The Ntirety Weekly Threat Intelligence Report: December 2, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches:

  • RansomHub: Ransomware attacks on two municipal governments have been claimed by a notorious cybercriminal operation responsible for dozens of high-profile incidents in 2024. On Monday, the RansomHub operation took credit for damaging attacks on the city of Coppell, Texas, and the Minneapolis Park and Recreation Board.
  • Zello: Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach. Zello is a mobile service with 140 million users that allows first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a push-to-talk app. Over the past two weeks, numerous people have received security notices from Zello on November 15th asking them to reset their app password.
  • Hoboken: The city of Hoboken shut down its government offices on Wednesday after an early morning ransomware attack caused widespread issues. Officials published several messages on city websites and social media around 10 a.m. EST warning local residents that the attack will cause a range of outages and service shutdowns ahead of the Thanksgiving holiday.

Threats to Watch:

  • BlackBasta: The Russian-language ransomware scene isn't all that big. And despite an array of monikers for individual operations, new analysis shows these groups' members are working in close coordination, sharing tactics, botnets, and malware among one another, as well as with the Russian state. And now, a new power player ransomware group brand has emerged — BlackBasta.
  • GhostSpider: The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new "GhostSpider" backdoor in attacks against telecommunication service providers. The backdoor was discovered by Trend Micro, which has been monitoring Salt Typhoon's attacks against critical infrastructure and government organizations worldwide.
  • PixPirate: In recent months, the Trusteer research lab monitored and detected a new campaign of PixPirate running in Brazil, and directly attacking Brazilian banks. At the time of this blog, PixPirate still primarily targets the Pix payment services that are integrated with most Brazilian banking apps.
  • RomCom: On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.
  • NachoVPN: A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them. AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks.
  • CVE-2023-28461: America's cyber defense agency has received evidence of hackers actively exploiting a remote code execution vulnerability in the Array Networks AG and vxAG ArrayOS SSL VPN products. The security issue is tracked as CVE-2023-28461 and has been assigned a critical 9.8 severity score, and the agency has added it to its catalog of Known Exploited Vulnerabilities (KEV). The bug is an improper authentication issue that can be exploited through a vulnerable URL and allows remote code execution in Array AG Series and vxAG version 9.4.0.481 and earlier.
  • APT-C-60: A cyber-attack targeting Japanese and other East Asian organizations, suspected to be orchestrated by the threat group APT-C-60, has been uncovered. First identified in August 2024, the attack involved phishing emails disguised as job applications to infiltrate recruitment departments, introducing malware via malicious links hosted on legitimate platforms such as Google Drive.
  • Bootkitty: Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024.
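The CVE-2023-28461 item above gives defenders one concrete, actionable fact: Array AG and vxAG appliances on ArrayOS 9.4.0.481 or earlier are in scope for the KEV remediation. The script below is an added example, not code from the Ntirety report or from Array Networks, showing how to triage an asset inventory against that threshold. The inventory rows, hostnames, and the product-name matching are constructed assumptions; only the CVE identifier and version threshold come from the report.

```python
"""Triage an asset inventory against the Array Networks item in the report.

Added example (not from the Ntirety report or Array Networks): flags Array
AG / vxAG appliances running ArrayOS 9.4.0.481 or earlier as affected by
CVE-2023-28461, the threshold stated in the report. Inventory rows, hostnames
and product labels are constructed sample data.
"""
import re

AFFECTED_CVE = "CVE-2023-28461"
# Highest affected ArrayOS version per the report ("9.4.0.481 and earlier").
MAX_AFFECTED_VERSION = "9.4.0.481"
# Assumed inventory labels for the affected product lines (lower-cased for matching).
AFFECTED_PRODUCTS = {"array ag", "array vxag"}

# Constructed sample inventory rows; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-01", "product": "Array AG", "version": "9.4.0.481"},
    {"host": "vpn-edge-02", "product": "Array vxAG", "version": "9.4.0.499"},
    {"host": "vpn-edge-03", "product": "Array AG", "version": "9.3.5.120"},
    {"host": "vpn-edge-04", "product": "Array AG", "version": ""},
    {"host": "fw-core-01", "product": "Other Vendor FW", "version": "1.2.3"},
]


def parse_version(text):
    """Turn '9.4.0.481' into (9, 4, 0, 481) so versions compare numerically,
    not as strings. Returns None when the value is missing or not dotted integers."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True when the product is an Array AG/vxAG at or below the stated threshold,
    False when it is not affected, and None when the version cannot be parsed
    (an Array appliance with unknown firmware needs a manual check, not a pass)."""
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed <= parse_version(MAX_AFFECTED_VERSION)


def triage(inventory):
    """Bucket inventory rows into 'affected' (remediate per the KEV entry),
    'review' (Array product with an unparseable version) and 'not_affected'."""
    buckets = {"affected": [], "review": [], "not_affected": []}
    for row in inventory:
        verdict = is_affected(row["product"], row["version"])
        if verdict is None:
            key = "review"
        elif verdict:
            key = "affected"
        else:
            key = "not_affected"
        buckets[key].append(row["host"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{AFFECTED_CVE} {bucket}: {hosts}")
```

The point of the separate `review` bucket is that an Array appliance with a blank or malformed version field is the one most likely to be forgotten; treating it as "not affected" would silently drop it from the remediation list, so it is surfaced for a manual check instead.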


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.



Syed Sajjad Jaffer Rizvi

MS-IT|SOC|VAPT|APIsec|XDR|Cybersecurity|CASP|CISSO

9mo

👍
