Threat Context Monthly: Executive intelligence briefing for June 2024
Welcome to the Threat Context Monthly blog series, where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team.
Threat actor of the month: UNC5537 – Financially motivated threat actor
“UNC5537” is a financially motivated threat actor identified as responsible for the recent campaign targeting customer database instances hosted by cloud provider Snowflake. Victims likely linked to this campaign so far include Santander Bank, Live Nation (TicketMaster), Advance Auto Parts, QuoteWizard (LendingTree), and Pure Storage. To date, Mandiant and Snowflake have notified approximately 165 potentially exposed organizations.
The actor carries out identity-based attacks using stolen credentials against customer instances that lack multi-factor authentication (MFA). UNC5537’s aim is to identify and steal large volumes of records from the victims, then threaten to sell or publish them on underground forums.
What composes UNC5537’s toolkit?
- Compromised credentials: Credentials previously harvested by various infostealer malware families such as Vidar, RisePro, RedLine, Raccoon Stealer, Lumma, and MetaStealer. How the actor obtains these credentials remains unconfirmed; the most plausible explanation is that they simply purchase them from other threat actors.
- “Rapeflake” (aka FROSTBITE): Custom tool designed for carrying out reconnaissance operations like listing users, current roles, current IPs, session IDs, and organization names.
- DBeaver Ultimate: Publicly available database management utility, used to connect and run queries across Snowflake instances.
Once data has been exfiltrated, UNC5537 advertises it on various underground forums under different aliases such as “Spidermandata” or “Sp1d3r”. In addition, they have also used other actors such as “ShinyHunters” as intermediaries.
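The access pattern described above (password-only logins on instances without MFA, reconnaissance, then bulk queries from a generic SQL client) can be hunted for with Snowflake’s own account-usage views. The following is an added example, not code from the briefing or from KrakenLabs; it assumes the SNOWFLAKE.ACCOUNT_USAGE share is readable and that column names match Snowflake’s documented USERS and LOGIN_HISTORY views, so verify them against your account first.

```sql
-- Added example (not from the original briefing). Assumes access to the
-- SNOWFLAKE.ACCOUNT_USAGE share and the documented column names below.

-- 1. Accounts a stolen infostealer password would open: active users that
--    authenticate with a password and have no Duo MFA enrolled.
SELECT name, last_success_login, has_password, ext_authn_duo
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days from the JDBC
--    driver (DBeaver connects to Snowflake over JDBC), i.e. a session that a
--    leaked credential alone could have established. Review each user/IP pair
--    that is new to your environment.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND reported_client_type ILIKE '%JDBC%'
ORDER BY event_timestamp DESC;

-- 3. Mitigation: a network policy means a password alone is not enough to
--    log in from an arbitrary host. The CIDR below is a placeholder
--    (documentation range); replace it with your corporate egress ranges.
CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Query 2 lists legitimate developers as well as intruders; the signal is a user whose password-only JDBC logins come from an IP or country never seen for them before, followed by unusually large result sets.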
Spotlight threat: Law enforcement operations – LockBit Group / BreachForums / Operation Endgame
LockBit Group
After using LockBit's old Data Leak Site (DLS) as a press release site during the first phase of Operation Cronos in February, the agencies shut it down. On May 5 they revived it with more information. The most relevant disclosures were the sanctions against Russian national “Dmitry Khoroshev” (aka “LockBitSupp”), administrator and developer of the group, as well as additional information regarding LockBit's affiliates.
The UK’s National Crime Agency (NCA) also assesses that, even though the group has attempted to reorganize, it is currently running at limited capacity and the global threat from LockBit has significantly reduced. In addition, the FBI has recently confirmed that it has acquired over 7,000 LockBit decryption keys that victims can use to recover encrypted data at no cost.
BreachForums
On May 15, US authorities, with assistance from international partners, took down the websites hosting the underground forum BreachForums. This was the successor of the also-seized RaidForums, from which it took the baton for hosting posts selling or giving away leaked and stolen corporate data.
More than a year ago, in March 2023, BreachForums (then called Breached) suffered a first seizure following the arrest of its owner “Pompompurin” (aka “Conor Brian Fitzpatrick”). Right after, users “Baphomet” and “ShinyHunters” took ownership of the site, which came back to life in June 2023.
This latest seizure lasted until May 28, when the forum became available again on new domains. However, on June 10 the forum experienced problems, staying down for three days, and some related Telegram accounts were banned. Admin ShinyHunters confirmed the recent issues and their decision to abandon Telegram, as well as the transfer of control to “Anastasia” as the next owner.
Operation Endgame
At the end of May, law enforcement agencies from Europe and the US, with contributions from private threat intelligence and cybersecurity companies, carried out the biggest international law enforcement operation against botnets to date, targeting IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.
The results of Operation Endgame included over 100 servers taken down or disrupted, more than 2,000 domains brought under the control of law enforcement, the arrests of four individuals and 16 location searches. Furthermore, security agencies successfully tracked the cryptocurrency assets of one of the suspects. Additionally, days after the operation was announced, the authorities in Germany revealed the identities of eight individuals related to “SmokeLoader” and “Trickbot” malware operations.
KrakenLabs highlights observed
Hacktivism
Motivations: The head of the European Union Agency for Cybersecurity (ENISA) stated that geopolitically motivated cyberattacks targeting the European Union are increasing. The Agency observed that hacktivist activity doubled from the last quarter of 2023 to the first quarter of 2024.
Targeting: Because traditional hacktivist attacks such as DDoS or website defacement often go unnoticed, hacktivist groups, even those with relatively little specialized knowledge, are turning their efforts towards OT systems, where the substantial disruption they can cause brings the notoriety they seek.
Emerging threat
VPN-related cyberattacks: Zscaler reports a significant rise in VPN-related cyberattacks, likely linked to the discovery of more zero-day and high-severity VPN vulnerabilities. In addition, enterprises breached via VPN vulnerabilities report that threat actors focus on lateral movement once inside.
Recommendations: The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with more secure alternatives such as Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2). This follows the repeated exploitation of flaws in edge network devices to breach corporate networks.
Ransomware
Extortion schemes: Mandiant warns of a new aggressive tactic used by ransomware groups to force victims to pay, in which threat actors “SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children.” In some cases this is caller ID spoofing; on other occasions the attackers did indeed SIM-swap family members.
Extortion targeting: Security researcher Germán Fernandez warned of a campaign, likely ongoing since February, in which an attacker dubbed “Gitlocker” targets GitHub repositories, steals their data, wipes the contents, and demands payment from the victims. Initial compromise is achieved through spam recruiting emails aimed at developers.
Learn more about Threat Compass
Want more? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team.
What’s new in Threat Context this month?
Threat actors: TA4557, kapuchin0, dAnOn Hacker Group, UAC-0188, DarkVault, GambleForce, UNC5174, Ember Hemlock, notchy, UAC-0020, Zero Zeno, GitCaught, Storm-1679, etc.
Tools: WAExp, Warp, Cuckoo, GooseEgg, Kaolin RAT, OfflRouter, Deuterbear, LunarWeb, Patriot Stealer, Supershell, V3B, Ebury, ModeLoader, AndarLoader, SPECTR, etc.
and much more!