Threat Intelligence RoundUp: August | DarkOwl

September 3, 2024

Our team of analysts shares a few articles each week in our email newsletter that goes out every Thursday. Be sure to sign up! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found most intriguing. Stay tuned for a monthly roundup. We hope that sharing these resources and news articles will highlight the importance of cybersecurity and shed light on the latest developments in threat intelligence.

1. Russian ransomware gangs account for 69% of all ransom proceeds – BleepingComputer

According to new data from TRM Labs, Russian-speaking ransomware groups accounted for 69% of all cryptocurrency ransom payments in 2023, with the total amount exceeding $500 million. LockBit, BlackCat, Black Basta, Cl0p, Play, and Akira were among the most dominant operations in 2023. While North Korea currently leads in cryptocurrency stolen via exploits and breaches, Russia continues to dominate all other malicious activity related to cryptocurrency, according to the latest figures. Full article here.

2. Hackers Posing as Ukrainian Security Service Infect 100 Government PCs – BleepingComputer

On August 12, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that hackers posing as the Security Service of Ukraine had compromised more than 100 systems of Ukrainian government agencies. The attacks began on July 12 and involved the distribution of phishing emails masquerading as official communications from the Security Service of Ukraine. The emails contained a link to a downloadable file titled “Documents.zip,” which, when downloaded, installed AnonVNC malware. CERT-UA noted that the attack appears to have primarily affected “central and local government agencies.” Read more.

3. US DoJ charges North Korean hacker over ransomware attacks on hospitals – The Hacker News

On July 25, the U.S. Department of Justice (DoJ) indicted Rim Jong Hyok, a North Korean national, for his involvement in ransomware attacks on healthcare facilities in the United States. According to the DoJ press release, Hyok used the proceeds from the extortion of U.S. hospitals to “fund additional computer intrusions against defense, technology, and government agencies worldwide.” On the same day as the DoJ indictment, the U.S. State Department’s Rewards for Justice program announced a reward of up to $10 million for information helping locate Rim Jong Hyok. Article here.

4. Meta destroys massive Instagram sextortion network of 63,000 accounts – BleepingComputer

On July 24, Meta announced that it had removed 63,000 Instagram accounts registered in Nigeria that were linked to sextortion scams. The removal included a network of 2,500 accounts linked to 20 individuals who primarily targeted adult males in the United States. According to Meta, the accounts were linked to the cybercrime group “Yahoo Boys.” In addition to the Instagram accounts, Meta also removed more than 7,000 Facebook accounts, groups, and pages in Nigeria that shared tips on how to carry out scams. Read the article.

5. Telegram CEO Pavel Durov indicted by French prosecutors – CNBC

On August 24, Russian billionaire Pavel Durov, founder and CEO of messaging app Telegram, was arrested in France on a warrant related to an investigation into criminal activity on Telegram. On August 26, the Paris Public Prosecutor’s Office published a statement detailing 12 alleged criminal offenses, including complicity in illegal transactions that were allowed to be hosted on the messaging platform. After four days of questioning, Durov was released from police custody on August 28 and transferred to court, where prosecutors charged him with facilitating criminal activity on the app. Telegram, which has 950 million users worldwide, differs from regular messaging apps in that it has a particularly lenient content moderation policy. The full article can be found here.

6. FBI Disrupts Dispossessor Ransomware Operation, Seizes Servers – BleepingComputer

On Monday, August 12, the Federal Bureau of Investigation (FBI) announced that it had seized websites associated with the Dispossessor ransomware operation, also known as Radar. The investigation was conducted by the FBI in collaboration with the U.K. National Crime Agency (NCA), the Bamberg District Attorney’s Office, the Bavarian State Criminal Police Office (BLKA), and the U.S. Attorney’s Office for the Northern District of Ohio. As detailed in the FBI press release, the joint takedown successfully disrupted three U.S. servers, three U.K. servers, 18 German servers, eight U.S. criminal domains, and one German domain. Full article.

7. North Korean hackers exploit VPN update flaw to install malware – BleepingComputer

In a recent advisory, South Korea’s National Cyber Security Center (NCSC) warned that state-sponsored North Korean hacking groups Kimsuky (APT43) and Andariel (APT45) — previously linked to the Lazarus Group — have been conducting campaigns against South Korean entities, particularly in the construction sector. The hackers recently abused a VPN software update to spread malware. The NCSC attributes the campaigns to North Korea’s Reconnaissance General Bureau and believes the recent hacking activities were carried out in support of Kim Jong-un’s “Regional Development 20×10 Policy,” an initiative aimed at modernizing industrial plants over the next decade. Read more.

8. APT41 Hackers Use ShadowPad and Cobalt Strike in Cyberattack on Taiwanese Facility – The Hacker News

According to Cisco Talos, an undisclosed Taiwanese government-affiliated research institute was the target of a cyberattack that began as early as July 2023. The cyberattack has been attributed with medium confidence to the Chinese hacking group APT41 (also known as Double Dragon, BARIUM, Axiom, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, Blackfly, and Brass Typhoon). The campaign used Cobalt Strike and ShadowPad malware. Read the article.

On August 28, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued a joint Cybersecurity Advisory warning about ransomware attacks carried out by Iranian threat actors against U.S. organizations. The targeted sectors included healthcare, defense, and education. According to the FBI’s assessment, a “significant percentage” of these operations are believed to be intended to “gain and develop network access and then work with ransomware affiliates to deploy ransomware.” As noted by BleepingComputer, the Iranian hacking group “Pioneer Kitten” — believed to have ties to the Iranian government — has hacked U.S. organizations and “is working with affiliates of various ransomware operations to extort money from victims.” Read more.


Be sure to sign up for our weekly newsletter so you can stay up to date with what our analysts are reading each week.
