Cyber Threat Intelligence 24 October 2024
Energy Sector
- US Energy Sector Vulnerable To Supply Chain Attacks
"The US energy sector is at particularly high risk of supply chain attacks, with 45% of security breaches hitting this industry in the past year third-party related, according to new research by Security Scorecard and KPMG. This compares to a global average of 29% for supply chain breaches across all other industries. Additionally, the study found that 90% of attacks on energy companies breached more than once involved third parties. Two-thirds (67%) of third-party related breaches involved external software and IT providers. Around a fifth (22%) involved other energy companies."
https://www.infosecurity-magazine.com/news/us-energy-vulnerable-supply-chain/
New Tooling
- Argus: Open-Source Information Gathering Toolkit
"Argus is an open-source toolkit that simplifies information gathering and reconnaissance. It features a user-friendly interface and a collection of powerful modules, enabling the exploration of networks, web applications, and security configurations."
https://www.helpnetsecurity.com/2024/10/23/argus-open-source-information-gathering-toolkit/
https://github.com/jasonxtn/Argus
Vulnerabilities
- Fortinet Warns Of New Critical FortiManager Flaw Used In Zero-Day Attacks
"Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released. However, news of the vulnerability began leaking online throughout the week by customers on Reddit and by cybersecurity researcher Kevin Beaumont on Mastodon, who calls this flaw 'FortiJump'."
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/
https://www.fortiguard.com/psirt/FG-IR-24-423
https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog
https://therecord.media/high-severity-fortimanager-bug-being-exploited
https://www.bankinfosecurity.com/fortinet-discloses-actively-exploited-zero-day-a-26602
https://www.securityweek.com/fortinet-confirms-zero-day-exploit-targeting-fortimanager-systems/
https://www.theregister.com/2024/10/23/fortimanager_critical_vulnerability/
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerability-used-by-nation-state-in-espionage-via-msps-c79abec59773
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2024-38094 Microsoft SharePoint Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/22/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html
https://www.darkreading.com/vulnerabilities-threats/microsoft-sharepoint-vuln-active-exploit
https://www.securityweek.com/cisa-warns-recent-microsoft-sharepoint-rce-flaw-exploited-in-attacks/
https://securityaffairs.com/170157/security/u-s-cisa-adds-microsoft-sharepoint-flaw-known-exploited-vulnerabilities-catalog.html
https://www.theregister.com/2024/10/23/microsoft_sharepoint_rce_exploited/
- VMware vCenter Server CVE-2024-38812 DCERPC Vulnerability
"CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when memory allocated in the heap is improperly overwritten, leading to unpredictable behavior that could be exploited."
https://blog.sonicwall.com/en-us/2024/10/vmware-vcenter-server-cve-2024-38812-dcerpc-vulnerability/
- Deceptive Delight: Jailbreak LLMs Through Camouflage And Distraction
"This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content. We tested this simple yet effective method in 8,000 cases across eight models. We found that it achieves an average attack success rate of 65% within just three interaction turns with the target model."
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distraction/
https://thehackernews.com/2024/10/researchers-reveal-deceptive-delight.html
Malware
- The Crypto Game Of Lazarus APT: Investors Vs. Zero-Days
"Lazarus APT and its BlueNoroff subgroup are a highly sophisticated and multifaceted Korean-speaking threat actor. We closely monitor their activities and quite often see them using their signature malware in their attacks — a full-feature backdoor called Manuscrypt. According to our research, Lazarus has been employing this malware since at least 2013 and we’ve documented its usage in 50+ unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, IT and telecommunication operators, gaming companies, media outlets, casinos, universities, and even security researchers — the list goes on."
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
https://www.bleepingcomputer.com/news/security/lazarus-hackers-used-fake-defi-game-to-exploit-google-chrome-zero-day/
https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-exploits-chrome-zero-day-campaign
- Embargo Ransomware: Rock’n’Rust
"ESET researchers have discovered new Rust-based tooling leading to the deployment of Embargo ransomware. Embargo is a relatively new player in the ransomware scene, first observed by ESET in June 2024. The new toolkit consists of a loader and an EDR killer, named MDeployer and MS4Killer respectively by ESET. MS4Killer is particularly noteworthy as it is custom compiled for each victim’s environment, targeting only selected security solutions. Both tools are written in Rust, the Embargo group’s language of choice for developing its ransomware."
https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
https://www.bankinfosecurity.com/embargo-ransomware-disables-security-defenses-a-26603
https://www.infosecurity-magazine.com/news/embargo-ransomware-defense-evasion/
- Threat Spotlight: WarmCookie/BadSpace
"WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection. These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments."
https://blog.talosintelligence.com/warmcookie-analysis/
https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/
https://hackread.com/ta866-group-warmcookie-malware-espionage-campaign/
https://www.infosecurity-magazine.com/news/malware-warmcookie-users-malicious/
- LinkedIn Bots And Spear Phishers Target Job Seekers
"Microsoft’s social network for professionals, LinkedIn, is an important platform for job recruiters and seekers alike. It’s also a place where criminals go to find new potential victims. Like other social media platforms, LinkedIn is no stranger to bots attracted to special keywords and hashtags. Think “I was laid off”, “I’m #opentowork” and similar phrases that can wake up a swarm of bots hungry to scam someone new."
https://www.malwarebytes.com/blog/news/2024/10/linkedin-bots-and-spear-phishers-target-job-seekers
- Decrypted: Mallox Ransomware
"Researchers from Avast have discovered a flaw in the cryptographic schema of the Mallox ransomware variant that was prevalent during 2023 and early in 2024. Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant. The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware."
https://www.gendigital.com/blog/news/innovation/decrypted-mallox-ransomware
https://www.securityweek.com/avast-releases-free-decryptor-for-mallox-ransomware/
- macOS NotLockBit | Evolving Ransomware Samples Suggest A Threat Actor Sharpening Its Tools
"Last week, researchers at Trend Micro published a report on a macOS malware sample that had credible file locking and data exfiltration capabilities and masqueraded as LockBit ransomware on successful encryption of a user’s files. Until now, ransomware threats for Mac computers had been at best ‘proof of concept’ and at worst entirely incapable of succeeding at their apparent aim. Interestingly, despite one of the more credible previous attempts being from LockBit itself, this latest discovery appears to be an entirely different threat actor appropriating the name of a more notorious one. Since earlier researchers did not give a specific threat name for the sample they reported, we have dubbed the malware ‘macOS.NotLockBit’."
https://www.sentinelone.com/blog/macos-notlockbit-evolving-ransomware-samples-suggest-a-threat-actor-sharpening-its-tools/
https://www.securityweek.com/notlockbit-ransomware-can-target-macos-devices/
- Russia-Linked Influence Campaign Shifts Focus To US Presidential Election: Report
"A Russia-aligned influence operation that peddles in fake news and fact-checking content has been dedicating “significant resources” aimed at the U.S. presidential election and particularly Vice President Kamala Harris’ campaign, according to new research. Operation Overload, also referred to as Matryoshka and Storm-1679, has been observed in recent months sharing and amplifying videos across social media that spoof major news outlets to spread election-related disinformation, according to a report published Wednesday by Recorded Future."
https://therecord.media/russia-us-presidential-election-influence-operation-overload
- Unmasking Prometei: A Deep Dive Into Our MXDR Findings
"In a recent Managed Extended Detection and Response (MXDR) investigation, we analyzed a case involving the spread of the Prometei botnet across a customer's environment, the malicious activity detected with the help of Trend Vision One. Prometei functions as part of a larger botnet, enabling attackers to remotely control infected machines, deploy malware, and coordinate attacks. The Prometei botnet, reportedly dating back to as far back as 2016 and updated to version 3 in late 2022, is a modular malware family used primarily for cryptocurrency mining (especially Monero) and credential theft. By early 2023, it had compromised over 10,000 systems globally, with significant activity in Brazil, Indonesia, and Turkey."
https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html
Breaches/Hacks/Leaks
- Ransomware Gang Stoops To New Low, Targets Prominent Nonprofit For Disabled People
"A notorious ransomware gang previously responsible for attacks on multiple hospitals has now claimed a new victim: disability nonprofit Easterseals. The Rhysida ransomware group stooped to new lows this week when it attempted to extort $1.3 million from the organization, which provides support to disabled children, seniors, military veterans and others. Easterseals did not respond to requests for comment but filed breach notification documents with regulators in Maine saying its Peoria-based Central Illinois location dealt with a cyberattack in April. The filing did not mention the ransomware group, but the cybercriminals claimed the attack this week."
https://therecord.media/easterseals-central-illinois-data-breach
- 'Satanic' Data Thief Claims To Have Slipped Into 350M Hot Topic Shoppers' Info
"A data thief calling themselves Satanic claims to have purloined the records of around 350 million customers of fashion retailer Hot Topic. Israeli security shop Hudson Rock reports that the criminal says they have hacked the loyalty account of the fashion megachain, harvesting 350 million customers' PII, including names, emails, physical addresses, and dates of birth. It appears that financial details have at least been somewhat protected, with the evil one saying it has the last four digits of customers’ credit cards, card types, hashed expiration dates, and account holder names, but the criminal claims to have billions of payment details."
https://www.theregister.com/2024/10/23/satanic_data_thief/
General News
- Effective Strategies For Measuring And Testing Cyber Resilience
"In this Help Net Security interview, Detective Superintendent Ian Kirby, CEO of the National Cyber Resilience Centre Group (NCRCG), discusses the emerging cyber threats and strategies organizations can use to increase cyber resilience. He emphasizes basic cyber hygiene, security awareness training, multi-factor authentication, and stakeholder involvement at all levels in building a resilient organizational culture."
https://www.helpnetsecurity.com/2024/10/23/ian-kirby-national-cyber-resilience-centre-group-cyber-resilience-strategy/
- Hackers Exploit 52 Zero-Days On The First Day Of Pwn2Own Ireland
"On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. Viettel Cyber Security took an early lead getting 13 points in their chase for the "Master of Pwn" title. The team's phudq and namnp exploited a Lorex 2K WiFi camera through a stack-based buffer overflow vulnerability and got $30,000 and 3 points. Sina Kheirkhah from Summoning Team stole the show with a chain of nine vulnerabilities to go from QNAP QHora-322 router to TrueNAS Mini X device, which brought a $100,000 payout and 10 Master of Pwn points."
https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days-on-the-first-day-of-pwn2own-ireland/
- How To Thrive In A Distributed Team
"Remote work became the norm for many industries during the pandemic, but as the world recovers, some companies are calling employees back to the office or adopting hybrid work models. Despite this shift, remote work remains a critical part of the future of cybersecurity and many other industries. For those who continue to work remotely or in a hybrid model, the need for robust cybersecurity practices needs to be a priority."
https://www.bankinfosecurity.com/blogs/how-to-thrive-in-distributed-team-p-3746
- 70% Of Leaders See Cyber Knowledge Gap In Employees
"TA866, also called Asylum Ambuscade, is a threat actor that has been observed conducting intrusion operations since at least 2020. TA866 has historically been associated with financially motivated malware campaigns. However, prior reporting indicates that they may also conduct espionage-related activities. Cisco Talos has been monitoring and analyzing the malware distribution campaigns, and post-compromise intrusion activity associated with TA866 and has observed continued evolution in the tooling and tactics, techniques and procedures (TTPs) employed by this threat actor since early 2023."
https://www.infosecurity-magazine.com/news/70-cyber-knowledge-gap-employees/
https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/ftnt-service-report-security-awareness-training-2024.pdf
- US Government Pledges To Cyber Threat Sharing Via TLP Protocol
"The US federal government has pledged to use the Traffic Light Protocol (TLP) to boost cyber threat information sharing with the cybersecurity community and private sector. The guidance for federal agencies is designed to build trust between the government and cybersecurity research community, ensuring that crucial threat data can be shared in confidence when not in conflict with existing law or policy. While the federal government does already use the TLP, the new guidance aims to clarify its commitment, providing clarity for security researchers."
https://www.infosecurity-magazine.com/news/us-government-threat-sharing-tlp/
- AI Hallucinations Can Pose A Risk To Your Cybersecurity
"In early 2023, Google’s Bard made headlines for a pretty big mistake, which we now call an AI hallucination. During a demo, the chatbot was asked, “What new discoveries from the James Webb Space Telescope can I tell my 9-year-old about?” Bard answered that JWST, which launched in December 2021, took the “very first pictures” of an exoplanet outside our solar system. However, the European Southern Observatory’s Very Large Telescope took the first picture of an exoplanet in 2004."
https://securityintelligence.com/articles/ai-hallucinations-pose-risk-cybersecurity/
- Trickle-Down Cyber Economics: UK Hails Success Of Cyber Essentials Certification Scheme
"A decade on from its launch, the British government has announced it is delighted with the Cyber Essentials certification scheme, despite cyberattacks in the country being at record highs. In a speech on Wednesday marking the anniversary, cybersecurity minister Feryal Clark hailed how an independent impact evaluation also published on Wednesday detailed the benefits the scheme brings to the companies and institutions that use it."
https://therecord.media/uk-cyber-essentials-certification-scheme
References
Electronic Transactions Development Agency (ETDA)