Deep and Dark Web Round Up
Weekly Highlights
Middle East Conflict
No notable cyber activity tied to the latest Israel-Hamas conflict was observed this week, but a few developments below will almost certainly influence continued physical and cyber activities and campaigns.
Malware/Ransomware
Continuing the trend of ransomware actors targeting the healthcare industry, Qilin ransomware has been linked to a recent attack on Synnovis, a pathology provider, and multiple London hospitals. As a result, Synnovis has lost access to its own systems and is working to regain it so that it can determine the full extent of the incident. Non-emergency services have been redirected or postponed, while urgent services remain open and proceeding (as of the time of this writing). The full extent of the incident is unclear but will likely become clear once incident responders can fully evaluate the network and environment.
The cyber threat intel researcher community believes that RansomHub, a new Ransomware-as-a-Service group, derived its operations from Knight ransomware (Knight is no longer operating). RansomHub operates as a data theft and extortion group, selling stolen files and data to whoever is willing to pay the most. This is the group that leaked data from UnitedHealth’s Change Healthcare after the BlackCat/ALPHV ransomware attack on that company. Any link between BlackCat and RansomHub remains unclear. RansomHub has also threatened to leak data stolen from Christie’s auction house.
Threat Actor Activity
A new “V3B” phishing kit is being sold on Telegram and used to target financial institutions in the Netherlands, Austria, Germany, Finland, Italy, and several other European countries. The kit costs between $130 and $450 a month and offers customization options. The Telegram channel selling it has approximately 1,250 members as of the time of this writing and is expected to grow given the kit’s ease of use and availability.
Mustang Panda activity tied to multiple other Chinese state actor groups
Chinese actors continue their operations using new malware variants and infrastructure that hint at a coordinated attack. Mustang Panda’s activity clusters overlap with those of the Chinese threat groups Backdoor Diplomacy, REF5961, and APT41 (and their subgroups). Their goals include disrupting network communications, using TTPs such as enumerating admin accounts through Active Directory infrastructure, maintaining persistent C2 channels, living off the land, DLL sideloading, credential dumping, and lateral movement, to name a few.
Notable Leaks and Breaches
Suggested Further Reading
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, making that data simple to search.
Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.