Cyber Threat Intelligence 17 December 2024
Financial Sector
- With DORA Approaching, Financial Institutions Must Strengthen Their Cyber Resilience
"The clock is ticking for financial institutions across the EU as the January 17, 2025, deadline for the Digital Operational Resilience Act (DORA) approaches. This regulation will reshape how organizations in the financial sector approach cybersecurity and operational resilience. It demands more than just technical upgrades — it calls for a strategic shift in mindset and practices."
https://www.helpnetsecurity.com/2024/12/16/financial-institutions-dora-requirements/
Government/Law/Policy
- CISA Requests Public Comment For Draft National Cyber Incident Response Plan Update
"Today, CISA—through the Joint Cyber Defense Collaborative and in coordination with the Office of the National Cyber Director (ONCD)—released the National Cyber Incident Response Plan Update Public Comment Draft. The draft requests public comment on the National Cyber Incident Response Plan (NCIRP)—public comment period begins today and concludes on January 15, 2025."
https://www.cisa.gov/news-events/alerts/2024/12/16/cisa-requests-public-comment-draft-national-cyber-incident-response-plan-update
https://cisa.gov/resources-tools/resources/national-cyber-incident-response-plan-update-public-comment-draft
https://therecord.media/cisa-first-draft-updated-cyber-plan
https://cyberscoop.com/cisa-national-cyber-incident-response-plan-comments/
https://www.bankinfosecurity.com/cisa-urges-enhanced-coordination-in-incident-response-plan-a-27077
New Tooling
- Trapster Community: Open-Source, Low-Interaction Honeypot
"Trapster Community is an open-source, lightweight, low-interaction honeypot designed for deployment within internal networks. It enhances network security by creating a deceptive layer that monitors and detects suspicious activities. “Our reengineered approach leverages the asyncio library, breaking away from the norm of Twisted, to deliver a customizable framework for honeypots. By integrating YAML configuration and Jinja2 variables, we’ve made creating adaptive and realistic honeypot websites easier."
https://www.helpnetsecurity.com/2024/12/16/trapster-community-open-source-honeypot/
https://github.com/0xBallpoint/trapster-community
Vulnerabilities
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-20767 Adobe ColdFusion Improper Access Control Vulnerability
CVE-2024-35250 Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/windows-kernel-bug-now-exploited-in-attacks-to-gain-system-privileges/
- Multiple Flaws In Volkswagen Group’s Infotainment Unit Allow For Vehicle Compromise
"A team of security researchers from cybersecurity firm PCAutomotive discovered multiple vulnerabilities in the infotainment units used in some vehicles of the Volkswagen Group. Remote attackers can exploit the flaws to achieve certain controls and track the location of cars in real time. The team led by Danila Parnishchev and Artem Ivachev discovered 12 vulnerabilities in the MIB3 infotainment systems, which appeared in 2021 and are now being used in many VW Group cars."
https://securityaffairs.com/172024/hacking/volkswagen-group-infotainment-unit-flaws.html
Malware
- Malicious Ad Distributes SocGholish Malware To Kaiser Permanente Employees
"On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks. We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser."
https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees
- FBI Spots HiatusRAT Malware Attacks Targeting Web Cameras, DVRs
"The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online. As a private industry notification (PIN) published on Monday explains, the attackers focus their attacks on Chinese-branded devices that are still waiting for security patches or have already reached the end of life."
https://www.bleepingcomputer.com/news/security/fbi-spots-hiatusrat-malware-attacks-targeting-web-cameras-dvrs/
https://www.ic3.gov/CSA/2024/241216.pdf
- “DeceptionAds” — Fake Captcha Driving Infostealer Infections And a Glimpse To The Dark Side Of Internet Advertising
"Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players."
https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-infostealer-via-fake-captcha-pages/
https://thehackernews.com/2024/12/deceptionads-delivers-1m-daily.html
https://www.infosecurity-magazine.com/news/fake-captcha-campaign-risks/
- “A Digital Prison”: Surveillance And The Suppression Of Civil Society In Serbia
"In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia who covers local interest news stories, was brought into a police station after a seemingly routine traffic stop. After Slaviša was released, he noticed that his phone, which he had left at the police station reception at the request of the officers, was acting strangely – the data and wi-fi settings were turned off. Aware that this can be a sign of hacking, and mindful of the surveillance threats facing journalists in Serbia, Slaviša contacted Amnesty International’s Security Lab to request an analysis of his phone."
https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/
https://www.bleepingcomputer.com/news/security/new-android-novispy-spyware-linked-to-qualcomm-zero-day-bugs/
https://thehackernews.com/2024/12/novispy-spyware-installed-on.html
https://therecord.media/serbia-report-amnesty-international-cellebrite-spyware
https://cyberscoop.com/amnesty-international-exposes-serbian-polices-use-of-spyware-on-journalists-activists/
https://www.securityweek.com/android-zero-day-exploited-in-serbian-spyware-campaigns-amnesty-international-points-to-cellebrite/
https://securityaffairs.com/172039/malware/novispy-spyware-serbian-journalist.html
https://www.infosecurity-magazine.com/news/amnesty-accuses-serbia-spyware/
https://www.helpnetsecurity.com/2024/12/16/serbian-government-used-cellebrite-to-unlock-phones-install-spyware/
- Analysis On The Case Of TIDRONE Threat Actor’s Attacks On Korean Companies
"AhnLab SEcurity intelligence Center (ASEC) has recently identified that the TIDRONE threat actor is launching attacks against companies. In the attack cases, Enterprise Resource Planning (ERP) software was exploited to install a backdoor malware called CLNTEND. TIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers. Trend Micro first reported on TIDRONE in September 2024."
https://asec.ahnlab.com/en/85119/
- How Threat Actors Exploit Brand Collaborations To Target Popular YouTube Channels
"Cybercriminals are increasingly targeting YouTube creators by exploiting fake brand collaboration offers to distribute malware. These sophisticated phishing campaigns involve carefully crafted emails that impersonate trusted brands, presenting enticing partnership deals. The malware, disguised as legitimate documents like contracts or promotional materials, is often delivered through password-protected files hosted on platforms such as OneDrive to evade detection. Once downloaded, the malware can steal sensitive information, including login credentials and financial data, while also granting attackers remote access to the victim’s systems. With content creators and marketers as primary targets, this global campaign underscores the importance of verifying collaboration requests and adopting robust cybersecurity measures to protect against such threats."
https://www.cloudsek.com/blog/how-threat-actors-exploit-brand-collaborations-to-target-popular-youtube-channels
https://hackread.com/malware-fake-business-proposals-hits-youtube-creators/
https://www.infosecurity-magazine.com/news/youtube-creators-global-phishing/
- NodeLoader Exposed: The Node.js Malware Evading Detection
"Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. Node.js is a well-known framework for building web-based services such as chat applications, online gaming platforms, and live collaboration tools."
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection#indicators-of-compromise--iocs-
https://www.helpnetsecurity.com/2024/12/16/node-js-malware-loader-nodeloader-game-hack/
- CoinLurker: The Stealer Powering The Next Generation Of Fake Updates
"The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks."
https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates
- DrayTek Routers Exploited In Massive Ransomware Campaign: Analysis And Recommendations
"Network perimeter devices have become a critical initial access target for sophisticated threat actors. Ransomware operators are increasingly exploiting vulnerabilities in routers and VPN appliances. This analysis details a coordinated campaign targeting DrayTek Vigor devices. Our findings reveal a complex ecosystem of cybercriminal collaboration and systematic network infiltration."
https://www.forescout.com/blog/draytek-routers-exploited-in-massive-ransomware-campaign-analysis-and-recommendations/
https://www.securityweek.com/undocumented-draytek-vulnerabilities-exploited-to-hack-hundreds-of-orgs/
- Link Trap: GenAI Prompt Injection Attack
"With the rise of generative AI, new security vulnerabilities are emerging. One such vulnerability is prompt injection, a method that malicious actors can exploit to manipulate AI systems. Typically, the impact of prompt injection attacks is closely tied to the permissions granted to the AI. However, the attack discussed in this article differs from commonly known prompt injections; its impact and scope are significantly broader when targeting generative AI. Even without granting AI extensive permissions, this type of attack can still compromise sensitive data, making it crucial for users to be aware of these threats and take preventive measures."
https://www.trendmicro.com/en_us/research/24/l/genai-prompt-injection-attack-threat.html
- Dirty DAG: New Vulnerabilities In Azure Data Factory’s Apache Airflow Integration
"Unit 42 researchers have discovered new security vulnerabilities in the Azure Data Factory Apache Airflow integration. Attackers can exploit these flaws by gaining unauthorized write permissions to a directed acyclic graph (DAG) file or using a compromised service principal. While classified as low severity vulnerabilities by Microsoft, the risk still carries significant potential impact for organizations that use Azure Data Factory. The vulnerabilities can provide attackers with shadow admin control over Azure infrastructure, which could lead to data exfiltration, malware deployment and unauthorized data access."
https://unit42.paloaltonetworks.com/azure-data-factory-apache-airflow-vulnerabilities/
Breaches/Hacks/Leaks
- Texas Tech University System Data Breach Impacts 1.4 Million Patients
"The Texas Tech University Health Sciences Center and its El Paso counterpart suffered a cyberattack that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients. The organization is a public, academic health institution that is part of the Texas Tech University System, which educates and trains healthcare professionals, conducts medical research, and provides patient care services. The organization announced that, in September 2024, it suffered a cyberattack involving sensitive data theft."
https://www.bleepingcomputer.com/news/security/texas-tech-university-system-data-breach-impacts-14-million-patients/
- ConnectOnCall Breach Exposes Health Data Of Over 910,000 Patients
"Healthcare software as a service (SaaS) company Phreesia is notifying over 910,000 people that their personal and health data was exposed in a May breach of its subsidiary ConnectOnCall, acquired in October 2023. ConnectOnCall is a telehealth platform and after-hours on-call answering service with automated patient call tracking for healthcare providers."
https://www.bleepingcomputer.com/news/security/connectoncall-breach-exposes-health-data-of-over-910-000-patients/
https://www.securityweek.com/900000-people-impacted-by-connectoncall-data-breach/
https://securityaffairs.com/172053/data-breach/connectoncall-data-breach-impacted-over-900000-individuals.html
- Rhode Island Confirms Data Breach After Brain Cipher Ransomware Attack
"Rhode Island is warning that its RIBridges system, managed by Deloitte, suffered a data breach exposing residents' personal information after the Brain Cipher ransomware gang hacked its systems. RIBridges is a modern integrated eligibility system (IES) used in Rhode Island to manage and deliver public assistance programs, helping streamline the administration of various social services. The incident was discovered on December 5, 2024, and following an evaluation by Deloitte, it is considered very likely that hackers stole files containing personally identifiable information and other data."
https://www.bleepingcomputer.com/news/security/rhode-island-confirms-data-breach-after-brain-cipher-ransomware-attack/
https://therecord.media/rhode-island-governor-cyberattack-benefits
https://www.bankinfosecurity.com/thousands-affected-by-data-theft-hack-smallest-us-state-a-27075
https://www.infosecurity-magazine.com/news/deloitte-rhode-island-data-breach/
https://www.theregister.com/2024/12/16/deloitte_rhode_island_attack/
- Cicada3301 Ransomware Claims Attack On French Peugeot Dealership
"Cicada3301, a ransomware group, has claimed responsibility for a data breach targeting Concession Peugeot (concessions.peugeot[.]fr), a prominent French automotive dealership linked to the Peugeot brand. The group claims to have stolen 35GB of sensitive data, marking a continuation of their aggressive cyber campaigns."
https://hackread.com/cicada3301-ransomware-french-peugeot-dealership/
- Namibia’s State Telecom Provider Says Hackers Leaked Data After It Refused To Pay Ransom
"Namibia’s state-owned telecom provider confirmed Monday that some of its customers’ data was leaked on the dark web following a ransomware attack. Telecom Namibia attributed the attack to a threat actor known as Hunters International. According to the company’s chief executive, Stanley Shanapinda, the hackers made the stolen data public after Telecom Namibia had refused to negotiate with them about the potential ransom."
https://therecord.media/namibia-state-telecom-provider-data-leaked-after-ransom-refusal
General News
- Ukrainian Minors Recruited For Cyber Ops And Reconnaissance In Russian Airstrikes
"The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia's Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of "quest games." Law enforcement officials said that it detained two FSB agent groups following a special operation in Kharkiv. These groups, per the agency, consisted exclusively of children aged 15 and 16."
https://thehackernews.com/2024/12/ukrainian-minors-recruited-for-cyber.html
https://www.infosecurity-magazine.com/news/russia-recruits-ukrainian-children/
- EU Issues First-Ever Sanctions Over ‘Russian Hybrid Threats’
"The European Council announced on Monday it was sanctioning 16 individuals and three entities “responsible for Russia’s destabilising actions abroad.” It is the first time the bloc’s political executive is issuing sanctions under powers established in October. When the powers were agreed, Brussels said they were a response to the Kremlin’s “intensifying campaign of hybrid activities” targeting member states and partners. The sanctions aim to impact a wide range of actors, from those involved in GRU Unit 29155 — a Russian military intelligence unit that has been accused of cyberattacks and assassinations — through to other intelligence agency staff and private individuals involved in spreading Russian propaganda both in Europe and Africa."
https://therecord.media/eu-issues-sanctions-over-russia-hybrid-threats
https://www.bankinfosecurity.com/european-union-sanctions-russian-malicious-cyber-actors-a-27076
- Does Desktop AI Come With a Side Of Risk?
"Artificial intelligence has come to the desktop. Microsoft 365 Copilot, which debuted last year, is now widely available. Apple Intelligence just reached general beta availability for users of late-model Macs, iPhones, and iPads. And Google Gemini will reportedly soon be able to take actions through the Chrome browser under an in-development agent feature dubbed Project Jarvis."
https://www.darkreading.com/application-security/does-desktop-ai-risk
- Task Scams Surge By 400%, But What Are They?
"An unfamiliar type of scam has surged against everyday people, with a year-over-year increase of some 400%, putting job seekers at risk of losing their time and money. The emerging threat is delivered in “task scams” or “gamified job scams.” While these scams were virtually non-existent in 2020, the FTC reported 5,000 cases in 2023 and a whopping 20,000 cases in the first half of 2024."
https://www.malwarebytes.com/blog/news/2024/12/task-scams-surge-by-400-but-what-are-they
- Dark Web Threats And Dark Market Predictions For 2025
"We continuously monitor underground markets for the emergence of new “cryptors,” which are tools specifically designed to obfuscate the code within malware samples. The primary purpose of these tools is to render the code undetectable by security software. In 2024, our expert observations indicate that commercial advertising for these cryptors have indeed gained momentum. Cryptor developers are introducing novel techniques to evade detection by security solutions, incorporating these advances into their malware offerings."
https://securelist.com/ksb-dark-web-predictions-2025/114966/
- ESET Threat Report H2 2024
"In the usual cat-and-mouse game with defenders, the second half of 2024 has seen the cybercriminals keeping busy, finding security loopholes and innovative ways to expand their victim pool. As a result, we’ve seen new attack vectors and social engineering methods, new threats skyrocketing in our telemetry, and takedown operations leading to shake-ups of established cybercriminal ranks."
https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2024/
https://thehackernews.com/2024/12/new-investment-scam-leverages-ai-social.html
- Create a Strong Security Culture: How To Turn Good Security Habits Into Second Nature For Your Employees
"Last year, 74% of breaches involved human factors, like users behaving in risky ways or maliciously. No doubt, it’s a challenge to address any type of insider threat—whether it stems from human error and oversight or from more sinister intentions. However, when you foster a strong security culture you can significantly reduce these incidents. But creating a strong security culture isn’t easy. For starters, the concept of security culture itself can often feel vague. And this is partly because there aren’t any standardized metrics to measure it. Some organizations assess culture through phishing simulation click rates or reporting rates; others rely on training completion rates or the speed at which assignments are finished."
https://www.proofpoint.com/us/blog/security-awareness-training/how-build-sustainable-security-culture-drives-behavior-change
References
Electronic Transactions Development Agency (ETDA)