You can follow news on the webboard or on Facebook NCSA Thailand
Romania faces over 85,000 cyberattacks on its election systems
Insider threats are rising sharply: the Cybersecurity Insiders 2024 report reveals alarming statistics
CISA releases two Industrial Control Systems advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published two Industrial Control Systems (ICS) advisories on 5 December 2024 (B.E. 2567). These advisories provide timely information about current security issues and vulnerabilities surrounding ICS. They are as follows:
ICSA-24-340-01 AutomationDirect C-More EA9 Programming Software
ICSA-24-340-02 Planet Technology Planet WGS-804HPT
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details at https://www.cisa.gov/news-events/alerts/2024/12/05/cisa-releases-two-industrial-control-systems-advisories
Cisco warns that the CVE-2014-2120 vulnerability in ASA is being exploited in attacks
FBI warns telecom companies to strengthen security after a Chinese hacking campaign breached US telecom networks
Cyber Threat Intelligence 06 December 2024
Industrial Sector
- AutomationDirect C-More EA9 Programming Software
"Successful exploitation of these vulnerabilities could result in memory corruption; a buffer overflow condition may allow remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-01
- Planet Technology Planet WGS-804HPT
"Successful exploitation of these vulnerabilities could result in remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-02
New Tooling
- Announcing The Launch Of Vanir: Open-Source Security Patch Validation
"Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. Vanir significantly accelerates patch validation by automating this process, allowing OEMs to ensure devices are protected with critical security updates much faster than traditional methods. This strengthens the security of the Android ecosystem, helping to keep Android users around the world safe."
https://security.googleblog.com/2024/12/announcing-launch-of-vanir-open-source.html
https://github.com/google/vanir
Vulnerabilities
- Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day
"It is not just APTs that like to target telephone systems, but ourselves at watchTowr too. We can't overstate the consequences of an attacker crossing the boundary from the 'computer system' to the 'telephone system'. We've seen attackers realise this in 2024, with hacks against legal intercept systems widely reported in the news. VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT. Imagine being able to listen in on the phone calls of your target, as they're happening - or even to interfere with them and block them at will! It's a very powerful thing to be able to do, and a godsend for an outcome-motivated attacker."
https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
https://www.bleepingcomputer.com/news/security/mitel-micollab-zero-day-flaw-gets-proof-of-concept-exploit/
https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html
https://www.darkreading.com/vulnerabilities-threats/bypass-bug-critical-n-day-mitel-micollab
https://www.bankinfosecurity.com/mitel-micollab-voip-software-zero-day-vulnerability-alert-a-26979
https://cyberscoop.com/russian-surveillance-spyware-threat-citizen-lab/
https://www.helpnetsecurity.com/2024/12/05/mitel-micollab-zero-day-and-poc-exploit-unveiled/
- Cisco Releases Security Updates For NX-OS Software
"Cisco released security updates to address a vulnerability in Cisco NX-OS software. A cyber threat actor could exploit this vulnerability to take control of an affected system."
https://www.cisa.gov/news-events/alerts/2024/12/05/cisco-releases-security-updates-nx-os-software
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL
https://www.securityweek.com/bootloader-vulnerability-impacts-over-100-cisco-switches/
https://securityaffairs.com/171729/security/cisco-switches-bootloader-flaw-cve-2024-20397.html
Malware
- MOONSHINE Exploit Kit And DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks
"We have been continuously monitoring the MOONSHINE exploit kit’s activity since 2019. During our research, we discovered a MOONSHINE exploit kit server with improper operational security: Its server exposed MOONSHINE’s toolkits and operation logs, which revealed the information of possible victims and the attack tactics of a threat actor we have named Earth Minotaur."
https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
https://thehackernews.com/2024/12/hackers-target-uyghurs-and-tibetans.html
https://www.darkreading.com/cyberattacks-data-breaches/earth-minotaur-exploits-wechat-bugs-spyware-uyghurs
- U.S. Organization In China Targeted By Attackers
"A large U.S. organization with a significant presence in China was the subject of a targeted attack earlier this year, during which the attackers obtained a persistent presence on its network, seemingly for the purpose of intelligence gathering. The attack was likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers."
https://www.security.com/threat-intelligence/us-china-espionage
https://thehackernews.com/2024/12/researchers-uncover-4-month-cyberattack.html
https://www.bleepingcomputer.com/news/security/us-org-suffered-four-month-intrusion-by-chinese-hackers/
https://therecord.media/us-org-with-presence-in-china-hacked-symantec
https://hackread.com/chinese-hackers-breach-us-firm-network-for-months/
- Device Confiscated By Russian Authorities Returned With Monokle-Type Spyware Installed
"The First Department is a legal assistance organization founded by exiled Russian human rights lawyer Ivan Pavlov that specializes in defending those accused of treason and espionage in Russia. Pavlov left Russia in September 2021 after facing persecution for his legal work. The First Department plays an essential role in supporting individuals targeted for repression by the Russian government. The organization has been headed by Dmitry Zair-Bek since May 2022."
https://citizenlab.ca/2024/12/device-confiscated-by-russian-authorities-returned-with-monokle-type-spyware-installed/
https://therecord.media/russian-authorities-infected-detainee-phone-with-spyware
https://www.bleepingcomputer.com/news/security/new-android-spyware-found-on-phone-seized-by-russian-fsb/
https://www.bankinfosecurity.com/russian-forces-accused-secretly-planting-spyware-on-phone-a-26984
- BlueAlpha Abuses Cloudflare Tunneling Service For GammaDrop Staging Infrastructure
"BlueAlpha is a state-sponsored cyber threat group operating under the directive of the Russian Federal Security Service (FSB) that overlaps with the publicly reported groups Gamaredon, Shuckworm, Hive0051, and UNC530. BlueAlpha has been active since at least 2014 and continues to target Ukrainian organizations through relentless spearphishing campaigns to distribute custom malware. Since at least October 2023 BlueAlpha has delivered the custom VBScript malware GammaLoad, enabling data exfiltration, credential theft, and persistent access to compromised networks."
https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service
https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf
https://therecord.media/russian-state-hackers-abuse-cloudflare-tunnels-spy-on-ukraine
https://www.darkreading.com/cloud-security/russias-bluealpha-apt-cloudflare-tunnels
- Our Secret Ingredient For Reverse Engineering
"Nowadays, a lot of cybersecurity professionals use IDA Pro as their primary tool for reverse engineering. While IDA is a complex tool that implements a multitude of features useful for dissecting binaries, many reverse engineers use various plugins to add further functionality to this software. We in the Global Research and Analysis Team do the same – and over the years we have developed our own IDA plugin named hrtng that is specifically designed to aid us with malware reverse engineering."
https://securelist.com/hrtng-ida-pro-plugin/114780/
- Romania's Election Systems Targeted In Over 85,000 Cyberattacks
"A declassified report from Romania’s Intelligence Service says that the country’s election infrastructure was targeted by more than 85,000 cyberattacks. Threat actors also obtained access credentials for election-related websites and leaked them on a Russian hacker forum less than a week before the first presidential election round."
https://www.bleepingcomputer.com/news/security/romanias-election-systems-targeted-in-over-85-000-cyberattacks/
- Threat Actor Targets The Manufacturing Industry With Lumma Stealer And Amadey Bot
"CRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector remains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document."
https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
- Microsoft: Another Chinese Cyberspy Crew Targeting US Critical Orgs 'as Of Yesterday'
"A Chinese government-linked group that Microsoft tracks as Storm-0227 yesterday started targeting critical infrastructures organisations and US government agencies, according to Redmond's threat intel team. The crew has been active since at least January, and while Microsoft declined to enumerate Storm-0227's victim count, "there are indicators that this group is active as of yesterday, actively pursuing threat activity," Sherrod DeGrippo, director of threat intelligence strategy, told The Register."
https://www.theregister.com/2024/12/06/chinese_cyberspy_us_data/
Breaches/Hacks/Leaks
- Major USAID Contractor Chemonics Says 263,000 Affected By 2023 Data Breach
"A large contractor for the U.S. government said a 2023 cyberattack exposed the critical personal information of more than 263,000 people. Chemonics, an international development firm with $1.4 billion in U.S. government contracts, announced the incident this week — notifying regulators in several states and posting a notice on its website."
https://therecord.media/chemonics-data-breach-usaid-contractor
https://www.securityweek.com/chemonics-international-data-breach-impacts-260000-individuals/
General News
- Infostealer Logs Analysis Report
"The purpose of this report is to provide a comprehensive insight into the cyber threat environment by conducting a deep analysis of the log data stolen by Infostealer malware. Unlike other reports that cover the analysis and trends of Infostealer malware, this report is based on the data of the actual infected systems to derive threat actors’ strategies, types of damages, and effective response measures. This report also analyzed 28,248,895 infection cases worldwide to identify the characteristics and patterns by region, system, and user type."
https://asec.ahnlab.com/en/84967/
- Preparing For Q-Day: The Essential Role Of Cloud Migration In Securing Enterprise Data
"As the era of quantum computing draws closer, businesses face a new and unprecedented threat to data security: “Q-day.” This looming turning point—when quantum machines can break traditional encryption with ease—has the potential to upend cybersecurity, rendering current encryption ineffective."
https://www.helpnetsecurity.com/2024/12/05/preparing-for-q-day/
- How The Shadowserver Foundation Helps Network Defenders With Free Intelligence Feeds
"In this Help Net Security interview, Piotr Kijewski, CEO of The Shadowserver Foundation, discusses the organization’s mission to enhance internet security by exposing vulnerabilities, malicious activity, and emerging threats. Kijewski explains the foundation’s automated efforts to track and disrupt cybercrime, while providing support to law enforcement and offering capacity-building services globally."
https://www.helpnetsecurity.com/2024/12/05/piotr-kijewski-shadowserver-foundation-secure-internet/
- Pro-Russian Hacktivist Group Claims 6600 Attacks Targeting Europe
"Pro-Russian hacktivist gang Noname has claimed over 6600 attacks since March 2022, almost exclusively targeting European nations, new research from Orange Cyberdefense has shown. The cybersecurity vendor’s Security Navigator 2025 report found that 96% of Noname’s attacks targets included Ukraine, Czech Republic, Spain, Poland and Italy and have been ongoing since Russia began its invasion of Ukraine in early 2022. The hacktivist group has not targeted the US once during this period, the researchers found."
https://www.infosecurity-magazine.com/news/pro-russian-hacktivist-attacks/
https://www.orangecyberdefense.com/ch/insights/whitepapers-reports/security-navigator-2025
- ASD’s ACSC, CISA, And US And International Partners Release Guidance On Choosing Secure And Verifiable Technologies
"Today, CISA—in partnership with the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC), and other international partners—released updates to a Secure by Design Alert, Choosing Secure and Verifiable Technologies."
https://www.cisa.gov/news-events/alerts/2024/12/05/asds-acsc-cisa-and-us-and-international-partners-release-guidance-choosing-secure-and-verifiable
https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/choosing-secure-and-verifiable-technologies
- US Arrests Scattered Spider Suspect Linked To Telecom Hacks
"U.S. authorities have arrested a 19-year-old teenager linked to the notorious Scattered Spider cybercrime gang who is now charged with breaching a U.S. financial institution and two unnamed telecommunications firms. Remington Goy Ogletree (also known online as "remi") breached the three companies' networks using credentials stolen in text and voice phishing messages targeting their employees. He also impersonated the victims' IT support departments in calls designed to pressure the employees into accessing phishing sites where they were asked to enter their user names and passwords."
https://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks/
- Fraudulent Shopping Sites Tied To Cybercrime Marketplace Taken Offline
"Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor’s Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities across Europe, over 50 servers were seized, significant digital evidence was secured, and two key suspects were placed in pretrial detention."
https://www.europol.europa.eu/media-press/newsroom/news/fraudulent-shopping-sites-tied-to-cybercrime-marketplace-taken-offline
https://www.bleepingcomputer.com/news/security/police-shuts-down-manson-cybercrime-market-fake-shops-arrests-key-suspects/
https://thehackernews.com/2024/12/europol-shuts-down-manson-market-fraud.html
https://hackread.com/police-dismantle-manson-market-seize-servers-evidence/
https://www.helpnetsecurity.com/2024/12/05/manson-market-shuttered-by-law-enforcement/
https://www.securityweek.com/50-servers-linked-to-cybercrime-marketplace-and-phishing-sites-seized-by-law-enforcement/
- Wolves In Sheep's Clothing: Industry-Specific Targeted Phishing Attacks
"Subject customization using either the recipient’s name, email address, phone number, or company name is a common tactic used in phishing emails to deceive recipients. Threat actors often include the company name or designated recipient’s personal information to disguise the true intent of the email. Our analysis shows that certain industries are more targeted by these types of attacks than others. From data drawn from Q3 2023 to Q3 2024, Cofense Intelligence identified the top five targeted industries and the common subject customization tactics that were seen within each industry."
https://cofense.com/blog/wolves-in-sheep-s-clothing-industry-specific-targeted-phishing-attacks
- Feds Are Probing 764, The Com’s Use Of Cybercriminal Tactics To Carry Out Violent Crimes
"The child sextortion group 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally used for financially motivated cybercrime tactics — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes, according to exclusive law enforcement and intelligence reports reviewed by CyberScoop."
https://cyberscoop.com/the-com-764-cybercrime-violent-crime-fbi-intellignce-report/
- LLMs Raise Efficiency, Productivity Of Cybersecurity Teams
"Security professionals say adding LLM/GenAI capabilities to security programs improves efficiency in threat detection and increases productivity of analysts, according to Dark Reading's latest research on enterprise security. Efficiency and effectiveness were recurring themes. In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, the top three benefits of using GenAI and LLMs in a cybersecurity program were more efficient threat detection (28%), improved analyst productivity and efficiency (27%), and better threat intelligence analysis (23%)."
https://www.darkreading.com/vulnerabilities-threats/llms-raise-efficiency-productivity-of-cybersecurity-teams
- Vulnerability Management Challenges In IoT & OT Environments
"As Internet of Things (IoT) and operational technology (OT) devices proliferate across critical infrastructure, manufacturing, healthcare, and other sectors, they bring with them unique and significant security challenges. These devices are increasingly woven into the fabric of everyday business operations, making them essential, yet difficult to secure. While vulnerability management is a well-understood practice in traditional IT environments, IoT and OT introduce complexities that render many of these traditional practices less effective, if not completely obsolete. Here are some of the key challenges, along with strategies for tackling them."
https://www.darkreading.com/vulnerabilities-threats/vulnerability-management-challenges-iot-ot-environments
- Forecasting The 2025 Cloudscape
"As we prepare to step into 2025, cloud security continues to remodel in response to emerging needs – the wide adoption of AI, regulatory demands and increasing cyberthreats. Our company’s cloud security leaders are on the heels of these threats with Palo Alto Networks global 2025 predictions, laying out the top cloud security predictions for the coming year."
https://www.paloaltonetworks.com/blog/2024/12/forecasting-the-2025-cloudscape/
- Burnout In SOCs: How AI Can Help Analysts Focus On High-Value Tasks
"Security Operations Center (SOC) analyst burnout is a very real problem. These are some of the most important cybersecurity professionals out there, and many of them are being worked to exhaustion. Amidst an already overstretched cybersecurity workforce—ISC2 estimated in 2023 that there was a 4 million gap between supply and demand—it’s enormously important that we address this problem."
https://securityaffairs.com/171724/security/burnout-in-socs-how-ai-can-help-analysts-focus-on-high-value-tasks.html
Reference
Electronic Transactions Development Agency (ETDA)
Cyber Threat Intelligence 05 December 2024
Telecom Sector
- White House: Salt Typhoon Hacked Telcos In Dozens Of Countries
"Chinese state hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, President Biden's deputy national security adviser Anne Neuberger said today. During a Wednesday press briefing, the White House official told reporters that these breaches include a total of eight telecom firms in the United States, with only four previously known. While these attacks have been underway for "likely one to two years," "at this time, we don't believe any classified communications have been compromised," Neuberger added, as the Journal first reported."
https://www.bleepingcomputer.com/news/security/white-house-salt-typhoon-hacked-telcos-in-dozens-of-countries/
https://therecord.media/eight-telcos-breached-salt-typhoon-nsc
https://therecord.media/salt-typhoon-csrb-review
https://cyberscoop.com/salt-typhoon-national-security-council-chinese-spying/
- T-Mobile US CSO: Spies Jumped From One Telco To Another In a Way 'I've Not Seen In My Career'
"While Chinese-government-backed spies maintained access to US telecommunications providers' networks for months – and in some cases still haven't been booted out – T-Mobile US thwarted successful attacks on its systems "within a single-digit number of days," according to the carrier's security boss Jeff Simon. T-Mo's CSO, in an interview with The Register Wednesday, declined to make public the exact timeline of the intrusion attempts by the Beijing-run crew. "They were active for a single-digit number of days, and it was within the last couple of months," was all he would reveal."
https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/
New Tooling
- SafeLine: Open-Source Web Application Firewall (WAF)
"SafeLine is an open-source and self-hosted Web Application Firewall (WAF) that protects websites from cyber attacks. “SafeLine WAF was created to protect web applications for small and medium-sized enterprises from cyber threats by monitoring and filtering HTTP/HTTPS traffic. More importantly, with the widespread use of Gen AI, automated website traffic has become increasingly overwhelming, negatively impacting the normal user experience and business operations. Therefore, we aim to create a WAF with robust anti-bot and anti-HTTP flood DDoS attack capabilities,” Ztrix, the product director of SafeLine WAF, told Help Net Security."
https://www.helpnetsecurity.com/2024/12/04/safeline-open-source-web-application-firewall-waf/
https://github.com/chaitin/SafeLine
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-51378 CyberPanel Incorrect Default Permissions Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/04/cisa-adds-one-known-exploited-vulnerability-catalog
- Japan Warns Of IO-Data Zero-Day Router Flaws Exploited In Attacks
"Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall. The vendor has acknowledged the flaws in a security bulletin published on its website. However, the fixes are expected to land on December 18, 2024, so users will be exposed to risks until then unless mitigations are enabled."
https://www.bleepingcomputer.com/news/security/japan-warns-of-io-data-zero-day-router-flaws-exploited-in-attacks/
https://jvn.jp/en/jp/JVN46615026/index.html
- The Road To Agentic AI: Exposed Foundations
"“Move fast and break things” seems to be the current motto in the field of AI. Ever since the introduction of ChatGPT in 2022, it seems everyone is jumping on the bandwagon. In some fields, people have been happy to just use OpenAI's offerings, but many enterprises have specialized needs. As Nick Turley, OpenAI's head of product, recently said, LLMs are a “calculator for words” and this new technology has opened up many possibilities for enterprises. However, some engineering is needed to use this “word calculator” effectively and while we wait for proper agentic AI systems, the current technology of choice is retrieval augmented generation (RAG)."
https://www.trendmicro.com/en_us/research/24/k/agentic-ai.html
Malware
- DroidBot: Insights From a New Turkish MaaS Fraud Operation
"DroidBot is an advanced Android Remote Access Trojan (RAT) that combines classic hidden VNC and overlay capabilities with features often associated with spyware. It includes a keylogger and monitoring routines that enable the interception of user interactions, making it a powerful tool for surveillance and credential theft. A distinctive characteristic of DroidBot is its dual-channel communication mechanism: outbound data from infected devices is transmitted using the MQTT protocol, while inbound commands, such as overlay target specifications, are received over HTTPS. This separation enhances its operational flexibility and resilience."
https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation
https://www.bleepingcomputer.com/news/security/new-droidbot-android-malware-targets-77-banking-crypto-apps/
- FBI Shares Tips On How To Tackle AI-Powered Fraud Schemes
"The FBI warns that scammers are increasingly using artificial intelligence to improve the quality and effectiveness of their online fraud schemes, ranging from romance and investment scams to job hiring schemes. "The FBI is warning the public that criminals exploit generative artificial intelligence (AI) to commit fraud on a larger scale which increases the believability of their schemes," reads the PSA. "Generative AI reduces the time and effort criminals must expend to deceive their targets.""
https://www.bleepingcomputer.com/news/security/fbi-shares-tips-on-how-to-tackle-ai-powered-fraud-schemes/
https://www.ic3.gov/PSA/2024/PSA241203
- Supply Chain Attack Detected In Solana's Web3.js Library
"A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets."
https://socket.dev/blog/supply-chain-attack-solana-web3-js-library
https://thehackernews.com/2024/12/researchers-uncover-backdoor-in-solanas.html
https://www.bleepingcomputer.com/news/security/solana-web3js-library-backdoored-to-steal-secret-private-keys/
https://www.securityweek.com/solana-web3-js-library-backdoored-in-supply-chain-attack/
https://www.helpnetsecurity.com/2024/12/04/solana-web3-js-supply-chain-compromise/
- Snowblind: The Invisible Hand Of Secret Blizzard
"Lumen’s Black Lotus Labs has uncovered a longstanding campaign orchestrated by the Russian-based threat actor known as “Secret Blizzard” (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by Pakistani-based actor, “Storm-0156.” Known for their focus on espionage, Storm-0156 is associated in public reporting with two activity clusters, “SideCopy” and “Transparent Tribe.” This latest campaign, spanning the last two years, is the fourth recorded case of Secret Blizzard embedding themselves in another group’s operations since 2019 when they were first seen repurposing the C2s of an Iranian threat group."
https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/
https://www.bleepingcomputer.com/news/security/russian-turla-hackers-hijack-pakistani-apt-servers-for-cyber-espionage-attacks/
https://thehackernews.com/2024/12/russia-linked-turla-exploits-pakistani.html
https://www.darkreading.com/threat-intelligence/russian-fsb-hackers-breach-pakistan-storm-0156
https://cyberscoop.com/turla-infiltrates-pakistani-apt-networks-microsoft-lumen/
https://www.securityweek.com/spy-v-spy-russian-apt-turla-caught-stealing-from-pakistani-apt/
- iVerify Mobile Threat Investigation Uncovers New Pegasus Samples
"For years, our understanding of mobile device threats was built on a dangerously narrow foundation. Mobile malware investigations were limited to a microscopic sample of devices – typically those belonging to high-risk targets like journalists, political activists, and government officials. These early investigations were critical to helping the world understand a new wave of capability, but their limited nature still leaves a massive blind spot to understanding the scope of mobile device compromise."
https://iverify.io/blog/iverify-mobile-threat-investigation-uncovers-new-pegasus-samples
https://www.darkreading.com/endpoint-security/pegasus-spyware-infections-ios-android-devices
https://cyberscoop.com/study-shows-potentially-higher-prevalence-of-spyware-infections-than-previously-thought/
https://www.helpnetsecurity.com/2024/12/04/detect-mercenary-spyware/
Breaches/Hacks/Leaks
- BT Unit Took Servers Offline After Black Basta Ransomware Breach
"Multinational telecommunications giant BT Group (formerly British Telecom) has confirmed that its BT Conferencing business division shut down some of its servers following a Black Basta ransomware breach. BT Group is the United Kingdom's leading fixed and mobile telecom provider. It also provides managed telecommunications, security, and network and IT infrastructure services to customers in 180 countries. A company spokesperson told BleepingComputer that the security incident didn't impact BT Group's operations or BT Conferencing services, so it is unclear if any systems were encrypted or only data stolen."
https://www.bleepingcomputer.com/news/security/bt-conferencing-division-took-servers-offline-after-black-basta-ransomware-attack/
https://therecord.media/bt-group-cyberattack-black-basta
https://securityaffairs.com/171668/breaking-news/black-basta-ransomware-attack-bt-group.html
General News
- 70% Of Open-Source Components Are Poorly Or No Longer Maintained
"The geographic distribution of open-source contributions introduces geopolitical risks that organizations must urgently consider, especially with rising nation-state attacks, according to Lineaje. Microsoft estimates that its customers face 600 million cyberattacks daily, 24% of which are nation-state attackers targeting the IT sector. With software supporting increasingly vital systems, the origin of code has become a matter of national and economic security."
https://www.helpnetsecurity.com/2024/12/04/open-source-contributions-risks/
- Securing AI’s New Frontier: Visibility, Governance, And Mitigating Compliance Risks
"In this Help Net Security interview, Niv Braun, CEO at Noma Security, discusses the difficulties security teams face due to the fragmented nature of AI processes, tools, and teams across the data and AI lifecycle. Braun also shares insights on how organizations can address these challenges and improve their AI security posture."
https://www.helpnetsecurity.com/2024/12/04/niv-braun-noma-security-data-ai-lifecycle/
- CISA Releases New Public Version Of CDM Data Model Document
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an updated public version of the Continuous Diagnostics and Mitigation (CDM) Data Model Document. Version 5.0.1 aligns with fiscal year 2023 Federal Information Security Modernization Act (FISMA) metrics. The CDM Data Model Document provides a comprehensive description of a common data schema to ensure that prescribed diagnostic activities within CDM solutions are consistent across all participating federal agencies."
https://www.cisa.gov/news-events/alerts/2024/12/04/cisa-releases-new-public-version-cdm-data-model-document
https://www.cisa.gov/resources-tools/resources/cdm-data-model-document-501
- Operation Destabilise: NCA Disrupts $Multi-Billion Russian Money Laundering Networks With Links To Drugs, Ransomware And Espionage, Resulting In 84 Arrests
"An international NCA-led investigation - Operation Destabilise - has exposed and disrupted Russian money laundering networks supporting serious and organised crime around the world: spanning from the streets of the UK, to the Middle East, Russia, and South America. Investigators have identified two Russian-speaking networks collaborating at the heart of the criminal enterprise; Smart and TGR. Operation Destabilise is being revealed today as the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announces sanctions against the Russian-speaking men and women at the head of these networks, as well as four businesses linked to TGR."
https://www.nationalcrimeagency.gov.uk/news/operation-destabilise-nca-disrupts-multi-billion-russian-money-laundering-networks-with-links-to-drugs-ransomware-and-espionage-resulting-in-84-arrests
https://therecord.media/russian-money-laundering-networks-trafficking-cybercrime-kremlin
https://www.bleepingcomputer.com/news/security/uk-disrupts-russian-money-laundering-networks-used-by-ransomware/
https://www.bankinfosecurity.com/russian-money-laundering-services-busted-in-uk-led-operation-a-26974
- Navigating The Changing Landscape Of Cybersecurity Regulations
"In 2024, the cybersecurity regulatory landscape underwent significant changes, as major economies worldwide introduced new rules to combat increasingly sophisticated cyber threats, such as advanced ransomware and AI-driven attacks. For businesses, navigating this evolving landscape is not merely a compliance issue but a strategic imperative that demands careful attention and adaptation."
https://www.darkreading.com/vulnerabilities-threats/navigating-changing-landscape-cybersecurity-regulations
- Digital Certificates With Shorter Lifespans Reduce Security Vulnerabilities
"Shortening the life cycle of Transport Layer Security (TLS) certificates can significantly reduce the vulnerability of websites and hardware devices that require these certificates. TLS certificates are exchanged between Web server and Web client (or server to server) to establish a secure connection and safeguard sensitive data. The majority of today's digital certificates have a time-to-live of 398 days — that's a 365-day certificate with a 33-day grace period, equaling 398 actual days before the certificate expires. If the proposals from Google and Apple are approved, however, that life cycle could drop to 100 days (90 days plus a grace period) or even 47 days (30 days plus a grace period)."
https://www.darkreading.com/vulnerabilities-threats/digital-certificate-shorter-lifespan-reduces-security-vulnerabilities
- API Security In Open Banking: Balancing Innovation With Risk Management
"Any technological innovation comes with security risks, and open banking is no exception. Open banking relies on APIs to connect banks (and their essential services) to their customers. While it is exceptionally convenient and provides several valuable services for consumers, open banking relies on APIs to function."
https://hackread.com/api-security-open-banking-balancing-risk-management/
- Ransomware Costs Manufacturing Sector $17bn In Downtime
"Ransomware attacks on manufacturing companies have caused an estimated $17bn in downtime since 2018. According to new figures by Comparitech, these incidents have disrupted operations at 858 manufacturers worldwide, with each day of downtime costing an average of $1.9m. This significant financial impact stems from the widespread disruption of ransomware attacks. Beyond halting production, they jeopardize customer orders, damage relationships and lead to prolonged recovery efforts."
https://www.infosecurity-magazine.com/news/ransomware-manufacturing-dollar17b/
- Security Risks Persist In Open Source Ecosystem
"Significant security risks continue to be prevalent in open source software practices, a new report by the Linux Foundation, OpenSSF and Harvard University has found. The CENSUS III project was based on 12 million observations of free and open source software (FOSS) libraries used in production apps at over 10,000 companies. It highlighted a number of concerning cybersecurity practices relating to open source software, which is widely used across all industries. The project aims to provide a clearer picture of the structural issues that threaten the FOSS ecosystem."
https://www.infosecurity-magazine.com/news/security-risks-open-source/
- EU’s First Ever Report On The State Of Cybersecurity In The Union
"In accordance with Article 18 of the NIS 2 Directive, ENISA was tasked to prepare a biennial report on the state of cybersecurity in the Union. The report provides an evidence-based overview of the cybersecurity maturity state of play as well as an assessment of cybersecurity capabilities across Europe. The report also includes policy recommendations to address identified shortcomings and increase the level of cybersecurity in the EU."
https://www.enisa.europa.eu/news/eus-first-ever-report-on-the-state-of-cybersecurity-in-the-union
https://www.infosecurity-magazine.com/news/enisa-launches-first-state-eu/
- Kaspersky Security Bulletin 2024. Statistics
"All statistics in this report come from Kaspersky Security Network (KSN), a global cloud service that receives information from components in our security solutions voluntarily provided by Kaspersky users. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2023 through October 2024. The report doesn’t cover mobile statistics, which we will share in our annual mobile malware report."
https://securelist.com/ksb-2024-statistics/114795/
- Spotting The Charlatans: Red Flags For Enterprise Security Teams
"Most of the security professionals I’ve worked with over the course of my career have been sincere, talented, constructive players. These types of people know that the whole is greater than the sum of the parts, and they work collaboratively to build up both their peers and the broader teams that they work within. Unfortunately, I have come across a few charlatans as well. These types drag down both their peers and the broader team, though it can sometimes take a while before they are seen for who they really are."
https://www.securityweek.com/spotting-the-charlatans-red-flags-for-enterprise-security-teams/
- Threat Spotlight: Phishing Techniques To Look Out For In 2025
"Over the last few months, Barracuda’s threat analysts have reported on several advanced phishing techniques implemented by attackers to evade security controls and make malicious emails look more convincing, legitimate, and personal. In this blog post we look at how these and other advanced phishing techniques are likely to evolve in 2025."
https://blog.barracuda.com/2024/12/04/threat-spotlight-phishing-techniques-2025
- The Rise Of MMS Scams: A Picture Is Worth a 1,000 Words—and Sometimes That’s Not Good
"Reports of messaging abuse and smishing continue to increase at a rapid pace. Since the beginning of May, reports of U.S.-based abusive messages have grown by 39%, and Proofpoint threat engineers are observing a significant increase in one specific subtype. Reported MMS (multimedia messaging service) abuse has increased by 220% over the same period. These messages use images and/or graphics to trick subscribers into providing confidential information or entice them into falling for other scams."
https://www.proofpoint.com/us/blog/email-and-cloud-threats/growing-threat-mms-scam-messages
Reference
Electronic Transactions Development Agency (ETDA)
-
Cyber Threat Intelligence 04 December 2024
Healthcare Sector
- Ransomware's Grip On Healthcare
"Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives."
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-grip-healthcare
Industrial Sector
- CISA Releases Eight Industrial Control Systems Advisories
"CISA released eight Industrial Control Systems (ICS) advisories on December 3, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-releases-eight-industrial-control-systems-advisories
https://www.bankinfosecurity.com/16-zero-days-uncovered-in-fuji-electric-monitoring-software-a-26962
Telecom Sector
- CISA And Partners Release Joint Guidance On PRC-Affiliated Threat Actor Compromising Networks Of Global Telecommunications Providers
"Today, CISA—in partnership with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners—released joint guidance, Enhanced Visibility and Hardening Guidance for Communications Infrastructure."
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-and-partners-release-joint-guidance-prc-affiliated-threat-actor-compromising-networks-global
https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure
https://www.bleepingcomputer.com/news/security/us-shares-tips-to-block-hackers-behind-recent-telecom-breaches/
https://therecord.media/fbi-cisa-china-lurking-in-telecom-systems
https://www.bankinfosecurity.com/no-timeline-for-evicting-chinese-hackers-from-us-networks-a-26956
https://cyberscoop.com/u-s-government-says-salt-typhoon-is-still-in-telecom-networks/
https://www.securityweek.com/fbi-tells-telecom-firms-to-boost-security-following-wide-ranging-chinese-hacking-campaign/
Government/Law/Policy
- New EU Regulation Establishes European ‘Cybersecurity Shield’
"The Council of the European Union on Monday announced the adoption of two new laws meant to improve the overall cybersecurity across the EU. The two new laws in the cybersecurity package establish a cybersecurity shield that calls for member states to cooperate in detecting and responding to cyberattacks, and amend the EU’s Cybersecurity Act (CSA) of 2019 to ensure adequate security standards for managed security services."
Priority: 3 - Important
Relevance: General
https://www.securityweek.com/new-eu-regulation-establishes-european-cybersecurity-shield/
https://data.consilium.europa.eu/doc/document/PE-94-2024-INIT/en/pdf
Vulnerabilities
- Veeam Warns Of Critical RCE Bug In Service Provider Console
"Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads."
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/
https://www.helpnetsecurity.com/2024/12/03/vspc-vulnerabilities-cve-2024-42448-cve-2024-42449/
- Perfect 10 Directory Traversal Vuln Hits SailPoint's IAM Solution
"It's time to rev up those patch engines after SailPoint disclosed a perfect 10/10 severity vulnerability in its identity and access management (IAM) platform IdentityIQ. The bug is not attached to a security advisory at the time of writing, but the vulnerability was reported on Monday to the National Vulnerability Database (NVD), which then assigned it the CVE-2024-10905 identifier. Given the NVD rarely publishes a full analysis of vulnerabilities, and without an accompanying advisory to consult, the details of the flaw are few and far between."
https://www.theregister.com/2024/12/03/sailpoint_identityiq_vulnerability/
- Progress WhatsUp Gold NmAPI.exe Registry Overwrite Unauthenticated RCE
"A registry overwrite remote code execution vulnerability exists in NmAPI.exe in WhatsUp Gold versions prior to 24.0.1. An unauthenticated remote attacker could leverage this vulnerability to achieve remote code execution on the affected system. NmAPI.exe is a Windows Communication Foundation (WCF) application. It implements an UpdateFailoverRegistryValues operation contract:"
https://www.tenable.com/security/research/tra-2024-48
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-whatsup-gold-rce-flaw-patch-now/
- Decade-Old Cisco Vulnerability Under Active Exploit
"Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors. The bug, tracked as CVE-2014-2120 and a decade old, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could enact a cross-site scripting (XSS) attack."
https://www.darkreading.com/vulnerabilities-threats/decade-old-cisco-vulnerability-exploit
https://thehackernews.com/2024/12/cisco-warns-of-exploitation-of-decade.html
https://www.securityweek.com/cisco-warns-of-attacks-exploiting-decade-old-asa-vulnerability/
https://securityaffairs.com/171631/hacking/cisco-asa-flaw-cve-2014-2120-exploited-in-the-wild.html
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-45727 North Grid Proself Improper Restriction of XML External Entity (XEE) Reference Vulnerability
CVE-2024-11680 ProjectSend Improper Authentication Vulnerability
CVE-2024-11667 Zyxel Multiple Firewalls Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
Malware
- North Korean Kimsuky Hackers Use Russian Email Addresses For Credential Theft Attacks
"The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed.""
https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html
https://www.infosecurity-magazine.com/news/kimsuky-adopts-new-phishing-tactics/
- Gafgyt Malware Targeting Docker Remote API Servers
"Recently, we've observed the Gafgyt malware (also known as Bashlite or Lizkebab) targeting publicly exposed Docker Remote API servers. Traditionally, this malware has focused on vulnerable IoT devices, but we're now seeing a shift in its behavior as it expands its targets beyond its usual scope. We noticed attackers targeting publicly exposed misconfigured Docker remote API servers to deploy the malware by creating a Docker container based on a legitimate “alpine” docker image. Along with deployment of Gafgyt malware, attackers used Gafgyt botnet malware to infect the victim. After the deployment, the attacker can launch a DDoS attack on targeted servers."
https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
- Stellar Discovery Of A New Cluster Of Andromeda/Gamarue C2
"In the course of investigating incidents that relate to an infection by the Andromeda backdoor, we discovered that a threat actor is currently using domains and IP addresses registered with the same certificate and more specifically the common name (CN) being: *.malware[.]com that are used for Command and Control (C2) communication with their Andromeda implant."
https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2
- Missing URL Structure: Mistake Or a Masterfully Effective Tactic?
"In an ever-changing threat landscape, where AI and automation are being leveraged to not only detect but stop malicious campaigns, how does an attack that seems rudimentary become effective? By understanding how these tools work and by using social engineering, TAs (Threat Actors) can circumvent automation and gain access to company infrastructure with modest effort."
https://cofense.com/blog/missing-url-structure-mistake-or-a-masterfully-effective-tactic
- BreakingWAF: Widespread WAF Bypass Impacts Nearly 40% Of Fortune 100 Companies
"Zafran Researchers Uncover Widespread WAF Bypass Technique Impacting JPMorganChase, Visa, Intel and Nearly 40% of Fortune 100 companies. The misconfiguration exposes web applications to direct attacks over the Internet which can lead to full compromise, ransomware attacks, or trivial denial-of-service attacks."
https://www.zafran.io/resources/breaking-waf
https://www.darkreading.com/application-security/misconfigured-wafs-heighten-dos-breach-risks
- Unveiling RevC2 And Venom Loader
"Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools."
https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
https://www.darkreading.com/cyberattacks-data-breaches/venom-spider-malware-maas-platform
- White FAANG: Devouring Your Personal Data
"Privacy is a core aspect of our lives. We have the fundamental right to control our personal data, physically or virtually. However, as we use products from external vendors, particularly the FAANG companies (Facebook, Amazon, Apple, Netflix, Google), our digital footprint is continuously being expanded. Fortunately, FAANG provides a service that enables us to export our data to a local drive in just seconds. From now on, we will refer to it as the “export service.”"
https://www.cyberark.com/resources/ransomware-protection/white-faang-devouring-your-personal-data
https://www.darkreading.com/cyber-risk/white-faang-data-export-attack-pii-threats
- CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks In Real-World Intrusion
"BYOVD involves adversaries writing to disk and loading a legitimate, but vulnerable, driver to access the kernel of an operating system. This allows them to evade detection mechanisms and manipulate the system at a deep level, often bypassing protections like EDR. For the exploitation to succeed, attackers must first ensure the driver is brought on the target system. This is followed by the initiation of a privileged process to load the driver, setting the stage for further malicious activities."
https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/
Breaches/Hacks/Leaks
- Energy Industry Contractor Says Ransomware Attack Has Limited Access To IT Systems
"A major contractor for the energy industry confirmed in a notice to regulators that it is dealing with a ransomware attack that has hindered operations. ENGlobal Corporation filed a report to the U.S. Securities and Exchange Commission Monday evening explaining that the ransomware attack was discovered on November 25. “The preliminary investigation has revealed that a threat actor illegally accessed the Company’s information technology system and encrypted some of its data files,” the Oklahoma-based firm said."
https://therecord.media/energy-industry-contractor-ransomware-disruption
https://www.infosecurity-magazine.com/news/ransomware-disrupts-us-contractor/
https://www.securityweek.com/energy-sector-contractor-englobal-targeted-in-ransomware-attack/
https://www.helpnetsecurity.com/2024/12/03/englobal-ransomware-attack/
https://securityaffairs.com/171617/cyber-crime/englobal-corporation-disclosed-a-ransomware-attack.html
https://www.theregister.com/2024/12/03/us_energy_contractor_englobal_ransomware/
- Data On 760K Workers From Xerox, Nokia, BofA, Morgan Stanley And More Dumped Online
"Hundreds of thousands of employees from major corporations including Xerox, Nokia, Koch, Bank of America, Morgan Stanley and others appear to be the latest victims in a massive data breach linked to last year's attacks on file transfer tool MOVEit. On Monday morning, an entity that uses the handle "Nam3L3ss" began leaking what they claimed to be personal data belonging to from the abovementioned corporations, plus workers at other firms affected by the MOVEit vulnerability."
https://www.theregister.com/2024/12/03/760k_xerox_nokia_bofa_morgan/
https://hackread.com/data-vigilante-leaks-772k-employee-record-database/
https://www.securityweek.com/760000-employee-records-from-several-major-firms-leaked-online/
- Vodka Maker Stoli Files For Bankruptcy In US After Ransomware Attack
"Stoli Group's U.S. companies have filed for bankruptcy following an August ransomware attack and Russian authorities seizing the company's remaining distilleries in the country. As Chris Caldwell, the President and Global Chief Executive Officer of Stoli USA and Kentucky Owl, the two Stoli Group subsidiaries, said in a Friday filing, this comes after the August attack severely disrupted its IT systems, including its enterprise resource planning (ERP) platform. The cyberattack also forced manual operations across the group, affecting key processes such as accounting, with full recovery not expected until early 2025."
https://www.bleepingcomputer.com/news/security/vodka-maker-stoli-files-for-bankruptcy-in-us-after-ransomware-attack/
https://therecord.media/stoli-group-usa-bankruptcy-filing-ransomware
- Hello, This Is Your Chatbot Leaking: WotNot Exposes 346K Sensitive Customer Files
"Introducing additional hands into the AI supply chain might not be such a great idea. Passports, detailed medical records, resumes, and other sensitive personal records were exposed in a database belonging to WotNot, an Indian AI startup that helps build and customize bots for businesses."
https://cybernews.com/security/wotnot-exposes-346k-sensitive-customer-files/
https://www.malwarebytes.com/blog/news/2024/12/ai-chatbot-provider-exposes-346000-customer-files-including-id-documents-resumes-and-medical-records
General News
- Treat AI Like a Human: Redefining Cybersecurity
"In this Help Net Security interview, Doug Kersten, CISO of Appfire, explains how treating AI like a human can change the way cybersecurity professionals use AI tools. He discusses how this shift encourages a more collaborative approach while acknowledging AI’s limitations. Kersten also discusses the need for strong oversight and accountability to ensure AI aligns with business goals and remains secure."
https://www.helpnetsecurity.com/2024/12/03/doug-kersten-appfire-ai-oversight/
- AI Pulse: The Good From AI And The Promise Of Agentic
"The perils of AI get a lot of airtime, but what are the upsides? This issue of AI Pulse looks at some of the good AI can bring, from strengthening cybersecurity to driving health breakthroughs—and how the coming wave of agentic AI is going to take those possibilities to a whole new level."
https://www.trendmicro.com/en_us/research/24/l/good-agentic-ai.html
- Avoiding Pitfalls In Vulnerability Management: Key Insights And Best Practices
"Vulnerability management (VM) has always been a complex area of concern that requires continuous and active effort to work properly. This can make it challenging for organizations to maintain their VM strategies and solutions over time, as there are many angles to secure and processes to oversee. There are a wide range of potential ways that VM can go wrong, and it is essential for organizations to avoid the many pitfalls associated with it."
https://www.tripwire.com/state-of-security/avoiding-pitfalls-vulnerability-management-key-insights-and-best-practices
- Severity Of The Risk Facing The UK Is Widely Underestimated, NCSC Annual Review Warns
"The number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months. Published today, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year."
https://www.theregister.com/2024/12/03/ncsc_annual_review/
https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024
https://www.infosecurity-magazine.com/news/uk-cyberattacks-surge-ncsc/
- Cloudflare’s Pages.dev And Workers.dev Domains Increasingly Abused For Phishing
"Fortra has observed a rising trend in legitimate service abuse, with a significant volume of attacks targeting Cloudflare Pages. Workers.dev is a domain used by Cloudflare Workers’ deployment services, while Pages.dev is used by Cloudflare’s Pages platform that facilitates the development of web pages and sites. Fortra’s Suspicious Email Analysis (SEA) team has identified different threats being hosted on this platform, including attacks such as phishing redirects, phishing pages and targeted email lists."
https://emailsecurity.fortra.com/blog/cloudflares-pagesdev-and-workersdev-domains-increasingly-abused-phishing
https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
- Police Seizes Largest German Online Crime Marketplace, Arrests Admin
"Germany has taken down the largest online cybercrime marketplace in the country, named "Crimenetwork," and arrested its administrator for facilitating the sale of drugs, stolen data, and illegal services. The law enforcement action was carried out on Monday by the Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA)."
https://www.bleepingcomputer.com/news/security/police-seizes-largest-german-online-crime-marketplace-arrests-admin/
- International Operation Takes Down Another Encrypted Messaging Service Used By Criminals
"Authorities are staying on top of the encrypted messaging services that criminals use to undertake their activities. A joint investigation team (JIT) involving French and Dutch authorities has taken down another sophisticated encrypted messaging service, MATRIX. For three months, authorities were able to monitor the messages from possible criminals, which will now be used to support other investigations. During a coordinated operation supported by Eurojust and Europol, the messaging service was taken down by Dutch and French authorities and follow-up actions were executed by their Italian, Lithuanian and Spanish counterparts."
https://www.europol.europa.eu/media-press/newsroom/news/international-operation-takes-down-another-encrypted-messaging-service-used-criminals
https://www.bleepingcomputer.com/news/security/police-seize-matrix-encrypted-chat-service-after-spying-on-criminals/
https://therecord.media/matrix-criminal-encrypted-chat-platform-takedown-police
https://www.bankinfosecurity.com/european-police-disrupts-matrix-encrypted-service-a-26961
https://www.helpnetsecurity.com/2024/12/03/matrix-encrypted-chat-takedown/
https://www.infosecurity-magazine.com/news/police-shut-down-matrix-criminal/
- Cyber Risk – How To Effectively Manage Fourth-Party Risks
"Cyber risks have gained numerous business executives’ attention as these risks are effectively operational risks due to their potentially devastating operational and financial impacts, and reputational damage to organizations. Among cyber risks, third-party or supply chain risks become one of the most challenging areas as heavy and unavoidable reliance on using third parties such as Cloud and SaaS providers is a reality of today’s IT and security operations."
https://blog.checkpoint.com/security/cyber-risk-how-to-effectively-manage-fourth-party-risks/
- Cyber-Unsafe Employees Increasingly Put Orgs At Risk
"A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk. The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own."
https://www.darkreading.com/vulnerabilities-threats/cyber-unsafe-employees-orgs-risk
https://www.cyberark.com/resources/ebooks/cyberark-2024-employee-risk-survey
- Gen AI And Cybersecurity: Risk And Reward
"Research from Ivanti shows how organizations are managing the double-edged sword of gen AI in cybersecurity — and the processes, technology and talent needed to fortify defenses."
https://www.ivanti.com/resources/research-reports/gen-ai-cybersecurity
https://www.infosecurity-magazine.com/news/security-pros-genai-attack/
- Repeat Offenders Drive Bulk Of Tech Support Scams Via Google Ads
"Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches. Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report."
https://www.malwarebytes.com/blog/scams/2024/12/repeat-offenders-drive-bulk-of-tech-support-scams-via-google-ads
- Hacker Conversations: Dan McInerney And Puzzle-Driven Hacking
"Dan McInerney, currently lead AI threat researcher at Protect AI, came late to tech hacking. He was a 22-years old psychology grad when he started. His journey, however, provides new insights into the creation and motivation of a hacker."
https://www.securityweek.com/hacker-conversations-dan-mcinerney-and-puzzle-driven-hacking/
- World Tour Survey: IT Operations’ Hands-On Defense
"Cybercriminals have more tools than ever to disrupt business operations, steal data for ransom, and manipulate employees into exposing sensitive information. Generative AI (GenAI) is taking those capabilities to new levels by enhancing phishing attacks and enabling audio and video deepfakes. Security professionals are also facing new pressures from chief executives and corporate boards who increasingly understand the legal, financial, and reputational risks cyber threats pose to businesses."
https://www.trendmicro.com/en_us/research/24/l/world-tour-cybersecurity-survey-it-defense.html
Reference
Electronic Transactions Development Agency (ETDA)
-
CISA Releases Eight Industrial Control Systems Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) published eight Industrial Control Systems (ICS) advisories on 3 December 2024 (B.E. 2567). These advisories provide timely information about current security issues and vulnerabilities surrounding ICS, namely:
- ICSA-24-338-01 Ruijie Reyee OS
- ICSA-24-338-02 Siemens RUGGEDCOM APE1808
- ICSA-24-338-03 Open Automation Software
- ICSA-24-338-04 ICONICS and Mitsubishi Electric GENESIS64 Products
- ICSA-24-338-05 Fuji Electric Monitouch V-SFT
- ICSA-24-338-06 Fuji Electric Tellus Lite V-Simulator
- ICSA-22-307-01 ETIC Telecom Remote Access Server (RAS) (Update B)
- ICSA-24-184-03 ICONICS and Mitsubishi Electric Products (Update A)
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Further details are available at https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-releases-eight-industrial-control-systems-advisories
You can follow the news on the webboard or on Facebook NCSA Thailand
-
CISA Adds Three Known Exploited Vulnerabilities to Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of three new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These are vulnerabilities known to be exploited by attacker groups, and the additions are based on evidence of active exploitation. Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risks to organizations. The details are as follows:
- CVE-2023-45727 North Grid Proself Improper Restriction of XML External Entity (XEE) Reference Vulnerability
- CVE-2024-11680 ProjectSend Improper Authentication Vulnerability
- CVE-2024-11667 Zyxel Multiple Firewalls Path Traversal Vulnerability