Global Botnet Exposed: NCSC and allies urge action against China-Linked Cyber Threat

The UK’s National Cyber Security Centre (NCSC), along with international allies like the FBI and NSA, has issued a warning urging individuals and organisations to take immediate protective measures following the exposure of a global botnet operated by a China-linked company.

The advisory, released in collaboration with the US, Australia, Canada, and New Zealand, reveals that a China-based company is responsible for managing a botnet of over 260,000 compromised devices worldwide. These compromised devices include routers, firewalls, and Internet of Things (IoT) devices such as webcams and CCTV cameras, which have been used for malicious purposes, including malware distribution and distributed denial of service (DDoS) attacks.

The advisory identifies the entity behind the botnet, operational since mid-2021, and exploited by the threat actor known as Flax Typhoon. Compromised devices have been detected across North and South America, Europe, Africa, Southeast Asia, and Australia.

Europol and global taskforce dismantle 'Ghost' encrypted platform used by Organised Crime

Europol, along with law enforcement from nine countries, successfully dismantled an encrypted communication platform called "Ghost," which was used by organized crime for drug trafficking and money laundering.

Ghost boasted advanced security features, including cryptocurrency-based subscriptions, triple-layer encryption, and self-destructing messages that wiped evidence from devices. It had a global user base, exchanging around 1,000 messages daily, with resellers promoting the platform. Subscriptions cost $2,350 for six months, which included a modified smartphone and tech support.

The investigation, led by Europol's Operational Taskforce (OTF), began in March 2022 and involved agents from the US, Canada, Australia, and several European countries. Authorities traced Ghost’s servers to France and Iceland and linked its operators to Australia and assets in the US.

The operation led to 51 arrests globally, with major raids in Australia, Ireland, Canada, and Italy. Authorities also dismantled a drug lab and seized weapons, drugs, and over €1 million.

Cencora pays record-breaking $75 million ransom in largest Cyber Extortion Attack

Cencora Inc., formerly AmerisourceBergen, fell victim to a major cyberattack, paying a record-breaking $75 million ransom, the largest known cyber extortion payment to date. The ransom, initially set at $150 million, was paid in Bitcoin in three installments by March, following the breach discovered in February. Sensitive data was stolen, but Cencora has provided limited details beyond regulatory filings.

In its July report, the company revealed $31.4 million in “other” expenses for the nine months ending June 30, primarily related to the cyber incident, covering investigation and mitigation efforts. Despite the substantial payment, Cencora acknowledged that the stolen data might still be disclosed.

This attack highlights a growing trend of cybercriminals targeting high-value sectors like healthcare, with Cencora’s payment surpassing the previous record of $40 million paid by CNA Financial in 2021. Experts caution against making payments and that such payouts incentivises further attacks.

SolarWinds issues critical Hotfix for web help desk vulnerability allowing unauthorised access

SolarWinds has released a hotfix to address a critical vulnerability (CVE-2024-28987) in its Web Help Desk (WHD) software, which allowed attackers to access systems using hardcoded credentials. Web Help Desk is widely used by government agencies, corporations, and healthcare and educational institutions to manage IT help desk tasks. The vulnerability enabled unauthenticated attackers to modify data and access internal functionality.

SolarWinds has not yet issued a public advisory on the vulnerability and has not confirmed if it was exploited in the wild. The hotfix, released this week, must be installed after updating to Web Help Desk version 12.8.3.1813 or 12.8.3 HF1. Administrators are advised to create backups before applying the hotfix.

The same update also fixes a critical remote code execution flaw (CVE-2024-28986), which was exploited in attacks earlier this year and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalogue.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.