Weekly Cyber News Roundup

June 1st to June 7th 2024

Contents

01. News Bites
  • New Linux Variant of TargetCompany ransomware targets VMware ESXi environments with custom script
  • TikTok confirms Zero-Click exploit used to hijack celebrity accounts
  • Researchers link RansomHub Ransomware to defunct Knight Ransomware project
  • FBI urges LockBit Ransomware victims to seek help with 7,000 free decryption keys
  • Cyber-attack on London hospitals triggers critical incident, cancels operations and diverts emergency patients
02. Conclusion

Quick News Bites

New Linux Variant of TargetCompany ransomware targets VMware ESXi environments with custom script

Researchers have discovered a new Linux variant of the TargetCompany ransomware, which targets VMware ESXi environments using a custom shell script to deliver and execute payloads. Also known as Mallox, FARGO, and Tohnichi, the TargetCompany operation emerged in June 2021, focusing on database attacks against organisations in Taiwan, South Korea, Thailand, and India.

In February 2022, Avast released a free decryption tool covering the variants seen up to that date, so it does not help with later builds. By September 2022 the group had resumed activity, targeting exposed and vulnerable Microsoft SQL servers and threatening victims with data leaks on Telegram. Trend Micro reports that the new Linux variant first checks that it is running with administrative privileges before continuing its routine. The custom shell script that delivers it can exfiltrate data to two separate servers. Once on the host, the ransomware checks whether it is running in a VMware ESXi environment, writes host details to a "TargetInfo.txt" file that it sends to the command-and-control server, and then encrypts VM-related files.

The ransomware drops a ransom note with payment instructions, then deletes its own payload to remove evidence. Trend Micro attributes these attacks to an affiliate tracked as "vampire", which a recent Sekoia report also describes. The IP addresses used trace back to an ISP in China, but infrastructure location alone does not establish the attacker's origin. Recommended mitigations include enabling MFA, keeping backups, and patching systems; because the script needs administrative access to run, limiting who can reach the ESXi management interface and shell reduces the exposure further.
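The chain described above (privilege check, environment check, the TargetInfo.txt artefact, exfiltration to two servers, encryption of VM files, payload self-deletion) is a better detection target than any single file name. The following Python script is an added example, not code from the original roundup, from Trend Micro or from the ransomware itself: it replays a constructed list of ESXi host events and flags the chain only when several of its stages appear together. The event record format, the VM file extensions, the environment-check commands, the ".locked" suffix, the ransom-note file name, the IP addresses and every sample line are constructed for this example; the only indicator taken from the report is the TargetInfo.txt file name.

```python
"""Added example: heuristic detector for the TargetCompany-style ESXi attack chain
described in the roundup. Not the ransomware's code and not Trend Micro's detection
logic; the event record format and all sample data below are constructed."""
import os
from collections import namedtuple

# Assumption: file extensions a ransomware aimed at ESXi datastores would touch.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmem", ".nvram"}
# Assumption: commands an actor might run to confirm the host is ESXi.
ENV_CHECK_COMMANDS = {"uname", "vmware", "esxcli"}
# The only indicator taken from the report: the file the variant writes and sends.
RECON_FILE = "TargetInfo.txt"

# kind is one of exec | write | rename | unlink | connect; detail is the command
# line, the path, "old -> new" for a rename, or "host:port" for a connect.
Event = namedtuple("Event", "ts kind detail")

def parse_events(lines):
    """Parse constructed 'ts kind detail' records and return them oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append(Event(int(ts), kind, detail))
    return sorted(events, key=lambda e: e.ts)

def analyse(events, min_vm_files=3):
    """Return which stages of the chain were observed in the event stream."""
    stages = {"env_check": False, "recon_file": False, "exfil_two_servers": False,
              "vm_files_modified": False, "payload_deleted": False}
    executed_paths = set()   # absolute paths that appeared on an exec command line
    recon_ts = None          # when TargetInfo.txt was written
    exfil_hosts = set()      # distinct hosts contacted after the recon file existed
    vm_files = set()         # VM-related files written or renamed

    for e in events:
        if e.kind == "exec":
            argv = e.detail.split()
            if os.path.basename(argv[0]) in ENV_CHECK_COMMANDS:
                stages["env_check"] = True
            executed_paths.update(a for a in argv if a.startswith("/"))
        elif e.kind == "write":
            if os.path.basename(e.detail) == RECON_FILE:
                stages["recon_file"] = True
                recon_ts = e.ts
            elif os.path.splitext(e.detail)[1].lower() in VM_EXTENSIONS:
                vm_files.add(e.detail)
        elif e.kind == "rename":
            old, _, new = e.detail.partition(" -> ")
            if old != new and os.path.splitext(old)[1].lower() in VM_EXTENSIONS:
                vm_files.add(old)
        elif e.kind == "connect":
            # Outbound connections count as exfiltration only after the recon file exists.
            if recon_ts is not None and e.ts >= recon_ts:
                exfil_hosts.add(e.detail.rsplit(":", 1)[0])
        elif e.kind == "unlink" and e.detail in executed_paths:
            stages["payload_deleted"] = True   # the script removing itself after running

    stages["exfil_two_servers"] = len(exfil_hosts) >= 2
    stages["vm_files_modified"] = len(vm_files) >= min_vm_files
    return stages

def detect(lines, min_stages=4):
    """Parse, analyse and decide. Returns (stages, score, is_hit)."""
    stages = analyse(parse_events(lines))
    score = sum(stages.values())
    return stages, score, score >= min_stages

# Constructed sample stream. IPs are documentation ranges; the ".locked" suffix and
# the note file name are placeholders, not the real TargetCompany artefacts.
ATTACK_LOG = """\
1717400000 exec uname -a
1717400001 exec /tmp/.x.sh
1717400002 write /tmp/TargetInfo.txt
1717400003 connect 203.0.113.10:443
1717400004 connect 198.51.100.7:8080
1717400010 rename /vmfs/volumes/ds1/web01/web01.vmdk -> /vmfs/volumes/ds1/web01/web01.vmdk.locked
1717400011 rename /vmfs/volumes/ds1/web01/web01.vmx -> /vmfs/volumes/ds1/web01/web01.vmx.locked
1717400012 rename /vmfs/volumes/ds1/db01/db01.vmdk -> /vmfs/volumes/ds1/db01/db01.vmdk.locked
1717400013 write /vmfs/volumes/ds1/HOW TO RECOVER.txt
1717400014 unlink /tmp/.x.sh
"""

# Constructed routine activity: one VM reconfigured, a management agent checking in.
BENIGN_LOG = """\
1717400000 exec uname -a
1717400005 write /vmfs/volumes/ds1/web01/web01.vmx
1717400006 connect 203.0.113.10:443
"""

if __name__ == "__main__":
    for name, log in (("attack", ATTACK_LOG), ("benign", BENIGN_LOG)):
        stages, score, hit = detect(log.splitlines())
        print(name, "score", score, "hit", hit, {k for k, v in stages.items() if v})
```

Run on its own, the script scores the constructed attack stream as a hit on all five stages and the maintenance stream on one. In practice the events would be assembled from the ESXi shell log, hostd logs and firewall or flow records rather than a text file, and the thresholds (three VM files, four matching stages) are tuning choices: a host that legitimately renames VM files during storage maintenance trips only the vm_files_modified stage, which is why the decision rests on the combination rather than on any single indicator.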

TikTok confirms Zero-Click exploit used to hijack celebrity accounts

TikTok has acknowledged a security issue exploited by threat actors to take control of high-profile accounts. Semafor and Forbes reported a zero-click account takeover campaign delivered through direct messages: the recipient did not have to click a link or download anything, because the flaw was triggered as soon as the message was opened. The exploit is understood to leverage a zero-day vulnerability in the messaging component that allowed malicious code to execute at that point.

How many users were affected remains unclear. A TikTok spokesperson stated that the company has taken preventive measures to stop the attack and is working with impacted account holders to restore access, claiming only a "very small" number of users were compromised. No details of the vulnerability or of the mitigation were provided.

This isn't TikTok's first security issue. Previous flaws reported by Check Point, Microsoft, and Imperva could have let attackers access user data and take over accounts. Concerns over TikTok's security and Chinese ownership have led to bans in several countries and legal challenges in the U.S.

Researchers link RansomHub Ransomware to defunct Knight Ransomware project

Security researchers have identified that the RansomHub ransomware-as-a-service (RaaS) has likely evolved from the defunct Knight ransomware project. RansomHub, primarily known for data theft and extortion, gained attention in April by leaking data from Change Healthcare after a BlackCat/ALPHV attack on that company, suggesting a link between the two operations. In May, Christie's acknowledged a security breach after RansomHub threatened to leak stolen data.

Knight ransomware, which launched in July 2023, targeted Windows, macOS, and Linux/ESXi systems. Knight also offered affiliates an info-stealer component to enhance attack impact. In February 2024, Knight's source code was sold on hacker forums, and the operation ceased.

Symantec researchers found significant similarities between Knight and RansomHub, including shared Go language code, Gobfuscate obfuscation, encoded strings, and similar ransom notes and command sequences. These findings suggest RansomHub was derived from Knight, likely by a different actor who purchased the Knight source code. RansomHub has since become a prolific RaaS operation, attracting former ALPHV affiliates.

FBI urges LockBit Ransomware victims to seek help with 7,000 free decryption keys

The FBI is urging past victims of LockBit ransomware to come forward after obtaining over 7,000 decryption keys to help recover encrypted data for free. Bryan Vorndran, FBI Cyber Division Assistant Director, announced this at the 2024 Boston Conference on Cyber Security, stating, "We can help victims reclaim their data and get back online." He encouraged potential victims to visit the Internet Crime Complaint Center at ic3.gov.

This appeal follows the February 2024 international operation "Operation Cronos," which dismantled LockBit's infrastructure, seizing 34 servers and 2,500 decryption keys, leading to a free LockBit 3.0 Black Ransomware decryptor. The U.K.'s National Crime Agency and U.S. Justice Department estimate the gang earned up to $1 billion from 7,000 attacks between June 2022 and February 2024.

Despite these efforts, LockBit remains active, switching to new servers and continuing attacks. Recently, they claimed responsibility for an April 2024 cyberattack on Canadian pharmacy chain London Drugs. The U.S. State Department offers rewards for information leading to the arrest of LockBit leaders and affiliates.

Cyber-attack on London hospitals triggers critical incident, cancels operations and diverts emergency patients

Major hospitals in London declared a critical incident following a cyber-attack, resulting in cancelled operations and emergency patients being diverted. Hospitals partnered with Synnovis, including King’s College Hospital and Guy’s and St Thomas’, have been affected, impacting services like blood transfusions and test results.

The attack occurred on Monday 3 June, disrupting connections to a main server and leading to cancellations and redirects. GP services in several boroughs, including Bexley and Southwark, were also impacted. Synnovis has deployed a taskforce of IT experts to assess the situation, and the NHS is working with the National Cyber Security Centre to mitigate the impact.

Patients are advised to attend appointments unless otherwise notified. NHS England London confirmed the ransomware attack and expressed regret for the inconvenience caused. Cyber security experts highlight the need for robust defences and contingency plans in critical institutions to manage such threats and ensure patient safety.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
