Threat Intelligence Report Summer 2024

It hasn’t exactly been a quiet summer in terms of cybersecurity. While a certain high-profile incident dominated IT news in July, there’s also been a range of other issues and new threats you might not have heard about.
At Synextra, we’ve been on the lookout, as always, for the important happenings in IT security. So here are the main stories we think you need to know about this month, along with ways to keep your organisation safe from these new threats. 

A newly discovered security flaw dubbed “regreSSHion” has been found in OpenSSH, the widely used tool for secure remote management. This vulnerability allows attackers to bypass authentication or execute unauthorised commands on affected systems. Given OpenSSH’s extensive use across platforms like Citrix NetScaler, MacOS, and Linux, this flaw poses a significant risk. 

The vulnerability impacts any system using OpenSSH, which means it’s critical for organisations to check and update their configurations. 

Actions:

Upgrade to OpenSSH version 9.8/9.8p1 or higher to secure your systems against this threat. 

Microsoft has released a crucial patch addressing a zero-click Remote Code Execution (RCE) vulnerability in the Windows TCP/IP stack. This flaw could allow attackers to take control of your system without any user interaction, particularly affecting systems with IPv6 enabled – a default setting on most Windows devices. 

Given that IPv6 is enabled by default on most systems, this particular vulnerability could impact nearly every Windows user, whether desktop or server. With a CVE score of 9.8, it’s been described as “shocking” with all customers being urged to update immediately. It’s definitely something to address; luckily that’s quite simple to do. 

Actions:

Make sure your systems are up to date by applying the latest Windows updates immediately. Automatic updates should handle this, but you might want to double-check that all your machines are secure. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical vulnerability in VMware ESXi. This flaw allows attackers to bypass authentication and gain full administrative privileges, which has been exploited in recent ransomware attacks.  

The flaw, tracked as CVE-2023-20867, enables attackers to execute arbitrary code on vulnerable systems, posing a serious risk to organisations using VMware ESXi. Some attackers have used it to deploy Black Basta ransomware, which you might remember from a previous Threat Intelligence Report – it’s still out there.

While CISA has mandated federal agencies to secure the vulnerability within three weeks, there’s also a broader recommendation for any organisation to shore up their defences too. With a CVE score of 7.2, it’s definitely not one to ignore.  

Actions:

If you’re using ESXi version 8.0 U3 or later, apply the available patch immediately. For earlier versions, a workaround is available to mitigate the risk. 

SentinelOne reports that the notorious FIN7 cybercrime gang has significantly advanced its operations. FIN7, active since 2015, has shifted its focus towards ransomware, using different aliases and forming alliances with groups including Black Basta. Fin7 has targeted various sectors and caused significant financial losses in industries such as hospitality, energy, finance, high-tech and retail. 

The group developed AvNeutralizer (aka AuKill), an “AV Killer” tool designed to disable security systems while appearing legitimate. It’s been shared widely through the criminal darknet and used by multiple ransomware groups, with a price rumoured to be only $4000. 

SentinelLabs recently discovered a new version of AvNeutralizer that uses a newer technique using the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver). 

Actions:

Firstly, encourage users to utilise browsers with Microsoft Defender SmartScreen to block malicious sites. Activate network protection, cloud antivirus, and EDR (Endpoint Detection and Response) in block mode. You’ll definitely want to educate users on checking URLs and verifying software publishers, too. As well as this, make sure to enable automated investigation and tamper protection features to minimise disruptions. 

Remember Crowdstrike? They won’t be forgotten in a hurry, after July’s $10 billion incident that downed millions of systems around the world.  

After a deeper post-mortem of the event, the company has now released a root cause analysis of what happened. It’s a 12-page PDF that’s worth a quick read.  

The problem centred around their Falcon sensor, resulting in Windows systems experiencing a blue screen of death. The issue stemmed from input validation problems and an out-of-bounds read error within the Falcon sensor software. CrowdStrike has since resolved the issue and plans further improvements for its software, as well as engaging third-party reviews to prevent future incidents. 

Actions:

No action needed, as CrowdStrike has already resolved the issue. 

Another day, another clever scheme to trick end-users into giving up precious data. Scammers are now creating fake IT support websites that trick users into downloading malicious PowerShell scripts disguised as Windows fixes. These scripts, once executed, compromise the system and steal sensitive information. 

This scam was notably connected to a recent Microsoft update that caused an installation error, which scammers exploited by offering fake fixes. They published ‘solutions’ alongside the error codes to get sites shown at the top of the results when users searched for them. They even used hijacked YouTube tech channels to promote the fake sites.  

Actions:

Always verify that any published fix is from an official source, like Microsoft. If you encounter a website offering a fix that asks you to download or run applications – especially if the site seems dodgy at all – do not proceed! Leave the site and wait for official updates from reputable companies. And if something doesn’t seem right with your favourite tech influencer’s latest promotions – be very careful clicking any links. 

Here’s a roundup of some of the current outbreaks and trends we think you should be aware of.  

LockBit ransomware is currently causing problems in UK organisations by encrypting data and threatening to leak it unless a ransom is paid. To protect against this, keep your systems updated, make sure critical data is backed up offline, and implement multi-factor authentication.  

Black Basta ransomware continues to spread through phishing emails, aiming to steal credentials and compromise systems. Organisations should strengthen their email security measures, provide training for employees to recognise phishing attempts, and deploy advanced endpoint protection tools to mitigate the risk. 

Phishing scams are growing in sophistication and targeting more UK organisations. You need to use decent spam filters, deploy anti-phishing tools, and make sure your company has a solid incident response plan to handle any breaches effectively. 

Supply chain attacks are increasingly targeting smaller suppliers as a gateway to infiltrate larger organisations. To counter this, remember to rigorously assess your vendor security, actively monitor for potential risks, and enforce strict cybersecurity standards across all partnerships.