Cyber Threat Intelligence 20 November 2024
Industrial Sector
- Mitsubishi Electric MELSEC iQ-F Series
"Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in Ethernet communication on the module. A system reset of the module is required for recovery."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-324-01
Vulnerabilities
- Oracle Patches Exploited Agile PLM Vulnerability (CVE-2024-21287)
"Oracle has released a security patch for CVE-2024-21287, a remotely exploitable vulnerability in the Oracle Agile PLM Framework that is, according to Tenable researchers, being actively exploited by attackers. Oracle Agile PLM Framework is an enterprise product lifecycle management solution that enables collaboration between the various teams involved. CVE-2024-21287 affects version 9.3.6 of the Agile PLM Framework – more specifically, the Agile Software Development Kit and the Process Extension components."
https://www.helpnetsecurity.com/2024/11/19/cve-2024-21287/
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
https://www.bleepingcomputer.com/news/security/oracle-warns-of-agile-plm-file-disclosure-flaw-exploited-in-attacks/
- D-Link Urges Users To Retire VPN Routers Impacted By Unfixed RCE Flaw
"D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices. The flaw was discovered and reported to D-Link by security researcher 'delsploit,' but technical details have been withheld from the public to avoid triggering mass exploitation attempts in the wild. The vulnerability, which does not have a CVE assigned to it yet, impacts all hardware and firmware revisions of DSR-150 and DSR-150N, and also DSR-250 and DSR-250N from firmware 3.13 to 3.17B901C."
https://www.bleepingcomputer.com/news/security/d-link-urges-users-to-retire-vpn-routers-impacted-by-unfixed-rce-flaw/
- Apple Fixes Two Zero-Days Used In Attacks On Intel-Based Macs
"Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS."
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-used-in-attacks-on-intel-based-macs/
https://support.apple.com/en-us/121753
https://www.securityweek.com/apple-confirms-zero-day-attacks-hitting-intel-based-macs/
- November 18 Advisory: Windows KDC Proxy Remote Code Execution Vulnerability [CVE-2024-43639]
"CVE-2024-43639 is a critical vulnerability in the Windows Kerberos authentication protocol that allows unauthenticated attackers to execute remote code on affected systems. By exploiting this flaw, attackers can send specially crafted requests to a vulnerable system, leveraging a cryptographic protocol vulnerability in the Windows Kerberos to gain unauthorized access and execute arbitrary code. This vulnerability has been assigned a CVSS severity score of 9.8. This vulnerability only affects Windows Servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected."
https://censys.com/cve-2024-43639/
https://hackread.com/windows-kerberos-flaw-millions-of-servers-attack/
Malware
- Spotify Abused To Promote Pirated Software And Game Cheats
"Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may benefit from boosting SEO for their dubious online properties, since Spotify's web player results appear in search engines like Google."
https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pirated-software-and-game-cheats/
- One Sock Fits All: The Use And Abuse Of The NSOCKS Botnet
"The Black Lotus Labs team at Lumen Technologies has expanded the known architecture of the “ngioweb” botnet, its use as a cornerstone of the notorious criminal proxy service known as NSOCKS, and appropriation by others such as VN5Socks and Shopsocks5. One of the most widely used criminal proxies, NSOCKS maintains a daily average of over 35,000 bots in 180 countries, and has been tied to notorious groups such as Muddled Libra. At least 80% of NSOCKS bots in our telemetry originate from the ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices. Two-thirds of these proxies are based in the U.S."
https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/
https://www.bleepingcomputer.com/news/security/ngioweb-botnet-fueling-residential-proxies-disrupted-in-cybercrime-crackdown/
https://thehackernews.com/2024/11/ngioweb-botnet-fuels-nsocks-residential.html
https://cyberscoop.com/proxy-services-cybercrime-ngioweb-botnet-nsocks/
- Threat Actors Hijack Misconfigured Servers For Live Sports Streaming
"To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new attack vector: threat actors using misconfigured servers to hijack environments for streaming sports events. By exploiting misconfigured JupyterLab and Jupyter Notebook applications, attackers drop live streaming capture tools and duplicate the broadcast on their illegal server, thus conducting stream ripping. In this blog, we explain how our threat hunting operation helped us uncover this and how we analyzed this attack using Aqua Tracee and Traceeshark."
https://www.aquasec.com/blog/threat-actors-hijack-misconfigured-servers-for-live-sports-streaming/
https://thehackernews.com/2024/11/hackers-hijack-unsecured-jupyter.html
https://cyberscoop.com/misconfigured-jupyter-notebooks-uefa-champions-league-streaming/
https://www.securityweek.com/vulnerable-jupyter-servers-targeted-for-sports-piracy/
- Free AI Editor Lures In Victims, Installs Information Stealer Instead On Windows And Mac
"A large social media campaign was launched to promote a free Artificial Intelligence (AI) video editor. If the “free” part of that campaign sounds too good to be true, then that’s because it was. Instead of the video editor, users got information stealing malware. Lumma Stealer was installed on Windows machines and Atomic Stealer (AMOS) on Macs. The campaign to promote the AI video editor was active on several social media platforms, like X, Facebook, and YouTube…"
https://www.malwarebytes.com/blog/news/2024/11/free-ai-editor-lures-in-victims-installs-information-stealer-instead-on-windows-and-mac
- Hackers Redirect $250,000 Payment In iLearningEngines Cyberattack
"AI-powered learning automation firm iLearningEngines on Monday disclosed a cybersecurity incident that resulted in the theft of $250,000. iLearningEngines told the SEC that a threat actor accessed its environment and certain files on its network, deleted some emails, and misdirected a $250,000 wire payment, which has not been recovered. Maryland-based iLearningEngines has developed a platform that uses AI to deliver personalized and automated learning, as well as work automation capabilities that organizations can use to custom-design workflows and optimize processes."
https://www.securityweek.com/hackers-redirect-250000-payment-in-ilearningengines-cyberattack/
https://www.sec.gov/Archives/edgar/data/1835972/000121390024099394/ea0221424-8k_ilearning.htm
- Helldown Ransomware: An Overview Of This Emerging Threat
"Through our social media monitoring, Sekoia’s Threat Detection & Research (TDR) team identified a tweet posted on 31 October 2024 mentioning a Linux variant of the Helldown ransomware targeting Linux systems. The Helldown ransomware group is a relatively new and still largely undocumented Intrusion Set (IS), previously known to deploy ransomware exclusively on Windows systems. It employs its own custom ransomware and engages in double extortion tactics. It is particularly active, claiming 31 victims within three months, including Zyxel’s European subsidiary."
https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html
https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/
https://www.darkreading.com/cyberattacks-data-breaches/linux-variant-helldown-ransomware-targets-vmware
https://www.bankinfosecurity.com/helldown-ransomware-group-tied-to-zyxels-firewall-exploits-a-26849
https://www.infosecurity-magazine.com/news/helldown-ransomware-target-vmware/
- Spot The Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
"LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. While some vendors suspect that the actor using LODEINFO might be APT10, we don’t have enough evidence to fully support this speculation. Currently, we view APT10 and Earth Kasha as different entities, although they might be related. To avoid confusion caused by names, we use a new term “APT10 Umbrella," which represents a group of intrusion sets related to APT10 (including APT10 itself)."
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
- FrostyGoop’s Zoom-In: A Closer Look Into The Malware Artifacts, Behaviors And Network Communications
"In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt critical infrastructure. The outage occurred after the Cyber Security Situation Center (CSSC), affiliated with the Security Service of Ukraine, disclosed details [PDF] of an attack on a municipal energy company in Lviv in April 2024. FrostyGoop is the ninth reported OT-centric malware, but the first that used Modbus TCP communications to impact the power supply to heating services for over 600 apartment buildings. FrostyGoop can be used both within a compromised perimeter and externally if the target device is accessible over the internet. FrostyGoop sends Modbus commands to read or modify data on industrial control systems (ICS) devices, causing damage to the environment where attackers installed it."
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
Breaches/Hacks/Leaks
- Healthcare Org Equinox Notifies 21K Patients And Staff Of Data Theft
"Equinox, a New York State health and human services organization, has begun notifying over 21 thousand clients and staff that cyber criminals stole their health, financial, and personal information in a "data security incident" nearly seven months ago. Adding insult to injury, it appears the LockBit ransomware gang – which was supposed to have been shut down at the time of the incident – may be to blame."
https://www.theregister.com/2024/11/20/equinox_patients_employees_data/
General News
- We Can Do Better Than Free Credit Monitoring After a Breach
"Having a long career in cybersecurity doesn't stop me from being included in the same data breaches and mass involuntary disclosures of consumer information as everyone else. And like everyone else, I probably have now collected enough years of "free" credit monitoring that some of it could be passed on to my kids upon my death — maybe there will be some left for my grandkids, too. Not that credit monitoring isn't helpful — one big benefit is the detection of data on the Dark Web, which has shed more light on the frequency of breaches. Through my free credit monitoring obtained after one breach, I have been notified about my data showing up on the Dark Web, indicating a new breach has occurred with a different company, long before the company notified me itself."
https://www.darkreading.com/cyberattacks-data-breaches/we-can-do-better-than-free-credit-monitoring-after-breach
- AI About-Face: 'Mantis' Turns LLM Attackers Into Prey
"Companies worried about cyberattackers using large language models (LLMs) and other generative artificial intelligence (AI) systems that automatically scan and exploit their systems could gain a new defensive ally: a system capable of subverting the attacking AI. Dubbed Mantis, the defensive system uses deceptive techniques to emulate targeted services and — when it detects a possible automated attacker — sends back a payload that contains a prompt-injection attack. The counterattack can be made invisible to a human attacker sitting at a terminal and will not affect legitimate visitors who are not using malicious LLMs, according to a paper by a group of researchers from George Mason University."
https://www.darkreading.com/cybersecurity-operations/deceptive-framework-defense-mislead-attacking-ai
https://arxiv.org/abs/2410.20911
- To Map Shadow IT, Follow Citizen Developers
"Shadow IT is what your business runs on while waiting for IT to provide an enterprise solution. It's your sales team buying licenses to an obscure software-as-a-service (SaaS) because it helps them get the job done. Or it's your finance team using an unapproved tool because the approved one is too clunky. Sometimes shadow IT exists specifically to bypass an overly annoying security mechanism — figuring out a way to forward business emails to your personal Gmail account because it's easier to view on mobile, for example."
https://www.darkreading.com/cyber-risk/to-map-shadow-it-follow-citizen-developers
- Dev + Sec: A Collaborative Approach To Cybersecurity
"The age-old tension between development and security teams has long been a source of friction in organizations. Developers prioritize speed and efficiency, aiming to deliver features and products quickly with a fast-paced, iterative development cycle and move on efficiently. On the other hand, security teams strive to balance risk and innovation but must focus on protecting sensitive data and systems with guardrails and ensuring compliance with stringent regulations."
https://www.helpnetsecurity.com/2024/11/19/dev-sec-collaborative-approach/
- Why AI Alone Can’t Protect You From Sophisticated Email Threats
"In this Help Net Security interview, Riaz Lakhani, CISO at Barracuda Networks, discusses the effectiveness of AI-based behavioural analysis in combating sophisticated email threats like BEC and VEC. Lakhani also explains how AI tools help detect malicious email activity and address the limitations of traditional security measures."
https://www.helpnetsecurity.com/2024/11/19/riaz-lakhani-barracuda-networks-sophisticated-email-threats/
- Companies Take Over Seven Months To Recover From Cyber Incidents
"IT decision makers (ITDMs) are overly optimistic about how long it would take their organization to recover from a serious cybersecurity incident, according to new data from Fastly. The cloud services provider polled 1800 ITDMs with responsibility for cybersecurity in organizations across the Americas, Europe, APAC and Japan to compile its Global Security Research Report. The study revealed that it takes 7.34 months on average to fully recover from an incident, 25% longer than 5.85 months predicted by respondents."
https://www.infosecurity-magazine.com/news/companies-seven-months-recover/
- New Threat Report From Cato Networks Reveals Ransomware Gangs Recruiting Penetration Testers To Improve Effectiveness Of Attacks
"Cato Networks, the SASE leader, today published the Q3 2024 Cato CTRL SASE Threat Report, which provides insights into the threat landscape across several key areas: hacking communities and the dark web, enterprise security and network security. "Ransomware is one of the most pervasive threats in the cybersecurity landscape. It impacts everyone—businesses and consumers—and threat actors are constantly trying to find new ways to make their ransomware attacks more effective," said Etay Maor, chief security strategist at Cato Networks."
https://www.prnewswire.com/il/news-releases/new-threat-report-from-cato-networks-reveals-ransomware-gangs-recruiting-penetration-testers-to-improve-effectiveness-of-attacks-302309226.html
https://www.darkreading.com/vulnerabilities-threats/russian-ransomware-gangs-hunt-pen-testers
https://www.infosecurity-magazine.com/news/ransomware-gangs-pen-testers/
- The Dark Side Of Gen AI
"There’s no denying that Generative Artificial Intelligence (GenAI) has been one of the most significant technological developments in recent memory, promising unparalleled advancements and enabling humanity to accomplish more than ever before. By harnessing the power of AI to learn and adapt, GenAI has fundamentally changed how we interact with technology and each other, opening new avenues for innovation, efficiency, and creativity, and revolutionizing nearly every industry, including cybersecurity. As we continue to explore its potential, GenAI promises to rewrite the future in ways we are only beginning to imagine."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-dark-side-of-gen-ai/
- Scammer Black Friday Offers: Online Shopping Threats And Dark Web Sales
"The e-commerce market continues to grow every year. According to FTI consulting, in Q1 2024, online retail comprised 57% of total sales in the US, and it is expected to increase by 9.8% over 2023 by the end of this year. In Europe, 72% of those aged 16–74 buy online, their share growing by the year. Globally, according to eMarketer, e-commerce sales are to reach $6.9 trillion by the end of 2024."
https://securelist.com/black-friday-report-2024/114589/
- Communication Platforms Play a Major Role In Data Breach Risks
"Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools. When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email, file sharing, managed transfer and secure file transfer. But there are many other communication tools, including SMS text, video conferencing and even web forms. Kiteworks’ research found that more is not necessarily better when it comes to security and communications tools."
https://securityintelligence.com/articles/communication-platforms-major-role-in-data-breach-risks/
- The Urgent And Critical Need To Prioritize Mobile Security
"The modern enterprise is far more mobile than it used to be. Trends like Bring Your Own Device (BYOD) and Company Owned, Personally Enabled (COPE), hybrid working and enterprise mobility initiatives have been picking up pace, allowing mobile devices to access and interact with enterprise data systems like never before. According to Verizon, more than half (55%) of organizations have more mobile device users than they did 12 months ago, and Zimperium claims more than 70% of employees use smartphones for work-related tasks."
https://www.securityweek.com/the-urgent-and-critical-need-to-prioritize-mobile-security/
- Cybersecurity Aphorisms: A Humorous And Insightful Look At The Industry’s Truths
"Aphorisms abound in cybersecurity. They are clever, self-effacing, and purposeful survival mechanisms that simultaneously teach reality truths in possibly the most stressful occupation outside of the military. SecurityWeek talked to Bec McKeown CPsychol, founder and principal psychologist at Mind Science Ltd (and a visiting lecturer in applied psychology at Cranfield University) to understand the role and purpose of aphorisms in cybersecurity. We illustrate the discussion with genuine aphorisms collected from practicing security professionals."
https://www.securityweek.com/cybersecurity-aphorisms-a-humorous-and-insightful-look-at-industrys-truths/
- Threat Spotlight: Bad Bots Are Evolving To Become More 'human'
"The bot landscape is changing. Malicious — or bad bots — are evolving to become more advanced and human-like in their behavior, while an emerging category of AI bots, which we might think of as “grey bots,” is blurring the boundary of legitimate activity. Barracuda security researchers analyzed bot-related traffic and activity targeting web applications and APIs between September 2023 and the end of August 2024."
https://blog.barracuda.com/2024/11/19/threat-spotlight-bad-bots-evolving-more-human
- Security Culture And Its Importance In Protecting Organizations
"Cyberattacks are escalating rapidly. With the emergence of artificial intelligence (AI) technologies, cybercriminals can now craft sophisticated social engineering attacks, making such threats more prevalent and easier to execute. However, AI adoption is not the only driver of increased cyber risks. Rapid digitization, which appears in the widespread use of Internet of Things (IoT) devices, and the shift to cloud environments have vastly expanded attack surfaces, providing more entry points for hackers to exploit."
https://blog.barracuda.com/2024/11/18/security-culture-protecting-organizations
- Navigating The Evolving Threat Landscape Ahead Of Black Friday
"As Thanksgiving and Black Friday approach, so do the risks of fraudulent shopping scams. Cyber criminals take advantage of shoppers eager to benefit from the exceptional sales available on Black Friday. In preparation for this shopping season, Check Point Research has examined the activities of these cyber criminals. They found a significant increase in malicious websites related to Black Friday. Additionally, researchers noted that phishing emails have remained consistent, indicating that it is easy for cyber attackers to recreate these scams."
Priority: 3 - Important
Relevance: General, Trends and statistics
https://blog.checkpoint.com/research/navigating-the-evolving-threat-landscape-ahead-of-black-friday/
Reference
Electronic Transactions Development Agency (ETDA)