Cyber Threat Intelligence 01 November 2024
Healthcare Sector
- HHS OCIO HC3 – Analyst Note TLP Clear: The Miracle Exploit
"The "Miracle Exploit" refers to a set of critical vulnerabilities in Oracle products, primarily affecting Oracle Fusion Middleware and its ADF Faces framework, which is used to build web interfaces for Java EE applications. This exploit, disclosed in 2022, includes CVE-2022-21445 and CVE-2022-21497, both of which allow attackers to execute remote code without authentication. This can lead to full system compromise, potentially exposing sensitive data and enabling lateral movement within a network."
https://www.aha.org/cybersecurity-government-intelligence-reports/2024-10-28-hhs-ocio-hc3-analyst-note-tlp-clear-miracle-exploit
https://www.aha.org/system/files/media/file/2024/10/hhs-ocio-hc3--analyst-note-tlp-clear-the-miracle-exploit-10-28-2024.pdf
Industrial Sector
- Rockwell Automation FactoryTalk ThinManager
"Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device resulting in database manipulation or a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-305-01
Vulnerabilities
- GreyNoise Intelligence Discovers Zero-Day Vulnerabilities In Live Streaming Cameras With The Help Of AI
"GreyNoise has discovered previously undisclosed zero-day vulnerabilities in IoT-connected live streaming cameras, leveraging AI to catch an attack before it could escalate. These cameras are reportedly used in sectors such as industrial operations, healthcare, and other sensitive environments like houses of worship, highlighting the urgent need for stronger cybersecurity defenses as the threat landscape continues to evolve. This discovery was made possible after a GreyNoise honeypot detected an attempt to execute an exploit against it. An attacker had developed and automated a zero-day vulnerability exploit, using a broad-spectrum reconnaissance and targeting strategy to run it across the internet."
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vulnerabilities-in-live-streaming-cameras-with-the-help-of-ai
https://www.bleepingcomputer.com/news/security/hackers-target-critical-zero-day-vulnerability-in-ptz-cameras/
- RCE Vulnerability In qBittorrent
"In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86. The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago. The usages of DownloadManager across the program are extensive, and affect searches, .torrent downloads, RSS feeds, favicon downloads and more."
https://sharpsec.run/rce-vulnerability-in-qbittorrent/
https://www.bleepingcomputer.com/news/security/qbittorrent-fixes-flaw-exposing-users-to-mitm-attacks-for-14-years/
- NVIDIA Shader Out-Of-Bounds And Eleven LevelOne Router Vulnerabilities
"Cisco Talos' Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
https://blog.talosintelligence.com/nvidia-shader-out-of-bounds-and-level1-2/
- Paranoids’ Vulnerability Research: NetIQ iManager Security Alerts
"Last Summer, the Paranoid’s Vulnerability Research Team (VRT) identified a series of vulnerabilities in OpenText NetIQ iManager, an enterprise directory management tool. Some of the vulnerabilities can be chained together by an attacker to achieve pre-authentication remote code execution. In other cases, an attacker with any valid credentials can escalate their privileges within the platform and ultimately achieve post-auth code execution."
https://www.yahooinc.com/paranoids/paranoids-vulnerability-research-netiq-imanager-security-alerts
https://www.securityweek.com/yahoo-discloses-netiq-imanager-flaws-allowing-remote-code-execution/
- October 30 Advisory: Xlight FTP Server Flaw [CVE-2024-46483]
"CVE-2024-46483 is an integer overflow vulnerability in the packet parsing logic of the Xlight SFTP server, which can lead to a heap overflow with attacker-controlled content. The vulnerability is currently awaiting analysis from NVD, but an existing proof of concept is available on GitHub, raising the likelihood that we will observe exploitation of this vulnerability. Xlight FTP Server is a lightweight FTP (File Transfer Protocol) server designed primarily for Windows platforms for centralized file sharing and management. Typically, businesses or organizations use FTP servers like Xlight to manage files securely, automate backups, or facilitate data exchanges between departments."
https://censys.com/cve-2024-46483/
Malware
- Sophos Pacific Rim
"In the story, we disclose how the attackers used a series of campaigns with novel exploits and customized malware to conduct surveillance, sabotage, and cyberespionage. Sophos also found overlapping tactics, tools, and procedures (TTPs) with well-known Chinese nation-state groups, including Volt Typhoon, APT31 and APT41. The adversaries have targeted both small and large critical infrastructure and government facilities, primarily in South and Southeast Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries."
https://www.sophos.com/en-us/content/pacific-rim
https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/
https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/
https://www.bleepingcomputer.com/news/security/sophos-reveals-5-year-battle-with-chinese-hackers-attacking-network-devices/
https://www.bankinfosecurity.com/sophos-discloses-half-decade-sustained-chinese-attack-a-26698
https://www.securityweek.com/sophos-used-custom-implants-to-surveil-chinese-hackers-targeting-firewall-zero-days/
https://www.helpnetsecurity.com/2024/10/31/sophos-china-defensive-operation/
- PythonRatLoader: The Proprietor Of XWorm And Friends
"The Cofense Phishing Defense Center (PDC) has uncovered a sophisticated attack that leveraged multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT. However, this attack campaign didn’t end with VenomRAT because the subsequently loaded plugin continued to deploy various types of malware into the victim’s environment."
https://cofense.com/blog/pythonratloader-the-proprietor-of-xworm-and-friends
- Chinese Threat Actor Storm-0940 Uses Credentials From Password Spray Attacks From A Covert Network
"Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is publishing this blog on how covert networks are used in attacks, with the goal of increasing awareness, improving defenses, and disrupting related activity against our customers."
https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
https://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-use-quad7-botnet-to-steal-credentials/
- LottieFiles Hacked In Supply Chain Attack To Steal Users’ Crypto
"The popular LottieFiles Lottie-Player project was compromised in a supply chain attack to inject a crypto drainer into websites that steals visitors' cryptocurrency. Blockchain threat monitoring platform Scam Sniffer reports that at least one victim allegedly lost $723,000 worth of Bitcoin due to the LottieFiles supply chain compromise. As discovered yesterday, following multiple user reports about strange code injections, Lottie Web Player ("lottie-player") 2.0.5, 2.0.6, and 2.0.7 were modified yesterday to include malicious code that injects a crypto wallet drainer into websites."
https://www.bleepingcomputer.com/news/security/lottiefiles-hacked-in-supply-chain-attack-to-steal-users-crypto/
https://thehackernews.com/2024/10/lottiefiles-issues-warning-about.html
https://www.helpnetsecurity.com/2024/10/31/lottie-player-compromise/
https://www.theregister.com/2024/10/31/lottiefiles_supply_chain_attack/
- Satori Threat Intelligence Alert: Phish ’n’ Ships Fakes Online Shops To Steal Money And Credit Card Information
"HUMAN’s Satori Threat Intelligence and Research team recently uncovered and disrupted a sprawling fraud operation centered on fake web shops that abuse digital payment providers to steal consumers’ money and credit card information. The threat, dubbed Phish ’n’ Ships, is made up of hundreds of fake web shops offering in-demand items. The threat actors, whose internal tools used Simplified Chinese, drove traffic to these fake web shops by infecting legitimate websites with a malicious payload. This payload creates fake product listings and adds metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer."
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-phish-n-ships-fakes-online-shops-to-steal-money-and-credit-card-information
https://therecord.media/shopping-scam-thousands-sites-phishing
https://www.bleepingcomputer.com/news/security/over-a-thousand-online-shops-hacked-to-show-fake-product-listings/
- Cybercriminals Impersonate OpenAI In Large-Scale Phishing Attack
"Since the launch of ChatGPT, OpenAI has sparked significant interest among both businesses and cybercriminals. While companies are increasingly concerned about whether their existing cybersecurity measures can adequately defend against threats curated with generative AI tools, attackers are finding new ways to exploit them. From crafting convincing phishing campaigns to deploying advanced credential harvesting and malware delivery methods, cybercriminals are using AI to target end users and capitalize on potential vulnerabilities."
https://blog.barracuda.com/2024/10/31/impersonate-openai-steal-data
- Threat Actors Use Copyright Infringement Phishing Lure To Deploy Infostealers
"Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are:"
https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/
https://www.darkreading.com/cyberattacks-data-breaches/facebook-businesses-targeted-infostealer-phishing-campaign
- China Says Seabed Sentinels Are Spying, After Trump Taps
"Just days after Chinese state-sponsored hackers attacked the presidential campaigns of both Donald Trump and Kamala Harris, Beijing is leveling accusations at unnamed foreign entities, accusing them of using secret maritime buoys and seabed equipment to spy on its naval activities. In a message on WeChat — China's biggest social media app — the country's Ministry of State Security (MSS) claimed it has discovered devices designed for "reconnaissance and monitoring of our country's waters" and "intelligence collection and technical theft activities.""
https://www.darkreading.com/cyberattacks-data-breaches/china-seabed-sentinels-spying-trump-taps
- Every Doggo Has Its Day: Unleashing The Xiū Gǒu Phishing Kit
"Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel."
https://www.netcraft.com/blog/doggo-threat-actor-analysis/
https://hackread.com/gou-phishing-kit-hits-uk-us-japan-australia-sectors/
https://www.infosecurity-magazine.com/news/new-xiugou-phishing-kit-targets-us/
- Loose-Lipped Neural Networks And Lazy Scammers
"One topic being actively researched in connection with the breakout of LLMs is capability uplift – when employees with limited experience or resources in some area become able to perform at a much higher level thanks to LLM technology. This is especially important in information security, where cyberattacks are becoming increasingly cost-effective and larger-scale, causing headaches for security teams."
https://securelist.com/llm-phish-blunders/114367/
- FBI: Iranian Cyber Group Targeted Summer Olympics With Attack On French Display Provider
"The FBI and other agencies accused Iranian cyber actors of targeting the 2024 Summer Olympics, including an attempt to take over display boards to denounce Israel. The U.S. Department of Treasury and Israel National Cyber Directorate joined the FBI in publishing an advisory this week about the operations of Emennet Pasargad — a well-known Iranian cyber operation previously implicated in hacking attempts targeting Israel and the 2020 U.S. presidential election. The group has been using a company named Aria Sepehr Ayandehsazan (ASA) as cover for operations that researchers have tagged under various names, including “Cotton Sandstorm” and “Haywire Kitten.”"
https://therecord.media/iran-cyber-group-targeted-paris-olympics-israel
https://www.ic3.gov/CSA/2024/241030.pdf
- AI Pulse: Election Deepfakes, Disasters, Scams & More
"In the final weeks before November’s U.S. election, cybersecurity experts were calling October 2024 the “month of mischief”—a magnet for bad actors looking to disrupt the democratic process through AI-generated misinformation. This issue of AI Pulse looks at what can be done about deepfakes and other AI scams, and why defense-in-depth is the only way to go."
https://www.trendmicro.com/en_us/research/24/j/ai-election-deepfakes.html
Breaches/Hacks/Leaks
- Mystic Valley Elder Services Data Breach Impacts 87,000 People
"Mystic Valley Elder Services, a Massachusetts-based non-profit that provides health and other services to the elderly and people with disabilities, has suffered a data breach impacting many individuals. The intrusion was detected by Mystic Valley Elder Services (MVES) in early April and an investigation was immediately launched. The investigation revealed a few months later that the attacker may have stolen files containing personal information, including name, date of birth, Social Security number, passport number, payment card and financial account number, online credentials, driver’s license number, health insurance information, and medical information."
https://www.securityweek.com/mystic-valley-elder-services-data-breach-impacts-87000-people/
- Suspected Pro-Ukraine Cyberattack Knocks Out Parking Enforcement In Russian City
"Residents of the northwestern Russian city of Tver were able to park for free for nearly two days due to what local authorities referred to as a “technical failure” in the digital parking payment system. However, a hacker group known as the Ukrainian Cyber Alliance is offering another possible reason for the disruption: a cyberattack on the city’s administrative network. In a statement on Tuesday, the group’s spokesperson said the hackers had taken down the network and claimed to have wiped out “dozens of virtual machines, backup storage, websites, email, and hundreds of workstations.”"
https://therecord.media/ukraine-cyberattack-russia-parking-tver
General News
- IoT Needs More Respect For Its Consumers, Creations, And Itself
"Yet again, connected devices are in the news for all the wrong reasons. In October, security researchers found that robot vacuums from Chinese company, Ecovacs, can be compromised via a backdoor. In one case, hackers gained control over the device and shouted slurs at the homeowners. Worse still: the company doesn’t take responsibility and tells users they “do not need to worry excessively” about the vulnerability."
https://www.helpnetsecurity.com/2024/10/31/connected-device-privacy/
- How Agentic AI Handles The Speed And Volume Of Modern Threats
"In this Help Net Security interview, Lior Div, CEO at Seven AI, discusses the concept of agentic AI and its application in cybersecurity. He explains how it differs from traditional automated security systems by offering greater autonomy and decision-making capabilities. Div emphasizes that agentic AI is particularly well-suited to combat modern AI-driven threats, such as AI-generated phishing or malware, by processing vast volumes of alerts in real time."
https://www.helpnetsecurity.com/2024/10/31/lior-div-seven-ai-agentic-ai-cybersecurity/
- 99% Of CISOs Work Extra Hours Every Week
"The most common challenge for CISOs is resource constraints: not enough staff, budget or technology to support the security program needed or meet compliance requirements, according to DirectDefense. The World Economic Forum claims there’s a global shortage of nearly 4 million professionals in the cybersecurity industry – and that shortage is after a 12.6% growth in the cybersecurity workforce between 2022 and 2023. The government and healthcare sectors are among those experiencing the greatest cybersecurity workforce shortages, which presents unique challenges because these industries are so highly regulated."
https://www.helpnetsecurity.com/2024/10/31/cisos-common-challenge/
- MacOS Malware Surges As Corporate Usage Grows
"An apple a day keeps the doctor away. While the age-old expression does have its merits, the malware landscape on Apple’s macOS has changed in the past few years. Researchers discovered more and more macOS-targeted malware, which ties in with the increase of the operating system’s usage on a global scale. A 2% increase of usage was observed by StatCounter when comparing January 2021 through January 2023 with January 2023 through August 2024. With more corporate users, the platform has become increasingly attractive to criminals, ranging from eCrime all the way to Advanced Persistent Threat (APT) actors."
https://www.trellix.com/blogs/research/macos-malware-surges-as-corporate-usage-grows/
https://www.bankinfosecurity.com/mac-malware-threat-hackers-seek-cryptocurrency-holders-a-26697
- 2024 ISC2 Cybersecurity Workforce Study
"Organizations have experienced a marked increase in risk and disruption in 2024. Economic pressures, exacerbated by geopolitical uncertainties, have led to budget and workforce reductions in a number of sectors, while cybersecurity threats and data security incidents have only continued to grow. Alongside these issues, organizations and professionals have had to keep pace with rapidly advancing technology innovations such as artificial intelligence (AI) in order to maintain and improve efficiency and agility. While the offer of transformative potential has fueled adoption, such technologies also introduce additional risks and exposure to regulation."
https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study
https://www.darkreading.com/application-security/cybersecurity-job-market-stagnates-dissatisfaction-abounds
- The Overlooked Importance Of Identifying Riskiest Users
"In healthcare, the "see one, teach one, do one" model refers to an incremental learning process: Trainees first observe a procedure, then learn to teach it to others, then perform it themselves. This framework can be applied to cybersecurity by encouraging employees, especially those identified as high-risk users, to progress through a similar cycle of observation and education, followed by a combination of tool implementation and practice. This approach fosters a deep understanding of cybersecurity risks, increases tool efficiency, and empowers users to mitigate risks actively."
https://www.darkreading.com/threat-intelligence/the-overlooked-importance-of-identifying-riskiest-users
- The Case Against Abandoning CrowdStrike Post-Outage
"The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises."
https://www.darkreading.com/vulnerabilities-threats/case-against-abandoning-crowdstrike-post-outage
- Distributing Ownership Of An Organization’s Cybersecurity Risks
"Cybersecurity is constantly evolving to respond to new types of threats. For years, organizations have been facing various multifaceted threats, including sophisticated cyberattacks targeting their employees and IT, OT, and IoT systems. Now, CISOs have another major concern to grapple with: compliance."
https://www.fortinet.com/blog/ciso-collective/distributing-ownership-of-an-organization-cybersecurity-risks
- Google On Scaling Differential Privacy Across Nearly Three Billion Devices
"In this Help Net Security interview, Miguel Guevara, Product Manager, Privacy Safety and Security at Google, discusses the complexities involved in scaling differential privacy technology across large systems. He emphasizes the need to develop secure, private, and user-controlled products while effectively addressing the complexities of integrating such technologies into existing systems. Guevara also outlines the rigorous processes of optimizing these technologies to ensure user data is protected without sacrificing functionality."
https://www.helpnetsecurity.com/2024/10/31/miguel-guevara-google-implementing-differential-privacy/
- Over 80% Of US Small Businesses Have Been Breached
"A growing number of US small businesses are taking preventative security measures, despite the share suffering a data or security breach surging to 81% last year, according to the Identity Theft Resource Center (ITRC). The non-profit collated publicly reported breaches and information from victims who got in touch to compile its annual Consumer & Business Impact Report. It revealed that the share of organizations with fewer than 500 employees that suffered a data or security breach in the past year increased eight percentage points annually."
https://www.infosecurity-magazine.com/news/80-us-small-businesses-breached/
https://www.idtheftcenter.org/publication/itrc-2024-consumer-and-business-impact-report/
- Quishing: A Growing Threat Hiding In Plain Sight
"Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image. However, legitimate organizations aren’t the only ones generating QR codes for added convenience. Cyber criminals are also leveraging QR codes and the increased reliance on near-field technology (NFC) to launch sophisticated attacks on unsuspecting victims."
https://securityintelligence.com/articles/quishing-growing-threat-hiding-plain-sight/
- Designing A Future-Focused Cybersecurity Investment Strategy
"Today’s CISOs have an unenviable task. The cyber threat environment changes constantly, new threats continually emerge, legacy tools get tired, the environment grows ever more complex, and new tools or approaches may promise much but deliver a host of challenges and frustrations. In fact, the reason Gartner’s hype cycle strikes such a chord with CISOs is that they live through it every day."
https://www.securityweek.com/designing-a-future-focused-cybersecurity-investment-strategy/
- API Security Matters: The Risks Of Turning A Blind Eye
"I have the good fortune of traveling a fair bit to meet security teams within businesses that span different sizes, industry verticals, and geographies. During these travels, without fail, I find myself having fascinating conversations that are very grounding and informative regarding the issues and challenges that these security teams are grappling with. As you might expect, these issues and challenges evolve over time as certain ones are addressed and move lower in priority and other ones emerge and become top of mind."
https://www.securityweek.com/api-security-matters-the-risks-of-turning-a-blind-eye/
- Government Organizations Face Escalating Cyber Threats Amid Election Concerns: A Closer Look At 2024
"As the United States and the rest of the world gear up for the 2024 elections, cyberattacks on government systems are seriously ramping up, and the cybersecurity community is paying attention. SonicWall’s latest Government Threat Brief is sounding the alarm on these rising risks, shining a light on how vulnerable our critical infrastructure is right now, especially with elections just around the corner. It paints a pretty grim picture of what governments worldwide are up against."
https://blog.sonicwall.com/en-us/2024/10/government-organizations-face-escalating-cyber-threats-amid-election-concerns-a-closer-look-at-2024/
https://www.infosecurity-magazine.com/news/government-sector-236-surge/
References
Electronic Transactions Development Agency (ETDA)