Content
01. News Bites
- Ransomware attack on Tata Technologies
- Black Basta and Cactus ransomware ties deepen
- New Eleven11bot infects over 86,000 IoT devices
- UK government proposes new software security code of practice
- New phishing campaign targets U.A.E. aviation sector
02. Conclusion
Ransomware attack on Tata Technologies
Tata Technologies, a subsidiary of Indian multinational Tata, has allegedly fallen victim to the Hunters International ransomware gang. The attackers claim to have stolen 1.4TB of data—over 730,000 files—and are threatening to release it next Monday unless a ransom is paid. However, they have yet to disclose the ransom amount or provide evidence of the stolen data.
Tata Technologies, a product engineering firm under Tata Motors, previously disclosed a ransomware incident in January. The company has since restored its IT services and insists client operations remain unaffected.
Hunters International, believed to be a rebrand of the infamous Hive gang, has a track record of targeting major organisations, including China’s Industrial and Commercial Bank. Hive previously attacked Tata Power in 2022, leaking stolen data when demands were unmet.
The attack underscores ongoing cyber threats against global enterprises, reinforcing the need for robust security measures.
Black Basta and Cactus ransomware ties deepen
New research has uncovered stronger links between the Black Basta and Cactus ransomware gangs, with both groups using identical social engineering tactics and the BackConnect proxy malware for post-exploitation access.
BackConnect, a proxy tool used to tunnel traffic and evade detection, was first linked to Black Basta through its connection to Zloader and Qbot. However, a recent Black Basta data leak revealed internal conversations between its manager and a suspected Qbot developer, reinforcing the ties.
Trend Micro’s latest report now links Cactus ransomware to BackConnect, suggesting potential overlap in gang membership. Both groups have been observed bombarding targets with emails before impersonating IT staff via Microsoft Teams to gain remote access.
Black Basta, believed to include former Conti members, has historically relied on Qbot for network access. Following Qbot’s takedown in 2023, its shift to BackConnect suggests continued collaboration with the same malware developers.
New Eleven11bot infects over 86,000 IoT devices
A new botnet malware named Eleven11bot has infected more than 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to launch large-scale DDoS attacks. The botnet, loosely linked to Iran, has already targeted telecom providers and online gaming servers.
Discovered by Nokia researchers, Eleven11bot has grown rapidly, with The Shadowserver Foundation confirming infections across the US, UK, Mexico, Canada, and Australia. Attack volumes have reached hundreds of millions of packets per second, lasting multiple days.
GreyNoise and Censys tracked 1,400 IPs tied to the botnet, with 96% coming from real devices. Most are based in Iran, with hundreds flagged as malicious. The malware spreads by brute-forcing weak admin credentials and exploiting exposed Telnet and SSH ports.
Experts urge defenders to block known malicious IPs, disable unnecessary remote access, update firmware, and replace outdated IoT devices to mitigate risk.
UK government proposes new software security code of practice
The UK government is drafting a code of practice to enhance software security and digital supply chain resilience. A response to the Call for Views on Software Resilience and Security was launched in January 2024, and the final code is expected to be published in 2025.
The voluntary measures will establish a baseline of security best practices for software vendors, ensuring greater consistency across development, distribution, and maintenance. The National Cyber Security Centre (NCSC) and Department for Science, Innovation and Technology (DSIT) will refine technical controls and implementation guidance before publication.
To drive adoption, an attestation method and assurance regime will be introduced, allowing vendors to demonstrate compliance using the NCSC’s Principles-Based Assurance Approach. The government will also map the code against existing security standards and frameworks.
MP Feryal Clark emphasised the importance of software security, warning that compromised software can disrupt operations and expose organisations to cyber threats.
New phishing campaign targets U.A.E. aviation sector
Threat hunters have uncovered a highly targeted phishing campaign aimed at fewer than five entities in the United Arab Emirates (U.A.E.), delivering a previously undocumented Golang backdoor named Sosano.
The campaign—tracked as UNK_CraftyCamel—targeted aviation and satellite communications organisations. Attackers compromised an Indian electronics company’s email account to send phishing emails containing malicious ZIP files. These files deployed polyglot PDF and XLS files, ultimately installing the Sosano backdoor.
Sosano enables attackers to change directories, list files, download payloads, execute commands, and delete directories. Proofpoint found no overlap with known threat actors but suggests an Iranian-aligned group—potentially linked to the Islamic Revolutionary Guard Corps (IRGC)—orchestrated the attack.
The operation highlights the advanced tradecraft of state-aligned threat actors, using trusted third-party compromises and obfuscation techniques to evade detection and target critical U.A.E. infrastructure.
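A small triage check for the polyglot PDF/XLS lures mentioned above, added here as an illustration and not Proofpoint's or the campaign's own tooling; it flags a file whose bytes carry more than one container signature, and the sample bytes are constructed, not taken from the campaign.

```python
"""Flag files that carry more than one container signature (e.g. a PDF that also
embeds an OLE/XLS or ZIP structure), the layout used by polyglot lures.
Added example; sample bytes below are constructed, not real malware."""
import re

# Well-known on-disk format signatures.
PDF_HEADER = b"%PDF-"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_LOCAL_HEADER = b"PK\x03\x04"                      # .xlsx/.docx (OOXML) and plain ZIP


def format_signatures(data: bytes) -> dict:
    """Return every offset at which a known container signature occurs."""
    sigs = {"pdf": PDF_HEADER, "ole": OLE_CFB_MAGIC, "zip": ZIP_LOCAL_HEADER}
    found = {}
    for name, magic in sigs.items():
        offsets = [m.start() for m in re.finditer(re.escape(magic), data)]
        if offsets:
            found[name] = offsets
    return found


def is_polyglot(data: bytes) -> bool:
    """Two or more container signatures in one file is the polyglot pattern.
    The whole buffer is scanned, not just offset 0: PDF readers tolerate
    leading junk, so a first-bytes-only check can be bypassed."""
    return len(format_signatures(data)) >= 2


def verdict(data: bytes) -> str:
    """Human-readable triage line listing each signature and its first offset."""
    found = format_signatures(data)
    if len(found) < 2:
        return "single-format: " + (",".join(found) or "unknown")
    return "POLYGLOT: " + ", ".join(f"{k}@{v[0]}" for k, v in sorted(found.items()))


# Constructed samples: a clean PDF, and a PDF whose body also carries an OLE
# header, mimicking a PDF/XLS polyglot.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
POLYGLOT = b"%PDF-1.7\n% padding\n" + OLE_CFB_MAGIC + b"\x00" * 32 + b"%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("lure", POLYGLOT)):
        print(label, "->", verdict(blob))
```

Treat a hit as a triage signal rather than a verdict: a legitimate PDF with an unencoded embedded attachment can carry a second signature too, so route flagged files to sandbox or manual review.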
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.