CyberSecurity.PH #008
Instagram Phishing; DevSecOps-Playbook; Shadow Play foreign influence; Microsoft OAuth abuse; Interpol arrest in Manila
Philippines
Interpol operation HAECHI IV seizes $300 million, 3500 arrested, high profile target arrested in Manila
Interpol reports that an international law-enforcement operation against online financial crime with almost 3,500 arrests and seizures of USD 300 million in assets across 34 countries has been completed - interpol.int
Operation HAECHI IV took action against 82,112 bank accounts internationally, targeting “pig-butchering” scams that involve voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.
As part of the operation, Philippine law enforcement arrested a high-profile online gambling criminal in Manila after a two-year manhunt by Korea's National Police Agency.
Plenty of additional reporting - The Register, Bleeping Computer, The Record
GambleForce threat actor targeted 2x Philippine organizations; government victim claimed
Threat research group Group-IB have described a new threat group they have named GambleForce due to its focus on online gambling platforms - group-ib.com
The report suggests the threat actor used well-known SQL-injection discovery tooling (SQLMap) with limited configuration or tuning effort. The pictorial image supplied in the Group-IB report indicates 2x Philippine targets, with the attack on 1x government target being successful. The report does not name the organizations targeted.
Additional reporting - The Record, Dark Reading
Cybersecurity Threat Landscape
Shadow Play: Foreign influence operation gained 120 million YouTube views and 730,000 subscribers
The Australian Strategic Policy Institute (ASPI) has released a comprehensive report describing a coordinated inauthentic influence campaign on YouTube promoting pro-China and anti-US narratives, in an effort to shift English-speaking audiences' views on international politics, the global economy and strategic technology competition - aspi.org.au
The campaign has been named “Shadow Play” and involves a network of 30+ YouTube channels, and 4500 videos.
The video content takes the form of a “video essay” that has become a popular style of medium-length YouTube video in which a narrator makes points through a voice over while on-screen content is shown to support those statements. It is reported by ASPI that the content in this campaign is generated with the assistance of AI technologies.
Additional reporting - The Record, The Register
Microsoft OAuth abused for crypto mining and phish-spam
Threat actors (Storm-1283, Storm-1286) have been observed creating applications enrolled into victim organizations, with privileges passed to the threat-actor application via OAuth. Using the privileges obtained, the threat actors have been conducting phish-spam and crypto-mining operations.
In the cases reported, the problems start with an Azure/MS365 account that has excessive (Owner) privileges without strong authentication, which is then used to enroll the threat-actor application; this makes the activity less easy to detect or find within those platforms. The recommended detection technique from Microsoft is weak at best: "…monitor VM creation in Azure Resource Manager audit logs and look for the activity Microsoft.Compute/virtualMachines/write performed by an OAuth application…"
More reporting - The Register
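The detection Microsoft recommends, written out as an added example (not from the newsletter or from Microsoft): filter activity-log records for VM writes made by a service principal, then look for one app creating VMs in bulk, the pattern behind the crypto-mining. The flat record layout, the field names and the burst threshold are assumptions.

```python
import json
from collections import Counter

VM_WRITE = "Microsoft.Compute/virtualMachines/write"
BURST_THRESHOLD = 3  # VM writes by one app before we call it a burst (assumed; tune per tenant)

# Constructed sample activity-log records. The flat field names are a
# simplification (assumption); real exports nest the caller type under claims.
SAMPLE_LOG = """\
{"time": "2023-12-20T01:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "alice@example.com", "principalType": "User", "resourceGroup": "rg-prod"}
{"time": "2023-12-20T01:05:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "app-1111", "principalType": "ServicePrincipal", "resourceGroup": "rg-new"}
{"time": "2023-12-20T01:05:10Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "app-1111", "principalType": "ServicePrincipal", "resourceGroup": "rg-new"}
{"time": "2023-12-20T01:05:20Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "caller": "app-1111", "principalType": "ServicePrincipal", "resourceGroup": "rg-new"}
{"time": "2023-12-20T01:06:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Failed", "caller": "app-2222", "principalType": "ServicePrincipal", "resourceGroup": "rg-prod"}
{"time": "2023-12-20T01:07:00Z", "operationName": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Succeeded", "caller": "app-3333", "principalType": "ServicePrincipal", "resourceGroup": "rg-prod"}
"""


def parse_records(text):
    """One JSON record per line; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def vm_writes_by_apps(records):
    """VM create/update events whose caller is an OAuth application (service
    principal) rather than a user. Failed attempts are kept on purpose: a
    denied VM write by an app you did not enroll is still worth a look."""
    return [r for r in records
            if r.get("operationName") == VM_WRITE
            and r.get("principalType") == "ServicePrincipal"]


def burst_callers(events, threshold=BURST_THRESHOLD):
    """Apps responsible for `threshold` or more successful VM writes: the
    mass-deployment pattern behind the crypto-mining activity described."""
    counts = Counter(e["caller"] for e in events if e.get("status") == "Succeeded")
    return {caller: n for caller, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = vm_writes_by_apps(parse_records(SAMPLE_LOG))
    for h in hits:
        print(f"{h['time']} {h['status']:9} app={h['caller']} rg={h['resourceGroup']}")
    print("burst:", burst_callers(hits))
```

The user-initiated write and the app's deallocate action are left out, so the alert list contains only what the quoted guidance asks for.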
AlphaV/Blackcat ransomware-as-a-service gang takedown
The US Justice Department announced on Tuesday a disruption campaign against the Blackcat ransomware group - also known as ALPHV or Noberus - that has targeted over 1,000 victims - justice.gov
Multiple outlets are reporting on the takedown of the AlphaV / Blackcat ransomware gang. It is indeed very good news to have this threat group removed from circulation.
If you have been affected by this threat group, it is worth getting in contact with the FBI (United States) through official channels, since they have been able to develop a decryption tool that allows affected systems to be recovered.
Additional reporting - CISA, Krebs on Security, Tech Crunch, The Register, Bleeping Computer, The Record, Dark Reading
Phishing attack against Instagram accounts
A surprisingly simple (and probably effective) phishing campaign against Instagram highlights how unfortunately easy it is to trick users into giving up credentials and other important authentication tokens.
It is reported that the phishing messages create user urgency by claiming the account has been suspended over a copyright infringement complaint, with a link that lands at an authentic-looking (but not real) page that walks users through questions leading up to the user supplying a 2FA backup code 🙁
Hint: this can happen on many online sites; if you operate a system that uses 2FA, consider engaging an experienced security engineer. A consultant with a vulnerability scanner is not going to be much help here.
Additional reporting - Bleeping Computer
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting
- SQLMap - we mentioned this some weeks ago but we are repeating it here because organizations are still falling for SQL injections - https://github.com/sqlmapproject/sqlmap
- DevSecOps-Playbook - this resource is gold for any organization that understands they need to automate their cybersecurity - https://github.com/6mile/DevSecOps-Playbook
- MISP - Open Source Threat Intelligence and Sharing Platform - https://github.com/MISP/MISP
Cybersecurity Vulnerabilities
SSH Terrapin
An interesting attack on SSH that requires MitM capabilities and the use of certain SSH handshake/encryption modes - terrapin-attack.com
It sounds alarming, and anything that impacts SSH is, however it’s not an easy attack to pull off. You can disable chacha20-poly1305@openssh.com encryption and *-etm@openssh.com MAC algorithms if your organization is likely to experience threat actors with the capacity for this type of thing.
Additional reporting - The Register, Bleeping Computer
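An added example (not from the newsletter or the Terrapin authors) that audits the effective sshd algorithm lists for the two modes named above and prints the corresponding hardened sshd_config lines. The `sshd -T` sample is constructed and shows only the two keywords that matter.

```python
import fnmatch

# Algorithm modes the page suggests disabling when MitM-capable adversaries are in scope.
WEAK_CIPHERS = {"chacha20-poly1305@openssh.com"}
WEAK_MAC_GLOB = "*-etm@openssh.com"

# Constructed sample of `sshd -T` output (the effective server config);
# assumption: only the two relevant keywords are shown.
SAMPLE_SSHD_T = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""


def parse_sshd_t(text):
    """Map keyword -> algorithm list for the comma-separated options we care about."""
    config = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("ciphers", "macs"):
            config[parts[0]] = parts[1].strip().split(",")
    return config


def terrapin_exposed(config):
    """Offered algorithms that fall into the modes named above."""
    return {
        "ciphers": [c for c in config.get("ciphers", []) if c in WEAK_CIPHERS],
        "macs": [m for m in config.get("macs", []) if fnmatch.fnmatch(m, WEAK_MAC_GLOB)],
    }


def hardened_lines(config):
    """sshd_config lines with those algorithms removed; the rest keep their order."""
    ciphers = [c for c in config.get("ciphers", []) if c not in WEAK_CIPHERS]
    macs = [m for m in config.get("macs", []) if not fnmatch.fnmatch(m, WEAK_MAC_GLOB)]
    return ["Ciphers " + ",".join(ciphers), "MACs " + ",".join(macs)]


if __name__ == "__main__":
    cfg = parse_sshd_t(SAMPLE_SSHD_T)
    print("exposed:", terrapin_exposed(cfg))
    print("\n".join(hardened_lines(cfg)))
```

Feed it the real `sshd -T` output on your hosts; the same check applies to client configs, since the mode has to be negotiated by both ends.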
Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File
In a surprise to no-one, Microsoft Outlook has even more vulnerabilities that can be chained together to form a zero-click remote-code-execution exploit.
The issue starts with a sound file attached to an email message: MS Outlook will happily follow the UNC path to an external server to retrieve the sound-file object, which unfortunately also means exposure of the user's NTLM hash, among other things.
If you have to use Microsoft Outlook, keep patching and patching.
If you have responsibility for an organization that uses Microsoft-based operating systems then PLEASE ensure you prevent outbound protocols that use NTLM to external networks; this generally means ports 135, 137, 445, 636, 3269, 3268 and 3389.
Additional reporting - Dark Reading
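A way to check that the egress block above is actually in effect, as an added example (not from the newsletter): scan firewall flow logs for internal hosts reaching external addresses on the ports listed, and separate what was denied from what got through. The flow-log layout, the sample lines and the internal address ranges are constructed assumptions.

```python
import ipaddress

# Ports the page lists as the usual carriers of NTLM authentication.
NTLM_PORTS = {135, 137, 445, 636, 3268, 3269, 3389}

# Networks treated as internal (assumption for the sample; use your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample egress flow log; assumed layout: ts src dst proto dport action.
SAMPLE_FLOWS = """\
2023-12-20T09:00:01Z 10.1.2.34 203.0.113.10 tcp 445 ALLOW
2023-12-20T09:00:02Z 10.1.2.34 10.1.0.5 tcp 445 ALLOW
2023-12-20T09:00:03Z 10.1.2.35 198.51.100.7 tcp 443 ALLOW
2023-12-20T09:00:04Z 10.1.2.36 203.0.113.10 udp 137 DENY
2023-12-20T09:00:05Z 10.1.2.36 203.0.113.11 tcp 3389 ALLOW
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        rows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                     "dport": int(dport), "action": action})
    return rows


def ntlm_egress(rows):
    """Internal -> external flows on a port from the page's list.
    Internal-to-internal SMB/LDAP/RDP is normal and is left alone."""
    return [r for r in rows
            if is_internal(r["src"]) and not is_internal(r["dst"])
            and r["dport"] in NTLM_PORTS]


def allowed_leaks(rows):
    """The subset the firewall let through: each is a host that an attachment
    like the one described could make authenticate to an external server."""
    return [r for r in ntlm_egress(rows) if r["action"] == "ALLOW"]


if __name__ == "__main__":
    for r in allowed_leaks(parse_flows(SAMPLE_FLOWS)):
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']} was ALLOWED")
```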
Got news or something you’d like us to mention? Feel free to get in contact - [email protected]