Threat Context monthly: Executive intelligence briefing for July 2024
Every month, we bring you some of the key findings from Outpost24’s Threat Intelligence team, KrakenLabs. Here’s what you need to know from July.
Threat actor of the month: Volcano demon – Ransomware group
“Volcano demon” is a new ransomware group that follows the double-extortion trend but pairs it with a decidedly old-fashioned negotiation channel. In addition to dropping a ransom note on the victim’s devices, the operators phone leadership and IT executives from unidentified caller-ID numbers to negotiate the payment.
The group gains access with administrative credentials harvested from the victim’s network and then encrypts data using LukaLocker, a C++ ransomware that targets both Windows and Linux servers. LukaLocker supports full or partial encryption, appends the .nba extension to encrypted files, and drops a ransom note. The group also claims to exfiltrate victim data and threatens to release it to the public, clients, and partners.
Volcano demon does not operate a dedicated Data Leak Site (DLS), and it is not clear how the exfiltrated data would be leaked. The absence of a DLS also makes it harder for researchers to identify victims. At least two successful attacks, against manufacturing and logistics companies, have been reported.
Spotlight threat: Disinformation in the Games (Storm-1679 + Storm-1099)
In summer 2023, social media platforms witnessed a deceptive campaign centered on “Olympics Has Fallen,” promoted by pro-Russian Telegram channels. This fake documentary, featuring AI-generated audio mimicking Tom Cruise’s voice, condemned the International Olympic Committee (IOC) and marked the onset of a concerted effort by Russia-affiliated actors to undermine the IOC and the upcoming 2024 Paris Olympic Games.
As the event approached, researchers uncovered a network of Russian influence operations targeting the IOC, President Macron and the Games themselves, while amplifying socioeconomic grievances in France to provoke social unrest. Led by pro-Russian groups such as “Storm-1679” and “Storm-1099” (aka “Doppelgänger”), these campaigns used sophisticated tactics to spread fear of potential violence. Both groups have been active since 2023 and operate in line with Russian state interests; accordingly, their earlier operations targeted Ukraine directly or indirectly.
They rely on social media and messaging platforms to spread disinformation via fake profiles, posts, and ads. Furthermore, they leverage AI for GAN-generated profile pictures, multilingual content, and voice impersonation to amplify reach and credibility. Particularly concerning was their exploitation of the Israel-Palestine conflict, fabricating threats mimicking militant groups and circulating fake graffiti in Paris, aimed at discouraging attendance and fostering public apprehension about the games.
KrakenLabs key updates
Malware
Distribution: There is a growing trend among cyber attackers to use cloud services for storing malware, distributing payloads, and managing command and control servers. Botnets like UNSTABLE and Condi exemplify this trend, leveraging cloud resources to distribute malware across diverse devices. Learn more →
Distribution: After Microsoft began blocking Office macros from the internet by default in 2022, attackers shifted to other file types. The new GrimResource technique abuses Microsoft Saved Console (.msc) files, which are opened by the Microsoft Management Console (MMC): a crafted console file triggers an old cross-site scripting (XSS) flaw in a Windows library to execute arbitrary code. It has been used in the wild since June to deploy Cobalt Strike, with samples initially going undetected by antivirus engines. Learn more →
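As an added illustration (not part of the original briefing, and not Outpost24 or Elastic tooling), the following Python heuristic triages .msc console files for the kind of content the technique relies on. MSC files are XML, with console text (including URLs used by taskpads and views) stored in String elements of a StringTable; the indicators below (a reference to the XSS-prone apds.dll redirect page, a javascript: URL, a res:// resource URL, or inline script) are an assumption drawn from public reporting rather than an exhaustive signature, and the two sample documents are constructed for the example.

```python
"""Heuristic triage of Microsoft Saved Console (.msc) files for GrimResource-style content.

Added example, not vendor code. The indicators are assumptions drawn from public reporting
on the technique and should be tuned against a corpus of known-good consoles."""
import re
import xml.etree.ElementTree as ET

# Indicator name -> pattern applied to every text node and attribute value in the console XML.
INDICATORS = {
    "apds-redirect": re.compile(r"apds\.dll|redirect\.html", re.I),  # XSS-prone redirect page
    "script-url":    re.compile(r"javascript:", re.I),               # script pseudo-URL
    "inline-script": re.compile(r"<\s*script\b|vbscript:", re.I),    # embedded HTML/script
    "res-scheme":    re.compile(r"\bres://", re.I),                  # resource-URL loader
}


def _string_values(root):
    """Yield (location, value) for every text node and attribute in the document."""
    for elem in root.iter():
        if elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()
        for key, value in elem.attrib.items():
            yield f"{elem.tag}@{key}", value


def scan_msc(xml_text: str):
    """Return a list of (location, indicator, snippet) hits; an empty list means nothing matched.

    A file that is not well-formed XML is reported as a single 'xml-parse-error' hit, since a
    legitimate console saved by MMC is always parseable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("document", "xml-parse-error", str(exc))]
    hits = []
    for location, value in _string_values(root):
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.append((location, name, value[:80]))
    return hits


def verdict(xml_text: str) -> str:
    """'suspicious' if any indicator fired, otherwise 'clean'."""
    return "suspicious" if scan_msc(xml_text) else "clean"


# Constructed samples for the example (not real malware): a plain console and one whose
# string table carries a resource URL with a script payload placeholder.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Event Viewer (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MSC), ("suspicious", SUSPICIOUS_MSC)):
        print(label, verdict(doc), scan_msc(doc))
```

Pointing `scan_msc` at every .msc file in user-writable locations (Downloads, Temp, mail attachment caches) gives a quick hunt across endpoints; pair it with telemetry on mmc.exe spawning script hosts or loading .NET runtimes from a console file, which the static check alone cannot see.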
Underground activity
Data Leak: A user dubbed “ctf” published “Rockyou2024” on an underground forum, a password compilation containing over 9.9 billion entries. Outpost24 analysts examined the dataset and found that the supposedly new compilation is essentially the older Rockyou2021 list plus additional entries from low-quality sources. Despite the publicity it gained, the dataset should pose minimal to no additional risk to existing customers. Learn more on Specops (an Outpost24 brand) →
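The check behind that conclusion is easy to reproduce for any “new” compilation. As an added example (not Outpost24’s analysis code), the Python below streams a new wordlist against an older one and tallies how many entries were already known, how many are duplicates within the new list, and how many of the genuinely novel entries look like junk rather than passwords. The junk heuristics (hash digests, email:password combolist lines, over-long or control-character entries) are an assumption about what low-quality sources typically contribute, and the two wordlists are constructed for the example.

```python
"""Measure how much of a 'new' password compilation is really new and password-like.

Added example, not Outpost24 code. The junk heuristics are assumptions about what
low-quality sources contribute (digests, combolist lines, over-long or binary entries)."""
import re
from collections import Counter

HEX_DIGEST = re.compile(r"^[0-9a-f]{32,128}$", re.I)       # md5 .. sha512 looking strings
COMBOLIST = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+:")     # email:password line, not a password
MAX_PLAUSIBLE_LEN = 64                                      # longer entries are rarely real passwords


def looks_like_junk(entry: str) -> bool:
    """Heuristic: True for entries that are unlikely to be a human-chosen password."""
    if not entry or len(entry) > MAX_PLAUSIBLE_LEN:
        return True
    if HEX_DIGEST.match(entry) or COMBOLIST.match(entry):
        return True
    return any(ord(ch) < 0x20 for ch in entry)              # control characters from mis-parsed dumps


def compare_compilations(old_lines, new_lines):
    """Stream the new list against an in-memory set of the old one and tally the result.

    Returns a dict with new_total, already_in_old, duplicate_in_new, novel_unique, novel_junk."""
    known = {line.rstrip("\r\n") for line in old_lines}
    stats = Counter()
    novel_seen = set()
    for raw in new_lines:
        entry = raw.rstrip("\r\n")
        stats["new_total"] += 1
        if entry in known:
            stats["already_in_old"] += 1
        elif entry in novel_seen:
            stats["duplicate_in_new"] += 1
        else:
            novel_seen.add(entry)
            stats["novel_unique"] += 1
            if looks_like_junk(entry):
                stats["novel_junk"] += 1
    return dict(stats)


def novelty_ratio(stats) -> float:
    """Fraction of the new list that is genuinely new AND password-like."""
    usable = stats.get("novel_unique", 0) - stats.get("novel_junk", 0)
    return usable / stats["new_total"] if stats.get("new_total") else 0.0


# Constructed sample wordlists for the example.
OLD_LIST = ["123456", "password", "rockyou", "iloveyou", "princess"]
NEW_LIST = OLD_LIST + [
    "qwerty", "qwerty",                                   # novel, then a duplicate of it
    "5f4dcc3b5aa765d61d8327deb882cf99",                   # an MD5 digest, not a password
    "user@example.com:hunter2",                           # combolist line leaked into the list
    "A" * 80,                                             # over-long garbage
    "letmein",                                            # the only other usable novel entry
]

if __name__ == "__main__":
    result = compare_compilations(OLD_LIST, NEW_LIST)
    print(result)
    print(f"usable novelty: {novelty_ratio(result):.1%}")
```

For lists in the billions the in-memory set will not fit; the same tally can be produced with `LC_ALL=C sort -u` on both files followed by `comm -13 old.txt new.txt`, and the junk filter applied only to that (much smaller) novel remainder.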
Emerging threats
Supply chain attacks: Researchers have attributed recent supply chain attacks involving several CDN services (Polyfill, BootCDN, Bootcss, and Staticfile) to a single entity and traced the campaign back to June 2023. The link was made through a leaked file containing secrets, found in a GitHub repository associated with a domain from the Polyfill case. Learn more →
Vulnerabilities: After analyzing a list of critical projects compiled by the Open Source Security Foundation, government cybersecurity and law enforcement agencies concluded that memory safety vulnerabilities are among the most prevalent classes of software vulnerability and impose significant costs on both software manufacturers and consumers for patching, incident response, and other remediation. Learn more →
New in Threat Context this month
Threat actors: UTA0137, SneakyChef, Cloak, SEIDR CORP, Rodrigo4, Velvet Ant, Ph0enix, Hunt3r Kill3rs, Unfurling Hemlock, Eldorado, Volcano demon, Cicada3301, plus more!
Tools: Oyster, Diamorphine, SpiceRAT, Medusa rootkit, Hyena Stealer, Nightingale, Xctdoor, Neptune Stealer, Eldorado ransomware, LukaLocker, Typez Stealer, plus more!
Want more threat intel?
Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Get in touch to arrange your free demo.