Cyber Threat Intelligence 13 August 2024
New Tooling
- Scout Suite: Open-Source Cloud Security Auditing Tool
"Scout Suite is an open-source, multi-cloud security auditing tool designed to assess the security posture of cloud environments. By leveraging the APIs provided by cloud vendors, Scout Suite collects and organizes configuration data, making it easier to identify potential risks. Instead of manually sifting through numerous pages on cloud web consoles, Scout Suite automatically generates a comprehensive and clear overview of the attack surface, streamlining the security assessment process."
https://www.helpnetsecurity.com/2024/08/12/scout-suite-open-source-cloud-security-auditing-tool/
Vulnerabilities
- Hacking a Secure Industrial Remote Access Gateway
"In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+. We found security vulnerabilities in the Cosy+ that allow unauthenticated attackers to gain root access to the device. With this access and by conducting further analyses, we found more issues allowing decrypting encrypted firmware files and encrypted data such as passwords in configuration files."
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.html
- Vulnerability In Windows Driver Leads To System Crashes
"A newly discovered vulnerability, identified as CVE-2024-6768, has surfaced in the Common Log File System (CLFS.sys) driver of Windows. This issue, identified by Fortra cybersecurity researcher Ricardo Narvaja, highlights a flaw that could allow an unprivileged user to cause a system crash, resulting in a Blue Screen of Death (BSOD). The vulnerability exists due to improper input data validation, leading to an unrecoverable system state."
https://www.infosecurity-magazine.com/news/vulnerability-windows-driver/
- Technical Analysis: CVE-2024-30103
"Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook, which highlights the potential for remote code execution within the context of the Outlook application. This newly identified vulnerability, CVE-2024-30103, allows remote execution through malicious injected Outlook Forms, posing a significant threat as it executes as soon as an email is opened."
https://blog.morphisec.com/cve-2024-30103-technical-analysis
- FreeBSD Releases Urgent Patch For High-Severity OpenSSH Vulnerability
"The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity."
https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.html
https://securityaffairs.com/166941/security/freebsd-openssh-flaw.html
Malware
- FBI Disrupts The Dispossessor Ransomware Operation, Seizes Servers
"The FBI announced on Monday that it seized the servers and websites of the Radar/Dispossessor ransomware operation following a joint international investigation. The joint operation was carried out in collaboration with the U.K.'s National Crime Agency, the Bamberg Public Prosecutor's Office, and the Bavarian State Criminal Police Office (BLKA)."
https://www.bleepingcomputer.com/news/security/fbi-disrupts-the-dispossessor-ransomware-operation-seizes-servers/
https://therecord.media/fbi-seizes-ransomware-servers-radar
- Hackers Posing As Ukraine’s Security Service Infect 100 Govt PCs
"Attackers impersonating the Security Service of Ukraine (SSU) have used malicious spam emails to target and compromise systems belonging to the country's government agencies. On Monday, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed that the attackers successfully infected over 100 computers with AnonVNC malware. Some samples were signed using the code signing certificate of what looks like a Chinese company (Shenzhen Variable Engine E-commerce Co Ltd)."
https://www.bleepingcomputer.com/news/security/hackers-posing-as-ukraines-security-service-infect-100-govt-pcs/
https://www.darkreading.com/vulnerabilities-threats/ukraine-cert-phishing-campaign-poses-as-nations-security-service
- Indirect Prompt Injection In The Real World: How People Manipulate Neural Networks
"Large language models (LLMs) – the neural network algorithms that underpin ChatGPT and other popular chatbots – are becoming ever more powerful and inexpensive. For this reason, third-party applications that make use of them are also mushrooming, from systems for document search and analysis to assistants for academic writing, recruitment and even threat research. But LLMs also bring new challenges in terms of cybersecurity."
https://securelist.com/indirect-prompt-injection-in-the-wild/113295/
Breaches/Hacks/Leaks
- South Korea Says DPRK Hackers Stole Spy Plane Technical Data
"South Korea's ruling party, People Power Party (PPP), claims that North Korean hackers have stolen crucial information about K2 tanks, the country's main battle tank, as well as its "Baekdu" and "Geumgang" spy planes. PPP fears that DPRK will use this information to evade military surveillance and gain an advantage on the battlefield, so it's calling for the urgent introduction of stronger measures to safeguard national security."
https://www.bleepingcomputer.com/news/security/south-korea-says-dprk-hackers-stole-spy-plane-technical-data/
- Australian Gold Producer Evolution Mining Hit By Ransomware
"Evolution Mining has informed that it has been targeted by a ransomware attack on August 8, 2024, which impacted its IT systems. The company has contracted external cybersecurity experts to help with the remediation efforts, and based on the current information, the attack is now fully contained."
https://www.bleepingcomputer.com/news/security/australian-gold-producer-evolution-mining-hit-by-ransomware/
https://therecord.media/evolution-mining-gold-ransomware-incident
https://www.itnews.com.au/news/australias-evolution-mining-targeted-in-latest-cyber-attack-610602
- Credit Unions Are Rich Targets For Ransomware Groups
"First Commonwealth Federal Credit Union ("First Commonwealth") has notified its nearly 99,000 members of a "Data Event" that exposed member names, addresses, Social Security numbers, dates of birth, or account numbers. First Commonwealth is a large credit union in eastern Pennsylvania, with over a dozen locations in the Greater Lehigh Valley and surrounding areas."
https://blog.barracuda.com/2024/08/12/credit-unions-are-rich-targets-for-ransomware-groups
- 200k Impacted By East Valley Institute Of Technology Data Breach
"The East Valley Institute of Technology (EVIT) is informing over 200,000 individuals that their personal and health information was compromised in a recent data breach. The incident occurred on January 9, when a threat actor gained unauthorized access to EVIT’s network, accessing sensitive information pertaining to current and former students, staff, faculty, and parents."
https://www.securityweek.com/200k-impacted-by-east-valley-institute-of-technology-data-breach/
https://www.theregister.com/2024/08/12/200k_with_links_to_arizona/
- Swiss Manufacturer Investigating Ransomware Attack That Shut Down IT Network
"Hackers are attempting to blackmail a Swiss manufacturing giant after a cyberattack on Friday. Schlatter Group did not respond to questions about the incident, but said in a press release that it was dealing with a “criminal cyberattack using malware.” The company — which is more than 100 years old and specializes in plant engineering as well as welding — immediately initiated security measures and involved law enforcement when the attack was discovered on Friday."
https://therecord.media/swiss-manufacturer-investigating-ransomware-incident
General News
- 74% Of Ransomware Victims Were Attacked Multiple Times In a Year
"An alarming trend toward multiple, sometimes simultaneous cyber attacks forces business leaders to re-evaluate their cyber resilience strategies to address common points of failure, including inadequate identity system backup and recovery practices, according to Semperis."
https://www.helpnetsecurity.com/2024/08/12/74-of-ransomware-victims-were-attacked-multiple-times-in-a-year/
- Misconfigurations And IAM Weaknesses Top Cloud Security Concerns
"Traditional cloud security issues often associated with cloud service providers (CSPs) are continuing to decrease in importance, according to the Top Threats to Cloud Computing 2024 report by the Cloud Security Alliance."
https://www.helpnetsecurity.com/2024/08/12/cloud-computing-issues/
- July 2024’s Most Wanted Malware: Remcos And RansomHub Run Rampant
"Our last Global Threat Index for June 2024 revealed significant changes in ransomware rankings. Despite a significant drop in June, LockBit re-emerged last month to become the second most prevalent ransomware group, while RansomHub retained the top spot. Meanwhile, researchers identified both a campaign distributing Remcos malware following a CrowdStrike update issue, and a series of new FakeUpdates tactics, which once again ranked first on the top malware list for July."
https://blog.checkpoint.com/research/july-2024s-most-wanted-malware-remcos-and-ransomhub-run-rampant/
- CrowdStrike Tries To Patch Things Up With Cybersecurity Industry
"A combination of factors caused the Falcon EDR sensor to crash, resulting in the global outage affecting over 8.5 million Windows systems back in July, CrowdStrike said last week in a root cause analysis of the incident. At the same time, CrowdStrike CTO George Kurtz and president Michael Sentonas were in Las Vegas with a public mea culpa."
https://www.darkreading.com/cybersecurity-operations/crowdstrike-tries-patch-things-up-cybersecurity-industry
- How Phishing Attacks Adapt Quickly To Capitalize On Current Events
"In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress. What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails and, in more sophisticated cases, deepfake videos. In addition, AI can help write the malware that threat actors often plant on their victims' computers and servers as part of phishing campaigns."
https://thehackernews.com/2024/08/how-phishing-attacks-adapt-quickly-to.html
- Mega Money, Unfathomable Violence Pervade Thriving Underground Doxxing Scene
"Recently published interviews with known doxxers reveal the incredible finances behind the practice and how their extortion tactics are becoming increasingly violent. Doxxing is the term that's used to describe when an individual purposefully reveals the true identity of someone who was or would otherwise expect to be anonymous by "dropping documents" – which is where the term doxxing comes from – with information on them. It's common, has been going on for years, and is frequently used by cybercrims in various ways for financial gain."
https://www.theregister.com/2024/08/12/mega_money_and_unfathomable_violence/
- High-Risk Cloud Exposures Surge Due To Rapid Service Growth
"Organizations are introducing over 300 new services each month, contributing to nearly 32% of high or critical cloud exposures, according to a new report by Palo Alto Networks' Unit 42. This rapid expansion of digital services is creating a complex cybersecurity landscape, the firm warned, making it increasingly difficult for businesses and government entities to maintain an accurate inventory of their IT assets, which are prime targets for attackers."
https://www.infosecurity-magazine.com/news/high-risk-cloud-exposures-palo/
References
Electronic Transactions Development Agency (ETDA)