CyberSecurity.PH #028

5x Critical cybersecurity incidents in Philippines; 1.4Bn Tencent accounts claimed leaked; 2024 Threat Hunting Report; CISA warns of destructive cyberattacks from China; Critical SAP flaw; SolarWinds critical update

CyberSecurity.PH weekly - issue 028.

Welcome to issue #028 of CyberSecurity.PH - towards improving cybersecurity outcomes in the Philippines.

It’s been a busy week in cybersecurity, with a large number of new threats, vulnerabilities and exploits presented at BlackHat 2024 / Defcon 32 in Las Vegas last week - consider attending RootCon in Tagaytay next month if you’d like to experience an awesome local Philippine hacker conference.

CyberSecurity.PH also has learning materials, local education providers, curated lists of cybersecurity engineering tools, plenty of policy templates, key cybersecurity strategy papers and details on local conferences.

Tell your friends and subscribe (or just subscribe their email address 😆) - we promise they will learn up-to-date valuable cybersecurity insights each week - it’s free!

Philippines

Kukublan: 3x large data breaches, 1x government system compromise, 1x large ransomware victim

Kukublan Philippines have been busy reporting cybersecurity incidents in the Philippines over the past two weeks. Would-be threat actors now recognize the reach Kukublan has and pass evidence of their activities directly to the blog operators.

Kukublan appears to be doing a fine job in tracking dark-net/dark-web forums to make known cybersecurity incidents that appear to impact the people of the Philippines.

We’d flag a note of caution: threat-actor and dark-net/dark-web sources are by their very nature difficult to trust. In the current landscape of misinformation and disinformation campaigns from certain nation states, the job of filtering fact from fiction is increasingly difficult for reporters, investigators, threat responders and readers.

We’d suggest a “trust but verify” stance - and yes, we love the efforts of Kukublan Philippines.

With that said, Kukublan Philippines are currently reporting several high-consequence incidents.

Cybersecurity Threat Landscape

CISA director Jen Easterly warns of destructive cyberattacks from China

CISA director Jen Easterly said at the BlackHat cybersecurity conference last week that escalating tensions between China and Taiwan have led Beijing to seek ways to launch destructive attacks against the island nation and its allies.

“[This is] a world where a war in Asia will be accompanied by very serious threats for Americans. The explosion of pipelines, the pollution of water systems, the derailing of our transportation systems, the severing of our communications, specifically to incite panic and societal chaos and to deter our ability to marshal military might and citizen will.”

Easterly’s Blackhat talk described the recent worldwide disruption accidentally caused by CrowdStrike as a dress rehearsal for the scale of threat activity possible.

Further reading: The Record

1.4 Billion Tencent user accounts claimed to be leaked

A threat actor named “Fenice” claims to have leaked 1.4 billion user accounts that they say originate from Chinese internet giant Tencent.

The threat actor “Fenice” is the same actor that recently leaked personal data of 3 billion users taken from US background checking platform National Public Data.

Screenshot: Hackread.com

An article in the Shanghai Daily (China) states that Tencent denies any such leak.

Further reading: Hackread.com

2024 Threat Hunting Report published by CrowdStrike

Despite it being a tough time for CrowdStrike at the moment, they have forged on and delivered their 2024 edition Threat Hunting Report - and it’s awesome.

From the report -

The CrowdStrike 2024 Threat Hunting Report presents trends identified from July 1, 2023, to June 30, 2024, exposed by proactive, intelligence-informed threat hunting. Year-over-year, CrowdStrike OverWatch observed the following:

  • Interactive intrusions increased by 55%. An interactive intrusion occurs when threat actors perform hands-on-keyboard activities within a victim's environment.

  • 86% of all interactive intrusions were attributed to eCrime activity.

  • eCrime-related interactive intrusions against the healthcare sector increased 75%.

  • Interactive intrusions impacting the technology sector increased 60%, making technology the most frequently targeted industry for the seventh consecutive year.

  • FAMOUS CHOLLIMA insiders were identified applying to or actively working at more than 100 unique companies.

  • Adversary use of RMM tools increased 70%, and 27% of all interactive intrusions leveraged RMM tools.

Radar/Dispossessor ransomware servers and domains dismantled

The United States FBI announced the disruption of infrastructure used by the “Radar/Dispossessor” ransomware group, led by an actor using the online moniker “Brain”, through the dismantling of 3x U.S. servers, 3x U.K. servers and 18x German servers, together with a collection of domain names used in furtherance of this gang’s ransomware activities.

"Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors," states the FBI.

Dispossessor operated as a ransomware-as-a-service (RaaS) using the dual-extortion playbook that has become popular among other ransomware gangs, whereby they both exfiltrate victim data and encrypt victim file systems. Victims that refuse to pay the ransom are threatened with data exposure.

Singapore law enforcement reclaim $41M stolen in BEC scam; INTERPOL global stop-payment mechanism used

“A global stop-payment mechanism [I-GRIP] developed by INTERPOL has helped Singapore authorities make their largest ever recovery of funds defrauded in a business email compromise scam.” states a recent INTERPOL news report.

Reports indicate that the funds were stolen by impersonating one of the victim company’s suppliers, switching a single character in the email domain name.

Singapore law enforcement were able to contact authorities in Timor Leste, to which the funds had been transferred, who were then able to trace $39 million to the threat actors’ accounts. Police in Timor Leste were able to arrest seven other suspects in the matter and recovered another $2 million related to the incident.
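As an added illustration of the single-character domain swap described above (example code written for this newsletter entry, not from INTERPOL, the Singapore authorities or any product), the Python below compares the sender domain of incoming mail against an allowlist of known supplier domains and flags anything within one edit of a trusted domain, so that a look-alike supplier address is caught before an invoice is paid. The supplier domains and messages are constructed sample data; the small confusable-character table is an assumption, not an exhaustive list.

```python
# Added example: detect look-alike supplier domains in inbound mail.
# Not code from the newsletter or from any vendor; sample data is constructed.

# Constructed allowlist of domains the accounts-payable team expects mail from.
TRUSTED_SUPPLIERS = {"acme-supplies.example", "globalparts.example"}

# Assumed (not exhaustive) table of character sequences that look alike
# in common fonts. Both the trusted and the observed domain are normalised
# with it, so a swap in either direction collapses to the same string.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'acrne' compares equal to 'acme'."""
    domain = domain.lower()
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def classify_sender(address: str, trusted: set, max_distance: int = 1):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' for an exact allowlist hit, 'lookalike' when the
    domain is within max_distance edits (raw or confusable-normalised) of a
    trusted domain without being one, and 'unknown' otherwise."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return ("trusted", domain)
    best = None
    for t in trusted:
        d = min(edit_distance(domain, t),
                edit_distance(normalize(domain), normalize(t)))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    if best is not None:
        return ("lookalike", best[0])
    return ("unknown", None)


def scan(messages, trusted=TRUSTED_SUPPLIERS):
    """Classify every (sender, subject) pair; returns only the look-alikes,
    which are the ones a payment-approval workflow should hold for review."""
    flagged = []
    for sender, subject in messages:
        verdict, match = classify_sender(sender, trusted)
        if verdict == "lookalike":
            flagged.append((sender, subject, match))
    return flagged


# Constructed inbound messages: one genuine, one digit swap, one rn/m swap,
# one dropped letter and one unrelated domain.
SAMPLE_MESSAGES = [
    ("invoice@acme-supplies.example", "Invoice 4471"),
    ("invoice@acme-supp1ies.example", "Updated bank details for invoice 4471"),
    ("ap@acrne-supplies.example", "Urgent: wire transfer today"),
    ("orders@globalpart.example", "PO 9912 payment"),
    ("newsletter@some-other-vendor.example", "Monthly update"),
]

if __name__ == "__main__":
    for sender, subject, match in scan(SAMPLE_MESSAGES):
        print(f"HOLD  {sender!r} ({subject!r}) resembles trusted {match!r}")
```

The check is deliberately narrow: an exact allowlist hit passes, a domain one edit away from a trusted one is held, and everything else is left to the normal mail flow. Raising `max_distance` catches more variants but also starts holding legitimate unrelated suppliers, so tune it against your own allowlist.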

Further reading: The Register, The Record

Microsoft seizes domain used by Vietnamese threat group (Storm-1152) selling fake accounts and services

The seizure of a domain (withheld here) by Microsoft comes six months after a US federal court authorized Microsoft to seize domains and infrastructure operated by the threat group tracked as Storm-1152.

Microsoft states that this threat group was responsible for creating ~750M fraudulent Microsoft accounts using CAPTCHA bypass services, accounts that were then used to facilitate a substantial amount of other cybercrime.

Further reading: Cyberscoop

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

Cybersecurity Vulnerabilities

A critical zero-click RCE in Windows TCP/IP that impacts all Windows

CVE-2024-38063 is a zero-click, wormable remote code execution hole in Windows that requires no authentication and is exploited using IPv6 packets; in some cases it can’t be prevented by disabling IPv6, because the flaw is triggered at a point before the normal handling of IPv6 packets.

Critical SAP flaw allows threat actors to bypass authentication

CVE-2024-41730 with a CVSS score of 9.8 affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440. This “missing authentication check” flaw enables unauthorized users to obtain a logon token via a REST endpoint if Single Sign-On is enabled on Enterprise authentication.

Further reading: Cybersecurity News, SAP

SolarWinds releases critical update

CVE-2024-28986, with a CVSS score of 9.8, affects SolarWinds Web Help Desk due to a Java deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.

Further reading: SolarWinds

Zabbix Server vulnerability allows remote code execution via ping script

CVE-2024-22116, with a CVSS score of 9.9, has been patched in Zabbix, a popular monitoring solution. The vulnerability allowed an administrator with restricted permissions to execute arbitrary code via the Ping script in the Monitoring Hosts section, potentially compromising the infrastructure.

Further reading: Cybersecurity News

Cybersecurity Engineering Overload

NIST releases three algorithms for a post-quantum encryption world

NIST has released a final set of encryption tools designed to withstand the attack of a quantum computer.

These post-quantum encryption standards secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy.

NIST is encouraging computer system administrators to begin transitioning to the new standards as soon as possible.

Further reading: Dark Reading, The Record, NIST

Moxie Marlinspike on the horrors of Agile

If you’re a software developer living with the pains of Agile development, you’ll enjoy the comments from the founder of Signal on day two of the Blackhat conference.

Further reading: The Register

Got news or something you’d like us to mention, feel free to get in contact - [email protected]