Cyber Threat Intelligence 22 November 2024
Industrial Sector
- Automated Logic WebCTRL Premium Server
"Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands on the server hosting WebCTRL or redirect legitimate users to malicious sites."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-01
- Schneider Electric EcoStruxure IT Gateway
"Successful exploitation of this vulnerability could allow unauthorized access."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-05
- MySCADA MyPRO Manager
"Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands or disclose sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07
- Schneider Electric Modicon M340, MC80, And Momentum Unity M1E
"Successful exploitation of these vulnerabilities could allow an attacker to tamper with memory on these devices."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-04
- Schneider Electric PowerLogic PM5300 Series
"Successful exploitation of this vulnerability could cause the device to become unresponsive resulting in communication loss."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-06
- OSCAT Basic Library
"Successful exploitation of this vulnerability allows a local, unprivileged attacker to access limited internal data of the PLC, which may lead to a crash of the affected service."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-02
- Schneider Electric Modicon M340, MC80, And Momentum Unity M1E
"Successful exploitation of these vulnerabilities could allow an attacker to retrieve password hashes or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-03
- Over 145,000 Industrial Control Systems Across 175 Countries Found Exposed Online
"New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures. The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa. The countries with the most ICS service exposures include the U.S. (more than 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the U.K., Japan, Sweden, Taiwan, Poland, and Lithuania."
https://thehackernews.com/2024/11/over-145000-industrial-control-systems.html
https://go.censys.com/rs/120-HWT-117/images/2024SOTIR.pdf
https://www.securityweek.com/ics-security-145000-systems-exposed-to-web-many-industrial-firms-hit-by-attacks/
New Tooling
- AxoSyslog: Open-Source Scalable Security Data Processor
"AxoSyslog is a syslog-ng fork, created and maintained by the original creator of syslog-ng, Balazs Scheidler, and his team. “We first started by making syslog-ng more cloud-ready: we packaged syslog-ng in a container, added helm charts, and made it more suitable for use in cloud-native environments. We’ve also improved the monitoring and operational experience to help AxoSyslog better integrate with modern telemetry pipelines,” Balazs Scheidler, CEO of Axoflow, told Help Net Security."
https://www.helpnetsecurity.com/2024/11/21/axosyslog-open-source-scalable-security-data-processor/
Vulnerabilities
- NTLM Privilege Escalation: The Unpatched Microsoft Vulnerabilities No One Is Talking About
"NTLM is like that stubborn relic of the past that just won’t go away – a decades-old authentication protocol, seemingly deprecated but still lurking in the shadows of every Windows environment."
https://blog.morphisec.com/top-5-ntlm-vulnerabilities-unpatched-threats-in-microsoft
- Forti-Fied? Logging Blind Spot Revealed In FortiClient VPN
"Virtual private networks (VPNs) have become widely used by enterprises for secure remote network access to protect sensitive data. This critical role has made VPNs attractive to threat actors, with more than half of enterprises attacked via VPN vulnerabilities in 2023. With this in mind, we focused our research on popular VPN clients, including Fortinet’s VPN solution, a preferred choice for many enterprises. During this research, we developed a method to automatically validate credentials against Fortinet VPN servers. In the process, we uncovered a bug that attackers can exploit, potentially compromising the security of countless organizations."
https://pentera.io/blog/FortiClient-VPN_logging-blind-spot-revealed/
https://www.bleepingcomputer.com/news/security/fortinet-vpn-design-flaw-hides-successful-brute-force-attacks/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability
CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
CVE-2024-21287 Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/11/21/cisa-adds-three-known-exploited-vulnerabilities-catalog
- 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process."
Priority: 3 - Important
Relevance: General
https://www.zerodayinitiative.com/advisories/ZDI-24-1532/
Malware
- Now BlueSky Hit With Crypto Scams As It Crosses 20 Million Users
"As many more users are flocking to BlueSky from social media platforms like X/Twitter, so are threat actors. BleepingComputer has spotted cryptocurrency scams popping up on BlueSky just as the decentralized microblogging service surpassed 20 million users this week."
https://www.bleepingcomputer.com/news/security/now-bluesky-hit-with-crypto-scams-as-it-crosses-20-million-users/
- Unveiling WolfsBane: Gelsemium’s Linux Counterpart To Gelsevirine
"ESET researchers have identified multiple samples of Linux backdoor, which we have named WolfsBane, that we attribute with high confidence to the Gelsemium advanced persistent threat (APT) group. This China-aligned threat actor has a known history dating back to 2014 and until now, there have been no public reports of Gelsemium using Linux malware. Additionally, we discovered another Linux backdoor, which we named FireWood. However, we cannot definitively link FireWood to other Gelsemium tools, and its presence in the analyzed archives might be coincidental. Thus, we attribute FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-aligned APT groups."
https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html
https://www.darkreading.com/threat-intelligence/chinese-apt-gelsemium-wolfsbane-linux-variant
https://www.helpnetsecurity.com/2024/11/21/linux-backdoors-wolfsbane-firewood/
https://www.infosecurity-magazine.com/news/linux-malware-wolfsbane-firewood/
- Over 2,000 Palo Alto Firewalls Hacked Using Recently Patched Bugs
"Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities. The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run commands on the firewall with root privileges. While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was tagged last Friday as CVE-2024-0012)."
https://www.bleepingcomputer.com/news/security/over-2-000-palo-alto-firewalls-hacked-using-recently-patched-bugs/
https://infosec.exchange/@shadowserver/113520322017264871
https://thehackernews.com/2024/11/warning-over-2000-palo-alto-networks.html
https://www.securityweek.com/2000-palo-alto-firewalls-compromised-via-new-vulnerabilities/
https://www.helpnetsecurity.com/2024/11/21/palo-alto-firewalls-compromised-cve-2024-0012-cve-2024-9474/
- Lumma Stealer On The Rise: How Telegram Channels Are Fueling Malware Proliferation
"In today’s rapidly evolving cyber landscape, malware threats continue to adapt, employing new tactics and leveraging popular platforms to reach unsuspecting victims. One such emerging threat is the Lumma Stealer—a potent information-stealing malware recently gaining traction through Telegram channels. With Telegram’s popularity as a messaging and sharing platform, threat actors have identified it as a lucrative distribution vector, bypassing traditional detection mechanisms and reaching a broad, often unsuspecting audience."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-rise-how-telegram-channels-are-fueling-malware-proliferation/
https://www.infosecurity-magazine.com/news/lumma-stealer-proliferation-fueled/
- The SOC Case Files: Play Ransomware Targets Manufacturing Firm
"At approximately 1:00 a.m. the sophisticated threat actors began their attack. They started by exploiting compromised credentials for a domain admin account, which allowed them to authenticate to an under-protected remote desktop server from where they planned to conduct the whole operation. The target did not have XDR server security in place, leaving a gap in monitoring capabilities that could have detected anomalous activity on the domain controller at the very start of the attack."
https://blog.barracuda.com/2024/11/21/soc-case-files-play-ransomware-manufacturing-firm
- DPRK IT Workers | A Network Of Active Front Companies And Their Links To China
"North Korea operates a global network of IT workers, both as individuals and under front companies, to evade sanctions and generate revenue for the regime. These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide."
https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/
https://thehackernews.com/2024/11/north-korean-front-companies.html
https://www.helpnetsecurity.com/2024/11/21/north-korean-it-front-companies/
- Python NodeStealer Targets Facebook Ads Manager With New Techniques
"In September 2023, Netskope Threat Labs reported a Python-based NodeStealer targeting Facebook business accounts. NodeStealer collects Facebook and other credentials stored in the browser and its cookie data. For over a year, we have tracked and discovered multiple variants of this infostealer. It is now targeting new victims and extracting new information using new techniques. In this blog post, we will dissect the development of the Python NodeStealer from multiple samples in the wild. Each section highlights different variants, showcasing new targets and techniques."
https://www.netskope.com/blog/python-nodestealer-targets-facebook-ads-manager-with-new-techniques
https://thehackernews.com/2024/11/nodestealer-malware-targets-facebook-ad.html
- Targeting The Cybercrime Supply Chain
"Microsoft’s Digital Crimes Unit (DCU) has seized 240 fraudulent websites associated with an Egypt-based cybercrime facilitator. Abanoub Nady (known online as “MRxC0DER”) developed and sold “do it yourself” phish kits and fraudulently used the brand name “ONNX” to sell these services. Numerous cybercriminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts. While all sectors are at risk, the financial services industry has been heavily targeted given the sensitive data and transactions they handle. In these instances, a successful phish can have devastating real-world consequences for the victims. It can result in the loss of significant amounts of money, including life savings, which, once stolen, can be very difficult to recover."
https://blogs.microsoft.com/on-the-issues/2024/11/21/targeting-the-cybercrime-supply-chain/
https://www.bleepingcomputer.com/news/security/microsoft-disrupts-onnx-phishing-as-a-service-infrastructure/
https://therecord.media/microsoft-seizes-websites-onnx-phishing
https://www.darkreading.com/cybersecurity-operations/microsoft-takes-action-against-phishing-service-platform
https://cyberscoop.com/microsoft-seizes-websites-tied-to-egypt-based-diy-phishing-kit-maker/
- Tracing The Path Of VietCredCare And DuckTail: Vietnamese Dark Market Of Infostealers’ Data
"In mid-2024, Vietnamese law enforcement agencies announced the results of a large-scale investigation into information stealers specifically targeting Facebook Business accounts, which led to the arrest of more than 20 individuals involved in the development, distribution, and operation of the malicious programs. These malicious programs illicitly collected Facebook accounts from the infected Windows-based victims. Threat actors categorized the received accounts based on advertisement balance and then sold or used them to run illicit and financially-motivated advertising campaigns."
https://www.group-ib.com/blog/tracing-the-path-of-vietcredcare-and-ducktail/
https://www.infosecurity-magazine.com/news/vietnams-infostealer-vietcredcare/
- Russia-Aligned TAG-110 Targets Asia And Europe With HATVIBE And CHERRYSPY
"Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaign’s tactics align with the historical activities of UAC-0063, attributed to Russian APT group BlueDelta (APT28). HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or exploiting vulnerable web-facing services like Rejetto HTTP File Server."
https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-asia-and-europe
https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-1121.pdf
https://therecord.media/central-asia-cyber-espionage-tag-110-russia
Breaches/Hacks/Leaks
- Ford Rejects Breach Allegations, Says Customer Data Not Impacted
"Ford is investigating allegations that it suffered a data breach after a threat actor claimed to leak 44,000 customer records on a hacking forum. The leak was announced on Sunday by threat actor 'EnergyWeaponUser,' also implicating the hacker 'IntelBroker,' who supposedly took part in the November 2024 breach. The threat actors leaked on BreachForums 44,000 Ford customer records containing customer information, including full names, physical locations, purchase details, dealer information, and record timestamps."
https://www.bleepingcomputer.com/news/security/ford-rejects-breach-allegations-says-customer-data-not-impacted/
- Cyberattack At French Hospital Exposes Health Data Of 750,000 Patients
"A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system. A threat actor using the nickname 'nears' (previously near2tlg) claimed to have attacked multiple healthcare facilities in France, alleging that they have access to the patient records of over 1,500,000 people. The hacker claims they breached MediBoard by Software Medical Group, a company offering Electronic Patient Record (EPR) solutions across Europe."
https://www.bleepingcomputer.com/news/security/cyberattack-at-french-hospital-exposes-health-data-of-750-000-patients/
https://securityaffairs.com/171238/data-breach/sale-750000-patients-french-hospital.html
https://www.tripwire.com/state-of-security/750000-patients-medical-records-exposed-after-data-breach-french-hospital
- Mexico’s President Says Government Is Investigating Reported Ransomware Hack Of Legal Affairs Office
"Mexico’s president said Wednesday that the government is investigating an alleged ransomware hack of her administration’s legal affairs office after what appeared to be samples of personal information from a database of government employees were posted online. The website Cybernews said a group called Ransomhub had posted a sample of apparently hacked government files on the dark web. Ransomhub is reportedly giving the government 10 days to pay an undisclosed sum or it will make public about 313 gigabytes of files."
https://www.securityweek.com/mexicos-president-says-government-is-investigating-reported-ransomware-hack-of-legal-affairs-office/
https://securityaffairs.com/171257/data-breach/mexico-suffers-ransomware-attack.html
- Gambling And Lottery Giant Disrupted By Cyberattack, Working To Bring Systems Back Online
"One of the largest gambling companies in the U.S. said a cyberattack last week caused massive disruptions to their operations, forcing them to take some systems offline. International Game Technology (IGT) notified the U.S. Securities and Exchange Commission on Tuesday that it became aware of the cyberattack when it “experienced disruptions in portions of its internal information technology systems and applications” on Sunday. “The Company has also proactively taken certain systems offline to help protect them. The Company's ongoing investigation and response include efforts to bring its systems back online,” the company said."
https://therecord.media/gambling-lottery-giant-hit-with-disruptive-cyberattack
General News
- How Can PR Protect Companies During a Cyberattack?
"When a cybersecurity incident occurs, it's not just IT systems and data that are at risk — a company's reputation is on the line, too."
https://www.darkreading.com/cyberattacks-data-breaches/how-can-pr-protect-companies-during-a-cyberattack-
- Enhancing Visibility For Better Security In Multi-Cloud And Hybrid Environments
"In this Help Net Security interview, Brooke Motta, CEO of RAD Security, talks about how cloud-specific threats have evolved and what companies should be watching out for. She discusses the growing complexity of cloud environments and the importance of real-time detection to protect against increasingly sophisticated attacks. Motta also shares practical advice for SMBs and organizations navigating compliance and cloud security challenges."
https://www.helpnetsecurity.com/2024/11/21/brooke-motta-rad-security-cloud-threat-detection/
- Unit 42 Predicts The Year Of Disruption And Other Top Threats In 2025
"2025 will be the “year of disruption” as organizations experience an increase in cyberattacks that halt business operations and impact end users. This disruption will be defined by a rise in mega breaches that take entire enterprise networks offline, driven by supply chain vulnerabilities and attackers reaching new levels of speed and sophistication. Additionally, the cost of cyber disruption will increase next year as businesses experience downtime due to cyberattacks and scramble to implement defenses fit for the AI-enabled attacker era."
https://www.paloaltonetworks.com/blog/2024/11/unit-42-predicts-top-threats-in-2025/
- OWASP Top 10 Risks For Large Language Models: 2025 Updates
"As generative AI and large language models (LLMs) are embedded into a greater number of internal processes and customer-facing applications, the risks associated with LLMs are growing. The OWASP Top 10 list for LLM applications for 2025 details these risks based on real-world usage as a cautionary note for leaders in tech, cybersecurity, privacy, and compliance."
https://blog.barracuda.com/2024/11/20/owasp-top-10-risks-large-language-models-2025-updates
- CISA Releases Insights From Red Team Assessment Of a U.S. Critical Infrastructure Sector Organization
"Today, CISA released Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization in coordination with the assessed organization. This cybersecurity advisory details lessons learned and key findings from an assessment, including the Red Team’s tactics, techniques, and procedures (TTPs) and associated network defense activity."
https://www.cisa.gov/news-events/alerts/2024/11/21/cisa-releases-insights-red-team-assessment-us-critical-infrastructure-sector-organization
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
https://www.bankinfosecurity.com/cisa-red-team-finds-alarming-critical-infrastructure-risks-a-26873
https://www.theregister.com/2024/11/22/cisa_red_team_exercise/
- Cybersecurity Is Critical, But Breaches Don't Have To Be Disasters
"Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM "Cost of a Data Breach Report 2024" estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it's about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It's time to shift the mindset: Every breach is an opportunity to innovate."
https://www.darkreading.com/cyberattacks-data-breaches/cybersecurity-critical-breaches-disasters
- Threat Predictions For 2025: Get Ready For Bigger, Bolder Attacks
"While threat actors continue to rely on many “classic” tactics that have existed for decades, our threat predictions for the coming year largely focus on cybercriminals embracing bigger, bolder, and, from their perspectives, better attacks. From Cybercrime-as-a-Service (CaaS) groups becoming more specialized to adversaries using sophisticated playbooks that combine both digital and physical threats, cybercriminals are upping the ante to execute more targeted and harmful attacks."
https://www.fortinet.com/blog/threat-research/threat-predictions-for-2025-get-ready-for-bigger-bolder-attacks
- Thai Court Dismisses Activist’s Closely Watched Lawsuit Against Spyware Maker
"A Thai civil court on Thursday dismissed a high-profile lawsuit filed by a prominent Thai activist who was allegedly targeted with powerful spyware manufactured by the NSO Group. The activist, Jatupat Boonpattararaksa, sued the surveillance technology company for allegedly “failing to prevent him” from being targeted with spyware, according to an Amnesty International press release."
https://therecord.media/thai-court-dismisses-activists-lawsuit-spyware
- Meta Says It Has Removed 2 Million Accounts Linked To Pig Butchering Scams
"Meta has taken down more than 2 million accounts this year connected to pig butchering scams conducted from Southeast Asia and the United Arab Emirates, the company said Thursday. In its latest security report, the parent company of Facebook, Instagram and WhatsApp highlighted its efforts to combat the scams and its collaboration with law enforcement and other technology companies."
https://therecord.media/meta-takedown-pig-butchering-2million-accounts
References
Electronic Transactions Development Agency (ETDA)