Content 

01. News Bites
  • Amazon employee data breached in leak as MOVEit Cyberattack continues to claim victims
  • Microsoft's November Patch Tuesday fixed 89 vulnerabilities, including two actively exploited Zero-Days
  • NCSC and global partners reveal top exploited vulnerabilities, urge swift patching and Secure-by-Design practices
  • Hive0145 escalates attacks with Strela stealer malware, targeting email credentials in Spain, Germany, and Ukraine
  • CISA urges immediate action on critical Microsoft Windows Vulnerabilities CVE-2024-49039 and CVE-2024-43451
02. Conclusion

Quick News Bites

Amazon employee data breached in leak as MOVEit Cyberattack continues to claim victims

Eighteen months after attackers exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer tool, new victims continue to emerge.

This week Amazon confirmed a breach of employee data traced back to that campaign; the leaked Amazon dataset contains some 2.8 million records. The vulnerability, patched by Progress in May 2023, was used by the Cl0p ransomware gang to compromise organisations globally.

Initial UK victims included the BBC, Boots, and British Airways, compromised through payroll specialist Zellis.

Recently, cyber security firm Hudson Rock revealed a data leak affecting at least 25 companies, published by an actor known as "Nam3L3ss" on a cybercrime forum and traced back to the 2023 MOVEit compromises.

Researchers noted that Amazon's 2.8 million records make it the largest dataset in the leak. The data includes employee contact details and organisational roles, enough to craft convincingly targeted phishing against staff. Hudson Rock's Alon Gal confirmed the data's authenticity by cross-referencing it against LinkedIn profiles and known malware infections.

An Amazon spokesperson acknowledged the breach, stating that Amazon's own systems were not compromised and that only work contact information was exposed. Nam3L3ss claims no affiliation with ransomware groups and describes themselves as an ethical hacker; security experts remain sceptical of both claims.

The episode illustrates how data stolen in the MOVEit campaign keeps resurfacing on the dark web eighteen months after the original attack. Even if Nam3L3ss played no part in the original intrusions, reposting the data shows how stolen information continues to be monetised and can cause fresh harm long after the breach itself.

Microsoft's November Patch Tuesday fixed 89 vulnerabilities, including two actively exploited Zero-Days

Microsoft’s November 2024 Patch Tuesday addressed 89 security vulnerabilities, four of them rated Critical, and included fixes for four zero-days: two actively exploited and two publicly disclosed before a patch was available. By class, the largest groups were 52 remote code execution vulnerabilities and 26 elevation of privilege flaws.

Of the exploited pair, CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability: it lets an attacker obtain a user's NTLMv2 hash after minimal interaction with a malicious file (selecting or right-clicking the file is enough; it need not be opened or executed), and the captured hash can then be relayed or cracked offline to authenticate as that user. The other, CVE-2024-49039, is an elevation of privilege flaw in Windows Task Scheduler that lets code running in a low-privilege AppContainer escape that sandbox and call RPC functions normally restricted to privileged accounts.

This Patch Tuesday also fixes the two publicly disclosed zero-days: a spoofing flaw in Microsoft Exchange Server (CVE-2024-49040) and a privilege escalation issue in Active Directory Certificate Services (CVE-2024-49019). The count of 89 excludes Microsoft Edge vulnerabilities fixed earlier in the month. The fixes ship in the cumulative updates KB5046617 (Windows 11 24H2), KB5046633 (Windows 11 23H2 and 22H2) and KB5046613 (Windows 10 22H2).

These patches underscore the continued need for robust cyber security practices, as vulnerabilities, especially zero-days, present immediate risks if left unaddressed. Microsoft advises users to apply these patches promptly to safeguard against potential exploitation.

NCSC and global partners reveal top exploited vulnerabilities, urge swift patching and Secure-by-Design practices

The National Cyber Security Centre (NCSC), in collaboration with partners from the US, Canada, Australia, and New Zealand, has released an advisory listing the top 15 routinely exploited vulnerabilities of 2023. Most of these vulnerabilities were first targeted as zero-days, marking an increase in zero-day exploitation compared to 2022.

This advisory highlights the urgent need for network defenders to strengthen vulnerability management by swiftly applying security updates and thoroughly identifying assets. The NCSC also urges technology vendors to adopt secure-by-design principles to mitigate risks at the source.

NCSC CTO Ollie Whitehouse stressed the importance of proactive measures: “Routine exploitation of zero-day vulnerabilities is now the new normal, underscoring the need for organisations to apply patches promptly and prioritise secure-by-design products.”

Patches are available for all vulnerabilities listed, but for zero-days, swift action is crucial to minimise exposure. The advisory further includes details on 32 additional vulnerabilities exploited last year.

Hive0145 escalates attacks with Strela stealer malware, targeting email credentials in Spain, Germany, and Ukraine

Cybercriminal group Hive0145 has intensified attacks across Europe using Strela Stealer malware to steal sensitive email credentials, with Spain, Germany, and Ukraine particularly affected, according to IBM X-Force researchers. Hive0145’s tactics have evolved from generic phishing to deploying stolen, legitimate emails with real invoice attachments, enhancing credibility and bypassing detection – a method known as “attachment hijacking.”

Operating as a financially motivated initial access broker since 2022, Hive0145 has escalated its activity and complexity since mid-2023, targeting industries such as finance, tech, and e-commerce. In recent campaigns, the group employs uncommon file extensions (.com, .pif) and obfuscated scripts to avoid security tools, with evidence suggesting parts of the process may now be automated for increased scale.

Strela Stealer’s focus remains on email credentials, primarily impacting devices with Spanish, German, or Ukrainian keyboard settings. IBM X-Force advises European organisations to bolster awareness and defences against this escalating threat, particularly in industries commonly mimicked in phishing attacks.
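As an added example (not from the IBM X-Force report or the original bulletin), the following Python shows the attachment-type check a mail gateway or SIEM rule could apply against the tradecraft described above. It scans constructed message-log lines and flags attachments whose final extension is .com or .pif (the extensions named in the report), other Windows-executable or script extensions (the editor's assumption, not from the report), or a document name used as a decoy ahead of an executable extension (Invoice.pdf.pif). The key=value log format and the sample lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Extensions named in the reporting on Hive0145 (.com, .pif) plus other
# Windows-executable and script extensions that a gateway should treat the same
# way. Everything beyond .com/.pif is the editor's assumption, not from the report.
EXECUTABLE_EXTS = {"com", "pif", "exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd"}

# Document extensions attackers place before the real one as a decoy (Invoice.pdf.pif).
DECOY_DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}

# Constructed log format (assumption): key=value pairs, attachment names quoted.
ATTACHMENT_RE = re.compile(r'attachment="(?P<name>[^"]*)"')
MSGID_RE = re.compile(r"\bmsgid=(?P<id>\S+)")


def classify_attachment(filename: str) -> Optional[str]:
    """Return a verdict string for a risky attachment name, or None if it looks benign.

    Normalises case and trailing whitespace so 'README.COM ' is treated like 'readme.com'.
    """
    parts = [p for p in filename.strip().lower().split(".") if p]
    if len(parts) < 2:
        return None  # no extension at all
    exts = parts[1:]
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return None
    if any(e in DECOY_DOC_EXTS for e in exts[:-1]):
        return f"double-extension ({'.'.join(exts)})"
    return f"executable-attachment (.{final})"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_attachment over every attachment named in every log line."""
    hits = []
    for line in lines:
        msgid_match = MSGID_RE.search(line)
        msgid = msgid_match.group("id") if msgid_match else "?"
        for m in ATTACHMENT_RE.finditer(line):
            verdict = classify_attachment(m.group("name"))
            if verdict:
                hits.append({"msgid": msgid, "attachment": m.group("name"), "verdict": verdict})
    return hits


# Constructed sample lines mimicking a mail gateway log (not real traffic).
SAMPLE_LOG = [
    '2024-11-12T09:14:03Z msgid=a1 from=billing@example.invalid subject="Rechnung 4471" attachment="Rechnung_4471.pdf"',
    '2024-11-12T09:15:40Z msgid=a2 from=contabilidad@example.invalid subject="Factura" attachment="Factura_2024_1187.com"',
    '2024-11-12T09:17:12Z msgid=a3 from=accounts@example.invalid subject="RE: Invoice" attachment="Invoice_Oct.pdf.pif"',
    '2024-11-12T09:18:55Z msgid=a4 from=buh@example.invalid subject="Rahunok" attachment="Rahunok_38.zip" attachment="README.COM "',
    '2024-11-12T09:20:01Z msgid=a5 from=hr@example.invalid subject="Newsletter" attachment="November.docx"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['msgid']}: {hit['attachment']!r} -> {hit['verdict']}")
```

Two caveats follow from the campaign itself. Because the lures are hijacked legitimate threads with genuine invoices, sender reputation and conversation context are weak signals, so the file type at the gateway, and blocking execution of .com/.pif files from mail and temp directories on endpoints, is the more reliable control. The example also only looks at attachment names; a real deployment must inspect archive contents, since a benign-looking .zip can carry the same payloads.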

CISA urges immediate action on critical Microsoft Windows Vulnerabilities CVE-2024-49039 and CVE-2024-43451

The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited Microsoft Windows vulnerabilities, CVE-2024-49039 and CVE-2024-43451, to its Known Exploited Vulnerabilities catalogue, urging organisations to apply the fixes promptly.

The first, CVE-2024-49039, affects Windows Task Scheduler and allows a local attacker with code running in a low-privilege AppContainer to escape that sandbox and run code at a higher integrity level, including calling Remote Procedure Call (RPC) functions normally restricted to privileged accounts. CISA lists its use in ransomware campaigns as unknown, but the flaw is under active exploitation and warrants immediate attention.

The second, CVE-2024-43451, is an NTLMv2 hash disclosure flaw in Windows: an attacker can obtain a user's NTLMv2 hash by persuading them to interact with a malicious file, where selecting or right-clicking the file is sufficient and it need not be opened. The captured hash can then be relayed, or cracked offline, to authenticate as that user, a substantial threat to organisations still reliant on NTLM authentication.

CISA's standing guidance applies: follow Microsoft's mitigation instructions, or discontinue use of affected systems if mitigations are unavailable. Both flaws are already being exploited, so organisations should patch promptly and monitor for signs of compromise.
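The practical check for both the Patch Tuesday item above and this CISA alert is whether the November 2024 cumulative update has actually landed on each host. The Python below is an added example, not Microsoft's or CISA's tooling: it compares a Windows version string against the minimum build for each supported branch and, when run on Windows, reads the live values from the registry. The KB numbers are those named in the bulletin; the build.UBR thresholds are the editor's reading of Microsoft's release notes for those KBs and are an assumption to verify against the release notes before use.

```python
import sys
from typing import Dict, Optional, Tuple

# Minimum (build, UBR) per Windows branch once the November 2024 cumulative update
# is installed. KB numbers are from the bulletin; the build.UBR values are the
# editor's reading of Microsoft's release notes for those KBs (assumption: verify
# against the release notes before relying on them).
NOVEMBER_2024_LCU: Dict[int, Tuple[str, int]] = {
    26100: ("KB5046617", 2314),  # Windows 11 24H2
    22631: ("KB5046633", 4460),  # Windows 11 23H2
    22621: ("KB5046633", 4460),  # Windows 11 22H2
    19045: ("KB5046613", 5131),  # Windows 10 22H2
}


def parse_build(version: str) -> Tuple[int, int]:
    """Turn '10.0.22631.4460' (or just '22631.4460') into (build, ubr)."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a dotted numeric version ending in build.UBR, got {version!r}")
    return int(parts[-2]), int(parts[-1])


def patch_status(version: str) -> str:
    """Return 'patched', 'missing KBnnnnnnn', or 'unknown-branch' for a version string.

    Comparing the UBR rather than searching the installed-updates list is deliberate:
    cumulative updates supersede each other, so a host that later took a newer LCU is
    still patched even though the November KB no longer shows up in Get-HotFix output.
    """
    build, ubr = parse_build(version)
    entry = NOVEMBER_2024_LCU.get(build)
    if entry is None:
        return "unknown-branch"
    kb, min_ubr = entry
    return "patched" if ubr >= min_ubr else f"missing {kb}"


def local_os_version() -> Optional[str]:
    """Read CurrentBuildNumber and UBR from the registry; None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        build, _ = winreg.QueryValueEx(key, "CurrentBuildNumber")
        ubr, _ = winreg.QueryValueEx(key, "UBR")
    return f"10.0.{build}.{ubr}"


if __name__ == "__main__":
    version = local_os_version()
    if version is None:
        # Constructed inventory values for a dry run off-Windows (not real hosts).
        for host, v in [("ws01", "10.0.22631.4317"), ("ws02", "10.0.26100.2314"),
                        ("srv01", "10.0.17763.6414")]:
            print(f"{host}: {v} -> {patch_status(v)}")
    else:
        print(f"{version} -> {patch_status(version)}")
```

Fed from an asset inventory or RMM export, patch_status gives a per-host verdict for the fleet. Branches not in the table (Windows Server builds, older Windows 10 releases) deliberately come back as unknown-branch rather than patched, so they are surfaced for a manual check; extend the table from the same release notes before treating those hosts as covered.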

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.