โพสต์ถูกสร้างโดย NCSA

Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับรายงานการใช้ประโยชน์จากช่องโหว่ที่มีความรุนแรงสูง ที่หมายเลข CVE-2024-4947 และ CVE-2024-5274 ที่ส่งผลกระทบต่อ Google Chrome อย่างต่อเนื่อง ช่องโหว่ดังกล่าวเกิดจากข้อผิดพลาด Type Confusion ในกลไก V8 JavaScript และยังส่งผลต่อเบราว์เซอร์ที่ใช้ Chromium อื่นๆ รวมถึง Microsoft Edge

การใช้ประโยชน์จากช่องโหว่ที่ประสบความสำเร็จอาจทำให้ผู้โจมตีสามารถดำเนินการโค้ดจากระยะไกลผ่านหน้า HTML ที่เป็นอันตรายที่สร้างขึ้น

• ช่องโหว่นี้ส่งผลต่อ Google Chrome เวอร์ชันก่อน 125.0.6422.112

แนะนำผู้ใช้งานและผู้ดูแลระบบเวอร์ชันผลิตภัณฑ์ที่ได้รับผลกระทบและเบราว์เซอร์ที่ใช้ Chromium อื่นๆ ควรอัปเดตเป็นเวอร์ชันล่าสุดทันที

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-057

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cyber Security Agency of Singapore (CSA)ได้เผยแพร่เกี่ยวกับการอัปเดตความปลอดภัยที่แก้ไขช่องโหว่ที่สำคัญในปลั๊กอิน WordPress หลายรายการ

ช่องโหว่ส่งผลกระทบต่อปลั๊กอินต่อไปนี้

• WordPress Copymatic – AI Content Writer & Generator: การใช้ประโยชน์จากช่องโหว่ที่ประสบความสำเร็จ (CVE-2024-31351) อาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถอัปโหลดไฟล์ตามอำเภอใจไปยังเว็บไซต์ รวมถึงแบ็คดอร์ เพื่อเข้าถึงได้ ช่องโหว่นี้มีคะแนน Common Vulnerability Scoring System (CVSSv3.1) สูงสุดที่ 10 เต็ม 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อนเวอร์ชัน 1.7
• Pie Register – การเข้าสู่ระบบไซต์โซเชียล (ส่วนเสริม): การใช้ประโยชน์จากช่องโหว่การบายพาสการรับรองความถูกต้อง (CVE-2024-4544) ที่ประสบความสำเร็จอาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถเข้าสู่ระบบในฐานะผู้ใช้หรือผู้ดูแลระบบที่มีอยู่บนเว็บไซต์ที่มีช่องโหว่ ช่องโหว่นี้มี CVSSv3 1 คะแนน 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 1.7.8
• แบบฟอร์มแฮช – เครื่องมือสร้างแบบฟอร์มแบบลากและวาง: การใช้ประโยชน์จากช่องโหว่ในการตรวจสอบประเภทไฟล์ (CVE-2024-5084) ที่ประสบความสำเร็จ อาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถอัปโหลดไฟล์ตามอำเภอใจไปยังไซต์ที่ได้รับผลกระทบ ส่งผลให้เกิดการเรียกใช้โค้ดจากระยะไกล ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 1.1.1
• ปลั๊กอิน CF7 แบบเลื่อนลงของประเทศ รัฐ เมือง: การใช้ประโยชน์จากช่องโหว่การแทรก SQL (CVE-2024-3495) ที่ประสบความสำเร็จ อาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถดึงข้อมูลที่ละเอียดอ่อนจากฐานข้อมูลของเว็บไซต์ที่ได้รับผลกระทบ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 2.7.3
• WPZOOM Addons สำหรับ Elementor (เทมเพลต, วิดเจ็ต): การใช้ประโยชน์จากช่องโหว่ที่ประสบความสำเร็จ (CVE-2024-5147) อาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถอัปโหลดและเรียกใช้ไฟล์ตามอำเภอใจบนเซิร์ฟเวอร์ ส่งผลให้สามารถเรียกใช้โค้ด PHP ที่เป็นอันตรายในไฟล์เหล่านั้นได้ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 1.1.38
• ปลั๊กอินไดเรกทอรีธุรกิจ – ไดเรกทอรีรายการอย่างง่าย: การใช้ประโยชน์จากช่องโหว่การแทรก SQL (CVE-2024-4443) ที่ประสบความสำเร็จอาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถดึงข้อมูลที่ละเอียดอ่อนจากฐานข้อมูลของเว็บไซต์ที่ได้รับผลกระทบ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อนเวอร์ชัน 6.4.3
• ปลั๊กอิน UserPro: การใช้ประโยชน์จากช่องโหว่ที่ประสบความสำเร็จ (CVE-2024-35700) อาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องเพิ่มระดับสิทธิ์และเข้าควบคุมเว็บไซต์ที่ได้รับผลกระทบได้เต็มรูปแบบ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 5.1.9
• ปลั๊กอินแบบฟอร์มติดต่อของ Fluent Forms: การใช้ประโยชน์จากช่องโหว่นี้ (CVE-2024-2771) ได้สำเร็จ อาจทำให้ผู้ที่ไม่ได้รับการรับรองความถูกต้องเพิ่มระดับสิทธิ์และเข้าควบคุมเว็บไซต์ที่ได้รับผลกระทบได้เต็มรูปแบบ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.8 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 5.1.17 มีรายงานว่าช่องโหว่ดังกล่าวถูกนำไปใช้ประโยชน์อย่างแข็งขัน
• ปลั๊กอิน Web Directory ฟรี: การใช้ประโยชน์จากช่องโหว่การแทรก SQL (CVE-2024-3552) ที่ประสบความสำเร็จอาจทำให้ผู้โจมตีที่ไม่ได้รับการรับรองความถูกต้องสามารถโต้ตอบโดยตรงกับฐานข้อมูลของเว็บไซต์ที่ได้รับผลกระทบ ซึ่งอาจนำไปสู่การขโมยข้อมูลได้ ช่องโหว่นี้มีคะแนน CVSSv3.1 อยู่ที่ 9.3 จาก 10 และส่งผลต่อเวอร์ชันของปลั๊กอินก่อน 1.7.0

แนะนำผู้ใช้งานและผู้ดูแลระบบของปลั๊กอิน WordPress เวอร์ชันที่ได้รับผลกระทบควรอัปเดตเป็นเวอร์ชันล่าสุดทันที

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-056

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• Research From Claroty's Team82 Highlights Remote Access Risks Facing Mission-Critical OT Assets
  "Claroty, the cyber-physical systems (CPS) protection company, today announced new proprietary data revealing that 13% of the most mission-critical operational technology (OT) assets have an insecure internet connection, and 36% of those contain at least one Known Exploited Vulnerability (KEV), making them both remotely accessible and readily exploitable entry points for threat actors to disrupt operations."
  https://www.darkreading.com/ics-ot-security/research-from-claroty-s-team82-highlights-remote-access-risks-facing-mission-critical-ot-assets
  https://claroty.com/resources/reports/an-open-door

New Tooling

• Introducing Nimfilt: A Reverse-Engineering Tool For Nim-Compiled Binaries
  "Available as both an IDA plugin and a Python script, Nimfilt helps to reverse engineer binaries compiled with the Nim programming language compiler by demangling package and function names, and applying structs to strings"
  https://www.welivesecurity.com/en/eset-research/introducing-nimfilt-reverse-engineering-tool-nim-compiled-binaries/
  https://github.com/eset/nimfilt

Vulnerabilities

• Cisco Releases May 2024 Cisco ASA, FMC, And FTD Software Security Publication
  "Cisco released a bundled publication for security advisories that address vulnerabilities in Cisco Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) software. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system."
  https://www.cisa.gov/news-events/alerts/2024/05/24/cisco-releases-may-2024-cisco-asa-fmc-and-ftd-software-security-publication
  https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75298

• Google Fixes Eighth Actively Exploited Chrome Zero-Day This Year
  "Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome browser confirmed to be actively exploited in the wild. The security issue was discovered internally by Google's Clément Lecigne and is tracked as CVE-2024-5274. It is a high-severity 'type confusion' in V8, Chrome's JavaScript engine responsible for executing JS code."
  https://www.bleepingcomputer.com/news/security/google-fixes-eighth-actively-exploited-chrome-zero-day-this-year/
  https://thehackernews.com/2024/05/google-detects-4th-chrome-zero-day-in.html
  https://www.darkreading.com/vulnerabilities-threats/google-discovers-fourth-zero-day-in-less-than-a-month
  https://www.securityweek.com/google-patches-fourth-chrome-zero-day-in-two-weeks/
  https://securityaffairs.com/163642/hacking/8th-chrome-zero-day-2024-html.html
  https://www.helpnetsecurity.com/2024/05/24/cve-2024-5274/

• Usage Of TLS In DDNS Services Leads To Information Disclosure In Multiple Vendors
  "The use of Dynamic DNS (DDNS) services embedded in appliances, such as those provided by vendors like Fortinet or QNAP, carries cybersecurity implications. It increases the discoverability of customer devices by attackers. Advisory on security impacts related to the use of TLS in proprietary vendor Dynamic DNS (DDNS) services."
  https://www.ush.it/2024/05/23/tls-ddns-multiple-vendor-information-disclosure/

Malware

• Potent Youth Cybercrime Ring Made Up Of 1,000 People, FBI Official Says
  "An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday. In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly."
  https://cyberscoop.com/potent-youth-cybercrime-ring-made-up-of-1000-people-fbi-official-says/

• Malware Transmutation! - Unveiling The Hidden Traces Of BloodAlchemy
  "This article examines the analysis of a malware called "BloodAlchemy" that we observed in an attack campaign. In October 2023, BloodAlchemy was named by Elastic Security Lab 1 as a new RAT (Remote Access Trojan). However, our investigation has revealed that BloodAlchemy is not an entirely new malware but an evolved version of Deed RAT, the successor to ShadowPad."
  https://blog-en.itochuci.co.jp/entry/2024/05/23/090000
  https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html

• A Catalog Of Hazardous AV Sites – A Tale Of Malware Hosting
  "In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files such as APK, EXE and Inno setup installer that includes Spy and Stealer capabilities. Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber-attacks. The hosted websites made to look legitimate are listed below."
  https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/
  https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html
  https://securityaffairs.com/163673/cyber-crime/fake-av-websites-distribute-malware.html

• Threat Actors Ride The Hype For Newly Released Arc Browser
  "Google Chrome has been the dominant web browser for years now, which is why it may come as a surprise to hear of a startup, not even based in Silicon Valley, called The Browser Company offering a new take on the “window to the internet”. The Arc browser has been available for MacOS since July 2023, but the Windows version was only released a couple of weeks ago. What’s unique is the hype around Arc, but also the glowing reviews it has earned in a relatively short time span."
  https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/
  https://www.bleepingcomputer.com/news/security/arc-browsers-windows-launch-targeted-by-google-ads-malvertising/

• CERT-UA Warns: Ukrainian Finances Targeted With SmokeLoader Malware
  "The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a sharp increase in cyberattacks, associated with the financially-motivated threat actor UAC-0006. Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware."
  https://cip.gov.ua/en/news/cert-ua-poperedzhaye-pro-zbilshennya-kilkosti-kiberatak-proti-bukhgalteriv
  https://securityaffairs.com/163711/cyber-warfare-2/cert-ua-warns-uac-0006-massive-campaigns.html

Breaches/Hacks/Leaks

• PCTattletale Leaks Victims' Screen Recordings To Entire Internet
  "PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target's browser."
  https://www.ericdaigle.ca/pctattletale-leaking-screen-captures/
  https://www.bleepingcomputer.com/news/security/hacker-defaces-spyware-apps-site-dumps-database-and-source-code/

• Cencora Data Breach Exposes US Patient Info From 11 Drug Companies
  "Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, whom they partner with for pharmaceutical and business services. Cencora, formerly AmerisourceBergen, is a pharmaceutical services provider specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support."
  https://www.bleepingcomputer.com/news/security/cencora-data-breach-exposes-us-patient-info-from-11-drug-companies/

• New York's Albany County Investigating 'cybersecurity Breach' Ahead Of Holiday Weekend
  "Officials in New York’s state capital region said they are investigating a cyberattack ahead of the Memorial Day weekend. Albany County Executive Daniel McCoy told Recorded Future News in a statement that they are working with the state Division of Homeland Security and the Emergency Services Cyber Incident Response Team after discovering the potential issue in county networks."
  https://therecord.media/albany-county-new-york-government-cybersecurity-incident

• Indian Military & Police Biometrics Exposed In Data Breach
  "Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained over 1.6 million documents belonging to an Indian leading provider of biometric authentication solutions, with offices in the USA and Australia. The exposed records included the biometric identity information of members of the police, army, teachers, and railway workers. In parallel, it appeared that the data might have been for sale on a dark web related Telegram group."
  https://www.websiteplanet.com/news/india-biometric-breach-report/
  https://www.hackread.com/data-leak-indian-police-military-biometric-data/

General News

• Despite Increased Budgets, Organizations Struggle With Compliance
  "Only 40% of organizations feel fully prepared to meet the compliance demands of rising cybersecurity regulations, according to a new Swimlane report. Organizations still feel unprepared for new regulations despite 93% of organizations rethinking their strategies and 92% increasing budgets."
  https://www.helpnetsecurity.com/2024/05/24/organizations-cybersecurity-compliance-demands-readiness/

• Worried About Job Security, Cyber Teams Hide Security Incidents
  "The frequency and severity of cyberattacks are increasing—yet most businesses remain unprepared, according to VikingCloud. Between a growing talent shortage, alert fatigue, and new sophisticated attack methods, companies are more susceptible than ever."
  https://www.helpnetsecurity.com/2024/05/24/cyber-teams-major-challenges/

• Effective GRC Programs Rely On Team Collaboration
  "One in three organizations are not currently able to proactively identify, assess, and mitigate risk with their GRC program, nor are they able to ensure compliance with regulations and frameworks – both key aspects of a mature, holistic GRC program, according to LogicGate’s 2024 GRC Strategies, Teams and Outcomes Report."
  https://www.helpnetsecurity.com/2024/05/24/grc-program-spending/

• When 'No' & 'Good Enough' Challenge Cybersecurity
  "In the realm of cybersecurity, the path to securing necessary resources often is strewn with obstacles, chief among them hearing the word "no." This response is not just about budgets, although financial constraints play a significant role; it's also about convincing leadership of the indispensable value of comprehensive cyber defense strategies. The reality is, every chief information security officer (CISO) will, at some point, face pushback — be it from a chief financial officer (CFO) who is skeptical about the return on investment of a new cyber platform, or a CEO who underestimates the vulnerability of the enterprise, believing a "good enough" EDR or SIEM solution will suffice."
  https://www.darkreading.com/vulnerabilities-threats/when-no-and-good-enough-challenge-cybersecurity

• DevOps Dilemma: How Can CISOs Regain Control In The Age Of Speed?
  "The infamous Colonial pipeline ransomware attack (2021) and SolarWinds supply chain attack (2020) were more than data leaks; they were seismic shifts in cybersecurity. These attacks exposed a critical challenge for Chief Information Security Officers (CISOs): holding their ground while maintaining control over cloud security in the accelerating world of DevOps."
  https://thehackernews.com/2024/05/devops-dilemma-how-can-cisos-regain.html

อ้างอิง
Electronic Transactions Development Agency(ETDA)

SIM swap fraud continues to cause substantial financial losses for both consumers and financial institutions, undermining the integrity of the financial ecosystem. According to the FBI’s IC3 Report, the U.S. saw 1,075 reported incidents, resulting in losses totaling $48.7 million. In the United Arab Emirates, the banking industry has incurred considerable losses from this fraud scheme. The syndicate behind this fraud was well-organized, diligent and sophisticated. As one of the leading banks in the UAE, we worked closely with law enforcement agencies, conducted sting operations and helped apprehend nearly two dozen syndicate members, but we failed to reach the top layer of the syndicate. This incident remains one of the few cases in my career where we could not apprehend the key leaders behind the SIM swap fraud.

ที่มาแหล่งข่าว
https://www.databreachtoday.com/blogs/strategic-approach-to-stopping-sim-swap-fraud-p-3628

Google on Thursday rolled out a fresh Chrome update to address another exploited vulnerability in the popular web browser, the fourth zero-day to be patched in two weeks. Tracked as CVE-2024-5274, the high-severity flaw is described as a type confusion in the V8 JavaScript and WebAssembly engine. “Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the internet giant noted in an advisory. The company shared no details on the bug itself, nor on the in-the-wild exploitation, but credited Clement Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security for reporting the flaw. No bug bounty reward will be handed out for the discovery.

ที่มาแหล่งข่าว
https://www.securityweek.com/google-patches-fourth-chrome-zero-day-in-two-weeks/

Security researchers have revealed a series of criminal campaigns that exploit cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage. These campaigns, driven by unnamed threat actors, aim to redirect users to malicious websites to steal their information using SMS messages. According to a technical write-up published by Enea today, the attackers have two primary goals. First, they want to ensure that scam text messages are delivered to mobile handsets without detection by network firewalls. Second, they seek to convince end users that the messages or links they receive are trustworthy. By leveraging cloud storage platforms to host static websites with embedded spam URLs, attackers make their messages appear legitimate and avoid common security measures. Cloud storage services allow organizations to store and manage files and host static websites by storing website assets in a storage bucket. Cybercriminals have exploited this capability by embedding spam URLs in static websites stored on these platforms.

ที่มาแหล่งข่าว
https://www.infosecurity-magazine.com/news/cloud-storage-exploited-sms/

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่ข้อมูลการเพิ่มช่องช่องโหว่ใหม่ 1 รายการใน Known Exploited Vulnerabilities Catalog โดยอิงตามหลักฐานของการแสวงหาผลประโยชน์ที่ยังดำเนินอยู่

• CVE-2020-17519 Apache Flink Improper Access Control Vulnerability

ช่องโหว่ประเภทนี้ส่วนใหญ่เป็นเวกเตอร์การโจมตี สำหรับผู้โจมตีทางไซเบอร์ที่เป็นอันตราย และก่อให้เกิดความเสี่ยงอย่างมากต่อองค์กรของรัฐบาลกลาง ซึ่งBinding Operational Directive (BOD) 22-01: การลดความเสี่ยงที่มีนัยสำคัญของช่องโหว่ที่ถูกใช้ประโยชน์ ได้สร้างแคตตาล็อกช่องโหว่ที่ทราบที่เจาะจงเป็นรายการที่มีอยู่ของช่องโหว่และความเสี่ยงทั่วไปที่รู้จัก (CVEs) ซึ่งมีความเสี่ยงที่สำคัญต่อองค์กรของรัฐบาลกลาง BOD 22-01 กำหนดให้หน่วยงาน FCEB แก้ไขช่องโหว่ที่ระบุภายในวันที่กำหนดเพื่อป้องกันเครือข่าย FCEB จากภัยคุกคามที่ทำงานอยู่
ทั้งนี้ CISA แนะนำให้ทุกองค์กรลดความเสี่ยงต่อการถูกโจมตีทางไซเบอร์ ให้ความสำคัญกับการแก้ไขช่องโหว่ของ Catalog อย่างทันท่วงที อ่านคำแนะนำฉบับเต็มได้ที่
https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-adds-one-known-exploited-vulnerability-catalog

อ้างอิง
https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-adds-one-known-exploited-vulnerability-catalog

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่คำแนะนำเกี่ยวกับระบบควบคุมอุตสาหกรรม(ICS) 1 รายการ เมื่อวันที่ 23 พฤษภาคม 2567 คำแนะนำเหล่านี้ให้ข้อมูลที่ทันท่วงทีเกี่ยวกับปัญหาด้านความปลอดภัยช่องโหว่ และช่องโหว่ที่อยู่รอบ ๆ ICS ในปัจจุบัน มีดังต่อไปนี้

• ICSA-24-144-01 AutomationDirect Productivity PLCs

ทั้งนี้ CISA สนับสนุนให้ผู้ใช้และผู้ดูแลระบบตรวจสอบคำแนะนำ ICS ที่เผยแพร่ใหม่สำหรับรายละเอียดทางเทคนิคและการบรรเทาผลกระทบ รายละเอียดเพิ่มเติมที่ https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-releases-one-industrial-control-systems-advisory

อ้างอิง
https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-releases-one-industrial-control-systems-advisory

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Industrial Sector

• AutomationDirect Productivity PLCs
  "Successful exploitation of these vulnerabilities could lead to remote code execution and denial of service."
  https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01

Vulnerabilities

• High-Severity GitLab Flaw Lets Attackers Take Over Accounts
  "GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks. The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages."
  https://www.bleepingcomputer.com/news/security/high-severity-gitlab-flaw-lets-attackers-take-over-accounts/
  https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/

• WordPress Unauthenticated Arbitrary SQL Execution Vulnerability
  "The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability –an SQL injection in the WordPress plugin Automatic by ValvePress – assessed its impact and developed mitigation measures for it. Around ~38k active users have installed this premium plugin. The issue allows trivial SQL injection attacks against the plugin user’s authentication process, which could allow WordPress website takeovers. The SQL vulnerability is identified as CVE-2024-27956 and was assigned a critical CVSSv3 score of 9.9. Considering the sizeable user base, low attack complexity, and publicly available exploit code, including a simple SQL query, WordPress users are strongly encouraged to upgrade their instances to the latest or automatic plugin version above 3.92.1 with utmost priority."
  https://blog.sonicwall.com/en-us/2024/05/wordpress-unauthenticated-arbitrary-sql-execution-vulnerability/

• CISA Adds One Known Exploited Vulnerability To Catalog
  "CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation."
  https://www.cisa.gov/news-events/alerts/2024/05/23/cisa-adds-one-known-exploited-vulnerability-catalog
  https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.html
  https://www.theregister.com/2024/05/24/apache_flink_flaw_cisa/

• The Risk In Malicious AI Models: Wiz Research Discovers Critical Vulnerability In AI-As-a-Service Provider, Replicate
  "Wiz Research has conducted a series of investigations into leading AI-as-a-service providers in recent months. In the course of that work, we have discovered critical vulnerabilities that could have led to the leakage of millions of private AI models and apps. The first installment in that series was done in partnership with the Hugging Face team. Now, in this second installment, we will detail a vulnerability in the Replicate AI platform."
  https://www.wiz.io/blog/wiz-research-discovers-critical-vulnerability-in-replicate
  https://www.darkreading.com/cloud-security/critical-flaw-in-replicate-ai-platform-exposes-customer-models-proprietary-data

• A Journey Into Forgotten Null Session And MS-RPC Interfaces
  "It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessions for gathering domain users through techniques such as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other entities within the domain. To enumerate them, the attacker used MS-RPC interfaces to make some calls and collect information from the remote host."
  https://securelist.com/no-auth-domain-information-enumeration/112629/

Malware

• JAVS Courtroom Recording Software Backdoored In Supply Chain Attack
  "Attackers have backdoored the installer of widely used Justice AV Solutions (JAVS) courtroom video recording software with malware that lets them take over compromised systems. The company behind this software, also known as JAVS, says the digital recording tool currently has over 10,000 installations in many courtrooms, legal offices, correctional facilities, and government agencies worldwide."
  https://www.bleepingcomputer.com/news/security/javs-courtroom-recording-software-backdoored-in-supply-chain-attack/
  https://www.darkreading.com/cyberattacks-data-breaches/courtroom-recording-platform-javs-hijacked-for-supply-chain-attack
  https://therecord.media/courtroom-recording-software-compromised-backdoor
  https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/

• Microsoft Spots Gift Card Thieves Using Cyber-Espionage Tactics
  "Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. The FBI previously warned about Storm-0539's (aka "Ant Lion") activities earlier this month, highlighting the threat group's advanced techniques in conducting gift card theft and fraud, stating that their tactics resemble state-sponsored hackers and sophisticated cyberespionage actors."
  https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-thieves-using-cyber-espionage-tactics/
  https://news.microsoft.com/wp-content/uploads/prod/sites/626/2024/05/Cyber_Signals_Issue_7_May_2024.pdf
  https://therecord.media/morocco-cybercriminals-cashing-in-gift-cards
  https://www.darkreading.com/threat-intelligence/new-gift-card-scam-targets-retailers-not-buyers-to-print-endless-money
  https://cyberscoop.com/moroccan-cybercrime-group-impersonates-nonprofits-and-abuses-cloud-services-to-rake-in-gift-card-cash/

• Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set To Target Governmental Entities In The Middle East, Africa And Asia
  "A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022. An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers."
  https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
  https://thehackernews.com/2024/05/inside-operation-diplomatic-specter.html
  https://www.darkreading.com/threat-intelligence/china-apt-stole-geopolitical-secrets-from-middle-east-africa-and-asia
  https://www.bankinfosecurity.com/active-chinese-cyberespionage-campaign-rifling-email-servers-a-25304

• Chinese Espionage Campaign Expands To Target Africa And The Caribbean
  "Check Point Research (CPR) sees an ongoing cyber espionage campaign focuses on targeting governmental organizations in Africa and the Caribbean. Attributed to a Chinese threat actor Sharp Dragon (formerly Sharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools. This refined approach suggests a deeper understanding of their targets."
  https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/
  https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/
  https://thehackernews.com/2024/05/new-frontiers-old-tactics-chinese-cyber.html

• Beware Of HTML Masquerading As PDF Viewer Login Pages
  "Phishing attacks have evolved into increasingly sophisticated schemes designed to trick users into revealing their personal information. One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. In this blog post, we will explore the intricacies of these phishing scams, how they operate, and the steps you can take to protect yourself from falling victim to them."
  https://www.forcepoint.com/blog/x-labs/html-phishing-pdf-viewer-login-apac

• Exploiting The Cloud: How SMS Scammers Are Using Amazon, Google And IBM Cloud Services To Steal Customer Data
  "A number of criminal campaigns that exploit cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage, have recently come to Enea’s attention. Threat actors are using these storage platforms to redirect users to malicious websites, with the ultimate objective of stealing their information, and it all starts with the humble SMS."
  https://www.enea.com/insights/exploiting-the-cloud-how-sms-scammers-are-using-amazon-google-and-ibm-cloud-services-to-steal-customer-data/
  https://www.infosecurity-magazine.com/news/cloud-storage-exploited-sms/

• ShrinkLocker: Turning BitLocker Into Ransomware
  "Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL."
  https://securelist.com/ransomware-abuses-bitlocker/112643/
  https://www.theregister.com/2024/05/23/ransomware_abuses_microsoft_bitlocker/

• Uncovering An Undetected KeyPlug Implant Attacking Industries In Italy
  "APT41, known by numerous aliases such as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns."
  https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/
  https://securityaffairs.com/163598/apt/apt41-keyplug-targets-italian-industries.html

• Infiltrating Defenses: Abusing VMware In MITRE’s Cyber Intrusion
  "This is the third and final blog post in a series detailing MITRE’s encounter with a state-sponsored cyber threat actor in our research and experimentation network, NERVE. It builds upon the insights shared in our April 19, 2024 post, “Advanced Cyber Threats Impact Even the Most Prepared” and May 3, 2024 post “Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion”. We continue to work across MITRE, including our Information Security Team, to help all security teams understand and defend against this threat."
  https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
  https://www.securityweek.com/vmware-abused-in-recent-mitre-hack-for-persistence-evasion/

• ESXi Ransomware Attacks: Evolution, Impact, And Defense Strategy
  "In recent years, Sygnia’s Incident Response team has seen a steady increase in ransomware attacks targeting virtualized environments, particularly against VMware ESXi infrastructure. Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse."
  https://www.sygnia.co/blog/esxi-ransomware-attacks/
  https://thehackernews.com/2024/05/ransomware-attacks-exploit-vmware-esxi.html

Breaches/Hacks/Leaks

• National Records Of Scotland Data Breached In NHS Cyber-Attack
  "National Records of Scotland (NRS) has revealed that sensitive personal data it holds was accessed and published as a result of the ransomware attack on NHS Dumfries and Galloway. The NRS data was part of 3TB of data published by cybercriminals on the dark web on May 6. The Scottish Government agency, which stores demographic and census records such as births, deaths and marriages, said it identified a small number of cases where there was sensitive information held temporarily on the network at the time of the attack, which was first reported in March 2024."
  https://www.infosecurity-magazine.com/news/records-scotland-data-nhs-attack/

• 55,000 Impacted By Cyberattack On California School Association
  "The Association of California School Administrators (ACSA) is informing nearly 55,000 individuals that their information may have been compromised as a result of a cyberattack. ACSA describes itself as the largest umbrella association for school leaders in the United States, serving more than 17,000 California educators, including superintendents, principals, vice-principals, and classified managers."
  https://www.securityweek.com/55000-impacted-by-cyberattack-on-california-school-association/

• 400,000 Impacted By CentroMed Data Breach
  "San Antonio-based healthcare provider El Centro Del Barrio (which operates as CentroMed) is informing 400,000 patients that their personal and protected health information was compromised in a recent cyberattack. The data breach was discovered on May 1, 2024, after a threat actor gained access to the organization’s network on April 30, CentroMed said in an incident notice (PDF) on its website."
  https://www.securityweek.com/400000-impacted-by-centromed-data-breach/

General News

• Ransomware Fallout: 94% Experience Downtime, 40% Face Work Stoppage
  "Within the last 12 months, 48% of organizations identified evidence of a successful breach within their environment, according to Arctic Wolf. To fully understand the gravity of this statistic, it is important to understand that, although 48% of these environments found evidence of a data breach, that does not inversely mean that 52% of organizations did not suffer a breach. Instead, it should be more accurately stated that the remaining 52% did not identify indicators of a breach within their environment."
  https://www.helpnetsecurity.com/2024/05/23/ransomware-attacks-data-exfiltration/

• Machine Identities Lack Essential Security Controls, Pose Major Threat
  "Siloed approaches to securing human and machine identities are driving identity-based attacks across enterprises and their ecosystems, according to CyberArk. The CyberArk 2024 Identity Security Threat Landscape Report was conducted across private and public sector organizations of 500 employees and above."
  https://www.helpnetsecurity.com/2024/05/23/machine-identities-security-threat/

• How Apple Wi-Fi Positioning System Can Be Abused To Track People Around The Globe
  "Academics have suggested that Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare. In a paper titled, "Surveilling the Masses with Wi-Fi-Based Positioning Systems," Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how the design of Apple's WPS facilitates mass surveillance, even of those not using Apple devices."
  https://www.theregister.com/2024/05/23/apple_wifi_positioning_system/
  https://www.cs.umd.edu/~dml/papers/wifi-surveillance-sp24.pdf

• New Mindset Needed For Large Language Models
  "As a seasoned security architect, I've started to see the adoption of large language models (LLMs) across industries. Working with a diverse range of clients, from startups to Fortune 500 companies, I've witnessed firsthand the excitement and challenges that come with this transformative technology. One trend that's been keeping me up at night is the potential for LLMs to be exploited in increasingly sophisticated ways."
  https://www.darkreading.com/cybersecurity-operations/new-mindset-needed-for-large-language-models

• Persistent Burnout Is Still a Crisis In Cybersecurity
  "Dr. Ryan Louie, a psychiatrist focused on the intersection of cybersecurity and mental health, recalls a valuable lesson from his medical student days that cybersecurity practitioners may find relevant: "During one of my clinical clerkships at the hospital, our team's attending physician on the first day of the rotation highlighted that we are a team and that everyone should feel free to say whenever they feel they have too much on their plate or if they need any help. And that medical students and residents on the team should not worry about impacts to their evaluation. There was genuine psychological safety," he says."
  https://www.darkreading.com/cybersecurity-careers/persistent-burnout-is-still-a-crisis-in-cybersecurity

• The Real Danger Lurking In The NVD Backlog
  "On February 12, 2024, the NIST National Vulnerability Database (NVD) began slowing the processing and enrichment of new vulnerabilities. Since that date, 12,720 new vulnerabilities and counting have been added to NVD but 11,885 have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability. By February 15, the NVD website announced that users might experience "delays in analysis efforts.""
  https://vulncheck.com/blog/nvd-backlog-exploitation
  https://www.infosecurity-magazine.com/news/nvd-exploited-vulnerabilities/

• **Google Guru Roasts Useless Phishing Tests, Calls For Fire Drill-Style Overhaul
  *** "A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit. Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill."
  https://www.theregister.com/2024/05/23/google_phishing_tests/

• Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats In 2024
  "Flashpoint is observing that Russian advanced persistent threat (APT) groups are evolving their tactics, techniques, and procedures (TTPs)—while also expanding their targeting. They are using new spear-phishing campaigns to exfiltrate data and credentials by delivering malware sold on illicit marketplaces. Flashpoint identified the following Russian APT groups have engaged in recent campaigns, listing the malware strains used in attributed attacks and their intended targets:"
  https://flashpoint.io/blog/russian-apt-groups-cyber-threats/

อ้างอิง
Electronic Transactions Development Agency(ETDA)

Industrial Sector

• Exploiting Honeywell ControlEdge VirtualUOC
  "Team82 has researched Honeywell ControlEdge Virtual Unit Operations Center (UOC) and found multiple vulnerabilities in the EpicMo protocol implementation within ControlEdge Virtual UOC instances. These vulnerabilities are exploitable and can lead to unauthenticated remote code execution."
  https://claroty.com/team82/research/exploiting-honeywell-controledge-virtualuoc
  https://www.securityweek.com/critical-vulnerability-in-honeywell-virtual-controller-allows-remote-code-execution/

New Tooling

• Authelia: Open-Source Authentication And Authorization Server
  "Authelia is an open-source authentication and authorization server that offers 2FA and SSO for applications through a web portal. It works alongside reverse proxies to permit, deny, or redirect requests."
  https://www.helpnetsecurity.com/2024/05/22/authelia-open-source-authentication-authorization-server/
  https://github.com/authelia/authelia

Vulnerabilities

• Critical Netflix Genie Bug Opens Big Data Orchestration To RCE
  "A critical vulnerability in the open source version of Netflix' Genie job orchestration engine for big data applications gives remote attackers a way to potentially execute arbitrary code on systems running affected versions of the software. The bug, designated as CVE-2024-4701, carries a near-max critical score of 9.9 out of 10 on the CVSS vulnerability-severity scale. It attacks organizations running their own instance of Genie OSS, using the underlying local file system to upload and store user-submitted file attachments."
  https://www.darkreading.com/application-security/netflix-fixes-critical-vulnerability-on-big-data-orchestration-service
  https://github.com/Netflix/genie/security/advisories/GHSA-wpcv-5jgp-69f3

• Critical Vulnerability Patched In UserPro Plugin
  "This plugin suffers from an unauthenticated account takeover vulnerability. This allows any unauthenticated users to change the password of any users with certain conditions. The described vulnerability was fixed in version 5.1.9 and assigned CVE-2024-35700."
  https://patchstack.com/articles/critical-vulnerability-patched-in-userpro-plugin/
  https://www.infosecurity-magazine.com/news/userpro-plugin-flaw-allows-account/

• Ivanti Patches Critical Code Execution Vulnerabilities In Endpoint Manager
  "IT software company Ivanti on Tuesday announced patches for several products, including fixes for critical vulnerabilities in Endpoint Manager (EPM). Six out of the ten security defects resolved in EPM are critical-severity SQL Injection bugs that could allow an unauthenticated attacker on the network to execute arbitrary code, Ivanti says."
  https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnerabilities-in-endpoint-manager/
  https://forums.ivanti.com/s/article/KB-Security-Advisory-EPM-May-2024

• Chrome 125 Update Patches High-Severity Vulnerabilities
  "Google on Tuesday announced a Chrome 125 update that resolves six vulnerabilities, including four high-severity bugs reported by external researchers. The first issue, tracked as CVE-2024-5157, is a use-after-free flaw in Scheduling that was reported by Looben Yang a month ago. The researcher received an $11,000 bug bounty reward for the discovery."
  https://www.securityweek.com/chrome-125-update-patches-high-severity-vulnerabilities/

• Beware – Your Customer Chatbot Is Almost Certainly Insecure: Report
  "Customer chatbots built on top of general purpose gen-AI engines are proliferating. They are easy to develop but hard to secure. In January 2024, Ashley Beauchamp ‘tricked’ DPD’s chatbot into behaving unconventionally. The chatbot told him how bad DPD’s service is, swore, and even composed a disparaging haiku about its owner:"
  https://www.securityweek.com/beware-your-customer-chatbot-is-almost-certainly-insecure-report/
  https://www.immersivelabs.com/wp-content/uploads/2024/05/Study_Dark_Side_of_GenAI.pdf

• This Undisclosed WhatsApp Vulnerability Lets Governments See Who You Message
  "In March, WhatsApp’s security team issued an internal warning to their colleagues: Despite the software’s powerful encryption, users remained vulnerable to a dangerous form of government surveillance. According to the previously unreported threat assessment obtained by The Intercept, the contents of conversations among the app’s 2 billion users remain secure. But government agencies, the engineers wrote, were “bypassing our encryption” to figure out which users communicate with each other, the membership of private groups, and perhaps even their locations."
  https://theintercept.com/2024/05/22/whatsapp-security-vulnerability-meta-israel-palestine/

Malware

• Positive Technologies Detects a Series Of Attacks Via Microsoft Exchange Server
  "While responding to an incident, the Incident Response team of Positive Technologies Expert Security Center (PT ESC) discovered an unknown keylogger embedded in the main Microsoft Exchange Server page of one of our customers. This keylogger was collecting account credentials into a file accessible via a special path from the internet. The team identified over 30 victims, most of whom were linked to government agencies across various countries. According to our data, the first compromise occurred in 2021. Without additional data, we can't attribute these attacks to a specific group; however, most victims are located in Africa and the Middle East."
  https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/positive-technologies-detects-a-series-of-attacks-via-microsoft-exchange-server/
  https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
  https://securityaffairs.com/163521/breaking-news/microsoft-exchange-server-flaws-attacks.html

• IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks To Raise Cost On Defenders
  "Mandiant Intelligence is tracking a growing trend among China-nexus cyber espionage operations where advanced persistent threat (APT) actors utilize proxy networks known as “ORB networks” (operational relay box networks) to gain an advantage when conducting espionage operations. ORB networks are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end of life or unsupported by their manufacturers."
  https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
  https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/
  https://www.darkreading.com/cybersecurity-operations/chinese-orb-networks-conceal-apts-make-tracking-iocs-irrelevant
  https://www.infosecurity-magazine.com/news/chinese-apt-orb-networks/
  https://www.bankinfosecurity.com/chinese-cyber-espionage-groups-tied-to-orb-network-attacks-a-25292
  https://cyberscoop.com/china-hacking-operational-relay-box-networks/

• Deep Dive Into Unfading Sea Haze: A New Threat Actor In The South China Sea
  "In a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China Sea countries revealed a previously unknown threat actor. We've designated this group "Unfading Sea Haze" based on their persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests."
  https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/
  https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/
  https://therecord.media/chinese-hackers-compromising-south-china-sea-targets
  https://thehackernews.com/2024/05/researchers-warn-of-chinese-aligned.html
  https://www.bankinfosecurity.com/unfading-sea-haze-apt-targeting-south-china-sea-governments-a-25289
  https://www.hackread.com/unfading-sea-haze-military-target-south-china-sea/

• Transparent Tribe Targets Indian Government, Defense, And Aerospace Sectors Leveraging Cross-Platform Programming Languages
  "As part of our continuous hunting efforts across the Asia-Pacific region, BlackBerry discovered Pakistani-based advanced persistent threat group Transparent Tribe (APT36) targeting the government, defense and aerospace sectors of India. This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist."
  https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors
  https://www.bankinfosecurity.com/pakistani-aligned-apt36-targets-indian-defense-organizations-a-25296

• From Trust To Trickery: Brand Impersonation Over The Email Attack Vector
  "Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands."
  https://blog.talosintelligence.com/from-trust-to-trickery-brand-impersonation/

• Behind The Advisory: Decoding Apple’s Alert And Spyware Dilemma
  "On April 10, 2024, Apple issued an advisory regarding threat notifications and defense against mercenary spyware attacks affecting iPhone users in 92 countries. The advisory also noted that, based on public reports and research conducted by civil society organizations, technology companies, and journalists, attacks of such extraordinary cost and complexity have typically been linked to state actors or private companies that create mercenary spyware for them, like Pegasus from the NSO Group. This announcement has attracted widespread attention and media coverage worldwide."
  https://www.cloudsek.com/blog/behind-the-advisory-decoding-apples-alert-and-spyware-dilemma
  https://www.hackread.com/threat-actors-spoofing-pegasus-spyware-fake-code/

• Stealers, Stealers And More Stealers
  "Stealers are a prominent threat in the malware landscape. Over the past year we published our research into several stealers (see here, here and here), and for now, the trend seems to persist. In the past months, we wrote several private reports on stealers as we discovered Acrid (a new stealer), ScarletStealer (another new stealer) and Sys01, which had been updated quite a bit since the previous public analysis."
  https://securelist.com/crimeware-report-stealers/112633/

Breaches/Hacks/Leaks

Criminal Record Database Of Millions Of Americans Dumped Online
"A cybercriminal going by the names of EquationCorp and USDoD has released an enormous database containing the criminal records of millions of Americans. The database is said to contain 70 million rows of data."
https://www.malwarebytes.com/blog/news/2024/05/criminal-record-database-of-millions-of-americans-dumped-online

• Spyware Found On US Hotel Check-In Computers
  "A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned. The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users."
  https://techcrunch.com/2024/05/22/spyware-found-on-hotel-check-in-computers/

General News

• Outsourcing Security Without Increasing Risk
  "The growing number of cybersecurity incidents and wave of data privacy laws and regulations combined is behind the current boost in demand for cybersecurity. Consider a recent survey from management consulting firm McKinsey that forecasts a 13% annual increase in cybersecurity spending through at least 2025."
  https://www.darkreading.com/cybersecurity-operations/outsourcing-security-without-increasing-risk

• Picking The Right Database Tech For Cybersecurity Defense
  "Modern cybersecurity technologies produce massive quantities of data, which requires rethinking how to store and manage all the different types of information being generated. Many cybersecurity platforms are increasingly relying on one of two database technologies — graph or streaming databases — to efficiently represent and query databases of threat indicators, asset inventories, and other critical cybersecurity information."
  https://www.darkreading.com/cybersecurity-analytics/picking-right-database-tech-cybersecurity-defense

• CEOs Accelerate GenAI Adoption Despite Workforce Resistance
  "CEOs are facing workforce, culture and governance challenges as they act quickly to implement and scale generative AI across their organizations, according to IBM. The annual global study of 3,000 CEOs from over 30 countries and 26 industries found that 64% of those surveyed say succeeding with generative AI will depend more on people’s adoption than the technology itself. However, 61% of respondents say they are pushing their organization to adopt generative AI more quickly than some people are comfortable with."
  https://www.helpnetsecurity.com/2024/05/22/ceos-generative-ai-adoption/

• Technological Complexity Drives New Wave Of Identity Risks
  "Security leaders are facing increased technological and organizational complexity, which is creating a new wave of identity risks for their organizations, according to ConductorOne."
  https://www.helpnetsecurity.com/2024/05/22/identity-risks-complexity-for-organizations/

• Top 7 Cybersecurity Trends For Enterprises In 2024
  "How can an organization prepare to be cyber-resilient in 2024? The major trends to look out for seem to focus mainly on AI. While the rise of generative AI indeed poses challenges, executives should be cautious not to miss other critical trends that will shape the cybersecurity landscape this year."
  https://www.tripwire.com/state-of-security/top-cybersecurity-trends-enterprises

• Annual Fraud Report 2024
  "UK Finance publishes both the value of fraud losses and the number of cases. The data is reported to us by our members which include financial providers, credit, debit and charge card issuers, and card payment acquirers. Each incident of fraud does not equal one person being defrauded, but instead refers to the number of cards or accounts defrauded. For example, if a fraud was carried out on two cards, but they both belonged to the same person, this would represent two instances of fraud, not one."
  https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2024
  https://www.ukfinance.org.uk/system/files/2024-05/Annual Fraud Report 2024_0.pdf
  https://www.infosecurity-magazine.com/news/authorized-push-payment-fraud/

• Report Reveals 341% Rise In Advanced Phishing Attacks
  "Security experts have reported a 341% increase in malicious phishing links, business email compromise (BEC), QR code and attachment-based threats in the past six months. This data comes from SlashNext’s mid-year The State of Phishing 2024 report, which also identified an 856% increase in malicious email and messaging threats over the previous 12 months. Since the launch of ChatGPT in November 2022, there has been a 4151% surge in malicious phishing messages."
  https://www.infosecurity-magazine.com/news/341-rise-advanced-phishing-attacks/
  https://slashnext.com/the-state-of-phishing-2024/

• NIST Quantum-Resistant Algorithms To Be Published Within Weeks, Top White House Advisor Says
  "The U.S. National Institute of Standards and Technology (NIST) will release four post-quantum cryptographic algorithms in the next few weeks, a senior White House official said on Monday. Anne Neuberger, the White House’s top cyber advisor, told an audience at the Royal United Services Institute (RUSI) in London that the release of the algorithms was “a momentous moment,” as they marked a major step in the transition to the next generation of cryptography."
  https://therecord.media/nist-post-quantum-cryptography-standards-publishing-soon

• LockBit Dethroned As Leading Ransomware Gang For First Time Post-Takedown
  "The takedown of LockBit in February is starting to bear fruit for rival gangs with Play overtaking it after an eight-month period of LockBit topping the attack charts. For the first time since the National Crime Agency-led takedown of LockBit, the gang didn't register the most number of attacks across a single month, suggesting that law enforcement's claims of a successful disruption were valid."
  https://www.theregister.com/2024/05/22/lockbit_dethroned_as_leading_ransomware/

• Microsoft's Recall Stokes Security And Privacy Concerns
  "Microsoft's new automatic screenshot retrieval feature could enable hackers to steal sensitive information such as online banking credentials, security experts warned. Additionally, the U.K. data regulator will probe Recall for compliance with privacy law."
  https://www.bankinfosecurity.com/microsofts-recall-stokes-security-privacy-concerns-a-25299
  https://www.helpnetsecurity.com/2024/05/22/windows-recall-security-privacy/
  https://www.bleepingcomputer.com/news/microsoft/windows-11-recall-ai-feature-will-record-everything-you-do-on-your-pc/
  https://tech.slashdot.org/story/24/05/20/180204/with-recall-microsoft-is-using-ai-to-fix-windows-eternally-broken-search

อ้างอิง
Electronic Transactions Development Agency(ETDA)

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

เพื่อจัดทำหรือปรับปรุงแบบฟอร์มของแผนรับมือฯ ให้เข้ากับบริบทของโรงพยาบาล

เพื่อจัดทำแนวปฏิบัติด้านการสำรองข้อมูลในโรงพยาบาล

การพัฒนาคุณภาพระบบเทคโนโลยีสารสนเทศในโรงพยาบาล: HAIT
(Hospital Information Technology Quality Improvement Framework – HITQIF)
เป็นมาตรฐานที่พัฒนาโดยสมาคมเวชสารสนเทศไทย (TMI) มี 4 Level มาตรฐาน HAIT เป็นเครื่องมือที่มีประสิทธิภาพสำหรับโรงพยาบาลที่ต้องการพัฒนาระบบ IT ให้มีประสิทธิภาพ ปลอดภัย และเชื่อถือได้ การนำมาตรฐาน HAIT มาใช้ ช่วยให้โรงพยาบาลยกระดับคุณภาพมาตรฐานการบริการด้านสุขภาพ และสร้างความพึงพอใจให้กับผู้ป่วย โรงพยาบาลที่ต้องการขอรับรองมาตรฐาน HAIT จะต้องผ่านการประเมินจากคณะผู้ประเมินของ TMI

โดย HAIT Plus จะมีรายงานผลสำรวจการดำเนินงานตามข้อกำหนด HAIT Plus : 2567 และแนวทางการดำเนินงานด้านการรักษาความมั่นคงปลอดภัยไซเบอร์สำหรับโรงพยาบาลของรัฐ (HAIT Plus) : 2567

สามารถศึกษารายละเอียดเพิ่มเติมได้ที่ https://tmi.or.th/downloads/

อยากทราบเกี่ยวกับการพัฒนาคุณภาพระบบเทคโนโลยีสารสนเทศในโรงพยาบาล ทำอย่างไรได้บ้างคะ

Cyber Security Agency of Singapore (CSA)ได้เผยรายงานจำนวนมากที่เกี่ยวข้องกับอาชญากรไซเบอร์ที่ใช้ประโยชน์จาก Microsoft Graph Application Programming Interface (API) เพื่อสื่อสารและโฮสต์โครงสร้างพื้นฐานคำสั่งและการควบคุม (C2) บนบริการคลาวด์ของ Microsoft Microsoft Graph API ช่วยให้นักพัฒนาสามารถเข้าถึงบริการและข้อมูลของ Microsoft เช่น Outlook, OneDrive, SharePoint และ Teams ผ่านจุดสิ้นสุดเดียว ช่วยให้นักพัฒนาสามารถเพิ่มประสิทธิภาพกระบวนการพัฒนาของตนได้โดยการผสานรวมบริการต่างๆ ของ Microsoft เข้ากับแอปพลิเคชันของตนเอง

เนื่องจากฟังก์ชันการทำงานที่กว้างขวางและความสามารถในการบูรณาการของ Microsoft Graph API เข้ากับบริการต่างๆ ของ Microsoft มีรายงานว่าอาชญากรไซเบอร์ถูกละเมิดอย่างแข็งขันเพื่ออำนวยความสะดวกในการโจมตีที่อาศัยอยู่นอกพื้นที่ ด้วยการใช้ประโยชน์จาก Microsoft Graph API อาชญากรไซเบอร์จึงสามารถดำเนินกิจกรรมที่เป็นอันตรายภายในโครงสร้างพื้นฐานของแอปพลิเคชันและบริการที่ถูกต้องตามกฎหมาย ดังนั้นจึงประสบความสำเร็จในการผสมผสานกิจกรรมของพวกเขาเข้ากับการรับส่งข้อมูลที่ถูกกฎหมาย ตัวอย่างเช่น หลังจากที่ประนีประนอมอุปกรณ์ได้สำเร็จ อาชญากรไซเบอร์สามารถปรับใช้มัลแวร์ที่สร้างการเชื่อมต่อกับ Microsoft Graph API เพื่อใช้ OneDrive ซึ่งเป็นแพลตฟอร์มที่โดยทั่วไปใช้สำหรับฟังก์ชันที่ถูกต้องตามกฎหมาย เช่น การถ่ายโอนไฟล์ เป็นเซิร์ฟเวอร์ C2 สำหรับการอัพโหลดและดาวน์โหลดไฟล์ที่เป็นอันตราย

ผู้ดูแลระบบอาจต้องการพิจารณาติดตามและIOC ที่เกี่ยวข้องกับมัลแวร์ที่ใช้ประโยชน์จาก Microsoft Graph API IOC ที่เป็นไปได้ที่เกี่ยวข้องกับมัลแวร์ที่เกี่ยวข้องในตารางด้านล่าง

องค์กรอาจพิจารณาใช้มาตรการป้องกันต่อไปนี้เพื่อเสริมสร้างมาตรการรักษาความปลอดภัยทางไซเบอร์และเสริมการป้องกันเพื่อปกป้องตนเองจากเหตุการณ์ดังกล่าว
• ตรวจสอบการรับส่งข้อมูลเครือข่ายขาเข้าและขาออกสำหรับการสื่อสารที่น่าสงสัย
• กำหนดค่ากฎไฟร์วอลล์เพื่อบล็อกการเชื่อมต่อขาออกไปยังที่อยู่ IP ที่เชื่อมโยงกับเซิร์ฟเวอร์ C2
• ใช้ระบบตรวจจับการบุกรุก (IDS) และระบบป้องกันการบุกรุก (IPS) เพื่อตรวจจับและบล็อกการรับส่งข้อมูลที่น่าสงสัย
• ใช้การควบคุมการเข้าถึงที่เข้มงวดตามบทบาทและความรับผิดชอบของพนักงาน เพื่อป้องกันการเข้าถึงแพลตฟอร์มระบบคลาวด์ของ Microsoft โดยไม่ได้รับอนุญาต
• ตรวจสอบบัญชีผู้ใช้ Microsoft ทั้งหมดเป็นประจำและปิดการใช้งานบัญชีที่ไม่ได้ใช้งาน
• อัปเดตระบบ แอปพลิเคชัน และซอฟต์แวร์ให้เป็นเวอร์ชันล่าสุด และดาวน์โหลดแพตช์รักษาความปลอดภัยล่าสุด
• ปรับใช้โซลูชัน Endpoint Detection and Response (EDR) เพื่อตรวจจับและป้องกันมัลแวร์จากการพยายามสร้างการสื่อสารกับเซิร์ฟเวอร์ C2
• ติดตั้งซอฟต์แวร์ป้องกันไวรัส/ป้องกันมัลแวร์ และอัปเดตซอฟต์แวร์ (และไฟล์คำจำกัดความ) อยู่เสมอ ทำการสแกนระบบและเครือข่ายอย่างสม่ำเสมอ และสแกนไฟล์ที่ได้รับทั้งหมด

อ้างอิง
https://www.csa.gov.sg/alerts-advisories/Advisories/2024/ad-2024-010

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand

Cybersecurity and Infrastructure Security Agency (CISA) ได้เผยแพร่ข้อมูลการเพิ่มช่องช่องโหว่ใหม่ 2 รายการใน Known Exploited Vulnerabilities Catalog โดยอิงตามหลักฐานของการแสวงหาผลประโยชน์ที่ยังดำเนินอยู่

• CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability
• CVE-2023-43208 NextGen Healthcare Mirth Connect Deserialization of Untrusted Data Vulnerability

ช่องโหว่ประเภทนี้ส่วนใหญ่เป็นเวกเตอร์การโจมตี สำหรับผู้โจมตีทางไซเบอร์ที่เป็นอันตราย และก่อให้เกิดความเสี่ยงอย่างมากต่อองค์กรของรัฐบาลกลาง ซึ่งBinding Operational Directive (BOD) 22-01: การลดความเสี่ยงที่มีนัยสำคัญของช่องโหว่ที่ถูกใช้ประโยชน์ ได้สร้างแคตตาล็อกช่องโหว่ที่ทราบที่เจาะจงเป็นรายการที่มีอยู่ของช่องโหว่และความเสี่ยงทั่วไปที่รู้จัก (CVEs) ซึ่งมีความเสี่ยงที่สำคัญต่อองค์กรของรัฐบาลกลาง BOD 22-01 กำหนดให้หน่วยงาน FCEB แก้ไขช่องโหว่ที่ระบุภายในวันที่กำหนดเพื่อป้องกันเครือข่าย FCEB จากภัยคุกคามที่ทำงานอยู่
ทั้งนี้ CISA แนะนำให้ทุกองค์กรลดความเสี่ยงต่อการถูกโจมตีทางไซเบอร์ ให้ความสำคัญกับการแก้ไขช่องโหว่ของ Catalog อย่างทันท่วงที อ่านคำแนะนำฉบับเต็มได้ที่ https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog

อ้างอิง
https://www.cisa.gov/news-events/alerts/2024/05/20/cisa-adds-two-known-exploited-vulnerabilities-catalog

สามารถติดตามข่าวสารได้ที่ webboard หรือ Facebook NCSA Thailand