CyberSecurity.PH #003
Known exploited Microsoft vulnerabilities; Infostealer utility uses ChatGPT; ICBC pays Lockbit ransom
Welcome to CyberSecurity | PH weekly issue 003.
https://www.cybersecurity.ph/
Cybersecurity Reporting
Lockbit ransomware gang claim ICBC paid ransom
The Industrial & Commercial Bank of China (ICBC) resorted to settling trades by couriering USB drives after suffering an attack by the Lockbit ransomware gang - Time Magazine
It is now reported (Reuters) that Lockbit claims ICBC paid the ransom to regain access to its systems. Paying does not align with the recent International Counter Ransomware Initiative (CRI) pledge-agreement. While ICBC is not party to the CRI, the jurisdictions whose markets it operates in (e.g. the US, for Treasuries) are.
The CRI pledge-agreement matters because it aims to make it harder for ransomware gangs to operate by committing member governments not to pay, cutting off the payments the gangs depend on.
The Philippines is not yet a member of the International Counter Ransomware Initiative.
Philippines cyber threat scenario used as basis of Columbia University strategy challenge
Columbia University (New York, USA) announced the winners of its annual School of International and Public Affairs (SIPA) student cyber-strategy challenge, in which a fictional cyber attack against a Philippine telecommunications company was played out - Columbia University
That an influential world-class university is able to assist the Philippines by shining a spotlight on possible threat scenarios while training the next generation of leaders is awesome!
SysAid vulnerability used to deploy Cl0p ransomware
SysAid, a popular help-desk and remote-access software vendor, has announced zero-day vulnerability CVE-2023-47246, a path-traversal flaw that lets an attacker write a malicious payload into the Tomcat web root and execute code on the server - SysAid
This vulnerability is being used by the threat group “Lace Tempest” (TA505), which is actively deploying Cl0p ransomware with it. The same group is credited with the large-scale exploitation of MOVEit Transfer earlier this year - TechCrunch
Australian ports operator shut down in cyber incident; lessons for the Philippines?
The Philippines is a nation of islands that relies on its ports for transport, trade and the economy. Last week an Australian ports operator, DP World, was shut down for several days due to a cyber incident, which in turn affected 40% of the imports and exports of the Australian economy - BBC World
Can the Philippines learn from the Australian case to improve Philippine cyber resilience for ports and associated trade? There are strong relationships between the two countries to leverage - Australian Defence
Three new known exploited vulnerabilities in latest Microsoft Patch Tuesday release
US cybersecurity agency CISA added three new Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2023-36033, CVE-2023-36025 and CVE-2023-36036. If you’ve not seen the CISA list before, check it out; it’s a worthwhile resource (and remember to automate your checks against it!)
These three additions matter because Microsoft shipped patches for the same vulnerabilities in its Patch Tuesday release the same week 💥💥, i.e. they were already being exploited when the fixes landed - additional reporting The Record and KrebsonSecurity
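Since the advice above is to automate, here is an added example (not the newsletter’s or CISA’s code) that parses the KEV feed, lists what was added since a date for a given vendor, and cross-checks an inventory of CVE IDs against CISA’s due dates. The feed is a JSON object with a "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction; the SAMPLE_KEV_JSON embedded below is constructed in that shape so the block runs offline (its dates and text are illustrative, not copied from the feed), and CVE-2023-00000 is a placeholder assumed not to be in KEV.

```python
"""Added example (not from the newsletter or CISA): automate checks against
the CISA Known Exploited Vulnerabilities (KEV) catalog.

SAMPLE_KEV_JSON is a constructed sample in the shape of the real feed so the
block runs offline; swap parse_kev(SAMPLE_KEV_JSON) for fetch_kev() in use.
"""
import json
from datetime import date
from typing import Dict, List, Optional
from urllib.request import urlopen

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample: field names follow the feed, values are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-36033", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-14", "dueDate": "2023-12-05",
         "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2023-36025", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-14", "dueDate": "2023-12-05",
         "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2023-36036", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-11-14", "dueDate": "2023-12-05",
         "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2023-47246", "vendorProject": "SysAid", "product": "SysAid Server",
         "dateAdded": "2023-11-13", "dueDate": "2023-12-04",
         "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "requiredAction": "Apply vendor updates."},
    ],
})


def parse_kev(text: str) -> List[dict]:
    """Parse catalog JSON and return its entry list."""
    return json.loads(text)["vulnerabilities"]


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> List[dict]:
    """Download the live catalog (network required); same shape as parse_kev."""
    with urlopen(url, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def added_since(entries: List[dict], since: str, vendor: Optional[str] = None) -> List[str]:
    """CVE IDs added on or after `since` (ISO date), optionally restricted to
    one vendor (case-insensitive), sorted oldest-first then by ID. Suitable
    for a daily 'what is new in KEV' alert."""
    cutoff = date.fromisoformat(since)
    hits = [e for e in entries
            if date.fromisoformat(e["dateAdded"]) >= cutoff
            and (vendor is None or e["vendorProject"].lower() == vendor.lower())]
    return [e["cveID"] for e in sorted(hits, key=lambda e: (e["dateAdded"], e["cveID"]))]


def check_inventory(entries: List[dict], inventory_cves: List[str], today: str) -> Dict[str, str]:
    """Cross-check CVE IDs from your own scanner/patch inventory against KEV.
    Status per CVE: 'overdue' (past the CISA due date), 'due_in_N_days', or
    'not_in_kev'."""
    now = date.fromisoformat(today)
    by_id = {e["cveID"]: e for e in entries}
    status = {}
    for cve in inventory_cves:
        entry = by_id.get(cve)
        if entry is None:
            status[cve] = "not_in_kev"
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - now).days
        status[cve] = "overdue" if days_left < 0 else "due_in_%d_days" % days_left
    return status


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)  # use fetch_kev() against the live feed
    print("New Microsoft KEV entries:", added_since(kev, "2023-11-14", "Microsoft"))
    print(check_inventory(kev, ["CVE-2023-36025", "CVE-2023-34362", "CVE-2023-00000"],
                          "2023-11-20"))
```

Run it on a schedule with fetch_kev(), diff the added_since output against yesterday’s, and feed check_inventory the CVE IDs your vulnerability scanner reports; anything "overdue" is both actively exploited and past the remediation window CISA sets for US federal agencies.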
Predator AI infostealer utility; uses ChatGPT in Python
Using ChatGPT in an active threat/attack context has again become more real. SentinelOne reports that Predator AI, a Python tool that stitches together various attack components targeting online service providers, now has a ChatGPT-driven component that ties the other components together, making the tool “easier” for threat operators to use - SentinelOne
The evolution with AI components being added to malicious software is not surprising; we believe the more concerning AI threat stems from its misuse in crafting misinformation content designed to redirect topic narrative and the understanding of local issues. If you need help accepting this is a real threat then have a read of the recent US DHS report (page 6) that highlights AI generated misinformation as a priority area of concern.
Cross-platform StripedFly malware; 1M infections; impacts Windows and Linux
Anyone who thinks their Linux hosts are safe from malware needs to reconsider; the recently highlighted StripedFly malware framework infects both Linux and Windows, and threat analysts describe its capabilities as “impressive” - Bleeping Computer
More Confluence; hard-to-spot backdoor deployed
Anyone running a Confluence server who thinks they got away without being impacted ought to take a hard look at their servers: the Effluence backdoor has been found on systems that were exploited, and it is not obvious to detect - The Register
Cybersecurity Engineering
- Intel CPU bug tracked as CVE-2023-23583 may allow a guest on a shared host to escalate privileges, disclose information or crash the machine, taking other tenants' virtual compute instances down with it - Intel Advisory, The Record, Bleeping Computer
- Some SSH implementations have been observed emitting faulty RSA signatures during key exchange, which a passive observer can use to recover the server's private key; research paper Passive SSH Key Compromise via Lattices - more reporting ArsTechnica
- Some dubious reports about RSA-2048 being easy to factor are showing up. So far they are unsubstantiated and it sounds like another LK-99 episode - from the author on LinkedIn, more on Toms Hardware
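The SSH key compromise above rests on faulty RSA-CRT signatures: when the signer's mod-q half of the computation is corrupted while the mod-p half is correct, the signature together with the signed message factors the modulus. The paper's lattice technique handles the SSH case, where a passive observer does not know the whole signed message; as an added example (not the newsletter's or the paper's code), the block below shows the known-message version of the attack with a toy 512-bit key, a constructed message standing in for the handshake hash, and a bit flip injected on purpose.

```python
"""Added example (not from the newsletter or the paper): the RSA-CRT fault
attack that underlies passive SSH key recovery from faulty signatures.

Key sizes are toy-sized (512-bit modulus) so it runs quickly; the message is
a constructed stand-in for the handshake hash; the fault is injected by hand.
"""
import math
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; probabilistic, adequate for a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 512, e: int = 65537) -> dict:
    """Toy RSA key including the CRT components a real signer keeps."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def sign_crt(key: dict, m: int, fault_in_q: bool = False) -> int:
    """RSA-CRT signing. With fault_in_q=True the mod-q half is corrupted
    (one flipped bit, standing in for a hardware or software error), which is
    exactly the failure the attack exploits. The mod-p half stays correct."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault_in_q:
        sq ^= 1 << 5  # injected fault
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return (sq + h * key["q"]) % key["n"]


def verify(key: dict, m: int, s: int) -> bool:
    return pow(s, key["e"], key["n"]) == m % key["n"]


def recover_factor(n: int, e: int, m: int, faulty_sig: int) -> int:
    """s^e == m (mod p) still holds for the faulty signature but not mod q,
    so gcd(s^e - m, n) is p. A correct signature yields gcd 1 (or n)."""
    return math.gcd(pow(faulty_sig, e, n) - m, n)


def demo(seed: int = 2023) -> dict:
    random.seed(seed)
    key = generate_rsa_key(512)
    m = int.from_bytes(b"constructed SSH handshake transcript hash", "big")
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault_in_q=True)
    factor = recover_factor(key["n"], key["e"], m, bad)
    return {
        "good_verifies": verify(key, m, good),
        "bad_verifies": verify(key, m, bad),
        "good_gives_no_factor": recover_factor(key["n"], key["e"], m, good) in (1, key["n"]),
        "factor_is_p": factor == key["p"],
        "private_key_recovered": pow(key["e"], -1, (factor - 1) * (key["n"] // factor - 1)) == key["d"],
    }


if __name__ == "__main__":
    print(demo())
```

The defence is the one the paper recommends and mature implementations already apply: verify every signature against the public key before releasing it, so a faulty one is never sent; the block's verify() is exactly that check, and a faulty signature fails it.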
Got news or something you’d like us to mention, feel free to get in contact - [email protected]