Deep and Dark Web Round Up

Weekly Highlights

• For continuing DarkOwl/overall analysis of the conflict between Israel and Hamas, and what cyber efforts accompany this ongoing situation, please see the first section titled “Middle East Conflict”
• Qilin ransomware hits London hospitals
• RansomHub RaaS operation likely tied to former Knight ransomware
• New, customizable V3B phishing kit appears for sale on Telegram
• Chinese state actors combine to target global organizations

Middle East Conflict

There were no notable cyber activities going on this week with the latest Israel-Hamas conflict, but a few developments below will almost certainly influence continued physical and cyber activities and campaigns.

• ?Houthi attacks continue against maritime vessels. A Maersk report indicated that world trade lines are significantly impacted by constant antagonistic activity in the Red Sea.
• American chain restaurants are under attack throughout Baghdad, Iraq. - Numerous pro-Iranian groups publicly advocated for this type of activity, such as Kataib Hezbollah.
• Iranian authorities announced that Election nominees will be announced on June 22, ahead of the June 28, 2024 Presidential elections, following the death of Raisi.

Malware/Ransomware

Qilin ransomware hits London pathology provider, hospitals

Continuing the trend of ransomware actors targeting the healthcare industry, Qilin ransomware was linked to a recent attack on Synnovis, a pathology provider, and multiple London hospitals. As a result, Synnovis cannot access its own systems and is trying to regain access to understand the full extent of this incident. Non-emergency services have been redirected or postponed, while urgent services are still open and proceeding (as of the time of this writing). The full extent of this incident is unclear but will likely be revealed as soon as incident responders can fully evaluate the network and environment.

RansomHub RaaS likely linked to Knight Ransomware

The cyber threat intel researcher community believes that RansomHub, a new Ransomware-as-a-Service group, derived its operations from Knight ransomware (Knight is no longer operating). RansomHub operates as a data theft and extortion group, selling stolen files and data to whomever is willing to pay the most. This is the group that leaked data from United Health’s Change Healthcare, after BlackCat/ALPHV ransomware attacked them. Any possible link between BlackCat and RansomHub is still unclear. RansomHub also threatened to leak Christie’s Auction House data that was stolen.

Threat Actor Activity

New phishing kit appears on Telegram, targets European banks

A new “V3B” phishing kit is on Telegram, used to target financial institutions in the Netherlands, Austria and Germany, Finland, Italy, and several other European countries. The kit runs between $130 - $450 a month and has customization options. The Telegram channel selling it has approximately 1,250 members as of the time of this writing and is expected to grow due to ease of use and availability.??

New “Mustang Panda” group debuts tied to multiple other Chinese state actor groups

Chinese actors continue their operations using new malware variants and infrastructure that hint at a coordinated attack. Mustang Panda is the group using activity clusters also related to Chinese threat groups Backdoor Diplomacy, REF5961, and APT41 (and their subgroups). Their goals include disrupting network communications using several TTPs: enumerating admin accounts using Active Directory infrastructure, persistent C2 channels, living off the land, DLL sideloading, dumping credentials, and lateral network movement, to name a few.?

Notable Leaks and Breaches

• Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers
• Live Nation finally confirms massive Ticketmaster data breach
• Advance Auto Parts stolen data for sale after Snowflake attack
• Check-in terminals used by thousands of hotels leak guest info
• Club Penguin fans breached Disney Confluence server, stole 2.5GB of data
• Australian mining company discloses breach after BianLian leaks data
• ARRL says it was hacked by an "international cyber group"
• Collection agency FBCS ups data breach tally to 3.2 million people
• Ransomware attack hits Vietnam Post | Vietnam+ (VietnamPlus) (VNM)
• Telegram Combolists and 361M Email Addresses
• enfit.net - (1,824,189 entries)
• AI platform Hugging Face says hackers stole auth tokens from Spaces

Suggested Further Reading

• Third-Party Cyber Attacks: The Threat No One Sees Coming – Here's How to Stop Them
• FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out
• Unpacking 2024's SaaS Threat Predictions
• Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs
• FBI warns of fake remote work ads used for cryptocurrency fraud
• Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts
• Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine
• Data firm execs convicted for helping fraudsters target the elderly
• Cox fixed an API auth bypass exposing millions of modems to attacks
• SASE Threat Report: 8 Key Findings for Enterprise Security

About DarkOwl

DarkOwl uses machine learning to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching.? ?

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and? secure manner without having to access the darknet itself.?

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.?

For more information, visit www.darkowl.com.