Cyber Threat Intelligence 30 July 2024
New Tooling
- Cirrus: Open-Source Google Cloud Forensic Collection
"Cirrus is an open-source Python-based tool designed to streamline Google Cloud forensic evidence collection. It can streamline environment access and evidence collection in investigations involving Google Workspace and GCP. The tool simplifies incident response activities and enhances an organization’s security posture."
https://www.helpnetsecurity.com/2024/07/29/cirrus-open-source-google-cloud-forensic-evidence-collection/
https://github.com/SygniaLabs/Cirrus
- New Specula Tool Uses Outlook For Remote Code Execution In Windows
"Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec. This C2 framework works by creating a custom Outlook Home Page using WebView by exploiting CVE-2017-11774, an Outlook security feature bypass vulnerability patched in October 2017."
https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/
https://github.com/trustedsec/specula/wiki
Vulnerabilities
- Over 1 Million Websites Are At Risk Of Sensitive Information Leakage - XSS Is Dead. Long Live XSS
"Cross-site scripting (aka XSS) has rightfully claimed its place as one of the most popular web vulnerabilities. Since its first emergence, somewhere in the dark days of the internet, countless vulnerabilities have been found across websites everywhere. Therefore, it comes as no surprise that XSS has been consistently highlighted as a top risk in the OWASP TOP-10 since the list's very first iteration in 2004!"
https://salt.security/blog/over-1-million-websites-are-at-risk-of-sensitive-information-leakage---xss-is-dead-long-live-xss
https://www.securityweek.com/millions-of-websites-susceptible-xss-attack-via-oauth-implementation-flaw/
https://www.infosecurity-magazine.com/news/hotjar-business-insider-flaw-oauth/
https://www.darkreading.com/endpoint-security/oauth-xss-attack-millions-web-users-account-takeover
https://hackread.com/xss-oauth-threatens-millions-hotjar-flaw/
- CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability
CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-exploited-vulnerabilities-catalog
https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit
- GeoServer RCE Vulnerability (CVE-2024-36401) Being Exploited In The Wild
"The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data. It supports industry-standard OGC protocols, including Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service (WCS). Identified as CVE-2024-36401, GeoServer versions before 2.24.4, 2.25.2 and 2.23.6 allow an unauthenticated threat actor to execute arbitrary code remotely, earning a critical CVSS score of 9.8. Since this vulnerability has made its way into CISA’s Known Exploited Vulnerabilities (KEV) Catalog, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory."
https://blog.sonicwall.com/en-us/2024/07/geoserver-rce-vulnerability-cve-2024-36401-being-exploited-in-the-wild/
- Meta's AI Safety System Defeated By The Space Bar
"Meta's machine-learning model for detecting prompt injection attacks – special prompts to make neural networks behave inappropriately – is itself vulnerable to, you guessed it, prompt injection attacks. Prompt-Guard-86M, introduced by Meta last week in conjunction with its Llama 3.1 generative model, is intended "to help developers detect and respond to prompt injection and jailbreak inputs," the social network giant said."
https://www.theregister.com/2024/07/29/meta_ai_safety/
Malware
- Introducing Gh0stGambit: A Dropper For Deploying Gh0st RAT
"Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team."
https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat
https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html
- Belarus-Linked APT Ghostwriter Targeted Ukraine With PicassoLoader Malware
"Belarus-linked APT group GhostWriter targeted Ukrainian organizations with a malware family known as PicassoLoader, used to deliver various malicious payloads."
https://securityaffairs.com/166265/intelligence/belarus-apt-ghostwriter-targeted-ukraine.html
- Mandrake Spyware Sneaks Onto Google Play Again, Flying Under The Radar For Two Years
"In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years. In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor."
https://securelist.com/mandrake-apps-return-to-google-play/113147/
https://www.bleepingcomputer.com/news/security/android-spyware-mandrake-hidden-in-apps-on-google-play-since-2022/
https://www.infosecurity-magazine.com/news/mandrake-spyware-infects-32000/
- Attackers (Crowd)Strike With Infostealer Malware
"The infamous Blue(screen) Friday caused widespread concern, commotion, and, for attackers, convenience. Threat actors were quick to take advantage of the CrowdStrike outage, launching attacks that preyed on victims’ hysteria. In this blog, we examine an infostealer malware campaign conducted by suspected Iranian threat actor, Handala. The attack targets Israeli companies, leveraging the CrowdStrike incident to lure victims into downloading a fake update."
https://perception-point.io/blog/attackers-crowdstrike-with-infostealer-malware/
- “EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection To Dispatch Millions Of Perfectly Spoofed Emails
"Guardio Labs has uncovered a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing 87 of the Fortune 100 companies. Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details."
https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6
https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html
https://www.bleepingcomputer.com/news/security/proofpoint-settings-exploited-to-send-millions-of-phishing-emails-daily/
https://www.securityweek.com/phishing-campaign-exploited-proofpoint-email-protections-for-spoofing/
- Ransomware Operators Exploit ESXi Hypervisor Vulnerability For Mass Encryption
"Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network. In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function."
https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/
https://securityaffairs.com/166295/cyber-crime/ransomware-gangs-exploit-cve-2024-37085-vmware-esxi.html
https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/
- Hunters International: Your Data Is The Prey
"Hunters International (Hunters) is one of those rare criminal groups whose name reflects exactly who they are. They hunt for your data, and they operate internationally. As of this writing, the group has successfully compromised victims in 29 countries, and that's only counting confirmed victims. Several industry surveys have found the number of unreported ransomware attacks to be anywhere from 60% - 80%, so we can probably assume the numbers are higher than we know."
https://blog.barracuda.com/2024/07/29/hunters-international--your-data-is-the-prey
- Walmart Discovers New PowerShell Backdoor Linked To Zloader Malware
"An unknown PowerShell backdoor has been discovered alongside a new variant of the Zloader/SilentNight malware, Walmart’s Cyber Intelligence Team has reported. The PowerShell backdoor has been constructed to provide threat actors with further access via recon activity and to deploy other malware samples, including Zloader. The backdoor also utilizes sophisticated obfuscation techniques. It was potentially utilized alongside the new Zloader variant, the researchers said."
https://www.infosecurity-magazine.com/news/walmart-powershell-backdoor-zloader/
- Distribution Of Xworm Malware As a URL File (Detected By AhnLab EDR)
"Phishing, which is a common method used in the malware distribution phase, has been employed for a long time. Phishing emails typically include attachments disguised as invoices, estimates, tax bills, or summonses to trick recipients into running malware. A recent case confirmed by AhnLab SEcurity intelligence Center (ASEC) involves a phishing scam pretending to be PayPal, tricking recipients into executing a file disguised as an invoice."
https://asec.ahnlab.com/en/68422/
Breaches/Hacks/Leaks
- French Cybercrimes Team Called In After Israeli Athletes’ Data Leaked Online
"France’s cybercrime unit (OFAC) is pushing to get private data on several Israeli athletes competing in the Paris Olympic Games removed from social media, police sources said Saturday. Data including blood test results and login credentials were published on Telegram on Friday in an apparent doxing cyberattack, the sources said. Doxing is the malicious publication of private details online. The hacker group, which called itself “Zeus,” also leaked personal information revealing Israeli athletes’ military status on social media Thursday."
https://www.timesofisrael.com/french-cybercrimes-team-called-in-after-israeli-athletes-data-leaked-online/
https://www.darkreading.com/threat-intelligence/zeus-hacker-group-strikes-israeli-olympic-athletes-data-leak
- Pro-Ukrainian Hackers Claim Attack On Russian Cyber Company
"A pro-Ukrainian hacker group, known as Cyber Anarchy Squad, claimed it hacked the Russian information security firm Avanpost and leaked a trove of its data. The hackers said over the weekend that they encrypted over 400 virtual machines running Linux or Windows and most of the physical workstations of the company’s employees. The group also reportedly destroyed more than 60 terabytes of data and leaked 390 gigabytes of “valuable information.”"
https://therecord.media/pro-ukraine-hackers-attack-russian-cyber-firm
General News
- Enhancing Threat Detection For GenAI Workloads With Cloud Attack Emulation
"Cloud GenAI workloads inherit pre-existing cloud security challenges, and security teams must proactively evolve innovative security countermeasures, including threat detection mechanisms."
https://www.helpnetsecurity.com/2024/07/29/genai-cloud-threat-detection/
- Why a Strong Patch Management Strategy Is Essential For Reducing Business Risk
"In this Help Net Security interview, Eran Livne, Senior Director of Product Management, Endpoint Remediation at Qualys and Thomas Scheffler, Security Operations Manager of Cintas Corporation, discuss their experiences with automated patch management."
https://www.helpnetsecurity.com/2024/07/29/thomas-scheffler-cintas-eran-livne-qualys-patch-management-strategy/
- Whitepaper: DevSecOps Blueprint
"In the DevSecOps Blueprint whitepaper, GitGuardian outlines a robust foundation for building an automated and technology-driven DevSecOps Program that addresses every aspect of the SDLC. Learn how your organization can embed security at every layer: the tools and technologies, the processes (like IR and security testing), and the people involved. Help your developers work faster while maintaining security."
Priority: 3 - Important
Relevance: General
https://www.helpnetsecurity.com/2024/07/29/whitepaper-devsecops-blueprint/
https://www.gitguardian.com/whitepapers/devsecops-blueprint
- Windows Security Best Practices For Integrating And Managing Security Tools
"In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products."
https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/
https://www.darkreading.com/application-security/microsoft-lowballs-crowdstrike-outage-impact
https://www.theregister.com/2024/07/29/microsoft_crowdstrike_incident_report/
https://www.helpnetsecurity.com/2024/07/29/crowdstrike-outage-positive-effects/
- Less Than Half Of European Firms Have AI Controls In Place
"European businesses have been urged to carefully assess what privacy, security and acceptable usage controls they need to place on AI tools before allowing employees to use them. To compile its new Sapio Research Finance Pulse report, the eponymous research firm polled 800 consumers and 375 business decision makers responsible for their finance department, with respondents from the UK, Germany, France and the Netherlands."
https://www.infosecurity-magazine.com/news/less-half-european-firms-ai/
https://sapioresearch.com/wp-content/uploads/2024/06/survey-uploads/Sapio-Research-Finance-Pulse.pdf
- How To Write a Generative AI Cybersecurity Policy
"Amidst all the hype, CISOs urgently need practical guidance on how to establish AI security practices to defend their organizations as they play catchup with deployments and plans. With the right combination of cybersecurity policy and advanced tools, enterprises can meet their goals for today and lay a foundation for dealing with the evolving complexities of AI going forward."
https://www.trendmicro.com/en_us/research/24/g/write-generative-ai-cybersecurity-policy.html
- French Telecom Infrastructure Damaged In Another Sabotage Attack
"Fiber optic networks of several French telecommunication service providers have been “sabotaged” overnight, disrupting some fixed and mobile services. The country’s second-largest telecom operator, SFR, said in a statement on X that its long-distance cables were “vandalized” and that the company’s services may be disrupted “in the most impacted areas.”"
https://therecord.media/french-telecom-infrastructure-sabotage
- Singapore Cyber Landscape 2023
"The “Singapore Cyber Landscape (SCL) 2023” reviews Singapore’s cybersecurity situation in 2023 against the backdrop of global trends and events, and highlights Singapore’s efforts in creating a safer cyberspace. Several cybersecurity trends took the headlines in 2023. These included (i) threats that leveraged vulnerabilities in supply chains and popular third-party services, (ii) the expanding operations of hacktivist groups, and (iii) the exploitation of generative artificial intelligence (AI) by malicious actors to enhance their attacks."
https://www.csa.gov.sg/Tips-Resource/publications/2024/singapore-cyber-landscape-2023
https://www.csa.gov.sg/docs/default-source/publications/2024/singapore-cyber-landscape-2023.pdf
https://www.channelnewsasia.com/singapore/ai-phishing-attempts-cyber-attacks-technology-scams-deepfakes-ransomware-4506631
- State Department: UN Cybercrime Treaty Must Include Human Rights Protections
"On the eve of the kickoff of the final round of negotiations debating a United Nations cybercrime treaty, the U.S. State Department said Friday it is focused on ensuring the treaty protects human rights. Along with 40 other U.N. member states, the U.S. signed off on a statement acknowledging the treaty’s potential to be “misused as a tool for acts of domestic and transnational repression and other human rights violations.” The statement comes amid substantial criticism of the draft agreement from human rights and digital freedom advocates."
https://therecord.media/state-department-treaty-human-rights-protections
https://www.bankinfosecurity.com/tech-orgs-feel-abandoned-as-un-finalizes-cybercrime-treaty-a-25875
- Russia-Linked Brute-Force Campaign Targets EU Via Microsoft Infrastructure
"The European Union is experiencing a surge in brute-force cyberattacks on corporate and institutional networks, mostly originating from Russia, according to a Heimdal investigation. These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection. Heimdal’s data reveals that the attacks date back to May 2024, but evidence suggests they may have been occurring for an even longer period."
https://heimdalsecurity.com/blog/russia-brute-force-attacks-europe/
References
Electronic Transactions Development Agency (ETDA)