Cyber Threat Intelligence 24 April 2024
-
Industrial Sector
- Siemens Industrial Product Impacted By Exploited Palo Alto Firewall Vulnerability
"In an advisory published late last week, Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400."
https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
Vulnerabilities
-
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation."
https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
-
Microsoft DRM Hack Could Allow Movie Downloads From Popular Streaming Services
"Microsoft’s PlayReady content access and protection technology is affected by vulnerabilities that could allow rogue subscribers to illegally download movies from popular streaming services, according to Poland-based cybersecurity research company AG Security Research."
https://www.securityweek.com/microsoft-drm-hacking-could-allow-movie-downloads-from-popular-streaming-services/
https://security-explorations.com/microsoft-playready.html
Malware
-
Suspected CoralRaider Continues To Expand Victimology Using Three Information Stealers
"Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host."
https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/
https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/
-
DPRK Hacking Groups Breach South Korean Defense Contractors
"The National Police Agency in South Korea issued an urgent warning today about North Korean hacking groups targeting defense industry entities to steal valuable technology information. The police discovered several instances of successful breaches of defense companies in South Korea involving the hacking groups Lazarus, Andariel, and Kimsuky, all part of the North Korean hacking apparatus."
https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/
https://www.documentcloud.org/documents/24601517-korean-police?responsive=1&title=1
https://therecord.media/south-korean-defense-companies-cyber-espionage-north-korea
https://securityaffairs.com/162193/apt/north-korea-south-korean-defense-contractors.html
-
GuptiMiner: Hijacking Antivirus Updates For Distributing Backdoors And Casual Mining
"We’ve been tracking a curious one here. Firstly, GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others."
https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/
https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/
-
Memory Analysis 101: Understanding Memory Threats And Forensic Tools
"Memory forensics is an important part of incident response and threat analysis, as new threats and sophistication emerge in the evolving cybersecurity landscape. Unlike traditional methods focusing on hard drive analysis, memory forensics dives into the volatile memory, aiming to uncover evidence of malware infections and other illicit activities that leave footprints in a system’s RAM."
https://intezer.com/blog/incident-response/memory-analysis-forensic-tools/
-
Google Ad For Facebook Redirects To Scam
"Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience. What is perhaps less known is how it is even possible to impersonate top brands and get away with it. We will try to respond to the ‘how they do it’ and the ‘why is Google allowing this’ questions."
https://www.malwarebytes.com/blog/scams/2024/04/google-ad-for-facebook-redirects-to-scam
-
Analysis Of Native Process CLR Hosting Used By AgentTesla
"SonicWall Capture Labs threat research team has observed fileless .Net managed code injection in a native 64-bit process. Native code or unmanaged code refers to low-level compiled code such as C/C++. Managed code refers to code that is written to target .NET and will not work without the CLR (Microsoft .NET engine) runtime libraries. The injected code belongs to AgentTesla malware."
https://blog.sonicwall.com/en-us/2024/04/analysis-of-native-process-clr-hosting-used-by-agenttesla/
-
Distribution Of Infostealer Made With Electron
"AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. Electron is a framework that allows one to develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. Apps made with Electron are packaged and usually distributed in Nullsoft Scriptable Install System (NSIS) installer format. The threat actor in this attack case applied this installer format to the malware."
https://asec.ahnlab.com/en/64445/
Breaches/Hacks/Leaks
-
Over a Million Neighbourhood Watch Members Exposed Through Web App Bug
"Neighbourhood Watch (NW) groups across the UK can now rest easy knowing the developers behind a communications platform fixed a web app bug that leaked their data en masse. Nottingham-based VISAV is the company behind Neighbourhood Alert, a platform that, among other things, claims to offer a secure messaging system between registered NW community members and authorized administrators."
https://www.theregister.com/2024/04/23/neighbourhood_watch_privacy_bug/
-
Millions Of Americans' Data Potentially Exposed In Change Healthcare Hack
"A substantial proportion of people in America have had personal information exposed as a result of the Change Healthcare hack. UnitedHealth Group, owners of Change, provided an update on ongoing review of impacted patient data on April 22, 2024. The company said that based on initial targeted data sampling to date, it has found files containing protected health information (PHI) or personally identifiable information (PII)."
https://www.infosecurity-magazine.com/news/americans-data-exposed-change/
https://therecord.media/substantial-data-theft-change-healthcare-ransomware
https://www.malwarebytes.com/blog/news/2024/04/substantial-proportion-of-americans-may-have-had-health-and-personal-data-stolen-in-change-healthcare-breach
https://www.securityweek.com/unitedhealth-says-patient-data-exposed-in-change-healthcare-cyberattack/
https://www.theregister.com/2024/04/23/unitedhealth_admits_breach_substantial/
-
Russia-Linked Hacking Group Claims To Have Targeted Indiana Water Plant
"Hackers targeted a wastewater treatment plant in Indiana on Friday evening, prompting plant managers to send maintenance personnel to investigate the suspicious activity, a local official told CNN. A Russia-linked hacking group claimed responsibility. The same group claimed credit for a string of hacking incidents against water facilities in Texas earlier this year."
https://edition.cnn.com/2024/04/22/politics/russia-linked-hacking-group-targets-indiana-water-plant/index.html
https://therecord.media/russia-hackers-cyberattack-tipton-indiana
-
Leicester Streetlights Take Ransomware Attack Personally, Shine On 24/7
"It's become somewhat cliché in cybersecurity reporting to speculate whether an organization will have the resources to "keep the lights on" after an attack. But the opposite turns out to be true with Leicester City Council following its March ransomware incident. Nearly two months after INC Ransom's attack hit the English council's systems, residents' reports now have us thinking everyone in the city is donning thick shades to manage their newfound Svalbard-esque perpetual brightness."
https://www.theregister.com/2024/04/23/leicester_streetlights_ransomware/
General News
-
People Doubt Their Own Ability To Spot AI-Generated Deepfakes
"23% of Americans said they recently came across a political deepfake they later discovered to be fake, according to McAfee. The actual number of people exposed to political and other deepfakes is expected to be much higher given many Americans are not able to decipher what is real versus fake, thanks to the sophistication of AI technologies."
https://www.helpnetsecurity.com/2024/04/23/deepfake-concerns-in-election-year/
-
Behavioral Patterns Of Ransomware Groups Are Changing
"Q1 saw substantial shifts in activity from some of the most prolific Ransomware-as-a-Service (RaaS) groups, according to GuidePoint Security."
https://www.helpnetsecurity.com/2024/04/23/ransomware-groups-activity-q1-2024/
-
US Govt Sanctions Iranians Linked To Government Cyberattacks
"The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned four Iranian nationals for their involvement in cyberattacks against the U.S. government, defense contractors, and private companies."
https://www.bleepingcomputer.com/news/security/us-govt-sanctions-iranians-linked-to-government-cyberattacks/
https://home.treasury.gov/news/press-releases/jy2292
https://therecord.media/us-accuses-iranians-irgc-sanctions-indictments
https://www.bankinfosecurity.com/us-pressures-iran-over-phishing-campaign-against-feds-a-24927
https://cyberscoop.com/iranian-nationals-charged-with-hacking-u-s-companies-treasury-and-state-departments/
https://www.itnews.com.au/news/us-charges-sanctions-iranians-linked-to-revolutionary-guard-cyber-command-607336
https://www.securityweek.com/10-million-bounty-on-iranian-hackers-for-cyber-attacks-on-us-gov-defense-contractors/
-
Lessons For CISOs From OWASP's LLM Top 10
"OWASP recently released its top 10 list for large language model (LLM) applications, in an effort to educate the industry on potential security threats to be aware of when deploying and managing LLMs. This release is a notable step in the right direction for the security community, as developers, designers, architects, and managers now have 10 areas to clearly focus on."
https://www.darkreading.com/vulnerabilities-threats/top-lessons-cisos-owasp-llm-top-10
-
M-Trends 2024: Our View From The Frontlines
"Attackers are taking greater strides to evade detection. This is one of the running themes in our latest release: M-Trends 2024. This edition of our annual report continues our tradition of providing relevant attacker and defender metrics, and insights into the latest attacker tactics, techniques and procedures, along with guidance and best practices on how organizations and defenders should be responding to threats."
https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2024
https://therecord.media/chinese-russian-hackers-edge-devices
https://www.darkreading.com/endpoint-security/edge-vpns-firewalls-nonexistent-telemetry-apts
https://www.infosecurity-magazine.com/news/vulnerability-exploitation-rise/
https://www.securityweek.com/the-battle-continues-mandiant-report-shows-improved-detection-but-persistent-adversarial-success/
https://www.theregister.com/2024/04/23/mandiant_orgs_are_detecting_cybercrims/
-
Key Findings From The 2024 Cloud Security Report
"As organizations develop and deploy more cloud applications, security becomes more complicated. Many organizations are adopting a hybrid or multi-cloud approach, which has expanded the attack surface and increased complexity. Security teams often struggle to manage and secure their various private and public cloud workloads and environments."
https://www.fortinet.com/blog/industry-trends/key-findings-cloud-security-report-2024
https://global.fortinet.com/lp-en-2024-cloud-report
-
Passwords, Passkeys And Familiarity Bias
"As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity."
https://securityintelligence.com/posts/passwords-passkeys-familiarity-bias/
-
Spain Reopens a Probe Into a Pegasus Spyware Case After a French Request To Work Together
"A Spanish judge has reopened a probe into the suspected spying on the cellphone of Spain’s prime minister after receiving a request to collaborate with a similar investigation in France."
https://www.securityweek.com/spain-reopens-a-probe-into-a-pegasus-spyware-case-after-a-french-request-to-work-together/
-
Unmasking The True Cost Of Cyberattacks: Beyond Ransom And Recovery
"Cybersecurity breaches can be devastating for both individuals and businesses alike. While many people tend to focus on understanding how and why they were targeted by such breaches, there's a larger, more pressing question: What is the true financial impact of a cyberattack? According to research by Cybersecurity Ventures, the global cost of cybercrime is projected to reach an astonishing 10.5 trillion USD annually by 2025, which marks a dramatic increase from the 3 trillion USD reported in 2015."
https://thehackernews.com/2024/04/unmasking-true-cost-of-cyberattacks.html
References
Electronic Transactions Development Agency (ETDA) - Siemens Industrial Product Impacted By Exploited Palo Alto Firewall Vulnerability