CyberSecurity.PH #037

Chinese threat-actors target Philippine Executive branch and US Treasury; 30+ Chrome plugins hack, millions of users at risk; GuardDog PyPi/NPM scanner; Critical vulnerabilities in Apache, Oracle, Mitel, Ivanti and SonicWall

Welcome to CyberSecurity.PH issue #037,

It’s been a busy few weeks since issue #036, so we are picking up where we left off; happy 2025 to all.

Got friends that want to “get into” Cybersecurity? Tell them about CyberSecurity.PH for up-to-date cyber threat awareness, Learning materials, Engineering tools, Policy templates, Strategy papers and Philippine local Education providers.

Philippines

Chinese cyber threat actors targeting Philippine Executive Branch, stealing military data

Multiple sources reported this week on a recent Bloomberg article indicating that Chinese threat actors were detected in 2023/2024 conducting cyber-intrusion operations against the Executive Branch of the Philippines.

Reporting on the matter suggests that Philippine President Ferdinand R. Marcos Jr. (PBBM) was among those targeted, and that military data regarding the West Philippine Sea region was stolen.

At the Malacañang Press Briefing this week, Ivan Mayrina, a journalist with the GMA 7 network, asked about the reports that “Chinese hackers target Philippine President and steal military data…”; DICT Secretary John Uy responded by downplaying the reporting as nothing new:

“But I’d like to reiterate that so far what we have seen is that no current information has been compromised. What we have seen so far are old data from many years ago that are being regurgitated, recycled just to make an impression that they were successful in doing so.” - DICT Secretary John Uy at Malacañang Press Briefing, 07 January 2025

Follow up reporting via Rappler -

“Based on assessment of our cybersecurity experts, no sensitive information was compromised,” said the National Security Council’s spokesperson Assistant Director General Jonathan Malaya in a message to Rappler.

China-based cyber-threat activity is likely to continue in 2025, with overt offensive operations that are relatively easy to attribute.

The harder challenge is how to detect, respond to and deter long-running narrative-redirection campaigns, commonly delivered via popular social media platforms, that shape how citizens perceive threat events and offensive operations.

Cybersecurity Threat Landscape

United States Treasury OFAC breached by Chinese threat-actors via third-party vendor

Chinese threat actors have been reported as breaching the United States Treasury Office of Foreign Assets Control (OFAC), the office that administers and enforces trade and economic sanctions programs.

The threat actors compromised BeyondTrust, the Treasury's remote-support vendor, and obtained a key that BeyondTrust used to secure its cloud-based Remote Support service. With that key they bypassed the service's security controls, remotely accessed OFAC end-user workstations and retrieved unclassified documents. BeyondTrust has since published fixes for its Remote Support product (CVE-2024-12356 and CVE-2024-12686); if you run the self-hosted version, patch it and rotate any API keys issued to the product.

Early indications from the incident response are that the intrusion is limited to the US Treasury Department.

30+ Chrome plugins hacked, exposing millions of users to credential theft

Browser-extension supply-chain security company “Extension Total” recently flagged 36 (at time of writing) Chrome browser extensions whose published versions unexpectedly pull in additional JavaScript that enables credential theft and phishing (among other things).

The issue came to light after an earlier incident at cyber-security company “Cyberhaven”, where an employee was phished into granting an attacker access to the company's Chrome Web Store developer account; the attacker then published a malicious version of the Cyberhaven extension, which Chrome auto-updated onto users' browsers.

Various lists (including a shared Google Sheet) have been compiled detailing the affected Chrome extension IDs and versions; some of the extensions had still not been taken down at time of writing.

The Chrome extension names include -

VPNCity, Parrot Talks, Uvoice, Internxt VPN, Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant for Chrome, VidHelper - Video Downloader, AI Assistant - ChatGPT and Gemini for Chrome, TinaMind - The GPT-4o-powered AI Assistant!, Bard AI chat, Reader Mode, Primus (prev. PADO), Tackker - online keylogger tool, AI Shop Buddy, Sort by Oldest, Rewards Search Automator, Earny - Up to 20% Cash Back, ChatGPT Assistant - Smart Search, Keyboard History Recorder, Email Hunter, Visual Effects for Google Meet, Cyberhaven security extension V3, GraphQL Network Inspector, GPT 4 Summary with OpenAI, Vidnoz Flex - Video recorder & Video share, YesCaptcha assistant, Proxy SwitchyOmega (V3), ChatGPT App, Web Mirror, Hi AI

Check that your users are not running any of the listed extensions; some are very popular and commonly used. Because the malicious code was shipped as an update to an otherwise legitimate extension, compare both the extension ID and the installed version against the lists, not just the name.
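To operationalise that check, here is an added example (not code from Extension Total, Cyberhaven or this newsletter) that walks a Chrome profile's Extensions directory, resolves localised extension names from _locales/<default_locale>/messages.json, and reports installs whose name or ID matches a blocklist. FLAGGED_NAMES is a subset of the names listed above; the default profile paths and the sample data written by build_sample_profile() are assumptions for the demo, and flagged_ids is left empty because the IDs are not reproduced on this page.

```python
"""Scan Chrome extension directories for extensions named in a blocklist."""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Subset of the extension names listed in the reporting above.
FLAGGED_NAMES = {
    "VPNCity", "Parrot Talks", "Uvoice", "Internxt VPN", "Castorus",
    "Reader Mode", "Proxy SwitchyOmega (V3)", "Cyberhaven security extension V3",
}

EXT_ID_RE = re.compile(r"^[a-p]{32}$")   # Chrome Web Store IDs: 32 chars, a-p only
MSG_RE = re.compile(r"^__MSG_(\w+)__$")  # i18n placeholder used in manifest fields


def resolve_i18n(ext_dir: Path, manifest: dict, value) -> str:
    """Resolve a __MSG_key__ manifest value via _locales/<default_locale>/messages.json."""
    value = str(value or "")
    m = MSG_RE.match(value)
    if not m:
        return value
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return value
    wanted = m.group(1).lower()  # Chrome treats message keys case-insensitively
    for key, entry in messages.items():
        if key.lower() == wanted and isinstance(entry, dict):
            return str(entry.get("message", value))
    return value


def scan_extensions(extensions_root: Path, flagged_names=FLAGGED_NAMES, flagged_ids=()):
    """Return [{id, version, name, path}] for every installed extension matching the blocklist."""
    hits = []
    if not extensions_root.is_dir():
        return hits
    flagged_lower = {n.lower() for n in flagged_names}
    for ext_dir in sorted(extensions_root.iterdir()):
        if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
            continue
        for ver_dir in sorted(ext_dir.iterdir()):  # Chrome keeps <version>_<n>/ per install
            manifest_file = ver_dir / "manifest.json"
            if not manifest_file.is_file():
                continue
            try:
                manifest = json.loads(manifest_file.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue
            name = resolve_i18n(ver_dir, manifest, manifest.get("name", ""))
            if ext_dir.name in flagged_ids or name.lower() in flagged_lower:
                hits.append({"id": ext_dir.name, "version": str(manifest.get("version", "?")),
                             "name": name, "path": str(ver_dir)})
    return hits


def default_extension_roots():
    """Candidate <profile>/Extensions directories for a default Chrome install (assumed paths)."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = Path.home() / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = Path.home() / ".config" / "google-chrome"
    return [p / "Extensions" for p in base.glob("*") if (p / "Extensions").is_dir()]


def build_sample_profile(root: Path) -> None:
    """Write a constructed Extensions tree: one flagged extension with an i18n name, one benign."""
    flagged = root / ("a" * 31 + "b") / "3.1.0_0"
    (flagged / "_locales" / "en").mkdir(parents=True)
    (flagged / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_extName__", "default_locale": "en", "version": "3.1.0"}))
    (flagged / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"extname": {"message": "VPNCity"}}))  # key case differs on purpose
    benign = root / ("c" * 32) / "1.0.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Harmless Notes", "version": "1.0.0"}))


def demo():
    """Scan the constructed profile in a temporary directory and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_profile(root)
        return scan_extensions(root)


if __name__ == "__main__":
    roots = default_extension_roots()
    # Real profiles if present on this host, otherwise the constructed sample.
    results = [hit for r in roots for hit in scan_extensions(r)] if roots else demo()
    for hit in results:
        print(f"FLAGGED {hit['id']} v{hit['version']} '{hit['name']}' at {hit['path']}")
```

Run it on each endpoint (or point scan_extensions at a copied profile directory) and paste the published extension IDs and versions into flagged_ids and a version check once you have them; matching on display name alone is a starting point, since a name can be changed by the publisher while the ID cannot.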

Tools released to abuse Windows Server LDAP bug cause crashes and reboots

Cybersecurity company SafeBreach has published a report dubbed “LDAPNightmare”, together with a proof-of-concept tool, for the Windows LDAP denial-of-service bug CVE-2024-49113 that Microsoft fixed in the December 2024 updates; against an unpatched domain controller the PoC crashes LSASS, forcing a reboot.

SafeBreach suggests the same technique may be developed further into the companion remote-code-execution bug (CVE-2024-49112, CVSS 9.8); if that bears out, it would be extremely problematic for anyone running Windows servers who cannot apply the December 2024 updates. Microsoft's interim mitigation is to ensure domain controllers are configured either not to access the internet or not to accept inbound RPC from untrusted networks. Note that the PoC works by making the target resolve and then connect out to an attacker host over CLDAP (UDP/389), so a domain controller initiating CLDAP traffic to a non-domain host is a useful detection signal.

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

Cybersecurity Vulnerabilities

Three critical flaws in Apache MINA, Apache HugeGraph, and Apache Traffic Control (up to CVSS 10.0)

Three separate Apache software packages have been assigned critical vulnerabilities: an unsafe deserialization bug in Apache MINA's ObjectSerializationDecoder (CVE-2024-52046, CVSS 10.0), an authentication bypass in Apache HugeGraph-Server (CVE-2024-43441) and a SQL injection in Apache Traffic Control's Traffic Ops (CVE-2024-45387, CVSS 9.9). If you use any of these you'll need to patch immediately; for MINA, upgrading alone is not enough, because the fixed decoder rejects every class until you explicitly allow-list the ones your application expects.

Oracle WebLogic vulnerabilities (CVSS 9.8)

US Cybersecurity agency CISA has issued warnings that an old WebLogic vulnerability (CVE-2020-2883, CVSS 9.8) is being actively exploited in the wild.

Additionally, Oracle WebLogic has a newer vulnerability (CVE-2024-21182, CVSS 7.5) for which PoC code is actively circulating. Both are reached over the T3 and IIOP protocols, so if you cannot patch promptly, restrict T3/IIOP access to trusted hosts (or disable those protocols where they are not needed).

Mitel NuPoint Unified Messaging vulnerability (CVSS 9.1)

US Cybersecurity agency CISA has issued warnings that CVE-2024-41713 (CVSS 9.1), a path-traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab, is being actively exploited in the wild; it allows an unauthenticated remote attacker to read files from the appliance.

Further reading - Mitel, The Register

New Ivanti Connect Secure zero-day vulnerability (CVSS 9.0)

Ivanti reports that some of its Connect Secure appliance customers have been exploited via CVE-2025-0282, a stack-based buffer overflow that allows unauthenticated remote code execution. The bug also affects Ivanti Policy Secure and Neurons for ZTA gateways, though exploitation has so far only been observed against Connect Secure. Ivanti advises running its Integrity Checker Tool (ICT) and, where it reports a compromise, performing a factory reset before upgrading to the fixed release.

Further reading - The Record, Bleeping Computer

SonicWall vulnerability in SSLVPN (CVSS 8.2)

SonicWall has released SonicOS patches addressing four vulnerabilities, the most notable being CVE-2024-53704 (CVSS 8.2).

That one is an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication. If you cannot patch immediately, limit SSLVPN access to trusted source addresses, or disable SSLVPN access from the Internet where it is not required.

Got news or something you’d like us to mention, feel free to get in contact - [email protected]