CyberSecurity.PH #009
Extraordinary iPhone hack exploited hidden hardware feature; Another Chrome zero-day; Peach Sandstorm password spray; More Android malware on Google Play
Philippines
ASEAN Battle of Hackers (ABOH) 2023
Students from the Philippines took part in the recent ASEAN Battle of Hackers (ABOH) 2023 event held at the Asia Pacific University of Technology and Innovation in Malaysia. Student teams from Indonesia, Singapore and Malaysia took the prizes for the event - apu.edu.my
Cyber security education for Filipino students is vital to defending the future economic interests of the Philippines. Investing in and educating Filipino students in cybersecurity to achieve capability levels that enable their ability to compete and win regional cybersecurity competitions is a part of defending those economic interests.
Cybersecurity Threat Landscape
Extraordinary iPhone hack exploited hidden hardware feature for zero-click remote backdoor
Cybersecurity firm Kaspersky announced their discovery of an obscure iPhone hardware feature that was able to subvert hardware-based security protections for sensitive regions of the kernel memory.
The Kaspersky report describes how this vulnerability (CVE-2023-38606) was chained together with several other vulnerabilities to build an exploit that could be delivered by sending an iMessage to a target iPhone, without the target user knowing about or interacting with the malicious message. This technique was used to remotely deploy backdoor software on target devices.
Additional reporting - ArsTechnica, The Record
Coordinated inauthentic behavior expected in election influence operations and hacking campaigns in 2024
Multiple countries are due to hold elections in 2024 that will determine the nation-state leadership for billions of people.
Some good reporting on the hazards - The Record, Dark Reading
Peach Sandstorm APT targeting defense industry with FalseFont backdoor
The headline makes it sound like a wild fruit-fight in the offices of defense contractors. It’s nothing of the sort.
Microsoft’s threat intel team are reporting that APT33, otherwise known as “Peach Sandstorm”, has been conducting an at-scale password-spray operation since February 2023, targeting defense industry employees.
A password-spray operation is a tuned brute-force: the threat actor develops lists of targets, generates likely usernames for those targets at the services they use (Google, Azure, MS365, etc.), and then sprays a small set of well-known passwords across those generated usernames. Trying few passwords per account keeps each account below lockout thresholds, which is why it is detected by looking across accounts rather than at one.
Additional reporting - Microsoft, The Register, Bleeping Computer
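As an added example (not from the newsletter or Microsoft’s report), a small detector that flags the spray pattern in constructed authentication logs: one source IP failing against many distinct usernames with few attempts per user, plus any success that follows a failure from the same source. The log format, thresholds and IP addresses are assumptions.

```python
"""Flag password-spray patterns in (constructed) authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, result, username, source IP.
# 203.0.113.5 sprays five accounts once each; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2023-12-27T08:00:01Z FAIL user=alice.reyes src=203.0.113.5
2023-12-27T08:00:04Z FAIL user=bob.santos src=203.0.113.5
2023-12-27T08:00:07Z FAIL user=carla.cruz src=203.0.113.5
2023-12-27T08:00:10Z FAIL user=dan.lim src=203.0.113.5
2023-12-27T08:00:13Z FAIL user=erin.tan src=203.0.113.5
2023-12-27T08:00:16Z OK   user=erin.tan src=203.0.113.5
2023-12-27T08:01:00Z FAIL user=alice.reyes src=198.51.100.7
2023-12-27T08:01:05Z FAIL user=alice.reyes src=198.51.100.7
2023-12-27T08:01:09Z FAIL user=alice.reyes src=198.51.100.7
2023-12-27T08:01:12Z OK   user=alice.reyes src=198.51.100.7
"""

def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_avg_per_user=2.0):
    """Return {src: finding} for sources whose failures span many accounts
    with few attempts each (spray), unlike one account retried many times."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_line(line)
            events[src].append((ts, result, user))
    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "FAIL"]
        best = None
        for i, (start, _) in enumerate(fails):  # slide a time window over failures
            in_win = [u for ts, u in fails[i:] if ts - start <= window]
            distinct = set(in_win)
            if len(distinct) >= min_users and len(in_win) / len(distinct) <= max_avg_per_user:
                if best is None or len(distinct) > best["distinct_users"]:
                    best = {"distinct_users": len(distinct), "failures": len(in_win),
                            "window_start": start.isoformat()}
        if best:  # a success after a failure from a spraying source needs follow-up
            failed, hits = set(), []
            for _, r, u in evs:
                if r == "FAIL":
                    failed.add(u)
                elif u in failed and u not in hits:
                    hits.append(u)
            best["success_after_failure"] = hits
            findings[src] = best
    return findings
```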
Android malware with +300k installed on Google Play
It is reported that the McAfee Mobile Research Team have identified malware they have named “Xamalicious” with over 300k installs on Google Play, including:
- Essential Horoscope for Android - 100k+ installs
- 3D Skin Editor for PE Minecraft - 100k+ installs
- Logo Maker Pro - 100k+ installs
- … plus 10x other smaller apps with ~26k installs
The lesson here is to not install unnecessary apps or install apps from dubious sources on devices that you need to trust.
Additional reporting - Bleeping Computer, The Hacker News
Digital skimming reveals 440+ compromised online merchants
European agencies have collaborated via Europol to uncover 440+ online merchants with digital-skimming software installed without the merchants’ knowledge.
These types of website malware are known by several names: web skimmers, e-skimmers, formjacking or Magecart. They are often installed after a web-server compromise, or inadvertently introduced by developers using untrusted libraries and imports in their code. Europol have some good online documentation to help managers and stakeholders understand the threat - europol.europa.eu
Additional reporting - Europol, Bleeping Computer
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting
- Eric Zimmerman’s Tools - an awesome collection of mostly Windows tools for digital forensic tasks that are also super useful in CTF events - https://ericzimmerman.github.io/
- ScubaGear (updated) - CISA have released an updated version of their awesome ScubaGear tool with updated secure configuration baselines for Microsoft 365 - https://github.com/cisagov/ScubaGear
- ASEAN Battle of Hackers 2023 - a nice little github repo of materials from ABOH-2023 that includes a handful of the CTF questions - https://github.com/ChaiChengXun2/ABOH-2023
- GitHub enforcing 2FA - if you use GitHub, mandatory 2FA is coming. As a developer you should already understand the importance of 2FA and have set this up months ago, right? - docs.github.com
Cybersecurity Vulnerabilities
Second Apache OfBiz vulnerability this month
Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, has a second vulnerability, tracked as CVE-2023-51467, that allows threat actors to bypass authentication. This follows CVE-2023-49070 (CVSS score: 9.8) from earlier this month - The Hacker News
Barracuda fixes new ESG zero-day exploited by Chinese hackers
Barracuda says it remotely patched all active Email Security Gateway (ESG) appliances on December 21 against a zero-day bug exploited by UNC4841 Chinese hackers - Bleeping Computer
Google discovers another Chrome zero-day exploited in the wild
Google Chrome has released an emergency security fix for a zero-day flaw that has been exploited in the wild. This vulnerability, tracked as CVE-2023-7024, affects the desktop versions of the browser on Mac, Linux and Windows - The Record
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]