Cyber Threat Intelligence 07 June 2024
-
Industrial Sector
-
Emerson Ovation
"Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, denial-of-service, or allow an attacker to modify the controller configuration."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-02 -
Johnson Controls Software House iStar Pro Door Controller
"Successful exploitation of this vulnerability may allow an attacker to perform a machine-in-the-middle attack to inject commands which change configuration or initiate manual door control commands."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04 -
Emerson PACSystem And Fanuc
"Successful exploitation of these vulnerabilities could allow remote code execution, loss of sensitive information, or a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-01 -
Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
"Successful exploitation of this vulnerability could allow an attacker to cause a temporary denial-of-service (DoS) condition in the web service on the product."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03
New Tooling
-
Sniffnet: Free, Open-Source Network Monitoring
"Sniffnet is a free, open-source network monitoring tool to help you easily track your Internet traffic. What sets it apart is its strong focus on user experience. Unlike most network analyzers, Sniffnet is built to be easily usable by everyone, regardless of technical expertise."
https://www.helpnetsecurity.com/2024/06/06/sniffnet-open-source-free-network-monitoring-tool/
https://github.com/GyulyVGC/sniffnet
Vulnerabilities
-
CyRC Vulnerability Advisory: CVE-2024-5184s Prompt Injection In EmailGPT Service
"The Synopsys Cybersecurity Research Center (CyRC) has exposed prompt injection vulnerabilities in the EmailGPT service. EmailGPT is an API service and Google Chrome extension that assists users in writing emails inside Gmail using OpenAI's GPT models. The service uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit the issue by forcing the AI service to leak the standard hard-coded system prompts and/or execute unwanted prompts."
https://www.synopsys.com/blogs/software-security/cyrc-advisory-prompt-injection-emailgpt.html
https://hackread.com/emailgpt-flaw-user-data-at-risk-remove-extension/ -
Vulnerabilities Patched In Kiuwan Code Security Products After Long Disclosure Process
"It took code security firm Kiuwan nearly two years to patch several potentially serious vulnerabilities discovered in its static application security testing (SAST) products. Kiuwan is owned by US-based B2B productivity tools provider Idera. The vulnerabilities were found in the Kiuwan SAST and Local Analyzer products by a researcher at Eviden-owned cybersecurity consultancy SEC Consult, which uses the Kiuwan SAST tool for finding security issues in customer projects."
https://www.securityweek.com/vulnerabilities-patched-in-kiuwan-code-security-products-after-long-disclosure-process/
Malware
-
What’s Going On With Check Point (CVE-2024-24919)?
"On May 28, 2024, Check Point published an advisory (and emailed customers) regarding CVE-2024-24919, a CVSS 8.6 vulnerability that they described using fairly vague language: "exploiting this vulnerability can result in accessing sensitive information on the Security Gateway. This, in certain scenarios, can potentially lead the attacker to move laterally and gain domain admin privileges.""
https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
https://www.darkreading.com/cyberattacks-data-breaches/attacks-surge-on-check-points-recent-vpn-zero-day-flaw
https://www.securityweek.com/exploitation-of-recent-check-point-vpn-zero-day-soars/ -
Russia-Linked 'Lumma' Crypto Stealer Now Targets Python Devs
"Imagine being a developer who's building the next-gen crypto app by using popular open source components to speed up coding. Instead, you end up including a package in your build that does accomplish what you are trying to, but additionally steals cryptocurrency on any system that it's installed on. That's 'crytic-compilers' for you."
https://www.sonatype.com/blog/crytic-compilers-typosquats-known-crypto-library-drops-windows-trojan
https://thehackernews.com/2024/06/hackers-target-python-developers-with.html -
Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
"We observed an attack campaign abusing exposed Docker remote API servers to deploy cryptocurrency miners. This attack campaign bears the name Commando Cat due to its initial step, which involves the deployment of benign containers generated using the publicly-available Commando project (an open-source GitHub project that creates Docker images on-demand for developers). Commando, which is publicly available, is deployed using cmd.cat. The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure. This attack campaign has been active since the start of 2024."
https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html
https://www.darkreading.com/cloud-security/-commando-cat-digs-its-claws-into-exposed-docker-containers -
2024: Old CVEs, New Targets — Active Exploitation Of ThinkPHP
"We are seeing a troubling trend in security: Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082. As you can tell by the CVE names, these have been in the wild since at least 2018, and yet, the attack activity continues today."
https://www.akamai.com/blog/security-research/2024-thinkphp-applications-exploit-1-days-dama-webshell
https://www.bleepingcomputer.com/news/security/hackers-exploit-2018-thinkphp-flaws-to-install-dama-web-shells/
https://www.securityweek.com/chinese-hackers-exploit-old-thinkphp-vulnerabilities-in-new-attacks/ -
Ukraine Says Hackers Abuse SyncThing Data Sync Tool To Steal Data
"The Computer Emergency Response Team of Ukraine (CERT-UA) reports about a new campaign dubbed "SickSync," launched by the UAC-0020 (Vermin) hacking group in attacks on the Ukrainian defense forces. The threat group is linked to the Luhansk People's Republic (LPR) region, which Russia has occupied almost in its entirety since October 2022. The hacker's activities commonly align with Russia's interests. The attack utilizes the legitimate file-syncing software SyncThing in combination with malware called SPECTR. Vermin's apparent motive is to steal sensitive information from military organizations."
https://www.bleepingcomputer.com/news/security/ukraine-says-hackers-abuse-syncthing-data-sync-tool-to-steal-data/
https://www.bankinfosecurity.com/renewed-info-stealer-campaign-targets-ukrainian-military-a-25443 -
New Gitloker Attacks Wipe GitHub Repos In Extortion Scheme
"Attackers are targeting GitHub repositories, wiping their contents, and asking the victims to reach out on Telegram for more information. These attacks are part of what looks like an ongoing campaign first spotted on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity company CronUp. The threat actor behind this campaign—who has the Gitloker handle on Telegram and is posing as a cyber incident analyst—is likely compromising targets' GitHub accounts using stolen credentials."
https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/ -
Howling At The Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks
"Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent."
https://blog.morphisec.com/sticky-werewolfs-aviation-attacks -
Muhstik Malware Targets Message Queuing Services Applications
"Aqua Nautilus discovered a new campaign of Muhstik malware targeting message queuing services applications, specifically the Apache RocketMQ platform. Our investigation revealed that the attackers downloaded the known malware Muhstik onto the compromised instances by exploiting a known vulnerability in the platform. In this blog, we will explore how the attackers exploit the existing vulnerability in RocketMQ, examine how the Muhstik malware affects the compromised instances, and analyze the number of RocketMQ instances worldwide vulnerable to this type of attack."
https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html -
Analysis Of Botnet Attacks
"This report can be seen as an extension of SektorCERT’s report on unauthorised scans, in which a group of actors were categorised as ”Unknown”. In this report, SektorCERT has made a deeper analysis of the group of ”unknown actors”, including the identification of three different botnets that we can observe attacking our members on a daily basis. For one of these botnets, there are no other official references, which is why we at SektorCERT have chosen to call the botnet BIMP botnet; an abbreviation for Bruteforce, IOT, Malware, Phishing botnet."
https://sektorcert.dk/wp-content/uploads/2024/06/Botnet-EN-TLP_CLEAR-202406.pdf
Breaches/Hacks/Leaks
-
Hundreds Of Snowflake Customer Passwords Found Online Are Linked To Info-Stealing Malware
"Cloud data analysis company Snowflake is at the center of a recent spate of alleged data thefts, as its corporate customers scramble to understand if their stores of cloud data have been compromised. Snowflake helps some of the largest global corporations — including banks, healthcare providers and tech companies — store and analyze their vast amounts of data, such as customer data, in the cloud."
https://techcrunch.com/2024/06/05/snowflake-customer-passwords-found-online-infostealing-malware/ -
Los Angeles Unified School District Investigates Data Theft Claims
"Los Angeles Unified School District (LAUSD) officials are investigating a threat actor's claims that they're selling stolen databases containing records belonging to millions of students and thousands of teachers. LAUSD is the second largest public school district in the United States, with over 25,900 teachers, roughly 48,700 other employees, and more than 563,000 students enrolled during the 2023-2024 school year."
https://www.bleepingcomputer.com/news/security/los-angeles-unified-school-district-investigates-data-theft-claims/ -
PandaBuy Pays Ransom To Hacker Only To Get Extorted Again
"Chinese shopping platform Pandabuy told BleepingComputer it previously paid a ransom demand to prevent stolen data from being leaked, only for the same threat actor to extort the company again this week. PandaBuy is an online platform that acts as an intermediary between customers and various Chinese e-commerce websites, including Tmall, Taobao, and JD.com, which don't ship internationally."
https://www.bleepingcomputer.com/news/security/pandabuy-pays-ransom-to-hacker-only-to-get-extorted-again/ -
Nearly 400,000 Affected By Data Breach At Eye Care Management Services Company
"Nearly 400,000 people had sensitive healthcare information stolen by hackers during a 2023 cyberattack on a company that supports eye clinics. Colorado-based Panorama Eyecare told regulators in Maine and Massachusetts that 377,911 current and former patients and employees had data stolen — including names, Social Security numbers, dates of birth, license numbers, financial account information, dates of service and medical provider names."
https://therecord.media/data-breach-eye-care-company-cyberattack
General News
-
78% Of SMBs Fear Cyberattacks Could Shut Down Their Business
"94% of SMBs have experienced at least one cyberattack, a dramatic rise from 64% in 2019, according to ConnectWise. This increase in cyberattacks is exacerbated by the fact that 76% of SMBs lack the in-house skills to properly address security issues, increasing demand for the expertise and services of MSPs."
https://www.helpnetsecurity.com/2024/06/06/smbs-cyberattack-frequency/ -
Understanding Security's New Blind Spot: Shadow Engineering
""Out of sight, out of mind" is not a good way to approach cybersecurity or a secure software development life cycle. But in the rush to digital transformation, many organizations are unknowingly exposed to security risks associated with citizen developer applications."
https://www.darkreading.com/vulnerabilities-threats/understanding-security-new-blind-spot-shadow-engineering -
#Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing The Rules”
"The ransomware ecosystem has changed beyond recognition in 2024, and organizations must adapt their defenses accordingly, warned experts at Infosecurity Europe 2024. Martin Zugec, Technical Solutions Director at Bitdefender, told attendees to “forget what you know” about ransomware, and learn how new groups are changing the rules of the game."
https://www.infosecurity-magazine.com/news/ransomware-transformed-new-groups/ -
#Infosec2024: Third Of Web Traffic Comes From Malicious Bots, Veracity Says
"Malicious bots are a scourge for organizations with an online presence, and AI will likely increase this threat, Nigel Bridges, CEO of Veracity Trust Network, said during Infosecurity Europe 2024. Veracity observed that, in 2022, almost 50% of all web traffic came from bots rather than humans, of which over 30% were malicious bots."
https://www.infosecurity-magazine.com/news/third-web-traffic-malicious-bots/ -
#Infosec2024: How To Change Security Behaviors Beyond Awareness Training
"Organizations need to focus on changing security behaviors ahead of awareness training, according to experts speaking at Infosecurity Europe 2024. Javvad Malik, Lead Security Advocate at KnowBe4, explained that lack of knowledge is not the reason human error continues to be the primary factor in cybersecurity breaches."
https://www.infosecurity-magazine.com/news/change-security-behaviors-training/ -
Phishing For Gold: Cyber Threats Facing The 2024 Paris Olympics
"Mandiant assesses with high confidence that the Paris Olympics faces an elevated risk of cyber threat activity, including cyber espionage, disruptive and destructive operations, financially-motivated activity, hacktivism, and information operations. Olympics-related cyber threats could realistically impact various targets including event organizers and sponsors, ticketing systems, Paris infrastructure, and athletes and spectators traveling to the event."
https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics
https://www.securityweek.com/google-microsoft-russian-threat-actors-pose-high-risk-to-2024-paris-olympics/ -
Why Hackers Love Logs
"Computer log tampering is an almost inevitable part of a system compromise. Why and how do cybercriminals target logs, and what can be done to protect them? A computer log file is a record of actions taken on or by an application within a computer. They are important to see what is happening within the system, whether it be a design malfunction or malicious activity. Initially, these logs were manually (and inefficiently) analyzed."
https://www.securityweek.com/why-hackers-love-logs/
References
Electronic Transactions Development Agency (ETDA) -