The Ntirety Weekly Threat Intelligence Report: August 5, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Threats to Watch

  • DigiCert: DigiCert urges critical infrastructure operators to request a delay if they cannot reissue their certificates as required by an ongoing certificate mass-revocation process announced on Tuesday. The company is mass-revoking TLS certificates because of a non-compliance issue with domain control verification.
  • Facebook Ads: Facebook users are the target of a scam e-commerce network that uses hundreds of fake websites to steal personal and financial data using brand impersonation and malvertising tricks. These fraudulent sites were accessible only through mobile devices and ad lures, a tactic aimed at evading automated detection systems.
  • Python: Stack Exchange has been abused to direct unsuspecting developers into bogus Python packages capable of draining their cryptocurrency wallets. The latest campaign has specifically singled out cryptocurrency users involved with Raydium and Solana.
  • TgRat: Researchers have found a sophisticated Linux-based RAT called TgRat, which is controlled through a private Telegram chat so that its traffic blends in with legitimate messaging. The malware, which allows cybercriminals to remotely control infected machines, exfiltrate data, and execute commands, was initially discovered as a Windows version but is now targeting Linux environments.
  • Apple: Apple has expanded its security efforts by backporting a critical zero-day patch to older Mac models running macOS Monterey 12.7.6. The vulnerability (CVE-2024-23296) was previously addressed in March for newer devices but is now confirmed to have been actively exploited in the wild. The zero-day flaw stems from a memory corruption issue within Apple’s RTKit.
  • Tycoon 2FA: A sophisticated phishing campaign using the Tycoon 2FA phish-kit has been identified leveraging Amazon Simple Email Service and a series of high-profile redirects to steal user credentials. The email contains two empty PDF files as attachments and a message purporting to come from Docusign.
  • Azure Outage: Microsoft confirmed today that a 9-hour outage on Tuesday, which took down and disrupted multiple Microsoft 365 and Azure services worldwide, was triggered by a DDoS attack. The published mitigation statement has not yet linked the attack to a specific threat actor.
  • VMware: CISA has ordered U.S. Federal Civilian Executive Branch agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks. VMware fixed the flaw (CVE-2024-37085) on June 25. The flaw allows attackers to add a new user to the ‘ESX Admins’ group, whose members receive full administrative privileges on the host.
  • Specula: By exploiting CVE-2017-11774, Outlook can be turned into a C2 beacon that remotely executes code through a custom Outlook Home Page rendered with WebView. The framework used in these attacks has been named “Specula.”
  • North Korea-Linked Malware: The threat actors behind an ongoing malware campaign targeting developers have demonstrated new malware tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEV#POPPER, has been linked to North Korea and has been found to have singled out victims across South Korea, North America, Europe, and the Middle East.
  • LODEINFO and NOOPDOOR: Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while, in some cases, remaining under the radar. The campaign is being tracked under the name Cuckoo Spear and has been attributed to APT10.
  • Acronis: Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets attackers bypass authentication on vulnerable servers using default credentials. Unauthenticated attackers can exploit the vulnerability (CVE-2023-45249) in low-complexity attacks that don’t require user interaction to gain remote code execution on unpatched ACI servers.
  • July Windows: Microsoft has confirmed that July’s security updates break remote desktop connections in organizations where Windows servers are configured to use the legacy RPC over HTTP protocol in the Remote Desktop Gateway.
  • WhatsApp: A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. For the attack to be successful, Python needs to be installed on the recipient's machine. Attackers could bypass security warnings and achieve remote code execution when a Python .pyzw file is sent through the messaging client.
  • Proofpoint: An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint’s defenses to send millions of messages spoofing various popular companies like BestBuy, IBM, Nike, and Walt Disney, among others. The campaign has been given the name EchoSpoofing.
  • Gh0stGambit: The remote access trojan known as Gh0st RAT has been observed being delivered by an “evasive dropper” called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users. These infections stem from a fake website (“chrome-web[.]com”) serving malicious installer packages masquerading as Google’s Chrome browser, indicating that users searching for the software on the web are being singled out.
  • CrowdStrike: CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers to German customers as part of a highly targeted campaign. The company said it identified an unattributed spear-phishing attempt to distribute an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.
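The VMware item above turns on a single, auditable event: a domain group named ‘ESX Admins’ being created or gaining members. As an added illustration (not code from the report, VMware, or CISA), the detector below scans constructed Windows Security event lines for exactly that; the event IDs 4727 (security-enabled global group created) and 4728 (member added to such a group) are the standard Windows audit events, while the simplified key="value" log format and sample actors are assumptions made for the demo.

```python
"""Flag audit events that create or populate a group named 'ESX Admins'."""
import re
from dataclasses import dataclass
from typing import List, Optional

WATCHED_GROUP = "ESX Admins"          # group named in the advisory summary
GROUP_EVENTS = {4727: "group created",  # real Windows Security event IDs
                4728: "member added"}

# Constructed, simplified log format: key="value" pairs on one line.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    event_id: int
    group: str
    actor: str
    member: Optional[str]
    reason: str


def normalize(name: str) -> str:
    # Case- and whitespace-insensitive so "esx  admins" still matches.
    return " ".join(name.lower().split())


def detect(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = dict(FIELD_RE.findall(line))
        try:
            event_id = int(ev.get("EventID", "0"))
        except ValueError:
            continue                                   # malformed line, skip
        if event_id not in GROUP_EVENTS:
            continue                                   # not a group-management event
        if normalize(ev.get("Group", "")) != normalize(WATCHED_GROUP):
            continue                                   # some other group
        findings.append(Finding(event_id, ev["Group"], ev.get("Actor", "?"),
                                ev.get("Member") or None, GROUP_EVENTS[event_id]))
    return findings


# Constructed sample log: one benign user creation, one benign group change,
# one creation of the watched group, one self-add to it, one near-miss name.
SAMPLE_LOG = [
    'EventID="4720" Group="" Actor="svc_admin" Member="jdoe"',
    'EventID="4727" Group="ESX Admins" Actor="jdoe" Member=""',
    'EventID="4728" Group="Domain Users" Actor="svc_admin" Member="asmith"',
    'EventID="4728" Group="esx admins" Actor="jdoe" Member="jdoe"',
    'EventID="4728" Group="ESX Admins Backup" Actor="ops" Member="bob"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"ALERT {f.event_id} {f.reason}: group={f.group!r} actor={f.actor} member={f.member}")
```

Running the block reports two alerts (the creation of the group by jdoe and jdoe adding himself to it); on a real domain controller the same logic would be pointed at exported Security log events rather than the inline sample.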


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
