Sign in Subscribe
By Nicholas de Jong in Updates

CyberSecurity.PH #020

Malicious cyber activity spiking in Philippines says US; Palo Alto zero-day and exploits; Telegram zero-day RCE; D-Link NAS device vulnerabilities; Japan and US cyber threat intel sharing; Sisense hack impacts critical infrastructure; AWS security playbooks

💡
CyberSecurity.PH is growing quickly! We are eager to improve the cybersecurity outcomes for organizations in the Philippines with free weekly cybersecurity reports that matter, up-to-date cyber threat landscape reports and serious security-engineering highlights. Subscribe!

Philippines

Malicious cyber activity spiking in Philippines, US Cybersecurity analysts say

Cyberattacks and misinformation campaigns have increased dramatically in the Philippines as geopolitical tensions escalate in the region, according to a new report by U.S. cybersecurity firm Resecurity.

Researchers reported a nearly 325% jump in malicious cyber activity targeting the Philippines during the first months of 2024, compared to levels at the end of 2023.

Further reading - The Record, Resecurity

Japan, Philippines & US Forge Cyber Threat Intel-Sharing Alliance

The US, Japan, and the Philippines are reported to have an agreement to join forces in cybersecurity defense with a strategic cyber threat-sharing arrangement in the wake of rising cyber threat activity from China, North Korea, and Russia.

The trilateral cooperation is expected to extend to Balikatan 2024 that has traditionally only been between the Philippines and US. This year’s Balikatan has been planned to expand in scope to include cyber defense and associated activities.

Further reading - Dark Reading, PCO.gov.ph, GMA Network

Cybersecurity Threat Landscape

CISA says Sisense hack impacts critical infrastructure organizations

CISA, the United States Cybersecurity and Infrastructure Security Agency has announced their active role in responding to the Sisense hack that exposed the data-access credentials for thousands of customers.

At issue is the scale and sensitivity of the credentials that have been stolen because they (typically) represent machine-to-machine access tokens that commonly enable full access to data-stores using direct-APIs or database protocols.

Many of Sisense customers are large-scale businesses, government-organizations and critical infrastructure operators.

Reporting on the hack-event states that the initial Sisense compromise started with their self-hosted Gitlab instance which appears to have then led to S3 bucket access. Indications from the hack-event suggest that Sisense was not appropriately encrypting customer credentials entrusted to it (using a plain S3 bucket), no doubt many many questions are going to be asked of Sisense in this regard.

The advice from Sisense has been to reset and cycle all customer credentials and secrets previously entrusted to it.

Further reading - Krebs on Security, Bleeping Computer, Cyberscoop

Cybersecurity Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or is just plain interesting; check out our engineering-section online at CyberSecurity.PH too!

  • Cloud-active-defense - A reverse-proxy available as a Docker container that can be deployed in-front of your web-application that adds a layer of active defense that then provide threat indicators and signals to you - https://github.com/SAP/cloud-active-defense
  • Aws-customer-playbook-framework - a must read/know for AWS customers from AWS itself. Provides excellent sample security playbook templates to handle various Amazon Web Services scenarios - https://github.com/aws-samples/aws-customer-playbook-framework
  • Pyimps - Quickly see python imports in terminal in a tree view - while Pyimps is not directly a cybersecurity tool it provides Python project observability that enables better code-supply-chain outcomes - https://github.com/bedbad/pyimps

Cybersecurity Vulnerabilities

Palo Alto Networks zero-day VPN vulnerability, exploits released

An unauthenticated-user command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows remote users to execute arbitrary code with root privileges on the Palo Alto firewall - CVE-2024-3400 with a CVSS of 10.

This is significant news not just because Palo Alto firewalls are often extremely expensive purchase items, they also appear on approval lists for sensitive government applications which makes this vulnerability rather problematic.

Public security researchers using the Shodan public data-source have noted over 80k publicly accessible Palo Alto firewalls are out there, where 433 of these are observed to be in the Philippines.

Cybersecurity organization Volexity discovered observations of threat-actors actively exploiting CVE-2024-3400 as early as 2024-03-26 and reported the cases to the Palo Alto Networks security team.

Multiple threat-organizations have now been observed acting to capture as many vulnerable appliances as possible.

Loads of additional reading on this matter, it’s a big deal - Volexity, Palo Alto Networks, The Record, Bleeping Computer, The Register, Dark Reading, CISA.gov, The Hacker News

Telegram fixes Windows app zero-day Python RCE

Telegram has applied a server-side fix to prevent further exploitation of a zero-day vulnerability that enabled threat-actors to send Telegram attachments leading to Python code execution without warning - the exploit requires user interaction with a single click.

At issue is a relatively simple typo in the Telegram Windows application that misspelled the pyzw file extension with pywz instead. As a result, threat actors have been able to craft pyzw files with malicious payloads.

Further reading - Bleeping Computer

A pair of vulnerabilities (CVE-2024-3272 and CVE-2024-3273) in end-of-life D-Link NAS devices can be chained together to remotely execute system commands - because the devices are considered end-of-life by D-Link these vulnerabilities will not receive any patches or updates to remediate.

Researchers have noted that up to 92k publicly accessible appliances are impacted - https://github.com/netsecfish/dlink

Further reading - The Hacker News, Bleeping Computer, The Record

Cybersecurity Overload

Crescendo Method Can Jailbreak LLMs Using Seemingly Benign Prompts

AI security researchers at Microsoft have published a paper describing a LLM jailbreak technique that is generic enough that it can be applied and abused against ChatGPT, Gemini, LlaMA, Anthropic and others.

The technique has been named “Crescendo” by the research team and involves a multi-step lead into the jailbreak topic/content.

Further reading - Microsoft

Got news or something you’d like us to mention, feel free to get in contact - [email protected]

Subscribe to CyberSecurity.PH

Subscribe to receive our latest updates as they get released.
[email protected]
Subscribe