Wen Bin K.

CRIMSON AND CLOVER: An unnamed high-profile government organization (not disclosed yet at press time, but it's probably the Philippines,) in SE Asia emerged as the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace. The attack is notable for the use of undocumented #malware like PocoProxy as well as an updated version of EAGERBEE, alongside other known malware families like NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (PhantomNet), and EtherealGh0st. Other indicators of the campaign include the extensive use of DLL side-loading and other unusual tactics to stay under the radar. PRC cyber threat activity "outpaces other nation-state cyber threats in volume, sophistication and the breadth of targeting," the agency said, calling out their use of compromised (SOHO) routers and living-off-the-land techniques to conduct cyber threat activity and avoid detection. https://lnkd.in/gXq4tpHR #auguryit #cysec #chinatech

22

1 Comment

A function `fnBrowserDetect` in this kit detects the browser used by the victim and then inserts a fake top bar. The goal: to trick the victim into trusting the fake URL bar and so think they're on the police.gov.sg website The line of death still relevant as ever: https://lnkd.in/esf4A786

13

The 📈 fastest growing public cybersecurity companies, sorted by YoY growth rate 🚀  1. 41% SentinelOne  2. 37% Zscaler  3. 34% CrowdStrike  4. 30% CyberArk  5. 26% Datadog  6. 20% Palo Alto Networks  7. 15% Tenable  8. 14% --> market average per Gartner  9. 14% Fortinet 10. 12% Qualys 11. 7% Varonis 12. 5% Check Point Software 13. 1% Cisco Security 14. -7% Radware Global cybersecurity spend for 2024 is around $215B (2023: $188B) according to Gartner, with an annual growth of 14%. So if a cybersecurity company is growing faster than the market, they're either coming from a lower base (e.g. SentinelOne), or doing something right with their product and GTM, or both. Conversely, if you're growing slower than the market (looking at you, Cisco), you either are coming from a high base or your product portfolio needs some updating. SentinelOne is on a tear with 41% YoY growth, and not even that highly valued compared to its peers. 79% non-GAAP gross margins. Might be the bargain of the year below $21 with the pullback the market experienced in the past few days. What happens to Crowdstrike remains to be seen. At $222, the stock is 44% down from their 52-week high ($398). If you loved CRWD at $300 or even $350, you must probably love them now at $222. Cisco is only growing 1% YoY. From a market cap perspective, Cisco is as large as the next three companies (PANW, CRWD, FTNT) combined. Cisco is playing the acquisition game, adding cyber companies to their portfolio and carving out innovation to Outshift by Cisco so that smaller companies / ideas can grow without the burden of corporate overhead. I think Datadog has to make a call how they're going to double down on security, which they called out as a growth area in their annual investor event. While I do think that IT and security team are growing together more closely, they are still separate buyers, and Datadog doesn't have the CISO relationships the other companies have. PANW's platformization strategy has somewhat played out in the market narrative so far. Still far off though from the 52-week high at $380. PANW uses the metric "NGS ARR" (next-gen security ARR) to annualize revenue from active contracts from Prisma and Cortex. Goal is to reach $15B NGS ARR in FY30! Everyone is feeling the competition from Wiz, running at $350M in ARR in February, and a goal of $1B in ARR. They might be able to reach that goal within the next 24 months if they keep growing like they have. Back to the growth rate. To grow faster to the market, I think we're looking at more acquisitions of cybersecurity startups. Either tuck-in technology acquisitions, or fast-growing ARR ($20M+). This applies to all companies, since much of the innovation comes from the smaller companies, in particular in / with AI. Fun times!

21

6 Comments

I'm sharing a critical alert from the Singapore Cyber Emergency Response Team (SingCERT) regarding a phishing scam targeting the public. Scammers are impersonating officers from the Cyber Security Agency of Singapore (CSA) and the Police to trick victims into believing they are facing legal action. The Scam: * You receive a fraudulent email claiming a court order has been filed against your IP address due to illegal activities. * The email threatens legal proceedings if you don't respond within 24 hours. Don't Fall for It! Here's How to Spot the Scam: * CSA and SPF will never: * Ask you to transfer money. * Request your banking, SingPass, or CPF information. * Ask you to click on suspicious links. * Request you to download software or apps from unofficial sources. What to Do: * If you receive such an email: * Do not respond or follow any instructions. * Report the incident to SingCERT at [email protected] or SingCERT Incident Reporting Form. * Always verify the authenticity of emails: * Contact the agency directly using official channels (phone numbers or email addresses listed on their website). By staying vigilant and informed, we can protect ourselves from these cyber threats. Let's spread the word and keep our online community safe! #cybersecurity #phishing #onlinesafety #singcert https://lnkd.in/g5iPbvf4

58

🚨 Breaking News: Major Cyberattack on BingX Crypto Platform! 🚨 Last Friday, Singaporean crypto platform BingX faced a massive cyberattack, losing over $44 million in a sophisticated breach. Blockchain security firms detected the attack, prompting BingX to implement emergency measures, including asset transfers and a temporary suspension of withdrawals. 🛡️ 🔍 Key Details: Losses: Over $44 million stolen, with estimates reaching up to $48 million. Response: BingX froze $10 million and is working with SlowMist and Chainalysis to track the stolen funds. Assurance: BingX will fully compensate for the losses with their own capital. Withdrawals and deposits are gradually being restored. 💡 Threats Involved: Cybersecurity Risks: Increased vulnerability to sophisticated hacking techniques. Financial Stability: Potential loss of investor confidence in crypto platforms. Regulatory Scrutiny: Heightened regulatory measures and compliance costs. 🌍 Economic Impact: Global Economy: Such attacks can shake the global financial system, leading to increased volatility in cryptocurrency markets. National Economy: For countries like India, a similar attack could disrupt financial markets, affect investor sentiment, and lead to significant economic losses. The Indian economy, with its growing digital financial ecosystem, could face severe repercussions, including loss of trust in digital transactions and increased regulatory burdens. 🔗 Factors Involved: Security Infrastructure: Robust cybersecurity measures are crucial to prevent such breaches. Regulatory Framework: Strong regulations and compliance standards can mitigate risks. Public Awareness: Educating users about cybersecurity best practices is essential. Stay tuned for more updates as BingX continues its recovery efforts. Let’s work together to build a safer digital financial future! 💪🔒 #CyberSecurity #CryptoNews #BingX #Blockchain #DigitalEconomy #IndiaEconomy #FinancialSecurity

1

Phone companies MUST take preventative measures against SIM-swapping attacks. SIM-swapping is when an attacker social engineers a phone company to connect your phone number to a device that they control. This way they can intercept text messages, gain access to your private info, and more. These attacks can have devastating consequences, leading to identity theft and financial loss. At the same time, we must be vigilant about our online presence. Avoid sharing too much personal information that could be exploited by cybercriminals. Let's work together to create a safer digital environment. Thank you Brian Krebs for sharing this story. Please go check it out. #CyberSecurity #SIMSwapping #DataProtection #OnlineSafety

3

If you think that crime is not evolving, you are wrong. It's getting very professional, state sponsored in some cases. "Experts Identify 3 Chinese-Linked Clusters Behind Cyberattacks in Southeast Asia" ⚠ With the rush toward fake promises of digital transformations, the economy is getting hammered and destroyed by threat actors ⚠Deceived by big tech and the cloud, poorly understood risk, not only companies are devastated by insider threat from withing third parties like extremely invasive public cloud, they are also bitten by professional teams and mercenaries. ➡ Don't like it ? Well, keep burying your head and get high on digital transformation and public cloud BS. Wake up will be painful. connected=hacked #cybersecurity https://lnkd.in/e3TDdt7d

9

4 Comments

Date: Apr 17, 2024 Industry: Oil & Gas Country: Indonesia Threat Actor: threatbear A threat actor claims to have obtained a database dump from an Indonesian oil and gas company. The dump reportedly contained data from around 22,300, including their names, email addresses, and passwords (hashed with MD5), as well as data from 790 admin users, 327 PertaShop users, and other types of users. #DataBreach #ThreatIntelligence #SecurityAnalyst #CyberSecurity #DataLeaks #SecurityAwareness #BreachAlert #PrivacyBreach

6

I'm thrilled to share that the Cyber Security Agency of Singapore (CSA) has published the Safe App Standard Version 2.0 (SAS 2.0)! This updated standard, a significant advancement from the one released in January 2024, aims to bolster the security posture of mobile applications in Singapore. SAS 2.0 introduces four new key areas: * Network communication * Cryptography * Code quality and exploit mitigations * Platform interactions These enhancements provide app developers and owners with more comprehensive guidelines to fortify the security of their mobile apps. By adopting SAS 2.0, we can collectively elevate the security of Singapore's mobile app ecosystem. Let's leverage this opportunity to safeguard our users and promote a more trustworthy digital environment. #cybersecurity #Singapore #mobileapps #SAS2.0 https://lnkd.in/gRyE5ugj

135

Stuck in Manila due to cancelled flights, so in today’s Poolside Thoughts - the criticality of understanding the fallacy of security through obscurity when it comes to machine learning attacks. To train a model, you need two things: inputs and desired outputs. Your 'black box' system provides the trained output for any input I provide. These input-output pairs allow me to train a surrogate model under my control, which I can then attack without your knowledge. Once I’ve successfully attacked my surrogate model, the transferability property of machine learning means my attack will likely work on your original model as well. In other words, if I can use your ML system, I can replicate it. If I can replicate it, I can attack it. And my attacks on my model will transfer to yours. A hat tip to the excellent book “Not with a Bug, But with a Sticker” for clarifying my understanding. #MachineLearning #CyberSecurity #AI #Transferability #SecurityThroughObscurity #F5Security #F5

38

3 Comments

There have been recent reports of walkie-talkies exploding, similar to earlier incidents involving pagers. This could be part of a psychological operation (Psyops) aimed at undermining trust in these devices. This situation is similar of the Vietnam War and Project Eldest Son, a covert U.S. military operation. In this operation, the U.S. secretly sabotaged ammunition intended for use by North Vietnamese troops, inserting doctored rounds into supply caches. These tampered rounds were designed to explode when fired, causing severe injury or death to the user. The primary goal, aside from physical damage, was psychological. It aimed to make Vietnamese troops question the safety of their ammunition, while also creating mistrust between Vietnamese forces and their Chinese suppliers, who were providing the weaponry. Hezbollah, for instance, has used pagers instead of smartphones to reduce the risk of surveillance. Unlike mobile phones, pagers do not continuously broadcast signals, making them harder to track. The explosions of walkie-talkies and pagers could have similar psychological effects—not only creating fear and doubt about the safety of these devices but also resulting in mistrust between users and their suppliers.

260

19 Comments

>>Overview: CVE-2024-4577 is a critical vulnerability in PHP affecting CGI configurations, allowing attackers to execute arbitrary commands via crafted URL parameters. >Affected Versions: PHP versions prior to 7.4.29 and 8.0.19 on Windows using php-cgi. >Attack Vector: Attackers can exploit this by sending specially crafted requests to the PHP CGI script, injecting malicious parameters to execute arbitrary commands. This can lead to full system compromise. >Mitigation: Upgrade to the latest PHP version. Sanitize and validate input parameters. Use secure configuration settings to limit CGI parameter handling.

1

Pager bombs. some discussion "is it is it not a cyber attack?" Some claim as the trigger was via "online" method then this = cyber attack. So question: are IEDs triggered via cell phone Xg considered a cyber attack then? Not in my opinion.

27

23 Comments

Day 90/100 Bogus npm Packages Used to Trick Software Developers into Installing Malware. A recent social engineering campaign called DEV#POPPER, believed to be orchestrated by North Korean threat actors, is targeting software developers with fake npm packages during job interviews to trick them into downloading a Python backdoor. Securonix researchers tracking the campaign suggest that the threat actors are using fraudulent interviews to encourage developers to download and run software from seemingly legitimate sources like GitHub. However, these downloads contain a malicious Node JS payload that compromises the developers' systems. The campaign first came to light in November 2023 when Palo Alto Networks Unit 42 reported on "Contagious Interview," where developers were tricked into installing malware like BeaverTail and InvisibleFerret through the interview process. These malicious packages on the npm registry aim to steal sensitive information from compromised developer systems. While similar to another North Korean-linked offensive campaign, Operation Dream Job, Contagious Interview primarily targets developers through fake identities on freelance job portals, leading to malware distribution. Operation Dream Job, associated with the Lazarus Group, has been targeting professionals in various sectors like aerospace, cryptocurrency, and defense with malicious files posing as job offers since early 2020. The attack chain described by Securonix involves a ZIP archive from GitHub sent as part of an interview process. Inside the file is an npm module containing a malicious JavaScript file, BeaverTail, which steals information and loads a Python backdoor, InvisibleFerret, from a remote server. The backdoor enables system information gathering, command execution, file enumeration, clipboard and keystroke logging, among other malicious activities. These campaigns highlight the evolving tactics of North Korean threat actors who continue to refine their cyber arsenal and focus on social engineering attacks. Securonix researchers stress the importance of maintaining a security-focused mindset during high-stress scenarios like job interviews, as attackers exploit these situations to their advantage. reference:- https://lnkd.in/gVeNKc33 #100daysofcybersecurity #100dayschallenge #100dayscybersecuritychallenge #100daysoflearning #cybersecurity #cybersecurityawareness #malware

29

As a cybersecurity professional, I'm alarmed by the recent surge in phishing scams targeting online marketplace users in Singapore. The Straits Times reports a staggering 594 victims have lost a combined S$13 million since April in these schemes. These scams are increasingly sophisticated, with fraudsters expertly impersonating egitimate sellers and platforms They prey on Insuspecting buyers, often offering too-good-to-be-true deals that lead to fraudulent payment portals and ultimately, financial loss. Here's how you can protect yourself: -Be wary of deals that seem too good to be true. -Always scrutinize the seller's profile and reviews. -Never make payments outside the official marketplace platform -Look for secure website connections (https://). . Report any suspicious activity to the platform and authorities immediately. Let's work together to combat these scams and create a safer online marketplace for everyone #cybersecurity #phishing #onlinesafety #onlinemarketplace #scamawareness

38

1 Comment

#DFIRInvestigation is a part of the process of an IR engagement. It requires sufficient evidence (usually collected from the logs of compromise systems) and hard-core knowledge to identify the possible root cause and attack path(s) on a compromised network. Of course, it is a part of cyber resilience, but using DFIR as an elite term to claim it can help organizations have cyber resilience and “cherry-pick” a root cause may not be the right way to enhance it. Thanks for sharing the #ADXFlowmaster. I usually upload some collected logs to Splunk to locate the “hidden gem” in past engagements; I can try this one.

19

Alright, we have significant update over VXCON topics which includes Web3 and Mobile Security in Banking. I will update Mobile security research by Thanh Nguyen from Verichains later, this is another amazing technical one. These are main dish for technical engineers and Infosec people. TOPIC: REDEFINE REVERSE ENGINEERING IN WEB3 by KaiJern Lau Certik, Redefine Reverse Engineering In Web3 Reverse engineering has long been an established discipline in the computer science realm, with a rich history of exceptional frameworks and tools crafted by some of the most talented individuals in the field. Yet, as we venture into the era of Web3, the foundational technologies of the Ethereum Virtual Machine (EVM) and Web Assembly (WASM) have revealed a stark gap in the utility of existing tools. While current available emulators for EVM and WASM excel for development purposes, they fall short in the realm of reverse engineering, posing a significant challenge and deterring seasoned reverse engineers from entering the Web3 domain. In this presentation, we are excited to unveil a groundbreaking framework designed to transcend these limitations. Our innovative framework is engineered to support an array of virtual machines, seamlessly integrating the robustness of traditional x86 reverse engineering techniques with the dynamic needs of Web3 environments. We will showcase the full potential of this framework, highlighting its versatility and the ways in which it revolutionizes the reverse engineering process for blockchain-based architectures. Furthermore, we will demonstrate a suite of sophisticated tools developed atop this framework. These tools not only facilitate a deeper and more intuitive analysis of smart contracts and decentralized applications but also mark a significant leap forward in bridging the gap between traditional reverse engineering expertise and the burgeoning Web3 landscape. Join us as we embark on a journey to redefine the boundaries of reverse engineering in the age of blockchain, and open up new avenues for innovation and security in Web3. Main conference agenda is here, hopefully we can get your support, simply clicking the top-right corner menu -> Ticket https://vxcon.hk/ VX Research Limited

3

🔊 Muddling Meerkat's DNS Manipulation A newly identified cyber activity cluster, dubbed "Muddling Meerkat," linked to Chinese state-sponsored operations, has been manipulating DNS systems globally. Key Points: 🔗 Unusual DNS Activity: Muddling Meerkat has been observed altering MX records through the Great Firewall, marking a sophisticated shift in how China’s censorship system is employed to probe global networks. 🔍 Stealth and Strategy: The activity involves injecting fake DNS responses, a tactic that could mislead and misdirect communication channels, such as emails. This manipulation demonstrates an advanced level of interference and network testing capability. #Cybersecurity #DNSManipulation #GlobalSecurity #ChinaCyberOps

7