Cyber Research Discoveries: Weekly Update for November 11, 2024
As the digital landscape continues to evolve, so too does the threat landscape. The week of November 11, 2024, has seen significant developments in cyber research, highlighting the persistent threats posed by advanced persistent threat (APT) groups, ransomware attacks, and vulnerabilities in widely used software. For a comprehensive overview of these findings, readers are encouraged to download the latest Threat Intelligence Bulletin.
Major Attacks and Breaches
This week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement regarding a substantial cyber-espionage campaign orchestrated by the Chinese APT group known as Salt Typhoon. This operation has targeted U.S. telecommunications infrastructure, successfully compromising networks to steal call records, intercept communications involving government officials, and access sensitive data related to U.S. legal requests. The statement follows the confirmation of breaches affecting major telecom companies, including AT&T, Verizon, and Lumen Technologies, in October 2024. T-Mobile has also confirmed being a victim of this campaign, revealing that Salt Typhoon exploited vulnerabilities in Cisco routers to infiltrate its network. Fortunately, T-Mobile reported no significant harm to its systems or compromise of customer data.
In another alarming incident, Hungary’s Defense Procurement Agency (VBÜ) confirmed a cyberattack by the INC Ransomware group. The attackers claim to have accessed and encrypted sensitive data, including military procurement documents, and are demanding a ransom of $5 million. The Ministry of National Defense has stated that VBÜ does not store sensitive military data and is currently investigating the breach.
The City of Sheboygan, Wisconsin, has also reported unauthorized access to its network due to a ransomware attack. The city is actively securing its systems and conducting a forensic investigation to assess the incident’s scope. While there is currently no evidence of compromised sensitive personal information, the city has experienced technology outages since late October.
American Associated Pharmacies (AAP), which manages over 2,000 pharmacies across the U.S., was reportedly targeted by the Embargo ransomware group. The group claims to have stolen 1.469 TB of data and encrypted files, demanding a total of $2.6 million to prevent data exposure. Although AAP has not confirmed the attack, it has reset user passwords and advised credential updates as a precaution.
In a separate incident, a Distributed Denial of Service (DDoS) attack disrupted credit card readers across Israeli gas stations and supermarkets, leading to widespread payment processing issues. The attack, which was linked to the hacktivist group Anonymous for Justice, was identified and mitigated within approximately one hour by Credit Guard, the company responsible for the cybersecurity of these systems.
Vulnerabilities and Patches
Microsoft published its Patch Tuesday update, addressing 89 vulnerabilities, including four zero-days. Notably, two of these vulnerabilities, CVE-2024-43451 (NTLM Hash Disclosure Spoofing Vulnerability) and CVE-2024-49039 (Windows Task Scheduler Elevation of Privilege Vulnerability), are being actively exploited in the wild.
Palo Alto Networks has identified a critical zero-day vulnerability (PAN-SA-2024-0015) in the management interfaces of its Next-Generation Firewalls (NGFW). This flaw allows for unauthenticated remote code execution and is currently being exploited in attacks targeting internet-exposed management interfaces. The company has advised implementing security measures, such as restricting access to these interfaces to trusted internal IP addresses, while patches are being developed.
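As an added illustration of the mitigation described above (limiting management-interface access to trusted internal addresses), the following Python script, written for this summary and not Palo Alto Networks' own tooling, audits constructed management-access log lines and flags any allowed connection whose source lies outside an assumed allowlist; the log format, the allowlisted ranges and the addresses are all assumptions.

```python
import ipaddress
import re

# Assumed trusted internal ranges: the only networks that should reach the management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.100.0/24")]

# Constructed sample log in a simple "timestamp src_ip dst_port action" format (not real PAN-OS output).
SAMPLE_LOG = """\
2024-11-13T09:01:12Z 10.10.4.21 443 ALLOW
2024-11-13T09:02:40Z 203.0.113.77 443 ALLOW
2024-11-13T09:03:05Z 192.168.100.9 22 ALLOW
2024-11-13T09:04:51Z 198.51.100.5 443 DENY
2024-11-13T09:05:02Z not-an-ip 443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(ALLOW|DENY)$")


def allowlist_is_internal(nets):
    """True when every allowlisted network is a private (non-internet-routable) range."""
    return all(net.is_private for net in nets)


def is_trusted(src):
    """A source is trusted only if it parses as an IP address inside an allowlisted range.
    Unparsable sources fail closed, so they are reported rather than silently accepted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_untrusted_access(log_text):
    """Return (timestamp, src_ip, port) for every ALLOWed connection from outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, port, action = m.groups()
        if action == "ALLOW" and not is_trusted(src):
            findings.append((ts, src, int(port)))
    return findings


if __name__ == "__main__":
    for ts, src, port in find_untrusted_access(SAMPLE_LOG):
        print(f"{ts} management access from untrusted source {src} on port {port}")
```

Denied connections are not reported because the control worked; only allowed connections from outside the trusted ranges indicate that the restriction is missing or misconfigured.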
Additionally, Wordfence has reported a critical authentication bypass vulnerability in the Really Simple Security plugin for WordPress. This vulnerability allows unauthenticated attackers to gain administrative access to WordPress sites when the plugin’s two-factor authentication feature is enabled. The plugin’s developers have pushed forced updates to patch the vulnerability, but unmaintained websites may still be at risk.
Threat Intelligence Reports
Check Point Research has released its findings on October 2024’s Most Wanted Malware, revealing a significant rise in infostealer malware, with AgentTesla and Lumma Stealer leading the list of prevalent threats. These malware families are often disseminated through phishing emails and malicious websites, targeting sensitive data such as login credentials and financial information. The report also highlights the emergence of a new version of the Necro mobile malware, which has become a significant threat in the mobile malware landscape.
Furthermore, Check Point Research has detailed the activities of a Hamas-linked APT group known as WIRTE, which has expanded its operations beyond espionage to conduct disruptive attacks against Israel. The report connects the custom malware used by the group to SameCoin, a wiper malware targeting Israeli entities.
In another significant finding, Check Point Research has reported on WezRAT, a custom modular Remote Access Trojan (RAT) tool used by the Iranian threat group Emennet Pasargad. This group has been targeting countries including Israel, France, Sweden, and the United States. Recent campaigns have seen WezRAT modified to include additional infostealer capabilities, further enhancing its threat profile.
Conclusion
The cyber landscape remains fraught with challenges as sophisticated attacks and vulnerabilities continue to emerge. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against these evolving threats. For further insights and detailed analysis, the Threat Intelligence Bulletin is available for download, providing a deeper understanding of the current state of cyber threats and defenses.