and aggravated identity theft. Authorities said they used a law enforcement officer's stolen password to gain unauthorized access to a nonpublic portal maintained by a U.S. law enforcement agency, according to the Justice Department."
  https://www.bankinfosecurity.com/hackers-plead-guilty-after-breaching-law-enforcement-portal-a-25544

• Ratted Out: Group-IB Contributes To Operation DISTANTHILL Leading To The Arrest Of 16 Cybercriminals Behind The Android Remote Access Trojan Campaigns Resulting In Over US$25 Million In Financial Losses Across Southeast Asia
  "Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today that it contributed to a joint operation by the Singapore Police Force (SPF), the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP). Dubbed “Operation DISTANTHILL”, it culminated in the arrest of the cyber fraud syndicates that were responsible for an Android Remote Access Trojan (RAT) campaign which gained notoriety in Singapore and Hong Kong in 2023. In the lead-up to the operation, Group-IB spent months collecting and analysing the data derived from the Android trojans, uncovering the scale of the cybercriminals network used for attacks and its administrators."
  https://www.group-ib.com/media-center/press-releases/operation-distanthill/
  https://www.bankinfosecurity.com/police-dismantle-asian-crime-ring-behind-25m-android-fraud-a-25541

• Addressing Misinformation In Critical Infrastructure Security
  "The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure."
  https://www.darkreading.com/cyber-risk/addressing-misinformation-in-critical-infrastructure-security

• Space: The Final Frontier For Cyberattacks
  "A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race."
  https://www.darkreading.com/cyber-risk/space-final-frontier-cyberattacks

• Academics Develop Testing Benchmark For LLMs In Cyber Threat Intelligence
  "Large language models (LLMs) are increasingly used for cyber defense applications, although concerns about their reliability and accuracy remain a significant limitation in critical use cases. A team of researchers from the Rochester Institute of Technology (RIT) launched CTIBench, the first benchmark designed to assess the performance of LLMs in cyber threat intelligence applications."
  https://www.infosecurity-magazine.com/news/testing-benchmark-llm-cyber-threat/

• Online Job Offers, The Reshipping And Money Mule Scams
  "Often, behind these enticing offers are pyramid schemes in which profits are generated through the recruitment of new participants, rather than through actual service, sometimes even causing significant financial losses. Other false offers may require initial investment without ever seeing a significant return or promise job opportunities with hidden fees. t is into this scenario that illicit practices such as moneny mules and reshipping scams can fit."
  https://securityaffairs.com/164566/security/online-job-offers-reshipping-money-mule-scams.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ที่มาแหล่งข่าว
https://www.bleepingcomputer.com/news/security/london-hospitals-face-blood-shortage-after-synnovis-ransomware-attack/

• ICS Patch Tuesday: Advisories Published By Siemens, Schneider Electric, Aveva, CISA
  "Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their industrial and OT products."
  https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siemens-schneider-electric-aveva-cisa/

• NIST Publishes Draft OT Cybersecurity Guide For Water Sector
  "Networked control systems in municipal water systems are inescapable even for the localities that would prefer otherwise. New equipment with default remote access and an over-stretched repair workforce mean cutting off municipal water systems from the internet isn't a real option."
  https://www.bankinfosecurity.com/nist-publishes-draft-ot-cybersecurity-guide-for-water-sector-a-25505
  https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/securing-water-and-wastewater-utilities-project-description-final.pdf

• Rockwell's ICS Directive Comes As Critical Infrastructure Risk Peaks
  "Citing "heightened geopolitical tensions and adversarial cyber activity globally," industrial control systems (ICS) giant Rockwell Automation last month took the unusual step of telling its customers to disconnect their gear from the Internet. The move showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say."
  https://www.darkreading.com/ics-ot-security/rockwell-ics-directive-critical-infrastructure-risk-peaks

Vulnerabilities

• Google Warns Of Actively Exploited Pixel Firmware Zero-Day
  "Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue. "There are indications that CVE-2024-32896 may be under limited, targeted exploitation," the company warned this Tuesday."
  https://www.bleepingcomputer.com/news/security/google-warns-of-actively-exploited-pixel-firmware-zero-day/
  https://source.android.com/docs/security/bulletin/pixel/2024-06-01
  https://www.securityweek.com/google-warns-of-pixel-firmware-zero-day-under-limited-targeted-exploitation/

• Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities
  "Google and Mozilla on Tuesday announced the release of Chrome 126 and Firefox 127 to the stable channel with patches for multiple high-severity memory safety vulnerabilities. Chrome 126 includes 21 security fixes, including 18 for defects reported by external researchers. The reporting researchers, Google notes in its advisory, received over $160,000 in bug bounty rewards for their findings."
  https://www.securityweek.com/chrome-126-firefox-127-patch-high-severity-vulnerabilities/

• CISA Adds Two Known Exploited Vulnerabilities To Catalog
  "CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
  CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability"
  https://www.cisa.gov/news-events/alerts/2024/06/12/cisa-adds-two-known-exploited-vulnerabilities-catalog
  https://securityaffairs.com/164488/hacking/cisa-adds-arm-mali-gpu-kernel-driver-php-bugs-to-its-known-exploited-vulnerabilities-catalog.html

Malware

• Attacks Against Linux SSH Services Detected By AhnLab EDR
  "Secure SHell (SSH) is a standard protocol for secure terminal connections and is generally used for controlling remote Linux systems. Unlike Windows OS that individual users use for desktops, Linux systems mainly fulfill the role of servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports these services as a server."
  https://asec.ahnlab.com/en/66695/

• Bondnet Using Miner Bots As C2
  "Bondnet first became known to the public in an analysis report published by GuardiCore in 20171 and Bondnet’s backdoor was covered in an analysis report on XMRig miner targeting SQL servers released by DFIR Report in 20222. There has not been any information on the Bondnet threat actor’s activities thereon, but it was confirmed that they had continued their attacks until recent times."
  https://asec.ahnlab.com/en/66662/

• Phone Scammers Impersonating CISA Employees
  "Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret."
  https://www.cisa.gov/news-events/alerts/2024/06/12/phone-scammers-impersonating-cisa-employees
  https://www.bleepingcomputer.com/news/security/cisa-warns-of-criminals-impersonating-its-employees-in-phone-calls/
  https://www.bankinfosecurity.com/fraudsters-impersonate-cisa-in-money-scams-a-25501

• New Phishing Toolkit Uses PWAs To Steal Login Credentials
  "A new phishing kit has been released that allows red teamers and cybercriminals to create progressive web Apps (PWAs) that display convincing corporate login forms to steal credentials. A PWA is a web-based app created using HTML, CSS, and JavaScript that can be installed from a website like a regular desktop application. Once installed, the operating system will create a PWA shortcut and add it to Add or Remove Programs in Windows and under the /Users//Applications/ folder in macOS."
  https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-uses-pwas-to-steal-login-credentials/

• Ransomware Attackers May Have Used Privilege Escalation Vulnerability As Zero-Day
  "The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. The vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges. The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day."
  https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
  https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html
  https://therecord.media/black-basta-ransomware-zero-day-windows
  https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/
  https://www.securityweek.com/ransomware-group-may-have-exploited-windows-vulnerability-as-zero-day/
  https://www.theregister.com/2024/06/12/black_basta_ransomware_windows/

• Search & Spoof: Abuse Of Windows Search To Redirect To Malware
  "Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors. Let’s break down the HTML and the Windows search code to better understand their roles in the attack chain."
  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/search-spoof-abuse-of-windows-search-to-redirect-to-malware/
  https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/

• The Evolution Of QR Code Phishing: ASCII-Based QR Codes
  "Quishing—QR code phishing—is a rapidly evolving threat. Starting around August, when we saw the first rapid increase, we’ve also seen a change in the type of QR code attacks. It started with standard MFA authentication requests. It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of QR codes."
  https://blog.checkpoint.com/harmony-email/the-evolution-of-qr-code-phishing-ascii-based-qr-codes/

• STR RAT – Phishing Malware Baseline
  "STR RAT is a remote access trojan (RAT) written in Java that was first seen in 2020. Like other RATs, it gives threat actors full control when it is successfully installed onto a machine. STR RAT is capable of keylogging, stealing credentials, and even delivering additional malicious payloads. The malware receives a version update every year, on average. These updates correlate with the renewed use of STR RAT by threat actors. Currently, 60% of the STR RAT samples that Cofense analyzed from January 2023 to April 2024 are delivered directly to the email as opposed to an embedded link."
  https://cofense.com/blog/str-rat-phishing-malware-baseline/

• Worldwide Web: An Analysis Of Tactics And Techniques Attributed To Scattered Spider
  "In early 2024, we identified a current affiliate of the RansomHub RaaS group as a former Alphv/Black Cat affiliate. We assess with high confidence that the same affiliate is a present or former affiliate of the Scattered Spider threat group, also tracked as UNC3944, Muddled Libra, Octo Tempest, Scatter Swine, and Starfraud. Our high-confidence assessment is based on the following pieces of evidence observed by GuidePoint’s DFIR and GRIT practices:"
  https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/
  https://www.darkreading.com/threat-intelligence/ransomhub-brings-scattered-spider-into-its-raas-fold
  https://www.infosecurity-magazine.com/news/scattered-spider-affiliated/

• Self-Replicating Morris II Worm Targets AI Email Assistants
  "The proliferation of generative artificial intelligence (GenAI) email assistants such as OpenAI’s GPT-3 and Google’s Smart Compose has revolutionized communication workflows. Unfortunately, it has also introduced novel attack vectors for cyber criminals. Leveraging recent advancements in AI and natural language processing, malicious actors can exploit vulnerabilities in GenAI systems to orchestrate sophisticated cyberattacks with far-reaching consequences. Recent studies have uncovered the insidious capabilities of self-replicating malware, exemplified by the “Morris II” strain created by researchers."
  https://securityintelligence.com/posts/morris-ii-self-replicating-malware-genai-email-assistants/

• Pause Off My Cluster: DERO Cryptojacking Takes a New Shape
  "We have detected a new variant of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters in our customers’ cloud environments. In this incident, the threat actor abused anonymous access to an Internet-facing cluster to launch malicious container images hosted at Docker Hub, some of which have more than 10,000 pulls. These docker images contain a UPX-packed DERO miner named "pause"."
  https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
  https://thehackernews.com/2024/06/cryptojacking-campaign-targets.html

Breaches/Hacks/Leaks

• Life360 Says Hacker Tried To Extort Them After Tile Data Breach
  "Safety and location services company Life360 says it was the target of an extortion attempt after a threat actor breached and stole sensitive information from a Tile customer support platform. Life360 provides real-time location tracking, crash detection, and emergency roadside assistance services to more than 66 million members worldwide. In December 2021, it acquired Bluetooth tracking service provider Tile in a $205 million deal."
  https://www.bleepingcomputer.com/news/security/life360-says-hacker-tried-to-extort-them-after-tile-data-breach/
  https://www.theregister.com/2024/06/13/tile_life360_extortion/

• Toronto School Board Reports Ransomware Attack On Test Environment
  "Hackers attempted to attack a technology testing environment used by the Toronto District School Board (TDSB) with ransomware, officials said Wednesday. The school board is the largest in Canada and manages 582 schools for about 235,000 students."
  https://therecord.media/toronto-school-board-ransomware-attack

General News

• Forced-Labor Camps Fuel Billions Of Dollars In Cyber Scams
  "Greater collaboration between financial and law enforcement officials is needed to dismantle cybercrime scam centers in Cambodia, Laos, and Myanmar, which rake in tens of billions of dollars annually — and affect victims worldwide."
  https://www.darkreading.com/cyber-risk/forced-labor-camps-fuel-billions-of-dollars-in-cyber-scams

• Open-Source Security In AI
  "New AI products are coming onto the market faster than we have seen in any previous technology revolution. Companies’ free access and right to use open source in AI software models has allowed them to prototype an AI product to market cheaper than ever and at hypersonic speed."
  https://www.helpnetsecurity.com/2024/06/12/ai-open-source-security/

• Security And Privacy Strategies For CISOs In a Mobile-First World
  "In this Help Net Security interview, Jim Dolce, CEO at Lookout, discusses securing mobile devices to mitigate escalating cloud threats. He emphasizes that organizations must shift their approach to data security, acknowledging the complexities introduced by mobile access to cloud-based corporate data."
  https://www.helpnetsecurity.com/2024/06/12/jim-dolce-lookout-securing-mobile-devices/

• Police Arrest Conti And LockBit Ransomware Crypter Specialist
  "The Ukraine cyber police have arrested a 28-year-old Russian man in Kyiv for working with Conti and LockBit ransomware operations to make their malware undetectable by antivirus software and conducting at least one attack himself. The investigation was backed by information shared by the Dutch police who responded to a ransomware attack on a Dutch multinational, followed by data-theft extortion."
  https://www.bleepingcomputer.com/news/security/police-arrest-conti-and-lockbit-ransomware-crypter-specialist/
  https://therecord.media/ukraine-suspected-lockbit-conti-affiliate
  https://www.darkreading.com/cyberattacks-data-breaches/lockbit-and-conti-ransomware-hacker-busted-in-ukraine
  https://securityaffairs.com/164475/breaking-news/developer-crypter-conti-lockbit-ransomware.html

• Mass Exploitation: The Vulnerable Edge Of Enterprise Security
  "The cyber threat landscape in 2023 and so far 2024 has been dominated by mass exploitation. Previous WithSecure reporting on the professionalization of cybercrime noted the growing importance of mass exploitation as an infection vector, but the volume and severity of this vector have now truly exploded. Several recent reports indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents, and there has been a rapid tempo of security incidents caused by mass exploitation of vulnerable software including, but not limited to: MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect."
  https://labs.withsecure.com/publications/mass-exploitation-the-vulnerable-edge-of-enterprise-security
  https://www.infosecurity-magazine.com/news/withsecure-exploitation-edge/

• 70% Of Cybersecurity Pros Often Work Weekends, 64% Looking For New Jobs
  "Over 70% of cybersecurity professionals often have to work weekends to address security concerns at their organization, according to a new report by Bitdefender. This intense workload appears to correlate strongly with job dissatisfaction, with around two-thirds (64%) of the 1200 cyber professionals surveyed stating that they are planning on looking for a new job in the next 12 months."
  https://www.infosecurity-magazine.com/news/cyber-pros-weekends-new-jobs/

• Lessons From The Ticketmaster-Snowflake Breach
  "Last week, the notorious hacker gang, ShinyHunters, sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million Ticketmaster users. This colossal breach, with a price tag of $500,000, could expose the personal information of a massive swath of the live event company's clientele, igniting a firestorm of concern and outrage."
  https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html

• White House Report Dishes Deets On All 11 Major Government Breaches From 2023
  "The number of cybersecurity incidents reported by US federal agencies rose 9.9 percent year-on-year (YoY) in 2023 to a total of 32,211, per a new White House report, which also spilled the details on the most serious incidents suffered across the government. Of the total number of incidents, the majority (38 percent) were classed as "improper usage," meaning a system was used in a way that violated the agency's acceptable use policies. The report stated that agencies have the capability to detect when security policies are being violated, but not the ability to prevent it from actually happening."
  https://www.theregister.com/2024/06/12/white_house_report/
  https://www.whitehouse.gov/wp-content/uploads/2024/06/FY23-FISMA-Report.pdf

อ้างอิง
Electronic Transactions Development Agency(ETDA)

การใช้ประโยชน์จากช่องโหว่ที่ประสบความสำเร็จอาจทำให้ผู้โจมตีที่ไม่ได้รับอนุญาตสามารถดำเนินการยกระดับสิทธิ์ได้

ช่องโหว่นี้ส่งผลต่อผลิตภัณฑ์ Pixel ที่รองรับทั้งหมด

ผู้ใช้งานผลิตภัณฑ์ที่ได้รับผลกระทบควรอัปเดตเป็นเวอร์ชันล่าสุดทันที
หากต้องการใช้การอัปเดตความปลอดภัย ผู้ใช้งาน Pixel ควรไปที่ การตั้งค่า > ความปลอดภัยและความเป็นส่วนตัว > ระบบและการอัปเดต > การอัปเดตความปลอดภัยแตะ ติดตั้งและรีสตาร์ทอุปกรณ์เพื่อดำเนินการอัปเดตให้เสร็จสิ้น

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-070

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

ที่มาแหล่งข่าว
https://www.helpnetsecurity.com/2024/06/05/cyber-threat-landscape-statistics-2024/

ที่มาแหล่งข่าว
https://thehackernews.com/2024/06/chinese-state-backed-cyber-espionage.html

การใช้บริการ VPN อาจมีฟีเจอร์ด้านความปลอดภัยที่กล่าวมาข้างต้น แต่การรับส่งข้อมูลผู้ใช้งานยังคงถูกกำหนดเส้นทางไปยังอินเทอร์เน็ตผ่านเซิร์ฟเวอร์ VPN ซึ่งทำให้เกิดความล้มเหลวเพียงจุดเดียว หากผู้โจมตีประสบความสำเร็จในการบุกรุกเซิร์ฟเวอร์ VPN ด้วยการโจมตีแบบ bruteforce หรือโดยการใช้ประโยชน์จากช่องโหว่หรือการกำหนดค่าที่ไม่ถูกต้อง การรักษาความลับและความสมบูรณ์ของข้อมูลของผู้ใช้งานที่ถูกส่งไปยังอินเทอร์เน็ตอาจยังคงได้รับผลกระทบอยู่

ผู้โจมตียังถูกพบว่ากระจายมัลแวร์โดยปลอมแปลงเป็นบริการ VPN ฟรี เมื่อเหยื่อที่ไม่สงสัยติดตั้งมัลแวร์นี้ พร็อกซีที่อยู่อาศัยจะถูกสร้างขึ้น ซึ่งช่วยให้ผู้โจมตีสามารถช่องทางการรับส่งข้อมูลอินเทอร์เน็ตผ่านที่อยู่ IP ของอุปกรณ์ที่ติดไวรัสเหล่านี้ เพื่อปกปิดแหล่งที่มาของกิจกรรมที่เป็นอันตราย พร็อกซีที่อยู่อาศัยเหล่านี้อาจถูกเช่าให้กับผู้โจมตีรายอื่นโดยมีค่าธรรมเนียมในการโจมตีทางไซเบอร์

คำแนะนำสำหรับผู้ใช้งานควรพิจารณาที่สำคัญเมื่อเลือกบริการ VPN และขั้นตอนที่สามารถทำได้เพื่อกำหนดค่าและทดสอบบริการ VPN ที่เลือก

วิธีเลือกผู้ให้บริการ VPN ที่เหมาะสม

เนื่องจากความพร้อมใช้งานอย่างแพร่หลายของบริการ VPN ทั้งแบบชำระเงินและฟรี จึงควรพิจารณาเงื่อนไขต่อไปนี้เมื่อเลือกผู้ให้บริการ VPN ที่เหมาะสมที่สุดที่ตรงกับความต้องการของคุณมากที่สุด:

ชื่อเสียงของผู้ให้บริการ VPN

ใช้บริการ VPN ที่ให้บริการโดยผู้ให้บริการที่มีชื่อเสียงเสมอ และดาวน์โหลดซอฟต์แวร์ VPN จากแหล่งที่เป็นทางการ เช่น เว็บไซต์ของผู้ให้บริการ Google Play Store หรือ Apple App Store ผู้ให้บริการที่ก่อตั้งขึ้นซึ่งมีชื่อเสียงที่ดีมักจะมีประวัติที่ดีในการแก้ไขช่องโหว่ที่ทราบอย่างรวดเร็ว และปฏิบัติตามแนวทางปฏิบัติที่ดีที่สุด เช่น การบังคับใช้ข้อมูลประจำตัวการรับรองความถูกต้องที่รัดกุม สิ่งนี้จะช่วยลดโอกาสในการโจมตีสำเร็จผ่านบริการ VPN นอกจากนี้ โอกาสที่มัลแวร์จะถูกเผยแพร่ผ่านผู้ให้บริการที่มีชื่อเสียงจะต่ำกว่ามากเมื่อเทียบกับแบรนด์ที่ไม่รู้จัก ด้วยเหตุนี้ ผู้ใช้จึงควรตรวจสอบความคิดเห็นจากแหล่งข้อมูลออนไลน์ต่างๆ เกี่ยวกับผู้ให้บริการ VPN ในอนาคต ก่อนที่จะเลือกผู้ให้บริการที่ตรงกับความต้องการมากที่สุด

นโยบายความเป็นส่วนตัวของผู้ใช้งาน

ขึ้นอยู่กับนโยบายความเป็นส่วนตัวของผู้ใช้ ผู้ให้บริการ VPN อาจบันทึกกิจกรรมของผู้ใช้ ผู้ให้บริการฟรีบางรายอาจรวบรวมและขายข้อมูลผู้ใช้ให้กับบุคคลที่สาม เช่น บริษัทโฆษณาเพื่อหากำไร ดังนั้น คุณควรตรวจสอบนโยบายความเป็นส่วนตัวของผู้ใช้ในเรื่องต่อไปนี้ (ขั้นต่ำ)

• วัตถุประสงค์ของการรวบรวมข้อมูล ถ้ามี
• การใช้ข้อมูลที่เก็บรวบรวม
• มาตรการรักษาความปลอดภัยที่ใช้เพื่อปกป้องข้อมูล
• การกำหนดค่าซอฟต์แวร์ VPN ส่วนบุคคล

การกำหนดค่าซอฟต์แวร์ VPN อาจแตกต่างกันไปสำหรับผู้จำหน่ายแต่ละราย ดังนั้นจึงจำเป็นที่คุณจะต้องตรวจสอบเอกสารการกำหนดค่าใดๆ ที่ผู้ให้บริการ VPN ของคุณให้มา อย่างไรก็ตาม คุณสมบัติทั่วไปที่ใช้ได้กับซอฟต์แวร์ VPN ส่วนใหญ่มีดังต่อไปนี้

ใช้ข้อความรหัสผ่านที่คาดเดายากสำหรับการตรวจสอบสิทธิ์และเปิดใช้งาน Multi-Factor Authentication (MFA) หากมี การใช้ข้อความรหัสผ่านที่รัดกุมซึ่งเป็นรหัสผ่าน แต่ยาวกว่าและประกอบด้วยคำต่างๆ จะทำให้ผู้โจมตีทำการโจมตีแบบ Brute Force ในบัญชี VPN ของคุณได้ยาก นอกจากนี้ การเปิดใช้งาน MFA ทุกครั้งที่เป็นไปได้จะช่วยเพิ่มระดับการรักษาความปลอดภัยเพิ่มเติมหากข้อความรหัสผ่านของคุณถูกบุกรุก คุณสามารถดูบทความของเราที่นี่เพื่อดูรายละเอียดเพิ่มเติมเกี่ยวกับการใช้ข้อความรหัสผ่านที่รัดกุมและ MFA

อัปเดตซอฟต์แวร์ VPN เป็นประจำ ด้วยการอัพเดตซอฟต์แวร์ VPN ของคุณให้ทันสมัยอยู่เสมอ คุณสามารถลดความเสี่ยงที่เกิดจากช่องโหว่และจุดบกพร่องที่ทราบได้อย่างมาก และลดพื้นที่การโจมตีที่ผู้โจมตีต้องใช้ประโยชน์

เลือกความแข็งแกร่งของการเข้ารหัสที่เหมาะสม บริการ VPN ส่วนใหญ่มีระดับการเข้ารหัสที่แตกต่างกัน โดยทั่วไปจะมีการเข้ารหัสระหว่าง 128 บิตและ 256 บิต ความแรงของการเข้ารหัสที่สูงขึ้น (เช่น 256 บิต) อาจให้ความปลอดภัยที่ดีกว่า แต่ความเร็วการเชื่อมต่อจะลดลง ดังนั้น คุณอาจต้องการเลือกความแข็งแกร่งของการเข้ารหัสที่ให้ความสมดุลที่ดีที่สุดระหว่างความปลอดภัยและประสิทธิภาพ ขึ้นอยู่กับความต้องการด้านความปลอดภัยของคุณ

การทดสอบความปลอดภัย VPN

หลังจากที่คุณเลือกผู้ให้บริการ VPN แล้ว คุณอาจต้องการทำการทดสอบต่อไปนี้เพื่อให้แน่ใจว่าไม่มีความเสี่ยงด้านความปลอดภัยที่ซ่อนอยู่ซึ่งสืบทอดมาจากผู้ให้บริการ VPN ของคุณ

การทดสอบการรั่วไหลของระบบชื่อโดเมน (DNS) การทดสอบการรั่วไหลของ DNS จะกำหนดว่าการสืบค้น DNS ใด ๆ ถูกส่งไปนอกอุโมงค์ VPN ที่ปลอดภัยหรือไม่ คุณอาจต้องการทำการทดสอบนี้ที่นี่

การทดสอบการรั่วไหลของที่อยู่ IP การทดสอบการรั่วไหลของที่อยู่ IP ใช้เพื่อตรวจสอบว่า IP ต้นทางของคุณถูกซ่อนอย่างถูกต้องหรือไม่ คุณอาจต้องการทำการทดสอบนี้ ที่นี่

ผู้ใช้งานจะได้รับการเตือนให้เลือกผู้ให้บริการ VPN ที่มีชื่อเสียง และกำหนดค่า VPN ของคุณอย่างเหมาะสม เนื่องจากเป็นสิ่งสำคัญอย่างยิ่งในการรับรองความปลอดภัยทางไซเบอร์ของอุปกรณ์และข้อมูลที่ส่งระหว่างอุปกรณ์ของคุณและอินเทอร์เน็ต เพื่อให้มั่นใจถึงการรักษาความลับและความสมบูรณ์ของข้อมูลของคุณ

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-011

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

รายการช่องโหว่มีดังนี้

• CVE-2024-29895: การใช้ประโยชน์จากช่องโหว่นี้สำเร็จอาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถดำเนินการเรียกใช้โค้ดจากระยะไกลได้ ช่องโหว่นี้มีคะแนน CVSSv :10
• CVE-2024-25641: การใช้ประโยชน์จากช่องโหว่นี้สำเร็จอาจทำให้ผู้โจมตีที่ได้รับการรับรองความถูกต้องด้วยสิทธิ์ "นำเข้าเทมเพลต" สามารถเขียนไฟล์ที่กำหนดเองหรือรันโค้ด PHP ที่เป็นอันตรายบนเซิร์ฟเวอร์ที่ได้รับผลกระทบ ช่องโหว่นี้มีคะแนน CVSSv :9.1
• CVE-2024-34340: การใช้ประโยชน์จากช่องโหว่นี้สำเร็จอาจทำให้ผู้โจมตีสามารถเลี่ยงการรับรองความถูกต้องและเข้าถึงเซิร์ฟเวอร์ที่ได้รับผลกระทบได้ ช่องโหว่นี้มีคะแนน CVSSv :9.1

ช่องโหว่ร้ายแรงส่งผลกระทบต่อเวอร์ชันของ Cacti ก่อน 1.2.27

แนะนำให้ผู้ใช้งานและผู้ดูแลระบบเวอร์ชันผลิตภัณฑ์ที่ได้รับผลกระทบควรอัปเดตเป็นเวอร์ชันล่าสุดทันที

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-063

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

โดย HAIT Plus จะมีรายงานผลสำรวจการดำเนินงานตามข้อกำหนด HAIT Plus : 2567 และแนวทางการดำเนินงานด้านการรักษาความมั่นคงปลอดภัยไซเบอร์สำหรับโรงพยาบาลของรัฐ (HAIT Plus) : 2567

สามารถศึกษารายละเอียดเพิ่มเติมได้ที่ https://tmi.or.th/downloads/

เนื่องจากฟังก์ชันการทำงานที่กว้างขวางและความสามารถในการบูรณาการของ Microsoft Graph API เข้ากับบริการต่างๆ ของ Microsoft มีรายงานว่าอาชญากรไซเบอร์ถูกละเมิดอย่างแข็งขันเพื่ออำนวยความสะดวกในการโจมตีที่อาศัยอยู่นอกพื้นที่ ด้วยการใช้ประโยชน์จาก Microsoft Graph API อาชญากรไซเบอร์จึงสามารถดำเนินกิจกรรมที่เป็นอันตรายภายในโครงสร้างพื้นฐานของแอปพลิเคชันและบริการที่ถูกต้องตามกฎหมาย ดังนั้นจึงประสบความสำเร็จในการผสมผสานกิจกรรมของพวกเขาเข้ากับการรับส่งข้อมูลที่ถูกกฎหมาย ตัวอย่างเช่น หลังจากที่ประนีประนอมอุปกรณ์ได้สำเร็จ อาชญากรไซเบอร์สามารถปรับใช้มัลแวร์ที่สร้างการเชื่อมต่อกับ Microsoft Graph API เพื่อใช้ OneDrive ซึ่งเป็นแพลตฟอร์มที่โดยทั่วไปใช้สำหรับฟังก์ชันที่ถูกต้องตามกฎหมาย เช่น การถ่ายโอนไฟล์ เป็นเซิร์ฟเวอร์ C2 สำหรับการอัพโหลดและดาวน์โหลดไฟล์ที่เป็นอันตราย

ผู้ดูแลระบบอาจต้องการพิจารณาติดตามและIOC ที่เกี่ยวข้องกับมัลแวร์ที่ใช้ประโยชน์จาก Microsoft Graph API IOC ที่เป็นไปได้ที่เกี่ยวข้องกับมัลแวร์ที่เกี่ยวข้องในตารางด้านล่าง

องค์กรอาจพิจารณาใช้มาตรการป้องกันต่อไปนี้เพื่อเสริมสร้างมาตรการรักษาความปลอดภัยทางไซเบอร์และเสริมการป้องกันเพื่อปกป้องตนเองจากเหตุการณ์ดังกล่าว
• ตรวจสอบการรับส่งข้อมูลเครือข่ายขาเข้าและขาออกสำหรับการสื่อสารที่น่าสงสัย
• กำหนดค่ากฎไฟร์วอลล์เพื่อบล็อกการเชื่อมต่อขาออกไปยังที่อยู่ IP ที่เชื่อมโยงกับเซิร์ฟเวอร์ C2
• ใช้ระบบตรวจจับการบุกรุก (IDS) และระบบป้องกันการบุกรุก (IPS) เพื่อตรวจจับและบล็อกการรับส่งข้อมูลที่น่าสงสัย
• ใช้การควบคุมการเข้าถึงที่เข้มงวดตามบทบาทและความรับผิดชอบของพนักงาน เพื่อป้องกันการเข้าถึงแพลตฟอร์มระบบคลาวด์ของ Microsoft โดยไม่ได้รับอนุญาต
• ตรวจสอบบัญชีผู้ใช้ Microsoft ทั้งหมดเป็นประจำและปิดการใช้งานบัญชีที่ไม่ได้ใช้งาน
• อัปเดตระบบ แอปพลิเคชัน และซอฟต์แวร์ให้เป็นเวอร์ชันล่าสุด และดาวน์โหลดแพตช์รักษาความปลอดภัยล่าสุด
• ปรับใช้โซลูชัน Endpoint Detection and Response (EDR) เพื่อตรวจจับและป้องกันมัลแวร์จากการพยายามสร้างการสื่อสารกับเซิร์ฟเวอร์ C2
• ติดตั้งซอฟต์แวร์ป้องกันไวรัส/ป้องกันมัลแวร์ และอัปเดตซอฟต์แวร์ (และไฟล์คำจำกัดความ) อยู่เสมอ ทำการสแกนระบบและเครือข่ายอย่างสม่ำเสมอ และสแกนไฟล์ที่ได้รับทั้งหมด

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-010

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand