Cyber Threat Intelligence 04 November 2024
Vulnerabilities
- Synology Hurries Out Patches For Zero-Days Exploited At Pwn2Own
"Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days. Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company's Synology Photos and BeePhotos for BeeStation software. As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online."
https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/
https://www.midnightblue.nl/research/riskstation
- Bypassing Azure AI Content Safety Guardrails
"In February 2024, Mindgard discovered and responsibly disclosed two security vulnerabilities within Microsoft’s Azure AI Content Safety Service, whereby attackers could evade detection and bypass established GenAI guardrails. Azure AI Content Safety is a cloud-based service from Microsoft Azure that helps developers build safety and security guardrails around AI applications by detecting and managing harmful or inappropriate content in user-generated text, images, and videos. Two security vulnerabilities were discovered within the guardrails that the service provides, specifically in AI Text Moderation (blocks harmful content such as hate speech, sexual material, etc.) and Prompt Shield (protects AI models against jailbreaks and prompt injection)."
https://mindgard.ai/resources/bypassing-azure-ai-content-safety-guardrails
https://hackread.com/azure-ai-vulnerabilities-bypass-moderation-safeguards/
- CVE-2024-9379: Ivanti Cloud Service Appliance Authenticated SQL Injection
"The SonicWall Capture Labs threat research team became aware of an authenticated SQL injection vulnerability affecting Ivanti Cloud Service Appliances (CSA). Identified as CVE-2024-9379 and with a moderate score of 6.5 CVSSv3, the vulnerability is more severe than it initially appears due to reported exploitation attempts. Recently, in its October security update, Ivanti announced, “We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are chained with CVE-2024-8963.” Labeled as a SQL Injection vulnerability and categorized as CWE-89, this vulnerability allows authenticated attackers to run arbitrary SQL statements and compromise the server database."
https://blog.sonicwall.com/en-us/2024/11/cve-2024-9379-ivanti-cloud-service-appliance-authenticated-sql-injection/
Malware
- LastPass Warns Of Fake Support Centers Trying To Steal Customer Data
"LastPass is warning about an ongoing campaign where scammers are writing reviews for its Chrome extension to promote a fake customer support phone number. However, this phone number is part of a much larger campaign to trick callers into giving scammers remote access to their computers, as discovered by BleepingComputer. LastPass is a popular password manager that utilizes a LastPass Chrome extension to generate, save, manage, and autofill website passwords. Threat actors are attempting to target a large swath of the company's user base by leaving 5-star reviews with a fake LastPass customer support number."
https://www.bleepingcomputer.com/news/security/lastpass-warns-of-fake-support-centers-trying-to-steal-customer-data/
- SHIM Me What You Got: Manipulating Shim And Office For Code Injection
"Curiosity is a necessary personality trait for cybersecurity professionals. For many of us, that means taking the defensive knowledge we’ve built and using it as a weapon. Understanding attack methodologies and how attackers think is key to successfully defending against them. This blog is a supplement to our talk at DEF CON 32. In that talk we discussed the resurrection of an attack surface that cybersecurity vendors believed had been addressed a long time ago. We focused on two sets of unique attack surface research. The first study targeted RPC servers related to Office. Analyzing a single RPC method led to a noteworthy attack that combined several manipulations to achieve both code injection and privilege escalation."
https://www.deepinstinct.com/blog/SHIM-Me-What-You-Got:-Manipulating-Shim-and-Office-for-Code-Injection
- NCSC Details ‘Pygmy Goat’ Backdoor Planted On Hacked Sophos Firewall Devices
"The UK’s National Cyber Security Centre (NCSC) has published technical documentation of a sophisticated network backdoor being planted on hacked Sophos XG firewall devices and warned that the malware was designed for a broader range of Linux-based network devices. The backdoor, called Pygmy Goat, uses multiple stealthy techniques to maintain persistence and avoid detection and is capable of disguising malicious traffic as legitimate SSH connections. The backdoor also makes use of encrypted ICMP packets for covert communication and is clearly the work of a very skilled, professional hacking operator."
https://www.securityweek.com/ncsc-details-pygmy-goat-backdoor-planted-on-hacked-sophos-firewall-devices/
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf
- UK Councils Bat Away DDoS Barrage From Pro-Russia Keyboard Warriors
"Multiple UK councils had their websites either knocked offline or were inaccessible to residents this week after pro-Russia cyber nuisances added them to a daily target list. The targeting began on Tuesday and among the many authorities on the list, the websites of Bradford, Eastleigh, Keighley, Salford, Tameside, and Trafford were rendered inaccessible. Eastleigh and Trafford's sites remained down on Wednesday, as did Salford's until the afternoon, when it returned with warnings of lingering technical difficulties."
https://www.theregister.com/2024/11/01/uk_councils_russia_ddos/
- TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
"This article reviews an incident where a threat actor unsuccessfully tried bypassing Cortex XDR. By digging further into the incident, the process instead provided us with insight into the threat actor's operations. In a recent investigation involving an extortion attempt, we discovered a threat actor had purchased access to the client network via Atera RMM from an initial access broker. We discovered the threat actor used rogue systems to install the Cortex XDR agent onto a virtual system. They did this to test a new antivirus/endpoint detection and response (AV/EDR) bypass tool leveraging the bring your own vulnerable driver (BYOVD) technique."
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
- Meet Interlock — The New Ransomware Targeting FreeBSD Servers
"A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers. Launched at the end of September 2024, Interlock has since claimed attacks on six organizations, publishing stolen data on their data leak site after a ransom was not paid. One of the victims is Wayne County, Michigan, which suffered a cyberattack at the beginning of October. Not much is known about the ransomware operation, with some of the first information coming from incident responder Simo in early October, who found a new backdoor [VirusTotal] deployed in an Interlock ransomware incident."
https://www.bleepingcomputer.com/news/security/meet-interlock-the-new-ransomware-targeting-freebsd-servers/
- ChatGPT-4o Can Be Used For Autonomous Voice-Based Scams
"Researchers have shown that it's possible to abuse OpenAI's real-time voice API for ChatGPT-4o, an advanced LLM chatbot, to conduct financial scams with low to moderate success rates. ChatGPT-4o is OpenAI's latest AI model that brings new enhancements, such as integrating text, voice, and vision inputs and outputs. Due to these new features, OpenAI integrated various safeguards to detect and block harmful content, such as replicating unauthorized voices."
https://www.bleepingcomputer.com/news/security/chatgpt-4o-can-be-used-for-autonomous-voice-based-scams/
https://ddkang.substack.com/p/voice-enabled-ai-agents-how-they
- Investigating A SharePoint Compromise: IR Tales From The Field
"Rapid7’s Incident Response team recently investigated a Microsoft Exchange service account with domain administrator privileges. Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain. The attacker remained undetected for two weeks. Rapid7 determined the initial access vector to be the exploitation of a vulnerability, CVE 2024-38094, within the on-premise SharePoint server. Exploitation for initial access has been a common theme in 2024, often requiring security tooling and efficient response procedures to avoid major impact. The attacker’s tactics, techniques, and procedures (TTPs) are showcased in this blog, along with some twists and turns we encountered when handling the investigation."
https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-rce-bug-exploited-to-breach-corporate-network/
Breaches/Hacks/Leaks
- LA Housing Authority Confirms Breach Claimed By Cactus Ransomware
"The Housing Authority of the City of Los Angeles (HACLA), one of the largest public housing authorities in the United States, confirmed that a cyberattack hit its IT network after recent breach claims from the Cactus ransomware gang. HACLA provides affordable public housing and assistance programs to low-income families, children, and seniors in Los Angeles, California. As a state-chartered public agency, it administers over 32,000 public housing units on an annual budget of over $1 billion."
https://www.bleepingcomputer.com/news/security/la-housing-authority-confirms-breach-claimed-by-cactus-ransomware/
https://therecord.media/hacla-los-angeles-second-ransomware-attack
- Ransomware Attack Hits German Pharmaceutical Wholesaler, Disrupts Medicine Supplies
"AEP, a German pharmaceutical wholesaler based in Bavaria, said it was hit by a ransomware attack that could disrupt the supply of medicine to thousands of pharmacies. In a statement on the AEP website, the company described the cyberattack as “targeted and criminal” and resulting in the partial encryption of AEP’s IT systems. The incident was said to have been detected last week, with the company saying it “took necessary and far-reaching protective measures” after discovering what was happening."
https://therecord.media/ransomware-attack-hits-german-pharmaceutical-wholesaler-disruptions
https://www.bankinfosecurity.com/german-pharma-wholesaler-aep-targeted-in-ransomware-attack-a-26704
- California Court Suffering From Tech Outages After Cyberattack
"The San Joaquin County Superior Court said nearly all of its digital services have been knocked offline due to a cyberattack that began earlier this week. The court first warned the county’s nearly 800,000 residents of technology issues on Wednesday before admitting that it was a cybersecurity incident on Thursday. The attack knocked out all of the court’s phone and fax services, websites containing juror reporting instructions, the e-filing platform, credit card payment processing and more. Some jurors scheduled for this week were excused."
https://therecord.media/california-court-suffering-from-tech-outages-cyberattack
- Young People’s Data Feared Stolen In Cyberattack On French Government Contractor
"France’s Ministry of Labor and Employment announced on Thursday that it discovered a cyberattack suspected to have impacted the data of young people it was helping get into employment. According to the ministry’s statement, the attack directly impacted an unnamed service provider used by the department’s network of “Local Missions” — places that offer advice and support to people between the ages of 16 and 25 about work and training."
https://therecord.media/france-data-breach-government-contractor-local-missions
General News
- 50% Of Financial Orgs Have High-Severity Security Flaws In Their Apps
"Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to Veracode. With the average cost of a data breach in the financial industry estimated to be $6.08 million, the research comes at a critical time for one of the most highly targeted industries by sophisticated threat actors. According to a U.S. Treasury Department report in March 2024, threat actors use AI-based tools to find and exploit software vulnerabilities. At the same time, increasing industry competition and customer expectations for convenience require organizations to accelerate innovation."
https://www.helpnetsecurity.com/2024/11/01/financial-sector-applications-security-debt/
- How Open-Source MDM Solutions Simplify Cross-Platform Device Management
"In this Help Net Security interview, Mike McNeil, CEO at Fleet, talks about the security risks posed by unmanaged mobile devices and how mobile device management (MDM) solutions help address them. He also discusses employee resistance to MDM and how open-source transparency can build trust. Lastly, McNeil shares insights on managing devices in remote locations and what’s next for MDM technology."
https://www.helpnetsecurity.com/2024/11/01/mike-mcneil-fleet-mdm-mobile-device-management/
- DDoS Site Dstat[.]cc Seized And Two Suspects Arrested In Germany
"The Dstat[.]cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. The seizure and arrests were conducted as part of "Operation PowerOFF," an ongoing international law enforcement operation that targets DDoS-for-hire platforms, aka "booters" or "stressers," to seize infrastructure and arrest the operators. These platforms are responsible for service disruptions to online services and can cause significant economic damages, as well as impact to the operation of critical services, such as healthcare."
https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and-two-suspects-arrested-in-germany/
https://therecord.media/german-police-arrest-two-ddos-for-hire-platform
- Ransomware’s Evolving Threat: The Rise Of RansomHub, Decline Of Lockbit, And The New Era Of Data Extortion
"The ransomware landscape is witnessing significant changes, with new actors like RansomHub rising to prominence, while previously dominant groups such as Lockbit experience a sharp decline. Ransomware remains the most pervasive cyber threat, with financially motivated criminal groups deploying increasingly sophisticated tactics, including Ransomware-as-a-Service (RaaS) models and double extortion. This report, based on Check Point Research’s (CPR) September 2024 analysis, provides an in-depth review of the current ransomware trends, key actors, and their impact on sectors such as industrial manufacturing, education, and healthcare."
https://blog.checkpoint.com/research/ransomwares-evolving-threat-the-rise-of-ransomhub-decline-of-lockbit-and-the-new-era-of-data-extortion/
- AU10TIX Q3 2024 Global Identity Fraud Report Detects Skyrocketing Social Media Attacks
"AU10TIX, a global technology leader in identity verification and management, today released its Q3 2024 Global Identity Fraud Report at Money 20/20 USA in Las Vegas. Drawing insights from millions of transactions processed around the globe from July to September 2024, the report uncovers significant trends in large-scale organized identity fraud. This quarter, automated bot attacks targeting social media platforms surged in the lead-up to next week's US presidential election, with the sector accounting for 28% of all attacks in Q3, up from just 3% in Q1. The report also reveals a faster-than-anticipated leap in the sophistication of AI-powered impersonation bots and deepfake technology, including synthetic selfies that have shown the ability to bypass some leading verification systems."
https://www.darkreading.com/cyber-risk/au10tix-q3-2024-global-identity-fraud-report-detects-skyrocketing-social-media-attacks
https://www.au10tix.com/landing/the-q3-2024-global-identity-fraud-report/
- IT Security Centralization Makes The Use Of Industrial Spies More Profitable
"In recent years, large-scale financial and reputational damages have taught organizations the value of IT security. From corporations to universities, many organizations employ advanced security measures, such as implementing multifactor authentication, conducting regular ISO 27001 audits, providing social engineering training, and even conducting penetration tests and red-team exercises. Beyond this, to prevent unaffiliated devices from roaming freely in their networks, many organizations ask individuals to register their devices and apply security policies on them, such as using complex passwords."
https://www.darkreading.com/vulnerabilities-threats/it-security-centralization-industrial-spies-profitable
- Developer Velocity & Security: Can You Get Out Of The Way In Time?
"When it comes to making a difference to business performance, chief information officers (CIOs) are investing in application development and improvements to software. According to Gartner, 60% of companies plan to spend more on software, with 52% of companies increasing their spend on software to improve productivity. Analyst firm Omdia points to modernization and investment in applications as a critical goal, due to the cost of maintaining existing technology stacks over time."
https://www.darkreading.com/cybersecurity-operations/developer-velocity-security-out-the-way-time
- What’s Behind Unchecked CVE Proliferation, And What To Do About It
"The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations’ cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified. Meanwhile, Coalition’s 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits. What’s behind the dramatic rise in CVEs? And what can security teams do to minimize the risk? Let’s find out."
https://securityintelligence.com/articles/whats-behind-unchecked-cve-proliferation-what-to-do/
Reference
Electronic Transactions Development Agency (ETDA)