Cyber Threat Intelligence 31 October 2024
Healthcare Sector
- 6 Key Elements For Building a Healthcare Cybersecurity Response Plan
"Medical practices remain vulnerable to cyberattacks, with over a third unable to cite a cybersecurity incident response plan, according to Software Advice. This gap exposes healthcare providers to risks of patient data breaches, HIPAA violations, financial penalties, and patient safety concerns. The findings come at a critical time, as the Health Infrastructure Security and Accountability Act seeks to establish minimum cybersecurity standards across the healthcare industry."
https://www.helpnetsecurity.com/2024/10/30/healthcare-cybersecurity-incident-response-plan/
Vulnerabilities
- Google Patches Critical Chrome Vulnerability Reported By Apple
"Google and Mozilla on Tuesday announced security updates for their Chrome and Firefox web browsers, and some of the vulnerabilities they patch are potentially severe. Google has announced the release of Chrome 130, which patches two vulnerabilities. One of them, tracked as CVE-2024-10487, has been described as a critical out-of-bounds write issue in Dawn, the cross-platform implementation of the WebGPU standard. The issue was reported to Google by Apple’s Security Engineering and Architecture (SEAR) team just one week ago. Different implementations of the WebGPU graphics API are used in Firefox and Safari as well, but it’s unclear if these browsers are also impacted by CVE-2024-10487."
https://www.securityweek.com/google-patches-critical-chrome-vulnerability-reported-by-apple/
https://www.malwarebytes.com/blog/news/2024/10/patch-now-new-chrome-update-for-two-critical-vulnerabilities
https://securityaffairs.com/170395/security/google-fixed-critical-chrome-flaw.html
- QNAP Patches Second Zero-Day Exploited At Pwn2Own To Get Root
"QNAP has released security patches for a second zero-day bug exploited by security researchers during last week's Pwn2Own hacking contest. This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP's SMB Service and is now fixed in versions 4.15.002 or later and h4.15.002 and later. The zero-day flaw was patched one week after allowing YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS device at Pwn2Own Ireland 2024."
https://www.bleepingcomputer.com/news/security/qnap-patches-second-zero-day-exploited-at-pwn2own-to-get-root/
https://www.qnap.com/en/security-advisory/qsa-24-42
- LiteSpeed Cache Plugin Vulnerability Poses Admin Access Risk
"A vulnerability in the LiteSpeed Cache plugin for WordPress, which has over 6 million active installations, has been discovered allowing unauthenticated visitors to gain administrator-level access by exploiting a security flaw in the plugin’s role simulation feature. This flaw permitted unauthorized access that could lead to the installation of malicious plugins. The LiteSpeed Cache plugin is widely used for site optimization and supports popular WordPress plugins like WooCommerce, bbPress and Yoast SEO."
https://www.infosecurity-magazine.com/news/litespeed-cache-plugin-flaw-admin/
https://blog.litespeedtech.com/2024/10/29/crawler-patch-for-wordpress-cache-plugin/
Malware
- Attacker Abuses Victim Resources To Reap Rewards From Titan Network
"Recently, we observed an attack where an attacker exploited the Atlassian Confluence server vulnerability CVE-2023-22527. This allowed unauthenticated attackers to achieve remote code execution (RCE) and leverage the Titan Network for cryptomining activity. Titan Network, which is based on decentralized physical infrastructure networks (DePIN), is an open-source platform that allows users to share and deploy hardware resources, turning them into valuable digital assets like computing power, storage, and bandwidth. Its economic incentives and network design ensure that contributors are rewarded for their resources, while end-users enjoy high-quality, reliable results comparable to modern cloud services. In the attack, the malicious actor compromises victims’ machines and installs Titan edge nodes to reap those rewards."
https://www.trendmicro.com/en_us/research/24/j/titan-network.html
- Mishing In Motion: Uncovering The Evolving Functionality Of FakeCall Malware
"As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a new variant of a well-known malware previously reported by ThreatFabric and Kaspersky. This malware, named FakeCall, employs a technique known as Vishing (voice phishing), in which fraudulent phone calls or voice messages are used to deceive victims into disclosing sensitive information, such as login credentials, credit card numbers, or banking details."
https://www.zimperium.com/blog/mishing-in-motion-uncovering-the-evolving-functionality-of-fakecall-malware/
https://github.com/Zimperium/IOC/tree/master/2024-10-FakeCall
https://www.bleepingcomputer.com/news/security/android-malware-fakecall-now-reroutes-bank-calls-to-attackers/
https://www.darkreading.com/cyberattacks-data-breaches/vishing-mishing-fakecall-android-malware
https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/
https://www.securityweek.com/fakecall-android-trojan-evolves-with-new-evasion-tactics-and-expanded-espionage-capabilities/
https://www.infosecurity-magazine.com/news/updated-fakecall-malware-targets/
https://securityaffairs.com/170410/malware/fakecall-malware-intercepts-outgoing-bank-calls.html
- EMERALDWHALE: 15k Cloud Credentials Stolen In Operation Targeting Exposed Git Config Files
"The Sysdig Threat Research Team (TRT) recently discovered a global operation, EMERALDWHALE, targeting exposed Git configurations resulting in more than 15,000 cloud service credentials stolen. This campaign used multiple private tools that abused multiple misconfigured web services, allowing attackers to steal credentials, clone private repositories, and extract cloud credentials from their source code. Credentials for over 10,000 private repositories were collected during the operation. The stolen data was stored in an S3 bucket of a previous victim."
https://sysdig.com/blog/emeraldwhale/
https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-credentials-from-exposed-git-config-files/
https://cyberscoop.com/sysdig-git-credentials-cloud-service-emeraldwhale/
- Jumpy Pisces Engages In Play Ransomware
"Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People's Army, as a key player in a recent ransomware incident. Our investigation indicates a likely shift in the group’s tactics. We believe with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius)."
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
https://www.bleepingcomputer.com/news/security/north-korean-govt-hackers-linked-to-play-ransomware-attack/
https://therecord.media/north-korean-hackers-collaborate-with-play-ransomware
- 7,500 Phishing Emails Use Interesting Obfuscation Method To Target Student Loan Holders
"According to the Education Data Initiative, nearly 43 million Americans are saddled with the burden of student loan debt, with an average individual debt burden of $37,000. In 2022, President Biden announced a three-part plan to cancel thousands of dollars in student debt for low to middle-income borrowers. The effort has faced numerous obstacles, leaving student borrowers confused and uncertain. Cyber criminals have proven eager to capitalize on the upheaval. Across the past two weeks, Harmony Email & Collaboration’s cyber security researchers have not only observed a surge in phishing attacks targeting student loan holders but have identified more than 7,500 emails that weaponize a particularly unique obfuscation method."
https://blog.checkpoint.com/harmony-email/7500-phishing-emails-use-interesting-obfuscation-method-to-target-student-loan-holders/
- Writing a BugSleep C2 Server And Detecting Its Traffic With Snort
"In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot” (aka "BugSleep"). This remote access tool (RAT) gives operators reverse shell and file input/output (I/O) capabilities on a victim’s endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort."
https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/
- “CrossBarking” — Exploiting a 0-Day Opera Vulnerability With a Cross-Browser Extension Store Attack
"Guardio Labs has uncovered and fully disclosed a serious vulnerability in the Opera browser that allows malicious extensions to gain full access to permissive Private APIs, enabling actions like screen capturing, browser setting modifications, and account hijacking. Following our earlier discovery of MyFlaw, this revelation further underscores the ongoing challenges in modern browser security. To illustrate the unfortunate ease of bypassing extension store security measures, our research team adopted a ‘black hat’ approach, demonstrating how, with just a free email account and AI-generated content, a fully operational malicious extension exploiting this vulnerability can be created and placed in the official Chrome Store — creating a cross-browser-store attack."
https://labs.guard.io/crossbarking-exploiting-a-0-day-opera-vulnerability-with-a-cross-browser-extension-store-attack-db3e6d6e6aa8
https://thehackernews.com/2024/10/opera-browser-fixes-big-security-hole.html
https://www.darkreading.com/vulnerabilities-threats/crossbarking-attack-secret-apis-expose-opera-browser-users
- Unmasking The SYS01 Infostealer Threat: Bitdefender Labs Tracks Global Malvertising Campaign Targeting Meta Business Pages
"In a world run by advertising, businesses and organizations are not the only ones using this powerful tool. Cybercriminals have a knack for exploiting the engine that powers online platforms by corrupting the vast reach of advertising to distribute malware en masse. While legitimate businesses rely on ads to reach new audiences, hackers exploit these platforms to trick users into downloading harmful software. Malicious ads often seem to promote legitimate software, streaming services, or products, making it difficult for users to distinguish between safe and dangerous content."
https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages
https://thehackernews.com/2024/10/malvertising-campaign-hijacks-facebook.html
https://hackread.com/fake-meta-ads-hijacking-facebook-sys01-infostealer/
- Cryptocurrency Enthusiasts Targeted In Multi-Vector Supply Chain Attack
"Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets."
https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vector-supply-chain-attack/
https://thehackernews.com/2024/10/researchers-uncover-python-package.html
Breaches/Hacks/Leaks
- Interbank Confirms Data Breach Following Failed Extortion, Data Leak
"Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online. Previously known as the International Bank of Peru (Banco Internacional del Perú), the company provides financial services to over 2 million customers. "We have identified that some data of a group of clients has been exposed by a third party without our authorization. In light of this situation, we immediately deployed additional security measures to protect the operations and information of our clients," Interbank said today."
https://www.bleepingcomputer.com/news/security/interbank-confirms-data-breach-following-failed-extortion-data-leak/
- Colorado Accidentally Put Voting System Passwords Online, But Officials Say Election Is Secure
"Voting system passwords were mistakenly put on the Colorado Secretary of State’s website for several months before being spotted and taken down, but the lapse did not pose an immediate threat to the upcoming election, said state election officials Tuesday. The passwords were only one of two that are needed to access any component of Colorado’s voting systems, and are just one part of a layered security system, said Jack Todd, spokesperson for the Secretary of State’s office, in a statement. The two passwords are “kept in separate places and held by different parties,” he said."
https://www.securityweek.com/colorado-accidentally-put-voting-system-passwords-online-but-officials-say-election-is-secure/
General News
- Risk Hunting: A Proactive Approach To Cyber Threats
"Cybersecurity is an overly reactive industry. Too often we act like firefighters, rushing from blaze to blaze, extinguishing flames hoping to keep the damage to a minimum, rather than fire suppression experts designing environments that refuse to burn."
https://www.helpnetsecurity.com/2024/10/30/risk-hunting/
- Simplifying Decentralized Identity Systems For Everyday Use
"In this Help Net Security interview, Carla Roncato, VP of Identity at WatchGuard Technologies, discusses how companies can balance privacy, security, and usability in digital identity systems. She emphasizes modern techniques like biometrics and passkeys to replace knowledge-based authentication methods and highlights the need for global standardization in decentralized identity solutions."
https://www.helpnetsecurity.com/2024/10/30/carla-roncato-watchguard-technologies-digital-identity-systems/
- FBI Has Conducted More Than 30 Disruption Operations In 2024
"The FBI is seeing progress in the fight against ransomware gangs after conducting more than 30 disruption operations this year in which officials targeted the infrastructure used by those groups, one of the bureau’s top cybersecurity officials said Wednesday. Cynthia Kaiser, deputy assistant director of the FBI’s cyber division, said during CyberScoop’s CyberTalks event that disruption operations against ransomware gangs have in some cases stopped gangs from further targeting the U.S. Ransomware gangs often operate in safe harbor countries like Russia, where there is little hope for extraction to the U.S."
https://cyberscoop.com/fbi-ransomware-disruption-infrastructure-cybertalks/
- Cybersecurity Training Resources Often Limited To Developers
"New studies show that cybersecurity executives often fail to prioritize software security training for the entirety of a company, instead only deeming it necessary for a select few — and not always for the right reasons. Nearly half of cybersecurity leaders who provide these kinds of training tools don't consider awareness efforts to be essential within their organizations, according to a study conducted by CMD+CTRL Security and Wakefield Research. In addition to this, half of the leaders who do provide security training do so to build a "security culture," but only 41% say they provide training because of the increased risk from third parties and supply chains."
https://www.darkreading.com/endpoint-security/cybersecurity-training-resources-limited-developers
https://web.cmdnctrlsecurity.com/enhancing-cybersecurity-training-research-report
- When Cybersecurity Tools Backfire
"In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples."
https://www.darkreading.com/vulnerabilities-threats/when-cybersecurity-tools-backfire
- Back To The Future, Securing Generative AI
"Over the last 10 years, the top jobs in data analysis have evolved from statistics and applied modeling, into actuarial science, into data science, into machine learning, and now here we are, Artificial Intelligence and Generative AI. AI has become ubiquitous – most people have used it and almost everyone has an opinion of it. As an engineer, I’m excited to apply all of this innovation into practical applications, and ultimately ensure it operates safely and securely. Before I jump into this multi-part series on securing generative AI, I want to take some time and give an overview of where we are today, as well as explain some core components and complexities."
https://www.securityweek.com/back-to-the-future-securing-generative-ai/
- Don't Become a Statistic: Tips To Help Keep Your Personal Data Off The Dark Web
"How did 44% of members of the European Parliament (MEPs) and 68% of British MPs let their personal details end up circulating on the dark web? The answer is simpler and possibly more alarming than you may think: many will have signed up to online accounts using their official email address, and entered additional personally identifiable information (PII). They will then have been helpless as that third-party provider was breached by cybercriminals, who subsequently shared or sold the data to other threat actors on the dark web."
https://www.welivesecurity.com/en/cybercrime/dont-become-statistic-defending-data-dark-web/
References
Electronic Transactions Development Agency (ETDA)