Cyber Threat Intelligence 31 May 2024
-
Healthcare Sector
-
Baxter Welch Allyn Configuration Tool
"Successful exploitation of this vulnerability could lead to the unintended exposure of credentials to unauthorized users."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-01

Baxter Welch Allyn Connex Spot Monitor
"Successful exploitation of this vulnerability could allow an attacker to modify device configuration and firmware data. Tampering with this data could lead to device compromise, resulting in impact and/or delay in patient care."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02
Industrial Sector
-
LenelS2 NetBox
"Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute malicious commands with elevated permissions."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01

Westermo EDW-100
"Successful exploitation of these vulnerabilities could allow an attacker to access the device using hardcoded credentials and download cleartext username and passwords."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-04

Exposed And Vulnerable: Recent Attacks Highlight Critical Need To Protect Internet-Exposed OT Devices
"Since late 2023, Microsoft has observed an increase in reports of attacks focusing on internet-exposed, poorly secured operational technology (OT) devices. Internet-exposed OT equipment in water and wastewater systems (WWS) in the US were targeted in multiple attacks over the past months by different nation-backed actors, including attacks by IRGC-affiliated “CyberAv3ngers” in November 2023, as well as pro-Russian hacktivists in early 2024. These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets."
https://www.microsoft.com/en-us/security/blog/2024/05/30/exposed-and-vulnerable-recent-attacks-highlight-critical-need-to-protect-internet-exposed-ot-devices/
https://www.bankinfosecurity.com/internet-exposed-ot-devices-at-risk-amid-israel-hamas-war-a-25370

Fuji Electric Monitouch V-SFT
"Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-02

Inosoft VisiWin
"Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-03
Vulnerabilities
-
CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation."
https://www.cisa.gov/news-events/alerts/2024/05/30/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://thehackernews.com/2024/05/cisa-alerts-federal-agencies-to-patch.html
https://securityaffairs.com/163896/security/cisa-check-point-quantum-security-gateways-linux-kernel-flaws-known-exploited-vulnerabilities-catalog.html

Confluence Data Center And Server Remote Code Execution Vulnerability
"The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in the Atlassian Confluence Data Center and Server, assessed its impact and developed mitigation measures. Confluence Server is a software to manage documentation and knowledge bases with a ubiquitous presence across the globe. Identified as CVE-2024-21683, Confluence Data Center and Server before version 8.9.1 (data center only), 8.5.9 LTS and 7.19.22 LTS allows an authenticated threat actor with the privilege of adding new macro languages to execute arbitrary code, earning a high CVSS score of 8.3."
https://blog.sonicwall.com/en-us/2024/05/confluence-data-center-and-server-remote-code-execution-vulnerability/
https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html
Malware
-
Active Exploitation Of Unauthenticated Stored XSS Vulnerabilities In WordPress Plugins
"We have observed active exploitation attempts targeting three high-severity CVEs: CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000. These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts."
https://www.fastly.com/blog/active-exploitation-unauthenticated-stored-xss-vulnerabilities-wordpress
https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.html
https://www.securityweek.com/critical-wordpress-plugin-flaws-exploited-to-inject-malicious-scripts-and-backdoors/

XMRig CoinMiner Installed Via Game Emulator
"AhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through a game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below."
https://asec.ahnlab.com/en/66114/

XWorm v5.6 Malware Being Distributed Via Webhards
"While monitoring the distribution sources of malware in Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the XWorm v5.6 malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea."
https://asec.ahnlab.com/en/66099/

Analysis Of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)
"AhnLab SEcurity intelligence Center (ASEC) has recently discovered Andariel APT attack cases against Korean corporations and institutes. Targeted organizations included educational institutes and manufacturing and construction businesses in Korea. Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks. The threat actor probably used these malware strains to control and steal data from the infected systems."
https://asec.ahnlab.com/en/66088/

Distribution Of Malware Under The Guise Of MS Office Cracked Versions (XMRig, OrcusRAT, Etc.)
"Through a post titled “Orcus RAT Being Distributed Disguised as a Hangul Word Processor Crack” [1], AhnLab SEcurity intelligence Center (ASEC) previously disclosed an attack case in which a threat actor distributed RAT and CoinMiner to Korean users. Until recently, the attacker created and distributed various malware strains, such as downloaders, CoinMiner, RAT, Proxy, and AntiAV."
https://asec.ahnlab.com/en/66017/
https://www.bleepingcomputer.com/news/security/pirated-microsoft-office-delivers-malware-cocktail-on-systems/

Decoding Water Sigbin's Latest Obfuscation Tricks
"Water Sigbin (aka the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and Linux servers. The group has been known to integrate vulnerability exploitation as part of its wide array of TTPs."
https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html

LightSpy: Implant For MacOS
"In October 2023 we posted our research about the notorious surveillance framework LightSpy2. In our research, we proved with a high degree of confidence that both implants for Android and iOS came from the same developer and shared the same network infrastructure, but also that they were just a small part of a larger framework."
https://www.threatfabric.com/blogs/lightspy-implant-for-macos
https://www.bleepingcomputer.com/news/security/macos-version-of-elusive-lightspy-spyware-tool-discovered/
https://securityaffairs.com/163888/malware/lightspy-macos-version.html

The Pumpkin Eclipse
"Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data confirmed the sudden and precipitous removal of 49% of all modems from the impacted ISP’s autonomous system number (ASN) during this time period."
https://blog.lumen.com/the-pumpkin-eclipse/
https://www.bleepingcomputer.com/news/security/malware-botnet-bricked-600-000-routers-in-mysterious-2023-attack/
https://www.itnews.com.au/news/hundreds-of-thousands-of-us-internet-routers-destroyed-in-newly-discovered-2023-hack-608440
https://www.theregister.com/2024/05/31/pumoking_eclipse_remote_router_attack/
https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/

RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit
"Expanded arsenal: Threat actors behind the RedTail cryptomining malware, initially reported in early 2024, have incorporated the recent Palo Alto PAN-OS CVE-2024-3400 vulnerability into their toolkit. Private cryptomining pools: The attackers have taken a step forward by employing private cryptomining pools for greater control over mining outcomes despite the increased operational and financial costs. This mirrors tactics used by the Lazarus group, leading to speculation about attack attribution."
https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit
https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html
https://www.bankinfosecurity.com/redtail-cryptomining-malware-exploits-pan-os-vulnerability-a-25371

LilacSquid: The Stealthy Trilogy Of PurpleInk, InkBox And InkLoader
"Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology."
https://blog.talosintelligence.com/lilacsquid/
https://thehackernews.com/2024/05/cyber-espionage-alert-lilacsquid.html

Exiled, Then Spied On: Civil Society In Latvia, Lithuania, And Poland Targeted With Pegasus Spyware
"Following last year’s joint investigation into the use of NSO Group’s Pegasus spyware against Galina Timchenko, co-founder, CEO, and publisher of Meduza, Access Now, the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto (“the Citizen Lab”), and independent digital security expert Nikolai Kvantiliani have uncovered how at least seven more Russian, Belarusian, Latvian, and Israeli journalists and activists have been targeted with NSO Group’s Pegasus spyware within the EU."
https://www.accessnow.org/publication/civil-society-in-exile-pegasus/
https://citizenlab.ca/2024/05/pegasus-russian-belarusian-speaking-opposition-media-europe/
https://therecord.media/exiled-journalists-russia-belarus-pegasus-spyware
https://cyberscoop.com/spyware-europe-nso-pegasus/

Satori Threat Intelligence Alert: Merry-Go-Round Conceals Ads From Users And Brands
"Merry-Go-Round is the name HUMAN researchers have given to two independent rings of websites that operate and redirect traffic among each other in pop-under tabs, racking up digital ad impressions that are concealed from the user. The threat actors built the ad cloaking operations in such a way that directly visiting the domains involved won’t trigger the redirection behavior, effectively hiding the fraudulent activity from brands and advertising partners."
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-merry-go-round-conceals-ads-from-users-and-brands
https://www.darkreading.com/threat-intelligence/shady-merry-go-round-ad-fraud-network-orgs-hemorrhaging-cash

Disrupting FlyingYeti's Campaign Targeting Ukraine
"Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. At the onset of Russia’s invasion of Ukraine on February 24, 2022, Ukraine introduced a moratorium on evictions and termination of utility services for unpaid debt."
https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine
https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html

Disrupting Deceptive Uses Of AI By Covert Influence Operations
"OpenAI is committed to enforcing policies that prevent abuse and to improving transparency around AI-generated content. That is especially true with respect to detecting and disrupting covert influence operations (IO), which attempt to manipulate public opinion or influence political outcomes without revealing the true identity or intentions of the actors behind them. In the last three months, we have disrupted five covert IO that sought to use our models in support of deceptive activity across the internet. As of May 2024, these campaigns do not appear to have meaningfully increased their audience engagement or reach as a result of our services."
https://openai.com/index/disrupting-deceptive-uses-of-AI-by-covert-influence-operations/
https://downloads.ctfassets.net/kftzwdyauwt9/5IMxzTmUclSOAcWUXbkVrK/3cfab518e6b10789ab8843bcca18b633/Threat_Intel_Report.pdf
https://therecord.media/openai-report-china-russia-iran-influence-operations
https://www.theregister.com/2024/05/30/openai_stops_five_ineffective_ai/
Breaches/Hacks/Leaks
-
Everbridge Warns Of Corporate Systems Breach Exposing Business Data
"Everbridge, an American software company focused on crisis management and public warning solutions, notified customers that unknown attackers had accessed files containing business and user data in a recent corporate systems breach. The company provides public warning, crisis management, and risk intelligence services to over 6,500 customers worldwide, including the U.S. Army, the Hartsfield-Jackson Atlanta International Airport, and the countries of Norway and Australia, among others."
https://www.bleepingcomputer.com/news/security/everbridge-warns-of-corporate-systems-breach-exposing-business-data/

BBC Suffers Data Breach Impacting Current, Former Employees
"The BBC has disclosed a data security incident that occurred on May 21, involving unauthorized access to files hosted on a cloud-based service, compromising the personal information of BBC Pension Scheme members. As per the reports, the incident impacted roughly 25,000 people, including current and former employees of Britain's national public service broadcaster."
https://www.bleepingcomputer.com/news/security/bbc-suffers-data-breach-impacting-current-former-employees/
https://www.theregister.com/2024/05/30/cybercriminals_raid_bbc_pension_database/

ShinyHunters Claims Santander Bank Breach: 30M Customers’ Data For Sale
"The notorious hacking group ShinyHunters is claiming responsibility for a breach at Santander Bank, a global financial giant. As a result, the personal data of over 30 million customers has been stolen and is currently being sold for a one-time sale price of $2 million. Santander Bank, a prominent player in the global financial market, operates a network of 8,518 branches worldwide. The alleged breach impacts customers in Spain, Chile, and Uruguay."
https://hackread.com/shinyhunters-santander-bank-breach-data-for-sale/
General News
-
59% Of Public Sector Apps Carry Long-Standing Security Flaws
"Applications developed by public sector organizations have more security debt than those created by the private sector, according to Veracode. Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 59% of applications in the public sector, compared to the overall rate of 42%. The research analyzed public sector organizations in more than 25 countries across the globe."
https://www.helpnetsecurity.com/2024/05/30/public-sector-applications-security-debt/

Identity-Related Incidents Becoming Severe, Costing Organizations a Fortune
"With the rise of identity sprawl and system complexity, more businesses are suffering identity-related incidents than ever before, according to IDSA."
https://www.helpnetsecurity.com/2024/05/30/identity-related-incidents-rise/

Largest Ever Operation Against Botnets Hits Dropper Malware Ecosystem
"Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software."
https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem
https://www.bleepingcomputer.com/news/security/police-seize-over-100-malware-loader-servers-arrest-four-cybercriminals-operation-endgame/
https://therecord.media/dropper-malware-takedown-europol-operation-endgame
https://thehackernews.com/2024/05/europol-dismantles-100-servers-linked.html
https://www.darkreading.com/cyberattacks-data-breaches/cops-swarm-global-botnet-cybercrime-infrastructure-in-two-massive-ops
https://www.infosecurity-magazine.com/news/europol-operation-endgame-hits/
https://www.bankinfosecurity.com/european-police-take-down-botnet-servers-make-arrests-a-25362
https://cyberscoop.com/global-police-operation-strikes-against-malware-infrastructure/
https://hackread.com/4-arrest-operation-endgame-disrupt-ransomware-botnets/
https://www.securityweek.com/trickbot-and-other-malware-droppers-disrupted-by-law-enforcement/
https://securityaffairs.com/163876/cyber-crime/operation-endgame.html
https://www.itnews.com.au/news/five-botnets-dismantled-in-operation-endgame-608441
https://www.theregister.com/2024/05/30/euro_cops_disrupt_malware_droppers/

Flawed AI Tools Create Worries For Private LLMs, Chatbots
"Companies that use private instances of large language models (LLMs) to make their business data searchable through a conversational interface face risks of data poisoning and potential data leakage if they do not properly implement security controls to harden the platforms, experts say."
https://www.darkreading.com/application-security/flawed-ai-tools-create-worries-for-private-llms-chatbots

An Argument For Coordinated Disclosure Of New Exploits
"In 2023, there were more than 23,000 vulnerabilities discovered and disclosed. While not all of them had associated exploits, it has become more and more common for there to be a proverbial race to the bottom to see who can be the first to release an exploit for a newly announced vulnerability. This is a dangerous precedent to set, as it directly enables adversaries to mount attacks on organizations that may not have had the time or the staffing to patch the vulnerability."
https://www.darkreading.com/vulnerabilities-threats/argument-for-coordinated-disclosure-of-new-exploits

Important Details About CIRCIA Ransomware Reporting
"In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments."
https://securityintelligence.com/articles/circia-ransomware-reporting-important-details/

Russian Hackers Go After Ukraine’s Allies ‘to Sow Fear And Discord,’ Says US Cyber Ambassador
"Russian threat actors are using cyberattacks against countries supporting Ukraine “to try to sow fear and discord among us,” U.S. cyber ambassador Nathaniel Fick said this week. “They will not succeed,” he pledged. Speaking at the CyCon conference in Estonia on Wednesday, Fick said the U.S. and EU should further advance their “digital solidarity” to protect systems from common threats."
https://therecord.media/russian-hackers-target-ukraine-allies-fick

Pretty Much All The Headaches At MSPs Stem From Cybersecurity
"Managed Service Partners (MSPs) say cybersecurity dwarfs all other main concerns about staying competitive in today's market. Adding to the already notoriously strained existence of an MSP is work that even folk in the infosec industry struggle to keep up with, and leaves those looking after client systems and IT struggling to juggle it all."
https://www.theregister.com/2024/05/30/msps_security_nightmare/

What Does The Public In Six Countries Think Of Generative AI In News?
"Based on an online survey focused on understanding if and how people use generative artificial intelligence (AI), and what they think about its application in journalism and other areas of work and life across six countries (Argentina, Denmark, France, Japan, the UK, and the USA), we present the following findings."
https://reutersinstitute.politics.ox.ac.uk/what-does-public-six-countries-think-generative-ai-news
https://www.bbc.com/news/articles/c511x4g7x7jo
Reference
Electronic Transactions Development Agency (ETDA)