CyberSecurity.PH #004
Zimbra zero-day impacts governments; WinRAR used to exploit embassies; Tools for cybersecurity practitioners
Welcome to CyberSecurity | PH weekly issue 004.
https://www.cybersecurity.ph/
Cybersecurity Reports
Threat actors target government organizations with Zimbra zero-day
Zimbra is a well-known email collaboration suite, often used by national government organizations that have data sovereignty requirements. Zimbra has been found to contain XSS vulnerabilities that threat actors have leveraged to steal authentication session tokens and then access the targeted users' email content.
Google's Threat Analysis Group (TAG) reported this week that it observed these vulnerabilities (now patched) being exploited against various governmental organizations earlier this year - Google Blog
A review of the public Shodan service highlights at least 182 organizations in the Philippines that use Zimbra, some of them government related. The details available via Shodan do not make clear whether these Zimbra instances are up to date - Shodan
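The Zimbra item above comes down to two defensive basics: never reflect untrusted input into a page without output encoding, and keep session tokens out of reach of page scripts. The following is an added illustration written for this issue, not Zimbra's code or the patched behaviour; the search handler, the cookie name and the request strings are all constructed for the example.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical session cookie name for this example (not Zimbra's).
SESSION_COOKIE = "session"


def render_search_vulnerable(query_string):
    """Reflects the 'q' parameter verbatim: a reflected-XSS pattern."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_search_hardened(query_string):
    """Same page, but the untrusted value is HTML-encoded before output."""
    q = parse_qs(query_string).get("q", [""])[0]
    # quote=True also encodes quotes, so the value is safe inside attributes.
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def session_cookie_header(token):
    """Build a Set-Cookie value that page scripts cannot read.

    HttpOnly keeps document.cookie from exposing the token to injected
    script, Secure confines it to TLS, and SameSite=Strict stops it being
    sent on cross-site requests.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = token
    morsel = jar[SESSION_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def contains_script_tag(markup):
    """Cheap check used below to show which rendering kept the raw tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    # Constructed request carrying a script tag in the search parameter.
    sample_query = "q=<script>x</script>"
    print(render_search_vulnerable(sample_query))
    print(render_search_hardened(sample_query))
    print(session_cookie_header("constructed-token-value"))
```

Output encoding removes the injection; the cookie flags limit what an injection that does slip through can reach, which is exactly the token theft the Zimbra campaign relied on.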
Yamaha Motor Philippines suffers ransomware attack
Yamaha Motor Philippines (YMPH) reports that a server managed by the local subsidiary was hit by ransomware and that local employee data was affected. Yamaha's public statement says the event was limited to a single server and did not affect other parts of the Yamaha organization.
While the event is frustrating news for Yamaha, they appear to have done a respectable job of communicating it in a timely manner, despite such disclosure being uncomfortable for any organization.
Additional reporting - The Record
Philippines media outlet MindaNews discovers hundreds of clone websites translated into Chinese directing visitors to gambling sites
Philippines media outlet MindaNews recently discovered that a clone of their website from September 2021 had been translated into Chinese, with ads and links directing visitors to football gambling sites.
An investigation by Qurium found that MindaNews is just one of hundreds of businesses and universities targeted in a similar way.
The event underscores the importance of content canaries, automated threat discovery and log monitoring for organizations with an online presence.
Additional reporting - The Register
Cybersecurity Threat Landscape
Citrix Bleed vulnerability targeted by nation-state and criminal hackers
The alert level on Citrix Bleed (CVE-2023-4966) is rising, with a joint cybersecurity advisory from multiple international cybersecurity agencies warning that the vulnerability is being actively exploited by the LockBit ransomware gang - CISA
We reported on this vulnerability some weeks ago; it affects unpatched NetScaler ADC and NetScaler Gateway appliances by forcing an application error state whose crash-dump information includes authentication material.
Additional reporting - The Record
AlphV threat gang uses compliance reporting as an extortion weapon
It has been reported that MeridianLink, a US-based provider of loan origination software, suffered a data-breach event at the hands of the criminal threat gang AlphV, which claims to have exfiltrated files and content.
AlphV then reported the incident to US regulators itself, in an effort to increase the pressure on MeridianLink and extort funds relating to the incident.
Additional reporting - DataBreaches.net and Ars Technica
State-backed threat actors exploiting WinRAR vulnerability to attack embassies
State-backed threat actors APT28 (Fancy Bear) and APT29 (Cozy Bear) have been detected exploiting a vulnerability (CVE-2023-38831) in the popular Windows archiving software WinRAR to target diplomats, particularly in Ukraine.
Of note, the campaign leverages Ngrok, a well-known reverse-tunnel provider, to obtain a static endpoint that serves as a back-channel to threat-actor infrastructure.
Additional reporting - Bleeping Computer
Cybersecurity Engineering
We skipped our security-tools section last week in favor of other news and promptly received feedback that readers want it back! So, back to the usual schedule of tools and other resources (often open-source) that we use, find useful or just find interesting.
- Shodan - well-known and valuable threat research resource; sign up for a free account for extended search features - https://www.shodan.io
- Caido - the new kid on the block for web application security testing, and one that will give Burp Suite a run for its money - https://github.com/caido/caido
- Sigma - if you understand what an intrusion detection system (IDS) does, then you'll appreciate Sigma, which lets you write vendor-neutral threat signatures over log data - https://github.com/SigmaHQ/sigma
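To make the Sigma entry concrete, here is an added, self-contained illustration of what a Sigma rule does when run over log events, using the Ngrok back-channel from the WinRAR item as the thing being hunted. This is our own toy evaluator and a rule we constructed for the example; it is not the SigmaHQ rule set, not the pySigma or sigma-cli tooling you would use in practice, and the log lines, the allowlisted path and the field names are all made up. The rule dict mirrors the structure of a Sigma YAML file, and the evaluator supports only the `contains`, `startswith` and `endswith` modifiers and the two condition shapes used here.

```python
import json

# Constructed rule, written as the dict yaml.safe_load would return for the
# equivalent Sigma YAML. Not a rule from the SigmaHQ repository.
RULE = {
    "title": "Ngrok tunnel client execution (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\ngrok.exe",
            "CommandLine|contains": ["tcp", "http"],   # list = OR
        },
        # Hypothetical allowlisted install path excluded from alerting.
        "filter": {"Image|startswith": "C:\\Program Files\\ApprovedTunnels\\"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events, one JSON object per line.
SAMPLE_LOGS = [
    r'{"ProcessId": 4411, "Image": "C:\\Users\\alice\\Downloads\\ngrok.exe", '
    r'"CommandLine": "ngrok.exe tcp 3389", "User": "CORP\\alice"}',
    r'{"ProcessId": 4412, "Image": "C:\\Windows\\System32\\notepad.exe", '
    r'"CommandLine": "notepad.exe notes.txt", "User": "CORP\\alice"}',
    r'{"ProcessId": 4413, "Image": "C:\\Program Files\\ApprovedTunnels\\ngrok.exe", '
    r'"CommandLine": "ngrok.exe http 8080", "User": "CORP\\svc-tunnel"}',
    r'{"ProcessId": 4414, "Image": "C:\\Temp\\NGROK.EXE", '
    r'"CommandLine": "NGROK.EXE tcp 22", "User": "CORP\\bob"}',
]


def _match_value(actual, modifier, expected):
    """Compare one field value against one expected value (case-insensitive,
    as Sigma string matching is)."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _match_selection(selection, event):
    """Every field in a selection map must match (AND); a list of values
    for a field matches if any value does (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule condition against one parsed event.
    Supports the shapes 'X' and 'X and not Y' only."""
    detection = rule["detection"]
    condition = detection["condition"]
    if " and not " in condition:
        sel, flt = condition.split(" and not ")
        return _match_selection(detection[sel], event) and not _match_selection(
            detection[flt], event
        )
    return _match_selection(detection[condition], event)


def scan(rule, log_lines):
    """Return the ProcessId of every event that triggers the rule."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if evaluate(rule, event):
            hits.append(event["ProcessId"])
    return hits


if __name__ == "__main__":
    for pid in scan(RULE, SAMPLE_LOGS):
        print(f"{RULE['title']}: ProcessId {pid}")
```

The point of the format is that the rule above is written once against generic field names and then converted by the Sigma tooling into the query language of whichever SIEM or log platform you actually run; the logic itself (selection, filter, condition) is what this toy reproduces.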
Got news or something you'd like us to mention? Feel free to get in contact - [email protected]