Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.
- Transak:
A recent data breach at the crypto payment processor Transak exposed the information of more than 92,000 people after an employee's laptop was accessed. The company said on Sunday that "no financially sensitive or critical information was compromised" but admitted that names, birthdays, passports, driver's license information and user selfies were leaked in the breach.
- Internet Archive:
The Internet Archive was breached again, this time on their Zendesk email support platform, after repeated warnings that threat actors stole exposed GitLab authentication tokens. Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens.
- Easterseals:
A notorious ransomware gang previously responsible for attacks on multiple hospitals has now claimed a new victim: disability nonprofit Easterseals. The Rhysida ransomware group stooped to new lows this week when it attempted to extort $1.3 million from the organization, which provides support to disabled children, seniors, military veterans and others.
- Henry Schein:
Henry Schein has finally disclosed a data breach following at least two back-to-back cyberattacks in 2023 by the BlackCat ransomware gang, revealing that over 160,000 people had their personal information stolen.
- CVE-2024-44068:
A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution. The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.
- Lumma:
Lumma Stealer stars in a new campaign that uses malicious CAPTCHA pages to scam targets into clicking through the "verification" process, which triggers the initial malware download. Malware-as-a-service (MaaS) Lumma Stealer is commonly used by threat actors to steal sensitive information like passwords and crypto-wallet data, explained researchers at Qualys, who recently detailed the latest attack chain.
- SRBMiner:
Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro. "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today.
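A defender's check for the exposure behind this item, added here as an example and not part of Ntirety's report or Trend Micro's findings: it flags Docker `daemon.json` listeners bound over plain TCP without TLS client verification, and scans access-log lines for cleartext HTTP/2 (h2c) upgrade requests aimed at Engine API paths. The log format with a trailing Upgrade-header field, the IP addresses and the container IDs are constructed assumptions.

```python
import json
import re

# Constructed sample daemon.json (not from the report): the Engine API is bound to
# every interface over plain TCP with no client-certificate verification.
DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false
}"""

# Constructed reverse-proxy access log in front of a Docker host. The trailing
# quoted field holding the request's Upgrade header is a hypothetical log format.
ACCESS_LOG = """\
10.0.0.5 - - [21/Oct/2024:10:01:02 +0000] "GET /v1.45/version HTTP/1.1" 200 512 "-"
203.0.113.7 - - [21/Oct/2024:10:02:15 +0000] "POST /v1.45/containers/create HTTP/1.1" 201 88 "h2c"
203.0.113.7 - - [21/Oct/2024:10:02:16 +0000] "POST /v1.45/containers/abc123/start HTTP/1.1" 204 0 "h2c"
10.0.0.9 - - [21/Oct/2024:10:03:40 +0000] "GET /healthz HTTP/1.1" 200 2 "h2c"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<upgrade>[^"]*)"$'
)
# Docker Engine API paths: an optional version prefix, then a resource such as containers or images.
DOCKER_API_RE = re.compile(r'^(/v\d+\.\d+)?/(containers|images|exec|build|volumes|networks)(/|$)')

def exposed_tcp_listeners(daemon_json: str) -> list[str]:
    """Return tcp:// listeners from daemon.json that do not require TLS client auth."""
    cfg = json.loads(daemon_json)
    tls_required = bool(cfg.get("tlsverify", False))
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_required]

def h2c_upgrade_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, method, path) for h2c upgrade requests aimed at the Docker API."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        if m["upgrade"].lower() == "h2c" and DOCKER_API_RE.match(m["path"]):
            hits.append((m["ip"], m["method"], m["path"]))
    return hits

if __name__ == "__main__":
    print("Unauthenticated TCP listeners:", exposed_tcp_listeners(DAEMON_JSON))
    for ip, method, path in h2c_upgrade_requests(ACCESS_LOG):
        print(f"h2c upgrade to Docker API from {ip}: {method} {path}")
```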
- Grandoreiro:
New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation.
- Lazarus:
The North Korean Lazarus hacking group exploited a Google Chrome zero-day tracked as CVE-2024-4947 through a fake decentralized finance (DeFi) game targeting individuals in the cryptocurrency space.
- ScienceLogic SL1:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could lead to remote code execution.
- VOIDMAW:
VOIDMAW is an innovative memory scanning bypass technique that can effectively hide problematic code from antivirus software. It supports multithreaded payloads and is compatible with all Command-and-Control (C2) beacons. Additionally, VOIDMAW can run any non-.NET executables, making it a powerful tool in the hands of attackers.
- APT29:
Russia's premier advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises. APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC).
- BlackBasta:
The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack. Black Basta is a ransomware operation active since April 2022 and responsible for hundreds of attacks against corporations worldwide.
- Gophish:
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain.
Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.
For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.