CyberSecurity.PH #035
eGovPH hack not real; US and PH military information sharing; China abusing GSM to infiltrate telecom networks; Five Eyes provide top-15 exploits; Critical Windows Kerberos vulnerability; Apple releases urgent patches; Palo Alto authentication bypass; WordPress plugin exploit enables admin access
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/4a92f75c-85ea-473c-b216-5a9399ac167a/cybersecurityph-1200x630-beehiiv-banner.png?t=1702939984)
Welcome to CyberSecurity.PH issue #035,
CyberSecurity.PH is not just an awesome newsletter; we also maintain collections of -
- Engineering tools - tools and utilities to help conduct your cybersecurity tasks; we like open-source tools.
- Local education providers - an updated list of the known cybersecurity education providers across PH.
- Learning materials - plenty of cybersecurity learning material, no matter what level you are at.
- Plenty of policy templates - to help you get started with your own.
- Key cybersecurity strategy papers covering cybersecurity in PH.
Philippines
News of eGovPH “hack” not real according to DICT
Last week several outlets reported on a Breach Forums post made on November 8 by forum user “GR3GGM3RC3R”, who claims to have access to ~200k know-your-customer (KYC) records from the Philippine eGovPH system. News this week via the Philippine News Agency (the PH government news source) reports that the DICT sub-division, the Cybercrime Investigation and Coordinating Center (CICC), has investigated the eGovPH systems and finds no evidence that supports the claims made by GR3GGM3RC3R.
Image credit: kukublanph.data.blog
The post made by GR3GGM3RC3R is convincing in that it describes a plausible-sounding exploit mechanism related to SSH, where the post details “…luck of patch and monitor…” [sic] make it sound like an exploit using the regreSSHion issue that was uncovered earlier this year.
The forum post contains spelling errors and English grammar mistakes that are common among non-native English speakers; however, the subtleties of the language errors do not quite align with Tagalog/Bisaya speakers, and the GR3GGM3RC3R forum user account is brand new on Breach Forums.
There is a lot at stake, since undermining confidence in the eGovPH system weakens the PH government’s ability to operate efficiently, which is negative for the PH economy at large - unfortunately these are exactly the outcomes that adversaries may welcome.
There appear to be some heated online exchanges regarding this matter, which are the kind of signal that threat actors seek when trying to create an environment of suspicion, distrust and argument. Regardless of whether there is a real data breach or not, both outcomes tend to erode confidence in eGovPH - don’t let it; the Philippines deserves an awesome and efficient economy.
Further reading - pna.gov.ph, kukublanph, tribune.net.ph
United States and Philippines sign deal on sharing military information
United States and Philippine defense chiefs have signed an agreement (Nov 18, 2024) to share classified military information and technology in a bid to counter Chinese influence in the region.
US Defense Secretary Lloyd Austin signed the deal with his Philippine counterpart Gilberto Teodoro at the start of a visit to Manila that also included a closed-door meeting with President Ferdinand Marcos.
Further reading - The Defense Post, PhilStar, Aljazeera
Cybersecurity Threat Landscape
China based threat actors leverage SIGTRAN, GSM protocols to infiltrate telecom networks
Cybersecurity company Crowdstrike has released a report detailing China attributed threat group “Liminal Panda” that has targeted global telecommunications entities using custom tools that enable covert access, command and control (C2) and data exfiltration.
“The adversary demonstrates extensive knowledge of telecommunications networks, including understanding interconnections between providers. LIMINAL PANDA has used compromised telecom servers to initiate intrusions into further providers in other geographic regions.
The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata and text messages (SMS).” - Crowdstrike
The reporting of this threat actor overlaps with other China-attributed threat activity affecting telecommunications companies by a threat group known as “Salt Typhoon”, which underscores the aggressiveness with which the PRC is acting.
Further reading - Crowdstrike, The Hacker News
United States CISA and FBI announce PRC-backed threat-groups have compromised multiple US telecom networks
The United States FBI and CISA have made a short public press-release stating that recent investigations have revealed a broad and significant cyber espionage campaign from PRC-backed threat-actors.
“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.” - CISA
US based telecommunications companies T-Mobile, AT&T and Verizon have all recently indicated they have been hacked by the PRC-backed “Salt Typhoon” threat group.
Further reading - Dark Reading, Wall Street Journal, Hack Read, CISA.gov, Bleeping Computer
Five Eyes cybersecurity agencies reveal top-15 exploited vulnerabilities in 2023
Five Eyes cybersecurity agencies have released a list of the top 15 routinely exploited vulnerabilities in 2023, most of which are noted to have been exploited as zero-days.
The joint advisory notes that threat actors continue to have success exploiting vulnerabilities within two years of their public disclosure, and calls for organizations to patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential threats.
Further reading - Cyber.gov.au, Bleeping Computer
Residential proxy botnet “Nsocks” disrupted
Cybersecurity outfit “Black Lotus Labs” at Lumen Technologies has released an article that describes their disruption of the Nsocks residential proxy botnet.
The Nsocks service publicly claims to provide as many as 35k endpoints.
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/0ee3e37a-c384-48b8-adf4-cd8d9e7946c1/image.png?t=1732156511)
Further reading - Lumen.com, Bleeping Computer
Facebook Malvertising campaign spreading malware via fake Bitwarden software
Cybersecurity researchers at Bitdefender have discovered and reported a malicious advertising campaign delivered via Meta’s advertising platform to distribute malware on Facebook.
The campaign that was detected on November 3, 2024, disguises the malware as a security update for the popular Bitwarden password manager.
Further reading - Bitdefender, Hack Read, Bleeping Computer
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful, or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
APT CyberCriminal Campaign Collections - an awesome and up-to-date collection of APT reports and assessments - CyberMonitor/APT_CyberCriminal_Campagin_Collections
APT Report - another excellent collection of APT reports that describe tools, techniques and procedures per group - github.com/blackorbird/APT_REPORT
Github Search - A collection of tools that implement various “dork” style searches on GitHub that can be helpful for red-teamers - github.com/gwen001/github-search
Cybersecurity Vulnerabilities
Critical Windows Kerberos vulnerability exposes millions of servers to attack (CVSS 9.8)
Cybersecurity company Censys has posted their review of a patch in Microsoft’s most recent patch-Tuesday regarding CVE-2024-43639.
The vulnerability only affects Windows Servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server - domain controllers are not affected.
The vulnerability allows attackers to send specially crafted requests to vulnerable systems to gain unauthorized access and remote code execution (RCE).
Apple Releases urgent patches for actively exploited zero-day vulnerabilities
Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have been reported as being actively exploited in the wild - CVE-2024-44309
Further reading - Apple #1, Apple #2, The Hacker News
WordPress “Really Simple Security” plugin affects over 4M sites, enables full admin access (CVSS 9.8)
Security researchers are calling this vulnerability “…the most serious vulnerabilities they have discovered in their 12-year activity…”
The vulnerability affects a plugin called “Really Simple Security”, which is installed on 4M+ websites, and allows a threat actor to remotely gain full administrative access to a site running the plugin.
Further reading - Security Affairs, Dark Reading
Palo Alto Authentication bypass in management web interface (CVSS 9.3)
United States cybersecurity agency CISA is urging users of Palo Alto Networks Expedition tool to patch immediately due to CVE-2024-5910 that is rapidly being exploited.
The vulnerability is an authentication bypass that enables an unauthenticated threat actor with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities.
Further reading - Palo Alto, The Record, Bleeping Computer, Hack Read
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]