Weekly Top 10 – 12.18.2023- BlackCat/Alphv Ransomware Gang Likely Seized, Sandman APT Chinese Gov Link, Norton Healthcare Ransomware Incident Impacts 2.5M Patients, and more.

WEEKLY TOP TEN | December 18, 2023, 15:00 GMT

1. BlackCat/Alphv Ransomware Gang Likely Seized by Law Enforcement
   
   The TOR site for the infamous ransomware gang known as BlackCat or Alphv has been inaccessible since December 7^th. Since then, the threat intelligence company RedSense has reported that it and BlackCat’s darkweb affiliates believe the takedown was most likely a police operation. As of right now, no law enforcement agency has publicly claimed the takedown, and leaders of Royal Ransomware, BlackBasta, and LockBit appear to believe this operation had a limited impact on BlackCat’s infrastructure, noting they believe it’s likely it will be operational again shortly.
2. Sandman APT Linked to the Chinese Government
   
   In a joint report by Microsoft and SentinelOne, the fairly new APT being tracked as Sandman was attributed to the Chinese government. Sandman has been a topic of interest due to their advanced backdoor malware named LuaDream, which is a cross-platform malware written in Lua and has primarily been used against telecom providers in Europe, Asia, and the Middle East, likely for cyber-espionage.
3. Norton Healthcare Ransomware Incident Impacts 2.5M Patients
   
   Norton Healthcare runs eight hospitals and thirty clinics in Kentucky and Indiana. Recently, Norton Healthcare divulged a ransomware incident in May in which attackers were able to gain highly sensitive information on nearly 2.5 million patients. Including ID numbers, digital signatures, and financial information. Norton claims they immediately informed the FBI and did not pay the ransom.
4. Fancy Bear in an Ongoing Espionage Campaign Against 13 Countries
   
   The Russian-backed threat actor known as Fancy Bear or APT28 has been crafting email lures relating to the Israel-Hamas conflict targeted at thirteen nations, likely in an attempt to commit cyber espionage. The crafted emails come under the guise of a request for humanitarian aid and leverage UN documents to fake authenticity. The phishing messages have been observed containing RAR files, attempting to exploit CVE-2023-38831 to install a backdoor named HeadLace onto impacted computers.
5. Threat Actors are Targeting Critical Apache Struts Vulnerabilities
   
   A critical vulnerability was recently discovered and subsequently patched in Apache Struts. This vulnerability is tracked as CVE-2023-50164 with a CVSS score of 9.8. It allows for path traversal, file manipulation, and, in some cases, full remote code execution. Since the patch became available, a public proof of concept (POC) has been made available, allowing low-skilled attackers to copy and use this script against potentially vulnerable servers. Exploitation attempts have now been observed in the wild.
6. Ukrainian Cyberattack Targeted Russia’s Tax Systems
   
   The Ukrainian Directorate of Intelligence (GUR) has launched a cyberattack on Russia’s Federal Tax Systems (FTS). Ukrainian intelligence officials have stated that the databases, backups, and configurations of the FTS have been destroyed, critically impacting all involved systems. Officials also claim that the recovery may take “at least a month,” with full recovery being nearly impossible.
7. Apple Releases Security Patches for Critical iOS and macOS vulnerabilities
   
   Apple has recently released patches for nearly all of their proprietary operating systems, including iOS, macOS, and watchOS. Twelve vulnerabilities were patched in these updates; however, the most concerning of these is CVE-2023-45866, which allows attackers to spoof a Bluetooth keyboard, allowing for keystroke injection and nearly full system takeover.
8. Ukraine’s Largest Telcom Provider Taken Down by a Cyberattack
   
   Kyivstar is the largest mobile and telecommunications provider in Ukraine. Recently, a cyberattack linked to the ongoing Russia-Ukraine conflict brought down the carrier, leaving nearly all of their 26 million customers without internet or mobile data. Kyivstar claimed on X (formerly Twitter) that customers’ personal data was not at risk and that compensation would be made to those who lost connectivity.
9. French Authorities Apprehend Suspected Hive Ransomware Affiliate
   
   The French Anti-Cybercrime Office has detained a Russian citizen in Paris under suspicion of assisting the Hive ransomware gang with money laundering. Authorities also seized 570 thousand euros worth of cryptocurrency from the arrested individual. In collaboration with Europol and the Cypriot authorities, they were also able to search the suspects homes for further evidence.
10. Attackers Weaponize OAuth Applications to Compromise Microsoft Accounts
    
    OAuth is a common technology used for cross-platform authentication via a single account, such as sign-in with Google, Facebook, or Microsoft features. Attackers have begun to create sites that ask for high-level permissions when using OAuth logins. This allows attackers to essentially compromise accounts due to a lack of awareness on the user end when not reading or understanding the requested permissions.