Cyber Threat Intelligence 20 January 2025
Industrial Sector
- Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial Switch
"Emulators such as the open-source, cross-platform QEMU framework are invaluable tools for researchers conducting vulnerability research. QEMU and other emulators act as great testing environments where software and firmware can be analyzed for exploitable vulnerabilities. They can also be taken a step further for testing exploits within a safe space. For Team82, QEMU and other emulation platforms are center stage in much of our research, in particular where it may be difficult to obtain an actual target device. In this blog, we will explain how we used QEMU to emulate the relevant system components of Planet Technology Corp’s WGS-804HPT Industrial switch, and how it was used to uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device."
https://claroty.com/team82/research/hack-the-emulated-planet-vulnerability-hunting-planet-wgs-804hpt-industrial-switch
https://thehackernews.com/2025/01/critical-flaws-in-wgs-804hpt-switches.html
https://securityaffairs.com/173237/security/wgs-804hpt-flaws.html
Telecom Sector
- FCC Orders Telecoms To Secure Their Networks After Salt Typhoon Hacks
"The Federal Communications Commission (FCC) has ordered U.S. telecommunications carriers to secure their networks following last year's Salt Typhoon security breaches. Today's action comes after FCC Chairwoman Jessica Rosenworcel said in early December that the FCC would act "urgently" to require U.S. carriers to secure their systems from cyberattacks. "We now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan," Rosenworcel said on Friday. "In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. The time to take this action is now. We do not have the luxury of waiting.""
https://www.bleepingcomputer.com/news/security/fcc-orders-telecoms-to-secure-their-networks-after-salt-tyhpoon-hacks/
https://docs.fcc.gov/public/attachments/DOC-408945A1.pdf
https://www.theregister.com/2025/01/17/fcc_telcos_calea/
New Tooling
- MSSqlPwner: Open-Source Tool For Pentesting MSSQL Servers
"MSSqlPwner is an open-source pentesting tool tailored to interact with and exploit MSSQL servers. Built on Impacket, it enables users to authenticate with databases using various credentials, including clear-text passwords, NTLM hashes, and Kerberos tickets."
https://www.helpnetsecurity.com/2025/01/17/mssqlpwner-open-source-pentesting-mssql-servers/
https://github.com/ScorpionesLabs/MSSqlPwner
Vulnerabilities
- Microsoft Eggheads Say AI Can Never Be Made Secure – After Testing Redmond's Own Products
"Microsoft brainiacs who probed the security of more than 100 of the software giant's own generative AI products came away with a sobering message: The models amplify existing security risks and create new ones. The 26 authors offered the observation that “the work of securing AI systems will never be complete" in a pre-print paper titled: Lessons from red-teaming 100 generative AI products."
https://www.theregister.com/2025/01/17/microsoft_ai_redteam_infosec_warning/
https://arxiv.org/abs/2501.07238
- Mercedes-Benz Head Unit Security Research Report
"This report covers the research of the Mercedes-Benz Head Unit, which was made by our team. Mercedes-Benz’s latest Head Unit (infotainment system) is called Mercedes-Benz User Experience (MBUX). We performed analysis of the first generation MBUX. MBUX was previously analysed by KeenLab. Their report is a good starting point for diving deep into the MBUX internals and understanding the architecture of the system. In our research we performed detailed analysis of the first generation MBUX subsystems, which are overlooked in the KeenLab research: diagnostics (CAN, UDS, etc.), connections via USB and custom IPC."
https://securelist.com/mercedes-benz-head-unit-security-research/115218/
- OpenAI's ChatGPT Crawler Can Be Tricked Into DDoSing Sites, Answering Your Queries
"OpenAI's ChatGPT crawler appears to be willing to initiate distributed denial of service (DDoS) attacks on arbitrary websites, a reported vulnerability the tech giant has yet to acknowledge. In a write-up shared this month via Microsoft's GitHub, Benjamin Flesch, a security researcher in Germany, explains how a single HTTP request to the ChatGPT API can be used to flood a targeted website with network requests from the ChatGPT crawler, specifically ChatGPT-User."
https://www.theregister.com/2025/01/19/openais_chatgpt_crawler_vulnerability/
https://github.com/bf/security-advisories/blob/main/2025-01-ChatGPT-Crawler-Reflective-DDOS-Vulnerability.md
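Added example, not code from the advisory or from OpenAI: the failure mode described above is a server-side fetcher that accepts a caller-supplied list of URLs and requests every one of them, so a single API call fans out into many crawler requests at one site. `naive_plan` below is that pattern; `plan_fetches` is a hardened form that bounds the list, canonicalises URLs so trivial variants (case, default port, fragment, trailing slash) collapse to one key, and caps fetches per host. The list parameter, the limits and the `victim.example` input are assumptions constructed for the demonstration.

```python
from collections import Counter
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical limits for the demonstration (assumptions, not OpenAI's values).
MAX_URLS_PER_REQUEST = 20
MAX_URLS_PER_HOST = 2


def canonical(url: str) -> Optional[str]:
    """Normalise a URL so trivial variants collapse to one key.
    Returns None for schemes the fetcher should not touch."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default_port = 443 if scheme == "https" else 80
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path.rstrip("/") or "/"
    # Query kept (it may select a distinct page); fragment dropped (never sent to the server).
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def naive_plan(urls: List[str]) -> List[str]:
    """The vulnerable pattern: fetch every caller-supplied URL exactly as given."""
    return list(urls)


def plan_fetches(urls: List[str]) -> List[str]:
    """Hardened pattern: bound the list, canonicalise, deduplicate and cap
    fetches per host, so one request cannot be amplified against one site."""
    if len(urls) > MAX_URLS_PER_REQUEST:
        raise ValueError(f"too many URLs in one request (> {MAX_URLS_PER_REQUEST})")
    seen = set()
    per_host = Counter()
    accepted = []
    for url in urls:
        key = canonical(url)
        if key is None or key in seen:
            continue
        host = urlsplit(key).hostname
        if per_host[host] >= MAX_URLS_PER_HOST:
            continue                # amplification attempt: same host again
        seen.add(key)
        per_host[host] += 1
        accepted.append(key)
    return accepted


# Constructed input: one API call naming the same host many times with
# trivial variations, plus one unrelated URL.
ATTACK_URLS = [f"https://victim.example/page?v={i}" for i in range(15)] + [
    "HTTPS://Victim.Example:443/page?v=0#x",  # same as v=0 after canonicalisation
    "https://victim.example/page/?v=1",      # same as v=1 (trailing slash)
    "https://other.example/",
]

if __name__ == "__main__":
    print("naive fetches:   ", len(naive_plan(ATTACK_URLS)))
    print("hardened fetches:", plan_fetches(ATTACK_URLS))
```

The per-host cap is the control that actually removes the amplification; canonicalisation alone only defeats the laziest variants, and a request-size bound alone still lets one call produce that many hits on a single host.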
Malware
- Warning Against ModiLoader (DBatLoader) Spreading Via MS Windows CAB Header Batch File (*.cmd)
"In December 2024, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of malware using MS Windows CAB header batch file (*.cmd) with AhnLab’s email honeypot. The malware known as ModiLoader (DBatLoader) was being distributed through purchase orders (PO). The difference from the past cases is that while the current malware uses the *.cmd (batch file) extension, it actually abuses the CAB compression header format to create and execute the malware as a loader type."
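Added example, not ASEC's code and not the real ModiLoader sample: the detection angle in the item above is a file whose name says batch script but whose content starts with a Microsoft Cabinet header. The scanner below identifies a file by its leading bytes instead of its extension, parses the fixed 36-byte CFHEADER (the `MSCF` signature, cabinet size, file-record offset, version and counts), and lists the printable lines that cmd.exe would still execute after the binary header. The sample bytes, the filename and the batch tail are constructed for the demonstration.

```python
import os
import struct
from typing import Dict, List, Optional

# Extensions cmd.exe executes as batch scripts.
SCRIPT_EXTENSIONS = {".cmd", ".bat"}

# Leading bytes of binary container formats a batch file should never start with.
CONTAINER_MAGICS = {
    b"MSCF": "cab",        # Microsoft Cabinet (CFHEADER signature)
    b"MZ": "pe",           # DOS/PE executable
    b"PK\x03\x04": "zip",  # ZIP local file header
}


def container_type(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes rather than by its name."""
    for magic, kind in CONTAINER_MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def cab_header(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the fixed 36-byte CFHEADER at the start of a cabinet file."""
    if len(data) < 36 or data[:4] != b"MSCF":
        return None
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, v_minor, v_major,
     c_folders, c_files, flags, set_id, _i_cabinet) = struct.unpack_from(
        "<4sIIIIIBBHHHHH", data, 0)
    return {
        "cabinet_size": cb_cabinet,
        "files_offset": coff_files,
        "version": f"{v_major}.{v_minor}",
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
        "set_id": set_id,
    }


def batch_text_lines(data: bytes) -> List[str]:
    """cmd.exe reads a batch file line by line and skips lines it cannot parse,
    so printable text after a binary header is still executed. Return those lines."""
    lines = []
    for raw in data.split(b"\r\n"):
        if raw and all(32 <= b < 127 for b in raw):
            lines.append(raw.decode("ascii"))
    return lines


def scan(filename: str, data: bytes) -> Optional[Dict[str, object]]:
    """Flag a script-extension file whose content is a binary container."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SCRIPT_EXTENSIONS:
        return None
    kind = container_type(data)
    if kind is None:
        return None
    finding: Dict[str, object] = {
        "file": filename,
        "container": kind,
        "reason": f"{ext} script starts with a {kind} header",
        "text_lines": batch_text_lines(data),
    }
    if kind == "cab":
        finding["cab"] = cab_header(data)
    return finding


# Constructed samples: a valid CFHEADER, opaque filler standing in for the
# folder/file records, then a harmless batch tail; and a plain batch file.
SAMPLE_CMD = (
    struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 0x200, 0, 0x2C, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    + bytes([0x00, 0x7F, 0x80, 0xFF]) * 32
    + b"\r\n@echo off\r\necho constructed sample\r\n"
)
BENIGN_CMD = b"@echo off\r\necho hello\r\n"

if __name__ == "__main__":
    print(scan("PO-2025-01.cmd", SAMPLE_CMD))
    print(scan("clean.cmd", BENIGN_CMD))
```

Run the same check in a mail gateway or EDR rule as "extension is .cmd/.bat and first four bytes are MSCF"; the extension/magic mismatch is the signal, and the header fields are only there to confirm the cabinet is well formed rather than a coincidental byte sequence.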
https://asec.ahnlab.com/en/85834/
- IoT Botnet Linked To Large-Scale DDoS Attacks Since The End Of 2024
"We discovered an Internet-of-Things (IoT) botnet and have been continuously observing large-scale distributed denial-of-service (DDoS) attack commands sent from its command-and-control (C&C) server targeting Japan, as well as other countries around the world, since the end of 2024. These attacks targeted various companies in different countries, including multiple major Japanese corporations and banks."
https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
- Malicious PyPI Package ‘pycord-Self’ Targets Discord Developers With Token Theft And Backdoor Exploit
"The Socket team has identified a malicious PyPI package named pycord-self, which targets developers seeking Python wrappers for the Discord user API. By mimicking the legitimate package discord.py-self, this malicious package deceives developers into installing it, enabling attackers to steal Discord authentication tokens and gain remote control over their systems through a backdoor persistence mechanism. This typosquatting attack, which has already made its way onto hundreds of developer systems, highlights why it’s crucial for developers to carefully evaluate dependencies before installing them."
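Added example, not Socket's tooling and not the project's own code: the practical check the item above calls for is to audit a requirements file against the packages a project is actually allowed to pull in. The audit below applies PEP 503 name normalisation (so `py_cord`, `Py-Cord` and `py.cord` compare equal), catches near-miss spellings by edit distance or separator-free comparison, and flags names that recombine a known package name or one of its tokens with a prefix or suffix, which is how `pycord-self` relates to `py-cord` and `discord.py-self`. The allowlist and the requirements text are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed allowlist: what this (hypothetical) project is permitted to depend on.
KNOWN_PACKAGES = ["discord.py", "discord.py-self", "py-cord", "requests"]


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def squash(name: str) -> str:
    """Separator-free form, so 'py-cord' and 'pycord' compare equal."""
    return normalize(name).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as 'requsts'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(requirement: str, known: List[str] = KNOWN_PACKAGES) -> Dict[str, object]:
    """Classify one requirements line as allowed / typosquat / lookalike / unknown."""
    name = re.split(r"[\s<>=!~;\[@]", requirement.strip(), maxsplit=1)[0]
    norm = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if norm in known_norm:
        return {"name": name, "verdict": "allowed", "matches": [known_norm[norm]]}
    # Near-miss spelling of an allowed name ('requsts' for 'requests', 'pycord' for 'py-cord').
    near = [orig for kn, orig in known_norm.items()
            if levenshtein(norm, kn) <= 2 or squash(norm) == squash(kn)]
    if near:
        return {"name": name, "verdict": "typosquat", "matches": near}
    # Recombination: a known name (squashed) reused as a token, or a distinctive
    # token (4+ chars) borrowed from a known multi-token name ('pycord' + '-self').
    tokens = {t for t in norm.split("-") if len(t) >= 4}
    like = []
    for kn, orig in known_norm.items():
        kn_tokens = {t for t in kn.split("-") if len(t) >= 4}
        if squash(kn) in tokens or (tokens & kn_tokens):
            like.append(orig)
    if like:
        return {"name": name, "verdict": "lookalike", "matches": like}
    return {"name": name, "verdict": "unknown", "matches": []}


def audit(requirements_text: str) -> List[Dict[str, object]]:
    """Run classify() over every requirement line, skipping blanks and comments."""
    findings = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.append(classify(line))
    return findings


# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
# project deps
requests==2.32.0
discord.py-self>=2.0
pycord-self
requsts
numpy
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{finding['verdict']:10} {finding['name']:20} {finding['matches']}")
```

"lookalike" and "unknown" are review verdicts, not blocks: a genuinely new dependency will land there too, and the point is that it gets a human look before `pip install` rather than after. Pair the audit with hash-pinned installs so an approved name cannot later be swapped for different content.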
https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-token-theft-and-backdoor
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steals-discord-auth-tokens-from-devs/
- GSocket Gambling Scavenger – How Hackers Use PHP Backdoors And GSocket To Facilitate Illegal Gambling In Indonesia
"Since 1974, gambling has been officially illegal in Indonesia. However, the digital revolution of the 2000s introduced a new challenge: the rapid growth of online gambling platforms. This technological shift has created enforcement gaps, compelling the Indonesian government to intensify its efforts to combat illegal online gambling. Recent government crackdowns have sought to disrupt the operators and platforms behind these activities, as authorities emphasize the legal, social, and moral implications of gambling in the predominantly Muslim nation."
https://www.imperva.com/blog/how-hackers-use-php-backdoors-and-gsocket-to-facilitate-illegal-gambling-in-indonesia/
https://thehackernews.com/2025/01/python-based-bots-exploiting-php.html
- Sneaky 2FA: Exposing a New AiTM Phishing-As-a-Service
"In December 2024, during our daily threat hunting routine, we uncovered a new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. These phishing pages have been circulating since at least October 2024, and during that period, we identified potential compromises through the Sekoia.io telemetry. Our analysis showed that this kit is being sold as Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log”, which operates through a fully-featured bot on Telegram. Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently. Currently, Sneaky 2FA’s phishing pages are hosted on compromised infrastructure, frequently involving WordPress websites, and other domains controlled by the attacker."
https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html
- Sliver Implant Targets German Entities With DLL Sideloading And Proxying Techniques
"Cyble Research & Intelligence Labs (CRIL) recently identified an ongoing campaign involving an archive file containing a deceptive LNK file. While the initial infection vector remains unclear, this attack is likely initiated via spear-phishing email. The archive file “Homeoffice-Vereinbarung-2025.7z,” once extracted, contains a shortcut (.LNK) file along with several other components, including legitimate executables (DLL and EXE files), a malicious DLL file, an encrypted DAT file, and a decoy PDF. Interestingly, the creation times of most files in the archive are about a year old, with only the lure document being recently created."
https://cyble.com/blog/sliver-implant-targets-german-entities-with-dll-sideloading-and-proxying-techniques/
Breaches/Hacks/Leaks
- Analysis Of Threat Actor Data Posting
"Fortinet is aware of a posting by a threat actor which claims to offer compromised configuration and VPN credentials from FortiGate devices. Based on our analysis, the data involved is a resharing of data from previous incidents from dates prior to November 2022 and is not related to any recent incident or advisory. The following provides factual information to help our customers better understand the situation and make informed decisions."
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting
https://www.theregister.com/2025/01/17/fortinet_fortigate_config_leaks/
- Otelier Data Breach Exposes Info, Hotel Reservations Of Millions
"Hotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage to steal millions of guests' personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt. The breach first allegedly occurred in July 2024, with continued access through October, with the threat actors claiming to have stolen almost eight terabytes of data from Otelier's Amazon AWS S3 buckets. In a statement to BleepingComputer, Otelier confirmed the compromise and said it is communicating with impacted customers."
https://www.bleepingcomputer.com/news/security/otelier-data-breach-exposes-info-hotel-reservations-of-millions/
- MedSave Health Insurance TPA Hacked; Firm Has Yet To Comment Or Respond
"The individual known as “0mid16B” has been busy, it seems. They contacted DataBreaches on Wednesday to announce that they had hacked MedSave Health Insurance TPA Ltd (“MedSave”). MedSave is a third party administrator in India that partners with more than 10 insurance companies, processing and settling claims submitted by hospitals or insured members. MedSave lists 5,000 hospital networks that they work with. They are considered one of the biggest TPAs in India. “In total, I stole 561 gigabytes of databases,” 0mid16B wrote. “Corporate, accounting, employees, sales and personal/health data of 10,617,943 people.” They attached a screenshot showing a directory of .ldf and .mdf files and several .csv files as proof of claims."
https://databreaches.net/2025/01/17/medsave-health-insurance-tpa-hacked-firm-has-yet-to-comment-or-respond/
- Medusa Ransomware Group Claims Attack On UK's Gateshead Council
"Another year and yet another UK local authority has been pwned by a ransomware crew. This time it's Gateshead Council in North East England at the hands of the Medusa group. The council confirmed that police were investigating the "cybersecurity incident" on January 15, a few short hours after Medusa placed "stolen" documents on its data leak site. Gateshead said the attackers gained access to its systems on January 8, that officers have been working on the case since then, and that some personal data "has been infringed.""
https://www.theregister.com/2025/01/17/gateshead_council_cybersecurity_incident/
- Hackers Claim Breach Of Hewlett Packard Enterprise, Lists Data For Sale
"Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online. The notorious IntelBroker hacker along with their associates have claimed responsibility for breaching Hewlett Packard Enterprise (HPE), a Houston, TX, United States-based global company that provides technology solutions to businesses. The hacker, who was previously linked to several high-profile data breaches, is now selling the allegedly stolen data, demanding payment in Monero (XMR) cryptocurrency to remain anonymous and untraceable."
https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/
General News
- Balancing Usability And Security In The Fight Against Identity-Based Attacks
"In this Help Net Security interview, Adam Bateman, CEO of Push Security, talks about the rise in identity-based attacks, how they’re becoming more sophisticated each year, and how AI and ML are both fueling these threats and helping to defend against them. Bateman also discusses the role of employee training and how businesses can balance strong security with user-friendly experiences."
https://www.helpnetsecurity.com/2025/01/17/adam-bateman-push-security-dentity-based-attacks/
- Homeowners Are Clueless About How Smart Devices Collect Their Data
"Homeowners are increasingly concerned about data privacy in smart home products, according to Copeland. Homeowners are still generally comfortable in using new technology, but this year smart thermostat non-owners are less likely to feel comfortable using new tech compared to 2022 levels."
https://www.helpnetsecurity.com/2025/01/17/homeowners-data-privacy/
- US Sanctions Chinese Firm, Hacker Behind Telecom And Treasury Hacks
"The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Yin Kecheng, a Shanghai-based hacker for his role in the recent Treasury breach and a company associated with the Salt Typhoon threat group. “Yin Kecheng has been a cyber actor for over a decade and is affiliated with the People’s Republic of China Ministry of State Security (MSS),” reads the Treasury's announcement. “Yin Kecheng was associated with the recent compromise of the Department of the Treasury’s Departmental Offices network,” says the agency."
https://www.bleepingcomputer.com/news/security/us-sanctions-chinese-firm-hacker-behind-telecom-and-treasury-hacks/
https://therecord.media/treasury-sanctions-alleged-salt-typhoon-hacker-company
https://www.darkreading.com/threat-intelligence/us-sanctions-chinese-hacker-treasury-critical-infrastructure-breaches
https://thehackernews.com/2025/01/us-sanctions-chinese-cybersecurity-firm.html
https://www.bankinfosecurity.com/us-identifies-hacking-firm-behind-salt-typhoon-telecom-hacks-a-27325
https://cyberscoop.com/treasury-sanctions-chinese-cybersecurity-company-salt-typhoon-hacks/
https://www.securityweek.com/treasury-levels-sanctions-tied-to-a-massive-hack-of-telecom-companies-and-breach-of-its-own-network/
https://securityaffairs.com/173209/intelligence/u-s-treasury-sanctioned-cybersecurity-firm-and-shanghai-cyber-actor-linked-salt-typhoon.html
https://www.itnews.com.au/news/us-treasury-department-imposes-sanctions-on-chinese-company-over-salt-typhoon-hack-614436
- Employees Enter Sensitive Data Into GenAI Prompts Far Too Often
"A wide spectrum of data is being shared by employees through generative AI (GenAI) tools, researchers have found, legitimizing many organizations' hesitancy to fully adopt AI practices. Every time a user enters data into a prompt for ChatGPT or a similar tool, the information is ingested into the service's LLM data set as source material used to train the next generation of the algorithm. The concern is that the information could be retrieved at a later date via savvy prompts, a vulnerability, or a hack, if proper data security isn't in place for the service."
https://www.darkreading.com/threat-intelligence/employees-sensitive-data-genai-prompts
- Leveraging Behavioral Insights To Counter LLM-Enabled Hacking
"Hacking is innovation in its purest form. Like any other innovation, a successful hack requires developing a creative solution to the scenario at hand and then effectively implementing that solution. As technologies facilitate implementation, successfully preventing a hack (that is, blue teaming) or simulating an attack to test defenses (red teaming) will require a better understanding of how adversaries generate creative ideas."
https://www.darkreading.com/vulnerabilities-threats/leveraging-behavioral-insights-counter-llm-enabled-hacking
- Government Sector Bears The Brunt Of Cyberattacks In Ukraine: Report
"Ukraine’s fight against cyberthreats has reached new heights, with its top cybersecurity agency releasing the 2024 annual cyberthreat landscape report detailing its efforts to protect critical infrastructure and government systems. The report, prepared by the State Cyber Defense Center under the State Service for Special Communications and Information Protection, outlines key findings, incident statistics, and strategies employed to counteract persistent cyber threats."
https://cyble.com/blog/ukraine-cyberthreat-landscape-2024/
References
Electronic Transactions Development Agency (ETDA)