CyberSecurity.PH #028
5x Critical cybersecurity incidents in Philippines; 1.4Bn Tencent accounts claimed leaked; 2024 Threat Hunting Report; CISA warns of destructive cyberattacks from China; Critical SAP flaw; SolarWinds critical update
CyberSecurity.PH weekly - issue 028.
Welcome to issue #028 of CyberSecurity.PH - towards improving cybersecurity outcomes in the Philippines.
It’s been a busy week in cybersecurity, with a large number of new threats, vulnerabilities and exploits presented at BlackHat 2024 / Defcon 32 in Las Vegas last week - consider attending RootCon in Tagaytay next month if you’d like to attend an awesome local Philippine hacker conference.
CyberSecurity.PH also has learning materials, local education providers, curated lists of cybersecurity engineering tools, plenty of policy templates, key cybersecurity strategy papers and details on local conferences.
Tell your friends and subscribe (or just subscribe their email address 😆) - we promise they will learn up-to-date valuable cybersecurity insights each week - it’s free!
Philippines
Kukublan: 3x large data breaches, 1x government system compromise, 1x large ransomware victim
Kukublan Philippines have been busy reporting cybersecurity incidents in the Philippines over the past two weeks. Would-be threat actors now recognize the reach that Kukublan has and pass evidence of their activities directly to the blog operators.
Kukublan appears to be doing a fine job in tracking dark-net/dark-web forums to make known cybersecurity incidents that appear to impact the people of the Philippines.
We’d flag a note of caution: threat-actor and dark-net/dark-web sources are by their very nature difficult to trust. In the current landscape of misinformation and disinformation campaigns from certain nation states, the job of separating fact from fiction is increasingly difficult for reporters, investigators, threat responders and readers.
We’d suggest a “trust but verify” stance - and yes, we love the efforts of Kukublan Philippines.
With that said, Kukublan Philippines are currently reporting several high-consequence incidents.
Cybersecurity Threat Landscape
CISA director Jen Easterly warns of destructive cyberattacks from China
CISA director Jen Easterly said at the BlackHat cybersecurity conference last week that escalating tensions between China and Taiwan have led Beijing to seek ways to launch destructive attacks against the island nation and its allies.
“[This is] a world where a war in Asia will be accompanied by very serious threats for Americans. The explosion of pipelines, the pollution of water systems, the derailing of our transportation systems, the severing of our communications, specifically to incite panic and societal chaos and to deter our ability to marshal military might and citizen will.”
Easterly’s BlackHat talk described the recent worldwide disruption accidentally caused by CrowdStrike as a dress rehearsal for the scale of threat activity possible.
Further reading: The Record
1.4 Billion Tencent user accounts claimed to be leaked
A threat actor named “Fenice” claims to have leaked 1.4 billion user accounts which they say originate from Chinese internet giant Tencent. “Fenice” is the same actor that recently leaked the personal data of 3 billion people taken from US background-checking platform National Public Data.
An article in the Shanghai Daily (China) states that Tencent denies any such leak.
Further reading: Hackread.com
2024 Threat Hunting Report published by CrowdStrike
Despite it being a tough time for CrowdStrike at the moment, they have forged on and delivered their 2024 edition Threat Hunting Report - and it’s awesome.
From the report -
The CrowdStrike 2024 Threat Hunting Report presents trends identified from July 1, 2023, to June 30, 2024, exposed by proactive, intelligence-informed threat hunting. Year-over-year, CrowdStrike OverWatch observed the following:
Interactive intrusions increased by 55%. An interactive intrusion occurs when threat actors perform hands-on-keyboard activities within a victim's environment.
86% of all interactive intrusions were attributed to eCrime activity.
eCrime-related interactive intrusions against the healthcare sector increased 75%.
Interactive intrusions impacting the technology sector increased 60%, making technology the most frequently targeted industry for the seventh consecutive year.
FAMOUS CHOLLIMA insiders were identified applying to or actively working at more than 100 unique companies.
Adversary use of RMM tools increased 70%, and 27% of all interactive intrusions leveraged RMM tools.
Further reading: CrowdStrike 2024 Threat Hunting Report.pdf
Radar/Dispossessor ransomware servers and domains dismantled
The United States FBI announced the disruption of infrastructure used by the “Radar/Dispossessor” ransomware group, led by the online moniker “Brain”, through the dismantling of 3x U.S. servers, 3x U.K. servers and 18x German servers, together with a collection of domain names used in furtherance of this gang’s ransomware activities.
"Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors," states the FBI.
Dispossessor operated as a ransomware-as-a-service (RaaS) using the dual-extortion playbook that has become popular among other ransomware gangs, whereby they both exfiltrate victim data and encrypt victim file systems. Victims that refuse to pay the ransom are threatened with data exposure.
Further reading: Dark Reading, The Record, The Register, Bleeping Computer
Singapore law enforcement reclaim $41M stolen in BEC scam; INTERPOL global stop-payment mechanism used
“A global stop-payment mechanism [I-GRIP] developed by INTERPOL has helped Singapore authorities make their largest ever recovery of funds defrauded in a business email compromise scam.” states a recent INTERPOL news report.
Reports indicate that the funds were stolen by impersonating one of the victim company’s suppliers, switching a single character in the email domain name.
Singapore law enforcement were able to contact authorities in Timor Leste, to which the funds had been transferred, who were then able to trace $39 million to the threat actors’ accounts. Police in Timor Leste arrested seven other suspects in the matter and recovered another $2 million related to the incident.
Further reading: The Register, The Record
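As an added illustration of how a defender can catch the single-character domain swap described above (this is not code from the INTERPOL report or the newsletter), the following Python check compares a message’s From: domain against an allowlist of supplier domains and flags anything exactly one edit (substitution, insertion or deletion) away; the supplier domain names and sample headers are constructed.

```python
import email.utils

# Constructed allowlist of trusted supplier domains (hypothetical names).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "globalparts.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header, or '' if none."""
    _, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS) -> str:
    """'known' if the domain is allowlisted, 'lookalike' if it is exactly one
    edit away from an allowlisted domain, otherwise 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in known:
        return "known"
    if any(edit_distance(domain, good) == 1 for good in known):
        return "lookalike"
    return "unknown"

def flag_lookalikes(headers):
    """Return the From: values whose domain is a one-edit lookalike."""
    return [h for h in headers if classify_sender(h) == "lookalike"]

# Constructed sample From: headers; the second swaps 'l' for a capital 'I'.
SAMPLE_HEADERS = [
    "Accounts <billing@acme-supplies.example>",
    "Accounts <billing@acme-suppIies.example>",
    "Accounts <billing@acme-supplies.exarnple>",   # 'rn' for 'm' is two edits
]
```

A two-character trick such as “rn” for “m” is not one edit and slips through this check, so a production filter also normalises confusable characters before comparing.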
Microsoft seizes domain used by Vietnamese threat group (Storm-1152) selling fake accounts and services
The seizure of a domain (withheld here) by Microsoft comes six months after a US federal court authorized Microsoft to seize domains and infrastructure operated by the threat group tracked as Storm-1152.
Microsoft states that this threat group was responsible for creating ~750M fraudulent Microsoft accounts using CAPTCHA-bypass services, accounts that were then used to facilitate substantial other cybercrime activity.
Further reading: Cyberscoop
Cybersecurity Engineering
A weekly highlight of tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
SSHamble - a tool for testing and checking SSH implementations for implementation and configuration problems - github.com/runZeroInc/sshamble
Can I take over XYZ? - a list of services and how to claim (sub)domains with dangling DNS records - github.com/EdOverflow/can-i-take-over-xyz
Bearer - Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks - github.com/Bearer/bearer
Cybersecurity Vulnerabilities
A critical zero-click RCE in Windows TCP/IP that impacts all Windows
CVE-2024-38063 is a zero-click, wormable remote code execution hole in Windows that requires no authentication, is exploited using IPv6 packets and in some cases can’t be prevented by disabling IPv6, because the flaw is reached before the point at which IPv6 packet handling is disabled.
Further reading: Microsoft, The Register, Cybersecurity News, Bleeping Computer
Critical SAP flaw allows threat actors to bypass authentication
CVE-2024-41730 with a CVSS score of 9.8 affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440. This “missing authentication check” flaw enables unauthorized users to obtain a logon token via a REST endpoint if Single Sign-On is enabled on Enterprise authentication.
Further reading: Cybersecurity News, SAP
SolarWinds releases critical update
CVE-2024-28986, with a CVSS score of 9.8 affects SolarWinds Web Help Desk due to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.
Further reading: SolarWinds
Zabbix Server vulnerability allows remote code execution via ping script
CVE-2024-22116, with a CVSS score of 9.9, has been patched in Zabbix, a popular monitoring solution. The vulnerability allowed an administrator with restricted permissions to execute arbitrary code via the Ping script in the Monitoring Hosts section, potentially compromising the infrastructure.
Further reading: Cybersecurity News
Cybersecurity Engineering Overload
NIST releases three algorithms for a post-quantum encryption world
NIST has released a final set of encryption tools designed to withstand the attack of a quantum computer.
These post-quantum encryption standards secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy.
NIST is encouraging computer system administrators to begin transitioning to the new standards as soon as possible.
Further reading: Dark Reading, The Record, NIST
Moxie Marlinspike on the horrors of Agile
If you’re a software developer living with the pains of Agile development, you’ll enjoy the comments from the founder of Signal on day two of the BlackHat conference.
Further reading: The Register
Got news or something you’d like us to mention, feel free to get in contact - [email protected]