Sunday 13th October 2024


Good morning everyone, a very happy Sunday to you all and welcome to another instalment of Cyber Daily. Today, we’ll look into the latest tricks from cybercriminals who are making a name for themselves by changing theirs. From INC’s quiet transformation into Lynx, to Russian hackers targeting vulnerabilities at scale, and Sophos uncovering ransomware exploits in Veeam, it’s a reminder that in the world of cybersecurity, the players might change, but the game stays the same. Let’s jump in.

Russian Hackers Are Busy Again, Warn Cybersecurity Agencies

The U.S. and U.K. cyber agencies have jointly alerted organisations about a new wave of cyber threats originating from Russia's Foreign Intelligence Service (SVR), and specifically APT29, the group responsible for the SolarWinds hack. APT29 has been spotted actively scanning for vulnerabilities in internet-facing systems. The agencies released a list of 24 Common Vulnerabilities and Exposures (CVEs), including flaws in Cisco and JetBrains software, as the group capitalises on unpatched systems for mass exploitation.

Agencies advise disabling unnecessary internet-facing services, configuring systems securely, and prioritising timely patching. The message is clear—upgrading cyber defences is essential to ward off opportunistic exploits.

Ransomware Actors Exploit Veeam Vulnerability for RCE Attacks

Sophos X-Ops is sounding the alarm over a severe remote code execution (RCE) vulnerability in Veeam Backup & Replication (CVE-2024-40711), which ransomware operators are exploiting to create rogue admin accounts and deploy malware. Veeam patched this flaw in September 2024 as part of a broader security update that addressed 18 high and critical vulnerabilities across its platforms. Despite these patches, attackers are actively leveraging compromised credentials and unpatched Veeam systems to deliver ransomware like Fog and Akira.

The exploit targets Veeam’s URI on port 8000, allowing attackers to use the system’s “net.exe” command to add accounts with admin privileges, facilitating ransomware deployment. Sophos researchers observed attackers accessing systems via outdated VPNs lacking multifactor authentication (MFA), emphasising the need for up-to-date security practices.

Takeaway: Organisations using Veeam should prioritise patching to prevent unauthorised access, secure VPN gateways with MFA, and retire unsupported software versions to minimise the attack surface.
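A defensive detection example, added here and not taken from the newsletter or from Sophos’ write-up, that triages Windows process-creation events for the net.exe account-creation behaviour described above. It assumes each event carries the parent image, image and command line as a SIEM would export them, and that Veeam’s service binaries live under a path containing “Veeam”; the sample events are constructed for the example.

```python
import re

# Constructed process-creation events in the shape a SIEM might export
# (made-up sample data for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "bkp01",
     "parent_image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net user helpdesk2 Summer2024! /add"},
    {"host": "bkp01",
     "parent_image": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "image": r"C:\Windows\System32\net1.exe",
     "command_line": "net1 localgroup administrators helpdesk2 /add"},
    {"host": "ws07",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net use Z: \\\\fileserver\\share"},
    {"host": "ws07",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup Administrators tempadmin /add"},
]

# Matches "net user <name> ... /add" and "net localgroup <group> <member> /add",
# with or without a quoted full path; net1.exe is matched too because net.exe
# hands most subcommands off to it.
NET_ADD = re.compile(
    r'^"?(?:.*\\)?net1?(?:\.exe)?"?\s+(user|localgroup)\s+(\S+)(?:\s+(\S+))?.*?\s/add\b', re.I)

def classify_net_command(command_line):
    """Return (verb, target) for account-changing net commands, else None."""
    m = NET_ADD.match(command_line.strip())
    if not m:
        return None
    verb, first, second = m.group(1).lower(), m.group(2), m.group(3)
    target = first if verb == "user" else f"{first}/{second or '?'}"
    return verb, target

def spawned_by_veeam(parent_image):
    # Assumption for this example: the backup service lives under a "Veeam" path.
    return "veeam" in parent_image.lower()

def triage(events):
    """'high' when a Veeam process adds an account or group member, 'medium' for
    any other parent (still worth a look on a backup host); benign net use is skipped."""
    alerts = []
    for ev in events:
        hit = classify_net_command(ev["command_line"])
        if hit is None:
            continue
        verb, target = hit
        severity = "high" if spawned_by_veeam(ev["parent_image"]) else "medium"
        alerts.append({"host": ev["host"], "severity": severity, "verb": verb,
                       "target": target, "parent": ev["parent_image"].rsplit("\\", 1)[-1]})
    return alerts
```

Running `triage(SAMPLE_EVENTS)` flags the two Veeam-spawned events as high and the cmd.exe one as medium; the drive mapping produces no alert.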

Did the INC Ransomware Gang Rebrand as Lynx?

Palo Alto Networks' Unit 42 believes the infamous INC ransomware group has rebranded as "Lynx" after a quiet transition period between April and July 2024. Known for headline-grabbing attacks on targets like NHS Scotland and Leicester City Council, INC established a reputation despite not being a top ransomware player. However, Lynx has quickly become more prevalent, with its detected samples outpacing INC’s since July. By September, INC sample detections fell to zero, suggesting the group might indeed have moved on.

Supporting evidence includes a 70.8% code overlap between samples from both groups, revealed through BinDiff analysis. Additionally, both Lynx and INC maintain similar leak sites with nearly identical layouts, from the sidebar to section names, suggesting continuity. Despite Lynx’s claimed “no hospital or nonprofit” targeting policy, it shares striking similarities with INC’s operation and likely the same actors.

Even though Lynx claims to operate with a moral code, its ties to INC suggest otherwise, underscoring the ease with which ransomware groups can rebrand and reposition themselves.

Rajsegar Alagarathnam

Cybersecurity Master's Student | System Administrator

1 hour ago

Interesting

Majid Aziz

Strategic Marketing Architect

4 days ago

Very informative

Majid Aziz

Strategic Marketing Architect

4 days ago

Great

Jitendra Sheth

Founder, Cosmos Revisits

Empowering Small Businesses to Surge Ahead of Competition. 9X LinkedIn Top Voice: Brand Development | Creative Strategy | Content Marketing | Digital Marketing | Performance Marketing | SEO | SMM | Web Development

4 days ago

Aidan, crucial updates—thanks for keeping us vigilant in a rapidly evolving cyber landscape!
