Weekly Cyber News Roundup

May 25th to May 31st 2024

Contents

01. News Bites
  • Operation endgame: Global sting seizes 100 servers, arrests 4 in major malware bust
  • Check Point VPN zero-day exploited since April: Active Directory data stolen, urgent updates required
  • Okta warns of credential stuffing attacks on cross-origin authentication feature in Customer Identity Cloud
  • Over 90 malicious Android apps found on Google Play, installed 5.5 million times, spreading Anatsa banking trojan

02. Conclusion

Quick News Bites

Operation Endgame: Global Sting Seizes 100 Servers, Arrests 4 in Major Malware Bust

An international law enforcement operation, codenamed 'Operation Endgame', has seized over 100 servers worldwide used by major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.

Conducted between 27 and 29 May 2024, the operation involved 16 location searches across Europe and resulted in four arrests—one in Armenia and three in Ukraine. Eight fugitives have been identified and will be added to Europol’s ‘Most Wanted’ list. The seized infrastructure, spread across Europe and North America, hosted over 2,000 domains, now under authorities' control.

Operation Endgame was supported by police forces from Germany, the US, the UK, France, Denmark, and the Netherlands, with intelligence from Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.

Malware droppers (loaders) establish initial access to a device, typically via malicious emails or trojanised installers. Many of these families began as banking trojans and have since shifted to selling initial access, relying on evasive tactics to stay resident. Once established, they deploy more damaging payloads such as information stealers and ransomware. Europol revealed that one suspect earned over €69 million by renting out infrastructure for ransomware deployment.

Check Point VPN Zero-Day Exploited Since April: Active Directory Data Stolen, Urgent Updates Required

Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day vulnerability since at least 30 April, stealing Active Directory data to move laterally through victims' networks.

Check Point warned customers that attackers are targeting their security gateways using old VPN local accounts with insecure password-only authentication. The vulnerability, tracked as CVE-2024-24919, allows attackers to read information on Internet-connected Gateways with remote access VPN or mobile access enabled. Check Point released hotfixes for vulnerable CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances to block these attacks.

Although Check Point's disclosure dated the zero-day exploitation to around 24 May, cyber security company mnemonic observed exploitation attempts as early as 30 April. The flaw is particularly critical because it can be exploited remotely without user interaction. Attackers have been extracting password hashes, including those of accounts used to connect to Active Directory, enabling lateral movement within networks.

Check Point advises customers to update systems, remove vulnerable local users, rotate LDAP connection passwords, search logs for signs of compromise, and update the Check Point IPS signature.

Okta Warns of Credential Stuffing Attacks on Cross-Origin Authentication Feature in Customer Identity Cloud

Okta is warning that a cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks by threat actors.

Suspicious activity began on 15 April 2024, with the company "proactively" informing customers with the feature enabled. The number of impacted customers was not disclosed.

Credential stuffing involves adversaries using lists of usernames and passwords obtained from previous data breaches or phishing and malware campaigns to sign into online services.

Okta advises users to review tenant logs for unexpected login events—failed cross-origin authentication (fcoa), success cross-origin authentication (scoa), and breached password (pwd_leak). Users should rotate credentials, restrict or disable cross-origin authentication, enable breached password detection or Credential Guard, prohibit weak passwords, and enrol in passwordless, phishing-resistant authentication using new standards such as passkeys.
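The log review Okta recommends can be automated. The following is an added example (not Okta's or Integrity360's code) that groups the three advisory event types (fcoa, scoa, pwd_leak) by source IP over constructed newline-delimited JSON tenant log lines; the field names type, ip, user_name and date follow the Auth0-style log schema and are an assumption here.

```python
import json
from collections import defaultdict

# Constructed sample tenant log (newline-delimited JSON). Field names follow the
# Auth0-style schema (type, ip, user_name, date) and are an assumption here.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"date": "2024-04-15T02:00:01Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "alice@example.com"},
    {"date": "2024-04-15T02:00:02Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "bob@example.com"},
    {"date": "2024-04-15T02:00:03Z", "type": "fcoa", "ip": "203.0.113.7", "user_name": "carol@example.com"},
    {"date": "2024-04-15T02:00:05Z", "type": "scoa", "ip": "203.0.113.7", "user_name": "erin@example.com"},
    {"date": "2024-04-15T02:00:06Z", "type": "pwd_leak", "ip": "203.0.113.7", "user_name": "erin@example.com"},
    {"date": "2024-04-15T09:12:00Z", "type": "fcoa", "ip": "198.51.100.9", "user_name": "frank@example.com"},
    {"date": "2024-04-15T09:12:30Z", "type": "scoa", "ip": "198.51.100.9", "user_name": "frank@example.com"},
])

def analyse(log_text, min_failures=3, min_users=3):
    """Per source IP: flag a spray (many fcoa across many distinct usernames),
    any scoa from a spraying IP (likely account takeover) and pwd_leak hits."""
    per_ip = defaultdict(lambda: {"fcoa": 0, "users": set(), "scoa": set(), "leak": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if kind not in ("fcoa", "scoa", "pwd_leak"):
            continue  # ignore every event type the advisory does not name
        s = per_ip[ev.get("ip", "?")]
        user = ev.get("user_name", "")
        if kind == "fcoa":
            s["fcoa"] += 1
            s["users"].add(user)
        elif kind == "scoa":
            s["scoa"].add(user)
        else:
            s["leak"].add(user)
    findings = {}
    for ip, s in per_ip.items():
        spray = s["fcoa"] >= min_failures and len(s["users"]) >= min_users
        if spray or s["leak"]:
            findings[ip] = {"spray": spray,
                            "compromised": sorted(s["scoa"]) if spray else [],
                            "leaked_password": sorted(s["leak"])}
    return findings

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

A single user's failed-then-successful login from one IP (frank@example.com above) is not reported, while the IP spraying several usernames and then landing a success is, so the accounts it lists are the ones to rotate first.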

This warning follows a recent alert about increased credential stuffing attacks facilitated by residential proxy services.

Over 90 Malicious Android Apps Found on Google Play, Installed 5.5 Million Times, Spreading Anatsa Banking Trojan

Over 90 malicious Android apps have been discovered on Google Play, amassing over 5.5 million installations, delivering malware and adware. Notably, the Anatsa banking trojan, also known as "Teabot," has seen a recent surge in activity. Anatsa targets over 650 financial institution applications across Europe, the US, the UK, and Asia, attempting to steal e-banking credentials for fraudulent transactions.

Threat Fabric reported in February 2024 that Anatsa had infected at least 150,000 devices via Google Play since late last year, using decoy productivity apps. Zscaler's analysis revealed that two such apps had already reached 70,000 installations, highlighting the vulnerability of Google's review process.

Anatsa dropper apps evade detection through a multi-stage payload loading mechanism involving four steps: retrieving configuration and strings from the C2 server, downloading and activating a malicious DEX file, fetching a configuration file with the payload URL, and installing the malware APK.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch with us to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.

Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.