Cyber Threat Intelligence 02 October 2024
Industrial Sector
- Optigo Networks ONS-S8 Spectra Aggregation Switch
"Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, arbitrary file upload, or bypass authentication."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-275-01
- Mitsubishi Electric MELSEC iQ-F FX5-OPC
"Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the product by getting a legitimate user to import a specially crafted PKCS#12 format certificate."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-275-02
- ASD’s ACSC, CISA, FBI, NSA, And International Partners Release Guidance On Principles Of OT Cybersecurity For Critical Infrastructure Organizations
"Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)—in partnership with CISA, U.S. government and international partners—released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational technology (OT) environment."
https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-and-international-partners-release-guidance-principles-ot-cybersecurity
https://www.cisa.gov/resources-tools/resources/principles-operational-technology-cyber-security
Vulnerabilities
- Arc Browser Launches Bug Bounty Program After Fixing RCE Bug
"The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. This development comes in response to a critical remote code execution flaw, tracked as CVE-2024-45489, that could have enabled threat actors to launch mass-scale attacks against users of the program. The flaw allowed attackers to exploit how Arc uses Firebase for authentication and database management to execute arbitrary code on a target's browser."
https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bounty-program-after-fixing-rce-bug/
https://kibty.town/blog/arc/
- Zimbra RCE Vuln Under Attack Needs Immediate Patching
"Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away. The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected
https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now
- Spooky Action: Phantom Domains Create Hijackable Hyperlinks
"According to a recent paper published at the 2024 Web Conference, so-called “phantom domains” make it possible for malicious actors to hijack hyperlinks and exploit users’ trust in familiar websites. The research defines phantom domains as active links to dot-com domains that have never been registered. Here’s what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders."
https://securityintelligence.com/articles/phantom-domains-create-hijackable-hyperlinks/
https://dl.acm.org/doi/10.1145/3589334.3645510
Malware
- Threat Actors Leverage Docker Swarm And Kubernetes To Mine Cryptocurrency At Scale
"Datadog Security Research recently discovered a new malware campaign targeting microservice technologies, namely Docker and Kubernetes. The campaign exploits Docker for initial access, deploying a cryptocurrency miner on infected containers before retrieving and executing a number of malicious payloads. These payloads are dedicated to lateral movement from the infected container to related hosts running Docker, Kubernetes, or SSH. One such payload is used to identify and compromise Kubernetes’ kubelet API. The kubelet API provides a way to programmatically manage pods (logical groups of containers) within a Kubernetes node. If compromised, a threat actor can use this API endpoint to deploy additional resources and execute malware on the containers themselves."
https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html
- Crypto-Stealing Code Lurking In Python Package Dependencies
"On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets."
https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-dependencies/
https://hackread.com/pypi-malware-crypto-wallet-tools-steal-private-keys/
- Watch Out! Mobidash Android Adware Spread Through Phishing And Online Links
"Someone is trying very hard to infect your Android device with malicious adware. ThreatDown’s Android experts recently became aware of a campaign spreading MobiDash adware for Android using phishing emails, links on social media posted by people or bots, and at least one pornography website (xnxxvideosporn[.]net)."
https://www.threatdown.com/blog/watch-out-mobidash-android-adware-spread-through-phishing-and-online-links/
https://www.malwarebytes.com/blog/news/2024/10/android-users-targeted-on-facebook-and-porn-sites-served-adware
- Key Group: Another Ransomware Group Using Leaked Builders
"Key Group, or keygroup777, is a financially motivated ransomware group primarily targeting Russian users. The group is known for negotiating with victims on Telegram and using the Chaos ransomware builder. The first public report on Key Group’s activity was released in 2023 by BI.ZONE, a cybersecurity solutions vendor: the attackers drew attention when they left an ideological note during an attack on a Russian user, in which they did not demand money. However, according to our telemetry, the group was also active in 2022. Both before and after the attack covered in the BI.ZONE report, the attackers demanded that money be transferred to a Bitcoin wallet."
https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
- Rhadamanthys Stealer Adds Innovative AI Feature In Version 0.7.0
"Rhadamanthys, an advanced information stealer first identified in 2022, has rapidly evolved into one of the most formidable tools in the cybercriminal landscape. Despite bans from underground forums for targeting entities within Russia and the former USSR, this malware remains active and dangerous, sold at prices starting at $250 for a 30-day license. Insikt Group’s latest analysis of Rhadamanthys Stealer v0.7.0 highlights its new and advanced features, including its use of artificial intelligence (AI) for optical character recognition (OCR). This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies. The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation."
https://www.recordedfuture.com/research/rhadamanthys-stealer-adds-innovative-ai-feature-version
https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf
https://thehackernews.com/2024/10/ai-powered-rhadamanthys-stealer-targets.html
- Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning
"Researchers at Palo Alto Networks discovered an automated scanning tool called Swiss Army Suite (S.A.S) during regular monitoring of telemetry data. Our research indicates that attackers used this tool to perform vulnerability scans not only on our customers' web services but also on various online websites. Our structured query language (SQL) injection detection model detected triggers containing unusual patterns that did not correlate to any known open-source or commercial automated vulnerability scanning tool."
https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/
Breaches/Hacks/Leaks
- Ransomware Attack Forces UMC Health System To Divert Some Patients
"Texas healthcare provider UMC Health System was forced to divert some patients to other locations after a ransomware attack impacted its operations. In an announcement published on its website late last week, which is offline at the time of writing, UMC disclosed it is responding to an IT outage impacting its network. While facilities remain open, all emergency and non-emergency cases will be diverted. The cause of the IT outage, according to the healthcare organization, was a ransomware attack."
https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-umc-health-system-to-divert-some-patients/
https://www.infosecurity-magazine.com/news/ransomware-forces-umc-divert/
https://securityaffairs.com/169198/cyber-crime/umc-health-system-cyberattack.html
General News
- GCC Countries And The Cybercriminal Services Market (2023–2024 Report)
"Dark web platforms provide a range of goods and services for cyberattacks: corporate infrastructure access, user credentials, breached databases, malware, and more. As this business has developed, so too has the number of attacks on companies; even a low-skilled hacker now has entry to the world of cybercrime. As part of our research into information security threats, we continuously monitor cybercriminal activity on dark web forums. By doing so, we can assess potential targets and attackers' interest in specific systems and industries. This report analyzes the cybercriminal services market for the Gulf Cooperation Council (GCC) countries in 2023–2024, with a focus on hacker interests and the hottest forum topics and industries, plus a cost breakdown of goods and services rendered."
https://global.ptsecurity.com/analytics/gulf-countries-as-a-commodity-in-the-market-on-criminal-cyber-services-2023-2024
https://www.darkreading.com/cyberattacks-data-breaches/uae-saudi-arabia-cyberattack-targets
- Reducing Credential Complexity With Identity Federation
"In this Help Net Security interview, Omer Cohen, Chief Security Officer at Descope, discusses the impact of identity federation on organizational security and user experience. He explains how this approach streamlines credential management and enhances security by leveraging trusted identity providers while simplifying the login process. Cohen further explores the common protocols and challenges associated with implementing identity federation, emphasizing the need for effective trust relationships and compatibility among various systems."
https://www.helpnetsecurity.com/2024/10/01/omer-cohen-descope-identity-federation/
- Ten Million Brits Hit By Fraud In Just Three Years
"Millions of Brits have fallen victim to fraud over the past three years, costing the wider economy an estimated £16bn ($21bn), according to a new study sponsored by Santander UK. The banking giant enlisted the help of cross-party think tank the Social Market Foundation (SMF) to poll 28,000 respondents across 15 European countries, to better understand the impact of fraud – most of which happens online today. It revealed that a fifth (21%) of respondents experienced fraud between 2021 and 2023, at a direct cost of £168bn."
https://www.infosecurity-magazine.com/news/ten-million-brits-hit-fraud-three/
- ISACA: European Security Teams Are Understaffed And Underfunded
"European IT security teams are overstressed, underfunded and suffering from major skills gaps and shortages, according to ISACA. The industry body polled over 1800 members across the region to better understand the challenges facing professionals in the sector. It revealed that 61% believe their team is understaffed: 19% claimed their organization has unfilled entry-level positions available, while 48% said the same about roles requiring experience, a university degree or other credentials. Worryingly, the latter two figures have dropped only a few percentage points since 2023, from 22% and 53% respectively."
https://www.infosecurity-magazine.com/news/isaca-european-security/
- Treasury Sanctions Members Of The Russia-Based Cybercriminal Group Evil Corp In Tri-Lateral Action With The United Kingdom And Australia
"Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating seven individuals and two entities associated with the Russia-based cybercriminal group Evil Corp, in a tri-lateral action with the United Kingdom’s Foreign, Commonwealth & Development Office (FCDO) and Australia’s Department of Foreign Affairs and Trade (DFAT). On December 5, 2019, OFAC designated Evil Corp, its leader and founder Maksim Viktorovich Yakubets and over a dozen Evil Corp members, facilitators, and affiliated companies pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757 (“E.O. 13694, as amended”)."
https://home.treasury.gov/news/press-releases/jy2623
https://www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanctions-bitpaymer-ransomware-charges/
https://therecord.media/evil-corp-cybercrime-eduard-benderskiy-russian-intelligence
https://www.bankinfosecurity.com/evil-corp-protected-by-ex-senior-fsb-official-police-say-a-26424
https://www.darkreading.com/threat-intelligence/lockbit-associates-arrested-evil-corp-bigwig-outed
https://www.infosecurity-magazine.com/news/evil-corp-lockbit-sanctions/
https://www.itnews.com.au/news/uk-sanctions-evil-corp-over-attacks-against-nato-allies-612086
https://www.theregister.com/2024/10/01/nca_names_alleged_evil_corp_kingpin/
https://www.theregister.com/2024/10/01/evil_corp_russia_relationship/
- LockBit Power Cut: Four New Arrests And Financial Sanctions Against Affiliates
"Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure. A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate. The Spanish officers seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group."
https://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates
https://www.bleepingcomputer.com/news/security/police-arrest-four-suspects-linked-to-lockbit-ransomware-gang/
https://therecord.media/evil-corp-cybercrime-lockbit-russia-aleksandr-ryzhenkov
https://www.bankinfosecurity.com/lockbit-evil-corp-targeted-in-anti-ransomware-crackdown-a-26422
https://cyberscoop.com/lockbit-arrests-ransomware-fbi-uk-nca-evil-corp/
https://www.securityweek.com/more-lockbit-hackers-arrested-unmasked-as-law-enforcement-seizes-servers/
https://www.theregister.com/2024/10/01/euro_cops_arrest_four_mystery/
- Gov't, Judicial IT Systems Beset By Access Control Bugs
"A veritable laundry list of high- and critical-severity bugs have been uncovered in software platforms used by government agencies across the US. Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities."
https://www.darkreading.com/vulnerabilities-threats/govt-judicial-it-systems-control-bugs
https://northantara.medium.com/critical-flaws-in-government-systems-put-legal-and-voter-data-at-risk-9a90457a1c8a
- Cracking The Cloud: The Persistent Threat Of Credential-Based Attacks
"As organizations increasingly adopt cloud technologies, cybercriminals have adapted their tactics to target these environments, but their primary method remains the same: exploiting credentials. Cloud adoption continues to rise, with the market expected to reach $600 billion during 2024. It increasingly attracts cybercriminals. IBM’s Cost of a Data Breach Report found that 40% of all breaches involved data distributed across multiple environments."
https://www.securityweek.com/cracking-the-cloud-the-persistent-threat-of-credential-based-attacks/
References
Electronic Transactions Development Agency (ETDA)