CyberSecurity.PH #032

United Nations report on SEA cybercrime; US wiretaps hacked by China; Adobe/Magento stores hacked by CosmicSting campaigns; Critical vulnerabilities in DrayTek; SAP BusinessObjects vulnerability; Qualcomm WLAN vulnerability; CUPS-browsed scanner

Welcome to CyberSecurity.PH issue #032,

You can help improve cybersecurity outcomes in the Philippines by telling your friends about us or just subscribing their email address. We promise they will learn up-to-date, valuable cybersecurity insights each week.

CyberSecurity.PH is not just an awesome newsletter; we also have free collections of -

  • Learning materials - plenty of cybersecurity learning material no matter what level you are at.

  • Engineering tools - and utilities to help conduct your cybersecurity tasks; we like open-source tools.

  • Plenty of policy templates - to help you get started with your own.

  • Key cybersecurity strategy papers covering cybersecurity in PH.

  • Local education providers - an updated list of the known cybersecurity education providers across PH.

Philippines

United Nations reports that organized crime is outpacing law enforcement capacity in South East Asia

The United Nations Office on Drugs and Crime (UNODC) has issued an extensive report describing the current state of cyber-enabled crime activity in the South East Asia (SEA) region. The report runs to a full 140 pages and details in depth the extent to which crime gangs are operating in the Philippines and other SEA nations.

The entire report is a wide-eyed read on the criminal activity occurring in the region, and of particular interest is the third section, “Developments in cyber-enabled fraud and technological innovation”, which focuses on direct cyber-crime activity.

Key areas of regional cyber-crime development described in the report:

  • info-stealers are a current major trend among cyber-crime operators.

  • real time marketplaces for info-stealer outputs are driving the associated criminal economy.

  • improvements in Search Engine Optimization (SEO) poisoning have been observed, pushing innocent-looking links and advertisements onto legitimate platforms and resulting in malware infections by info-stealers and cryptocurrency drainers.

  • cryptocurrency drainers continue to be very attractive targets for cyber-crime operators since they are relatively easy to steal from, with few legal recourse options.

  • the use of artificial intelligence (AI) technologies to conduct convincing deep-fake frauds has risen dramatically in the Philippines.

Further reading - UNODC, The Record, Sumsub

Cybersecurity Threat Landscape

China backed Salt Typhoon hacked law-enforcement wiretaps at Lumen, AT&T and Verizon

The Wall Street Journal and Washington Post have each reported on a major data breach by the China-backed threat actor Salt Typhoon (also known as GhostEmperor or FamousSparrow), which was able to access law-enforcement wiretap equipment at three of the largest ISPs in the United States.

“The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers” - Wall Street Journal

Early indications are that the threat actors were able to control certain Cisco routers, enabling them to access and possibly exfiltrate data.

Pig Butchering apps found on Google Play and Apple App Store

Cybersecurity company Group-IB are reporting their observations of apps in Google Play and Apple App Store that enable Pig Butchering fraud operations.

The Group-IB report provides evidence of legitimate-looking apps that mask their fraud and info-stealer functions. The report provides several indicators: cloned-app names, fraud app namespaces, and domain names used in the fraudsters' operations - awesome for defenders.

Further reading - Bleeping Computer, Hack Read

Thousands of Magento/AdobeCommerce stores hacked in CosmicSting campaigns by multiple threat gangs

Cybersecurity company Sansec is reporting on its observation of over 4,200 compromised Magento and Adobe Commerce stores since the release of CVE-2024-34102, which came with a well-known exploit.

“Our research found seven distinct groups running large scale campaigns. Each group uses CosmicSting attacks to steal secret Magento cryptographic keys. This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through ‘CMS blocks’” - Sansec

Further reading - Security Week, Bleeping Computer

Perfctl malware targeting Linux systems leveraging 20k system misconfigurations

Cybersecurity company Aqua Nautilus is reporting on its observations of malware known as Perfctl, which typically operates as a resource-theft operation running a Monero cryptominer.

Perfctl disguises itself as legitimate-looking system files and leverages a collection of ~20k system misconfigurations to gain a foothold, then uses a Polkit vulnerability (CVE-2021-4043) to escalate to root.

The report provides excellent technical details of the malware together with IoCs for defenders.

Further reading - Bleeping Computer, Hack Read

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!

Cybersecurity Vulnerabilities

Critical vulnerabilities in DrayTek routers expose ~750k devices (CVSS 10.0)

Fourteen vulnerabilities in widely deployed DrayTek routers have been discovered and reported by cybersecurity company Forescout.

Of these, two are critical and lead to full remote compromise of the DrayTek devices:

  • CVE-2024-41592 (CVSS Score: 10.0): Buffer overflow vulnerability in the web interface that can be exploited to crash the router or, when chained with CVE-2024-41585, to gain complete control. The overflow can be triggered by sending a long query string to CGI pages.

  • CVE-2024-41585 (CVSS Score: 9.1): Operating system command injection that allows attackers to inject malicious code into the router’s operating system, leading to full access to the device.

Proof-of-concept code has been posted that makes the threat vector extremely easy to understand, making this issue trivial to exploit for any would-be threat actor.

Up to 750k devices are estimated to be at risk, with concentrations of devices in Taiwan, Vietnam, Germany, the Netherlands and the United Kingdom.
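As an added defensive example (not code from the newsletter, Forescout or DrayTek), the rule below scans constructed Apache-style access-log lines, as a reverse proxy or IDS in front of the router's web interface might produce, and flags requests to CGI pages whose query string exceeds an assumed length threshold, matching the trigger condition described for CVE-2024-41592. The log lines, paths and threshold are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache "combined" style) for illustration;
# the long-query line is what a CVE-2024-41592-style probe could look like.
SAMPLE_LOGS = [
    '203.0.113.5 - - [05/Oct/2024:10:15:01 +0800] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Oct/2024:10:15:03 +0800] "GET /index.htm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Oct/2024:10:15:09 +0800] "GET /cgi-bin/status.cgi?page=' + "A" * 600 + ' HTTP/1.1" 500 0',
    '192.0.2.33 - - [05/Oct/2024:10:15:12 +0800] "GET /docs/manual.html?q=' + "B" * 600 + ' HTTP/1.1" 200 100',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MAX_QUERY_LEN = 256  # assumed threshold; tune to the longest legitimate query seen on the device


def parse_line(line):
    """Return a dict of fields for a combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(target, max_query_len=MAX_QUERY_LEN):
    """True when the request targets a CGI page with an over-long query string."""
    parts = urlsplit(target)
    return parts.path.lower().endswith(".cgi") and len(parts.query) > max_query_len


def scan(lines, max_query_len=MAX_QUERY_LEN):
    """Return (client_ip, path, query_length) for every line that matches the rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected log format
        if is_suspicious(rec["target"], max_query_len):
            parts = urlsplit(rec["target"])
            hits.append((rec["ip"], parts.path, len(parts.query)))
    return hits


if __name__ == "__main__":
    for ip, path, qlen in scan(SAMPLE_LOGS):
        print(f"ALERT {ip} -> {path} query length {qlen}")
```

Only the long query to the .cgi page is flagged; the equally long query to a static HTML page is ignored because the rule is scoped to the CGI trigger described above.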

Further reading - Censys, Hack Read

Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (CVSS 9.8)

Very limited details are available on the latest security patch release by SAP; however, it does include a patch for a CVSS 9.8 issue in SAP BusinessObjects that appears to be a re-release of a previous patch.

The CVE Program item states “In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”

Further reading - SAP.com, CVE.org

Qualcomm WLAN Resource Manager (CVSS 9.8)

Qualcomm has released patches for zero-day vulnerabilities in its Digital Signal Processor (DSP) services that impact dozens of Qualcomm chipsets.

The main vulnerability (CVE-2024-43047) was reported by Google Project Zero and Amnesty International's Security Lab, leading to questions about how this vulnerability was uncovered and who the victims being exploited are.

CISA have added this issue to their Known Exploited Vulnerabilities catalog this week.

10-year-old Linux vulnerability in cups-browsed (CVSS 9.9)

The common Linux component cups-browsed has been found to have a vulnerability whereby it trusts packets from any source; such a packet can point to a threat-actor-controlled URL from which printer drivers are downloaded and installed, which in turn execute arbitrary commands on impacted systems.

Up to 200k Linux-based, internet-connected printer systems have been identified as being in scope for this issue.

Further reading - Bleeping Computer, Hack Read

Microsoft October 2024 Security Updates - vulnerabilities already under active attack (CVSS 7.8)

United States cybersecurity agency CISA are reporting that two of the vulnerabilities patched in Microsoft’s October 2024 Security Updates release are already under active exploitation.

  • CVE-2024-43572 - Microsoft Windows Management Console Remote Code Execution Vulnerability

  • CVE-2024-43573 - Microsoft Windows MSHTML Platform Spoofing Vulnerability

Details of Microsoft’s latest release can be found here.

Cybersecurity Engineering Overload

Principles of operational technology cyber security

Multiple national security agencies have jointly published a guide that outlines six principles for creating and maintaining a safe, secure critical infrastructure operational technology (OT) environment.

Their "Principles of Operational Technology Cyber Security" provides security practitioners with ways to deploy and implement cybersecurity controls in critical infrastructure, including water, energy, and transportation systems.

The document is well written and a fantastic resource for anyone defending critical infrastructure.

Further reading - Cyber.gov.au, NSA.gov

Got news or something you’d like us to mention? Feel free to get in contact - [email protected]