Top News from the Underground - European edition - Week 13/2024
ALLEGED SALE OF ACCESSES FOR AN ITALIAN COMPANY OPERATING IN THE HEALTHCARE SECTOR
On March 24, 2024, we observed a threat actor offering for sale several accesses to an Italian company operating in the healthcare sector on a Russian-speaking underground forum. Healthcare is confirmed as one of the sectors of greatest interest in the criminal underground.
A 'NET WORKER ALLIANCE' AFFILIATE TARGETS THE MONTPELLIER–MEDITERRANEAN AIRPORT'S WEBSITE
On March 21, 2024, we tracked the activities of a Net Worker Alliance hacktivist affiliate as it targeted the Montpellier–Mediterranean Airport's website with (D)DoS-based attacks. (D)DoS attacks continue to be the most widespread type of attack in the context of hacktivist movements.
ALLEGED SALE OF DATABASE OF A FRENCH NON-PROFIT ORGANIZATION OPERATING IN THE ENTERTAINMENT SECTOR
On March 21, 2024, a threat actor offered for sale the database of an important French organization operating in the sport and entertainment sector on an English-speaking underground forum. According to the threat actor's claims, the database contains records of both professional and non-professional athletes, totaling over 10 million individuals.
HACKING GROUP TARGETS ONE OF THE MAJOR FRENCH CLOUD PROVIDERS WITH DDOS ATTACKS
On March 18, 2024, we observed a hacking group targeting one of the major French cloud providers with (D)DoS-based attacks. The actor claimed responsibility for the attack on its Telegram channel.
ALLEGED SALE OF DATABASE BELONGING TO GERMAN AND BULGARIAN WEBSITES
On March 22, 2024, a threat actor offered to sell databases containing information from German and Bulgarian websites. According to the threat actor's claims, the databases include various records from different websites, along with their respective dates and prices.
UNDERGROUND IAB (INITIAL ACCESS BROKER) OFFERS CITRIX ACCESS FOR SALE FOR DIFFERENT EUROPE-BASED ORGANIZATIONS
On March 18, 2024, Cluster25 observed an IAB (Initial Access Broker) offering for sale Citrix accesses belonging to several EU-based organizations on a Russian-speaking underground forum. According to the threat actor's claims, the most impacted countries are the United Kingdom, Spain and Germany.
IAB (INITIAL ACCESS BROKER) OFFERS FOR SALE RDP ACCESSES TO A UK-BASED CORPORATION OPERATING IN THE FINANCIAL SECTOR
On March 18, 2024, we observed the activities of an IAB (Initial Access Broker) on a Russian-speaking underground forum offering RDP accesses with domain user rights to a UK-based corporation. According to the threat actor's claims, the company is very large and operates in the financial and insurance sectors.
ALLEGED SALE OF A NOVEL ANDROID RAT ON A RUSSIAN-SPEAKING UNDERGROUND FORUM
On March 21, 2024, we observed the sale of a novel Android-based RAT (Remote Access Tool) on a Russian-speaking underground forum. According to the threat actor's claims, the RAT is capable of stealthy installation without user permission and of bypassing security measures such as Google Play Protect and Xiaomi Secure Scan.
NOVEL MSI-BASED MALWARE LOADER ADVERTISED ON A RUSSIAN-SPEAKING UNDERGROUND FORUM
On March 18, 2024, we observed a threat actor advertising a novel MSI-based malware loader on a Russian-speaking underground forum. According to the threat actor's claims, the loader is capable of effortlessly bypassing Windows Defender and browser alerts, offering seamless execution of malicious payloads while evading security measures.