CyberSecurity.PH #030

Chinese cyber espionage Mustang Panda and Crimson Palace; Two new large Philippines data-breaches; a YubiKey vulnerability; Russian military GRU 29155 threats; Two air-gapped host exfiltration techniques; Two CVSS 10.0 vulnerabilities; Open source adversary simulation software

CyberSecurity.PH weekly - issue 030.

Welcome to CyberSecurity.PH issue #030

CyberSecurity.PH is not just an awesome newsletter; we also offer, for free:

  • Learning materials - plenty of cybersecurity learning material, no matter what level you are at.

  • Engineering tools and utilities to help you conduct your cybersecurity tasks; we like open-source tools.

  • Plenty of policy templates - to help you get started with your own.

  • Key cybersecurity strategy papers covering cybersecurity in PH.

  • Local education providers - an updated list of the known cybersecurity education providers across PH.

Help us improve cybersecurity outcomes in the Philippines by telling your friends about us, or just subscribe their email address 😆 - we promise they will learn up-to-date, valuable cybersecurity insights each week.

Will you be at RootCon? Stop and say hello, we’ll be easy to recognize.

Philippines

China-based cyber espionage threat-group Mustang Panda targeting APAC governments including PH

Multiple reports this week of the China state-sponsored threat group Mustang Panda operating a new campaign aimed at government agencies throughout the APAC region, including the Philippines.

The current operation involves spear-phishing victims known to be high-value targets, and the use of USB-delivered malware to deploy PUBLOAD, which exfiltrates data from victims.

Mustang Panda is known for collecting intelligence ahead of bad news, which allows China to deploy influence operations to soften the blow or create an environment of doubt.

Mustang Panda is known by various names: TA416, Bronze President, Luminous Moth, Stately Taurus, and Earth Preta.

Crimson Palace espionage campaign, actively hacking APAC governments

Crimson Palace is yet another Chinese government threat campaign targeting APAC government entities, including the Philippines.

A new report by cybersecurity firm Sophos outlines the campaign's updated tools, techniques and procedures, and describes the activity as very recent and continuing; Sophos published an earlier report on this campaign.

Of particular note in the latest report are three IP addresses located in the Philippines that have been used as endpoints forming part of the command-and-control operations for compromised hosts; these endpoints are likely compromised themselves.

Well-practiced threat campaign operators like to keep threat traffic within the country, since in-country traffic is less likely to trip threat sensors. It is not (yet) known from Sophos who the main government target is; their report avoids directly naming the target(s).
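The point above matters for detection engineering: a rule that only alerts on traffic leaving the country will never fire on an in-country C2 endpoint, whereas matching destinations against published indicators catches it regardless of geolocation. The following is an added example (not Sophos's code, and not the page's own) that runs both rules over a few constructed firewall log lines. The log format (`src=… dst=… dport=… geo=…`) is assumed, and the indicator list uses RFC 5737 TEST-NET placeholders because the three Philippine IP addresses from the Sophos report are not reproduced here.

```python
import re

# Constructed sample firewall log lines for this example; not taken from the Sophos report.
SAMPLE_LOGS = [
    "2024-09-12T08:01:02Z src=10.0.5.23 dst=192.0.2.10 dport=443 geo=PH action=allow",
    "2024-09-12T08:01:09Z src=10.0.5.23 dst=203.0.113.44 dport=443 geo=US action=allow",
    "2024-09-12T08:02:15Z src=10.0.7.8 dst=198.51.100.7 dport=8443 geo=PH action=allow",
    "2024-09-12T08:03:00Z src=10.0.5.23 dst=192.0.2.99 dport=80 geo=PH action=allow",
    "2024-09-12T08:03:30Z heartbeat ok",  # unrelated line the parser must skip
]

# Placeholder indicator set (assumption). The Sophos report names three Philippine
# IP addresses used as C2 endpoints; they are not reproduced here, so RFC 5737
# TEST-NET addresses stand in. Replace with the published indicators in real use.
C2_INDICATORS = frozenset({"192.0.2.10", "198.51.100.7"})

# Assumed log layout: key=value fields separated by single spaces.
LOG_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dport=(?P<dport>\d+) "
    r"geo=(?P<geo>[A-Z]{2})"
)


def parse_events(lines):
    """Yield parsed connection records; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "geo": m["geo"]}


def foreign_destination_alerts(lines, home_country="PH"):
    """Naive geo-only rule: alert only when a destination is outside the home country."""
    return sorted({e["dst"] for e in parse_events(lines) if e["geo"] != home_country})


def indicator_alerts(lines, indicators=C2_INDICATORS):
    """Indicator rule: alert on any destination in the C2 list, whatever its geolocation."""
    return [(e["src"], e["dst"], e["dport"]) for e in parse_events(lines) if e["dst"] in indicators]


if __name__ == "__main__":
    print("geo-only rule flags:", foreign_destination_alerts(SAMPLE_LOGS))
    print("indicator rule flags:", indicator_alerts(SAMPLE_LOGS))
```

On the sample data the geo-only rule flags only the (benign-looking) US destination and misses both in-country C2 hits, while the indicator rule flags exactly those two connections; the two result sets do not overlap, which is the gap the Sophos observation points at.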

Kukublan Philippines: 2x new large data breaches reported

Kukublan Philippines, the media outlet of Deep Web Konek, is reporting two new large data breach events this week.

From their reports:

Kukublan does a fine job of tracking dark-net/dark-web sources to make known the cybersecurity incidents that impact the people of the Philippines.

Cybersecurity Threat Landscape

Chinese hackers linked to cybercrime syndicate arrested in Singapore

The Singapore Police Force has arrested five Chinese nationals, plus a Singaporean national, for their suspected involvement in cybercrime activity in Singapore.

The report from the Singapore police states that 160 law enforcement officials conducted simultaneous raids at several locations on September 9, 2024.

The six men, aged between 32 and 42, are suspected of being linked to a global syndicate that conducts malicious cyber activities using PlugX backdoor malware.

China-based APT actors that have been known to use PlugX include APT10 (Stone Panda), APT41 (Winnti), and Mustang Panda.

YubiKey vulnerability discovered that enables key cloning

Much news last week about a technical attack on YubiKeys that can enable key clones to be created. This is a big deal because it breaks one of the fundamental properties of hardware keys, that they can't be reproduced, and these keys are used in critical user authentication systems, including defense-related systems.

The report into the issue is a fascinating read if you have the technical chops to follow it; it's not straightforward, and it clearly took the researchers years to nut out an effective mechanism to leak the internally held private key.

Short story: it's a side-channel attack achieved by placing a probe on a component inside the key.

Should you be worried? Probably not.

Source: ninjalab.io

Considerations to keep in mind on this issue

  • The attack requires physically tampering with the target YubiKey, which leaves very evident signs that the device has been attacked.

  • The attack requires physical access to the key; a threat actor with that level of access could instead simply enroll their own hardware tokens on your accounts, which is much easier and which you probably won't notice.

  • The attack requires fairly solid technical capability and appropriate tools; if you have threat actors at this level acting against you, then you perhaps have bigger concerns. Buy a new YubiKey and call it a day.

The net security outcome is probably positive on the whole, since users will be reminded of the importance of maintaining physical control of their YubiKeys.

Further reading - Ars Technica, Bleeping Computer

Russian military cyber threat actors (GRU 29155) targeting global critical infrastructure assets

Five Eyes cyber intelligence services have produced a new report that details the current operations of GRU Unit 29155, a unit that has been responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

The current threat activity involves website defacement, infrastructure scanning, data exfiltration, and data leak operations. The group then sells or publicly releases the exfiltrated victim data to inflict reputational harm. Since early 2022 its primary focus has been on targeting and disrupting efforts related to Ukraine.

The Five Eyes report provides good, albeit simple, advice:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.

  • Segment networks to prevent the spread of malicious activity.

  • Enable phishing-resistant multi-factor authentication (i.e. hardware tokens) for all externally facing account services, especially webmail, virtual private networks (VPNs), and accounts that access critical systems.

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful, or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

Cybersecurity Vulnerabilities

Ivanti releases urgent security updates for Endpoint Manager vulnerabilities (CVSS 10.0)

Endpoint security software vendor Ivanti has released an update to address a long list of high-severity vulnerabilities, including CVE-2024-29847 with a CVSS score of 10.0, which allows a remote, unauthenticated attacker to achieve remote code execution - as bad as it gets.

Progress Software issues emergency fix for LoadMaster vulnerabilities (CVSS 10.0)

Progress Software has issued an emergency fix for CVE-2024-7591, which has a CVSS score of 10.0. The vulnerability enables threat actors to remotely execute commands on LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products.

Thousands of Veeam backup servers at risk of new vulnerability (CVSS 9.8)

A new vulnerability, CVE-2024-40711, in Veeam's Backup and Replication software allows threat actors to take full control of unpatched systems via a remote, unauthenticated flaw.

Of particular note, ransomware threat actors are known to target Veeam systems to steal backups and then delete or encrypt them, depriving victims of recovery options.

Most shockingly, thousands of organizations expose this type of critical corporate infrastructure to the public internet; they'll be having a bad week.

Further reading - Bleeping Computer, Hack Read

Cybersecurity Engineering Overload

RAMBO attack steals data using RAM in air-gapped computers

A side-channel attack dubbed "RAMBO" (Radiation of Air-gapped Memory Bus for Offense) generates electromagnetic radiation from a device's RAM to send data from air-gapped computers.

Air-gapped hosts vulnerable to acoustic attack via LCD screens

Yes, this is a different attack from the RAMBO attack, and yes, it's from the same author.

In a PIXHELL attack, malware modulates pixel patterns on an LCD screen to induce audible noise that carries encoded signals, which can then be captured by nearby devices such as smartphones.

Further reading - Dark Reading, The Hacker News

Got news or something you'd like us to mention? Feel free to get in contact - [email protected]