CyberSecurity.PH #043

Fake news threat response by PCO; Malaysia $10USD million ransom demand; Oracle cloud compute data breach; Check Point cybersecurity breach; Nginx, Next.js, Firefox vulnerabilities; more cybersecurity tools

Welcome to CyberSecurity.PH issue #043,

💡
Tell your work colleagues with cyber security responsibilities about CyberSecurity.PH - they'll receive (free) informative cyber threat awareness updates, and they'll gain an awesome set of references for Cybersecurity policy templates, Cybersecurity tools and engineering, Cybersecurity learning content, Cybersecurity strategy papers, and links to local Education providers.

Philippines and South East Asia

Philippine Presidential Communications Office responding to fake news and misinformation

Presidential Communications Office (PCO) Secretary Jaybee C. Ruiz has entered into an agreement with the Cybercrime Investigation and Coordinating Center (CICC) to fight against fake news and misinformation.

PCO Secretary Jaybee C. Ruiz signs agreement with CICC - source pco.gov.ph

The Philippines is at particular risk from fake news and misinformation campaigns, with external nation-state threat actors now well established in their ability to push narrative-bending stories and alternative facts that cause confusion and discord among citizens.

Such risks are exacerbated by Filipinos' broad use of social media platforms in day-to-day life, including government offices that rely on social media platforms to deliver their communications - the challenge is very real for the many organizations that need to get legitimate messages out when verifiable alternative channels are not readily available.

The Presidential Communications Office is making a concerted effort to address these risks through this new agreement with the Cybercrime Investigation and Coordinating Center.

Additionally, Scam Watch Pilipinas has been engaged to assist, fact checking company VERA Files has been engaged to assist, and the PCO has launched a media and information literacy campaign to help educate youth to assess and validate information sources.

Further reading: pco.gov.ph, pia.gov.ph, pna.gov.ph

Chinese threat actor hidden inside another Asian telecommunication network for four years

Cybersecurity company Sygnia has produced a report describing how the known China-based threat group "Weaver Ant" maintained access to a "major" Asian telecommunications network for over four years.

The report from Sygnia does not identify the telecommunications network or the country involved.

The threat group has been observed tunneling web shell traffic via Operational Relay Box (ORB) networks as its primary mechanism for maintaining persistence, which in turn enables lateral movement within victim networks.

Web shell deployment chain - source: Sygnia

The report is very well put together, with clear descriptions of the tools, techniques and procedures used, recommendations for defending against Weaver Ant, and plenty of indicators of compromise to help defenders detect and block this threat group.

Further reading: Sygnia, The Hacker News, The Record

Operations at Kuala Lumpur International Airport (KLIA) were disrupted the weekend before last by a cyber-ransom incident in which US$10 million was demanded for recovery.

Malaysia’s Prime Minister Anwar Ibrahim confirmed the situation last Tuesday in a speech:

When I was informed about this … I did not wait five seconds. I said no ... There is no way this country will be safe if its leaders and system allow us to bow to ultimatums by criminals and traitors, be it from inside or outside the country

The event at KLIA underscores the vulnerability of heavily regulated industries that are unable to adapt quickly to cyber threats that can change within a few hours. An international airport is just one example of the challenges faced; many large public infrastructure organizations across the APAC region are in similar positions.

Further reading - South China Morning Post, Dark Reading, The Record

Cybersecurity Threat Landscape

Oracle cloud compute data breach confirmed

Oracle is feeling the heat over a data breach involving its cloud infrastructure product. Security firm CloudSek has called Oracle out, stating that sensitive customer data, including credentials and keys, has been compromised.

Oracle initially denied the breach, but mounting evidence, including confirmations from affected customers, suggests otherwise.

Threat actor selling allegedly stolen Oracle Cloud data - source: BleepingComputer

Reports indicate the stolen data is valid, raising concerns about the security of Oracle's cloud services. The breach appears to have exposed customer environments to threat actor access. The incident has triggered urgent calls for affected users to take immediate action, including rotating all credentials and reviewing security configurations and event logs.

The matter has now become a dispute between Oracle and security researchers, with Oracle facing criticism for its initial denials and its handling of the breach.

Further reading - CloudSek, HackRead, Bleeping Computer, The Register, Dark Reading

Threat actor claims breach of Check Point Cybersecurity selling access for 5 bitcoin

A threat actor going by the moniker "CoreInjection" has posted on a well-known data breach forum, claiming to be selling sensitive data from cybersecurity company Check Point Cybersecurity.

The threat actor's account is new (January 2025) and the "CoreInjection" name is otherwise unknown, which has led to the veracity of the claim being questioned.

Check Point has acknowledged the incident and describes it as a limited, contained incident rather than the large-scale breach suggested.

“This was handled months ago and didn’t include the description detailed on the dark forum message,” Check Point said in a statement. “These organisations were updated and handled at that time, and this is not more than the regular recycling of old information.”

The threat actor (CoreInjection) appears to be focused on Israel-based companies, and appears to be selling data access for five large Israeli organizations, all posted recently.

Further reading - Hack Read, Dark Reading, The Register, Dark Web Informer

New Twitter (X) staff insider data-leak combined with previous data-leak to create apparent ~2.8B profiles

A claimed data leak involving ~2.8 billion Twitter/X user profiles has been reported. The leaked data includes profile metadata such as account creation dates, user IDs, screen names, profile descriptions, location and time zone settings, and follower counts. However, unlike a previous leak in 2023, this one does not contain email addresses.

It has been claimed that the leak is the work of a disgruntled X employee who stole the data during mass layoffs. The claim is not verified.

The details of this matter remain unclear, with few news outlets running the story.

Further reading - Hack Read, SC World, Mashable

Cybersecurity Tools and Engineering

  • threatpatrols/env-alias - Powerful helper utility to create shell alias commands to easily set collections of environment variables often with secret values from a variety of data-sources and data-formats - github.com/threatpatrols/env-alias
  • cybrota/whispr - A multi-vault secret injection tool for safely injecting secrets into app environment - github.com/cybrota/whispr

Cybersecurity Vulnerabilities

Nginx ingress controller vulnerability allows RCE without authentication (CVSS 9.8)

A security issue was discovered in Kubernetes where, under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller.

This can lead to disclosure of secrets accessible to the controller - note that in the default installation, the controller can access all Secrets cluster-wide.

Further reading - wiz.io, nist.gov, The Register, The Hacker News

Next.js vulnerability allows threat actors to bypass middleware authorization checks (CVSS 9.1)

Next.js is a React framework for building full-stack web applications.

Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

This vulnerability is fixed in 14.2.25 and 15.2.3.

Further reading - The Hacker News, Cyberscoop, Akamai

Firefox vulnerability allows threat actors to escape sandbox on Windows systems (CVSS 10.0)

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in Firefox IPC code. A compromised child process can cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild.

This only affects Firefox on Windows. Other operating systems are unaffected.

The vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.

Further reading - Mozilla, Bleeping Computer, The Hacker News

Cybersecurity Engineering Overload

Salvador Stealer: Android malware phishing for banking details and OTPs

A new Android malware, dubbed "Salvador Stealer", designed to steal sensitive user information, specifically banking details and OTPs, has been spotted in the wild. The malware employs a two-stage infection process, using a dropper APK to install a banking stealer payload. It embeds a phishing website within a fake banking app to trick users into providing credentials, which are sent to a C2 server via Telegram.

Check out the excellent write-up at Any.run on Salvador Stealer.

Subscribe to CyberSecurity.PH

Subscribe to receive our latest updates as they get released.