CyberSecurity.PH #023
Correlated Chinese state-sponsored cyber threats; Possible S&R and Robinsons data breaches; TikTok zero-click account takeover; Snowflake customer data breaches; Thousands of Check Point VPNs vulnerable; Linux kernel vulnerability actively exploited; Awesome pentest cheat sheets
Hi and welcome to CyberSecurity.PH! We have awesome free online content too! Learning materials, Education providers, lots of Security Engineering tools, Policy Templates, local Conferences, local cybersecurity Strategy, and information on local cyber crime Reporting.
CyberSecurity.PH continues to work hard to help improve cybersecurity outcomes in the Philippines by providing free cybersecurity reports that matter; up-to-date cyber threat landscape reports; and serious security-engineering highlights.
Tell your friends and subscribe to get better at cybersecurity.
Philippines
New clusters of Chinese state-sponsored cyber threat activity targeting Southeast Asian governments
A new report released overnight by cybersecurity firm Sophos describes their in-field observations of Chinese state-sponsored threat activity working to collect documents whose file names indicate intelligence value, including military documents relating to strategy in the South China Sea.
The three threat-activity clusters identified in the report overlap and correlate with reports from other cybersecurity firms in recent months, including BackdoorDiplomacy, REF5961, Worok, TA428, Unfading Sea Haze and Earth Longzhi.
The report is detailed and links to repositories of IoCs (indicators of compromise) that security teams can use to examine their own infrastructure and logs to help determine whether these threat actors have been active in their environments.
Further reading: Sophos, The Record, Bleeping Computer, The Hacker News
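The IoC-matching workflow described above (take a published indicator list, check it against your own logs) is simple in principle but has a few traps: indicators are usually defanged, reports list apex domains while logs show hosts, and naive substring matching turns 198.51.100.23 into a hit on 198.51.100.230. The following is an added example written for this newsletter, not code from Sophos or from the report; the IoC list, the log lines and the addresses in it are all constructed (RFC 5737 test ranges) purely for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed IoC list in the loose text form threat reports commonly share:
# one indicator per line, '#' comments, defanged domains and URLs. These are
# hypothetical values, NOT indicators from the Sophos report.
IOC_TEXT = """
# hypothetical C2 infrastructure
198.51.100.23
203.0.113.0/24
update[.]example-cdn[.]net
hxxps://mail[.]example-portal[.]org/login
# hypothetical payload hash (sha256)
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

# Constructed proxy/DNS/EDR/firewall style log lines to scan.
LOG_LINES = [
    "2024-06-03T08:12:44Z proxy user=jdoe dst=update.example-cdn.net:443 bytes=51234",
    "2024-06-03T08:13:01Z dns query=www.example.com type=A",
    "2024-06-03T08:13:07Z proxy user=asmith dst=203.0.113.77:8443 bytes=880",
    "2024-06-03T08:15:22Z edr host=WS-17 sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 path=C:\\Users\\Public\\svc.exe",
    "2024-06-03T08:16:00Z fw src=10.0.0.5 dst=198.51.100.230 action=allow",  # NOT 198.51.100.23
]

HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


@dataclass
class IocSet:
    ips: set = field(default_factory=set)         # ip_address objects
    networks: list = field(default_factory=list)  # ip_network objects
    domains: set = field(default_factory=set)     # lower-case hostnames
    hashes: set = field(default_factory=set)      # lower-case hex digests


def refang(s):
    """Undo the usual defanging conventions so indicators compare cleanly."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Classify each indicator line as hash, IP, CIDR or domain (URLs reduce to their host)."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ind = refang(line)
        if HASH_RE.fullmatch(ind):
            iocs.hashes.add(ind.lower())
            continue
        if "://" in ind:  # URL: keep only the host, drop path and a trailing :port
            ind = ind.split("://", 1)[1].split("/", 1)[0]
            if ind.count(":") == 1:
                ind = ind.split(":", 1)[0]
        try:
            if "/" in ind:
                iocs.networks.append(ipaddress.ip_network(ind, strict=False))
            else:
                iocs.ips.add(ipaddress.ip_address(ind))
            continue
        except ValueError:
            pass  # not an address: treat it as a hostname
        iocs.domains.add(ind.lower())
    return iocs


def scan_line(line, iocs):
    """Return [(kind, value), ...] for every indicator found in one log line."""
    hits = []
    for m in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(m)  # exact address match, never substring
        except ValueError:
            continue  # e.g. 999.1.1.1 passes the loose regex but is not an address
        if ip in iocs.ips:
            hits.append(("ip", m))
        elif any(ip in net for net in iocs.networks):
            hits.append(("cidr", m))
    for host in DOMAIN_RE.findall(line):
        h = host.lower()
        # exact match or subdomain of a listed domain (reports often list apex domains)
        if any(h == d or h.endswith("." + d) for d in iocs.domains):
            hits.append(("domain", h))
    for digest in HASH_RE.findall(line):
        if digest.lower() in iocs.hashes:
            hits.append(("hash", digest.lower()))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_index, hits), ...] for lines with at least one indicator hit."""
    out = []
    for n, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for n, hits in scan_logs(LOG_LINES, iocs):
        print(f"line {n}: {hits}")
```

Note the last sample line: the firewall entry for 198.51.100.230 produces no hit because addresses are compared as parsed values rather than as text, which is exactly the false positive a grep-based sweep would raise. Domain matching deliberately goes the other way and treats subdomains of a listed apex domain as hits.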
Multiple new large Philippine data breach events reported outside mainstream media
Non-mainstream cybersecurity source Kukublan Philippines has again reported new large data breach events that are not (yet?) getting much mainstream media attention.
Kukublan Philippines is a Philippine-focused cybersecurity blog, written and researched by currently unknown authors who also operate the Twitter account Deep Web Konek. While their reports are anonymous, they frequently come with screenshot evidence and specific details that appear credible.
In the past week Kukublan has reported on Philippine data breaches involving -
- Toyota Makati - 311,594 rows of customer data
- Robinsons Malls - approximately 107,000 customers
- S&R - about 11,000 members
- 20+ Philippine government organizations - 93GB of data
We continue to monitor Kukublan Philippines; reporting from out-of-the-way threat information sources like this is of interest.
Further reading: Kukublanph: June 4, Kukublanph: May 30
Cybersecurity Threat Landscape
TikTok zero-click account takeover via direct-messages
An exploit whose details are not yet public, enabling threat actors to take over TikTok accounts, has compromised the accounts of celebrities and brands, including the official CNN account, Paris Hilton and an official Sony account.
The exploit is delivered via direct messages within the TikTok platform and requires no download, click or response from the victim beyond opening the message. The hijacked accounts have not been observed posting content, and it is unknown how many accounts have been affected.
TikTok spokesperson Alex Haurek states: "Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We're working directly with affected account owners to restore access, if needed."
Further reading: Forbes, The Hacker News, The Record, Hack Read
Operation Endgame: 100+ malware delivery servers taken offline
A team of international law enforcement agencies has seized over 100 servers used by several well-known malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader and SystemBC.
The seizures occurred between May 27 and 29, involved searches across Europe, and led to the arrest of four individuals, one in Armenia and three in Ukraine. A further eight suspects wanted by German authorities have been added to Europol's "Most Wanted" list.
This action matters because these loader platforms are the common first stage that threat actors use to deliver follow-on payloads that steal credentials, documents and other valuable information, among other things.
Law enforcement has posted a website dedicated to the operation - https://www.operation-endgame.com/
Further reading: Krebs on Security, Bleeping Computer, The Record
Snowflake customers involved in large data breaches
Threat actor ShinyHunters has been advertising for sale stolen data from Ticketmaster and Santander Bank that they claim was taken via cloud data platform provider Snowflake.
- TicketMaster: 560 million customers for $500k USD - HackRead
- Santander - 30 million customers for $2M USD - Bleeping Computer
Cybersecurity firm Hudson Rock has since taken down its report on the incident, which had claimed the attack vector was stolen Okta credentials belonging to a Snowflake employee.
Snowflake's guidance to customers attributes the activity to weak customer-side user authentication (i.e. accounts without MFA) and supplies indicators of compromise and queries that customers can run to determine whether they are affected - here.
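The two checks implied by that guidance are "which users are getting in with a password and nothing else" and "has anyone logged in from the published attacker addresses". As an added illustration (not Snowflake's published queries, which are behind the link above), here is the shape of both, written for this newsletter. The column names are those of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the login rows and the IoC addresses are constructed, and the view is stood in for by an in-memory sqlite table so the queries run offline.

```python
import sqlite3

# Column names below are a subset of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
# view. The table is a local sqlite stand-in so the queries run offline; in Snowflake,
# run the same statements against the view itself.
LOGIN_HISTORY_DDL = """
CREATE TABLE LOGIN_HISTORY (
    EVENT_TIMESTAMP              TEXT,
    USER_NAME                    TEXT,
    CLIENT_IP                    TEXT,
    REPORTED_CLIENT_TYPE         TEXT,
    FIRST_AUTHENTICATION_FACTOR  TEXT,   -- PASSWORD, RSA_KEYPAIR, SAML2_ASSERTION, ...
    SECOND_AUTHENTICATION_FACTOR TEXT,   -- NULL when no MFA step was performed
    IS_SUCCESS                   TEXT    -- 'YES' / 'NO'
)
"""

# Constructed login events, not real Snowflake data.
SAMPLE_LOGINS = [
    ("2024-05-28 02:14:09", "SVC_ETL", "203.0.113.45", "JDBC_DRIVER",   "PASSWORD",        None,       "YES"),
    ("2024-05-28 02:15:30", "SVC_ETL", "203.0.113.45", "JDBC_DRIVER",   "PASSWORD",        None,       "YES"),
    ("2024-05-28 09:02:11", "ALICE",   "198.51.100.7", "SNOWFLAKE_UI",  "PASSWORD",        "DUO_PUSH", "YES"),
    ("2024-05-29 23:41:52", "BOB",     "203.0.113.45", "PYTHON_DRIVER", "PASSWORD",        None,       "NO"),
    ("2024-05-29 23:42:10", "BOB",     "203.0.113.45", "PYTHON_DRIVER", "PASSWORD",        None,       "YES"),
    ("2024-05-30 08:00:00", "CAROL",   "192.0.2.10",   "SNOWFLAKE_UI",  "SAML2_ASSERTION", None,       "YES"),
]

# Hypothetical attacker source IPs, standing in for the indicators Snowflake published.
IOC_IPS = ["203.0.113.45", "198.51.100.200"]

# Users who authenticated with a password and nothing else. SSO (SAML2_ASSERTION)
# logins also carry a NULL second factor but are excluded on purpose: MFA for those
# is enforced by the identity provider, not by Snowflake.
# In Snowflake replace the '?' with e.g. DATEADD(day, -30, CURRENT_TIMESTAMP()).
PASSWORD_ONLY_SQL = """
SELECT USER_NAME,
       COUNT(*)                  AS PASSWORD_ONLY_LOGINS,
       COUNT(DISTINCT CLIENT_IP) AS DISTINCT_IPS,
       MIN(EVENT_TIMESTAMP)      AS FIRST_SEEN,
       MAX(EVENT_TIMESTAMP)      AS LAST_SEEN
FROM LOGIN_HISTORY
WHERE IS_SUCCESS = 'YES'
  AND FIRST_AUTHENTICATION_FACTOR = 'PASSWORD'
  AND SECOND_AUTHENTICATION_FACTOR IS NULL
  AND EVENT_TIMESTAMP >= ?
GROUP BY USER_NAME
ORDER BY PASSWORD_ONLY_LOGINS DESC, USER_NAME
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(LOGIN_HISTORY_DDL)
    conn.executemany("INSERT INTO LOGIN_HISTORY VALUES (?,?,?,?,?,?,?)", SAMPLE_LOGINS)
    return conn


def password_only_users(conn, since):
    """Rows of (user, successful password-only logins, distinct IPs, first seen, last seen)."""
    return conn.execute(PASSWORD_ONLY_SQL, (since,)).fetchall()


def logins_from_iocs(conn, ioc_ips):
    """Every login attempt, successful or not, from a listed IP, oldest first.
    Failed attempts matter too: they show credential testing before a success."""
    placeholders = ",".join("?" * len(ioc_ips))
    sql = f"""
    SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, IS_SUCCESS
    FROM LOGIN_HISTORY
    WHERE CLIENT_IP IN ({placeholders})
    ORDER BY EVENT_TIMESTAMP
    """
    return conn.execute(sql, list(ioc_ips)).fetchall()


if __name__ == "__main__":
    conn = build_sample_db()
    print("password-only users:")
    for row in password_only_users(conn, "2024-05-01 00:00:00"):
        print("  ", row)
    print("logins from IoC addresses:")
    for row in logins_from_iocs(conn, IOC_IPS):
        print("  ", row)
```

On the sample data the first query surfaces the service account and BOB but neither ALICE (Duo push) nor CAROL (SSO), and the second shows BOB's failed attempt from the IoC address a few seconds before the successful one, which is the sequence to look for when a password-only account is being tested with leaked credentials.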
The tension on responsibility for cybersecurity between customer and platform is coming into focus with this incident.
The CyberSecurity.PH view is that different threat typologies have different layers of observability depending on whether you look from the customer's or the platform's frame of reference; defending is not about us or them, you'll need to work together.
Further reading: Bleeping Computer, Dark Reading
Threat actor plans to leak 3 billion background-check records
US-based background-check firm National Public Data, which provides an API for conducting background checks, appears to have lost its dataset to threat actors.
In early April it was reported via Twitter user H4ckManac that a threat actor going by the name “USDoD” was attempting to sell the dataset for $3.5M USD. Fast forward to this week and the threat actor is now stating the dataset will be publicly released.
The dataset is claimed to contain full names, addresses and address history, social security numbers, and details of parents, siblings and other relatives going back 20 years or more.
Twitter user vxunderground has reported they have been able to review and verify part of the dataset.
Further reading: The Register
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful, or just find plain interesting; check out our engineering section online at CyberSecurity.PH too!
- Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening - https://github.com/CISOfy/lynis
- Web-check - Lissy93 is awesome! Her web-check tool, with full source available, provides comprehensive, on-demand open source intelligence for any website - https://github.com/Lissy93/web-check
- Awesome-pentest-cheat-sheets - An excellent collection of cheat sheets and check lists for cyber security pentesting - https://github.com/ByteSnipers/awesome-pentest-cheat-sheets
Cybersecurity Vulnerabilities
Thousands of Check Point VPNs vulnerable to zero-day exploit
Threat actors are exploiting a high-severity Check Point Remote Access VPN vulnerability and moving laterally through the victims' networks.
Check Point has determined that threat actors are exploiting an information disclosure flaw (CVE-2024-24919) in gateways with Remote Access VPN enabled, targeting older-style "local" user accounts that rely on password-only authentication.
Check Point has released hotfixes for the affected CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateway and Quantum Spark appliances.
Further reading: Dark Reading, The Record, Bleeping Computer
Exploit for critical Fortinet vulnerability provides root
Cybersecurity firm Horizon3 has released a proof-of-concept exploit for a FortiSIEM vulnerability that provides remote command execution as root without requiring authentication.
The vulnerability, tracked as CVE-2024-23108, was patched by Fortinet in February, so only customers who have not yet updated their kit are at risk - you've patched, right?
Further reading: Bleeping Computer, Dark Reading
CISA warns Linux kernel vulnerability actively exploited
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component (CVE-2024-1086), which allows a threat actor with local access to escalate privileges to root, has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
An excellent deep-dive technical write-up has been provided by the researcher who discovered the issue - https://pwning.tech/nftables/
Further reading: Bleeping Computer, ArsTechnica
Got news or something you'd like us to mention? Feel free to get in contact - [email protected]