{
	"id": "b2725896-7e5a-4c0d-b009-c6b024438799",
	"created_at": "2026-04-15T02:23:53.388618Z",
	"updated_at": "2026-04-18T02:22:06.837102Z",
	"deleted_at": null,
	"sha1_hash": "a77217fff402eed49080c6fafd6cbf9daac1e386",
	"title": "17th June – Threat Intelligence Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60991,
	"plain_text": "17th June – Threat Intelligence Report\r\nBy urias\r\nPublished: 2024-06-17 · Archived: 2026-04-15 02:00:41 UTC\r\nJune 17, 2024\r\nFor the latest discoveries in cyber research for the week of 17th June, please download our Threat Intelligence\r\nBulletin.\r\nTOP ATTACKS AND BREACHES\r\nAn attack targeting Snowflake customer databases, identified as the work of threat actor UNC5537, has led\r\nto significant data theft and extortion. UNC5537 used stolen Snowflake customer credentials, obtained\r\nmainly from infostealer malware, to access and exfiltrate large volumes of data from Snowflake instances.\r\nThe compromised accounts lacked multi-factor authentication and often had outdated credentials,\r\nfacilitating the attacks. Snowflake has already notified around 165 affected organizations and is\r\ncollaborating with law enforcement to investigate the breaches.\r\nAmerican insurance giant Globe Life is investigating a potential data breach of one of its web portals,\r\nwhich may have exposed consumer and policyholder information. The breach prompted Globe Life to\r\nremove external access to the portal, and the full extent of the incident is currently being assessed by\r\nsecurity experts. Representatives said they believe the breach was contained to the specific portal.\r\nA data breach has exposed old marketing data from cybersecurity company Cylance, affecting 34 million\r\ncustomer and employee emails and personally identifiable information. The data, being sold on\r\nunderground marketplaces by threat actor Sp1d3r for $750,000, stems from a third-party platform and\r\ndates back to 2015-2018. Cylance confirmed the legitimacy of the data but claimed that no current\r\nCylance customers or sensitive information are impacted.\r\nThe city of Cleveland has suffered a cyber incident, forcing it to shut down its city hall and affecting\r\nseveral internal systems and software platforms. 
Officials say affected systems will stay offline until the\r\nincident is more thoroughly investigated, and they are currently working to secure and restore services.\r\nThe town of Arlington, Massachusetts, has disclosed that over $445,000 was paid to threat actors in a\r\nrecent business email compromise attack. The cyber criminals used compromised business accounts, social\r\nengineering and spoofing to impersonate vendors with whom the town does business. According to the\r\ntown’s statement, no sensitive data was compromised in the campaign.\r\nJapanese media group KADOKAWA Group reported a recent cyber-attack which has disrupted multiple\r\nwebsites, including the Niconico Service, KADOKAWA Official Site, and more. The attack led to the\r\nshutdown of affected servers to protect data. In an announcement, KADOKAWA said they are investigating\r\nthe incident with external experts and law enforcement to determine if any sensitive information was\r\nleaked, and that they are working to restore their systems.\r\nVULNERABILITIES AND PATCHES\r\nMicrosoft’s June 2024 Patch Tuesday addressed 51 vulnerabilities including 18 remote code execution\r\nflaws, among which is one critical vulnerability (CVE-2024-30080), and one zero-day flaw\r\n(CVE-2023-50868). The updates cover various Microsoft products, with significant patches for remote code execution\r\nvulnerabilities in Microsoft Office and a privilege elevation flaw in the Windows Kernel.\r\nCheck Point IPS blade is protecting against this threat (Microsoft Message Queuing Remote Code Execution\r\n(CVE-2024-30080))\r\nResearchers have revealed 24 vulnerabilities after a comprehensive analysis of a popular ZKTeco biometric\r\nterminal. The list of flaws includes 6 SQL injection vulnerabilities, 7 buffer overflows, 5 command\r\ninjection, and 6 arbitrary file read/write flaws. 
Exploiting these weaknesses could allow authentication\r\nbypass, data leaks, and network access breaches.\r\nResearchers have discovered a high-severity flaw, CVE-2024-21754, in Fortinet firewall firmware, which\r\ncould potentially expose sensitive information such as passwords to attackers. This vulnerability allowed\r\nunauthorized users to decrypt configuration backup files and access user credentials. The flaw was\r\ndisclosed to Fortinet and addressed in FortiOS v7.4.4.\r\nTHREAT INTELLIGENCE REPORTS\r\nCheck Point Research published its Global Threat Index for May 2024, highlighting that the Phorpiex\r\nbotnet is being used to distribute LockBit Black ransomware via millions of phishing emails, marking a\r\nsignificant malspam campaign. Additionally, the LockBit3 ransomware group activity has resurged,\r\naccounting for 33% of ransomware attacks after a recent disruption. This resurgence follows law\r\nenforcement action that had temporarily halted their operations by exposing leaders and releasing\r\ndecryption keys. The report also highlights the prevalence of malware families such as FakeUpdates,\r\nAndroxgh0st, and Qbot.\r\nCheck Point Research warns about online phishing scams related to summer vacations. In May 2024, CPR\r\ndetected a significant surge in summer-related cyber scams, highlighting the need for travelers to stay\r\ninformed and proactive in safeguarding their personal information. Specifically, a notable surge in newly\r\ncreated domains related to holidays or vacations was observed, with a significant increase compared to the\r\nsame period last year.\r\nCheck Point highlights a sophisticated DLL sideloading attack designed to steal login credentials and credit\r\ncard information from users of online payment systems, banks, and crypto exchanges. This attack exploits\r\nlegitimate business applications to run compromised DLL files, making detection difficult. 
The specific\r\ndescribed attack involved the Casbaneiro banking trojan, which used legitimate resources hosted on\r\nAmazon AWS and GitHub to sideload a malicious DLL.\r\nSource: https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/"
	],
	"report_names": [
		"17th-june-threat-intelligence-report"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-18T02:00:05.407842Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-18T02:00:03.969931Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d99090fb-318c-46a2-a1b6-9e89ec61a6d8",
			"created_at": "2024-06-19T02:00:04.375337Z",
			"updated_at": "2026-04-18T02:00:03.970901Z",
			"deleted_at": null,
			"main_name": "Sp1d3r",
			"aliases": [],
			"source_name": "MISPGALAXY:Sp1d3r",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776219833,
	"ts_updated_at": 1776478926,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a77217fff402eed49080c6fafd6cbf9daac1e386.pdf",
		"text": "https://archive.orkl.eu/a77217fff402eed49080c6fafd6cbf9daac1e386.txt",
		"img": "https://archive.orkl.eu/a77217fff402eed49080c6fafd6cbf9daac1e386.jpg"
	}
}