BEHIND THE HEADLINES – MAY 2024

From credential stuffing attacks to new malware observed, we take you behind the headlines of this month's news stories


Lead Article

Okta Rings Alarms Over Massive Spike in Credential Stuffing Attacks


Latrodectus Malware Linked to Notorious IcedID Developer


Black Basta Attacks US Hospital System


Feature Article

American debt collector discloses data breach

THREAT ACTOR TRENDS

Ransomware insights

According to Cybersixgill’s data, 252 ransomware results were detected on our Investigative Platform in April, compared with 730 results in March. The ransomware gang LockBit was responsible for the highest number of ransomware attacks this month. The top targeted industries were Manufacturing, Professional Scientific Services and Health Care. The United States, Canada, Italy and Germany were the top targeted countries.

Chart: ransomware attacks by industry (May Behind the Headlines)

The top CVEs this month based on Cybersixgill’s data

  1. CVE-2024-3094

    The current DVE score is 10. Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code.

    CVSS: 10

    DVE: 10

  2. CVE-2024-21762

    The current DVE score is 10. An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

    CVSS: 9.8

    DVE: 10

  3. CVE-2024-3400

    The current DVE score is 10. A command injection vulnerability, resulting from arbitrary file creation, in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code.

    CVSS: 10

    DVE: 10

THREAT ACTOR TRENDS

Malware insights

The most mentioned malware for April 2024

In April, Lumma malware had the highest number of mentions on the underground according to the Cybersixgill Investigative Portal.

Lumma malware, also known as Lumma Stealer, is a data-stealing malware that emerged in 2022. It is primarily distributed through phishing emails, YouTube campaigns, and spear-phishing websites.

Lumma Stealer is designed to steal sensitive information from infected systems, including passwords, cookies, autofill data, desktop files, and even cryptocurrency wallets.

Chart: most mentioned malware (May Behind the Headlines)

Live from the newsroom

  1. State of the Underground 2024: Combating RisePro, Lumma, Vidar, and other top stealer malware
  2. LockBit Ransomware Strikes US Finance Agency through a Third-Party IT Vendor
  3. RSA 2024: Get an Exclusive Look at our NEW Third-Party Intelligence