Cyber Threat Intelligence 04 December 2024
Healthcare Sector
- Ransomware's Grip On Healthcare
"Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives."
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-grip-healthcare
Industrial Sector
- CISA Releases Eight Industrial Control Systems Advisories
"CISA released eight Industrial Control Systems (ICS) advisories on December 3, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-releases-eight-industrial-control-systems-advisories
https://www.bankinfosecurity.com/16-zero-days-uncovered-in-fuji-electric-monitoring-software-a-26962
Telecom Sector
- CISA And Partners Release Joint Guidance On PRC-Affiliated Threat Actor Compromising Networks Of Global Telecommunications Providers
"Today, CISA—in partnership with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners—released joint guidance, Enhanced Visibility and Hardening Guidance for Communications Infrastructure."
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-and-partners-release-joint-guidance-prc-affiliated-threat-actor-compromising-networks-global
https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure
https://www.bleepingcomputer.com/news/security/us-shares-tips-to-block-hackers-behind-recent-telecom-breaches/
https://therecord.media/fbi-cisa-china-lurking-in-telecom-systems
https://www.bankinfosecurity.com/no-timeline-for-evicting-chinese-hackers-from-us-networks-a-26956
https://cyberscoop.com/u-s-government-says-salt-typhoon-is-still-in-telecom-networks/
https://www.securityweek.com/fbi-tells-telecom-firms-to-boost-security-following-wide-ranging-chinese-hacking-campaign/
Government/Law/Policy
- New EU Regulation Establishes European ‘Cybersecurity Shield’
"The Council of the European Union on Monday announced the adoption of two new laws meant to improve the overall cybersecurity across the EU. The two new laws in the cybersecurity package establish a cybersecurity shield that calls for member states to cooperate in detecting and responding to cyberattacks, and amend the EU’s Cybersecurity Act (CSA) of 2019 to ensure adequate security standards for managed security services."
Priority: 3 - Important
Relevance: General
https://www.securityweek.com/new-eu-regulation-establishes-european-cybersecurity-shield/
https://data.consilium.europa.eu/doc/document/PE-94-2024-INIT/en/pdf
Vulnerabilities
- Veeam Warns Of Critical RCE Bug In Service Provider Console
"Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads."
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/
https://www.helpnetsecurity.com/2024/12/03/vspc-vulnerabilities-cve-2024-42448-cve-2024-42449/
- Perfect 10 Directory Traversal Vuln Hits SailPoint's IAM Solution
"It's time to rev up those patch engines after SailPoint disclosed a perfect 10/10 severity vulnerability in its identity and access management (IAM) platform IdentityIQ. The bug is not attached to a security advisory at the time of writing, but the vulnerability was reported on Monday to the National Vulnerability Database (NVD), which then assigned it the CVE-2024-10905 identifier. Given the NVD rarely publishes a full analysis of vulnerabilities, and without an accompanying advisory to consult, the details of the flaw are few and far between."
https://www.theregister.com/2024/12/03/sailpoint_identityiq_vulnerability/
- Progress WhatsUp Gold NmAPI.exe Registry Overwrite Unauthenticated RCE
"A registry overwrite remote code execution vulnerability exists in NmAPI.exe in WhatsUp Gold versions prior to 24.0.1. An unauthenticated remote attacker could leverage this vulnerability to achieve remote code execution on the affected system. NmAPI.exe is a Windows Communication Foundation (WCF) application. It implements an UpdateFailoverRegistryValues operation contract:"
https://www.tenable.com/security/research/tra-2024-48
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-whatsup-gold-rce-flaw-patch-now/
- Decade-Old Cisco Vulnerability Under Active Exploit
"Cisco is warning customers of a security vulnerability impacting its Adaptive Security Appliance (ASA) that is actively being exploited by threat actors. The bug, tracked as CVE-2014-2120 and a decade old, involves insufficient input validation in ASA's WebVPN login page, through which an unauthenticated remote attacker could enact a cross-site scripting (XSS) attack."
https://www.darkreading.com/vulnerabilities-threats/decade-old-cisco-vulnerability-exploit
https://thehackernews.com/2024/12/cisco-warns-of-exploitation-of-decade.html
https://www.securityweek.com/cisco-warns-of-attacks-exploiting-decade-old-asa-vulnerability/
https://securityaffairs.com/171631/hacking/cisco-asa-flaw-cve-2014-2120-exploited-in-the-wild.html
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-45727 North Grid Proself Improper Restriction of XML External Entity (XEE) Reference Vulnerability
CVE-2024-11680 ProjectSend Improper Authentication Vulnerability
CVE-2024-11667 Zyxel Multiple Firewalls Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/03/cisa-adds-three-known-exploited-vulnerabilities-catalog
Malware
- North Korean Kimsuky Hackers Use Russian Email Addresses For Credential Theft Attacks
"The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed.""
https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html
https://www.infosecurity-magazine.com/news/kimsuky-adopts-new-phishing-tactics/
- Gafgyt Malware Targeting Docker Remote API Servers
"Recently, we've observed the Gafgyt malware (also known as Bashlite or Lizkebab) targeting publicly exposed Docker Remote API servers. Traditionally, this malware has focused on vulnerable IoT devices, but we're now seeing a shift in its behavior as it expands its targets beyond its usual scope. We noticed attackers targeting publicly exposed misconfigured Docker remote API servers to deploy the malware by creating a Docker container based on a legitimate “alpine” docker image. Along with deployment of Gafgyt malware, attackers used Gafgyt botnet malware to infect the victim. After the deployment, the attacker can launch a DDoS attack on targeted servers."
https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
- Stellar Discovery Of A New Cluster Of Andromeda/Gamarue C2
"In the course of investigating incidents that relate to an infection by the Andromeda backdoor, we discovered that a threat actor is currently using domains and IP addresses registered with the same certificate and more specifically the common name (CN) being: *.malware[.]com that are used for Command and Control (C2) communication with their Andromeda implant."
https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2
- Missing URL Structure: Mistake Or a Masterfully Effective Tactic?
"In an ever-changing threat landscape, where AI and automation are being leveraged to not only detect but stop malicious campaigns, how does an attack that seems rudimentary become effective? By understanding how these tools work and by using social engineering, TAs (Threat Actors) can circumvent automation and gain access to company infrastructure with modest effort."
https://cofense.com/blog/missing-url-structure-mistake-or-a-masterfully-effective-tactic
- BreakingWAF: Widespread WAF Bypass Impacts Nearly 40% Of Fortune 100 Companies
"Zafran Researchers Uncover Widespread WAF Bypass Technique Impacting JPMorganChase, Visa, Intel and Nearly 40% of Fortune 100 companies. The misconfiguration exposes web applications to direct attacks over the Internet which can lead to full compromise, ransomware attacks, or trivial denial-of-service attacks."
https://www.zafran.io/resources/breaking-waf
https://www.darkreading.com/application-security/misconfigured-wafs-heighten-dos-breach-risks
- Unveiling RevC2 And Venom Loader
"Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools."
https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
https://www.darkreading.com/cyberattacks-data-breaches/venom-spider-malware-maas-platform
- White FAANG: Devouring Your Personal Data
"Privacy is a core aspect of our lives. We have the fundamental right to control our personal data, physically or virtually. However, as we use products from external vendors, particularly the FAANG companies (Facebook, Amazon, Apple, Netflix, Google), our digital footprint is continuously being expanded. Fortunately, FAANG provides a service that enables us to export our data to a local drive in just seconds. From now on, we will refer to it as the “export service.”"
https://www.cyberark.com/resources/ransomware-protection/white-faang-devouring-your-personal-data
https://www.darkreading.com/cyber-risk/white-faang-data-export-attack-pii-threats
- CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks In Real-World Intrusion
"BYOVD involves adversaries writing to disk and loading a legitimate, but vulnerable, driver to access the kernel of an operating system. This allows them to evade detection mechanisms and manipulate the system at a deep level, often bypassing protections like EDR. For the exploitation to succeed, attackers must first ensure the driver is brought on the target system. This is followed by the initiation of a privileged process to load the driver, setting the stage for further malicious activities."
https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/
Breaches/Hacks/Leaks
- Energy Industry Contractor Says Ransomware Attack Has Limited Access To IT Systems
"A major contractor for the energy industry confirmed in a notice to regulators that it is dealing with a ransomware attack that has hindered operations. ENGlobal Corporation filed a report to the U.S. Securities and Exchange Commission Monday evening explaining that the ransomware attack was discovered on November 25. “The preliminary investigation has revealed that a threat actor illegally accessed the Company’s information technology system and encrypted some of its data files,” the Oklahoma-based firm said."
https://therecord.media/energy-industry-contractor-ransomware-disruption
https://www.infosecurity-magazine.com/news/ransomware-disrupts-us-contractor/
https://www.securityweek.com/energy-sector-contractor-englobal-targeted-in-ransomware-attack/
https://www.helpnetsecurity.com/2024/12/03/englobal-ransomware-attack/
https://securityaffairs.com/171617/cyber-crime/englobal-corporation-disclosed-a-ransomware-attack.html
https://www.theregister.com/2024/12/03/us_energy_contractor_englobal_ransomware/
- Data On 760K Workers From Xerox, Nokia, BofA, Morgan Stanley And More Dumped Online
"Hundreds of thousands of employees from major corporations including Xerox, Nokia, Koch, Bank of America, Morgan Stanley and others appear to be the latest victims in a massive data breach linked to last year's attacks on file transfer tool MOVEit. On Monday morning, an entity that uses the handle "Nam3L3ss" began leaking what they claimed to be personal data belonging to from the abovementioned corporations, plus workers at other firms affected by the MOVEit vulnerability."
https://www.theregister.com/2024/12/03/760k_xerox_nokia_bofa_morgan/
https://hackread.com/data-vigilante-leaks-772k-employee-record-database/
https://www.securityweek.com/760000-employee-records-from-several-major-firms-leaked-online/
- Vodka Maker Stoli Files For Bankruptcy In US After Ransomware Attack
"Stoli Group's U.S. companies have filed for bankruptcy following an August ransomware attack and Russian authorities seizing the company's remaining distilleries in the country. As Chris Caldwell, the President and Global Chief Executive Officer of Stoli USA and Kentucky Owl, the two Stoli Group subsidiaries, said in a Friday filing, this comes after the August attack severely disrupted its IT systems, including its enterprise resource planning (ERP) platform. The cyberattack also forced manual operations across the group, affecting key processes such as accounting, with full recovery not expected until early 2025."
https://www.bleepingcomputer.com/news/security/vodka-maker-stoli-files-for-bankruptcy-in-us-after-ransomware-attack/
https://therecord.media/stoli-group-usa-bankruptcy-filing-ransomware
- Hello, This Is Your Chatbot Leaking: WotNot Exposes 346K Sensitive Customer Files
"Introducing additional hands into the AI supply chain might not be such a great idea. Passports, detailed medical records, resumes, and other sensitive personal records were exposed in a database belonging to WotNot, an Indian AI startup that helps build and customize bots for businesses."
https://cybernews.com/security/wotnot-exposes-346k-sensitive-customer-files/
https://www.malwarebytes.com/blog/news/2024/12/ai-chatbot-provider-exposes-346000-customer-files-including-id-documents-resumes-and-medical-records
General News
- Treat AI Like a Human: Redefining Cybersecurity
"In this Help Net Security interview, Doug Kersten, CISO of Appfire, explains how treating AI like a human can change the way cybersecurity professionals use AI tools. He discusses how this shift encourages a more collaborative approach while acknowledging AI’s limitations. Kersten also discusses the need for strong oversight and accountability to ensure AI aligns with business goals and remains secure."
https://www.helpnetsecurity.com/2024/12/03/doug-kersten-appfire-ai-oversight/
- AI Pulse: The Good From AI And The Promise Of Agentic
"The perils of AI get a lot of airtime, but what are the upsides? This issue of AI Pulse looks at some of the good AI can bring, from strengthening cybersecurity to driving health breakthroughs—and how the coming wave of agentic AI is going to take those possibilities to a whole new level."
https://www.trendmicro.com/en_us/research/24/l/good-agentic-ai.html
- Avoiding Pitfalls In Vulnerability Management: Key Insights And Best Practices
"Vulnerability management (VM) has always been a complex area of concern that requires continuous and active effort to work properly. This can make it challenging for organizations to maintain their VM strategies and solutions over time, as there are many angles to secure and processes to oversee. There are a wide range of potential ways that VM can go wrong, and it is essential for organizations to avoid the many pitfalls associated with it."
https://www.tripwire.com/state-of-security/avoiding-pitfalls-vulnerability-management-key-insights-and-best-practices
- Severity Of The Risk Facing The UK Is Widely Underestimated, NCSC Annual Review Warns
"The number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months. Published today, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year."
https://www.theregister.com/2024/12/03/ncsc_annual_review/
https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024
https://www.infosecurity-magazine.com/news/uk-cyberattacks-surge-ncsc/
- Cloudflare’s Pages.dev And Workers.dev Domains Increasingly Abused For Phishing
"Fortra has observed a rising trend in legitimate service abuse, with a significant volume of attacks targeting Cloudflare Pages. Workers.dev is a domain used by Cloudflare Workers’ deployment services, while Pages.dev is used by Cloudflare’s Pages platform that facilitates the development of web pages and sites. Fortra’s Suspicious Email Analysis (SEA) team has identified different threats being hosted on this platform, including attacks such as phishing redirects, phishing pages and targeted email lists."
https://emailsecurity.fortra.com/blog/cloudflares-pagesdev-and-workersdev-domains-increasingly-abused-phishing
https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
- Police Seizes Largest German Online Crime Marketplace, Arrests Admin
"Germany has taken down the largest online cybercrime marketplace in the country, named "Crimenetwork," and arrested its administrator for facilitating the sale of drugs, stolen data, and illegal services. The law enforcement action was carried out on Monday by the Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA)."
https://www.bleepingcomputer.com/news/security/police-seizes-largest-german-online-crime-marketplace-arrests-admin/
- International Operation Takes Down Another Encrypted Messaging Service Used By Criminals
"Authorities are staying on top of the encrypted messaging services that criminals use to undertake their activities. A joint investigation team (JIT) involving French and Dutch authorities has taken down another sophisticated encrypted messaging service, MATRIX. For three months, authorities were able to monitor the messages from possible criminals, which will now be used to support other investigations. During a coordinated operation supported by Eurojust and Europol, the messaging service was taken down by Dutch and French authorities and follow-up actions were executed by their Italian, Lithuanian and Spanish counterparts."
https://www.europol.europa.eu/media-press/newsroom/news/international-operation-takes-down-another-encrypted-messaging-service-used-criminals
https://www.bleepingcomputer.com/news/security/police-seize-matrix-encrypted-chat-service-after-spying-on-criminals/
https://therecord.media/matrix-criminal-encrypted-chat-platform-takedown-police
https://www.bankinfosecurity.com/european-police-disrupts-matrix-encrypted-service-a-26961
https://www.helpnetsecurity.com/2024/12/03/matrix-encrypted-chat-takedown/
https://www.infosecurity-magazine.com/news/police-shut-down-matrix-criminal/
- Cyber Risk – How To Effectively Manage Fourth-Party Risks
"Cyber risks have gained numerous business executives’ attention as these risks are effectively operational risks due to their potentially devastating operational and financial impacts, and reputational damage to organizations. Among cyber risks, third-party or supply chain risks become one of the most challenging areas as heavy and unavoidable reliance on using third parties such as Cloud and SaaS providers is a reality of today’s IT and security operations."
https://blog.checkpoint.com/security/cyber-risk-how-to-effectively-manage-fourth-party-risks/
- Cyber-Unsafe Employees Increasingly Put Orgs At Risk
"A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk. The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own."
https://www.darkreading.com/vulnerabilities-threats/cyber-unsafe-employees-orgs-risk
https://www.cyberark.com/resources/ebooks/cyberark-2024-employee-risk-survey
- Gen AI And Cybersecurity: Risk And Reward
"Research from Ivanti shows how organizations are managing the double-edged sword of gen AI in cybersecurity — and the processes, technology and talent needed to fortify defenses."
https://www.ivanti.com/resources/research-reports/gen-ai-cybersecurity
https://www.infosecurity-magazine.com/news/security-pros-genai-attack/
- Repeat Offenders Drive Bulk Of Tech Support Scams Via Google Ads
"Of all the different kinds of malicious search ads we track, those related to customer service are by far the most common. Brands such as PayPal, eBay, Apple or Netflix are among the most coveted ones as they tend to drive a lot of online searches. Tech support scammers are leveraging Google ads to lure victims in, getting them on the phone and finally fleecing them. While hard to measure precisely, tech support scams accounted for $924M, according to the FBI’s 2023 Internet Crime Report."
https://www.malwarebytes.com/blog/scams/2024/12/repeat-offenders-drive-bulk-of-tech-support-scams-via-google-ads
- Hacker Conversations: Dan McInerney And Puzzle-Driven Hacking
"Dan McInerney, currently lead AI threat researcher at Protect AI, came late to tech hacking. He was a 22-year-old psychology grad when he started. His journey, however, provides new insights into the creation and motivation of a hacker."
https://www.securityweek.com/hacker-conversations-dan-mcinerney-and-puzzle-driven-hacking/
- World Tour Survey: IT Operations’ Hands-On Defense
"Cybercriminals have more tools than ever to disrupt business operations, steal data for ransom, and manipulate employees into exposing sensitive information. Generative AI (GenAI) is taking those capabilities to new levels by enhancing phishing attacks and enabling audio and video deepfakes. Security professionals are also facing new pressures from chief executives and corporate boards who increasingly understand the legal, financial, and reputational risks cyber threats pose to businesses."
https://www.trendmicro.com/en_us/research/24/l/world-tour-cybersecurity-survey-it-defense.html
References
Electronic Transactions Development Agency (ETDA)