Full Report
Welcome to the Threat Context monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber Threat Intelligence team. Here’s what you need to know from August. Threat actor of the month: NullBulge (Hacktivist group) “NullBulge” is a threat group that emerged […] The post Threat Context monthly: Executive intelligence briefing for August 2024 appeared first on Outpost24.
Analysis Summary
# Incident Report: August Threat Landscape Summary
## Executive Summary
This summary covers notable threats observed during August, including the rise of the hacktivist group NullBulge targeting AI/gaming via supply chain attacks, the disclosure of critical Windows downgrade vulnerabilities (CVE-2024-38202, CVE-2024-21302) enabling persistent OS component reversion, and the discovery of the "0.0.0.0 day" browser vulnerability. The incidents highlight risks across supply chain integrity, OS security features, and browser architecture.
## Incident Details
- **Discovery Date:** Throughout August (various dates based on research publications)
- **Incident Date:** Continuous threat activity detailed (No single incident date provided)
- **Affected Organization:** Disney (breach claimed by NullBulge); various organizations running affected browsers or Windows versions
- **Sector:** Software Development, Gaming, Artificial Intelligence, General Enterprise
- **Geography:** Global (Implied by vulnerability scope and threat actor reach)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing activity attributed to NullBulge surfaced in August reporting.
- **Vector:** Software Supply Chain compromise (leveraging GitHub/Hugging Face for distribution).
- **Details:** NullBulge utilizes trusted platforms to distribute malware masquerading as legitimate software for AI/gaming applications.
### Lateral Movement
- **Details:** NullBulge employs established remote-access malware, including AsyncRAT and XWorm, which provides the capability to move within a network and maintain persistence after initial access.
### Data Exfiltration/Impact
- **Details:** NullBulge claimed access to internal Slack data at Disney. The Windows downgrade attack (CVE-2024-38202, CVE-2024-21302) lets an attacker reintroduce previously patched vulnerabilities, effectively turning them back into zero-days against fully patched systems.
### Detection & Response
- **How it was discovered:**
  - The Windows downgrade vulnerabilities were discovered by Alon Leviev (SafeBreach) and responsibly disclosed to Microsoft, leading to CVE issuance.
  - The "0.0.0.0 day" vulnerability was discovered by Oligo researchers in Chromium, Firefox and Safari.
  - KnowBe4 detected an attempted infostealer installation after mistakenly hiring a North Korean actor using a stolen identity.
- **Response actions taken:**
  - Microsoft issued advisories/patches for CVE-2024-38202 and CVE-2024-21302.
  - Vendor remediation efforts for the downgrade vulnerabilities were underway.
## Attack Methodology
- **Initial Access:** Supply chain compromise (NullBulge); Exploitation of application logic flaws (0.0.0.0 day); Stolen/impersonated identity (KnowBe4 hiring incident).
- **Persistence:** Windows Downgrade attack allows for "invisible, persistent, and irreversible downgrades on critical OS components."
- **Privilege Escalation:** Achieved via the Windows downgrade attack mechanism.
- **Defense Evasion:** Windows Downgrade attack creates "fully undetectable" downgrades; FIN7 is selling **AvNeutralizer** to impair EDR systems.
- **Credential Access:** Not explicitly detailed for all reports, but NullBulge employs malware consistent with data theft motives.
- **Discovery:** No specific reconnaissance methods detailed other than general threat actor profiling.
- **Lateral Movement:** Implied through RAT/worm usage by NullBulge/Void Banshee.
- **Collection:** Atlantida stealer deployed by Void Banshee; general data theft operations by NullBulge.
- **Exfiltration:** Implied endpoint data theft related to ransomware/stealer operations.
- **Impact:** OS instability/reversion (Downgrade Attack); Information theft (Atlantida stealer); Potential data extortion/disruption (LockBit ransomware utilized by NullBulge).
## Impact Assessment
- **Financial:** Implied potential financial gain for NullBulge (extortion motive) and FIN7 (malware sales).
- **Data Breach:** NullBulge claimed access to Disney internal Slack data.
- **Operational:** Risk of rendering patched Windows systems vulnerable to historical exploits; Potential operational disruption from ransomware use (LockBit).
- **Reputational:** Negative impact on targeted organizations (e.g., Disney) and on vendors associated with flawed security mechanisms (e.g., Windows VBS, which had been in place for roughly nine years).
## Indicators of Compromise
*Note: Specific IOCs were not detailed in this aggregate report, only CVEs and malware families.*
- **Network indicators:** N/A (Specific network patterns not listed)
- **File indicators:** Malware families only, no hashes published: AsyncRAT, XWorm and LockBit ransomware (associated with NullBulge); Atlantida stealer (Void Banshee).
- **Behavioral indicators:** Windows components being reverted to older, vulnerable versions on otherwise patched systems; external websites reaching localhost-bound services through the browser.
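The second behavioral indicator above is easiest to catch on the local service itself: a browser-initiated request carries an `Origin` (or `Referer`) header naming the page that issued it, and a service that only expects loopback callers can refuse and log requests whose origin is a public site or whose `Host` header is not a loopback name. The following is an added example written for this summary, not code from Outpost24, Oligo or any browser vendor; the request records are constructed sample data, and the choice to treat `0.0.0.0` as an unexpected `Host` value is this example's assumption, drawn only from the vulnerability's name.

```python
"""Service-side check for the "external website talks to a localhost API"
pattern. Added example with constructed sample data; not from the report."""
from urllib.parse import urlsplit

# Hosts a loopback-only service is willing to be addressed as, or called from.
# "0.0.0.0" is deliberately absent: a browser page should never name it.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_of(value):
    """Return the lowercase host part of a URL or a bare host[:port] string.

    urlsplit handles bracketed IPv6 literals and strips ports for us.
    """
    if not value:
        return ""
    target = value if "://" in value else "//" + value
    return urlsplit(target).hostname or ""


def classify(request):
    """Classify one request arriving at a loopback-bound service.

    request: dict with 'host' (Host header) and optional 'origin' / 'referer'.
    Returns (verdict, reason) where verdict is 'allow' or 'flag'.
    """
    host = host_of(request.get("host"))
    if host not in LOOPBACK_HOSTS:
        return "flag", f"unexpected Host header {request.get('host')!r}"
    origin = request.get("origin") or request.get("referer")
    if not origin:
        # No Origin/Referer: typical of curl or a local script, not a browser page.
        return "allow", "no browser origin"
    origin_host = host_of(origin)
    if origin_host in LOOPBACK_HOSTS:
        return "allow", f"loopback origin {origin_host}"
    return "flag", f"external origin {origin_host} reached a localhost API"


# Constructed sample requests, not real traffic. The hostnames are placeholders.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/api/status", "host": "127.0.0.1:8080"},
    {"method": "POST", "path": "/api/run", "host": "localhost:8080",
     "origin": "http://localhost:3000"},
    {"method": "POST", "path": "/api/run", "host": "0.0.0.0:8080",
     "origin": "https://external-site.example"},
    {"method": "GET", "path": "/api/files", "host": "127.0.0.1:8080",
     "referer": "https://external-site.example/page"},
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """Return (method, path, reason) for each request the service should reject and log."""
    out = []
    for r in requests:
        verdict, reason = classify(r)
        if verdict == "flag":
            out.append((r["method"], r["path"], reason))
    return out


if __name__ == "__main__":
    for method, path, reason in flagged_requests():
        print("FLAG", method, path, "-", reason)
```

The check is deliberately conservative: requests with no browser origin at all are allowed, because local tooling rarely sends one, while anything a browser page on a non-loopback site initiates is refused. Logging the flagged entries gives the behavioral indicator above a concrete detection source.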
## Response Actions
- **Containment measures:** Attempted infostealer installation stopped at KnowBe4.
- **Eradication steps:** Microsoft issuing advisories/patches for disclosed CVEs.
- **Recovery actions:** Recovery from a potential OS downgrade attack remains complex due to the "irreversible" nature claimed by the PoC.
## Lessons Learned
- Software supply chain trust vectors (GitHub, Hugging Face) remain critical entry points for sophisticated threat actors like NullBulge.
- Foundational OS security features (like Windows VBS, present since 2015) can possess architectural flaws that allow for deep, persistent compromises (downgrade attacks).
- Identity verification processes, even professional hiring, remain vulnerable to sophisticated impersonation, including AI-generated profiles.
## Recommendations
- Regularly audit software supply chain intake processes for anomalies, even from "trusted" repositories.
- Promptly apply security advisories related to foundational OS components, as vulnerabilities like downgrade flaws can create wide-sweeping risks.
- Enhance vetting procedures for high-trust roles, focusing on verification steps beyond initial digital profiling, especially given the rise of AI-generated identities.