Cyber Threat Intelligence 30 October 2024
Industrial Sector
- Siemens InterMesh Subscriber Devices
"Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, execute commands, write arbitrary files, or execute arbitrary commands."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-01
- Delta Electronics InfraSuite Device Master
"Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03
- Solar-Log Base 15
"Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02
New Tooling
- OT PCAP Analyzer: Free PCAP Analysis Tool
"EmberOT’s OT PCAP Analyzer, developed for the industrial security community, is a free tool providing a high-level overview of the devices and protocols in packet capture files. “The OT PCAP Analyzer was designed specifically with critical OT environments in mind. We’ve created a novel set of engines to gather and analyze network traffic at speed with unparalleled accuracy. This allows the free PCAP Analyzer to quickly identify OT devices, protocols, and how those elements interact. We stream this data in real-time so the user can begin reviewing results while a .pcap or .pcapng is being processed,” Jori VanAntwerp, CEO of EmberOT, told Help Net Security."
https://www.helpnetsecurity.com/2024/10/29/ot-pcap-analyzer-free-pcap-analysis-tool/
https://emberot.com/ot-pcap-analyzer
Vulnerabilities
- QNAP Fixes NAS Backup Software Zero-Day Exploited At Pwn2Own
"QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition. Tracked as CVE-2024-50388, the security flaw is caused by an OS command injection weakness in HBS 3 Hybrid Backup Sync version 25.1.x, the company's disaster recovery and data backup solution. "An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," QNAP said in a Tuesday security advisory."
https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/
https://www.qnap.com/en/security-advisory/qsa-24-41
- Apple Releases Security Updates For Multiple Products
"Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system."
https://www.cisa.gov/news-events/alerts/2024/10/29/apple-releases-security-updates-multiple-products
https://www.securityweek.com/apple-patches-over-70-vulnerabilities-across-ios-macos-other-products/
https://www.malwarebytes.com/blog/news/2024/10/update-your-iphone-mac-watch-apple-issues-patches-for-several-vulnerabilities
- Admins Better Spring Into Action Over Latest Critical Open Source Vuln
"If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed. Tracked as CVE-2024-38821, the vulnerability affects apps developed using Spring WebFlux only, and when exploited can lead to security rules being bypassed. An application is only considered vulnerable to CVE-2024-38821, in this case, if WebFlux is used, if the app is using the framework's static resources support, and a non-permitAll authorization rule is applied to that support. All conditions must be met in order for an app to be considered vulnerable."
https://www.theregister.com/2024/10/29/admins_spring_into_action_over/
https://spring.io/security/cve-2024-38821/
- We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day)
"When last year Akamai security researcher Tomer Peled decided to look into Windows themes files, they found that when a theme file specified a network file path for some of the theme properties (specifically BrandImage and Wallpaper), Windows would automatically send authenticated network requests to remote hosts, including user's NTLM credentials when such theme file would be viewed in Windows Explorer. This meant that merely seeing a malicious theme file listed in a folder or placed on the desktop would be enough for leaking user's credentials without any additional user action."
https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
https://www.bleepingcomputer.com/news/security/new-windows-themes-zero-day-gets-free-unofficial-patches/
https://www.darkreading.com/vulnerabilities-threats/recurring-windows-flaw-could-expose-user-credentials
https://www.helpnetsecurity.com/2024/10/29/windows-themes-spoofing-vulnerability/
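The excerpt above names the two theme properties (BrandImage and Wallpaper) that make Explorer fetch an image from a network path. A defender can inventory theme files for exactly that shape of value. The following is an added example and is not code from the page, from 0patch or from Akamai: it parses .theme files as the INI text they are, looks at the BrandImage key under [Theme] and the Wallpaper key under [Control Panel\Desktop], and flags values that are UNC paths or carry a URL scheme. The section/key pairing, the sample theme contents, the host names and the helper names are assumptions constructed for this example.

```python
"""Flag Windows .theme files whose image properties point at a network location.

Added example, not code from the page or from 0patch/Akamai. Assumes the INI
layout of .theme files: BrandImage under [Theme] and Wallpaper under
[Control Panel\\Desktop]. A value that is a UNC path (\\\\host\\share\\...) or
has a URL scheme is the shape that makes Explorer contact a remote host.
"""
import configparser
import re
from pathlib import Path

# (section, key) pairs named in the excerpt as triggering network access; compared lower-cased.
WATCHED_KEYS = {
    ("theme", "brandimage"),
    ("control panel\\desktop", "wallpaper"),
}

# UNC path (\\host\share...) or anything with a URL scheme (http://, file://, ...).
REMOTE_PATH = re.compile(r"^\s*(\\\\[^\\]+\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse theme text as INI; keys may repeat and values may contain ';' or '%'."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, inline_comment_prefixes=None)
    parser.optionxform = str.lower  # case-insensitive key lookup
    parser.read_string(text)
    return parser


def find_remote_image_paths(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) triples whose value resolves to a remote host."""
    parser = parse_theme(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if (section.lower(), key) in WATCHED_KEYS and REMOTE_PATH.match(value):
                findings.append((section, key, value.strip()))
    return findings


def read_theme_text(path: Path) -> str:
    """Decode a theme file: Windows commonly writes UTF-16 with a BOM, otherwise ANSI."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1252")


def scan_directory(root: Path) -> dict[str, list[tuple[str, str, str]]]:
    """Scan every *.theme under root; map path -> findings (empty list means clean)."""
    results = {}
    for path in root.rglob("*.theme"):
        try:
            results[str(path)] = find_remote_image_paths(read_theme_text(path))
        except configparser.Error:
            results[str(path)] = []  # not parseable as INI; worth a manual look
    return results


# Constructed sample inputs (not real theme files from the page).
BENIGN_THEME = """\
[Theme]
DisplayName=Local Theme
BrandImage=C:\\Users\\Public\\brand.png

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
WallpaperStyle=10
"""

SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Shared Theme
BrandImage=\\\\fileserver.example.test\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=https://cdn.example.test/wallpaper.jpg
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, find_remote_image_paths(body))
```

Point scan_directory at user profile and shared folders; a theme whose BrandImage or Wallpaper leaves the host is the finding worth triaging. The scan is a detection aid only: the 0patch and Microsoft fixes are the remediation, and blocking outbound SMB at the network edge limits what a leaked authentication attempt can reach.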
Malware
- BPFDoor Linux Malware Detected By AhnLab EDR
"BPFDoor is a backdoor using the Berkeley Packet Filter (BPF), first revealed through a threat report by PWC in 2021 [1]. According to the report, the China-based threat actor Red Menshen has been using BPFDoor for several years in attacks targeting the Middle East and Asia regions, with its source being released recently."
https://asec.ahnlab.com/en/83925/
- Analysis Of An Attack Against HiveOS For Mining Ravencoin
"AhnLab Security intelligence Center (ASEC) is using multiple honeypots to monitor attacks targeting improperly managed Linux servers. Among the prominent honeypots is the SSH service using vulnerable credentials, which is targeted by many DDoS and CoinMiner attackers. While monitoring numerous external attacks, ASEC recently identified an attack targeting HiveOS. The initial access targeted the improperly managed SSH service, ultimately executing commands to mine new cryptocurrency and additionally installing a LinuxRC backdoor."
https://asec.ahnlab.com/en/83857/
- Linux Persistence Techniques Detected By AhnLab EDR (1)
"Persistence techniques refer to methods employed by threat actors to maintain a connection to the target system after infiltration. As a single breach may not be enough to achieve all their goals, threat actors look for ways to re-access the system. Persistence can be maintained by configuring the malware to be executed even after a system reboot or installing a backdoor account among many other methods."
https://asec.ahnlab.com/en/83779/
- Massive PSAUX Ransomware Attack Targets 22,000 CyberPanel Instances
"Over 22,000 CyberPanel instances exposed online to a critical remote code execution (RCE) vulnerability were mass-targeted in a PSAUX ransomware attack that took almost all instances offline. This week, security researcher DreyAnd disclosed that CyberPanel 2.3.6 (and likely 2.3.7) suffers from three distinct security problems that can result in an exploit allowing unauthenticated remote root access without authentication."
https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
- LightSpy: Implant For iOS
"In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS. After a brief analysis of the obtained files, we concluded that this version slightly differs from the version discussed by researchers in 2020."
https://www.threatfabric.com/blogs/lightspy-implant-for-ios
https://www.infosecurity-magazine.com/news/lightspy-spyware-targets-ios/
- Lumma/Amadey: Fake CAPTCHAs Want To Know If You’re Human
"Attackers are increasingly distributing malware through a rather unusual method: a fake CAPTCHA as the initial infection vector. Researchers from various companies reported this campaign in August and September. The attackers, primarily targeting gamers, initially delivered the Lumma stealer to victims through websites hosting cracked games. Our recent research into the adware landscape revealed that this malicious CAPTCHA is spreading through a variety of online resources that have nothing to do with games: adult sites, file-sharing services, betting platforms, anime resources, and web apps monetizing through traffic."
https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
- Statement On People's Republic Of China Reconnaissance Of Canadian Systems
"The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment Canada (CSE), is urging Canadian organizations to remain vigilant and bolster their defences against reconnaissance scanning, a low-level but constant cyber threat facing the country. The Cyber Centre is aware that a sophisticated state-sponsored threat actor from the People’s Republic of China has performed broad based reconnaissance scanning over several months against numerous domains in Canada."
https://www.cyber.gc.ca/en/news-events/statement-peoples-republic-china-reconnaissance-canadian-systems
https://www.securityweek.com/canada-says-chinese-reconnaissance-scans-targeting-government-organizations/
- Russia’s ‘Midnight Blizzard’ Hackers Target Government Workers In Novel Info-Stealing Campaign
"Microsoft said Russia’s Foreign Intelligence Service (SVR) has targeted government workers over the last week with a tool that provides the hackers with full access to a victim’s device. In a blog post on Tuesday, Microsoft’s Threat Intelligence team said it has seen a Russian actor it tracks as Midnight Blizzard sending “highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors” since October 22. The campaign is ongoing and Microsoft tracked emails “sent to thousands of targets in over 100 organizations.” The emails contained configuration files for Remote Desktop Protocol (RDP) that are connected to servers controlled by the hackers."
https://therecord.media/russia-midnight-blizzard-hackers-target-government-sector
General News
- Inside Console Security: How Innovations Shape Future Hardware Protection
"In this Help Net Security interview, security researchers Specter and ChendoChap discuss gaming consoles’ unique security model, highlighting how it differs from other consumer devices. They also share their thoughts on how advancements in console security could shape future consumer and enterprise hardware designs. Specter was a speaker at the Hardwear.io conference that took place last week in Amsterdam."
https://www.helpnetsecurity.com/2024/10/29/game-console-security/
- Trust And Risk In The AI Era
"55% of organizations say the security risks for their business have never been higher, according to Vanta. Yet the average company only dedicates 11% of its IT budget to security — far from the ideal allocation of 17%, according to business and IT leaders. The rapid adoption of AI only adds to the risks with phishing attacks (33%), AI-based malware (32%), and compliance violations (27%) increasing since AI has become far more prevalent in the last year."
https://www.helpnetsecurity.com/2024/10/29/organizations-ai-training/
- U.S. Joins International Action Against RedLine And META Infostealers
"The Department of Justice joined the Netherlands, Belgium, Eurojust and other partners in announcing an international disruption effort against the current version of RedLine Infostealer, one of the most prevalent infostealers in the world that has targeted millions of victim computers, and the closely-related META Infostealer. The Justice Department, FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division joined international partners in the Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus (supported by Europol) to seize domains, servers, and Telegram accounts used by the RedLine and META administrators to disrupt the operations of the infostealers."
https://www.justice.gov/usao-wdtx/pr/us-joins-international-action-against-redline-and-meta-infostealers
https://www.bleepingcomputer.com/news/security/russian-charged-by-us-for-creating-redline-infostealer-malware/
https://thehackernews.com/2024/10/dutch-police-disrupt-major-info.html
https://therecord.media/redline-infostealer-malware-criminal-complaint-maxim-rudometov
https://www.bankinfosecurity.com/russian-indicted-by-us-for-developing-redline-infostealer-a-26667
https://cyberscoop.com/redline-meta-magnus-rudometov-justice-dutch/
https://www.helpnetsecurity.com/2024/10/29/us-charges-suspected-redline-infostealer-developer-admin/
https://www.theregister.com/2024/10/29/russian_redline_malware/
https://www.theregister.com/2024/10/29/belgian_cops_arrest_two_suspected/
- BlackSuit Ransomware: 8 Years, 6 Names, 1 Cybercrime Syndicate
"It’s been nearly 20 years since ransomware became a significant threat, and some of today’s most prolific modern threats are the great, great, great-grandchildren of the original notorious strains. This is true in the case of BlackSuit ransomware, an operation identified as the fifth most dangerous threat to the U.S. public healthcare sector just six months ago."
https://blog.barracuda.com/2024/10/29/blacksuit-ransomware--8-years--6-names--1-cybercrime-syndicate
- China's Elite Cyber Corps Hone Skills On Virtual Battlefields
"Over the last decade, the Chinese government has established an efficient pipeline of capture-the-flag (CTF) tournaments both as a way to attract cyber-savvy citizens to cybersecurity, and as part of its cybersecurity curriculum and training regimen. The efforts have paid off."
https://www.darkreading.com/threat-intelligence/china-cyber-corps-hone-skills-virtual-battlefields
- How To Find The Right CISO
"The artificial intelligence (AI) investment cycle we are currently in will drive new levels of cybersecurity risk in pretty much every organization, making the cybersecurity chief a CEO's most important current hire. Great chief information security officers (CISOs) — who blend technical, strategic, board-level communication, and leadership skills — are in high demand and short supply, and with technology constantly changing, the cybersecurity skill set is changing, too."
https://www.darkreading.com/cybersecurity-operations/how-find-right-ciso
- Risk Reduction Redefined: How Compromise Assessment Helps Strengthen Cyberdefenses
"Organizations often rely on a layered defense strategy, yet breaches still occur, slipping past multiple levels of protection unnoticed. This is where compromise assessment enters the game. The primary objective of these services is risk reduction. They help discover active cyberattacks as well as unnoticed sophisticated attacks that occurred in the past by doing the following:"
https://securelist.com/compromise-assessment-cases/114332/
- Why Safeguarding Sensitive Data Is So Crucial
"A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other. The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states."
https://securityintelligence.com/articles/why-safeguarding-sensitive-data-is-crucial/
- How To Improve The Security Of AI-Assisted Software Development
"By now, it’s clear that the artificial intelligence (AI) “genie” is out of the bottle – for good. This extends to software development, as a GitHub survey shows that 92 percent of U.S.-based developers are already using AI coding tools both in and outside of work. They say AI technologies help them improve their skills (as cited by 57 percent), boost productivity (53 percent), focus on building/creating instead of repetitive tasks (51 percent) and avoid burnout (41 percent)."
https://www.securityweek.com/how-to-improve-the-security-of-ai-assisted-software-development/
- Russia And China-Linked State Hackers Intensify Attacks On Netherlands, Security Officials Warn
"Russian and Chinese state threat actors are ramping up their cyberattacks against Dutch organizations, according to a new government report. Most of these attacks primarily aim to gain a foothold within critical infrastructure for potential future sabotage, as well as to obtain sensitive information, the Dutch principal counterterrorism unit (NCTV) said in research published Monday. Attacks are increasingly partly due to the involvement of non-state actors from both Russia and China. For example, a larger portion of Russia's digital espionage, sabotage and influence activities last year were carried out by the so-called “hacktivists” who are aligned with the government but may not be directly tied to it."
https://therecord.media/china-russia-cyberattacks-targeting-netherlands
References
Electronic Transactions Development Agency (ETDA)