Cyber Threat Intelligence 01 August 2024
New Tooling
- Secretive: Open-Source App For Storing And Managing SSH Keys In The Secure Enclave
"Secretive is an open-source, user-friendly app designed to store and manage SSH keys within the Secure Enclave. Typically, SSH keys are stored on disk with appropriate permissions, which is usually sufficient. However, it’s not overly difficult for malicious users or malware to copy your private key. By storing your keys in the Secure Enclave, they become impossible to export, providing a higher level of security."
https://www.helpnetsecurity.com/2024/07/31/secretive-app-managing-ssh-keys-secure-enclave/
https://github.com/maxgoedjen/secretive
Vulnerabilities
- Out-Of-Bounds Read Vulnerability In NVIDIA Driver; Open-Source Flashcard Software Contains Multiple Security Issues
"Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards. The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/vulnerability-roundup-july-31-nvidia/
- Multiple Cross-Site Scripting (XSS) Vulnerabilities In REDCap (CVE-2024-37394, CVE-2024-37395, And CVE-2024-37396)
"Trustwave SpiderLabs uncovered multiple stored cross-site scripting (XSS) vulnerabilities (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396) in REDCap (Research Electronic Data Capture), a widely used web application for building and managing online surveys and databases in research environments. These vulnerabilities, if exploited, could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/
https://www.darkreading.com/threat-intelligence/dangerous-xss-bugs-redcap-academic-scientific-research
- Multiple SMTP Services Are Susceptible To Spoofing Attacks Due To Insufficient Enforcement
"Multiple hosted, outbound SMTP servers are vulnerable to email impersonation. This allows authenticated users and certain trusted networks to send emails containing spoofed sender information. Two vulnerabilities were identified that reduce the authentication and verification of the sender, provided by the combination of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM, adding linkage to the author (FROM:) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders to improve and monitor protection of the domain from fraudulent email (DMARC.org). An authenticated remote attacker can spoof the identity of a sender when sending emails using a hosted service provider."
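The excerpt describes the chain SPF, DKIM and DMARC form; the following is an added example (not code from CERT/CC or any provider covered by VU#244112) that works the DMARC identifier-alignment step through for three constructed messages, including the hosted-provider condition the note describes. Alignment modes follow RFC 7489 ("r" relaxed, "s" strict); the organizational-domain derivation is a simplification (last two labels, no Public Suffix List), and every domain is a placeholder.

```python
"""DMARC identifier alignment, worked through (added example).

SPF authenticates the envelope (RFC5321.MailFrom) domain, DKIM the d= domain
of a verified signature. DMARC passes only if one of those authenticated
domains *aligns* with the RFC5322.From domain the recipient actually sees.
"""
from dataclasses import dataclass
from typing import Dict


def org_domain(domain: str) -> str:
    """Last two labels, e.g. mail.example.com -> example.com.
    Assumption for this demo: no multi-label public suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: strict = exact match, relaxed = same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    if mode == "r":
        return org_domain(auth_domain) == org_domain(from_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass(frozen=True)
class AuthResult:
    from_domain: str   # RFC5322.From domain shown to the recipient
    spf_pass: bool     # SPF verdict for the envelope MAIL FROM
    spf_domain: str    # domain SPF evaluated (RFC5321.MailFrom)
    dkim_pass: bool    # a DKIM signature verified
    dkim_domain: str   # d= tag of that signature


def dmarc_evaluate(r: AuthResult, adkim: str = "r", aspf: str = "r") -> Dict[str, bool]:
    """Per-mechanism alignment plus the overall verdict: DMARC passes if
    either SPF or DKIM both passed and aligned with the From: domain."""
    spf_aligned = r.spf_pass and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_aligned = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, adkim)
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


# Constructed scenarios with placeholder domains.
# 1. Legitimate mail from victim.example through its own infrastructure.
LEGIT = AuthResult("victim.example", True, "bounce.victim.example", True, "victim.example")

# 2. A tenant of hosting.example writes From: victim.example, but the provider
#    bounces and signs under its own domain. SPF and DKIM both pass, yet neither
#    authenticated domain aligns with From:, so DMARC fails. This is the case
#    alignment was designed to stop.
PROVIDER_IDENTITY_SPOOF = AuthResult("victim.example", True, "hosting.example", True, "hosting.example")

# 3. The condition VU#244112 describes, as modelled here: the provider does not
#    bind the authenticated tenant to a sender domain, so the tenant sends with
#    victim.example as envelope domain and the provider signs with d=victim.example
#    (victim has included the provider in its SPF record and let it sign DKIM).
#    Everything aligns and DMARC passes for the spoofed message.
TENANT_SPOOF = AuthResult("victim.example", True, "victim.example", True, "victim.example")


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("provider-identity spoof", PROVIDER_IDENTITY_SPOOF),
                      ("tenant spoof", TENANT_SPOOF)):
        print(f"{name:24s} {dmarc_evaluate(msg)}")
```

The third scenario is the practical caveat: DMARC alignment cannot tell the domain owner's own mail from a fellow tenant's once the provider is authorized in SPF and holds the DKIM signing key, so the control has to be enforced at the provider, by binding each authenticated account to the sender domains it may use.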
https://kb.cert.org/vuls/id/244112
https://www.securityweek.com/vulnerabilities-enable-attackers-to-spoof-emails-from-20-million-domains/
- Protecting SmartPLC Devices From Critical Hardcoded Credential Vulnerability CVE-2024-28747
"The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-28747, a vulnerability in SmartPLC devices, assessed its impact and developed mitigation measures for this vulnerability. This vulnerability of hardcoded credentials affects SmartPLC devices, specifically the AC14xx and AC4xxS models, with firmware versions up to and including 4.3.17. It allows unauthenticated remote attackers to gain high-privilege access using hard-coded credentials of username “target” and password “target” embedded in the firmware."
https://blog.sonicwall.com/en-us/2024/07/protecting-smartplc-devices-from-critical-hardcoded-credential-vulnerability-cve-2024-28747/
- Identifying a BOLA Vulnerability In Harbor, a Cloud-Native Container Registry
"In a recent audit of open-source web applications, threat researchers from Unit 42 have identified a broken object-level authorization (BOLA) vulnerability that impacts Harbor versions prior to 2.9.5. Harbor is a widely used cloud-native container registry that plays a role in cloud environments by hosting container images and providing features such as role-based access control (RBAC), vulnerability scanning and image signing. It is an open-source CNCF Graduated project with over 22,600 stars and 1.8 million downloads. The vulnerability we identified is tracked as CVE-2024-22278, with a CVSS score of 6.4."
https://unit42.paloaltonetworks.com/bola-vulnerability-impacts-container-registry-harbor/
Malware
- Trump Campaign Crypto Scam: Unveiling The Phishing Plot
"In a concerning development, recent research conducted by the Veriti research team uncovered a phishing campaign targeting supporters of Donald Trump’s 2024 campaign. The scheme, active since May 31 – the day of Trump’s trial verdict, leverages cryptocurrency as a means to solicit donations fraudulently. This blog delves into the intricacies of the campaign, highlighting key findings and the implications of this cyber threat."
https://veriti.ai/blog/trump-campaign-crypto-scam-unveiling-the-phishing-plot/
https://hackread.com/phishing-attack-steals-donations-trump-supporters/
- BingoMod: The New Android RAT That Steals Money And Wipes Data
"At the end of May 2024, a new Android RAT appeared in Cleafy’s telemetries. Due to the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it BingoMod to track it inside our Threat Intelligence taxonomy. This nomenclature is based on the malware's core component, known at an early stage as “ChrUpdate” but later renamed “BingoMod”."
https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data
https://www.bleepingcomputer.com/news/security/new-android-malware-wipes-your-device-after-draining-bank-accounts/
- "ERIAKOS" Scam Campaign: Detected By Recorded Future’s Payment Fraud Intelligence Team
"Recorded Future’s Payment Fraud Intelligence team has identified a scam e-commerce network, named the “ERIAKOS” campaign, targeting Facebook users. This campaign, detected on April 17, 2024, involves 608 fraudulent websites using brand impersonation and malvertising tactics to steal personal and financial data. Notably, the scam websites were accessible only via mobile devices and ad lures, likely to evade automated scanners. Recorded Future recommends blocklisting suspicious merchant accounts and closely monitoring customer transactions. The use of advanced screening techniques in this campaign suggests a growing trend that might challenge current detection technologies."
https://www.recordedfuture.com/research/eriakos-scam-campaign-detected
https://go.recordedfuture.com/hubfs/reports/CTA-2024-0731.pdf
https://www.bleepingcomputer.com/news/security/fraud-ring-pushes-600-plus-fake-web-shops-via-facebook-ads/
- Cofense Catches Phishing Emails Missed By Proofpoint And Abnormal Security
"In a recent wave of phishing attacks, cybercriminals managed to bypass secure email gateways (SEGs) from both Proofpoint and Abnormal Security to deliver emails that employed Microsoft-spoofing and artificial notifications into victims’ inboxes. These emails contained embedded URLs that led unsuspecting users to fake login pages designed to harvest credentials. Fortunately, the emails were identified, analyzed, and quarantined by the Cofense Phishing Defense Center (PDC) within minutes. This serves as a stark reminder of the evolving tactics of cybercriminals and the need for multi-layered defense strategies."
https://cofense.com/blog/cofense-catches-phishing-emails-missed-by-proofpoint-and-abnormal-security/
- Research Update: Threat Actors Behind The DEV#POPPER Campaign Have Retooled And Are Continuing To Target Software Developers Via Social Engineering
"The threat actors behind the previously documented DEV#POPPER campaign are continuing to target developers by means of new malware and tactics, including support for Linux, Windows and macOS. The Securonix Threat Research team has been monitoring the threat actors behind the ongoing investigation into the DEV#POPPER campaign, and we have identified additional malware variants linked to the same North Korean threat actors using similar, stealthy malicious code execution tactics, though now with much more robust capabilities."
https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/
https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html
https://www.darkreading.com/threat-intelligence/north-koreans-target-devs-worldwide-spyware-job-offers
- Unseen Dangers Lurking Behind Evasive Secureserver.net URLs
"Banking trojans continue to evolve quickly, affecting major banking organizations across the globe. We’ve seen an increase in malware using secureserver[.]net to target Spanish and Portuguese-speaking regions covering Latin America financial institutions. Additionally, hackers are also targeting Spanish and Portuguese-speaking European countries and other parts of the world. This campaign is spread via URL secureserver[.]net, which is a hosting site that also offers domain name registration and web hosting services worldwide. During our research within X-Labs, we have observed that this domain is frequently abused to host malicious content."
https://www.forcepoint.com/blog/x-labs/malware-lurking-behind-secureserver-net-urls
- Malicious Packages Hidden In PyPI
"The FortiGuard Labs team has identified a malicious PyPI package affecting all platforms where PyPI packages can be installed. This discovery poses a significant risk to individuals and institutions that have installed these packages, potentially leading to the leakage of credentials and sensitive information. Given the high severity of this threat, it is crucial to focus on this specific PyPI package. This report discusses its potential impacts and emphasizes the importance of diligent security practices in managing software dependencies."
https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl
https://www.infosecurity-magazine.com/news/pypi-package-steals-discord/
- Who Knew? Domain Hijacking Is So Easy
"Researchers at Infoblox and Eclypsium have discovered that a powerful attack vector in the domain name system (DNS) is being widely exploited across many DNS providers. We have found that over a dozen Russian-nexus cybercriminal actors are using this attack vector to hijack domain names without being noticed. We call this the Sitting Ducks attack. There are over a million exploitable target domains on any given day, and the attack is:"
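The excerpt above breaks off before describing the attack. The linked Infoblox and Eclypsium write-ups describe the exploitable condition as a lame delegation: the parent zone delegates the domain to name servers at a DNS provider that holds no zone for it, so anyone with an account at that provider can create the zone and answer for the domain. The following is an added example, not code from either vendor, that checks each delegated name server of a domain for that condition. Lookups go through a `query` callable so the logic runs here against constructed replies; the `dnspython_query` adapter (which assumes the dnspython package is installed) performs live queries. All domain names and addresses in the fixture are placeholders.

```python
"""Lame-delegation check for Sitting Duck candidates (added example)."""
from typing import Callable, Dict, List, NamedTuple


class Reply(NamedTuple):
    rcode: str          # "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL", ...
    aa: bool            # authoritative-answer flag set on the response
    answers: List[str]  # rdata as text


# (server, name, rtype) -> Reply; server == "" means "ask the local recursive resolver"
Query = Callable[[str, str, str], Reply]


def delegation_status(domain: str, query: Query) -> Dict[str, str]:
    """Ask every delegated name server directly for the domain's SOA.

    A server that answers REFUSED/SERVFAIL, or answers without the AA
    flag, serves no zone for the domain: the delegation to it is lame.
    """
    status: Dict[str, str] = {}
    for ns in query("", domain, "NS").answers:
        ns = ns.rstrip(".")
        addrs = query("", ns, "A").answers
        if not addrs:
            status[ns] = "unresolvable"
            continue
        soa = query(addrs[0], domain, "SOA")
        if soa.rcode in ("REFUSED", "SERVFAIL"):
            status[ns] = "lame (" + soa.rcode + ")"
        elif not soa.aa:
            status[ns] = "lame (not authoritative)"
        else:
            status[ns] = "ok"
    return status


def lame_servers(status: Dict[str, str]) -> List[str]:
    """Name servers that are delegated for the domain but do not serve it."""
    return sorted(ns for ns, s in status.items() if s.startswith("lame"))


def dnspython_query(server: str, name: str, rtype: str) -> Reply:
    """Live lookups via dnspython (assumed installed; not exercised by the demo)."""
    import dns.exception, dns.flags, dns.message, dns.query, dns.rcode, dns.resolver
    if not server:
        try:
            ans = dns.resolver.resolve(name, rtype)
            return Reply("NOERROR", False, [r.to_text() for r in ans])
        except dns.resolver.NXDOMAIN:
            return Reply("NXDOMAIN", False, [])
        except dns.exception.DNSException:
            return Reply("SERVFAIL", False, [])
    resp = dns.query.udp(dns.message.make_query(name, rtype), server, timeout=3)
    return Reply(dns.rcode.to_text(resp.rcode()),
                 bool(resp.flags & dns.flags.AA),
                 [r.to_text() for rrset in resp.answer for r in rrset])


# Constructed replies (placeholder names and documentation-range addresses):
# victim.example is delegated to a provider with no zone for it,
# healthy.example to servers that answer authoritatively.
FIXTURE = {
    ("", "victim.example", "NS"): Reply("NOERROR", False, ["ns1.dnsprovider.example.", "ns2.dnsprovider.example."]),
    ("", "ns1.dnsprovider.example", "A"): Reply("NOERROR", False, ["192.0.2.10"]),
    ("", "ns2.dnsprovider.example", "A"): Reply("NOERROR", False, ["192.0.2.11"]),
    ("192.0.2.10", "victim.example", "SOA"): Reply("REFUSED", False, []),
    ("192.0.2.11", "victim.example", "SOA"): Reply("NOERROR", False, []),   # answers, but not authoritative
    ("", "healthy.example", "NS"): Reply("NOERROR", False, ["ns1.healthy.example."]),
    ("", "ns1.healthy.example", "A"): Reply("NOERROR", False, ["198.51.100.5"]),
    ("198.51.100.5", "healthy.example", "SOA"): Reply(
        "NOERROR", True, ["ns1.healthy.example. hostmaster.healthy.example. 1 3600 600 86400 300"]),
}


def fixture_query(server: str, name: str, rtype: str) -> Reply:
    return FIXTURE.get((server, name.rstrip("."), rtype), Reply("NXDOMAIN", False, []))


if __name__ == "__main__":
    for d in ("victim.example", "healthy.example"):
        st = delegation_status(d, fixture_query)
        print(d, st, "-> lame:", lame_servers(st))
```

A lame delegation is the necessary condition, not the whole attack: it is only exploitable if the delegated provider lets an unrelated account claim the zone without proving control of the domain, and a REFUSED answer can also come from a provider that simply blocks direct queries. Treat a "lame" result as a reason to look at who runs those name servers and whether the zone still exists there, and run the check against live DNS with `delegation_status(domain, dnspython_query)`.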
https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/
https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/
https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/
https://www.theregister.com/2024/07/31/domains_with_delegated_name_service/
- Microsoft Seizes Domain Used By Vietnamese Group To Sell Fake Accounts, Services
"Microsoft on Wednesday seized another domain used by a trio of people based in Vietnam who were selling fraudulent accounts and services to bypass CAPTCHA puzzles, according to court documents unsealed late Wednesday."
https://cyberscoop.com/microsoft-seizes-domain-used-by-vietnamese-group-to-sell-fake-accounts-services/
Breaches/Hacks/Leaks
- OneBlood's Virtual Machines Encrypted In Ransomware Attack
"OneBlood, a large not-for-profit blood center that serves hospitals and patients in the United States, is dealing with an IT systems outage caused by a ransomware attack. The organization plays a critical role in ensuring a stable blood supply to the Southeastern part of the country, collecting, testing, and distributing a large volume of blood products. Because of this, there are concerns about surgeries and treatments being impacted."
https://www.bleepingcomputer.com/news/security/onebloods-virtual-machines-encrypted-in-ransomware-attack/
https://therecord.media/ransomware-attack-blood-center-shortage-protocols-hospitals
https://www.infosecurity-magazine.com/news/urgent-blood-appeal-us-ransomware/
https://www.securityweek.com/ransomware-attack-hits-oneblood-blood-bank-disrupts-medical-operations/
https://securityaffairs.com/166401/cyber-crime/oneblood-suffered-ransomware-attack.html
https://www.theregister.com/2024/07/31/ransomware_blood_supply_hospital/
- World Leading Silver Producer Fresnillo Discloses Cyberattack
"Fresnillo PLC, the world's largest silver producer and a top global producer of gold, copper, and zinc, said attackers gained access to data stored on its systems during a recent cyberattack. The mining giant revealed in a Tuesday filing that it was "the subject of a cyber security incident which has resulted in unauthorised access to certain IT systems and data." Upon discovering the attack, Fresnillo initiated response measures to contain the breach, and its IT experts are investigating and assessing the incident's impact in coordination with external forensic specialists."
https://www.bleepingcomputer.com/news/security/world-leading-silver-producer-fresnillo-discloses-cyberattack/
General News
- What CISOs Need To Keep CEOs (and Themselves) Out Of Jail
"Former Uber CISO Joe Sullivan, who was convicted for attempting to cover up a data breach Uber suffered in 2016, recently posited that in the very near future, CEOs might find themselves held directly responsible for cybersecurity breaches. Considering the changes in the Cyber Security Framework 2.0 (CSF 2.0) emphasizing governance and communication with the board of directors, Sullivan is right to assume that liability will not stop at the CISO and will likely move upwards."
https://www.helpnetsecurity.com/2024/07/31/ceos-cisos-new-controls/
- Leveraging Dynamic Configuration For Seamless And Compliant Software Changes
"In this Help Net Security interview, Konrad Niemiec, CEO and Founder of Lekko, discusses the benefits of dynamic configuration in preventing system outages and enabling faster response times during incidents. Niemiec explains how dynamic configuration evolves feature flagging, supports operational agility, and addresses compliance challenges across various sectors."
https://www.helpnetsecurity.com/2024/07/31/konrad-niemiec-lekko-dynamic-configuration/
- Microsoft Says Massive Azure Outage Was Caused By DDoS Attack
"Microsoft confirmed today that a nine-hour outage on Tuesday, which took down and disrupted multiple Microsoft 365 and Azure services worldwide, was triggered by a distributed denial-of-service (DDoS) attack. Redmond says the outage impacted Microsoft Entra, some Microsoft 365 and Microsoft Purview services (including Intune, Power BI, and Power Platform), as well as Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, and the Azure portal."
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-massive-azure-outage-was-caused-by-ddos-attack/
https://www.infosecurity-magazine.com/news/ddos-microsoft-global-outage/
https://www.darkreading.com/cloud-security/microsoft-azure-ddos-attack-amplified-cyber-defense-error
https://www.helpnetsecurity.com/2024/07/31/microsoft-azure-ddos/
https://www.securityweek.com/microsoft-says-azure-outage-caused-by-ddos-attack-response/
https://www.theregister.com/2024/07/31/microsoft_ddos_azure/
- Innovative Approach Promises Faster Bug Fixes
"Modern software applications usually consist of numerous files and several million lines of code. Due to the sheer quantity, finding and correcting faults, known as debugging, is difficult. In many software companies, developers still search for faults manually, which takes up a large proportion of their working time. Studies indicate that this accounts for between 30 and 90 percent of the total development time."
https://www.helpnetsecurity.com/2024/07/31/debugging-faster-bug-fixes/
- Would Making Ransom Payments Illegal Result In Fewer Attacks?
"Ransomware and other malware attacks are among the top three types of security incidents that organizations experience, according to Netwrix's "2024 Hybrid Security Trends Report." In a bid to curb this menace, for several years now there have been discussions around a radical approach: making ransomware payments illegal. The rationale is straightforward. If paying a ransom is prohibited, organizations won't do it — thus eliminating the incentive for cybercriminals to launch ransomware attacks. Problem solved. Or is it?"
https://www.darkreading.com/vulnerabilities-threats/would-making-ransom-payments-illegal-result-in-fewer-attacks
- Malware Trends Report: Q2, 2024
"We’re excited to share ANY.RUN‘s latest malware trends analysis for Q2 2024! Our quarterly update provides insights into the most widely deployed malware families, types, and TTPs we saw during the last 3 months of the year."
https://any.run/cybersecurity-blog/malware-trends-q2-2024/
https://hackread.com/top-infostealers-analysis-redline-vidar-formbook/
- PR Vs Cybersecurity Teams: Handling Disagreements In a Crisis
"When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide on how to spin the PR team’s information. And usually, that approach is fine — until there is a crisis to be managed."
https://securityintelligence.com/articles/pr-vs-cybersecurity-teams-handling-disagreements-in-crisis/
- Greek Prosecutor Says Government Played No Role In Civil Society Spyware Infections
"A Greek investigation into a sprawling domestic spyware scandal that emerged in 2022 found no evidence any state entity had purchased or used powerful spyware targeting or infecting devices belonging to several journalists, politicians and business executives, a top prosecutor said. Greek Supreme Court Prosecutor Georgia Adeilini said Tuesday the probe into how powerful Predator spyware ended up on prominent Greek public figures’ phones found that none of the country’s state services, including its National Intelligence Service (EYP), were involved in acquiring or deploying the technology, according to local news reports."
https://therecord.media/greece-predator-spyware-investigation
- Germany Summons Chinese Ambassador Over Cyberattack On Cartography Agency
"German authorities on Wednesday said that a Beijing-backed threat actor was behind a cyberattack three years ago on the country’s state cartography agency, and summoned the Chinese ambassador to Berlin for further discussions. The action represents the first time that Germany summoned China’s ambassador since the Tiananmen Square crackdown in 1989, Germany’s foreign ministry spokesperson Sebastian Fischer said during a press briefing."
https://therecord.media/germany-summons-chinese-ambassador-over-hack
- Five Months After Takedown, LockBit Is a Shadow Of Its Former Self
"For roughly two years, LockBit's ransomware operation was by far the most prolific of its kind, until the fateful events of February. After claiming thousands of victims, extorting hundreds of millions of dollars, and building a robust army of sophisticated cybercriminals, the life's work of its mastermind, LockbitSupp – whom cops claim is Russian national Dmitry Khoroshev – is now hanging by a thread. Despite Operation Cronos's failure to scupper the operation entirely, it may still go down as one of the most comprehensive ransomware takedowns of all time. Sure, the infrastructure may have been rebuilt and its blog is back online, but LockBit's reputation is in tatters."
https://www.theregister.com/2024/07/31/five_months_after_lockbit/
References
Electronic Transactions Development Agency (ETDA)