Cyber Threat Intelligence 23 September 2024
Vulnerabilities
- Versa Networks Releases Advisory For a Vulnerability In Versa Director, CVE-2024-45229
"Versa Networks has released an advisory for a vulnerability (CVE-2024-45229) affecting Versa Director. A cyber threat actor could exploit this vulnerability to exercise unauthorized REST APIs."
https://www.cisa.gov/news-events/alerts/2024/09/20/versa-networks-releases-advisory-vulnerability-versa-director-cve-2024-45229
https://security-portal.versa-networks.com/emailbulletins/66e4a8ebda545d61ec2b1ab9
Malware
- Clickbaity Or Genius? 'BF Cheated On You' QR Codes Pop Up Across UK
""If your name is Emily and your boyfriend went out last night HE CHEATED. Heres [sic] the video for proof," states a poster seen in Manchester, England this week. My name isn't Emily, but anyone who comes across such a poster would stop by to take a closer look—it piques curiosity, breeds insecurity, and sparks controversy. And the blatant QR code underneath staring at your face makes you think for a second what all could it reveal..."
https://www.bleepingcomputer.com/news/security/clickbaity-or-genius-bf-cheated-on-you-qr-codes-pop-up-across-uk/
- Behind The CAPTCHA: A Clever Gateway Of Malware
"McAfee Labs recently observed an infection chain where fake CAPTCHA pages are being leveraged to distribute malware, specifically Lumma Stealer. We are observing a campaign targeting multiple countries. Below is a map showing the geolocation of devices accessing fake CAPTCHA URLs, highlighting the global distribution of the attack."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/
- -=TWELVE=- Is Back
"In the spring of 2024, posts with real people’s personal data began appearing on the -=TWELVE=- Telegram channel. Soon it was blocked for falling foul of the Telegram terms of service. The group stayed off the radar for several months, but as we investigated a late June 2024 attack, we found that it employed techniques identical to those of Twelve and relied on C2 servers linked to the threat actor. We are therefore confident that the group is still active and will probably soon resurface. This article uses the Unified Kill Chain methodology to analyze the attackers’ actions."
https://securelist.com/twelve-group-unified-kill-chain/113877/
https://thehackernews.com/2024/09/hacktivist-group-twelve-targets-russian.html
- How RansomHub Ransomware Uses EDRKillShifter To Disable EDR And Antivirus Protections
"RansomHub is notable for its affiliate model and for using techniques to disable or terminate endpoint detection and response (EDR) to evade detection and prolong its presence within compromised systems or networks. Due to the recent discovery by our threat hunting team of RansomHub's new evasion technique, the integration of EDRKillShifter within its attack chain, we were able to investigate a recent incident from Trend Micro's Vision One telemetry data."
https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html
Breaches/Hacks/Leaks
- Cybercrooks Strut Away With Haute Couture Harvey Nichols Data
"High-end British department store Harvey Nichols is writing to customers to confirm some of their data was exposed in a recent cyberattack. Customers have already received, or are set to receive, letters this week with details of the incident, which exposed their name, company (if provided), phone number, as well as email and home addresses. Highly sensitive information like passwords and financial information isn't believed to be affected."
https://www.theregister.com/2024/09/20/highstreet_swank_dealer_harvey_nichols/
- Disney Ditching Slack After Massive July Data Breach
"The Walt Disney Company is reportedly ditching Slack after a July data breach exposed over 1TB of confidential messages and files posted to the company's internal communication channels. According to CNBC, Disney has already begun migrating to new "streamlined enterprise-wide collaboration tools" and emailed employees this week to say that they will finish the migration at the end of the company's next fiscal quarter. This move comes after the company suffered a massive data breach in July when a threat actor named 'NullBulge' breached Disney's Slack platform and stole 1.1TB of data."
https://www.bleepingcomputer.com/news/security/disney-ditching-slack-after-massive-july-data-breach/
- More Than $44 Million In Cryptocurrency Stolen From Singaporean Platform BingX
"Singaporean crypto platform BingX said Friday that more than $44 million was stolen from their platform in a cyberattack. Blockchain security firms began seeing millions flow out of the platform Thursday night before the company posted a message on social media about a shutdown related to “wallet maintenance.” The company quickly released a longer statement saying the disruption was triggered after the company “detected abnormal network access, potentially indicating a hacker attack on BingX's hot wallet.”"
https://therecord.media/44-million-stolen-from-crypto-platform-singapore
https://securityaffairs.com/168703/cyber-crime/hackers-stole-44m-from-bingx.html
- Hackers Claim Second Dell Data Breach In One Week
"Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident. On September 19, 2024, Hackread.com published an exclusive report detailing claims of a Dell data breach involving sensitive information related to 10,863 Dell employees. The same hacker behind the original breach is now claiming that Dell has been “breached again,” suggesting a larger ongoing issue."
https://hackread.com/dell-hit-by-second-security-breach-in-week/
General News
- How To Detect And Stop Bot Activity
"Bad bot traffic continues to rise year-over-year, accounting for nearly a third of all internet traffic in 2023. Bad bots access sensitive data, perpetrate fraud, steal proprietary information, and degrade site performance. New technologies are enabling fraudsters to strike faster and inflict more damage. Bots’ indiscriminate and large-scale attacks pose a risk to businesses of all sizes in all industries."
https://www.helpnetsecurity.com/2024/09/20/bot-detection-techniques/
- Striking The Balance Between Cybersecurity And Operational Efficiency
"In this Help Net Security interview, Michael Oberlaender, ex-CISO and book author, discusses how to strike the right balance between security and operational efficiency. Oberlaender advises companies starting their cybersecurity journey and stresses the importance of aligning with various frameworks. He also introduces his latest book, which provides insights into the CISO role and effective cybersecurity leadership."
https://www.helpnetsecurity.com/2024/09/20/michael-oberlaender-flexible-cybersecurity-strategy/
- GenAI In Cybersecurity: Insights Beyond The Verizon DBIR
"The Verizon "Data Breach Investigations Report" (DBIR) is a highly credible annual report that provides valuable insights into data breaches and cyber threats, based on analysis of real-world incidents. Professionals in cybersecurity rely on this report to help inform security strategies based on trends in the evolving threat landscape. However, the 2024 DBIR has raised some interesting questions, particularly regarding the role of generative AI in cyberattacks."
https://www.darkreading.com/vulnerabilities-threats/genai-cybersecurity-insights-beyond-verizon-dbir
- New Cybersecurity Advisory Highlights Defense-In-Depth Strategies
"In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team operation against an FCEB (Federal Civilian Executive Branch) organization. In July 2024, CISA released a new CSA that detailed the findings of this assessment along with key findings relevant to the security of the organization’s network. One of the interesting findings of this SILENTSHIELD assessment was the renewed importance placed on defense-in-depth strategies. This was determined after the FCEB organization failed to respond effectively to the network breach and lacked sufficient controls to log the simulated attack."
https://securityintelligence.com/articles/new-cybersecurity-advisory-highlights-defense-in-depth-strategies/
- Identifying Rogue AI
"For many – certainly given the share price of some leading proponents – the hype of AI is starting to fade. But that may be about to change with the dawn of agentic AI. It promises to get humanity far closer to the ideal of AI as an autonomous technology capable of goal-oriented problem solving. But with progress comes risk. As agentic AI derives its power from composite AI systems, there’s more likelihood that one of those composite parts may contain weaknesses enabling Rogue AI. As discussed in previous blogs, this means the technology could act against the interests of its creators, users or humanity. It’s time to start thinking about mitigations."
https://www.trendmicro.com/en_us/research/24/i/rogue-ai-part-3.html
- Hacker Behind Snowflake Customer Data Breaches Remains Active
"The hacker behind the bulk of the Snowflake customer data theft earlier this year remains active as of this week, a researcher tracking the suspect said Friday. The hacker — known primarily as “Judische,” but who also used other names online, including “Waifu” — continues to target software-as-a-service providers and other entities “as recently as today,” Austin Larsen, a senior threat analyst with Mandiant, said during a presentation at SentinelOne’s LABScon security conference."
https://cyberscoop.com/snowflake-hacker-judische-labscon-2024/
References
Electronic Transactions Development Agency (ETDA)