CyberSecurity.PH #036
Salt Typhoon targeting Southeast Asia telecoms; POGOs re-spawning as BPOs; Predatory money loan apps; Solana web3.js backdoor; Safeline self hosted WAF; Critical vulnerabilities in SailPoint, Veeam, WhatsUp and Cleantalk
Welcome to CyberSecurity.PH issue #036,
You can help improve cybersecurity outcomes in the Philippines by telling your friends about us or simply subscribing their email address. We promise they will learn up-to-date, valuable cybersecurity insights each week.
Philippines
China based Earth Estries (Salt Typhoon) threat actor targeting telecom and government in Southeast Asia
Cybersecurity company Trend Micro have released their latest assessment of the China based cyber-threat group Earth Estries (also known as Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286), indicating the group has been successfully targeting telecommunications companies and government entities with malware in the APAC region. The report names the Philippines as a country impacted by this cyber-threat activity (source: Trend Micro).
Trend Micro outlines that the initial access vectors used by this threat group are typically one of the following:
Ivanti Connect Secure VPN - CVE-2023-46805 and CVE-2024-21887
Fortinet FortiClient EMS - CVE-2023-48788
Sophos Firewall user portal - CVE-2022-3236
Microsoft Exchange proxy login - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
These vectors are all well known and fairly old (i.e. more than 90 days), and defending organizations should have already addressed them.
The Trend Micro report provides indicators of compromise (here) and a YARA rule to assist defenders in determining if they are impacted - both are extremely helpful.
Trend Micro’s report notes that the Salt Typhoon threat-actor name has been applied to recent telecommunications threat activity in the US, however in Trend Micro’s current assessment they do not yet have sufficient evidence to confirm Earth Estries is Salt Typhoon other than an overlap of tactics, techniques, and procedures (TTPs).
Further reading: Trend Micro, The Record, Dark Reading, The Register
Outlawed POGOs re-spawning as smaller BPOs in Visayas and Mindanao says PAOCC
Presidential Anti-Organized Crime Commission (PAOCC) director Winnie Quidato disclosed in a recent Senate investigation hearing that -
[translated] Some big Philippine Offshore Gaming Operators (POGO) are breaking down into smaller groups, rebranding it as business process outsourcing and relocating in the Visayas and Mindanao …
[translated] The big POGO companies that we have raided before or that were existing before ... we are seeing that they've broken into smaller groups.
Securities and Exchange Commission (SEC) Assistant Director Jonathan Paguirigan has stated the SEC is working in coordination with the PAOCC on the matter.
With the advent of the executive order issued by the President, Madam Chair, we are actually taking steps to assure that those who are actually engaging in POGOs would be informed and to comply with the executive order…
Bad-acting and criminally influenced POGO operations are being pushed out of the Philippines after President Ferdinand Marcos Jr.’s Executive Order No. 74, which implements a full ban on all POGO activities by 31 December 2024.
Further reading: PNA.gov.ph, Inquirer, GMA Network, Outsource Accelerator
Predatory money loan apps (SpyLoan apps) still available through Play Store
Cybersecurity company McAfee has released a report into the current state of “SpyLoan” apps that trick users into providing sensitive data and granting excessive app permissions. These apps typically lead to unexpected data exfiltration from victim devices, which then enables predatory money loan operators to conduct extortion and harassment activities.
From the report -
During our investigation of this threat, we identified fifteen apps with a combined total of over eight million installations. This group of loan apps share a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server using a similar HTTP endpoint infrastructure. They operate localized in targeted territories, mainly in South America, Southern Asia, and Africa, with some of them being promoted through deceptive advertising on social media.
The McAfee report states that the Philippines ranks third among the top-10 countries with the highest prevalence of these SpyLoan / FakeLoan apps.
The McAfee report additionally provides victim experience stories (not Philippines) whereby photos stolen from user devices are edited into compromising situations and then used as extortion material on social media and/or other contacts of the victim.
Watch out for apps that ask for excessive device permissions and teach your people about this threat, it’s ugly and profoundly unfair.
Cybersecurity Threat Landscape
Five-eyes agencies say Chinese threat actors maintain persistence inside US telecom systems and others
A joint five-eyes security agency release has made it clear that threat actors are persisting in their access to telecommunications organizations in the US and elsewhere.
From the Cyberscoop article -
Telecommunications providers are still trying to evict the Chinese government-linked hackers behind a monumental and sweeping breach that the government began investigating this spring, U.S. administration officials said Tuesday, while also providing guidance they believe can attempt to kick the attackers off the network for good.
Government agencies are also still grappling with the attack’s full scope, the officials told reporters. The hackers, a group known as Salt Typhoon, targeted officials from both presidential campaigns, including the phone of President-elect Donald Trump.
The CISA release is excellent guidance for telecommunications companies globally and can equally be used by other enterprises to bolster their own cybersecurity posture.
Further reading: CISA.gov, Axios, The Record, Cyberscoop, The Hacker News
Russian backed Fancy Bear threat-actors spotted hopping between in-range WiFi networks
Much news this week about an incident report from cybersecurity company Volexity detailing an incident response in 2022 whereby access to a victim network was achieved by compromising a neighboring company's device and using its wifi network adapter to reach the victim's wifi network remotely.
source: volexity.com
The attack typology has been dubbed “Nearest Neighbor” and is considered a new technique that defenders should plan for.
Of note in this incident was that the wifi-network operator belonged to an organization with projects and assets related to Ukraine and the incident occurred in February 2022, just before the Russian invasion of Ukraine - the Russian Fancy Bear threat-group was named as being responsible for the incident.
Further reading: Volexity, Cybersecurity News, Wired, Bleeping Computer, Dark Reading
Solana’s (very) popular web3.js library contained a backdoor stealing private keys and blockchain tokens
Software vendor Solana that produces a very popular library among so-called “Web3” technology companies has fallen to a supply-chain attack causing a malicious backdoor to be included in versions 1.95.6 and 1.95.7.
Cybersecurity company Socket have released a technical breakdown of the backdoor highlighting the .xyz domain that private key material was being pushed to.
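A quick way to check whether a project pinned one of the two backdoored releases is to scan its package-lock.json. The script below is an added example (not code from Socket or Solana); it assumes the npm package name is @solana/web3.js and handles both the nested lockfile v1 layout and the flat v2/v3 "packages" map, so transitive pins are caught too.

```python
import json
from typing import Iterator

# Versions named in the disclosure as carrying the backdoor.
AFFECTED_VERSIONS = {"1.95.6", "1.95.7"}
PACKAGE = "@solana/web3.js"  # assumed npm package name


def iter_lock_entries(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every entry in a package-lock.json,
    handling lockfile v1 (nested "dependencies") and v2/v3 ("packages")."""
    # v2/v3: flat map keyed by path, e.g. "node_modules/@solana/web3.js"
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = meta.get("name") or path.split("node_modules/")[-1]
        if "version" in meta:
            yield name, meta["version"]
    # v1 (also present in v2 for compatibility): nested dependency tree
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def find_backdoored(lock_text: str) -> list[str]:
    """Return the affected web3.js versions found in the lockfile (sorted, deduplicated)."""
    lock = json.loads(lock_text)
    hits = {v for n, v in iter_lock_entries(lock) if n == PACKAGE and v in AFFECTED_VERSIONS}
    return sorted(hits)


# Constructed sample lockfile (v3) where a transitive dependency pins a bad release.
SAMPLE_LOCK = json.dumps({
    "name": "demo-dapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-dapp", "version": "0.1.0"},
        "node_modules/@solana/web3.js": {"version": "1.95.4"},
        "node_modules/some-wallet-adapter": {"version": "2.0.0"},
        "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": {"version": "1.95.7"},
    },
})

if __name__ == "__main__":
    print(find_backdoored(SAMPLE_LOCK))  # ['1.95.7']
```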
Until a nation-state with adequate threat-deterrence capacity (Army, Navy, Air Force, etc) is willing to back your crypto-bro-chain-thing, it’s not going to enjoy the value protections that are implied with trusted nation-state issued currencies - not impossible to get there, but it’s still a bumpy road with risks that continue to be learned.
Further reading: Socket, Decrypt, The Hacker News, Bleeping Computer
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or is just plain interesting; check out our engineering-section online at CyberSecurity.PH too!
Safeline - self hosted WAF that implements a reverse proxy to protect your web services from attacks and exploits - github.com/chaitin/safeline
OWASP LLM top-10 - Top 10 risks and mitigations for LLMs and generative AI applications in 2025 - genai.owasp.org/llm-top-10/
Cybersecurity Vulnerabilities
SailPoint IdentityIQ directory traversal vulnerability (CVSS 10.0)
CVE-2024-10905, with a CVSS of 10.0, affects SailPoint IdentityIQ versions 8.2, 8.3, 8.4 and other previous versions - not what you want from an identity and authentication product.
Further reading: NIST.gov, The Hacker News, The Register
Veeam service provider console vulnerabilities (CVSS 9.9)
From the vendor announcement -
CVE-2024-42448 - From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
CVE-2024-42449 - From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine.
Further reading: Veeam, Cybersecurity News, HackRead, The Hacker News
Exploit now available for WhatsUp Gold RCE vulnerability (CVSS 9.8)
CVE-2024-8785 does not require authentication, and the vulnerable NmAPI.exe service is accessible over the network, making this a critical vulnerability.
From the vendor -
The WhatsUp Gold team has identified a series of critical and high vulnerabilities that exist in Progress WhatsUp Gold versions below 24.0.1. We are reaching out to all WhatsUp Gold customers to upgrade their environment as soon as possible to version 24.0.1, released on Friday, September 20. If you are running a version older than 24.0.1 and you do not upgrade, your environment will remain vulnerable.
Further reading: Progress Software, Tenable, Bleeping Computer
WordPress anti-spam plugin vulnerability impacts 200k+ sites (CVSS 9.8)
From cybersecurity company Wordfence -
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
A review of the Cleantalk website notes a recent new release but no mention of CVE-2024-10542.
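The bypass class Wordfence describes, trusting a reverse DNS (PTR) name on its own, is worth understanding because whoever controls an IP address's reverse zone can publish any PTR they like. The added example below (not CleanTalk's code) contrasts that weak check with forward-confirmed reverse DNS, where the PTR name must also resolve back to the connecting IP; the trusted domain and DNS records are constructed, and resolvers are injected so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable

# Resolver callables are injected so the example runs offline; in production
# pass wrappers around socket.gethostbyaddr / socket.getaddrinfo (or dnspython).
ReverseLookup = Callable[[str], str]            # ip -> PTR hostname
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> A/AAAA addresses

TRUSTED_SUFFIXES = (".example-vendor.net",)  # hypothetical allow-listed vendor domain


def weak_is_trusted(ip: str, reverse: ReverseLookup) -> bool:
    """Reverse-DNS-only check: accepts whatever PTR the IP's owner publishes."""
    try:
        ptr = reverse(ip).rstrip(".").lower()
    except OSError:
        return False
    return ptr.endswith(TRUSTED_SUFFIXES)


def fcrdns_is_trusted(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP,
    which requires control of the trusted domain's forward zone, not just a PTR."""
    try:
        addr = ipaddress.ip_address(ip)
        ptr = reverse(ip).rstrip(".").lower()
        if not ptr.endswith(TRUSTED_SUFFIXES):
            return False
        return any(ipaddress.ip_address(a) == addr for a in forward(ptr))
    except (ValueError, OSError):
        return False


# Constructed sample DNS data: the second IP publishes a PTR it does not own.
PTR_RECORDS = {
    "203.0.113.10": "api.example-vendor.net.",   # genuine vendor host
    "198.51.100.77": "api.example-vendor.net.",  # unrelated IP with a spoofed PTR
}
A_RECORDS = {"api.example-vendor.net": ["203.0.113.10"]}


def fake_reverse(ip: str) -> str:
    return PTR_RECORDS.get(ip, "")


def fake_forward(host: str) -> list[str]:
    return A_RECORDS.get(host, [])
```

Both checks accept the genuine host; only the forward-confirmed check rejects the spoofed PTR.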
Further reading: Wordfence, Wordpress.org, Cleantalk-github, Cleantalk-website
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]