CyberSecurity.PH #027
$75M ransom paid to ransomware gang; 6M+ Vivamax subscriber records compromised; POGOs have been banned effective immediately; An awesome ISO 27001 toolkit; Secure Boot broken on millions of devices; New VMware ESXi vulnerability actively exploited
CyberSecurity.PH weekly - issue 027.
Welcome to issue #027 of CyberSecurity.PH
We have been wildly busy in the past two weeks running the “day-job” and we have a mountain of customers and tasks in front of us at the moment. If you’re interested in helping improve cybersecurity outcomes in the Philippines, we’d love to hear from you (contact at cybersecurity.ph)
CyberSecurity.PH has awesome free online resources available!
Cybersecurity learning materials, local education providers, curated lists of cybersecurity engineering tools, plenty of policy templates, key cybersecurity strategy papers and details on local conferences.
PS: we are looking forward to seeing people at RootCon this year!
Tell your friends and subscribe, we promise you will learn something new each week.
Philippines
Philippine Offshore Gaming Operators (POGOs) have been banned effective immediately
President Ferdinand Marcos Jr. announced in his third State of the Nation Address (SONA) last week that all POGO operations are now banned in the Philippines (also Tweet/Xeet here).
President Marcos stated at the SONA event “…the grave abuse and disrespect to our system of laws must stop.”
The announcement was met with resounding applause and a standing ovation for good reason as the POGO industry has been the source of much malfeasance, controversy and allegations of illegal activity.
Further reading: The Cyber Express, The Register, PCO.gov.ph
6M+ Vivamax Philippines subscriber records compromised
Unconventional news source Kukublan Philippines continues to provide up-to-date insights into stolen data being advertised on dark-net/dark-web forums that impact people in the Philippines.
The latest is a data-dump claimed to have been taken from VIVA Communications, Inc. regarding their Vivamax video streaming service.
6.8 million customer records in just 2GB of data, plus an additional 1GB of transaction data.
Perhaps the most concerning element of this data-leak is the parental lock PIN codes, because people tend to use the same PIN for all-the-things including banking - please tell your friends not to reuse passwords and PINs!
Further reading: Kukublan Philippines
Cybersecurity Threat Landscape
$75 Million USD ransom paid to Dark Angels threat gang
It has been reported that a Fortune 50 company has paid a record-breaking $75 million USD to the Dark Angels ransomware gang.
If you’re involved in cyber-defense this is shocking news: it means ransomware threat actors are powerfully emboldened to continue their activities, and the Dark Angels team are now very well funded to improve their threat operations.
The news on this has been thrust into the spotlight via a report from Zscaler ThreatLabz (see page 20) and backed up by crypto-currency monitoring company Chainalysis in a Tweet/Xeet here.
Further reading: Forbes, Bleeping Computer, SentinelOne
CrowdStrike event driving second-order threats and unwanted outcomes
The CrowdStrike event occurred a day after the last CyberSecurity.PH issue so we’ve not yet had the opportunity to write much about it.
On the back of the CrowdStrike event several second-order unwanted outcomes are showing up: (a) threat actors are posting malware files presented as a “fix” for impacted Windows hosts; (b) threat actors are pushing blog/forum instructions that misdirect people into malware/ransomware; (c) Microsoft is shaping the narrative about security vendors with kernel-mode access; (d) the previously stated number of impacted hosts (~8.5M) is only a “subset” of those actually impacted.
We’ll keep it brief on CrowdStrike, there is already so much out there on this thing.
Further reading: The Record, Tech Crunch, Microsoft
SMS info-stealer infects Android devices in 113 countries
Cybersecurity company Zimperium has posted an article that describes info-stealer malware targeting Android devices that is designed to steal SMS based one-time-passwords in real time.
The article provides excellent detail on how the info-stealer operates under the hood and follows-the-money to try and unmask the operators (always follow the payments chain!); 600 online services impacted; 107k malware samples discovered; victims in 113 countries; 2600 telegram bots and 13 command-and-control servers.
The short story here is - the awesome free apps your friends are installing from alternative app-stores are probably not so innocent - please don’t, they’ll get hurt.
Further reading: Bleeping Computer, Dark Reading, The Hacker News
Cybersecurity company KnowBe4 hired a fake IT worker from North Korea
KnowBe4, a cybersecurity company that provides security awareness training, has revealed it was targeted by a North Korean threat gang posing as a legitimate IT worker.
The threat actor received an Apple MacBook from the company, at which point they started installing malware, which was ultimately detected.
The incident underscores how challenging the threat-landscape is with threat actors taking the time to pass through rigorous interviewing and background checking processes such as those implemented by KnowBe4.
Further reading: Hack Read, Dark Reading, Bleeping Computer, Cyberscoop
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
ISO 27001 Toolkit - How to get started with the ISO 27001, advice and guidance for your own implementation (the HTML is not great, but the content is excellent) - iseoblue.com/27001-getting-started
Substrate - a powerful open-source framework using LLM technologies for reverse engineering human understanding and meaning - Substrate is another project from Daniel Miessler, and it provides a powerful tool to deal with mis-information, dis-information, fraud and narrative bending operations - github.com/human-substrate/Substrate
Data from deleted GitHub is not actually deleted
Cybersecurity company Truffle Security has released an article describing how deleted forks, deleted repositories and private repositories on GitHub remain accessible forever, and that GitHub intentionally designed it this way.
If that sounds concerning, then yes it is.
Among the more concerning threat-situations that come up is when a hapless GitHub user accidentally commits secrets to a repository, then decides “Hey that was a bad idea” and deletes that fork to prevent the secret ending up in public.
Short story - if you can determine the short hash of the commits in the fork you can retrieve what was in it forever, and because these are short-hash values the brute-force guessing space is greatly reduced.
Further reading: The Register, Hack Read
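Because deleting the fork removes nothing, the practical response is to assume the secret is exposed, find every commit in your own history that contains it, and rotate what it holds. The following Python script is an added example (not Truffle Security's tooling or code from the article); the credential patterns, the sample diff and the `scan_history` helper are constructed for illustration.

```python
import re
import subprocess

# Constructed patterns for a few common credential formats; a production scanner carries many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (pattern_name, matched_string) for every credential-shaped token in text."""
    return [(name, m.group(0))
            for name, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]

def scan_history(repo_path: str) -> list[tuple[str, str, str]]:
    """Scan the patch of every commit reachable from any ref; returns (short_hash, name, match).

    Dangling commits (unreachable after a branch delete or rebase) are not covered here;
    'git fsck --lost-found' lists them and they can be fed through the same function.
    """
    commits = subprocess.run(["git", "-C", repo_path, "rev-list", "--all"],
                             capture_output=True, text=True, check=True).stdout.split()
    findings = []
    for full_hash in commits:
        patch = subprocess.run(["git", "-C", repo_path, "show", "--format=", full_hash],
                               capture_output=True, text=True, errors="replace", check=True).stdout
        findings += [(full_hash[:7], name, match) for name, match in find_secrets(patch)]
    return findings

# Constructed sample diff; the AWS key is Amazon's documented placeholder, the PAT is made up.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+LOG_LEVEL=debug
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for short_hash, name, match in scan_history(sys.argv[1]):
            print(f"{short_hash} {name}: {match[:8]}...")  # never echo the full secret
    else:
        print(find_secrets(SAMPLE_DIFF))
```

Run it with a repository path to walk that repository's history, or with no arguments to see the constructed sample scanned.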
Cybersecurity Vulnerabilities
Secure Boot is broken on 800+ models from many device manufacturers
Cybersecurity research team Binarly has discovered that devices from many large equipment manufacturers are using a test Secure Boot "master key" (known as a Platform Key) that is tagged in capital letters with "DO NOT TRUST", yet the manufacturers used it anyway.
The vendors impacted include: Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro.
The untrusted Platform Key is now well known and thus available to threat actors to build persistent UEFI malware.
Further reading: ArsTechnica, Bleeping Computer, The Register, Dark Reading
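To check whether a Linux machine is carrying one of these test keys, the Platform Key can be read straight from efivarfs and each certificate in it searched for the "DO NOT TRUST" marker. This Python script is an added example, not Binarly's tooling; the efivarfs path and the EFI_SIGNATURE_LIST layout follow the UEFI specification, while the sample certificate bytes are constructed.

```python
import hashlib
import struct

# Linux efivarfs path of the Platform Key (EFI_GLOBAL_VARIABLE GUID); the file starts with a
# 4-byte attributes word, followed by one or more EFI_SIGNATURE_LIST structures.
PK_EFIVAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIGLIST_HDR = 28  # 16-byte SignatureType GUID + three UINT32 size fields
OWNER_GUID = 16   # each EFI_SIGNATURE_DATA entry starts with a SignatureOwner GUID

def parse_signature_lists(data: bytes):
    """Yield (SignatureType GUID, signature bytes) for every entry in the list chain."""
    off = 0
    while off + SIGLIST_HDR <= len(data):
        sig_type = data[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HDR or off + list_size > len(data) or sig_size <= OWNER_GUID:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + SIGLIST_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, data[pos + OWNER_GUID:pos + sig_size]  # skip the owner GUID
            pos += sig_size
        off = end

def check_pk(blob: bytes, has_attr_prefix: bool = True) -> list[dict]:
    """Report each certificate in the PK with its SHA-256 and whether it is a 'DO NOT TRUST' key."""
    data = blob[4:] if has_attr_prefix else blob
    return [
        {"sha256": hashlib.sha256(cert).hexdigest(),
         "test_key": b"DO NOT TRUST" in cert}  # the test PK carries this string in its subject
        for _type, cert in parse_signature_lists(data)
    ]

def build_sample_pk(cert: bytes) -> bytes:
    """Constructed sample: wrap a fake certificate blob in a single-entry signature list."""
    sig_size = OWNER_GUID + len(cert)
    header = b"\x00" * 16 + struct.pack("<III", SIGLIST_HDR + sig_size, 0, sig_size)
    return b"\x07\x00\x00\x00" + header + b"\x00" * OWNER_GUID + cert

# Constructed fake certificate bytes standing in for a DER-encoded X.509 Platform Key.
FAKE_TEST_CERT = b"\x30\x82\x01\x00" + b"CN=DO NOT TRUST - constructed test Platform Key"

if __name__ == "__main__":
    # Runs against the live PK when readable, otherwise against the constructed sample.
    try:
        blob = open(PK_EFIVAR, "rb").read()
    except OSError:
        blob = build_sample_pk(FAKE_TEST_CERT)
    print(check_pk(blob))
```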
CISA alerting that VMware ESXi vulnerability exploited in ransomware attacks
The recently patched CVE-2024-37085 bug in VMware ESXi is being actively exploited by threat actors to deploy ransomware, according to a CISA announcement yesterday.
CVE-2024-37085 allows threat actors to add a new user to the “ESX Admins” group, which is not present by default but can be added after gaining privileges on the ESXi hypervisor - a privilege escalation.
According to a Tweet/Xeet from ShadowServer there are 20k+ VMware instances out there at risk.
Further reading: Bleeping Computer, Security Affairs
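A defender-side check for this, as an added example that is not from the CISA advisory or any of the linked articles: the script flags Active Directory Security-log events that create, rename or populate a group called “ESX Admins”. The key=value line format, the `NewTargetUserName` field and the sample events are constructed assumptions; the event IDs are the real Windows ones.

```python
import re

# Windows Security log event IDs for global-group changes (real IDs; the universal-group
# equivalents 4754/4756/4755 would be handled the same way). The line format below is a
# constructed, simplified key=value rendering, not the EVTX schema.
GROUP_EVENTS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4737: "security-enabled global group changed (e.g. renamed)",
}
WATCHED_GROUP = "esx admins"  # compared lowercased so look-alike casings are caught too

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces and '='."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def detect(log_text: str) -> list[tuple[int, str, str, str]]:
    """Return (event_id, actor, group, reason) for every event that yields an 'ESX Admins' group."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        eid = int(f.get("EventID", 0))
        if eid not in GROUP_EVENTS:
            continue
        # NewTargetUserName is a constructed field carrying the post-rename name on 4737 events
        group = f.get("NewTargetUserName") or f.get("TargetUserName", "")
        if group.lower() == WATCHED_GROUP:
            alerts.append((eid, f.get("SubjectUserName", "?"), group, GROUP_EVENTS[eid]))
    return alerts

# Constructed sample log lines: a create, a member add, a rename, a benign create and a logon.
SAMPLE_EVENTS = """\
EventID=4727 SubjectUserName=jdoe TargetUserName="ESX Admins" TargetDomainName=CORP
EventID=4728 SubjectUserName=jdoe MemberName="CN=svc-backup,OU=Service,DC=corp,DC=local" TargetUserName="ESX Admins" TargetDomainName=CORP
EventID=4737 SubjectUserName=jdoe TargetUserName=Helpdesk NewTargetUserName="esx admins" TargetDomainName=CORP
EventID=4727 SubjectUserName=admin TargetUserName=Finance-Readers TargetDomainName=CORP
EventID=4624 SubjectUserName=jdoe TargetUserName="ESX Admins" LogonType=3
"""

if __name__ == "__main__":
    for eid, actor, group, reason in detect(SAMPLE_EVENTS):
        print(f"[{eid}] {actor}: {reason} -> {group!r}")
```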
Critical ServiceNow vulnerabilities targeted by threat-actors
Cybersecurity company Assetnote discovered in May several vulnerabilities that can be chained together to extract data. Companies use ServiceNow’s cloud-based software for everything from employee management to the automation of business processes.
The issues are referenced as CVE-2024-4879, CVE-2024-5178 and CVE-2024-5217.
A proof-of-exploit has now been posted, increasing the urgency of the issue.
Further reading: Dark Web Informer, The Record, Dark Reading
Cybersecurity Engineering Overload
NIST releases a tool for testing AI model risk
The US National Institute of Standards and Technology (NIST) has re-released a tool called Dioptra designed to measure how malicious attacks might degrade the performance of an AI system.
“Dioptra is a software test platform for assessing the trustworthy characteristics of artificial intelligence (AI). Trustworthy AI is: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair - with harmful bias managed. Dioptra supports the Measure function of the NIST AI Risk Management Framework by providing functionality to assess, analyze, and track identified AI risks.”
Further reading: Tech Crunch, NIST.gov
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]