Cyber Threat Intelligence 04 October 2024
Industrial Sector
- TEM Opera Plus FM Family Transmitter
"Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-01
- Delta Electronics DIAEnergie
"Successful exploitation of these vulnerabilities could allow an attacker to retrieve records or cause a denial of service."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-03
- Subnet Solutions Inc. PowerSYSTEM Center
"Successful exploitation of these vulnerabilities could result in an attacker bypassing a proxy, creating a denial-of-service condition, or viewing sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-02
Vulnerabilities
- Cisco Patches Critical Vulnerability In Data Center Management Product
"Cisco on Wednesday announced patches for multiple vulnerabilities across its products, including a critical-severity flaw in Cisco Nexus Dashboard Fabric Controller (NDFC). Tracked as CVE-2024-20432 (CVSS score of 9.9), the critical bug affects the REST API and web UI of NDFC and could allow an authenticated, remote attacker to execute arbitrary commands on an affected device with network-admin privileges. “This vulnerability is due to improper user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI,” Cisco explains in its advisory."
https://www.securityweek.com/cisco-patches-critical-vulnerability-in-data-center-management-product/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-cmdinj-UvYZrKfr
- Unauthenticated Stored XSS Vulnerability In LiteSpeed Cache Plugin Affecting 6+ Million Sites
"This blog post is about the LiteSpeed Cache plugin vulnerability which is originally reported by TaiYou to the Patchstack bug bounty program for WordPress. We are collaborating with the researcher to release the content of this security advisory article. If you’re a LiteSpeed Cache user, please update the plugin to at least version 6.5.1."
https://patchstack.com/articles/unauthenticated-stored-xss-vulnerability-in-litespeed-cache-plugin-affecting-6-million-sites
https://www.infosecurity-magazine.com/news/litespeed-cache-plugin-flaw-allows/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-45519 Synacor Zimbra Collaboration Command Execution Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/03/cisa-adds-one-known-exploited-vulnerability-catalog
Malware
- Perfctl: A Stealthy Malware Targeting Millions Of Linux Servers
"In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you have a Linux server connected to the internet, you could be at risk. In fact, given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk."
https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
https://thehackernews.com/2024/10/new-perfctl-malware-targets-linux.html
https://www.bleepingcomputer.com/news/security/linux-malware-perfctl-behind-years-long-cryptomining-campaign/
https://www.darkreading.com/threat-intelligence/perfctl-fileless-malware-targets-millions-linux-servers
https://hackread.com/linux-malware-perfctl-hit-millions-mimick-system-files/
- Microsoft And DOJ Disrupt Russian FSB Hackers' Attack Infrastructure
"Microsoft and the Justice Department have seized over 100 domains used by the Russian ColdRiver hacking group to target United States government employees and nonprofit organizations from Russia and worldwide in spear-phishing attacks. In December, the United Kingdom and its Five Eyes allies linked this threat group to Russia's Federal Security Service (FSB), the country's internal security and counterintelligence service."
https://www.bleepingcomputer.com/news/security/microsoft-and-doj-seize-spear-phishing-domains-used-by-star-blizzard-russian-hackers/
https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/
https://therecord.media/doj-microsoft-seize-domains-russian-intelligence
https://www.bankinfosecurity.com/us-microsoft-seize-domains-used-in-russian-spear-phishing-a-26443
https://www.infosecurity-magazine.com/news/microsoft-us-govenment-disrupt/
https://cyberscoop.com/doj-microsoft-fsb-espionage-star-blizzard/
https://www.theregister.com/2024/10/03/russian_phishing_domains_seized/
- Stay Safe This Prime Day: Check Point Identifies Rise In Phishing Attacks And Scam Emails
"This October, Amazon Prime’s Big Deal Days are back! If you’re an Amazon Prime member, you won’t have to wait until Black Friday to find a bargain. But buyers beware – cyber criminals are eager to capitalize on the occasion. New research from Check Point Research (CPR) shows that over 100 different Prime-focused scam emails have been distributed to organizations and consumers in the past two weeks. A number of these emails impersonate Amazon Financial Services and request that consumers take action to update payment methods or similar."
https://blog.checkpoint.com/research/stay-safe-this-prime-day-check-point-identifies-rise-in-phishing-attacks-and-scam-emails/
- Threat Actor Believed To Be Spreading New MedusaLocker Variant Since 2022
"Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor."
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
https://www.theregister.com/2024/10/03/ransomware_spree_infects_100_orgs/
- SHROUDED#SLEEP: A Deep Dive Into North Korea’s Ongoing Campaign Against Southeast Asia
"The Securonix Threat Research team has uncovered an ongoing campaign, identified as SHROUDED#SLEEP, likely attributed to North Korea’s APT37 (also known as Reaper or Group123). This advanced persistent threat group is believed to be based in North Korea and is delivering stealthy malware to targets across Southeast Asian countries. APT37, unlike other APT groups from the region such as Kimsuky, has a long history of targeting countries outside of the expected South Korean targets. This includes a number of recent campaigns against Southeast Asia countries."
https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/
https://thehackernews.com/2024/10/north-korean-hackers-using-new.html
https://therecord.media/north-korea-malware-espionage-cambodia
Breaches/Hacks/Leaks
- Dutch Police: ‘State Actor’ Likely Behind Recent Data Breach
"The national Dutch police (Politie) says that a state actor was likely behind the data breach it detected last week. The attack compromised police office contact details, names, email addresses, phone numbers, and in some cases, private details. According to the original report, the attacker had hacked a police account and stole work-related contact details of multiple officers."
https://www.bleepingcomputer.com/news/security/dutch-police-state-actor-likely-behind-recent-data-breach/
https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html
- Radiology Provider Exposed Tens Of Thousands Of Patient Files
"An anonymous person has disclosed that they gained online access to a radiologist’s platform that hosted patient information using stolen credentials. I-MED Radiology is Australia’s leading medical imaging provider. Their clinics offer a range of imaging procedures including MRI, CT, x-ray, ultrasound, and nuclear medicine. The person said they found the credentials in a data set that came from another breach, meaning it’s highly likely that the account holder used the same credentials for more than one service."
https://www.malwarebytes.com/blog/news/2024/10/radiology-provider-exposes-tens-of-thousands-of-patient-files
- Detroit-Area Government Services Impacted By Cyberattack
"Wayne County, Michigan is dealing with a cyberattack that has shut down all government websites and limited the operations of several offices. Home to Detroit, the county is the largest in the state with more than 1.75 million residents. County spokesperson Doda Lulgjuraj told Recorded Future News that the investigation into the cyber incident is ongoing."
https://therecord.media/detroit-wayne-county-services-impacted-cyberattack
General News
- Three Hard Truths Hindering Cloud-Native Detection And Response
"According to Gartner, the market for cloud computing services is expected to reach $675 billion in 2024. Companies are shifting from testing the waters of cloud computing to making substantive investments in cloud-native IT, and attackers are shifting with them. As security teams level up to support the transition, we’re seeing three specific issues that impede cloud detection and response."
https://www.helpnetsecurity.com/2024/10/03/cloud-native-it/
- Spotting AI-Generated Scams: Red Flags To Watch For
"In this Help Net Security interview, Andrius Popovas, Chief Risk Officer at Mano Bank, discusses the most prevalent AI-driven fraud schemes, such as phishing attacks and deepfakes. He explains how AI manipulates videos and audio to deceive victims and highlights key red flags to watch for. Popovas also outlines strategies for professionals to stay ahead of these scams and the role of governments in combating AI fraud."
https://www.helpnetsecurity.com/2024/10/03/andrius-popovas-mano-bank-ai-fraud/
- 15% Of Office Workers Use Unsanctioned GenAI Tools
"Rigid security protocols — such as complex authentication processes and highly restrictive access controls — can frustrate employees, slow productivity and lead to unsafe workarounds, according to Ivanti."
https://www.helpnetsecurity.com/2024/10/03/employees-unsafe-security-protocols/
- Rogue AI: What The Security Community Is Missing
"Previously in this series, we’ve taken a deep dive into Rogue AI to understand what it is and how we can identify it. In the last blog, we also looked at possible mitigations. Our aim here is to help shape the debate around the future of cybersecurity threats and find the most effective ways to minimize the risks they pose to individuals, companies and society at large. In this piece, we’ll explore community efforts currently underway to assess AI risk. While there’s some great work being done, what they’re missing to date is the idea of linking causality with attack context."
https://www.trendmicro.com/en_us/research/24/j/rogue-ai-part-4.html
- Navigating The Complexities & Security Risks Of Multicloud Management
"Improper cloud security has cost organizations millions — sometimes even billions — in revenue in the past decade alone. A significant example is Japanese automaker Toyota, which suffered a data breach due to cloud misconfiguration, exposing the personal data of more than 2 million customers. Another example is Accenture, which in August 2021 fell victim to the LockBit ransomware group. Due to cloud misconfigurations, hackers gained access to and stole 6TB of proprietary client data, demanding a ransom of $50 million. These incidents highlight the catastrophic impact that cloud security failures can have."
https://www.darkreading.com/vulnerabilities-threats/navigating-complexities-security-risks-multicloud-management
- What Communications Companies Need To Know Before Q-Day
"After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing. Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online."
https://www.darkreading.com/ics-ot-security/communications-ict-q-day
- Ukraine-Russia Cyber Battles Tip Over Into The Real World
"As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel. The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram."
https://www.darkreading.com/cyberattacks-data-breaches/ukraine-russia-cyber-battles-tip-over-into-real-world
- Cybersecurity Spending On The Rise, But Security Leaders Still Feel Vulnerable
"Many security leaders are struggling to keep pace with the expanding attack surface, despite cybersecurity budgets increasing, Red Canary’s 2024 Security Operations Trends Report has found. Among survey respondents from the US, UK, Australia and the Nordics across a cross-section of organizations, 63% of security leaders said they had an increase in their budget in the past 12 months, but only 37% felt it was enough to ensure the business is secure. “I think what it tells us is you've had this big shift in the last couple years where the amount you have to protect is getting larger much more quickly,” Brian Beyer, CEO at Red Canary told Infosecurity."
https://www.infosecurity-magazine.com/news/cybersecurity-security-leaders/
- Crypto-Doubling Scams Surge Following Presidential Debate
"Security researchers have warned of a new wave of investment scams attempting to cash in on public awareness of the presidential debate last month. Netcraft said it found 24 such domains related to the debate, including 14 phishing sites using the word “debate” in their domain, such as “debatetrump[.]io,” and “tesladebate[.]com.” “All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both,” it explained. “Criminals likely use these personas to add legitimacy to their crypto investment theme – one political leader, one policy influencer – both conveying the perception of wealth and authority.”"
https://www.infosecurity-magazine.com/news/cryptodoubling-scams-surge/
- Email Phishing Attacks Surge As Attackers Bypass Security Controls
"Email phishing attacks rose by 28% in Q2 2024 compared to Q1, with attackers deploying effective ways to overcome defenses, according to a new Egress report. One prevalent tactic used by attackers was sending phishing emails from familiar accounts to bypass authentication protocols. In the period from April to June 2024, 44% of attacks were sent from internally compromised accounts, with 8% originating from an account within the organization’s supply chain."
https://www.infosecurity-magazine.com/news/email-phishing-surge-bypass/
- Trends: Hardware Gets AI Updates In 2024
"The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as “AI PCs.”"
https://securityintelligence.com/articles/trends-hardware-gets-ai-updates-2024/
- As Ransomware Attacks Surge, UK Privacy Regulator Investigating Fewer Incidents Than Ever
"As ransomware data breaches reach record high levels across the United Kingdom, the number of incidents being investigated by the country’s data protection regulator is dwindling to record lows, raising questions about its capacity and approach to the problem. Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) last year, only 87 were investigated — fewer than 7% — and just 19 of the 440 incidents reported in the first half of this year have been subjected to an investigation, fewer than 5%."
https://therecord.media/uk-ico-ransomware-investigations-data
- The State Of Generative AI In 2024
"Generative AI has taken the world by storm, transforming how individuals and businesses interact with and trust this new technology. With tools like ChatGPT, Grok, DALL-E, and Microsoft Copilot, everyday users are finding new ways to enhance productivity, creativity, and efficiency. However, as the integration of AI into daily life accelerates, so do the concerns around privacy and security."
https://www.webroot.com/blog/2024/10/03/opentext-report-raises-awareness-for-consumer-digital-life-protection-as-privacy/
Reference
Electronic Transactions Development Agency(ETDA)