CyberSecurity.PH #022
Philippines hacktivist Ikaruz Red Team ransomware; ABS-CBN ransomware attack 500 GB; Law enforcement seizes BreachForums; Nmap for LLM/AI models; GitHub SAML auth bypass; Veeam auth bypass; QNAP QTS zero-day; D-Link EXO zero-day
Philippines
Philippines hacktivist group Ikaruz Red Team using ransomware to create social conflict
Cybersecurity firm SentinelOne has released a report detailing the socio-politically motivated hacktivist group Ikaruz Red Team, among others.
Ikaruz Red Team (IRT), operating under various identities, has targeted organizations in the Philippines through website defacement, denial-of-service and, more recently, ransomware attacks. This activity is part of a larger wave of hacktivist groups targeting the Southeast Asian region, as documented by Resecurity in April and previously covered by us.
“… leveraging hacktivist-related monikers allows threat actors to avoid attribution while creating the perception of homegrown social conflict online…” “… this tactic is often combined with false-flag attacks originating under publicly known threat-actor profiles to keep a distance from the real intellectual authors of these malign campaigns…”
The SentinelOne report goes into a good level of detail describing the tactics, techniques and procedures (TTPs) used by this threat group, together with a shortlist of IoCs associated with their more recent ransomware activity.
Further reading: SentinelOne, The Record
ABS-CBN ransomware attack, 500 GB of data compromised
Unconventional cybersecurity news source “Kukublan Philippines” is reporting a ransomware attack on ABS-CBN by the so-called RansomHouse ransomware group.
Kukublan's report appears to be corroborated by two dark-web monitoring firms that publicly publish summaries of their own observations, HookPhish and BreachSense. The report also provides screenshots and further breach details.
Mainstream coverage of this event is notably missing from Philippine media outlets at time of writing.
Further reading: Kukublan Philippines
Unfading Sea Haze: A new threat actor in the South China Sea
Cybersecurity firm Bitdefender has released a report detailing its investigation of the threat group “Unfading Sea Haze”, responsible for at least 8 compromises of government and military organizations in countries around the South China Sea over the past 5 years.
The tactics, techniques and procedures (TTPs) used by this threat group are relatively straightforward and rely on poor credential hygiene (e.g. password reuse), unpatched or slow-to-update systems, and inappropriately internet-connected devices and appliances.
The report provides excellent indicators of compromise that security teams can use to examine their logs and systems and help determine whether their organizations have been targeted.
Further reading: Bitdefender, The Record, Bleeping Computer
Cybersecurity Threat Landscape
Law enforcement seizes BreachForums
The well-known and notorious BreachForums platform, a popular haunt of cybercriminals, has been seized by a consortium of international law-enforcement agencies.
“…FBI said BreachForums has been run by a threat actor known as ShinyHunters since June 2023 and has been a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services…”
BreachForums operated in the clear, which also made it an uncomfortable-yet-useful source for cyber threat-intelligence operators; it was common to see threat reports that included screenshots from BreachForums. IC3 has established a dedicated online site where evidence related to the forum can be shared.
BreachForums was started in response to the law-enforcement takedown of RaidForums in February 2022.
Further reading: The Register, Bleeping Computer, The Record
Canadian security intelligence chief warns China can use TikTok for espionage
The head of Canada's Security Intelligence Service (CSIS) warned Canadians against using video app TikTok, saying data gleaned from its users "is available to the government of China," CBC News reported on Friday.
"… as director of [the Canadian Security Intelligence Service] is that there is a very clear strategy on the part of the government of China ... to be able to acquire ... personal information from anyone around the world…" CSIS Director David Vigneault told CBC in an interview set to air on Saturday.
Further reading: Reuters, CBC News
Threat actors using fake Docusign sites for BEC threats
Cybersecurity firm “Abnormal Security” has investigated and reported on a recent uptick in BEC phishing that mimics Docusign signing requests -
“… these fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information...”
The report also details a Russian cybercrime forum in which Docusign and other well-known brands are impersonated.
Further reading: Abnormal Security, Dark Reading
China-Nexus cyber threat actors using open-relays/proxies
Google-owned cybersecurity firm Mandiant reports that it is tracking a growing trend among China-nexus cyber-espionage operations of using open relays and proxies stitched together into mesh arrangements to gain an advantage when conducting espionage operations.
The report details two known operational relay box (ORB) network topologies -
- ORB3 / SPACEHOP - a threat-actor-provisioned network in which the threat actor controls the nodes involved (usually VPS-hosted instances); the network is relatively straightforward, with 2 or 3 layers between the actor and the target.
- ORB2 / FLORAHOX - a network not managed by the threat actor, which uses Tor relays between the threat actor and the victim-facing node used to interact with targets.
Further reading: Google, Bleeping Computer
Cybersecurity Engineering
A weekly highlight of tools and other resources (often open-source) that we use, find useful or simply find interesting; check out our engineering section online at CyberSecurity.PH too!
- leondz/garak - “nmap” for LLMs - checks if an LLM can be made to fail in a way we don't want. Probes for hallucination, data leakage, prompt injection, misinformation, toxicity generation, jailbreaks, and many other weaknesses - https://github.com/leondz/garak
- hackertarget/nmap-did-what - a Docker container and a Python script that parse Nmap XML output into an SQLite database, which is then used as a Grafana datasource to view Nmap scan details in a dashboard - https://github.com/hackertarget/nmap-did-what/
- cak/secure - a lightweight package that adds optional security headers for Python web frameworks such as FastAPI and others - https://github.com/cak/secure
Cybersecurity Vulnerabilities
GitHub SAML auth bypass flaw in Enterprise Server
Tracked as CVE-2024-4985 (CVSS score: 10.0), the vulnerability allows an attacker to gain unauthorized access to a GitHub Enterprise Server instance without authenticating. Only instances using SAML single sign-on with the optional encrypted assertions feature are affected; encrypted assertions are not enabled by default.
“… on instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges… " states the release-notes.
The issue impacts all versions of GitHub Enterprise Server prior to 3.13.0 and has been addressed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
Further reading: The Register, The Hacker News, Bleeping Computer
Veeam auth bypass flaw in Backup Enterprise Manager
Tracked as CVE-2024-29849 (CVSS score: 9.8), the vulnerability allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.
Users are advised to upgrade to version 12.1.2.172 immediately, according to the Veeam knowledge base article.
Further reading: Bleeping Computer, The Hacker News
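Both of the advisories above fix an authentication bypass by publishing one patched version per supported release line, and the practical question for a defender is the same in each case: is the build I am running at or above the fixed one for its branch? The block below is an added example for this issue, not code from GitHub or Veeam; the fixed-version tables are taken from the two items above (GHES 3.9.15 / 3.10.12 / 3.11.10 / 3.12.4 with 3.13.0 and later never affected; Veeam Backup Enterprise Manager 12.1.2.172), the `branch_len` / `first_unaffected` layout is our own, and the version strings in the tests are constructed.

```python
"""Version-against-advisory check for the GHES and Veeam auth-bypass fixes (added example, not vendor code)."""
import re


def parse_version(s):
    """'3.12.4' -> (3, 12, 4). Stops at the first dot-separated piece that does not start with digits,
    so '12.1.2.172' and '5.1.7.2770 build 20240520' both parse; a non-numeric leading piece raises."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts)


# Advisory layout (our own, hypothetical): 'branch_len' is how many leading components identify a release line,
# 'fixed' maps each line to its first patched version, and 'first_unaffected' is the first line that never needed the fix.
GHES_CVE_2024_4985 = {
    "branch_len": 2,
    "fixed": {(3, 9): (3, 9, 15), (3, 10): (3, 10, 12), (3, 11): (3, 11, 10), (3, 12): (3, 12, 4)},
    "first_unaffected": (3, 13),
}
VEEAM_CVE_2024_29849 = {
    "branch_len": 0,                      # a single fixed build applies to every installed version
    "fixed": {(): (12, 1, 2, 172)},
    "first_unaffected": None,
}


def is_vulnerable(version, advisory):
    """True if `version` is below the fixed version for its release line.
    This answers 'unpatched?', not 'exploitable?': for CVE-2024-4985 the instance must also be using SAML SSO
    with encrypted assertions, which the caller has to establish separately."""
    v = parse_version(version)
    first_unaffected = advisory["first_unaffected"]
    if first_unaffected is not None and v >= first_unaffected:
        return False                      # release line that never carried the bug
    fixed = advisory["fixed"].get(v[:advisory["branch_len"]])
    if fixed is None:
        return True                       # release line with no fix published (e.g. an end-of-life GHES 3.8.x)
    return v < fixed


if __name__ == "__main__":
    for name, ver, adv in [("GHES", "3.12.3", GHES_CVE_2024_4985), ("GHES", "3.13.0", GHES_CVE_2024_4985),
                           ("Veeam", "12.1.1.56", VEEAM_CVE_2024_29849), ("Veeam", "12.1.2.172", VEEAM_CVE_2024_29849)]:
        print(name, ver, "VULNERABLE" if is_vulnerable(ver, adv) else "patched")
```

For GitHub Enterprise Server the installed version is reported in the `installed_version` field of the unauthenticated `/api/v3/meta` endpoint, which makes this check easy to script across a fleet; for Veeam read the build from the Enterprise Manager installation itself. Tuple comparison is what makes the branch rule work: `(3, 13, 0) >= (3, 13)` is true while `(3, 12, 4) >= (3, 13)` is false, so a bare `(3, 13)` cut-off covers every 3.13.x build.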
QNAP QTS zero-day and public remote-code-exploit
A set of five vulnerabilities in QNAP appliances has been quickly patched after public disclosure by watchTowr, which also published a GitHub repo with proof-of-concept exploits.
All of the vulnerabilities require a valid account on the QNAP device to exploit.
QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520 are said to patch the issues.
Further reading: QNAP, The Hacker News, The Register
D-Link EXO zero-day and public proof-of-exploit
The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution, leading to full administrative compromise by any threat actor able to reach the HNAP user-interface port.
D-Link does not yet have a patch for the issue.
Further reading: SSD Disclosure, Bleeping Computer
Got news or something you’d like us to mention, feel free to get in contact - [email protected]