Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.
- Ticketmaster:
A threat actor is selling what they claim to is the personal and financial information of 560 million Ticketmaster customers on the recently revived BreachForums hacking forum for $500,000. The allegedly stolen database supposedly contains 1.3 TB of data and the customers’ full details including names, addresses, emails, phone numbers, as well as ticket sales, order, and event information.
- RedTail:
The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto networks firewalls. The infection sequence exploits a now-patched vulnerability in PAN-OS tracked as CVE-2024-3400 that could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
- LilacSquid:
A previously undocumented cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States, Europe, and Asia as part of a data theft campaigns. Attack chains are known to exploit either publicly known vulnerabilities to breach internet-facing application servers or make use of compromised RDP credentials to deliver a mix of open-source tools and custom malware.
- FlyingYeti:
Cloudflare said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti. The FlyingYeti campaign targeted the Ukraine and was capitalizing on anxiety over the potential loss of access to housing and utilities by sending malicious files via debt-themed lures.
- Linux Kernel:
CISA added a security flaw impacting the Linux kernel to the KEV. The flaw (CVE-2024-1086) is a high-severity issue that relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code.
- AllaSenha:
Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore RAT called AllaSenha. The malware is specifically aimed at stealing credentials that are required to access Brazilian bank accounts and leverages Azure cloud as C2 infrastructure.
- Check Point:
Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. The flaw (CVE-2024-24919
) potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled.
- Okta:
Okta is warning that a cross-origin authentication feature in Customer Identity Cloud is susceptible to credentials stuffing attacks orchestrated by threat actors. Users are being asked to review tenant logs for any signs of unexpected login events.
- LightSpy:
A macOS version of the LightSpy surveillance framework has been discovered. LightSpy is an iOS and Android surveillance framework used to steal a wide variety of data from mobile devices, including files, screenshots, location data, voice recordings during WeChat calls, payment information from WeChat Pay, and data exfiltration from Telegram and QQ Messenger.
- FakePenny:
Microsoft has linked a North Korean hacking group it tracks as Moonstone Sleet to FakePenny ransomware attacks. Previously tracked as Storm-17, Moonstone Sleet has been observed attacking both financial and cyberespionage targets using trojanized software, malicious games and npm packages, custom malware loaders, and fake software development companies.
- Fortinet:
Researchers have released a PoC exploit for a maximum-severity vulnerability in Fortinet’s security information and event management solution, which was patched in February. The flaw (CVE-2024-23108) is a command injection vulnerability that enables remote command execution as root without requiring authentication.
- CatDDoS:
The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past 3 months to infiltrate vulnerable devices and turn them into a botnet for conducting DDoS attacks. The malware gets its name for the cat-related references in strings like “catddos.pirate” and “password_meow” for C2 domains.
- TP-Link:
A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices. The vulnerability is tracked as CVE-2024-5035 and impacts all versions of the router firmware including and prior to 1_1.1.6.
- Cloudflare Workers:
Researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users’ credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. The attackers use Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victims and the login page to capture credentials, cookies, and tokens. The phishing campaigns make use of a technique called HTML smuggling, which involves using malicious JavaScript to assemble the malicious payload on the client side to evade security detections.
- Minesweeper:
Hackers are utilizing code from a Python clone of Microsoft’s Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. The threat actor, UAC-0188, is using the legitimate code to hide Python scripts that download and install the SuperOps RMM.
- ShrinkLocker:
A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker. ShrinkLocker is written in VBScript and can detect the specific Windows version running on the target machine by using WMI. The attack continues only if specific parameters are met. The malware then uses the BCDEdit command-line tool to reinstall the boot files on the newly created partitions.
- UAC-006:
The CERT of Ukraine warned of a surge in cyber attacks linked to the financially motivated group, UAC-006. The threat actors focus on compromising accountants’ PCs. Since May 20th, the group has carried out at least 2 massive campaigns aimed at distributing SmokeLoader malware via email.
- Cisco:
Cisco addressed a vulnerability tracked as CVE-2024-20360, in the web-based management interface of the Firepower Management Center software. The vulnerability is an SQL injection issue, an attacker can exploit the flaw to obtain any data from the database, execute arbitrary commands on the underlying OS and elevate privileges to root.
Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.?
For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us
to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.?
The increasing number of cyber threats makes continuous monitoring and proactive measures essential for maintaining strong security. Great to see Ntirety emphasizing comprehensive threat management. ?? What specific strategies or tools do you recommend for enhancing threat intelligence and response?