Malware Activity
Escalating Cyber Threats: Protecting Critical Infrastructure
Threat actors are increasingly targeting critical national infrastructure (CNI). These sophisticated attacks, often state-sponsored, aim to disrupt essential services such as power grids, water treatment, and transportation. The motivations range from espionage and sabotage to financial gain, posing a significant risk to national security and public safety. Protecting CNI requires a multi-layered approach involving robust cybersecurity measures, intelligence sharing, and international cooperation to deter and defend against these evolving threats.

Separately, the Stealc information stealer has recently been upgraded with advanced stealth features and more sophisticated data theft capabilities, making it harder to detect and analyze. Cybercriminals are leveraging these enhancements to harvest sensitive information across various platforms, including browser data, credentials, and cookies, widening the exposure of users and organizations. Taken together, these two trends mean attackers can infiltrate sensitive networks more easily, remain undetected for longer, and exfiltrate valuable information or even manipulate critical systems. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- GBHackers: Threat Actors Target Critical National Infrastructure article
- BleepingComputer: StealC Malware Enhanced With Stealth Upgrades article
Threat Actor Activity
Man Who Leaked Over One Terabyte of Data from Disney Pleads Guilty
Ryan Mitchell Kramer, a 25-year-old man from California, has pleaded guilty to hacking into The Walt Disney Company's systems and leaking over 1.1 terabytes of data from its internal Slack channels. Posing as a hacktivist group named "NullBulge," Kramer used malicious software disguised as an AI image generation tool to gain unauthorized access to Disney's network. The tool, promoted on platforms like GitHub, enabled Kramer to steal data and credentials from users who installed it. One victim, Disney employee Matthew Van Andel, downloaded the malware, which allowed Kramer to access his device and obtain stored credentials, including those in Van Andel's password manager. Using these credentials, Kramer infiltrated Disney's Slack channels and extracted confidential data, including messages, information on unreleased projects, login credentials, and source code. Kramer attempted to extort Van Andel, threatening to release both his personal information and the stolen Disney data if he did not cooperate. When Van Andel did not respond, Kramer followed through on his threats, publicly posting the data on the BreachForums hacking platform in July 2024. The Department of Justice charged Kramer with accessing a computer and obtaining information, and threatening to damage a protected computer, with each charge carrying a potential five-year prison sentence. Kramer has admitted to hacking into at least two (2) other victims' systems, with the FBI continuing investigations into these cases. Following the breach, Disney reportedly stopped using Slack for internal communications, and the employee who facilitated Kramer's access was terminated for misconduct, later filing a wrongful termination complaint against Disney.
Vulnerabilities
PoC Exploit for SonicWall Vulnerability Attack Chain Added to CISA's KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two (2) actively exploited SonicWall vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, to its Known Exploited Vulnerabilities (KEV) catalog after proof-of-concept (PoC) exploit code targeting them was published. These flaws, affecting SonicWall SMA 200, 210, 400, 410, and 500v devices, enable remote attackers to inject OS commands and to map URLs to file system locations. Although patches have been available since December 2023 and December 2024, many devices remain unpatched and at risk. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch these flaws no later than May 22, 2025. Exploitation likely involves chaining the two (2) vulnerabilities: CVE-2024-38475 (originally assigned to an Apache HTTP Server vulnerability) allows authentication bypass and admin control, after which CVE-2023-44221 enables command execution as the "nobody" user. Security firm watchTowr Labs has published technical details and released a Detection Artefact Generator, citing the widespread availability of exploitation details. CTIX analysts urge organizations to patch vulnerable SMA 100 series appliances immediately to mitigate the threat and prevent exploitation.
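As an added example (not code from the briefing, CISA or SonicWall), the following Python triage joins a constructed asset inventory to a record shaped like the CISA KEV JSON feed, using the two CVE IDs and the May 22, 2025 due date above. It also shows why a plain vendor/product join misses CVE-2024-38475 on the SMA appliances: KEV files it under Apache HTTP Server, so the SMA-to-CVE mapping is an explicit assumption drawn from the chain described in the paragraph.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed ("vulnerabilities"
# list with cveID / vendorProject / product / dueDate). Only the two CVE IDs and
# the May 22, 2025 due date come from the briefing; the rest is illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall",
     "product": "SMA100 Appliances", "dueDate": "2025-05-22"},
    {"cveID": "CVE-2024-38475", "vendorProject": "Apache",
     "product": "HTTP Server", "dueDate": "2025-05-22"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "Unrelated", "dueDate": "2025-01-01"},
]})

# Constructed asset inventory: hostname -> (vendor, product, patched?).
INVENTORY = {
    "sma-edge-01": ("SonicWall", "SMA 200", False),
    "sma-edge-02": ("SonicWall", "SMA 500v", True),
    "web-dmz-01": ("Apache", "HTTP Server", False),
}

# A plain vendor/product join would miss CVE-2024-38475 on the SMA appliances,
# because KEV files it under Apache HTTP Server. This explicit mapping (an
# assumption based on the briefing's description of the chain) closes that gap.
EMBEDDED_COMPONENTS = {
    ("SonicWall", m): {"CVE-2023-44221", "CVE-2024-38475"}
    for m in ("SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v")
}

def triage(kev_json, inventory, today_iso):
    """Return {host: {"cves": [...], "days_left": n}} for unpatched exposed hosts."""
    entries = json.loads(kev_json)["vulnerabilities"]
    today = date.fromisoformat(today_iso)
    findings = {}
    for host, (vendor, product, patched) in inventory.items():
        if patched:
            continue
        cves = {e["cveID"] for e in entries
                if (e["vendorProject"], e["product"]) == (vendor, product)}
        cves |= EMBEDDED_COMPONENTS.get((vendor, product), set())
        if not cves:
            continue
        due = min(date.fromisoformat(e["dueDate"]) for e in entries if e["cveID"] in cves)
        findings[host] = {"cves": sorted(cves), "days_left": (due - today).days}
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(KEV_SAMPLE, INVENTORY, "2025-05-01"), indent=2))
```

A negative `days_left` means the host is past CISA's remediation deadline.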
Stay informed and secure. Subscribe to Ankura's Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.