CyberSecurity.PH #006
Spy loan malware; Fake WordPress security advisories; Shodan search dorks; Never-ending Atlassian critical vulnerabilities
Welcome to another CyberSecurity.PH weekly - issue 006.
https://www.cybersecurity.ph/
Philippines
“Spy Loan” Android malware on Google Play with 12+ million downloads
Spy Loan malware is a generic term for apps that promise fast, easy personal loans and lead to real-world financial abuse and victimization. Malware operators have reportedly been publishing authentic-looking personal-loan apps on Google Play (and other stores) that misuse data extracted from victims' mobile devices; the data is collected through the excessive device permissions and privileges the app requests when it is installed.
This data is then used to extort victims into excessive payment obligations that they never agreed to in the first place.
This is a particular threat in the Philippines, since short-term loans outside regulated financial institutions are still common, installing an app is trivial, and there are few warnings or prevention mechanisms to help people avoid this common scenario.
Additional reporting: Bleeping Computer
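The tell for this class of app is the permission list: a loan application needs network access and little else, so a manifest that also asks for contacts, SMS, call logs or precise location is asking for the data later used for coercion. The script below is an added example (not code from the original newsletter or from any of the reports it cites) that parses a decoded AndroidManifest.xml, such as the text form apktool produces, and flags permissions that grant access to coercion-grade data. The manifest, the package name com.example.quickloan and the permission allowlist are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by the android: attribute prefix in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{" + ANDROID_NS + "}name"

# Permissions that expose data an abusive lender can use for coercion
# (contacts, call logs, SMS, precise location, stored media, microphone, camera).
# Applying for a loan needs none of them; a "loan" app asking for them is a red flag.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifest for a hypothetical loan app (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="QuickLoan"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """All permission names declared with <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)]


def sensitive_permissions(manifest_xml: str) -> list:
    """Sorted subset of the requested permissions that grant access to coercion-grade data."""
    return sorted(p for p in requested_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS)


def risk_summary(manifest_xml: str) -> dict:
    """Package name plus the flagged permissions, for a quick triage report."""
    root = ET.fromstring(manifest_xml)
    flagged = sensitive_permissions(manifest_xml)
    return {"package": root.get("package"), "flagged": flagged, "count": len(flagged)}


if __name__ == "__main__":
    summary = risk_summary(SAMPLE_MANIFEST)
    print(f"{summary['package']}: {summary['count']} sensitive permission(s) requested")
    for perm in summary["flagged"]:
        print("  -", perm)
```

The check is deliberately coarse: it does not prove an app is abusive, but a lending app that trips it has no legitimate reason for those grants, which is exactly the question a user or a store reviewer should be asking before installing.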
Cybersecurity Threat Landscape
Thousands of Microsoft Exchange servers open to attack
Bleeping Computer reports that 20k+ Microsoft Exchange hosts are running with known vulnerabilities, placing their organizations at significant risk.
A Shodan search for Philippines-based Microsoft Exchange servers returns at least 140 servers. Many of these are reported to have known vulnerabilities such as CVE-2021-31206 (a remote-code-execution vulnerability) - Shodan
Android update for zero-click remote-execution vulnerability
Google announced on Monday a patch update to address CVE-2023-40088, a zero-click remote-code-execution vulnerability that does not require additional privileges to exploit - Android.com
Android-based handsets are common in the Philippines. If you use one, it's time to get busy with updates for your handset brand; be sure to use the official brand update source.
State-backed threat group APT28 still exploiting Microsoft Outlook
Microsoft's Threat Intelligence team has again reported the state-backed threat group APT28 (Fancy Bear, Strontium) exploiting CVE-2023-23397, which causes a victim's email client to send authentication information (NTLM hashes) to threat actors without any user interaction.
Network administrators are reminded that they should consider blocking Microsoft protocols that use NTLM-based authentication at their network edges by preventing traffic on ports such as 135, 137, 445, 636, 3268, 3269 and 3389.
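Blocking those ports at the edge is the prevention; the matching detection is to look for internal hosts that are still trying to reach them outside the network, which is also how you find out whether the block is actually in place. The script below is an added example (not from the newsletter or from Microsoft) that runs that check over flow records. The flow records, the internal address ranges and the tuple layout (source, destination, destination port, protocol) are constructed for the example; the port list is the one given above.

```python
import ipaddress
from collections import Counter

# Ports named above as carriers of NTLM-capable Microsoft protocols
# (RPC endpoint mapper, NetBIOS name service, SMB, LDAPS, global catalog, RDP).
NTLM_PORTS = {135, 137, 445, 636, 3268, 3269, 3389}

# Address ranges this hypothetical organization treats as internal; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic): (source, destination, dest port, protocol).
SAMPLE_FLOWS = [
    ("10.1.2.34", "10.1.2.10", 445, "tcp"),        # SMB to an internal file server: expected
    ("10.1.2.34", "203.0.113.77", 445, "tcp"),     # SMB leaving the network: flag
    ("10.1.2.34", "203.0.113.77", 3389, "tcp"),    # RDP leaving the network: flag
    ("10.1.2.51", "198.51.100.9", 443, "tcp"),     # ordinary HTTPS: fine
    ("10.1.2.51", "198.51.100.9", 135, "tcp"),     # RPC endpoint mapper outbound: flag
    ("10.1.2.60", "192.0.2.200", 137, "udp"),      # NetBIOS name service outbound: flag
    ("10.1.2.60", "192.168.5.5", 3268, "tcp"),     # global catalog query to an internal DC: expected
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_outbound_ntlm(flows):
    """Flows to an external destination on a port that carries NTLM-capable protocols."""
    return [f for f in flows if f[2] in NTLM_PORTS and not is_internal(f[1])]


def sources_by_hit_count(flows):
    """Which internal hosts are generating the flagged flows, most frequent first."""
    return Counter(f[0] for f in flag_outbound_ntlm(flows)).most_common()


if __name__ == "__main__":
    for src, dst, port, proto in flag_outbound_ntlm(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}:{port}/{proto} NTLM-capable port leaving the network")
    print("hosts:", sources_by_hit_count(SAMPLE_FLOWS))
```

Note that the internal ranges are an explicit list rather than Python's `is_private`, which also treats the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private and would silently hide the sample hits; in production, feed it your own address plan.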
Fake WordPress security advisories lead to a malicious backdoor
Well-written, authentic-looking advisories purporting to come from WordPress are being reported by two threat intelligence teams - Wordfence and Patchstack
The advisories claim that a fictitious vulnerability, CVE-2023-45124, has been detected on the victim's WordPress site and provide a simple one-click link to "solve" the issue. The link(s) lead to a malicious WordPress plugin.
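The practical check on an advisory like this is where its links actually go, because the wording is engineered to look right while the host is not. The script below is an added example (not from the newsletter, Wordfence or Patchstack) that pulls the URLs out of an advisory and classifies each by the host a browser would contact, using a suffix match so that lookalike hosts such as wordpress.org.something.example and userinfo tricks such as wordpress.org@other.example do not pass. The advisory text, the hosts and the allowlist are constructed for the example; the CVE id is the fictitious one from the reports. Confirming a cited CVE against the official CVE list is a separate manual step the block does not perform.

```python
import re
from urllib.parse import urlparse

# Hosts (and their subdomains) from which genuine WordPress material is served.
# This allowlist is an assumption for the example; extend it to your own trusted sources.
TRUSTED_SUFFIXES = ("wordpress.org",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of a fake advisory (fabricated for the example; the CVE id is the
# fictitious one named in the reports above).
SAMPLE_ADVISORY = """Subject: Urgent: CVE-2023-45124 detected on your WordPress site
Our scan found CVE-2023-45124 on your installation. Click to fix it now:
https://wordpress.org.security-patch.example/fix-plugin.zip
Reference: https://wordpress.org/plugins/
Mirror: https://wordpress.org@downloads.example/fix-plugin.zip.
"""


def extract_urls(text: str) -> list:
    """All http(s) URLs in the text, with trailing sentence punctuation removed."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def host_is_trusted(host: str) -> bool:
    """Exact match or true subdomain of a trusted host; a lookalike prefix does not count."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_links(text: str) -> dict:
    """Map each URL to 'trusted' or 'untrusted' based on the host the browser would contact."""
    result = {}
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""  # hostname drops userinfo such as 'wordpress.org@'
        result[url] = "trusted" if host_is_trusted(host) else "untrusted"
    return result


def untrusted_links(text: str) -> list:
    """Just the URLs that point somewhere outside the allowlist."""
    return [u for u, verdict in classify_links(text).items() if verdict == "untrusted"]


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_ADVISORY).items():
        print(f"{verdict:9s} {url}")
```

A genuine WordPress notice does not ship a one-click plugin download from a third-party host; any advisory where the "fix" link lands in the untrusted list should be treated as the lure it is and the plugin never installed.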
When will the critical Atlassian security advisories stop?
Atlassian is again reporting more critical-level vulnerabilities in its core product offerings. The latest batch of four carry CVSS scores between 9.0 and 9.8, making them all critical-level issues.
- CVSS 9.8 - RCE Vulnerability in Assets Discovery - CVE-2023-22523
- CVSS 9.8 - SnakeYAML library RCE Vulnerability impacts Multiple Products - CVE-2022-1471
- CVSS 9.6 - RCE Vulnerability in Atlassian Companion App for macOS - CVE-2023-22524
- CVSS 9.0 - RCE Vulnerability In Confluence Data Center and Confluence Server - CVE-2023-22522
Cybersecurity Engineering
A weekly highlight of tools and other resources (often open-source) that we use, find useful or are just plain interesting
- AWS Kill Switch - an AWS Lambda function that makes it easy for security teams to quickly lock an AWS account or service when dealing with security incidents - https://github.com/secengjeff/awskillswitch
- Shodan Dorks - a lovely list of search operators and hints for creating advanced Shodan queries - https://github.com/lothos612/shodan
- Kali Linux - you really should already know about Kali. The cool kids use Kali Linux for good reason: it's an open-source OS with a wide range of security tools already installed and ready to use. The final release for 2023 just dropped; get it while it's hot - https://www.kali.org/get-kali
Got news or something you'd like us to mention? Feel free to get in contact - [email protected]