CyberSecurity.PH #034

Multi-cloud security testing tool; Awesome GPT agents for cybersecurity; DocuSign abused to send authentic-looking invoices; Synology urges updates for critical zero-click RCE; 22k addresses taken down in INTERPOL operation; Signed Remote Desktop Protocol files from Russia; Google researchers claim first vulnerability found using AI

Welcome to CyberSecurity.PH issue #034,

CyberSecurity.PH is not just an awesome newsletter; we also have (free):

  • Plenty of policy templates - to help you get started with your own.

  • Engineering tools - utilities to help you carry out your cybersecurity tasks; we like open-source tools.

  • Learning materials - plenty of cybersecurity learning material, no matter what level you are at.

  • Local education providers - an updated list of the known cybersecurity education providers across PH.

  • Key cybersecurity strategy papers covering cybersecurity in PH.

Cybersecurity Threat Landscape

INTERPOL cyber operation takes down 22k malicious IP addresses

A global INTERPOL operation, dubbed Operation Synergia II, has taken down more than 22,000 IP addresses linked to malicious activity including phishing, infostealers and ransomware operations.

Operation Synergia II identified approximately 30,000 malicious IP addresses; 76 percent of these were taken down and 59 servers were seized. Additionally, 43 electronic devices, including laptops, mobile phones and hard disks, were seized in the arrest of 41 individuals, with 65 others still under investigation.

Geographic highlights

  • Hong Kong: Law enforcement took down more than 1,037 servers linked to malicious services.

  • Mongolia: Conducted 21 house searches, seized a server, and identified 93 individuals connected to cyber abuse activities.

  • Macau (China): Law enforcement took 291 servers offline.

  • Madagascar: Law enforcement identified 11 individuals with links to malicious servers and seized 11 electronic devices for investigation.

  • Estonia: Law enforcement seized over 80GB of server data related to phishing and banking malware and is working with INTERPOL to analyze it.

DocuSign abused to send authentic-looking invoices that lead to phishing threats

Threat actors are abusing DocuSign to create and send convincing-looking invoices to their targets, according to a recent post by cybersecurity company Wallarm.

“In a concerning trend, cybercriminals are leveraging DocuSign's APIs to send fake invoices that appear strikingly authentic. Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard.

Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself.”

Source: Wallarm

DocuSign customers have also been observed posting in public discussion forums about what appears to be the same issue.

Authentic signed Remote Desktop Protocol files used by Russian “Midnight Blizzard” gang to target foreign networks

US cybersecurity agency CISA has raised an alarm regarding a large-scale spear-phishing campaign that abuses Microsoft RDP by sending signed RDP files to targets.

Signing the files (with a Let's Encrypt certificate) is reported to make email filtering products more likely to deliver the associated phishing messages into target inboxes, and to make human users less suspicious of the RDP files in the first place.

Because RDP allows bi-directional connectivity to the victim host, it enables threat actors to install infostealers, copy files from network drives, connect to peripherals (e.g. a USB YubiKey) and copy clipboard data.

The CISA article provides several recommendations, primarily:

  • Block outbound RDP connection traffic to external networks

  • Block RDP files from being transmitted on all platforms, such as email and messaging

  • Prevent RDP files from being executed (usually done with domain policy)

  • Enable Multi-Factor Authentication (MFA) for users.
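The endpoint-side items in that list (blocking outbound RDP and stopping .rdp files from launching a session) can be applied and then verified from PowerShell. The script below is an added example written for this newsletter, not CISA's or Microsoft's own tooling; it assumes a standalone Windows 10/11 host being used for testing (in a domain, push the same settings through Group Policy so they are not overwritten), and the rule names prefixed with CSPH- are our own choice.

```powershell
#Requires -RunAsAdministrator
# Added example (CyberSecurity.PH), not CISA's or Microsoft's script.
# Applies the endpoint-side CISA recommendations for the signed-.rdp phishing campaign:
#   1. stop .rdp files (signed or unsigned) from starting a Remote Desktop session
#   2. block outbound RDP (TCP/UDP 3389) to hosts outside the intranet
# Assumption: standalone test host; in a domain, deploy the same settings via GPO.

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpFilePolicy {
    # Both values map to "Remote Desktop Connection Client" Group Policy settings:
    #   AllowSignedFiles   -> "Allow .rdp files from valid publishers and user's default .rdp settings"
    #   AllowUnsignedFiles -> "Allow .rdp files from unknown publishers"
    # The campaign described above used *signed* files, so AllowSignedFiles = 0 is the
    # setting that actually closes the gap; AllowUnsignedFiles = 0 covers the ordinary case.
    if (-not (Test-Path $TsPolicy)) { New-Item -Path $TsPolicy -Force | Out-Null }
    New-ItemProperty -Path $TsPolicy -Name AllowSignedFiles   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $TsPolicy -Name AllowUnsignedFiles -PropertyType DWord -Value 0 -Force | Out-Null
}

function Block-OutboundRdp {
    # One outbound block rule per protocol. "Internet" is a Windows Firewall address
    # keyword meaning "not classified as intranet", so RDP to internal jump hosts and
    # servers keeps working while connections to attacker-controlled hosts are dropped.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "CSPH-Block-Outbound-RDP-$proto"   # rule name is our own convention
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Protocol $proto -RemotePort 3389 -RemoteAddress Internet -Profile Any | Out-Null
        }
    }
}

function Test-RdpHardening {
    # Returns an object rather than printing, so the result can be collected centrally
    # (e.g. exported to CSV from many hosts) and any host that drifted stands out.
    $p = Get-ItemProperty -Path $TsPolicy -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName 'CSPH-Block-Outbound-RDP-TCP' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SignedRdpFilesBlocked   = ($p.AllowSignedFiles -eq 0)
        UnsignedRdpFilesBlocked = ($p.AllowUnsignedFiles -eq 0)
        OutboundRdpBlocked      = [bool]$rule
    }
}

Set-RdpFilePolicy
Block-OutboundRdp
Test-RdpHardening | Format-List
```

The remaining two recommendations live outside the endpoint: the email-side block is a transport rule on the mail platform (for Exchange Online, `New-TransportRule` with `-AttachmentExtensionMatchesWords rdp` rejects messages carrying .rdp attachments), and MFA is configured in the identity provider. Note that the firewall rule only stops the RDP session itself; the .rdp policy is what prevents the file from launching a connection at all, which is why both are applied.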

Further reading: CISA.gov, Dark Reading

Chinese state-sponsored threat-actors breached 20 Canadian government networks

The Canadian Centre for Cyber Security recently published their National Cyber Threat Assessment 2025-2026 paper that states -

“Over the past four years, at least 20 networks associated with Government of Canada agencies and departments have been compromised by PRC cyber threat actors.”

Source: cyber.gc.ca article

“PRC cyber threat actors have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information.”

Further reading: cyber.gc.ca, The Register

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

Cybersecurity Vulnerabilities

Cisco industrial wireless access point command injection vulnerability (CVSS: 10.0)

A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points allows unauthenticated, remote threat actors to perform command injection attacks with root privileges on the underlying Cisco operating system.

Further reading: Cisco, Bleeping Computer

Synology urges updates for critical zero-click RCE vulnerability impacting millions of NAS appliances (CVSS: 9+)

Synology has released patches for a vulnerability discovered through the recent Pwn2Own event.

The issue, dubbed “RISK:STATION” by the team that discovered it, enables remote threat actors to gain code execution as root on vulnerable NAS appliances exposed online.

No CVSS score has been published for the vulnerability; however, it appears to be in the 9+ range.

ServiceNow sandbox escape vulnerability (CVSS 9.8)

ServiceNow has patched two recent vulnerabilities, CVE-2024-8923 and CVE-2024-8924, the former of which carries a CVSS of 9.8.

CVE-2024-8923 involves an input validation flaw that enables unauthenticated users to execute arbitrary code remotely.

Further reading: Service Now, Security Online

LiteSpeed Cache WordPress plugin vulnerability leads to admin access (CVSS: 8.1)

An unauthenticated privilege escalation vulnerability that allows an external threat actor to gain Administrator-level access has been discovered in the LiteSpeed Cache plugin for WordPress.

Further reading: Patch Stack, Bleeping Computer

Cybersecurity Engineering Overload

Google researchers claim first vulnerability found using AI, in SQLite

Security researchers at Google Project Zero have announced the discovery of a software vulnerability using only LLM-based technologies.

From the article -

“Today, we're excited to share the first real-world vulnerability discovered by the Big Sleep agent: an exploitable stack buffer underflow in SQLite, a widely used open source database engine. We discovered the vulnerability and reported it to the developers in early October, who fixed it on the same day. Fortunately, we found this issue before it appeared in an official release, so SQLite users were not impacted.”

Got news or something you’d like us to mention? Feel free to get in contact - [email protected]