TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Check Point Zero-Day Targeted in Ongoing Attacks
2024/05/29
Bottom Line: As CVE-2024-24919 is being actively exploited, organizations utilizing Check Point Security Gateways need to review their environments for potential impact and apply the available security patches as soon as possible.
On May 28th, Check Point confirmed the existence of an actively exploited zero-day vulnerability impacting Check Point Security Gateways. The vulnerability, tracked as CVE-2024-24919 (CVSS: 7.5), is an information disclosure vulnerability that impacts all Check Point Security Gateways that have either the IPSec VPN or the Mobile Access Software Blade enabled; exploitation would allow a remote threat actor to read certain information on Check Point Security Gateways, including password hashes for all local accounts. Gateways using only Site-to-Site IPSec VPN are not affected.
Check Point has confirmed attacks against a “small number of customers” and that exploitation has impacted organizations that continue to use password only authentication. Threat actors are believed to be exploiting the vulnerability to steal information that would enable remote access into victim environments.
On May 29th, Mnemonic published a blog post discussing exploitation of CVE-2024-24919 in the wild stating they have “observed attempts of exploitation in customer environments since April 30, 2024.” Additionally on May 29th, eSentire’s Threat Intelligence team performed threat hunts based on known Indicators of Compromise (IoCs) and published a security advisory warning of active exploitation and encouraging organizations to apply patches. eSentire Managed Vulnerability Service has plugins in place to identify vulnerable versions of Check Point Security Gateways.
CVE-2024-24919 presents a significant risk due to its ease of exploitation and the potential for broad network compromise. Attackers can extract critical account information, facilitating further attacks and lateral movement. The observed active exploitation underscores the urgency for organizations to address this vulnerability promptly.
A robust defense-in-depth strategy is essential in safeguarding against such vulnerabilities. This multi-layered approach includes network segmentation, strict access controls, regular patching, and intrusion detection systems, alongside educating users on recognizing common attack vectors. An integral part of this strategy is the implementation of Multi-Factor Authentication (MFA). MFA significantly enhances security by requiring multiple verification methods; if an attacker gains access to password hashes, MFA ensures that these credentials alone are insufficient for unauthorized access.
Bottom Line: Moonstone Sleet, a newly identified North Korean threat actor, is employing sophisticated tactics including fake companies, trojanized software, and custom ransomware to target sectors such as software, aerospace, and defense. Organizations must remain vigilant and proactive in defending against such threats, implementing robust cybersecurity protocols and employee training to mitigate the risk of unauthorized access.
On May 28th, Microsoft’s Threat Intelligence team released a report on a new North Korean threat actor tracked as Moonstone Sleet (formerly Storm-1789). This actor has been observed employing a diverse range of tactics and techniques to achieve its objectives, which primarily revolve around espionage and revenue generation.
Moonstone Sleet employs various advanced tactics, starting with the establishment of fake companies to lend credibility to its operations. By presenting themselves as legitimate business entities, these actors successfully distribute trojanized software to unsuspecting users. This software is carefully designed to appear harmless, thus bypassing initial scrutiny and infecting devices with malware.
A notable tactic used by Moonstone Sleet involves targeting software developers through malicious npm packages. These packages, once integrated into legitimate software projects, serve as a conduit for the threat actors to inject malicious code. This method not only compromises the targeted developers but also poses a broader risk as the compromised packages could be widely adopted across various platforms.
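One concrete defensive check against the npm supply-chain tactic described above is to inventory which installed packages declare install-time lifecycle hooks (preinstall, install, postinstall, prepare), since those hooks run automatically during `npm install` and are a common place for a trojanized package to execute code. The following Node.js script is an added example written for this briefing; it is not eSentire's tooling and is not derived from the Moonstone Sleet packages. The package names and manifests in SAMPLE_PACKAGES are constructed for illustration and are not indicators of compromise.

```javascript
// Added example: list npm packages whose package.json declares install-time
// lifecycle hooks, so reviewers have a short list to inspect before trusting
// a dependency tree. Not part of the original briefing.

// Hooks npm runs automatically as part of `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Given a parsed package.json object, return the install-time hooks it
// declares as {hook, command} pairs. Tolerates a missing or null manifest.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Report every package in a list of {name, version, manifest} records that
// declares at least one install-time hook.
function findInstallHooks(packages) {
  const findings = [];
  for (const pkg of packages) {
    const hooks = installHooks(pkg.manifest);
    if (hooks.length > 0) {
      findings.push({ name: pkg.name, version: pkg.version, hooks });
    }
  }
  return findings;
}

// Walk a node_modules directory (scoped @org/pkg directories and nested
// node_modules included) and collect {name, version, manifest} records.
// Only needed for a real tree; the sample run below never touches disk.
function readInstalledPackages(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  const packages = [];
  const visit = (dir) => {
    if (!fs.existsSync(dir)) return;
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      const full = path.join(dir, entry.name);
      if (entry.name.startsWith('@')) { visit(full); continue; }
      const manifestPath = path.join(full, 'package.json');
      if (fs.existsSync(manifestPath)) {
        try {
          const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
          packages.push({
            name: manifest.name || entry.name,
            version: manifest.version || 'unknown',
            manifest,
          });
        } catch (err) {
          // Unreadable or malformed manifest: skip it rather than abort the scan.
        }
      }
      visit(path.join(full, 'node_modules'));
    }
  };
  visit(nodeModulesDir);
  return packages;
}

// Constructed sample manifests (hypothetical names, not real packages or IoCs).
const SAMPLE_PACKAGES = [
  { name: 'string-pad-lib', version: '1.0.0', manifest: { scripts: { test: 'node test.js' } } },
  { name: 'native-helper', version: '2.3.1', manifest: { scripts: { install: 'node-gyp rebuild' } } },
  { name: 'example-util', version: '0.0.3', manifest: { scripts: { postinstall: 'node ./setup.js' } } },
];

// Sample run over the constructed tree; swap in readInstalledPackages('./node_modules')
// to scan a real installation.
for (const finding of findInstallHooks(SAMPLE_PACKAGES)) {
  for (const h of finding.hooks) {
    console.log(`${finding.name}@${finding.version} ${h.hook}: ${h.command}`);
  }
}
```

Any package that appears in the output deserves a look at the referenced script before the dependency is trusted; legitimate native modules (the `node-gyp rebuild` case above) will show up too, so the list is a review queue, not a verdict. Pairing this with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) keeps hooks from running at all until the review is done.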
One of the more innovative methods utilized by Moonstone Sleet is the development of a malicious game. In this campaign, the group approached targets through messaging apps or email as a game developer seeking either investment or development support. Moonstone Sleet created a robust public campaign that includes websites and many X (formerly Twitter) accounts to bolster the game's legitimacy. Malicious DLLs are loaded when the game is launched, resulting in the execution of a custom malware loader tracked as YouieLoad.
In addition to these tactics, Moonstone Sleet has developed and deployed custom ransomware tracked as FakePenny. This ransomware encrypts files on infected systems, demanding a ransom for their decryption. In an incident observed by Microsoft, the ransom demand was $6.6M USD in BTC, significantly higher than previous North Korean ransomware attacks, like WannaCry 2.0.
The tactics employed by Moonstone Sleet highlight the evolving nature of cyber threats from nation-state actors. Organizations must remain vigilant and proactive in defending against such threats, implementing robust cybersecurity protocols and employee training to mitigate the risk of unauthorized access and data breaches.
The use of fake companies and trojanized software to distribute malware reflects a high level of planning and execution, making it challenging for traditional security measures to detect and mitigate these threats. The targeting of software developers through malicious npm packages indicates a deep understanding of software development practices and the potential to cause widespread damage through compromised software.
The deployment of custom ransomware by Moonstone Sleet is particularly concerning, as it highlights a dual-threat scenario where data is both stolen and held hostage. This tactic not only disrupts operations but also imposes financial and reputational costs on the victims. The use of creative lures, such as a malicious game, further demonstrates the adaptability and resourcefulness of the threat actors.
To mitigate the risks posed by actors like Moonstone Sleet, organizations should adopt a multi-layered defense strategy. This includes regular security assessments, employee training on recognizing social engineering tactics, and the implementation of robust incident response plans. Additionally, credential hardening and access control measures are critical in protecting against unauthorized access and data breaches.
Bottom Line: The recent Ticketmaster data breach, believed to be orchestrated by the hacking group ShinyHunters, compromised the personal information of over 500 million users. This group has been previously associated with numerous high-profile data breaches. It is critical that individuals and organizations change passwords associated with Ticketmaster and enable Multi-Factor Authentication (MFA).
On May 28th, a cybercriminal group posted an alleged database for sale online, which they claimed contained the information of 560 million LiveNation/Ticketmaster users.
Information surrounding the topic is limited. A notorious cybercriminal group using the handle "Shiny Hunters" posted the alleged database on forums, most notably BreachForums, which they own. The database was listed for $500,000 USD and was claimed to contain sensitive customer information such as names, addresses, partial payment information (credit card), and more.
According to vx-underground, through "multiple individuals privy to and involved in the alleged Ticketmaster breach", they were able to gather that the breach occurred sometime in April, when an unidentified threat group was able to gain access to Ticketmaster's Amazon Web Services (AWS) instances by pivoting from a Managed Service Provider (MSP). They claim that the Shiny Hunters group is not responsible for the breach but is acting as a proxy for the threat group responsible for the compromise.
The Shiny Hunters group has been behind multiple data breaches since 2020 including AT&T and a very recent compromise of Spain’s largest bank, Santander, affecting over 30 million customers.
On May 15th, the FBI seized BreachForums, which is operated by ShinyHunters and another threat actor known as Baphomet. ShinyHunters said that Baphomet was arrested, then proceeded to quickly restore the BreachForums site from a backup to a new domain. Since this takedown, ShinyHunters has posted the Ticketmaster and Santander sales. Both data breaches were first listed on the Russian-speaking Exploit hacking forum days before they were listed on the newly restored BreachForums, causing some to believe the posts were a way to restore the reputation of the site.
Neither Ticketmaster nor its parent company, Live Nation Entertainment, have commented on the alleged breach and theft of customer records.
This alleged data leak highlights the importance of layered security for companies holding large amounts of customer data, as they are highly valued targets for attackers. The eSentire Threat Intelligence team assesses that this data set is likely legitimate and will impact a significant number of Ticketmaster users.
Data breaches can result in an increase in phishing attacks targeting customers whose information was leaked. It is important for users that may have been compromised through the Ticketmaster breach to remain vigilant of phishing attempts, specifically crafted emails posing as Ticketmaster.
Users should change any passwords associated with Ticketmaster to prevent possible compromises and enable Multi-Factor Authentication (MFA). Data breaches may not result in consequences in the immediate future, as the leaked information could be actioned by threat actors several months, possibly even years, later. Credit card transactions should be monitored for any suspicious activity, as payment information was also compromised.
Large data breaches like the Ticketmaster compromise highlight the need for defense-in-depth strategies for any company holding valuable information. As multiple services are likely used within organizations, it is important for each of these services or service providers to maintain a high level of security to protect customers from potential compromises.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.