CyberSecurity.PH #034
Multi-cloud security testing tool; Awesome GPT agents for cybersecurity; DocuSign abused to send authentic-looking invoices; Synology urges updates for critical zero-click RCE; 22k addresses taken down in INTERPOL operation; Signed Remote Desktop Protocol files from Russia; Google researchers claim first vulnerability found using AI
Welcome to CyberSecurity.PH issue #034,
CyberSecurity.PH is not just an awesome newsletter; we also have (free):
Plenty of policy templates - to help you get started with your own.
Engineering tools - and utilities to help conduct your cybersecurity tasks, we like open-source tools.
Learning materials - plenty of cybersecurity learning material, no matter what level you are at.
Local education providers - an updated list of the known cybersecurity education providers across PH.
Key cybersecurity strategy papers covering cybersecurity in PH.
Cybersecurity Threat Landscape
INTERPOL cyber operation takes down 22k malicious IP addresses
A global INTERPOL operation dubbed Operation Synergia II has taken down more than 22,000 IP addresses linked to malicious activity, including phishing, infostealers and ransomware operations.
Operation Synergia II identified approximately 30,000 malicious IP addresses; 76 percent of these were taken down and 59 servers were seized. Additionally, 43 electronic devices, including laptops, mobile phones and hard disks, were seized in the arrest of 41 individuals, with 65 others still under investigation.
Geographic highlights
Hong Kong: Law enforcement took down more than 1,037 servers linked to malicious services.
Mongolia: Conducted 21 house searches, seized a server, and identified 93 individuals connected to cyber abuse activities.
Macau (China): Law enforcement took 291 servers offline.
Madagascar: Law enforcement identified 11 individuals with links to malicious servers and seized 11 electronic devices for investigation.
Estonia: Law enforcement seized over 80GB of server data and is working with INTERPOL to analyze it; the data relates to phishing and banking malware.
Further reading: Interpol, Bleeping Computer, The Record, The Register
DocuSign abused to send authentic-looking invoices that lead to phishing threats
Threat actors are abusing DocuSign to create and send convincing-looking invoices to their targets, according to cybersecurity company Wallarm in a recent post.
“In a concerning trend, cybercriminals are leveraging DocuSign's APIs to send fake invoices that appear strikingly authentic. Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard. … Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself.” Source: Wallarm
DocuSign customers have been observed posting in public discussion forums about what appears to be the same issue.
Further reading: Hack Read, Bleeping Computer, The Register, Dark Reading
Authentic signed Remote Desktop Protocol files used by Russian “Midnight Blizzard” gang to target foreign networks
US cybersecurity agency CISA has raised an alarm regarding a large-scale spear-phishing campaign that abuses Microsoft RDP by sending signed RDP files to targets.
The use of file signing (with Let's Encrypt certificates) is reported to make email filtering products more likely to deliver the associated phishing messages into target inboxes, and to make users less suspicious of the RDP files in the first place.
Because RDP allows bi-directional connectivity to the victim host, it enables threat actors to install infostealers, copy files from network drives, connect to peripherals (e.g. a USB YubiKey) and copy clipboard data.
The CISA article provides several recommendations, primarily:
Block outbound RDP connection traffic to external networks
Block RDP files on all communication platforms, such as email and messaging
Prevent RDP files from being executed (usually done with domain policy)
Enable Multi-Factor Authentication (MFA) for users.
Further reading: CISA.gov, Dark Reading
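The drive, clipboard and device redirection described above is configured inside the .rdp file itself, so a mail-gateway or endpoint check can flag an attached file that targets an external host and maps local resources into the session. The following is an added example, not code from the original post or from CISA's advisory; it assumes a constructed sample file and a hypothetical internal domain suffix (".corp.example").

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample .rdp file content (not taken from the post or any real campaign).
# The signature value is a placeholder, not real rdpsign output.
SAMPLE_RDP = """\
full address:s:203.0.113.10
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
usbdevicestoredirect:s:*
signscope:s:Full Address,Drives To Redirect,Redirect Clipboard
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Settings that map local resources into the remote session, each with the test
# that tells whether the value as written actually enables the redirection.
REDIRECT_KEYS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v.strip() != "",      # local drives
    "redirectclipboard": lambda v: v.strip() == "1",    # clipboard
    "redirectsmartcards": lambda v: v.strip() == "1",   # smart cards / hardware tokens
    "devicestoredirect": lambda v: v.strip() != "",     # plug-and-play devices
    "usbdevicestoredirect": lambda v: v.strip() != "",  # USB devices
}


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse the 'name:type:value' lines of an .rdp file into {name: value}."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, _type, value = parts
            settings[name.lower()] = value
    return settings


def assess_rdp(text: str, internal_suffixes: Tuple[str, ...] = (".corp.example",)) -> List[str]:
    """Return risk findings for an .rdp file received as an email attachment."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", "").rsplit(":", 1)[0]  # drop optional :port (hostname or IPv4)
    if host and not host.lower().endswith(internal_suffixes):
        findings.append(f"session target {host} is not an internal host")
    for key, enabled in REDIRECT_KEYS.items():
        if key in s and enabled(s[key]):
            findings.append(f"{key} exposes local resources to the remote host")
    if "signature" in s:
        findings.append("file is signed; a valid signature says nothing about the signer's intent")
    return findings


if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print(finding)
```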
Chinese state-sponsored threat-actors breached 20 Canadian government networks
The Canadian Centre for Cyber Security recently published its National Cyber Threat Assessment 2025-2026 paper, which states:
“Over the past four years, at least 20 networks associated with Government of Canada agencies and departments have been compromised by PRC cyber threat actors.”
Source: cyber.gc.ca article
“PRC cyber threat actors have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information.”
Further reading: cyber.gc.ca, The Register
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
Halberd - Halberd is a multi-cloud security testing tool for use with Entra ID, M365, Azure, and AWS. - github.com/vectra-ai-research/Halberd
blst-security/cherrybomb - CLI tool that helps you avoid undefined user behavior by auditing your API specifications, validating them and running API security tests - github.com/blst-security/cherrybomb
fr0gger/Awesome-GPT-Agents - A curated list of awesome GPT agents focused on cybersecurity - github.com/fr0gger/Awesome-GPT-Agents
Cybersecurity Vulnerabilities
Cisco Industrial Wireless access point command injection vulnerability (CVSS: 10.0)
A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points allows unauthenticated, remote threat actors to perform command injection attacks with root privileges on the underlying Cisco operating system.
Further reading: Cisco, Bleeping Computer
Synology urges updates for critical zero-click RCE vulnerability impacting millions of NAS appliances (CVSS: 9+)
Synology has released patches for a vulnerability discovered through the recent PWN2OWN event.
The issue, dubbed “RISK:STATION” by the team that discovered it, enables remote threat actors to gain remote code execution as root on vulnerable NAS appliances exposed online.
No CVSS score has been published for the vulnerability; however, it appears to be in the 9+ range.
Further reading: Synology, Midnight Blue, Bleeping Computer, The Hacker News
ServiceNow sandbox escape vulnerability (CVSS 9.8)
ServiceNow has patched two recent vulnerabilities, CVE-2024-8923 and CVE-2024-8924, the former of which carries a CVSS of 9.8.
CVE-2024-8923 involves an input validation flaw that enables unauthenticated users to execute arbitrary code remotely.
Further reading: ServiceNow, Security Online
LiteSpeed Cache WordPress plugin vulnerability leads to admin access (CVSS: 8.1)
An unauthenticated privilege escalation vulnerability that allows an external threat actor to gain Administrator-level access has been discovered in the LiteSpeed Cache plugin for WordPress.
Further reading: Patch Stack, Bleeping Computer
Cybersecurity Engineering Overload
Google researchers claim first vulnerability found using AI in SQLite
Security researchers at Google Project Zero have announced the discovery of a software vulnerability found using only LLM-based tooling.
From the article:
“Today, we're excited to share the first real-world vulnerability discovered by the Big Sleep agent: an exploitable stack buffer underflow in SQLite, a widely used open source database engine. We discovered the vulnerability and reported it to the developers in early October, who fixed it on the same day. Fortunately, we found this issue before it appeared in an official release, so SQLite users were not impacted.”
Further reading: Google Project Zero, SC World, The Record
Got news or something you’d like us to mention? Feel free to get in contact: [email protected]