Threat Context Monthly: Executive intelligence briefing for October 2024
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from October.
Threat actor of the month: Nitrogen, Interlock, Sarcoma & AposSecurity (Extortion groups)
Data encryption was originally a defining component of ransomware attacks. Increasingly, however, threat groups exfiltrate data and threaten to publish it without encrypting anything; victims are extorted solely with the threat of their data being released publicly. The number of extortion groups that focus only on data exfiltration and extortion, without deploying ransomware, keeps growing, with new groups appearing every week.
These groups compromise a company, exfiltrate its data, create a Data Leak Site (DLS) on the Tor network and threaten to publish the information if the demanded payment is not made. Dropping encryption simplifies both the process and the level of sophistication required, which leads to a higher volume of new groups appearing.
Behind these new names are most likely affiliates of larger Ransomware-as-a-Service (RaaS) projects who have decided to act independently, giving up the encryption tooling the RaaS projects provided in exchange for full control of the operation and its profits.
Few details have emerged about how these groups carry out their compromises, although they most likely rely on valid accounts or on the exploitation of public-facing applications.
Attacks are opportunistic, without a preferred targeted sector or region and mostly affecting small and medium-sized enterprises (SMEs). Some of the groups do avoid targeting specific regions like CIS countries.
Spotlight threat: Operation Cronos continues (Law enforcement action)
A coordinated international operation has led to four arrests and significant disruptions to the LockBit group’s infrastructure. Authorities in France, the United Kingdom, and Spain, supported by Europol and Eurojust, arrested key individuals associated with the group, including a developer, a bulletproof hosting administrator, and two others supporting the group. Nine servers used by the group were also seized. The operation, part of the broader Operation Cronos, builds on previous efforts to dismantle LockBit’s activities.
In addition to the arrests and seizures, financial sanctions were imposed against LockBit affiliates, including individuals linked to “Evil Corp”, another notorious Russian cybercrime group. Among those individuals is Aleksandr Ryzhenkov, who is accused of developing ransomware and making extortion demands.
Sanctions were also placed on 16 Russian citizens for their roles in Evil Corp’s cybercriminal activities, demonstrating a deep connection between Russian cybercrime groups and the Russian state. Specifically, Eduard Benderskiy, a former high-ranking FSB official, was highlighted as playing a key role in facilitating the relationship between Evil Corp and the Russian intelligence services.
The authorities also made a decryption tool available through the ‘No More Ransom’ portal to help victims of LockBit 3.0 recover their encrypted files.
KrakenLabs observed highlights
Vulnerabilities
Vulnerability in connected cars: Independent security researchers uncovered a vulnerability in Kia’s web portal that allowed attackers to take control of the internet-connected features of millions of vehicles. By exploiting this flaw, the researchers could track a car’s location, unlock its doors, honk the horn, or start the ignition from a custom-built app after scanning the vehicle’s license plate.
Trends in exploitation: A study of vulnerabilities actively exploited in 2023 shows that 70% of them were exploited as zero-days, and that the average time-to-exploit fell from 32 days in 2021 and 2022 to five days in 2023.
Trend
New social engineering technique: Attackers are using a new social engineering technique dubbed “ClickFix”, which displays fake error messages in web browsers to trick users into copying and executing malicious PowerShell scripts that infect their computers.
Underground activity: BreachForums has begun requiring “Proof of Work” (PoW) to verify users. Instead of the usual captchas or email confirmations, users must solve computational challenges, a measure intended to fight spam and bots.
Ransomware
Vulnerability exploitation: A critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) has been leveraged, along with compromised credentials, to create unauthorized accounts and attempt to deploy the Fog and Akira ransomware variants.
What’s new in Threat Context this month?
Threat actors: 0mega, Earth Baxia, Marko Polo, NoName, RaHDit, MetaEncryptor, GoldenJackal, th3darkly, Cashout, AposSecurity, OrderProto, ExplB2412, and Nitrogen.
Tools: SnipBot, ScPatcher, Scarab, Spacecolon, ScRansom, EAGLEDOOR, Splinter, Vo1d, BBTok, Emansrepo, Bulbature, Copybara, Lynx, StealerBot, Hadooken, Gomorrah, Mint Stealer, plus more!
Try Threat Compass for yourself
Want more threat intel? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Request a live demo here.