CyberSecurity.PH #016
AFP bans TikTok; Stolen facial recognition data; 28k vulnerable MS Exchange servers; LockBit ransomware gang disrupted; ScreenConnect CVSS10 vulnerability
Philippines
Armed Forces of the Philippines bans TikTok on cyber security concerns
The Armed Forces of the Philippines (AFP) has assessed TikTok as a cyber security risk and has banned AFP personnel from using the app.
AFP spokesperson Col. Francel Margareth Padilla said that the TikTok app includes listening capabilities that make it a perfect tool for cyber espionage.
This action follows similar actions from many other countries that have already banned TikTok from being used by military and government staff.
The threat is quite real, and readers are urged to consider how it applies to their own organizations.
Additional reading - The Defense Post
Asian bank accounts compromised using stolen facial recognition data
Threat actors targeting victims in Thailand and Vietnam have been observed deploying malware called “GoldPickaxe” that is designed to capture recordings of victims, which are later abused to falsely verify those victims in various frauds.
Threat actors adapting to this mode of operation is disappointing but not surprising, given that many organizations are seeking mechanisms to increase the number of matching attributes used to strongly identify users, precisely in order to combat fraud.
Self-verification technologies have become an enabler for these organizations, but implementers really need to understand that they are receiving untrusted user data, even when that data arrives in the form of images, video or sound clips.
This style of threat action has not (yet) been reported in the Philippines; however, some of the main Philippine banks are actively advertising their ability to onboard new bank-account customers using an app with video interaction.
Additional reading - The Record, Bleeping Computer
Cybersecurity Threat Landscape
LockBit ransomware gang disrupted by international law enforcement operation
Plenty of news on the LockBit ransomware takedown this week because plenty of agencies and organizations have been involved in this coordinated action. It’s a fantastic win for the law-enforcement agencies involved and the communities they protect.
Key points:
- LockBit has been by far the most prolific ransomware gang in recent years.
- Law enforcement access to LockBit servers was achieved via a straightforward PHP vulnerability.
- Decryption keys have been obtained and law-enforcement agencies are able to provide them to victims.
- Two Russian nationals have received indictment charges in the United States.
Additional reading - Krebs on Security, The Record
US and partners kicked Russian GRU hackers out of routers
United States FBI Director Christopher Wray stated at the Munich Cyber Security Conference last week that a takedown involving "well over a thousand" home and small business routers infected with the Moobot malware occurred in January.
The impacted routers were Ubiquiti EdgeOS devices with default usernames and passwords - readers should take the hint here: change the default credentials!
The FBI-led activity is interesting in that (a) the Moobot malware's own functionality was used against it to delete the malware from the devices and (b) firewall rules were added to the customer devices to prevent threat actors re-establishing access.
Additional reading - The Record, Ars Technica, Bleeping Computer
Microsoft is the supply chain threat: Over 28,500 Exchange servers vulnerable to actively exploited bug
We threw out the line “Microsoft is the supply chain threat” last week in relation to CVE-2024-21410, a Microsoft Exchange Server privilege escalation vulnerability, because it has the potential for very large disruption among organizations that are not quick enough to respond.
Since last week, Shadowserver has been reporting ~97k in-scope instances, of which ~28k have been confirmed as vulnerable, and CISA has added CVE-2024-21410 to its Known Exploited Vulnerabilities catalog.
Additional reading - CISA.gov, Bleeping Computer
Cybersecurity Vulnerabilities
ConnectWise tells ScreenConnect admins to update immediately due to CVSS 10 vulnerability
ConnectWise is advising its ScreenConnect customers to update immediately due to a CVSS 10 vulnerability that is embarrassingly easy to exploit.
A review of the public Shadowserver dashboard shows there are a limited number of ScreenConnect endpoints in the Philippines.
Additional reading - The Register, Bleeping Computer, Dark Reading
Critical session hijacking vulnerability in VMware vSphere plugin
A discontinued but still popular VMware plugin (Enhanced Authentication Plugin; “EAP”), which enables in-browser login to the vSphere management interface using the system's Windows authentication, has vulnerabilities with a CVSS score of 9.6.
CVE-2024-22245 in particular enables threat actors to trick a domain user who has EAP installed in their web browser into relaying Kerberos service tickets for arbitrary Active Directory Service Principal Names.
When you consider the access levels that IT staff with vSphere access typically hold, having Kerberos service tickets obtained from them like this is going to be a bad day.
Additional reading - Bleeping Computer, Dark Reading
Got Firefox? Make sure you have the latest v123
Mozilla announced v123 yesterday, which addresses at least one vulnerability that is worth paying attention to: CVE-2024-1546, an out-of-bounds memory read in networking channels.
Update your Firefox if it has not already updated itself.
Additional reading - CISA.gov, Mozilla.org
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]