Content 

01. News Bites
  • Apple confirms Zero-Day attacks targeting Intel-based Macs, issues critical security updates
  • Akira Ransomware group unleashes data leak, targeting 35 victims in a single day
  • Helldown Ransomware group exploits Zyxel VPN vulnerabilities to breach Networks and encrypt data
  • Russian Ransomware gangs recruit Penetration Testers to bolster cybercriminal operations
  • T-Mobile confirms hack amid wave of Telecom breaches linked to Chinese Threat Actors
  • Fintech giant Finastra investigates Data Breach after SFTP system hack
02. Conclusion

Quick News Bites

Apple confirms Zero-Day attacks targeting Intel-based Macs, issues critical security updates

Apple has issued urgent security updates for macOS and iOS to address two zero-day vulnerabilities actively exploited on Intel-based Mac systems. The flaws, identified as CVE-2024-44308 and CVE-2024-44309, reside in JavaScriptCore and WebKit, respectively. Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or conduct cross-site scripting attacks through malicious web content.

To mitigate these risks, Apple has released updates for iOS 18.1.1, macOS Sequoia 15.1.1, and iOS 17.7.2 for older devices. Users are strongly advised to install these updates promptly to protect their systems from potential attacks.

This development follows recent reports of North Korean cyber actors targeting macOS users with malware campaigns involving phishing emails and fake PDF applications. These incidents highlight the increasing focus of threat actors on macOS platforms, underscoring the necessity for users to maintain up-to-date security measures.

The recurrence of zero-day exploits targeting macOS systems emphasizes the importance of continuous vigilance and timely software updates to safeguard against emerging threats.

Akira Ransomware group unleashes data leak, targeting 35 victims in a single day

The Akira ransomware group has published data from 35 victims on its darknet leak site in a single day, marking an unprecedented surge in its criminal activities. Emerging in March 2023, Akira operates as a ransomware-as-a-service platform, enabling affiliates to extort victims by stealing and encrypting data. Within its first year, the group amassed $42 million from approximately 250 attacks, according to the FBI.

The recent mass data dump includes 32 new victims, predominantly from the business services sector in the United States, with additional targets in Canada, Germany, and the United Kingdom. Cyber security researcher Adi Bleih noted that this volume of simultaneous disclosures is highly unusual, suggesting a possible escalation in Akira's operations. The group's leak site, styled after 1980s computer interfaces, features sections for recent victims and published data, serving as a tool for extortion.

This development raises concerns about the increasing sophistication and aggressiveness of ransomware groups. Organisations are urged to bolster their cyber security measures to mitigate the risk of such attacks. The unprecedented scale of Akira's recent data leaks underscores the critical need for vigilance and robust security protocols in the face of evolving cyber threats.

Helldown Ransomware group exploits Zyxel VPN vulnerabilities to breach Networks and encrypt data

The Helldown ransomware group is exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks, steal data, and encrypt systems. French cyber security firm Sekoia reports that Helldown has rapidly expanded since its emergence in mid-2024, listing numerous victims on its data extortion portal.

Initially documented by Cyfirma in August 2024, Helldown's Windows variant is based on the leaked LockBit 3 builder, sharing operational similarities with Darkrace and Donex ransomware. A Linux variant targeting VMware files was identified by 360NetLab in October, indicating ongoing development efforts.

The group is believed to exploit critical vulnerabilities in Zyxel firewalls, such as CVE-2023-33009 and CVE-2023-33010, both buffer overflow issues allowing unauthenticated attackers to execute remote code or cause denial-of-service conditions. Zyxel released patches for these vulnerabilities in May 2023, urging users to update their systems promptly.

This development underscores the importance of timely software updates and robust cyber security measures to protect against evolving ransomware threats. Organisations are advised to review their network security protocols and ensure all devices are updated to mitigate potential risks.

Russian Ransomware gangs recruit Penetration Testers to bolster cybercriminal operations

Russian ransomware groups, including Apos, Lynx, and Rabbit Hole, are actively recruiting penetration testers to enhance their cybercriminal operations. These gangs are posting job advertisements on Russian-language forums, seeking individuals with expertise in identifying system vulnerabilities.

Penetration testing involves simulating cyberattacks to uncover security weaknesses, a practice traditionally used by legitimate organisations to strengthen defences. However, these ransomware groups are leveraging such skills to improve the effectiveness of their malicious activities. This trend highlights the increasing professionalisation within the cybercriminal ecosystem, where structured recruitment and specialised roles are becoming more common.

The findings are detailed in Cato Networks' "Q3 2024 Cato CTRL SASE Threat Report," which also notes a rise in threats from unauthorised artificial intelligence applications, termed "Shadow AI." Additionally, the report points out that some organisations are hesitant to implement Transport Layer Security (TLS) due to associated risks, potentially leaving them more susceptible to cyber threats.

This development underscores the evolving tactics of ransomware gangs and the necessity for organisations to adopt comprehensive cyber security measures. By understanding and anticipating these sophisticated strategies, businesses can better protect themselves against the growing threat of ransomware attacks.

T-Mobile confirms hack amid wave of Telecom breaches linked to Chinese Threat Actors

T-Mobile has confirmed its involvement in a series of recent telecom breaches attributed to Chinese threat actors aiming to access private communications, call records, and law enforcement information requests. The company stated that, despite the breach, there is no evidence of significant impacts on its systems or customer data. T-Mobile is actively monitoring the situation and collaborating with industry peers and relevant authorities to address the issue.

This incident is part of a broader campaign targeting multiple U.S. telecommunications companies, including AT&T, Verizon, and Lumen Technologies. The breaches have raised concerns about the security of sensitive information within the telecommunications sector.

T-Mobile's prompt response underscores the importance of vigilance and robust security measures in safeguarding customer data against sophisticated cyber threats. The company continues to work closely with authorities to mitigate any potential risks arising from this breach.

Fintech giant Finastra investigates Data Breach after SFTP system hack

Finastra, a leading financial technology provider, is investigating a data breach following unauthorized access to its Secure File Transfer Platform (SFTP) on November 7, 2024. The breach involved compromised credentials, allowing attackers to access the SFTP system.

Finastra serves over 8,000 institutions across 130 countries, including 45 of the world's top 50 banks. The company has engaged external cybersecurity experts to assist in the investigation and has notified affected customers. A threat actor, identified as "abyss0," has claimed responsibility, alleging possession of 400GB of stolen data. Finastra has not confirmed the validity of this claim. The incident underscores the critical importance of robust security measures in protecting sensitive financial data.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.