CyberSecurity.PH #018
Philippine law enforcement frees hundreds of enslaved romance-scam workers; China-backed Earth Krahang exploits inter-governmental trust; Acer confirms Philippines employee data leak; active cyber-attacks on critical water infrastructure; more vulnerabilities from Fortinet, Fortra and Ivanti
Philippines
China-linked threat actor “Earth Krahang” targeting Southeast Asian countries, including the Philippines, with new backdoors
Cyber security company Trend Micro has published an in-depth report describing its tracking of the APT group “Earth Krahang”. The report details likely links to the recently exposed Chinese company “I-Soon”, which is said to operate hacker-for-hire teams.
The report documents the group's tools, tactics and victimology, providing a clear geographic map of targets and listing the Philippines as a confirmed victim country.
Trend Micro's assessment is that the group is not especially sophisticated: it relies on well-known open-source tools to gain initial access, then uses the compromised (and trusted) infrastructure as a foothold from which to target further victims.
Plenty of in-depth reporting on this matter from multiple outlets; Trend Micro, The Record, Bleeping Computer, Dark Reading
Philippine law enforcement frees hundreds of workers from romance-scam operation
The Presidential Anti-Organized Crime Commission (PAOCC) has raided a POGO (Philippine Offshore Gaming Operator) firm in Tarlac that was running a romance scam (pig butchering) operation with as many as 875 workers.
The rescued "workers" (victims) had been enslaved on the promise of employment: their passports were confiscated and they were forced to adopt fake romantic personas to extract money from other victims.
Additional reading; The Register, Rappler, PCADG Twitter
Acer confirms via Twitter that Philippines employee data has been leaked
A Twitter account that appears to be operated by Acer Philippines has issued a statement confirming the loss of employee data related to its Philippines-based operations - Twitter
The statement indicates the data loss occurred via a third party.
A link to the leaked data was posted publicly on the well known BreachForums.
Additional reading; Bleeping Computer
Cybersecurity Threat Landscape
United States White House issues warning to governors of active cyber-attacks on critical water infrastructure
The White House has issued a warning to US state governors describing active cyber-attacks on critical water infrastructure, attributed to threat actors from Iran and China.
The warning follows the Five Eyes agencies releasing updated information and guidance on managing the threat from Volt Typhoon.
Volt Typhoon has been observed pre-positioning up to five years in advance, maintaining compromised endpoints inside the networks of critical-infrastructure operators.
Additional reading; Ars Technica, Bleeping Computer, Dark Reading, The Register
Supply chain threat vendor Microsoft patches 60 vulnerabilities including 18 RCEs
Microsoft's latest Patch Tuesday (March 12, 2024) included updates for 60 vulnerabilities:
- 24x Elevation of Privilege Vulnerabilities
- 18x Remote Code Execution Vulnerabilities
- 6x Information Disclosure Vulnerabilities
- 6x Denial of Service Vulnerabilities
- 3x Security Bypass Vulnerabilities
- 2x Spoofing Vulnerabilities
This batch of patches has been out for over a week already, so if you've not done so, it's time to get busy updating and tracking down the computers that refuse to apply updates.
The Register has a good deep-dive with plenty more detail; The Register
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or are just plain interesting; check out our engineering section online at CyberSecurity.PH too!
- Trufflehog - Scan your source code repositories for secrets that should not be in your source code in the first place. Use it as a GitHub Action (or other repo trigger) to automatically alert you when accidents with secrets happen - github.com/trufflesecurity/trufflehog
- Sign1 Malware Analysis - Not a security engineering tool, but a fantastic pull-apart analysis of WordPress-based malware by the team at Sucuri, who frequently do a great job with stuff like this. Love their work - blog.sucuri.net
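To show what a secret scanner of the Trufflehog kind actually does on a commit, here is an added example (written for this newsletter, not Trufflehog's own code or detector set). It combines the two classic strategies: regexes for credentials with a known format, and a Shannon-entropy check on values assigned to secret-looking variable names. The regexes, thresholds and the sample file content are all constructed for illustration; a real scanner carries hundreds of detectors and verifies matches against the issuing service.

```python
import math
import re

# Illustrative known-format detectors (constructed; not Trufflehog's list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A quoted value of 20+ token-ish characters assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*"
    r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
)

HEX_CHARS = set("0123456789abcdefABCDEF")

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 sits near 6, random hex near 4, prose near 3-4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(value: str) -> bool:
    """Charset-aware threshold: a hex string can never exceed 4 bits/char,
    so judge it against a lower bar than a base64-style string."""
    threshold = 3.0 if set(value) <= HEX_CHARS else 4.5
    return shannon_entropy(value) >= threshold

def scan_text(text: str):
    """Return (line_no, detector, value) for each suspected secret in `text`.
    A known-format match takes precedence over the entropy heuristic on that line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched = False
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((line_no, name, m.group(0)))
                matched = True
        if matched:
            continue
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if looks_random(value):
                findings.append((line_no, "high_entropy_assignment", value))
    return findings

# Constructed sample "config file" as it might appear in a commit diff.
# Line 2 is a passphrase made of words (low entropy, not flagged);
# line 3 is a random-looking hex key (flagged by entropy);
# lines 1 and 4 match known credential formats.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct-horse-battery-staple"
api_key = "9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
"""

if __name__ == "__main__":
    for line_no, detector, value in scan_text(SAMPLE):
        print(f"line {line_no}: {detector}: {value[:8]}...")
```

Wired into a pre-commit hook or CI job, a non-empty result from `scan_text` over the staged diff is the point at which to fail the build; whichever scanner you use, rotate the credential as well as removing it, because git history keeps the old value.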
Cybersecurity Vulnerabilities
Fortinet warns of critical RCE bug in their endpoint software
Fortinet has patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers.
The security flaw (CVE-2023-48788) is an SQL injection in the DB2 Administration Server (DAS) component; it was discovered and reported by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.
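As an added illustration of the bug class named above (this is not Fortinet's code and says nothing about the actual EMS flaw), here is the SQL-injection pattern in its smallest form, side by side with the parameterised fix, run against a constructed in-memory SQLite table. The table, the payload and the function names are all assumptions made for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for a real admin-server database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # Untrusted input is spliced into the SQL text, so the caller controls the
    # query's structure, not just the value being compared.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str):
    # Placeholder binding: the driver sends the value as data, so quotes or
    # boolean logic in the input are matched literally and never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed payload: closes the string literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no user literally named that
```

The same rule applies to DB2, PostgreSQL or any other engine: if the statement text is built from input, escaping is a losing game; bind parameters, and run the database account with the least privilege the application needs so that a successful injection cannot be turned into command execution.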
Additional reading; Bleeping Computer
Vulnerability in WordPress Popup Builder used to infect 3,300 sites with malware
Threat actors are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code.
WordPress statistics show that at least 80,000 active sites currently run Popup Builder 4.1 or older and are therefore vulnerable.
Additional reading; Bleeping Computer
Fortra Releases update for critical severity vulnerability
Fortra FileCatalyst has been patched to address CVE-2024-25153, which carries a CVSS score of 9.8.
The vulnerability allows an unauthenticated threat actor to execute arbitrary code remotely on affected servers via a directory-traversal flaw in file uploads.
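To make the "file-upload directory traversal" class concrete, here is an added example written for this newsletter (not FileCatalyst's code, and not a description of CVE-2024-25153 itself). It contrasts a path builder that trusts the client-supplied filename with one that resolves the result and refuses anything outside the upload root. The upload root `/srv/uploads` and the function names are assumptions for the example; the paths are never written to disk.

```python
import os

UPLOAD_ROOT = "/srv/uploads"  # assumed upload directory for the example

def save_path_vulnerable(client_filename: str) -> str:
    # Joins whatever the client sent. "../../etc/cron.d/job" walks out of the
    # upload root, and normpath happily collapses the dots for the attacker.
    return os.path.normpath(os.path.join(UPLOAD_ROOT, client_filename))

def resolve_upload_path(client_filename: str) -> str:
    """Return the on-disk path for an upload, allowing subdirectories but
    rejecting any name whose resolved path leaves UPLOAD_ROOT.
    Percent-decoding must already have happened; check the decoded form."""
    root = os.path.realpath(UPLOAD_ROOT)
    # os.path.join drops `root` entirely if client_filename is absolute,
    # which is exactly why the check below is done on the resolved result.
    candidate = os.path.realpath(os.path.join(root, client_filename))
    # realpath also follows symlinks, so a symlink planted inside the root
    # pointing elsewhere is caught too, not just "../" sequences.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"upload path escapes {root}: {client_filename!r}")
    return candidate

def is_rejected(client_filename: str) -> bool:
    """True if the hardened resolver refuses this filename."""
    try:
        resolve_upload_path(client_filename)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed filenames as an attacker might send them in a multipart upload.
    for name in ["reports/q1.pdf", "../../etc/cron.d/job", "/etc/passwd"]:
        print(f"{name!r:28} vulnerable -> {save_path_vulnerable(name)}")
        print(f"{'':28} hardened   -> {'REJECTED' if is_rejected(name) else resolve_upload_path(name)}")
```

The important detail is the order of operations: resolve first, then compare against the resolved root. Checking the raw string for `..` misses absolute paths, encoded variants and symlinks, and is the usual reason a traversal filter gets bypassed.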
Additional reading; Dark Reading
Ivanti fixes critical Standalone Sentry vulnerability
Ivanti is warning customers to immediately patch a critical-severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.
Tracked as CVE-2023-41724, the flaw affects all supported versions and allows unauthenticated attackers on the same physical or logical network to execute arbitrary commands in low-complexity attacks.
Additional reading; Bleeping Computer
Got news or something you'd like us to mention? Feel free to get in contact - [email protected]