The Ntirety Weekly Threat Intelligence Report: July 08, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches 

  • Authy: Twilio has confirmed that an unsecured API endpoint allowed threat actors to verify the phone numbers of millions of Authy MFA users, potentially making them vulnerable to SMS phishing and SIM swapping attacks.  

  • Affirm: Buy now, pay later loan company Affirm is warning that holders of its payment cards had their personal information exposed due to a data breach at its third-party issuer, Evolve Bank & Trust. There is evidence that the stolen data includes names, social security numbers, bank account numbers, and contact information. 
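The Authy item above describes an unauthenticated endpoint that told the caller whether a phone number was enrolled, which is an enumeration oracle. The following added example (not Ntirety's or Twilio's code, and not a description of how Authy's endpoint was implemented) contrasts that pattern with a hardened lookup that requires a caller credential, rate-limits each client, and returns the same body whether or not the number is enrolled, so the only signal goes out of band to the number's owner. The phone numbers, API key and limits are constructed values.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample enrolment table (fake numbers, not real users).
REGISTERED = {"+15555550100", "+15555550101"}


def vulnerable_lookup(phone: str) -> dict:
    """Pattern described in the news item: no credential, no rate limit,
    and the response body itself discloses enrolment status."""
    return {"registered": phone in REGISTERED}


class HardenedLookup:
    """Enrolment check that does not leak whether a number is enrolled.

    - requires a caller credential (compared in constant time)
    - enforces a sliding-window request limit per client
    - answers every accepted request with the same body
    """

    def __init__(self, api_key: str, limit: int = 5, window: float = 60.0,
                 clock=time.monotonic):
        self._key = api_key.encode()
        self._limit = limit
        self._window = window
        self._clock = clock  # injectable so the limiter can be tested offline
        self._hits: dict[str, list[float]] = defaultdict(list)

    def _allowed(self, client_id: str) -> bool:
        now = self._clock()
        recent = [t for t in self._hits[client_id] if now - t < self._window]
        if len(recent) >= self._limit:
            self._hits[client_id] = recent
            return False
        recent.append(now)
        self._hits[client_id] = recent
        return True

    def lookup(self, phone: str, client_id: str, presented_key: str) -> dict:
        if not hmac.compare_digest(presented_key.encode(), self._key):
            return {"status": 401}
        if not self._allowed(client_id):
            return {"status": 429}
        # Enrolment is consulted only to decide whether to send an
        # out-of-band code; the HTTP response never reflects it.
        _enrolled = phone in REGISTERED
        return {
            "status": 202,
            "body": "If this number is enrolled, a verification code has been sent.",
        }


if __name__ == "__main__":
    svc = HardenedLookup("constructed-api-key", limit=2)
    print(vulnerable_lookup("+15555550100"))            # leaks: registered=True
    print(svc.lookup("+15555550100", "client-a", "constructed-api-key"))
    print(svc.lookup("+15555550199", "client-a", "constructed-api-key"))  # same body
    print(svc.lookup("+15555550100", "client-a", "constructed-api-key"))  # 429
```

The two calls with an enrolled and an unenrolled number return byte-identical bodies, which is the property to assert in an API test; the rate limit and credential check then bound how much an anonymous caller can learn by timing or volume.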

Threats to Watch 

  • OVHcloud: OVHcloud, a global cloud service provider, says it mitigated a record-breaking DDoS attack earlier this year that reached an unprecedented packet rate of 840 million packets per second. The company reports that it has seen a general trend of increased attack sizes starting in 2023, with those exceeding 1 Tbps becoming more frequent and escalating to weekly and almost daily occurrences in 2024.

  • Rejetto: Hackers are targeting older versions of the HTTP File Server from Rejetto to drop malware and cryptocurrency mining software. Researchers believe that the threat actors are exploiting CVE-2024-23692, a critical-severity security issue that allows executing arbitrary commands without the need to authenticate.

  • Zergeca: Researchers have uncovered a new botnet called Zergeca that is capable of conducting DDoS attacks. The botnet is written in Golang and is notable for using DNS-over-HTTPS to resolve the C2 server and for using a lesser-known library called Smux for C2 communications.

  • Israeli Entities: Researchers have discovered an attack campaign that targets various Israeli entities with publicly available frameworks like Donut and Sliver. The campaign is believed to be highly targeted in nature, with the intention of leveraging target-specific infrastructure and custom WordPress websites as a payload delivery mechanism.

  • FakeBat: A loader-as-a-service known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year. FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.  

  • MerkSpy: Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland and the U.S. The starting point of the attack chain is a Word document that contains a job description for a software engineer role, but opening the file triggers the exploitation of CVE-2021-40444.  

  • Orcinius: A sample of Orcinius malware was investigated by researchers this week. Orcinius is a multi-stage trojan that uses Dropbox and Google Docs to download second-stage payloads. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes, and it creates persistence using registry keys.

  • Conceptworld: Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware. The installers correspond to Notezilla, RecentX, and Copywhiz. They had been trojanized to execute information-stealing malware capable of downloading and executing additional payloads, but the issue has since been remediated by Conceptworld.

  • Transparent Tribe: A threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. The campaign, dubbed CapraTube, resulted in the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT.

  • Cisco: A Chinese-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. The vulnerability (CVE-2024-20399) concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.  

  • Intel CPU: Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been found vulnerable to a new side-channel attack that could be exploited to leak sensitive information from the processors. The attack, codenamed Indirector, leverages shortcomings identified in the Indirect Branch Predictor and the Branch Target Buffer to bypass existing defenses and compromise the security of the CPUs.

  • TeamViewer: TeamViewer says a Russian state-sponsored hacking group known as Midnight Blizzard is believed to be behind a breach of their corporate network this week. At this time, TeamViewer says they believe their internal corporate network, not their production environment, was breached on Wednesday, June 26, using an employee’s credentials. The company stated that their investigation has shown no indication that the production environment or customer data was accessed in the attack. 

  • Brain Cipher: The new Brain Cipher ransomware operation has begun targeting organizations worldwide including a recent attack on Indonesia’s National Data Center that encrypted the government’s servers and disrupted immigration services, passport control, issuing of event permits and other online services.  

  • D-Link: Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue, tracked as CVE-2024-0769, is a path traversal flaw that leads to information disclosure.  

  • Fake IT Support: Fake IT support sites promote malicious PowerShell “fixes” for common Windows errors to infect devices with information stealing malware. The fake support sites have been promoting a fix for the Windows 0x80070643 error that some users have been dealing with since January.  

  • OpenSSH: OpenSSH maintainers have released security updates to contain a critical security flaw that results in unauthenticated remote code execution with root privileges on glibc-based Linux systems. The vulnerability has been assigned CVE-2024-6387.

  • Juniper: Juniper Networks has released out-of-band security updates to address a critical security flaw that could lead to an authentication bypass in some of its routers. The vulnerability (CVE-2024-2973) carries a CVSS score of 10.0.
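For the OpenSSH item above, the first thing a defender wants is an inventory of which hosts still run an affected build. The following added example (not Ntirety's or the OpenSSH project's code) parses the version banner that an SSH server sends on connection and triages it against the upstream affected ranges for CVE-2024-6387 as published by the OpenSSH project, which this example assumes to be: versions before 4.4p1 (unless patched for the older CVE-2006-5051) and 8.5p1 up to but not including 9.8p1. The banners are constructed samples. The caveat the code encodes is that distributions backport fixes without bumping the upstream version, so a banner in the affected range means "check the vendor package", not "confirmed vulnerable".

```python
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_4.3",
    "SSH-2.0-dropbear_2022.83",
]

# Matches the identification string from RFC 4253 for OpenSSH builds, e.g.
# "SSH-2.0-OpenSSH_9.6p1 <comment>"; the "pN" portable suffix is optional.
BANNER_RE = re.compile(r"^SSH-\d\.\d-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Assumed upstream affected ranges (see lead-in).
OLD_UNPATCHED_BELOW = (4, 4, 1)   # < 4.4p1
REGRESSION_FROM = (8, 5, 1)       # >= 8.5p1 ...
FIXED_IN = (9, 8, 0)              # ... and < 9.8


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(banner: str) -> str:
    """Triage a banner into an action bucket for the asset owner."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v < OLD_UNPATCHED_BELOW:
        return "likely-vulnerable"
    if REGRESSION_FROM <= v < FIXED_IN:
        # Upstream-affected range. Distro packages (Debian, Ubuntu, RHEL, ...)
        # ship backported fixes under the same upstream version, so the package
        # changelog, not the banner, is the authority here.
        return "check-vendor-patch"
    return "not-affected"


def triage(banners) -> Counter:
    """Count banners per bucket; useful as a quick fleet-wide summary."""
    return Counter(classify(b) for b in banners)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{classify(b):20s} {b}")
    print(dict(triage(SAMPLE_BANNERS)))
```

The banner can be collected with any TCP client that reads the first line from port 22; the parser deliberately ignores the free-text comment after the version so that vendor strings do not break matching. Hosts in the check-vendor-patch bucket should be confirmed from the installed package version, and patching should be preferred over banner-based assurance.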


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified. 

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind. 

Get Started 
