The Ntirety Weekly Threat Intelligence Report: September 3, 2024


Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches:

  • CBIZ: CBIZ Benefits & Insurance Services has disclosed a data breach that involves unauthorized access of client information stored in specific databases. The company claims that a threat actor exploited a vulnerability in one of its web pages and was able to steal customer data between June 2 and June 21.

Threats to Watch:

  • Cicada Ransomware: A new ransomware-as-a-service operation is impersonating the legitimate Cicada 3301 organization and has already listed 19 victims on its extortion portal. Cicada3301 first began promoting the operation and recruiting affiliates on June 29 in a post to the ransomware and cybercrime forum known as RAMP.
  • Voldemort: A new malware campaign is spreading a previously undocumented backdoor named “Voldemort” to organizations worldwide, impersonating tax agencies from the U.S., Europe and Asia. The campaign has disseminated over 20,000 emails to over 70 targeted organizations.
  • Chrome: North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.
  • GlobalProtect: Threat actors are targeting Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect Tool that can steal data and execute remote PowerShell commands to infiltrate internal networks further.
  • APT29: The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024. The n-day flaws have already been patched but remain effective on devices that have not been updated yet.
  • APT33: The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the US and United Arab Emirates. The threat actors leveraged Microsoft Azure infrastructure for C2, using fraudulent, attacker-controlled Azure subscriptions.
  • Microsoft Sway: A massive QR code phishing campaign abused Microsoft Sway to host landing pages to trick Microsoft 365 users into handing over their credentials. The campaign primarily targeted users in Asia and North America, with the technology, manufacturing, and finance sectors being the most sought-after targets. The emails redirected potential victims to phishing landing pages hosted on the sway.cloud.microsoft domain, pages that encouraged the targets to scan QR codes that would send them to other malicious sites.
  • Head Mare: A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. The attackers took advantage of the vulnerability (CVE-2023-38831) in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive.
  • macOS Vulnerabilities: Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system’s permissions-based model, which revolves around the Transparency, Consent, and Control framework. If successful, the adversary could gain any privileges already granted to the affected Microsoft applications.
  • Cobalt Strike: Chinese-speaking users are the target of a highly organized and sophisticated attack campaign that is leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. The covert campaign is codenamed SLOW#TEMPEST and is not attributed to any known threat actor at this time. The campaign commences with malicious ZIP files that, when unpacked, activate the infection chain.
  • Confluence: Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. The security vulnerability being exploited (CVE-2023-22527) is a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution.
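The Microsoft Sway item above describes a recognisable mail-borne pattern: a message whose links point at pages hosted on the sway.cloud.microsoft domain, which in turn carry a QR code leading elsewhere. The following is an added example (not code from Ntirety or from the report's sources) showing how a mail-filtering or triage script can surface such messages for review. It assumes a constructed sample message; the only identifier taken from the report is the sway.cloud.microsoft domain. Hostnames are compared after proper URL parsing rather than by substring search, so look-alike hosts such as sway.cloud.microsoft.example.net are neither wrongly flagged nor able to confuse the check.

```python
import re
from urllib.parse import urlparse

# Domain the campaign abused to host its landing pages (taken from the report).
ABUSED_HOST = "sway.cloud.microsoft"

# Loose URL extractor for plain-text or lightly formatted mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(url: str, suspect_host: str) -> bool:
    """Return True if the URL's host is suspect_host or a subdomain of it.

    urlparse() isolates the hostname so that paths, query strings and
    look-alike registrable domains containing the string cannot trigger
    (or dodge) the match the way naive substring search would.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == suspect_host or host.endswith("." + suspect_host)


def flag_sway_links(email_body: str) -> list[str]:
    """List every link in the body whose host is the abused Sway domain.

    Legitimate Sway use exists, so a hit is a triage signal (send to review,
    rewrite or quarantine per policy), not proof of phishing on its own.
    """
    return [u for u in URL_RE.findall(email_body) if host_matches(u, ABUSED_HOST)]


# Constructed sample messages; neither is a real campaign artefact.
SAMPLE_PHISH = """\
Subject: Action required: verify your Microsoft 365 sign-in
Your account will be suspended. Review the notice here:
https://sway.cloud.microsoft/CONSTRUCTED-PAGE-ID then scan the QR code shown.
Help centre: https://support.example.com/faq
"""

SAMPLE_BENIGN = """\
Subject: Q3 roadmap deck
Slides are on the intranet: https://intranet.example.com/q3 and the
vendor's site https://sway.cloud.microsoft.example.net/demo is a decoy host.
"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        hits = flag_sway_links(body)
        print(f"{name}: {'FLAG' if hits else 'ok'} {hits}")
```

The deciding detail is the host comparison: a filter that merely searches for the string sway.cloud.microsoft would flag the benign decoy host in the second sample, while one that anchors on the parsed hostname flags only the genuine Sway link in the first.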


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
