Eric Ford, Sr. Threat Intelligence Analyst 
North Korea’s Ransomware Collaboration Escalates Threats, SharePoint Vulnerability CVE-2024-38094 Exploitation Details Released, 107 Firms Leaked with Manufacturing Most Affected, and CISA Adds PTZOptics Vulnerabilities
In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations.
Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.
Contents
North Korea’s Collaboration with Ransomware Groups Elevates Threat to Organizations
The Rundown
The Adversary Tactics and Intelligence Threat Intel team assesses that a Play ransomware attack conducted between May and September almost certainly involved Jumpy Pisces, a subgroup within the Reconnaissance General Bureau of the Korean People’s Army (North Korea).
Historically, Jumpy Pisces has deployed the custom-developed ransomware Maui. This likely shift to a known ransomware family highlights North Korea’s escalating cybercrime threat and its collaboration with established ransomware groups. It suggests that the group is either acting as an initial access broker or is an affiliate of the Play ransomware group.
While Adlumin reported that they discovered evidence that Play ransomware has transitioned to a Ransomware-as-a-Service (RaaS), Play ransomware has a banner on its leak site (Figure 1) stating that it does not provide a RaaS. For this reason, Unit 42 tracks the group that develops and distributes Play ransomware as Fiddling Scorpius.
Source Material: Palo Alto Unit 42
Exploitation Details Released for Known Exploited Vulnerability CVE-2024-38094 Affecting SharePoint
The Rundown
Exploitation details have been disclosed for CVE-2024-38094 in SharePoint server. This exploitation allowed the attacker to gain remote code execution, install malware, and move laterally within the network.
The exploitation of CVE-2024-38094 underscores a critical vulnerability affecting all industries. It puts sensitive data, corporate infrastructure, and cyber resilience at risk. This incident highlights organizations’ ongoing challenges in securing systems, making proactive security measures essential for protecting against sophisticated, persistent threats.
As we reported on October 23, CISA added CVE-2024-38094 to its Known Exploited Vulnerabilities catalog on October 22. The vulnerability is due to an input validation error in the SharePoint Server Search component.
Source: Rapid7
Leak Sites: 107 Firms Listed, Manufacturing Tops the List
The Rundown
In just one week, 107 organizations from 17 industries were added to ransomware and data leak sites, a decrease of 55 organizations from the previous week.
This week, critical sectors like Manufacturing, Professional, Scientific, and Technical Services, Health Care and Social Assistance, and Construction were listed the most, emphasizing the urgent need for robust cybersecurity measures to protect sensitive data and operations worldwide.
CISA Adds PTZOptics Vulnerabilities to Exploited List
The Rundown
Between October 31 and November 6, two critical vulnerabilities affecting PTZOptics cameras were added to CISA’s Known Exploited Vulnerabilities catalog. If not addressed swiftly, these vulnerabilities could expose organizations to potential cyberattacks.
These newly cataloged vulnerabilities highlight looming risks for organizations using widespread technologies. Failure to patch these flaws could lead to remote code execution. If state-sponsored and cybercriminal attackers focus on these weaknesses, timely action will be crucial to prevent exploitation.
Recommendations
ATI recommends mitigative action occur according to the mitigation “Due Date” recommended by CISA.
Source Material: CISA
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.
Share