
Information security warning May 2024

17:01 06/05/2024



1. INFORMATION SECURITY NEWS

Warning: Vulnerability in WP-Automatic plugin being exploited to create Admin accounts on WordPress sites.

Warning: ArcaneDoor cyber attack campaign affects Cisco network devices.

APT attack campaign: ToddyCat attack group uses advanced tools to steal data.

The ToddyCat attack group was discovered using a variety of tools to infiltrate target systems and steal sensitive data. According to security agencies, the group has used these tools to collect data at scale from government and defense organizations in the Asia-Pacific region.

After a thorough analysis of ToddyCat's activities, it was found that the group uses tools such as LoFiSe and Pcexter to collect data and upload it to Microsoft OneDrive. In its latest campaign, ToddyCat has expanded its toolkit with software that exfiltrates data through tunnelling channels. This typically happens after the group has already obtained access to privileged accounts on the system.

Security experts recommend that administrators use firewalls to block the resources and IP addresses of cloud services that can be used to tunnel traffic. In addition, users should avoid saving passwords in web browsers, which reduces the risk to the organization's infrastructure if a workstation is compromised.

The list of recorded IoCs will be continuously updated at https://alert.khonggianmang.vn/

Attackers are exploiting a serious security vulnerability in the ValvePress Automatic (WP-Automatic) plugin for WordPress to take control of websites. The vulnerability, identified as CVE-2024-27956 (CVSS Score: 9.9 – Critical), affects all plugin versions older than 3.92.0. It has been patched in plugin version 3.92.1, released on February 27, 2024, although the fix is not mentioned in the release notes. This is a SQL injection vulnerability that allows attackers to create an account with admin rights, upload malicious files and thereby take full control of the website.

The vulnerability exists because the plugin's user authentication check can be bypassed, allowing crafted requests to execute SQL queries directly against the website's database.
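One way a site administrator can check for the outcome described above (administrator accounts that were created without authorization), added here as an example and not part of the original bulletin: the script builds a constructed, in-memory copy of the WordPress wp_users and wp_usermeta tables in SQLite and lists administrator accounts registered within a chosen window. The table prefix, sample logins and registration dates are assumptions.

```python
import sqlite3

# Constructed sample rows mimicking a subset of the WordPress core tables.
# WordPress stores a user's roles as a serialized PHP array in wp_usermeta
# under meta_key '<prefix>capabilities' (here the default prefix 'wp_').
SAMPLE_USERS = [
    (1, "siteowner",   "2021-03-10 09:12:00"),  # long-standing legitimate admin
    (2, "editor_jane", "2023-07-01 14:20:00"),  # editor, not an admin
    (3, "xtw1838",     "2024-05-03 02:47:31"),  # constructed: admin created recently
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """Create an in-memory database with the constructed WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, "
                 "meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn


def find_recent_admins(conn, now, days=7):
    """Return (ID, user_login, user_registered) for administrator accounts
    registered within `days` days before `now` ('YYYY-MM-DD HH:MM:SS').
    Dates are compared as strings, which is valid for this fixed format."""
    cutoff = conn.execute("SELECT datetime(?, ?)", (now, f"-{days} days")).fetchone()[0]
    return conn.execute(
        """
        SELECT u.ID, u.user_login, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND u.user_registered >= ?
        ORDER BY u.user_registered DESC
        """,
        (cutoff,),
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_recent_admins(db, "2024-05-06 17:01:00"):
        print("review newly created administrator:", row)
```

Any administrator the site owner does not recognise in the output should be treated as a sign of compromise and investigated together with the web server logs.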

At the same time, the vulnerability CVE-2024-32514 (CVSS Score: 9.9) was also announced. It exists in the Poll Maker plugin for WordPress and allows an attacker with subscriber access or higher to upload arbitrary files to the server, leading to remote code execution. At the time of writing, this vulnerability has not been patched.

Warning: ArcaneDoor cyber attack campaign affects Cisco network devices.

The ArcaneDoor cyberattack campaign affects Cisco network devices. Once the attackers gain access to these devices, they can reroute or modify network traffic, monitor network communications, and perform unauthorized actions.

Analysts found that the attack group deploys malicious code on affected devices to achieve remote code execution. The two vulnerabilities exploited are:

CVE-2024-20353 (CVSS Score: 8.6 – High) exists in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software and allows an attacker to cause a denial of service.

CVE-2024-20359 (CVSS Score: 6.0 – Moderate) exists in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software and allows an attacker to execute arbitrary code with root privileges.

2. WEAKNESSES AND VULNERABILITIES

During the week, NCSC's technical system recorded the TOP 10 notable vulnerabilities: vulnerabilities of high severity, or vulnerabilities that are being exploited in real environments by attack groups.

Notably, there are 03 vulnerabilities affecting Cisco and CrushFTP products, specifically as follows:

CVE-2024-20359 (CVSS Score: 6.0 – Moderate): A security vulnerability exists in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that allows an attacker to execute arbitrary code with root privileges. Exploit code is currently available and the vulnerability is being exploited in the wild.

CVE-2024-20353 (CVSS Score: 8.6 – High): A security vulnerability exists in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software that allows attackers to perform denial of service attacks. Exploit code is currently available and the vulnerability is being exploited in the wild.

CVE-2024-4040 (CVSS Score: 10 – Critical): A server-side template injection vulnerability exists in CrushFTP versions before 10.7.1 and 11.1.0 on all platforms, allowing an attacker to read files outside the VFS sandbox, bypass authentication to gain administrative privileges and execute code remotely on the server. Exploit code is currently available and the vulnerability is being exploited in the wild.

List of TOP 10 notable vulnerabilities of the week


3. DATA, STATISTICS

DRDoS Attacks: During the week, 40,172 devices (down from 40,763 last week) were identified that could potentially be recruited as sources of DRDoS attacks.

Web Attacks: During the week, there were 157 attacks on Vietnamese websites/portals: 117 phishing attacks and 40 malware attacks.

List of malicious IP/domain names with many connections from Vietnam


4. PHISHING ATTACKS AGAINST VIETNAMESE USERS

During the week, 293 scam reports were submitted by Vietnamese Internet users to the National Cyber Security Monitoring Center (NCSC) via the system at https://canhbao.khonggianmang.vn. Inspection and analysis found many cases of scams impersonating bank websites, e-commerce sites and similar services.

Below are some cases where users need to increase vigilance.


For detailed report, see: 2024_CBT17.pdf
