Cyber Threat Intelligence 15 November 2024
Healthcare Sector
- Cyber Incident Response: Playbook For Medical Product Makers
"A new playbook from the Health Sector Coordinating Council aims to help manufacturers of medical products such as pharmaceuticals, devices and durable equipment plot out and improve their response to ransomware attacks and other cyber incidents. The Medical Product Manufacturer Cyber Incident Response Playbook, or MPM-CIRP, was developed by an operational technology cyber task force within the HSCC's joint cybersecurity working group, whose members include stakeholders from government, including the Food and Drug Administration, and the private sector, including manufacturers, technology firms and others."
https://www.bankinfosecurity.com/cyber-incident-response-playbook-for-medical-product-makers-a-26814
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/hscc-medical-product-manufacturing-cyber-incident-response-playbook-002.pdf
Industrial Sector
- CISA Releases Nineteen Industrial Control Systems Advisories
"CISA released nineteen Industrial Control Systems (ICS) advisories on November 14, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-industrial-control-systems-advisories
Telecom Sector
- Joint Statement From FBI And CISA On The People's Republic Of China (PRC) Targeting Of Commercial Telecommunications Infrastructure
"The U.S. government's continued investigation into the People's Republic of China (PRC) targeting of commercial telecommunications infrastructure has revealed a broad and significant cyber espionage campaign. Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues."
https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications
https://therecord.media/us-agencies-confirm-china-telecom-hack-wiretaps
https://www.theregister.com/2024/11/14/salt_typhoon_hacked_multiple_telecom/
https://www.infosecurity-magazine.com/news/telecom-hack-exposes-us-officials/
https://www.securityweek.com/cisa-fbi-confirm-china-hacked-telecoms-providers-for-spying/
https://www.bankinfosecurity.com/fbi-updates-on-vast-chinese-hack-on-telecom-networks-a-26810
https://hackread.com/cisa-fbi-chinese-hackers-hacked-us-telecom-networks/
https://securityaffairs.com/170981/uncategorized/china-linked-threat-actors-spied-on-u-s-gov-officials.html
Vulnerabilities
- Varonis Warns Of Bug Discovered In PostgreSQL PL/Perl
"Researchers at Varonis discovered a vulnerability within Postgres language extension PL/Perl, allowing a user to set arbitrary environment variables in PostgreSQL session processes. The vulnerability was given a CVSS 8.8 score for severity and could lead to severe security issues, depending on the scenario where it's exploited. Tracked as CVE-2024-10979, the flaw allows a threat actor to modify a sensitive environment, ultimately allowing them to execute arbitrary code without accessing a user of the operating system."
https://www.darkreading.com/vulnerabilities-threats/varonis-warns-bug-discovered-postgresql-pl-perl
- 4,000,000 WordPress Sites Using Really Simple Security Free And Pro Versions Affected By Critical Authentication Bypass Vulnerability
"Introductory Note: This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. The vulnerability is scriptable, meaning that it can be turned into a large scale automated attack, targeting WordPress websites. The vendor worked with the WordPress plugins team to force-update all sites running this plugin before we published this post."
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
- Microsoft Power Pages Leak Millions Of Private Records
"Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages. Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government."
https://www.darkreading.com/cybersecurity-operations/microsoft-power-pages-millions-private-records
https://www.infosecurity-magazine.com/news/microsoft-power-pages/
https://www.securityweek.com/low-code-high-risk-millions-of-records-exposed-via-misconfigured-microsoft-power-pages/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-9463 Palo Alto Networks Expedition OS Command Injection Vulnerability
CVE-2024-9465 Palo Alto Networks Expedition SQL Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-warns-of-more-palo-alto-networks-bugs-exploited-in-attacks/
- Prompt Injecting Your Way To Shell: OpenAI's Containerized ChatGPT Environment
"Exploring the Limits: This blog takes readers on a journey through OpenAI’s containerized ChatGPT environment, uncovering the surprising capabilities that allow users to interact with the model’s underlying structure in unexpected ways. Sandbox Environment Insights: It dives into the Debian-based sandbox environment where ChatGPT’s code runs, highlighting its controlled file system and command execution capabilities. Readers will see how simple prompt injections can expose internal directory structures and enable file management."
https://0din.ai/blog/prompt-injecting-your-way-to-shell-openai-s-containerized-chatgpt-environment
https://www.bleepingcomputer.com/news/artificial-intelligence/chatgpt-allows-access-to-underlying-sandbox-os-playbook-data/
Malware
- APT Group Trends In October 2024
"The following are the main APT groups and their cases based on the analysis reports released by security companies and organizations in October 2024."
https://asec.ahnlab.com/en/84418/
- New PXA Stealer Targets Government And Education Sectors For Sensitive Information
"The attacker is targeting the education sector in India and government organizations in European countries, including Sweden and Denmark, based on Talos telemetry data. The attacker’s motive is to steal the victim’s information, including credentials for various online accounts, browser login data, cookies, autofill information, credit card details, data from various cryptocurrency online and desktop wallets, data from installed VPN clients, gaming software accounts, chat messengers, password managers, and FTP clients."
https://blog.talosintelligence.com/new-pxa-stealer/
- Advertisers Are Pushing Ad And Pop-Up Blockers Using Old Tricks
"Despite the countermeasures some services are taking against well-known ad blockers, lots of people now use one. This is no doubt due to increased privacy concerns around online tracking, along with the growing number of ads per site. And where there is money to be made, you’ll find social engineering and affiliates. In a campaign predominantly used on media websites, we found a misleading ad that promised visitors some content they might be interested in."
https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks
- Inside Intelligence Center: Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers
"In early October 2024, EclecticIQ analysts uncovered a phishing campaign that targets e-commerce shoppers in Europe and USA, looking for Black Friday discounts. Analysts assess with high confidence that it was very likely orchestrated by a Chinese financially motivated threat actor, analysts dubbed as SilkSpecter. The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) [1] and Sensitive Authentication Data (SAD) [2] and Personally Identifiable Information (PII)."
https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers
https://www.bleepingcomputer.com/news/security/fraud-network-uses-4-700-fake-shopping-sites-to-steal-credit-cards/
- Glove Stealer: Leveraging IElevator To Bypass App-Bound Encryption & Steal Sensitive Data
"We’ve been closely observing various social engineering tactics, such as ClickFix and FakeCaptcha, for quite some time now. Tactics like these deceive users into thinking they are helping themselves, but by following the instructions from the attackers, they are actually inadvertently infecting their own devices. The steps the users are led to take commonly involve copying a malicious script that’s typically copied on background without user noticing. The instructions then prompt the user to paste and execute it via a PowerShell terminal or a Run prompt on Windows, displayed by a Win+R key combination."
https://www.gendigital.com/blog/news/innovation/glove-stealer
https://www.bleepingcomputer.com/news/security/new-glove-infostealer-malware-bypasses-google-chromes-cookie-encryption/
- Spotlight On Iranian Cyber Group Emennet Pasargad’s Malware
"Check Point Research delved into the custom modular infostealer known as WezRat after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate issued a joint Cybersecurity Advisory about the campaign. The latest version of WezRat was recently distributed to multiple Israeli organizations in a wave of emails impersonating the Israeli National Cyber Directorate (INCD). In the advisory, the attack was attributed to the Iranian cyber group Emennet Pasargad, a group already notorious for its alarming cyber operations across the globe, including attacks on targets in the US, France, Sweden, and Israel."
https://blog.checkpoint.com/research/spotlight-on-iranian-cyber-group-emennet-pasargads-malware/
- DNS Predators Hijack Domains To Supply Their Attack Infrastructure
"Hijacking domains using a ‘Sitting Ducks attack’ remains an underreported topic in the cybersecurity community. Few threat researchers are familiar with this attack vector, and knowledge is scarce. However, the prevalence of these attacks and the risk to organizations are much broader than initially reported. Following our initial publication on Sitting Ducks, Infoblox Threat Intel delved deeper into this topic. The result is a new, eye-opening report estimating that over 1 million registered domains could be vulnerable. The report also explores the widespread use of the attack and how multiple actors leverage it to strengthen their malicious campaigns."
https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/
https://thehackernews.com/2024/11/experts-uncover-70000-hijacked-domains.html
https://www.infosecurity-magazine.com/news/sitting-ducks-dns-attacks-global/
- Malware Being Delivered By Mail, Warns Swiss Cyber Agency
"Switzerland’s Federal Office for Cybersecurity (OFCS) issued a warning on Wednesday about “fake letters” from the country’s meteorological agency being used to spread malware. The postal letters, dated to 12 November, claim to be offering people in the country a new weather app developed by the agency — MeteoSwiss — however they contain a QR code redirecting people to a malicious application developed by fraudsters."
https://therecord.media/malware-delivered-by-mail-swiss-cyber-agency
- Fake North Korean IT Worker Linked To BeaverTail Video Conference App Phishing Attack
"Unit 42 researchers identified a North Korean IT worker activity cluster that we track as CL-STA-0237. This cluster was involved in recent phishing attacks using malware-infected video conference apps. It likely operates from Laos, using Lao IP addresses and identities. CL-STA-0237 exploited a U.S.-based, small-and-medium-sized business (SMB) IT services company to apply for other jobs. In 2022, CL-STA-0237 secured a position at a major tech company."
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/
- BlueKeep Attack Detected By AhnLab EDR
"BlueKeep (CVE-2019-0708) is a vulnerability revealed in May 2019, occurring during the Remote Desktop Protocol (RDP) connection process between a client and server. When a client sends a malicious packet through a specific channel (MS_T120), a Use-After-Free vulnerability occurs, allowing remote code execution.[1] This vulnerability has been discussed on the ASEC Blog until recently [2], and APT groups are continuing to exploit it."
https://asec.ahnlab.com/en/84437/
Breaches/Hacks/Leaks
- Kids' Shoemaker Start-Rite Trips Over Security Again, Spilling Customer Card Info
"Children's shoemaker Start-Rite is dealing with a nasty "security incident" involving customer payment card details, its second significant lapse during the past eight years. That's according to a recent notification sent to customers, seen by The Register, which didn't clarify exactly what the nature of that trouble was, although we know it involved the website's payment page. The intrusion occurred between October 14 and November 7, the notification reads, and the information understood to be potentially compromised includes customer names as displayed on their payment cards, the address to which the card is registered, the card number, its expiry date, and card verification value (CVV)."
https://www.theregister.com/2024/11/14/smartrite_breach/
- Hungary Confirms Hack Of Defense Procurement Agency
"Hungarian officials confirmed to local media that the country’s defense procurement agency (VBÜ) was attacked by an “international group of hackers.” Earlier on Thursday, the cybercrime group known as INC Ransomware or INC Ransom claimed access to the agency's data and posted sample screenshots on its dark web portal. Previous research indicates that the group emerged last year, primarily targeting healthcare, education, and government entities. The operators behind it remain unknown."
https://therecord.media/hungary-defense-procurement-agency-hacked
General News
- Change Of Recovery Disruption Techniques In Ransomware
"Ransomware attacks are still on the rise in 2024. Threat actors continue to launch ransomware attacks because victims infected with ransomware often pay a ransom to recover their data, allowing the attackers to gain profit significantly. Threat actors maintain their anonymity by demanding ransom payments through cryptocurrency, making it difficult for law enforcement agencies to track their activities. In terms of the ease of attack, ransomware can be relatively easily distributed and can infiltrate systems in various ways. Recent methods that bypass detection involved exploiting legitimate tools or drivers. Moreover, the spread of ransomware attacks has been exacerbated by the Ransomware-as-a-Service (RaaS) model, which allows threat actors with a lack of technical knowledge to easily use ransomware."
https://asec.ahnlab.com/en/84415/
- Google Cloud Cybersecurity Forecast 2025: AI, Geopolitics, And Cybercrime Take Centre Stage
"Google Cloud unveiled its Cybersecurity Forecast for 2025, offering a detailed analysis of the emerging threat landscape and key security trends that organizations worldwide should prepare for. The report delivers insights into the tactics of cyber adversaries, providing advice for increasing security posture in the coming year."
https://www.helpnetsecurity.com/2024/11/14/google-cybersecurity-forecast-2025/
- How Intel Is Making Open Source Accessible To All Developers
"In this Help Net Security interview, Arun Gupta, Vice President and General Manager for Open Ecosystem, Intel, discusses the company’s commitment to fostering an open ecosystem as a cornerstone of its software strategy. He explains how this approach empowers developers and shapes Intel’s broader technology and business objectives, enhancing platform innovation. Gupta emphasizes that by actively participating in open-source initiatives, Intel aims to lower complexity and improve security, ultimately enabling developers to create impactful solutions in the evolving landscape of artificial intelligence and beyond."
https://www.helpnetsecurity.com/2024/11/14/arun-gupta-intel-open-ecosystem-strategy/
- How Cybersecurity Failures Are Draining Business Budgets
"Security leaders feel under increasing pressure to provide assurances around cybersecurity, exposing them to greater personal risk – yet many lack the data and resources to accurately report and close cybersecurity gaps, according to Panaseer. The report analyses the findings of a survey of 400 security decision makers (SDMs) across the US and UK."
https://www.helpnetsecurity.com/2024/11/14/cybersecurity-failures-business-budgets/
- API Security In Peril As 83% Of Firms Suffer Incidents
"Security experts have warned of the soaring cost and volume of API security incidents after revealing that 83% of UK organizations were impacted over the past 12 months. Akamai polled 404 UK CIOs, CISOs and other security professionals between June and July 2024, to help compile its API Security Impact Study 2024. It recorded a 14-percentage point annual increase in UK respondents claiming to have experienced at least one API security incident over the previous 12 months. For US respondents, the figure actually dropped two percentage points."
https://www.infosecurity-magazine.com/news/api-security-83-firms-suffer/
https://www.akamai.com/site/en/documents/analyst-report/2024/akamai-api-security-study-2024-pdf-preview.pdf
- Crimeware And Financial Cyberthreats In 2025
"Kaspersky’s Global Research and Analysis Team constantly monitors known and emerging cyberthreats directed at the financial industry, with banks and fintech companies being the most targeted. We also closely follow threats that aim to infiltrate a wider range of industries, namely ransomware families that are financially motivated."
https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/
- Hackers Lurking In Critical Infrastructure To Wage Attacks
"The Australian government is alerting critical infrastructure providers that state-sponsored cyber actors are positioning malware in their networks that can be weaponized to disrupt national security during major crises or a military conflict."
https://www.bankinfosecurity.com/hackers-lurking-in-critical-infrastructure-to-wage-attacks-a-26815
https://www.cisc.gov.au/resources-subsite/Documents/critical-infrastructure-annual-risk-review-2024.pdf
- The Vendor's Role In Combating Alert Fatigue
"For most of my cybersecurity career, I worked on the vendor side, in presales capacity, helping businesses identify and address security pain points. Now, as an information security engineer, I am on the other side, engaging with security vendors. A typical sales engagement includes pre-sales, proof of concept (PoC), onboarding, and support. While PoCs are useful, the real complexity of a product is understood only when the customer is fully onboarding."
https://www.darkreading.com/vulnerabilities-threats/vendors-role-combating-alert-fatigue
- The State Of Cloud Ransomware In 2024
"Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm. Cloud services inherently provide an advantage over endpoint and web server-based services due to the minimal nature of a cloud service’s attack surface. With the exception of Compute services, which run a virtual operating system in the cloud, cloud services do not provide an entire operating system, which means that the ransomware binaries prevalent on Windows and Linux are unable to attack them effectively."
https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/
https://www.darkreading.com/cloud-security/cloud-ransomware-scripts-web-applications
- Google Warns Of Rising Cloaking Scams, AI-Driven Fraud, And Crypto Schemes
"Google has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites. "Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said."
https://thehackernews.com/2024/11/google-warns-of-rising-cloaking-scams.html
- 1,400 Pegasus Spyware Infections Detailed In WhatsApp’s Lawsuit Filings
"Unredacted court documents published Thursday show that spyware maker NSO Group admitted to developing exploits to allow its Pegasus product to infect the phones of some 1,400 WhatsApp users in 2019 — an operation that allegedly violated federal and state laws, according to the messaging company. The filings, part of a lawsuit WhatsApp filed against the NSO Group in 2019, shine a light on how Israel-based NSO Group — a notoriously secretive company — operates the powerful Pegasus spyware on behalf of government customers. A California federal judge ordered the documents to be released last week."
https://therecord.media/pegasus-spyware-infections-detailed-whatsapp-lawsuit
References
Electronic Transactions Development Agency (ETDA) - Cyber Incident Response: Playbook For Medical Product Makers