CyberSecurity.PH #038
Claimed NBI data compromise; Chinese national for spying on critical infrastructure; 15,000 FortiGate VPN credentials leaked; CISA playbook for MS365 logs; CISA bad product practices; Another Fortinet authentication bypass vulnerability
Welcome to CyberSecurity.PH issue #038,
You'll notice this week the fancy new look that is the result of our new content management system. We are thrilled with the fast, clean design system we've deployed; it's an awesome improvement. Hope you like it too.
Philippines
NBI clearance data claimed to be compromised
Kukublan Philippines, an unconventional cybersecurity source that tracks dark-web sources for matters impacting Filipinos, highlighted over the weekend a post on the well-known dark-web forum BreachForums (see the FalconFeedsio tweet) that claims to leak 45 million rows of NBI clearance data.

The NBI and the clearances they provide are an important component of the Philippine economy (whether liked or not) so it's especially concerning when the integrity of their system is called into question - it's a bad deal for all and really not okay.
Very few mainstream media outlets are carrying anything on this story, which is unusual compared to previous releases that have surfaced via Kukublan Philippines. Readers may speculate why; dark-web sources are very difficult to rely on, and Kukublan has made mistakes in the past.
In a follow-up DZRH interview with Deep Web Konek, which represents Kukublan Philippines, a narrative is put forward that the event is an attention-grabbing stunt by script-kiddies with no political or foreign-interference motive.
Reporting from The STAR notes the following from NBI Director Jaime Santiago -
“Basically, it has nothing to do with the NBI’s database. The data did not come from us,” Santiago told The STAR.
The awkward challenge for the NBI is that it does not matter whether the (apparently) leaked data came directly from its database or not, because third-party data processors still form part of the data threat landscape it needs to manage. Other industries (e.g. payments) handle this with data-tokenization techniques that isolate the data fields available to data processors from the sensitive internal databases they relate to. This reduces the data threat landscape by reducing the number of data fields that a third-party data processor has a plaintext view of.
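As an added illustration of the tokenization pattern described above (example code written for this newsletter, not anything the NBI or a payments provider runs), the vault below replaces sensitive fields with random tokens before a record leaves the data owner's trust boundary, so a third-party processor can still correlate repeat applicants without ever seeing plaintext. The field names and sample record are constructed assumptions, not a real clearance schema.

```python
import json
import secrets

# Constructed assumption: which fields a processor must never see in plaintext.
SENSITIVE_FIELDS = ("full_name", "birth_date", "clearance_no")


class TokenVault:
    """Token <-> plaintext mapping that lives only inside the data owner's boundary."""

    def __init__(self):
        self._store = {}    # token -> (field, plaintext)
        self._reverse = {}  # (field, plaintext) -> token, so repeats map to the same token

    def tokenize_record(self, record):
        """Return a copy of `record` with sensitive fields replaced by opaque tokens."""
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field not in out:
                continue
            key = (field, out[field])
            token = self._reverse.get(key)
            if token is None:
                # Random, not derived from the value: a token reveals nothing about it.
                token = "tok_" + secrets.token_urlsafe(16)
                self._store[token] = key
                self._reverse[key] = token
            out[field] = token
        return out

    def detokenize(self, token):
        """Internal-only lookup; the processor side has no route to this call."""
        return self._store[token][1]


def leaks_plaintext(processor_view, original):
    """True if any sensitive plaintext value from `original` survives in the processor's copy."""
    blob = json.dumps(processor_view)
    return any(str(original[f]) in blob for f in SENSITIVE_FIELDS if f in original)


# Constructed sample record for illustration only.
SAMPLE_RECORD = {
    "applicant_id": 1001,
    "full_name": "Juan Dela Cruz",
    "birth_date": "1990-01-01",
    "clearance_no": "NBI-0001",
    "purpose": "employment",
}
```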
Further reading - Kukublan Philippines, DZRH, PhilStar, Twitter
Philippines arrests Chinese national for spying on critical infrastructure
Philippine authorities have arrested a Chinese national together with two Filipino citizens, who are suspected of conducting surveillance on Philippine critical infrastructure and military facilities.
The suspects have been observed conducting geo-positional data collection activities in the NCR and Luzon regions between December 2024 and January 2025.

Regarding the Chinese national, Armed Forces of the Philippines (AFP) chief Gen. Romeo Brawner Jr stated that
"He is a technical software engineer affiliated with PLAUST, which is controlled and operated by the People’s Liberation Army, with address in Nanjing, Jiangsu in China,"
Security in all military camps and facilities nationwide is due to be further tightened as a result of the incident.
Further reading - PNA.gov.ph, NBI.gov.ph, The Record
Cybersecurity Threat Landscape
VPN credentials of 15,000 FortiGate appliances posted on dark-web forum
There are two eye-opening Fortinet FortiGate stories this week: this one regarding the posting of VPN configurations for ~15k FortiGate appliances, and the other (further down) regarding a brand new critical FortiGate vulnerability.
The FortiGate VPN configuration data has been leaked by a so-called "Belsen Group" that has only recently appeared on social media and cybercrime forums. In an effort to self-promote, they have created a Tor-based site where the FortiGate VPN configuration data is made freely available and posted the link on a well-known dark-web forum.

The posted data appears to be 2 years old, so one might expect victims to have had more than enough time to discover and remediate their compromised FortiGate appliances - but it's a numbers game: among such a large list there are sure to be endpoints that are still exploitable with valid credentials.
The root cause of the exploitation leading to these VPN configuration exposures appears to be CVE-2022-40684, based on a report by Kevin Beaumont at DoublePulsar.
With regards to exploitability, all the devices except one ran versions susceptible to CVE-2022-40684 at the time of exploitation
Kevin Beaumont notes that both Russian and Iranian configurations have been removed from the posted data dump by "Belsen Group" despite thousands of IP addresses related to those nations being in the affected address list.
Further reading - Double Pulsar, Bleeping Computer, Dark Reading
Mustang Panda's PlugX malware removed from 4,200 computers in the US
Mustang Panda, a now well-known Chinese state-backed threat group, has had its PlugX malware removed from ~4200 computers in the United States in an operation launched by the U.S. FBI and the U.S. Justice Department.
U.S. law enforcement has accused the People's Republic of China of paying Mustang Panda threat actors to deploy PlugX, malware that can infect, control, and steal information from victim computers.
Of particular note for the Philippines is PlugX's ability to spread via USB drives: parts of the Philippine economy still rely on USB drives, particularly local Barangays and the Bureau of Internal Revenue (BIR).
Further reading - The Record, US Justice.gov
Phishing-as-a-service "Sneaky 2FA" targeting MS365 accounts with bypass
Cybersecurity company Sekoia has released a deep-dive article into a phishing-as-a-service (PhaaS) offering known as "Sneaky 2FA".
The service is said to be provided as phishing-kit software that threat actors deploy on victim infrastructure, facilitating the theft of user authentication cookies from MS365 as the authentication provider.
The deep dive is well informed; however, one item really stands out: the impossible-travel style changes in user agent across subsequent calls to the MS365 backend API. Why MS365 is unable to detect such an obvious threat signal is embarrassing.
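The user-agent switch described above is a signal a defender can look for in their own sign-in and API telemetry. The following is an added example written for this newsletter (not Sekoia's or Microsoft's code): it groups requests by session cookie, normalizes version numbers out of the user agent so routine browser updates don't alert, and flags any session whose user agent changes between consecutive calls. The log field names and sample requests are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample requests; "session" stands in for the authentication cookie
# they present. Field names are assumptions, not a real MS365 log schema.
SAMPLE_REQUESTS = [
    {"session": "s1", "ts": 100, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/login"},
    {"session": "s1", "ts": 101, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/mfa"},
    {"session": "s1", "ts": 102, "ua": "python-requests/2.31", "path": "/api/token"},
    {"session": "s2", "ts": 200, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1", "path": "/login"},
    {"session": "s2", "ts": 203, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/606.2", "path": "/api/token"},
]


def normalize_ua(ua):
    """Replace every version number with '#' so 'Chrome/120.0' and 'Chrome/121.0' compare equal."""
    return re.sub(r"\d+(?:\.\d+)*", "#", ua).strip()


def find_ua_switches(requests):
    """Return one finding per point where a session's user agent changes between calls."""
    by_session = defaultdict(list)
    for r in sorted(requests, key=lambda r: (r["session"], r["ts"])):
        by_session[r["session"]].append(r)

    findings = []
    for sid, reqs in by_session.items():
        for prev, cur in zip(reqs, reqs[1:]):
            if normalize_ua(prev["ua"]) != normalize_ua(cur["ua"]):
                findings.append({
                    "session": sid,
                    "at": cur["ts"],
                    "path": cur["path"],
                    "from": prev["ua"],
                    "to": cur["ua"],
                })
    return findings


if __name__ == "__main__":
    for f in find_ua_switches(SAMPLE_REQUESTS):
        print(f"session {f['session']} at {f['at']} ({f['path']}): {f['from']!r} -> {f['to']!r}")
```

Only session s1 is flagged: its third call presents a completely different client, while s2's Safari version bump is normalized away.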

Further reading - Sekoia.io, Hack Read, The Hacker News
Cybersecurity Tools and Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful, or are just plain interesting; check out our Cybersecurity Tools and Engineering section online too!
CISA playbook for the implementation of MS365 logs
- CISA guidance for enterprises on using expanded MS365 cloud logs as part of their forensic and compliance investigations
- cisa.gov: microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
CISA bad product practices
- CISA guidance for product developers on cybersecurity practices to avoid when building product
- cisa.gov: joint-guidance-product-security-bad-practices-508c_0.pdf
Five-eyes product buyer security requirements
- An awesome multi-agency initiative among the Five Eyes to help educate operational-technology buyers about what they should be asking for in terms of security
- cisa.gov: SecureByDemandGuide_080624_508c.pdf
- cyber.gov.au: Secure by Demand
Cybersecurity Vulnerabilities
New Fortinet authentication bypass zero-day vulnerability (CVSS 9.8)
An authentication bypass using an alternate path, affecting FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12, allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module - CVE-2024-55591
Fortinet states that threat actors are exploiting the vulnerability and creating randomly generated admin or local users on compromised devices and are adding those to existing SSL VPN user groups.
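A first triage step is checking an appliance inventory against the affected version ranges listed above. The following is an added example for this newsletter, not Fortinet's tooling; the ranges are taken from the summary above and should be re-checked against the vendor advisory, the inventory is constructed, and plain dotted versions (no build suffix) are assumed.

```python
# Affected ranges as summarized above (FortiOS 7.0.0-7.0.16; FortiProxy 7.0.0-7.0.19 and 7.2.0-7.2.12).
AFFECTED = {
    "FortiOS":    [("7.0.0", "7.0.16")],
    "FortiProxy": [("7.0.0", "7.0.19"), ("7.2.0", "7.2.12")],
}


def parse_version(v):
    """Turn '7.0.16' into (7, 0, 16). Tuples compare numerically, so 7.0.16 sorts
    after 7.0.2; comparing the raw strings would get that backwards."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if `version` of `product` falls inside any listed affected range.
    Unknown products raise so nothing is silently treated as safe."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"no advisory data for product {product!r}")
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns hostnames to patch."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed inventory for illustration only.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.12"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("proxy-01", "FortiProxy", "7.2.12"),
    ("proxy-02", "FortiProxy", "7.4.1"),
]

if __name__ == "__main__":
    print("needs patching:", triage(INVENTORY))
```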
Further reading - The Register, The Record, Bleeping Computer, Cybersecurity News
Microsoft Outlook zero-click vulnerability (CVSS 9.8)
Last week's Microsoft Patch Tuesday release includes a fix for a zero-click vulnerability impacting Microsoft Outlook users, CVE-2025-21298.
The issue relates to Windows' handling of OLE in specially crafted RTF documents when they are handled by Microsoft Outlook; because Outlook parses the email to generate a preview, the exploit is able to execute before the user even opens the message.
Further reading - Forbes, Cybersecurity News
OpenVPN client critical vulnerability (CVSS 9.1)
Security vulnerabilities in the OpenVPN client, CVE-2024-5594, that were identified and patched in June 2024 have now been disclosed publicly (January 2025) and are critical in severity.
Exploitation allows threat actors to inject arbitrary data into third-party executables and plug-ins, enabling code execution and denial of service.
Further reading - OpenVPN mailing list
Other vulnerabilities and patches to pay attention to
- CVE-2025-0282 (CVSS 9.0) - actively exploited Ivanti vulnerability impacting Connect Secure and Policy Secure products - ivanti.com
- CVE-2024-0012 (CVSS 9.3) - Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges - while this one is from early 2024 it is getting attention at the moment - paloaltonetworks.com
- Microsoft Patch Tuesday Updates (multiple, CVSS 9.8) - Security updates to address 159 vulnerabilities in multiple products. Threat actors can leverage associated vulnerabilities to exploit unpatched systems - microsoft.com
- Oracle January 2025 patch updates - 318 new security patches across the product families - oracle.com
Got news or something you'd like us to mention? Feel free to get in contact - [email protected]