Cyber Threat Intelligence 24 May 2024
Industrial Sector
- AutomationDirect Productivity PLCs
"Successful exploitation of these vulnerabilities could lead to remote code execution and denial of service."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01
Vulnerabilities
- High-Severity GitLab Flaw Lets Attackers Take Over Accounts
"GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks. The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages."
https://www.bleepingcomputer.com/news/security/high-severity-gitlab-flaw-lets-attackers-take-over-accounts/
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
- WordPress Unauthenticated Arbitrary SQL Execution Vulnerability
"The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability – an SQL injection in the WordPress plugin Automatic by ValvePress – assessed its impact and developed mitigation measures for it. Around ~38k active users have installed this premium plugin. The issue allows trivial SQL injection attacks against the plugin user’s authentication process, which could allow WordPress website takeovers. The SQL vulnerability is identified as CVE-2024-27956 and was assigned a critical CVSSv3 score of 9.9. Considering the sizeable user base, low attack complexity, and publicly available exploit code, including a simple SQL query, WordPress users are strongly encouraged to upgrade their instances to the latest or automatic plugin version above 3.92.1 with utmost priority."
https://blog.sonicwall.com/en-us/2024/05/wordpress-unauthenticated-arbitrary-sql-execution-vulnerability/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation."
https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.html
https://www.theregister.com/2024/05/24/apache_flink_flaw_cisa/
- The Risk In Malicious AI Models: Wiz Research Discovers Critical Vulnerability In AI-As-a-Service Provider, Replicate
"Wiz Research has conducted a series of investigations into leading AI-as-a-service providers in recent months. In the course of that work, we have discovered critical vulnerabilities that could have led to the leakage of millions of private AI models and apps. The first installment in that series was done in partnership with the Hugging Face team. Now, in this second installment, we will detail a vulnerability in the Replicate AI platform."
https://www.wiz.io/blog/wiz-research-discovers-critical-vulnerability-in-replicate
https://www.darkreading.com/cloud-security/critical-flaw-in-replicate-ai-platform-exposes-customer-models-proprietary-data
- A Journey Into Forgotten Null Session And MS-RPC Interfaces
"It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessions for gathering domain users through techniques such as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other entities within the domain. To enumerate them, the attacker used MS-RPC interfaces to make some calls and collect information from the remote host."
https://securelist.com/no-auth-domain-information-enumeration/112629/
Malware
- JAVS Courtroom Recording Software Backdoored In Supply Chain Attack
"Attackers have backdoored the installer of widely used Justice AV Solutions (JAVS) courtroom video recording software with malware that lets them take over compromised systems. The company behind this software, also known as JAVS, says the digital recording tool currently has over 10,000 installations in many courtrooms, legal offices, correctional facilities, and government agencies worldwide."
https://www.bleepingcomputer.com/news/security/javs-courtroom-recording-software-backdoored-in-supply-chain-attack/
https://www.darkreading.com/cyberattacks-data-breaches/courtroom-recording-platform-javs-hijacked-for-supply-chain-attack
https://therecord.media/courtroom-recording-software-compromised-backdoor
https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/
- Microsoft Spots Gift Card Thieves Using Cyber-Espionage Tactics
"Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. The FBI previously warned about Storm-0539's (aka "Ant Lion") activities earlier this month, highlighting the threat group's advanced techniques in conducting gift card theft and fraud, stating that their tactics resemble state-sponsored hackers and sophisticated cyberespionage actors."
https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-thieves-using-cyber-espionage-tactics/
https://news.microsoft.com/wp-content/uploads/prod/sites/626/2024/05/Cyber_Signals_Issue_7_May_2024.pdf
https://therecord.media/morocco-cybercriminals-cashing-in-gift-cards
https://www.darkreading.com/threat-intelligence/new-gift-card-scam-targets-retailers-not-buyers-to-print-endless-money
https://cyberscoop.com/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash/
- Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set To Target Governmental Entities In The Middle East, Africa And Asia
"A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022. An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers."
https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
https://thehackernews.com/2024/05/inside-operation-diplomatic-specter.html
https://www.darkreading.com/threat-intelligence/china-apt-stole-geopolitical-secrets-from-middle-east-africa-and-asia
https://www.bankinfosecurity.com/active-chinese-cyberespionage-campaign-rifling-email-servers-a-25304
- Chinese Espionage Campaign Expands To Target Africa And The Caribbean
"Check Point Research (CPR) sees an ongoing cyber espionage campaign focused on targeting governmental organizations in Africa and the Caribbean. Attributed to the Chinese threat actor Sharp Dragon (formerly Sharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools. This refined approach suggests a deeper understanding of their targets."
https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/
https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/
https://thehackernews.com/2024/05/new-frontiers-old-tactics-chinese-cyber.html
- Beware Of HTML Masquerading As PDF Viewer Login Pages
"Phishing attacks have evolved into increasingly sophisticated schemes designed to trick users into revealing their personal information. One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. In this blog post, we will explore the intricacies of these phishing scams, how they operate, and the steps you can take to protect yourself from falling victim to them."
https://www.forcepoint.com/blog/x-labs/html-phishing-pdf-viewer-login-apac
- Exploiting The Cloud: How SMS Scammers Are Using Amazon, Google And IBM Cloud Services To Steal Customer Data
"A number of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage, have recently come to Enea’s attention. Threat actors are using these storage platforms to redirect users to malicious websites, with the ultimate objective of stealing their information, and it all starts with the humble SMS."
https://www.enea.com/insights/exploiting-the-cloud-how-sms-scammers-are-using-amazon-google-and-ibm-cloud-services-to-steal-customer-data/
https://www.infosecurity-magazine.com/news/cloud-storage-exploited-sms/
- ShrinkLocker: Turning BitLocker Into Ransomware
"Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL."
https://securelist.com/ransomware-abuses-bitlocker/112643/
https://www.theregister.com/2024/05/23/ransomware_abuses_microsoft_bitlocker/
- Uncovering An Undetected KeyPlug Implant Attacking Industries In Italy
"APT41, known by numerous aliases such as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns."
https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/
https://securityaffairs.com/163598/apt/apt41-keyplug-targets-italian-industries.html
- Infiltrating Defenses: Abusing VMware In MITRE’s Cyber Intrusion
"This is the third and final blog post in a series detailing MITRE’s encounter with a state-sponsored cyber threat actor in our research and experimentation network, NERVE. It builds upon the insights shared in our April 19, 2024 post, “Advanced Cyber Threats Impact Even the Most Prepared” and May 3, 2024 post “Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion”. We continue to work across MITRE, including our Information Security Team, to help all security teams understand and defend against this threat."
https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
https://www.securityweek.com/vmware-abused-in-recent-mitre-hack-for-persistence-evasion/
- ESXi Ransomware Attacks: Evolution, Impact, And Defense Strategy
"In recent years, Sygnia’s Incident Response team has seen a steady increase in ransomware attacks targeting virtualized environments, particularly against VMware ESXi infrastructure. Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse."
https://www.sygnia.co/blog/esxi-ransomware-attacks/
https://thehackernews.com/2024/05/ransomware-attacks-exploit-vmware-esxi.html
Breaches/Hacks/Leaks
- National Records Of Scotland Data Breached In NHS Cyber-Attack
"National Records of Scotland (NRS) has revealed that sensitive personal data it holds was accessed and published as a result of the ransomware attack on NHS Dumfries and Galloway. The NRS data was part of 3TB of data published by cybercriminals on the dark web on May 6. The Scottish Government agency, which stores demographic and census records such as births, deaths and marriages, said it identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack, which was first reported in March 2024."
https://www.infosecurity-magazine.com/news/records-scotland-data-nhs-attack/
- 55,000 Impacted By Cyberattack On California School Association
"The Association of California School Administrators (ACSA) is informing nearly 55,000 individuals that their information may have been compromised as a result of a cyberattack. ACSA describes itself as the largest umbrella association for school leaders in the United States, serving more than 17,000 California educators, including superintendents, principals, vice-principals, and classified managers."
https://www.securityweek.com/55000-impacted-by-cyberattack-on-california-school-association/
- 400,000 Impacted By CentroMed Data Breach
"San Antonio-based healthcare provider El Centro Del Barrio (which operates as CentroMed) is informing 400,000 patients that their personal and protected health information was compromised in a recent cyberattack. The data breach was discovered on May 1, 2024, after a threat actor gained access to the organization’s network on April 30, CentroMed said in an incident notice (PDF) on its website."
https://www.securityweek.com/400000-impacted-by-centromed-data-breach/
General News
- Ransomware Fallout: 94% Experience Downtime, 40% Face Work Stoppage
"Within the last 12 months, 48% of organizations identified evidence of a successful breach within their environment, according to Arctic Wolf. To fully understand the gravity of this statistic, it is important to understand that, although 48% of these environments found evidence of a data breach, that does not inversely mean that 52% of organizations did not suffer a breach. Instead, it should be more accurately stated that the remaining 52% did not identify indicators of a breach within their environment."
https://www.helpnetsecurity.com/2024/05/23/ransomware-attacks-data-exfiltration/
- Machine Identities Lack Essential Security Controls, Pose Major Threat
"Siloed approaches to securing human and machine identities are driving identity-based attacks across enterprises and their ecosystems, according to CyberArk. The CyberArk 2024 Identity Security Threat Landscape Report was conducted across private and public sector organizations of 500 employees and above."
https://www.helpnetsecurity.com/2024/05/23/machine-identities-security-threat/
- How Apple Wi-Fi Positioning System Can Be Abused To Track People Around The Globe
"Academics have suggested that Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare. In a paper titled, "Surveilling the Masses with Wi-Fi-Based Positioning Systems," Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how the design of Apple's WPS facilitates mass surveillance, even of those not using Apple devices."
https://www.theregister.com/2024/05/23/apple_wifi_positioning_system/
https://www.cs.umd.edu/~dml/papers/wifi-surveillance-sp24.pdf
- New Mindset Needed For Large Language Models
"As a seasoned security architect, I've started to see the adoption of large language models (LLMs) across industries. Working with a diverse range of clients, from startups to Fortune 500 companies, I've witnessed firsthand the excitement and challenges that come with this transformative technology. One trend that's been keeping me up at night is the potential for LLMs to be exploited in increasingly sophisticated ways."
https://www.darkreading.com/cybersecurity-operations/new-mindset-needed-for-large-language-models
- Persistent Burnout Is Still A Crisis In Cybersecurity
"Dr. Ryan Louie, a psychiatrist focused on the intersection of cybersecurity and mental health, recalls a valuable lesson from his medical student days that cybersecurity practitioners may find relevant: "During one of my clinical clerkships at the hospital, our team's attending physician on the first day of the rotation highlighted that we are a team and that everyone should feel free to say whenever they feel they have too much on their plate or if they need any help. And that medical students and residents on the team should not worry about impacts to their evaluation. There was genuine psychological safety," he says."
https://www.darkreading.com/cybersecurity-careers/persistent-burnout-is-still-a-crisis-in-cybersecurity
- The Real Danger Lurking In The NVD Backlog
"On February 12, 2024, the NIST National Vulnerability Database (NVD) began slowing the processing and enrichment of new vulnerabilities. Since that date, 12,720 new vulnerabilities and counting have been added to NVD but 11,885 have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability. By February 15, the NVD website announced that users might experience "delays in analysis efforts.""
https://vulncheck.com/blog/nvd-backlog-exploitation
https://www.infosecurity-magazine.com/news/nvd-exploited-vulnerabilities/
- Google Guru Roasts Useless Phishing Tests, Calls For Fire Drill-Style Overhaul
"A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit. Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill."
https://www.theregister.com/2024/05/23/google_phishing_tests/
- Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats In 2024
"Flashpoint is observing that Russian advanced persistent threat (APT) groups are evolving their tactics, techniques, and procedures (TTPs)—while also expanding their targeting. They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces. Flashpoint identified the following Russian APT groups have engaged in recent campaigns, listing the malware strains used in attributed attacks and their intended targets:"
https://flashpoint.io/blog/russian-apt-groups-cyber-threats/
References
Electronic Transactions Development Agency (ETDA)