Threat Briefing: March 1, 2024

Threat Intel Update

Last week the cybersecurity community celebrated the dismantling of LockBit, one of the most prolific ransomware groups of recent years, by a coordinated international law enforcement operation. The celebration was short-lived. Within a week LockBit resurfaced, announced that it had stood up new infrastructure to continue its ransomware operations, and began listing new victims, underscoring how hard it is to stay ahead of such adversaries.

In the ever-evolving landscape of cyber threats, some adversaries falter and never recover. Others, as LockBit shows, rebound within days. Adversaries, criminal and state-sponsored alike, adapt their tactics as organizations change their technology. The recent joint advisory on Russia's foreign intelligence service shifting its focus to cloud-hosted environments is a case in point.

Addressing these challenges demands relentless collaboration and communication within your security teams. Understanding the evolving nature of cyber threats is essential to safeguarding your network, employees, and customers.

Cybersecurity News

LockBit Ransomware Group Returns Following Law Enforcement Operation Seizing LockBit Infrastructure – Roughly one week after the takedown, LockBit brought up a new data leak site and resumed attacking victims with an updated encryptor. In a statement, the group admitted it had neglected to patch a known vulnerability in its own infrastructure, which is how law enforcement gained access and seized it. LockBit also said it would step up attacks against government-sector targets. TechCrunch

Cyber Actors Associated with Russia’s Foreign Intelligence Service Adopting New Tactics to Target Cloud-Hosted Environments – The joint advisory was issued by the governments of the U.S., United Kingdom, Australia, New Zealand, and Canada. The actors, the same group responsible for the SolarWinds compromise, are now seeking system-issued access tokens, which let them authenticate to cloud-hosted environments without presenting a password or completing an interactive MFA challenge. Once inside, they work to keep that access; in several instances they have registered their own devices with the victim's cloud tenant to maintain it. A device enrollment that follows a sign-in from an unfamiliar location is therefore an event worth alerting on. UK National Cyber Security Centre
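The access-then-enroll pattern in the advisory above is something a SOC can look for directly. The following is an added example, not code from the page or from the advisory's authors: it correlates a token-based sign-in from an IP address the account has never used interactively with a device registration by the same account shortly afterwards. The event schema and the sample events are constructed for the example; map them to the actual sign-in and audit log fields of your identity provider.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log, one JSON event per line. The field names are an
# assumed generic schema for this example, not any vendor's real log format.
# "auth": "token" means the sign-in presented a system-issued token rather
# than completing an interactive password + MFA challenge.
SAMPLE_LOG = """
{"ts": "2024-02-27T09:00:00Z", "user": "alice", "event": "signin", "ip": "203.0.113.10", "auth": "password_mfa"}
{"ts": "2024-02-27T09:05:00Z", "user": "alice", "event": "signin", "ip": "203.0.113.10", "auth": "token"}
{"ts": "2024-02-27T11:30:00Z", "user": "alice", "event": "signin", "ip": "198.51.100.77", "auth": "token"}
{"ts": "2024-02-27T11:42:00Z", "user": "alice", "event": "device_registered", "ip": "198.51.100.77", "device_id": "DESKTOP-9F3K"}
{"ts": "2024-02-27T12:00:00Z", "user": "bob", "event": "signin", "ip": "203.0.113.22", "auth": "password_mfa"}
{"ts": "2024-02-27T12:10:00Z", "user": "bob", "event": "device_registered", "ip": "203.0.113.22", "device_id": "bob-laptop"}
{"ts": "2024-02-27T15:00:00Z", "user": "carol", "event": "signin", "ip": "192.0.2.5", "auth": "token"}
""".strip()


def parse_events(log_text):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_token_replay_then_enroll(events, window=timedelta(hours=1)):
    """Return (alerts, suspect_signins).

    A token sign-in from an IP the account has never used interactively is a
    suspect (the token may have been stolen). If the same account registers a
    new device within `window` of such a sign-in, raise an alert: that is the
    persistence step described in the advisory.
    """
    known_ips = {}   # user -> IPs established by password+MFA sign-ins
    suspects = []    # token sign-ins from outside that baseline
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "signin":
            if ev["auth"] == "token":
                if ev["ip"] not in known_ips.get(user, set()):
                    suspects.append(ev)
            else:
                # Only an interactive sign-in extends the trusted-IP baseline;
                # a token presented from a new IP must not vouch for itself.
                known_ips.setdefault(user, set()).add(ev["ip"])
        elif ev["event"] == "device_registered":
            for s in suspects:
                if s["user"] != user:
                    continue
                delta = ev["ts"] - s["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "token_signin_ip": s["ip"],
                        "token_signin_ts": s["ts"].isoformat(),
                        "device_id": ev["device_id"],
                        "registered_from_ip": ev["ip"],
                        "minutes_later": int(delta.total_seconds() // 60),
                    })
    return alerts, suspects


if __name__ == "__main__":
    found, suspect = find_token_replay_then_enroll(parse_events(SAMPLE_LOG))
    for a in found:
        print("ALERT", json.dumps(a))
    for s in suspect:
        print("token sign-in from unknown IP:", s["user"], s["ip"], s["ts"].isoformat())
```

On the constructed sample, only alice triggers an alert: her 11:30 token sign-in came from an IP her interactive history does not contain, and she registered a device twelve minutes later. Bob's registration follows a normal password+MFA sign-in from a known IP and is not flagged; carol's token sign-in from an unknown IP is reported as a suspect but, with no enrollment following it, produces no alert. The deliberate design choice is that token sign-ins never extend the trusted-IP baseline, so an attacker replaying a stolen token cannot "warm up" a new address before enrolling.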

Education and Government Sectors Targeted with Phobos Ransomware According to New Advisory from U.S. Government – Phobos has been active since 2019 and uses tactics similar to those of several other ransomware variants. Operators gain initial access through phishing emails that deliver malware and through IP scanning tools that locate exposed remote-access services such as RDP, then deploy Phobos in the victim's environment. Before encrypting, they exfiltrate financial records, legal documents and password-manager databases, and delete the victim's backups to hinder recovery. Victims are usually contacted by email, but some groups using Phobos have also phoned them. CISA

Cyber Actors Compromise 8,000 Domains and 13,000 Subdomains to Support Spam Email Operation – Active since September 2022, the group behind the campaign takes over subdomains of legitimate brands whose DNS records still point at old or abandoned domains, re-registers those domains under its own control, and sends spam through them. Because the messages appear to come from the hijacked brands, they inherit those brands' reputation and pass the sender checks and policies that would normally mark them as spam. The Hacker News
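A practitioner's first question after reading the item above is whether their own zones reference domains nobody owns. The example below is added here and is not code from the page or from the researchers who reported the campaign. It assumes the takeover mechanism behind such hijacks: a subdomain's CNAME, or an include: in a domain's SPF policy, still points at a domain that was allowed to expire, so whoever re-registers that domain controls what the subdomain resolves to or which hosts the SPF record authorizes. The zone data, the simulated resolver and the registered-domain list are all constructed; replace them with real DNS lookups and a WHOIS/RDAP availability check.

```python
import re

# Constructed DNS data for a hypothetical brand zone; none of these names are
# real organizations. CNAME: subdomain -> target host. TXT: name -> SPF record.
CNAME_RECORDS = {
    "promo.example-brand.com": "campaigns.old-marketing-vendor.net",
    "shop.example-brand.com": "store.active-commerce.com",
}
TXT_RECORDS = {
    "example-brand.com": "v=spf1 include:_spf.active-mail.com include:spf.legacy-vendor.org -all",
    "_spf.active-mail.com": "v=spf1 ip4:203.0.113.0/24 include:relay.defunct-esp.io -all",
}
# Constructed stand-in for a registrar / WHOIS availability check: the set of
# apex domains that currently have an owner.
REGISTERED_APEXES = {"example-brand.com", "active-commerce.com", "active-mail.com"}

# SPF terms that cause a lookup of another domain, with optional qualifier.
SPF_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=)(\S+)$", re.IGNORECASE)


def registrable_apex(host):
    """Last two labels of a hostname.

    Simplification for the example: real code should use the Public Suffix
    List so that names like host.example.co.uk are reduced correctly.
    """
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def is_registered(host):
    return registrable_apex(host) in REGISTERED_APEXES


def lookup_txt(name):
    """Simulated resolver: names under an unowned apex resolve to nothing."""
    if not is_registered(name):
        return None
    return TXT_RECORDS.get(name.lower())


def spf_references(owner, visited=None, refs=None):
    """Return every (owner, referenced domain) pair reachable through
    include:/redirect= terms starting from `owner`, walking at most the 10
    lookup-causing terms RFC 7208 allows."""
    visited = set() if visited is None else visited
    refs = [] if refs is None else refs
    owner = owner.lower()
    if owner in visited or len(visited) >= 10:
        return refs
    visited.add(owner)
    record = lookup_txt(owner)
    if not record or not record.lower().startswith("v=spf1"):
        return refs
    for term in record.split():
        m = SPF_REF.match(term)
        if m:
            target = m.group(1).rstrip(".").lower()
            refs.append((owner, target))
            spf_references(target, visited, refs)
    return refs


def find_dangling_references(zone_apex):
    """List CNAME targets and SPF includes under `zone_apex` whose apex domain
    nobody owns. Each is a name an attacker could register to hijack the
    subdomain or to inject hosts into the zone's SPF authorization."""
    findings = []
    for owner, target in CNAME_RECORDS.items():
        if owner.endswith("." + zone_apex) and not is_registered(target):
            findings.append({"record": "CNAME", "owner": owner, "target": target,
                             "apex": registrable_apex(target)})
    for owner, target in spf_references(zone_apex):
        if not is_registered(target):
            findings.append({"record": "SPF include", "owner": owner, "target": target,
                             "apex": registrable_apex(target)})
    return findings


if __name__ == "__main__":
    for f in find_dangling_references("example-brand.com"):
        print(f"{f['record']:11} {f['owner']} -> {f['target']}  (unregistered apex: {f['apex']})")
```

Against the constructed zone the check reports three dangling references: the promo subdomain's CNAME into an expired marketing vendor, a direct SPF include of a defunct vendor, and, one level deeper, an include that the still-active mail provider's own SPF record makes of a defunct relay. The last case is the one most audits miss: your SPF record can be poisoned through a third party's record, which is why the walker follows includes transitively rather than checking only the terms you wrote yourself.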

U.S. Office of the National Cyber Director Issues Report Urging Organizations to Utilize Memory-Safe Programming Languages to Improve Security of Products – Languages such as Rust prevent whole classes of memory-safety vulnerabilities (buffer overflows, use-after-free and the like) that attackers exploit to run code or gain unauthorized access to data. Roughly 70% of the security vulnerabilities in large code bases have been attributed to memory-safety bugs in code written in memory-unsafe languages such as C and C++. The report builds on the U.S. National Cybersecurity Strategy released in March 2023. Bleeping Computer

About the Author

CampusGuard Threat Intel Team