Cyber Threat Intelligence 19 August 2024
New Tooling
- Authentik: Open-Source Identity Provider
"Authentik is an open-source identity provider designed for maximum flexibility and adaptability. It easily integrates into existing environments and supports new protocols. It’s a comprehensive solution for implementing features like sign-up, account recovery, and more in your application, eliminating the need to manage these tasks manually."
https://www.helpnetsecurity.com/2024/08/16/authentik-open-source-identity-provider/
https://github.com/goauthentik/authentik
Vulnerabilities
- Potential Widespread Data Exposure Analysis: Oracle NetSuite
"NetSuite is a popular SaaS Enterprise Resource Planning (ERP) platform. One of the most coveted features of the platform is the ability to deploy an external-facing store using SuiteCommerce or SiteBuilder. These sites are deployed on a subdomain of the NetSuite tenant and can allow unauthenticated customers to browse, register, and even purchase products directly from a business. The main benefit is providing e-commerce operations and back-office processes (such as supply chain) within a unified platform."
https://appomni.com/blog/oracle-netsuite-data-exposure-analysis/
https://www.darkreading.com/application-security/oracle-netsuite-ecommerce-sites-expose-customer-data
- CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
"In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations. This DarkGate campaign was an update from a previous campaign in which the DarkGate operators were exploiting a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year."
https://www.zerodayinitiative.com/blog/2024/8/14/cve-2024-38213-copy2pwn-exploit-evades-windows-web-protections
https://www.securityweek.com/copy2pwn-zero-day-exploited-to-bypass-windows-protections/
- The Hidden Door: How CVE-2024-23897 Enabled Ransomware Attack On Indian Banks
"On August 1, 2024, Retail payments began to be disrupted in Indian banks and suddenly, massive news broke, stating Brontoo Technology Solutions – a collaborator with C-Edge Technologies, which is a joint venture between TCS (Tata Consultancy Services) and SBI (State Bank of India), was impacted by a ransomware attack, according to NPCI (National Payment Corporation of India). C-Edge primarily provides technology services to cooperative and regional rural banks."
https://blogs.juniper.net/en-us/threat-research/cve-2024-23897-enabled-ransomware-attack-on-indian-banks
https://therecord.media/jenkins-vulnerability-india-npci-ransomware-attack
- iVerify Discovers Android Vulnerability Impacting Millions Of Pixel Devices Around The World
"Earlier this year, iVerify's EDR capability flagged an Android device at Palantir Technologies as unsecure, which launched an investigation in partnership with Palantir and Trail of Bits. The investigation revealed an Android application package, Showcase.apk, that is part of the firmware. When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware. The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars."
https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world
https://thehackernews.com/2024/08/google-pixel-devices-shipped-with.html
https://therecord.media/google-to-remove-app-pixel-vulnerable
https://securityaffairs.com/167130/security/pixel-devices-pre-installed-vulnerable-app.html
https://hackread.com/7-year-old-pre-installed-google-pixel-app-flaw-risk/
- From 2018: DeepMasterPrints: Deceive Fingerprint Recognition Systems With MasterPrints Generated With GANs
"Boffins demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks using ‘MasterPrints’, which are fingerprints that can match multiple other prints."
https://securityaffairs.com/167219/hacking/deepmasterprints-deceive-fingerprint-recognition-systems-with-masterprints.html
Malware
- Unmasking Styx Stealer: How a Hacker’s Slip Led To An Intelligence Treasure Trove And Their Big Reveal
"In the shadowy world of cybercrime, even the most cunning hackers can make blunders that expose their operations. CPR’s recent discovery of Styx Stealer, a new malware variant derived from the notorious Phemedrone Stealer, highlights this reality. The investigation revealed critical missteps by its developer, including a significant operational security (OpSec) lapse that leaked sensitive information from his own computer."
https://blog.checkpoint.com/research/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove-and-their-big-reveal/
- Disrupting a Covert Iranian Influence Operation
"OpenAI is committed to preventing abuse and improving transparency around AI-generated content. This includes our work to detect and stop covert influence operations (IO), which try to manipulate public opinion or influence political outcomes while hiding the true identity or intentions of the actors behind them. This is especially important in the context of the many elections being held in 2024. We have expanded our work in this area throughout the year, including by leveraging our own AI models to better detect and understand abuse."
https://openai.com/index/disrupting-a-covert-iranian-influence-operation/
https://thehackernews.com/2024/08/openai-blocks-iranian-influence.html
https://cyberscoop.com/openai-bans-accounts-linked-to-covert-iranian-influence-operation/
https://securityaffairs.com/167194/intelligence/openai-dismantled-iranian-influence-operation.html
- Beyond The Wail: Deconstructing The BANSHEE Infostealer
"In August 2024, a novel macOS malware named "BANSHEE Stealer" emerged, catching the attention of the cybersecurity community. Reportedly developed by Russian threat actors, BANSHEE Stealer was introduced on an underground forum and is designed to function across both macOS x86_64 and ARM64 architectures. This malware presents a severe risk to macOS users, targeting vital system information, browser data, and cryptocurrency wallets. With a steep monthly subscription price of $3,000, BANSHEE Stealer stands out in the market, particularly compared to known stealers like AgentTesla."
https://www.elastic.co/security-labs/beyond-the-wail
https://thehackernews.com/2024/08/new-banshee-stealer-targets-100-browser.html
https://therecord.media/apple-macos-infostealer-banshee-stealer
https://www.securityweek.com/new-banshee-stealer-macos-malware-priced-at-3000-per-month/
https://securityaffairs.com/167138/malware/banshee-stealer-macos-malware.html
- Azure Domains And Google Abused To Spread Disinformation And Malware
"A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains as well as Google search to promote malware and spam sites. Android users receive a "new info related to..." Google search notification about a subject they have previously searched about, but are then presented with misleading search results, driving traffic to scam websites disguised as infotainment articles."
https://www.bleepingcomputer.com/news/security/azure-domains-and-google-abused-to-spread-disinformation-and-malware/
Breaches/Hacks/Leaks
- National Public Data Confirms Breach Exposing Social Security Numbers
"Background check service National Public Data confirms that hackers breached its systems after threat actors leaked a stolen database with millions of social security numbers and other sensitive personal information. The company states that the breached data may include names, email addresses, phone numbers, social security numbers (SSNs), and postal addresses."
https://www.bleepingcomputer.com/news/security/national-public-data-confirms-breach-exposing-social-security-numbers/
https://therecord.media/social-security-numbers-leak-national-public-data
https://www.infosecurity-magazine.com/news/national-public-data-confirms-data/
https://www.theregister.com/2024/08/16/national_public_data_theft/
https://securityaffairs.com/167171/data-breach/national-public-data-confirms-data-breach.html
- Ransomware Attack On Flint Affecting City Services As FBI Investigates Incident
"Phones and computers used by government workers in Flint, Michigan are facing outages due to a ransomware attack that began on Wednesday. The city of about 80,000 people published a statement Thursday saying it is experiencing internal network and internet outages caused by the attack. Both the FBI and state attorney general’s office are involved in investigating the incident."
https://therecord.media/ransomare-flint-incident-cyberattack-fbi-investigating
- Crypto Firm Says Hacker Locked All Employees Out Of Google Products For Four Days
"A prominent cryptocurrency company told the SEC that a hacker broke into its systems and locked all of the company’s employees out before taking several actions that are still being investigated. Unicoin filed regulatory documents Thursday that said the attack began on August 9, when a hacker “gained access to the Company’s Google G-Suite account and changed passwords of all users of the Company’s G-Suite products (i.e., G-Mail, G-Drive and other related G-Suite functionality).”"
https://therecord.media/unicoin-cryptocurrency-company-hack-gsuite
https://www.theregister.com/2024/08/16/unicoin_gsuite_compromise/
General News
- Why Are Organizations Losing The Ransomware Battle?
"Successful ransomware attacks are increasing, not necessarily because the attacks are more sophisticated in design but because cybercriminals have realized many of the world's largest enterprises lack sufficient resilience to basic cybersecurity practices. Despite massive investments in cybersecurity from the private and public sectors, many organizations continue to lack sufficient resistance to ransomware attacks."
https://www.darkreading.com/vulnerabilities-threats/why-are-organizations-losing-ransomware-battle
- Business And Tech Consolidation Opens Doors For Cybercriminals
"Cyber threats continued to intensify in the first half of 2024 as cybercriminals exploited security gaps from growing business and technological consolidation, according to Resilience."
https://www.helpnetsecurity.com/2024/08/16/technology-consolidation-risks/
- Geopolitical Tensions Drive Explosion In DDoS Attacks
"Web distributed denial of service (DDoS) attacks rose by 265% in the first half of 2024 compared to H2 2023, according to new findings from Radware. Application-layer DNS DDoS activity also tripled from H2 2023 to H1 2024, while a 16% increase in locked network-layer DDoS attacks was observed in the same period. The researchers highlighted growing worldwide geopolitical tensions as a major driver of this trend, with hacktivist groups claiming between 1000 to 1200 DDoS attacks per month in the first six
https://www.infosecurity-magazine.com/news/geopolitical-tensions-drive-ddos/
- Consolidation Vs. Optimization: Which Is More Cost-Effective For Improved Security?
"Especially in the current macroeconomic and political climate, security leaders are facing some big decisions about how they use their monetary and people resources to better secure their environments. And, despite that climate driving more threat actor activity, they are being asked to scale back. It’s a paradox that impacts both the security of organizations and the stress levels of the people running them."
https://www.securityweek.com/consolidation-vs-optimization-which-is-more-cost-effective-for-improved-security/
References
Electronic Transactions Development Agency (ETDA)