Cyber Threat Intelligence 10 October 2024
Industrial Sector
- Researchers Uncover Major Security Vulnerabilities In Industrial MMS Protocol Libraries
"Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments. "The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution," Claroty researchers Mashav Sapir and Vera Mens said in a new analysis. MMS is an OSI application layer messaging protocol that enables remote control and monitoring of industrial devices by exchanging supervisory control information in an application-agnostic manner."
https://thehackernews.com/2024/10/researchers-uncover-major-security.html
Vulnerabilities
- Palo Alto Networks Warns Of Firewall Hijack Bugs With Public Exploit
"Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls. The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from other Checkpoint, Cisco, or supported vendors. They can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-firewall-hijack-bugs-with-public-exploit/
https://security.paloaltonetworks.com/PAN-SA-2024-0010
- Mozilla Fixes Firefox Zero-Day Actively Exploited In Attacks
"Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks. The vulnerability, tracked as CVE-2024-9680 and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines. This type of flaw occurs when memory that has been freed is still used by the program, allowing malicious actors to add their own malicious data to the memory region to perform code execution."
https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-day-actively-exploited-in-attacks/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-23113 Fortinet Multiple Products Format String Vulnerability
CVE-2024-9379 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
CVE-2024-9380 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/
- Vulnerability In Popular PDF Reader Could Lead To Arbitrary Code Execution; Multiple Issues In GNOME Project
"Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments."
https://blog.talosintelligence.com/vulnerability-roundup-foxit-gnome-oct-9-2024/
- Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)
"In this blog post, we will analyze CVE-2024-45409, a critical vulnerability impacting Ruby-SAML, OmniAuth-SAML libraries, which effectively affects GitLab. This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled. The issue arises due to weaknesses in the verification of the digital signature used to protect SAML assertions, allowing attackers to manipulate the SAML response and bypass critical security checks."
https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/
https://www.helpnetsecurity.com/2024/10/09/exploit-cve-2024-45409/
Malware
- File Hosting Services Misused For Identity Phishing
"Microsoft has observed that campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints."
https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
https://thehackernews.com/2024/10/microsoft-detects-growing-use-of-file.html
https://www.darkreading.com/cyberattacks-data-breaches/microsoft-creative-abuse-cloud-files-bec-attacks
- Hidden Cryptocurrency Mining And Theft Campaign Affected Over 28,000 Users
"Virus analysts at Doctor Web have identified a large-scale campaign aimed at spreading cryptomining and cryptostealing malware by delivering trojans to victims' computers under the guise of office programs, game cheats, and online trading bots. During routine analysis of cloud telemetry submitted by our users, specialists at the Doctor Web virus lab detected suspicious activity of a program disguised as a Windows component (StartMenuExperienceHost.exe; the legitimate process with this name is responsible for managing the Start menu). This program communicated with a remote network host and waited for an incoming connection to immediately launch the cmd.exe command line interpreter."
https://news.drweb.com/show/?i=14920&lng=en
https://www.bleepingcomputer.com/news/cryptocurrency/crypto-stealing-malware-campaign-infects-28-000-people/
https://hackread.com/trojan-autoit-1443-hits-users-game-cheats-office-tool/
- Novel Phishing Techniques To Evade Detection: ASCII-Based QR Codes And ‘Blob’ URIs
"Even the most sophisticated phishing campaigns face failure if they cannot get past security defenses, so it is not surprising that cyberattackers continue to try out new techniques that might help them to avoid detection. In this blog, we highlight two novel evasive techniques detected recently by Barracuda threat analysts. The first involves a QR code that, instead of being a static image, is built from combinations of ASCII/Unicode ‘block ( █ )’ characters. This tactic is designed to prevent security software from extracting the malicious URL from the QR code."
https://blog.barracuda.com/2024/10/09/novel-phishing-techniques-ascii-based-qr-codes-blob-uri
https://www.bankinfosecurity.com/malicious-pixels-criminals-revamp-qr-code-phishing-attacks-a-26487
https://www.infosecurity-magazine.com/news/new-gen-malicious-qr-codes/
- Operation MiddleFloor: Unmasking The Disinformation Campaign Targeting Moldova’s National Elections
"As Moldova approaches a critical juncture in its democratic journey, Check Point Research discovered a disinformation campaign, targeting its government and education sectors. Check Point Research uncovered that starting in August 2024, malicious actors are seemingly working to influence public perception ahead of the country’s pivotal elections on October 20, 2024. With a nationwide referendum on EU membership coinciding with the presidential election, the stakes are higher than ever."
https://blog.checkpoint.com/research/operation-middlefloor-unmasking-the-disinformation-campaign-targeting-moldovas-national-elections/
- Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section To Bypass Secure Email Gateways
"In 2024 Cofense Intelligence detected a phishing campaign that used GitHub links to bypass Secure Email Gateway (SEG) security. In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories. Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments."
https://cofense.com/blog/tax-extension-malware-campaign
https://www.darkreading.com/vulnerabilities-threats/hackers-hide-remcos-rat-github-comments
- Cybercriminals Are Targeting AI Agents And Conversational Platforms: Emerging Risks For Businesses And Consumers
"Resecurity has identified a spike in malicious campaigns targeting AI agents and Conversational AI platforms that leverage chatbots to provide automated, human-like interactions for consumers. Conversational AI platforms are designed to facilitate natural interactions between humans and machines using technologies like Natural Language Processing (NLP) and Machine Learning (ML). These platforms enable applications such as chatbots and virtual agents to engage in meaningful conversations, making them valuable tools across various industries."
https://www.resecurity.com/blog/article/cybercriminals-are-targeting-ai-agents-and-conversational-platforms-emerging-risks-for-businesses-and-consumers
https://securityaffairs.com/169580/security/cybercriminals-are-targeting-ai-conversational-platforms.html
- Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers To Install New Variants Of BeaverTail And InvisibleFerret Malware
"Unit 42 has tracked activity from threat actors associated with the Democratic People’s Republic of Korea (DPRK), where they pose as recruiters to install malware on tech industry job seekers’ devices. We call this activity the CL-STA-240 Contagious Interview campaign, and we first published about it in November 2023. Since that publication, we’ve observed additional online activity from the fake recruiters, as well as code updates to two pieces of malware associated with the campaign; the BeaverTail downloader and the InvisibleFerret backdoor."
https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/
https://thehackernews.com/2024/10/n-korean-hackers-use-fake-interviews-to.html
https://therecord.media/updated-malware-strains-north-korea
https://www.infosecurity-magazine.com/news/beavertail-malware-job-seekers/
Breaches/Hacks/Leaks
- Recent Dr.Web Cyberattack Claimed By Pro-Ukrainian Hacktivists
"A group of pro-Ukrainian hacktivists has claimed responsibility for the September breach of Russian security company Doctor Web (Dr.Web). Dr.Web confirmed last month that its network was breached on September 14, which forced it to disconnect all internal servers and stop pushing virus database updates to customers while investigating the incident. In a Tuesday Telegram post, DumpForums pro-Ukrainian hacktivists said they were behind the hack and gained access to Dr.Web's development systems."
https://www.bleepingcomputer.com/news/security/recent-drweb-breach-claimed-by-dumpforums-pro-ukrainian-hacktivists/
https://hackread.com/dumpforums-russian-cybersecurity-firm-dr-web-data-breach/
- Internet Archive Hacked, Data Breach Impacts 31 Million Users
"Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached. "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site."
https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/
https://www.theregister.com/2024/10/10/internet_archive_ddos_data_leak/
- AI Girlfriend Site Breached, User Fantasies Stolen
"A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, according to 404 Media. The breached service, Muah[.]ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats. As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn’t sell any data to third parties."
https://www.malwarebytes.com/blog/news/2024/10/ai-girlfriend-site-breached-user-fantasies-stolen
General News
- Cultivating a Security-First Mindset: Key Leadership Actions
"In this Help Net Security interview, Emily Wienhold, Cyber Education Specialist at Optiv, discusses how business leaders can promote a security-first culture within their organizations. Wienhold also discusses strategies for maintaining ongoing cybersecurity awareness and making security protocols accessible to non-technical staff."
https://www.helpnetsecurity.com/2024/10/09/emily-wienhold-optiv-security-awareness-program/
- 30% Of Customer-Facing APIs Are Completely Unprotected
"70% of customer-facing APIs are secured using HTTPS, leaving nearly one-third of these APIs completely unprotected, according to F5. This is a stark contrast to the 90% of web pages that are now accessed via HTTPS, following the push for secure web communications over the past decade. “APIs are becoming the backbone of digital transformation efforts, connecting critical services and applications across organizations,” said Lori MacVittie, Distinguished Engineer at F5. “However, as our report indicates, many organizations are not keeping pace with the security requirements needed to protect these valuable assets, especially in the context of emerging AI-driven threats.”"
https://www.helpnetsecurity.com/2024/10/09/customer-facing-apis-protection/
- CISA And FBI Release Fact Sheet On Protecting Against Iranian Targeting Of Accounts Associated With National Political Organizations
"Today, CISA and the Federal Bureau of Investigation (FBI) released a joint fact sheet, How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations. This fact sheet provides information about threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising accounts of Americans to stoke discord and undermine confidence in U.S. democratic institutions."
https://www.cisa.gov/news-events/alerts/2024/10/08/cisa-and-fbi-release-fact-sheet-protecting-against-iranian-targeting-accounts-associated-national
https://www.cisa.gov/resources-tools/resources/how-protect-against-iranian-targeting-accounts-associated-national-political-organizations
- Dutch Police Arrest Admin Of 'Bohemia/Cannabia' Dark Web Market
"An international law enforcement operation led to the arrest of one of the three administrators of the dual dark web market 'Bohemia/Cannabia,' known for hosting ads for drug sales and distributed denial of service (DDoS) attacks. The man was arrested at the Schiphol airport in Amsterdam on June 27, 2024, and electronic devices containing incriminating data and access keys to Bitcoin wallets were seized. A second administrator of Bohemia/Cannabia was arrested in Ireland in the context of the same operation, which leveraged data from the joint international investigation."
https://www.bleepingcomputer.com/news/legal/dutch-police-arrest-admin-of-bohemia-cannabia-dark-web-market/
https://therecord.media/bohemia-cannabia-dark-web-market-arrests
- AI-Augmented Email Analysis Spots Latest Scams, Bad Content
"Artificial intelligence (AI) models that work across different types of media and domains — so-called "multimodal AI" — can be used by attackers to create convincing scams. At the same time, defenders are finding multimodal AI equally useful at spotting fraudulent emails and not-safe-for-work (NSFW) materials."
https://www.darkreading.com/cybersecurity-operations/ai-augmented-email-analysis-spots-latest-scams
- Building Cyber Resilience In SMBs With Limited Resources
"Small and medium-sized businesses (SMBs) increasingly have become prime targets for cybercriminals. While large corporations often dominate headlines when breaches occur, the reality is that SMBs are at even greater risk. Almost 70% of SMBs reported experiencing at least one cyberattack in the past year. The reasons are clear: SMBs often operate with limited budgets, inadequate cybersecurity tools, and a shortage of skilled cybersecurity professionals. These factors make them particularly vulnerable to the sophisticated and evolving threats of today's cyber environment."
https://www.darkreading.com/vulnerabilities-threats/building-cyber-resilience-smbs-limited-resources
- Despite Prevalence Of Online Threats, Users Aren't Changing Behavior
"Consumers are aware that their information can be stolen by cybercriminals and that they are vulnerable to attack. While many people are taking steps to improve their cybersecurity online, the pace they are adopting security tools remains low, according to the latest Consumer Cyber Readiness Report from Consumer Reports."
https://www.darkreading.com/endpoint-security/despite-online-threats-users-are-not-changing-behavior
- Cybersecurity Awareness Month: Horror Stories
"When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior. October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad enough.)"
https://securityintelligence.com/articles/cybersecurity-awareness-month-horror-stories/
- Ukraine Sentences Two Hackers From Russia-Linked Armageddon Group
"Two hackers affiliated with the Russian federal security service (FSB) have been sentenced in absentia to 15 years in prison in Ukraine for carrying out cyberattacks against state institutions, according to a government statement on Tuesday. The pair is reportedly connected to a hacking group tracked as Armageddon, which is considered “the most engaged” state-sponsored threat actor in the country, according to previous research."
https://therecord.media/ukraine-in-absentia-sentencing-russia-armageddon-gamaredon-hackers
- Smart TVs Are Spying On Everyone
"Smart TVs are watching their viewers and harvesting their data to benefit brokers using the same ad technology that denies privacy on the internet. In a report titled "How TV Watches Us: Commercial Surveillance in the Streaming Era," the Center for Digital Democracy (CDD) outlines the expansive "commercial surveillance system" that has infested Smart TVs – aka connected TVs or CTVs – and video streaming services."
https://www.theregister.com/2024/10/09/smart_tv_spy_on_viewers/
https://democraticmedia.org/assets/cdd-ctv-report-oct24-1.1.pdf
- Cyber Insurance, Human Risk, And The Potential For Cyber-Ratings
"It’s undeniable that cyber insurance and cybersecurity are intrinsically linked. One requires the other, and they are a perfect pairing, even if they may deny the relationship. Looking ahead, however, we probably need to add a third party into the relationship: the business. Now we have everyone in the room, what could the future hold?"
https://www.welivesecurity.com/en/business-security/cyber-insurance-human-risk-potential-cyber-ratings/
Reference
Electronic Transactions Development Agency (ETDA)