Cyber Threat Intelligence 14 January 2025
Industrial Sector
- CISA And US And International Partners Publish Guidance On Priority Considerations In Product Selection For OT Owners And Operators
"Today, CISA—along with U.S. and international partners—released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process."
https://www.cisa.gov/news-events/alerts/2025/01/13/cisa-and-us-and-international-partners-publish-guidance-priority-considerations-product-selection-ot
https://www.cisa.gov/resources-tools/resources/secure-demand-priority-considerations-operational-technology-owners-and-operators-when-selecting
New Tooling
- Chainsaw: Open-Source Tool For Hunting Through Windows Forensic Artefacts
"Chainsaw is an open-source first-response tool for quickly detecting threats in Windows forensic artefacts, including Event Logs and the MFT file. It enables fast keyword searches through event logs and identifies threats using built-in Sigma detection and custom detection rules."
https://www.helpnetsecurity.com/2025/01/13/chainsaw-open-source-tool-hunting-through-windows-forensic-artefacts/
https://github.com/WithSecureLabs/chainsaw
Vulnerabilities
- Wiz Research Identifies Exploitation In The Wild Of Aviatrix Controller RCE (CVE-2024-50603)
"CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions 7.1.4191 and 7.2.4996."
https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
https://thehackernews.com/2025/01/hackers-exploit-aviatrix-controller.html
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-aviatrix-controller-rce-flaw-in-attacks/
https://www.darkreading.com/cloud-security/cloud-attackers-exploit-max-critical-aviatrix-rce-flaw
https://www.theregister.com/2025/01/13/severe_aviatrix_controller_vulnerability/
- Juniper Networks Fixes High-Severity Vulnerabilities In Junos OS
"Juniper Networks kicked off 2025 with security updates that address dozens of vulnerabilities in the Junos OS platform, including multiple high-severity bugs. Patches were released last week to resolve a high-severity out-of-bounds read flaw in the routing protocol daemon (RPD) of Junos OS and Junos OS Evolved that could lead to denial-of-service (DoS) when processing a malformed BGP packet. Tracked as CVE-2025-21598, the issue affects systems that have packet receive trace options enabled and “can propagate and multiply through multiple ASes until reaching vulnerable devices”, Juniper says."
https://www.securityweek.com/juniper-networks-fixes-high-severity-vulnerabilities-in-junos-os/
- Analyzing CVE-2024-44243, A macOS System Integrity Protection Bypass Through Kernel Extensions
"Microsoft Threat Intelligence discovered a new macOS vulnerability that could allow attackers to bypass Apple’s System Integrity Protection (SIP) in macOS by loading third party kernel extensions. SIP is a security technology that restricts the performance of operations that may compromise system integrity; thus, a SIP bypass affects the overall security of the operating system. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits."
https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/
https://www.bleepingcomputer.com/news/security/microsoft-macos-bug-lets-hackers-install-malicious-kernel-drivers/
- CISA Orders Agencies To Patch BeyondTrust Bug Exploited In Attacks
"CISA has tagged a command injection vulnerability (CVE-2024-12686) in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01, after being added to CISA's Known Exploited Vulnerabilities catalog, U.S. federal agencies must secure their networks against ongoing attacks targeting the flaw within three weeks by February 3. On December 19, the U.S. cybersecurity agency also added a critical command injection security bug (CVE-2024-12356) in the same BeyondTrust software products."
https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-beyondtrust-bug-exploited-in-attacks/
https://securityaffairs.com/173031/security/u-s-cisa-adds-beyondtrust-pra-and-rs-and-qlik-sense-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Malware
- Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces On Fortinet FortiGate Firewalls
"In early December, Arctic Wolf Labs began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices. By gaining access to management interfaces on affected firewalls, threat actors were able to alter firewall configurations. In compromised environments, threat actors were observed extracting credentials using DCSync. While the initial access vector used in this campaign is not yet confirmed, Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected."
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
https://threats.wiz.io/all-incidents/campaign-targeting-publicly-exposed-management-interfaces-on-fortinet-fortigate-firewalls
https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_firewalls/
- Abusing AWS Native Services: Ransomware Encrypting S3 Buckets With SSE-C
"The Halcyon RISE Team has identified a concerning new ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it. It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials. With no known method to recover the data without paying the ransom, this tactic represents a significant evolution in ransomware capabilities."
https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/
https://therecord.media/hackers-encrypting-amazon-cloud-buckets
https://www.helpnetsecurity.com/2025/01/13/codefinger-encrypting-aws-s3-data-without-ransomware-sse-c/
https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
- Double-Tap Campaign: Russia-Nexus APT Possibly Related To APT28 Conducts Cyber Espionage On Central Asia And Kazakhstan Diplomatic Relations
"On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. Putin said he was visiting his “true ally”, yet Sekoia investigated an ongoing cyber espionage campaign using legitimate Office documents assessed to originate from the Ministry of Foreign Affairs of the Republic of Kazakhstan, that were further weaponized and likely used to collect strategic intelligence in Central Asia, including Kazakhstan and its diplomatic and economic relations with Asian and Western countries. We assess it is possible that this campaign was conducted by a Russia-nexus intrusion set, UAC-0063, sharing overlaps with APT28."
https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
https://therecord.media/hackers-kremlin-kazakhstan-espionage-campaign
https://cyberscoop.com/fancy-bear-kazakhstan-russia-sekoia/
https://www.infosecurity-magazine.com/news/russian-malware-campaign-hits/
- Deep Dive Into A Linux Rootkit Malware
"This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system. At the end of that blog, we revealed that the remote attacker had deployed a rootkit (a loadable kernel module, sysinitd.ko) and a user-space binary file (sysinitd) on the affected system by executing a shell script (Install.sh). Additionally, to establish rootkit persistence, entries for the rootkit malware were added in the /etc/rc.local and /etc/rc.d/rc.local files so the rootkit malware is loaded during system startup."
https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
- Stealthy Credit Card Skimmer Targets WordPress Checkout Pages Via Database Injection
"Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress website. This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment details. The malware activates specifically on checkout pages, either by hijacking existing payment fields or injecting a fake credit card form."
https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html
https://thehackernews.com/2025/01/wordpress-skimmers-evade-detection-by.html
https://securityaffairs.com/173010/malware/stealthy-credit-card-skimmer-targets-wordpress.html
Breaches/Hacks/Leaks
- OneBlood Confirms Personal Data Stolen In July Ransomware Attack
"Blood-donation not-for-profit OneBlood confirms that donors' personal information was stolen in a ransomware attack last summer. OneBlood first notified the public about the attack on July 31, 2024, noting that ransomware actors had encrypted its virtual machines, forcing the healthcare organization to fall back to using manual processes. OneBlood is a supplier of blood to over 250 hospitals across the United States with the attack causing delays in blood collection, testing, and distribution, leading to 'critical blood shortage' protocols in some clinics."
https://www.bleepingcomputer.com/news/security/oneblood-confirms-personal-data-stolen-in-july-ransomware-attack/
- Stolen Path Of Exile 2 Admin Account Used To Hack Player Accounts
"Path of Exile 2 developers confirmed that a hacked admin account allowed a threat actor to change the password and access at least 66 accounts, finally explaining how PoE 2 accounts have been breached since November. The breached admin account allowed the threat actors to change the passwords of other accounts, with many losing their in-game purchases, including valuable items that took hundreds of hours to acquire. However, a time limit in log retention prevents the full scope of the incident from being determined, potentially meaning more accounts were compromised in the breach."
https://www.bleepingcomputer.com/news/security/stolen-path-of-exile-2-admin-account-used-to-hack-player-accounts/
- UK Domain Registry Nominet Confirms Breach Via Ivanti Zero-Day
"Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability. The company manages and operates over 11 million .uk, .co.uk, and .gov.uk domain names and other top-level domains, including .cymru and .wales. It also ran the U.K.'s Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users."
https://www.bleepingcomputer.com/news/security/uk-domain-registry-nominet-confirms-breach-via-ivanti-zero-day-vulnerability/
https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/
https://www.helpnetsecurity.com/2025/01/13/uk-domain-registry-nominet-breached-via-ivanti-zero-day-cve-2025-0282/
- EU Law Enforcement Training Agency Data Breach: Data Of 97,000 Individuals Compromised
"Personal data of nearly 100,000 individuals that have participated in trainings organized by CEPOL, the European Union (EU) Agency for Law Enforcement Training, has potentially been compromised due to the cyberattack suffered by the agency in May 2024. “Starting in October 2024, until 31 December 2024, over 97 000 notifications were sent to people whose personal data were processed in the 31 processing activities identified as high risk in the context of the data breach were contacted via email,” the agency shared on Friday."
https://www.helpnetsecurity.com/2025/01/13/eu-law-enforcement-training-agency-data-breach-cepol/
- Major Location Data Broker Reports Hack To Norwegian Authorities
"A major player in the location data broker market has confirmed to Norway’s Data Protection Authority that it was breached by a hacker who obtained an unknown number of files. The Norwegian news outlet NRK on Friday published a copy of the breach notice sent to Norwegian authorities by the location data broker Unacast, the parent company of Gravy Analytics. It is unclear when the breach was reported. While the breach report contains few details of the incident, hackers have claimed on a Russian cybercrime forum to have stolen a vast trove of data. The news outlet 404 Media was the first publication to reveal news of the breach."
https://therecord.media/location-data-broker-gravy-breach
- Cyberattack Forces Dutch University To Cancel Lectures
"Eindhoven University of Technology has cancelled “lectures and other educational activities” following a cyberattack, although it is expected to have only a limited impact as teaching is reduced while students prepare for exams. In a statement on Sunday, the Dutch university said it had shut down its network after detecting the attack at around 9 p.m. on Saturday but stressed its IT staff still have access to all systems and are investigating. Students have been told the disruption would last on Monday and an update would be provided on Tuesday."
https://therecord.media/tu-eindhoven-cyberattack-lectures-canceled
- EXCLUSIVE: Scholastic, Education Giant And ‘Harry Potter’ Publisher, Breached By ‘furry’ Hacker
"A “furry” hacker breached the education and publishing company Scholastic this month and stole data on 8 million people, the Daily Dot has learned. Scholastic is a leading global provider of educational materials for pre-K to grade 12, offering both print and digital resources to support student learning. In addition to its educational offerings, Scholastic publishes popular children’s book series, including Harry Potter, The Hunger Games, Clifford the Big Red Dog, and Goosebumps. The hacker, who goes by the moniker “Parasocial,” presented the data to the Daily Dot after purportedly exfiltrating it from an employee portal."
https://www.dailydot.com/debug/furry-hacks-scholastic-8-million-records-stolen/
General News
- GitHub CISO On Security Strategy And Collaborating With The Open-Source Community
"In this Help Net Security, Alexis Wales, CISO at GitHub, discusses how GitHub embeds security into every aspect of its platform to protect millions of developers and repositories, ensuring it remains a trustworthy platform for building secure software."
https://www.helpnetsecurity.com/2025/01/13/alexis-wales-github-ciso-security-strategy/
- The Shifting Landscape Of Open Source Security
"As we move into 2025, open source software (OSS) remains central to digital innovation across industries. However, its widespread adoption brings heightened security challenges and evolving regulatory demands. In the coming year, we expect a rise in targeted OSS supply chain attacks, a greater reliance on AI in cybersecurity — with both positive and negative implications — and a stronger push for global regulatory standards promoting responsible OSS practices."
https://www.darkreading.com/vulnerabilities-threats/shifting-landscape-open-source-security
- WEF Warns Of Growing Cyber Inequity Amid Escalating Complexities In Cyberspace
"Cyber inequity has widened in the past year amid increasing complexities in cyberspace and geopolitical uncertainties, the World Economic Forum (WEF)’s Global Cybersecurity Outlook 2025 has found. The WEF found that there is substantial disparity in the capabilities of different businesses, sectors and regions to effectively respond to cyber-attacks. There is a considerable gap between large and small organizations’ cybersecurity capabilities, the report, which was published on January 13, 2025, found."
https://www.infosecurity-magazine.com/news/wef-cyber-inequity-complexities/
- AI Won’t Take This Job: Microsoft Says Human Ingenuity Crucial To Red-Teaming
"As security pros worry about AI taking their jobs, researchers at Microsoft insist that effective red-teaming still relies on human expertise, cultural awareness, and emotional intelligence — qualities that can’t be replicated by machines. The software giant says its AI red team rigorously tested more than 100 generative AI products and determined that human ingenuity remains crucial to uncovering vulnerabilities and anticipating how hackers might exploit these systems."
https://www.securityweek.com/ai-wont-take-this-job-microsoft-says-human-ingenuity-crucial-to-red-teaming/
https://airedteamwhitepapers.blob.core.windows.net/lessonswhitepaper/MS_AIRT_Lessons_eBook.pdf
References
Electronic Transactions Development Agency (ETDA)