This week, SASE pros, Cato Networks have published the Q2 2024 Cato CTRL SASE Threat Report, which provides insights into the threat landscape across several key areas: hacking communities and the dark web, enterprise security and network security. The report found that threat actors are selling data and source code from major brands on the dark web.
The insights are collected from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024.
IntelBroker is a highly active threat actor selling data and source code
In its investigation of hacking communities and the dark web, Cato CTRL came across a threat actor named IntelBroker, who is a prominent figure and moderator in the BreachForums hacking community.
IntelBroker’s illicit activities encompass a wide range of cybercriminal tactics. In recent months, IntelBroker has offered to sell data and source code from AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and U.S. Army Aviation and Missile Command.
Amazon is the top spoofed brand—thanks to cybersquatting
Cybersquatting involves using a domain name with the intent to profit off another brand’s registered trademark. Threat actors leverage cybersquatting to harvest user credentials through various techniques, including malware distribution or phishing attacks.
In Q2 2024, Cato CTRL observed that Amazon was the top spoofed brand by a significant margin (66% of domains), with Google ranked second at 7%. Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask to submit sensitive information. Users could be putting themselves or their organisations at risk.
Log4j remains a popular vulnerability that threat actors attempt to exploit
Three years after its discovery in 2021, Log4j remains one of the most used vulnerabilities leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic.
The Oracle WebLogic vulnerability, which originated in 2020, is another popular exploit leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 114% increase in the attempted use of the Oracle WebLogic vulnerability in WANbound traffic.
Inbound traffic is traffic that doesn’t originate from within the network, while WANbound traffic resides within a WAN environment. For threat actors, these are different potential entry points to infiltrate organisations and conduct attacks.
“With the Q2 2024 Cato CTRL SASE Threat Report, we are putting the spotlight on a notorious threat actor named IntelBroker. He is aggressive in selling data and source code from major brands, including tech companies like AMD, Apple, Facebook and Microsoft,” said Etay Maor, chief security strategist at Cato Networks and founding member of Cato CTRL. “Amazon is another brand that we’re seeing impacted by cybersquatting, which is a popular technique for threat actors to conduct phishing attacks.”
This research comes after Cato Networks announced that it had surpassed $200 million in annual recurring revenue in the second quarter of 2024.
