Cyber Threat Intelligence 14 November 2024
Healthcare Sector
- Feds Warn Of Godzilla Webshell Threats To Health Sector
"Godzilla webshell, a Chinese-language backdoor known for its stealth and ability to execute commands and manipulate files, is publicly available on GitHub, and federal authorities have issued a stern warning to the healthcare sector to prepare for this threat and inevitable cyberattacks. The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an alert Tuesday said it "implores" all healthcare organizations to review and take risk mitigation actions to defend against attacks using Godzilla webshell."
https://www.bankinfosecurity.com/feds-warn-godzilla-webshell-threats-to-health-sector-a-26803
https://www.hhs.gov/sites/default/files/november-2024–godzilla-webshell-analyst-note.pdf
Industrial Sector
- ICS Patch Tuesday: Security Advisories Released By CISA, Schneider, Siemens, Rockwell
"Siemens, Schneider Electric, CISA, and Rockwell Automation have released November 2024 Patch Tuesday security advisories. Siemens has published a dozen new advisories. Based on severity score, the most important vulnerability is a critical deserialization issue in TeleControl Server Basic, which can allow an unauthenticated attacker to execute arbitrary code on the device. In Sinec INS, Siemens patched roughly 60 vulnerabilities, including critical issues. Many of them impact third-party components used by the product. In Sinec NMS and Scalance M-800, the company addressed over a dozen flaws in each product, many of them impacting third-party components."
https://www.securityweek.com/ics-patch-tuesday-security-advisories-released-by-cisa-schneider-siemens-rockwell/
https://www.bankinfosecurity.com/schneider-electric-warns-critical-modicon-flaws-a-26804
New Tooling
- ShrinkLocker (+Decryptor): From Friend To Foe, And Back Again
"Imagine a ransomware attack that's so old-school it's using VBScript and a built-in Windows feature for encryption. ShrinkLocker (discovered in May 2024) is a surprisingly simple yet effective ransomware that uses relics from the past. Unlike most modern ransomware, which relies on sophisticated encryption algorithms, ShrinkLocker takes a simpler, more unconventional approach. ShrinkLocker modifies BitLocker configurations to encrypt a system's drives. It first checks if BitLocker is enabled and, if not, installs it. Then, it re-encrypts the system using a randomly generated password. This unique password is uploaded to a server controlled by the attacker. After the system reboots, the user is prompted to enter the password to unlock the encrypted drive. The attacker's contact email is displayed on the BitLocker screen, directing victims to pay a ransom for the decryption key."
https://www.bitdefender.com/en-gb/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-decryptor-recovers-bitlocker-password/
https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html
https://therecord.media/bitdefender-releases-decryptor-shrinklocker
https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/
https://www.theregister.com/2024/11/14/shrinklocker_ransomware_decryptor/
https://securityaffairs.com/170934/cyber-crime/shrinklocker-ransomware-decryptor.html
Vulnerabilities
- Microsoft Patches Windows Zero-Day Exploited In Attacks On Ukraine
"Suspected Russian hackers were caught exploiting a recently patched Windows vulnerability as a zero-day in ongoing attacks targeting Ukrainian entities. The security flaw (CVE-2024-43451) is an NTLM Hash Disclosure spoofing vulnerability reported by ClearSky security researchers, which can be exploited to steal the logged-in user's NTLMv2 hash by forcing connections to a remote attacker-controlled server. ClearSky spotted this campaign in June after observing phishing emails designed to exploit it. These emails contained hyperlinks that would download an Internet shortcut file hosted on a previously compromised server (osvita-kp.gov[.]ua) belonging to the Kamianets-Podilskyi City Council's Department of Education and Science."
https://www.bleepingcomputer.com/news/security/microsoft-patches-windows-zero-day-exploited-in-attacks-on-ukraine/
https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/
- Threats In Space (or Rather, On Earth): Internet-Exposed GNSS Receivers
"Global Navigation Satellite Systems (GNSS) are collections, or constellations, of satellite positioning systems. There are several GNSSs launched by different countries currently in operation: GPS (US), GLONASS (Russia), Galileo (EU), BeiDou Navigation Satellite System (BDS, China), Navigation with Indian Constellation (NavIC, India) and Quasi-Zenith Satellite System (QZSS, Japan). These systems are used for positioning, navigation and timing (PNT) by a wide range of industries: agriculture, finance, transportation, mobile communications, banking and others."
https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/
- High-Severity Vulnerabilities Patched In Zoom, Chrome
"Zoom and Chrome security updates released on Tuesday patch over a dozen vulnerabilities affecting users across desktop platforms. Zoom announced fixes for six security defects, including two high-severity issues that could allow remote attackers to escalate privileges or leak sensitive information. The first bug, tracked as CVE-2024-45421 (CVSS score of 8.5), is described as a buffer overflow issue that requires authentication for successful exploitation. The second flaw, tracked as CVE-2024-45419 (CVSS score of 8.1), is an improper input validation issue that can be exploited over the network, without authentication."
https://www.securityweek.com/high-severity-vulnerabilities-patched-in-zoom-chrome/
https://securityaffairs.com/170861/security/zoom-fixed-two-high-severity-flaws.html
- The Problem With IoT Cloud-Connectivity And How It Exposed All OvrC Devices To Hijacking
"There are certain commonalities when the cybersecurity of internet-of-things (IoT) devices is researched and discussed. Manufacturers have long treated the security of these connected things as an afterthought, failing to prioritize the use of strong authentication and access controls, or relying on weak or outdated protocols for device communication to the cloud, and avoiding costly encryption implementations for data security."
https://claroty.com/team82/research/the-problem-with-iot-cloud-connectivity-and-how-it-exposed-all-ovrc-devices-to-hijacking
https://thehackernews.com/2024/11/ovrc-platform-vulnerabilities-expose.html
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2021-26086 Atlassian Jira Server and Data Center Path Traversal Vulnerability
CVE-2014-2120 Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
CVE-2021-41277 Metabase GeoJSON API Local File Inclusion Vulnerability
CVE-2024-43451 Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/12/cisa-adds-five-known-exploited-vulnerabilities-catalog
- Chipmaker Patch Tuesday: Intel Publishes 44 And AMD Publishes 8 New Advisories
"Intel and AMD have published November 2024 Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products. Intel has released 44 new advisories for over 80 vulnerabilities, including more than 20 high-severity issues. The high-severity vulnerabilities impact products such as Server Board S2600ST and S2600BP, graphics drivers, Neural Compressor, Computing Improvement Program, Xeon and other processors, Alias Checking Trusted Module, Endpoint Management Assistant, Driver Support Assistant, and Extension for Transformers."
https://www.securityweek.com/chipmaker-patch-tuesday-intel-publishes-44-and-amd-publishes-8-new-advisories/
Malware
- Critical Bug In EoL D-Link NAS Devices Now Exploited In Attacks
"Attackers now target a critical severity vulnerability with publicly available exploit code that affects multiple models of end-of-life D-Link network-attached storage (NAS) devices. Tracked as CVE-2024-10914, the command injection vulnerability was found by security researcher Netsecfish, who also shared exploitation details and said that unauthenticated attackers could exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable NAS devices exposed online."
https://www.bleepingcomputer.com/news/security/critical-bug-in-eol-d-link-nas-devices-now-exploited-in-attacks/
- Phishing By Design: Two-Step Attacks Using Microsoft Visio Files
"Two-step phishing attacks have become a cornerstone of modern cybercrime, leveraging trusted legitimate platforms like DocuSign and SharePoint to deliver malicious content in layers to evade detection. In a recent twist, threats have begun exploiting Microsoft Visio files in two-step phishing campaigns. This analysis dives into how .vsdx files are increasingly weaponized in phishing attacks as a new evasion technique in the attacker's arsenal."
https://perception-point.io/blog/phishing-by-design-two-step-attacks-using-microsoft-visio-files/
- Emmenhtal Loader Uses Scripts To Deliver Lumma And Other Malware
"Emmenhtal Loader uses LOLBAS techniques, deploying malware like Lumma and Amadey through legitimate Windows tools. Its infection chain of LNK files and encrypted scripts evades detection. Cybercriminals are always on the lookout for sneaky ways to bypass detection. One of the ongoing threats that cybersecurity professionals are closely monitoring is the Emmenhtal loader campaign. Emmenhtal relies on LOLBAS (Living Off the Land Binaries and Scripts) techniques to quietly deliver malware, making it especially hard to detect."
https://hackread.com/emmenhtal-loader-uses-scripts-deliver-lumma-malware/
- China-Nexus TAG-112 Compromises Tibetan Websites To Distribute Cobalt Strike
"In a recent cyber campaign, the Chinese state-sponsored threat group TAG-112 compromised two Tibetan websites, Tibet Post and Gyudmed Tantric University, to deliver the Cobalt Strike malware. Recorded Future’s Insikt Group discovered that the attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a disguised security certificate. This malware, often used by threat actors for remote access and post-exploitation, highlights a continued cyber-espionage focus on Tibetan entities. TAG-112’s infrastructure, concealed using Cloudflare, links this campaign to other China-sponsored operations, particularly TAG-102 (Evasive Panda)."
https://www.recordedfuture.com/research/china-nexus-tag-112-compromises-tibetan-websites
https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf
https://www.securityweek.com/chinese-hackers-target-tibetan-websites-in-malware-attack-cybersecurity-group-says/
- Global Companies Are Unknowingly Paying North Koreans: Here's How To Catch Them
"Workers with allegiances to the Democratic People's Republic of Korea (DPRK) have been infiltrating organizations worldwide through a fraudulent remote work scheme. This operation not only violates international sanctions but also poses cybersecurity risks to unwitting employers. Drawing on publicly available information, including recent U.S. Department of Justice reports, Unit 42 has developed a guide for network defenders. While no single technique alone will detect these operatives, we propose a multi-faceted strategy that combines enhanced IT asset management, contextual analysis and strengthened security awareness."
https://unit42.paloaltonetworks.com/north-korean-it-workers/
- US Govt Officials' Communications Compromised In Recent Telecom Hack
"CISA and the FBI confirmed that Chinese hackers compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers. The attackers also stole other information from the companies' compromised systems, including information related to customer call records and law enforcement requests. "Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data," the two agencies said in a joint statement issued on Wednesday."
https://www.bleepingcomputer.com/news/security/chinese-hackers-compromised-us-government-officials-private-communications-in-recent-telecom-breach/
https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3c1b400
- LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
"In April 2024, BlackBerry identified a significant evolution in the LightSpy malware campaign, demonstrating enhanced capabilities and advanced data theft mechanisms. The threat actor behind LightSpy, who we believe with a high level of confidence is associated with Chinese cyber-espionage group APT41, has now expanded their toolset with the introduction of DeepData, a modular Windows-based surveillance framework that significantly broadens their espionage capabilities."
https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
https://www.darkreading.com/cyberattacks-data-breaches/toolkit-expands-apt41s-surveillance-powers
- Strela Stealer: Today's Invoice Is Tomorrow's Phish
"As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe – primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation’s effectiveness. Hive0145 is likely to be a financially motivated initial access broker (IAB), active since late 2022 and potentially the sole operator of Strela Stealer. The continuous operational pace of Hive0145’s campaigns highlights an increased risk to potential victims across Europe."
https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/
https://www.infosecurity-magazine.com/news/hive0145-targets-eu-strela-stealer/
- Stealthy Attributes Of APT Lazarus: Evading Detection With Extended Attributes
"In this blog, we examine a fresh take on techniques regarding concealing codes in Extended Attributes in order to evade detection in macOS systems. This is a new technique that has yet to be included in the MITRE ATT&CK framework."
https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
https://www.infosecurity-magazine.com/news/lazarus-extended-attributes-macos/
Breaches/Hacks/Leaks
- Leaked Info Of 122 Million Linked To B2B Data Aggregator Breach
"The business contact information for 122 million people circulating since February 2024 is now confirmed to have been stolen from a B2B demand generation platform. The data comes from DemandScience (formerly Pure Incubation), a B2B demand generation company that aggregates data. Data aggregation is the process of collecting, compiling, and organizing data from public sources to create a comprehensive dataset valuable for digital marketers and advertisers in creating rich "profiles" used to generate leads or marketing information."
https://www.bleepingcomputer.com/news/security/leaked-info-of-122-million-linked-to-b2b-data-aggregator-breach/
- Wisconsin City Of Sheboygan Says Ransom Demanded After Cyberattack
"Cybercriminals have demanded a ransom from officials in the city of Sheboygan, Wisconsin this week after launching an attack that caused network issues. Since late October, the city of more than 50,000 has been dealing with technology outages. On Sunday the city provided an update, confirming that hackers gained “unauthorized access” to the city’s network."
https://therecord.media/sheboygan-wisconsin-hackers-demand-ransom
- Data Broker Amasses 100M+ Records On People, Then Someone Snatches, Sells It
"What's claimed to be more than 183 million records of people's contact details and employment info has been stolen or otherwise obtained from a data broker and put up for sale by a miscreant. The underworld merchant, using the handle KryptonZambie, has put a $6,000 price tag on the information in a cybercrime forum posting. They are offering 100,000 records as a sample for interested buyers, and claim the data as a whole includes people's corporate email addresses, physical addresses, phone numbers, names of employers, job titles, and links to LinkedIn and other social media profiles."
https://www.theregister.com/2024/11/13/demandscience_data/
- Ransomware Fiends Boast They've Stolen 1.4TB From US Pharmacy Network
"American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared. The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP's data, scrambling its files, and demanding payment to restore the information."
https://www.theregister.com/2024/11/13/embargo_ransomware_breach_aap/
General News
- Middle East Cybersecurity Efforts Catch Up After Late Start
"The increase in cyber operations, disruptive attacks, and hacktivism in the Middle East has led the region's largest nations to pursue more sophisticated cybersecurity laws and frameworks over the past decade, leading to a dynamic regulatory landscape that companies need to navigate moving forward, according to regional experts."
https://www.darkreading.com/cyber-risk/middle-east-cybersecurity-efforts-catch-up
https://blogs.cisco.com/security/overview-of-cybersecurity-regulations-in-the-middle-east-region-part-1
- CISOs In 2025: Balancing Security, Compliance, And Accountability
"In this Help Net Security interview, Daniel Schwalbe, CISO at DomainTools, discusses the intensifying regulatory demands that have reshaped CISO accountability and daily decision-making. He outlines the skill sets future CISOs need, their key priorities for 2025, and how increased pressure impacts the role’s attractiveness and retention."
https://www.helpnetsecurity.com/2024/11/13/daniel-schwalbe-domaintools-cisos-2025/
- Tips For A Successful Cybersecurity Job Interview
"Whether you’re looking to enhance your existing cybersecurity skills or just beginning your journey in the field, cybersecurity offers a wide range of career opportunities. If you’re considering a career shift, exploring new job opportunities, or aiming to upgrade your skill set, take time to learn about the questions to prepare for in your upcoming cybersecurity job interview."
https://www.helpnetsecurity.com/2024/11/13/cybersecurity-job-interview-questions-tips/
- US Indicts Snowflake Hackers Who Extorted $2.5 Million From 3 Victims
"The U.S. Department of Justice has unsealed the indictment against two suspected Snowflake hackers, who breached more than 165 organizations using the services of the Snowflake cloud storage company. Connor Riley Moucka and John Erin Binns are accused of using credentials, obtained with the help of info-stealing malware, to hijack Snowflake accounts that were not protected by multi-factor authentication. Moucka and Binns exfiltrated terabytes of data from various companies and demanded ransom payments in exchange for deleting the stolen information."
https://www.bleepingcomputer.com/news/security/us-indicts-snowflake-hackers-who-extorted-25-million-from-3-victims/
https://www.theregister.com/2024/11/12/snowflake_hackers_indictment/
https://www.bankinfosecurity.com/us-prosecutors-charge-hackers-in-snowflake-data-theft-a-26805
- How CISOs Can Lead The Responsible AI Charge
"No one wants to miss the artificial intelligence (AI) wave, but the "fear of missing out" has leaders poised to step onto an already fast-moving train where the risks can outweigh the rewards. A PwC survey highlighted a stark reality: 40% of global leaders don't understand the cyber-risks of generative AI (GenAI), despite their enthusiasm for the emerging technology. This is a red flag that could expose companies to security risks from negligent AI adoption. This is precisely why a chief information security officer (CISO) should lead in AI technology evaluation, implementation, and governance. CISOs understand the risk scenarios that can help create safeguards so everyone can use the technology safely and focus more on AI's promises and opportunities."
https://www.darkreading.com/vulnerabilities-threats/how-cisos-can-lead-responsible-ai-charge
- Adversarial Advantage: Using Nation-State Threat Analysis To Strengthen U.S. Cybersecurity
"Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, “nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities.” These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk. Thankfully, there’s an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are better prepared to track, manage and mitigate these attacks."
https://securityintelligence.com/articles/adversarial-advantage-using-nation-state-threat-analysis-to-strengthen-us-cybersecurity/
- NIST Says Exploited Vulnerability Backlog Cleared But End-Of-Year Goal For Full List Unlikely
"The federal body in charge of processing prominent vulnerabilities said a backlog of unanalyzed exploited bugs has been cleared. The National Institute of Standards and Technology (NIST) has faced backlash since it became clear earlier this year that thousands of critical vulnerabilities were not being analyzed or enriched since the agency announced cutbacks in February. Enrichment involves adding contextual data to an entry about a vulnerability in the National Vulnerability Database (NVD)."
Priority: 3 - Important
Relevance: General
https://therecord.media/nist-vulnerability-backlog-cleared-cisa
Reference
Electronic Transactions Development Agency (ETDA) - Feds Warn Of Godzilla Webshell Threats To Health Sector