Cyber Threat Intelligence 13 June 2024
-
Industrial Sector
-
ICS Patch Tuesday: Advisories Published By Siemens, Schneider Electric, Aveva, CISA
"Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their industrial and OT products."
https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siemens-schneider-electric-aveva-cisa/ -
NIST Publishes Draft OT Cybersecurity Guide For Water Sector
"Networked control systems in municipal water systems are inescapable even for the localities that would prefer otherwise. New equipment with default remote access and an over-stretched repair workforce mean cutting off municipal water systems from the internet isn't a real option."
https://www.bankinfosecurity.com/nist-publishes-draft-ot-cybersecurity-guide-for-water-sector-a-25505
https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/securing-water-and-wastewater-utilities-project-description-final.pdf -
Rockwell's ICS Directive Comes As Critical Infrastructure Risk Peaks
"Citing "heightened geopolitical tensions and adversarial cyber activity globally," industrial control systems (ICS) giant Rockwell Automation last month took the unusual step of telling its customers to disconnect their gear from the Internet. The move showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say."
https://www.darkreading.com/ics-ot-security/rockwell-ics-directive-critical-infrastructure-risk-peaks
Vulnerabilities
-
Google Warns Of Actively Exploited Pixel Firmware Zero-Day
"Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. Tracked as CVE-2024-32896, this elevation of privilege (EoP) flaw in the Pixel firmware has been rated a high-severity security issue. "There are indications that CVE-2024-32896 may be under limited, targeted exploitation," the company warned this Tuesday."
https://www.bleepingcomputer.com/news/security/google-warns-of-actively-exploited-pixel-firmware-zero-day/
https://source.android.com/docs/security/bulletin/pixel/2024-06-01
https://www.securityweek.com/google-warns-of-pixel-firmware-zero-day-under-limited-targeted-exploitation/ -
Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities
"Google and Mozilla on Tuesday announced the release of Chrome 126 and Firefox 127 to the stable channel with patches for multiple high-severity memory safety vulnerabilities. Chrome 126 includes 21 security fixes, including 18 for defects reported by external researchers. The reporting researchers, Google notes in its advisory, received over $160,000 in bug bounty rewards for their findings."
https://www.securityweek.com/chrome-126-firefox-127-patch-high-severity-vulnerabilities/ -
CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-4610 ARM Mali GPU Kernel Driver Use-After-Free Vulnerability
CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/06/12/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://securityaffairs.com/164488/hacking/cisa-adds-arm-mali-gpu-kernel-driver-php-bugs-to-its-known-exploited-vulnerabilities-catalog.html
Malware
-
Attacks Against Linux SSH Services Detected By AhnLab EDR
"Secure SHell (SSH) is a standard protocol for secure terminal connections and is generally used for controlling remote Linux systems. Unlike Windows OS that individual users use for desktops, Linux systems mainly fulfill the role of servers providing web, database, FTP, DNS, and other services. Of course, Windows also supports these services as a server."
https://asec.ahnlab.com/en/66695/ -
Bondnet Using Miner Bots As C2
"Bondnet first became known to the public in an analysis report published by GuardiCore in 2017 and Bondnet’s backdoor was covered in an analysis report on XMRig miner targeting SQL servers released by DFIR Report in 2022. There has not been any information on the Bondnet threat actor’s activities thereon, but it was confirmed that they had continued their attacks until recent times."
https://asec.ahnlab.com/en/66662/ -
Phone Scammers Impersonating CISA Employees
"Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret."
https://www.cisa.gov/news-events/alerts/2024/06/12/phone-scammers-impersonating-cisa-employees
https://www.bleepingcomputer.com/news/security/cisa-warns-of-criminals-impersonating-its-employees-in-phone-calls/
https://www.bankinfosecurity.com/fraudsters-impersonate-cisa-in-money-scams-a-25501 -
New Phishing Toolkit Uses PWAs To Steal Login Credentials
"A new phishing kit has been released that allows red teamers and cybercriminals to create progressive web Apps (PWAs) that display convincing corporate login forms to steal credentials. A PWA is a web-based app created using HTML, CSS, and JavaScript that can be installed from a website like a regular desktop application. Once installed, the operating system will create a PWA shortcut and add it to Add or Remove Programs in Windows and under the /Users//Applications/ folder in macOS."
https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-uses-pwas-to-steal-login-credentials/ -
Ransomware Attackers May Have Used Privilege Escalation Vulnerability As Zero-Day
"The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. The vulnerability (CVE-2024-26169) occurs in the Windows Error Reporting Service. If exploited on affected systems, it can permit an attacker to elevate their privileges. The vulnerability was patched on March 12, 2024, and, at the time, Microsoft said there was no evidence of its exploitation in the wild. However, analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day."
https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html
https://therecord.media/black-basta-ransomware-zero-day-windows
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/
https://www.securityweek.com/ransomware-group-may-have-exploited-windows-vulnerability-as-zero-day/
https://www.theregister.com/2024/06/12/black_basta_ransomware_windows/ -
Search & Spoof: Abuse Of Windows Search To Redirect To Malware
"Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors. Let’s break down the HTML and the Windows search code to better understand their roles in the attack chain."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/search-spoof-abuse-of-windows-search-to-redirect-to-malware/
https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/ -
The Evolution Of QR Code Phishing: ASCII-Based QR Codes
"Quishing—QR code phishing—is a rapidly evolving threat. Starting around August, when we saw the first rapid increase, we’ve also seen a change in the type of QR code attacks. It started with standard MFA authentication requests. It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of QR codes."
https://blog.checkpoint.com/harmony-email/the-evolution-of-qr-code-phishing-ascii-based-qr-codes/ -
STR RAT – Phishing Malware Baseline
"STR RAT is a remote access trojan (RAT) written in Java that was first seen in 2020. Like other RATs, it gives threat actors full control when it is successfully installed onto a machine. STR RAT is capable of keylogging, stealing credentials, and even delivering additional malicious payloads. The malware receives a version update every year, on average. These updates correlate with the renewed use of STR RAT by threat actors. Currently, 60% of the STR RAT samples that Cofense analyzed from January 2023 to April 2024 are delivered directly to the email as opposed to an embedded link."
https://cofense.com/blog/str-rat-phishing-malware-baseline/ -
Worldwide Web: An Analysis Of Tactics And Techniques Attributed To Scattered Spider
"In early 2024, we identified a current affiliate of the RansomHub RaaS group as a former Alphv/Black Cat affiliate. We assess with high confidence that the same affiliate is a present or former affiliate of the Scattered Spider threat group, also tracked as UNC3944, Muddled Libra, Octo Tempest, Scatter Swine, and Starfraud. Our high-confidence assessment is based on the following pieces of evidence observed by GuidePoint’s DFIR and GRIT practices:"
https://www.guidepointsecurity.com/blog/worldwide-web-an-analysis-of-tactics-and-techniques-attributed-to-scattered-spider/
https://www.darkreading.com/threat-intelligence/ransomhub-brings-scattered-spider-into-its-raas-fold
https://www.infosecurity-magazine.com/news/scattered-spider-affiliated/ -
Self-Replicating Morris II Worm Targets AI Email Assistants
"The proliferation of generative artificial intelligence (GenAI) email assistants such as OpenAI’s GPT-3 and Google’s Smart Compose has revolutionized communication workflows. Unfortunately, it has also introduced novel attack vectors for cyber criminals. Leveraging recent advancements in AI and natural language processing, malicious actors can exploit vulnerabilities in GenAI systems to orchestrate sophisticated cyberattacks with far-reaching consequences. Recent studies have uncovered the insidious capabilities of self-replicating malware, exemplified by the “Morris II” strain created by researchers."
https://securityintelligence.com/posts/morris-ii-self-replicating-malware-genai-email-assistants/ -
Pause Off My Cluster: DERO Cryptojacking Takes a New Shape
"We have detected a new variant of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters in our customers’ cloud environments. In this incident, the threat actor abused anonymous access to an Internet-facing cluster to launch malicious container images hosted at Docker Hub, some of which have more than 10,000 pulls. These docker images contain a UPX-packed DERO miner named "pause"."
https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
https://thehackernews.com/2024/06/cryptojacking-campaign-targets.html
Breaches/Hacks/Leaks
-
Life360 Says Hacker Tried To Extort Them After Tile Data Breach
"Safety and location services company Life360 says it was the target of an extortion attempt after a threat actor breached and stole sensitive information from a Tile customer support platform. Life360 provides real-time location tracking, crash detection, and emergency roadside assistance services to more than 66 million members worldwide. In December 2021, it acquired Bluetooth tracking service provider Tile in a $205 million deal."
https://www.bleepingcomputer.com/news/security/life360-says-hacker-tried-to-extort-them-after-tile-data-breach/
https://www.theregister.com/2024/06/13/tile_life360_extortion/ -
Toronto School Board Reports Ransomware Attack On Test Environment
"Hackers attempted to attack a technology testing environment used by the Toronto District School Board (TDSB) with ransomware, officials said Wednesday. The school board is the largest in Canada and manages 582 schools for about 235,000 students."
https://therecord.media/toronto-school-board-ransomware-attack
General News
-
Forced-Labor Camps Fuel Billions Of Dollars In Cyber Scams
"Greater collaboration between financial and law enforcement officials is needed to dismantle cybercrime scam centers in Cambodia, Laos, and Myanmar, which rake in tens of billions of dollars annually — and affect victims worldwide."
https://www.darkreading.com/cyber-risk/forced-labor-camps-fuel-billions-of-dollars-in-cyber-scams -
Open-Source Security In AI
"New AI products are coming onto the market faster than we have seen in any previous technology revolution. Companies’ free access and right to use open source in AI software models has allowed them to prototype an AI product to market cheaper than ever and at hypersonic speed."
https://www.helpnetsecurity.com/2024/06/12/ai-open-source-security/ -
Security And Privacy Strategies For CISOs In a Mobile-First World
"In this Help Net Security interview, Jim Dolce, CEO at Lookout, discusses securing mobile devices to mitigate escalating cloud threats. He emphasizes that organizations must shift their approach to data security, acknowledging the complexities introduced by mobile access to cloud-based corporate data."
https://www.helpnetsecurity.com/2024/06/12/jim-dolce-lookout-securing-mobile-devices/ -
Police Arrest Conti And LockBit Ransomware Crypter Specialist
"The Ukraine cyber police have arrested a 28-year-old Russian man in Kyiv for working with Conti and LockBit ransomware operations to make their malware undetectable by antivirus software and conducting at least one attack himself. The investigation was backed by information shared by the Dutch police who responded to a ransomware attack on a Dutch multinational, followed by data-theft extortion."
https://www.bleepingcomputer.com/news/security/police-arrest-conti-and-lockbit-ransomware-crypter-specialist/
https://therecord.media/ukraine-suspected-lockbit-conti-affiliate
https://www.darkreading.com/cyberattacks-data-breaches/lockbit-and-conti-ransomware-hacker-busted-in-ukraine
https://securityaffairs.com/164475/breaking-news/developer-crypter-conti-lockbit-ransomware.html -
Mass Exploitation: The Vulnerable Edge Of Enterprise Security
"The cyber threat landscape in 2023 and so far 2024 has been dominated by mass exploitation. Previous WithSecure reporting on the professionalization of cybercrime noted the growing importance of mass exploitation as an infection vector, but the volume and severity of this vector have now truly exploded. Several recent reports indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents, and there has been a rapid tempo of security incidents caused by mass exploitation of vulnerable software including, but not limited to: MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect."
https://labs.withsecure.com/publications/mass-exploitation-the-vulnerable-edge-of-enterprise-security
https://www.infosecurity-magazine.com/news/withsecure-exploitation-edge/ -
70% Of Cybersecurity Pros Often Work Weekends, 64% Looking For New Jobs
"Over 70% of cybersecurity professionals often have to work weekends to address security concerns at their organization, according to a new report by Bitdefender. This intense workload appears to correlate strongly with job dissatisfaction, with around two-thirds (64%) of the 1200 cyber professionals surveyed stating that they are planning on looking for a new job in the next 12 months."
https://www.infosecurity-magazine.com/news/cyber-pros-weekends-new-jobs/ -
Lessons From The Ticketmaster-Snowflake Breach
"Last week, the notorious hacker gang, ShinyHunters, sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million Ticketmaster users. This colossal breach, with a price tag of $500,000, could expose the personal information of a massive swath of the live event company's clientele, igniting a firestorm of concern and outrage."
https://thehackernews.com/2024/06/lessons-from-ticketmaster-snowflake.html -
White House Report Dishes Deets On All 11 Major Government Breaches From 2023
"The number of cybersecurity incidents reported by US federal agencies rose 9.9 percent year-on-year (YoY) in 2023 to a total of 32,211, per a new White House report, which also spilled the details on the most serious incidents suffered across the government. Of the total number of incidents, the majority (38 percent) were classed as "improper usage," meaning a system was used in a way that violated the agency's acceptable use policies. The report stated that agencies have the capability to detect when security policies are being violated, but not the ability to prevent it from actually happening."
https://www.theregister.com/2024/06/12/white_house_report/
https://www.whitehouse.gov/wp-content/uploads/2024/06/FY23-FISMA-Report.pdf
References
Electronic Transactions Development Agency (ETDA)