18th November – Threat Intelligence Report - Check Point Research
18TH NOVEMBER – THREAT INTELLIGENCE REPORT
November 18, 2024
For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The FBI and CISA issued a joint statement detailing a major Chinese cyber-espionage campaign targeting U.S. telecommunications infrastructure, led by the APT group Salt Typhoon. This operation compromised networks to steal call records, intercept communications involving government and political figures, and access data linked to U.S. legal requests. This statement follows confirmation of breaches affecting multiple telecom companies, including AT&T, Verizon, and Lumen Technologies, in October 2024. T-Mobile has also confirmed being a victim of this campaign, stating that Salt Typhoon infiltrated its network using vulnerabilities like those in Cisco routers to spy on senior government and national security officials. However, T-Mobile reported no significant harm to its systems or compromise of customer data.
Hungary’s Defense Procurement Agency (VBÜ) has confirmed a cyberattack by the INC Ransomware group. The group claims to have accessed and encrypted the VBÜ’s data, including documents on military procurements, and is demanding a $5 million ransom. The Ministry of National Defense stated that VBÜ does not store sensitive military data and is currently investigating the breach.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat
The City of Sheboygan, Wisconsin, reported that it recently experienced unauthorized access to its network in a ransomware attack. In response, the city has secured its systems and is conducting a thorough forensic investigation with cybersecurity experts to assess the incident’s scope. Currently, there is no evidence that sensitive personal information has been compromised; however, the city has been dealing with technology outages since late October.
American Associated Pharmacies (AAP), managing over 2,000 U.S. pharmacies, was reportedly targeted by the Embargo ransomware group, which claims to have stolen 1.469 TB of data and encrypted files. Embargo claims AAP paid $1.3 million for decryption and now faces another $1.3 million demand to prevent data exposure. While AAP has not confirmed the attack, it reset user passwords and advised credential updates.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Embargo, Ransomware.Wins.Embargo)
A Distributed Denial of Service (DDoS) attack disrupted credit card readers across Israeli gas stations and supermarkets, causing widespread payment processing issues. Credit Guard, the company responsible for the readers’ cybersecurity, identified the attack and restored services after approximately one hour. The attack is linked to the hacktivist group Anonymous for Justice.
VULNERABILITIES AND PATCHES
Microsoft published its Patch Tuesday update, fixing 89 vulnerabilities, including four zero-days. Two of the zero-day vulnerabilities, CVE-2024-43451 (NTLM Hash Disclosure Spoofing Vulnerability) and CVE-2024-49039 (Windows Task Scheduler Elevation of Privilege Vulnerability), are actively exploited in the wild.
Palo Alto Networks has identified a critical zero-day vulnerability (PAN-SA-2024-0015) in the management interfaces of its Next-Generation Firewalls (NGFW). This flaw, which allows unauthenticated remote code execution, is currently being exploited in attacks targeting internet-exposed management interfaces. The company advised multiple security measures while patches are being developed, including restriction of access to these interfaces by permitting connections only from trusted internal IP addresses.
Wordfence identified a critical authentication bypass vulnerability in the Really Simple Security plugin. This flaw allows unauthenticated attackers to gain administrative access to WordPress sites when the plugin’s two-factor authentication feature is enabled. The plugin has pushed forced updates to patch the vulnerability, but unmaintained websites might still be vulnerable.
THREAT INTELLIGENCE REPORTS
Check Point Research has released October 2024’s Most Wanted Malware, highlighting a significant rise in infostealer malware during October, with AgentTesla and Lumma Stealer dominating the list of prevalent threats. These malware families are often spread through phishing emails and malicious websites, targeting sensitive data such as login credentials and financial information. The report also mentions the new version of Necro mobile malware that has emerged as a significant threat, ranking 2nd among mobile malware.
Check Point Research revealed the latest activity during 2024 of a Hamas-linked APT group dubbed WIRTE. The group continued its espionage activity against Middle Eastern countries and has expanded its activity beyond espionage to conduct disruptive attacks against Israel. The report connects the custom malware used by the group to SameCoin, a wiper malware targeting Israeli entities.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Wins.Wirte.ta.A/B/C/D/E/F; ransom.win.honey, infostealer.win.blackguard.d)
Check Point Research reports on WezRAT, a custom modular RAT tool used by Iranian threat group Emennet Pasargad, following the advisory published by the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate. The group has been targeting Israel, France, Sweden and the United States lately. In recent campaigns, WezRAT was modified to include additional infostealer capabilities.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Behavioral.Win.FakeChrome.B, Trojan.Wins.FakeUpdater.A)