Cyber Threat Intelligence 05 November 2024
Industrial Sector
- Siemens And Rockwell Tackle Industrial Cybersecurity, But Face Customer Hesitation
"SecurityWeek has talked to representatives of industrial giants Siemens and Rockwell Automation to find out how they help customers address some of the most pressing cybersecurity challenges. Cyberattacks can cause significant disruptions and losses for organizations that rely on industrial control systems (ICS) or other operational technology (OT), whether they directly target ICS, such as in the case of the recent water sector attacks, or they indirectly impact ICS, such as in the case of ransomware attacks, where impact may spill over from the IT environment."
https://www.securityweek.com/siemens-and-rockwell-tackle-industrial-cybersecurity-but-face-customer-hesitation/
- Exploring ABB Vulnerabilities And Their Impact On Industrial Control Systems
"In this week's Initial Access Research, I dove into two key vulnerabilities in ABB's building automation and energy management software, ABB Cylon Aspect. This software is used in major installations like the American Museum of Natural History and UC Irvine, making these vulnerabilities noteworthy for security teams in the industrial control systems (ICS) sector."
https://vulncheck.com/blog/exploring-abb-ics-vulns
https://www.bankinfosecurity.com/abb-smart-building-software-flaws-invite-in-hackers-a-26722
New Tooling
- Whispr: Open-Source Multi-Vault Secret Injection Tool
"Whispr is an open-source CLI tool designed to securely inject secrets from secret vaults, such as AWS Secrets Manager and Azure Key Vault, directly into your application’s environment. This enhances secure local software development by seamlessly managing sensitive information."
https://www.helpnetsecurity.com/2024/11/04/whispr-open-source-multi-vault-secret-injection-tool/
https://github.com/narenaryan/whispr
Vulnerabilities
- Why The Long Name? Okta Discloses Auth Bypass Bug Affecting 52-Character Usernames
"In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username. But why is that bad news for those with long usernames? Well, it's because the bug could be exploited only when a series of conditions were met, one of which being a username that was 52 characters or longer. That condition is arguably the most unusual out of them all, although not entirely out of the realm of possibility if a user's work email address is used as a username, for example."
https://www.theregister.com/2024/11/04/why_the_long_name_okta/
https://www.darkreading.com/vulnerabilities-threats/okta-fixes-auth-bypass-bug-three-month-lull
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Android Warns Of Qualcomm Exploit In Latest Security Bulletin
"Android’s monthly security bulletin published Monday warns of two vulnerabilities with “limited, targeted exploitation” in the wild. One vulnerability impacts Qualcomm chipsets via a use-after-free vulnerability in its FastRPC driver. Designated as CVE-2024-43047, the bug was reported to be under active exploitation in early October and is rated “high” severity with a CVSS score of 7.8."
https://cyberscoop.com/2024-android-security-bulletin-november-qualcomm-fastrpc-driver/
Malware
- Supply Chain Attack Uses Smart Contracts For C2 Ops
"Security researchers claim to have discovered the first-ever open source supply chain attack combining blockchain technology with traditional attack vectors. Checkmarx said it found the malicious “jest-fet-mock” package on npm. It spoofs two legitimate and widely used JavaScript testing utilities: “fetch-mock-jest” and “Jest-Fetch-Mock.” “The attacker used a classic typosquatting technique by misspelling ‘fetch’ as ‘fet’ while maintaining the key terms ‘jest’ and ‘mock,’” it wrote. “Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments.”"
https://www.infosecurity-magazine.com/news/supply-chain-attack-smart/
- Attackers Abuse DocuSign API To Send Authentic-Looking Invoices At Scale
"In a concerning trend, cybercriminals are leveraging DocuSign's APIs to send fake invoices that appear strikingly authentic. Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard. Typical phishing attacks often involve spoofed emails that mimic trusted brands, luring victims into clicking malicious links or providing sensitive information, such as the login and password to your bank account. Email and anti-spam filters are constantly getting better at flagging these tactics for users."
https://lab.wallarm.com/attackers-abuse-docusign-api-to-send-authentic-looking-invoices-at-scale/
https://www.bleepingcomputer.com/news/security/docusigns-envelopes-api-abused-to-send-realistic-fake-invoices/
https://hackread.com/scammers-docusign-api-spam-filters-phishing-invoices/
https://www.infosecurity-magazine.com/news/cybercriminals-exploit-docusign/
- Custom "Pygmy Goat" Malware Used In Sophos Firewall Hack On Govt Network
"UK's National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named "Pigmy Goat" created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. Last week, Sophos published a series of reports dubbed "Pacific Rim" that detailed five-year attacks by Chinese threat actors on edge networking devices. One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions."
https://www.bleepingcomputer.com/news/security/custom-pygmy-goat-malware-used-in-sophos-firewall-hack-on-govt-network/
http://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf
https://www.securityweek.com/fbi-seeking-information-on-chinese-hackers-targeting-sophos-firewalls/
- CRON#TRAP: Emulated Linux Environments As The Latest Tactic In Malware Staging
"In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails. The Securonix Threat Research team has been tracking an intriguing attack campaign that leverages a malicious shortcut (.lnk) file. When executed, this file extracts and initiates a lightweight, custom Linux environment emulated through QEMU. What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled Command and Control (C2) server."
https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
https://www.bleepingcomputer.com/news/security/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks/
- The Evolution Of Transparent Tribe’s New Malware
"Transparent Tribe, otherwise known as APT36, is a Pakistan-affiliated threat actor that notoriously targets Indian-associated entities. The threat group’s main objective is cyber espionage, which has previously targeted governmental organizations, diplomatic personnel, and military facilities. Most recently, Transparent Tribe targeted Indian entities with a new malware called ElizaRAT in several successful campaigns. Since it was first detected, Check Point Research has tracked the malware, identifying increased sophistication throughout its tenure. Specifically, ElizaRAT enhanced its evasive methods and command and control capabilities."
https://blog.checkpoint.com/research/the-evolution-of-transparent-tribes-new-malware/
https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/
https://www.darkreading.com/cyberattacks-data-breaches/apt36-refines-tools-attacks-indian-targets
- Crooks Bank On Microsoft’s Search Engine To Phish Customers
"We identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. We have reported the fraudulent sites to Microsoft already. While Microsoft’s Bing only has about 4% of the search engine market share, crooks are drawn to it as an alternative to Google. One particularly interesting detail is how a phishing website created barely two weeks ago is already indexed and displayed before the official one. In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication."
https://www.malwarebytes.com/blog/scams/2024/11/crooks-bank-on-microsofts-search-engine-to-phish-customers
- GoZone Ransomware Adopts Coercive Tactics To Extract Payment
"This week, the SonicWall Capture Labs threat research team analyzed a ransomware that not only encrypts files but also accuses the victim of harboring explicit content on their computer and then threatens to turn it over to authorities if ransom is not paid. Extortion attacks often come as unsolicited emails, and GoZone has stooped to pretending to find explicit content on victims’ machines to extract payment."
https://blog.sonicwall.com/en-us/2024/11/gozone-ransomware-adopts-coercive-tactics-to-extract-payment/
- Stealc Malware Checks Everything — Even The Screen Resolution
"This week, the SonicWall Capture Labs threat research team reviewed a sample of Stealc malware. This is an infostealer that digs through a victim’s system to extract credentials from browsers, cryptocurrency wallets and fileshare servers. Processes are monitored, as well as keystrokes, active windows and mouse clicks. It will also disable security applications and change network settings to allow for proxy connections. Every part of the system hardware and Windows settings are enumerated, down to the resolution of the monitor."
https://blog.sonicwall.com/en-us/2024/11/stealc-malware-checks-everything-even-the-screen-resolution/
- More Models, More ProbLLMs
"Oligo’s research team recently uncovered 6 vulnerabilities in Ollama, one of the leading open-source frameworks for running AI models. Four of the flaws received CVEs and were patched in a recent version, while two were disputed by the application’s maintainers, making them shadow vulnerabilities. Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including Denial of Service (DoS) attacks, model poisoning, model theft, and more. With Ollama’s enterprise use skyrocketing, it is pivotal that development and security teams fully understand the associated risks and urgency to ensure that vulnerable versions of the application aren’t being used in their environments."
https://www.oligo.security/blog/more-models-more-probllms
https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html
Breaches/Hacks/Leaks
- City Of Columbus: Data Of 500,000 Stolen In July Ransomware Attack
"The City of Columbus, Ohio, notified 500,000 individuals that a ransomware gang stole their personal and financial information in a July 2024 cyberattack. Ohio's capital city (with a population of over 905,000) was hit by the ransomware attack on July 18. The resulting outages affected various services and IT connectivity between public agencies. City officials announced at the end of July that no systems had been encrypted and revealed that the City's administration was still investigating the possibility that sensitive data had been stolen during the breach."
https://www.bleepingcomputer.com/news/security/city-of-columbus-data-of-500-000-stolen-in-july-ransomware-attack/
https://therecord.media/columbus-ohio-city-government-ransomware-data-breach
https://www.securityweek.com/city-of-columbus-ransomware-attack-impacts-500000-people/
https://www.infosecurity-magazine.com/news/columbus-ransomware-attack-exposes/
https://www.malwarebytes.com/blog/news/2024/11/city-of-columbus-breach-affects-around-half-a-million-citizens
https://www.theregister.com/2024/11/04/columbus_rhysida_ransomware/
https://securityaffairs.com/170568/data-breach/city-of-columbus-ransomware-attack-impacted-500000-people.html
- Schneider Electric Confirms Dev Platform Breach After Hacker Steals Data
"Schneider Electric has confirmed a developer platform was breached after a threat actor claimed to steal 40GB of data from the company's JIRA server. "Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment," Schneider Electric told BleepingComputer. "Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric's products and services remain unaffected.""
https://www.bleepingcomputer.com/news/security/schneider-electric-confirms-dev-platform-breach-after-hacker-steals-data/
- Western Sydney University Suffers Third Major Breach In 2024
"Australia's Western Sydney University said hackers breached its student management system and data warehouse to steal students' demographic and enrollment information in the third data theft incident of 2024. The Sydney-based university, which has close to 50,000 students enrolled in its undergraduate and postgraduate programs, said a threat actor on Aug. 14 compromised an IT account and used it to gain access to the Student Management System and other back-end data storage systems, including the data warehouse."
https://www.bankinfosecurity.com/western-sydney-university-suffers-third-major-breach-in-2024-a-26718
- Hackers Leak 300,000 MIT Technology Review Magazine User Records
"Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records on Breach Forums. Data includes full names, email addresses, and activity details, posing risks for phishing and targeted scams. In a new data breach disclosed today, the hacker known as Intel Broker claims to have stolen the personal data of 290,762 individuals from MIT’s Technology Review website via a third-party contractor. The data, which could be the website’s newsletter subscribers list, was posted on Breach Forums, a popular cybercrime platform, earlier today."
https://hackread.com/hackers-leak-mit-technology-review-user-records/
- Hackers Claim Access To Nokia Internal Data, Selling For $20,000
"Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal credentials. The data is being sold for $20,000 on BreachForums, though no customer data was affected. Nokia has not yet commented on the claim. A notorious hacker known as Intel Broker has announced a data breach involving the telecommunications giant Nokia. Posting on the infamous cybercrime forum BreachForums, Intel Broker claims to have gained unauthorized access to sensitive Nokia information through a third-party contractor linked to Nokia’s internal tool development."
https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/
https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-after-hacker-claims-to-steal-source-code/
- 210,000 Impacted By Saint Xavier University Data Breach
"Saint Xavier University last week started notifying over 210,000 individuals that their personal information was compromised in a data breach in July 2023. The incident was discovered on July 21, 2023, but the investigation into the matter revealed that the unauthorized access to the university’s systems occurred weeks before. Between June 29 and July 18, SXU says, the attackers downloaded certain files from its systems, including files containing personal information."
https://www.securityweek.com/210000-impacted-by-year-old-saint-xavier-university-data-breach/
- Cyberattack Disrupts Classes At Irish Technology University
"The South East Technological University (SETU) in Ireland has announced experiencing a cybersecurity incident targeting its IT systems. In a statement on SETU’s website, students were advised that classes at its Waterford campuses would be postponed so academics could plan around the disruption. The nature of the attack has not been announced. “Currently, there is no evidence to suggest that any data or information has been compromised. However, we continue to monitor the situation closely as investigations are ongoing,” said the university."
https://therecord.media/cyberattack-disrupts-classes-at-irish-tech-university
General News
- Cisco Says DevHub Site Leak Won’t Enable Future Breaches
"Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal don't contain information that could be exploited in future breaches of the company's systems. While analyzing the exposed documents, the company found that their contents include data that Cisco publishes for customers and other DevHub users. However, files that shouldn't have been made public were also available, some belonging to CX Professional Services customers. "So far, in our research, we've determined that a limited set of CX Professional Services customers had files included and we notified them directly," Cisco said."
https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-wont-enable-future-breaches/
https://sec.cloudapps.cisco.com/security/center/resources/october_15_2024
https://therecord.media/cisco-notifies-limited-set-of-customers-hacker-accessed-non-public-info
- Hiring Guide: Key Skills For Cybersecurity Researchers
"In this Help Net Security interview, Rachel Barouch, an Organizational Coach for VCs and startups and a former VP HR in both a VC and a Cybersecurity startup, discusses the dynamics of cybersecurity researchers and team-building strategies. She highlights that these researchers, often brilliant and introverted, come with distinctive working styles, making it challenging to foster collaboration. However, with the right approach to assessing, managing, retaining and developing them, organizations can unlock their potential and drive high-performance teams, ultimately boosting the startup’s market value, especially in the context of mergers and acquisitions (M&As)."
https://www.helpnetsecurity.com/2024/11/04/rachel-barouch-haik-hiring-cybersecurity-researchers/
- Strong Privacy Laws Boost Confidence In Sharing Information With AI
"53% of consumers report being aware of their national privacy laws, a 17-percentage point increase compared to 2019, according to Cisco. Informed consumers are also much more likely to feel their data is protected (81%) compared to those who are unaware (44%). “Our survey highlights the importance of privacy awareness in building consumer trust in brands and AI technologies,” says Harvey Jang, Cisco VP and Chief Privacy Officer. “Nearly 60% of consumers aware of privacy laws are comfortable using AI. Broadening awareness and educating consumers about their privacy rights will empower them to make informed decisions and foster greater trust in emerging technologies.”"
https://www.helpnetsecurity.com/2024/11/04/consumers-privacy-laws-awareness/
- Cyber Threats That Could Impact The Retail Industry This Holiday Season (and What To Do About It)
"As the holiday season approaches, retail businesses are gearing up for their annual surge in online (and in-store) traffic. Unfortunately, this increase in activity also attracts cybercriminals looking to exploit vulnerabilities for their gain. Imperva, a Thales company, recently published its annual holiday shopping cybersecurity guide. Data from the Imperva Threat Research team's six-month analysis (April 2024 – September 2024) revealed that AI-driven threats need to be top of mind for retailers this year. As generative AI tools and large language models (LLMs) become more widespread and advanced, cybercriminals are increasingly leveraging these technologies to scale and refine their attacks on eCommerce platforms."
https://thehackernews.com/2024/11/cyber-threats-that-could-impact-retail.html
- From Naptime To Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code
"In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. Today, we're excited to share the first real-world vulnerability discovered by the Big Sleep agent: an exploitable stack buffer underflow in SQLite, a widely used open source database engine. We discovered the vulnerability and reported it to the developers in early October, who fixed it on the same day. Fortunately, we found this issue before it appeared in an official release, so SQLite users were not impacted."
https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html
https://thehackernews.com/2024/11/googles-ai-tool-big-sleep-finds-zero.html
https://therecord.media/google-llm-sqlite-vulnerability-artificial-intelligence
https://www.darkreading.com/application-security/google-big-sleep-ai-agent-sqlite-software-bug
https://www.infosecurity-magazine.com/news/google-first-vulnerability-found/
https://www.securityweek.com/google-says-its-ai-found-sqlite-vulnerability-that-fuzzing-missed/
- Public Sector Cyber Break-Ins: Our Money, Our Lives, Our Right To Know
"At the start of September, Transport for London was hit by a major cyber attack. TfL is the public body that moves many of London's human bodies to and from work and play in the capital, and as the attack didn't hit power, signaling, or communications systems, most of the effects went unnoticed by commuters. The organization downplayed the damage done to back office ticketing, billing, and other systems. Everything was in hand. Not for long. TfL quickly rowed back on claims that no customer data had been exposed as evidence appeared to the contrary. Customers complained that various ticketing discount schemes and group privileges for students and retirees weren't accessible, and TfL made vague promises to perhaps compensate for this some time in the future if receipts were kept. The official line was, however, that things were basically fine."
https://www.theregister.com/2024/11/04/public_sector_breakins_opinion/
- OWASP Beefs Up GenAI Security Guidance Amid Growing Deepfakes
"Deepfakes and other generative artificial intelligence (GenAI) attacks are becoming less rare, and signs are pointing to a coming onslaught of such attacks: Already, AI-generated text is becoming more common in emails, and security firms are finding ways to detect emails likely not created by humans. Human-written emails have declined to about 88% of all emails, while text attributed to large language models (LLMs) now accounts for about 12% of all email, up from around 7% in late 2022, according to one analysis."
https://www.darkreading.com/vulnerabilities-threats/owasp-genai-security-guidance-growing-deepfakes
- Can Automatic Updates For Critical Infrastructure Be Trusted?
"In July, the industry witnessed one of the largest technology outages in recent history, with estimates of $5.4 billion in damages. When CrowdStrike distributed a Rapid Response Content Channel Update with an exception-handling logic flaw, it opened the door for constructive conversations about automatic updates — when to use them, when not to use them, whether they make us more or less secure. It's time to reflect and ask: What is the cost of our relentless pursuit of innovation, software currency, and speed to market? How can we reprioritize to reestablish the balance in the C-I-A triad?"
https://www.darkreading.com/vulnerabilities-threats/can-automatic-updates-critical-infrastructure-be-trusted
- 4 Main API Security Risks Organizations Need To Address
"Security vulnerabilities in the application programming interfaces (APIs) powering modern digital services and applications have emerged as a major threat to enterprise systems and data. A recent report from Wallarm shows a 21% increase in API-related flaws between this year's second and third quarters. Nearly one-third (32%) were associated with cloud infrastructure and cloud-native applications and services. In addition to the increased volume, a high proportion of the vulnerabilities that Wallarm reviewed had severity scores of 7.5 or higher, indicating growing risk for organizations from API use."
https://www.darkreading.com/application-security/main-api-security-risks-manage
https://www.wallarm.com/resources/q324-api-threatstats-report
- Antivirus, Anti-Malware Lead Demand For AI/ML Tools
"Artificial intelligence and machine learning tools are gaining traction in enterprises, and the rate of adoption is particularly notable in cybersecurity operations, where these technologies are being used to improve enterprise security posture, according to Dark Reading’s latest research on enterprise cybersecurity. Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity survey found that enterprises are using AI and ML in a range of cybersecurity technologies, such as firewalls, endpoint detection and response platforms, security information and event management systems, and network traffic analyzers."
https://www.darkreading.com/cybersecurity-operations/antivirus-antimalware-demand-ai-ml-tools
https://dr-resources.darkreading.com/free/w_defa7199/?p=w_defa7199
References
Electronic Transactions Development Agency (ETDA)