Cyber Threat Intelligence 21 October 2024
Industrial Sector
- Organizations Faster At Detecting OT Incidents, But Response Still Lacking: Report
"Organizations have been getting faster at detecting incidents in industrial control system (ICS) and other operational technology (OT) environments, but incident response is still lacking, according to a new report from the SANS Institute. SANS’s 2024 State of ICS/OT Cybersecurity report, which is based on a survey of more than 530 professionals in critical infrastructure sectors, shows that roughly 60% of respondents can detect a compromise in less than 24 hours, which is a significant improvement compared to five years ago when the same number of respondents said their compromise-to-detection time had been 2-7 days."
https://www.securityweek.com/organizations-faster-at-detecting-ot-incidents-but-response-still-lacking-report/
https://sansorg.egnyte.com/dl/5mD1Yxiybn
Vulnerabilities
- New MacOS Vulnerability, “HM Surf”, Could Lead To Unauthorized Data Access
"Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent."
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/
https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html
https://www.darkreading.com/vulnerabilities-threats/macos-safari-exploit-camera-mic-browser-data
https://www.malwarebytes.com/blog/news/2024/10/microsoft-reveals-details-about-hm-surf-vulnerability-in-macos
https://www.infosecurity-magazine.com/news/microsoft-macos-vulnerability/
https://www.securityweek.com/microsoft-macos-vulnerability-potentially-exploited-in-adware-attacks/
https://securityaffairs.com/169945/security/macos-hm-surf-flaw-tcc-bypass-safari-privacy-settings.html
https://hackread.com/hm-surf-macos-flaw-attackers-access-camera-mic/
- Intel, AMD CPUs On Linux Impacted By Newly Disclosed Spectre Bypass
"The latest generations of Intel processors, including Xeon chips, and AMD's older microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing ‘Spectre’ mitigations. The vulnerabilities impact Intel's 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD's Zen 1, Zen 1+, and Zen 2 processors. The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks."
https://www.bleepingcomputer.com/news/security/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass/
https://comsec.ethz.ch/research/microarch/breaking-the-barrier/
https://comsec.ethz.ch/wp-content/files/ibpb_sp25.pdf
- Code Injection In Spring Cloud: CVE-2024-37084
"The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, allowing them to write arbitrary files to any location on the server’s file system, potentially compromising the server. This vulnerability is assigned a CVSS score of 9.8 by VMware, indicating its critical nature."
https://blog.sonicwall.com/en-us/2024/10/code-injection-in-spring-cloud-cve-2024-37084/
- Severe Flaws In E2EE Cloud Storage Platforms Used By Millions
"Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. Cryptographic analysis from ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong revealed issues with Sync, pCloud, Icedrive, Seafile, and Tresorit services, collectively used by more than 22 million people. The analysis was based on the threat model of an attacker controlling a malicious server that can read, modify, and inject data at will, which is realistic for nation-state actors and sophisticated hackers."
https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-storage-platforms-used-by-millions/
https://brokencloudstorage.info/
https://brokencloudstorage.info/paper.pdf
Malware
- ESET Partner Breached To Send Data Wipers To Israeli Orgs
"Hackers breached ESET's exclusive partner in Israel to send phishing emails to Israeli businesses that pushed data wipers disguised as antivirus software for destructive attacks. A data wiper is malware that intentionally deletes all of the files on a computer and commonly removes or corrupts the partition table to make it harder to recover the data. In a phishing campaign that started on October 8th, emails branded with ESET's logo were sent from the legitimate eset.co.il domain, indicating that the Israel division's email server was breached as part of the attack. While the eset.co.il domain is branded with ESET's content and logos, ESET told BleepingComputer it is operated by Comsecure, their Israel distributor."
https://www.bleepingcomputer.com/news/security/eset-partner-breached-to-send-data-wipers-to-israeli-orgs/
https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targeting-israeli-orgs-b1210aed7021
https://therecord.media/hackers-impersonate-eset-wiper-malware
https://www.darkreading.com/cyberattacks-data-breaches/eset-wiper-attack-targets-israel
https://www.bankinfosecurity.com/hacker-poses-as-israeli-security-vendor-to-deliver-wiper-a-26563
https://www.helpnetsecurity.com/2024/10/18/israel-wiper-eset/
https://www.theregister.com/2024/10/18/eset_denies_israel_branch_breach/
https://hackread.com/hackers-fake-eset-emails-israeli-wiper-malware/
- Military Exercises Trigger Russian DDoS Attacks On Japan
"Plans by Japan and U.S. to conduct military exercises near the coast of eastern Russia prompted Russia-linked threat actors to unleash a series of denial-of-service attacks this week against a dozen websites in Japan including the majority political party, major manufacturers, business groups and local governments."
https://www.bankinfosecurity.com/military-exercises-trigger-russian-ddos-attacks-on-japan-a-26561
https://www.asahi.com/ajw/articles/15469220
- THREAT ANALYSIS: Beast Ransomware
"Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform."
https://www.cybereason.com/blog/threat-analysis-beast-ransomware
- Analysis Of The Crypt Ghouls Group: Continuing The Investigation Into a Series Of Attacks On Russia
"Last December, we discovered a new group targeting Russian businesses and government agencies with ransomware. Further investigation into this group’s activity suggests a connection to other groups currently targeting Russia. We have seen overlaps not only in indicators of compromise and tools, but also tactics, techniques, and procedures (TTPs). Moreover, the infrastructure partially overlaps across attacks. The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others. As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk. We have dubbed the group “Crypt Ghouls”."
https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/114217/
https://thehackernews.com/2024/10/crypt-ghouls-targets-russian-firms-with.html
- Mobile Political Spam Volume Continues Rapid Growth In The Lead Up To The U.S. November Elections
"Since our July blog, which focused on the increase in mobile political spam volume, unwanted political messaging has continued to grow at a rapid pace. Subscriber reports of these messages increased 67% in September compared with June. We can expect the increases to not only continue, but to accelerate as we approach the November election. As we previously pointed out, most political messaging comes from political action committees, parties and candidates seeking support and donations. Although for many people these messages are a nuisance, they are not typically abusive or fraudulent. The graphic below shows a recent example of an unwanted political message reported by a subscriber."
https://www.proofpoint.com/us/blog/email-and-cloud-threats/spam-text-messages-dos-donts
- Vietnamese Threat Actor’s Multi-Layered Strategy On Digital Marketing Professionals
"Cyble Research and Intelligence Lab (CRIL) has uncovered an advanced attack campaign that likely originates from spam emails containing phishing attachments. These emails include an archive file with an LNK file disguised as a PDF file. The attack begins when the LNK file triggers PowerShell-based commands, which proceed to download and execute additional scripts hosted externally. These scripts are highly encoded and obfuscated to evade detection by security tools. The TAs use a variety of evasion techniques, including checks for virtual machines, sandbox environments, and debugging tools, ensuring that the malicious code can remain undetected and function stealthily in non-virtualized environments while bypassing standard security defenses."
https://cyble.com/blog/vietnamese-threat-actors-multi-layered-strategy-on-digital-marketing-professionals/
- Fake Attachment. Roundcube Mail Server Attacks Exploit CVE-2024-37383 Vulnerability.
"Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications."
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
Breaches/Hacks/Leaks
- Cisco Takes DevHub Portal Offline After Hacker Publishes Stolen Data
"Cisco confirmed today that it took its public DevHub portal offline after a threat actor leaked "non-public" data, but it continues to state that there is no evidence that its systems were breached. "We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," reads an updated statement from Cisco. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.""
https://www.bleepingcomputer.com/news/security/cisco-takes-devhub-portal-offline-after-hacker-publishes-stolen-data/
- Tech Giant Nidec Confirms Data Breach Following Ransomware Attack
"Nidec Corporation is informing that hackers behind a ransomware attack it suffered earlier this year stole data and leaked it on the dark web. The Japanese tech giant says the threat actors tried to extort the company and decided to leak the information after their demands were not met. The attack did not encrypt files and the incident is considered fully remediated at this time. However, Nidec employees, contractors, and associates should be aware that the leaked data could be used in more targeted phishing attacks."
https://www.bleepingcomputer.com/news/security/tech-giant-nidec-confirms-data-breach-following-ransomware-attack/
- Omni Family Health Data Breach Impacts 470,000 Individuals
"California network of health centers Omni Family Health is notifying close to 470,000 individuals that their personal information was stolen in a cyberattack earlier this year. The data breach, Omni says, was discovered on August 7, after learning that threat actors had posted on the dark web data allegedly stolen from its network. The leaked information, the healthcare provider says, pertains to current and former patients and employees. In total, 468,344 individuals were affected, Omni told the US Department of Health and Human Services."
https://www.securityweek.com/omni-family-health-data-breach-impacts-470000-individuals/
https://securityaffairs.com/169972/data-breach/omni-family-health-disclosed-a-data-breach.html
- Internet Archive Breached Again Through Stolen Access Tokens
"The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens. Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens. "It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor."
https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/
https://www.theregister.com/2024/10/21/internet_archive_zendesk_access_attack/
General News
- A Closer Look At Q3 2024: 75% Surge In Cyber Attacks Worldwide
"The digital landscape witnessed an unprecedented surge in cyber attacks worldwide in the third quarter of 2024. This period marked a significant escalation in both the volume and intensity of cyber threats organizations face, shedding light on cybercriminals’ evolving tactics and the urgent need for reinforced cyber defenses."
https://blog.checkpoint.com/research/a-closer-look-at-q3-2024-75-surge-in-cyber-attacks-worldwide/
- Time To Get Strict With DMARC
"The state of DMARC email authentication and security standard looked so promising at the beginning of 2024. Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and as companies scrambled to meet the deadline, the number of email domains with a valid DMARC record jumped 60% in two months. As of September, nearly 6.8 million domains have email sender authentication configured."
https://www.darkreading.com/cybersecurity-operations/time-get-strict-dmarc
- CISOs: Throwing Cash At Tools Isn't Helping Detect Breaches
"Global information security spend is projected to reach $215 billion by the end of 2024. But a new survey of chief information security officers (CISOs) shows that all that cash might not have bought the peace of mind they hoped for. In fact, 44% of CISOs across the globe reported missing a data breach in the past 12 months with existing tools."
https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches
https://www.gigamon.com/resources/resource-library/white-paper/wp-gigamon-survey-hybrid-cloud-security-2024.html
https://www.helpnetsecurity.com/2024/10/18/cisos-security-tools/
- Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management
"In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires."
https://www.darkreading.com/cyber-risk/supply-chain-cybersecurity-traditional-vendor-risk-management
- What’s Behind The 51% Drop In Ransomware Attacks?
"In a world where cyber threats feel omnipresent, a recent report has revealed some unexpected good news: ransomware attacks on state and local governments have dropped by 51% in 2024. Still, this decline does not signal the end of the ransomware threat, nor should it lead to complacency. As the nature of ransomware evolves, so do its consequences, costs and implications for enterprises and critical infrastructure. What’s behind the drop in ransomware attacks? And what does it mean for the future of cybersecurity? Let’s take a look."
https://securityintelligence.com/articles/whats-behind-51-drop-in-ransomware-attacks/
- Rising Tides: Christien “DilDog” Rioux On Building Privacy And What Makes Hackers Unique
"Few things bring me more joy than this ongoing Rising Tides column, because I get to dig into the minds and experiences of some of the most fascinating people in our industry. What makes these people even more exceptional, at least to me, is how they go beyond the norm of a “day job” and use their efforts to create technology or frameworks that watch out for the human."
https://www.securityweek.com/rising-tides-christien-dildog-rioux-on-building-privacy-and-what-makes-hackers-unique/
- Microsoft Creates Fake Azure Tenants To Pull Phishers Into Honeypots
"Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and luring cybercriminals in to collect intelligence about them. With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity. The tactic and its damaging effect on phishing activity were described at the BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft's "Head of Deception.""
https://www.bleepingcomputer.com/news/security/microsoft-creates-fake-azure-tenants-to-pull-phishers-into-honeypots/
Reference
Electronic Transactions Development Agency (ETDA)