This month’s Threat Intelligence Report, published by Ericsson’s Threat Research and Analysis (TR&A) team, highlights how rapid IoT expansion raises risks (Verizon 2024 Mobile Security Index), the OpenVPN vulnerability prompts remote connectivity reassessment, and threat actors shift tactics for evasion and obfuscation.
Each month the TR&A team publishes a threat intelligence report to inform organizations about relevant changes in the threat landscape. This report covers events during August 2024.
At a glance
- IoT risks in critical infrastructure a dominant theme in Verizon’s “2024 Mobile Security Index Report”
- OpenVPN vulnerabilities add to the risks of using VPNs
- Mature threat actors changing tactics increase threat to new targets
- Known exploited vulnerabilities that Ericsson's enterprise solutions would mitigate
Our Views on Recent Attacks:
This month, the Verizon 2024 Mobile Security Index and Microsoft’s Black Hat presentation of the OpenVPN vulnerabilities set the stage for rethinking how to provide remote privileged access to users and devices. Meanwhile, threat actors such as Royal/BlackSuit and RansomHub are changing their techniques to evade detection and attribution.
Verizon 2024 Mobile Security Index Report
While the report covered many industries, the focus was the risks incurred by IoT devices in critical infrastructure. The report confirmed the rapid adoption of IoT into critical infrastructure, with 95% of survey respondents having IoT deployments, but only 39% have defined organization-wide IoT standards and only 37% of organizations centrally coordinate IoT projects. Combined with the 85% who agreed that a security breach within their industry could endanger human lives, the conclusion could be that the attack surface is increasing with limited cohesive device management, and that the impact could be fatal. For more details, see the “2024 Mobile Security Index” report at https://www.verizon.com/business/resources/reports/2024-mobile-security-index.pdf
TR&A Comments: NIST recommends baselining the core technical capabilities for IoT management: device identification, device configuration, data protection, logical access to interfaces, software updates, and cybersecurity state awareness. Organizations could use these requirements to draft their policies for securing IoT devices and the data they collect and transmit. Gartner predicts that by 2025, 75% of enterprise-generated data will be created and processed outside the data center or cloud. Data from IoT devices and edge computing will likely be a significant source of this data.
Ericsson Cradlepoint solutions for active defense: Our NetCloud SASE solution can provide four of the six NIST core technical capabilities: asset and application identification for device identification, data encryption in transit for data protection, logical access to interfaces with Remote Connect, and cybersecurity state awareness with Hybrid Mesh Firewall.
OpenVPN joins list of VPN vulnerabilities exploited for initial access
Four zero-day vulnerabilities in OpenVPN can be exploited in sequence (chained) to achieve remote code execution (RCE) and local privilege escalation (LPE) starting from an ordinary user account. This poses a global risk to organizations across industries, as OpenVPN is open-source software used in many products to provide a VPN feature. The CVSS CISA-ADP scores of 7.2 (High) for three of the vulnerabilities reflect the increased level of OpenVPN expertise required to exploit them. However, CVE-2024-1305 in the tap-windows6 driver is scored 9.8 (Critical) and could be used to cause a denial-of-service condition. For more details, see “Chained for attack: OpenVPN vulnerabilities discovered leading to RCE and LPE”: https://www.microsoft.com/en-us/security/blog/2024/08/08/chained-for-attack-openvpn-vulnerabilities-discovered-leading-to-rce-and-lpe/
TR&A Comments: VPN solution vulnerabilities have been surging in the past two years (for example, Ivanti and Cisco), and when paired with stolen credentials they have significantly increased the number of successful initial access attempts. VPNs provide privileged remote access for remote users and devices to connect to business locations, which creates both cybersecurity and business operations risk. Defenders may want to consider newer and more secure remote access solutions to enable the business.
Ericsson’s enterprise solutions for active defense: Zero trust private access allows an organization to secure remote access to device administration applications, removing the need for VPN devices and software. Additionally, NetCloud SASE provides attack surface reduction using a combination of secure remote access and zero trust network architecture to eliminate the opportunity for a threat actor to attack network devices.
Threat actors change techniques
Long-lived cybergangs “Scattered Spider,” “Royal/Blacksuit,” and “Hunters International” have evolved their attack techniques. The Kroll Q2 Threat Landscape Report reported that Scattered Spider shifted to targeting SaaS/cloud services, while maintaining social engineering for initial access. CISA issued a #StopRansomware advisory for the cybergang Royal, which is re-emerging as Blacksuit with a new ransomware variant. Recently, Royal was responsible for ransoms as high as $60 million USD. Quorum Cyber security researchers reported that Hunters International launched a new campaign delivering a remote access trojan (RAT) via domain typo-squatting, tricking network admins into downloading an infected version of Angry IP Scanner.
TR&A Comments: The shift to new tactics increases risks, as these threat actors are highly skilled and can exploit an organization’s slower security deployments. In 2024, both Hunters International and Scattered Spider each conducted over 130 attacks, while Blacksuit executed fewer but demanded higher ransoms. Defenders should compare new indicators of compromise (IOCs) against current defenses.
Ericsson’s enterprise solutions for active defense: Zero trust internet access blocks or scrubs malicious content from phishing emails and downloads, preventing users from accessing harmful software. NetCloud SASE further mitigates initial access by limiting resource access based on port, protocol, and traffic flow, reducing lateral movement by attackers.
Known exploited vulnerabilities that Ericsson's enterprise solutions would mitigate
The vulnerabilities listed below are actively exploited and relevant to the Ericsson Cradlepoint and NetCloud technologies used by many industries, including vulnerabilities published or added to CISA’s Known Exploited Vulnerabilities Catalog in August 2024. The “Criticality” column shows the CISA-ADP score, where available, to guide remediation prioritization.
| Product | Criticality (CVSS 3.0) | Impact | Industry | Exploited? | CVE |
|---|---|---|---|---|---|
| Dahua IP Camera firmware v2.3 and older | 9.8 Critical | Unauthenticated remote code execution caused by an authentication bypass. | Multiple | Yes | CVE-2021-33045 |
| Microsoft Windows 10 and older | 7.5 High | Systems patched within the last six years are not vulnerable. Actors can gain remote code execution (RCE) if a user downloads a file. | Multiple | Yes | CVE-2018-0824 |
| Microsoft Edge on Windows 10 and 11 | 7.5 High | Flaw in the handling of malicious web content can allow RCE. | Multiple | Yes | CVE-2024-38178 |
| Microsoft Office Project 365 and older | 8.8 High | Flaw in Office Project software allows RCE if the user opens a malicious file. | Multiple | Yes | CVE-2024-38189 |
| Google Chromium V8 | 8.8 High | Type confusion and inappropriate implementation flaws allow malicious code on websites to gain unauthorized access. | Multiple | Yes | CVE-2024-7971, CVE-2024-7965 |
For more monthly threat intelligence reports, please visit our threat intelligence blog or watch our weekly Hot Shots video series for tactical threat intelligence in under 15 minutes. If you would like to speak with an Ericsson solutions person, you can contact us using the chat feature on our website.