New Threat Report from Cato Networks Uncovers Threat Actor Selling Data and Source Code from Major Brands

August 13th, 2024

Cato’s quarterly threat report also reveals top spoofed brands for cybersquatting

TEL AVIV, Israel, August 13, 2024 Cato Networks, the creator of SASE, today published the Q2 2024 Cato CTRL SASE Threat Report, which provides insights into the threat landscape across several key areas: hacking communities and the dark web, enterprise security and network security. The insights are collected from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024. 

“With the Q2 2024 Cato CTRL SASE Threat Report, we are putting the spotlight on a notorious threat actor named IntelBroker. He is aggressive in selling data and source code from major brands, including tech companies like AMD, Apple, Facebook and Microsoft,” said Etay Maor, chief security strategist at Cato Networks and founding member of Cato CTRL. “Amazon is another brand that we’re seeing impacted by cybersquatting, which is a popular technique for threat actors to conduct phishing attacks.”  

IntelBroker is a highly active threat actor selling data and source code 

In its investigation of hacking communities and the dark web, Cato CTRL came across a threat actor named IntelBroker, who is a prominent figure and moderator in the BreachForums hacking community.  

IntelBroker’s illicit activities encompass a wide range of cybercriminal tactics. In recent months, IntelBroker has offered to sell data and source code from AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and U.S. Army Aviation and Missile Command. 

Amazon is the top spoofed brand—thanks to cybersquatting  

Cybersquatting involves using a domain name with the intent to profit off another brand’s registered trademark. Threat actors leverage cybersquatting to harvest user credentials through various techniques, including malware distribution or phishing attacks. 

In Q2 2024, Cato CTRL observed that Amazon was the top spoofed brand by a significant margin (66% of domains), with Google ranked second at 7%. Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask to submit sensitive information. Users could be putting themselves or their organizations at risk. 

Log4j remains a popular vulnerability that threat actors attempt to exploit 

Three years after its discovery in 2021, Log4j remains one of the most used vulnerabilities leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic.  

The Oracle WebLogic vulnerability, which originated in 2020, is another popular exploit leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 114% increase in the attempted use of the Oracle WebLogic vulnerability in WANbound traffic. 

Inbound traffic is traffic that doesn’t originate from within the network, while WANbound traffic resides within a WAN environment. For threat actors, these are different potential entry points to infiltrate organizations and conduct attacks. 

Resources

Methodology

The Q2 2024 Cato CTRL SASE Threat Report summarizes findings from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024.

About Cato CTRL

Cato CTRL (Cyber Threats Research Lab) is the world’s first CTI group to fuse threat intelligence with granular network insight made possible by Cato’s global SASE platform. By bringing together dozens of former military intelligence analysts, researchers, data scientists, academics and industry-recognized security professionals, Cato CTRL utilizes network data, security stack data, hundreds of security feeds, human intelligence operations, AI (Artificial Intelligence), and ML (Machine Learning) to shed light on the latest cyber threats and threat actors.

About Cato Networks

Cato Networks delivers enterprise security and networking in a single cloud platform. With Cato, organizations replace costly and rigid legacy infrastructure with an open and modular SASE architecture based on SD-WAN, a purpose-built global cloud network, and an embedded cloud-native security stack.

Want to learn why thousands of organizations secure their future with Cato? Visit us at www.catonetworks.com.

Media Contact

Cato Communications

press@catonetworks.com