CyberSecurity.PH #026

Malvertising impacting Philippines Facebook Pages; Justice Department indicts Coins.ph consultants; Five Eyes warnings on China APT40 group; Huione Guarantee named as cybercrime marketplace; Singapore banks to remove OTP in 90 days; 10 billion leaked passwords released

CyberSecurity.PH weekly - issue 026.

Welcome to weekly issue #026 of CyberSecurity.PH

We have awesome free online resources too! Cybersecurity learning materials, local education providers, curated lists of cybersecurity tools, plenty of policy templates to get you started, information on local conferences, relevant cybersecurity strategy papers and information on local cyber crime reporting.

Tell your friends and subscribe, we promise you will learn something new each week.

Philippines

Facebook malvertising campaigns through stolen Philippines Facebook Pages

Cybersecurity company Trustwave has released a report that details malvertising (advertising that points to malware) campaigns that are currently occurring through stolen Facebook pages and pushing “SYS01” malware.

Threat actors have been observed compromising Facebook user accounts with administrator controls on Facebook Pages that have large follower bases, then renaming those pages to appear as a page that promotes a “Desktop Theme” with download-installers that are ultimately info-stealer malware.

Trustwave notes that each observed instance of this activity involves Facebook Pages administered by individuals located in the Philippines or Vietnam, indicating the threat-actor has an interest in victims in the region.

The Trustwave report is technically detailed and unpacks how the campaigns are being run, how the SYS01 malware is being leveraged, and provides indicators of compromise for defenders.

Further reading: Trustwave, Bleeping Computer

Philippine Justice Department indicts former Coins.ph consultants in P340 Million theft

The Philippine Justice Department has issued indictments against two Russian nationals who were formerly hired as consultants at the well-known crypto-exchange Coins.ph.

The security response team at Coins.ph previously reported that “…malicious actor must have had a comprehensive grasp of its network infrastructure, secure access key protocols and server systems, based on the recorded suspicious system logins…”

The Russians are understood to have moved the stolen XRP tokens through multiple crypto-exchanges in an attempt to obfuscate the source of the funds.

Further reading: Gulf News, PhilStar, Bitcoinist, Kukublan

PhilHealth failed to notify 42M victims of 2023 data-breach

PhilHealth testified at the Appropriations Committee in the House of Representatives early last week regarding their handling of the September 2023 data breach.

The issue now is that PhilHealth failed to notify all data-breach victims despite a requirement to do so within 72 hours; PhilHealth continues to fumble in getting notifications delivered.

This confused situation highlights the gap between the individual accountability and leadership consequences that protective custodianship of large personal-information datasets should require and what actually happens; unfortunately this is likely to continue until the value of personal information is understood in the same way as the value of money and transaction data.

The National Privacy Commission (NPC) stepped in to assist by establishing an online search portal in April allowing potential victims to self-determine if they are impacted.

Further reading: The Record

Cybersecurity Threat Landscape

Five Eyes agencies warn of China state-sponsored APT40 threat actors

The Australian Signals Directorate has produced a report detailing the observed threat activities of a China state-sponsored group that has been variously referred to as APT40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk.

Reports indicate the threat-group is based in Haikou, Hainan Province and receives tasks directly from the PRC Ministry of State Security.

Observations of APT40 indicate the group has the ability to quickly transform and adapt vulnerability proofs of concept (PoCs) for targeting, reconnaissance, and exploitation operations.

Huione Guarantee named as multi-billion dollar cybercrime marketplace

Crypto integrity and investigations company Elliptic has produced a report that names Huione Guarantee as an online marketplace for the trade of cybercrime goods and services.

The Elliptic report states their investigations have traced $11Bn USD worth of transactions through the marketplace since 2021, and that it has become a common haunt for “pig butchering” scam operators that have become common in the South East Asia region.

The Huione Guarantee marketplace is a predominantly Chinese language site owned and operated by the Cambodian conglomerate Huione Group.

Subsequent to the reporting by Elliptic, online crypto exchange Tether has frozen $29M USD in funds and transactions related to the marketplace.

Banks in Singapore to remove one-time passwords in 90 days

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced on July 9 that online banking apps have 90 days to replace all one-time-password authentication schemes.

The swift action is a response to phishing attacks that easily trick users into giving up their one-time-passwords and authentication cookies to threat actors.

The threats in this regard have been amplified recently by dead-simple toolkits (e.g. FishXProxy), available for open download, that enable unskilled actors to engage in credential theft and authentication token theft.

If your organization produces apps that use OTPs for user authentication, it needs to pay attention and seek cybersecurity engineering assistance.


RockYou2024: a collection of 10 billion leaked passwords released

Cybersecurity researchers at Cybernews have reported their discovery of what appears to be the largest compilation of compromised passwords ever known with 9,948,575,739 unique plaintext passwords.

The data file rockyou2024.txt was posted on a cyber-threat forum on July 4th by a user using the moniker “ObamaCare”.

The file appears to be an expansion of the 2021 RockYou password release that contained 8.4 billion passwords.

The takeaway for readers is that if you use a human-derived password there is a good chance it has already been compromised, and it is only a matter of time before it is abused in a credential stuffing attack.

Use a password manager and use long, randomly generated passwords.
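The two defensive measures above can be built into an application's own sign-up and password-change flow. The following is an added example written for this issue, not code from Cybernews or from the newsletter, and it makes two assumptions: the breach corpus is a plain text file with one plaintext password per line (a constructed six-line sample stands in for a file such as rockyou2024.txt), and lookups follow the k-anonymity convention used by the Have I Been Pwned "Pwned Passwords" range API, where the client reveals only the first five hex characters of the SHA-1 hash and compares the remaining suffix locally. It also generates replacement passwords with Python's `secrets` module, the way a password manager would.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample standing in for a leak file such as rockyou2024.txt
# (assumption: one plaintext password per line, UTF-8).
SAMPLE_LEAK_TEXT = """password
123456
qwerty123
Summer2024!
iloveyou
letmein
"""

# Pwned Passwords range-query convention: the client sends only the first
# five hex characters of the SHA-1 digest, never the full hash.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest of a password (HIBP convention)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_digest(digest: str) -> tuple[str, str]:
    """Split a digest into the shared prefix and the locally compared suffix."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def build_breach_index(leak_text: str) -> dict[str, set[str]]:
    """Index a leak file as prefix -> set of hash suffixes.

    Only hashes are retained, so the index can be deployed beside an
    application without redistributing the plaintext corpus itself.
    """
    index: dict[str, set[str]] = defaultdict(set)
    for line in leak_text.splitlines():
        pw = line.rstrip("\r\n")
        if not pw:
            continue
        prefix, suffix = split_digest(sha1_hex(pw))
        index[prefix].add(suffix)
    return dict(index)


def range_query(index: dict[str, set[str]], prefix: str) -> set[str]:
    """Server side of the k-anonymity lookup: return every suffix for a prefix.

    The server learns only that some password hashes to this 5-char prefix,
    which thousands of unrelated passwords share.
    """
    return set(index.get(prefix, set()))


def is_breached(password: str, index: dict[str, set[str]]) -> bool:
    """Client side: query by prefix, compare the suffix locally."""
    prefix, suffix = split_digest(sha1_hex(password))
    return suffix in range_query(index, prefix)


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a random password with the CSPRNG-backed secrets module."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_policy_check(password: str, index: dict[str, set[str]],
                          min_length: int = 12) -> list[str]:
    """Return the reasons a candidate password should be rejected (empty = OK)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        reasons.append("appears in breach corpus")
    return reasons


# Module-level index built from the constructed sample so the functions can be
# exercised directly.
BREACH_INDEX = build_breach_index(SAMPLE_LEAK_TEXT)


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "correct horse battery staple"):
        print(f"{candidate!r}: {password_policy_check(candidate, BREACH_INDEX) or 'OK'}")
    fresh = generate_password(24)
    print(f"generated: {fresh!r} -> {password_policy_check(fresh, BREACH_INDEX) or 'OK'}")
```

In production the `range_query` side would be a call to the real Pwned Passwords API (or a locally hosted copy of its hash set) rather than an in-memory dictionary, and the check should run at sign-up, at password change, and as a periodic sweep of existing accounts, since a password that was clean last year may be in this year's compilation.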

Further reading: Cyber News

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful, or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

  • korniko98/pivot-atlas - awesome pivoting handbook for cyber threat analysts, that contains reference material for how to make use of threat activity observables, such as IP addresses and file hashes - https://github.com/korniko98/pivot-atlas

  • ASD-Blueprint-for-Secure-Cloud - Australian Signals Directorate's Blueprint for Secure Cloud to support the design, configuration and deployment of secure and hybrid workspaces - focuses on Microsoft 365 - https://github.com/ASD-Blueprint/ASD-Blueprint-for-Secure-Cloud

  • Admyral-Security/admyral - an open-source Cybersecurity Automation and Investigation Assistant - provides case management and workflow automation, currently beta, commercial paid versions coming - https://github.com/Admyral-Security/admyral

  • hoophq/hoop - an access gateway for databases and servers so you can keep control of what your technical and engineering staff do with your databases - enables features that databases do not usually have, such as SSO auth, session recording and just-in-time access grants - https://github.com/hoophq/hoop

Cybersecurity Vulnerabilities

GitLab vulnerability (CVSS 9.6) allows attackers to run pipelines as other users

GitLab has released an update to address CVE-2024-6385, which has a CVSS base score of 9.6 - the issue is stated to enable threat actors to trigger a new pipeline as an arbitrary user.

The issue affects all GitLab versions from 15.8 to 16.11.6, 17.0 to 17.0.4, and 17.1 to 17.1.2. GitLab has advised all system admins to upgrade their installations immediately.

Further reading: Bleeping Computer, Dark Reading

Exim vulnerability allows threat actors to deliver malicious payloads on 1.5 million mail servers

Exim versions up to 4.97.1 have an issue that can bypass the $mime_filename extension-blocking protection mechanism that in turn enables threat actors to deliver malicious payloads to the mailboxes of end users.

Critical WordPress Profile Builder plugin vulnerability (CVSS 9.8)

The WordPress plugin Profile Builder, with 50k installations, has been discovered to have a critical vulnerability that enables threat actors to easily take administrative control of the WordPress site.

The issue, tracked as CVE-2024-6695, has been assigned a CVSSv3.1 score of 9.8.

WordPress site administrators using the Profile Builder plugin are strongly advised to update to version 3.11.9 immediately.

Further reading: Cybersecurity News

Got news or something you’d like us to mention, feel free to get in contact - [email protected]