NCSA Webboard

    Posts created by NCSA

    • CISA adds IE and Twilio Authy vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

      Follow the news on the webboard or on Facebook: NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Greece's land registry agency hit by 400 cyberattacks

    • Google cancels its plan to phase out third-party cookies in Chrome

    • Prolific DDoS Marketplace Shut Down by UK Law Enforcement

      “UK law enforcement agencies have infiltrated and taken down DigitalStress, the world’s most prolific underground marketplace offering distributed denial of service (DDoS) services. The National Crime Agency (NCA) said that it had taken over and disabled digitalstress.su on July 2, in collaboration with the Police Service of Northern Ireland (PSNI). Using a mirror site, the agencies have now replaced the domain with a splash page, warning users that their data has been collected by law enforcement. The takedown, made public on July 22, comes after the PSNI arrested one of the site’s suspected controllers, Skiop, earlier in July, following a joint investigation by the NCA, the PSNI, and the FBI. DigitalStress was a marketplace offering DDoS-for-hire or ‘booter’ services. These services allow users to create accounts and order DDoS attacks within minutes. Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Booter services are an attractive entry-level cybercrime, allowing individuals with little technical ability to commit cyber offenses with ease.” According to UK law enforcement, DDoS operators using DigitalStress were responsible for tens of thousands of attacks weekly. The site's administrators chose to place the service under a .su domain, an old Soviet Union domain still operated by the Russian Institute for Public Networks. Many criminal services use this domain to make it more difficult for any potential law enforcement investigation. However, the NCA has been able to infiltrate communication channels used by DigitalStress users, leading to the platform’s takedown.”

      News source

      https://www.infosecurity-magazine.com/news/ddos-marketplace-shut-down-uk-law/

    • Cyber Threat Intelligence 23 July 2024

      New Tooling

      • Shuffle Automation: Open-Source Security Automation Platform
        "Shuffle is an open-source automation platform designed by and for security professionals. While security operations are inherently complex, Shuffle simplifies the process. It’s designed to integrate with Managed Security Service Providers (MSSPs) and other service providers."
        https://www.helpnetsecurity.com/2024/07/22/shuffle-automation-open-source-security-automation-platform/
        https://github.com/Shuffle/Shuffle

      Malware

      • Fake Browser Updates Lead To BOINC Volunteer Computing Software
        "Beginning on July 4, 2024, Huntress observed new behaviors in conjunction with malware typically called SocGholish or FakeUpdates. This is a large malware group, with a number of new campaigns and similar malware emerging over the past couple of years. Huntress has written about SocGholish previously, and many of these same behaviors haven’t changed. The infections typically begin as a result of a user visiting a compromised website, which results in a fake browser update prompt to the user."
        https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
        https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html
        https://securityaffairs.com/166030/malware/socgholish-used-deliver-asyncrat.html
      • Cursed Tapes: Exploiting The EvilVideo Vulnerability On Telegram For Android
        "ESET researchers discovered a zero-day exploit that targets Telegram for Android, which appeared for sale for an unspecified price in an underground forum post from June 6th, 2024. Using the exploit to abuse a vulnerability that we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files."
        https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/
        https://therecord.media/telegram-zero-day-android-app-eset
        https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/
        https://hackread.com/telegram-android-vulnerability-evilvideo-malware-videos/
        https://securityaffairs.com/166042/hacking/evilvideo-telegram-android-zero-day.html
      • Threat Actors Use Telegram APIs For Harvesting Credentials
        "In recent weeks, there has been an increase in phishing attacks, conducted through messaging platforms like Telegram. Telegram is a widely used app that allows users to send messages, photos, videos, and other files online. It also provides APIs for developers to create custom bots and applications. Unfortunately, these APIs can also attract threat actors who use them for illicit purposes, such as stealing credentials."
        https://www.forcepoint.com/blog/insights/threat-actors-harvesting-credentials-telegram-api
      • Gambling Is No Game: DNS Links Between Chinese Organized Crime And Sports Sponsorships
        "This groundbreaking report unveils the discovery of a technology suite and its connection to Chinese organized crime, money laundering, and human trafficking throughout Southeast Asia. The technology suite is composed of software, Domain Name System (DNS) configurations, website hosting, payment mechanisms, mobile apps, and more—a full cybercrime supply chain. Tens of seemingly unrelated gambling brands that advertise by way of sponsorship deals with European sports teams use this technology."
        https://blogs.infoblox.com/threat-intelligence/gambling-is-no-game-dns-links-between-chinese-organized-crime-and-sports-sponsorships/
        https://insights.infoblox.com/resources-report/infoblox-report-vigorish-viper-a-venomous-bet
        https://thehackernews.com/2024/07/experts-uncover-chinese-cybercrime.html
        https://therecord.media/chinese-cybercrime-syndicate-gambling-football-europe
        https://hackread.com/chinese-vigorish-viper-dns-football-illegal-gambling/
      • PINEAPPLE And FLUXROOT Hacker Groups Abuse Google Cloud For Credential Phishing
        "A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google said in its biannual Threat Horizons Report [PDF] shared with The Hacker News."
        https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html
        https://services.google.com/fh/files/misc/threat_horizons_report_h2_2024.pdf
      • From RA Group To RA World: Evolution Of a Ransomware Group
        "The ransomware group RA Group, now known as RA World, showed a noticeable uptick in their activity since March 2024. About 37% of all posts on their dark web leak site have appeared since March, suggesting this is an emerging group to watch. This article describes the tactics, techniques and procedures (TTPs) used by RA World."
        https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/

      Breaches/Hacks/Leaks

      • Greece’s Land Registry Agency Breached In Wave Of 400 Cyberattacks
        "The Land Registry agency in Greece has announced that it suffered a limited-scope data breach following a wave of 400 cyberattacks targeting its IT infrastructure over the last week. The agency said hackers managed to compromise employee terminals and steal 1.2 GB of data, corresponding to roughly 0.0006% of the total data held by the government organization. The stolen data reportedly does not contain any citizens' personal information but primarily consists of typical administrative documents, the exposure of which is not expected to impact the registry's operations."
        https://www.bleepingcomputer.com/news/security/greeces-land-registry-agency-breached-in-wave-of-400-cyberattacks/
      • Los Angeles Superior Court Shuts Down After Ransomware Attack
        "The largest trial court in the United States, the Superior Court of Los Angeles County, closed all 36 courthouse locations on Monday to restore systems affected by a Friday ransomware attack. The attack, which has not yet been claimed by a ransomware operation, affected the entire network of the Los Angeles Superior Court. This includes external systems like the MyJuryDuty Portal and its website and internal systems like the case management systems."
        https://www.bleepingcomputer.com/news/security/los-angeles-superior-court-shuts-down-after-ransomware-attack/
        https://therecord.media/la-county-system-ransomware-closed-monday
        https://hackread.com/ransomware-attack-la-county-courts-halt-inmate-transfer/
        https://www.securityweek.com/california-officials-say-largest-trial-court-in-us-victim-of-ransomware-attack/
        https://www.theregister.com/2024/07/22/ransomware_la_county_superior_court/
      • Safety Equipment Giant Cadre Holdings Hit By Cyberattack
        "Florida-based safety equipment giant Cadre Holdings on Friday disclosed a cyberattack that has impacted some of the company’s operations. Cadre provides safety and survivability products for first responders, federal agencies, outdoor recreation, and personal protection in over 100 countries. Its products include body armor, bomb squad equipment, duty gear, and nuclear safety solutions."
        https://www.securityweek.com/safety-equipment-giant-cadre-holdings-hit-by-cyberattack/

      General News

      • Under-Resourced Maintainers Pose Risk To Africa's Open Source Push
        "During a two-day conference at the United Nations in New York City last week, technologists and global policy makers expounded on the benefits that open source software (OSS) can provide to the world, particularly when it comes to delivering affordable technology to underserved nations in Africa and beyond. But to make the most of the OSS promise, security has to go hand in hand with app development."
        https://www.darkreading.com/application-security/under-resourced-maintainers-pose-risk-to-africas-open-source-push
      • Cross-Industry Standards For Data Provenance In AI
        "In this Help Net Security interview, Saira Jesani, Executive Director of the Data & Trust Alliance, discusses the role of data provenance in AI trustworthiness and its impact on AI models’ performance and reliability. Jesani highlights the collaborative process behind developing cross-industry metadata standards to address widespread data provenance challenges and ensure applicability across various sectors."
        https://www.helpnetsecurity.com/2024/07/22/saira-jesani-data-trust-alliance-data-provenance-standards/
      • NCA Infiltrates World's Most Prolific DDoS-For-Hire Service
        "The National Crime Agency has infiltrated a significant DDoS-for-hire service which has been responsible for tens of thousands of attacks every week across the globe. The disruption targeting digitalstress.su, a criminal marketplace offering DDoS capabilities, was made in partnership with the Police Service of Northern Ireland. It comes after the PSNI arrested one of the site’s suspected controllers earlier this month."
        https://www.nationalcrimeagency.gov.uk/news/nca-infiltrates-world-s-most-prolific-ddos-for-hire-service
        https://www.bleepingcomputer.com/news/security/police-infiltrates-takes-down-digitalstress-ddos-for-hire-service/
        https://therecord.media/ddos-for-hire-site-digitalstress-takedown-arrest-uk-nca
        https://www.theregister.com/2024/07/22/ddos_for_hire_shutdown/
      • Spain Arrests Three For Using DDoSia Hacktivist Platform
        "The Spanish authorities have arrested three individuals for using DDoSia, a distributed denial of service platform operated by pro-Russian hacktivists, to conduct DDoS attacks against governments and organizations in NATO countries. The arrests were made in the suspects' homes in Seville, Huelva, and Manacor. The police also confiscated various computer equipment and documents of interest to be used in the ensuing investigations."
        https://www.bleepingcomputer.com/news/security/spain-arrests-three-for-using-ddosia-hacktivist-platform/
        https://therecord.media/spain-arrest-noname-russia-hackers
      • Swipe Right For Data Leaks: Dating Apps Expose Location, More
        "Apps like Tinder, Bumble, Grindr, Badoo, OKCupid, MeetMe, and Hinge all have API vulnerabilities that expose sensitive user data, and six allow a threat actor to pinpoint exactly where someone is."
        https://www.darkreading.com/application-security/swipe-right-for-data-leaks-dating-apps-expose-location-more
        https://lepoch.at/files/dating-apps-usesec24.pdf
      • Fragmented And Multiplied Cybercriminal Landscape, Warns New Europol Report
        "Today, Europol publishes the 10th edition of the Internet Organised Crime Threat Assessment (IOCTA), an in-depth assessment of the key developments, changes and emerging threats in cybercrime over the last year. The report highlights relevant trends in crime areas such as cyber-attacks, child sexual exploitation and online and payment fraud schemes. It also provides an outlook of what can be expected in the near future, especially regarding new technologies, payment systems, AI, cryptocurrencies and illicit content online."
        https://www.europol.europa.eu/media-press/newsroom/news/fragmented-and-multiplied-cybercriminal-landscape-warns-new-europol-report
        http://www.europol.europa.eu/cms/sites/default/files/documents/IOCTA 2024 - EN_0.pdf
        https://www.infosecurity-magazine.com/news/ransomware-groups-fragment-rising/
        https://www.theregister.com/2024/07/22/europol_says_ransomware_takedowns_make/

      Reference
      Electronic Transactions Development Agency (ETDA)

    • Cyber Threat Intelligence 22 July 2024

      New Tooling

      • New Recovery Tool To Help With CrowdStrike Issue Impacting Windows Endpoints
        "As a follow-up to the CrowdStrike Falcon agent issue impacting Windows clients and servers, Microsoft has released an updated recovery tool with two repair options to help IT admins expedite the repair process. The signed Microsoft Recovery Tool can be found in the Microsoft Download Center: https://go.microsoft.com/fwlink/?linkid=2280386. In this post we include detailed recovery steps for Windows client, servers, and OS's hosted on Hyper-V."
        https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959
        https://go.microsoft.com/fwlink/?linkid=2280386
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/

      Vulnerabilities

      • Cisco Releases Security Updates For Multiple Products
        "Cisco released security updates to address vulnerabilities in Cisco software. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system."
        https://www.cisa.gov/news-events/alerts/2024/07/18/cisco-releases-security-updates-multiple-products

      Malware

      • IT Teams Scramble To Recover From CrowdStrike Incident As Officials Warn Of ‘Risks Of Consolidation’
        "Fallout from massive technology outages caused by the cybersecurity firm CrowdStrike continued throughout Friday as people around the world navigated canceled flights, paralyzed workspaces and downed 911 systems. White House cybersecurity leader Anne Neuberger said her morning began at 4 a.m. with a call from the Situation Room about the outages — which affected millions of Windows computers and was sourced back to a faulty software update issued by CrowdStrike."
        https://therecord.media/it-teams-scramble-recover-crowdstrike
        https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
        https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html
        https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/
        https://hackread.com/fake-hot-fix-crowdstrike-crowdstrike-hotfix-zip-remcos-rat/
        https://www.helpnetsecurity.com/2024/07/19/crowdstrike-it-outage-update/
        https://www.trendmicro.com/es_es/research/24/g/crowdstrike-windows-outage-insights.html
        https://www.bankinfosecurity.com/fake-websites-phishing-surface-in-wake-crowdstrike-outage-a-25817
        https://securityaffairs.com/165953/malware/threat-actors-capitalize-crowdstrike-incident.html
      • Beijing's Attack Gang Volt Typhoon Was a False Flag Inside Job Conspiracy: China
        "China has asserted that the Volt Typhoon gang, which Five Eyes nations accuse of being a Beijing-backed attacker that targets critical infrastructure, was in fact made up by the US intelligence community."
        https://www.theregister.com/2024/07/19/volt_typhoon_china_theory/
      • Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma
        "Our Threat Hunting team uncovered a Linux variant of the Play ransomware that only encrypts files when running in a VMWare ESXi environment. First detected in June 2022, the Play ransomware group became notable for its double-extortion tactic, evasion techniques, custom-built tools, and substantial impact on various organizations in Latin America."
        https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html
      • OilAlpha Malicious Applications Target Humanitarian Aid Groups Operating In Yemen
        "Insikt Group's research reveals that OilAlpha, a likely pro-Houthi group, continues to target humanitarian and human rights organizations operating in Yemen. They use malicious Android applications to steal credentials and gather intelligence, potentially to control aid distribution. Notable organizations affected include CARE International and the Norwegian Refugee Council. This report highlights the ongoing threat and suggests mitigation strategies, such as social engineering awareness, strong passwords, and multi-factor authentication."
        https://www.recordedfuture.com/research/oilalpha-spyware-used-to-target-humanitarian-aid-groups
        https://go.recordedfuture.com/hubfs/reports/cta-2024-0709.pdf
        https://thehackernews.com/2024/07/pro-houthi-group-targets-yemen-aid.html
      • Gamers Beware: There’s No Such Thing As ‘GTA VI Beta Version’ To Download From Sponsored Facebook Ads. It’s Malware!
        "Rockstar Games’ announcement about the upcoming videogame release in the long-running Grand Theft Auto series has been on every gamer’s lips this past year. GTA VI is scheduled for an Autumn 2025 release on PS5 and the Xbox Series, with PC gamers having to wait a bit longer. However, this hasn’t stopped threat actors from exploiting the highly anticipated action-adventure game from the US-based game publisher."
        https://www.bitdefender.com/blog/hotforsecurity/gamers-beware-theres-no-such-thing-as-gta-vi-beta-version-to-download-from-sponsored-facebook-ads-its-malware/
        https://hackread.com/grand-theft-auto-fake-gta-vi-beta-download-malware/

      Breaches/Hacks/Leaks

      • WazirX Cryptocurrency Exchange Loses $230 Million In Major Security Breach
        "Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets. "A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million," the company said in a statement. "This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023.""
        https://thehackernews.com/2024/07/wazirx-cryptocurrency-exchange-loses.html
        https://www.theregister.com/2024/07/19/wasirx_pauses_trade/

      General News

      • CrowdStrike Code Update Bricking Windows Machines Around The World
        "An update to a product from infosec vendor CrowdStrike is bricking computers running Windows. The Register has found numerous accounts of Windows 10 PCs crashing, displaying the Blue Screen of Death, then being unable to reboot. “We're seeing BSOD Org wide that are being caused by csagent.sys, and it's taking down critical services. I'll open a ticket, but this is a big deal,” wrote one user."
        https://www.theregister.com/2024/07/19/crowdstrike_falcon_sensor_bsod_incident/
        https://www.cisa.gov/news-events/alerts/2024/07/19/widespread-it-outage-due-crowdstrike-update
        https://www.bleepingcomputer.com/news/security/crowdstrike-update-crashes-windows-systems-causes-outages-worldwide/
        https://thehackernews.com/2024/07/faulty-crowdstrike-update-crashes.html
        https://therecord.media/crowdstrike-update-crashes-windows-devices-globally
        https://www.darkreading.com/cyberattacks-data-breaches/crowdstrike-outage
        https://www.infosecurity-magazine.com/news/crowdstrike-fault-it-outages/
        https://www.bankinfosecurity.com/federal-agencies-scramble-to-fix-massive-software-outage-a-25814
        https://cyberscoop.com/crowdstrike-falcon-flaw-microsoft-outage-flights-grounded-windows/
        https://hackread.com/faulty-crowdstrike-update-ground-flights-disrupt-business/
        https://www.securityweek.com/major-outages-worldwide-linked-to-bsod-caused-by-bad-crowdstrike-update/
        https://securityaffairs.com/165920/security/crowdstrike-epic-fail-crashed-windows.html
        https://www.itnews.com.au/news/widespread-global-it-outages-attributed-to-crowdstrike-609951
        https://www.malwarebytes.com/blog/uncategorized/2024/07/crowdstrike-update-at-center-of-windows-blue-screen-of-death-outage
        https://www.helpnetsecurity.com/2024/07/19/crowdstrike-outage/
        https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
        https://www.securityweek.com/crowdstrike-says-logic-error-caused-windows-bsod-chaos/
        https://www.itnews.com.au/news/crowdstrike-explains-update-that-crippled-windows-environments-609964
        https://www.securityweek.com/crowdstrike-provides-remediation-guidance-after-software-update-causes-worldwide-it-chaos/
        https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-365-cloud-pcs-stuck-restarting-after-crowdstrike-update/
        https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/
        https://www.securityweek.com/microsoft-says-8-5-million-windows-devices-impacted-by-crowdstrike-incident-publishes-recovery-tool/
      • GenAI Network Acceleration Requires Prior WAN Optimization
        "As GenAI models used for natural language processing, image generation, and other complex tasks often rely on large datasets that must be transmitted between distributed locations, including data centers and edge devices, WAN optimization is essential for robust deployment of GenAI applications at a scale."
        https://www.helpnetsecurity.com/2024/07/19/wan-optimization/
      • One-Third Of Dev Professionals Unfamiliar With Secure Coding Practices
        "Attackers consistently discover and exploit software vulnerabilities, highlighting the increasing importance of robust software security, according to OpenSSF and the Linux Foundation. Despite this, many developers lack the essential knowledge and skills to effectively implement secure software development."
        https://www.helpnetsecurity.com/2024/07/19/devs-secure-coding-practices/
      • CISOs Must Shift From Tactical Defense To Strategic Leadership
        "Cyber threats are advancing quickly in size and sophistication, largely because of the rapid evolution of technology, increasing sophistication of cyber attackers, and the expansion of attack surfaces through interconnected systems and devices, according to Ivanti."
        https://www.helpnetsecurity.com/2024/07/19/cyber-threats-size-sophistication/
      • CrowdStrike's Falcon Sensor Also Linked To Linux Kernel Panics And Crashes
        "CrowdStrike's now-infamous Falcon Sensor software, which last week led to widespread outages of Windows-powered computers, has also caused crashes of Linux machines. Red Hat in June warned its customers of a problem it described as "Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process" that impacted some users of Red Hat Enterprise Linux 9.4 after (as the warning suggests) booting on kernel version 5.14.0-427.13.1.el9_4.x86_64."
        https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/
      • Two Foreign Nationals Plead Guilty To Participation In LockBit Ransomware Group
        "Two foreign nationals pleaded guilty today in Newark federal court to participating in the LockBit ransomware group – at various times the most prolific ransomware variant in the world – and to deploying LockBit attacks against victims in the United States and worldwide."
        https://www.justice.gov/usao-nj/pr/two-foreign-nationals-plead-guilty-participation-lockbit-ransomware-group
        https://www.bleepingcomputer.com/news/security/russians-plead-guilty-to-involvement-in-lockbit-ransomware-attacks/
        https://thehackernews.com/2024/07/two-russian-nationals-plead-guilty-in.html
        https://therecord.media/lockbit-affiliates-russia-plead-guilty
        https://securityaffairs.com/165941/cyber-crime/lockbit-ransomware-group-members-plead-guilty.html
      • Treasury Sanctions Leader And Primary Member Of The Cyber Army Of Russia Reborn
        "Today, the United States designated Yuliya Vladimirovna Pankratova (Pankratova) and Denis Olegovich Degtyarenko (Degtyarenko), two members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR) for their roles in cyber operations against U.S. critical infrastructure. These two individuals are the group’s leader and a primary hacker, respectively."
        https://home.treasury.gov/news/press-releases/jy2473
        https://therecord.media/cyber-army-russia-us-sanctions
        https://cyberscoop.com/treasury-sanctions-russia-hacktivist-water/
      • Tech Giants Agree To Standardize AI Security
        "The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI. The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models."
        https://www.darkreading.com/cloud-security/tech-giants-agree-to-standardize-ai-security
        https://www.securityweek.com/cosai-tech-giants-form-coalition-for-secure-ai/
      • In Cybersecurity, Mitigating Human Risk Goes Far Beyond Training
        "As the stakes of cyberattacks continue to rise, organizations are throwing more and more money at innovative new services and equipment to thwart them. But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element. There's little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for robbers into the building."
        https://www.darkreading.com/cyber-risk/in-cybersecurity-mitigating-human-risk-goes-far-beyond-training
      • UK Cops Arrest Teen Suspect In MGM Resorts Cyberattack Probe
        "Cops in the UK have arrested a suspected member of the notorious Scattered Spider crime gang, which is accused of crippling MGM Resorts in Las Vegas with ransomware last summer. West Midlands police - along with officials from Britain's National Crime Agency and the FBI - cuffed the 17-year-old, of Walsall, England, on Thursday. The suspect, whose name has not been released, was taken into custody on suspicion of blackmail and breaking the UK's Computer Misuse Act. He's now out on bail."
        https://www.theregister.com/2024/07/19/uk_mgm_suspect_arrested/
        https://www.westmidlands.police.uk/news/west-midlands/news/news/2024/july/walsall-teenager-arrested-in-joint-west-midlands-police-and-fbi-operation/
        https://therecord.media/mgm-hack-teenager-arrest-britain
        https://www.bleepingcomputer.com/news/security/uk-arrests-suspected-scattered-spider-hacker-linked-to-mgm-attack/
        https://thehackernews.com/2024/07/17-year-old-linked-to-scattered-spider.html
      • The Complexities Of Cybersecurity Update Processes
        "Cybersecurity is often about speed; a threat actor creates a malicious attack technique or code, cybersecurity companies react to the new threat and if necessary, adjust and adopt methods to detect the threat. That adoption may require updating cloud detection systems and/or updating endpoint devices to provide the protection needed against the threat. And speed is of the essence as the cybersecurity industry is there to protect, detect and respond to threats as they happen."
        https://www.welivesecurity.com/en/cybersecurity/complexities-cybersecurity-update-processes/
      • Beyond The Blue Screen Of Death: Why Software Updates Matter
        "In the realm of computing, few things are as unsettling as encountering a blue screen of death (BSOD) on your Windows system. The ominous screen with its cryptic error messages invokes a mix of alarm and frustration even among many seasoned technology users."
        https://www.welivesecurity.com/en/cybersecurity/beyond-blue-screen-death-software-updates/
      • Nationwide Policing Operation Targets Widespread SIM Box Fraud
        "Policing agencies across Australia have joined forces in a National Day of Action (Thursday 18 July, 2024), coordinated by the AFP-led Joint Policing Cybercrime Coordination Centre (JPC3), to disrupt cyber criminals allegedly using SIM boxes to scam hundreds of Australians. SIM boxes are allegedly used by criminals to commit large-scale SMS phishing attacks known as 'smishing'. Smishing is a malicious attack that uses deceptive text messages to deceive victims into downloading malware or sharing personal information."
        https://www.afp.gov.au/news-centre/media-release/nationwide-policing-operation-targets-widespread-sim-box-fraud
        https://www.itnews.com.au/news/australian-police-seize-devices-used-to-send-over-318-million-phishing-texts-610003

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 19 July 2024

      Healthcare Sector

      • Philips Vue PACS
        "Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity to negatively impact system confidentiality, integrity, or availability."
        https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-200-01

      Industrial Sector

      • Mitsubishi Electric MELSOFT MaiLab
        "Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the target product."
        https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-01
      • Subnet Solutions PowerSYSTEM Center
        "Successful exploitation of this vulnerability could allow an authenticated attacker to elevate permissions."
        https://www.cisa.gov/news-events/ics-advisories/icsa-24-200-02

      New Tooling

      • Grype: Open-Source Vulnerability Scanner For Container Images, Filesystems
        "Grype is an open-source vulnerability scanner designed for container images and filesystems that seamlessly integrates with Syft, a powerful Software Bill of Materials (SBOM) tool."
        https://www.helpnetsecurity.com/2024/07/18/grype-open-source-vulnerability-scanner-container-images-filesystems/
        https://github.com/anchore/grype

      Vulnerabilities

      • Ivanti Releases Security Updates For Endpoint Manager
        "Ivanti released security updates to address vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Endpoint Manager for Mobile (EPMM). A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system."
        https://www.cisa.gov/news-events/alerts/2024/07/18/ivanti-releases-security-updates-endpoint-manager
        https://forums.ivanti.com/s/article/Security-Advisory-EPM-July-2024-for-EPM-2024
        https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024
        https://www.securityweek.com/ivanti-issues-hotfix-for-high-severity-endpoint-manager-vulnerability/
      • SolarWinds Fixes 8 Critical Bugs In Access Rights Audit Software
        "SolarWinds has fixed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on vulnerable devices. Access Rights Manager is a critical tool in enterprise environments that helps admins manage and audit access rights across their organization's IT infrastructure to minimize threat impact."
        https://www.bleepingcomputer.com/news/security/solarwinds-fixes-8-critical-bugs-in-access-rights-audit-software/
      • Critical Cisco Bug Lets Hackers Add Root Users On SEG Devices
        "Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments. Tracked as CVE-2024-20401, this arbitrary file write security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system."
        https://www.bleepingcomputer.com/news/security/critical-cisco-bug-lets-hackers-add-root-users-on-seg-devices/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-afw-bGG2UsjH
      • 20 Million Trusted Domains Vulnerable To Email Hosting Exploits
        "Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations. The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies."
        https://www.darkreading.com/threat-intelligence/20-million-trusted-domains-vulnerable-to-email-hosting-exploits
      • SAPwned: SAP AI Vulnerabilities Expose Customers’ Cloud Environments And Private AI Artifacts
        "Over the past months, we on the Wiz Research Team have conducted extensive tenant isolation research on multiple AI service providers. We believe these services are more susceptible to tenant isolation vulnerabilities, since by definition, they allow users to run AI models and applications – which is equivalent to executing arbitrary code. As AI infrastructure is fast becoming a staple of many business environments, the implications of these attacks are becoming more and more significant."
        https://www.wiz.io/blog/sapwned-sap-ai-vulnerabilities-ai-security
        https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html
        https://www.securityweek.com/sap-ai-core-vulnerabilities-allowed-service-takeover-customer-data-access/
        https://www.infosecurity-magazine.com/news/sap-ai-core-expose-customer-data/
        https://securityaffairs.com/165888/hacking/sap-ai-core-sapwned.html

      Malware

      • RDGAs: The Next Chapter In Domain Generation Algorithms
        "This trailblazing report explores a burgeoning technique that threat actors are using to covertly transform the DNS threat landscape with millions of new domains. You’ll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), and more."
        https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/
        https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/
        https://hackread.com/threat-actor-revolver-rabbit-rdga-register-domains/
      • Warning Against The Distribution Of Malware Disguised As Software Cracks (Disrupts V3 Lite Installation)
        "AhnLab SEcurity intelligence Center (ASEC) has previously introduced the dangers of malware disguised as crack programs through a post titled “Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)”. Malware strains disguised as crack programs are primarily distributed through file-sharing platforms, blogs, and torrents, leading to the infection of multiple systems. These infected systems are continually managed by threat actors through periodic updates."
        https://asec.ahnlab.com/en/68011/
      • HotPage: Story Of a Signed, Vulnerable, Ad-Injecting Driver
        "Malware research involves studying threat actor TTPs, mapping infrastructure, analyzing novel techniques… And while most of these investigations build on existing research, sometimes they start from a hunch, something that looks too simple. At the end of 2023, we stumbled upon an installer named HotPage.exe that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic."
        https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/
        https://www.darkreading.com/threat-intelligence/microsoft-signed-chinese-adware-opens-the-door-to-kernel-privileges
        https://www.infosecurity-magazine.com/news/hotpage-hijacks-browsers-microsoft/
        https://thehackernews.com/2024/07/alert-hotpage-adware-disguised-as-ad.html
      • APT41 Has Arisen From The DUST
        "In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom."
        https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
        https://www.securityweek.com/chinese-hacking-group-apt41-infiltrates-global-shipping-and-tech-sectors-mandiant-warns/
      • TAG-100 Uses Open-Source Tools In Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
        "Recorded Future’s Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations. TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities."
        https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign
        https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf
        https://therecord.media/tag-100-espionage-hacking-backdoors-asia-pacific
        https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html
      • Container Breakouts: Escape Techniques In Cloud Environments
        "This article reviews container escape techniques, assesses their possible impact and reveals how to detect these escapes from the perspective of endpoint detection and response (EDR). As cloud services rise in popularity, so does the use of containers, which have become an integrated part of cloud infrastructure. Although containers provide many advantages, they are also susceptible to attack techniques like container escapes."
        https://unit42.paloaltonetworks.com/container-escape-techniques/

      Breaches/Hacks/Leaks

      • Nearly 13 Million Australians Affected By MediSecure Attack
        "Personal and health data of almost 13 million Australians has been impacted by the cyber-attack on medical prescription provider MediSecure. Following an investigation of a dataset accessed by the attackers in May 2024, the company has determined that 12.9 million individuals who used the MediSecure prescription delivery service during the period of March 2019 to November 2023 have been impacted by the incident. This includes information relating to patient prescriptions."
        https://www.infosecurity-magazine.com/news/13-million-australians-medisecure/
        https://www.itnews.com.au/news/medisecure-data-breach-affects-about-129-million-australians-609924

      General News

      • Fighting AI-Powered Synthetic ID Fraud With AI
        "Aided by the emergence of generative artificial intelligence models, synthetic identity fraud has skyrocketed, and now accounts for a staggering 85% of all identity fraud cases."
        https://www.helpnetsecurity.com/2024/07/18/ai-powered-synthetic-identity-fraud/
      • Laying The Groundwork For Zero Trust In The Military
        "In this Help Net Security interview, Curtis Arnold, VP and Chief Scientist at Core4ce, discusses the starting points for military training in zero trust principles, emphasizing foundational technologies and a unified taxonomy. Arnold provides insights into the DoD’s Zero Trust Overlays guide and the future evolution of zero-trust principles in a military context."
        https://www.helpnetsecurity.com/2024/07/18/curtis-arnold-core4ce-zero-trust-principles/
      • Small But Mighty: Top 5 Pocket-Sized Gadgets To Boost Your Ethical Hacking Skills
        "While blue teams defend, red teams attack. They share a common goal, however – help identify and address gaps in organizations’ defenses before these weaknesses can be exploited by malicious actors. The blue/red team exercises provide invaluable insights across the technical, procedural and human sides of security and can ultimately help organizations fend off actual attacks."
        https://www.welivesecurity.com/en/cybersecurity/small-but-mighty-top-5-pocket-sized-gadgets-boost-ethical-hacking-skills/
      • Identity Theft Resource Center Sees Third-Most Data Breach Victims In a Quarter In Q2 2024
        "Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, released its U.S. data breach findings for the second quarter (Q2) and the first half (H1) of 2024. According to the ITRC, there were 732 publicly reported data compromises in Q2, a 12 percent decrease compared to the previous Quarter (838). Through the first half of the year, the ITRC tracked 1,571 compromises, putting 2024 ~14 percent higher compared to H1 2023 which ended in a record number of compromises (3,203)."
        https://www.idtheftcenter.org/post/itrc-sees-third-most-data-breach-victims-in-quarter/
        https://www.idtheftcenter.org/publication/itrc-h1-data-breach-analysis/
        https://www.infosecurity-magazine.com/news/us-data-breach-victims-surge-1170/
        https://www.darkreading.com/cyberattacks-data-breaches/us-data-breach-victim-numbers-increase-1000
      • Introducing Chainalysis Operation Spincaster: An Ecosystem-Wide Initiative To Disrupt And Prevent Billions In Losses To Crypto Scams
        "Approval phishing is an increasingly popular tactic used by criminals to steal funds through different scamming techniques such as fake crypto apps and romance scams (also known as pig butchering). With the approval phishing technique, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will."
        https://www.chainalysis.com/blog/operation-spincaster/
        https://therecord.media/crypto-experts-law-enforcement-take-down-approval-phishing-scams
        https://www.bankinfosecurity.com/operation-spincaster-targets-crypto-pig-butchering-scams-a-25800
        https://www.infosecurity-magazine.com/news/chainalysis-operation-spincaster/
      • It's Best To Just Assume You’ve Been Involved In a Data Breach Somehow
        "Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach. We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people."
        https://blog.talosintelligence.com/threat-source-newsletter-july-18-2024/
      • CISA Releases Playbook For Infrastructure Resilience Planning
        "Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a companion guide to the Infrastructure Resilience Planning Framework (IRPF), which provides guidance on how local governments and the private sector can work together to plan for the security and resilience of critical infrastructure services in the face of threats. Dubbed the IRPF Playbook, this supplemental manual will assist state, local, tribal, territorial (SLTT) and private sector stakeholders in planning for the security and resilience of infrastructure in their regions."
        https://www.cisa.gov/news-events/news/cisa-releases-playbook-infrastructure-resilience-planning
        https://www.cisa.gov/sites/default/files/2024-07/IRPF-Playbook-07-17-2024.pdf
        https://statescoop.com/cisa-cybersecurity-resilience-planning-playbook-critical-infrastructure/
      • Using Threat Intelligence To Predict Potential Ransomware Attacks
        "Ransomware Awareness Month, which takes place in July, firmly puts the topic front and center for organizations. While ransomware has been around since 1989, it continues to top the list of the most feared attack vectors."
        https://www.securityweek.com/using-threat-intelligence-to-predict-potential-ransomware-attacks/

      Reference

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Releases Four Industrial Control Systems Advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released four Industrial Control Systems (ICS) advisories on 23 July 2024 (B.E. 2567). These advisories provide timely information about current security issues and vulnerabilities surrounding ICS, as follows:

      • ICSA-24-205-01 National Instruments IO Trace
      • ICSA-24-205-02 Hitachi Energy AFS/AFR Series Products
      • ICSA-24-205-03 National Instruments LabVIEW
      • ICSA-22-333-02 Hitachi Energy IED Connectivity Packages and PCM600 Products (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2024/07/23/cisa-releases-four-industrial-control-systems-advisories

      Reference: https://www.cisa.gov/news-events/cybersecurity-advisories

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • CISA Adds 2 Exploited Vulnerabilities to Its Catalog

      The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of 2 new vulnerabilities to its catalog. The vulnerabilities may be known to hacker groups, and the additions are based on evidence that the vulnerabilities have been exploited. Vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose significant risk to organizations. Details are as follows:

      • CVE-2012-4792
        (CVSS score: 9.3) A use-after-free vulnerability in Internet Explorer. It allows a remote attacker to execute arbitrary code via a specially crafted website. Although there is currently no confirmation that this vulnerability is being used in new attacks, in 2012 it was used in watering hole attacks targeting the websites of the Council on Foreign Relations (CFR) and Capstone Turbine Corporation.

      • CVE-2024-39891
        (CVSS score: 5.3) An information disclosure vulnerability in Twilio Authy. Data leaks through an unauthenticated endpoint, allowing an attacker to send a request containing a phone number and learn whether that number is registered with Authy. Twilio recently announced that the vulnerability has been fixed in versions 25.1.0 (Android) and 26.1.0 (iOS), after attackers used it to identify data associated with Authy accounts.

      Reference
      https://www.cisa.gov/known-exploited-vulnerabilities-catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA Adds Adobe Commerce, Magento, SolarWinds Serv-U, and VMware vCenter Server Vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog

      Posted in Cyber Security News
      NCSA_THAICERT
    • Microsoft Says 8.5 Million Windows Devices Were Affected by the CrowdStrike Incident and Releases a Recovery Tool

      Posted in Cyber Security News
      NCSA_THAICERT
    • Test test test

      Test test test

      Posted in Community of Practice
      chananan test
    • CrowdStrike Releases Update That Crashes Windows Operating Systems Worldwide

      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical Vulnerability in Cisco SSM On-Prem Lets Attackers Change User Passwords

      Posted in Cyber Security News
      NCSA_THAICERT
    • North Korean Hackers Use New BeaverTail Malware Variant to Attack macOS Users

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 18 July 2024

      Industrial Sector

      • Defending OT Requires Agility, Proactive Controls
        "Hackers affiliated with the Chinese government have reportedly kept access to US critical infrastructure for years, several agencies warned in February. The revelation is, at least on the surface, a heel-turn for Chinese cyber behavior — moving from espionage to the potential compromise or destruction of infrastructure via operational technology (OT). This includes the programmable systems and devices connected to physical environments."
        https://www.darkreading.com/ics-ot-security/defending-ot-requires-agility-proactive-controls

      New Tooling

      • SubSnipe: Open-Source Tool For Finding Subdomains Vulnerable To Takeover
        "SubSnipe is an open-source, multi-threaded tool to help find subdomains vulnerable to takeover. It’s simpler, produces better output, and has more fingerprints than other subdomain takeover tools."
        https://www.helpnetsecurity.com/2024/07/17/subsnipe-open-source-tool-find-subdomains-vulnerable-takeover/
        https://github.com/dub-flow/subsnipe

      Vulnerabilities

      • Cisco SSM On-Prem Bug Lets Hackers Change Any User's Password
        "Cisco has fixed a maximum severity vulnerability that allows attackers to change any user's password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators. The flaw also impacts SSM On-Prem installations earlier than Release 7.0, known as Cisco Smart Software Manager Satellite (SSM Satellite). As a Cisco Smart Licensing component, SSM On-Prem assists service providers and Cisco partners in managing customer accounts and product licenses."
        https://www.bleepingcomputer.com/news/security/cisco-ssm-on-prem-bug-lets-hackers-change-any-users-password/
        https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
        https://securityaffairs.com/165848/security/critical-flaw-cisco-ssm-on-prem.html
      • Atlassian Patches High-Severity Vulnerabilities In Bamboo, Confluence, Jira
        "Software vendor Atlassian on Tuesday released security-themed updates to fix several high-severity vulnerabilities in its Bamboo, Confluence and Jira products. The Australian firm called urgent attention to the Bamboo Data Center and Server updates that resolve two high-severity bugs, including one affecting the UriComponentsBuilder dependency that could allow an unauthenticated attacker to perform a server-side request forgery (SSRF) attack."
        https://www.securityweek.com/atlassian-patches-high-severity-vulnerabilities-in-bamboo-confluence-jira/
      • Chrome 126 Updates Patch High-Severity Vulnerabilities
        "Google on Tuesday announced security updates for Chrome 126 that address ten vulnerabilities, including eight high-severity bugs reported by external researchers. Despite Google’s efforts to eliminate memory safety bugs in Chrome, most of the externally reported security defects are memory issues that could potentially lead to a sandbox escape and remote code execution."
        https://www.securityweek.com/chrome-126-updates-patch-high-severity-vulnerabilities/
      • Oracle Patches 240 Vulnerabilities With July 2024 CPU
        "Oracle on Tuesday announced 386 new security patches as part of its July 2024 Critical Patch Update (CPU), including over 260 for unauthenticated, remotely exploitable vulnerabilities. SecurityWeek has identified roughly 240 unique CVEs in Oracle’s July 2024 CPU. More than two dozen security patches resolve critical-severity flaws."
        https://www.securityweek.com/oracle-patches-240-vulnerabilities-with-july-2024-cpu/
      • The Potential Impact Of The OpenSSH Vulnerabilities CVE-2024-6387 And CVE-2024-6409
        "We check the OpenSSH vulnerabilities CVE-2024-6387 and CVE-2024-6409, examining their potential real-world impact and the possibility of exploitation for CVE-2024-6387 in x64 systems."
        https://www.trendmicro.com/en_us/research/24/g/cve-2024-6387-and-cve-2024-6409.html
      • CISA Adds Three Known Exploited Vulnerabilities To Catalog
        "CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
        CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
        CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
        CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability"
        https://www.cisa.gov/news-events/alerts/2024/07/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
      • Critical Splunk Vulnerability CVE-2024-36991: Patch Now To Prevent Arbitrary File Reads
        "The SonicWall Capture Labs threat research team became aware of an arbitrary file read vulnerability affecting Splunk Enterprise installations. Identified as CVE-2024-36991 and given a CVSSv3 score of 7.5, the vulnerability is more severe than it initially appeared. Labeled as a path traversal vulnerability and categorized as CWE-35, this vulnerability allows attackers to traverse the file system to access files or directories outside the restricted directory. Splunk software uses computer-generated data to track, scan, analyze and visualize it in real-time. It is used for business and web analytics, application management, compliance, and security."
        https://blog.sonicwall.com/en-us/2024/07/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads/
      • Attacking Connection Tracking Frameworks As Used By Virtual Private Networks
        "VPNs (Virtual Private Networks) have become an essential privacy-enhancing technology, particularly for at-risk users like dissidents, journalists, NGOs, and others vulnerable to targeted threats. While previous research investigating VPN security has focused on cryptographic strength or traffic leakages, there remains a gap in understanding how lower-level primitives fundamental to VPN operations, like connection tracking, might undermine the security and privacy that VPNs are intended to provide."
        https://petsymposium.org/popets/2024/popets-2024-0070.php
        https://petsymposium.org/popets/2024/popets-2024-0070.pdf

      Malware

      • Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP
        "Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API."
        https://thehackernews.com/2024/07/critical-apache-hugegraph-vulnerability.html
        https://www.securityweek.com/apache-hugegraph-vulnerability-exploited-in-wild/
      • Attacks On Israeli Orgs 'more Than Doubled' Since October 7, Cyber Researcher Says
        "Israeli organizations have seen a "dramatic increase" in cyberattacks since the October 7 terrorist attack, with some organizations experiencing a constant bombardment of intrusion attempts, according to military officials and cybersecurity researchers working in the country. Gil Messing, the chief of staff at Tel Aviv-based Check Point Software, told Recorded Future News that the cyberattacks on Israeli organizations are driven mostly by politically-motivated groups, such as hackers affiliated with Iran and Hezbollah as well as hacktivists."
        https://therecord.media/attacks-israeli-orgs-double
        https://www.darkreading.com/cloud-security/idf-has-rebuffed-3b-cloud-cyberattacks-since-oct-7-colonel-claims
        https://www.timesofisrael.com/idf-computer-chief-3-billion-cyber-attacks-against-israel-since-beginning-of-war/
      • FIN7 Reboot | Cybercrime Gang Enhances Ops With New EDR Bypasses And Automated Attacks
        "FIN7, an elusive and persistent financially motivated threat group with origins in Russia, has been active since 2012, targeting various industry sectors and causing substantial financial losses in industries such as hospitality, energy, finance, high-tech and retail."
        https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
        https://www.bleepingcomputer.com/news/security/notorious-fin7-hackers-sell-edr-killer-to-other-threat-actors/
        https://thehackernews.com/2024/07/fin7-group-advertises-security.html
        https://therecord.media/fin7-selling-avneutralizer-tool-darknet-cybercrime
        https://www.darkreading.com/endpoint-security/security-end-run-aukill-shuts-down-windows-reliant-edr-processes
      • Private HTS Program Continuously Used In Attacks
        "AhnLab SEcurity intelligence Center (ASEC) has previously covered a case where Quasar RAT was distributed through private home trading systems (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program“. The same threat actor has been continuously distributing malware, and attack cases have been confirmed even recently."
        https://asec.ahnlab.com/en/67969/
      • SEG Vs. SEG: How Threat Actors Are Pitting Email Security Products Against Each Other With Encoded URLs
        "Email security tools such as Secure Email Gateways (SEGs) often encode URLs that are embedded in emails. This enables the security appliance to scan the URL before the recipient visits the website. Oftentimes when SEGs detect URLs in emails that are already SEG encoded they do not scan the URLs, or the scanning shows only the security tool’s scanning page and not the actual destination. As a result, when an email already has SEG encoded URLs the recipient’s SEG often allows the email through without properly checking the embedded URLs."
        https://cofense.com/blog/seg-vs-seg-how-threat-actors-are-pitting-email-security-products-against-each-other/
        https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email
      • DPRK Hackers Tweak Malware To Lure MacOS Users Into Video Calls
        "Well known for targeting victims with fake job postings, North Korea state-sponsored hackers have been discovered using a new variant of their BeaverTail malware to trick macOS users into downloading a malicious version of Microtalk, a video-calling service. Details about the latest campaign were published by cybersecurity researcher Patrick Wardle, who explained in his writeup that the threat actors likely lured their victims into downloading the updated BeaverTail-infected version of Microtalk by asking them to join a job interview."
        https://www.darkreading.com/threat-intelligence/dprk-hackers-tweak-malware-to-lure-macos-users-into-video-calls
        https://objective-see.org/blog/blog_0x7A.html
        https://thehackernews.com/2024/07/north-korean-hackers-update-beavertail.html
      • Deep Dive: Exposing Stealthy New BlackSuit Ransomware
        "Five weeks ago, the KADOKAWA corporation began to experience service outages affecting multiple websites. The outages spread to other operations and were identified as a ransomware attack by the BlackSuit ransomware group. BlackSuit claimed responsibility and threatened the public release of stolen information on July 1st unless their ransom demands were met."
        https://www.deepinstinct.com/blog/deep-dive-exposing-stealthy-new-blacksuit-ransomware
      • Qilin Revisited: Diving Into The Techniques And Procedures Of The Recent Qilin Ransomware Attacks
        "Let’s revisit the Qilin ransomware group, which recently drew considerable attention due to an attack on the healthcare sector. The highest ransom demand they issued was $50 million during their assault on Synnovis, a pathology services provider. This attack had profound impacts on several key NHS hospitals in London. First identified in July 2022, Qilin has rapidly gained notoriety by launching its Ransomware-as-a-Service (RaaS) operations on underground forums as of February 2023."
        https://www.group-ib.com/blog/qilin-revisited/
        https://www.infosecurity-magazine.com/news/qilin-ransomwares-tactics-unveiled/
      • NullBulge | Threat Actor Masquerades As Hacktivist Group Rebelling Against AI
        "Between April and June 2024, the NullBulge group emerged targeting users in AI-centric application and gaming communities. The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms. Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause, rather than profit, other activities tied to this threat actor may indicate otherwise."
        https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
        https://www.infosecurity-magazine.com/news/nullbulge-anti-ai-hacktivist-group/
      • How To Analyze Malicious MSI Installer Files
        "Threat actors choose to use MSI installers to deliver and execute malicious payloads because these files can embed harmful executables and scripts within legitimate-looking packages, evading detection. They can abuse custom actions within MSI files to run malicious code during installation and configure the installers to download additional malware from remote servers. By masquerading as legitimate software, attackers trick users into executing these files."
        https://intezer.com/blog/incident-response/how-to-analyze-malicious-msi-installer-files/
      • Italian Government Agencies And Companies In The Target Of a Chinese APT
        "On June 24 and July 2, 2024, two targeted attacks on Italian companies and government entities were observed by a Chinese cyber actor exploiting a variant of the Rat 9002 in diskless mode. Other variants have over time been named as Rat 3102. These activities are associated with the APT17 group also known as "DeputyDog". The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link. Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of Rat 9002."
        https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng
        https://thehackernews.com/2024/07/china-linked-apt17-targets-italian.html
      • The Return Of Ghost Emperor’s Demodex
        "During Sygnia’s analysis of the forensic findings extracted from the victim’s environment, the team found strong resemblance to the multi-stage tool which was described in Kaspersky’s blog from 2021. However, our investigation yielded some alterations in the infection chain and a slightly different C++ DLL variant."
        https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
        https://therecord.media/ghostemperor-spotted-first-time-in-two-years

      Breaches/Hacks/Leaks

      • Over 400,000 Life360 User Phone Numbers Leaked Via Unsecured API
        "A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API. Known only by their 'emo' handle, they said the unsecured API endpoint used to steal the data provided an easy way to verify each impacted user's email address, name, and phone number. "When attempting to login to a life360 account on Android the login endpoint would return the first name and phone number of the user, this existed only in the API response and was not visible to the user," emo said."
        https://www.bleepingcomputer.com/news/security/over-400-000-life360-user-phone-numbers-leaked-via-unsecured-android-api/
      • Yacht Giant MarineMax Data Breach Impacts Over 123,000 People
        "MarineMax, self-described as the world's largest recreational boat and yacht retailer, is notifying over 123,000 individuals whose personal information was stolen in a March security breach claimed by the Rhysida ransomware gang. The company operates over 130 locations, including 83 dealerships and 66 marinas and storage facilities worldwide. Last year, it reported $2.39 billion in revenue and a $835.3 million gross profit."
        https://www.bleepingcomputer.com/news/security/yacht-giant-marinemax-data-breach-impacts-over-123-000-people/
        https://securityaffairs.com/165843/data-breach/marinemax-data-breach.html
      • Family Location Tracker App Life360 Breach: 443,000 Users’ Data Leaked
        "Life360, a popular family location tracker app, suffered a data breach affecting 443,000 users. Personal details, including first names and phone numbers, were leaked. Learn about the breach, potential risks, and protective measures."
        https://hackread.com/family-location-tracker-app-life360-breach-data-leak/
      • MNGI Digestive Health Data Breach Impacts 765,000 Individuals
        "MNGI Digestive Health is notifying over 765,000 individuals that their personal information was compromised in an August 2023 data breach. The incident occurred on August 20, 2023, but it took MNGI almost one year to determine that personal and protected health information was accessed."
        https://www.securityweek.com/mngi-digestive-health-data-breach-impacts-765000-individuals/
      • Hackers Claim Possession Of Four Million U Mobile User Data (Updated)
        "Recently, Bloomberg reported that local telco U Mobile may be getting bought out by fellow telco Maxis. So it’s probably not so good a time to also learn that a hacker has claimed to have breached the security system of the former, making away with personal data of about four million customers."
        https://www.lowyat.net/2024/326879/hackers-possession-u-mobile-data/

      General News

      • Overlooked Essentials: API Security Best Practices
        "In this Help Net Security, Ankita Gupta, CEO at Akto, discusses API security best practices, advocating for authentication protocols like OAuth 2.0 and OpenID Connect, strict HTTPS encryption, and the use of JWTs for stateless authentication."
        https://www.helpnetsecurity.com/2024/07/17/ankita-gupta-akto-api-security-best-practices/
      • Most GitHub Actions Workflows Are Insecure In Some Way
        "Most GitHub Actions are susceptible to exploitation; they are overly privileged or have risky dependencies, according to Legit Security."
        https://www.helpnetsecurity.com/2024/07/17/insecure-github-actions-workflows/
      • The Three Conversations Every CISO Needs To Have
        "A CISO needs to be many things. One of the most important, and possibly underestimated, is the need to be a good storyteller. It can be hard for non-technical senior managers to understand the cyber risks facing their organization. Just over a third (35%) of the smaller businesses surveyed for a recent international study said that senior managers don’t see cyberattacks as a significant risk — although a quarter admit that leaders aren’t kept up to date about threats facing the organization."
        https://blog.barracuda.com/2024/07/17/three-conversations-every-ciso-needs
        https://www.barracuda.com/reports/ciso-script
      • Ransomware Attacks Are Hitting Energy, Oil And Gas Sectors Especially Hard, Report Finds
        "Ransomware attacks are hitting energy and oil and gas sectors harder, costing utilities more in recovery time and funding as victims appear increasingly willing to pay ransom demands, according to a new report from the cybersecurity firm Sophos."
        https://cyberscoop.com/ransomware-energy-oil-gas-report/
        https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf
        https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/
      • INTERPOL Operation Strikes Major Blow Against West African Financial Crime
        "A global law enforcement operation targeting West African organized crime groups, including Black Axe, has led to hundreds of arrests, the seizure of assets worth USD 3 million, and the dismantling of multiple criminal networks around the world. Operation Jackal III, which ran from 10 April to 3 July across 21 countries on five continents, targeted online financial fraud and the West African syndicates behind it. The annual operation resulted in some 300 arrests, the identification of over 400 additional suspects, and the blocking of more than 720 bank accounts."
        https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-operation-strikes-major-blow-against-West-African-financial-crime
        https://therecord.media/interpol-operation-west-africa-cyber-fraud-300-arrested
        https://www.darkreading.com/cybersecurity-operations/west-african-crime-syndicate-taken-down-by-interpol-operation
        https://www.infosecurity-magazine.com/news/global-police-black-axe-cybercrime/
        https://cyberscoop.com/300-arrests-made-in-crackdown-of-west-african-cyber-fraud-group/
        https://www.securityweek.com/interpol-arrests-300-people-in-a-global-crackdown-on-west-african-crime-groups-across-5-continents/
      • Orgs Are Finally Making Moves To Mitigate GenAI Risks
        "Many enterprise security teams finally appear to be catching up with the runaway adoption of AI-enabled applications in their organizations, since the public release of ChatGPT 18 months ago. A new analysis by Netskope of anonymized AI app usage data from customer environments showed substantially more organizations have begun using blocking controls, data loss prevention (DLP) tools, live coaching, and other mechanisms to mitigate risk."
        https://www.darkreading.com/threat-intelligence/orgs-are-finally-making-moves-to-mitigate-genai-risks
        https://www.infosecurity-magazine.com/news/sensitive-data-sharing-genai/
      • Dark Web Shows Cybercriminals Ready For Olympics. Are You?
        "Major sporting events like the World Cup, Super Bowl, and Wimbledon attract millions, even billions, of viewers. Argentina’s shootout win over France in the final game of the Qatar 2022 World Cup reached a global audience of 1.5 billion viewers. And the Olympics, starting later this month in Paris, is the biggest of them all—with the 2020 Tokyo Olympics having attracted a worldwide audience of over 3 billion viewers."
        https://www.fortinet.com/blog/threat-research/dark-web-shows-cybercriminals-ready-for-olympics
        https://www.fortinet.com/resources/reports/fortirecon-threat-intelligence-report-summer-olympics
        https://www.infosecurity-magazine.com/news/paris-2024-olympics-face/
      • Ukraine Police Arrest Suspected Cybercriminals Accused Of Theft From Industrial Companies
        "Ukrainian law enforcement has arrested suspected cybercriminals accused of stealing from some of the country’s “leading industrial enterprises.” According to a cyber police report on Wednesday, the suspects infected employees’ computers with malicious software to gain remote access to their financial systems and changed their banking details to accounts controlled by the hackers."
        https://therecord.media/ukraine-police-arrest-suspected-cybercriminals-theft
      • The Biggest Data Breaches In 2024: 1 Billion Stolen Records And Rising
        "We’re over halfway through 2024, and already this year we have seen some of the biggest, most damaging data breaches in recent history. And just when you think that some of these hacks can’t get any worse, they do. From huge stores of customers’ personal information getting scraped, stolen and posted online, to reams of medical data covering most people in the United States getting stolen, the worst data breaches of 2024 to date have already surpassed at least 1 billion stolen records and rising. These breaches not only affect the individuals whose data was irretrievably exposed, but also embolden the criminals who profit from their malicious cyberattacks."
        https://techcrunch.com/2024/07/16/2024-in-data-breaches-1-billion-stolen-records-and-rising/

      References

      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA adds OSGeo GeoServer GeoTools vulnerability to the Known Exploited Vulnerabilities (KEV) catalog

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Critical vulnerability in Apache HugeGraph should be fixed as soon as possible

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • Ransomware groups target Veeam Backup

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • SEXi ransomware has rebranded as 'APT Inc.' but still uses the same methods

      Follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT