CyberSecurity.PH #033
MFA push bombing; Interpol operation rescues 400 Filipinos; Fake Wordpress plugins are infostealer malware; ATM FASTCash malware from DPRK; Vulnhuntr LLM powered SAST; SecObserve CICD management; Disposable email domains; VMware, Grafana, WebLogic, Kubernetes vulnerabilities
Welcome to CyberSecurity.PH issue #033,
CyberSecurity.PH is not just an awesome newsletter; we also have (free):
Engineering tools and utilities to help with your cybersecurity tasks; we like open-source tools.
Key cybersecurity strategy papers covering cybersecurity in PH.
Learning materials - plenty of cybersecurity learning material no matter what level you are at.
Plenty of policy templates - to help you get started with your own.
Local education providers - an updated list of the known cybersecurity education providers across PH.
You can help improve cybersecurity outcomes in the Philippines by telling your friends about CyberSecurity.PH or just subscribe them. We promise you will learn up-to-date valuable cybersecurity insights each week.
Philippines
Interpol SOGA X operation rescued 400 Filipino human trafficking victims from illegal gambling center
Interpol have released information on their SOGA X operation to bring action against illegal football gambling operations in 28 countries during the UEFA 2024 European Football Championship earlier this year - the action saw the arrest of ~5100 individuals globally.
One of the more significant SOGA X raids occurred in the Philippines and resulted in the rescue of 650+ human trafficking victims, including ~400 Filipinos and ~250 foreign nationals from 6 different countries.
Interpol providing forensic evidence assistance in the Philippines - source: Interpol.int
Many of the Philippine scam-center victims had been lured to the scam-operation location with false promises of employment and were forced into working through threats, intimidation, and passport confiscation. Victims were forced to operate the legal gambling site while simultaneously also running illegal cyber scams, including romance scams and cryptocurrency-related fraud.
Further reading: Interpol, Cybernews, The Record
Cybersecurity Threat Landscape
Five-eyes cybersecurity agencies warning on Iranian MFA push bombing activities
Five-eyes cybersecurity agencies from the USA, Canada and Australia have issued a report detailing ongoing brute-force activity by Iranian threat actors aimed at critical infrastructure organizations such as healthcare, government, information technology, engineering, and energy operators.
The activity is conducted using well-known brute-force methods against Microsoft 365, Azure, and Citrix endpoints. To work around MFA protections, the threat actors have been observed using push bombing to achieve a fully authenticated session.
Push bombing is a technique that bombards users with mobile-phone push notifications until the user either approves the request to stop the notification harassment or approves it by accident in the mobile-device user interface.
Users with high value accounts need to understand this risk so they do not accidentally open up their organizations to these threat actors.
The five-eyes report provides downloadable indicators-of-compromise in STIX 2.1 format to help defenders determine if they are impacted - the data provides 26x attack patterns and 71x indicators that are mostly IPv4 addresses.
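Two things a defender can do with the material above: pull the IPv4 values out of the STIX 2.1 indicator download, then look for the push-bombing pattern (a burst of denied or timed-out pushes followed by an approval) in sign-in logs. This is an added example written for this issue, not code from the advisory; the STIX bundle, the log lines and the IP addresses are constructed placeholders, and the log format is assumed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed STIX 2.1 bundle in the shape of the advisory's download (indicator objects carrying
# a STIX pattern plus an attack-pattern); the IPs are documentation-range placeholders, not the advisory's.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "indicator", "id": "indicator--placeholder-1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--placeholder-2", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "attack-pattern", "id": "attack-pattern--placeholder", "name": "MFA push bombing"}]})
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([0-9.]+)'\]")

def ipv4_indicators(bundle_json):
    """Collect IPv4 values from the STIX patterns of 'indicator' objects only."""
    return {ip for obj in json.loads(bundle_json).get("objects", [])
            if obj.get("type") == "indicator"
            for ip in IPV4_PATTERN.findall(obj.get("pattern", ""))}

# Constructed sign-in log lines (assumed format): timestamp, user, source IP, MFA push outcome.
LOG = """\
2024-10-20T03:00:01Z alice 203.0.113.10 mfa=push_denied
2024-10-20T03:00:20Z alice 203.0.113.10 mfa=push_denied
2024-10-20T03:00:45Z alice 203.0.113.10 mfa=push_timeout
2024-10-20T03:01:10Z alice 203.0.113.10 mfa=push_denied
2024-10-20T03:01:40Z alice 203.0.113.10 mfa=push_approved
2024-10-20T08:15:00Z bob 192.0.2.55 mfa=push_approved
"""

def push_bombing_alerts(log_text, iocs, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold unapproved pushes inside `window`; record whether an
    approval followed the burst (the attacker's goal) and whether the source IP is a known IoC."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, ip, mfa = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, mfa[4:]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        unapproved = [e for e in evs if e[2] in ("push_denied", "push_timeout")]
        for i, first in enumerate(unapproved):
            burst = [e for e in unapproved[i:] if e[0] - first[0] <= window]
            if len(burst) >= threshold:
                last = burst[-1][0]
                alerts[user] = {"pushes": len(burst),
                                "approved_after": any(e[2] == "push_approved" and e[0] > last for e in evs),
                                "known_ioc": bool({e[1] for e in burst} & iocs)}
                break
    return alerts
```

An alert with approved_after set is the case worth treating as a live compromised session rather than just noise, since the actor has likely obtained the fully authenticated session the report describes.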
Microsoft catching phishers using fake Azure tenants with real looking customer data
Ross Bevington, a principal security engineer at Microsoft, publicly described their deception operations to catch threat actors and generate internal threat-intelligence signals. Bevington delivered the talk at a B-Sides hosted by Exeter University back in July; however, the story is only now gaining media attention.
From the reporting -
Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.
With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.
There is a YouTube recording of Bevington’s talk that is worth the watch too.
Further reading: Microsoft, Bleeping Computer
Fake Wordpress plugins behind ClickFix information-stealer malware campaign
Security researchers at GoDaddy have reported on fake plugins that threat actors install on WordPress sites they have already compromised; the plugins cause those sites to push ClickFix information-stealer malware.
From the GoDaddy report -
There is indication that over 6000 WordPress sites have been impacted by this campaign.
Good indicators of compromise are provided to help defenders determine if they are impacted.
A technical analysis of the fake WordPress plugin is provided.
Names of the fake plugins, such as “LiteSpeed Cache Classic”, “MonsterInsights Classic” and “Wordfence Security Classic”, are highlighted.
Cybersecurity vendor Sucuri is also reporting on the same issue without the ClickFix name.
VirusTotal scan results on the malware dropped by the ClickFix campaign show 39x anti-malware engines flagging it as malware.
Further reading: GoDaddy, Sucuri, Bleeping Computer, Dark Reading
North Korean threat actors using FASTCash malware for ATM cashouts
Yes really - the DPRK has a man-in-the-middle tool that tells ATM machines to approve cash withdrawals even if there are insufficient funds.
DPRK threat actors known as HIDDEN COBRA have been reported using their FASTCash malware since 2018 - the original tool was Win32-based malware and is generally well known.
Security researcher Haxrob has published a report detailing a new Linux variant of this malware. Running on Linux allows it to hide on the servers and backend systems of payment operations, network positions that are closer to ATM transaction flows and remote systems.
From the Haxrob/doubleagent article -
The Linux variant has slightly reduced functionality compared to its Windows predecessor, although it still retains key functionality: intercepting declined (magnetic swipe) transactions messages for a predefined list of card holder account numbers and then authorizing the transaction with a random amount of funds in the currency of Turkish Lira.
Further reading: doubleagent.net, Bleeping Computer, Hack Read, cisa.gov
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or is just plain interesting; check out our engineering-section online at CyberSecurity.PH too!
protectai/vulnhuntr - A tool to identify remotely exploitable vulnerabilities using LLMs and static code analysis in Python code - github.com/protectai/vulnhuntr
MaibornWolff/SecObserve - an open source vulnerability management system for software development and cloud environments supporting a variety of open source vulnerability scanners - github.com/MaibornWolff/SecObserve
disposable-email-domains - An up-to-date list of disposable and temporary email address domains - github.com/disposable-email-domains
Cybersecurity Vulnerabilities
Cybersecurity agencies warning on actively exploited Fortinet vulnerability (CVSS 9.8)
Various cybersecurity agencies have begun reporting today that FortiManager from security vendor Fortinet is under active exploit due to CVE-2024-47575 - the vulnerability carries a CVSS of 9.8.
The issue is caused by missing authentication for certain critical functionality, which may allow a remote, unauthenticated threat actor to execute arbitrary code or commands on FortiManager products.
Further reading: cyber.gov.au, cisa.gov, Fortinet, The Record, Bleeping Computer
VMware releases new vCenter Server patch to fix critical RCE vulnerability (CVSS 9.8)
VMware has re-released updates to address a vulnerability in vCenter Server that enables remote code execution, as the first vCenter patch for this issue did not work.
The vulnerability, tracked as CVE-2024-38812, is a heap-overflow vulnerability in the implementation of the DCE/RPC protocol.
Further reading: Bleeping Computer, The Hacker News, The Register
Grafana critical vulnerability with remote code execution (CVSS 9.9)
Grafana have issued patches for Grafana 11.0.x, 11.1.x, and 11.2.x that contain a fix for CVE-2024-9264.
The issue is a critical vulnerability that enables command injection and local file inclusion (LFI) via SQL expressions.
Oracle WebLogic Server Vulnerability (CVSS 9.8)
Oracle WebLogic has an easily exploitable vulnerability that allows an unauthenticated attacker with network access to compromise Oracle WebLogic Server.
Successful attacks result in full takeover of the Oracle WebLogic server.
Default credential in Kubernetes Image Builder for Proxmox allows SSH root access (CVSS 9.8)
Kubernetes Image Builder uses default credentials in the image build process that in the case of Proxmox images are not disabled.
Kubernetes nodes that use the resulting images may be accessible using these default root credentials.
Further reading: Github.com/kubernetes, Bleeping Computer, The Register
WordPress plugin Jetpack vulnerability impacts Contact Form feature
Automattic, the company that produces the Jetpack plugin, has announced a vulnerability in the contact-form feature that impacts 101 previous versions going back to 2016 - that is, Jetpack version 3.9.10 through to 13.9.1.
The vulnerability can be used by any logged in user to read forms submitted by visitors.
Further reading: Jetpack.com, The Record, Bleeping Computer, The Register
Got news or something you’d like us to mention, feel free to get in contact - [email protected]