Cyber Threat Intelligence 27 November 2024
Industrial Sector
- Schneider Electric PowerLogic PM55xx And PowerLogic PM8ECC
"Successful exploitation of these vulnerabilities could result in an attacker gaining escalated privileges and obtaining control of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-01
- Hitachi Energy MicroSCADA Pro/X SYS600
"Successful exploitation of these vulnerabilities could allow an attacker to inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04
- Schneider Electric PowerLogic P5
"If an attacker has physical access to the device, it is possible to reboot the device, cause a denial of service condition, or gain full control of the relay by abusing a specially crafted reset token."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-02
- Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, And Modicon M340, M580 And M580 Safety PLCs
"Successful exploitation of these vulnerabilities could allow a denial of service, a loss of confidentiality, and threaten the integrity of controllers."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-03
- Hitachi Energy RTU500 Scripting Interface
"Successful exploitation of this vulnerability could allow attackers to spoof the identity of the service."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05
Vulnerabilities
- 200,000 WordPress Sites Affected By Unauthenticated Critical Vulnerabilities In Anti-Spam By CleanTalk WordPress Plugin
"On October 30th, 2024, we received a submission for an Authorization Bypass via Reverse DNS Spoofing vulnerability in Anti-Spam by CleanTalk, a WordPress plugin with more than 200,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to install and activate arbitrary plugins on a vulnerable site, which can be leveraged to achieve remote code execution. A few days later on November 4th, our Threat Intelligence Team discovered another vulnerability in the same functionality that could be leveraged to perform the same actions."
https://www.wordfence.com/blog/2024/11/200000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-anti-spam-by-cleantalk-wordpress-plugin/
https://thehackernews.com/2024/11/critical-wordpress-anti-spam-plugin.html
https://www.securityweek.com/critical-vulnerabilities-found-in-anti-spam-plugin-used-by-200000-wordpress-sites/
- QNAP And Veritas Dump 30-Plus Vulns Over The Weekend
"Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend. The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code execution, file read/write, authentication bypass, information disclosure, and elevation of privileges. QNAP's Notes Station 3 (versions 3.9.x), a collaborative note-taking and sharing app, was arguably affected the worst, with both critical bugs localized to the product, as well as two other high-severity issues."
https://www.theregister.com/2024/11/26/qnap_veritas_vulnerabilities/
https://www.bleepingcomputer.com/news/security/qnap-addresses-critical-flaws-across-nas-router-software/
https://www.bankinfosecurity.com/qnap-systems-fixes-bugs-in-qurouter-notes-station-3-a-26908
- IBM Patches RCE Vulnerabilities In Data Virtualization Manager, Security SOAR
"IBM on Monday announced patches for multiple vulnerabilities across its products, including two high-severity remote code execution (RCE) issues in Data Virtualization Manager and Security SOAR. Tracked as CVE-2024-52899 (CVSS score of 8.5), the flaw in Data Virtualization Manager for z/OS could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server."
https://www.securityweek.com/ibm-patches-rce-vulnerabilities-in-data-virtualization-manager-security-soar/
- VMware Patches High-Severity Vulnerabilities In Aria Operations
"Virtualization software vendor VMware on Tuesday released a high-severity bulletin with patches for at least five security defects in its Aria Operations product. The company documented five distinct vulnerabilities in the cloud IT operations platform and warned that malicious hackers can craft exploits to elevate privileges or launch cross-site scripting attacks."
https://www.securityweek.com/vmware-patches-high-severity-vulnerabilities-in-aria-operations/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25199
Malware
- RomCom Exploits Firefox And Windows Zero Days In The Wild
"ESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023."
https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html
https://www.darkreading.com/application-security/romcom-apt-zero-day-zero-click-browser-escapes-firefox-tor
https://www.bankinfosecurity.com/russian-hackers-target-mozilla-windows-in-new-exploit-chain-a-26916
https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/
- Analysis Of Elpaco: A Mimic Variant
"In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon). The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands."
https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/
- Guess Who’s Back - The Return Of ANEL In The Recent Earth Kasha Spear-Phishing Campaign In 2024
"This blog is a part of a blog series about Earth Kasha. Kindly refer to our blog about the previous campaigns, where we discussed the tactics and targets of Earth Kasha in detail, read here for a deeper understanding."
https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html
- Matrix Unleashes A New Widespread DDoS Campaign
"Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals. This campaign highlights how accessible tools and minimal technical knowledge can enable large-scale cyberattacks. Matrix demonstrates a growing trend among threat actors to target vulnerabilities and misconfigurations across internet-connected devices, particularly IoT and enterprise systems."
https://www.aquasec.com/blog/matrix-unleashes-a-new-widespread-ddos-campaign/
https://cyberscoop.com/russian-hacker-script-matrix-ddos-aqua/
https://www.infosecurity-magazine.com/news/ddos-campaign-exploits-iot-devices/
https://hackread.com/matrix-hackers-new-iot-botnet-ddos-attacks/
- The Source Code Of Banshee Stealer Leaked Online
"Banshee Stealer, a MacOS Malware-as-a-Service, shut down after its source code leaked online. The code is now available on GitHub. In August 2024, Russian hackers promoted BANSHEE Stealer, a macOS malware targeting x86_64 and ARM64, capable of stealing browser data, crypto wallets, and more. BANSHEE Stealer supports basic evasion techniques, relies on the sysctl API to detect debugging and checks for virtualization by running a command to see if “Virtual” appears in the hardware model identifier."
https://securityaffairs.com/171423/malware/the-source-code-of-banshee-stealer-leaked-online.html
- Police Uncover Group Using Devices To Steal Personal Info From Phone Users
"Police arrested four men who drove around in sports utility vehicles packed with telecommunication tools used to gather confidential information on banking transactions. The suspects were believed to be working in cahoots with a syndicate. They used fake base transceiver station (BTS) devices to send fraudulent messages to mobile phone users within a 1km radius to gather crucial information, including one-time passwords used in bank transactions."
https://www.nst.com.my/news/crime-courts/2024/11/1139905/updated-police-uncover-group-using-devices-steal-personal-info
- Introducing NachoVPN: One VPN Server To Pwn Them All
"What would happen if you connected to the wrong VPN endpoint? Well, that depends on which VPN client you’re using and who was controlling the server. During our recent talk at SANS HackFest Hollywood 2024 titled Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells, we shared details of how vulnerabilities in leading corporate VPN clients can be exploited by attackers. In this presentation, we presented the details of how we discovered vulnerabilities in the most popular and widely used corporate VPN clients, and how these vulnerabilities could be exploited by attackers to gain Remote Code Execution on both macOS and Windows Operating Systems."
https://blog.amberwolf.com/blog/2024/november/introducing-nachovpn---one-vpn-server-to-pwn-them-all/
https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rogue-vpn-servers-to-install-malicious-updates/
https://www.helpnetsecurity.com/2024/11/26/vulnerabilities-corporate-vpn-clients-cve-2024-5921-cve-2024-29014/
- Containers Full Of Secrets: Archive Files Bypassing SEGs
"Modern enterprise environments make use of multiple tools such as Secure Email Gateways (SEGs) and Endpoint Detection and Response (EDR) solutions to prevent malware from getting onto a user’s device. However, many of these protection measures have flaws that threat actors often take advantage of. One of the easiest ways for threat actors to bypass many of these protections is by putting malware inside certain types of archives."
https://cofense.com/blog/containers-full-of-secrets-archive-files-bypassing-segs
- 'CyberVolk' Hacktivists Use Ransomware In Support Of Russian Interests
"Researchers have observed a hacktivist group with roots possibly in India deploying ransomware against state and public entities in countries that oppose Russian interests. Known as CyberVolk, the group has been active since at least March 2024, exploiting current geopolitical issues to justify its attacks. Most recently, the group claimed responsibility for compromising the networks of critical infrastructure facilities and scientific institutions in Japan, France, and the U.K."
https://therecord.media/cybervolk-india-hacktivists-russia-ransomware
Breaches/Hacks/Leaks
- British Hospital Group Declares ‘Major Incident’ Following Cyberattack
"The NHS Trust responsible for a group of hospitals in northwest England has declared a “major incident” following a cyberattack, invoking the crisis management status for events that pose a serious risk to public health. A statement on the website for Wirral University Teaching Hospital NHS Foundation Trust says: “A major incident has been declared at the Trust for cyber security reasons.” The nature of the incident has not been disclosed. Outpatient appointments have been cancelled, and patients are being asked not to attend the hospital unless they have a “genuine emergency.”"
https://therecord.media/england-hospitals-cyberattack-nhs-wirral
https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/
https://www.bankinfosecurity.com/uk-nhs-hospital-reports-major-cyberincident-a-26915
https://www.infosecurity-magazine.com/news/nhs-trust-major-incident/
- RansomHub Gang Says It Broke Into Networks Of Texas City, Minneapolis Agency
"Ransomware attacks on two municipal governments have been claimed by a notorious cybercriminal operation responsible for dozens of high-profile incidents in 2024. On Monday, the RansomHub operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board. Both organizations have reported widespread technology issues in recent weeks that caused significant problems for local residents."
https://therecord.media/ransomhub-cybercrime-coppell-texas-minneapolis-parks-agency
General News
- How To Recognize Employment Fraud Before It Becomes a Security Issue
"The combination of remote work, the latest technologies, and never physically meeting your employees has made it very easy for job applicants to mask their true identities from their employer and commit employment fraud."
https://www.helpnetsecurity.com/2024/11/26/employment-fraud-red-flags/
- Over a Third Of Firms Struggling With Shadow AI
"Over a third of organizations have admitted that they face major challenges monitoring the use of unsanctioned AI tools in the enterprise, according to Strategy Insights. The London-headquartered consulting firm polled 3320 directors from companies across the US, UK, Germany, the Nordics and Benelux regions in order to better understand how they’re managing AI. It found that non-approved tools are particularly challenging to monitor when integrated with legacy systems."
https://www.infosecurity-magazine.com/news/over-third-firms-struggling-shadow/
- 2025's CISO: Managing Cyber Threats With Bigger Budgets But Higher Stakes
"Today's CISOs wear many hats. They are expected to be experts in technologies, negotiators, strategists, influencers, and a source of inspiration throughout the value chain. As cybersecurity threats evolve and grow, the role of the Chief Information Security Officer (CISO) is becoming even more critical."
https://www.tripwire.com/state-of-security/ciso-managing-cyber-threats-bigger-budgets-higher-stakes
- Over 1,000 Arrested In Massive ‘Serengeti’ Anti-Cybercrime Operation
"Law enforcement agencies in Africa arrested as part of 'Operation Serengeti' more than a thousand individuals suspected of being involved in major cybercriminal activities that caused close to $193 million in financial losses all over the world. The operation was coordinated by the Interpol and Afripol between September 2nd and October 31st and "targeted criminals behind ransomware, business email compromise (BEC), digital extortion and online scams.""
https://www.bleepingcomputer.com/news/security/over-1-000-arrested-in-massive-serengeti-anti-cybercrime-operation/
https://therecord.media/interpol-afripol-cybercrime-arrests
https://cyberscoop.com/african-cybercrime-crackdown-nets-more-than-1000-suspects/
https://www.helpnetsecurity.com/2024/11/26/operation-serengeti-cybercrime-operation-arrests/
https://www.securityweek.com/interpol-clamps-down-on-cybercrime-and-arrests-over-1000-suspects-in-africa/
- Advanced Cyberthreats Targeting Holiday Shoppers
"As the holiday season approaches, shoppers worldwide eagerly anticipate snagging deals during Black Friday, Cyber Monday, and other holiday sales. However, this heightened online activity also draws the attention of cybercriminals. A recent report from FortiGuard Labs, Understanding Threat Actor Readiness for the Upcoming Holiday Season, reveals the advanced tactics attackers have been developing to exploit this year’s shopping frenzy. This blog highlights the report’s key findings from the darknet and offers some practical advice to help shoppers and businesses stay secure this season."
https://www.fortinet.com/blog/threat-research/advanced-cyberthreats-targeting-holiday-shoppers
https://www.fortinet.com/content/dam/fortinet/assets/intelligence-reports/report-holiday-shopping-threats.pdf
https://www.infosecurity-magazine.com/news/darknet-services-fuel-holiday-scams/
References
Electronic Transactions Development Agency (ETDA)