Welcome to Ntirety's Threat Intelligence Summary, where our elite Security and Threat Response Team delivers critical insights and expert analysis. Each report highlights the most pressing cyber threats and vulnerabilities currently active, to educate and raise awareness among our partners, customers, and the broader community. Committed to securing mission-critical data, Ntirety's managed security services proactively monitor and combat these threats to ensure the safety of our customers.
- Evasive Panda: The Chinese hacking group tracked as “Evasive Panda” was spotted using new versions of the Macma backdoor and the Nightdoor Windows malware. Researchers observed cyber espionage attacks targeting organizations in Taiwan and an American non-governmental organization in China.
- July Patches: Microsoft warned that some Windows devices will boot into BitLocker recovery after installing the July 2024 Windows security update. The impacted update (KB5040442) might cause a device to show the BitLocker recovery screen at boot.
- Docker: Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins under certain circumstances. The flaw (CVE-2024-41110) allows an attacker to send a specially crafted API request with a Content-Length of 0 to trick the Docker daemon into forwarding it to the AuthZ plugin.
- ServiceNow: Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks. ServiceNow released security updates for the flaws on July 10th, 2024, but tens of thousands of systems potentially remain vulnerable to attacks.
- Stargazer Goblin: A threat actor known as “Stargazer Goblin” has found a new way to leverage GitHub to distribute malware and malicious links to unsuspecting users. The group is using a new tactic that involves convincing victims that malicious repositories are legitimate through a socially engineered influence operation involving thousands of inauthentic accounts.
- Okta: Okta Browser Plugin versions 6.5.0 through 6.31.0 are vulnerable to cross-site scripting. The issue (CVE-2024-0981) occurs when the plugin prompts the user to save credentials within Okta Personal.
- Daolpu: CrowdStrike is warning that a fake recovery manual to repair Windows devices is installing a new information-stealing malware called Daolpu. Since the global IT outages, threat actors have quickly begun to capitalize on the news to deliver malware through fake fixes. A new campaign conducted through phishing emails pretends to be instructions on using a new Recovery Tool that fixes Windows devices impacted by the recent CrowdStrike Falcon crashes.
- BreachForums: The private member information of the BreachForums v1 hacking forum from 2022 has been leaked online, allowing threat actors and researchers to gain insight into its users. Multiple forums have operated under the name of BreachForums, all devoted to building a community of collectors and threat actors who trade, sell, and leak data stolen from breached companies.
- SmartScreen: A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza. The stealer campaign was targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412. The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads.
- EvilVideo: A Telegram for Android zero-day vulnerability, dubbed “EvilVideo,” allowed attackers to send malicious Android APK payloads disguised as video files. The threat actor named Ancryno first began selling the Telegram zero-day exploit in a post on the Russian-speaking XSS hacking forum.
- HATVIBE and CHERRYSPY: The CERT of Ukraine has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to the threat actor UAC-0063; the campaign is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to dozens of recipients.
- FrostyGoop: Researchers have discovered a new ICS-focused malware that has been used in a disruptive cyber attack targeting an energy company in Ukraine. The FrostyGoop malware is the first malware strain to directly use Modbus TCP communications to sabotage operational technology networks.
- CrowdStrike Update: Threat actors are exploiting the situation to distribute Remcos RAT to CrowdStrike customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named “crowdstrike-hotfix.zip,” which contains a malware loader named Hijack Loader that, in turn, launches a Remcos RAT payload.
- Play: Researchers have discovered a new Linux variant of a ransomware strain known as Play that’s designed to target VMware ESXi environments. Play is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key.
- SocGholish: The JavaScript downloader malware known as SocGholish is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC is similar to a cryptocurrency miner in the way that it’s designed to reward users with a specific type of cryptocurrency called Gridcoin.
- FLUXROOT: A Latin America-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. The campaign involved the use of Google Cloud container URLs to host credential phishing pages with the aim of harvesting login information associated with Mercado Pago, an online payments platform popular in the LATAM region.
- Vigorish Viper: A Chinese organized crime syndicate with links to money laundering and human trafficking across Southeast Asia has been using an advanced technology suite that runs the whole cybercrime supply chain spectrum to spearhead its operations.
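The Docker item above describes the core of CVE-2024-41110: the daemon forwarded a request with a Content-Length of 0 to the AuthZ plugin without its body, so a plugin that only inspects what it is shown could approve a request it never actually saw. The remedy is the Docker Engine update the item refers to; the following is an added example (not Docker's code, not Ntirety's) of the defence-in-depth decision logic an authorization plugin can apply on its side: fail closed when a body-carrying endpoint arrives with no body. It assumes the request shape Docker sends to AuthZ plugins (RequestMethod, RequestURI, RequestHeaders, RequestBody as base64), and the endpoint list, policy rules and sample requests are constructed for illustration.

```python
import base64
import json
import re

# Docker API endpoints whose POST requests always carry a JSON body.
# Assumption made for this example; the real set is larger and depends on
# the API version in use.
BODY_REQUIRED = (
    re.compile(r"^/(?:v[\d.]+/)?containers/create$"),
    re.compile(r"^/(?:v[\d.]+/)?containers/[^/]+/exec$"),
)


def decode_body(authz_req):
    """Return the forwarded request body as bytes.

    Docker serialises RequestBody as a Go []byte, which JSON-encodes to
    base64; plain text is tolerated so hand-made fixtures also work.
    """
    raw = authz_req.get("RequestBody") or ""
    if not raw:
        return b""
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return raw.encode()


def authz_decide(authz_req):
    """Decide one AuthZReq; returns the {"Allow", "Msg"} shape Docker expects."""
    method = (authz_req.get("RequestMethod") or "").upper()
    path = (authz_req.get("RequestURI") or "").split("?", 1)[0]
    headers = {k.lower(): v for k, v in (authz_req.get("RequestHeaders") or {}).items()}
    body = decode_body(authz_req)

    requires_body = method == "POST" and any(p.match(path) for p in BODY_REQUIRED)

    # Fail closed: a plugin cannot vet a body it was not shown. An empty body
    # or a declared Content-Length of 0 on a create/exec request is refused.
    if requires_body and (not body or headers.get("content-length") == "0"):
        return {"Allow": False, "Msg": f"empty body on {method} {path}; request cannot be vetted"}

    # With a body in hand, apply ordinary content policy (constructed rules).
    if requires_body:
        try:
            spec = json.loads(body)
        except ValueError:
            return {"Allow": False, "Msg": "request body is not valid JSON"}
        host_cfg = spec.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not permitted by policy"}
        for bind in host_cfg.get("Binds") or []:
            if bind.startswith("/var/run/docker.sock:"):
                return {"Allow": False, "Msg": "mounting the Docker socket is not permitted by policy"}

    return {"Allow": True, "Msg": ""}


def _request(method, uri, body=None, content_length=None):
    """Build a constructed AuthZReq fixture shaped like what dockerd sends."""
    headers = {"Content-Type": "application/json"}
    if content_length is not None:
        headers["Content-Length"] = str(content_length)
    elif body:
        headers["Content-Length"] = str(len(body))
    return {
        "User": "alice",
        "UserAuthNMethod": "TLS",
        "RequestMethod": method,
        "RequestURI": uri,
        "RequestHeaders": headers,
        "RequestBody": base64.b64encode(body).decode() if body else "",
    }


# Constructed sample requests (not real traffic).
PRIVILEGED = json.dumps({"Image": "alpine", "HostConfig": {"Privileged": True}}).encode()
PLAIN = json.dumps({"Image": "alpine", "HostConfig": {}}).encode()
SAMPLES = {
    "create_no_body": _request("POST", "/v1.45/containers/create", None, content_length=0),
    "create_privileged": _request("POST", "/v1.45/containers/create", PRIVILEGED),
    "create_plain": _request("POST", "/v1.45/containers/create", PLAIN),
    "start": _request("POST", "/v1.45/containers/abc123/start"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:18} -> {authz_decide(req)}")
```

The start request is allowed without a body because that endpoint carries none; only endpoints the policy actually needs to inspect are forced to fail closed. This check complements, and does not replace, upgrading the engine.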
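The EvilVideo item turns on a file whose name and container say "video" while its bytes are an Android package. As an added example (not from the original report, and not Telegram's or the researchers' code), the following classifies an attachment by its magic bytes and flags any disagreement with the extension it claims; the magic-byte rules are the standard ZIP local-file-header and MP4 `ftyp` signatures, and the sample files are constructed in memory.

```python
import io
import zipfile


def sniff_type(data):
    """Classify a file by content rather than by name."""
    if data[:4] == b"PK\x03\x04":
        # ZIP container. An Android package is a ZIP carrying a manifest
        # and at least one .dex file.
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "zip"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        # ISO base media file (MP4/MOV family): size box then 'ftyp'.
        return "mp4"
    return "unknown"


# Which sniffed types are acceptable for a claimed extension.
EXPECTED_BY_EXTENSION = {
    "mp4": {"mp4"},
    "mov": {"mp4"},
    "apk": {"apk"},
    "zip": {"zip"},
}


def check_attachment(filename, data):
    """Return a record noting whether the content contradicts the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    return {
        "filename": filename,
        "claimed": ext,
        "actual": actual,
        "mismatch": expected is not None and actual not in expected,
    }


def _fake_apk():
    """Constructed stand-in for an APK: a ZIP with manifest and dex members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed sample files, not real captures.
FAKE_APK = _fake_apk()
FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16
SAMPLES = [
    ("vacation.mp4", FAKE_MP4),   # honest video
    ("vacation.mp4", FAKE_APK),   # package wearing a video name
    ("update.apk", FAKE_APK),     # honest package
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(check_attachment(name, blob))
```

Only the second sample is reported as a mismatch. The same check belongs at a mail gateway or download proxy: the name is attacker-controlled, the first bytes are not.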
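The FrostyGoop item notes that the malware drives sabotage directly over Modbus TCP. Because Modbus has no authentication, the practical detection question is which hosts are issuing write function codes to which units. The block below is an added example (not the researchers' tooling and not part of the original report): it parses the Modbus/TCP MBAP header and PDU per the published protocol layout, decodes the two register-write forms, and raises an alert for any write that does not come from an allow-listed engineering host. The traffic samples and the allow-list are constructed.

```python
import struct

# Modbus function codes that change device state. Names follow the Modbus
# application protocol specification.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame) - 6}")
    fc = frame[7]
    data = frame[8:]
    rec = {
        "transaction_id": tid,
        "unit_id": unit,
        "function": fc,
        "name": WRITE_FUNCTIONS.get(fc, f"function 0x{fc:02x}"),
        "is_write": fc in WRITE_FUNCTIONS,
    }
    if fc == 0x06 and len(data) >= 4:
        addr, value = struct.unpack(">HH", data[:4])
        rec["address"], rec["values"] = addr, [value]
    elif fc == 0x10 and len(data) >= 5:
        addr, qty, count = struct.unpack(">HHB", data[:5])
        if count != 2 * qty or len(data) < 5 + count:
            raise ValueError("byte count does not match register quantity")
        rec["address"] = addr
        rec["values"] = list(struct.unpack(f">{qty}H", data[5:5 + count]))
    return rec


def alert_on_writes(observations, allowed_writers):
    """Flag write function codes sent by hosts outside the allow-list."""
    alerts = []
    for src, frame in observations:
        rec = parse_modbus_tcp(frame)
        if rec["is_write"] and src not in allowed_writers:
            alerts.append(
                f"{src} -> unit {rec['unit_id']}: {rec['name']} "
                f"at address {rec.get('address', '?')} values {rec.get('values', '?')}"
            )
    return alerts


# Constructed observations (source IP, raw TCP payload); not a real capture.
OBSERVED = [
    # HMI reads 10 holding registers starting at 0: benign, no alert.
    ("10.0.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Unknown host writes 0 into register 16: write from outside the allow-list.
    ("10.0.0.99", bytes.fromhex("0002 0000 0006 01 06 0010 0000")),
    # Engineering workstation writes registers 32..33: allowed writer, no alert.
    ("10.0.0.20", bytes.fromhex("0003 0000 000B 01 10 0020 0002 04 0001 0002")),
]
ALLOWED_WRITERS = {"10.0.0.20"}

if __name__ == "__main__":
    for line in alert_on_writes(OBSERVED, ALLOWED_WRITERS):
        print("ALERT:", line)
```

The same parser can sit behind a passive tap or a packet-capture reader; the allow-list is the policy, and in a well-segmented OT network it should be very short.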
Concerned about the security of your network, systems, applications, or data? Given the ever-growing list of cyber threats, your concerns are justified.
For over 25 years, Ntirety has been at the forefront of helping organizations anticipate and stay protected from both known and emerging cyber threats. Contact us to discover how our proactive managed security services can strengthen your organization's security posture and provide peace of mind.
Great report! Keeping us informed and secure. Thanks for the update! 🔒🚀