The Ntirety Weekly Threat Intelligence Report: December 16, 2024

Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.


Industry Breaches

  • Artivion: This leading manufacturer of heart surgery medical devices disclosed a November 21 ransomware attack that disrupted its operations and forced it to take some systems offline. The Atlanta-based company employs over 1,250 people worldwide with sales representatives in more than 100 countries and manufacturing facilities in the US and Germany. 

  • Byte Federal: Byte Federal disclosed a data breach that exposed the data of 58,000 customers after its systems were breached through a GitLab vulnerability. Byte Federal is the largest US operator of Bitcoin ATMs, with over 1,200 machines located in 42 states.

  • Kadokawa: A major Japanese media company known for producing manga, anime and video games appears to have paid nearly $3 million to Russia-linked hackers following a data breach earlier this year. 

  • Krispy Kreme: The doughnut chain suffered a cyberattack in November that impacted portions of its business operations, including placing online orders in the United States. In a recent SEC filing, Krispy Kreme says it detected unauthorized activity on November 29, 2024. 

  • LKQ Corporation: The automobile parts giant disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company. LKQ is a public American company specializing in automotive replacement parts, components, and services to repair and maintain vehicles. The company has 45,000 employees in 25 countries and operates numerous brands, including Keystone, Tri Star, and ADL.

Threats to Watch

  • Amadey: Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing industry, leveraging a deceptive LNK file disguised as a PDF file. This campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload.

  • Cisco: Cisco released security patches for a vulnerability, tracked as CVE-2024-20397 (CVSS score of 5.2), in the NX-OS software’s bootloader that could be exploited by attackers to bypass image signature verification. 

  • Citrix: Citrix NetScaler is the latest target in this year's wave of widespread password spray attacks against edge networking devices and cloud platforms, aimed at breaching corporate networks. In March, Cisco reported threat actors conducting password spray attacks on Cisco VPN devices, which in some cases caused a denial-of-service state.

  • IOCONTROL: Iranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States. Targeted devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), IP cameras, firewalls, and fuel management systems. 

  • Ivanti: Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier without requiring authentication or user interaction by circumventing authentication using an alternate path or channel.

  • Pumakit: A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems. The malware is a multi-component set that includes a dropper, memory-resident executables, a kernel module rootkit, and a shared object (SO) userland rootkit. 

  • Termite: The November ransomware attack on supplier Blue Yonder that affected large companies like Starbucks, Sainsbury’s and Morrisons has been claimed by the Termite ransomware group. On its data leak site, the group claims to have stolen 680GB of data, including more than 16,000 email lists and more than 200,000 insurance documents.

  • WPForms: A vulnerability in WPForms, a WordPress plugin used on over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked as CVE-2024-11205, the flaw was categorized as high severity rather than critical because it requires authentication. However, because most sites offer membership registration, that prerequisite is easy to meet and exploitation may be fairly easy in most cases.
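One way to surface the password-spray pattern described in the Citrix item, as an added example that is not part of Ntirety's report: flag a source address that fails logins for many distinct accounts within a short window while making only a few attempts per account, which separates a spray from a single-account brute force. The log line format, field names and thresholds are constructed assumptions, not NetScaler's real audit format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a generic syslog-like layout (not real NetScaler output).
# 203.0.113.7 tries six different accounts once each; 198.51.100.9 retries one account and then succeeds.
SAMPLE_LOG = """\
2024-12-10T08:00:01Z auth FAIL user=alice src=203.0.113.7
2024-12-10T08:00:03Z auth FAIL user=bob src=203.0.113.7
2024-12-10T08:00:05Z auth FAIL user=carol src=203.0.113.7
2024-12-10T08:00:07Z auth FAIL user=dave src=203.0.113.7
2024-12-10T08:00:09Z auth FAIL user=erin src=203.0.113.7
2024-12-10T08:00:11Z auth FAIL user=frank src=203.0.113.7
2024-12-10T08:00:13Z auth FAIL user=alice src=198.51.100.9
2024-12-10T08:00:14Z auth FAIL user=alice src=198.51.100.9
2024-12-10T08:00:15Z auth FAIL user=alice src=198.51.100.9
2024-12-10T08:00:16Z auth OK   user=alice src=198.51.100.9
2024-12-10T09:30:00Z auth FAIL user=grace src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Parse the assumed log layout into (timestamp, result, user, source) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_spray(lines, min_users=5, max_per_user=2, window=timedelta(minutes=10)):
    """Return {source: details} for sources whose failures hit >= min_users distinct accounts
    inside `window`, with no single account tried more than max_per_user times (spray, not brute force)."""
    by_src = defaultdict(list)
    for ts, result, user, src in sorted(parse(lines)):
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        for i, (start, _) in enumerate(fails):          # slide the window over each failure as a start point
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = {"distinct_users": len(per_user), "window_start": start.isoformat()}
                break
    return alerts
```

The 09:30 failure from the same source falls outside the window and is not counted, so tune `window` to the cadence you expect on your own edge devices.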


Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.

For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.


Mandar Sule

Entrepreneur | Digital Transformation Specialist | Business Transformation | Cloud Adoption | Application Modernization | Intelligent Automation | Problem Solver

1mo

Your commitment to keeping organizations informed about the latest cyber threats is invaluable. Thanks for sharing these critical insights.
