Deep and Dark Web Round Up

Weekly Highlights

  • For continuing DarkOwl/overall analysis of the conflict between Israel and Hamas, and what cyber efforts accompany this ongoing situation, please see the first section titled “Middle East Conflict”
  • Qilin ransomware hits London hospitals
  • RansomHub RaaS operation likely tied to former Knight ransomware
  • New, customizable V3B phishing kit appears for sale on Telegram
  • Chinese state actors combine to target global organizations

Middle East Conflict

There were no notable cyber activities going on this week with the latest Israel-Hamas conflict, but a few developments below will almost certainly influence continued physical and cyber activities and campaigns.

  • Houthi attacks continue against maritime vessels. A Maersk report indicated that world trade lines are significantly impacted by constant antagonistic activity in the Red Sea.
  • American chain restaurants are under attack throughout Baghdad, Iraq. Numerous pro-Iranian groups, such as Kataib Hezbollah, have publicly advocated for this type of activity.
  • Iranian authorities announced that election nominees will be announced on June 22, ahead of the June 28, 2024 presidential elections, following the death of Raisi.

Malware/Ransomware

Qilin ransomware hits London pathology provider, hospitals

Continuing the trend of ransomware actors targeting the healthcare industry, Qilin ransomware was linked to a recent attack on Synnovis, a pathology provider, and multiple London hospitals. As a result, Synnovis cannot access its own systems and is trying to regain access to understand the full extent of this incident. Non-emergency services have been redirected or postponed, while urgent services are still open and proceeding (as of the time of this writing). The full extent of this incident is unclear but will likely be revealed as soon as incident responders can fully evaluate the network and environment.

RansomHub RaaS likely linked to Knight Ransomware

The cyber threat intel researcher community believes that RansomHub, a new Ransomware-as-a-Service group, derived its operations from Knight ransomware (Knight is no longer operating). RansomHub operates as a data theft and extortion group, selling stolen files and data to whomever is willing to pay the most. This is the group that leaked data from United Health’s Change Healthcare, after BlackCat/ALPHV ransomware attacked them. Any possible link between BlackCat and RansomHub is still unclear. RansomHub also threatened to leak Christie’s Auction House data that was stolen.

Threat Actor Activity

New phishing kit appears on Telegram, targets European banks

A new “V3B” phishing kit is on Telegram, used to target financial institutions in the Netherlands, Austria, Germany, Finland, Italy, and several other European countries. The kit costs between $130 and $450 a month and offers customization options. The Telegram channel selling it has approximately 1,250 members as of the time of this writing and is expected to grow due to its ease of use and availability.

New “Mustang Panda” group debuts tied to multiple other Chinese state actor groups

Chinese actors continue their operations using new malware variants and infrastructure that hint at a coordinated attack. Mustang Panda is the group using activity clusters also related to the Chinese threat groups Backdoor Diplomacy, REF5961, and APT41 (and their subgroups). Their goals include disrupting network communications, and their TTPs include enumerating admin accounts via Active Directory infrastructure, maintaining persistent C2 channels, living off the land, DLL sideloading, dumping credentials, and lateral network movement, to name a few.

Notable Leaks and Breaches

Suggested Further Reading

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.

For more information, visit www.darkowl.com.
