You can follow the news on the webboard or on the NCSA Thailand Facebook page.
Cyber Threat Intelligence 21 October 2024
Industrial Sector
- Organizations Faster At Detecting OT Incidents, But Response Still Lacking: Report
"Organizations have been getting faster at detecting incidents in industrial control system (ICS) and other operational technology (OT) environments, but incident response is still lacking, according to a new report from the SANS Institute. SANS’s 2024 State of ICS/OT Cybersecurity report, which is based on a survey of more than 530 professionals in critical infrastructure sectors, shows that roughly 60% of respondents can detect a compromise in less than 24 hours, which is a significant improvement compared to five years ago when the same number of respondents said their compromise-to-detection time had been 2-7 days."
https://www.securityweek.com/organizations-faster-at-detecting-ot-incidents-but-response-still-lacking-report/
https://sansorg.egnyte.com/dl/5mD1Yxiybn
Vulnerabilities
- New MacOS Vulnerability, “HM Surf”, Could Lead To Unauthorized Data Access
"Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent."
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/
https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html
https://www.darkreading.com/vulnerabilities-threats/macos-safari-exploit-camera-mic-browser-data
https://www.malwarebytes.com/blog/news/2024/10/microsoft-reveals-details-about-hm-surf-vulnerability-in-macos
https://www.infosecurity-magazine.com/news/microsoft-macos-vulnerability/
https://www.securityweek.com/microsoft-macos-vulnerability-potentially-exploited-in-adware-attacks/
https://securityaffairs.com/169945/security/macos-hm-surf-flaw-tcc-bypass-safari-privacy-settings.html
https://hackread.com/hm-surf-macos-flaw-attackers-access-camera-mic/
- Intel, AMD CPUs On Linux Impacted By Newly Disclosed Spectre Bypass
"The latest generations of Intel processors, including Xeon chips, and AMD's older microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing ‘Spectre’ mitigations. The vulnerabilities impact Intel's 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD's Zen 1, Zen 1+, and Zen 2 processors. The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks."
https://www.bleepingcomputer.com/news/security/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass/
https://comsec.ethz.ch/research/microarch/breaking-the-barrier/
https://comsec.ethz.ch/wp-content/files/ibpb_sp25.pdf
- Code Injection In Spring Cloud: CVE-2024-37084
"The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, allowing them to write arbitrary files to any location on the server’s file system, potentially compromising the server. This vulnerability is assigned a CVSS score of 9.8 by VMware, indicating its critical nature."
https://blog.sonicwall.com/en-us/2024/10/code-injection-in-spring-cloud-cve-2024-37084/
- Severe Flaws In E2EE Cloud Storage Platforms Used By Millions
"Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. Cryptographic analysis from ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong revealed issues with Sync, pCloud, Icedrive, Seafile, and Tresorit services, collectively used by more than 22 million people. The analysis was based on the threat model of an attacker controlling a malicious server that can read, modify, and inject data at will, which is realistic for nation-state actors and sophisticated hackers."
https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-storage-platforms-used-by-millions/
https://brokencloudstorage.info/
https://brokencloudstorage.info/paper.pdf
Malware
- ESET Partner Breached To Send Data Wipers To Israeli Orgs
"Hackers breached ESET's exclusive partner in Israel to send phishing emails to Israeli businesses that pushed data wipers disguised as antivirus software for destructive attacks. A data wiper is malware that intentionally deletes all of the files on a computer and commonly removes or corrupts the partition table to make it harder to recover the data. In a phishing campaign that started on October 8th, emails branded with ESET's logo were sent from the legitimate eset.co.il domain, indicating that the Israel division's email server was breached as part of the attack. While the eset.co.il domain is branded with ESET's content and logos, ESET told BleepingComputer it is operated by Comsecure, their Israel distributor."
https://www.bleepingcomputer.com/news/security/eset-partner-breached-to-send-data-wipers-to-israeli-orgs/
https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targeting-israeli-orgs-b1210aed7021
https://therecord.media/hackers-impersonate-eset-wiper-malware
https://www.darkreading.com/cyberattacks-data-breaches/eset-wiper-attack-targets-israel
https://www.bankinfosecurity.com/hacker-poses-as-israeli-security-vendor-to-deliver-wiper-a-26563
https://www.helpnetsecurity.com/2024/10/18/israel-wiper-eset/
https://www.theregister.com/2024/10/18/eset_denies_israel_branch_breach/
https://hackread.com/hackers-fake-eset-emails-israeli-wiper-malware/
- Military Exercises Trigger Russian DDoS Attacks On Japan
"Plans by Japan and U.S. to conduct military exercises near the coast of eastern Russia prompted Russia-linked threat actors to unleash a series of denial-of-service attacks this week against a dozen websites in Japan including the majority political party, major manufacturers, business groups and local governments."
https://www.bankinfosecurity.com/military-exercises-trigger-russian-ddos-attacks-on-japan-a-26561
https://www.asahi.com/ajw/articles/15469220
- THREAT ANALYSIS: Beast Ransomware
"Cybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason investigates the Ransomware-as-a-Service (RaaS) known as Beast and how to defend against it through the Cybereason Defense Platform."
https://www.cybereason.com/blog/threat-analysis-beast-ransomware
- Analysis Of The Crypt Ghouls Group: Continuing The Investigation Into a Series Of Attacks On Russia
"Last December, we discovered a new group targeting Russian businesses and government agencies with ransomware. Further investigation into this group’s activity suggests a connection to other groups currently targeting Russia. We have seen overlaps not only in indicators of compromise and tools, but also tactics, techniques, and procedures (TTPs). Moreover, the infrastructure partially overlaps across attacks. The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others. As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk. We have dubbed the group “Crypt Ghouls”."
https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/114217/
https://thehackernews.com/2024/10/crypt-ghouls-targets-russian-firms-with.html
- Mobile Political Spam Volume Continues Rapid Growth In The Lead Up To The U.S. November Elections
"Since our July blog, which focused on the increase in mobile political spam volume, unwanted political messaging has continued to grow at a rapid pace. Subscriber reports of these messages increased 67% in September compared with June. We can expect the increases to not only continue, but to accelerate as we approach the November election. As we previously pointed out, most political messaging comes from political action committees, parties and candidates seeking support and donations. Although for many people these messages are a nuisance, they are not typically abusive or fraudulent. The graphic below shows a recent example of an unwanted political message reported by a subscriber."
https://www.proofpoint.com/us/blog/email-and-cloud-threats/spam-text-messages-dos-donts
- Vietnamese Threat Actor’s Multi-Layered Strategy On Digital Marketing Professionals
"Cyble Research and Intelligence Lab (CRIL) has uncovered an advanced attack campaign that likely originates from spam emails containing phishing attachments. These emails include an archive file with an LNK file disguised as a PDF file. The attack begins when the LNK file triggers PowerShell-based commands, which proceed to download and execute additional scripts hosted externally. These scripts are highly encoded and obfuscated to evade detection by security tools. The TAs use a variety of evasion techniques, including checks for virtual machines, sandbox environments, and debugging tools, ensuring that the malicious code can remain undetected and function stealthily in non-virtualized environments while bypassing standard security defenses."
https://cyble.com/blog/vietnamese-threat-actors-multi-layered-strategy-on-digital-marketing-professionals/
- Fake Attachment. Roundcube Mail Server Attacks Exploit CVE-2024-37383 Vulnerability.
"Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications."
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
Breaches/Hacks/Leaks
- Cisco Takes DevHub Portal Offline After Hacker Publishes Stolen Data
"Cisco confirmed today that it took its public DevHub portal offline after a threat actor leaked "non-public" data, but it continues to state that there is no evidence that its systems were breached. "We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed," reads an updated statement from Cisco. "At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.""
https://www.bleepingcomputer.com/news/security/cisco-takes-devhub-portal-offline-after-hacker-publishes-stolen-data/
- Tech Giant Nidec Confirms Data Breach Following Ransomware Attack
"Nidec Corporation is informing that hackers behind a ransomware attack it suffered earlier this year stole data and leaked it on the dark web. The Japanese tech giant says the threat actors tried to extort the company and decided to leak the information after their demands were not met. The attack did not encrypt files and the incident is considered fully remediated at this time. However, Nidec employees, contractors, and associates should be aware that the leaked data could be used in more targeted phishing attacks."
https://www.bleepingcomputer.com/news/security/tech-giant-nidec-confirms-data-breach-following-ransomware-attack/
- Omni Family Health Data Breach Impacts 470,000 Individuals
"California network of health centers Omni Family Health is notifying close to 470,000 individuals that their personal information was stolen in a cyberattack earlier this year. The data breach, Omni says, was discovered on August 7, after learning that threat actors had posted on the dark web data allegedly stolen from its network. The leaked information, the healthcare provider says, pertains to current and former patients and employees. In total, 468,344 individuals were affected, Omni told the US Department of Health and Human Services."
https://www.securityweek.com/omni-family-health-data-breach-impacts-470000-individuals/
https://securityaffairs.com/169972/data-breach/omni-family-health-disclosed-a-data-breach.html
- Internet Archive Breached Again Through Stolen Access Tokens
"The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens. Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens. "It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor."
https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/
https://www.theregister.com/2024/10/21/internet_archive_zendesk_access_attack/
General News
- A Closer Look At Q3 2024: 75% Surge In Cyber Attacks Worldwide
"The digital landscape witnessed an unprecedented surge in cyber attacks worldwide in the third quarter of 2024. This period marked a significant escalation in both the volume and intensity of cyber threats organizations face, shedding light on cybercriminals’ evolving tactics and the urgent need for reinforced cyber defenses."
https://blog.checkpoint.com/research/a-closer-look-at-q3-2024-75-surge-in-cyber-attacks-worldwide/
- Time To Get Strict With DMARC
"The state of DMARC email authentication and security standard looked so promising at the beginning of 2024. Google and Yahoo had set a deadline of February 2024 for bulk email senders to adopt a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and as companies scrambled to meet the deadline, the number of email domains with a valid DMARC record jumped 60% in two months. As of September, nearly 6.8 million domains have email sender authentication configured."
https://www.darkreading.com/cybersecurity-operations/time-get-strict-dmarc
- CISOs: Throwing Cash At Tools Isn't Helping Detect Breaches
"Global information security spend is projected to reach $215 billion by the end of 2024. But a new survey of chief information security officers (CISOs) shows that all that cash might not have bought the peace of mind they hoped for. In fact, 44% of CISOs across the globe reported missing a data breach in the past 12 months with existing tools."
https://www.darkreading.com/cloud-security/cisos-throwing-cash-tools-detect-breaches
https://www.gigamon.com/resources/resource-library/white-paper/wp-gigamon-survey-hybrid-cloud-security-2024.html
https://www.helpnetsecurity.com/2024/10/18/cisos-security-tools/
- Supply Chain Cybersecurity Beyond Traditional Vendor Risk Management
"In today's interconnected digital landscape, supply chain attacks are no longer an anomaly — they're a persistent, growing threat. From SolarWinds to Kaseya, high-profile breaches have demonstrated that attackers are increasingly exploiting vulnerabilities in the supply chain to infiltrate targets at scale. For cybersecurity professionals, the days of relying on traditional vendor risk management are over. A broader, more proactive approach to securing the supply chain is required — one that goes beyond checklists and questionnaires."
https://www.darkreading.com/cyber-risk/supply-chain-cybersecurity-traditional-vendor-risk-management
- What’s Behind The 51% Drop In Ransomware Attacks?
"In a world where cyber threats feel omnipresent, a recent report has revealed some unexpected good news: ransomware attacks on state and local governments have dropped by 51% in 2024. Still, this decline does not signal the end of the ransomware threat, nor should it lead to complacency. As the nature of ransomware evolves, so do its consequences, costs and implications for enterprises and critical infrastructure. What’s behind the drop in ransomware attacks? And what does it mean for the future of cybersecurity? Let’s take a look."
https://securityintelligence.com/articles/whats-behind-51-drop-in-ransomware-attacks/
- Rising Tides: Christien “DilDog” Rioux On Building Privacy And What Makes Hackers Unique
"Few things bring me more joy than this ongoing Rising Tides column, because I get to dig into the minds and experiences of some of the most fascinating people in our industry. What makes these people even more exceptional, at least to me, is how they go beyond the norm of a “day job” and use their efforts to create technology or frameworks that watch out for the human."
https://www.securityweek.com/rising-tides-christien-dildog-rioux-on-building-privacy-and-what-makes-hackers-unique/
- Microsoft Creates Fake Azure Tenants To Pull Phishers Into Honeypots
"Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and luring cybercriminals in to collect intelligence about them. With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity. The tactic and its damaging effect on phishing activity were described at the BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft's "Head of Deception.""
https://www.bleepingcomputer.com/news/security/microsoft-creates-fake-azure-tenants-to-pull-phishers-into-honeypots/
References
Electronic Transactions Development Agency (ETDA)
-
Cyber Threat Intelligence 18 October 2024
Industrial Sector
- Elvaco M-Bus Metering Gateway CMe3100
"Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-01
- Kieback&Peter DDC4000 Series
"Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to gain full administrator rights on the system."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-05
- LCDS LAquis SCADA
"Successful exploitation of this vulnerability could allow an attacker to steal cookies, inject arbitrary code, or perform unauthorized actions."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-02
- Mitsubishi Electric CNC Series
"Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service (DoS) condition on the affected device."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-03
- HMS Networks EWON FLEXY 202
"Successful exploitation of this vulnerability could allow an attacker to sniff and decode credentials that are transmitted using weak encoding techniques."
https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-04
New Tooling
- GhostStrike: Open-Source Tool For Ethical Hacking
"GhostStrike is an open-source, advanced cybersecurity tool tailored for ethical hacking and Red Team operations. It incorporates cutting-edge techniques, including process hollowing, to stealthily evade detection on Windows systems, making it an asset for penetration testing and security assessments."
https://www.helpnetsecurity.com/2024/10/17/ghoststrike-open-source-tool-ethical-hacking/
https://github.com/stivenhacker/GhostStrike
Vulnerabilities
- F5 BIG-IP Updates Patch High-Severity Elevation Of Privilege Vulnerability
"F5 on Wednesday published its October 2024 quarterly security notification, describing two vulnerabilities addressed in BIG-IP and BIG-IQ enterprise products. Updates released for BIG-IP address a high-severity security defect tracked as CVE-2024-45844. Affecting the appliance’s monitor functionality, the bug could allow authenticated attackers to elevate their privileges and make configuration changes. “This vulnerability may allow an authenticated attacker with Manager role privileges or greater, with access to the Configuration utility or TMOS Shell (tmsh), to elevate their privileges and compromise the BIG-IP system. There is no data plane exposure; this is a control plane issue only,” F5 notes in its advisory."
https://www.securityweek.com/f5-big-ip-updates-patch-high-severity-elevation-of-privilege-vulnerability/
- Cisco Patches High-Severity Vulnerabilities In Analog Telephone Adapters
"Cisco on Wednesday announced patches for eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity flaws leading to configuration changes and cross-site request forgery (CSRF) attacks. Impacting the web-based management interface of the firmware and tracked as CVE-2024-20458, the first bug exists because specific HTTP endpoints lack authentication, allowing remote, unauthenticated attackers to browse to a specific URL and view or delete configurations, or modify the firmware."
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-in-analog-telephone-adapters/
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-40711 Veeam Backup and Replication Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2024/10/17/cisa-adds-one-known-exploited-vulnerability-catalog
- Gatekeeper Bypass: Uncovering Weaknesses In a MacOS Security Mechanism
"Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. A bypass of Gatekeeper could leave the user unprotected from risky applications that may attempt to execute malicious content."
https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
Malware
- ClickFix Tactic: The Phantom Meet
"In May 2024, a new social engineering tactic called ClickFix emerged, featuring a ClearFake cluster that the Sekoia Threat Detection & Research (TDR) team closely monitored and analysed in a private report entitled FLINT 2024-027 – New widespread ClearFake variant abuses PowerShell and clipboard. This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems."
https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/
https://hackread.com/clickfix-fake-google-meet-alerts-windows-macos-malware/
https://www.helpnetsecurity.com/2024/10/17/google-meet-fix-it-infostealers/
- UAT-5647 Targets Ukrainian And Polish Entities With RomCom Malware Variants
"UAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated their attacks in recent months with a clear focus on establishing long-term access for exfiltrating data of strategic interest to them. Our assessment, in line with recent reporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms such as GoLang, C++, RUST and LUA."
https://blog.talosintelligence.com/uat-5647-romcom/
https://thehackernews.com/2024/10/russian-romcom-attacks-target-ukrainian.html
https://securityaffairs.com/169928/apt/romcom-targeted-ukrainian-government-agencies.html
- Encrypted Symphony: Infiltrating The Cicada3301 Ransomware-As-a-Service Group
"Since its discovery in June 2024, the Cicada3301 ransomware-as-a-service (RaaS) group has been observed targeting businesses across a wide range of critical sectors. Between June and October 2024, the group published stolen data from 30 companies on their dedicated leak sites (DLS), with 24 instances of attacks that claimed victims based in the United States and the United Kingdom."
https://www.group-ib.com/blog/cicada3301/
https://thehackernews.com/2024/10/cross-platform-cicada3301-ransomware.html
https://www.infosecurity-magazine.com/news/cicada-ransomware-critical-sectors/
- SAS CTF And The Many Ways To Persist a Kernel Shellcode On Windows 7
"On May 18, 2024, Kaspersky’s Global Research & Analysis Team (GReAT), with the help of its partners, held the qualifying stage of the SAS CTF, an international competition of cybersecurity experts held as part of the Security Analyst Summit conference. More than 800 teams from all over the world took part in the event, solving challenges based on real cases that Kaspersky GReAT encountered in its work, but a couple of challenges remained unsolved. One of those challenges was based on a security issue that allows kernel shellcode to be hidden in the system registry and executed during system boot on a fully updated Windows 7/Windows Server 2008 R2 due to an incomplete fix for the CVE-2010-4398 vulnerability."
https://securelist.com/sas-ctf-windows-7-challenge-explained/114180/
- Ukraine Tracks Emailed Bomb Threats To Russia-Linked Group
"A hacker group tracked as UAC-0050 may be behind a recent large-scale information campaign targeting Ukrainian institutions with emails warning of a terrorist attack. In a report released this week, Ukraine’s computer emergency response team (CERT-UA) linked UAC-0050 to a psychological operation with the name Fire Cells Group. The campaign included emails claiming that bombs were planted inside Ukrainian institutions. Among the targets were nearly 60 Ukrainian embassies around the world, as well as media outlets and state agencies. Their employees were forced to evacuate or suspend services while police searched for alleged explosive devices. According to the investigation, all alerts were false and were likely part of Russian intelligence agencies’ hybrid war against Ukraine."
https://therecord.media/ukraine-bomb-threats-fire-cells-group
- Independent Russian News Site Rides Out a Week Of DDoS Incidents
"The Russian independent media outlet Novaya Gazeta Europe was targeted by several large-scale distributed denial-of-service (DDoS) attacks this week, temporarily knocking its website offline. The attacks began on Monday and persisted until Wednesday, reaching 12 million junk page requests per minute at one point, according to the outlet’s statement. During the attacks, the website was temporarily unavailable due to traffic overload. “If our website isn't loading, it means we’re currently experiencing an attack. Please check back in 20 to 30 minutes — by then, we typically have things under control and access should be restored,” Novaya Gazeta Europe stated."
https://therecord.media/ddos-attacks-novaya-gazeta-europe-russian-media
- Cronus: Ransomware Threatening Bodily Harm
"Cronus is a .NET based ransomware strain that was first reported on by Seqrite. Threat researchers discovered the ransomware variant after discovering a malicious document that was submitted to VirusTotal. This blog outlines how the ransomware encrypts files and establishes persistence, as well as analyzes the Cronus ransomware note."
https://blog.pulsedive.com/threat-research-cronus-ransomware-threatening-bodily-harm/
Breaches/Hacks/Leaks
- BianLian Ransomware Claims Attack On Boston Children's Health Physicians
"The BianLian ransomware group has claimed the cyberattack on Boston Children's Health Physicians (BCHP) and threatens to leak stolen files unless a ransom is paid. BCHP is a network of over 300 pediatric physicians and specialists operating over 60 locations across New York's Hudson Valley and Connecticut, offering patient care in clinics, community hospitals, and health centers affiliated with Boston Children's Hospital. According to the announcement BCHP published on its website, a cyberattack compromised its IT vendor on September 6 and a few days later BCHP detected unauthorized activity on its network."
https://www.bleepingcomputer.com/news/security/bianlian-ransomware-claims-attack-on-boston-childrens-health-physicians/
- Hackers Blackmail Globe Life After Stealing Customer Data
"Insurance giant Globe Life says an unknown threat actor attempted to extort money in exchange for not publishing data stolen from the company's systems earlier this year. Founded in 1900, Globe Life is among the largest providers of life and health insurance plans in the United States, with a market capitalization of $12 billion and a total revenue that exceeds $5.3 billion. Globe Life previously disclosed a data breach on June 13 after discovering they had been compromised while reviewing potential vulnerabilities related to access permissions and user identity management for its web portal."
https://www.bleepingcomputer.com/news/security/hackers-blackmail-globe-life-after-stealing-customer-data/
https://therecord.media/globe-life-insurance-facing-extortion-threat-after-subsidiary-data-theft
https://www.theregister.com/2024/10/17/us_insurance_giant_with_a/
- Japan's Ruling Political Party Hit By Cyberattack From Alleged Pro-Russian Hackers
"Japan's ruling Liberal Democratic Party (LDP) reported that a cyberattack temporarily disrupted its website earlier this week, coinciding with the start of the country’s general election campaign. During a press conference on Thursday, Deputy Chief Cabinet Secretary Kazuhiko Aoki said that the country's cyber agencies had implemented relevant security measures and are investigating the incident. The LDP's website was targeted by a distributed denial-of-service (DDoS) attack on Tuesday, coinciding with the beginning of the 12-day campaign period for the election of the House of Representatives, which plays a key role in Japan’s parliamentary system."
https://therecord.media/japan-political-party-hit-by-cyberattack-pro-russian-hackers
General News
- How NIS2 Will Impact Sectors From Healthcare To Energy
"In this Help Net Security interview, Mick Baccio, Global Security Advisor at Splunk SURGe, discusses the far-reaching implications of the NIS2 Directive beyond traditional IT security. He explains how NIS2 will fundamentally change cybersecurity governance, making it a core aspect of organizational strategy and accountability."
https://www.helpnetsecurity.com/2024/10/17/mick-baccio-splunk-nis2-challenges/
- Why Companies Are Struggling To Keep Up With SaaS Data Protection
"While businesses increasingly rely on SaaS tools, many leaders are not fully confident in their ability to safeguard their data, according to Keepit. According to the survey, while 28% of respondents expressed high confidence in their data protection measures, a significant 31% reported moderate to severe lapses in their data protection. This lack of confidence is alarming as the use of SaaS applications continues to grow, with critical data stored in applications like Microsoft 365, Salesforce, and Power BI."
https://www.helpnetsecurity.com/2024/10/17/saas-tools-data-protection/
- Should We Chat, Too? Security Analysis Of WeChat’s MMTLS Encryption Protocol
"WeChat, with over 1.2 billion monthly active users, stands as the most popular messaging and social media platform in China and third globally. As indicated by market research, WeChat’s network traffic accounted for 34% of Chinese mobile traffic in 2018. WeChat’s dominance has monopolized messaging in China, making it increasingly unavoidable for those in China to use. With an ever-expanding array of features, WeChat has also grown beyond its original purpose as a messaging app."
https://citizenlab.ca/2024/10/should-we-chat-too-security-analysis-of-wechats-mmtls-encryption-protocol/
https://www.theregister.com/2024/10/17/wechat_devs_modded_tls_introducing/
- FBI Arrest Alabama Man Suspected Of Hacking SEC's X Account
"An Alabama man was arrested today by the FBI for his suspected role in hacking the SEC's X account to make a fake announcement that Bitcoin ETFs were approved. The Department of Justice said that 25-year-old Eric Council, of Alabama, and conspirators conducted a SIM-swap attack to take over the identity of the person in charge of SEC's X account."
https://www.bleepingcomputer.com/news/security/fbi-arrest-alabama-man-suspected-of-hacking-secs-x-account/
https://therecord.media/sec-twitter-account-hack-arrest-alabama
https://cyberscoop.com/sec-twitter-hack-arrest-sim-swapping/
https://www.itnews.com.au/news/fbi-arrests-alabama-man-over-sec-bitcoin-x-account-hack-612444
- CISA And FBI Release Joint Guidance On Product Security Bad Practices For Public Comment
"Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions."
https://www.cisa.gov/news-events/alerts/2024/10/16/cisa-and-fbi-release-joint-guidance-product-security-bad-practices-public-comment
https://cisa.gov/resources-tools/resources/product-security-bad-practices
https://www.bankinfosecurity.com/cisa-unveils-exceptionally-risky-software-bad-practices-a-26556
https://www.infosecurity-magazine.com/news/cisa-product-security-flaws/
https://www.securityweek.com/cisa-fbi-seek-public-comment-on-software-security-bad-practices-guidance/
- Check Point Research Unveils Q3 2024 Brand Phishing Trends: Microsoft Remains Most Imitated Brand As Alibaba And Adobe Enter Top 10
"In the realm of cyber security, phishing attacks are among the most prevalent threats, often serving as the initial step for larger-scale campaigns within supply chains. Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies Ltd., has recently released its latest Brand Phishing Ranking for the third quarter of 2024. This report sheds light on the brands most frequently imitated by cyber criminals, in their attempts to deceive and steal personal information or payment credentials, emphasizing the ongoing risks associated with phishing attacks in today’s digital landscape."
https://blog.checkpoint.com/research/check-point-research-unveils-q3-2024-brand-phishing-trends-microsoft-remains-most-imitated-brand-as-alibaba-and-adobe-enter-top-10/
- Is a CPO Still a CPO? The Evolving Role Of Privacy Leadership
"The role of the CPO — chief privacy officer — is at a crossroads. A rapidly growing number of data breaches, continually evolving regulations, and the increasing complexity of digital ecosystems have made a robust, privacy-first approach to managing data more critical for businesses than ever before. The role of a CPO was once clear-cut: Ensure compliance with privacy laws, manage data collection practices, and mitigate data risks. Now, CPOs are balancing more responsibilities than ever. Privacy has an impact on every realm of the business. So, is a CPO still a CPO, or is the role something greater? And, is it a role that just one person can handle?"
https://www.darkreading.com/cyber-risk/cpo-still-cpo-evolving-role-privacy-leadership
- Hong Kong Crime Ring Swindles Victims Out Of $46M
"Hong Kong police arrested 27 people Monday for their involvement in a deepfake scam operation, stealing $46 million from the scam's victims. The scammers used AI face-swapping technology to create female personas for online dating, using tools to alter their appearance and voices. They then contacted their victims via social media platforms using these AI-generated photos of people with made-up personalities, occupations, and backgrounds."
https://www.darkreading.com/cyberattacks-data-breaches/hong-kong-crime-ring-swindles-victims-out-of-46m
- The Role Of Compromised Cyber-Physical Devices In Modern Cyberattacks
"Cyber-physical devices are increasingly getting compromised and leveraged by criminal groups and state-sponsored threat actors. Fyodor Yarochkin, Senior Threat Solution Architect with Trend Micro, believes that getting a better understanding of attackers’ infrastructure leads to a better understanding of the attackers themselves."
https://www.helpnetsecurity.com/2024/10/17/fyodor-yarochkin-trend-micro-compromised-cyber-physical-devices/
- Ransomware: Threat Level Remains High In Third Quarter
"Ransomware attacks continued to occur at near peak levels during the third quarter of this year, which also saw the newly formed RansomHub group overtake the veteran LockBit operation as the number one ransomware threat. Analysis of data from ransomware leak sites found that ransomware actors claimed 1,255 attacks in the third quarter of 2024, down very slightly from 1,325 in the second quarter, but the overall number of attacks is continuing to trend upwards."
https://www.security.com/threat-intelligence/ransomware-threat-level-remains-high
https://www.infosecurity-magazine.com/news/ransomhub-overtakes-lockbit/
- Be Aware Of These Eight Underrated Phishing Techniques
"Email phishing is by far one of the most prevalent forms of phishing. However, there are a number of lesser-known phishing techniques that are often overlooked or underestimated yet increasingly being employed by attackers. Let’s take a brief look at some of the main ones."
https://www.securityweek.com/be-aware-of-these-eight-underrated-phishing-techniques/
- Apple Releases Draft Ballot To Shorten Certificate Lifespan To 45 Days
"Earlier this week, on October 9, during the second day of the fall CA/Browser Forum Face-to-Face meeting, Apple revealed that it had published a draft ballot for commentary to GitHub. This proposal, which is sponsored by Sectigo, offers to incrementally phase maximum term for public SSL/TLS certificates down to 45 days between now and 2027. The draft also phases down the DCV reuse period over time, until it reaches 10 days in 2027."
https://www.sectigo.com/resource-library/apple-now-joins-google-in-push-to-shorten-digital-certificate-lifespans
References
Electronic Transactions Development Agency (ETDA)
-
Elvaco M-Bus Metering Gateway CMe3100
-
VMware fixes high-severity SQL injection vulnerability CVE-2024-38814 in HCX
-
Hybrid work exposes new print security threats
-
Critical vulnerability in Kubernetes Image Builder
The Cyber Security Agency of Singapore (CSA) reports that Kubernetes has released security updates to address a critical vulnerability, CVE-2024-9486, in Kubernetes Image Builder. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8.
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized SSH access to virtual machines running images built with the Kubernetes Image Builder project.
The vulnerability affects the following products:
- VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier
Users and administrators of affected product versions are advised to update to the latest version immediately.
References
https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-133
-
Cyber Threat Intelligence 17 October 2024
Vulnerabilities
- Critical Kubernetes Image Builder Flaw Gives SSH Root Access To VMs
"A critical vulnerability in Kubernetes could allow unauthorized SSH access to a virtual machine running an image created with the Kubernetes Image Builder project. Kubernetes is an open-source platform that helps automate the deployment, scale, and operate virtual containers - lightweight environments for applications to run. With Kubernetes Image Builder, users can create virtual machine (VM) images for various Cluster API (CAPI) providers, like Proxmox or Nutanix, that run the Kubernetes environment. These VMs are then used to set up nodes (servers) that become part of a Kubernetes cluster."
https://www.bleepingcomputer.com/news/security/critical-kubernetes-image-builder-flaw-gives-ssh-root-access-to-vms/
https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119
https://www.theregister.com/2024/10/16/critical_kubernetes_image_builder_bug/
- AhnLab And NCSC Release Joint Report On Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)
"AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat."
https://asec.ahnlab.com/en/83877/
https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/
https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html
- Oracle Patches Over 200 Vulnerabilities With October 2024 CPU
"Oracle on Tuesday announced 334 new security patches as part of its October 2024 Critical Patch Update (CPU), including 186 fixes for vulnerabilities that can be exploited remotely without authentication. SecurityWeek has identified roughly 220 unique CVEs in Oracle’s October 2024 CPU. Approximately three dozen security patches resolve critical-severity flaws. The same as in April and July 2024, Oracle Communications received the largest number of security patches. Out of 100 fixes, 81 address unauthenticated, remotely exploitable bugs."
https://www.securityweek.com/oracle-patches-over-200-vulnerabilities-with-october-2024-cpu/
- VMware Patches High-Severity SQL Injection Flaw In HCX Platform
"VMWare on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform. The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor."
https://www.securityweek.com/vmware-patches-high-severity-sql-injection-flaw-in-hcx-platform/
- Microsoft Patches Vulnerabilities In Power Platform, Imagine Cup Site
"Microsoft on Tuesday announced patching potentially serious information disclosure and privilege escalation vulnerabilities in Power Platform and Dataverse, as well as the Imagine Cup website. The tech giant has assigned a maximum severity rating of ‘critical’ to each of the flaws, but based on their CVSS scores they are all high-severity issues. In Power Platform, a low-code platform designed for securing and managing apps, workflows and AI-powered tools, Microsoft fixed CVE-2024-38190, a missing authorization vulnerability that could have allowed an unauthenticated attacker to view sensitive information."
https://www.securityweek.com/microsoft-patches-vulnerabilities-in-power-platform-imagine-cup-site/
- I Know Which Device You Used Last Summer: Fingerprinting WhatsApp Users’ Devices
"As part of our ongoing security research on Meta’s WhatsApp privacy issues, we found out these issues are worse than previously realized: Not only that WhatsApp leaks user device setup information (number of devices, mobile or not), it leaks additional information about their Operating Systems (Android, iPhone / iOS, Windows, Mac). Such information may allow potential attackers to gather actionable intelligence about their victims."
https://medium.com/@TalBeerySec/i-know-which-device-you-used-last-summer-fingerprinting-whatsapp-users-devices-71b21ac8dc70
https://www.theregister.com/2024/10/16/whatsapp_privacy_concerns/
- Code Execution, Data Tampering Flaw In Nvidia NeMo Gen-AI Framework
"Artificial intelligence tech giant Nvidia has flagged a major security flaw in its NeMo generative-AI framework, warning that malicious hackers can execute code and tamper with data on systems utilizing the platform. “NeMo contains a vulnerability in SaveRestoreConnector where a user may cause a path traversal issue via an unsafe .tar file extraction. A successful exploit of this vulnerability may lead to code execution and data tampering,” the company said in an advisory. Nvidia tagged the issue as CVE-2024-0129 with a CVSS severity score of 6.3/10. The issue affects the framework on Windows, Linux and MacOS systems."
https://www.securityweek.com/code-execution-data-tampering-flaw-in-nvidia-nemo-gen-ai-framework/
- Android 15 Rolling Out With New Theft, Application Protection Features
"Google on Tuesday started shipping Android 15 to Pixel devices with a hefty set of security improvements, including theft protection and a private space for sensitive applications. Android 15’s enhanced security features, such as the new Theft Detection Lock, rely on AI to keep both the device and the user’s data safe. “By using on-device machine learning, Theft Detection Lock is able to analyze various device signals to detect potential theft attempts. If the algorithm detects a potential theft attempt on your unlocked device, it locks your screen to keep thieves out,” Google explains."
https://www.securityweek.com/android-15-rolling-out-with-new-theft-application-protection-features/
- Google Pays Out $36,000 For Severe Chrome Vulnerability
"Google on Tuesday announced a fresh Chrome browser update that addresses 17 vulnerabilities, including 13 security defects reported by external researchers. The most severe of the externally reported bugs is CVE-2024-9954, a high-risk use-after-free defect in AI, for which Google handed out a $36,000 bug bounty reward. The browser update resolves five medium-severity use-after-free issues as well, impacting Web Authentication, UI, DevTools, Dawn, and Parcel Tracking."
https://www.securityweek.com/google-pays-out-36000-for-severe-chrome-vulnerability/
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
Malware
- CISA, FBI, NSA, And International Partners Release Advisory On Iranian Cyber Actors Targeting Critical Infrastructure Organizations Using Brute Force
"Today, CISA—with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners—released joint Cybersecurity Advisory Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure. This advisory provides known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Iranian actors to impact organizations across multiple critical infrastructure sectors. Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors."
https://www.cisa.gov/news-events/alerts/2024/10/16/cisa-fbi-nsa-and-international-partners-release-advisory-iranian-cyber-actors-targeting-critical
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-brokers-selling-critical-infrastructure-access/
https://www.bankinfosecurity.com/iranian-hackers-using-brute-force-on-critical-infrastructure-a-26542
https://cyberscoop.com/iranian-hackers-are-going-after-critical-infrastructure-sector-passwords-agencies-caution/
- Coffee Lovers Warned Of New Starbucks Phishing Scam
"A wave of emails masquerading as Starbucks offers have been circulating, promising coffee drinkers a free Starbucks Coffee Lovers Box. Action Fraud, the UK's national fraud and cyber reporting center, said it has received over 900 reports about the scam in the past two weeks. The emails contain malicious links designed to steal personal and financial information or download malware onto personal devices."
https://www.infosecurity-magazine.com/news/coffee-lovers-warned-of-starbucks/
- Hackers Target Ukraine’s Potential Conscripts With MeduzaStealer Malware
"Hackers have targeted the devices of Ukraine’s draft-aged men with MeduzaStealer malware spread through Telegram, researchers have found. MeduzaStealer was previously used by Russia-linked threat actors to obtain login credentials, computer information, browsing history and data from password managers. Last year, a threat actor known as UAC-0050 deployed the malware against targets in Ukraine and Poland. According to a new report from Ukraine’s computer emergency response team (CERT-UA), the unidentified hackers recently distributed MeduzaStealer through a Telegram account disguised as a technical support bot for users of the new Ukrainian government app called Reserve+."
https://therecord.media/hackers-target-ukraine-draftees-meduzastealer-malware-telegram
- China’s Infosec Leads Accuse Intel Of NSA Backdoor, Cite Chip Security Flaws
"A Chinese industry group has accused Intel of backdooring its CPUs, in addition to other questionable security practices while calling for an investigation into the chipmaker, claiming its products pose "serious risks to national security." The Cybersecurity Association of China (CSAC), in a lengthy post on its WeChat account on Wednesday described Intel's chips as being riddled with vulnerabilities, adding that the American company's "major defects in product quality and security management show its extremely irresponsible attitude towards customers.""
https://www.theregister.com/2024/10/16/china_intel_chip_security/
- Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 To Steal Data
"From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics. In line with this, we examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor."
https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html
- Quishing Attacks Are Targeting Electric Car Owners: Here’s How To Slam On The Brakes
"Many countries and regions across the world have been moving quickly on electric cars in recent years. Around 14 million new cars were registered in 2023 alone, a 35% annual increase which brings the worldwide total to over 40 million. But with new technology comes new threats. Ever alert to fresh money-making opportunities, criminal groups are blending physical and virtual-world threats to steal drivers’ payment details."
https://www.welivesecurity.com/en/scams/quishing-attacks-targeting-electric-car-owners-slam-on-brakes/
Breaches/Hacks/Leaks
- Varsity Brands Data Breach Impacts 65,000 People
"Apparel giant Varsity Brands this week disclosed a data breach impacting a significant number of individuals. Varsity provides uniforms, apparel and services for sports teams, schools, and student-athletes. The company was recently acquired by investment firm KKR, reportedly for $4.75 billion. Varsity informed the Maine Attorney General’s Office this week that it detected “unusual activity” on its systems in May 2024."
https://www.securityweek.com/varsity-brands-data-breach-impacts-65000-people/
General News
- Resilience Over Reliance: Preparing For IT Failures In An Unpredictable Digital World
"No IT system — no matter how advanced – is completely immune to failure. The promise of a digital ring of steel may sound attractive, but can it protect you against hardware malfunctions? Software bugs? Unexpected environmental conditions? Cybersecurity threats? Human error? And that’s just for starters."
https://www.helpnetsecurity.com/2024/10/16/resilience-over-reliance-preparing-for-it-failures-in-an-unpredictable-digital-world/
- Strengthening Kubernetes Security Posture With These Essential Steps
"In this Help Net Security interview, Paolo Mainardi, CTO at SparkFabrik, discusses comprehensive strategies to secure Kubernetes environments from development through deployment. He focuses on best practices, automation, and continuous monitoring."
https://www.helpnetsecurity.com/2024/10/16/paolo-mainardi-sparkfabrik-kubernetes-security/
- Unlocking The Value Of AI-Powered Identity Security
"While most organizations are still in the early horizons of their identity security journey, those who achieve maturity are seeing disproportionately higher returns for every dollar spent, according to SailPoint. The value of identity security remains largely untapped today. Of the organizations surveyed, roughly 41% remain at the very beginning of their identity security journey with only 10% progressing to the more advanced stages; this large gap highlights the significant opportunities for organizations to realize the full potential of identity security."
https://www.helpnetsecurity.com/2024/10/16/identity-security-economic-impact/
- Sri Lankan Police Arrest Over 200 Chinese Scammers
"Sri Lankan authorities have arrested more than 200 Chinese nationals who they say overstayed their visitor visas and engaged in large-scale financial scam operations targeting victims across Asia. In a series of media statements beginning Oct. 6, Sri Lankan police announced seven raids across the nation that led to the arrest of hundreds of cybercriminals and scam operators, a large majority of whom are Chinese nationals."
https://www.bankinfosecurity.com/sri-lankan-police-arrest-over-200-chinese-scammers-a-26531
- How Low Can You Go? An Analysis Of 2023 Time-To-Exploit Trends
"Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild. Consistent with past analyses, the majority (97) of these vulnerabilities were exploited as zero-days (vulnerabilities exploited before patches are made available, excluding end-of-life technologies). Forty-one vulnerabilities were exploited as n-days (vulnerabilities first exploited after patches are available). While we have previously seen and continue to expect a growing use of zero-days over time, 2023 saw an even larger discrepancy grow between zero-day and n-day exploitation as zero-day exploitation outpaced n-day exploitation more heavily than we have previously observed."
https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/
https://www.bleepingcomputer.com/news/security/google-70-percent-of-exploited-flaws-disclosed-in-2023-were-zero-days/
https://www.helpnetsecurity.com/2024/10/16/time-to-exploit-vulnerabilities-2023/
- USDoD Hacker Behind National Public Data Breach Arrested In Brazil
"A notorious hacker named USDoD, who is linked to the National Public Data and InfraGard breaches, has been arrested by Brazil's Polícia Federal in "Operation Data Breach". USDoD, aka EquationCorp, has a long history of high-profile data breaches where he stole data and commonly leaked it on hacking forums while taunting the victims. These breaches include those on the FBI's InfraGard, a threat information sharing portal, and National Public Data, where the personal data and social security numbers of hundreds of millions of US citizens were leaked online."
https://www.bleepingcomputer.com/news/security/usdod-hacker-behind-national-public-data-breach-arrested-in-brazil/
https://hackread.com/brazil-arrest-usdod-hacker-fbi-national-public-data-breach/
https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil
https://securityaffairs.com/169914/cyber-crime/brazils-policia-federal-arrested-hacker-usdod.html
- US Disrupts Anonymous Sudan DDoS Operation, Indicts 2 Sudanese Brothers
"The United States Department of Justice unsealed an indictment today against two Sudanese brothers suspected of being the operators of Anonymous Sudan, a notorious and dangerous hacktivist group known for conducting over 35,000 DDoS attacks in a year. Since launching in 2023, Anonymous Sudan has been behind numerous high-profile DDoS attacks, causing widespread outages and the inability for users worldwide to access targeted services. Many of their attacks were motivated by pro-Russian and pro-Palestinian causes, based on messages on the operation's Telegram channel."
https://www.bleepingcomputer.com/news/security/us-disrupts-anonymous-sudan-ddos-operation-indicts-2-sudanese-brothers/
https://therecord.media/anonymous-sudan-brothers-charged-ddos-attacks-hospital-critical-infrastructure
https://www.bankinfosecurity.com/us-indicts-sudanese-brothers-for-anonymous-sudan-attacks-a-26540
https://cyberscoop.com/alleged-anonymous-sudan-leaders-charged-prolific-gangs-tool-disabled/
https://hackread.com/us-charges-anonymous-sudan-35000-ddos-attacks/
- Protecting Major Events: An Incident Response Blueprint
"Ensuring the cybersecurity of major events — whether it’s sports, professional conferences, expos, inter-government meetings or other gatherings — is a complex and time-intensive task. It requires a comprehensive approach and collaboration among various stakeholders, including vendors, hospitality teams, and service providers, to establish a consistent cybersecurity strategy across the entire event ecosystem. In our latest version of the “Protecting major events: An incident response blueprint” whitepaper, Cisco Talos Incident Response outlines the essential steps organizations should take to secure any major event. This paper highlights 13 critical focus areas that will guide organizing committees and participating businesses, offering key questions and actionable answers to help ensure robust event security."
https://blog.talosintelligence.com/protecting-major-events-blueprint-october-2024-update/
https://blog.talosintelligence.com/content/files/2024/10/protecting-major-events-1.pdf
- Here’s How Attackers Are Getting Around Phishing Defenses
"Hackers are evading natural language processing detection capabilities used to filter out phishing attacks by adding benign text and links, according to data from Egress’ threat intelligence unit released Tuesday. Egress researchers looked at 40 attacks targeting U.S. organizations that used obfuscation techniques designed to evade anti-phishing services by using natural language processors (NLP) to send malware or malicious links. NLPs are also used by artificial intelligence models like ChatGPT."
https://cyberscoop.com/email-natural-language-obfuscation-phishing-egress/
https://cyberscoop.com/wp-content/uploads/sites/3/2024/10/20241015-Egress-NLP-Data.pdf
- Fraudulent North Korean IT Worker Schemes: From Insider Threats To Extortion
"Secureworks Counter Threat Unit (CTU) researchers have observed patterns and evolutions in IT worker schemes linked to the North Korean government (officially the Democratic People’s Republic of Korea (DPRK)). In these schemes, North Korean nationals use stolen or falsified identities to obtain employment with Western companies under false pretenses. This activity has been documented in the U.S., UK, and Australia."
https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes
https://therecord.media/north-korean-fake-it-workers-extorting-employers
https://cyberscoop.com/north-korean-it-workers-secureworks-report/
- 71% Of Hackers Believe AI Technologies Increase The Value Of Hacking
"Bugcrowd, the leader in crowdsourced cybersecurity, today released its annual Inside the Mind of a Hacker 2024 report, which analyzed responses from 1,300 hackers, also known as ethical hackers and security researchers on the Bugcrowd Platform. This report provides a comprehensive overview of the hacking community and their perspectives on topics at the forefront of cybersecurity."
https://www.darkreading.com/vulnerabilities-threats/71-of-hackers-believe-ai-technologies-increase-the-value-of-hacking
https://ww1.bugcrowd.com/inside-the-mind-of-a-hacker-2024/
https://www.infosecurity-magazine.com/news/ethical-hackers-embrace-ai-tools/
- Hybrid Work Exposes New Vulnerabilities In Print Security
"The shift to hybrid work models has exposed new vulnerabilities in corporate print infrastructure and heightened security risks at many organizations. The risks run the gamut and include employees using insecure and unmanaged printers, remote workers sending print jobs over public networks, inadequate user authentication and print job release processes, exposed local spools and caches, and inconsistent patching practices."
https://www.darkreading.com/vulnerabilities-threats/hybrid-work-vulnerabilities-print-security
- Cyber Gangs Aren't Afraid Of Prosecution
"Historically, cybercriminals have always had an edge over law enforcement. It may take a few hours to steal thousands of credit cards after exploiting a SQL injection flaw, but the subsequent investigation and prosecution of the cybercriminals can take years — and still fail. Europol described the challenges in investigating and prosecuting cybercrime — the collection and preservation of digital evidence, difficulty tracing and identifying attackers, and legal and judicial hurdles associated with cross-border investigations — back in 2019. These challenges remain relevant in 2024."
https://www.darkreading.com/cyberattacks-data-breaches/cyber-gangs-aren-t-afraid-of-prosecution
- What Cybersecurity Leaders Can Learn From The Game Of Golf
"I was talking with some friends about the recent 2024 Presidents Cup matchups, and how Mackenzie Hughes — a fellow Canadian — was going to play a pivotal role on the International Team. As we dug into game strategy, I had one of those lightbulb moments: There is a lot in common between golf and cybersecurity."
https://www.darkreading.com/vulnerabilities-threats/what-cybersecurity-leaders-learn-golf
- New Tool DVa Detects And Removes Android Malware
"Discover DVa, a new tool that detects and removes malware exploiting accessibility features on Android devices. Learn how this innovative solution helps protect users from malicious apps and safeguards their personal information."
https://hackread.com/new-tool-dva-detects-and-removes-android-malware/
https://www.usenix.org/system/files/sec24summer-prepub-136-xu-haichuan.pdf
- Cyber Threats Escalating Beyond Ability To Defend, New NCSC Head Warns
"Cyber-threats are escalating beyond the collective ability to defend against them, new UK National Cyber Security Centre (NCSC) head Dr Richard Horne has warned. In his first international speech at Singapore International Cyber Week, Horne said that increased dependence on technology is widening the gap between the escalating threats to societies, critical services, and businesses, and the ability to defend and be resilient against these threats. He revealed that in 2024 the NCSC has already responded to 50% more nationally significant incidents compared to last year, as well as a threefold increase in severe incidents."
https://www.infosecurity-magazine.com/news/cyber-threats-defend-ncsc-head/
https://therecord.media/uk-nationally-significant-cyberattacks-ncsc-horne-warning
https://www.bankinfosecurity.com/uk-reports-50-spike-in-nationally-significant-incidents-a-26544
- Navigating The Ethics Of AI In Cybersecurity
"Even if we’re not always consciously aware of it, artificial intelligence is now all around us. We’re already used to personalized recommendation systems in e-commerce, customer service chatbots powered by conversational AI and a whole lot more. In the realm of information security, we’ve already been relying on AI-powered spam filters for years to protect us from malicious emails."
https://securityintelligence.com/articles/navigating-ethics-ai-cybersecurity/
- AI Models In Cybersecurity: From Misuse To Abuse
"Artificial intelligence is on everyone’s mind right now, especially the cybersecurity industry. In a constant game of whack-a-mole, both defenders and attackers are harnessing AI to tip the balance of power in their respective favor. Before we can understand how defenders and attackers leverage AI, we need to acknowledge the three most common types of AI models currently in circulation."
https://www.securityweek.com/ai-models-in-cybersecurity-from-misuse-to-abuse/
- Russia's Case Against REvil Hackers Proceeds As Government Recommends 6.5-Year Sentence
"The Russian military prosecutor's office is reportedly pushing for prison sentences of up to 6.5 years for four people linked to the hacking group REvil. The Russian cybercrime group was one of the most active ransomware gangs before its shutdown in 2021 and the arrests of 14 suspected members by Russian law enforcement a year later. The legal proceedings against the alleged hackers have been dragging on for the last two years, and of 14 detainees only eight have made it to a Moscow court to face charges of illegal financial transactions."
https://therecord.media/russia-revil-hackers-case-sentencing
Reference
Electronic Transactions Development Agency(ETDA)