Deep and Dark Web Round Up

Weekly Highlights

  • For continuing DarkOwl and overall analysis of the conflict between Israel and Hamas, and the cyber efforts that accompany this ongoing situation, please see the first section, titled “Middle East Conflict”
  • LockBit ransomware re-emerges after law enforcement takedown
  • Steel company impacted by cyber attack, unauthorized access
  • Healthcare sector continuously targeted by malicious cyber actors; numerous incidents occurred just last week
  • Threat actors heavily target the healthcare sector
  • Iranian actors target aerospace, aviation industries throughout the Middle East

Middle East Conflict

Physical and digital activities continue to rage on both sides of the Israel-Hamas conflict:

  • Undersea telecom cables that carry approximately 17% of international data were damaged as maritime conflict continues in the Red Sea. Some media outlets blame Houthi militants, while other experts state that the cables, which lie in shallow waters, were damaged by sinking ships hitting them.

Malware/Ransomware

LockBit ransomware re-emerges after law enforcement takedown

Proving resilient, LockBit ransomware came back into operation using new infrastructure just days after a global law enforcement operation took them offline. The actors debuted a new onion address and already had 12 new victims in their post-takedown operations. Additionally, the actors themselves authored a long note explaining what happened from their perspective.

Steel company hit by a cyber incident

ThyssenKrupp revealed a breach of its automotive division on February 26, 2024. One of the largest producers of steel, the company had to shut down parts of its systems to contain the incident. The company stated that no other parts of its businesses were impacted.

Threat Actor Activity

Threat actors continue to heavily target the healthcare sector

US law enforcement agencies warned of continued hospital targeting after BlackCat/ALPHV actors targeted Change Healthcare, part of United Health’s subsidiary Optum, on February 26, 2024. The outage impacted a payment exchange platform as well as pharmacies all over the United States, delaying prescription deliveries; some services were noted as offline on the website set up to provide status updates during this incident. United Health and Optum themselves were not believed to be impacted in this incident.

Furthermore, the city of Oakley, California experienced a ransomware attack on February 26, 2024. City services were not disrupted or impacted, but systems were taken offline in order to contain the incident.

Iranian actors observed targeting aerospace and aviation industries in the Middle East

Malicious Iranian cyber activity was observed targeting various industries, using cloud infrastructure for command and control (C2) along with social engineering tactics to deliver two backdoors named Minibike and Minibus. Targeting these industries allows for strategic information to be procured and sent back to the Iranian government.

Notable Leaks and Breaches

Suggested Further Reading

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.

For more information, visit www.darkowl.com.
