CyberSecurity.PH #029

APT41 targeting Philippine military; Supreme Court data breach claim; PoC exploit Windows IPv6 zero-click RCE; Backdoor in millions of RFIDs; Open-source WAF; Grype for SAST; SonicWall vulnerability; GitHub Enterprise Server auth bypass

CyberSecurity.PH weekly - issue 029.

CyberSecurity.PH is not just an awesome newsletter: we also have learning materials, local education providers, curated lists of cybersecurity engineering tools, plenty of policy templates, key cybersecurity strategy papers and details on local conferences.

Help us improve cybersecurity outcomes in the Philippines by telling your friends about us, or by just subscribing their email address 😆 - we promise they will learn up-to-date, valuable cybersecurity insights each week.

Philippines

Threat actors targeting Philippine military with Cobalt Strike since June

The cybersecurity division of Japanese communications giant NTT has produced a report detailing recently observed activity targeting military assets in the South East Asian region, including the Philippine military.

The report (in Japanese) outlines the less-than-common mechanisms used and attributes the threat activity as likely APT41, a well-known Chinese threat group that has been observed dropping Cobalt Strike with similar deployment mechanisms before.

The NTT report provides a list of domains that are excellent indicators of compromise; defenders can use them to determine whether they have been impacted - use them!

Further reading: Dark Reading

Possible data breach at the Supreme Court of the Philippines

News of a possible data breach involving the Supreme Court of the Philippines has been reported by Kukublan Philippines.

The report provides a screenshot of what appears to be the well-known Breach Forums site, with similar but not-quite-the-same site colors (the blue/green banner is off).

The exposed data is said to contain 13,564 records with full names, assessment numbers, case types, payment status and dates.

The report is troublesome if accurate.

Further reading: Kukublan Philippines

Cybersecurity Threat Landscape

Proof-of-concept exploit released for MS Windows IPv6 zero-click remote-code-execution vulnerability

Earlier this month MS patched a vulnerability (CVE-2024-38063, CVSS 9.8) that is a remote code execution vulnerability affecting all Windows systems that have IPv6 enabled.

The related Microsoft Resource Center article currently suggests the issue is unproven with no public exploits; however, this description is no longer accurate because GitHub user ynwarcs has developed and released PoC exploit code.

If you have not yet applied Windows Updates for CVE-2024-38063, please stop what you are doing and apply updates now.

Further reading: Dark Reading

Volt Typhoon (China) targeting internet providers using Versa Director zero-day

The Chinese state-backed threat group Volt Typhoon has been named as responsible for exploiting a zero-day vulnerability in Versa Director that enables the upload of a malicious webshell, which can then be abused to steal credentials from internal networks.

The vulnerability, CVE-2024-39717 (CVSS 7.2), is caused by a feature within the Versa Director GUI that enables customized icons. A malicious Java file disguised as a PNG icon file can be uploaded in a way that causes the tricky Java code to be executed remotely. VirusTotal has a sample available here.

CISA has issued an advisory for the issue indicating that it has been added to their Known Exploited Vulnerabilities catalog; the issue is real and happening right now.
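The defensive lesson from the Versa Director bug is that an "icon" upload has to be validated on its content, not its filename. The following is an added example (not Versa's code, nor from the advisories above) showing a naive extension-only check beside a hardened one that insists on real PNG structure and rejects Java class/JAR magic; the upload handler names and sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # compiled .class file
ZIP_MAGIC = b"PK\x03\x04"                # JAR archives are ZIP files

def accept_icon_upload_naive(filename: str, data: bytes) -> bool:
    """Weak check (hypothetical): trusts the extension, so a renamed Java payload passes."""
    return filename.lower().endswith(".png")

def looks_like_java(data: bytes) -> bool:
    """True if the payload starts like a Java class file or a JAR/ZIP archive."""
    return data.startswith(JAVA_CLASS_MAGIC) or data.startswith(ZIP_MAGIC)

def is_valid_png(data: bytes) -> bool:
    """Require the PNG signature plus a well-formed IHDR chunk with a correct CRC."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:29]                       # 13-byte IHDR payload
    crc = struct.unpack(">I", data[29:33])[0]
    return zlib.crc32(ctype + body) == crc   # CRC covers type + payload

def accept_icon_upload(filename: str, data: bytes) -> bool:
    """Hardened check (hypothetical): extension, magic bytes and PNG structure must all agree."""
    if not filename.lower().endswith(".png"):
        return False
    if looks_like_java(data):
        return False
    return is_valid_png(data)

def _png_header_1x1() -> bytes:
    """Constructed sample: signature + IHDR for a 1x1 8-bit RGB image (header only)."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    return PNG_SIG + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr))

SAMPLE_PNG = _png_header_1x1()
SAMPLE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8  # constructed class-file stub

if __name__ == "__main__":
    print("naive accepts disguised class:", accept_icon_upload_naive("icon.png", SAMPLE_CLASS))
    print("hardened accepts disguised class:", accept_icon_upload("icon.png", SAMPLE_CLASS))
    print("hardened accepts real PNG header:", accept_icon_upload("icon.png", SAMPLE_PNG))
```

The same idea applies to any upload feature that later interprets the file by extension: decide on the bytes, and store uploads where the application server will never execute them.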

Backdoor in millions of RFID cards allows cloning

MIFARE Classic RFID cards from Shanghai Fudan Microelectronics (models FM11RF08*) have been discovered to contain hard-coded keys that can be cracked in a way that makes cloning these cards relatively simple.

These cards have been very popular in access control system deployments in hotels and offices because they were reasonably priced and fixed previously known issues with MIFARE Classic.

The issue means that RFID cards using this technology can be cloned, which breaks the something-unique-you-have security model relied upon in physical access control systems.

Further reading: Security Week, Hack Read

Thousands of misconfigured NetSuite sites expose customer data

A widespread misconfiguration in the SiteBuilder and SuiteCommerce products from NetSuite can unwittingly expose customer records.

Cybersecurity company AppOmni has produced a detailed report that describes a simple and easy-to-make misconfiguration that allows unauthenticated customers to browse, register, and even purchase products directly from a business.

Thousands of websites have been discovered to be impacted, demonstrating how common the misconfiguration is.

Further reading: Dark Reading

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or find just plain interesting; check out our engineering section online at CyberSecurity.PH too!

  • Bunkerweb - An open-source and next-generation Web Application Firewall (WAF) - github.com/bunkerity/bunkerweb

  • Grype - The easiest vulnerability scanner for container images and filesystems you’ve ever used - github.com/anchore/grype

  • NilsIrl/dockerc - hardly a security tool, but it highlights the absurdism that can lead to unexpected security outcomes. Dockerc “compiles” a Docker image into a file that looks like a single executable; it’s horrible and delightful at the same time - github.com/NilsIrl/dockerc

Cybersecurity Vulnerabilities

New SonicWall vulnerability allows unauthorized access

An improper access control vulnerability has been identified in SonicWall SonicOS management access that can lead to unauthorized access and, in some cases, a crash of the firewall.

The vulnerability is tracked as CVE-2024-40766 (CVSS 9.3).

Hard coded password in Fortra FileCatalyst Workflow

Fortra FileCatalyst Workflow has hard-coded default credentials in the HSQLDB component that are well known and published in vendor knowledge base articles. The HSQLDB component has been deprecated and is not intended for production use, yet it is still used by many, which leads to issues.

The vulnerability is tracked as CVE-2024-6633 (CVSS 9.8).

GitHub Enterprise Server auth bypass vulnerability

On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs that utilize publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges.

The vulnerability is tracked as CVE-2024-6800 (CVSS 9.5).

Further reading: GitHub, Bleeping Computer

Cybersecurity Engineering Overload

Phrack Magazine Issue 71

If you’ve been involved in information security / cybersecurity for as long as I have, you’ll know, love and respect Phrack magazine - they’ve just published issue 71. Fair warning: it’s not for the faint of technical capability.

Got news or something you’d like us to mention? Feel free to get in contact - [email protected]