Weekly Threat Briefing: June 3 - 7, 2024

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Get up to 50% off eSentire Threat Intelligence

We’re thrilled to announce the launch of our first standalone cybersecurity product, eSentire Threat Intelligence, a curated feed of high-fidelity Indicators of Compromise (IOCs) with a 99% true positive rate that have been verified by our Elite Threat Hunters and Threat Response Unit (TRU).

Learn how you can leverage eSentire Threat Intelligence to reduce false positive alerts and enhance your threat detection and response capabilities.


Attackers Pose as Helpful Users on Stack Overflow to Distribute Malware

In a recent report released by Sonatype, attackers have been abusing Stack Overflow to spread malware. Attackers are posting seemingly helpful answers to user questions on the forum, promoting a malicious PyPI package which installs a Windows information stealer.

The PyPI package is called “pytoileur”; to trick unsuspecting users into executing it, the package masquerades as an API management tool. In several examples, users asking questions about debugging are met with responses from the threat actors claiming the malicious package is the solution to their issue.

eSentire recently observed a similar incident in which a user searching for a solution to a Windows error message landed on a fake IT support website. The site provided instructions to copy, paste and run a PowerShell script claiming to fix the issue; the script would have infected the device with Vidar, but eSentire MDR for Endpoint prevented the malware from executing.

Organizations should provide user awareness training, specifically around code sharing and troubleshooting websites. As most of the malware observed executing on devices is related to credential theft, it is important that users enable Multi-Factor Authentication (MFA) to prevent account compromise if passwords are stolen.

Learn more in the full threat briefing here.


Threat Actors Target Recent High Severity Check Point VPN Vulnerability

According to a new report from researchers at GreyNoise, exploitation of the high-severity Check Point Security Gateway vulnerability, CVE-2024-24919, has transitioned from limited exploitation to widespread attacks. CVE-2024-24919 (CVSS: 8.6) is an information disclosure vulnerability.

Exploitation would allow a remote threat actor to read certain information on Check Point Security Gateways which may enable access, lateral movement, and domain admin privileges. The vulnerability was disclosed on May 28th but was exploited as a zero-day vulnerability as early as April 7th, 2024. Functional Proof-of-Concept (PoC) exploit code is widely available.

Beginning June 3rd, and continuing through June 4th, GreyNoise identified a significant increase in attempts to exploit the vulnerability. According to the report, at least 10 separate payloads have been delivered via exploitation to date. GreyNoise does not provide details on the observed payloads or attacker goals.

We have observed at least one instance of exploitation of the vulnerability. In the observed case, threat actors established persistence on the Check Point service account by registering a new Microsoft Multifactor Authenticator device. The attack was disrupted before attacker goals could be ascertained.
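The persistence technique described above, an attacker enrolling a new MFA device on a compromised service account, is something a defender can hunt for in identity audit logs. The following Python is an added example, not eSentire's or Check Point's code: it runs over constructed audit-log-style records (the field names, the "svc-" naming convention and the IP allowlist are all assumptions for the illustration) and flags security-info registrations on service accounts, which should never self-enrol MFA, as well as registrations from unlisted source IPs.

```python
import json

# Constructed sample records loosely modelled on identity-provider audit-log
# entries (field names assumed; adapt to your own export). The first event
# mirrors the briefing: an Authenticator registration on a VPN service account.
SAMPLE_AUDIT_LOG = """
{"time": "2024-06-03T10:14:02Z", "activity": "User registered security info", "user": "svc-checkpoint-vpn@example.com", "detail": "User registered Microsoft Authenticator", "ip": "203.0.113.45"}
{"time": "2024-06-03T11:02:17Z", "activity": "User registered security info", "user": "alice@example.com", "detail": "User registered Microsoft Authenticator", "ip": "198.51.100.7"}
{"time": "2024-06-04T08:30:00Z", "activity": "Update user", "user": "svc-checkpoint-vpn@example.com", "detail": "Password changed", "ip": "198.51.100.7"}
"""

SERVICE_ACCOUNT_PREFIXES = ("svc-", "svc_")   # assumed naming convention
KNOWN_ADMIN_IPS = {"198.51.100.7"}            # constructed allowlist of admin egress IPs

def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_service_account(upn):
    return upn.lower().startswith(SERVICE_ACCOUNT_PREFIXES)

def find_suspicious_mfa_registrations(events):
    """Return one finding per security-info registration that either lands on a
    service account or originates from an IP outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("activity") != "User registered security info":
            continue
        reasons = []
        if is_service_account(ev["user"]):
            reasons.append("service account enrolled an MFA method")
        if ev.get("ip") not in KNOWN_ADMIN_IPS:
            reasons.append(f"registration from unlisted IP {ev.get('ip')}")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_mfa_registrations(parse_events(SAMPLE_AUDIT_LOG)):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

Only the service-account enrolment from the unlisted IP is reported; alice's registration from an allowlisted address is treated as routine.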

We released an advisory for CVE-2024-24919 on May 29th. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices, and eSentire MDR for Network has rules to identify exploitation attempts. Additionally, the eSentire Threat Response Unit (TRU) has performed, and continues to perform, threat hunts based on known Indicators of Compromise (IoCs).

Learn more in the full threat briefing here.


Cyber Threats Facing the 2024 Paris Olympics

This week, Microsoft, Recorded Future, and Mandiant all released reports detailing the range of cyber threats facing the 2024 Paris Olympic Games. For state-sponsored actors, cybercriminals, and hacktivists, the high-profile nature of the event makes it an attractive target for espionage, influence operations, disruptive cyberattacks, and financial gain.

The games face significant state-sponsored threats from Russia, China, Iran, and North Korea, with each nation employing different tactics based on its geopolitical interests. Russia is expected to be the most active, with a history of disruptive cyberattacks, such as the GRU's 2018 Pyeongchang Winter Olympics incident and the 2016 Rio de Janeiro Olympics hack-and-leak campaign.

  • Russian actors will likely continue to use AI-generated disinformation, false-flag operations, and Olympic-themed lures for espionage.
  • China, while less likely to engage in disruptive attacks, is expected to focus on intelligence gathering through Olympic-themed infrastructure and lures.
  • Iran is anticipated to conduct espionage against organizations and individuals associated with the Games, using intrusion attempts and AI-generated content to further its influence.
  • North Korea, although primarily focused on revenue generation, may support Russian operations or conduct intelligence-gathering campaigns, leveraging its close relationship with Russia.

To mitigate the risks posed by the diverse and sophisticated cyber threats to the 2024 Paris Olympics, a multi-faceted and proactive approach is essential. Enhanced cybersecurity measures should be implemented across all critical infrastructure sectors, including multi-layered security protocols, regular vulnerability assessments, and advanced threat detection systems.

Additionally, awareness and training programs are crucial in educating staff, volunteers, and stakeholders about phishing, social engineering tactics, and other cyber threats.

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.