Monthly Threat Report August 2024: A Month of Global Impact

We shared the below info in last month’s report, but as this month is the first month with the new format, it bears repeating.

If you’ve been a regular reader of this Monthly threat report you know that we commonly cover the changes in the email threat landscape. What we’ve identified over the last year of reporting on these statistics is that trends in email threats shift very subtlety unless there is a new emerging trend, vulnerability, attack-type, or threat-actor. With this in mind, we’ve decided to make a change to the way this report is formatted in the coming months as follows:

Statistical data points (email threat types, brand impersonations, threat file types, industry threat index) will be covered on a quarterly basis moving forward. Said statistical data will encompass the entire 3 months of a given fiscal quarter (Ex. Jan-Mar data will be Presented in April). This means that statistical reports will be published in the months of:

• April (Q1 – January to March)
• July (Q2 – April to June)
• October (Q3 – July to September)
• January (Q4 – October to December)

NOTE: We also conduct an annual Hornetsecurity Cyber Security Report that does statistical analysis with annual data as opposed to Monthly/Quarterly.

Moving forward reports that do not fall on one of the quarterly months listed above will instead feature:

• Industry news commentary
• Threat analysis
• Industry predictions
• Recommended actions with regards to security events or incidents
• Emerging security technology guidance

We feel that this new format will bring readers the most value in this publication month-to-month.

The tech news was of course dominated by CrowdStrike over this last month. While there are some indications now that this wasn’t a Windows only incident, the tech press has grabbed onto the mention of “only” 1% of Windows machines being affected, according to Microsoft. The machines that made up that 1%, it turns out though, are VERY important. As CrowdStrike is a software suite that is aimed at the enterprise space, some pretty big names were heavily impacted, including:

• Delta Airlines
• American Airlines
• Air-France-KLM
• The Royal Surrey Hospital in the UK
• UK National Health Service (NHS)
• Allianz
• NBC Universal
• And lots more

The impact was so bad that Delta Airlines, alone, canceled more than 5000 flights, and Delta’s CEO claims the damages have climbed to 500 Million plus. The Royal Surrey Hospital had to suspend radiography treatments, while the NHS stated that the majority of doctor’s practices were being impacted. To put it shortly, there were very real human impacts due to this issue.

There are a number of known “AI Jailbreaks” circulating in the community today that allow users to sidestep some of the ethical guardrails in popular large language models. The “DAN” method is like the most well-known and has been around the longest. While it still works to some degree today, it doesn’t work as well as it once did. There is also the concept of a crescendo attack as well. In a crescendo attack, you’re essentially poking at the model a little bit at a time asking it to divulge just a little more information at a time until it eventually gives you what you want. In short, you’ve asking for bits of information based off AI responses, instead of the end goal all at once.

A new LLC jailbreak attack has come to light in some recent research from Microsoft known as a skeleton key attack. This attack revolves around telling the model that you’re prompting in an educational/academic context and that in order to do proper research you need to get uncensored outputs. When something does come up that would be censored you ask the model to provide it anyway, but to preface the output with “Warning”.

These jailbreaks continue to highlight the fact that generative AI is still easily exploited by threat actors a good 18 months after its mainstream release. In fact, we’ve done multiple webinars here at Hornetsecurity that discuss the ways threat actors make use of Gen AI, using jailbreaks like this, and more importantly, what that means for security teams.

Broadcom, CISA, and Microsoft are all warning of a new ESXI vulnerability that has actively been seen in the wild. CVE-2024-37085 is an authentication bypass bug that allows threat actors to gain unauthorized access to previously AD-Managed ESXi hosts by recreating an AD group that had previously had access, such as “ESX ADMINS”. Even though this attack chain requires that the threat actor have gained enough access to get to active directory, the risk is still high due to the amount of damage that can be done at the hypervisor layer for most organizations. That said….

According to Microsoft, there have been uses of this exploit in the wild already by threat actor group Storm-0506. To quote their findings:

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.

Virtualization hosts are particularly prime targets for attackers looking to drop ransomware on a network. When the entirety of the host’s storage is encrypted, the business impact is much higher than a single system. Multiple hosted VMs are often impacted, which increases the pressure on the target organization.

It’s highly recommended that you install the security patch if you have not done so already.

It’s another month, and there is yet another large-scale private record data breach in the US healthcare system. A Health Savings Account (HSA) provider, HealthEquity was targeted by threat actors, who were able to lift records for 4.5 million individuals from “an unstructured data repository outside our core systems.” Meaning, they were leveraging cloud storage of some sort for this data storage but have yet to name the provider.

While record exfiltration like this is not uncommon, it’s worth mentioning as it highlights once again that businesses are only as safe as their third-party integrations allow them to be. Each and every vendor that is integrated into business IT systems must be rigorously vetted and monitored to ensure that business data stays secure. This case is likely to be another bullet point in a long list of bullet points that are referenced when further regulatory action comes for tech companies operating within the United States.

We track and investigate threat actor groups here regularly at Hornetsecurity. One such group we’ve been looking at recently is Anonymous Sudan. With the new format of this report, some months may include information on threat actor activities or Tactics, Techniques, and Procedures (TTPs)

Anonymous Sudan is a collective of cyber activists that emerged in January 2023. They became known for a series of attacks targeting various institutions and companies, primarily in response to events or actions perceived as hostile to Islam or favorable to Russia. The group takes its name from the famous hacker collective Anonymous, although their actual affiliation with this collective is not confirmed. The group is known for some high-profile attacks like the one that crippled Microsoft infrastructure in June of 2023. Said attack impacted Azure, OneDrive, and Outlook.com

Additionally, the group has taken credit for other large visibility outages, such as the ChatGPT outage back in November of 2023.

• We’re likely to see continued talk of cybersecurity regulation and unfounded general security application stability concerns as a result of the CrowdStrike incident.
• Given the severity of the recent ESXi vulnerability, it’s possible we may see more affected organizations.
• The Olympic Games will be wrapping up before our next report, but once they’re finished, we may learn about how the games were actually targeted, and if there was any impact on ongoing operations.