Cyber Threat Intelligence 11 July 2024
Industrial Sector
- ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories
"Major industrial control systems (ICS) providers on Tuesday released security advisories to warn customers of vulnerabilities found and addressed in their products. Siemens published 17 new security advisories describing over 50 vulnerabilities and released patches and mitigations for the flaws. Additionally, the company updated 21 previously released advisories with additional information."
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-cisa-issue-advisories/
New Tooling
- BunkerWeb: Open-Source Web Application Firewall (WAF)
"BunkerWeb is an open-source Web Application Firewall (WAF) distributed under the AGPLv3 free license. The solution’s core code is entirely auditable by a third party and the community."
https://www.helpnetsecurity.com/2024/07/10/bunkerweb-open-source-web-application-firewall-waf/
https://github.com/bunkerity/bunkerweb
Vulnerabilities
- GitLab: Critical Bug Lets Attackers Run Pipelines As Other Users
"GitLab warned today that a critical vulnerability in its product's GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user. The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS. The flaw patched in today's security update is tracked as CVE-2024-6385, and it received a CVSS base score severity rating of 9.6 out of 10."
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-bug-that-lets-attackers-run-pipelines-as-an-arbitrary-user/
- VMware Patches Critical SQL-Injection Flaw In Aria Automation
"Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases. The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory with a “high-severity” rating."
https://www.securityweek.com/vmware-patches-critical-sql-injection-flaw-in-aria-automation/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598
https://securityaffairs.com/165560/security/vmware-aria-automation-critical-sql-injection.html
- Cisco High Severity Security Advisory: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024
"On July 7, 2024, security researchers disclosed the following vulnerability in the RADIUS protocol: CVE-2024-3596: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by an on-path attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. This vulnerability may impact any RADIUS client and server."
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-radius-spoofing-july-2024-87cCDwZ3
- New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
"Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE). The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9."
https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html
https://www.openwall.com/lists/oss-security/2024/07/08/2
https://securityaffairs.com/165535/hacking/openssh-flaw-cve-2024-6409.html
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-23692 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
CVE-2024-38080 Microsoft Windows Hyper-V Privilege Escalation Vulnerability
CVE-2024-38112 Microsoft Windows MSHTML Platform Spoofing Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/07/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://securityaffairs.com/165513/security/cisa-adds-windows-rejetto-http-file-server-bugs-known-exploited-vulnerabilities-catalog.html
- 15 Vulnerabilities Discovered In Software Development Kit For Wireless Routers
"Cisco Talos’ Vulnerability Research team recently discovered 15 vulnerabilities in the Realtek rtl819x Jungle software development kit used in some small and home office wireless routers. This SDK uses the discontinued, open-source Boa as its web server. Talos researchers discovered these vulnerabilities in the Jungle SDK while researching other vulnerabilities in the LevelOne WBR-6013 wireless router, which are also covered in this blog post."
https://blog.talosintelligence.com/vulnerability-roundup-july-10-2024/
- What's Bugging The NSA? A Vuln In Its 'SkillTree' Training Platform
"The National Security Agency (NSA) has patched a cross-site request forgery (CSRF) vulnerability in its open source employee training platform known as SkillTree, showcasing how difficult this class of bug is to catch prior to production release."
https://www.darkreading.com/application-security/whats-buggging-the-nsa-a-vuln-in-its-skilltree-training-platform
https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j
- Cisco High Severity Security Advisory: Cisco IOS XR Software Secure Boot Bypass Vulnerability
"A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Cisco Secure Boot functionality and load unverified software on an affected device. To exploit this successfully, the attacker must have root-system privileges on the affected device."
Malware
- Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims (CVE-2024-38112)
"Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL. An additional trick on IE is used to hide the malicious .hta extension name. By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system."
https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/
https://www.darkreading.com/application-security/attackers-have-been-leveraging-microsoft-zero-day-for-18-months
https://www.helpnetsecurity.com/2024/07/10/cve-2024-38112-cve-2024-38021/
- The Mechanics Of ViperSoftX: Exploiting AutoIt And CLR For Stealthy PowerShell Execution
"In the dynamic landscape of cyber threats, ViperSoftX has emerged as a highly sophisticated malware, adept at infiltrating systems and exfiltrating sensitive information. Since its initial detection in 2020, ViperSoftX has undergone several iterations, with each version demonstrating increased complexity and advanced capabilities. Initially, it spread mainly through cracked software, luring users with pirated applications that secretly installed the malware. ViperSoftX was also distributed via torrent sites earlier, but now we have observed it being distributed specifically as eBooks over torrents."
https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/
https://thehackernews.com/2024/07/vipersoftx-malware-disguises-as-ebooks.html
https://www.theregister.com/2024/07/10/vipersoftx_malware_dot_net/
https://www.bleepingcomputer.com/news/security/vipersoftx-malware-covertly-runs-powershell-using-autoit-scripting/
- Ticket Heist: Olympic Games And Sporting Events At Risk
"With the Olympic Games Paris 2024 set to be one of the most significant sporting events of 2024, the cybersecurity community is preparing for a marked increase in disruption attempts, cyber-attacks, and nation-state involvement. Reflecting on past incidents, many organizations are proactively developing various incident response scenarios and updating their internal playbooks. Nevertheless, one persistent threat remains: fraudulent schemes targeting viewers worldwide."
https://quointelligence.eu/2024/07/ticket-heist-olympic-games-and-sporting-events-at-risk/
https://www.bleepingcomputer.com/news/security/ticket-heist-fraud-gang-uses-700-domains-to-sell-fake-olympics-tickets/
- Attack Activities By Kimsuky Targeting Japanese Organizations
"JPCERT/CC has confirmed attack activities targeting Japanese organizations by an attack group called Kimsuky in March 2024. This article introduces the attack methods of the group confirmed by JPCERT/CC. In the attack we identified, the attacker sent a targeted attack email impersonating a security and diplomatic organization. A zip file containing the following files with double file extensions was attached to the email. (File names are omitted.)"
https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html
https://www.bleepingcomputer.com/news/security/japan-warns-of-attacks-linked-to-north-korean-kimsuky-hackers/
- New Malware Campaign Targeting Spanish Language Victims
"Cofense recently identified and named a new malware called Poco RAT, which is a simple Remote Access Trojan that targets Spanish language victims. It was first observed in early 2024, primarily focusing on companies in the Mining sector and initially was delivered via embedded links to 7zip archives containing executables that were hosted on Google Drive. The campaigns are ongoing and continue to exhibit the same TTPs. The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its Command and Control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials."
https://cofense.com/blog/new-malware-campaign-targeting-spanish-language-victims/
https://www.bankinfosecurity.com/researchers-discover-new-malware-aimed-at-mining-sector-a-25739
https://www.darkreading.com/cyberattacks-data-breaches/poco-rat-burrows-deep-mining-sector
- Hardening Of HardBit
"Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates HardBit Ransomware version 4.0, a new version observed in the wild."
https://www.cybereason.com/blog/hardening-of-hardbit
- Hidden Between The Tags: Insights Into Spammers’ Evasion Techniques In HTML Smuggling
"HTML smuggling is a technique used by attackers to embed encoded or encrypted JavaScript code within HTML attachments or web pages. This technique has been used extensively in spear phishing email campaigns over the past few months. HTML smuggling is quite effective in bypassing perimeter security controls such as email gateways and web proxies for two main reasons: It abuses the legitimate features of HTML5 and JavaScript, and it leverages different forms of encoding and encryption."
https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/
- Inside The Ransomware Playbook: Analyzing Attack Chains And Mapping Common TTPs
"Given the recent slate of massive ransomware attacks that have disrupted everything from hospitals to car dealerships, Cisco Talos wanted to take a renewed look at the top ransomware players to see where the current landscape stands. Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in tactics, techniques and procedures (TTPs), along with several notable differences and outliers."
https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/
https://www.infosecurity-magazine.com/news/ransomware-defense-evasion-data/
https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/
- A “Meta” Facebook Phish
"Everyone today has some form of social media, whether it is Instagram, X, YouTube or Facebook. It is an amazing way to communicate and stay connected with family and friends, but at the same time, it can be scary when your social media falls victim to a cyber-attack. These types of campaigns illustrate how secure email gateways (SEGs), or any type of automated system, may fail to catch things that only the trained eye can. Threat analysts here at the Cofense Phishing Defense Center (PDC) are properly trained and equipped to catch these phishing campaigns that have shown up in environments utilizing SEGs."
https://cofense.com/blog/a-meta-facebook-phish/
- Olympics Has Fallen – A Misinformation Campaign Featuring Elon Musk
"As we gear up for the 2024 Paris Olympics, excitement is building, and so is the potential for scams. From fake ticket sales to counterfeit merchandise, scammers are on the prowl, leveraging big events to trick unsuspecting fans. Recently, McAfee researchers uncovered a particularly malicious scam that not only aims to deceive but also to portray the International Olympic Committee (IOC) as corrupt."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/olympics-has-fallen-a-misinformation-campaign-featuring-elon-musk/
- Patch Or Peril: A Veeam Vulnerability Incident
"While the vulnerability CVE-2023-27532 was made public in March 2023 and subsequently patched by Veeam for versions 12/11a and later for Veeam Backup & Replication software, Group-IB’s Digital Forensics and Incident Response (DFIR) team recently observed a notable incident related to this vulnerability. This blog post delves into the intricacies of a recent ransomware incident involving the emerging threat actor known as EstateRansomware."
https://www.group-ib.com/blog/estate-ransomware/
https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
- DarkGate: Dancing The Samba With Alluring Excel Files
"This article reviews a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware."
https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/
Breaches/Hacks/Leaks
- UAE’s Lulu Hypermarket Data Breach: Hackers Claim Millions Of Customer Records
"Lulu Hypermarket has experienced a major data breach, exposing over 200,000 customer records. The attack, claimed by IntelBroker hackers, includes personal details such as email addresses and phone numbers. The full database, allegedly containing millions of user and order details, may be leaked in the future."
https://hackread.com/uae-lulu-hypermarket-data-breach-hackers-customer-records/
- Hacker Leaks Thousands Of Microsoft And Nokia Employee Details
"Hacker “888” leaks personal data of Nokia and Microsoft employees on Breach Forums. Data breaches at third-party contractors exposed contact details, posing identity theft and phishing risks."
https://hackread.com/hacker-leaks-microsoft-nokia-employee-details/
- Nearly 39 Million Records Were Exposed Online By Legal Services And Technology Company
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained 38.6 million records belonging to Rapid Legal — a legal support services company that offers court filing, process serving, and document retrieval services for law firms, legal departments, and self-represented litigants. The database contained court documents, service agreements, and payment information (all showing partial credit card details and PII)."
https://www.vpnmentor.com/news/report-rapidlegal-breach/
https://hackread.com/unsecured-database-exposed-legal-records-online/
General News
- How Companies Increase Risk Exposure With Rushed LLM Deployments
"In this Help Net Security interview, Jake King, Head of Threat & Security Intelligence at Elastic, discusses companies’ exposure to new security risks and vulnerabilities as they rush to deploy LLMs. King explains how LLMs pose significant risks to data privacy and outlines strategies for mitigating these security risks."
https://www.helpnetsecurity.com/2024/07/10/jake-king-elastic-llms-security-risks/
- 73% Of Security Pros Use Unauthorized SaaS Applications
"73% of security professionals admit to using SaaS applications that had not been provided by their company’s IT team in the past year, according to Next DLP."
https://www.helpnetsecurity.com/2024/07/10/shadow-saas-security-risks/
- Big Tech's Eventual Response To My LLM-Crasher Bug Report Was Dire
"Found a bug? It turns out that reporting it with a story in The Register works remarkably well ... mostly. After publication of my "Kryptonite" article about a prompt that crashes many AI chatbots, I began to get a steady stream of emails from readers – many times the total of all reader emails I'd received in the previous decade. Disappointingly, too many of them consisted of little more than a request to reveal the prompt so that they could lay waste to large language models."
https://www.theregister.com/2024/07/10/vendors_response_to_my_llmcrasher/
- Huione Guarantee: The Multi-Billion Dollar Marketplace Used By Online Scammers
"Online scams have led to tens of billions of dollars being stolen from millions of victims across the world. Perhaps most well known are the so-called pig butchering scams, where fraudsters develop relationships with victims and eventually persuade them to invest in sham investment schemes. Others involve ponzi schemes, impersonation of family members and sextortion."
https://www.elliptic.co/blog/cyber-scam-marketplace
https://thehackernews.com/2024/07/crypto-analysts-expose-huione.html
https://www.bleepingcomputer.com/news/security/huione-guarantee-exposed-as-a-11-billion-marketplace-for-cybercrime/
- CISA And FBI Release Secure By Design Alert On Eliminating OS Command Injection Vulnerabilities
"Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection defects in network edge devices (CVE-2024-20399, CVE-2024-3400, CVE-2024-21887) to target and compromise users. These vulnerabilities allowed unauthenticated malicious actors to remotely execute code on network edge devices."
https://www.cisa.gov/news-events/alerts/2024/07/10/cisa-and-fbi-release-secure-design-alert-eliminating-os-command-injection-vulnerabilities
https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities
https://www.bleepingcomputer.com/news/security/cisa-urges-devs-to-weed-out-os-command-injection-vulnerabilities/
- June 2024’s Most Wanted Malware: RansomHub Takes Top Spot As Most Prevalent Ransomware Group In Wake Of LockBit3 Decline
"Our latest Global Threat Index for June 2024 noted a shift in the Ransomware-as-a-Service (RaaS) landscape, with relative newcomer RansomHub unseating LockBit3 to become the most prevalent group according to publicized shame sites. Meanwhile, a Windows backdoor dubbed BadSpace was identified, involving infected WordPress websites and fake browser updates."
https://blog.checkpoint.com/security/june-2024s-most-wanted-malware-ransomhub-takes-top-spot-as-most-prevalent-ransomware-group-in-wake-of-lockbit3-decline/
- Smishing Triad Targets India With Fraud Surge
"A recent surge in fraudulent smishing attacks impersonating India Post, the government-operated postal system, has prompted warnings from Indian authorities and cybersecurity experts. The Press Information Bureau (PIB) issued alerts in June urging vigilance against suspicious messages falsely claiming to be from India Post, part of India’s Ministry of Communications. This tactic, known as smishing, involves sending deceptive SMS messages to trick users into divulging personal information or clicking on malicious links."
https://www.infosecurity-magazine.com/news/smishing-triad-targets-india-fraud/
- Most Security Pros Admit Shadow SaaS And AI Use
"Almost three-quarters (73%) of cybersecurity professionals have used unsanctioned apps including AI in the past year, according to a new poll from Next DLP. The security vendor interviewed 250 security pros at the recent Infosecurity Europe and RSA Conference industry events, in the UK and US respectively. Its findings revealed that a majority of industry professionals don’t practice what they preach when it comes to shadow IT."
https://www.infosecurity-magazine.com/news/most-security-pros-shadow-saas-ai/
- Digital Solidarity Vs. Digital Sovereignty: Which Side Are You On?
"The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty. The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty."
https://securityintelligence.com/articles/digital-solidarity-vs-digital-sovereignty/
- Can AI Be Meaningfully Regulated, Or Is Regulation a Deceitful Fudge?
"Governments are rushing to regulate artificial intelligence. Is meaningful regulation currently possible? AI is the new wild west of technology. Everybody sees enormous potential (or profit) and huge risks (to both business and society). But few people understand AI, nor how to use nor control it, nor where it is going. Yet politicians wish to regulate it."
https://www.securityweek.com/can-ai-be-meaningfully-regulated-or-is-regulation-a-deceitful-fudge/
- It’s Time To Reassess Your Cybersecurity Priorities
"This article marks my 100th column for SecurityWeek over a ten-year span. This milestone has prompted reflection on my initial goal of educating the market about the essentials of cybersecurity. Unfortunately, not much has changed. Cyber breaches are now bigger and worse than ever. Hardly a week goes by without headlines about a new devastating cyberattack. In fact, the International Monetary Fund reports that the number of cyberattacks has more than doubled since the pandemic."
https://www.securityweek.com/its-time-to-reassess-your-cybersecurity-priorities/
- Russian Researchers Identify Alleged Ukrainian Developer Of Malicious Remote Access Tool
"Researchers claim to have uncovered the identity of the developer of a malicious remote access tool used to attack Russian organizations. Its developer, who goes by the alias Mr. Burns, has been active on darknet forums since 2010 and is known for creating malicious versions of remote administration tools, such as TeamViewer and RMS (Remote Utilities). The Russian cybersecurity firm F.A.C.C.T., which says it has identified the hacker, tracks the tool as BurnsRAT."
https://therecord.media/russian-researchers-identify-alleged-rat-developer
- Beijing Accused Of Misusing Western Research To Claim Volt Typhoon Is a Ransomware Group
"China’s national cybersecurity agency was accused on Wednesday of misrepresenting research from Western cybersecurity companies in an ongoing attempt to deny allegations that a Beijing-backed hacking group is behind attacks targeting critical infrastructure in the West. The cybersecurity company Trellix pushed back against a conspiratorial report published Monday by China’s National Computer Virus Emergency Response Center (CVERC) claiming that the Five Eyes intelligence alliance had concocted evidence about the hacking campaign."
https://therecord.media/china-accused-misusing-western-cybersecurity-research-volt-typhoon
References
Electronic Transactions Development Agency (ETDA) - ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories