Cyber Threat Intelligence 16 December 2024
Industrial Sector
- CISA And EPA Release Joint Fact Sheet Detailing Risks Internet-Exposed HMIs Pose To WWS Sector
"Today, CISA and the Environmental Protection Agency (EPA) released Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems. This joint fact sheet provides Water and Wastewater Systems (WWS) facilities with recommendations for limiting the exposure of Human Machine Interfaces (HMIs) and securing them against malicious cyber activity."
https://www.cisa.gov/news-events/alerts/2024/12/13/cisa-and-epa-release-joint-fact-sheet-detailing-risks-internet-exposed-hmis-pose-wws-sector
https://www.cisa.gov/resources-tools/resources/internet-exposed-hmis-pose-cybersecurity-risks-water-and-wastewater-systems
https://www.bleepingcomputer.com/news/security/cisa-warns-water-facilities-to-secure-hmi-systems-exposed-online/
New Tooling
- FuzzyAI: Open-Source Tool For Automated LLM Fuzzing
"FuzzyAI is an open-source framework that helps organizations identify and address AI model vulnerabilities in cloud-hosted and in-house AI models, like guardrail bypassing and harmful output generation."
https://www.helpnetsecurity.com/2024/12/13/fuzzyai-automated-llm-fuzzing/
https://github.com/cyberark/FuzzyAI
Vulnerabilities
- Microsoft Patches Vulnerabilities In Windows Defender, Update Catalog
"Microsoft on Thursday informed customers that two potentially critical vulnerabilities have been patched in Update Catalog and Windows Defender. The tech giant has released advisories for each flaw and assigned CVE identifiers, but it’s only for transparency purposes as the issues have been fully mitigated and users do not need to take any action. The Windows Defender vulnerability, tracked as CVE-2024-49071, has a maximum severity rating of ‘critical’, but based on its CVSS score it’s a medium-severity issue. It could have led to information disclosure, specifically the exposure of file content."
https://www.securityweek.com/microsoft-patches-vulnerabilities-in-windows-defender-update-catalog/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-50623 Cleo Multiple Products Unrestricted File Upload Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/13/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-confirms-critical-cleo-bug-exploitation-in-ransomware-attacks/
https://therecord.media/cisa-ransomware-cleo-cyberpanel-bugs
https://securityaffairs.com/171973/security/u-s-cisa-adds-cleo-harmony-vltrader-and-lexicom-flaw-to-its-known-exploited-vulnerabilities-catalog.html
- With 'TPUXtract,' Attackers Can Steal Orgs' AI Models
"Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on. The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy."
https://www.darkreading.com/vulnerabilities-threats/tpuxtract-attackers-steal-ai-models
https://philosophymindscience.org/index.php/TCHES/article/view/11923/11782
Malware
- Vishing Via Microsoft Teams Facilitates DarkGate Malware Intrusion
"Using Vision One, we observed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call. This led to the user being instructed to download the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware. DarkGate, distributed via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control server. In this blog entry, we discuss how this breach was carried out in several stages, emphasizing the need for robust security measures and heightened awareness against social engineering attacks."
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
- Germany Blocks BadBox Malware Loaded On 30,000 Android Devices
"Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. The types of impacted devices include digital picture frames, media players and streamers, and potentially smartphones and tablets."
https://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/
https://therecord.media/germany-hacker-access-malware-cut
https://thehackernews.com/2024/12/germany-disrupts-badbox-malware-on.html
https://www.bankinfosecurity.com/german-bsi-disrupts-android-malware-infecting-iot-devices-a-27062
https://www.securityweek.com/germany-sinkholes-botnet-of-30000-badbox-infected-devices/
https://securityaffairs.com/171968/malware/bsi-sinkholed-badbox-botnet.html
- Paying To Get Paid: Gamified Job Scams Drive Record Losses
"A job you truly enjoy is a good thing, but if the work feels more like an online game than an actual job, you can bet it’s a scam. Reported losses to job scams increased more than threefold from 2020 to 2023 and, in just the first half of 2024, topped $220 million. Driving this trend are skyrocketing reports about gamified job scams, often called task scams. About 20,000 people reported these scams in the first half of the year, compared to about 5,000 in all of 2023. Since the vast majority of frauds are not reported, this likely reflects only a fraction of the actual harm."
https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2024/12/paying-get-paid-gamified-job-scams-drive-record-losses
https://www.bleepingcomputer.com/news/security/ftc-warns-of-online-task-job-scams-hooking-victims-like-gambling/
- Citrix Shares Mitigations For Ongoing Netscaler Password Spray Attacks
"Citrix Netscaler is the latest target in widespread password spray attacks targeting edge networking devices and cloud platforms this year to breach corporate networks. In March, Cisco reported that threat actors were conducting password spray attacks on the Cisco VPN devices. In some cases, these attacks caused a denial-of-service state, allowing the company to find a DDoS vulnerability they fixed in October."
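The pattern the Citrix item describes (one source trying many accounts a few times each, so per-account lockouts never fire) is easy to miss if you only alert on repeated failures per user. The following is an added detection example, not code from the article or from Citrix; the log line format it parses is an assumed, simplified one (`<timestamp> src=<ip> user=<account> result=<success|failure>`) and the sample lines are constructed.

```python
"""Password-spray detection over authentication log lines.

Added example: this is not code from the article or from Citrix. The log
format is an assumed, simplified one:
    <ISO-8601 timestamp> src=<ip> user=<account> result=<success|failure>
A spray is the inverse of brute force: one source, many accounts, one or
two attempts each, so per-account lockout thresholds never trip.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.5 sprays six accounts (and gets one right);
# 198.51.100.9 brute-forces a single account; 192.0.2.77 is a user typo.
SAMPLE_LOG = """\
2024-12-13T08:00:01Z src=203.0.113.5 user=alice result=failure
2024-12-13T08:00:03Z src=203.0.113.5 user=bob result=failure
2024-12-13T08:00:05Z src=203.0.113.5 user=carol result=failure
2024-12-13T08:00:07Z src=203.0.113.5 user=dave result=failure
2024-12-13T08:00:09Z src=203.0.113.5 user=erin result=failure
2024-12-13T08:00:11Z src=203.0.113.5 user=frank result=success
2024-12-13T08:01:00Z src=198.51.100.9 user=alice result=failure
2024-12-13T08:01:02Z src=198.51.100.9 user=alice result=failure
2024-12-13T08:01:04Z src=198.51.100.9 user=alice result=failure
2024-12-13T08:01:06Z src=198.51.100.9 user=alice result=failure
2024-12-13T08:01:08Z src=198.51.100.9 user=alice result=failure
2024-12-13T09:30:00Z src=192.0.2.77 user=gina result=failure
2024-12-13T09:30:10Z src=192.0.2.77 user=gina result=success
"""


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, user, result)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_users=5, max_per_user=2):
    """Flag sources that, inside `window`, fail against >= `min_users`
    distinct accounts with <= `max_per_user` failures per account.

    Returns {src_ip: {"distinct_users", "window_start", "successes_in_window"}}.
    The brute-force source is deliberately *not* matched: it fails many times
    against one account, which per-account lockout already handles.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    findings = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):      # slide the window start
            fails = defaultdict(int)
            successes = set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "failure":
                    fails[user] += 1
                else:
                    successes.add(user)
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                findings[src] = {
                    "distinct_users": len(fails),
                    "window_start": start.isoformat(),
                    # a success right after a spray is the account to reset first
                    "successes_in_window": sorted(successes),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"password spray from {src}: {info}")
```

Run as-is it reports only 203.0.113.5 and lists `frank` as the account that authenticated inside the spray window. The thresholds are deliberately parameters: on a large tenant the attacker spreads attempts across many source addresses, so the same logic is usually also run keyed on user-agent or on the /24 instead of the single IP.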
https://www.bleepingcomputer.com/news/security/citrix-shares-mitigations-for-ongoing-netscaler-password-spray-attacks/
- 390,000+ WordPress Credentials Stolen Via Malicious GitHub Repository Hosting PoC Exploits
"A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws."
https://thehackernews.com/2024/12/390000-wordpress-credentials-stolen-via.html
https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-stolen-from-hackers-in-supply-chain-attack/
- Crypted Hearts: Exposing The HeartCrypt Packer-As-a-Service Operation
"This article analyzes a new packer-as-a-service (PaaS) called HeartCrypt, which is used to protect malware. It has been in development since July 2023 and began sales in February 2024. We have identified examples of malware samples created by this service based on strings found in several development samples the operators used to test their work."
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
- New Yokai Side-Loaded Backdoor Targets Thai Officials
"DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly to deliver Nightdoor backdoor. During threat hunting activities, the Netskope team discovered a legitimate iTop Data Recovery application side-loading a backdoor we named Yokai that, to the best of our knowledge, has not been publicly documented yet. In this blog we will analyze the infection chain and dive deep into the internals of the Yokai backdoor."
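The precondition the paragraph describes (a DLL carrying a system-library name, loaded from the benign executable's own directory rather than from System32) is visible in image-load telemetry. The following is an added triage example and is not Netskope's code; it does not reproduce the Yokai chain, and because the article does not name the hijacked DLL none is claimed here. The events are constructed Sysmon Event ID 7 records using the real field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus`; the set of DLL names and the trusted directories are assumptions.

```python
"""DLL side-loading triage over image-load telemetry.

Added example, not Netskope's code; it does not reproduce the Yokai chain
(the article does not name the hijacked DLL, so none is claimed here).
Input is a constructed list of Sysmon Event ID 7 (ImageLoad) records with
the real field names Image, ImageLoaded, Signed and SignatureStatus; the
DLL-name set is an assumed list of system DLLs commonly impersonated.
The rule encodes the precondition the paragraph describes: a DLL with a
system-library name loaded from the executable's own directory, outside
the locations where such a DLL legitimately lives.
"""
import ntpath

# Assumed: file names of Windows DLLs that side-loaders commonly impersonate.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptbase.dll", "profapi.dll", "userenv.dll"}

# Directories where a DLL with one of those names is expected to come from.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\windows\winsxs")

# Constructed events. Only the first has the full side-loading shape.
EVENTS = [
    {"Image": r"C:\Users\u\Downloads\DataRecovery\recovery.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\DataRecovery\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\u\Downloads\DataRecovery\recovery.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\u\Downloads\Other\app.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\Lib\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def sideload_indicators(event):
    """Return the list of indicators this load satisfies (empty = benign)."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(TRUSTED_DLL_DIRS):
        reasons.append("system DLL name loaded from non-system directory")
        if dll_dir == exe_dir:
            reasons.append("loaded from the executable's own directory")
        if event.get("Signed", "false").lower() != "true":
            reasons.append("unsigned")
    return reasons


def triage(events):
    """Return [(Image, ImageLoaded, reasons)] for loads with >= 2 indicators.

    One indicator alone (a signed version.dll shipped in a vendor folder)
    is common enough to be noise; two or more is worth an analyst's look.
    """
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= 2:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in triage(EVENTS):
        print(f"{image} -> {dll}: {', '.join(reasons)}")
```

The rule keys on the DLL's file name, which is what makes it cheap: it cannot catch a side-load of an arbitrary `helper.dll`, but it does catch the case the paragraph describes, where a trusted, signed executable pulls a well-known library name from a directory the attacker controls. Pair it with the signature fields rather than relying on them alone; an attacker can sign a DLL, but cannot make it load from System32.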
https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials
https://thehackernews.com/2024/12/thai-officials-targeted-in-yokai.html
- Glutton: A New Zero-Detection PHP Backdoor From Winnti Targets Cybercriminals
"On April 29, 2024, XLab's Cyber Threat Insight and Analysis System(CTIA) detected anomalous activity: IP 172.247.127.210 was distributing an ELF-based Winnti backdoor. Further investigation revealed the same IP had, on December 20, 2023, distributed a zero-detection malicious PHP file, init_task.txt, providing a key lead for the analysis."
https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/
https://www.bleepingcomputer.com/news/security/winnti-hackers-target-other-threat-actors-with-new-glutton-php-backdoor/
Breaches/Hacks/Leaks
- Auto Parts Giant LKQ Says Cyberattack Disrupted Canadian Business Unit
"Automobile parts giant LKQ Corporation disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company. LKQ is a public American company specializing in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates numerous brands, including Keystone, Tri Star, and ADL."
https://www.bleepingcomputer.com/news/security/auto-parts-giant-lkq-says-cyberattack-disrupted-canadian-business-unit/
- Hackers Steal 17M Patient Records In Attack On 3 Hospitals
"Cybercriminals claim they stole 17 million patient records from a southern California regional healthcare provider that is still struggling with IT and phone systems outages that have been disrupting patient care since the organization was hit by a ransomware attack on Dec. 1. PIH Health, in a statement Wednesday, said three of its hospitals - Downey Hospital, Good Samaritan Hospital and Whittier Hospital - as well as its urgent care centers, doctor offices, home health and hospice agency - are affected by the attack."
https://www.bankinfosecurity.com/hackers-steal-17m-patient-records-in-attack-on-3-hospitals-a-27059
- Eyecare & Healthtech Company Exposed Almost 5 Million Medical Records
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained more than 4.8 million records belonging to Care1 — a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care."
https://www.vpnmentor.com/news/report-care1-breach/
https://hackread.com/canadian-eyecare-firm-care1-exposes-patient-records/
https://www.malwarebytes.com/blog/news/2024/12/4-8-million-healthcare-records-left-freely-accessible
- South Carolina Credit Union Says 240,000 Impacted By Recent Cyberattack
"More than 240,000 people had information stolen during a cyberattack on SRP Federal Credit Union, one of the largest in South Carolina. The credit union filed breach notification documents with regulators in Maine and Texas on Friday acknowledging that it recently detected suspicious activity on its network. SRP was founded in 1960, and said it has more than $1.6 billion in assets as of 2022."
https://therecord.media/south-carolina-credit-union-data-breach
- Clop Ransomware Claims Responsibility For Cleo Data Theft Attacks
"The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and steal data. Cleo is the developer of the managed file transfer platforms Cleo Harmony, VLTrader, and LexiCom, which companies use to securely exchange files between their business partners and customers. In October, Cleo fixed a vulnerability tracked as CVE-2024-50623 that allowed unrestricted file uploads and downloads, leading to remote code execution."
https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/
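Both the KEV entry for CVE-2024-50623 and this Clop item describe the same defect class: an upload endpoint that lets the client decide where a file lands and what kind of file it is, which turns a file-transfer feature into code execution. The following is an added example of that class beside its fix; it is not Cleo's code and does not reproduce the Cleo bug. The upload root, the extension allowlist and the file names are assumptions.

```python
"""Unrestricted file upload: a vulnerable save routine beside a hardened one.

Added example. It is not Cleo's code and does not reproduce CVE-2024-50623;
it shows the defect class the advisories describe (the client controls
where an uploaded file lands and what type it is) and the checks that close
it, plus the mirror-image check for downloads. Paths and the extension
allowlist are assumptions for illustration.
"""
import os
import secrets

ALLOWED_EXT = {".csv", ".xml", ".txt", ".pdf"}   # assumed business file types


def vulnerable_destination(root, client_filename):
    """Where the naive handler writes: the client's name, joined as-is.
    '../../www/shell.jsp' walks out of the upload root, and the .jsp
    extension is never questioned, so the upload becomes code execution
    as soon as the web server or a scheduled job touches it."""
    return os.path.normpath(os.path.join(root, client_filename))


def _client_extension(client_filename):
    """Keep only the final path component and its lower-cased extension."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    return base, os.path.splitext(base)[1].lower()


def check_upload_name(client_filename):
    """Return (ok, reason). Only the extension survives from the client's
    name; everything else about the path is discarded."""
    base, ext = _client_extension(client_filename)
    if base in ("", ".", ".."):
        return False, "empty or directory-only name"
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    return True, "ok"


def safe_destination(root, client_filename):
    """Server-chosen random name with an allowlisted extension, confined to
    `root`. Raises ValueError for anything that fails the checks."""
    ok, reason = check_upload_name(client_filename)
    if not ok:
        raise ValueError(reason)
    root_abs = os.path.abspath(root)
    _, ext = _client_extension(client_filename)
    dest = os.path.join(root_abs, secrets.token_hex(16) + ext)
    # Containment check stays even though the name is ours: it catches a
    # future refactor that lets client input back into the path.
    if os.path.dirname(os.path.normpath(dest)) != root_abs:
        raise ValueError("destination escapes upload root")
    return dest


def save_upload_hardened(root, client_filename, data, max_bytes=50 * 1024 * 1024):
    """Size cap, validated name, server-chosen path, no overwrite."""
    if len(data) > max_bytes:
        raise ValueError("upload too large")
    dest = safe_destination(root, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "xb") as fh:          # 'x': never overwrite an existing file
        fh.write(data)
    return dest


def safe_download_path(root, requested):
    """The download side of the same bug: resolve the requested name inside
    `root` and refuse anything that normalises to a path outside it."""
    root_abs = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root_abs, requested))
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate
```

Two design points matter more than the allowlist itself. First, the client's file name never reaches the file system: the server picks a random name and only borrows the (validated) extension, so traversal sequences and double extensions have nothing to act on. Second, the containment check is kept even after the name is server-generated, and the same check is applied on the download path; the Cleo advisory describes both directions, and the download side is where stolen data leaves. On hosts that use symlinks inside the upload root, resolve the real path before the containment comparison.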
General News
- Tackling Software Vulnerabilities With Smarter Developer Strategies
"In this Help Net Security interview, Karl Mattson, CISO at Endor Labs, discusses strategies for enhancing secure software development. Mattson covers how developers can address vulnerabilities in complex systems, ways organizations can better support secure coding practices, and the role of languages and frameworks in secure development."
https://www.helpnetsecurity.com/2024/12/13/karl-mattson-endor-labs-secure-coding/
- CISOs Need To Consider The Personal Risks Associated With Their Role
"70% of cybersecurity leaders felt that stories of CISOs being held personally liable for cybersecurity incidents have negatively affected their opinion of the role, according to BlackFog. 34% believed that the trend of individuals being prosecuted following a cyberattack was a ‘no-win’ situation for security leaders: facing internal consequences if they report failings and prosecuted if they don’t."
https://www.helpnetsecurity.com/2024/12/13/cybersecurity-leaders-personal-liability/
- ISC2 Survey Reveals Critical Gaps In Cybersecurity Leadership Skills
"Leadership training and skills are severely lacking in the cybersecurity industry, according to ISC2’s Cybersecurity Leadership Survey. The accreditation and training body found that in responses to open-ended inquiries, survey participants indicated that their cybersecurity leaders demonstrate limited or no skills in areas such as communication, strategic mindset and business acumen."
https://www.infosecurity-magazine.com/news/isc2-gaps-cybersecurity-leadership/
- UK Shoppers Frustrated As Bots Snap Up Popular Christmas Gifts
"Almost three quarters of UK consumers (71%) believe malicious bots are ruining Christmas by snapping up all the most wanted presents, according to research by Imperva. The company warned that ‘scalping’, the practice whereby cybercriminals use bots to buy items from online retailers and sell them for a profit on resale sites, is only set to get worse this Christmas. In the UK, 20% of consumers have reported that when attempting to buy a gift they have found it to be completely sold out with 19% being forced to buy a more expensive alternative."
https://www.infosecurity-magazine.com/news/uk-shoppers-bots-snap-up-christmas/
- OData Injection Risk In Low-Code/No-Code Environments
"As organizations lean into low-code/no-code (LCNC) platforms to streamline development and empower citizen developers, security risks become increasingly challenging to manage. One of the more under-the-radar LCNC threats is OData injection, an attack vector that can expose sensitive corporate data and is predominant on the Microsoft Power Platform. This new vulnerability is poorly understood by security professionals in LCNC environments, where traditional safeguards are lacking."
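OData injection works exactly like SQL injection: a caller-supplied value is concatenated into a `$filter` expression, and a stray single quote lets the caller close the string literal and append their own comparison. The following is an added example, not from the Dark Reading piece and not Power Platform code. It assumes a service that filters a `Contacts` entity set by a property name the application chooses, and forwards `$filter` to an OData v4 endpoint; the endpoint URL is an assumption. The fix is the OData v4 literal rule (a single quote inside a string literal is written as two quotes), not regex stripping.

```python
"""OData $filter injection: string concatenation beside literal escaping.

Added example, not from the Dark Reading piece and not Power Platform code.
It assumes a service that lets a caller filter a Contacts entity set by
name, and a backend that forwards $filter unchanged to an OData v4
endpoint (SERVICE is an assumed URL). OData v4 string literals are
single-quoted and a quote inside one is written as two quotes ('').
"""
import re
from urllib.parse import urlencode

SERVICE = "https://odata.example.invalid/Contacts"   # assumed endpoint


def build_filter_vulnerable(field, value):
    """Caller-controlled value dropped straight into the expression."""
    return f"{field} eq '{value}'"


def odata_string(value):
    """Render `value` as an OData v4 string literal: quotes doubled."""
    return "'" + str(value).replace("'", "''") + "'"


def odata_int(value):
    """Numeric literals have no quotes to escape, so validate instead."""
    if not re.fullmatch(r"-?\d{1,18}", str(value)):
        raise ValueError(f"not an integer literal: {value!r}")
    return str(int(value))


def build_filter_hardened(field, value):
    """Property names come from the application, never the caller; the
    value is always rendered as a literal, so it cannot grow the expression."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field):
        raise ValueError(f"bad property name: {field!r}")
    return f"{field} eq {odata_string(value)}"


def query_url(filter_expr, top=50):
    """URL-encode the system query options; '$' and quotes are percent-encoded."""
    return SERVICE + "?" + urlencode({"$filter": filter_expr, "$top": odata_int(top)})


_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")          # literal-aware: '' is an escaped quote
_COMPARISON = re.compile(r"\b(eq|ne|gt|ge|lt|le)\b")


def count_comparisons(filter_expr):
    """Number of comparison operators outside string literals. A filter the
    application builds with exactly one comparison should never show two;
    run this over request logs to spot injection attempts."""
    return len(_COMPARISON.findall(_STRING_LITERAL.sub("''", filter_expr)))


if __name__ == "__main__":
    payload = "x' or Email ne '"
    for builder in (build_filter_vulnerable, build_filter_hardened):
        expr = builder("Name", payload)
        print(f"{builder.__name__}: {expr!r} -> {count_comparisons(expr)} comparison(s)")
        print("   ", query_url(expr))
```

With the payload `x' or Email ne '` the vulnerable builder yields `Name eq 'x' or Email ne ''`, a filter that matches every contact with a non-empty email; the hardened builder yields `Name eq 'x'' or Email ne '''`, a single comparison against a literal string containing the attacker's text. `count_comparisons` is the same literal-aware scan turned into a log check: the hardened expression counts as one comparison, the injected one as two.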
https://www.darkreading.com/vulnerabilities-threats/odata-injection-risk-low-code-no-code-environments
- Akira And RansomHub Surge As Ransomware Claims Reach All-Time High
"Ransomware claims reached an all-time high in November 2024, with Corvus Insurance reporting 632 victims claimed on ransomware groups’ data leak sites (DLS). More than double the monthly average of 307 victims, the November count exceeds the previous peak of 527 victims recorded in May 2024."
https://www.infosecurity-magazine.com/news/akira-ransomhub-ransomware-claims/
- The Bite From Inside: The Sophos Active Adversary Report
"It’s not news that 2024 has been a tumultuous year on many fronts. For our second Active Adversary Report of 2024, we’re looking specifically at patterns and developments we noted during the first half of the year (1H24). Though the year itself was in many ways unremarkable on the surface for those charged with the security of small- and medium-scale enterprises – the war between attackers and defenders raged on, as ever – we see some remarkable activity just below that surface."
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
https://www.infosecurity-magazine.com/news/increase-microsoft-tool-exploits/
Reference
Electronic Transactions Development Agency (ETDA)