TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #54
Events for the week of August 12th, 2024
The essential five strategic threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you want to discuss any of these events!
1. Background-check giant confirms security incident leaked millions of SSNs
Overview: One of the largest companies that conducts background checks confirmed that it is the source of a data breach causing national outrage due to the millions of Social Security numbers leaked. In a statement on Friday, National Public Data said it detected suspicious activity in its network in late December, and subsequently a hacker leaked certain tranches of data in April and throughout the summer.
Area of Impact: All U.S. citizens and companies using SSNs as authentication methods.
TRIAGE: Data leaks have gone from massive news to being so common they tend to get ignored unless they are massive. This one is hard to ignore due to the SSNs contained in the leak and the number of people affected. The hype train of comments is still worth acknowledging here for a simple reason - your SSN is probably no longer a secret, and SSNs should not be used for any form of authentication at your organization due to the many separate leaks over the years.
2. US warns of Iranian hackers escalating influence operations
Overview: In a joint statement from the Office of the Director of National Intelligence (ODNI), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. says that Iran carried out cyberattacks in an attempt to gain access to sensitive information related to U.S. elections. The advisory underlines Iran’s intention to sow doubts about the integrity of democratic institutions in the U.S. and conduct aggressive cyber activity on multiple levels to collect intelligence.
Area of Impact: U.S. election fraud in the lead-up to the November 2024 presidential election.
TRIAGE: Election interference is now a trade in itself for many cybercrime and APT groups, focused on disruption and misinformation to score profits and confuse the general public worldwide. In the United States, this is the third presidential election in a row that has had major threat groups targeting one or both sides to sow confusion and cause chaos.
3. The BlackSuit ransomware gang has demanded over $500 million since 2022
Overview: That staggering statistic has been made public in an update to a joint advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, warning organizations about the threat posed by the BlackSuit gang.
Area of Impact: Current ransomware activity and an awareness of the high-priced demands for payment.
TRIAGE: Ransomware and extortion of money for encrypted data or to prevent data leaks is still a primary threat from cybercrime actors. The amount of money attached to these events can be shocking when seen directly, and this group is a particular point of interest because of its large ransom demands.
4. ‘Styx Stealer’ malware developer accidentally exposes personal info to researchers in ‘critical opsec error’
Overview: “The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.
Area of Impact: Awareness on malware development and OPSEC fails.
TRIAGE: Operational Security (OPSEC) is the focus here as it pertains to catching bad people doing evil things. In this case, an individual creating malware made several mistakes that led to full exposure. It serves as a great reminder of how technology can track and reveal data that can be used to find criminals, and of how many chances you may have as a defender to track down specifics on threats.
5. Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities
Overview: SSTI vulnerabilities have recently become increasingly prevalent and concerning, with a notable increase in critical CVEs affecting various web applications. These vulnerabilities are particularly dangerous because they can be exploited remotely and allow attackers to gain control over the servers hosting these applications.
Area of Impact: Training opportunity/knowledge gathering on SSTI vulns.
TRIAGE: This is a great opportunity to take a minute and learn a bit more about this kind of vulnerability, as they are trending upward in both frequency of discovery and severity of impact, especially when attackers can abuse them remotely and take over servers.
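The vulnerable-versus-hardened pattern behind SSTI, as an added example in Go (not code from the original newsletter or from any of the CVEs it refers to): the engine is Go's standard text/template, PageData and its Secret field are constructed stand-ins for a request context that carries more than the template needs, and the same idea applies to engines such as Jinja2 or Twig. The root cause is building the template source from user input; the fix is a fixed template that receives the user value only as data.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)
// PageData is the context handed to the template engine; real applications
// often pass more than the template needs, such as configuration objects.
type PageData struct {
	Name   string
	Secret string // constructed stand-in for a credential kept in the context
}
// RenderVulnerable splices the user value into the template source, so any
// template syntax the user supplies is parsed and executed with full access
// to the PageData context.
func RenderVulnerable(userInput string, data PageData) (string, error) {
	tmpl, err := template.New("greeting").Parse("Hello, " + userInput + "!")
	if err != nil {
		return "", err // a parse error caused by user input is itself a tell
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// safeTemplate is fixed at build time; user input never reaches Parse.
var safeTemplate = template.Must(template.New("greeting").Parse("Hello, {{.Name}}!"))
// RenderSafe passes the user value only as data, so template syntax inside
// it is emitted as literal text rather than evaluated.
func RenderSafe(userInput string, data PageData) (string, error) {
	data.Name = userInput
	var out bytes.Buffer
	if err := safeTemplate.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	ctx := PageData{Secret: "constructed-secret-value"}
	probe := "{{.Secret}}" // harmless expression used to confirm the fix
	v, _ := RenderVulnerable(probe, ctx)
	s, _ := RenderSafe(probe, ctx)
	fmt.Println("vulnerable:", v) // v == "Hello, constructed-secret-value!"
	fmt.Println("safe:      ", s) // s == "Hello, {{.Secret}}!"
}
```

In a web service the same check belongs in a regression test: any handler that reaches template parsing with request data is the bug, regardless of which engine is in use.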