28 June 2024

6 min read

New MOVEit vulnerability on the rise | Cyber Intelligence Briefing: 28 June

June 2024
New MOVEit vulnerability on the rise | Cyber Intelligence Briefing: 28 June placeholder thumbnail

Top news stories this week

  1. Still MOVEing. A new critical MOVEit vulnerability is on the rise.
  2. Access alarm. TeamViewer examines intrusion amid alarms of Russia-linked cyber threats.
  3. Lie a Bit. LockBit falsely claim the US Federal Reserve as a victim.
  4. Chemical reaction. US agency warns chemical facilities to secure their online accounts.
  5. Domino effect. Neiman Marcus data breach linked to Snowflake account hacks.
  6. Many heads. Medusa dropper malware targets Android users in 4K sports app.   

Zywave IR Team of the Year 2024


1. A new critical MOVEit vulnerability is on the rise.

Progress Software, the developers of MOVEit, have disclosed a critical vulnerability (CVE-2024-5806) within the MOVEit SFTP module. This vulnerability allows an unauthenticated threat actor access to sensitive data on the MOVEit Transfer server. This follows another critical MOVEit vulnerability in June 2023 that impacted many large firms.

So What?

Progress Software has urged customers to patch to the latest version of MOVEit as threat actors have increasingly exploited this vulnerability

[Researcher: Aditya Ganjam Mahesh] 

2. TeamViewer investigates suspected breach amid nation-state cyber attack alerts

TeamViewer has accused a Russia-based threat group tracked as APT29 of being behind a breach of its corporate IT environment which the company is investigating. Simultaneously, a number of organisations have issued alerts over nation-state attacks using TeamViewer software, with alleged connections to Russia's intelligence service.

So what?

Organisations should closely monitor and review logs for any unusual remote desktop traffic, and closely follow vendor advisories for the latest updates and guidance. Enabling MFA and employing both white and blocklists can help plug security gaps in remote access tools.

[Researcher: Lawrence Copson]

3. LockBit falsely name US Federal Reserve as a victim for publicity.

LockBit recently named the US Federal Reserve as a victim on their leaksite and claimed to possess 33 TB of ‘American banking secrets’. However, an analysis of the stolen data revealed that it belonged to an individual US financial institution. The false claim is likely a publicity stunt after law enforcement seized the group’s infrastructure. 

So what?

Threat actors have historically made false claims to garner media attention or to cause confusion. Victims should always independently verify the nature and extent of an attack.  

[Researcher: Jon Seland]

4. CISA warns chemical facilities of possible data exfiltration

The Cybersecurity & Infrastructure Security Agency (CISA) in the US has disclosed a breach of its Chemical Security Assessment Tool (CSAT) in January this year. Hackers installed an advanced webshell on the CSAT Ivanti device that provides the private sector with sensitive information on facilities that house 'chemicals of interest'. While there is no evidence of credentials being stolen, CISA is urging all CSAT users to reset their passwords for any accounts that used the same password as their CSAT accounts.

So what?

This breach is a reminder to continuously scan for vulnerabilities, especially if organisations are holding sensitive data which could impact national security if exfiltrated.

[Researcher: David Broome]

5. Neiman Marcus suffers data breach following hack of Snowflake account

American department store, Neiman Marcus, confirmed a data breach impacting 64,472 individuals after data from their Snowflake cloud account was advertised for sale on a hacking forum. This follows the recent data breaches of Santander and Ticketmaster which were also linked to Snowflake cloud storage. A joint investigation revealed that the compromise of Snowflake customer accounts could potentially impact up to 165 organisations, of whom Snowflake have notified.


Supply chain attacks can have a wide-reaching impact on multiple organisations. It is important for organisations to assess the security practices of third-party vendors to validate whether they meet your company’s security requirements, and to verify that their security practices are equipped to address the latest cyber threats.

[Researcher: Adelaide Parker]

6. New variant of Medusa banking trojan targets Android users

The Medusa banking trojan, known for its Remote Access Trojan (RAT) capabilities allowing threat actors to execute on-device fraud, has a new version. The dropper malware is delivered via malicious applications, such as fake Chrome browser, 5G connectivity app and 4K Sports and enables the threat actor to display full-screen overlays and remotely uninstall applications.

So what?

To avoid installation of malicious applications, individuals should download applications from trusted app stores and official websites. It is best practice to verify the authenticity of applications by reviewing application and developer names before downloading.

[Researcher: Lena Krummeich]



The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.