You can follow the news on the webboard or on the NCSA Thailand Facebook page

Post created by NCSA
Cyber Threat Intelligence 12 August 2024
Healthcare Sector
- American Hospital Association And Health-ISAC Joint Threat Bulletin - TLP White
"The recent ransomware attacks on OneBlood, Synnovis, and Octapharma by Russian cybercrime ransomware gangs resulted in a massive disruption to patient care. The outcomes of these attacks highlight the need to incorporate mission-critical and life-critical third-party suppliers into enterprise risk management and emergency management plans to maintain resiliency and redundancy in the modern digitally connected healthcare ecosystem."
https://www.aha.org/advisory/2024-08-01-american-hospital-association-and-health-isac-joint-threat-bulletin-tlp-white
https://www.darkreading.com/endpoint-security/healthcare-providers-must-plan-for-ransomware-attacks-on-third-party-suppliers
Telecom Sector
- Keeping Your Android Device Safe From Text Message Fraud
"Cell-site simulators, also known as False Base Stations (FBS) or Stingrays, are radio devices that mimic real cell sites in order to lure mobile devices to connect to them. These devices are commonly used for security and privacy attacks, such as surveillance and interception of communications. In recent years, carriers have started reporting new types of abuse perpetrated with FBSs for the purposes of financial fraud."
https://security.googleblog.com/2024/08/keeping-your-android-device-safe-from.html
Government/Law/Policy
- UN Cybercrime Treaty Passes In Unanimous Vote
"The United Nations passed its first cybercrime treaty on Thursday in a unanimous vote supporting an agreement first put forward by Russia. The passage of the treaty is significant and establishes for the first time a global-level cybercrime and data access-enabling legal framework. The treaty was adopted late Thursday by the body’s Ad Hoc Committee on Cybercrime and will next go to the General Assembly for a vote in the fall. It is expected to sail through the General Assembly since the same states will be voting on it there."
https://therecord.media/un-cybercrime-treaty-passes-unanimous
Vulnerabilities
- Microsoft Discloses Unpatched Office Flaw That Exposes NTLM Hashes
"Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker. Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information. It impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise."
https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200
https://thehackernews.com/2024/08/microsoft-warns-of-unpatched-office.html
- Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
"During February 2024, we discovered critical vulnerabilities in six AWS services. The impact of these vulnerabilities range between remote code execution (RCE), full-service user takeover (which might provide powerful administrative access), manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service."
https://www.aquasec.com/blog/bucket-monopoly-breaching-aws-accounts-through-shadow-resources/
https://thehackernews.com/2024/08/experts-uncover-severe-aws-flaws.html
- Chained For Attack: OpenVPN Vulnerabilities Discovered Leading To RCE And LPE
"Microsoft researchers recently identified multiple medium severity vulnerabilities in OpenVPN, an open-source project with binaries integrated into routers, firmware, PCs, mobile devices, and many other smart devices worldwide, numbering in the millions. Attackers could chain and remotely exploit some of the discovered vulnerabilities to achieve an attack chain consisting of remote code execution (RCE) and local privilege escalation (LPE). This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information."
https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/
https://thehackernews.com/2024/08/microsoft-reveals-four-openvpn-flaws.html
- New AMD SinkClose Flaw Helps Install Nearly Undetectable Malware
"AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges to gain Ring -2 privileges and install malware that becomes nearly undetectable. Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system's Kernel."
https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
https://ioactive.com/event/def-con-talk-amd-sinkclose-universal-ring-2-privilege-escalation/
- Vulnerability Allowed Eavesdropping Via Sonos Smart Speakers
"NCC Group researchers have disclosed vulnerabilities found in Sonos smart speakers, including a flaw that could have been exploited to eavesdrop on users. One of the vulnerabilities, tracked as CVE-2023-50809, can be exploited by an attacker who is in Wi-Fi range of the targeted Sonos smart speaker for remote code execution. The researchers demonstrated how an attacker targeting a Sonos One speaker could have used this vulnerability to take control of the device, covertly record audio, and then exfiltrate it to the attacker’s server."
https://www.securityweek.com/vulnerability-allowed-eavesdropping-via-sonos-smart-speakers/
https://thehackernews.com/2024/08/new-flaws-in-sonos-smart-speakers-allow.html
https://securityaffairs.com/166823/hacking/sonos-smart-speakers-flaw.html
- QuickShell: Sharing Is Caring About An RCE Attack Chain On Quick Share
"Google’s Quick Share is a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. It uses a variety of communication protocols—including Bluetooth, Wi-Fi, Wi-Fi Direct, Web real-time communication (WebRTC), and near-field communication (NFC)—to send files between compatible devices that are in close proximity to each other."
https://www.safebreach.com/blog/rce-attack-chain-on-quick-share
https://thehackernews.com/2024/08/researchers-uncover-10-flaws-in-googles.html
- GPS Spoofers 'Hack Time' On Commercial Airlines, Researchers Say
"A recent surge in GPS “spoofing”, a form of digital attack which can send commercial airliners off course, has entered an intriguing new dimension, according to cyber security researchers: The ability to hack time."
https://www.itnews.com.au/news/gps-spoofers-hack-time-on-commercial-airlines-researchers-say-610563
Malware
- A Dive Into Earth Baku’s Latest Campaign
"Earth Baku, an advanced persistent threat (APT) actor that we previously wrote about in 2021, has expanded its activities to Europe, the Middle East, and Africa (MEA) beginning late 2022. The group has updated its tools, tactics, and procedures (TTPs) in more recent campaigns, making use of public-facing applications such as IIS servers as entry points for attacks, after which they deploy sophisticated malware toolsets on the victim’s environment, including the loaders StealthVector and StealthReacher, and the modular backdoor SneakCross."
https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html
- BianLian: The Face-Changing Ransomware Menace
"There’s no shortage of weird brand names in the world of cybercrime. Threat actors like to intimidate people and project the image of a strong and stealthy threat. Something called "Bob's ransomware" just isn't as disturbing as REvil or Hive, which both have a disturbing 'Resident Evil' feel to them. And then there's Rhysida, which is an appropriate name for ransomware, but only to those who know what a Rhysida is. I had to look it up. And RansomHub just sounds like a creepy dating app."
https://blog.barracuda.com/2024/08/09/bianlian--the-face-changing-ransomware-menace
- New Widespread Extension Trojan Malware Campaign
"Web browser extensions have grown from being just a niche piece of software into a full-on sub-economy of the Internet industry. Extensions are supported on most browsers, including Microsoft Edge and Google Chrome - both offer hundreds of thousands of extensions in the Chrome Web Store and Microsoft Edge Add-ons. With the rise in the popularity of extensions has come a rise in malicious extensions built by bad actors who have pinpointed this relatively new malware attack vector. This research article intends to highlight a specific ongoing threat and the larger issue: malicious web extensions."
https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/
https://thehackernews.com/2024/08/new-malware-hits-300000-users-with.html
- Iran Steps Into US Election 2024 With Cyber-Enabled Influence Operations
"Foreign malign influence concerning the 2024 US election started off slowly but has steadily picked up pace over the last six months due initially to Russian operations, but more recently from Iranian activity. This third election report from the Microsoft Threat Analysis Center (MTAC) provides an update on what we’ve observed from Russia, Iran, and China since our second report in April 2024, “Nation-states engage in US-focused influence operations ahead of US presidential election.”"
https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/iran-steps-into-us-election-2024-with-cyber-enabled-influence-operations
https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf
https://therecord.media/iranian-hackers-election-interference-microsoft
https://www.securityweek.com/iran-is-accelerating-cyber-activity-that-appears-meant-to-influence-the-us-election-microsoft-says/
https://www.theregister.com/2024/08/09/iran_state_groups_lay_groundwork/
- Ideal Typosquat 'solana-py' Steals Your Crypto Wallet Keys
"The legitimate Solana Python API project is known as "solana-py" on GitHub, but simply "solana" on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor who published a "solana-py" project on PyPI which, in addition to borrowing real code from the legitimate project, quietly steals your secrets, making it an ideal typosquat."
https://www.sonatype.com/blog/an-ideal-pypi-typosquat-solana-py-is-here-to-steal-your-crypto-keys
https://thehackernews.com/2024/08/rogue-pypi-library-solana-users-steals.html
- Chinese Hacking Groups Target Russian Government, IT Firms
"A series of targeted cyberattacks that started at the end of July 2024, targeting dozens of systems used in Russian government organizations and IT companies, are linked to Chinese hackers of the APT31 and APT 27 groups. Kaspersky, who discovered the activity, dubbed the campaign "EastWind," reporting that it employs an updated version of the CloudSorcerer backdoor spotted in a similar cyberespionage campaign from May 2024, also targeting Russian government entities."
https://www.bleepingcomputer.com/news/security/chinese-hacking-groups-target-russian-government-it-firms/
- Fake X Content Warnings On Ukraine War, Earthquakes Used As Clickbait
"X has always had a bot problem, but now scammers are utilizing the Ukraine war and earthquake warnings in Japan to entice users into clicking on fake content warnings and videos that lead to scam adult sites, malicious browser extensions, and shady affiliate sites. For months, X has been flooded with posts that contain what appears at first glance to be a pornographic video but, when clicked on, brings you to fake adult sites."
https://www.bleepingcomputer.com/news/security/fake-x-content-warnings-on-ukraine-war-earthquakes-used-as-clickbait/
Breaches/Hacks/Leaks
- CSC ServiceWorks Discloses Data Breach After 2023 Cyberattack
"CSC ServiceWorks, a leading provider of commercial laundry services and air vending solutions, has disclosed a data breach after the personal information of an undisclosed number of individuals was exposed in a 2023 cyberattack. The company discovered the incident on February 4, 2024, after detecting unusual activity on its network. Subsequently, external cybersecurity experts hired to investigate the incident found that unknown attackers had accessed some computer systems."
https://www.bleepingcomputer.com/news/security/csc-serviceworks-discloses-data-breach-after-2023-cyberattack/
- Crooks Took Control Of A Cow Milking Robot Causing The Death Of A Cow
"Crooks took control of a cow milking robot and demanded a ransom from a farmer who refused to pay it, resulting in the death of a cow."
https://securityaffairs.com/166839/cyber-crime/cow-milking-robot-hacked.html
- Donald Trump’s Campaign Says Its Emails Were Hacked
"Former President Donald Trump’s presidential campaign said Saturday that it has been hacked and suggested Iranian actors were involved in stealing and distributing sensitive internal documents. The campaign provided no specific evidence of Iran’s involvement, but the claim comes a day after Microsoft issued a report detailing foreign agents’ attempts to interfere in the U.S. campaign in 2024."
https://www.securityweek.com/donald-trumps-campaign-says-its-emails-were-hacked/
https://cyberscoop.com/trump-campaign-says-emails-were-hacked-jumpstarting-a-wild-ride-to-election-day/
https://securityaffairs.com/166895/cyber-warfare-2/donald-trumps-campaign-hacked.html
General News
- Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges And Arrest Of Nashville Facilitator
"Matthew Isaac Knoot, 38, of Nashville, Tennessee, was charged today for his efforts to generate revenue for the Democratic People’s Republic of Korea’s (DPRK or North Korea) illicit weapons program, which includes weapons of mass destruction (WMD)."
https://www.justice.gov/usao-mdtn/pr/department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and
https://www.bleepingcomputer.com/news/security/us-dismantles-laptop-farm-used-by-undercover-north-korean-it-workers/
https://therecord.media/tennessee-man-charged-over-north-korea-it-worker-scheme
https://thehackernews.com/2024/08/doj-charges-nashville-man-for-helping.html
- NIS2: A Catalyst For Cybersecurity Innovation Or Just Another Box-Ticking Exercise?
"The Network and Information Security (NIS) 2 Directive is possibly one of the most significant pieces of cybersecurity regulation to ever hit Europe. The 27 EU Member States have until 17 October 2024 to adopt and publish the standards necessary to comply with NIS2, which brings increased requirements to strengthen security conditions and report more regularly, with shorter deadlines, on cyber-attacks."
https://www.helpnetsecurity.com/2024/08/09/nis2-cybersecurity-innovation-catalyst/
- Shorter TLS Certificate Lifespans Expected To Complicate Management Efforts
"76% of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security, according to Venafi. However, many feel unprepared to take action, with 77% saying the shift to 90-day certificates will mean more outages are inevitable."
https://www.helpnetsecurity.com/2024/08/09/certificate-lifespans/
- Where Internal Audit Teams Are Spending Most Of Their Time
"Over half of key stakeholders including audit committees, company boards, and chief financial officers are looking to internal audit teams to take on more risk-related work, according to AuditBoard."
https://www.helpnetsecurity.com/2024/08/09/internal-audit-teams-expectations/
- Tackling Vulnerabilities & Errors Head-On For Proactive Security
"In its latest "Data Breach Investigations Report," Verizon made the lighthearted, Taylor Swift-inspired quip that it's "entering its vulnerability era." Why? Verizon's new data found that hackers exploited vulnerabilities to initiate breaches at nearly triple the rate since its last report. While this tactic is still less popular than credential-based or phishing attacks, the exploitation of vulnerabilities in software, supply chains, and basic human nature is on the rise and should be a top concern for cybersecurity leaders."
https://www.darkreading.com/vulnerabilities-threats/tackling-vulnerabilities-and-errors-head-on-for-proactive-security
- Media & Victims Find Common Ground Against Hackers
"When threat actors breach an organization and steal data, perhaps the worst thing imaginable to victims is the extortion attempts they face from the criminals behind the breach. These days, there is an added threat that hackers like to hang over their victims' heads: going to the press."
https://www.darkreading.com/cyberattacks-data-breaches/media-and-victims-find-common-ground-against-hackers
- Memory Safety Is Key To Preventing Hardware Hacks
"The Spectre and Meltdown vulnerabilities in 2018 exposed computer memory as an easy target for hackers to inject malicious code and steal data. The aftermath spurred the adoption of memory-safe chips and programming tools to secure a computer's cache and RAM, where data is temporarily stored as programs are being executed."
https://www.darkreading.com/endpoint-security/memory-safety-is-key-to-preventing-hardware-hacks
- #BHUSA: CoSAI, Combating AI Risks Through Industry Collaboration
"In early July 2024, some of the world’s leading AI companies joined forces to create the Coalition for Secure AI (CoSAI). During a conversation with Infosecurity at Black Hat USA 2024, Jason Clinton, CISO at Anthropic, one of CoSAI’s founding members, explained some of the key goals of the new coalition and the cybersecurity focus of the organization."
https://www.infosecurity-magazine.com/news/cosai-ai-risks-industry/
- Threat Actors Favor Rclone, WinSCP And cURL As Data Exfiltration Tools
"Data exfiltration is critical in double extortion cyber-attacks, which have become the new gold standard of ransomware attacks. In a new report, ReliaQuest found that Rclone, WinSCP and Client URL (cURL) were the top three data exfiltration tools utilized by threat actors between September 2023 and July 2024. Data exfiltration, the unauthorized transfer or retrieval of data from enterprise or personal devices, may include threat actor–owned infrastructure or third-party cloud services."
https://www.infosecurity-magazine.com/news/rclone-winscp-curl-top-data/
Reference
Electronic Transactions Development Agency (ETDA)
Cyber Threat Intelligence 09 August 2024
Healthcare Sector
- #BHUSA: Ransomware Drill Targets Healthcare In Operation 911
"Las Vegas law enforcement, the FBI and Semperis conducted a ransomware tabletop exercise targeting the healthcare sector at Black Hat USA 2024 to address the rising threat of attacks like the one on Change Healthcare. The exercise focused on the healthcare sector, which has been subject to a swathe of ransomware attacks in recent months and involved some of Semperis’ customers in the sector."
https://www.infosecurity-magazine.com/news/ransomware-drill-healthcare/
Industrial Sector
- How Network Segmentation Can Strengthen Visibility In OT Networks
"What role does the firewall play in the protection of operational technology (OT) networks and systems? Many would say that it’s the defensive mechanism to protect that environment from IT and the outside world. For the operators responsible for uptime of that critical system, the firewall is the perimeter protection that keeps others out. It’s also the gateway for information that needs to pass from the OT system to the business networks and for remote access when necessary. The firewall monitors for attempts to break into that network, stop them, and can send alerts when necessary."
https://www.helpnetsecurity.com/2024/08/08/ot-networks-visibility/
- Dorsett Controls InfoScan
"Successful exploitation of these vulnerabilities could allow an attacker to expose sensitive information, resulting in data theft and misuse of credentials."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-221-01
New Tooling
- Traceeshark: Open-Source Plugin For Wireshark
"Traceeshark is a plugin for Wireshark that enables security practitioners to quickly investigate security incidents. It enhances the capabilities of Aqua Tracee, an open-source runtime security and forensics tool, and allows users to analyze kernel-level event and behavioral detection alongside network traffic."
https://www.helpnetsecurity.com/2024/08/08/traceeshark-open-source-plugin-wireshark/
https://github.com/aquasecurity/traceeshark
- SSHamble: Open-Source Security Testing Of SSH Services
"runZero published new research on Secure Shell (SSH) exposures and unveiled a corresponding open-source tool, SSHamble. This tool helps security teams validate SSH implementations by testing for uncommon but dangerous misconfigurations and software bugs."
https://www.helpnetsecurity.com/2024/08/08/sshamble-test-ssh-services/
https://github.com/runZeroInc/sshamble
Vulnerabilities
- Critical AWS Vulnerabilities Allow S3 Attack Bonanza
"Six critical vulnerabilities in Amazon Web Services (AWS) could have allowed threat actors to target organizations with remote code execution (RCE), exfiltration, denial-of-service attacks, or even account takeovers. "Most of the vulnerabilities were considered critical because they gave access to other accounts with minimal effort from the attacker perspective," Aqua's lead security researcher Yakir Kadkoda tells Dark Reading."
https://www.darkreading.com/remote-workforce/critical-aws-vulnerabilities-allow-s3-attack-bonanza
https://www.securityweek.com/aws-patches-vulnerabilities-potentially-allowing-account-takeovers/
https://hackread.com/black-hat-usa-2024-aws-bucket-monopoly-account-takeover/
- 0.0.0.0 Day: Exploiting Localhost APIs From The Browser
"Oligo Security's research team recently disclosed the “0.0.0.0 Day” vulnerability. This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network."
https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
https://cyberscoop.com/browser-zero-day-oligo-security-0-0-0-0-day/
https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/
https://www.darkreading.com/cyberattacks-data-breaches/0000-day-flaw-puts-chrome-firefox-mozilla-browsers-at-rce-risk
https://www.itnews.com.au/news/browser-vulnerability-can-be-used-to-breach-local-networks-610511
https://securityaffairs.com/166765/hacking/0-0-0-0-day-browsers-attack.html
- Cisco Warns Of Critical RCE Zero-Days In End Of Life IP Phones
"Cisco is warning of multiple critical remote code execution zero-days in the web-based management interface of the end-of-life Small Business SPA 300 and SPA 500 series IP phones. The vendor has not made fixes available for these devices and shared no mitigation tips, so users of those products will have to move to newer and actively supported models as soon as possible."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-zero-days-in-end-of-life-ip-phones/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-http-vulns-RJZmX2Xz
- Hazy Issue In Entra ID Allows Privileged Users To Become Global Admins
"An obscure issue with Microsoft's Entra ID identity and access management service could allow a hacker to access every corner of an organization's cloud environment. Crucially, the attack requires that a hacker already have access to an admin-level account. With that in hand, though, the possibilities are limitless. At 4:20 p.m. local time today at Black Hat, Eric Woodruff, senior cloud security architect at Semperis, will describe how an attacker in such a position could take advantage of layered authentication mechanisms in Entra ID to gain all-powerful global administrator privileges."
https://www.darkreading.com/application-security/hazy-issue-entra-id-privileged-users-become-global-admins
- Using 1Password On Mac? Patch Up If You Don’t Want Your Vaults Raided
"Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items. 1Password Vaults are essentially mini password managers inside the main app itself. They allow users to separate passwords used for different purposes, like personal accounts, family accounts, work-related credentials, and so on and so forth."
https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/
- How To Weaponize Microsoft Copilot For Cyberattackers
"Enterprises are implementing Microsoft's Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. But at the same time, Copilot is also an ideal tool for threat actors. Security researcher Michael Bargury, a former senior security architect in Microsoft's Azure Security CTO office and now co-founder and chief technology officer of Zenity, says attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don't open emails or click on links."
https://www.darkreading.com/application-security/how-to-weaponize-microsoft-copilot-for-cyberattackers
Malware
- New CMoon USB Worm Targets Russians In Data Theft Attacks
"A new self-spreading worm named 'CMoon,' capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website. According to Kaspersky researchers who discovered the campaign, CMoon can perform a broad range of functions, including loading additional payloads, snapping screenshots, and launching distributed denial of service (DDoS) attacks."
https://www.bleepingcomputer.com/news/security/new-cmoon-usb-worm-targets-russians-in-data-theft-attacks/
- New Malware, FakeBat Loader, Spreads Via Drive-By Download
"Drive-by download is a well-established technique that cybercriminals use to install malware onto a victim’s computer. And in the first half of 2024 there has been a significant number of campaigns in which this mode of attack has been used to install the FakeBat Loader malware. Today, I’ll provide an overview of how drive-by download works, and then we’ll get into the details of FakeBat Loader and what it reveals about the current state of the cybercrime economy. And we’ll close out with a discussion of how best to combat this type of attack."
https://blog.barracuda.com/2024/08/07/new-malware-FakeBat-Loader-spreads-via-drive-by-download
- PureHVNC Deployed Via Python Multi-Stage Loader
"This past April, FortiGuard Labs uncovered a sophisticated attack that leveraged multiple layers of obfuscation and evasion techniques to distribute and execute VenomRAT via ScrubCrypt. However, this attack campaign didn’t end with VenomRAT, as the subsequently loaded plugin continued to deploy various types of malware into the victim’s environment."
https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader
- Decoding A Google Drawings And WhatsApp Open Redirection Phish
"Open Redirect campaigns, like EvilProxy and Browser in the Browser, are an attack type that has been around for years. The threat is based on a user being sent to what appears to be a trusted website, then redirected to a site controlled by attackers. In this case, the attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim’s information. This attack is a great example of a Living Off Trusted Sites (LOTS) threat."
https://www.menlosecurity.com/blog/google-drawings-and-whatsapp-zero-hour-open-redirection-phish-exposed
https://thehackernews.com/2024/08/new-phishing-scam-uses-google-drawings.html
https://www.infosecurity-magazine.com/news/phishing-exploits-google-whatsapp/
- APT Group Kimsuky Targets University Researchers
"Kimsuky is a North Korean APT group tasked with global intelligence collection operations aligned with the North Korean government’s interests. The group has been active since at least 2012 and has a particular interest in South Korean think tanks and government entities; however, it also targets the United States, the United Kingdom, and other European countries. Kimsuky specializes in targeted phishing campaigns, leveraging malicious attachments in follow-on emails after establishing trust through email correspondence [1][2]."
https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/
https://thehackernews.com/2024/08/university-professors-targeted-by-north.html
https://www.infosecurity-magazine.com/news/north-korea-kimsuky-phishing/
- Russia's Kursk Region Suffers 'Massive' DDoS Attack Amid Ukraine Offensive
"Russia's Kursk region was hit by a “massive” distributed denial-of-service (DDoS) attack on Thursday amid Ukraine’s surprise cross-border incursion, Kursk state officials said in a statement. The unnamed hackers targeted government and business websites, as well as critical infrastructure services, making some of them temporarily unavailable, state media reported."
https://therecord.media/kursk-military-offensive-ddos-russia-ukraine
- Operation “Uncle Scam”: AI-Powered Phishers Abuse Microsoft Dynamics 365 To Target US Government Contractors
"In a phishing campaign dubbed “Uncle Scam,” threat actors impersonate United States government agencies to deliver fake tender invite emails to hundreds of American enterprises. Prevented by Perception Point’s Advanced Threat Prevention platform, Perception Point security researchers investigated this campaign, uncovering advanced interactive kits, LLMs, and the abuse of Microsoft’s Dynamics 365 marketing platform. This blog explores how attackers created this highly realistic, multi-step phishing operation."
https://perception-point.io/blog/operation-uncle-scam/
Breaches/Hacks/Leaks
- Ronin Network Hacked, $12 Million Returned By "White Hat" Hackers
"Gambling blockchain Ronin Network suffered a security incident yesterday when white hat hackers exploited an undocumented vulnerability on the Ronin bridge to withdraw 4,000 ETH and 2 million USDC, totaling $12 million. This figure corresponds to the maximum amount of ETH and USDC that can be withdrawn from the bridge via a single transaction, so this critical security measure prevented the theft of potentially astronomical figures."
https://www.bleepingcomputer.com/news/security/ronin-network-hacked-12-million-returned-by-white-hat-hackers/
https://hackread.com/nexera-defi-protocol-hacked-smart-contract-exploit/
https://www.infosecurity-magazine.com/news/ethical-hackers-steal-return-12m/
https://therecord.media/hackers-return-12-million-taken-from-ronin-network
- Atari Asteroids Hack Sparks Debate On Blockchain Gaming Transparency
"Atari’s Asteroids game was exposed as a fake “on-chain” experience. Stackr Labs reveals how the game’s leaderboard was manipulated without actual gameplay, highlighting the importance of true on-chain verification in blockchain gaming."
https://hackread.com/atari-asteroids-hack-blockchain-gaming-transparency/
- Rhysida Ransomware Group Claims To Have Breached Bayhealth Hospital In Delaware
"The Rhysida Ransomware group claims to have breached Bayhealth Hospital in Delaware and offers alleged stolen data for 25 BTC."
https://securityaffairs.com/166749/cyber-crime/rhysida-ransomware-bayhealth-hospital.html
- ADT Confirms Data Breach After Customer Info Leaked On Hacking Forum
"American building security giant ADT confirmed it suffered a data breach after threat actors leaked allegedly stolen customer data on a popular hacking forum. ADT is a public American company that specializes in security and smart home solutions for residential and small business customers. The firm employs 14,300 people, has an annual revenue of $4.98 billion, and serves approximately 6 million customers across 200 locations in the United States."
https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-customer-info-leaked-on-hacking-forum/
https://therecord.media/adt-says-hackers-obtained-limited-customer-data
- Exclusive: Russian Spies Hacked UK Government Systems Earlier This Year, Stole Data And Emails
"Cyber spies working for Russia’s foreign intelligence service stole internal emails and data on individuals from the British government earlier this year, according to an official description of the incident obtained by Recorded Future News. The breach of the Home Office’s systems has not previously been reported. It followed the Russian hackers initially targeting Microsoft, which supplies corporate systems to the Home Office, before the hackers exploited this access to also compromise several of Microsoft’s clients."
https://therecord.media/russia-hack-uk-government-home-office-microsoft
- Stolen Data From Scraping Service National Public Data Leaked Online
"Cybercriminals are offering a large database for sale that may include your data without you even being aware of its existence. The stolen data comes from a data scraping service trading under the name “scraping” which was allegedly breached by a cybercriminal group by the name of USDoD. In April, a member of this group posted the database, which contains the data of some 2.9 billion people, up for sale for $3.5 million. Then, earlier this week, the 277 GB of data was offered for download for free on the notorious BreachForums by another member of the USDoD group."
https://www.malwarebytes.com/blog/news/2024/08/stolen-data-from-scraping-service-national-public-data-leaked-online
General News
- Monitoring Changes In KEV List Can Guide Security Teams
"Organizations that use the Known Exploited Vulnerabilities (KEV) catalog to prioritize patching are likely missing silent changes to the list that could indicate that an issue's severity has changed, according to an analysis presented at the BSides Las Vegas conference on Aug. 7."
https://www.darkreading.com/cybersecurity-analytics/monitoring-kev-list-for-changes-can-guide-security-teams
- CIS Critical Security Controls v8.1
"Version 8.1 (v8.1) of the CIS Critical Security Controls (CIS Controls) is an iterative update to version 8.0. It offers prescriptive, prioritized, and simplified cybersecurity best practices that provide a clear path for you to improve your organization’s cyber defense program."
https://www.cisecurity.org/insights/white-papers/cis-critical-security-controls-v8-1
https://www.helpnetsecurity.com/2024/08/08/download-cis-critical-security-controls-v8-1/
- CyberAv3ngers
"Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act."
https://rewardsforjustice.net/rewards/cyberav3ngers/
https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-utilities
https://www.securityweek.com/us-offering-10-million-reward-for-iranian-ics-hackers/
- Building An Effective Strategy To Manage AI Risks
"AI technology is proliferating at a rapid pace, becoming an essential component of many businesses' operations. While organizations are achieving genuine benefits with them, the rise of AI-based systems does create new obstacles regarding data privacy, reputational risk, and new attack vectors for companies."
https://www.darkreading.com/cyber-risk/building-an-effective-strategy-to-manage-ai-risks
- SaaS Apps Present An Abbreviated Kill Chain For Attackers
"Organizations that are expanding their use of SaaS applications may want to revise their notions of — and approaches to — the cyber kill chain. SaaS applications have transformed the modern organization's attack surface and eliminated — or made easier — several of the steps that adversaries have traditionally needed to execute a successful attack, researchers at AppOmni said in a talk at Black Hat USA 2024. Security teams need to revise and readjust their defenses to keep ahead of the new reality."
https://www.darkreading.com/application-security/saas-apps-present-abbreviated-kill-chain-for-attackers
https://www.securityweek.com/stolen-credentials-have-turned-saas-apps-into-attackers-playgrounds/
- Verizon Business 2024 Mobile Security Index Reveals Escalating Risks In Mobile And IoT Security
"Today, Verizon Business released its 2024 Mobile Security Index (MSI) report outlining the top threats to mobile and IoT device security. This year’s report, in its seventh iteration, goes beyond employee-level mobile usage and extends into the usage of IoT devices and sensors and the security concerns the growth of these devices can present especially as remote work continues to be a trend. This expanded view of mobile security concerns for organizations showcases the evolving threat landscape that CIOs and other IT decision makers must contend with."
https://www.darkreading.com/endpoint-security/verizon-business-2024-mobile-security-index-reveals-escalating-risks-in-mobile-and-iot-security
- Cybersecurity Industry Leaders Launch The Cyber Threat Intelligence Capability Maturity Model
"Today, Intel 471, the premier provider of cyber intelligence-driven solutions worldwide, sponsored a partnership of 28 industry leaders serving public and private organizations across the vendor and consumer community. Together, these professionals volunteered their time, effort, and experience to launch the first version of the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), designed as the first-of-its kind vendor agnostic and universally applicable resource to support organizations of all shapes and sizes across the CTI industry. In today’s evolving threat landscape, the sign of a successful Cyber Threat Intelligence (CTI) program is a mature program that seamlessly integrates with an organization’s core objectives and key outcomes."
https://www.darkreading.com/threat-intelligence/cybersecurity-industry-leaders-launch-the-cyber-threat-intelligence-capability-maturity-model
https://cti-cmm.org/
- After The Dust Settles: Post-Incident Actions
"A major cybersecurity incident is an extremely high-pressure situation where rapid action is needed to control and mitigate the immediate effects. But once the dust has settled and the pressure has alleviated a little, what should organizations do to learn from the incident and improve their security posture for the future?"
https://www.securityweek.com/after-the-dust-settles-post-incident-actions/
- Immutability In Cybersecurity: A Layer Of Security Amidst Complexity And Misconceptions
"‘Immutable’ describes something that cannot be changed (the word derives from the Latin ‘mutare’, meaning ‘to change’). Applied to data, immutability provides the Integrity aspect of security’s CIA triad (the others being Confidentiality and Availability). C and A are not inherent to immutability, but may be enhanced."
https://www.securityweek.com/immutability-in-cybersecurity-a-layer-of-security-amidst-complexity-and-misconceptions/
- Consumer Reports Study Finds Data Removal Services Are Often Ineffective
"A new investigation of data removal services — companies that say they will strip consumer information from people-search data broker sites — found that they are for the most part worthless. The nonprofit Consumer Reports found that a sample of 13 of the services, which ranged in cost from $19.99 to $249 per year, failed to get consumers’ data removed quickly or completely."
https://therecord.media/data-removal-services-mostly-worthless-study
https://www.documentcloud.org/documents/25034333-evaluating-people-search-site-removal-services_8824-1
- Excitement, Superstition And Great Insecurity – How Global Consumers Engage With The Digital World
"As a recent study[1] shows, modern consumers everywhere are becoming more knowledgeable about the benefits and drawbacks of an increasingly complex and sophisticated digital world. Yet even amongst the generally tech savvy, younger audience[2], superstitious beliefs can be found alongside excitement and concern when it comes to using smart devices, surfing on the internet and managing their personal information. A widespread sense of insecurity highlights the need for more education on safe practices in the digital environment, expert explanations on new technologies, and knowledge about reliable security solutions protecting users’ devices, privacy and digital identity."
https://www.kaspersky.com/blog/myths-and-reality-of-digital-world/
https://www.theregister.com/2024/08/08/report_tech_misconceptions_plague_the/
- Entrust Faces Years Of Groveling To Regain Browsers' Trust, Say Rival Chiefs
"After falling down in the estimations of major browser makers Google and Mozilla, Entrust faces a lengthy fight on its hands to regain industry trust and once more issue trusted TLS certificates. That's according to the top dogs at rival cert issuer Sectigo. The company also claims that Microsoft and Apple are likely to follow in their competitors' footsteps in distrusting certificates newly issued by Entrust in Edge and Safari respectively."
https://www.theregister.com/2024/08/08/entrust_faces_years_of_groveling/
- Best Practices For Cisco Device Configuration
"In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance."
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration
https://media.defense.gov/2019/Jul/16/2002157833/-1/-1/0/CSA-CISCO-SMART-INSTALL-PROTOCOL-MISUSE.PDF
https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-abusing-cisco-smart-install-feature/
https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-ssm-bug-allowing-admin-password-changes/
- Microsoft On CISOs: Thriving Community Means Stronger Security
"This week at Black Hat, Ann Johnson, corporate vice president and deputy chief information security officer (CISO) at Microsoft, and Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, took to the main stage for their talk, "From the Office of the CISO: Smarter, Faster, Stronger, Security in the Age of AI." While attendees may have expected a discussion focused on ways that AI can help the effectiveness of cybersecurity tools, one could say that Johnson and DeGrippo decided to go off script."
https://www.darkreading.com/cybersecurity-operations/microsoft-on-cisos-thriving-community-means-stronger-security
- Tech Analysis: Addressing Claims About Falcon Sensor Vulnerability
"CrowdStrike is aware of inaccurate reporting and false claims about the security of the Falcon sensor. This blog sets the record straight by providing customers with accurate technical information about the Falcon sensor and any claims regarding the Channel File 291 incident. CrowdStrike has provided a Technical Root Cause Analysis and executive summary that describes the bug in detail."
https://www.crowdstrike.com/blog/tech-analysis-addressing-claims-about-falcon-sensor-vulnerability/
https://www.securityweek.com/crowdstrike-dismisses-claims-of-exploitability-in-falcon-sensor-bug/
- Why Tech-Savvy Leadership Is Key To Cyber Insurance Readiness
"The board does not understand cybersecurity – that’s not so anymore. Prior to the pandemic, the CISO and cybersecurity team were seen as the geeks in the room down the hall who always said no. Even post-pandemic, while there is appreciation that cybersecurity can be a business enabler, there is typically a lack of understanding, especially at the board level, on how to achieve a robust cybersecurity posture and how it actually enables the business."
https://www.welivesecurity.com/en/business-security/why-tech-savvy-leadership-key-cyber-insurance-readiness/
Reference
Electronic Transactions Development Agency (ETDA)
- #BHUSA: Ransomware Drill Targets Healthcare In Operation 911
-
Cyber Threat Intelligence 08 August 2024
Energy Sector
- 60 Hurts Per Second – How We Got Access To Enough Solar Power To Run The United States
"The electricity grid – the buzzing, crackling marvel that supplies the lifeblood of modernity - is by far the largest structure humanity ever built. It’s so big, in fact, that few people even notice it, like a fish can’t see the ocean. Until the grid goes down, that is. Then, like the fish dangling from the angler’s hook, we see our vulnerability. Modernity dissolves into a sudden silence, followed by the repeated flick of a light switch, and a howl of panic at the prospect of missed appointments, ruined dinners, lost workdays, stopped elevators and dark, cold evenings, and worse."
https://www.bitdefender.com/blog/labs/60-hurts-per-second-how-we-got-access-to-enough-solar-power-to-run-the-united-states/
https://hackread.com/solar-power-grid-vulnerabilities-risk-global-blackouts/
Healthcare Sector
- #BHUSA: DARPA's AI Cyber Challenge Heats Up As Healthcare Sector Watches
"With software vulnerabilities being exploited at an alarming rate, the Defense Advanced Research Projects Agency's (DARPA) AI Cyber Challenge (AIxCC) enters its semi-finals stage, and the healthcare sector is taking a keen interest in the outcomes of the competition. AIxCC brings together experts in AI and cybersecurity to create novel AI systems that can safeguard the open-source software critical to modern life."
https://www.infosecurity-magazine.com/news/darpas-ai-cyber-challenge-heats-up/
Industrial Sector
- OpenWrt Dominates, But Vulnerabilities Persist In OT/IoT Router Firmware
"Forescout has published a new report examining the current state of the software supply chain in OT/IoT routers. The study uncovered that OT and IoT cellular routers and those used in small offices and homes contain outdated software components associated with known (“n-day”) vulnerabilities. The research showed that widely used OT/IoT router firmware images have, on average, 20 exploitable n-day vulnerabilities affecting the kernel, leading to
Relevance: General, Trends and statistics
https://www.helpnetsecurity.com/2024/08/07/ot-iot-router-firmware-vulnerabilities/
- Over 40,000 Internet-Exposed ICS Devices Found In US: Censys
"LAS VEGAS — BLACK HAT USA 2024 — An analysis conducted by internet intelligence platform Censys shows that there are more than 40,000 internet-exposed industrial control systems (ICS) in the United States, and notifying their owners about the exposure is in many cases impossible. Censys pointed out that more than half of these systems are likely associated with building control and automation, and roughly 18,000 are actually used to control industrial systems."
https://www.securityweek.com/over-40000-internet-exposed-ics-devices-found-in-us-censys/
New Tooling
- RustScan: Open-Source Port Scanner
"RustScan is an open-source port scanner designed for speed and versatility. It combines a sleek interface with the power to adapt and improve over time. With RustScan’s Adaptive Learning, the tool continually optimizes its performance, making it the most efficient port scanner available. Discover open ports in seconds, and leverage the flexible scripting engine, supporting Python, Lua, and Shell, to enhance your scanning capabilities."
https://www.helpnetsecurity.com/2024/08/07/rustscan-open-source-port-scanner/
https://github.com/RustScan/RustScan
Vulnerabilities
- Chrome, Firefox Updates Patch Serious Vulnerabilities
"Mozilla and Google both updated their web browsers on Tuesday and the latest versions patch several potentially serious vulnerabilities. Google updated Chrome to version 127.0.6533.99, which fixes six vulnerabilities, including a critical out-of-bounds memory access issue in the Angle component. A reward has yet to be determined for this flaw, which is tracked as CVE-2024-7532."
https://www.securityweek.com/chrome-firefox-updates-patch-serious-vulnerabilities/
- Critical Progress WhatsUp RCE Flaw Now Under Active Exploitation
"Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks. The vulnerability leveraged in these attacks is CVE-2024-4885, a critical-severity (CVSS v3 score: 9.8) unauthenticated remote code execution flaw impacting Progress WhatsUp Gold 23.1.2 and older. Proof-of-concept (PoC) exploits for CVE-2024-4885 are publicly available that target exposed WhatsUp Gold '/NmAPI/RecurringReport' endpoints."
https://www.bleepingcomputer.com/news/security/critical-progress-whatsup-rce-flaw-now-under-active-exploitation/
- Government Emails At Risk: Critical Cross-Site Scripting Vulnerability In Roundcube Webmail
"Roundcube is a popular open-source webmail software that enables users to check their emails right in their browser without needing dedicated client software. It is included by default in the server hosting panel cPanel leading to millions of installations around the globe, according to Shodan. It is also used by universities as well as government agencies."
https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/
https://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html
https://www.helpnetsecurity.com/2024/08/07/cve-2024-42009-cve-2024-42008/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-36971 Android Kernel Remote Code Execution Vulnerability
CVE-2024-32113 Apache OFBiz Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/08/07/cisa-adds-two-known-exploited-vulnerabilities-catalog
- GhostWrite Vulnerability Facilitates Attacks On Devices With RISC-V CPU
"LAS VEGAS — BLACK HAT USA 2024 — A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new vulnerability affecting a popular CPU that is based on the RISC-V architecture. RISC-V is an open source instruction set architecture (ISA) designed for developing custom processors for various types of applications, including embedded systems, microcontrollers, data centers, and high-performance computers."
https://www.securityweek.com/ghostwrite-vulnerability-facilitates-attacks-on-devices-with-risc-v-cpu/
https://www.theregister.com/2024/08/07/riscv_business_thead_c910_vulnerable/
Malware
- Hijacked: How Cybercriminals Are Turning Anti-Virus Software Against You
"LevelBlue Labs has identified a new evolution in the toolset of threat actors. Threat actors are hijacking legitimate anti-virus software to carry out malicious activities undetected. A new tool, named SbaProxy, has been found masquerading as legitimate anti-virus components to establish proxy connections through a command and control (C&C) server. This tool, distributed in various formats such as DLLs, EXEs, and PowerShell scripts, is challenging to detect due to its sophisticated design and legitimate appearance."
https://cybersecurity.att.com/blogs/labs-research/hijacked-how-cybercriminals-are-turning-anti-virus-software-against-you
- Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
"The number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers have begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well known, trusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than communications with attacker-controlled infrastructure."
https://symantec-enterprise-blogs.security.com/threat-intelligence/cloud-espionage-attacks
https://thehackernews.com/2024/08/new-go-based-backdoor-gogra-targets.html
- Chameleon Is Now Targeting Employees: Masquerading As a CRM App
"In July 2024 Mobile Threat Intelligence analysts observed new campaigns from Chameleon, a Device-Takeover Trojan discovered back in December 2022. These campaigns introduced an unusual masquerading technique used in the campaign targeting Canada: masquerading as a Customer Relationship Management (CRM) app. Key outtakes from the discovered campaigns are:"
https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app
https://thehackernews.com/2024/08/chameleon-android-banking-trojan.html
https://www.darkreading.com/endpoint-security/chameleon-banking-trojan-makes-a-comeback-cloaked-as-crm-app
https://therecord.media/chameleon-malware-crm-software-canadian-restaurant-chain
- Exploring Anti-Phishing Measures In Microsoft 365
"In this post we will explore some of the anti-phishing measures employed by Microsoft 365 (formerly Office 365) as well as their weaknesses. Certitude was able to identify an issue that allows malicious actors to bypass anti-phishing measures."
https://certitude.consulting/blog/en/o365-anti-phishing-measures/
https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/
https://hackread.com/phishing-bypass-microsoft-365-email-safety-warnings/
https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/
https://www.infosecurity-magazine.com/news/microsoft-365-phishing-alert/
- Royal Ransomware Actors Rebrand As “BlackSuit,” FBI And CISA Release Update To Advisory
"Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network defenders with recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with BlackSuit and legacy Royal activity. FBI investigations identified these TTPs and IOCs as recently as July 2024."
https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-rebrand-blacksuit-fbi-and-cisa-release-update-advisory
- Windows Update Downgrade Attack "unpatches" Fully-Updated Systems
"SafeBreach security researcher Alon Leviev revealed at Black Hat 2024 that two zero-days could be exploited in downgrade attacks to "unpatch" fully updated Windows 10, Windows 11, and Windows Server systems and reintroduce old vulnerabilities. Microsoft issued advisories on the two unpatched zero-days (tracked as CVE-2024-38202 and CVE-2024-21302) in coordination with the Black Hat talk, providing mitigation advice until a fix is released."
https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/
https://www.securityweek.com/safebreach-sounds-alarm-on-windows-update-flaws-allowing-undetectable-downgrade-attacks/
Breaches/Hacks/Leaks
- McLaren Hospitals Disruption Linked To INC Ransomware Attack
"On Tuesday, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation. McLaren is a non-profit healthcare system with annual revenues of over $6.5 billion, which operates a network of 13 hospitals across Michigan supported by a team of 640 physicians. It also has over 28,000 employees and works with 113,000 network providers throughout Michigan, Indiana, and Ohio."
https://www.bleepingcomputer.com/news/security/mclaren-hospitals-disruption-linked-to-inc-ransomware-attack/
General News
- Sports Venues Must Vet Their Vendors To Maintain Security
"Sporting events generate a lot of consumer activity, from hotels and restaurants to retail. Large sporting events are held together by webs of connectivity that include vendors, sponsors, employees, and consumers. These networks connect ticketing, merchandising, venue access, live events information, and everything in between."
https://www.helpnetsecurity.com/2024/08/07/sporting-events-security/
- Number Of Incidents Affecting GitHub, Bitbucket, GitLab, And Jira Continues To Rise
"Outages, human errors, cyberattacks, data breaches, ransomware, security vulnerabilities, and, as a result, data loss are the reality that DevSecOps teams have to face every few days, according to GitProtect.io."
https://www.helpnetsecurity.com/2024/08/07/github-bitbucket-gitlab-jira-incidents/
- CISA Releases Secure By Demand Guidance
"Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start."
https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-demand-guidance
https://www.cisa.gov/resources-tools/resources/secure-demand-guide
https://www.infosecurity-magazine.com/news/cisa-guide-enhance-software/
- UK Managers Improve Cyber Knowledge But Staff Lack Training
"Managers in UK organizations are getting better at understanding online safety best practice, but their skills are not necessarily matched by other employees, a new study has found. The Chartered Management Institute (CMI) surveyed 1000 managers in March for its latest Managers Voice Pulse Point Poll."
https://www.infosecurity-magazine.com/news/uk-managers-improve-cyber/
- Executive Insights From The Unit 42 Incident Response Report
"An attack vector is the method an attacker uses to get access to a target environment. Understanding which vectors result in the most successful attacks can help you reduce the likelihood an attacker succeeds at compromising your
Relevance: Executives, General, Trends and statistics
https://www.paloaltonetworks.com/blog/2024/08/attack-vectors-at-a-glance/
- Ransomware In 2024: More Attacks, More Leaks, And Increased Sophistication
"More groups, fewer families, more attacks – no great change over 2023 except, if anything, the ransomware threat is even more severe in 2024. And the growth in leaks and leak sites suggests ransomware is even more successful. Rapid7’s Ransomware Radar Report 2024 (PDF) gleans its intelligence from an analysis of visible leak sites, the analysis of ransomware code, and an analysis of underground forum chatter. The result is an intriguing insight into the current state of global ransomware – and it is not a comforting result."
https://www.securityweek.com/ransomware-in-2024-more-attacks-more-leaks-and-increased-sophistication/
https://www.rapid7.com/globalassets/_pdfs/2024-rapid7-ransomware-radar-report-final.pdf
https://www.infosecurity-magazine.com/news/new-ransomware-groups-emerge-1/
- The API Security Crisis: Why Your Company Could Be Next
"Most companies are sitting ducks regarding API security. During my two decades in infosec, I've never seen a threat landscape evolve as rapidly and dangerously as the one surrounding APIs. And here's the kicker: Most organizations are blissfully unaware of the ticking time bomb in their digital infrastructure."
https://www.darkreading.com/vulnerabilities-threats/api-security-crisis-why-your-company-could-be-next
- New And Emerging Cybersecurity Threats And Attacker Tactics
"As cyberthreats continue to evolve nearly four decades after the first computer virus for PCs emerged in 1986, the cybersecurity landscape faces increasingly sophisticated challenges. While many are familiar with common threats like phishing and ransomware, newer, more targeted attacks are emerging, threatening the very foundations of our
Relevance: General, Trends and statistics
https://www.fortinet.com/blog/ciso-collective/emerging-cybersecurity-threats-and-attack-tactics
- #BHUSA: CrowdStrike Outage Serves As Dress Rehearsal For China-Led Cyber-Attacks
"The recent CrowdStrike IT outage served as a dress rehearsal for a potential cyber-attack on critical infrastructure that could potentially be orchestrated by a nation-state like China. The CrowdStrike IT outage was a useful exercise in what may happen if China were to act in a disruptive manner against critical systems."
https://www.infosecurity-magazine.com/news/crowdstrike-outage-china/
- #BHUSA: The Board Needs To Understand AI Deployment Risks
"The idiosyncratic use of AI within organizations is a problem when it comes to risk. Instead, AI deployment must be part of the entire strategic enterprise operation. Speaking at the AI Summit during Black Hat USA, Larry Clinton, president of the Internet Security Alliance, argued that company boards need to be educated about the use of artificial intelligence within their organizations in order to deploy it securely."
https://www.infosecurity-magazine.com/news/board-ai-deployment-risks/
Reference
Electronic Transactions Development Agency (ETDA)
- 60 Hurts Per Second – How We Got Access To Enough Solar Power To Run The United States
-
McLaren hospitals disrupted by an INC Ransomware attack
-
Censys finds more than 40,000 internet-exposed ICS devices in the United States
-
บุคคลและหน่วยงานสามารถสร้างความยืดหยุ่นให้กับข้อมูลได้อย่างไร
Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับความยืดหยุ่นของข้อมูลกลายเป็นสิ่งสำคัญมากขึ้นในโลกดิจิทัล ช่วยให้มั่นใจได้ว่าข้อมูลของคุณยังคงเป็นความลับ รักษาความสมบูรณ์ (กล่าวคือ ไม่มีการแก้ไขโดยไม่ได้รับอนุญาต)
และพร้อมใช้งานเมื่อคุณต้องการเข้าถึงเป็นเรื่องสำคัญที่บุคคลและองค์กรต่างๆ ต้องใช้มาตรการเชิงรุกเพื่อปกป้องข้อมูลของตนจากภัยคุกคามทางไซเบอร์ที่อาจเกิดขึ้น
แนะนำให้บุคคลและองค์กรดำเนินการดังต่อไปนี้:
- ดำเนินการสำรองข้อมูลอย่างสม่ำเสมอและครอบคลุม
บุคคลและองค์กรส่วนใหญ่มีข้อมูลที่เก็บไว้ในอุปกรณ์ส่วนตัวหรือที่ทำงาน รวมถึงแล็ปท็อป เซิร์ฟเวอร์ และอุปกรณ์พกพา การสำรองข้อมูลเป็นประจำถือเป็นสิ่งสำคัญ
สามารถสำรองข้อมูลได้ในสื่อหลายประเภท รวมถึง (แต่ไม่จำกัดเพียง):
• สื่อบันทึกข้อมูลแบบถอดได้
• ไดรฟ์ฮาร์ดดิสก์ภายใน
• การจัดเก็บข้อมูลบนคลาวด์
• สื่อสิ่งพิมพ์การพึ่งพาการสำรองข้อมูลเพียงสื่อเดียวอาจทำให้ข้อมูลไม่มีความยืดหยุ่นเพียงพอ ดังนั้น บุคคลและองค์กรจึงควรพิจารณาใช้ตัวเลือกการสำรองข้อมูลแยกกันอย่างน้อยสองตัวเลือกสำหรับข้อมูลสำคัญบนสื่อที่แตกต่างกันเพื่อให้แน่ใจว่าข้อมูลมีความทนทาน นอกจากนี้ เพื่อรักษาความสมบูรณ์ของข้อมูล บุคคลและองค์กรควรดำเนินการทดสอบการสำรองข้อมูลเป็นประจำเพื่อยืนยันว่าไม่มีข้อผิดพลาดใดๆ เพื่อให้แน่ใจว่าขั้นตอนการกู้คืนข้อมูลมีความน่าเชื่อถือและมีประสิทธิภาพในการป้องกันการสูญเสียข้อมูลที่อาจเกิดขึ้น
- Use data encryption
Data encryption is essential to keeping sensitive data confidential and secure. All important data, whether at rest or in transit, should be encrypted using strong encryption algorithms so that it cannot be read even if it is stolen (through a compromised device) or intercepted (through a Man-in-the-Middle attack). Individuals can consider using reputable encryption tools and/or built-in encryption features to protect their data from unauthorised access. Organisations should use industry-standard encryption (such as AES-256) to ensure confidentiality and protect sensitive data.
- Update software and systems regularly
Ensure that all software and systems have the latest security patches installed to address new vulnerabilities and reduce the risk of data corruption or theft. Individuals and organisations should consider enabling automatic security patching to ensure that patches are applied promptly and consistently.
- Stay informed about emerging cyber threats
As cyber threats continue to evolve, it is important that both individuals and organisations keep up to date with the latest cyber threats and cybersecurity best practices.
In addition, organisations should do the following:
- Implement network segmentation
This aims to separate the different parts of an organisation's network from each other, to contain a potential intrusion to a single network segment and minimise the overall risk of a data breach. Network segmentation also produces network traffic logs that can be reviewed regularly for malicious online activity. Highly confidential data should reside in a network segment with no direct internet access.
- Enforce strict access controls
This should be done together with strong authentication measures to reduce the risk of unauthorised access to important data. By adhering to the principle of least privilege, which grants each employee only the minimum access they need, the risk from insider threats and unauthorised access can be reduced considerably. Organisations are also encouraged to review their access control lists regularly and remove any unused accounts.
- Establish a disaster recovery plan
A recovery plan should be developed so that the organisation has a systematic approach to responding to disruptions and restoring business operations effectively. Organisations should consider the following in their disaster recovery plan:
• How critical data is classified and segmented
• How data should be backed up
• How data will be recovered
• How often data is backed up
Organisations are also encouraged to review their response plans regularly to ensure they remain up to date and effective.
- Conduct cybersecurity training
Organisations can consider educating employees about common cyber threats and cybersecurity best practices. Training may cover raising awareness of the importance of data security, the latest phishing techniques and best practices for keeping data secure. Equipping employees with cybersecurity knowledge and skills reduces the likelihood that they will fall victim to a cyber incident, and thereby reduces the risk of data loss.
By adopting strong protective measures and staying vigilant against evolving cyber threats, individuals and organisations will be better prepared to strengthen their data resilience.
Reference
https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-015