Major Incidents or Breaches

  • Qantas Airlines suffered a data breach impacting 6 million customers. Personal information was accessed via a third-party call center platform; passport and credit card data were not included.
  • Spanish authorities arrested two individuals in Las Palmas for cybercriminal activity, including data theft from government entities, politicians, and journalists.

Newly Discovered Vulnerabilities

  • Cisco disclosed and patched a critical vulnerability in Unified Communications Manager (Unified CM) and Session Management Edition, involving hardcoded root SSH credentials that allowed remote root access. The backdoor account has now been removed.
  • The Forminator WordPress plugin is vulnerable to an unauthenticated arbitrary file deletion flaw, enabling potential full site takeover attacks.
  • Google Chrome was updated to address a serious security flaw that has been exploited in the wild.
  • Citrix issued a warning that patching recent authentication bypass vulnerabilities in NetScaler ADC and Gateway may cause login page failures.
  • Multiple fake cryptocurrency wallet extensions were discovered in the Firefox add-ons store, designed to steal wallet credentials and sensitive data.

Notable Threat Actor Activity

  • The Russian APT group Gamaredon continues aggressive spearphishing campaigns targeting Ukrainian government entities in 2024, utilizing an evolved cyberespionage toolset and new stealth-focused techniques, including weaponization of network drives.
  • North Korean state-backed actors are targeting Web3 and cryptocurrency organizations with new malware written in Nim, including a macOS variant named NimDoor, which can revive itself if terminated. They are also leveraging the ClickFix technique in the BabyShark campaign to bypass browser safeguards.
  • A China-nexus initial access broker has been observed exploiting unpatched Ivanti vulnerabilities for initial access and then patching those same vulnerabilities itself to lock out other threat actors.
  • Scattered Spider, a group of young cybercriminals, is identified as a significant and imminent threat, having targeted retailers, insurers, and airlines with a flexible structure that is difficult to defend against.
  • Threat actors are increasingly using callback phishing campaigns, impersonating brands such as Microsoft and DocuSign via PDFs to trick users into calling attacker-controlled phone numbers.
  • Attackers are using AI to rapidly generate convincing phishing sites impersonating Okta and Microsoft 365 login pages.
  • Attack chains such as ClickFix and FileFix exploit browser and user behavior to bypass security controls and enable malicious script execution.

Trends, Tools, or Tactics of Interest

  • Nearly 80% of cyber threats now mimic legitimate user behavior, complicating network threat detection.
  • Modern phishing campaigns are leveraging AI and social engineering to increase the speed and realism of attacks.
  • Social engineering tactics are being used in attack chains to manipulate victims into saving and renaming files that execute malicious scripts.
  • Fake browser extensions and add-ons targeting cryptocurrency wallets are proliferating in official app stores.
  • New malware written in the Nim programming language is being used in targeted attacks, reflecting an ongoing trend of threat actors adopting less common languages to evade detection.

Regulatory or Policy Developments Affecting the Security Industry

  • The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Russia-based bulletproof hosting provider Aeza Group for supporting ransomware and malware operations, including affiliations with BianLian and Lumma Stealer.
  • The U.S. Department of Justice is investigating a former ransomware negotiator for alleged criminal collaboration with ransomware gangs to profit from extortion payment deals.
  • A U.S. judge approved the sale of 23andMe’s DNA data to TTAM Research Institute, prompting privacy concerns and increased user requests for data deletion.