The Ntirety Weekly Threat Intelligence Report: July 22, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches 

  • AT&T: AT&T is warning of a massive data breach where threat actors stole the call logs for approximately 109 million customers from an online database on the company’s Snowflake account. The company confirmed that the data was stolen between April 14 and April 25, 2024. 

  • Rite Aid: Rite Aid said that on June 17 it confirmed that an attacker had stolen information about customers' purchases or attempted purchases made between June 6, 2017, and July 30, 2018. Exposed information included the customer's name, address, date of birth, and driver's license number or a number from another form of government-issued identification. 

Threats to Watch 

  • Faulty CrowdStrike update: Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. The company acknowledged reports of “Blue Screens of Death” on Windows hosts. The outage has also impacted Google Cloud Compute Engine, causing virtual machines using CrowdStrike’s csagent.sys to crash and go into an unexpected reboot state.

  • APT41: Several organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. have become targets of a sustained campaign by the Chinese APT41 hacking group.

  • SolarWinds: SolarWinds has addressed a set of critical security flaws in its Access Rights Manager software that could be exploited to access sensitive information or execute arbitrary code. Of the 13 vulnerabilities, eight are rated critical and five are rated high in severity.

  • Revolver Rabbit: A cybercriminal gang that researchers track as Revolver Rabbit has registered more than 500,000 domain names for infostealer campaigns targeting Windows and macOS systems. The threat actor relies on registered domain generation algorithms (RDGAs), an automated method for registering large numbers of domain names in an instant.

  • Splunk: A recently fixed vulnerability (CVE-2024-36991) affecting Splunk Enterprise on Windows is more serious than it initially appeared. It is a path traversal vulnerability in Splunk Web that can be triggered with a specially crafted GET request and allows an attacker to list directory contents on the Splunk endpoint. Successful exploitation does not require prior authentication.
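As an added illustration of the bug class (this is not Splunk's code and makes no claim about how CVE-2024-36991 itself is triggered), the following Python contrasts a file-serving path lookup that never confirms containment with a hardened version, then runs the hardened check over a few constructed access-log lines to flag traversal attempts, including percent-encoded, double-encoded and backslash variants. The base directory, URL prefix and log lines are all constructed for the example.

```python
"""Path-traversal containment check for a handler that serves files from a
fixed base directory. Added example; not Splunk's code. All paths and log
lines below are constructed."""
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Constructed base directory; nothing here needs to exist on disk because
# Path.resolve() normalizes non-existent paths lexically.
BASE = Path("/srv/app/static")


def decode_request_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences such as
    %252e%252e%252f collapse to '../' before the path is inspected.
    Backslashes are normalized to '/', since Windows hosts accept both."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def resolve_unsafe(base: Path, requested: str) -> Path:
    """The weak pattern: join and normalize, but never check that the result
    is still under `base`, so '..' segments walk out of the directory."""
    return (base / decode_request_path(requested)).resolve()


def resolve_safe(base: Path, requested: str) -> Optional[Path]:
    """Hardened: strip a leading '/', resolve '..' and symlinks, then require
    the result to remain inside `base`. Returns None when it escapes."""
    base_resolved = base.resolve()
    rel = decode_request_path(requested).lstrip("/")
    candidate = (base_resolved / rel).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate


# Constructed access-log lines in common log format.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [22/Jul/2024:10:01:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jul/2024:10:01:07 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1834',
    '10.0.0.9 - - [22/Jul/2024:10:01:09 +0000] "GET /static/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP')


def flag_traversal(lines: List[str], base: Path, prefix: str = "/static/") -> List[str]:
    """Detection pass: return every request path under `prefix` whose target
    would resolve outside `base`, regardless of the response status."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1).split("?", 1)[0]
        if not url.startswith(prefix):
            continue
        if resolve_safe(base, url[len(prefix):]) is None:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    print("unsafe:", resolve_unsafe(BASE, "../../../etc/passwd"))
    print("safe:  ", resolve_safe(BASE, "../../../etc/passwd"))
    for url in flag_traversal(CONSTRUCTED_LOG, BASE):
        print("traversal attempt:", url)
```

The detector flags on the request path alone, so it catches attempts that the server rejected as well as ones that succeeded; checking only for 200 responses would miss reconnaissance.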

  • HardBit: Researchers have shed light on a new version of the HardBit ransomware strain that comes packaged with new obfuscation techniques to deter analysis. A passphrase must be supplied at runtime for the ransomware to execute properly. The group does not operate a data leak site, but instead pressures victims to pay by threatening to conduct additional attacks in the future.

  • Void Banshee: An APT group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. The vulnerability (CVE-2024-38112) was used as part of a multi-stage attack chain that relies on specially crafted internet shortcut (.URL) files.

  • BeaverTail: Researchers have discovered an updated variant of a known stealer malware used by attackers affiliated with the Democratic People's Republic of Korea. The artifact is an Apple macOS disk image file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name but serves as a conduit to deliver a native version of BeaverTail.

  • HugeGraph-Server: Threat actors are actively exploiting a recently disclosed critical security flaw in Apache HugeGraph-Server that could lead to remote code execution. The flaw (CVE-2024-27348) affects all versions of the software before 1.3.0 and is described as a remote command execution flaw in the Gremlin graph traversal language API.

  • Scattered Spider: The cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal. Scattered Spider is the designation given to a threat actor known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft.

  • BugSleep: The Iranian-backed MuddyWater hacking group has partially switched to using a new custom-tailored malware implant to steal files and run commands on compromised systems. The backdoor, dubbed BugSleep, is being distributed via well-crafted phishing lures disguised as invitations to webinars or online courses. The emails redirect the targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.

  • Cisco: Cisco has fixed a maximum-severity vulnerability that allows attackers to change any user's password on vulnerable Cisco Smart Software Manager On-Prem license servers. The flaw (CVE-2024-20419) is caused by an unverified password change weakness in SSM On-Prem's authentication system.
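The weakness class named above, an unverified password change, is easiest to see beside its fix. The following Python is an added example, not Cisco's code and not a description of the SSM On-Prem flaw itself: a constructed in-memory user store and session table, a handler that sets the password of whatever account the request names without any verification, and a hardened handler that requires a valid session, restricts non-administrators to their own account, demands the current password, enforces a minimum length, and revokes the target's other sessions after the change.

```python
"""Unverified password change beside a verified one. Added example with a
constructed in-memory user database and session table; not vendor code."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Lowered so the demo runs quickly; production deployments use far more.
PBKDF2_ROUNDS = 100_000


def _derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(pw: str, admin: bool = False) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(pw, salt), "admin": admin}


# Constructed stores standing in for a server's user database and session table.
USERS: Dict[str, Dict] = {
    "alice": make_user("alice-old"),
    "bob": make_user("bob-old"),
    "root": make_user("root-old", admin=True),
}
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob", "tok-root": "root"}


def verify_password(user: str, pw: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the derived key against the stored hash.
    return hmac.compare_digest(_derive(pw, rec["salt"]), rec["hash"])


def _set_password(user: str, new_pw: str) -> None:
    salt = os.urandom(16)
    USERS[user].update(salt=salt, hash=_derive(new_pw, salt))


def change_password_unverified(target_user: str, new_pw: str) -> bool:
    """The weakness class: the handler trusts the username in the request and
    asks for neither a session nor the current password, so anyone who can
    reach the endpoint can set any account's password."""
    if target_user not in USERS:
        return False
    _set_password(target_user, new_pw)
    return True


def change_password(session_token: str, target_user: str,
                    current_pw: Optional[str], new_pw: str) -> Tuple[bool, str]:
    """Hardened handler. Every check below is one the weak version skips."""
    actor = SESSIONS.get(session_token)
    if actor is None:
        return False, "not authenticated"
    if target_user not in USERS:
        return False, "no such user"
    # Only administrators may change someone else's password.
    if actor != target_user and not USERS[actor]["admin"]:
        return False, "forbidden: may only change own password"
    # Changing your own password requires proof of the current one.
    if actor == target_user and not (current_pw is not None and verify_password(actor, current_pw)):
        return False, "current password incorrect"
    if len(new_pw) < 12:
        return False, "new password too short"
    _set_password(target_user, new_pw)
    # Revoke the target's other sessions so a stolen token does not outlive the reset.
    for tok in [t for t, u in SESSIONS.items() if u == target_user and t != session_token]:
        del SESSIONS[tok]
    return True, "ok"


if __name__ == "__main__":
    print(change_password("tok-bob", "alice", None, "N3w-passw0rd!!"))   # forbidden
    print(change_password("tok-alice", "alice", "alice-old", "N3w-passw0rd!!"))  # ok
    print(change_password_unverified("bob", "attacker-chosen"))          # True: no checks at all
```

The session-revocation step matters in a license server as much as anywhere else: a password reset that leaves an attacker's existing session valid fixes the symptom and not the compromise.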

  • Netgear: Netgear warned customers to update their devices to the latest available firmware, which patches stored cross-site scripting and authentication bypass vulnerabilities in several WiFi 6 router models. Successful exploitation can let threat actors hijack user sessions, redirect users to malicious sites or display fake login forms, and steal restricted information.  

  • FishXProxy: A new toolkit is making it very simple for even novice cybercriminals to launch sophisticated scams. Researchers have disclosed details of FishXProxy, a new phishing kit discovered on the dark web. FishXProxy is an end-to-end solution that lowers the barrier for cybercriminals by offering advanced features such as antibot configurations, Cloudflare Turnstile integration, a built-in redirector, and page expiration settings.

  • APT41: The Chinese government-backed cyber espionage group has very likely added a loader dubbed DodgeBox and a backdoor named MoonWalk to its malware toolbox. DodgeBox is a shellcode loader written in C that can be configured with various features, including decrypting and loading embedded DLLs, conducting environment checks and bindings, and executing cleanup procedures. After DodgeBox enters the final phase of decrypting its payload, the MoonWalk backdoor is dropped as a DAT file on the infected machine.


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified. 

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind. 
