CyberSecurity.PH #025
Four new serious Philippines data-breach events; 4,000 arrested in global Interpol-led crackdown; Data Security Officer of Manila Bulletin admits hacking; regreSSHion, a difficult-to-exploit OpenSSH vulnerability; Polyfill supply chain attack impacts 400K+ sites; Cisco zero-day vulnerability...
CyberSecurity.PH is working hard to help improve cybersecurity outcomes in the Philippines by providing free cybersecurity reports that matter; up-to-date cyber threat landscape reports; and serious security-engineering highlights.
Hi, we have plenty of online resources too! High quality cybersecurity learning materials, local education providers, loads of cybersecurity tools, plenty of policy templates to get you started, information on local conferences, relevant cybersecurity strategy papers and information on local cyber crime reporting.
Tell your friends and subscribe, we promise you will learn something new each week.
Philippines
Four serious Philippines data-breach events claimed in past week
Alternative cybersecurity source Kukublan Philippines (also known as Deep Web Konek) has published details of four serious data-breach events in the past seven days.
- July 3 - Philippines’ Department of Foreign Affairs Faces Data Breach
- July 2 - Philippines’ DICT – DRRMD Suffered From a Data Breach
- June 30 - A Massive Data Breach at Moonton/ByteDance
- June 27 - Alleged Data Breach on GCash KYC System Exposes Thousands of Users’ Information
Kukublan Philippines’ articles are generally well researched and often evidenced with screenshots that substantiate their reporting; many of their leads and screenshots appear to originate from the well-known BreachForums site.
Kukublan Philippines is having a positive impact in raising local awareness of cybersecurity events and how they affect people and their organizations, with other local mainstream news outlets now referencing them and their posts.
Further reading: Kukublan Philippines
4,000 arrested in global Interpol-led crackdown includes Philippines
Interpol has announced results from this year’s “Operation First Light”, which has run each year since 2014 to address international cyber-crime operations.
This year the Interpol action focused on phishing, investment fraud, fake online shopping, romance scams and impersonation scams, leading to the arrest of 3,950 suspects worldwide and the identification of 14,643 other suspects. Assets worth USD 250M have been seized for recovery, including fiat currency, cryptocurrency, real estate, vehicles and luxury goods.
The news release from Interpol is understandably thin on detail; however, the primary image in the release shows a common scam-center scene with individuals being arrested, and the image title states it is in the Philippines.

The scam-center workstation visible in this image shows a sports-betting website interface with betting-related features and a Chinese-language headline reading “Sports Betting High!! Super High Odds” (translated).
Further reading: Interpol, Gizmodo, The Record
Data Security Officer of the Manila Bulletin admits to hacking 90+ sites
The Data Security Officer of the Manila Bulletin newspaper, operating under the name “Kangkong” has admitted to hacking 93 sites.
Kangkong issued a public apology to President Marcos, the general public and the military community for his actions. Kangkong’s targets have included the Armed Forces of the Philippines and the National Security Council.
Kangkong’s apology appears to implicate another individual at the Manila Bulletin as having involvement.
Further reading: Philstar, ABS-CBN, The CyberExpress
Philippines PCO news release states Chinese APT actor responsible for cyberattacks on PCG and DICT
The Philippines Presidential Communications Office (PCO) has issued a news release detailing recent cyber-attacks against the Philippine Coast Guard (PCG) and the Department of Information and Communications Technology (DICT), attributed to a known China-based Advanced Persistent Threat (APT) actor.
DICT Undersecretary Jeffrey Ian C. Dy states -
“The tactics, techniques and procedures, which mean the behavior of the attacker, is very, very similar to APT41 which is a Chinese group” and then “Let me clarify. I never said it’s the Chinese government. I’m just saying it’s a Chinese APT. Magkaiba iyon,” [“Those are different.”]
The statements by undersecretary Dy are said to have been made in an “ambush” interview at Malacañang.
Further reading: pco.gov.ph
Cybersecurity Threat Landscape
Researchers uncover rare, difficult-to-exploit OpenSSH vulnerability: regreSSHion
OpenSSH has been found to have a vulnerability (CVE-2024-6387) that is difficult to exploit reliably but, when it succeeds, gives an unauthenticated attacker root on glibc-based Linux systems.
Understandably, this news has been a big deal because OpenSSH is frequently relied upon as the “just-in-case” administrative path into many organizations when the primary access mechanism goes down; as a result, many SSH endpoints are exposed to the public internet.
The mechanics of the exploit are extraordinary and the Qualys write-up is a brain-bending read. Briefly: if a client has not completed authentication within LoginGraceTime (120 seconds by default), sshd’s SIGALRM handler runs asynchronously and calls syslog(), which is not async-signal-safe. If the alarm interrupts the main code at exactly the right moment, for example in the middle of a heap operation while it is processing a crafted, oversized username (which can be up to 128K long!), the handler’s own allocations corrupt the heap in a way that can be turned into code execution... if you’re lucky.
The issue is serious because of the wide public exposure of SSH; however, a successful exploit is not straightforward. Qualys needed on the order of 10,000 connection attempts over several hours against a 32-bit test system, which generates a lot of network traffic and a long trail of timed-out, unauthenticated connections that would ordinarily be noticed well before success becomes statistically likely.
The issue has been dubbed “regreSSHion” because it is a regression of CVE-2006-5051, which was fixed in OpenSSH 4.4 in 2006; the fix was accidentally undone in OpenSSH 8.5p1 (October 2020), so 8.5p1 through 9.7p1 are affected and 9.8p1 contains the fix. Qualys notes that setting LoginGraceTime 0 in sshd_config removes the vulnerable alarm path as an interim mitigation, at the cost of making the MaxStartups connection slots easier to exhaust.
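Three checks a practitioner would want for the above, as an added example that is not code from the newsletter, OpenSSH or Qualys: classify an SSH banner against the affected upstream version ranges, count “Timeout before authentication” entries per source address in sshd logs (the log line sshd emits when LoginGraceTime expires, which is what the attack loop produces at scale), and confirm whether sshd_config carries the LoginGraceTime 0 mitigation. The banners and log lines are constructed samples; the threshold of five timeouts is an arbitrary starting point.

```python
"""Triage helpers for CVE-2024-6387 (regreSSHion). Added example, not from the
newsletter or from OpenSSH/Qualys; all sample inputs below are constructed."""
import re
from collections import Counter

# Affected upstream releases per the Qualys advisory: 8.5 <= version < 9.8, plus
# anything older than 4.4 (the original CVE-2006-5051). Distributions that backport
# the fix without changing the version string (e.g. Debian/Ubuntu security updates)
# still present an "affected" banner, so treat a banner match as a lead, not proof.
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH identification string, or None if it is
    not an OpenSSH banner."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_banner(banner):
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh-or-unparsed"
    if v < (4, 4):
        return "affected (pre-4.4, CVE-2006-5051)"
    if (8, 5) <= v < (9, 8):
        return "affected (8.5p1-9.7p1, CVE-2024-6387) unless distro-patched"
    return "not affected (upstream version)"


# sshd logs this exact message when the LoginGraceTime alarm fires.
TIMEOUT_RE = re.compile(
    r"sshd\[\d+\]: fatal: Timeout before authentication for (\S+) port \d+")


def timeout_sources(log_lines, threshold=5):
    """Return {source_ip: count} for addresses with at least `threshold`
    authentication timeouts. A host that repeatedly opens connections and lets
    them time out is the traffic pattern the exploit attempts produce."""
    counts = Counter()
    for line in log_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def login_grace_disabled(sshd_config_text):
    """True if an active (uncommented) 'LoginGraceTime 0' is present."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parts[1] == "0"
    return False


# Constructed samples (RFC 5737 documentation addresses).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-dropbear_2022.83",
]
SAMPLE_LOG = (
    ["Jul  2 10:01:%02d host sshd[%d]: fatal: Timeout before authentication "
     "for 203.0.113.7 port %d" % (i, 4000 + i, 51000 + i) for i in range(6)]
    + ["Jul  2 10:02:00 host sshd[4100]: fatal: Timeout before authentication "
       "for 198.51.100.9 port 40211",
       "Jul  2 10:02:05 host sshd[4101]: Accepted publickey for ops "
       "from 198.51.100.9 port 40212 ssh2"]
)

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45s} -> {classify_banner(b)}")
    print("timeout sources:", timeout_sources(SAMPLE_LOG))
    print("mitigated:", login_grace_disabled("LoginGraceTime 0\n"))
```

The banner check is deliberately conservative about distro backports; pair it with the package version (for example `dpkg -l openssh-server`) before calling a host vulnerable or clean.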
Further reading: Qualys, Cyberscoop, Bleeping Computer, The Register, The Record
Polyfill supply chain attack impacts 400K+ sites; silently injects malware
polyfill[.]io, a widely used CDN that serves the polyfill.js shim library to web applications, has been discovered injecting malware into the JavaScript it delivers.
The current owners/operators of polyfill[.]io, who remain anonymous, have posted on Twitter that the claims are false; however, the evidence to the contrary is quite damning.
There has been much media coverage of this issue; the key points are:
- Andrew Betts, the original author of the Polyfill service, never owned the polyfill[.]io internet domain name - tweet
- The domain name polyfill[.]io was sold to a Chinese company named Funnull in February this year, and the contact number for Funnull is a Philippines-based +63 number on WhatsApp.
- The GitHub account used to manage code associated with Polyfill was silently taken over after the polyfill[.]io acquisition.
- A website called “Polykill” was created in late February warning that polyfill[.]io is extremely risky - https://polykill.io/
- A removed comment thread on the polyfill-service GitHub project details the actual malware payload and how it operates - see the Wayback archive copy.
- Further research has discovered that the Cloudflare account managing the polyfill[.]io domain has also been operating additional suspect domains - see the indicators-of-compromise from Sansec.
Make sure you are aware of the additional domain names affected by this issue; it is more than just polyfill[.]io!
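A quick way to find pages that still pull scripts from the affected domains, as an added example (not code from the newsletter or the polyfill project): scan saved HTML for `<script src>` tags whose host matches a flagged domain, including scheme-relative `//cdn.polyfill.io/...` references. The list below seeds polyfill[.]io plus four further domains as reported in the Sansec IoC post referenced above; take the authoritative list from that post. The sample page is constructed.

```python
"""Find <script src> references to the polyfill[.]io takeover domains in HTML.
Added example, not from the newsletter or the polyfill project."""
import re
from urllib.parse import urljoin, urlsplit

FLAGGED_DOMAINS = (
    "polyfill.io",
    # Additional domains reported in the Sansec indicators-of-compromise post;
    # verify against that post before relying on this list.
    "bootcss.com", "bootcdn.net", "staticfile.net", "staticfile.org",
)

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def host_matches(host, domain):
    """True for the domain itself and any subdomain of it (cdn.polyfill.io)."""
    return host == domain or host.endswith("." + domain)


def find_flagged_scripts(html, page_url="https://example.invalid/",
                         flagged=FLAGGED_DOMAINS):
    """Return one dict per external script whose host is on the flagged list.
    page_url resolves relative and scheme-relative src values."""
    findings = []
    for tag in SCRIPT_TAG_RE.findall(html):
        m = SRC_RE.search(tag)
        if not m:
            continue  # inline script, nothing fetched from a CDN
        src = m.group(1)
        host = (urlsplit(urljoin(page_url, src)).hostname or "").lower()
        for domain in flagged:
            if host_matches(host, domain):
                findings.append({
                    "src": src,
                    "domain": domain,
                    # SRI would not have saved a polyfill.io user (see note
                    # below), but its presence is still worth recording.
                    "integrity": "integrity=" in tag.lower(),
                })
                break
    return findings


# Constructed sample page.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js" integrity="sha384-abc"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>window.inline = true;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in find_flagged_scripts(SAMPLE_HTML):
        print(f)
```

Subresource Integrity is not a fix here: polyfill.io tailored the returned script to the requesting User-Agent, so no single integrity hash could ever have matched, which is also why any site that allow-listed the domain in its Content-Security-Policy was fully exposed. The only real remediation is to delete the tag, self-host the polyfills, or point at one of the drop-in mirrors that Cloudflare and Fastly published.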
Further reading: Bleeping Computer, The Record, The Register, Dark Reading
TeamViewer: Threat actors access internal enterprise systems, employee encrypted passwords stolen
TeamViewer has announced that a Kremlin-backed group tracked as APT29 (Midnight Blizzard) was able to copy employee directory information, such as names, corporate contact information and encrypted passwords, from the company’s internal corporate IT environment.
TeamViewer have stressed that their investigations into the incident have shown no indication that their production environment or customer data was accessed in the attack and that they keep their corporate network and product environment isolated from each other.
Further reading: Bleeping Computer, The Register, The Record
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or that are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
- IR-Cheatsheets - an awesome collection of incident-response cheat sheets from BlackPerl - github.com/BlackPerl-DFIR/IR-Cheatsheets
- sectemplates - a GitHub repo to watch as it develops, providing cybersecurity templates describing workflows for various cybersecurity activities - github.com/securitytemplates/sectemplates
- assetnote/wordlists - well-maintained wordlists useful in the assessment of web resources and APIs that can help discover endpoints that are otherwise not known - github.com/assetnote/wordlists
Cybersecurity Vulnerabilities
Cisco zero-day vulnerability actively exploited by Chinese threat actors
Cisco has released a patch for a vulnerability in the CLI of Cisco NX-OS that could allow an authenticated administrator to execute arbitrary commands as root on the underlying operating system of an affected device.
The CVE carries a modest score (CVE-2024-20399, CVSS 6.0) because administrator-level credentials are required in the first place; the real concern is that it lets an attacker escape the restricted NX-OS CLI and run untrusted code on the switch’s underlying operating system, below the level most monitoring sees.
The claim is that the Chinese APT group known as “Velvet Ant” has been using this issue to plant long-term persistence inside compromised networks, consistent with the group’s previously observed behaviour.
Further reading: Dark Reading, The Record
New MOVEit vulnerability updated with CVSS score 9.1
Progress Software, maker of MOVEit Transfer, has announced a new vulnerability (CVE-2024-5806, CVSS 9.1), an authentication bypass in the product’s SFTP module, in the same product whose 2023 vulnerability was the underlying cause of one of the largest data-theft campaigns on record.
Progress Software has released a patch for MOVEit and states it has been working with customers to resolve the issue; a third party is now reporting yet another separate issue, the details of which are not yet clear.
Cybersecurity company watchTowr has released a PoC exploit for CVE-2024-5806, and threat activity probing for MOVEit endpoints is now reported to have increased.
Further reading: The Record, Bleeping Computer, Dark Reading
Emergency patches required for Juniper due to CVSS 10 authentication bypass
Juniper has released a patch for CVE-2024-2973, rated a full 10/10 on CVSS: an authentication bypass in Session Smart Router and Conductor that gives a network-based attacker full control of a device running with a redundant peer.
"An authentication bypass using an alternate path or channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device," - Juniper said in its advisory.
Shocker!
Further reading: The Hacker News, The Register, Bleeping Computer
Apache Security Advisory - 2024-07-03-001
Apache has released httpd 2.4.60, fixing eight vulnerabilities; update promptly.
Among this batch is CVE-2024-38475 (CVSS 9.1), an output-escaping flaw in mod_rewrite affecting 2.4.59 and earlier: an attacker can cause URLs to map to filesystem locations the server is permitted to serve but that were never meant to be reachable by any URL, leading to source-code disclosure or code execution. Rules in server context whose substitution begins with a backreference or a variable are the affected shape; 2.4.60 now refuses such rules unless the new UnsafePrefixStat flag is set.
Get your Apache httpd servers updated.
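While patching, it is worth knowing which rewrite rules fall into the shape the advisory describes. The following is an added example (not code from the newsletter or the Apache project) that flags RewriteRule directives in server context whose substitution begins with a backreference (`$N`, `%N`) or a variable (`%{...}`). It assumes that rules inside Directory, Location or Files containers (and .htaccess) are per-directory context and therefore not the advisory’s shape, and it does not follow Include directives; the configuration fragment is constructed.

```python
"""Flag server-context RewriteRule substitutions that start with a backreference
or variable, the shape named in the CVE-2024-38475 advisory. Added example, not
from the newsletter or the Apache project. SAMPLE_CONF is constructed."""
import re

REWRITE_RE = re.compile(
    r'^\s*RewriteRule\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Containers that switch mod_rewrite into per-directory context. <VirtualHost>
# is deliberately absent: it is still server context.
CONTAINER_OPEN = re.compile(
    r"^\s*<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b",
    re.IGNORECASE)
CONTAINER_CLOSE = re.compile(
    r"^\s*</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)>",
    re.IGNORECASE)
# $1..$9 (RewriteRule backreference), %1..%9 (RewriteCond backreference),
# %{VAR} (server variable) as the very first segment of the substitution.
UNSAFE_FIRST_SEGMENT = re.compile(r"^(\$\d|%\d|%\{)")


def audit_rewrite_rules(conf_text):
    """Return [(line_number, directive_text)] for affected-shape rules found
    outside per-directory containers."""
    findings = []
    depth = 0
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if CONTAINER_OPEN.match(line):
            depth += 1
            continue
        if CONTAINER_CLOSE.match(line):
            depth = max(0, depth - 1)
            continue
        m = REWRITE_RE.match(line)
        if not m:
            continue
        substitution = m.group(2) if m.group(2) is not None else m.group(3)
        if depth == 0 and UNSAFE_FIRST_SEGMENT.match(substitution):
            findings.append((lineno, line.strip()))
    return findings


# Constructed httpd.conf fragment.
SAMPLE_CONF = """\
RewriteEngine On
# server context, substitution begins with a backreference: flagged
RewriteRule "^/html/(.*)$" "$1.html" [L]
# server context, substitution begins with a literal path: not flagged
RewriteRule "^/old/(.*)$" "/new/$1" [R=301,L]
<Directory "/var/www/html">
    # per-directory context: not the shape the advisory names
    RewriteRule "^(.*)$" "$1.php" [L]
</Directory>
RewriteCond %{HTTP_HOST} ^(.+)[.]example[.]com$
RewriteRule ^/(.*)$ %{DOCUMENT_ROOT}/%1/$1 [L]
"""

if __name__ == "__main__":
    for lineno, text in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {lineno}: {text}")
```

Run it over each file that `httpd -t -D DUMP_INCLUDES` lists. A hit is not automatically exploitable, but every such rule deserves either a literal first segment (as in the `/new/$1` rule above) or a deliberate review before opting back in with UnsafePrefixStat on 2.4.60.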
Further reading: Apache.org, Securityonline
Got news or something you’d like us to mention, feel free to get in contact - [email protected]