Highlights from Q2 2024 Cato CTRL SASE Threat Report

Listen to post: Getting your Trinity Audio player ready...

Introduction  

At RSA Conference 2024, Cato Networks introduced Cato CTRL (Cyber Threats Research Lab), which is our cyber threat intelligence (CTI) team. Cato CTRL protects organizations by collecting, analyzing and reporting on external and internal threats, utilizing the data lake underlying the Cato SASE Cloud Platform. 

For 2024, Cato CTRL is publishing quarterly threat reports that provide an overview of the threat landscape. Today, we published the Q2 2024 Cato CTRL SASE Threat Report, which summarizes findings from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024.  

Key Findings 

IntelBroker is a highly active threat actor selling data and source code 

In its investigation of hacking communities and the dark web, Cato CTRL came across a threat actor named IntelBroker, who is a prominent figure and moderator in the BreachForums hacking community.  

IntelBroker’s illicit activities encompass a wide range of cybercriminal tactics. In recent months, IntelBroker has offered to sell data and source code from AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and U.S. Army Aviation and Missile Command. 

Amazon is the top spoofed brand—thanks to cybersquatting  

Cybersquatting involves using a domain name with the intent to profit off another brand’s registered trademark. Threat actors leverage cybersquatting to harvest user credentials through various techniques, including malware distribution or phishing attacks. 

In Q2 2024, Cato CTRL observed that Amazon was the top spoofed brand by a significant margin (66% of domains), with Google ranked second at 7%. Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask to submit sensitive information. Users could be putting themselves or their organizations at risk. 

Q2 2024 Cato CTRL SASE Threat Report | Get the report

Log4j remains a popular vulnerability that threat actors attempt to exploit 

Three years after its discovery in 2021, Log4j remains one of the most used vulnerabilities leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic.  

The Oracle WebLogic vulnerability, which originated in 2020, is another popular exploit leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 114% increase in the attempted use of the Oracle WebLogic vulnerability in WANbound traffic. 

Inbound traffic is traffic that doesn’t originate from within the network, while WANbound traffic resides within a WAN environment. For threat actors, these are different potential entry points to infiltrate organizations and conduct attacks. 

Security Best Practices 

Based on our key findings, Cato CTRL recommends that organizations take the following actions: 

• Implement Continuous Threat Intelligence Monitoring 
  • Set up a system to monitor dark web forums and marketplaces for any mention of your company’s data or credentials being sold. 

• Educate Yourself on the Perils of Cybersquatting  
  • Incorporate cybersquatting tools and techniques for detecting phishing and other attacks that use this method for nefarious purposes. 

• Prioritize Patching of Highly Exploited Vulnerabilities  
  • Implement a proactive patching schedule for critical vulnerabilities, especially those actively exploited (ex: Log4j).  
  • Use vulnerability prioritization tools to focus on the most critical and actively exploited vulnerabilities first. 

Resources 

• Download the Q1 2024 Cato CTRL SASE Threat Report.  
• Download the Q2 2024 Cato CTRL SASE Threat Report.
• Read the press release.  
• Visit the Cato CTRL page to learn more about Cato’s threat intelligence team.