CyberSecurity.PH #017
Predator spyware detected in Philippines; Russian APT29 targeting cloud environments; Australia signs cybersecurity agreements with Philippines; Maria Ressa deepfake targeting Philippines audiences; Lazarus exploited Windows zero-day that Microsoft knew about
Philippines
Australia signs agreements with Philippines on cybersecurity, maritime and trade
During President Ferdinand R. Marcos Jr.'s (PBBM) recent visit to Canberra, agreements between the Philippines and Australia to enhance cooperation in cybersecurity and critical technology have been signed.
The agreement aims to promote information sharing, capacity building, and a secured digital economy, alongside achieving a better understanding of international law norms in cyberspace.
This initiative is part of a broader effort to strengthen the existing partnership between the two countries, adding to the extensive list of over 120 agreements previously established in various fields.
Additional reading - pco.gov.ph
Predator spyware detected with Philippines based infrastructure; United States sanctions developers
Cybersecurity company Insikt Group has released a report this week stating that the operators of the Predator spyware have been active in the Philippines, one of eleven countries where Predator infrastructure has been observed - PDF report.

The Insikt Group report provides indicators of compromise (IoC), including IP addresses and domain names; readers may note a certain typo-squatted PH domain name among these.
Additionally this week, the U.S. imposed sanctions on individuals and entities tied to the Intellexa Consortium, which is responsible for the Predator spyware, due to its role in targeting U.S. officials, journalists and activists and the national security threat this presents.
Additional reading - The Record, Tech Crunch, Dark Reading, CyberScoop
Russian scam network circulates Maria Ressa deepfake through Facebook and Microsoft Bing
A deepfake video targeting Maria Ressa, CEO of Rappler and Nobel Peace Prize laureate, was circulated on social media and Microsoft's Bing platform, falsely portraying her endorsing Bitcoin.
This scam, traced to a Russian network specifically targeting the Philippines, exploited AI technology to manipulate a past Maria Ressa interview.

Despite the deepfake's removal by platforms, the incident highlights the challenges in combating digital misinformation and the potential harms of deepfakes in influencing public opinion and discrediting individuals, especially in sensitive contexts like elections.
Additional reading - Rappler
Cybersecurity Threat Landscape
Russian cyber threat group APT29 observed using new tools, techniques and tactics aimed at cloud environments
The UK National Cyber Security Centre (NCSC), together with its Five Eyes partners from the United States, Canada, Australia and New Zealand, has issued a short report detailing recently observed activity of the Russian cyber threat group APT29 in targeting organizations with cloud-hosted infrastructure.
APT29 threat actors are using residential proxies to target dormant accounts that may not have MFA enabled, and/or using password sprays coupled with MFA bombing until the targeted user gives up and simply presses "okay".
The threat actors are then observed enrolling new devices to the victim accounts to maintain persistence and pivot to deeper access within their targets.
Additional reading - NCSC.gov.uk
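As an added defensive example (not from the NCSC report or this newsletter), the following sketch detects the MFA-bombing-then-device-enrolment pattern described above over a constructed sign-in log; the field names and event labels are assumptions that would need mapping to your identity provider's log schema.

```python
"""Detection sketch for MFA fatigue followed by new-device enrolment.

Constructed sample data; event labels and fields are assumptions, not any
vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: (timestamp, user, source_ip, event)
SAMPLE_LOG = [
    ("2024-03-04T02:01:10", "alice", "203.0.113.7", "mfa_push_denied"),
    ("2024-03-04T02:01:40", "alice", "203.0.113.7", "mfa_push_timeout"),
    ("2024-03-04T02:02:15", "alice", "203.0.113.7", "mfa_push_denied"),
    ("2024-03-04T02:02:50", "alice", "203.0.113.7", "mfa_push_denied"),
    ("2024-03-04T02:03:30", "alice", "203.0.113.7", "mfa_push_approved"),
    ("2024-03-04T02:09:00", "alice", "203.0.113.7", "device_registered"),
    ("2024-03-04T09:15:00", "bob", "198.51.100.2", "mfa_push_timeout"),
    ("2024-03-04T09:16:00", "bob", "198.51.100.2", "mfa_push_approved"),
]

REJECTED = ("mfa_push_denied", "mfa_push_timeout")


def detect_mfa_fatigue(events, window=timedelta(minutes=10),
                       min_failures=3, enroll_window=timedelta(minutes=30)):
    """Return alerts as (user, ip, severity, detail).

    An approval preceded by at least `min_failures` rejected pushes from the
    same source IP within `window` is flagged as medium; a device
    registration within `enroll_window` after that approval raises it to high.
    """
    per_user = defaultdict(list)
    for ts, user, ip, event in sorted(events):  # ISO timestamps sort correctly
        per_user[user].append((datetime.fromisoformat(ts), ip, event))

    alerts = []
    for user, evs in per_user.items():
        for i, (ts, ip, event) in enumerate(evs):
            if event != "mfa_push_approved":
                continue
            failures = [e for t, p, e in evs[:i]
                        if p == ip and ts - t <= window and e in REJECTED]
            if len(failures) < min_failures:
                continue
            enrolled = any(e == "device_registered" and t - ts <= enroll_window
                           for t, p, e in evs[i + 1:])
            detail = f"{len(failures)} rejected pushes before approval"
            if enrolled:
                detail += ", new device enrolled afterwards"
            alerts.append((user, ip, "high" if enrolled else "medium", detail))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```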
North Korean threat group Lazarus exploited Windows zero-day that Microsoft knew about for 6 months (Windows is the supply chain threat)
Lazarus Group, a North Korean threat group, has been observed exploiting a previously unknown vulnerability in the Windows AppLocker driver (appid.sys), identified as CVE-2024-21338, to gain kernel-level access and disable security tools on Microsoft Windows.
The exploitation allowed Lazarus to use an updated version of the FudModule rootkit for enhanced stealth and functionality, including new techniques to evade detection and disable security protections like Microsoft Defender and CrowdStrike Falcon.
This incident underscores the advanced capabilities of state-sponsored threat actors and highlights the importance of applying security patches promptly to protect against complex threats.
YARA rules to help defenders catch this threat are available here.
Additional reading - The Record, ArsTechnica, Bleeping Computer
German military Webex conversation intercepted by Russia
An intercepted conversation involving high-ranking German military officials discussing the potential supply of Taurus cruise missiles, was leaked by Russia in an apparent attempt to stir divisions within Germany.
The conversation, hosted on Cisco's WebEx platform rather than secure military channels, raises concerns about the security of German military communications and is seen as part of a broader information war by Russia to undermine unity among its adversaries.
Additional reading - The Register, The Record
Cybersecurity Engineering
A weekly highlight on tools and other resources (often open-source) that we use, find useful or simply find interesting; check out our engineering section online at CyberSecurity.PH too!
- United States NSA guidelines on zero-trust designs - an excellent document from the NSA describing design considerations for deploying zero trust - defense.gov
- Safety CLI - Python dependency vulnerability scanner to detect packages with known vulnerabilities and malicious packages in local development environments, CI/CD, and production systems - https://pypi.org/project/safety/
Cybersecurity Vulnerabilities
Exploits now available for recent JetBrains TeamCity vulnerabilities
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains allows a remote unauthenticated actor to obtain administrative privileges.
The vulnerabilities, discovered by Rapid7 and reported to JetBrains, have been caught up in a controversy between the two companies over due process in announcing the issues - we believe the goal should be harm minimization.
Additional reading - The Record, Bleeping Computer, The Register
New Apple iOS zero-day vulnerabilities patched
Apple has released security updates to address two vulnerabilities that it states have been actively exploited in the wild.
- iOS Kernel (CVE-2024-23225)
- RTKit (CVE-2024-23296)
Additional reading - Apple.com, Bleeping Computer, The Hacker News
Got news or something you’d like us to mention, feel free to get in contact - [email protected]