CyberSecurity.PH #007
Cyber crime scam compounds in South East Asia; Security Baselines for Google; JetBrains exploited by Russian foreign intelligence; Log4j vulnerabilities exploited by Lazarus
https://www.cybersecurity.ph/
Philippines
National Security Advisors of Philippines, Japan and United States in three way call
Reported that the National Security Advisors of the Philippines, Japan and the United States, respectively Eduardo Manahan Año, Akiba Takeo and Jake Sullivan, held a three-way call today (December 13, 2023 in Washington) to discuss security in the context of the People’s Republic of China’s (PRC) conduct in the Indo-Pacific region.
Of particular note for cybersecurity is the agreement on three-way cooperation in improving and enhancing capabilities, particularly cybersecurity, as reported in a statement today - whitehouse.gov
Cybersecurity Threat Landscape
Cyber crime “scam compounds” and human trafficking across South East Asia
Cyber criminals that lure workers into servitude to carry out online scams have become a serious problem in the South East Asia region, with reports suggesting these scam call centres are generating billions of USD per year.
Interpol has announced Operation Storm Makers II in cooperation with 27 law-enforcement agencies across the South East Asia region, including the Philippines.
Additional reporting - Dark Reading, The Record and The Register
Log4j vulnerabilities are still a thing, North Korean threat actors taking advantage
Software pipeline scanning/testing vendor Veracode made a splash this week by announcing that 38% of applications are still using a vulnerable version of Log4j, which can easily lead to system compromise deep within internal systems.
On that backdrop, it has also been reported that the North Korean state-sponsored cyber threat group Lazarus has been observed exploiting Log4Shell (CVE-2021-44228) to deploy various remote access trojans that invariably lead to poor security outcomes - The Record
Short story: Log4j vulnerabilities are really bad, state-based threat actors are still taking advantage of them, and you really need to pay attention. A good place to start is CISA log4j-vulnerability-guidance
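The practical first step behind that 38% figure is knowing which of your own artefacts still bundle an affected log4j-core. The script below is an added example written for this newsletter (it is not Veracode's, CISA's or Apache's code) that inspects a JAR/WAR/EAR, reads the log4j-core version from the Maven pom.properties the library ships with, flags versions affected by CVE-2021-44228 and notes whether JndiLookup.class is present, recursing into nested archives such as Spring Boot fat JARs. The sample archives it builds are constructed fixtures, not real log4j artefacts.

```python
import io
import re
import zipfile

# Class whose presence enables the JNDI lookup abused by CVE-2021-44228;
# removing it from the JAR was one of the documented mitigations.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core; it records the exact version.
POM_PROPERTIES_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' -> (2, 0, 0)."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def vulnerable_to_log4shell(version):
    """True if this log4j-core version is affected by CVE-2021-44228.
    Affected: 2.0-beta9 through 2.14.1, except the back-ported fixes
    2.3.1 (Java 6) and 2.12.2 (Java 7). 2.15.0 and later are not affected."""
    v = parse_version(version)
    if v < (2, 0, 0) or v >= (2, 15, 0):
        return False
    return v not in {(2, 3, 1), (2, 12, 2)}


def scan_archive(data, path="<archive>"):
    """Inspect an archive given as bytes and return a list of findings (dicts with
    path, version, cve_2021_44228, jndi_lookup_present). Nested archives are
    scanned recursively; non-zip input yields no findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    version = None
    for name in names:
        if POM_PROPERTIES_RE.search(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({
            "path": path,
            "version": version,
            "cve_2021_44228": bool(version) and vulnerable_to_log4shell(version),
            "jndi_lookup_present": has_jndi,
        })
    for name in names:
        if name.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: a minimal log4j-core-like JAR (not a real artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\n"
            f"artifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


def build_sample_fat_jar():
    """Constructed fixture: an application JAR bundling an old log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/app/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar",
                    build_sample_jar("2.14.1", True))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("old.jar", build_sample_jar("2.14.1", True)),
               ("patched.jar", build_sample_jar("2.17.1", True)),
               ("app.jar", build_sample_fat_jar())]
    for label, blob in samples:
        for f in scan_archive(blob, label):
            state = "VULNERABLE" if f["cve_2021_44228"] else "ok"
            print(f"{f['path']}: log4j-core {f['version']} {state}, "
                  f"JndiLookup present={f['jndi_lookup_present']}")
```

To run it over a real tree, feed `scan_archive(open(p, "rb").read(), p)` for each artefact under your build output or application server's lib directory. Note that this CVE-specific check is a floor, not a ceiling: the follow-on Log4j CVEs were fixed in later releases, so the CISA guidance's current recommended version is what you should actually be upgrading to.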
SVR (Russian foreign intelligence) exploiting JetBrains vulnerability is supply chain risk
Multiple cybersecurity agencies are reporting active exploitation of JetBrains TeamCity installations - cisa.gov
TeamCity is a platform that enables software development teams to manage and automate building, testing, and releasing their products. The very real concern is that a compromise of these platforms likely leads to legitimate software deployments being injected with threat-actor components that get distributed far and wide.
Additional reporting - The Record and Bleeping Computer
LogoFAIL presented at BlackHat EU
Fabio Pagani, a Research Scientist at cybersecurity company Binarly, delivered a presentation at Black Hat EU recently describing techniques for appending malicious payload data to the operating-system logo image contained within a UEFI firmware update. The effect is malware that is able to persist even after a full system reinstall, and many motherboard BIOSes are affected.
That’s a head spin, so breaking it down:
- Motherboard BIOSes are able to have their firmware updated to include a logo image of the operating system via a UEFI update (it looks cool!)
- Because the logo image file is not part of the signed firmware content, it is possible to modify the file with additional malicious payload data that deploys malware.
- The resulting malware is not part of the regular system storage and exists in the motherboard BIOS, and thus will remain in place even after a full system rebuild.
Additional reporting - Ars Technica, Bleeping Computer, Binarly
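The second bullet is the whole point: any region of a firmware image that the vendor signature does not cover is attacker-controlled input to whatever parses it at boot. The following is an added illustration written for this newsletter (not code from Binarly or any firmware vendor) that models a firmware image as named regions and compares a verifier whose signature covers only the code region with one whose signature covers every region. HMAC-SHA256 with a constructed key stands in for the vendor's asymmetric signature; the region contents and the appended "payload" are just placeholder bytes.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signing key. Real firmware uses an
# asymmetric key held by the vendor, with the public key anchored in the board.
VENDOR_KEY = b"example-vendor-signing-key-not-real"


def encode_regions(firmware, region_names):
    """Length-prefix each selected region so the signed bytes are unambiguous."""
    out = b""
    for name in region_names:
        data = firmware[name]
        out += len(name).to_bytes(4, "big") + name.encode()
        out += len(data).to_bytes(4, "big") + data
    return out


def sign_regions(firmware, region_names, key=VENDOR_KEY):
    """Stand-in for the vendor signature over the named regions only."""
    return hmac.new(key, encode_regions(firmware, region_names), hashlib.sha256).digest()


def verify_regions(firmware, signature, region_names, key=VENDOR_KEY):
    """Accept the image if the signature matches the named regions."""
    expected = sign_regions(firmware, region_names, key)
    return hmac.compare_digest(expected, signature)


def verify_whole_image(firmware, signature, key=VENDOR_KEY):
    """Hardened check: every region present in the image must be covered."""
    return verify_regions(firmware, signature, sorted(firmware), key)


def tamper_logo(firmware, extra_bytes):
    """Simulate a logo image that has had data appended to it (placeholder bytes)."""
    modified = dict(firmware)
    modified["logo"] = firmware["logo"] + extra_bytes
    return modified


def build_sample_firmware():
    """Constructed image with a code region and a BMP-like logo region."""
    return {"code": b"\x90" * 64, "logo": b"BM" + b"\x00" * 30}


if __name__ == "__main__":
    fw = build_sample_firmware()
    code_only_sig = sign_regions(fw, ["code"])            # the gap in the breakdown
    full_sig = sign_regions(fw, sorted(fw))                # signature covers the logo too
    evil = tamper_logo(fw, b"\xff" * 8)
    print("code-only signature still accepts tampered logo:",
          verify_regions(evil, code_only_sig, ["code"]))   # True
    print("whole-image signature accepts tampered logo:",
          verify_whole_image(evil, full_sig))              # False
```

The defender's take-away is in `verify_whole_image`: the verifier derives the covered set from what is actually in the image rather than from a fixed list, so a region that a vendor later adds (or that an attacker smuggles in) cannot silently fall outside the signature. On real hardware the equivalent control is a firmware update from the board vendor that moves the logo under the signed content, which is why the Binarly reporting above points at BIOS updates rather than OS-level fixes.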
Patch and update everything
If your role involves the update of systems you're going to be busy; in the past week there have been 5x CISA update alerts.
- Adobe Releases Security Updates for Multiple Products - cisa.gov
- Apache Software Foundation Updates Struts 2 - cisa.gov
- Microsoft Releases Security Updates - cisa.gov and krebsonsecurity
- Apple Releases Security Updates for Multiple Products - cisa.gov
- Atlassian Releases Security Advisories for Multiple Products - cisa.gov
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting
- ScubaGoggles - Security Configuration Baselines and assessment tool for Google Workspace (it’s in alpha but worth watching) https://github.com/cisagov/ScubaGoggles
- Telegram Explorer - Telegram Explorer tool created to help Researchers, Investigators and Law Enforcement Agents to Collect and Process the Huge Amount of Data Generated from Criminal, Fraud, Security and Other Telegram Groups https://github.com/guibacellar/TEx
- Microsoft-Extractor-Suite - acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes https://github.com/invictus-ir/Microsoft-Extractor-Suite
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]