CyberSecurity.PH #033

MFA push bombing; Interpol operation rescues 400 Filipinos; Fake Wordpress plugins are infostealer malware; ATM FASTCash malware from DPRK; Vulnhuntr LLM powered SAST; SecObserve CICD management; Disposable email domains; VMware, Grafana, WebLogic, Kubernetes vulnerabilities

Welcome to CyberSecurity.PH issue #033,

CyberSecurity.PH is not just an awesome newsletter, we also have (free)

  • Engineering tools - and utilities to help conduct your cybersecurity tasks, we like open-source tools.

  • Key cybersecurity strategy papers covering cybersecurity in PH.

  • Learning materials - plenty of cybersecurity learning material, whatever level you are at.

  • Plenty of policy templates - to help you get started with your own.

  • Local education providers - an updated list of the known cybersecurity education providers across PH.

You can help improve cybersecurity outcomes in the Philippines by telling your friends about CyberSecurity.PH or just subscribe them. We promise you will learn up-to-date valuable cybersecurity insights each week.

Philippines

Interpol SOGA X operation rescued 400 Filipino human trafficking victims from illegal gambling center

Interpol have released information on their SOGA X operation to bring action against illegal football gambling operations in 28 countries during the UEFA 2024 European Football Championship earlier this year - the action saw the arrest of ~5100 individuals globally.

One of the more significant SOGA X raids occurred in the Philippines and resulted in the rescue of 650+ human trafficking victims, including ~400 Filipinos and ~250 foreign nationals from 6 different countries.

Interpol providing forensic evidence assistance in the Philippines - source: Interpol.int

Many of the Philippine scam-center victims had been lured to the location with false promises of employment and were kept working through threats, intimidation and passport confiscation. Victims were forced to operate the legal gambling site while also running illegal cyber scams, including romance scams and cryptocurrency-related fraud.

Further reading: Interpol, Cybernews, The Record

Cybersecurity Threat Landscape

Five-eyes cybersecurity agencies warning on Iranian MFA push bombing activities

Five Eyes cybersecurity agencies from the USA, Canada and Australia have issued a joint advisory detailing ongoing brute-force activity by Iranian threat actors against critical infrastructure organizations, including healthcare, government, information technology, engineering and energy operators.

The activity uses well-known brute-force methods such as password spraying against Microsoft 365, Azure and Citrix endpoints; to get past MFA, the threat actors have been observed using push bombing to obtain a fully authenticated session.

Push bombing (also called MFA fatigue) bombards a user with mobile push notifications until they approve one, either to make the notifications stop or by mis-tapping in the mobile app; a single approval hands the attacker a valid session.

Users with high-value accounts need to understand this risk and should deny, not approve, prompts they did not initiate, so they do not accidentally open up their organization to these threat actors.

The advisory provides downloadable indicators of compromise in STIX 2.1 format to help defenders determine if they are impacted; the bundle contains 26 attack patterns and 71 indicators, mostly IPv4 addresses.
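The push-bombing signature is easy to hunt for in sign-in telemetry: a burst of MFA prompts the user denied or let time out, followed by an approval from the same user a few minutes later. The script below is an added example, not part of the advisory or any vendor product; the event schema (ts, user, src_ip, mfa_result) is a simplified stand-in for an identity provider's sign-in log, and the sample events are constructed. Map your own log's fields onto it before use.

```python
"""Detect MFA push-bombing patterns in sign-in events.

Added example, not part of the advisory. The event schema below is a
simplified stand-in for an identity provider's sign-in log; the field names
and the sample events are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. "mfa_result" is one of approved / denied / timeout.
SAMPLE_EVENTS = [
    {"ts": "2024-10-14T03:01:05Z", "user": "cfo@example.org", "src_ip": "203.0.113.7", "mfa_result": "timeout"},
    {"ts": "2024-10-14T03:01:40Z", "user": "cfo@example.org", "src_ip": "203.0.113.7", "mfa_result": "denied"},
    {"ts": "2024-10-14T03:02:20Z", "user": "cfo@example.org", "src_ip": "203.0.113.7", "mfa_result": "timeout"},
    {"ts": "2024-10-14T03:03:02Z", "user": "cfo@example.org", "src_ip": "203.0.113.7", "mfa_result": "denied"},
    {"ts": "2024-10-14T03:03:45Z", "user": "cfo@example.org", "src_ip": "203.0.113.7", "mfa_result": "approved"},
    # Benign: one mis-tap during the working day, then the real approval.
    {"ts": "2024-10-14T09:15:00Z", "user": "dev@example.org", "src_ip": "198.51.100.4", "mfa_result": "denied"},
    {"ts": "2024-10-14T09:15:30Z", "user": "dev@example.org", "src_ip": "198.51.100.4", "mfa_result": "approved"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=timedelta(minutes=10), min_failures=3):
    """Return one alert per approval that was preceded, within `window`, by at
    least `min_failures` prompts the user denied or let time out.

    A burst of unanswered prompts ending in an approval is the push-bombing
    signature; a single mis-tap (one deny, then approve) stays below threshold.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        pending = []  # denied / timed-out prompts still inside the window
        for event in user_events:
            now = parse_ts(event["ts"])
            pending = [p for p in pending if now - parse_ts(p["ts"]) <= window]
            if event["mfa_result"] in ("denied", "timeout"):
                pending.append(event)
            elif event["mfa_result"] == "approved":
                if len(pending) >= min_failures:
                    alerts.append({
                        "user": user,
                        "approved_at": event["ts"],
                        "first_prompt_at": pending[0]["ts"],
                        "prior_failures": len(pending),
                        "source_ips": sorted({p["src_ip"] for p in pending} | {event["src_ip"]}),
                    })
                pending = []  # an approval ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

Tune `window` and `min_failures` to your own baseline; the approval after the burst is what matters, so a burst of denials with no approval is worth a lower-severity alert of its own (the user is being targeted but held), which is a one-line addition to the loop.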

Further reading: cisa.gov, Hack Read

Microsoft catching phishers using fake Azure tenants with real looking customer data

Ross Bevington, a principal security engineer at Microsoft, has publicly described Microsoft's deception operations for catching threat actors and generating internal threat intelligence signals. Bevington delivered the talk at a BSides event hosted at Exeter University back in July; the story is now gaining media attention.

From the reporting -

Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.

With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.

There is a YouTube recording of Bevington’s talk that is worth the watch too.

Further reading: Microsoft, Bleeping Computer

Fake Wordpress plugins behind ClickFix information-stealer malware campaign

Security researchers at GoDaddy report that threat actors who have already gained access to Wordpress sites are installing fake plugins that make those sites serve ClickFix lures, which lead visitors into installing information-stealer malware.

From the GoDaddy report

  • indications that over 6,000 Wordpress sites have been impacted by this campaign.

  • indicators of compromise are provided to help defenders determine if they are impacted

  • a technical analysis of the Wordpress fake plugin is provided

  • names of the fake plugins such as “LiteSpeed Cache Classic”, “MonsterInsights Classic” and “Wordfence Security Classic” are highlighted.

Cybersecurity vendor Sucuri is also reporting on the same issue without the ClickFix name.

VirusTotal scan results for the malware dropped by the ClickFix campaign show 39 anti-malware engines flagging it as malicious.
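Because the fake plugins carry the names of legitimate ones with a "Classic" suffix, a quick first pass over a site is to read every plugin's header block and compare the declared name with the names GoDaddy reported. The script below is an added example, not GoDaddy's or Sucuri's tooling: the header parsing follows the Wordpress plugin header format ("Plugin Name:" inside the main PHP file's leading comment), the three names come from the report as quoted above, and treating any other " Classic" suffix as worth a manual look is this example's own heuristic. The sample sources are constructed. A hit on the name is not the full check; compare the flagged directory against the plugin's official release and review the site's users and access logs as the report's indicators suggest.

```python
"""Flag Wordpress plugins whose declared name matches the fake-plugin names
from the GoDaddy report.

Added example. Names in FAKE_PLUGIN_NAMES are those quoted in the newsletter;
the " Classic" suffix heuristic is an assumption of this example.
"""
import os
import re

FAKE_PLUGIN_NAMES = {
    "LiteSpeed Cache Classic",
    "MonsterInsights Classic",
    "Wordfence Security Classic",
}

# Matches the "Plugin Name:" header line whatever comment prefix it carries
# (" * ", "/*", "#", ...). Wordpress reads headers from the file's first 8 KB.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
HEADER_BYTES = 8192


def plugin_name(php_source):
    """Return the declared plugin name, or None if the file has no header."""
    match = HEADER_RE.search(php_source)
    return match.group(1) if match else None


def scan_plugin_sources(sources):
    """sources: {relative_path: php_source}. Returns (path, name, reason) tuples."""
    findings = []
    for path, source in sorted(sources.items()):
        name = plugin_name(source)
        if not name:
            continue
        if name in FAKE_PLUGIN_NAMES:
            findings.append((path, name, "known fake plugin name"))
        elif name.endswith(" Classic"):
            findings.append((path, name, "unusual ' Classic' suffix, review manually"))
    return findings


def scan_plugin_dir(plugins_dir):
    """Walk wp-content/plugins and scan the header of every PHP file."""
    sources = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for filename in files:
            if not filename.endswith(".php"):
                continue
            full = os.path.join(root, filename)
            with open(full, encoding="utf-8", errors="replace") as handle:
                sources[os.path.relpath(full, plugins_dir)] = handle.read(HEADER_BYTES)
    return scan_plugin_sources(sources)


# Constructed sample plugin files: one genuine, one impostor, one unrelated,
# one with only the suspicious suffix.
SAMPLE_SOURCES = {
    "litespeed-cache/litespeed-cache.php": "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n * Version: 6.5\n */\n",
    "litespeed-cache-classic/plugin.php": "<?php\n/*\nPlugin Name: LiteSpeed Cache Classic\n*/\n",
    "akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet Anti-spam: Spam Protection\n */\n",
    "foo-classic/foo.php": "<?php\n/*\nPlugin Name: Foo Classic\n*/\n",
}


if __name__ == "__main__":
    import sys
    results = scan_plugin_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_plugin_sources(SAMPLE_SOURCES)
    for path, name, reason in results:
        print(f"{path}: '{name}' ({reason})")
```

Run it as `python3 scan_plugins.py /var/www/html/wp-content/plugins`; with no argument it scans the constructed samples. Note that the genuine "LiteSpeed Cache" header is not flagged: the check is on the impostor's declared name, not on the legitimate product it imitates.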

North Korean threat actors using FASTCash malware for ATM cashouts

Yes really - the DPRK has a man-in-the-middle tool that sits between ATMs and the issuing bank and turns declined withdrawals into approvals, even when the account has insufficient funds.

DPRK threat actors tracked as HIDDEN COBRA have been reported using FASTCash since 2018; the earlier, well-documented variants targeted payment-switch hosts running IBM AIX and, later, Windows.

Security researcher Haxrob has published a report detailing a new Linux variant of the malware. Payment switches and related back-end systems commonly run Linux, so the variant lets the malware sit on the hosts that are in the path of ATM transaction flows, closer to the network positions where it can intercept them.

From the Haxrob/doubleagent article -

The Linux variant has slightly reduced functionality compared to its Windows predecessor, although it still retains key functionality: intercepting declined (magnetic swipe) transaction messages for a predefined list of card holder account numbers and then authorizing the transaction with a random amount of funds in the currency of Turkish Lira.
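To make the quoted behaviour concrete at the message level, the block below models it over a cut-down ISO 8583 format (the authorization message format used between ATM hosts, switches and issuers) and pairs it with the reconciliation check a defender would run. This is an added example, not the malware's code and not Haxrob's tooling: the codec supports only four fields and a primary bitmap, real deployments differ in encoding and field set, the rewrite rule is modelled on the description above, and the PAN list, amounts and messages are constructed. Response code "51" (insufficient funds) and currency 949 (TRY) are standard ISO 8583 / ISO 4217 values.

```python
"""Model of the FASTCash behaviour described above over a cut-down ISO 8583
message format, with the reconciliation check a defender would run.

Added example. The codec supports only four fields and a primary bitmap; the
rewrite rule is modelled on the quoted description, not on the malware's
code; PAN list, amounts and messages are constructed.
"""
import random

# field number: (kind, length). llvar = 2-digit length prefix then data.
FIELD_SPECS = {
    2:  ("llvar", 19),   # primary account number (PAN)
    4:  ("fixed", 12),   # amount in minor units, zero padded
    39: ("fixed", 2),    # response code: "00" approved, "51" insufficient funds
    49: ("fixed", 3),    # currency code (ISO 4217 numeric), 949 = TRY
}


def encode(mti, fields):
    """MTI (4 chars) + 16-hex-char primary bitmap + fields in ascending order."""
    bitmap = 0
    for num in fields:
        if num not in FIELD_SPECS:
            raise ValueError(f"unsupported field {num}")
        bitmap |= 1 << (64 - num)          # field 1 is the most significant bit
    parts = [mti, f"{bitmap:016X}"]
    for num in sorted(fields):
        kind, length = FIELD_SPECS[num]
        value = str(fields[num])
        if kind == "llvar":
            if not 1 <= len(value) <= length:
                raise ValueError(f"field {num} length {len(value)} out of range")
            parts.append(f"{len(value):02d}{value}")
        else:
            if len(value) != length:
                raise ValueError(f"field {num} must be {length} chars")
            parts.append(value)
    return "".join(parts)


def decode(message):
    """Inverse of encode(); raises KeyError on a field this codec cannot parse."""
    mti, bitmap = message[:4], int(message[4:20], 16)
    pos, fields = 20, {}
    for num in range(1, 65):
        if not bitmap & (1 << (64 - num)):
            continue
        kind, length = FIELD_SPECS[num]
        if kind == "llvar":
            size = int(message[pos:pos + 2])
            pos += 2
            fields[num] = message[pos:pos + size]
            pos += size
        else:
            fields[num] = message[pos:pos + length]
            pos += length
    return mti, fields


# Constructed stand-in for the attacker's predefined list of card numbers.
TARGET_PANS = {"4111111111111111"}


def fastcash_style_rewrite(response, seed=None):
    """Attacker side, as described: a declined 0210 response for a listed PAN
    becomes an approval for a random whole-lira amount in TRY (949).
    Anything else passes through untouched."""
    mti, fields = decode(response)
    if mti != "0210" or fields.get(39) == "00" or fields.get(2) not in TARGET_PANS:
        return response
    rng = random.Random(seed)
    fields[39] = "00"
    fields[4] = f"{rng.randint(1, 999) * 100:012d}"  # whole lira, in kurus
    fields[49] = "949"
    return encode(mti, fields)


def reconcile(issuer_response, received_response):
    """Defender side: compare what the issuer logged sending with what the ATM
    host received. Any difference in amount, response code or currency means
    something on the path rewrote the message."""
    _, sent = decode(issuer_response)
    _, received = decode(received_response)
    return {num: (sent.get(num), received.get(num))
            for num in (4, 39, 49) if sent.get(num) != received.get(num)}


if __name__ == "__main__":
    declined = encode("0210", {2: "4111111111111111", 4: "000000050000", 39: "51", 49: "608"})
    tampered = fastcash_style_rewrite(declined, seed=7)
    print("issuer sent  :", declined)
    print("ATM received :", tampered)
    print("rewritten    :", reconcile(declined, tampered))
```

The defensive point is the last function: an issuer-side decline that the ATM host recorded as an approval, with an amount and currency the issuer never set, is exactly what this family leaves behind, and it is only visible if the issuer's authorization log and the switch or ATM host log are compared rather than trusted individually.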

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or is just plain interesting; check out our engineering-section online at CyberSecurity.PH too!

  • protectai/vulnhuntr - A tool to identify remotely exploitable vulnerabilities using LLMs and static code analysis in Python code - github.com/protectai/vulnhuntr

  • MaibornWolff/SecObserve - an open source vulnerability management system for software development and cloud environments supporting a variety of open source vulnerability scanners - github.com/MaibornWolff/SecObserve

  • disposable-email-domains - An up-to-date list of disposable and temporary email address domains - github.com/disposable-email-domains

Cybersecurity Vulnerabilities

Cybersecurity agencies warning on actively exploited Fortinet vulnerability (CVSS 9.8)

Various cybersecurity agencies have begun reporting today that FortiManager from security vendor Fortinet is under active exploit due to CVE-2024-47575 - the vulnerability carries a CVSS of 9.8.

The issue is caused by missing authentication of certain critical functionality that may allow a remote unauthenticated threat-actor to execute arbitrary code or commands on FortiManager products.

A Shodan lookup suggests there are ~60,000 internet-exposed endpoints in scope for this issue; Shodan shows approximately 225 FortiManager endpoints in the Philippines.

VMware releases new vCenter Server patch to fix critical RCE vulnerability (CVSS 9.8)

VMware has re-released updates to fix a remote code execution vulnerability in vCenter Server, after the first vCenter patch for this issue turned out to be incomplete.

The vulnerability, tracked as CVE-2024-38812 is a heap-overflow vulnerability in the implementation of their DCE/RPC protocol.

Grafana critical vulnerability with remote code execution (CVSS 9.9)

Grafana has issued patches for Grafana 11.0.x, 11.1.x and 11.2.x that fix CVE-2024-9264.

The issue is a critical vulnerability that enables command injection and local file inclusion (LFI) via SQL expressions; if you cannot patch immediately, check whether the SQL expressions feature is enabled on your instances at all, since the issue is only reachable through it.

Further reading: Grafana, SCWorld

Oracle WebLogic Server Vulnerability (CVSS 9.8)

Oracle WebLogic has an easily exploitable vulnerability that allows an unauthenticated attacker with network access to compromise Oracle WebLogic Server.

Successful attacks result in full takeover of the Oracle WebLogic server.

Further reading: Oracle, Tenable

Default credential in Kubernetes Image Builder for Proxmox allows SSH root access (CVSS 9.8)

Kubernetes Image Builder uses default credentials during the image build process; in the case of Proxmox images these credentials are not disabled in the resulting image.

Kubernetes nodes that use the resulting images may therefore be accessible over SSH using these default root credentials; rebuild affected images with a fixed Image Builder rather than patching nodes in place.
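If you already have node images built from an affected Image Builder, the question is whether any account in the image still carries a usable password and whether sshd will accept it. The script below is an added example, not from the Kubernetes Image Builder project or its advisory: a POSIX sh audit of an extracted or mounted image root filesystem. It assumes a standard Linux layout (/etc/shadow, /etc/ssh/sshd_config, with optional sshd_config.d drop-ins included at the top of the main file as on Debian-derived images) and that you run it as root against the image root, not the live host. It complements, rather than replaces, rebuilding the images.

```shell
#!/bin/sh
# audit_rootfs DIR : inspect an extracted/mounted image root at DIR for
# accounts that still carry a password hash and for sshd accepting passwords.
# Prints FINDING lines and returns 0 only when nothing was found.
# Added example; assumes a standard Linux / OpenSSH layout under DIR.
audit_rootfs() {
    rootfs="$1"
    findings=0

    # 1. /etc/shadow: field 2 empty, '!' or '*' means locked / no password;
    #    anything else is a usable hash, so the account can log in if sshd
    #    (or the console) accepts passwords.
    if [ -r "$rootfs/etc/shadow" ]; then
        while IFS=: read -r user hash _rest; do
            case "$hash" in
                ""|"!"*|"*"*) ;;
                *) echo "FINDING: account '$user' has a password hash set"
                   findings=$((findings + 1)) ;;
            esac
        done < "$rootfs/etc/shadow"
    else
        echo "WARN: cannot read $rootfs/etc/shadow (run as root against the image root)"
    fi

    # 2. sshd: the first PasswordAuthentication line wins (OpenSSH semantics)
    #    and the OpenSSH default when it is unset is 'yes'. Drop-ins are read
    #    first, assuming the Include directive sits at the top of sshd_config.
    effective=$(cat "$rootfs"/etc/ssh/sshd_config.d/*.conf "$rootfs/etc/ssh/sshd_config" 2>/dev/null \
        | grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]' \
        | awk '{print tolower($2)}' | head -n 1)
    if [ "${effective:-yes}" = "yes" ]; then
        echo "FINDING: sshd PasswordAuthentication is '${effective:-unset}' (effective: yes)"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_rootfs.sh /mnt/node-image
if [ "$#" -eq 1 ]; then
    audit_rootfs "$1"
fi
```

Mount the image read-only (for a raw or qcow2 image, via a loop device or guestmount) and point the script at the mount point. A clean image reports no password hashes and an explicit `PasswordAuthentication no`; any account with a hash is a candidate for the leftover default credential and should be locked or removed, and the image rebuilt.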

WordPress plugin Jetpack vulnerability impacts Contact Form feature

Automattic, the company that produces the Jetpack plugin, has announced a vulnerability in the Contact Form feature that affects 101 previous versions going back to 2016, that is, Jetpack 3.9.10 through 13.9.1.

The vulnerability allowed any logged-in user on a site to read forms submitted by visitors to that site.

Got news or something you’d like us to mention, feel free to get in contact - [email protected]