Cyber Intel Brief: November 14 – 20, 2024

By Eric Ford, Sr. Threat Intelligence Analyst

Estimated Reading Time: 5 minutes

ClickFix Campaign Unleashes New Infostealer, DEEPDATA Malware Exploits Fortinet FortiClient Zero-Day, 69 Firms Leaked with Manufacturing Hit Hardest, and CISA Adds Progress and Palo Alto Vulnerabilities

In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations. 

Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.

ClickFix Phishing Campaign Delivers New Infostealer

The Rundown

Gen Digital Inc., formerly known as Symantec and the parent company of popular consumer security brands like Norton, Avast, Avira, and AVG, has released a report on the discovery of a previously unknown information-stealing malware named “Glove Stealer.” The company revealed that attackers are distributing this malware through phishing emails that leverage the “ClickFix” technique.

According to Gen Digital, Glove Stealer is designed to harvest sensitive information from infected systems, including login credentials, financial data, and personal files. The phishing emails employing the ClickFix technique manipulate click events to bypass security filters and deceive users into executing the malicious payload.

The report did not disclose the campaign’s scale or the threat actors’ identities. However, Deepwatch’s threat intel team warns that the methods used indicate a potentially significant threat to both individuals and organizations.

Source Material: Gen Digital


Zero-Day Exploitation in Fortinet FortiClient: DEEPDATA Malware Unveiled

The Rundown

Volexity, a developer of memory forensics software, has released a report on DEEPDATA, a modular post-initial access malware family. The report highlights a plugin named FortiClient for DEEPDATA that exploits a zero-day vulnerability in Fortinet’s FortiClient Windows VPN. This vulnerability enables attackers to extract credentials directly from the client’s process memory if successfully exploited. At the time of publishing the report, 15 November, the vulnerability remains unresolved, and Volexity is unaware of an assigned CVE number.

Volexity reports that threat actors leverage DEEPDATA to gather and exfiltrate sensitive information from compromised systems. Alongside the FortiClient plugin, DEEPDATA includes 11 additional plugins designed to steal credentials, extract data from messaging applications, collect contacts and emails from Outlook, enumerate system details (such as installed software and WiFi networks), and even record audio.

DEEPDATA’s exploitation of FortiClient showcases the advanced capabilities of state-affiliated threat actors in compromising critical software to steal sensitive credentials. This attack highlights the dangers of zero-day vulnerabilities in widely used systems, exposing enterprises that depend on Fortinet’s VPN for secure communication to significant risks.

BrazenBamboo’s malware ecosystem—DEEPDATA, DEEPPOST, and LIGHTSPY—demonstrates sophisticated surveillance and data exfiltration capabilities, underscoring the critical need for more robust cybersecurity defenses. This evolution also highlights the growing involvement of private enterprises in supporting state-sponsored cyber operations, raising significant concerns about their impact on global cybersecurity and individual privacy.

Source Material: Volexity & BlackBerry


Leak Sites: 69 Firms Listed, Manufacturing Tops the List

The Rundown

In just one week, 69 organizations spanning 17 industries were added to ransomware and data leak sites—a decrease of 73 from the previous week.

Note: Data collection on some ransomware and data extortion leak sites may be incomplete for various reasons, so these counts should be read as a lower bound.

This week, critical sectors such as Manufacturing, Health Care and Social Assistance, and Construction were most frequently targeted, underscoring the pressing need for comprehensive cybersecurity measures to safeguard sensitive data and ensure operational resilience globally.


CISA Adds Progress and Palo Alto Vulnerabilities to Exploited List

The Rundown

Between November 14 and 20, five vulnerabilities affecting Progress and Palo Alto products were added to CISA’s Known Exploited Vulnerabilities catalog. If not addressed swiftly, these vulnerabilities could expose organizations to potential cyberattacks.

These newly cataloged vulnerabilities highlight looming risks for organizations using widespread technologies. Failure to patch these flaws could allow full system control, authentication bypass, or exposure of sensitive data. If state-sponsored and cybercriminal attackers focus on these weaknesses, timely action will be crucial to prevent exploitation.

Recommendations

ATI recommends that mitigation of each vulnerability occur no later than the “Due Date” CISA assigns to its Known Exploited Vulnerabilities catalog entry.
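One way to turn that recommendation into a repeatable check, as an added example that is not from the brief or from CISA: parse the KEV feed’s JSON (the real field names of the feed are used; the entries and CVE IDs below are constructed placeholders, not the five vulnerabilities the brief refers to), keep only what CISA added in the week’s window for the vendors of interest, and order the result by due date so overdue items surface first.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs and products are placeholders, not the real entries from the brief.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Progress", "product": "Placeholder",
     "dateAdded": "2024-11-18", "dueDate": "2024-12-09"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Palo Alto Networks", "product": "Placeholder",
     "dateAdded": "2024-11-14", "dueDate": "2024-12-05"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Palo Alto Networks", "product": "Placeholder",
     "dateAdded": "2024-11-14", "dueDate": "2024-11-21"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Placeholder",
     "dateAdded": "2024-11-05", "dueDate": "2024-11-26"},
]})


def load_kev(raw_json):
    """Parse the KEV feed and convert its ISO date strings to date objects."""
    return [{"cve": v["cveID"], "vendor": v["vendorProject"], "product": v["product"],
             "added": date.fromisoformat(v["dateAdded"]),
             "due": date.fromisoformat(v["dueDate"])}
            for v in json.loads(raw_json)["vulnerabilities"]]


def kev_report(raw_json, start_iso, end_iso, vendors, today_iso):
    """Entries added in [start, end] for the given vendors, ordered by CISA due date.

    days_left is negative once the due date has passed (i.e. the item is overdue).
    """
    start, end, today = (date.fromisoformat(d) for d in (start_iso, end_iso, today_iso))
    rows = [{"cve": e["cve"], "vendor": e["vendor"], "due": e["due"].isoformat(),
             "days_left": (e["due"] - today).days}
            for e in load_kev(raw_json)
            if start <= e["added"] <= end and e["vendor"] in vendors]
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    # The brief's window (Nov 14-20, 2024), reviewed on a constructed date of Nov 22.
    report = kev_report(SAMPLE_KEV_JSON, "2024-11-14", "2024-11-20",
                        {"Progress", "Palo Alto Networks"}, "2024-11-22")
    for row in report:
        status = "OVERDUE" if row["days_left"] < 0 else f"{row['days_left']}d left"
        print(f"{row['cve']:<15} {row['vendor']:<20} due {row['due']} ({status})")
```

Swap `SAMPLE_KEV_JSON` for the downloaded feed and `today_iso` for the current date to run it against the live catalog.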

Source Material: CISA


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.

Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.

Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Eric Ford, Sr. Threat Intelligence Analyst

Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.
