CyberSecurity.PH #032
United Nations report on SEA cybercrime; US wiretaps hacked by China; Adobe/Magento stores hacked by CosmicSting campaigns; Critical vulnerabilities in DrayTek; SAP BusinessObjects vulnerability; Qualcomm WLAN vulnerability; CUPS-browsed scanner
Welcome to CyberSecurity.PH issue #032,
You can help improve cybersecurity outcomes in the Philippines by telling your friends about us, or just subscribe their email address for them. We promise they will learn valuable, up-to-date cybersecurity insights each week.
CyberSecurity.PH is not just an awesome newsletter, we also have free collections of -
Learning materials - plenty of cybersecurity learning material no matter what level you are at.
Engineering tools - tools and utilities to help you get your cybersecurity tasks done; we like open-source tools.
Plenty of policy templates - to help you get started with your own.
Key cybersecurity strategy papers covering cybersecurity in PH.
Local education providers - an updated list of the known cybersecurity education providers across PH.
Philippines
United Nations report that organized crime is outpacing law enforcement capacity in South East Asia
The United Nations Office on Drugs and Crime (UNODC) has issued an extensive report describing the current state of cyber-enabled crime in the South East Asia (SEA) region. The report runs to a full 140 pages and details in depth the extent to which crime gangs are operating in the Philippines and other SEA nations.
The entire report is an eye-opening read on the criminal activity occurring in the region; of particular interest is the third section, "Developments in cyber-enabled fraud and technological innovation", which focuses on direct cyber-crime activity.
Key areas of regional cyber-crime development described in the report:
Info-stealers are a current major trend among cyber-crime operators.
Real-time marketplaces for info-stealer output (stolen credentials, session cookies and the like) are driving the associated criminal economy.
Improvements in Search Engine Optimization (SEO) poisoning, observed pushing innocent-looking links and advertisements onto legitimate platforms that lead to infections by info-stealers and cryptocurrency drainers.
Cryptocurrency drainers remain very attractive to cyber-crime operators, since crypto assets are relatively easy to steal and victims have few legal recourse options.
The use of artificial intelligence (AI) to conduct convincing deep-fake fraud has risen dramatically in the Philippines.
Further reading - UNODC, The Record, Sumsub
Cybersecurity Threat Landscape
China backed Salt Typhoon hacked law-enforcement wiretaps at Lumen, AT&T and Verizon
The Wall Street Journal and Washington Post have each reported on a major breach by the China-backed threat actor Salt Typhoon (also known as GhostEmperor or FamousSparrow), which was able to access the law-enforcement wiretap (lawful intercept) systems of three of the largest ISPs in the United States.
“The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers” - Wall Street Journal
Early indications are that the threat actors gained control of certain Cisco routers, which enabled their access to, and possible exfiltration of, the data.
Further reading - WaPo, Ars Technica, The Register, Security Affairs
Pig Butchering apps found on Google Play and Apple App Store
Cybersecurity company Group-IB is reporting on apps in Google Play and the Apple App Store that support Pig Butchering (long-con investment) fraud operations.
The Group-IB report provides evidence of legitimate-looking apps that mask their fraud and info-stealer functions, and lists indicators including cloned app names, fraud-app namespaces and domain names used in the fraudsters' backend operations - awesome for defenders.
Further reading - Bleeping Computer, Hack Read
Thousands of Magento/AdobeCommerce stores hacked in CosmicSting campaigns by multiple threat gangs
Cybersecurity company Sansec is reporting that it has observed over 4,200 compromised Magento and Adobe Commerce stores since the disclosure of CVE-2024-34102 ("CosmicSting"), for which a public exploit is widely available.
“Our research found seven distinct groups running large scale campaigns. Each group uses CosmicSting attacks to steal secret Magento cryptographic keys. This key is then used to generate an API authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process through "CMS blocks"” - Sansec
Further reading - Security Week, Bleeping Computer
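Because the attackers in these campaigns plant their skimmers in CMS blocks, one quick triage step is to scan the content of every block for scripts loaded from hosts you do not own, or for inline scripts that lean on obfuscation primitives. The following is an added example written for this newsletter, not Sansec's tooling or Adobe's own code. It runs over constructed sample rows shaped like Magento's cms_block table (block_id, identifier, content); the hostnames and block contents are illustrative, and TRUSTED_HOSTS is an assumption you replace with your store's own domains.

```python
import re

# Constructed sample rows shaped like Magento's cms_block table.
# Contents and hostnames are illustrative, not real skimmer code or IoCs.
SAMPLE_CMS_BLOCKS = [
    {"block_id": 1, "identifier": "footer_links",
     "content": '<div class="footer"><a href="/about">About us</a></div>'},
    {"block_id": 2, "identifier": "checkout_promo",
     "content": '<p>Free shipping</p><script src="https://cdn.example-skimmer.test/lib.js"></script>'},
    {"block_id": 3, "identifier": "home_banner",
     "content": "<script>eval(atob('ZG9jdW1lbnQud3JpdGUoJ2hpJyk='))</script>"},
    {"block_id": 4, "identifier": "contact",
     "content": '<img src="https://store.example.com/media/logo.png">'},
]

# Assumption: the hostnames that legitimately serve scripts for this store.
TRUSTED_HOSTS = {"store.example.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']?(?P<url>[^\"'\s>]+)", re.I)
INLINE_SCRIPT = re.compile(r"<script[^>]*>(?P<body>.*?)</script>", re.I | re.S)
# Primitives that benign CMS content almost never needs but skimmers rely on.
OBFUSCATION = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)
HOST = re.compile(r"^(?:https?:)?//(?P<host>[^/:?#]+)", re.I)


def find_skimmer_indicators(block):
    """Return a list of human-readable findings for one cms_block row."""
    findings = []
    for m in SCRIPT_SRC.finditer(block["content"]):
        h = HOST.match(m.group("url"))
        # Relative URLs have no host and are treated as same-origin.
        host = h.group("host").lower() if h else None
        if host and host not in TRUSTED_HOSTS:
            findings.append(f"external script from {host}")
    for m in INLINE_SCRIPT.finditer(block["content"]):
        if OBFUSCATION.search(m.group("body")):
            findings.append("inline script with obfuscation primitives")
    return findings


def scan_cms_blocks(rows):
    """Map block_id -> findings for every row that has at least one finding."""
    return {r["block_id"]: f for r in rows if (f := find_skimmer_indicators(r))}


if __name__ == "__main__":
    for block_id, findings in scan_cms_blocks(SAMPLE_CMS_BLOCKS).items():
        print(block_id, findings)
```

Run it against a dump of cms_block (for example from mysqldump or the Magento REST API) rather than the sample rows. A clean scan is not proof of a clean store: a token minted from the stolen crypt key stays valid after patching, so the key itself has to be rotated as well.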
Perfctl malware targeting Linux systems leveraging 20k system misconfigurations
Cybersecurity company Aqua Nautilus is reporting on its observations of malware known as Perfctl, which typically runs a resource-theft operation, mining Monero on the victim's compute.
Perfctl disguises itself as legitimate-looking system files, leverages a collection of ~20k known misconfigurations to gain a foothold, then uses a Polkit vulnerability (CVE-2021-4043) to escalate to root.
The report provides excellent technical detail on the malware together with IoCs for defenders.
Further reading - Bleeping Computer, Hack Read
Cybersecurity Engineering
A weekly highlight of tools and other resources (often open-source) that we use, find useful or just find plain interesting; check out our engineering section online at CyberSecurity.PH too!
cups-browsed scanner - A simple scanner for identifying vulnerable cups-browsed instances on your network
cunctator/traceshark - Best described as Wireshark for Linux system calls; this tool visualizes kernel ftrace and perf events
Telemaco019/kubesafe - Safely manage multiple Kubernetes clusters by defining safe contexts and protected commands
Cybersecurity Vulnerabilities
Critical vulnerabilities in DrayTek routers expose ~750k devices (CVSS 10.0)
Fourteen vulnerabilities in widely deployed DrayTek routers have been discovered and reported by cybersecurity company Forescout.
Of these, two are critical and together lead to full remote compromise of the affected devices:
CVE-2024-41592 (CVSS Score: 10.0): A buffer overflow in the web interface, triggered by sending a long query string to the router's CGI pages, that can be exploited to crash the router or, when chained with CVE-2024-41585, to gain complete control.
CVE-2024-41585 (CVSS Score: 9.1): An operating-system command injection that lets an attacker run arbitrary commands on the router's operating system, leading to full access to the device.
Proof-of-concept code has been published, so the attack vector is easy to understand and the issue is trivial for any would-be threat actor to exploit.
Up to 750k devices are estimated to be at risk, with concentrations in Taiwan, Vietnam, Germany, the Netherlands and the United Kingdom. Apply DrayTek's firmware updates and make sure the web management interface is not reachable from the internet.
Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (CVSS 9.8)
SAP has released very limited detail on its latest security patch release; however, it includes a fix for a CVSS 9.8 issue in SAP BusinessObjects that appears to be a re-release of a previous patch.
The CVE Program item states “In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.”
Qualcomm WLAN Resource Manager (CVSS 9.8)
Qualcomm has released patches for a zero-day vulnerability in its Digital Signal Processor (DSP) services that impacts dozens of Qualcomm chipsets, alongside the critical WLAN Resource Manager issue in the same bulletin.
The zero-day (CVE-2024-43047) was reported by Google Project Zero and Amnesty International's Security Lab, leading to questions about how the vulnerability was uncovered and who the victims are.
CISA added the issue to its Known Exploited Vulnerabilities (KEV) catalog this week.
Further reading - Bleeping Computer, The Register, CISA.gov
10-year-old Linux vulnerability in cups-browsed (CVSS 9.9)
The common Linux printing component cups-browsed has been found to trust printer announcements from any source: a single UDP packet can point it at a threat-actor-controlled URL, from which it fetches printer attributes and installs a malicious printer driver (PPD) that in turn executes arbitrary commands on the system when a print job is sent.
Up to 200k internet-exposed Linux hosts running cups-browsed have been identified as in scope for this issue.
Further reading - Bleeping Computer, Hack Read
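The root of the cups-browsed problem is a missing trust decision: any UDP/631 packet of the form "type state uri ..." is accepted and the daemon goes off to the advertised URI. The following is an added example written for this newsletter, not code from the CUPS or cups-browsed projects. It parses the leading fields the way the daemon does (type and state as hex, then the URI) and then applies the check the daemon never made, accepting an announcement only if both the UDP source and the host in the URI sit on a trusted network and the scheme is ipp or ipps. The sample packets, addresses and TRUSTED_NETS are constructed and illustrative; the scheme restriction is this example's own design choice.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed (source IP, UDP payload) pairs as cups-browsed would receive them
# on UDP/631. Hosts and printer names are illustrative, not real IoCs.
SAMPLE_PACKETS = [
    ("192.168.1.20", b'0 3 ipp://192.168.1.20:631/printers/office "Floor 2" "HP LaserJet" "HP LaserJet 4000"'),
    ("203.0.113.66", b'0 3 http://203.0.113.66:8631/printers/free "" "" "Outside host"'),
    ("192.168.1.20", b'0 3 ipp://203.0.113.66:631/printers/x "" "" "Spoofed"'),  # inside source, outside URI
    ("192.168.1.5", b"garbage"),
]

# Assumption: the network(s) where your real print servers live.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_browse_packet(data):
    """Return (type, state, uri) from the packet's leading three fields, or None
    when malformed. Mirrors the daemon's "%x %x %s" style parsing of those fields."""
    try:
        fields = data.decode("utf-8", "strict").split(None, 3)
        return int(fields[0], 16), int(fields[1], 16), fields[2]
    except (ValueError, IndexError, UnicodeDecodeError):
        return None


def in_trusted_net(host):
    """True only for literal IP addresses inside TRUSTED_NETS; hostnames would
    need a resolver and are treated as untrusted here."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def accept_browse_packet(src_ip, data):
    """The missing trust boundary: (accepted?, reason) for one announcement."""
    parsed = parse_browse_packet(data)
    if parsed is None:
        return False, "malformed packet"
    _, _, uri = parsed
    u = urlsplit(uri)
    if u.scheme not in ("ipp", "ipps"):
        return False, f"unexpected scheme {u.scheme!r}"
    if not in_trusted_net(src_ip):
        return False, f"source {src_ip} not trusted"
    if not u.hostname or not in_trusted_net(u.hostname):
        return False, f"uri host {u.hostname!r} not trusted"
    return True, "accepted"


def triage(packets):
    """Apply the check to a batch of (src_ip, payload) pairs."""
    return [accept_browse_packet(src, data) for src, data in packets]


if __name__ == "__main__":
    for (src, _), (ok, reason) in zip(SAMPLE_PACKETS, triage(SAMPLE_PACKETS)):
        print(src, ok, reason)
```

The third packet is the one worth noticing: a trusted source address is not enough, because the URI inside the packet is what the daemon will actually connect to. In practice the fix is operational rather than code: stop and disable cups-browsed where it is not needed, and block UDP/631 at the host and network edge.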
Microsoft October 2024 Security Updates - vulnerabilities already under active attack (CVSS 7.8)
The United States cybersecurity agency CISA is reporting that two of the vulnerabilities patched in Microsoft's October 2024 Security Updates are already under active exploitation:
CVE-2024-43572 - Microsoft Windows Management Console Remote Code Execution Vulnerability
CVE-2024-43573 - Microsoft Windows MSHTML Platform Spoofing Vulnerability
Details of Microsoft's latest release can be found in its Security Update Guide.
Further reading - The Hacker News, The Register, Bleeping Computer
Cybersecurity Engineering Overload
Principles of operational technology cyber security
Multiple national security agencies have jointly published a guide outlining six principles for creating and maintaining a safe and secure critical-infrastructure operational technology (OT) environment.
Their "Principles of Operational Technology Cyber Security" gives security practitioners ways to deploy and implement cybersecurity controls in critical infrastructure, including water, energy and transportation systems.
The document is well written and a fantastic resource for anyone defending critical infrastructure.
Further reading - Cyber.gov.au, NSA.gov
Got news or something you'd like us to mention? Feel free to get in contact.