Content

01. News Bites
  • TfL hit by cyber attack, vigilance advised as investigation unfolds
  • Cisco patches critical command injection vulnerability allowing root privilege escalation
  • RansomHub Ransomware group targets 210 Victims
  • US disrupts major Russian influence campaign targeting 2024 election with fake domains and AI content
  • Three men plead guilty to running OTP.Agency and defrauding UK bank customers of Millions
02. Conclusion

Quick News Bites

TfL hit by cyber attack, vigilance advised as investigation unfolds

Transport for London (TfL) is currently facing a cyber attack and has involved the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) for assistance. Despite the ongoing incident, TfL assured the public that no customer data has been compromised, and services remain unaffected. However, back-office systems have been impacted, and staff have been asked to work from home.

We recommend that customers remain vigilant during incidents like this and advise commuters to monitor their accounts for any unusual activity, while ensuring passwords and login details are secure. Our team emphasises the importance of enabling two-factor authentication on accounts linked to TfL, such as Oyster cards or online services.

While the full extent of the breach is unclear, TfL is working with authorities to contain the attack. The public should exercise caution in case the situation worsens.

Cisco patches critical command injection vulnerability allowing root privilege escalation

Cisco has addressed a command injection vulnerability, tracked as CVE-2024-20469, that allows attackers to escalate privileges to root on vulnerable systems. The flaw, found in Cisco's Identity Services Engine (ISE) solution, stems from insufficient validation of user-supplied input. This allows local attackers to execute malicious commands through low-complexity attacks requiring no user interaction.

However, successful exploitation is only possible if attackers already possess Administrator privileges on unpatched systems. In a security advisory, Cisco warned that proof-of-concept exploit code for this vulnerability is publicly available, though no active exploitation in the wild has been detected.

Cisco also removed a backdoor account in its Smart Licensing Utility Windows software, which could grant attackers administrative access to unpatched systems. Additionally, in April, it patched other critical vulnerabilities, including one in its Integrated Management Controller (IMC) and another affecting the Security Email Gateway (SEG) appliances, to prevent privilege escalation and system crashes.

RansomHub Ransomware group targets 210 Victims

Threat actors linked to the RansomHub ransomware group have encrypted and stolen data from over 210 victims since February 2024, according to the U.S. government. RansomHub has targeted sectors such as healthcare, government services, and critical infrastructure, including water, IT, and emergency services.

RansomHub, a descendant of the Cyclops and Knight variants, operates as a ransomware-as-a-service (RaaS) platform, attracting affiliates from major groups like LockBit and ALPHV. It uses a double extortion model, exfiltrating and encrypting data before demanding ransom through a .onion URL.

Once inside, RansomHub affiliates use tools like Mimikatz to escalate privileges and move through networks. Experts recommend monitoring for unusual login activity and using endpoint detection and response (EDR) solutions to identify suspicious activity early.

As ransomware tactics evolve, adopting robust backup strategies and offline backups remains critical for recovery in the event of an attack.

We advise organisations to prioritise patching vulnerabilities in key software like Apache ActiveMQ, Atlassian Confluence, and Citrix ADC to limit exposure. Implementing network segmentation and multifactor authentication (MFA) is crucial to prevent lateral movement by attackers.

US disrupts major Russian influence campaign targeting 2024 election with fake domains and AI content

The US government announced the disruption of a major Russian influence campaign, codenamed "Doppelganger," which used cybersquatted domains, AI-generated content, influencers, and social media platforms to spread misinformation. The campaign, aiming to meddle in the 2024 US presidential election, also sought to reduce international support for Ukraine and promote pro-Russian policies.

The Justice Department seized 32 domains created to mimic legitimate news websites like The Washington Post, spreading false stories to mislead visitors. AI-generated content and fake journalist profiles were employed to push Russian propaganda, particularly through social media.

Two Russian nationals, Kostiantyn Kalashnikov and Elena Afanasyeva, linked to state-controlled media outlet RT, have been charged for their roles. RT paid a Tennessee-based company to disseminate divisive content on social platforms. The Treasury Department also imposed sanctions on 10 individuals involved in the operation, while the State Department offered rewards for information about associated groups like RaHDit.

Three men plead guilty to running OTP.Agency and defrauding UK bank customers of Millions

Three men have pleaded guilty to running OTP.Agency, a platform that helped criminals steal one-time passcodes (OTPs) from UK bank customers. OTPs are temporary passwords used in multi-factor authentication to secure accounts. Criminals who subscribed to the service used these codes to access victims' bank accounts.

The trio, Callum Picari (22), Vijayasidhurshan Vijayanathan (21), and Aza Siddeeque (19), targeted over 12,500 people between September 2019 and March 2021, when the National Crime Agency (NCA) shut down the site. Picari owned and developed the platform, while Siddeeque promoted it and provided technical support.

OTP.Agency offered subscriptions ranging from £30 to £380, providing access to OTPs for over 30 services, including banks like HSBC and Lloyds. Authorities believe the group could have earned up to £7.9 million. The trio now faces charges of conspiracy to commit fraud, supply fraudulent tools, and money laundering, with sentencing scheduled for November 2.


Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.