On February 20th, 2024, the United Kingdom’s National Crime Agency (NCA), alongside the United States Federal Bureau of Investigation (FBI) and international partners, seized servers and disrupted infrastructure linked to the LockBit ransomware operation. Dubbed Operation Cronos, the law enforcement action targeted the site LockBit operators used for data leaks, various affiliate and support servers, and LockBit’s administrative panel. Two of its operators were also reportedly arrested, and source code obtained during the operation can help victims decrypt their systems. According to reports, the LockBit site, now under NCA control, was taken down by exploiting a critical PHP vulnerability tracked as CVE-2023-3824. A LockBit spokesperson, LockBitSupp, confirmed the takedown but claimed that sites not using PHP were ‘untouchable’. BleepingComputer confirmed that the group’s ransom negotiation sites are offline, although other sites, such as those used to host data and to send private messages to the gang, remain accessible.
Dragos detailed additional activity by Voltzite, a China-linked cyberespionage group observed targeting electric organisations in North America and Africa between November and December 2023. A more recent attack in January 2024 targeted a large city’s emergency services GIS network. The group has been observed exfiltrating sensitive operational data related to operational technology (OT) networks and processes. The researchers identified two additional newly emerged threat actors in 2023, dubbed Gananite and Laurionite, that could pose a threat to OT organisations. Gananite focuses on espionage and initial access operations against targets in Central Asia and Commonwealth of Independent States members, with some of its tools previously associated with the Russia-linked Turla Group. Laurionite targets Oracle iSupplier instances by exploiting internet-exposed systems, particularly those in air transportation, professional services, government, and manufacturing sectors.
Trend Micro identified a new customised PlugX variant, dubbed DOPLUGS, that has been used as part of Earth Preta’s SmugX campaign to target victims in Taiwan and Vietnam, as well as China, Singapore, Hong Kong, Japan, India, Malaysia, and Mongolia. DOPLUGS is a downloader with four backdoor commands, one of which downloads the ‘general type’ PlugX malware. DOPLUGS is believed to have been in use since 2022, with one variant containing the KillSomeOne module dating as far back as 2018. KillSomeOne is a USB worm that specialises in malware distribution, information collection, and document theft. The identified variant has an extra launcher file that executes a legitimate executable to perform DLL sideloading. Observed campaigns distribute DOPLUGS through social engineering and spear phishing emails related to current events. The emails contain a Google Drive link that hosts a password-protected file containing a malicious LNK disguised as a relevant document.
Group-IB researchers discovered a previously unknown information stealer, dubbed VietCredCare, which has been active since at least August 2022 and exclusively targets Vietnamese users, particularly those managing prominent business profiles. The malware stands out for its focus on Facebook accounts: it automatically filters stolen session cookies and credentials for accounts that manage advertisements and hold a positive Meta ad credit balance. The infostealer is thought to be distributed under a stealer-as-a-service model via phishing sites shared through social media posts and messaging platforms. The posts claim to offer downloads of legitimate software such as Word, Excel, or Acrobat Reader. The stealer is sold either as access to a botnet or as a source code purchase; each threat actor obtains an individual Telegram bot channel for data exfiltration and communication, and Group-IB has identified over 20 such channels.
The United States has allegedly targeted an Iranian military ship, MV Behshad, in a recent covert cyber operation. The attack was designed to degrade the ship’s intelligence-sharing capability. The suspected spy ship has reportedly been collecting intelligence on cargo vessels in the Red Sea and the Gulf of Aden to provide the Houthis with targeting information for their attacks. According to US officials, the attack was part of the Biden Administration’s response to a drone attack by Iranian-backed militias in Iraq that killed three US service members in Jordan.
[Figure: Volume of blog posts by operators during the last week.]
High Priority Vulnerabilities
- Over 28,500 Exchange servers vulnerable to actively exploited bug
- VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk
- ScreenConnect critical bug now under attack as exploit code emerges
- Autodesk AutoCAD products impacted by multiple high-severity zero-day flaws
- Vulnerable Fortinet Devices: Low-hanging Fruit for Threat Actors