The Ntirety Weekly Threat Intelligence Report: September 23, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches:

  • Stillwater Mining: The owner of the only platinum and palladium mines in the U.S. confirmed that it experienced a cyberattack this summer that exposed the sensitive information of thousands of employees.
  • Dell: Dell has confirmed to BleepingComputer that they are investigating recent claims that it suffered a data breach after a threat actor leaked the data for over 10,000 employees. The allegations were published yesterday by a threat actor named "grep," who alleges that the computing vendor suffered a "minor data breach" in September 2024, exposing internal employee and partner information.
  • Disney: The Walt Disney Company is reportedly ditching Slack after a July data breach exposed over 1TB of confidential messages and files posted to the company's internal communication channels. According to CNBC, Disney has already begun migrating to new "streamlined enterprise-wide collaboration tools" and emailed employees this week to say that they will finish the migration at the end of the company's next fiscal quarter.

Threats to Watch:

  • Greasy Opal: Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials.
  • Marko Polo: The Marko Polo cybercrime gang represents a growing, global financial threat, steering at least 30 ongoing fraud campaigns at the same time and wielding an arsenal of sophisticated malware that has compromised tens of thousands of devices so far.
  • CVE-2022-46723: A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's brand-name security protections and ultimately compromise victims' iCloud data.
  • ServiceNow: Over 1,000 misconfigured ServiceNow enterprise instances were found exposing Knowledge Base (KB) articles that contained sensitive corporate information to external users and potential threat actors.
  • CVE-2024-6091: A significant security vulnerability has been discovered in AutoGPT, a powerful AI tool designed to automate tasks through intelligent agents. With over 166k stars on GitHub, AutoGPT has gained popularity for its ability to streamline complex operations. However, the discovery of CVE-2024-6091, an OS Command Injection vulnerability with a CVSS score of 9.8, has raised serious concerns about the security of its shell command execution features.
  • Vanilla Tempest: Microsoft says a ransomware affiliate it tracks as Vanilla Tempest now targets U.S. healthcare organizations in INC ransomware attacks. INC Ransom is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted public and private organizations since July 2023.
  • Raptor Train: The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called "Raptor Train" that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries. The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan.
  • Salesforce: Varonis Threat Labs uncovered a vulnerability in Salesforce's public link feature that threat actors could exploit to retrieve sensitive data. By manipulating the API calls sent to the undocumented Salesforce Aura API, combined with SOQL subqueries, hackers could commit a blind SOQL injection attack to retrieve customer information, including PII.
  • VICIdial Contact Center Suite: In a concerning development for call centers using VICIdial, a popular open-source contact center solution, two high-severity security vulnerabilities have been discovered that could lead to severe data breaches and full system compromise. With over 14,000 registered installations globally, many businesses relying on VICIdial's platform may be at risk unless they update their systems promptly.
  • Apache HugeGraph-Server: The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. The flaw, tracked as CVE-2024-27348 and rated critical (CVSS v3.1 score: 9.8), is an improper access control vulnerability that impacts HugeGraph-Server versions from 1.0.0 up to, but not including, 1.3.0.
  • Ivanti: Less than two weeks after patching one flaw, Ivanti announced on Sept. 19 that a second, critical Cloud Services Appliance (CSA) vulnerability is being exploited in the wild.
  • Acronis: In a recent advisory published on September 16th, data protection powerhouse Acronis disclosed a critical security vulnerability in its popular backup plugins for server management platforms like cPanel, Plesk, and DirectAdmin. The vulnerability, identified as CVE-2024-8767, poses a serious risk to users, with a severity score of 9.9 on the Common Vulnerability Scoring System (CVSSv3.0), classifying it as Critical.
  • FortiClient Endpoint Management Server: In a concerning new development, cybersecurity researchers at Darktrace have unveiled a report detailing the exploitation of Fortinet's FortiClient Endpoint Management Server (EMS) by cybercriminals. The report highlights critical vulnerabilities, particularly CVE-2023-48788, and outlines a sophisticated attack chain and post-exploitation tactics observed across various environments.
  • Lumma: Security professionals are sounding the alarm about a novel cyberattack vector: the use of counterfeit CAPTCHA tests to distribute malware on Windows devices. Users are urged to exercise increased vigilance and skepticism when interacting with CAPTCHA challenges.
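The Greasy Opal item above describes phishing pages reached through a Refresh entry in HTTP response headers rather than a conventional 3xx redirect, which means proxy or gateway rules that only inspect Location headers never see the hop. The following is an added illustration, not code from the report or from any vendor: it parses the Refresh header (the standard "delay; url=target" form), compares the target against the origin that was requested, and flags records where the Refresh leaves the origin or uses a non-http(s) scheme. The sample proxy records, host names and the data: URI are constructed for the example; the function and record names are the author's own.

```python
"""Defensive check for HTTP Refresh-header redirects (added example)."""
import re
from urllib.parse import urlsplit

# Matches a Refresh value such as "0; url=https://example.test/login":
# a delay, a ';' or ',' separator, then a case-insensitive url=... part
# (optionally quoted). The delay is captured but not used for the decision.
_REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d+)\s*[;,]\s*url\s*=\s*['\"]?(?P<url>[^'\"\s]+)",
    re.IGNORECASE,
)


def parse_refresh(value):
    """Return (delay, url) for a Refresh header value, or None if it carries no URL."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    return int(m.group("delay")), m.group("url")


def classify_refresh(request_url, headers):
    """Classify a response's Refresh header relative to the requested URL.

    Returns:
      None            - no Refresh header, or no URL inside it
      "same-origin"   - target stays on the requesting host (or is relative)
      "cross-origin"  - target is a different host, the pattern a spoofed
                        login page hosted elsewhere depends on
      "non-http"      - target uses a scheme other than http/https
    """
    # Header names are case-insensitive; normalise before lookup.
    value = next((v for k, v in headers.items() if k.lower() == "refresh"), None)
    if value is None:
        return None
    parsed = parse_refresh(value)
    if parsed is None:
        return None
    _, target = parsed
    t = urlsplit(target)
    if t.scheme and t.scheme.lower() not in ("http", "https"):
        return "non-http"
    req_host = urlsplit(request_url).hostname
    if not t.netloc or t.hostname == req_host:
        return "same-origin"
    return "cross-origin"


# Constructed sample proxy records (not real traffic): the URL that was
# requested and the response headers the proxy saw for it.
SAMPLE_RECORDS = [
    {"url": "https://intranet.example.test/news",
     "headers": {"Content-Type": "text/html"}},
    {"url": "https://intranet.example.test/old",
     "headers": {"Refresh": "0; url=/new"}},
    {"url": "https://tracking-link.example.test/x",
     "headers": {"Refresh": "0; URL=https://login-mailbox.example.invalid/owa"}},
    {"url": "https://tracking-link.example.test/y",
     "headers": {"refresh": "0;url=data:text/html;base64,PGh0bWw+"}},
]


def suspicious_records(records):
    """Return (request_url, classification) for records whose Refresh leaves the origin."""
    findings = []
    for rec in records:
        verdict = classify_refresh(rec["url"], rec["headers"])
        if verdict in ("cross-origin", "non-http"):
            findings.append((rec["url"], verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in suspicious_records(SAMPLE_RECORDS):
        print(f"{verdict:12s} {url}")
```

Cross-origin Refresh targets are common in legitimate traffic too (link shorteners, SSO front doors), so in practice the output is a triage queue to be joined against allow-lists and mail-gateway click logs rather than an alert on its own.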


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
