2024 Week 37: Weekly Intelligence Briefing

This week's cybersecurity briefing highlights a surge in ransomware, growing vulnerabilities in industrial control systems, and sophisticated nation-state cyber campaigns.

Cyber Risks Weekly Threat Intelligence Banner - Source CyberRisks.ai

Ransomware

A new ransomware group, Lynx, has emerged, deploying dual extortion tactics across multiple sectors. This group adds to the ransomware momentum seen in 2024's second quarter, with attackers reclaiming strength and increasing their activity. Notably, the healthcare sector remains a prime target, as the evolving extortion techniques seen in the Inc Ransom attack show. The cloud is not immune either, with Scattered Spider targeting the financial and insurance sectors, emphasizing the broad scope of ransomware attacks in today's threat landscape.

Vulnerabilities

This week saw critical updates from CISA, which issued 25 new advisories for Industrial Control Systems (ICS), underscoring the increasing cyber risks to vital infrastructure. Additionally, CISA's Known Exploited Vulnerabilities Catalog grew with the addition of four new vulnerabilities, including exploits targeting SonicWall SSLVPN. Browser extension exploits and Chinese APT activity targeting Visual Studio Code have also come to light, showing the varied and widespread nature of emerging vulnerabilities.

Nation-State Espionage

On the geopolitical front, APT34 (Iran) launched new malware campaigns, Veaty and Spearal, against the Iraqi government. Similarly, Chinese cyberespionage is making waves, with Crimson Palace resurfacing in Southeast Asia and targeting critical government sectors. In a rare victory, Polish authorities disrupted the Saboteur Group, which had been involved in cyber sabotage activities. Meanwhile, North Korean threat actors have expanded their malware arsenal, demonstrating a continuous evolution of advanced tactics targeting financial systems.

Espionage and Financial Threats

BlindEagle, an advanced persistent threat group, is targeting the Colombian insurance sector with the BlotchyQuasar RAT, highlighting the growing trend of financial cyber-espionage across Latin America. In Mexico, cyber espionage and financial threats have also escalated, with multiple campaigns focusing on undermining national security and economic stability.

Other Notable Developments

The rise of mobile threats is underscored by a SpyAgent campaign targeting Android devices, focusing on crypto wallets through image recognition. Additionally, Meduza Stealer is increasing phishing attacks against Russian companies, expanding the global reach of financially motivated cybercrime.

As we continue to track these developments, organizations across all sectors should prioritize the patching of known vulnerabilities and implement advanced threat detection mechanisms to mitigate these growing risks.

Saturday September 7

ToneShell Backdoor Used to Target Attendees of the IISS Defence Summit
The group is known for its cyber espionage activities targeting government organizations, primarily in Southeast and East Asia. This recent campaign, however, focuses on attendees of the upcoming International Institute for Strategic Studies (IISS) Defence Summit.
Chinese APT Exploits Visual Studio Code to Target Southeast Asian Governments
On September 6, 2024, Unit 42 researchers released a report detailing a new cyber espionage campaign by the Chinese Advanced Persistent Threat (APT) group known as “Stately Taurus.”
Akira Ransomware Campaign Exploits SonicWall SSLVPN Vulnerability
Akira ransomware affiliates leverage a vulnerability (CVE-2024-40766) in SonicWall’s firewall devices, compromising SSLVPN user accounts not integrated with centralized authentication solutions.

Sunday September 8

Browser Extension Exploits: Detection and Mitigation Strategies
TrustedSec researchers published a detailed analysis on detecting browser extension exploitation in enterprise environments. Web browsers continue to be a primary target for cyber threats, as tools like Redline Malware or SharpChrome steal sensitive data such as cookies and login credentials.
Meduza Stealer Targets Russian Companies via Phishing Campaigns
In August 2024, BI.ZONE released a detailed report revealing increased phishing attacks leveraging the Meduza Stealer malware to target Russian organizations.
CISA Releases Four New ICS Advisories Addressing Critical Vulnerabilities
On September 5, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued four new advisories highlighting vulnerabilities in Industrial Control Systems (ICS) used across multiple sectors.

Monday September 9

Earth Preta Evolves Malware Tactics with Advanced Strategies
The group’s focus has remained within the Asia-Pacific (APAC) region, targeting government entities using worm-based malware and spear-phishing campaigns.
Saboteur Group Disrupted by Polish Authorities in Major Cybersecurity Victory
On September 9, 2024, Poland’s Deputy Prime Minister and Minister of Digitalization, Krzysztof Gawkowski, announced the successful disruption of a saboteur group operating within the country.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, citing active exploitation. These vulnerabilities include critical issues in ImageMagick, the Linux Kernel, and SonicWall SonicOS, each posing significant risks to affected systems.

Tuesday September 10

BlindEagle Targets Colombian Insurance Sector with BlotchyQuasar RAT
A resurgence of activity has been observed from BlindEagle, a South American-focused APT actor also known as APT-C-36. BlindEagle has a history of targeting individuals and organizations, particularly within the government and financial sectors of Colombia and Ecuador.
New Android SpyAgent Campaign Targets Crypto Wallets Using Image Recognition
McAfee Labs released a detailed report exposing a new strain of Android malware, dubbed “SpyAgent.” This malicious campaign, first observed in early 2024, is designed to target cryptocurrency credentials through advanced image recognition techniques.
North Korean Cyber Threat Groups Unleash New Malware Arsenal in 2024
On September 9, 2024, Palo Alto Networks’ Unit 42 released a detailed threat assessment outlining the activities of various North Korean cyber threat groups operating under the Reconnaissance General Bureau (RGB).

Wednesday September 11

Crimson Palace Resurfaces: Chinese Cyberespionage Campaign Expands in Southeast Asia
Sophos X-Ops released a report detailing renewed cyberespionage efforts by what they assess with high confidence as a Chinese state-directed cyber operation.
Ransomware in the Cloud: Scattered Spider Targets Financial and Insurance Sectors
The report identifies SCATTERED SPIDER, a cybercriminal group known for using voice and SMS phishing to infiltrate cloud-based environments, as a significant threat actor.
Cyber Espionage and Financial Threats Targeting Mexico
Mandiant and Google’s Threat Analysis Group (TAG) released a joint report providing critical insights into the cyber threat landscape impacting Mexico. This report uncovers the ongoing cyber espionage operations and financially motivated cyber attacks aimed at Mexican users and enterprises.

Thursday September 12

Iranian APT34 Targets Iraqi Government with New Veaty and Spearal Malware Campaign
Inc Ransom Attack: Evolving Extortion Techniques Target Healthcare Sector
While typically known for their double-extortion attacks, which combine data theft with encryption, this latest incident diverged by solely focusing on data exfiltration without encrypting the client’s systems.
CISA Adds Four New Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog
The inclusion of these vulnerabilities follows verified reports of active exploitation by malicious actors. The vulnerabilities affect various Microsoft systems and could have severe implications for federal agencies and organizations globally.

Friday September 13

New Ransomware Group Lynx Emerges, Targets Multiple Sectors with Dual Extortion
On July 24, 2024, Rapid7 Labs released a report highlighting the emergence of the Lynx ransomware group. The group, active since July 2024, has already claimed over 20 victims across various sectors, using single and double extortion techniques.
Ransomware Surge: Attackers Reclaim Momentum in 2024’s Second Quarter
Symantec released a detailed report highlighting the resurgence of ransomware attacks in the second quarter of 2024. According to the report, ransomware actors claimed 1,310 attacks during this period, marking a 36% increase compared to the first quarter.
CISA Issues 25 New Industrial Control Systems Advisories Amid Growing Cyber Risks
On September 12, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive set of 25 advisories targeting vulnerabilities in industrial control systems (ICS).