Cyber Threat Intelligence 16 August 2024
Industrial Sector
- CISA Releases Eleven Industrial Control Systems Advisories
"CISA released eleven Industrial Control Systems (ICS) advisories on August 15, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2024/08/15/cisa-releases-eleven-industrial-control-systems-advisories
- Dragos Industrial Ransomware Analysis: Q2 2024
"Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management."
https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2024/
https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-in-q2-2024/
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/08/15/cisa-adds-one-known-exploited-vulnerability-catalog
- Palo Alto Networks Patches Unauthenticated Command Execution Flaw In Cortex XSOAR
"Palo Alto Networks on Wednesday announced patches for vulnerabilities found in several of its products, including flaws that have been assigned a ‘high severity’ rating. The most important vulnerability is CVE-2024-5914, described as a high-severity command injection issue affecting the company’s Cortex XSOAR security orchestration, automation and response (SOAR) product. Specifically, the flaw affects the product’s CommonScripts Pack and allows an unauthenticated attacker to execute arbitrary commands within the context of an integration container."
https://www.securityweek.com/palo-alto-networks-patches-unauthenticated-command-execution-flaw-in-cortex-xsoar/
Malware
- A Massive Cyber Attack Hit Central Bank Of Iran And Other Iranian Banks
"Iranian news outlet reported that a major cyber attack targeted the Central Bank of Iran (CBI) and several other banks causing disruptions."
https://securityaffairs.com/167066/hacking/cyberattack-central-bank-of-iran.html
- Gafgyt Malware Variant Exploits GPU Power And Cloud Native Environments
"Aqua Nautilus researchers discovered a new variant of Gafgyt botnet. This campaign is targeting machines with weak SSH passwords, executing 2 binaries from memory to increase the Gafgyt botnet and mine crypto currency with GPU power, indicating that the IoT botnet is targeting more robust servers running on cloud native environments. In this blog we explain about the campaign, the techniques used and how to detect and protect your environments."
https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/
https://thehackernews.com/2024/08/new-gafgyt-botnet-variant-targets-weak.html
- New APT Group Actor240524: A Closer Look At Its Cyber Tactics Against Azerbaijan And Israel
"Leveraging NSFOCUS’s Global Threat Hunting System, NSFOCUS Security Labs (NSL) captured an attack campaign targeting Azerbaijan and Israel on July 1, 2024. By analyzing the tactics, attack vectors, weapons, and infrastructure of the attack in this incident, it was found that the exposed attack characteristics have no direct connection with known APT groups. Therefore, NSL attributes the attackers of this campaign to a new APT group, marking the group as Actor240524 and naming the new type of Trojan program used by the group as ABCloader and ABCsync."
https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/
https://thehackernews.com/2024/08/new-cyber-threat-targets-azerbaijan-and.html
- Ransomware Attackers Introduce New EDR Killer To Their Arsenal
"Sophos analysts recently encountered a new EDR-killing utility being deployed by a criminal group who were trying to attack an organization with ransomware called RansomHub. While the ransomware attack ultimately was unsuccessful, the postmortem analysis of the attack revealed the existence of a new tool designed to terminate endpoint protection software. We are calling this tool EDRKillShifter."
https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/
https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/
https://thehackernews.com/2024/08/ransomhub-group-deploys-new-edr-killing.html
https://securityaffairs.com/167105/cyber-crime/ransomhub-tool-kill-edr-software.html
- Double Agent: Exploiting Pass-Through Authentication Credential Validation In Azure AD
"Today’s enterprise security architecture demands seamless authentication across various systems. To accomplish this, many organizations use Azure Active Directory (AAD) to sync their on-premises environments to the cloud to manage user access across environments. (Note: Azure Active Directory has been rebranded as Microsoft Entra ID, but we’ll continue to call it AAD throughout this blog for simplicity.) However, our recent investigation uncovered a vulnerability in AAD when syncing multiple on-premises AD domains to a single Azure tenant. This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access."
https://cymulate.com/blog/exploiting-pta-credential-validation-in-azure-ad/
https://www.darkreading.com/application-security/unfixed-microsoft-entra-id-authentication-bypass-threatens-hybrid-clouds
- A Deep Dive Into a New ValleyRAT Campaign Targeting Chinese Speakers
"FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises. ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage. Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim’s system."
https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
https://www.infosecurity-magazine.com/news/valleyrat-campaign-hits-windows/
https://hackread.com/valleyrat-malware-chinese-windows-users/
- Leaked Environment Variables Allow Large-Scale Extortion Operation Of Cloud Environments
"Unit 42 researchers found an extortion campaign's cloud operation that successfully compromised and extorted multiple victim organizations. It did so by leveraging exposed environment variable files (.env files) that contained sensitive variables such as credentials belonging to various applications."
https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
https://www.helpnetsecurity.com/2024/08/15/exposed-environment-files-data-theft/
- 2024 Paris Olympic Games Infrastructure Attack Report
"The Paris Olympic Games, which officially started on 26 July, 2024, has been swirling with malicious and cybercriminal activities for months before the event. Adversaries were found to have set up social media accounts, stores, ticketing systems, and cryptocurrencies amidst the popularity and commotion of the Olympics. Researchers at BforeAI analyzed the set of NRDs (Newly Registered Domains) acquired two weeks prior to the event and analyzed the rise in malicious activities, discussed briefly in this report."
https://bfore.ai/2024-paris-olympic-games-infrastructure-attack-report/
https://www.infosecurity-magazine.com/news/cybercriminals-exploit-paris-fake/
- Dozens Of Google Products Targeted By Scammers Via Malicious Search Ads
"In a previous blog, we saw criminals distribute malware via malicious ads for Google Authenticator. This time, brazen malvertisers went as far as impersonating Google’s entire product line and redirecting victims to a fake Google home page. Clearly not afraid of poking the bear, they even used and abused yet another Google product, Looker Studio, to lock up the browser of Windows and Mac users alike. We describe how they were able to achieve this, relying almost exclusively on stolen or free accounts and leveraging Google’s APIs to create rotating malicious URLs for the browser lock."
https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads
- Tusk: Unraveling a Complex Infostealer Campaign
"Kaspersky Global Emergency Response Team (GERT) has identified a complex campaign, consisting of multiple sub-campaigns orchestrated by Russian-speaking cybercriminals. The sub-campaigns imitate legitimate projects, slightly modifying names and branding and using multiple social media accounts to increase their credibility. In our analysis we observed that all the active sub-campaigns host the initial downloader on Dropbox. This downloader is responsible for delivering additional malware samples to the victim’s machine, which are mostly infostealers (Danabot and StealC) and clippers."
https://securelist.com/tusk-infostealers-campaign/113367/
- Doppelgänger Operation Rushes To Secure Itself Amid Ongoing Detections, German Agency Says
"The Russian propaganda network known as Doppelgänger is struggling to maintain its operations amid a crackdown on its infrastructure, according to a recent report. Following the recent disclosure that European hosting companies, knowingly or not, provided services to the Kremlin-linked disinformation campaign, Doppelgänger operators rushed to back up their systems and secure their data, according to findings by the Bavarian State Office for the Protection of the Constitution (BayLfV)."
https://therecord.media/doppelganger-influence-operation-struggle-bavarian-baylfv-report
- Don’t Get Mad, Get Wise
"The Sophos X-Ops Incident Response team has been examining the tactics of a ransomware group called Mad Liberator. This is a fairly new threat actor, first emerging in mid-July 2024. In this article, we’ll look at certain techniques the group is using, involving the popular remote-access application Anydesk. We’ll document the interesting social-engineering tactics the group has used and provide guidance both as to how to minimize your risk of becoming a victim and, for investigators, to how to see potential activity by this group."
https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/
https://www.theregister.com/2024/08/15/mad_liberator_extortion/
- Ongoing SEO Poisoning Attacks On Government Websites
"Recent observations have uncovered a campaign targeting government websites globally, with a focus on those utilizing various content management systems (CMS), including Joomla. The attackers’ primary objective is to perform black hat SEO poisoning, manipulating search engine rankings to lure unsuspecting users to gambling websites. Notably, some defacers have shifted to this TTP, becoming affiliates of gambling, casino, and scam syndicates. This report details the tactics, techniques, and procedures (TTPs) observed in these attacks and provides recommendations for mitigating this threat."
https://blog.xanda.org/2024/08/14/ongoing-seo-poisoning-attacks-on-government-websites/
Breaches/Hacks/Leaks
- Over 40 Million Kakao Pay Users' Data Somehow Ended Up With Alipay
"Kakao Pay, a subsidiary of Korea's WhatsApp analog Kakao, handed over data from more than 40 million users to the Singaporean arm of Chinese payment platform Alipay, without user consent, Korea's financial watchdog revealed Tuesday. The nation's Financial Supervisory Service (FSS) concluded the data was shared illegally after an on-site inspection of Kakao Pay's overseas payment division between May and July of this year. Among the personal data shared was Kakao Account ID, mobile phone number, email address, Kakao Pay subscription history, and transactions."
https://www.theregister.com/2024/08/15/kakao_pay_data_leak/
- Mayor Of Columbus, Ohio, Says Ransomware Attackers Stole Corrupted, Unusable Data
"Hackers recently stole data from Ohio’s largest city, but what they got was not usable and no personal information about city workers was made available online, the mayor said. Columbus Mayor Andrew Ginther confirmed the data breach and noted Tuesday that the city never received a ransom request. The city learned Friday that most of the data published to the dark web by the ransomware group Rhysida was corrupted or encrypted, he said."
https://www.securityweek.com/mayor-of-columbus-ohio-says-ransomware-attackers-stole-corrupted-unusable-data/
General News
- How Passkeys Eliminate Password Management Headaches
"In this Help Net Security interview, David Cottingham, President at rf IDEAS, discusses the key benefits organizations can expect when implementing passkeys. Cottingham addresses the misconceptions surrounding the adoption of passkeys, particularly in the B2B landscape."
https://www.helpnetsecurity.com/2024/08/15/david-cottingham-rf-ideas-implementing-passkeys/
- The AI Balancing Act: Unlocking Potential, Dealing With Security Issues, Complexity
"The rapid integration of AI and GenAI technologies creates a complex mix of challenges and opportunities for organizations. While the potential benefits are clear, many companies struggle with AI literacy, cautious adoption, and the risks of immature implementation. This has led to disruptions, particularly in security, where data threats, deepfakes, and AI misuse are on the rise."
https://www.helpnetsecurity.com/2024/08/15/ai-genai-security-risks/
- 74% Of IT Professionals Worry AI Tools Will Replace Them
"56% of security professionals are concerned about AI-powered threats, according to Pluralsight. Over half of surveyed technologists are either extremely concerned or moderately concerned about AI-powered threats, with only 6% saying they are not worried. As AI continues to dominate the technology landscape, these concerns about potential threats in cybersecurity have rapidly surfaced. According to Pluralsight’s AI Skills Report, only 40% of organizations have formal structured training and instruction for AI, and 74% of IT professionals worry that AI tools will replace their roles."
https://www.helpnetsecurity.com/2024/08/15/it-professionals-ai-worry/
- Zero Trust: How The ‘Jia Tan’ Hack Complicated Open-Source Software
"The volunteers that maintain open-source software have always been knocked around by the tech community. The Jia Tan hack made it all so much worse."
https://cyberscoop.com/open-source-security-trust-xz-utils/
- Beyond The Hype: Unveiling The Realities Of WormGPT In Cybersecurity
"WormGPT — the Dark Web imitation of ChatGPT that quickly generates convincing phishing emails, malware, and malicious recommendations for hackers — is worming its way into consumer consciousness and anxieties. Fortunately, many of these concerns can be allayed. As someone who has investigated WormGPT's back-end functionalities, I can say that much of the discourse around this sinister tool has been exaggerated by a general misunderstanding of AI-based hacking applications."
https://www.darkreading.com/vulnerabilities-threats/beyond-the-hype-unveiling-realities-of-wormgpt-in-cybersecurity
- 2024 Crypto Crime Mid-Year Update Part 1: Cybercrime Climbs As Exchange Thieves And Ransomware Attackers Grow Bolder
"2024 has seen a number of positive developments for the cryptocurrency ecosystem. In many ways, crypto has continued to gain mainstream acceptance, following the approval of spot Bitcoin and Ethereum exchange-traded funds (ETFs) in the United States and revisions to the Financial Accounting Standards Board (FASB)’s fair accounting rules. But as with any new technology, adoption will grow among both good and bad actors. And while illicit activity is down year-to-date (YTD) compared to previous years, crypto inflows to specific cybercrime-related entities show some worrying trends."
https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/
https://therecord.media/ransomware-gangs-set-record-for-money-extorted
https://www.infosecurity-magazine.com/news/another-record-year-ransomware/
- CISOs List Human Error As Their Top Cybersecurity Risk
"With cybersecurity, the focus often is on technology — specifically, how cyber criminals use it to conduct attacks and the tools that organizations can use to keep their systems and data safe. However, this overlooks the most important element in cybersecurity risk: human error."
https://securityintelligence.com/articles/cisos-list-human-error-top-cybersecurity-risk/
- Rogue AI Is The Future Of Cyber Threats
"Yoshua Bengio, regarded as one of the “godfathers” of artificial intelligence, has likened the now-ubiquitous technology to a bear. When we teach the bear to become smart enough to escape its cage, we no longer control it. All we can do after that is try to build a better cage. This should be our goal with the generative AI tools rapidly coming to market today, both as standalone services and in countless integrations with existing products. While this lightspeed adoption seems inevitable, we are not too late to mitigate the growing risks associated with it – but we need to act fast."
https://www.trendmicro.com/en_us/research/24/h/rogue-ai-part-1.html
References
Electronic Transactions Development Agency (ETDA)