Cyber Threat Intelligence 11 November 2024
New Tooling
- Am I Isolated: Open-Source Container Security Benchmark
"Am I Isolated is an open-source container security benchmark that probes users’ runtime environments and tests for container isolation. The Rust-based container runtime scanner runs as a container, detecting gaps in users’ container runtime isolation. It also provides guidance to improve users’ runtime environments to offer stronger isolation guarantees."
https://www.helpnetsecurity.com/2024/11/08/am-i-isolated-open-source-container-security-benchmark/
https://github.com/edera-dev/am-i-isolated
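The benchmark above is a Rust tool run as a container; the script below is an added Python illustration of the kind of probe such a scanner performs, written for this digest and not taken from the am-i-isolated project. It reads the `CapEff`, `Seccomp` and `NoNewPrivs` fields that the Linux kernel exposes in /proc/self/status, decodes the effective capability mask into names, and flags the settings that weaken container isolation. The two status samples are constructed (the first uses the capability set Docker grants by default, the second a fully privileged mask); the list of "escape" capabilities is this example's own judgement, not a standard.

```python
import re

# Linux capability bit numbers (from <linux/capability.h>); list index == bit position.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
    "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON",
    "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Example's own choice: capabilities that routinely turn a container into a host foothold
# (mounts, kernel modules, ptrace of host processes, raw device I/O, netns changes, eBPF).
ESCAPE_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF",
}

# Constructed samples of /proc/self/status (only the fields this probe reads).
DOCKER_DEFAULT_STATUS = "Name:\tsh\nSeccomp:\t2\nNoNewPrivs:\t0\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nSeccomp:\t0\nNoNewPrivs:\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex mask into the set of capability names it grants."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_mask):
        raise ValueError(f"not a capability mask: {hex_mask!r}")
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def assess(status_text):
    """Return the effective capabilities plus a list of isolation findings."""
    f = parse_status(status_text)
    caps = decode_caps(f.get("CapEff", "0"))
    findings = []
    if f.get("Seccomp", "0") == "0":          # 0 = disabled, 1 = strict, 2 = filter
        findings.append("no seccomp filter (Seccomp: 0): every syscall reaches the kernel")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("NoNewPrivs not set: setuid/file-capability binaries can raise privileges")
    for cap in sorted(caps & ESCAPE_CAPS):
        findings.append(f"effective capability {cap} is a known container-escape primitive")
    return {"caps": caps, "findings": findings}


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:   # live probe when run on Linux
            report = assess(fh.read())
    except OSError:                              # not Linux, or /proc unavailable
        report = assess(DOCKER_DEFAULT_STATUS)
    print(f"{len(report['caps'])} effective capabilities")
    for line in report["findings"] or ["no obvious isolation gaps in this process's status"]:
        print("-", line)
```

Run it inside the container under test; a default Docker container reports 14 capabilities and only the NoNewPrivs finding, while a `--privileged` container trips every check. A real benchmark also probes cgroups, mount namespaces and the kernel itself, which a status file cannot show.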
Vulnerabilities
- D-Link Won’t Fix Critical Flaw Affecting 60,000 Older NAS Devices
"More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit. The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized. An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices."
https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/
- Palo Alto Networks Warns Of Potential PAN-OS RCE Vulnerability
"Today, cybersecurity company Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface. In a security advisory published on Friday, the company said it doesn't yet have additional information regarding this alleged security flaw and added that it has yet to detect signs of active exploitation. "Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation," it said."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-potential-pan-os-rce-vulnerability/
https://thehackernews.com/2024/11/palo-alto-advises-securing-pan-os.html
https://security.paloaltonetworks.com/PAN-SA-2024-0015
https://securityaffairs.com/170697/uncategorized/palo-alto-networks-warns-potential-pan-os-rce.html
- Critical CyberPanel Vulnerability (CVE-2024-51378): How To Stay Protected
"The SonicWall Capture Labs threat research team became aware of CVE-2024-51378, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-51378 is a critical vulnerability with a CVSS score of 9.8 in CyberPanel versions 2.3.6 and 2.3.7 that allows unauthenticated remote code execution (RCE). Threat actors, including the PSAUX ransomware group, have been reported exploiting this vulnerability to encrypt server files and deploy ransomware payloads. A public proof of concept is available."
https://blog.sonicwall.com/en-us/2024/11/critical-cyberpanel-vulnerability-cve-2024-51378-how-to-stay-protected/
Malware
- Critical Veeam RCE Bug Now Used In Frag Ransomware Attacks
"After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers."
https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/
https://securityaffairs.com/170717/malware/veeam-backup-replication-flaw-frag-ransomware.html
- Multiple Vulnerabilities In The Mazda In-Vehicle Infotainment (IVI) System
"Multiple vulnerabilities have been discovered in the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, such as the Mazda 3 model year 2014-2021. Like in so many cases, these vulnerabilities are caused by insufficient sanitization when handling attacker-supplied input. A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device – such as an iPod or mass storage device – to the target system. Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges."
https://www.zerodayinitiative.com/blog/2024/11/7/multiple-vulnerabilities-in-the-mazda-in-vehicle-infotainment-ivi-system
https://www.bleepingcomputer.com/news/security/unpatched-mazda-connect-bugs-let-hackers-install-persistent-malware/
https://www.darkreading.com/vulnerabilities-threats/6-infotainment-bugs-mazda-usbs
https://hackread.com/hackers-mazda-vehicle-controls-system-vulnerabilities/
https://www.securityweek.com/unpatched-vulnerabilities-allow-hacking-of-mazda-cars-zdi/
https://securityaffairs.com/170727/security/mazda-connect-flaws.html
- New Campaign Uses Remcos RAT To Exploit Victims
"Fortinet’s FortiGuard Labs recently noticed a phishing campaign in the wild. It is initialized with a phishing email containing a malicious Excel document. Upon researching the campaign, I found it was spreading a new variant of the Remcos RAT."
https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims
https://hackread.com/hackers-use-excel-files-remcos-rat-variant-windows/
- Hello Again, FakeBat: Popular Loader Returns After Months-Long Hiatus
"The web browser, and search engines in particular, continue to be a popular entry point to deliver malware to users. While we noted a decrease in loaders distributed via malvertising for the past 3 months, today’s example is a reminder that threat actors can quickly switch back to tried and tested methods. After months of absence, Fakebat (AKA Eugenloader, PaykLoader) showed up on our radar again via a malicious Google ad for the productivity application Notion. FakeBat is a unique loader that has been used to drop follow-up payloads such as Lumma stealer."
https://www.malwarebytes.com/blog/news/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus
- QSC: A Multi-Plugin Framework Used By CloudComputating Group In Cyberespionage Campaigns
"In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It is dropped either as a standalone executable or as a payload file along with a loader DLL. In this post, we describe each component of the framework as well as its recent activity including a deployment scenario, an additional backdoor, post-compromise activity and a link to the CloudComputating group."
https://securelist.com/cloudcomputating-qsc-framework/114438/
- SpyAgent Malware Targets Crypto Wallets By Stealing Screenshots
"A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices. Here’s how to dodge the bullet."
https://securityintelligence.com/articles/spyagent-malware-targets-crypto-wallets-stealing-screenshots/
- Roblox Developers Targeted With Npm Packages Infected With Skuld Infostealer And Blank Grabber
"Socket's threat research team has detected five malicious npm packages specifically targeting Roblox users. These packages — node-dlls, ro.dll, autoadv, and two versions of rolimons-api — were designed to impersonate legitimate modules widely used within the Roblox developer community. The threat actor published typosquatted packages to deceive developers into installing Skuld infostealer and Blank Grabber malware. With over 320 downloads before removal, the malicious packages posed significant risks, including the theft of credentials, financial information, and personal data."
https://socket.dev/blog/roblox-developers-targeted-with-npm-packages-infected-with-infostealers
https://thehackernews.com/2024/11/malicious-npm-packages-target-roblox.html
- Seoul Accuses Pro-Kremlin Hackers Of Attacking Websites Over Decision To Monitor North Korean Troops In Ukraine
"Pro-Russia hacker groups have ramped up attacks on South Korean organizations following Seoul’s decision to send observers to Ukraine after North Korean troops joined Russian forces on the frontlines. According to a statement from the South Korean president’s office on Friday, the country’s cyber agencies have detected an increase in Russia-linked attacks, primarily targeting civilian and government websites. “Access to some organizations' websites has been temporarily delayed or disconnected, but aside from that, there has been no significant damage,” the statement said."
https://therecord.media/seoul-accuses-pro-kremlin-hackers-of-attacking-websites-ukraine
https://www.infosecurity-magazine.com/news/russian-hacktivits-south-korea/
- Scattered Spider x RansomHub: A New Partnership
"In October 2024, ReliaQuest investigated an intrusion for a customer in the manufacturing sector. We attributed the incident with high confidence to “Scattered Spider,” an English-speaking collective acting as an affiliate for the ransomware group “RansomHub.” Scattered Spider previously targeted telecommunications firms, likely to support its SIM-swapping activities that facilitate account takeovers. Lately, it’s shifted focus to extorting large organizations by collaborating with ransomware groups, aiming for higher financial returns."
https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/
https://www.theregister.com/2024/11/08/scattered_spider_blackcat_return/
- Breaking Down Earth Estries' Persistent TTPs In Prolonged Cyber Operations
"In early 2023, we published a blog entry on campaigns targeting governments and the tech industry from Earth Estries (aka Salt Typhoon), a high-level threat actor that has been active since at least 2020. In this report, we analyze two distinct attack chains by the group that demonstrate the varied tactics, techniques, and tools that they use to compromise targeted systems."
https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html
- Life On a Crooked RedLine: Analyzing The Infamous Infostealer’s Backend
"On October 28th, 2024, the Dutch National police, alongside the FBI, Eurojust, and several other law enforcement organizations, performed a takedown of the infamous RedLine Stealer malware-as-a-service (MaaS) operation, and its clone called META Stealer. This global effort, named Operation Magnus, resulted in the takedown of three servers in the Netherlands, the seizure of two domains, two people being taken into custody in Belgium, and the unsealing of charges against one of the alleged perpetrators in the United States."
https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/
- Evasive ZIP Concatenation: Trojan Targets Windows Users
"Threat actors continually seek innovative methods to evade detection, and ZIP file concatenation has proven to be an effective tactic. By exploiting the different ways ZIP readers and archive managers process concatenated ZIP files, attackers can embed malware that specifically targets users of certain tools. This method allows them to evade security solutions and trick researchers who depend on different approaches."
https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
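The evasion described above works because a ZIP reader locates the archive by scanning backwards from the end of the file for a single End-of-Central-Directory (EOCD) record, so when two archives are glued together a reader that trusts the last EOCD sees only the second archive. The Python below is an added example written for this digest, not code from the Perception Point report: it builds two small archives from constructed sample data, concatenates them, shows that the standard library's zipfile module lists only the trailing archive, and then enumerates every EOCD record in the file so that entries hidden in the earlier archive are exposed. The "invoice.exe" entry is a placeholder string, not an executable.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End-of-Central-Directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature


def build_zip(files):
    """Build a ZIP archive in memory from {name: bytes}; stored, so content stays literal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign archive followed by a second archive carrying the real payload.
BENIGN = build_zip({"readme.txt": b"quarterly report attached\n"})
HIDDEN = build_zip({"invoice.exe": b"placeholder bytes, not an executable"})
SAMPLE = BENIGN + HIDDEN


def what_a_trailing_eocd_reader_sees(data):
    """Entry names as reported by a reader that trusts the last EOCD (Python's zipfile)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def find_embedded_archives(data):
    """Return one entry-name list per EOCD record found anywhere in the data.

    Concatenated archives therefore surface as separate lists instead of being
    collapsed into whichever archive happens to end the file.
    """
    archives = []
    pos = 0
    while True:
        pos = data.find(EOCD_SIG, pos)
        if pos == -1 or pos + 22 > len(data):   # 22 bytes = EOCD without comment
            break
        # EOCD layout after the signature: disk(2) cd_disk(2) entries_disk(2)
        # entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
        entries_total, cd_size, cd_offset = struct.unpack_from("<HII", data, pos + 10)
        # cd_offset is relative to the start of *this* archive, which is no longer the
        # start of the file once archives are concatenated; anchor on the EOCD instead.
        cd_start = pos - cd_size
        names = []
        cur = cd_start
        for _ in range(entries_total):
            if cur < 0 or data[cur:cur + 4] != CDH_SIG:
                break                            # truncated or bogus directory: stop parsing
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, cur + 28)
            names.append(data[cur + 46:cur + 46 + name_len].decode("utf-8", "replace"))
            cur += 46 + name_len + extra_len + comment_len
        archives.append(names)
        pos += len(EOCD_SIG)
    return archives


def is_concatenated(data):
    """True when more than one EOCD record is present, the signal a scanner should alert on."""
    return len(find_embedded_archives(data)) > 1


if __name__ == "__main__":
    print("zipfile sees:      ", what_a_trailing_eocd_reader_sees(SAMPLE))
    print("all EOCDs expose:  ", find_embedded_archives(SAMPLE))
    print("concatenated?      ", is_concatenated(SAMPLE))
```

For a file gateway the actionable check is the last function: any upload with more than one EOCD record deserves quarantine or at least a scan of every embedded archive, since which one a user's tool opens depends on that tool's parsing order and not on the analyst's. Archives with a ZIP64 end record or a trailing comment need the corresponding extra parsing before the same offset arithmetic applies.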
Breaches/Hacks/Leaks
- Mystery Hackers Target Texas Oilfield Supplier In Ransomware Attack
"Newpark Resources, a Texas-based oil drilling fluids system and composite matting systems provider, announced in a filing with the Securities and Exchange Commission (SEC) that it is dealing with the fallout of a ransomware attack it faced earlier this week. The company has not shared details as to how the attackers gained access to its network, nor who the threat actors are or why they may have targeted Newpark. But after the breach was discovered, Newpark engaged its security response plan as expected and limited access to certain parts of its systems."
https://www.darkreading.com/cyberattacks-data-breaches/mystery-hackers-texas-oilfield-supplier-ransomware-attack
https://therecord.media/oilfield-supplier-faces-disruptions-cyberattack
https://www.infosecurity-magazine.com/news/newpark-resources-oilfield/
https://www.securityweek.com/texas-oilfield-supplier-newpark-hit-by-ransomware/
https://securityaffairs.com/170696/cyber-crime/newpark-resources-ransomware-attack.html
General News
- Insourcing Versus Outsourcing
"One of the quotes often attributed to Albert Einstein is “Insanity is doing the same thing over and over again and expecting different results”. Whilst there’s debate if this was something Einstein actually said, the sentiment definitely rings true. Several decades ago I was extremely privileged to work with the government to review the education curriculum to both modernize and expand the number of people that had cybersecurity skills. Since then, the number of centers of excellence in the UK teaching cybersecurity has dramatically grown, and so has the demand."
https://www.cybereason.com/blog/insourcing-versus-outsourcing
- Incident Response Readiness Journey
"Imagine for a second that you live in a neighborhood where increasingly houses get broken into by brazen criminals to steal and break valuable items, kidnap people for ransom, and, in some cases, burn houses to the ground! If those houses belonged to your closest neighbors, would you wait until those criminals break into your home before you do something, or would you proactively do all you can to deter similar acts on your house, including reinforcement of all doors, transfer of some valuables to bank safes, home security cameras, cooperation with relevant authorities, insurance for the worst-case scenario, or even moving altogether?"
https://blog.checkpoint.com/security/incident-response-readiness-journey/
- How Developers Drive Security Professionals Crazy
"In the evolving landscape of software development, the integration of DevSecOps has emerged as a critical paradigm, promising a harmonious blend of development, security, and operations to streamline feature delivery while ensuring security. However, the path to achieving this seamless integration is fraught with hurdles — ranging from the lack of security training among developers to the complexity of security tools, the scarcity of dedicated security personnel, and the generation of non-actionable security alerts."
https://www.darkreading.com/cybersecurity-operations/how-developers-drive-security-professionals-crazy
- Security Snippets: NIST Publishes Guide On Due Diligence For Cyber Supply Chain Risk Management
"Last week, the National Institute of Standards and Technology (NIST) released a “quick-start guide” to facilitate due diligence assessments from a cyber supply chain risk management perspective. The guide helps companies navigate due diligence under the agency’s Special Publication 800-161, which was revised in 2022 to address supply chain cybersecurity risks as directed by the Biden administration’s cybersecurity executive order."
https://www.engage.hoganlovells.com/knowledgeservices/news/security-snippets-nist-publishes-guide-on-due-diligence-for-cyber-supply-chain-risk-management
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1326.ipd.pdf
- Apple’s 45-Day Certificate Proposal: A Call To Action
"In a bold move, Apple has published a draft ballot for commentary to GitHub to shorten Transport Layer Security (TLS) certificates down from 398 days to just 45 days by 2027. The Apple proposal will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months. Apple isn’t the first of the big players to suggest such a move. Last year, Google announced its intention to mandate 90-day certificates – something that is expected to come into force any day now, which will mean any sites connecting to Chrome will need to renew their identities every 90 days."
https://www.helpnetsecurity.com/2024/11/08/apple-shorter-certificate-lifespans-proposal/
- October 2024 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples, targeted systems, and targeted businesses in October 2024, as well as notable ransomware issues in Korea and other countries. The following is a brief summary. The number of ransomware samples and targeted systems are based on the detection names designated by AhnLab, and the statistics on targeted businesses are based on the time the information on the ransomware group’s Dedicated Leak Sites (DLS, identical to ransomware PR sites or PR pages) was collected by the ATIP infrastructure."
https://asec.ahnlab.com/en/84286/
References
Electronic Transactions Development Agency (ETDA)