Cyber Threat Intelligence 16 October 2024
Industrial Sector
- Siemens Siveillance Video Camera
"Successful exploitation of this vulnerability could allow an attacker to execute commands."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-289-01
- Schneider Electric Data Center Expert
"Successful exploitation of these vulnerabilities could allow an attacker to access private data."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-289-02
Vulnerabilities
- GitHub Patches Critical Vulnerability In Enterprise Server
"Code hosting platform GitHub has released patches for a critical-severity vulnerability in GitHub Enterprise Server that could lead to unauthorized access to affected instances. Tracked as CVE-2024-9487 (CVSS score of 9.5), the bug was introduced in May 2024 as part of the remediations released for CVE-2024-4985, a critical authentication bypass defect allowing attackers to forge SAML responses and gain administrative access to the Enterprise Server."
https://www.securityweek.com/github-patches-critical-vulnerability-in-enterprise-server/
- Splunk Enterprise Update Patches Remote Code Execution Vulnerabilities
"Splunk on Monday announced fixes for 11 vulnerabilities in Splunk Enterprise, two of which are high-severity bugs leading to remote code execution on Windows systems. The most severe of the flaws is CVE-2024-45733 (CVSS score of 8.8), an insecure session storage configuration issue that could allow a user without ‘admin’ or ‘power’ Splunk roles to execute code remotely."
https://www.securityweek.com/splunk-enterprise-update-patches-remote-code-execution-vulnerabilities/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability
CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability
CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
- New CounterSEVeillance And TDXDown Attacks Target AMD And Intel TEEs
"Security researchers continue to find ways to attack Intel and AMD processors, and the chip giants over the past week have issued responses to separate research targeting their products. The research projects were aimed at Intel and AMD trusted execution environments (TEEs), which are designed to protect code and data by isolating the protected application or virtual machine (VM) from the operating system and other software running on the same physical system."
https://www.securityweek.com/new-counterseveillance-and-tdxdown-attacks-target-amd-and-intel-tees/
https://www.stefangast.eu/papers/counterseveillance.pdf
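Picking up the CISA Known Exploited Vulnerabilities alert above: the script below is an added example for this digest, not CISA tooling. It triages a KEV catalog export against a host inventory, which is what a team actually does with a KEV update. The catalog snippet is constructed to mirror the public JSON schema (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) and carries the three CVEs from the alert; the dueDate values, the inventory, and the host names are assumptions for the example.

```python
"""Triage a CISA KEV catalog export against a local asset inventory.

Added example for this digest; not CISA tooling. KEV_SAMPLE is constructed
to match the public catalog's JSON schema; the dueDate values and the
inventory below are assumed, not taken from the real catalog.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-30088", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Kernel TOCTOU Race Condition Vulnerability",
         "dateAdded": "2024-10-15", "dueDate": "2024-11-05",  # dueDate assumed
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-9680", "vendorProject": "Mozilla", "product": "Firefox",
         "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
         "dateAdded": "2024-10-15", "dueDate": "2024-11-05",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-28987", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "vulnerabilityName": "SolarWinds Web Help Desk Hardcoded Credential Vulnerability",
         "dateAdded": "2024-10-15", "dueDate": "2024-11-05",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: which hosts run which vendor/product, and which KEV
# CVEs are already confirmed patched on them. Casing is deliberately mixed.
INVENTORY = [
    {"host": "dc01", "vendor": "Microsoft", "product": "Windows", "patched": set()},
    {"host": "ws-042", "vendor": "microsoft", "product": "windows", "patched": {"CVE-2024-30088"}},
    {"host": "jump01", "vendor": "Mozilla", "product": "Firefox", "patched": set()},
]


def _norm(s):
    """Case- and whitespace-insensitive key; KEV product strings are not always consistent."""
    return " ".join(s.casefold().split())


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def triage(entries, inventory, today):
    """One finding per (host, CVE) still open, most urgent first.

    Ordering: ransomware-linked entries first, then by days left to the BOD
    22-01 due date (binding for US federal civilian agencies, a useful SLA
    signal for everyone else), then by host name for a stable report.
    """
    findings = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        key = (_norm(e["vendorProject"]), _norm(e["product"]))
        for asset in inventory:
            if (_norm(asset["vendor"]), _norm(asset["product"])) != key:
                continue
            if e["cveID"] in asset["patched"]:
                continue
            findings.append({
                "host": asset["host"],
                "cve": e["cveID"],
                "name": e["vulnerabilityName"],
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(KEV_SAMPLE), INVENTORY, date.today()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:8} {f['cve']:16} {flag:10} {f['name']}")
```

Exact vendor/product matching is the weak point in real use: KEV names products inconsistently ("Windows" versus "Windows Server", for example), so a production version should map KEV entries to CPE or to your CMDB's own identifiers rather than string-match.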
Malware
- HijackLoader Evolution: Abusing Genuine Signing Certificates
"Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer” malware deployments via the “HijackLoader” malicious loader. On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate. In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and provides indicators of compromise."
https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/
https://thehackernews.com/2024/10/researchers-uncover-hijack-loader.html
- Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
"Red team tools, which identify and address weaknesses in an organization’s security infrastructure, are crucial to the improvement of its overall security posture. However, threat actors are continuously finding ways to repurpose these tools for malicious purposes. Recently, the Trend Micro Threat Hunting Team discovered EDRSilencer, a red team tool that is able to interfere with endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP). According to the author of this tool, it was inspired by the closed-source tool FireBlock by MdSec NightHawk."
https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-used-in-attacks-to-bypass-security/
- Hidden In Plain Sight: ErrorFather’s Deadly Deployment Of Cerberus
"The Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the most well-known banking trojans at the time. In 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps."
https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/
https://www.infosecurity-magazine.com/news/cerberus-android-banking-trojan/
- Beyond The Surface: The Evolution And Expansion Of The SideWinder APT Group
"SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal."
https://securelist.com/sidewinder-apt/114089/
- Technical Analysis Of DarkVision RAT
"DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT’s capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft. In July 2024, Zscaler ThreatLabz observed attackers using DarkVision RAT alongside PureCrypter. In this blog, we will break down the attack chain behind these DarkVision RAT infections, and provide an in-depth analysis of the RAT’s functionality, including its core features, network communication protocol, commands, and plugins."
https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat
https://thehackernews.com/2024/10/new-malware-campaign-uses-purecrypter.html
Breaches/Hacks/Leaks
- Volkswagen Says IT Infrastructure Not Affected After Ransomware Gang Claims Data Theft
"The Volkswagen Group has issued a statement after a known ransomware group claimed to have stolen valuable information from the carmaker’s systems. “This incident is known,” a Volkswagen spokesperson told SecurityWeek, adding, “The IT infrastructure of the Volkswagen Group is not affected. We are continuing to monitor the situation closely.” The Volkswagen Group owns car brands such as Volkswagen, Skoda, Seat, Audi, Lamborghini, Porsche, Cupra, and Bentley."
https://www.securityweek.com/volkswagen-says-it-infrastructure-not-affected-after-ransomware-gang-claims-data-theft/
- Calgary Public Library Forced To Limit Services After Cyberattack
"Calgary residents will have limited access to services at their local libraries following a cyberattack on the city's public library system. The organization, which runs 22 branches for the city’s 1.3 million residents, first notified the public of issues on Friday — warning that a “cybersecurity breach” compromised some of its systems. The library closed early on Friday and all servers or library computers were turned off. On Monday, the library said all locations will be open for regular hours by Wednesday but service will be modified. Customers “will have access to Library spaces and services that do not require technology.”"
https://therecord.media/calgary-public-library-limits-services
General News
- The Lingering Beige Desktop Paradox
"When I started out my career in security everything was an adventure — new technologies, new opportunities, and new lessons to learn. Some of those lessons have stayed with me over the years. Simple on the surface, these lessons have had a significant impact and proved valuable over time. Yet, when I look at the wider industry, I often find myself vexed at the current state of affairs."
https://www.darkreading.com/endpoint-security/the-lingering-beige-desktop-paradox
- The NHI Management Challenge: When Employees Leave
"An employee is exiting your organization. Regardless of the terms of departure, an ex-staffer has the potential when they leave or change roles to impact a wide range of non-human identities, digital credentials, and other secrets. Those secrets include the credentials for accessing corporate networks, sending and receiving email, and sharing files. For each non-human identity in an enterprise, an average of 92 non-human identities (NHIs) are created. When employees exit, NHIs can become unmanaged, and in many cases, exposed to exploitation."
https://www.helpnetsecurity.com/2024/10/15/nhi-management-challenge/
- How Nation-States Exploit Political Instability To Launch Cyber Operations
"In this Help Net Security interview, Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, discusses the impact of geopolitical tensions on the frequency and sophistication of cyberattacks. He explains how nation-states and politically motivated groups exploit unrest for strategic advantages, providing examples of recent conflicts and their cyber implications."
https://www.helpnetsecurity.com/2024/10/15/ismael-valenzuela-blackberry-political-instability-cyber-operations/
- Data Breaches Trigger Increase In Cyber Insurance Claims
"Cyber claims have continued their upwards trend over the past year, driven in large part by a rise in data and privacy breach incidents, according to Allianz. The frequency of large cyber claims (>€1 million) in the first six months of 2024 was up 14% while severity increased by 17%, according to the insurer’s claims analysis, following just a 1% increase in severity during 2023. Data and privacy breach-related elements are present in two thirds of these large losses. Overall, the total number of cyber claims in 2024 is expected to stabilize, following a 30% increase in frequency during 2023, which resulted in 700+ claims."
https://www.helpnetsecurity.com/2024/10/15/cyber-claims-frequency/
- Guidance: Framing Software Component Transparency: Establishing a Common Software Bill Of Materials (SBOM)
"Today, CISA published the Framing Software Component Transparency, created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. This resource serves as the detailed foundation of SBOM, defining SBOM concepts and related terms and offering an updated baseline of how software components are to be represented. This document serves as a guide on the processes around SBOM creation."
https://www.cisa.gov/news-events/alerts/2024/10/15/guidance-framing-software-component-transparency-establishing-common-software-bill-materials-sbom
https://www.cisa.gov/resources-tools/resources/framing-software-component-transparency-2024
- Finland Seizes Servers Of 'Sipultie' Dark Web Drugs Market
"The Finnish Customs office took down the website and seized the servers for the darknet marketplace ‘Sipulitie’ where criminals sold illegal narcotics anonymously. The agency's announcement earlier today says that the site catered to both Finnish and English-speaking users, and that its operator claimed a turnover of 1.3 million Euros (approximately $1.42 million). The operation was possible thanks to an international collaboration involving the Finnish Customs, Europol, the Swedish police, Polish law enforcement authorities, and researchers at Bitdefender cybersecurity company."
https://www.bleepingcomputer.com/news/legal/finland-seizes-servers-of-sipultie-dark-web-drugs-market/
https://therecord.media/sweden-filand-take-down-sipulitie-criminal-marketplace
https://www.bankinfosecurity.com/european-police-make-headway-against-darknet-drug-markets-a-26535
https://hackread.com/authorities-seize-dark-web-marketplaces-sipulitie-tsatti/
- New ThreatLabz Report: Mobile Remains a Top Threat Vector With 111% Spyware Growth While IoT Attacks Rise 45%
"The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving frontiers in enterprise cybersecurity: mobile, the internet of things (IoT), and operational technology (OT) systems. Today, 96.5% of people access the internet with a mobile device, while 59% of internet traffic is generated by mobile devices. Meanwhile, OT and cyber-physical systems, once air-gapped and isolated from the internet, have rapidly become integrated into enterprise networks, where threats can proliferate."
https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobile-remains-top-threat-vector-111-spyware-growth
https://www.bleepingcomputer.com/news/security/over-200-malicious-apps-on-google-play-downloaded-millions-of-times/
https://www.infosecurity-magazine.com/news/eight-million-download-200-mal/
- Backdoors, Supply Chain Attacks, And Other Threats To Large Language Models
"In the previous blog post, we discussed large language models (LLMs) and the concept of prompt injection. In this post, we'll explore the advanced threats posed by AI backdoors and supply chain attacks and how they differ from traditional security challenges."
https://blog.barracuda.com/2024/10/15/backdoors--supply-chain-attacks--and-other-threats-to-large-lang
- Organizations Can Substantially Lower Vulnerabilities With Secure-By-Design Practices, Report Finds
"Large organizations that train developers with secure-by-design practices can reliably reduce the number of vulnerabilities introduced into software products by more than 50%, according to a new report from Secure Code Warrior."
https://cyberscoop.com/secure-by-design-return-investment-code-warrior/
https://cyberscoop.com/wp-content/uploads/sites/3/2024/10/Developer-Readiness-Analysis-Secure-by-Design-10.15.24.pdf
- Cyberattackers Unleash Flood Of Potentially Disruptive Election-Related Activity
"Cyber-threat actors have ramped up their targeting of the 2024 US elections with a flood of malicious activity expected to peak over the next month, aimed at causing disruption to voters and the election process and requiring increased vigilance on the part of stakeholders. Specifically, attackers have bolstered election-related threat activity since the beginning of the year with an increase in the sale of phishing kits targeting US voters and campaign donors; the registration of more than 1,000 domains aimed at exploiting election-related content for malicious purposes; and increased ransomware activity targeting government entities, according to research from FortiGuard Labs Threat Research released today."
https://www.darkreading.com/cyberattacks-data-breaches/attackers-unleash-flood-potentially-disruptive-election-related-activity
https://www.fortinet.com/content/dam/fortinet/assets/intelligence-reports/FortiGuard-Labs-2024-US-Election-Security-Report.pdf
https://www.infosecurity-magazine.com/news/darknet-activity-increases/
https://www.securityweek.com/election-day-is-close-the-threat-of-cyber-disruption-is-real/
- LLMs Are a New Type Of Insider Adversary
"Today, security teams are treating large language models (LLMs) as a vital and trusted business tool that can automate tasks, free up employees to do more strategic functions, and give their company a competitive edge. However, the inherent intelligence of LLMs gives them unprecedented capabilities like no other enterprise tool before. The models are inherently susceptible to manipulation, so they behave in ways they aren't supposed to, and adding more capabilities makes the impact of that risk even more severe."
https://www.darkreading.com/vulnerabilities-threats/llms-are-new-type-insider-adversary
- CISOs' Privacy Responsibilities Keep Growing
"Years ago, when Mark Eggleston was tasked with building a privacy program for a national healthcare provider, he saw firsthand the importance of cross-functional collaboration. "I needed legal experts to debate the HIPAA Privacy, NPRM [Notice of Proposed Rulemaking], final rule, and guidance and convert those requirements into internal policies," Eggleston recalls. "CISOs can bring efficiency and reliance to these procedures by implementing technical controls.""
https://www.darkreading.com/cybersecurity-operations/cisos-privacy-responsibilities-keep-growing
- Most Organizations Unprepared For Post-Quantum Threat
"Despite NIST’s recent publication of post-quantum encryption standards, many organizations have not begun preparing for the post-quantum threat, according to a new report by the Entrust Cybersecurity Institute. In August, NIST published its first three finalized post-quantum encryption standards, outlining usage and implementation guidelines for organizations entering a new era of quantum cryptography."
https://www.infosecurity-magazine.com/news/orgs-unprepared-postquantum-threat/
https://www.entrust.com/resources/reports/ponemon-post-quantum-report
- Microsoft Digital Defense Report 2024
"In the last year, the cyber threat landscape continued to become more dangerous and complex. The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders. Even Microsoft has been the victim of well-orchestrated attacks by determined and well-resourced adversaries, and our customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks."
https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024
https://therecord.media/ransomware-healthcare-microsoft-last-year
https://www.infosecurity-magazine.com/news/nation-states-cybercriminals/
https://cyberscoop.com/ransomware-encryption-down-attacks-up-nation-state-crime/
https://www.securityweek.com/cybercriminals-are-increasingly-helping-russia-and-china-target-the-us-and-allies-microsoft-says/
https://www.theregister.com/2024/10/15/microsoft_ransomware_attacks/
- CISO Conversations: Julien Soriano (Box) And Chris Peake (Smartsheet)
"Julien Soriano and Chris Peake are CISOs for primary collaboration tools: Box and Smartsheet. As always in this series, we discuss the route toward, the role within, and the future of being a successful CISO."
https://www.securityweek.com/ciso-conversations-julien-soriano-box-and-chris-peake-smartsheet/
- Organizations Slow To Protect Doors Against Hackers: Researcher
"A significant percentage of organizations whose door access controllers have been analyzed by a cybersecurity researcher have failed to take any action to protect them against hacker attacks. The research was conducted by Shawn Merdinger, who in 2010 showed how S2 Security door access controllers used by schools, hospitals, and other organizations could have been remotely hacked."
https://www.securityweek.com/organizations-slow-to-protect-doors-against-hackers-researcher/
- Hong Kong Police Bust Fraud Ring That Used Face-Swapping Tech For Romance Scams
"Hong Kong police have arrested 27 people for allegedly carrying out romance scams using deepfake face-swapping technology that swindled victims out of $46 million. The syndicate operated out of a 4,000 square foot building in the residential Hung Hom neighborhood of Hong Kong, police said on Monday during a press conference."
https://therecord.media/hong-kong-police-bust-romance-scammers-face-swapping-deepfakes
- Google’s Heather Adkins On Infostealers, Two-Factor Authentication And Fixing The Security ‘mess’ For Future Generations
"Heather Adkins, the vice president of security engineering at Google, has spent more than two decades at the company. As head of its Office of Cybersecurity Resilience, she is responsible for safeguarding the tech giant’s networks, systems and applications. Adkins’ work isn’t confined to the private sector, however. She sits on the federal government’s Cyber Safety Review Board (CSRB), which has taken on a leading role in investigating significant cybersecurity incidents."
https://therecord.media/healther-adkins-interview-future-generations
- Vulnerable Instances Of Log4j Still Being Used Nearly 3 Years Later
"Almost three years after the discovery of the Log4Shell vulnerability, 13% of active Log4j installations are running vulnerable versions. According to new research by Sonatype, while 13% is an improvement, it should be near zero based on the broad public awareness of the vulnerability. Research done by Sonatype in 2022 found 40% of downloads were the known critically vulnerable versions. Its research in both 2022 and 2023 found that 96% of vulnerable components downloaded had a fixed, non-vulnerable version available."
https://www.scworld.com/news/vulnerable-instances-of-log4j-still-being-used-nearly-3-years-later
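The 13% figure above is measured at the download side; the question for a defender is whether any of those versions are still inside their own deployed artifacts, where log4j-core is usually buried in a fat jar or WAR rather than sitting on disk by itself. The script below is an added example for this digest, not Sonatype's tooling. It walks Java archives recursively (nested jars included), reads the log4j-core version from the Maven pom.properties (falling back to the file name), classifies it against CVE-2021-44228 and CVE-2021-45046 including the 2.3.x and 2.12.x backport lines, and also reports whether JndiLookup.class is present, so a jar that was "hot-patched" by deleting that class is distinguished from one that is still exposed. The archives it scans are constructed in memory with placeholder class bodies so the example runs offline.

```python
"""Scan Java archives, nested jars included, for Log4Shell-affected log4j-core.

Added example for this digest, not Sonatype's tooling. The archives scanned
by main() are constructed in memory (placeholder class bodies) so the scan
runs offline; feed scan_archive() the bytes of a real jar/war in practice.
"""
import io
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def log4shell_status(version):
    """Classify a log4j-core version against CVE-2021-44228 / CVE-2021-45046.

    Fixed lines: 2.16.0+, plus the backports 2.12.2+ (Java 7) and 2.3.1+ (Java 6).
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        return "unknown version format"
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre, pre_num = m[4], int(m[5] or 0)
    if major != 2:
        return "not affected (Log4Shell is a 2.x bug; 1.x is EOL with other issues)"
    if pre:
        # The JNDI lookup that Log4Shell abuses first shipped in 2.0-beta9.
        vulnerable = pre == "rc" or (pre == "beta" and pre_num >= 9)
        return "vulnerable (CVE-2021-44228)" if vulnerable else "not affected"
    v = (major, minor, patch)
    if (2, 3, 1) <= v < (2, 4, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "not affected (backported fix)"
    if v < (2, 15, 0):
        return "vulnerable (CVE-2021-44228)"
    if v == (2, 15, 0):
        return "vulnerable (CVE-2021-45046)"
    return "not affected"


def _version_from_name(name):
    m = re.search(r"log4j-core-([\w.\-]+)\.jar$", name)
    return m[1] if m else None


def scan_archive(data, name, chain=()):
    """One finding per log4j-core found in `data`, recursing into nested archives."""
    chain = chain + (name,)
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:  # also catches shaded/uber jars that bundle log4j-core
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m[1].strip() if m else None
        if version is None:
            version = _version_from_name(name)
        if version is not None:
            status = log4shell_status(version)
            jndi = JNDI_LOOKUP in names
            if status.startswith("vulnerable") and not jndi:
                status = "mitigated (JndiLookup.class removed); still upgrade"
            findings.append({"path": "!".join(chain), "version": version,
                             "status": status, "jndi_lookup_present": jndi})
        for inner in names:
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(inner), inner, chain))
    return findings


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: a Spring-Boot-style fat jar bundling log4j-core 2.14.1,
# a WAR on 2.17.1, and a 2.14.1 jar "hot-patched" by deleting JndiLookup.class.
SAMPLE_OLD_APP = _make_jar({
    "BOOT-INF/lib/log4j-core-2.14.1.jar": _make_jar({
        POM_PROPS: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",  # placeholder class bytes
    }),
})
SAMPLE_NEW_APP = _make_jar({
    "WEB-INF/lib/log4j-core-2.17.1.jar": _make_jar({POM_PROPS: "version=2.17.1\n"}),
})
SAMPLE_HOTPATCHED = _make_jar({POM_PROPS: "version=2.14.1\n"})


def main():
    for label, data in [("old-app.jar", SAMPLE_OLD_APP), ("new-app.war", SAMPLE_NEW_APP),
                        ("log4j-core-2.14.1.jar", SAMPLE_HOTPATCHED)]:
        for f in scan_archive(data, label):
            print(f"{f['path']}: {f['version']} -> {f['status']}")


if __name__ == "__main__":
    main()
```

Version strings are only as trustworthy as the build that produced them: a relocated or repackaged log4j-core may carry no pom.properties at all, which is why the scan also keys on the presence of JndiLookup.class, and why a hash-based match on known log4j-core class files is the next step for a fleet-wide sweep.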
References
Electronic Transactions Development Agency(ETDA)