Cyber Threat Intelligence 18 December 2024
Financial Sector
- All Major European Financial Firms Suffer Supplier Breaches
"Third and fourth-party ecosystems have emerged as a major source of security risk, after new research highlighted that all (100%) of Europe’s biggest financial services companies suffered a breach via their suppliers in the past year. SecurityScorecard assessed the region’s top companies by market capitalization. It gathered “significant amounts of non-intrusive data” on their security posture, in order to grade them (A-F) “based on 10 factors that are predictive of a security breach.”"
https://www.infosecurity-magazine.com/news/all-europes-top-financial-firms/
Healthcare Sector
- BD Diagnostic Solutions Products
"Successful exploitation of this vulnerability could allow an attacker to use default credentials to access, modify, or delete sensitive data, which could impact the availability of the system or cause a system shutdown."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01
Industrial Sector
- ThreatQuotient ThreatQ Platform
"Successful exploitation of this vulnerability could allow an attacker to perform remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
- Rockwell Automation PowerMonitor 1000 Remote
"Successful exploitation of these vulnerabilities could allow an attacker to perform edit operations, create admin users, perform factory reset, execute arbitrary code, or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
- Schneider Electric Modicon
"Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in the controller."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-04
- Hitachi Energy TropOS Devices Series 1400/2400/6400
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-55956 Cleo Multiple Products Unauthenticated File Upload Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/17/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Download a Banker To Track Your Parcel
"In late October 2024, a new scheme for distributing a certain Android banking Trojan called “Mamont” was uncovered. The victim would receive an instant message from an unknown sender asking to identify a person in a photo. The attackers would then send what appeared to be the photo itself but was actually a malware installer. Shortly after, reports surfaced of Mamont being disseminated through neighborhood chat groups. Cybercriminals were touting an app to track a parcel containing household appliances they said they were offering for free. In reality, this was malware with no parcel-tracking functionality whatsoever."
https://securelist.com/mamont-banker-disguised-as-parcel-tracking-app/115006/
- Earth Koshchei Coopts Red Team Tools In Complex RDP Attacks
"Red teaming provides essential tools and testing methodologies for organizations to strengthen their security defenses. Cybercriminals and advanced persistent threat (APT) actors pay close attention to new methods and tools red teams develop, and they may repurpose them with a malicious intent."
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
- Hidden In Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs
"On November 18, 2024, TA397 (also known by third-party researchers as Bitter) targeted a defense sector organization in Turkey with a spearphishing lure. The email included a compressed archive (RAR) file attachment containing a decoy PDF (~tmp.pdf) file detailing a World Bank public initiative in Madagascar for infrastructure development, a shortcut (LNK) file masquerading as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file that contained PowerShell code."
https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
https://thehackernews.com/2024/12/bitter-apt-targets-turkish-defense.html
https://www.bleepingcomputer.com/news/security/bitter-cyberspies-target-defense-orgs-with-new-miyarat-malware/
https://www.bankinfosecurity.com/espionage-campaign-targets-turkish-defense-industry-a-27085
https://www.infosecurity-magazine.com/news/ta397-malware-targets-turkish/
- New Fake Ledger Data Breach Emails Try To Steal Crypto Wallets
"A new Ledger phishing campaign is underway that pretends to be a data breach notification asking you to verify your recovery phrase, which is then stolen and used to steal your cryptocurrency. Ledger is a hardware cryptocurrency wallet that allows you to store, manage, and sell cryptocurrency. The funds in these wallets are secured using 24-word recovery phrases or 12 and 18-word phrases generated by other wallets."
https://www.bleepingcomputer.com/news/security/new-fake-ledger-data-breach-emails-try-to-steal-crypto-wallets/
- Exploit Attempts Inspired By Recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164)
"Last week, Apache announced a vulnerability in Struts2 [1]. The path traversal vulnerability scored 9.5 on the CVSS scale. If exploited, the vulnerability allows file uploads into otherwise restricted directories, which may lead to remote code execution if a webshell is uploaded and exposed in the web root. I call the exploit attempts below "inspired" by this vulnerability. There are at least two vulnerabilities that could be targeted. I do not have a vulnerable system to test if the exploit will work."
https://isc.sans.edu/diary/31520
https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/
https://www.theregister.com/2024/12/17/critical_rce_apache_struts/
- cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen And Hping3)
"AhnLab SEcurity intelligence Center (ASEC) monitors attacks against poorly managed Linux servers using multiple honeypots. Among the prominent honeypots are SSH services using weak credential information, which are targeted by numerous DDoS and CoinMiner threat actors."
https://asec.ahnlab.com/en/85165/
- Your Data Is Under New Lummanagement: The Rise Of LummaStealer
"Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigate the rising activity of the malware LummaStealer."
https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer
- Google Calendar Notifications Bypassing Email Security Policies
"Google Calendar is a tool for organizing schedules and managing time, designed to assist individuals and businesses in planning their days efficiently. According to Calendly[.]com, Google Calendar is used by more than 500 million people and is available in 41 different languages."
https://blog.checkpoint.com/securing-user-and-access/google-calendar-notifications-bypassing-email-security-policies/
https://www.infosecurity-magazine.com/news/cybercriminals-exploit-google/
https://www.theregister.com/2024/12/18/google_calendar_spoofed_in_phishing_campaign/
- Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console To Deliver Backdoor Payloads
"The Securonix Threat Research team has been monitoring an interesting tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. Is the abuse of LNK files finally on the decline? It seems that almost all malware campaigns these days feature a malicious LNK (shortcut) file as the initial code execution lure. In fact, the last three campaigns our team analyzed leveraged shortcut files, including SLOW#TEMPEST, SHROUDED#SLEEP and CRON#TRAP."
https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads/
https://thehackernews.com/2024/12/hackers-use-microsoft-msc-files-to.html
- LDAP Enumeration: Unveiling The Double-Edged Sword Of Active Directory
"This article provides a practical guide to developing a detection strategy for Lightweight Directory Access Protocol (LDAP)-based attacks. We analyze real-world examples of nation-state and cybercriminal threat actors abusing LDAP attributes. We also examine common LDAP enumeration queries and assess their potential risks."
https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks/
Breaches/Hacks/Leaks
- Hackers Leak Partial Cisco Data From 4.5TB Of Exposed Records
"On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download."
https://hackread.com/hackers-leak-partial-cisco-data-4-5tb-exposed-records/
- 5 Million Payment Card Details Stolen In Painful Reminder To Monitor Christmas Spending
"Another day, another exposed S3 bucket. This time, 5 million US credit cards and personal details were leaked online. The Leakd.com security team discovered that 5 terabytes of sensitive screenshots were exposed in a freely accessible Amazon S3 bucket. An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size."
https://www.malwarebytes.com/blog/news/2024/12/5-million-payment-card-details-stolen-in-painful-reminder-to-monitor-christmas-spending
General News
- The Shifting Security Landscape: 2025 Predictions And Challenges
"As the borderless threat ecosystem poses new challenges for companies and governments worldwide, CISA’s 2025-2026 International Plan aims to address this problem. CISA’s plan calls for integrated cyber defense across borders, addressing the complex, global cybersecurity challenges that businesses, governments and consumers face."
https://www.helpnetsecurity.com/2024/12/17/2025-cybersecurity-predictions/
- Balancing Security And User Experience To Improve Fraud Prevention Strategies
"In this Help Net Security interview, Jennifer White, Senior Director for Banking and Payments Intelligence at J.D. Power, discusses how financial institutions can improve customer satisfaction during fraud resolution, covering proactive fraud prevention, clear communication, and empathetic issue resolution. White also touches on the role of technology, such as AI, in enhancing fraud detection and balancing security with a user-friendly experience for customers."
https://www.helpnetsecurity.com/2024/12/17/jennifer-white-j-d-power-fraud-protection/
- New APIs Discovered By Attackers In Just 29 Seconds
"Newly deployed and potentially unprotected APIs are being discovered in under half a minute, at extremely low cost to threat actors, according to new research from Wallarm. The security firm designed what it claims to be the first ever API honeypot, in order to compile its new report, Gone in 29 Seconds: The World’s First API Honeypot. Its findings are taken from the first 20 days of activity, which took place in November 2024. Wallarm warned that newly deployed APIs in particular represent a security risk, as many are unmanaged and may be less-well protected than they should be."
https://www.infosecurity-magazine.com/news/new-apis-discovered-attackers-29/
- CISA Issues BOD 25-01, Implementing Secure Practices For Cloud Services
"Today, CISA issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services to safeguard federal information and information systems. This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines."
https://www.cisa.gov/news-events/alerts/2024/12/17/cisa-issues-bod-25-01-implementing-secure-practices-cloud-services
https://cisa.gov/news-events/directives/bod-25-01-implementing-secure-practices-cloud-services
https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-secure-microsoft-365-tenants/
https://www.bankinfosecurity.com/cisa-orders-secure-cloud-configurations-for-federal-agencies-a-27087
https://cyberscoop.com/cisa-scuba-baselines-cloud-security-directive/
https://www.darkreading.com/cloud-security/cisa-directs-federal-agencies-secure-cloud-environments
https://therecord.media/cisa-orders-federal-agencies-to-secure-microsoft-cloud-systems
- CISA And ONCD Release Playbook For Strengthening Cybersecurity In Federal Grant Programs For Critical Infrastructure
"Today, CISA and the Office of the National Cyber Director (ONCD) published Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to assist grant-making agencies to incorporate cybersecurity into their grant programs and assist grant-recipients to build cyber resilience into their grant-funded infrastructure projects."
https://www.cisa.gov/news-events/alerts/2024/12/17/cisa-and-oncd-release-playbook-strengthening-cybersecurity-federal-grant-programs-critical
https://www.cisa.gov/resources-tools/resources/playbook-strengthening-cybersecurity-federal-grant-programs-critical-infrastructure
https://cyberscoop.com/playbook-advises-federal-grant-managers-how-to-build-cybersecurity-into-their-programs/
- Current State Of SonicWall Exposure: Firmware Decryption Unlocks New Insights
"At Bishop Fox, we pride ourselves on keeping our customers one step ahead of malicious adversaries. Part of what we do to stay on the cutting edge is invest in research that helps us better understand the threat landscape our customers face. The fact is, when it comes to gaining a foothold in a network, edge security devices, and specifically VPN appliances, continue to be an easy target for attackers. In 2024 alone, we’ve seen targeted attacks against appliances from Check Point, Cisco, Ivanti, Fortinet, Palo Alto, Juniper, and SonicWall (just to name a few)."
https://bishopfox.com/blog/state-sonicwall-exposure-firmware-decryption-unlocks-insights
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-firewalls-exposed-to-critical-flaws/
- What We Saw In Web Security In 2024 And What We Can Do About It
"2024 was a defining year for web security, marked by some of the most sophisticated cyber threats we’ve seen. As businesses continued shifting to web-based work environments – relying on SaaS platforms, cloud-based application, remote work and BYOD policies – attackers increased their focus on browsers, exploiting vulnerabilities faster than ever before."
https://blog.checkpoint.com/security/what-we-saw-in-web-security-in-2024-and-what-we-can-do-about-it/
- To Defeat Cybercriminals, Understand How They Think
"What are cybercriminals thinking? Inside the mind of a threat actor, the devil is in the details. Cybersecurity is composed of so many details that it's easy to miss some of them. For instance, even if you have all other employees protected, just one person not using two-factor authentication could put them all at risk."
https://www.darkreading.com/vulnerabilities-threats/defeat-cybercriminals-understand-how-they-think
- GenAI: Security Teams Demand Expertise-Driven Solutions
"Generative AI (GenAI) integration continues to be at the top of many cybersecurity leaders' minds, but not at all costs, according to a new CrowdStrike survey published on December 17. Of the 1022 global cybersecurity and IT professionals approached for the State of AI in Cybersecurity Survey, 64% are either researching GenAI tools or have already purchased one. Additionally, 70% of respondents said they intend to make a GenAI purchase within the next 12 months."
https://www.infosecurity-magazine.com/news/genai-security-teams-crowdstrike/
- Organizations Warned Of Rise In Okta Support Phishing Attacks
"Okta has warned organizations of an increase in what it has described as “phishing social engineering attempts” that impersonate its support team. Okta customers and the company itself are regularly targeted by bad actors due to the widespread use of its identity solutions by major enterprises. Obtaining Okta credentials can enable attackers to gain access to a targeted organization’s systems."
https://www.securityweek.com/organizations-warned-of-rise-in-okta-support-phishing-attacks/
- Cybersecurity Marketing Predictions For 2025 Business Growth
"Every year around this time, cybersecurity marketing teams scramble to work with their subject matter experts (SMEs) to respond to next year prediction requests about tech trends and potential threat actor behaviors. But, nary have I seen anyone ask marketers what they think is going to change—or what should’ve already started happening—going into a new year."
https://www.securityweek.com/cybersecurity-marketing-predictions-for-2025-business-growth/
Reference
Electronic Transactions Development Agency (ETDA)