New Linux Variant of TargetCompany ransomware targets VMware ESXi environments with custom script
Researchers have discovered a new Linux variant of the TargetCompany ransomware, which targets VMware ESXi environments using a custom shell script to deliver and execute payloads. Also known as Mallox, FARGO, and Tohnichi, the TargetCompany operation emerged in June 2021, focusing on database attacks against organisations in Taiwan, South Korea, Thailand, and India.
In February 2022, Avast released a free decryption tool for variants up to that date. By September, the ransomware group resumed activity, targeting vulnerable Microsoft SQL servers and threatening victims with data leaks on Telegram. Trend Micro reports that the new Linux variant ensures administrative privileges before continuing its malicious routine. The custom script used can exfiltrate data to two separate servers. Once on the target system, it checks for VMware ESXi environments, creates and sends a "TargetInfo.txt" file to the command and control server, and encrypts VM-related files.
The ransomware drops a ransom note with payment instructions, then deletes the payload to erase evidence. Trend Micro attributes these attacks to an affiliate named "vampire," linked to a recent Sekoia report. The IP addresses used trace back to an ISP in China, but this does not confirm the attacker's origin. Recommendations include enabling MFA, creating backups, and updating systems.
TikTok confirms Zero-Click exploit used to hijack celebrity accounts
TikTok has acknowledged a security issue exploited by threat actors to take control of high-profile accounts. Semafor and Forbes reported a zero-click account takeover campaign, where malware in direct messages compromises accounts without user interaction. This exploit leverages a zero-day vulnerability in the messaging component, allowing malicious code to execute upon opening the message.
The extent of affected users remains unclear. A TikTok spokesperson stated the company has taken preventive measures to stop the attack and is working with impacted account holders to restore access, claiming only a "very small" number of users were compromised. Specific details about the attack or mitigation techniques were not provided.
This isn't TikTok's first security issue. Previous flaws reported by Check Point, Microsoft, and Imperva could have enabled attackers to exploit user data and accounts. Concerns over TikTok's security and Chinese roots have led to bans in several countries and legal challenges in the U.S.
Researchers link RansomHub Ransomware to defunct Knight Ransomware project
Security researchers have identified that the RansomHub ransomware-as-a-service (RaaS) has likely evolved from the defunct Knight ransomware project. RansomHub, primarily known for data theft and extortion, gained attention in April by leaking data from Change Healthcare after a BlackCat/ALPHV attack, indicating collaboration between the groups. In May, Christie's acknowledged a security breach after RansomHub threatened to leak stolen data.
Knight ransomware, which launched in July 2023, targeted Windows, macOS, and Linux/ESXi systems. Knight also offered affiliates an info-stealer component to enhance attack impact. In February 2024, Knight's source code was sold on hacker forums, and the operation ceased.
Symantec researchers found significant similarities between Knight and RansomHub, including shared Go language code, Gobfuscate obfuscation, encoded strings, and similar ransom notes and command sequences. These findings suggest RansomHub was derived from Knight, likely by a different actor who purchased the Knight source code. RansomHub has since become a prolific RaaS operation, attracting former ALPHV affiliates.
FBI urges LockBit Ransomware victims to seek help with 7,000 free decryption keys
The FBI is urging past victims of LockBit ransomware to come forward after obtaining over 7,000 decryption keys to help recover encrypted data for free. Bryan Vorndran, FBI Cyber Division Assistant Director, announced this at the 2024 Boston Conference on Cyber Security, stating, "We can help victims reclaim their data and get back online." He encouraged potential victims to visit the Internet Crime Complaint Center at ic3.gov.
This appeal follows the February 2024 international operation "Operation Cronos," which dismantled LockBit's infrastructure, seizing 34 servers and 2,500 decryption keys, leading to a free LockBit 3.0 Black Ransomware decryptor. The U.K.'s National Crime Agency and U.S. Justice Department estimate the gang earned up to $1 billion from 7,000 attacks between June 2022 and February 2024.
Despite these efforts, LockBit remains active, switching to new servers and continuing attacks. Recently, they claimed responsibility for an April 2024 cyberattack on Canadian pharmacy chain London Drugs. The U.S. State Department offers rewards for information leading to the arrest of LockBit leaders and affiliates.
Cyber-attack on London hospitals triggers critical incident, cancels operations and diverts emergency patients
Major hospitals in London declared a critical incident following a cyber-attack, resulting in cancelled operations and emergency patients being diverted. Hospitals partnered with Synnovis, including King’s College Hospital and Guy’s and St Thomas’, have been affected, impacting services like blood transfusions and test results.
The attack occurred on Monday, disrupting connections to a main server, leading to cancellations and redirects. GP services in several boroughs, including Bexley and Southwark, were also impacted. Synnovis has deployed a taskforce of IT experts to assess the situation, and the NHS is working with the National Cyber Security Centre to mitigate the impact.
Patients are advised to attend appointments unless otherwise notified. NHS England London confirmed the ransomware attack and expressed regret for the inconvenience caused. Cyber security experts highlight the need for robust defences and contingency plans in critical institutions to manage such threats and ensure patient safety.
