CyberSecurity.PH #014

Analyzing the DICT reported “China-linked” cyber attack; Volt Typhoon threat group preparing for destructive cyberattacks; Fortinet SIEM two CVSS level 10 vulnerabilities; Cybersecurity engineering tools

💡
CyberSecurity.PH is growing quickly! We are eager to improve the cybersecurity outcomes for organizations in the Philippines with free weekly cybersecurity reports that matter, up-to-date cyber threat landscape reports and serious security-engineering highlights. Subscribe!

Welcome to another awesome week of Cybersecurity.PH, but did we miss an issue last week? Yes! Our travel schedule got the better of us and the time required was beyond reach. It highlights two things: (1) we are real humans, not some LLM/GPT/AI automation; (2) we could do with more humans and supporting organizations getting involved, so get in contact if you have capacity.


Philippines

Analyzing the DICT reported “China-linked” cyber attack news

Much news and attention this week about a cyber-event reported by DICT Undersecretary Jeffrey Ian Dy, in which several Philippine government organizations were targeted, including the Philippine Coast Guard, the Department of Justice and the DICT itself.

Among the various news reports on the matter is one from PhilStar, whose reporting indicates the incident was a plain old brute-force (more likely a credential-stuffing) event that originated from China-based IP addresses.

The DICT reasonably objects that unwanted network traffic from a few China-based IP addresses is not, by itself, evidence of a state-backed threat actor.

The reporting does not make clear which target was used in the brute-force activity; however, the indication is that Administrator-level Google Workspace accounts were impacted as a result. Google does have decent mechanisms in place to slow down password sprays, so it is possible the brute force was performed against a less-protected target and the credentials were then reused against Google Workspace after the fact.

These simple details (if accurate) should set off alarm bells:

  • It indicates that there are Google Workspace Administrator accounts that do not have appropriate hardware-based MFA/2FA in place.
  • It suggests that the Google Administrator accounts may not have been enrolled in the Google Enhanced Protection scheme.

We highlight hardware-based MFA/2FA because, in the context of a state-backed threat actor, the same nation-state may produce the phone handsets and network infrastructure equipment that would otherwise carry the second factor. In that threat context, mobile-device-based MFA/2FA mechanisms cannot be relied on.
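To make the two alarm bells above concrete, here is an added Python illustration; it is not code from this newsletter, DICT, PhilStar or Google. It runs a password-spray / credential-stuffing check over a few constructed login audit lines, picks out which credential worked, flags admin logins from a source never seen for that admin (the trace left when the spray happened elsewhere and only the reused password reaches Workspace), and checks an assumed admin MFA inventory for accounts not enrolled with a hardware security key. The one-line log layout, the field names, the `example.gov.ph` accounts, the documentation-range IPs and the inventories are all constructed assumptions.

```python
"""Two checks for the failure modes described above, on constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login audit lines (not real DICT or Google data). The
# one-line "key=value" layout is an assumption of this example, not Google's
# actual Workspace audit format; IPs are from documentation ranges.
SAMPLE_LOG = """\
2024-02-03T01:00:01Z src=203.0.113.10 user=admin.a@example.gov.ph result=FAIL
2024-02-03T01:00:09Z src=203.0.113.10 user=admin.b@example.gov.ph result=FAIL
2024-02-03T01:00:17Z src=203.0.113.10 user=admin.c@example.gov.ph result=FAIL
2024-02-03T01:00:25Z src=203.0.113.10 user=admin.d@example.gov.ph result=FAIL
2024-02-03T01:00:33Z src=203.0.113.10 user=admin.e@example.gov.ph result=FAIL
2024-02-03T01:00:41Z src=203.0.113.10 user=admin.b@example.gov.ph result=SUCCESS
2024-02-03T01:05:00Z src=198.51.100.7 user=staff.x@example.gov.ph result=FAIL
2024-02-03T01:05:20Z src=198.51.100.7 user=staff.x@example.gov.ph result=SUCCESS
2024-02-03T01:30:00Z src=192.0.2.44 user=admin.a@example.gov.ph result=SUCCESS
"""

# Assumed inventories a defender would keep: admin accounts with the second
# factor each is enrolled with, and the source IPs each admin normally uses.
ADMIN_FACTORS = {
    "admin.a@example.gov.ph": "security_key",
    "admin.b@example.gov.ph": "sms",
    "admin.c@example.gov.ph": "totp_app",
}
KNOWN_ADMIN_SOURCES = {("admin.a@example.gov.ph", "192.0.2.44")}


def parse_log(text):
    """Turn the constructed log lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": kv["src"],
            "user": kv["user"],
            "ok": kv["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Source IPs whose failures touch >= min_accounts distinct accounts
    inside a sliding window. One source, many accounts is the spray /
    credential-stuffing signature; a user mistyping their own password is
    many failures on one account and is not flagged."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):
            accounts = {f["user"] for f in fails[i:]
                        if f["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = accounts
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Successful logins from a sprayed source: the credential that worked."""
    return [(e["src"], e["user"]) for e in events
            if e["ok"] and e["src"] in flagged]


def admin_success_from_new_source(events, admin_factors, known_sources):
    """Admin logins from a source never seen for that admin. This is the
    signal left behind when the spray ran against a weaker target and only
    the reused credential reaches Workspace, so no failures appear here."""
    return [(e["user"], e["src"]) for e in events
            if e["ok"] and e["user"] in admin_factors
            and (e["user"], e["src"]) not in known_sources]


def admins_without_hardware_key(admin_factors):
    """Admins whose second factor is phone-based or absent rather than a
    hardware security key."""
    return sorted(a for a, f in admin_factors.items() if f != "security_key")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", {s: sorted(a) for s, a in spray.items()})
    print("credential that worked:", successes_from_flagged(evs, spray))
    print("admin login from new source:",
          admin_success_from_new_source(evs, ADMIN_FACTORS, KNOWN_ADMIN_SOURCES))
    print("admins lacking hardware key:", admins_without_hardware_key(ADMIN_FACTORS))
```

On the constructed data the first check flags 203.0.113.10 (five accounts in under a minute), the second shows that admin.b's password was the one that worked, the third would have caught that same admin.b login even if the failures had never reached Workspace, and the last lists admin.b and admin.c as the accounts still relying on a phone-based factor. The thresholds are deliberately parameters: the right window and account count depend on the size of the tenant.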

The cyber threat landscape is asymmetric and the DICT is not in the power position in that asymmetry; it needs all the support, training and experienced cybersecurity practitioners it can get.

Related reporting - PNA, The Record, PhilStar


Cybersecurity Threat Landscape

China-linked threat group Volt Typhoon preparing for destructive cyberattacks

The Five Eyes have issued a joint report describing how the China-backed threat group Volt Typhoon has been building capacity in preparation for destructive attacks against critical infrastructure - CISA

The report indicates cases of threat actors maintaining persistent access for 5+ years have already been observed.

The recommendations are straightforward:

  • Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  • Implement phishing-resistant MFA.
  • Ensure logging is turned on for application, access, and security logs and store logs in a central system.

The CISA report provides plenty of detail on the “appliances known to be frequently exploited by Volt Typhoon”, with supplemental guides that cover the common living-off-the-land techniques in use. Main report here and the supplemental material here.

While the report and its assessments are focused on infrastructure in the Five-Eyes realm, the same risks and threats apply to the Philippines.

Additional reporting - The Record, CNN, The Register

Commercial Spyware vendors unwelcome

There was a lot of push-back against commercial spyware vendors this week, driven by a conference in London focused on tackling the abuse of spyware.

A joint statement by Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the UK and the US calls for international guidelines to be established regarding the responsible use of spyware to prevent these tools from running rampant.

Additionally, the United States announced a visa-ban against individuals involved in commercial spyware.

Additional reporting - Bleeping Computer, Politico

Cloudflare hack caused by stolen Okta credentials used by Nation-state threat actor

Cloudflare has disclosed that its internal Atlassian infrastructure was breached by a nation-state threat actor that was able to access its Confluence, Jira and Bitbucket systems.

Cloudflare has provided a detailed analysis of the event and its impacts that is invaluable for cybersecurity practitioners to learn from; it’s well worth the read, here.

The event highlights Cloudflare’s security maturity in responding to cyber threat events: in this case they rotated more than 5,000 production credentials, carried out forensic evaluations on 4,893 systems, and reimaged and rebooted every machine across their global network.

Additional reading - Bleeping Computer, The Hacker News


Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or just find plain interesting; check out our engineering section online at CyberSecurity.PH too!


Cybersecurity Vulnerabilities

Fortinet SIEM two CVSS level 10 vulnerabilities

Two vulnerabilities in FortiSIEM have surfaced that have been assigned a CVSS score of 10, which suggests they are easy to exploit, can be carried out remotely and lead to remote code execution - Fortinet

Tracked as CVE-2024-23108 and CVE-2024-23109.

Additional reading - The Register, Dark Reading

Exploits released for Jenkins vulnerability CVE-2024-23897

Last week SonarSource announced their discovery of critical security vulnerabilities in the Jenkins CI/CD software, tracked as CVE-2024-23897.

This week multiple proof-of-concept exploits have been released for the critical Jenkins vulnerability, which allows unauthenticated attackers to read arbitrary files, with some researchers reporting that the flaws are being actively exploited in attacks.

Shadowserver has reported that up to 45,000 Jenkins servers are exposed and at risk with this vulnerability.

Additional reading - Jenkins, Bleeping Computer, The Register


Got news or something you’d like us to mention? Feel free to get in contact - [email protected]
