Cyber Threat Intelligence 03 October 2024
Telecom Sector
- The Fix For BGP's Weaknesses Has Big, Scary, Issues Of Its Own, Boffins Find
"The Resource Public Key Infrastructure (RPKI) protocol has "software vulnerabilities, inconsistent specifications, and operational challenges" according to a pre-press paper from a trio of German researchers. RPKI was designed to fix problems caused by the fact that Border Gateway Protocol (BGP) – the protocol that manages the routes traffic can traverse across the internet – was not secure by design. The newer protocol theoretically fixes that by adding Route Origin Validation (ROV) and Route Origin Authorization (ROA) – techniques that let network operators verify that advertised routes are authentic and represent accurate BGP announcements."
https://www.theregister.com/2024/10/02/rpki_immaturity_study/
https://arxiv.org/pdf/2409.14518
New Tooling
- Suricata: Open-Source Network Analysis And Threat Detection
"Suricata is an open-source network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring engine. Suricata offers comprehensive capabilities for network security monitoring (NSM), including logging HTTP requests, capturing and storing TLS certificates, and extracting files from network flows for disk storage. Its support for full packet capture (pcap) simplifies in-depth traffic analysis."
https://www.helpnetsecurity.com/2024/10/02/suricata-open-source-network-analysis-threat-detection/
https://github.com/OISF/suricata
Vulnerabilities
- DrayTek Fixed Critical Flaws In Over 700,000 Exposed Routers
"DrayTek has released security updates for multiple router models to address 14 vulnerabilities of varying severity, including a remote code execution flaw that received the maximum CVSS score of 10. The flaws, which Forescout Research – Vedere Labs discovered, impact both actively supported models and models that have reached end-of-life. However, due to the severity, DrayTek has provided fixes for routers in both categories. The researchers warned that their scans revealed that approximately 785,000 DrayTek routers might be vulnerable to the newly discovered set of flaws, with over 704,500 having their web interface exposed to the internet."
https://www.bleepingcomputer.com/news/security/draytek-fixed-critical-flaws-in-over-700-000-exposed-routers/
https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html
https://cyberscoop.com/research-reveals-vulnerabilities-in-routers-that-left-700000-plus-exposed/
https://securityaffairs.com/169267/security/draytek-routers-flaws-impacts-700000-devices.html
https://www.theregister.com/2024/10/02/draytek_routers_bugs/
- When CUPS Runneth Over: The Threat Of DDoS
"Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity. The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an “infinite loop” of requests."
https://www.akamai.com/blog/security-research/2024/oct/october-cups-ddos-threat
https://therecord.media/ddos-attacks-cups-linux-print-vulnerability
https://www.darkreading.com/vulnerabilities-threats/unix-printing-vulnerabilities-easy-ddos-attacks
https://www.securityweek.com/after-code-execution-researchers-show-how-cups-can-be-abused-for-ddos-attacks/
https://hackread.com/old-linux-vulnerability-exploited-ddos-attacks-cups/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-29824 Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/02/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/critical-ivanti-rce-flaw-with-public-exploit-now-used-in-attacks/
https://securityaffairs.com/169279/security/u-s-cisa-adds-ivanti-epm-flaw-known-exploited-vulnerabilities-catalog.html
Malware
- Thousands Of Adobe Commerce Stores Hacked In Competing CosmicSting Campaigns
"Cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. Among the victims are Ray Ban, National Geographic, Cisco, Whirlpool and Segway. Seven distinct groups are using CosmicSting attacks to plant malicious code on victim stores. Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warnings, five percent of all Adobe Commerce and Magento stores ended up with a payment skimmer on their checkout page this summer."
https://sansec.io/research/cosmicsting-fallout
https://thehackernews.com/2024/10/alert-adobe-commerce-and-magento-stores.html
- FIN7 Hosting Honeypot Domains With Malicious AI DeepNude Generators – New Silent Push Research
"Silent Push Threat Analysts have observed the FIN7 group (aka Sangria Tempest) using new tactics in their malware and phishing attacks. We found that FIN7 has created at least seven websites serving malware to visitors looking to use an “AI Deepnude generator.” The threat group is also continuing to use browser extension honeypots, previously written about by Silent Push. Organizations may become vulnerable as FIN7 lures unsuspecting employees to download malicious files. These files may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware."
https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/
https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake-nude-generator-sites-to-spread-malware/
- Fake Browser Updates Spread Updated WarmCookie Malware
"A new 'FakeUpdate' campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie backdoor. FakeUpdate is a cyberattack strategy used by a threat group known as 'SocGholish' who compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN. When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, like info-stealers, cryptocurrency drainers, RATs, and even ransomware."
https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-updated-warmcookie-malware/
- Warnings Mount Over Fake North Korean IT Workers
"The German federal domestic intelligence agency is adding to warnings over North Korean IT workers obtaining remote work in Western tech companies. The Federal Office for the Protection of the Constitution in a Tuesday advisory acknowledged that German companies have fallen for the scam, in which North Korean IT workers use fake identities and VPNs to conceal their true nature."
https://www.bankinfosecurity.com/warnings-mount-over-fake-north-korean-workers-a-26430
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2024-10-01-security-advisory.pdf
- Stonefly: Extortion Attacks Continue Against U.S. Targets
"Symantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45, Silent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the U.S., despite being the subject of an indictment and a multi-million dollar reward. Symantec, part of Broadcom, found evidence of intrusions against three different organizations in the U.S. in August of this year, a month after the indictment was published. While the attackers didn’t succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated. All the victims were private companies and involved in businesses with no obvious intelligence value."
https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion
https://thehackernews.com/2024/10/andariel-hacker-group-shifts-focus-to.html
https://therecord.media/north-korea-hackers-andariel-stonefly-ransomware
https://www.darkreading.com/vulnerabilities-threats/stonefly-apt-us-private-cos-north-korean-profit
https://www.infosecurity-magazine.com/news/stonefly-targets-us-firms-new/
- Silent Intrusion: Unraveling The Sophisticated Attack Leveraging VS Code For Unauthorized Access
"Cyble Research and Intelligence Lab (CRIL) uncovered a campaign that leverages a suspicious .LNK file as the initial attack vector. This file, potentially delivered via spam emails, downloads a Python distribution package that is then used to execute an obfuscated Python script retrieved from a paste site. At the time of publishing this research, this script had no detections on VirusTotal (VT), making it difficult to identify through standard security measures."
https://cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/
https://www.darkreading.com/endpoint-security/python-malware-slithers-legit-vs-code
- Pig Butchering Alert: Fraudulent Trading App Targeted iOS And Android Users
"Since May 2024, Group-IB analysts have detected a number of fake mobile applications disguised as trading platforms in various regions. All of these applications were developed for the Android platform using a single cross-platform development framework. One of the applications discovered was distributed through the official Google Play store, while a similar application targeting iOS devices was found shortly after. Unlike conventional mobile trojans such as the GoldPickaxe that Group-IB’s analysts first discovered in February 2024, these suspicious applications lacked the typical malicious features. Instead, cybercriminals created a facade of a legitimate trading platform to defraud its victims."
https://www.group-ib.com/blog/pig-butchering/
https://thehackernews.com/2024/10/fake-trading-apps-target-victims.html
https://hackread.com/pig-butchering-fake-apps-crypto-apple-google-play-stores/
- Finding a Needle In a Haystack: Machine Learning At The Forefront Of Threat Hunting Research
"In the ever-evolving landscape of cybersecurity, logs, that is, information collected from various sources like network devices, endpoints, and applications, play a crucial role in identifying and responding to threats. By analyzing this data, organizations can detect anomalies, pinpoint malicious activity, and mitigate potential cyberattacks before they cause significant damage. However, the sheer volume and complexity of logs often make them challenging to analyze effectively."
https://securelist.com/machine-learning-in-threat-hunting/114016/
- How Cloudflare Auto-Mitigated World Record 3.8 Tbps DDoS Attack
"Since early September, Cloudflare's DDoS protection systems have been combating a month-long campaign of hyper-volumetric L3/4 DDoS attacks. Cloudflare’s defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked at 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation were fully autonomous. The graphs below represent two separate attack events that targeted the same Cloudflare customer and were mitigated autonomously."
https://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/
https://www.securityweek.com/record-breaking-ddos-attack-peaked-at-3-8-tbps-2-14-billion-pps/
- Separating The Bee From The Panda: CeranaKeeper Making a Beeline For Thailand
"ESET researchers observed several campaigns targeting governmental institutions in Thailand, starting in 2023. These attacks leveraged revamped versions of components previously attributed by other researchers to the China-aligned advanced persistent threat (APT) group Mustang Panda, and later, a new set of tools that abuse service providers such as Pastebin, Dropbox, OneDrive, and GitHub to execute commands on compromised computers and exfiltrate sensitive documents."
https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
https://web-assets.esetstatic.com/wls/en/papers/white-papers/ceranakeeper.pdf
https://thehackernews.com/2024/10/china-linked-ceranakeeper-targeting.html
https://www.darkreading.com/cyberattacks-data-breaches/new-china-backed-apt-group-culling-thai-government-data
- Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware
"Proofpoint researchers identified a campaign impersonating the British postal carrier Royal Mail delivering Prince ransomware. Prince is a ransomware variant freely available on GitHub with a “disclaimer” that it is only designed for educational purposes. The campaign occurred in mid-September and targeted people in the UK and the U.S. The activity was low-volume and impacted a small number of organizations. Notably, in most cases the messages appear to originate via contact forms posted on the target organizations’ websites, indicating the actor does not exclusively target organizations via email directly, but also from public contact forms."
https://www.proofpoint.com/us/blog/threat-insight/security-brief-royal-mail-lures-deliver-open-source-prince-ransomware
https://therecord.media/hackers-pose-as-british-postal-carrier-prince-ransomware
- How North Korean APT Groups Exploit DMARC Misconfigurations — And What You Can Do About It
"In the world of email security, nothing is foolproof — especially when misconfigurations open the door to attacks. Recently, the North Korean cybercrime group Kimsuky has shown just how dangerous those vulnerabilities can be, using poorly configured Domain-based Message Authentication, Reporting & Conformance (DMARC) policies to run spear-phishing campaigns. This isn’t just a geopolitical concern; it’s a reminder that email security flaws, however small, can be exploited by anyone with malicious intent."
https://blog.barracuda.com/2024/10/02/north-korean-apt-groups-dmarc-misconfigurations
General News
- Normalizing Security Culture: Don’t Have To Get Ready If You Stay Ready
"October is National Cybersecurity Awareness Month in the U.S. when IT teams prep their annual security education and awareness training program. For many employees, this may be their only interaction with the security team outside of onboarding, submitting a help ticket, or a potential incident. But every person plays a part in the security function of the business every day, whether they realize it or not. As they do, they have the potential to be an asset or risk to the team’s security posture."
https://www.darkreading.com/cybersecurity-operations/normalizing-security-culture-get-ready
- Message Apps Widely Used In Intelligence Operations Against Ukrainian Military: SSSCIP Analysis
"Numerous attempts of russian hackers to obtain personal data of Ukrainian servicemen were recorded throughout the first half of 2024, reads the analytical report 'russian Cyber Operations' (H1 2024) by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). This personal data, such as surname and first name, passport data, and most importantly, place of service and military rank, are then used by the hackers to gain access to specific military systems."
https://cip.gov.ua/en/news/message-apps-widely-used-in-intelligence-operations-against-ukrainian-military-ssscip-analysis
https://hackread.com/russian-cyber-offensive-ukraines-military-infrastructure/
- Enhancing Firewall Management With Automation Tools
"In this Help Net Security interview, Raymond Brancato, CEO at Tufin, discusses the considerations organizations must weigh when selecting a next-generation firewall to effectively balance security needs with network performance."
https://www.helpnetsecurity.com/2024/10/02/raymond-brancato-tufin-firewall-management/
- CRI Guidance For Organisations During Ransomware Incidents
"Members of the Counter Ransomware Initiative are joining together, alongside insurance bodies, to issue guidance for organisations experiencing a ransomware attack and partner organisations supporting them. Acceding to ransom payment demands fuels the ransomware business model, and 2023 was the worst year on record for ransomware payments globally (Chainalysis)."
https://www.gov.uk/government/publications/cri-guidance-for-organisations-during-ransomware-incidents/cri-guidance-for-organisations-during-ransomware-incidents
https://www.bankinfosecurity.com/global-governments-release-new-ransomware-response-guidance-a-26436
- America’s Allies Are Shifting: Cyberspace Is About Persistence, Not Deterrence
"Something interesting is happening across America’s cyber allies. From the United Kingdom to the Netherlands, Japan, South Korea, and Canada, there is an evolution in cyber strategic thought taking root. The United States spearheaded this fresh approach to securing national interests in and through cyberspace with its 2023 Defend Forward strategy, which built on a 2018 strategy pivot. Now America’s allies are building on this momentum."
https://cyberscoop.com/cybersecurity-deterrence-persistence-richard-harknett-dod-strategy/
- Top 5 Myths Of AI & Cybersecurity
"The global rise of increasingly sophisticated cybercrimes creates daily challenges for the cybersecurity industry, as security professionals grapple with new and evolving attacks, complex IT architecture, and the integration of artificial intelligence (AI) into nefarious actors' tactics, techniques, and procedures (TTPs). As a result, cybersecurity practitioners feel a sense of urgency to stay at the forefront of technological advances to defend against a growing arsenal of exploits."
https://www.darkreading.com/vulnerabilities-threats/top-5-myths-ai-cybersecurity
- Manufacturers Rank As Ransomware's Biggest Target
"In the past year, the manufacturing industry has been the top target for ransomware groups, due to the sector's lack of technological advancement, even as its digital footprint continues to grow. According to a study released by Black Kite, the manufacturing sector accounts for 21% of ransomware attacks and places manufacturing entities at a significantly high risk, making them more than three times as likely to suffer a ransomware attack."
https://www.darkreading.com/vulnerabilities-threats/manufacturers-ransomwares-biggest-target
https://www.infosecurity-magazine.com/news/manufacturing-critical/
- MITRE Adds Mitigations To EMB3D Threat Model
"MITRE on Tuesday announced the full release of the EMB3D Threat Model, which now includes essential mitigations mapped to security controls specified in the Industrial Automation and Control Systems standard. Initially announced in December 2023 and officially released in May 2024, EMB3D is a framework offering information on the cyber threats targeting embedded devices used in critical infrastructure and other industries."
https://www.securityweek.com/mitre-adds-mitigations-to-emb3d-threat-model/
- Arrests In International Operation Targeting Cybercriminals In West Africa
"Eight individuals have been arrested as part of an ongoing international crackdown on cybercrime, dealing a major blow to criminal operations in Côte d’Ivoire and Nigeria. The arrests were made as part of INTERPOL’s Operation Contender 2.0, an initiative aimed at combating cyber-enabled crimes, primarily in West Africa, through enhanced international intelligence sharing."
https://www.interpol.int/en/News-and-Events/News/2024/Arrests-in-international-operation-targeting-cybercriminals-in-West-Africa
https://therecord.media/interpol-west-africa-cybercrime-group-cote-divoire
- Danger Is Still Lurking In The NVD Backlog
"On February 12, 2024, the NVD began slowing its processing and enrichment of new vulnerabilities, resulting in a backlog of over 18,000 vulnerabilities. On May 23, we wrote about The Real Danger Lurking in the NVD Backlog. It showed that 93.4% of new vulnerabilities had not been analyzed by the National Vulnerability Database (NVD) between February 12 and May 19, 2024. On May 29, NIST announced that it awarded a contract to a third-party, Maryland-based Analygence, to help address the backlog. Its announcement expressed confidence that “this additional support will allow us to return to the processing rates prior to February 2024 within the next few months.” It further stated that it expects the “backlog to be cleared by the end of the fiscal year.”"
https://vulncheck.com/blog/nvd-backlog-exploitation-lurking
https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
- Why System Resilience Should Mainly Be The Job Of The OS, Not Just Third-Party Applications
"Last week, a US congressional hearing regarding the CrowdStrike incident in July saw one of the company’s executives answer questions from policy makers. One point that caught my interest during the ensuing debate was the suggestion that future incidents of this magnitude could be avoided by some form of automated system recovery."
https://www.welivesecurity.com/en/cybersecurity/system-resilience-job-os-not-just-third-party-applications/
References
Electronic Transactions Development Agency (ETDA)