August 13, 2024

Highlights from Q2 2024 Cato CTRL SASE Threat Report

Etay Maor, Vitaly Simonovich
Cato CTRL


Introduction  

At RSA Conference 2024, Cato Networks introduced Cato CTRL (Cyber Threats Research Lab), our cyber threat intelligence (CTI) team. Cato CTRL protects organizations by collecting, analyzing and reporting on external and internal threats, using the data lake underlying the Cato SASE Cloud Platform.

For 2024, Cato CTRL is publishing quarterly threat reports that provide an overview of the threat landscape. Today, we published the Q2 2024 Cato CTRL SASE Threat Report, which summarizes findings from Cato CTRL’s analysis of 1.38 trillion network flows across more than 2,500 customers globally between April and June 2024.  

Key Findings 

IntelBroker is a highly active threat actor selling data and source code 

In its investigation of hacking communities and the dark web, Cato CTRL came across a threat actor named IntelBroker, who is a prominent figure and moderator in the BreachForums hacking community.  

IntelBroker’s illicit activities encompass a wide range of cybercriminal tactics. In recent months, IntelBroker has offered to sell data and source code from AMD, Apple, Facebook, KrypC, Microsoft, Space-Eyes, T-Mobile and U.S. Army Aviation and Missile Command. 

Amazon is the top spoofed brand—thanks to cybersquatting  

Cybersquatting involves using a domain name with the intent to profit off another brand’s registered trademark. Threat actors leverage cybersquatting to harvest user credentials through various techniques, including malware distribution or phishing attacks. 

In Q2 2024, Cato CTRL observed that Amazon was the top spoofed brand by a significant margin (66% of domains), with Google ranked second at 7%. Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask them to submit sensitive information. Users could be putting themselves or their organizations at risk.
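As an added illustration (not code from the report or from Cato CTRL), the Python script below classifies candidate domains as possible cybersquats of watched brands and ranks the brands by hit count, the way the report ranks Amazon and Google; the brand list, homoglyph table, allowlist and sample domains are constructed assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher

# Brands to watch: Amazon and Google are named in the report, Microsoft is an assumption.
BRANDS = ["amazon", "google", "microsoft"]
# Look-alike substitutions typical of typosquats (assumed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Brand-owned names that must never be flagged (assumed allowlist; extend from asset inventory).
ALLOWLIST = {"amazon.com", "amazon.co.uk", "google.com", "microsoft.com"}
TWO_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'amaz0n' for 'login.amaz0n.co.uk'.
    Naive two-level suffix handling; use the Public Suffix List in production."""
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-2] in TWO_LEVEL and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Fold common look-alike characters back to the letters they imitate."""
    for lookalike, letter in HOMOGLYPHS.items():
        label = label.replace(lookalike, letter)
    return label

def classify(domain: str):
    """Return (brand, reason) if the domain looks like a squat of a watched brand, else None."""
    domain = domain.lower().strip(".")
    reg = registrable_label(domain)
    if domain in ALLOWLIST or reg in BRANDS:
        return None
    for brand in BRANDS:
        # Brand name used as a label or inside one: amazon-login.example, amazon.com.evil.example
        if any(brand in label for label in domain.split(".")[:-1]):
            return brand, "brand embedded"
        if normalize(reg) == brand:            # amaz0n.com
            return brand, "homoglyph"
        if SequenceMatcher(None, normalize(reg), brand).ratio() >= 0.85:
            return brand, "typo"               # amazn.net
    return None

def top_spoofed(domains):
    """Rank watched brands by number of flagged domains, as the report ranks Amazon and Google."""
    hits = Counter(hit[0] for hit in map(classify, domains) if hit)
    return hits.most_common()

# Constructed sample of observed domains; not data from the report.
SAMPLE = ["amaz0n.com", "amazon-login-secure.example", "amazn.net", "amazon.com",
          "g00gle.co.uk", "example.org", "amazon.com.evil.example"]
print(top_spoofed(SAMPLE))   # [('amazon', 4), ('google', 1)]
```

Feed it newly registered domains or passive DNS output; the allowlist is what keeps legitimate brand-owned names such as regional Amazon sites from being counted.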


Log4j remains a popular vulnerability that threat actors attempt to exploit 

Three years after its discovery in 2021, Log4j remains one of the vulnerabilities threat actors most frequently attempt to exploit. From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic.

The Oracle WebLogic vulnerability, which originated in 2020, is another popular exploit leveraged by threat actors. From Q1 2024 to Q2 2024, Cato CTRL observed a 114% increase in the attempted use of the Oracle WebLogic vulnerability in WANbound traffic. 

Inbound traffic is traffic that doesn’t originate from within the network, while WANbound traffic resides within a WAN environment. For threat actors, these are different potential entry points to infiltrate organizations and conduct attacks. 

Security Best Practices 

Based on our key findings, Cato CTRL recommends that organizations take the following actions: 

  • Implement Continuous Threat Intelligence Monitoring 
    • Set up a system to monitor dark web forums and marketplaces for any mention of your company’s data or credentials being sold. 
  • Educate Yourself on the Perils of Cybersquatting  
    • Incorporate cybersquatting tools and techniques for detecting phishing and other attacks that use this method for nefarious purposes. 
  • Prioritize Patching of Highly Exploited Vulnerabilities  
    • Implement a proactive patching schedule for critical vulnerabilities, especially those actively exploited (e.g., Log4j).
    • Use vulnerability prioritization tools to focus on the most critical and actively exploited vulnerabilities first. 

Etay Maor

Etay Maor is the Chief Security Strategist at Cato Networks, a founding member of Cato CTRL, and an industry-recognized cybersecurity researcher. Prior to joining Cato in 2021, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of the Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and an MA in Counter-Terrorism and Cyber-Terrorism.

Vitaly Simonovich

Vitaly Simonovich is a Threat Intelligence Researcher at Cato Networks and a member of Cato CTRL. He is based in Israel and has more than eight years of experience in the field of cybersecurity, with a focus on application and data security. Previously, Vitaly worked at Incapsula and Imperva, where he led teams of security analysts and researchers. Apart from his work, Vitaly is an active contributor to the cybersecurity community. He regularly publishes research blogs and webinars, and also presents at various security conferences. He is passionate about teaching cybersecurity to others and teaches at local colleges. In his free time, he enjoys solving Capture The Flag (CTF) challenges, which helps him enhance his skills.
