ETDA Cyber Threat Intelligence 01 October 2024
Energy Sector
- FERC Outlines Supply Chain Security Rules For Power Plants
"Attacks targeting SolarWinds and MOVEit in recent years have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain safety to improve the resilience of the US bulk power system. At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants."
https://www.darkreading.com/cyber-risk/ferc-updates-supply-chain-security-power-plants
New Tooling
- SCCMSecrets: Open-Source SCCM Policies Exploitation Tool
"SCCMSecrets is an open-source tool that exploits SCCM policies, offering more than just NAA credential extraction. SCCM policies are a key target for attackers in Active Directory environments, as they can expose sensitive technical information, including account credentials. Attackers may retrieve these credentials by impersonating a registered device with authenticated access or, in some cases, even from an unauthenticated position by exploiting misconfigurations in policy distribution."
https://www.helpnetsecurity.com/2024/09/30/sccmsecrets-open-source-sccm-policies-exploitation-tool/
https://github.com/synacktiv/SCCMSecrets
Vulnerabilities
- Insecure Deserialization In Veeam Backup And Replication: CVE-2024-40711
"The SonicWall Capture Labs threat research team became aware of an insecure deserialization vulnerability in Veeam Backup & Replication, assessed its impact and developed mitigation measures. Veeam Backup & Replication is a proprietary backup app developed by Veeam for virtual environments built on VMware vSphere, Nutanix AHV and Microsoft Hyper-V hypervisors. Identified as CVE-2024-40711, Veeam Backup & Replication versions before 12.1.2.172 allow a threat actor to achieve unauthenticated remote code execution using an underlying insecure deserialization vulnerability, earning a critical CVSS score of 9.8."
https://blog.sonicwall.com/en-us/2024/09/insecure-deserialization-in-veeam-backup-and-replication-cve-2024-40711/
https://www.veeam.com/kb4649
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-25280 D-Link DIR-820 Router OS Command Injection Vulnerability
CVE-2020-15415 DrayTek Multiple Vigor Routers OS Command Injection Vulnerability
CVE-2021-4043 Motion Spell GPAC Null Pointer Dereference Vulnerability
CVE-2019-0344 SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/09/30/cisa-adds-four-known-exploited-vulnerabilities-catalog
Malware
- Event Log Talks a Lot: Identifying Human-Operated Ransomware Through Windows Event Logs
"The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector. You may already know from recent security incident trends that the vulnerabilities of VPN devices are likely to be exploited, but it often takes much time to investigate because multiple penetration routes are often considered when an incident occurs. Therefore, in order to ensure a smooth initial response, it is important to investigate the penetration route after first estimating the attack group based on the encrypted file extensions and ransom notes left on the affected device, and then identifying the entry points that the attack group has used in the past."
https://blogs.jpcert.or.jp/en/2024/09/windows.html
https://www.bleepingcomputer.com/news/security/jpcert-shares-windows-event-log-tips-to-detect-ransomware-attacks/
- Thread Hijacking: How Attackers Exploit Trusted Conversations To Infiltrate Networks
"Cyberattacks are becoming increasingly stealthy and targeted, with malicious actors focusing on high-value individuals to gain privileged access to their organizations’ digital environments. One technique that has gained prominence in recent years is thread hijacking. This method allows attackers to infiltrate ongoing conversations, exploiting the trust within these threads to access sensitive systems."
https://darktrace.com/blog/thread-hijacking-how-attackers-exploit-trusted-conversations-to-infiltrate-networks
https://hackread.com/darktrace-ai-halts-thread-hijacking-attack/
- UK And US Warn Of Growing Iranian Spear Phishing Threat
"The UK’s National Cyber Security Centre (NCSC) teamed up with government agencies across the Atlantic to issue a new alert about Iranian cyber-threats on Friday. Released in concert with the FBI, US Cyber Command – Cyber National Mission Force (CNMF) and the Department of the Treasury (Treasury), the security advisory claimed that Iran’s Islamic Revolutionary Guard Corps (IRGC) is behind the spear phishing campaign. The campaign is targeted at individuals “with a nexus to Iranian and Middle Eastern affairs,” although it’s also focused at US political campaigns, with an end goal of furthering its information operations, the advisory noted."
https://www.infosecurity-magazine.com/news/uk-us-warn-iranian-spearphishing/
https://www.ic3.gov/Media/News/2024/240927.pdf
https://www.theregister.com/2024/09/30/iran_spearphishing/
- North Korea Hackers Linked To Breach Of German Missile Manufacturer
"A professional hacking team linked to the North Korean government has broken into Diehl Defence, a German company that manufactures Iris-T air defense systems, using a clever phishing campaign with fake job offers and advanced social engineering tactics, according to a report by Der Spiegel. The attack, pinned on the Kimsuky APT, combined the use of booby-trapped PDF files with spear-phishing lures offering Diehl Defence employees jobs with American defense contractors."
https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/
- MDR In Action: Preventing The More_eggs Backdoor From Hatching
"A customer’s talent search led to their recruitment officer downloading a fake resume and inadvertently executing a malicious .LNK file, resulting in a more_eggs infection (Figure 1). More_eggs is a JScript backdoor that belongs to the Golden Chickens malware-as-a-service (MaaS) toolkit. It’s known to be used by financially motivated threat actors such as FIN6 and the Cobalt Group to target financial and retail institutions. It communicates with a fixed command-and-control (C&C) server to download and execute additional payload, such as an infostealer and ransomware."
https://www.trendmicro.com/en_us/research/24/i/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html
Breaches/Hacks/Leaks
- Media Giant AFP Hit By Cyberattack Impacting News Delivery Services
"Global news agency AFP (Agence France-Presse) is warning that it suffered a cyberattack on Friday, which impacted IT systems and content delivery services for its partners. The news organization says the attack does not impact news coverage worldwide but has impacted some client services. AFP's IT staff is working with France's cybersecurity agency (ANSSI) to mitigate the attack and resolve its repercussions."
https://www.bleepingcomputer.com/news/security/media-giant-afp-hit-by-cyberattack-impacting-news-delivery-services/
https://therecord.media/afp-cyberattack-targeted-it-systems
- Facial DNA Service Provider Exposed Thousands Of Records Online
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about the discovery of thousands of non-password-protected biometric images and metadata records belonging to ChoiceDNA — a company that offers genetic DNA testing and DNA Face Matching services."
https://www.vpnmentor.com/news/report-choicedna-breach/
https://hackread.com/facial-dna-provider-leak-biometric-data-wordpress-folder/
- Patelco Credit Union Data Breach Impacts Over 1 Million People
"Patelco Credit Union has informed authorities that the information of more than 1 million individuals was stolen in a ransomware attack this summer. The incident was identified on June 29 and resulted in Patelco taking some of its day-to-day banking systems offline, the company said, explaining that it led to an outage affecting the union’s online banking services, mobile application, and call center. The California-based member-owned, not-for-profit credit union said it determined that the attackers had access to its systems starting May 23 and that they stole a database containing personal information."
https://www.securityweek.com/patelco-credit-union-data-breach-impacts-over-1-million-people/
https://securityaffairs.com/169139/cyber-crime/patelco-credit-union-data-breach.html
- Hawaii Health Center Discloses Data Breach After Ransomware Attack
"The Community Clinic of Maui in Hawaii, a nonprofit healthcare organization doing business as Malama I Ke Ola Health Center, informed authorities in the US last week that a cyberattack suffered earlier this year has resulted in a data breach impacting over 120,000 individuals. Local media reported in May that it took the Maui healthcare organization more than two weeks to reopen after experiencing “major computer problems”. In June, the notorious LockBit ransomware group took credit for the attack on the Community Clinic of Maui."
https://www.securityweek.com/hawaii-health-center-discloses-data-breach-after-ransomware-attack/
https://securityaffairs.com/169125/data-breach/community-clinic-of-maui-lockbit-ransomware.html
- Accounting Firm WMDDH Discloses Data Breach Impacting 127,000
"Public accounting firm Wright, Moore, DeHart, Dupuis & Hutchinson (WMDDH) is notifying over 127,000 individuals that their personal information was stolen in a July 2023 data breach. The incident, the company wrote in notification letters to the impacted individuals, was identified on July 11, 2023, when unusual network activity was observed on WMDDH’s network."
https://www.securityweek.com/accounting-firm-wmddh-discloses-data-breach-impacting-127000/
- Rackspace Monitoring Systems Rocked By Zero-Day
"Rackspace has told customers intruders exploited a zero-day bug in a third-party application it was using, and abused that vulnerability to break into its internal performance monitoring environment. That intrusion forced the cloud-hosting outfit to temporarily take its monitoring dashboard offline for customers. "On September 24, 2024, Rackspace discovered a zero-day remote code execution vulnerability in a non-Rackspace utility, that is packaged and delivered alongside the third-party ScienceLogic application," a spokesperson for the IT provider told The Register Monday. It not only discovered that flaw, it found it had been exploited."
https://www.theregister.com/2024/09/30/rackspace_zero_day_attack/
- Australian e-Tailer DigiDirect Customers' Info Allegedly Stolen And Dumped Online
"Data allegedly belonging to more than 304,000 customers of Australian camera and tech e-tailer digiDirect has been leaked to an online cyber crime forum. digiDirect, a prominent Australian consumer electronics retailer, did not immediately respond to The Register's inquiries. We will update this story if and when we hear back. According to a BreachForums post, a crook who goes by “Tanaka” allegedly swiped a database containing customers' full names, email addresses, phone numbers, billing and shipping addresses, and company names."
https://www.theregister.com/2024/10/01/australian_digidirect_info_leak/
General News
- Could APIs Be The Undoing Of AI?
"Application programming interfaces (APIs) are essential to how generative AI (GenAI) functions with agents (e.g., calling upon them for data). But the combination of API and LLM issues coupled with rapid rollouts is likely to see numerous organizations having to combat security failings."
https://www.helpnetsecurity.com/2024/09/30/llm-issues/
- Businesses Turn To Private AI For Enhanced Security And Data Management
"In this Help Net Security interview, Joe Baguley, CTO EMEA at Broadcom, shares insights on private AI and its significance in data security. He explains how it helps organizations maintain control over sensitive information while addressing the complexities of compliance and data privacy. Baguley also discusses the sectors leading the way in private AI adoption and the risks that come with it."
https://www.helpnetsecurity.com/2024/09/30/joe-baguley-broadcom-private-ai-adoption/
- The Most Common Authentication Method Is Also The Least Secure
"Despite the rise in cyber threats, many people do not have a holistic view of security, according to Yubico. The results of the survey uncovered concerning patterns and behaviors when it comes to personal and workplace cybersecurity, including the extensive underutilization of multi-factor authentication (MFA) and a generally reactive approach to addressing cyber threats."
https://www.helpnetsecurity.com/2024/09/30/least-secure-authentication-method/
- AI Code Helpers Just Can't Stop Inventing Package Names
"AI models just can't seem to stop making things up. As two recent studies point out, that proclivity underscores prior warnings not to rely on AI advice for anything that really matters. One thing AI makes up quite often is the names of software packages. As we noted earlier this year, Lasso Security found that large language models (LLMs), when generating sample source code, will sometimes invent names of software package dependencies that don't exist."
https://www.theregister.com/2024/09/30/ai_code_helpers_invent_packages/
- CISA’s VDP Platform 2023 Annual Report Showcases Success
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its Vulnerability Disclosure Policy (VDP) Platform 2023 Annual Report, highlighting the service’s remarkable success in 2023, its second full year of operation. Throughout 2023, CISA focused on advocating for the increased agency adoption of the VDP Platform, supporting federal civilian executive branch (FCEB) agencies in identifying vulnerabilities in their systems, and engaging the public security researcher community."
https://www.cisa.gov/news-events/alerts/2024/09/30/cisas-vdp-platform-2023-annual-report-showcases-success
https://www.cisa.gov/sites/default/files/2024-09/Vulnerability Disclosure Policy (VDP) Platform 2023 Annual Report.pdf
- The Growing Threat Of Fake Job Applicants
"It cannot be denied that the rise of remote work has opened up many opportunities for both employers and job seekers. Despite this, however, it has also presented a plethora of challenges when it comes to recruiting in the cybersecurity and tech spaces, one of the most notable of which is the proliferation of candidates who either don’t exist entirely or who aren’t who they claim to be."
https://www.tripwire.com/state-of-security/growing-threat-fake-job-applicants
- More Frequent Disruption Operations Needed To Dent Ransomware Gangs, Officials Say
"With ransomware gangs proving capable of quickly reconstituting after government takedown operations, an international alliance wants to ramp up those offensive measures even more. “What we’ve observed is that there is no one operation that’s going to disrupt ransomware permanently,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters in a call Monday."
https://cyberscoop.com/counter-ransomware-initiative-summit-white-house-odni/
- 2024 Deloitte-NASCIO Cybersecurity Study
"The 8th biennial Deloitte-NASCIO Cybersecurity Study reveals a landscape roiled by fresh challenges, most notably the extensive advances in artificial intelligence and generative AI. This year’s study reflects insights from the CISOs of all 50 states and the District of Columbia. The CISOs completed this year’s survey in spring 2024, at a time when the massive disruptions of the COVID-19 pandemic had subsided, but fresh cyberthreats had emerged. The attack surface is expanding, with the public sector’s reliance on information becoming increasingly central to the operation of government itself. The ability of government to deliver on its mission rests on data—and on the security of that data."
https://www2.deloitte.com/us/en/insights/industry/public-sector/2024-deloitte-nascio-cybersecurity-study.html
https://www.darkreading.com/cyber-risk/state-cisos-struggle-budgeting-staffing
https://www.infosecurity-magazine.com/news/us-state-cisos-insufficient-funding/
- Reachability Analysis Pares Down Static Security-Testing Overload
"AI assistants are a double-edged sword for developers. On one hand, code-generation assistants have made creating barebones applications easier and led to a surge in code pushed to GitHub. Yet, just as easy? Generating code with defects and vulnerabilities. As a result, application-security teams serving large development groups are seeing growing application-vulnerability reports — a large portion of which are false positives. In fact, nearly a third of teams (31%) find the majority of reported vulnerabilities are false positives, according to software-security firm Snyk's 2023 State of Open Source Security report."
https://www.darkreading.com/application-security/reachability-analysis-static-security-testing-overload
- Shadow AI, Data Exposure Plague Workplace Chatbot Use
"Generational AI chatbots are popping up in everything from email clients to HR tools these days, offering a friendly and smooth path toward better enterprise productivity. But there's a problem: All too often, workers aren't thinking about the data security of the prompts they're using to elicit chatbot responses. In fact, more than a third (38%) of employees share sensitive work information with AI tools without their employer's permission, according to a survey this week by the US National Cybersecurity Alliance (NCA). And that's a problem."
https://www.darkreading.com/cyber-risk/shadow-ai-sensitive-data-exposure-workplace-chatbot-use
https://staysafeonline.org/resources/oh-behave-the-annual-cybersecurity-attitudes-and-behaviors-report-2024/
- Treat Your Enterprise Data Like a Digital Nomad
"The post-pandemic need for "anywhere connection" is fueling not only borderless business but also the rise of digital nomads. Surprisingly, the two face similar issues. Consider that both international enterprises and location-independent workers must be prepared for travel, follow local rules, and carry only the essentials. For a digital nomad, this might mean a laptop, a handful of essential apps, and a reliable VPN. For an enterprise and its data, it's multicloud databases, robust encryption, and a zero-trust posture."
https://www.darkreading.com/cybersecurity-operations/treat-enterprise-data-digital-nomad
- Cyber-Attacks Hit Over a Third Of English Schools
"Over a third (34%) of English schools and colleges were hit by a cyber incident in the previous academic year 2023/24, according to a new government report. A teacher survey by exam watchdog the Office of Qualifications and Examinations Regulation (Ofqual) found that 20% of schools and colleges were unable to recover immediately following an incident, with 4% taking more than half a term to return to normal operations. Additionally, 9% of headteachers admitted they had experienced a “critically damaging” cyber-attack in the last academic year."
https://www.infosecurity-magazine.com/news/cyber-attacks-third-english-schools/
- PwC Urges Boards To Give CISOs a Seat At The Table
"Cyber-resilience efforts are lagging among global organizations, partly because they’re failing to get CISOs involved in strategic technology investments, according to PwC. The consulting giant polled over 4000 business and technology executives to compile its annual Global Digital Trust Insights report. It found that just 2% of responding organizations have implemented cyber resilience actions across all areas surveyed. That could be because CISOs are not given enough power and autonomy. Less than 50% are involved to a large extent in strategic planning on cyber investments, PwC claimed."
https://www.infosecurity-magazine.com/news/pwc-boards-cisos-seat-table/
https://www.theregister.com/2024/09/30/pwc_security_survey/
- CISA Pledges To Resolve Issues With Threat Sharing System After Watchdog Report
"The nation’s top cyber agency said it has plans to revitalize a system used to share cybersecurity threat information after a government watchdog raised concerns about the program’s recent shortcomings. On Friday, the Department of Homeland Security’s Office of the Inspector General published a report on Automated Indicator Sharing (AIS) — which was used to spread cyber threat intelligence and was mandated as part of a 2015 law."
https://therecord.media/cisa-pledges-to-resolve-threat-sharing-program-issues-oig-report
https://www.oig.dhs.gov/sites/default/files/assets/2024-09/OIG-24-60-Sep24.pdf
- Session Hijacking 2.0 — The Latest Way That Attackers Are Bypassing MFA
"Attackers are increasingly turning to session hijacking to get around widespread MFA adoption. The data supports this, as:
- 147,000 token replay attacks were detected by Microsoft in 2023, a 111% increase year-over-year (Microsoft).
- Attacks on session cookies now happen in the same order of magnitude as password-based attacks (Google).
But session hijacking isn't a new technique – so what's changed?"
https://thehackernews.com/2024/09/session-hijacking-20-latest-way-that.html
- Remote ID Verification Tech Is Often Biased, Bungling, And No Good On Its Own
"A study by the US General Services Administration (GSA) has revealed that five remote identity verification (RiDV) technologies are unreliable, inconsistent, and marred by bias across different demographic groups. In a pre-press version of the GSA study, shared this month, the agency said that only two of the RiDV products it tested were equitable for all users; two others had at least one demographic where error rates and false rejections were notably higher, with one product showing significantly higher rejection rates for Black participants and individuals with darker skin tones."
https://www.theregister.com/2024/09/30/remote_identity_verification_biased/
https://arxiv.org/html/2409.12318v1
References
Electronic Transactions Development Agency (ETDA)