The Ntirety Weekly Threat Intelligence Report: May 20, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches

  • Santander: Banco Santander S.A. announced it suffered a data breach impacting customers after an unauthorized actor accessed a database hosted by one of its third-party service providers. The bank did not disclose any details about the types of data exposed but noted that transaction information and online banking account credentials were not impacted.

Threats to Watch

  • Lunar Malware: Researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government’s diplomatic institutions abroad. The attacks start with spear-phishing emails that carry Word files with malicious macro code to install the LunarMail backdoor onto the target system.
  • Deuterbear RAT: More information has been released on the Deuterbear RAT used by the BlackTech hacking group. Deuterbear uses a shellcode format, has anti-memory-scanning capabilities, and shares a traffic key with its downloader. Deuterbear is similar to the Waterbear RAT in many ways, including a similar infection pathway that uses two stages to install the RAT backdoor component.
  • Kimsuky: The North Korean hacking group has been attributed to a new social engineering attack that uses fake Facebook accounts to approach targets via Messenger and ultimately delivers malware. The multi-stage attack campaign impersonates legitimate people in order to target activists in the North Korean human rights and anti-North Korea sectors.
  • Malvertising Campaigns: Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines. Clicking on the ad leads to typosquatted domains where the malicious payloads are hosted.
  • QakBot: Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. The vulnerability (CVE-2024-30051) is a privilege escalation bug caused by a heap-based buffer overflow in the DWM core library.
  • D-Link: The D-Link EXO AX4800 router is vulnerable to remote unauthenticated command execution that could lead to complete device takeover by attackers with access to the HNAP port. The device can be completely compromised by combining an authentication bypass with command execution.
  • LockBit Black: Millions of phishing emails have been sent through the Phorpiex botnet to conduct a large scale LockBit Black ransomware campaign. The encryptor deployed in these attacks is likely built using the LockBit 3.0 builder.
  • GoToMeeting: Malware loaders have been observed abusing GoToMeeting to deploy RemcosRAT. The lures include porn downloads, software setup files, and tax forms with file names in Russian and English.
  • Durian: The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyberattacks aimed at two South Korean cryptocurrency firms. Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.
  • FIN7: The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.
  • Python: Researchers have identified a malicious Python package that presents itself as an offshoot of the popular requests library and has been found concealing a Golang version of the Sliver C2 framework. The Python package affected is requests-darwin-lite, and it was downloaded 417 times before it was taken down from the PyPI registry.
  • Black Basta: The Black Basta ransomware-as-a-service operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022. Black Basta uses common initial access techniques such as phishing and exploiting known vulnerabilities.

Actionable IoCs

  • Chrome: Google has released emergency security updates for Chrome to address a high-severity zero-day vulnerability that is being exploited in attacks. This issue comes 3 days after Google addressed another Chrome zero-day. The latest bug (CVE-2024-4761) is an out-of-bounds write problem impacting Chrome’s V8 JavaScript engine.


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
