Cyber Threat Intelligence 24 September 2024
New Tooling
- Certainly: Open-Source Offensive Security Toolkit
"Certainly is an open-source offensive security toolkit designed to capture extensive traffic across various network protocols in bit-flip and typosquatting scenarios."
https://www.helpnetsecurity.com/2024/09/23/certainly-open-source-offensive-security-toolkit/
https://github.com/happycakefriends/certainly
Vulnerabilities
- A Stack-Based Overflow Vulnerability Exists In The Microchip Advanced Software Framework (ASF) Implementation Of The Tinydhcp Server
"An implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow. The software is no longer supported by the vendor. Because this vulnerability is in IoT-centric code, it is likely to surface in many places in the wild. CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution."
https://kb.cert.org/vuls/id/138043
https://thehackernews.com/2024/09/critical-flaw-in-microchip-asf-exposes.html
https://www.securityweek.com/cert-cc-warns-of-unpatched-critical-vulnerability-in-microchip-asf/
- Privilege Escalation Vulnerability Patched In Houzez Theme
"This blog post discusses the findings on the Houzez theme and the Houzez Login Register plugin that comes pre-installed with the theme. If you’re a Houzez user, please update the theme and the Houzez Login Register plugin to version 3.3.0 or higher."
https://patchstack.com/articles/privilege-escalation-vulnerability-patched-in-houzez-theme/
https://www.infosecurity-magazine.com/news/vulnerabilities-found-houzez-theme/
- ESET Patches Privilege Escalation Vulnerabilities In Windows, MacOS Products
"ESET on Friday announced patches for two local privilege escalation vulnerabilities affecting multiple Windows and macOS products. The Windows products, the company warns in an advisory, were found vulnerable to CVE-2024-7400, a high-severity bug affecting the file operations handling during the removal of a detected file. An attacker with low privileges on a system running an affected ESET product could exploit the flaw to delete arbitrary files and escalate privileges."
https://www.securityweek.com/eset-patches-privilege-escalation-vulnerabilities-in-windows-macos-products/
https://support.eset.com/en/ca8726-local-privilege-escalation-fixed-for-vulnerability-during-detected-file-removal-in-eset-products-for-windows
https://securityaffairs.com/168795/security/eset-local-privilege-escalation-vulnerabilities.html
Malware
- The Latest Email Scams: Key Trends To Look Out For
"Amid the numerous instruments that have augmented our digital communication and commerce experiences over time, email remains a staple for everything, from confirming purchases to life-changing events like the authorization of financial aid. It comes as no surprise that email scams have been a mainstay of cyberattacks since the earliest days of online correspondence. Worse yet, their scope and sophistication have kept pace with and taken liberal advantage of general digital developments."
https://www.tripwire.com/state-of-security/latest-email-scams-key-trends-look-out
- How The Necro Trojan Infiltrated Google Play, Again
"We sometimes come across modified applications when analyzing suspicious files. These are created in response to user requests for more customization options within the app or for new features that the official versions don’t have. Unfortunately, it’s not uncommon for popular mods to contain malware. This often happens because they’re distributed on unofficial websites that don’t have any moderation. For example, last year we found popular WhatsApp mods infected with CanesSpy and distributed this way. Before that, we found ads for WhatsApp mods infected with the Triada Trojan dropper in the popular Snaptube application."
https://securelist.com/necro-trojan-is-back-on-google-play/113881/
https://www.bleepingcomputer.com/news/security/android-malware-necro-infects-11-million-devices-via-google-play/
https://www.securityweek.com/necro-trojan-infects-google-play-apps-with-millions-of-downloads/
https://www.theregister.com/2024/09/23/necro_malware_android/
- Kryptina RaaS | From Unsellable Cast-Off To Enterprise Ransomware
"In February of 2024, SentinelOne posted a write-up on Kryptina Ransomware-as-a-Service, a free and open-source RaaS platform written for Linux. At the time, Kryptina provided all the components required to host a fully functional RaaS platform. This included the ability to automate payloads, manage multiple groups and campaigns nested within, as well as configure the ransom payment requirements such as the amount and type of payment. Despite such functionality, the offering struggled to attract much interest from dark market customers."
https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/
https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/
https://www.infosecurity-magazine.com/news/kryptina-ransomware-resurfaces/
- Hackers Posed As Google Support To Steal $243 Million In Crypto
"A major breakthrough in cryptocurrency theft came to light on September 19, 2024, when anonymous Twitter user and crypto investigator ZachXBT (@ZachXBT) revealed his investigation into one of the largest crypto heists in history. The theft of $243 million worth of cryptocurrency from a single Genesis creditor, was carried out through a sophisticated social engineering attack in August 2024. ZachXBT’s investigation played a key role in tracing the alleged culprits, which led to multiple arrests and the recovery of millions in stolen funds."
https://hackread.com/hackers-posed-google-support-steal-243m-crypto/
- Staying A Step Ahead: Mitigating The DPRK IT Worker Threat
"Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People's Republic of North Korea (DPRK). These workers pose as non-North Korean nationals to gain employment with organizations across a wide range of industries in order to generate revenue for the North Korean regime, particularly to evade sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programs. A U.S. government advisory in 2022 noted that these workers have also leveraged privileged access obtained through their employment in order to enable malicious cyber intrusions, an observation corroborated by Mandiant and other organizations."
https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/
https://therecord.media/major-us-companies-unwittingly-hire-north-korean-remote-it-workers
https://www.securityweek.com/mandiant-offers-clues-to-spotting-and-stopping-north-korean-fake-it-workers/
- Inside SnipBot: The Latest RomCom Malware Variant
"We recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time, show post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and unique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD (RomCom 4.0). In early April, our sandbox Advanced WildFire discovered an unusual DLL module that turned out to be part of a broader tool set called SnipBot. By examining the malware sample and using Cortex XDR telemetry data, we were able to reconstruct the infection chain and the attacker's subsequent actions."
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- Ministry Of State Security Unveils Hacker Group Supported By ‘Taiwan Independence’ Forces
"China’s Ministry of State Security (MSS) on Monday unveiled a hacker organization called "Anonymous 64," saying that it was an “internet army” supported by “Taiwan independence” forces and has frequently launched cyberattacks against the Chinese mainland and Hong Kong and Macao Special Administrative Regions, attempting to infiltrate portals, outdoor electronic screens, and online television to spread disinformation and disrupt public communications. National security agencies have identified individuals involved in the related cyberattacks, including three active members, whose names and photos have been disclosed. Legal investigations have been launched against the three individuals, the ministry said in a release on Monday."
https://www.globaltimes.cn/page/202409/1320191.shtml
- Quishing 2.0: QR Code Phishing Evolves With Two-Step Attacks And SharePoint Abuse
"Quishing, or QR code phishing, is quickly advancing as threat actors adapt their tactics to bypass email security QR scanners. Quishing has become one of the fastest-growing email threat vectors. By introducing QR codes into phishing campaigns, threat actors added an additional layer of evasion, making it harder for traditional security solutions to detect. But now, as many cybersecurity vendors have already followed Perception Point’s lead in implementing QR scanners, “Quishing 2.0” attacks have emerged – and they’re more evasive than ever."
https://perception-point.io/blog/quishing-evolves-two-step-attacks-sharepoint-abuse/
Breaches/Hacks/Leaks
- One-Third Of The US Population’s Background Info Is Now Public
"Cybernews exclusive research has revealed that a massive data leak at MC2 Data, a background check firm, affects a staggering amount of US citizens. MC2 Data and similar companies run public records and background check services. These services gather, compile, and analyze data from a wide range of public sources, including criminal records, employment history, family data, and contact details. They use this information to create comprehensive profiles that employers, landlords, and others rely on for decision-making and risk management."
https://cybernews.com/security/us-mc2-background-check-data-leak/
https://www.malwarebytes.com/blog/news/2024/09/100-million-us-citizens-have-records-leaked-by-background-check-service
- SpaceX, CNN, And The White House Internal Data Allegedly Published Online. Is It Real?
"A cybercriminal has released internal data online that they say has come from leaks at several high-profile sources, including SpaceX, CNN, and the White House. However, there are some questions around the reliability and usefulness of the released data, so we took a closer look. When it comes to the SpaceX data set, the poster is apparently not a big fan of Elon Musk."
https://www.malwarebytes.com/blog/news/2024/09/spacex-cnn-and-the-white-house-internal-data-allegedly-published-online-is-it-real
- Ransomware Attack On Kansas County Exposed Sensitive Info Of Nearly 30,000 Residents
"A county in Kansas warned regulators last week that a ransomware attack earlier this year leaked personal data found in county records. Franklin County, which is about an hour outside of Kansas City, warned 29,690 residents on Friday that hackers breached the County Clerk’s Office on May 19 and took data from the network. On May 20, the county said it “discovered and responded to a ransomware attack” that required them to contact cybersecurity experts and federal law enforcement. The county informed the public on July 19 that it was investigating the incident."
https://therecord.media/kansas-ransomware-attack-thousands-residents
General News
- Organizations Are Changing Cybersecurity Providers In Wake Of Crowdstrike Outage
"More often than not, a cyber attack or a cyber incident that results in business disruption will spur organizations to make changes to improve their cybersecurity and cyber resilience – and sometimes that means changing cybersecurity providers. The recent massive worldwide outage caused by a faulty Crowdstrike sensor content update has had a similar effect on many German organizations, a recent report by the German Federal Office for Information Security (BSI) and Germany’s digital association Bitkom has revealed."
https://www.helpnetsecurity.com/2024/09/23/changing-cybersecurity-providers/
- Offensive Cyber Operations Are More Than Just Attacks
"In this Help Net Security interview, Christopher Jones, Chief Technology Officer and Chief Data Officer at Nightwing, talks about some key misconceptions and complexities surrounding offensive cyber operations. Many myths stem from a simplistic view of these operations, ranging from direct attacks to enhancing defenses through techniques like penetration testing. Advances in AI and quantum computing are expected to reshape the field by improving both offensive capabilities and threats, including more sophisticated attacks and vulnerabilities."
https://www.helpnetsecurity.com/2024/09/23/christopher-jones-nightwing-offensive-cyber-operations/
- Paid Open-Source Maintainers Spend More Time On Security
"Paid maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers and are dedicating more time to implementing security practices like those included in industry standards like the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF), according to Tidelift."
https://www.helpnetsecurity.com/2024/09/23/open-source-maintainers-security/
- Why 'Never Expire' Passwords Can Be A Risky Decision
"Password resets can be frustrating for end users. Nobody likes being interrupted by the 'time to change your password' notification – and they like it even less when the new passwords they create are rejected by their organization's password policy. IT teams share the pain, with resetting passwords via service desk tickets and support calls being an everyday burden. Despite this, it's commonly accepted that all passwords should expire after a set period of time. Why is this the case? Do you need password expiries at all? Explore the reason expiries exist and why setting passwords to 'never expire' might save some headaches, but not be the best idea for cybersecurity."
https://thehackernews.com/2024/09/why-never-expire-passwords-can-be-risky.html
- Data Security Posture Management: Accelerating Time To Value
"When it comes to your sensitive data, not knowing where your crown jewels are located and ensuring they are adequately secured can have catastrophic consequences. Data resilience is the subset of cyber resilience focused on an organization's data assets. Security teams need a strategic approach to data resilience — understanding where their sensitive data stores are located and what's inside — to effectively secure their data."
https://www.darkreading.com/vulnerabilities-threats/data-security-posture-management-accelerating-time-value
- Russian Hackers Have Shifted Tactics In Third Year Of War, Ukraine Cyber Agency Says
"Ukraine’s cyber agency has observed “a significant change” in the use of cyberattacks by Russian hackers in recent months, according to a new report. Whereas in the first two years of the war Russian hacker groups launched opportunistic attacks across an array of targets — for either destructive purposes or cyber-espionage — this year they have shifted their focus to Ukrainian entities directly connected to the war effort. “Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations,” Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) said in the new report."
https://therecord.media/russian-hackers-shifting-tactics-ukraine
https://www.infosecurity-magazine.com/news/russian-cyberattacks-ukraines/
References
Electronic Transactions Development Agency (ETDA)