Cyber Threat Intelligence 11 October 2024
Healthcare Sector
- The Global State Of Internet Of Healthcare Things (IoHT) Exposures On Public-Facing Networks
"Healthcare data breaches are on the rise, and they have consistently been the most expensive type of breach across all industries over the past 13 years. In this sector, the disruption caused by a breach goes beyond financial loss—it can directly affect patient care and human health. Censys investigated the exposure of various healthcare devices and data platforms online that interface with and in some scenarios allow unauthenticated access to sensitive medical data, including DICOM, PACS, and various electronic record and data exchange platforms."
https://censys.com/state-of-internet-of-healthcare-things/
https://cyberscoop.com/medical-devices-online-health-censys/
Industrial Sector
- ICS Patch Tuesday: Advisories Published By Siemens, Schneider, Phoenix Contact, CERT@VDE
"Industrial control system (ICS) security advisories were published on Tuesday by Siemens, Schneider Electric, Phoenix Contact and CERT@VDE. Siemens has published 13 new advisories. This is not uncommon for the company, but it does not show that its products are more vulnerable than the ones of other vendors. Instead, it should be viewed as proof of the industrial giant’s significant investment in the security of its products."
https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siemens-schneider-phoenix-contact-certvde/
https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one-industrial-control-systems-advisories
Vulnerabilities
- GitLab Warns Of Critical Arbitrary Branch Pipeline Execution Flaw
"GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. The vulnerability, which is tracked as CVE-2024-9164, allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository. CI/CD pipelines are automated processes that perform tasks such as building, testing, and deploying code, normally available only to users with appropriate permissions."
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arbitrary-branch-pipeline-execution-flaw/
- Experts Warn Of Critical Unpatched Vulnerability In Linear eMerge E3 Systems
"Cybersecurity researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands. The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. "A vulnerability in the Nortek Linear eMerge E3 allows remote unauthenticated attackers to cause the device to execute arbitrary command," SSD Disclosure said in an advisory for the flaw released late last month, stating the vendor has yet to provide a fix or a workaround."
https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html
https://ssd-disclosure.com/ssd-advisory-nortek-linear-emerge-e3-pre-auth-rce/
Malware
- US, UK Warn Of Russian APT29 Hackers Targeting Zimbra, TeamCity Servers
"U.S. and U.K. cyber agencies warned today that APT29 hackers linked to Russia's Foreign Intelligence Service (SVR) target vulnerable Zimbra and JetBrains TeamCity servers "at a mass scale." A joint advisory issued by the NSA, the FBI, the U.S. Cyber Command's Cyber National Mission Force (CNMF), and the U.K.'s NCSC warns network defenders to patch exposed servers to block these ongoing attacks. The four cyber agencies said the hacking group targets unpatched Zimbra and TeamCity servers exposed online "at a mass scale to target victims worldwide across a variety of sectors " using CVE-2022-27924 and CVE-2023-42793 exploits."
https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/
https://www.ic3.gov/Media/News/2024/241010.pdf
- Akira And Fog Ransomware Now Exploit Critical Veeam RCE Flaw
"Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. Code White security researcher Florian Hauser found that the security flaw, now tracked as CVE-2024-40711, is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit in low-complexity attacks."
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/
- Ghidra Data Type Archive For Windows Driver Functions
"While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly. This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers. Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions."
https://blog.talosintelligence.com/ghidra-data-type-archive-for-windows-drivers/
https://github.com/Cisco-Talos/Windows-drivers-GDT-file
- Technical Analysis Of a Novel IMEEX Framework
"The IMEEX framework is a newly discovered, custom-built malware designed to target Windows systems. Delivered as a 64-bit DLL, it offers attackers extensive control over compromised machines. This framework is notable for its robust capabilities, featuring a wide array of functionalities, including execution of additional modules, file manipulation, process management, registry modification, and remote command execution."
https://intezer.com/blog/research/technical-analysis-of-a-novel-imeex-framework/
- The Mongolian Skimmer: Different Clothes, Equally Dangerous
"A few weeks ago, while consulting skimming threat intel sources Jscrambler researchers stumbled across a new skimming campaign that, at first glance, stood out because of the JavaScript obfuscation it exhibits. Some people raised the question if this was a new obfuscation technique, probably because the code is using weird accented characters. As part of a company that makes a JavaScript obfuscation tool, the team could tell immediately that it is not. The obfuscation author just used unusual Unicode characters for variables and function names. But that has been done before and it’s hardly an obstacle."
https://jscrambler.com/blog/the-mongolian-skimmer
https://thehackernews.com/2024/10/cybercriminals-use-unicode-to-hide.html
https://securityaffairs.com/169632/malware/skimming-campaign-mongolian-skimmer.html
- PureLogs: The Low-Cost Infostealer With a High-Impact Threat
"The infostealer landscape is a crowded and constantly evolving market with countless strains, each with its own unique methods for compromising systems and exfiltrating data. This stolen data is a goldmine for threat actors, providing access to a treasure trove of sensitive information—such as every user name, password, and credit card number stored on a victim’s browser."
https://flashpoint.io/blog/purelogs-low-cost-infostealer-high-impact-threat/
- MisterioLNK: The Open-Source Builder Behind Malicious Loaders
"Cyble Research and Intelligence Labs (CRIL) has uncovered a new, previously undetected loader builder known as “MisterioLNK.” This discovery follows our earlier analysis of Quantum Software, another LNK file-based builder that has been gaining traction in the cyber landscape. MisterioLNK, available on GitHub, presents a significant challenge to security defenses, as files generated by this tool currently exhibit minimal or zero detection rates by conventional security systems."
https://cyble.com/blog/misteriolnk-the-open-source-builder-behind-malicious-loaders/
- Lynx Ransomware: A Rebranding Of INC Ransomware
"In July 2024, researchers from Palo Alto Networks discovered a successor to INC ransomware named Lynx. Since its emergence, the group behind this ransomware has actively targeted organizations in various sectors such as retail, real estate, architecture, and financial and environmental services in the U.S. and UK."
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
Breaches/Hacks/Leaks
- Fidelity Investments Says Data Breach Affects Over 77,000 People
"Fidelity Investments, a Boston-based multinational financial services company, disclosed that the personal information of over 77,000 customers was exposed after its systems were breached in August. As one of the largest asset managers in the world, with $14.1 trillion in assets under administration and $5.5 trillion under management, Fidelity employs over 75,000 associates across 11 countries in North America, Europe, Asia, and Australia. In a filing with the Office of Maine's Attorney General, the company said that an unknown attacker stole data between August 17 and 19 using "two customer accounts that they had recently established.""
https://www.bleepingcomputer.com/news/security/fidelity-investments-says-data-breach-affects-over-77-000-people/
https://www.darkreading.com/cyberattacks-data-breaches/fidelity-notifies-77k-customers-data-breach
https://www.theregister.com/2024/10/10/fidelity_investment_data_breach/
- Underground Ransomware Claims Attack On Casio, Leaks Stolen Data
"The Underground ransomware gang has claimed responsibility for an October 5 attack on Japanese tech giant Casio, which caused system disruptions and impacted some of the firm's services. Earlier this week, Casio disclosed the attack on its website but withheld details about the incident, saying it had engaged external IT specialists to investigate whether personal data or other confidential information was stolen in the attack. Today, the Underground ransomware group has added Casio on its dark web extortion portal, leaking troves of data allegedly stolen from the Japanese firm."
https://www.bleepingcomputer.com/news/security/underground-ransomware-claims-attack-on-casio-leaks-stolen-data/
- Fore-Get About Privacy, Golf Tech Biz Leaves 32M Data Records On The Fairway
"Nearly 32 million records belonging to users of tech from Trackman were left exposed to the internet, sitting in a non-password protected database, for an undetermined amount of time, according to researcher Jeremiah Fowler. Trackman is a technology company that uses Doppler radar to analyze golf swings and shots. The PGA Tour, pro golfers, and amateurs use its products. In addition to the thousands of professionals, and 10,000-plus coaches and club-fitters, the company claims 90 of the world's top 100 players use Trackman tech, along with manufacturers including Bridgestone and Callaway, and major broadcasting companies like Golf Channel, ESPN, BBC, NHK, and CNN World."
https://www.theregister.com/2024/10/10/trackman_unprotected_database/
- Russian Cyber Firm Dr.Web Denies Data Leak By Pro-Ukraine Hackers
"Russian antivirus company Dr.Web denied on Wednesday that its customer data was leaked during a cyberattack earlier in September. The company released a statement after the pro-Ukraine group known as DumpForums claimed responsibility for the breach, stating they had stolen around 10 terabytes of data, including client databases. In response to DumpForums, Dr.Web said that the information published by the hackers “is mostly untrue,” adding that user data was not affected during the attack and that there are no security risks for customers."
https://therecord.media/russian-antivirus-company-drweb-denies-data-leak
https://www.securityweek.com/doctor-web-refutes-hackers-claims-of-user-data-theft/
General News
- Widening Talent Pool In Cyber With On-Demand Contractors
"Filling roles within the cyber sector is an ongoing battle. The shortfall of workers risks creating a vicious cycle within existing cyber teams: With fewer team members to spread the workload on, you risk burning out security professionals. Many make the mistake of valuing certifications over wider experiences, which neglects a person’s eagerness to learn or strong transferable skills that could make them a great fit for a cyber career with the right development opportunities."
https://www.helpnetsecurity.com/2024/10/10/widening-cyber-talent-pool/
- Investing In Privacy By Design For Long-Term Compliance
"In this Help Net Security interview, Bojan Belušić, Head of Information Security & IT Operations at Microblink, discusses the relationship between Privacy by Design and regulatory frameworks like GDPR. Integrating privacy principles from the outset of product and process development ensures compliance and enhances efficiency and effectiveness. He also addresses common challenges organizations face, particularly those with legacy systems, while advocating for a culture of awareness and continuous improvement in privacy and security practices."
https://www.helpnetsecurity.com/2024/10/10/bojan-belusic-microblink-privacy-by-design-principle/
- Balancing Legal Frameworks And Enterprise Security Governance
"In this Help Net Security interview, Tom McAndrew, CEO at Coalfire, discusses the balance organizations must strike between legal compliance and effective enterprise security governance in the context of evolving regulatory frameworks. McAndrew also addresses the need for clear governance structures and regular board reporting to effectively oversee cyber risks and incident response plans."
https://www.helpnetsecurity.com/2024/10/10/tom-mcandrew-coalfire-corporate-governance/
- Improving SecOps: How Simplification, Visibility, And Analytics Can Drive Success
"Recently, Command Zero released its “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders” report. The data in the report comes from interviews conducted with 352 security leaders over a period of 24 months. The respondents came from a variety of company sizes, industry verticals, and job titles."
https://www.securityweek.com/improving-secops-how-simplification-visibility-and-analytics-can-drive-success/
- Best Practices To Configure BIG-IP LTM Systems To Encrypt HTTP Persistence Cookies
"CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. F5 BIG-IP is a suite of hardware and software solutions designed to manage and secure network traffic. A malicious cyber actor could leverage the information gathered from unencrypted persistence cookies to infer or identify additional network resources and potentially exploit vulnerabilities found in other devices present on the network."
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies
- What NIST’s Latest Password Standards Mean, And Why The Old Ones Weren’t Working
"Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways website and organizations should handle password creation and management that will do away with many of the “common sense” things we’ve thought about passwords for years now."
https://blog.talosintelligence.com/threat-source-newsletter-oct-10-2024/
- State Of The Software Supply Chain
"As we mark the 10th annual State of the Software Supply Chain report, the transformation of open source software has been nothing short of profound. Open source consumption has exploded, with estimates placing this year’s downloads at over 6.6 trillion. This reliance on open source components, now making up to 90% of the modern software application, has ushered in both unprecedented innovation and complex challenges for software supply chains. Because of this, the industry has also become increasingly regulated, moving from a hands-off approach in the early 2010s to proactive frameworks that address growing cybersecurity risks in the global software supply chain."
https://www.sonatype.com/state-of-the-software-supply-chain/Introduction
https://cyberscoop.com/open-source-security-supply-chain-sonatype/
- Walking The Tightrope Between Innovation & Risk
"July's CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to enhance security and streamline operations. Using best-in-class technology is usually a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it's equally important to be cognizant of how that technology will be deployed and the amount of risk it can create."
https://www.darkreading.com/vulnerabilities-threats/walking-tightrope-innovation-risk
- Vulnerability Prioritization & The Magic 8 Ball
"Last month marks 25 years of operation for the CVE (Common Vulnerabilities and Exposures) program, launched in September 1999. It's difficult to imagine a world without CVEs. Much of the "vulnerability management" activities, before the CVE program became popular, relied on matching version numbers from remote scans and executing shady exploits found in dark places on the Internet to validate findings. We've come a long way when it comes to vulnerability tracking."
https://www.darkreading.com/vulnerabilities-threats/vulnerability-prioritization-magic-8-ball
- Over 240 Million US Breach Victims Recorded In Q3
"This year is unlikely to be a record one for data compromises, although Q3 saw a massive increase in supply chain attacks and nearly 242 million US breach victims, according to the Identity Theft Resource Center (ITRC). The non-profit tracks publicly reported US data breaches and accidental leaks, to compile its quarterly reports. The latest revealed a 77% quarterly decline in the number of data breach and leak victims – but that’s only because Q2’s figures (940 million) were inflated by two mega breaches at Ticketmaster and Advanced Auto Parts."
https://www.infosecurity-magazine.com/news/240-million-us-breach-victims-q3/
- Risk, Reward And Reality: Has Enterprise Perception Of The Public Cloud Changed?
"Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%. With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud resources."
https://securityintelligence.com/articles/risk-reward-reality-enterprise-perception-public-cloud/
- An Update On Disrupting Deceptive Uses Of AI
"OpenAI’s mission is to ensure that artificial general intelligence benefits all of humanity. We are dedicated to identifying, preventing, and disrupting attempts to abuse our models for harmful ends. In this year of global elections, we know it is particularly important to build robust, multi-layered defenses against state-linked cyber actors and covert influence operations that may attempt to use our models in furtherance of deceptive campaigns on social media and other internet platforms."
https://openai.com/global-affairs/an-update-on-disrupting-deceptive-uses-of-ai/
https://thehackernews.com/2024/10/openai-blocks-20-global-malicious.html
https://therecord.media/openai-disrupts-campaigns-misusing-tech-gov-officials-mull-ai
- Microsoft: BYOD, QR Codes Lead Rampant Education Attacks
"The education sector is facing thousands of cyberattacks per week these days — especially universities, a good portion of which experience at least one incident per week. Education was the third most targeted industry in the second quarter of 2024, according to Microsoft's latest "Cyber Signals" report. This finding corroborates data from Check Point Software, indicating that the education and research sectors now face more than 2,500 attacks weekly, up 15% over the past couple of years."
https://www.darkreading.com/threat-intelligence/byod-qr-codes-education-attacks
References
Electronic Transactions Development Agency (ETDA) - The Global State Of Internet Of Healthcare Things (IoHT) Exposures On Public-Facing Networks