This threat intelligence report was created in tandem between Scot Terban and the ICEBREAKER Intel Analyst created and trained by Scot Terban.

Executive Summary:

The recent surge in cyber threats demonstrates a complex and dynamic challenge to organizations, underscored by incidents ranging from state-sponsored espionage to innovative ransomware and phishing campaigns. Notably, the Lazarus Group’s exploitation of the Windows Kernel flaw exemplifies the advanced techniques employed by state actors to compromise vital infrastructures, signaling a heightened need for robust defensive measures against such sophisticated threats. Moreover, the emergence of ransomware attacks, as witnessed in the case against UnitedHealth by the ‘Blackcat’ group, further highlights the persistent risk to sectors beyond healthcare, emphasizing the financial and operational implications of these attacks.

On another front, phishing campaigns orchestrated by groups like Savvy Seahorse and platforms like ‘LabHost’ reveal an evolution in cybercriminal tactics, targeting financial institutions with refined methods that necessitate an equally sophisticated response strategy. Additionally, the exploitation of supply chain vulnerabilities, as seen through attacks leveraging Ivanti VPN flaws, brings to light the critical importance of securing the supply chain ecosystem against potential breaches. These incidents, coupled with significant global cyber attacks, underline the necessity for organizations to adopt a proactive stance, incorporating continuous threat intelligence, advanced security protocols, and comprehensive employee training. By doing so, they can enhance their resilience against the multifarious nature of cyber threats that continue to evolve in both scale and complexity.

Cyber Attacks:

UnitedHealth Blackcat Ransomware Attack: UnitedHealth reported that the ‘Blackcat’ ransomware group was behind a hack at its tech unit. This incident is part of a larger trend where healthcare providers faced disruptions due to frozen payments in ransomware outages. The hackers initially claimed to have stolen ‘millions’ of records before retracting their statement.

US Data Flow Restrictions: In response to concerns over data privacy and national security, President Biden issued an executive order to restrict US data flows to China and Russia. This move aims to safeguard Americans’ personal data from foreign surveillance and potential misuse.

European Retailer Pepco Phishing Loss: European discount retailer Pepco fell victim to a phishing attack, leading to approximately 15 million euros in losses. This incident underscores the ongoing threat posed by social engineering and phishing campaigns.

Chinese Hackers Targeting Infrastructure: U.S. officials have warned that Chinese hackers are targeting critical infrastructure. This comes despite China’s assurances of non-interference in the U.S. elections. The threat landscape includes espionage campaigns, intellectual property theft, and cyberattacks.

Ransomware and AI-powered Attacks: Ransomware continues to pose a significant threat to organizations, with attacks leading to financial losses, data breaches, and reputational damage. Additionally, AI-powered attacks are becoming more sophisticated, using technologies like large language models (LLMs) for malicious purposes such as spreading misinformation and conducting cyberattacks.

Network Device Security: Ubiquiti router users have been urged to secure their devices due to targeting by Russian hackers. These devices’ utility makes them attractive targets for cybercriminals, highlighting the importance of securing network appliances.

Vulnerabilities:

During the period from February 26 to March 1, 2024, several critical vulnerabilities and cybersecurity threats were reported, highlighting the ongoing challenges in maintaining cybersecurity posture across various technologies and platforms:

Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities: CISA issued an emergency directive and supplemental guidance addressing vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions. Threat actors have been exploiting these vulnerabilities to capture credentials, drop web shells, and enable further compromise of enterprise networks. Agencies were required to disconnect affected products and follow specific mitigation steps to protect against these vulnerabilities.

New Malware Targeting Ivanti VPN Vulnerabilities: A new malware, exploiting vulnerabilities CVE-2023-46805 and CVE-2024-21887, has been reported. The malware variants, named BUSHWALK and FRAMESTING, enable arbitrary command execution and data manipulation on compromised Ivanti appliances. These attacks demonstrate the use of sophisticated techniques for lateral movement and data exfiltration within victim environments.

Google Chrome Vulnerabilities: Google patched six vulnerabilities in its first Chrome update of 2024, including two high-severity issues related to memory safety flaws and use-after-free vulnerabilities in Chrome’s WebAudio and WebGPU components. These vulnerabilities, if exploited, could potentially allow an attacker to execute arbitrary code, leading to data corruption or denial-of-service.

Malware:

During the period from February 26 to March 1, 2024, several significant malware threats and vulnerabilities were highlighted across various cybersecurity platforms:

New Malware Exploiting Ivanti VPN Vulnerabilities: Mandiant identified new malware used by a China-nexus espionage threat actor, known as UNC5221, targeting Ivanti Connect Secure VPN and Policy Secure devices. This included custom web shells like BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE, exploiting vulnerabilities CVE-2023-46805 and CVE-2024-21887. These vulnerabilities have been used as zero-days since early December 2023, with attackers deploying sophisticated tools for post-exploitation activities.

Emerging Malware Threats in 2024: SafetyDetectives listed several malware threats posing significant risks in 2024, including Clop Ransomware, Fake Windows Updates hiding ransomware, Zeus Gameover, Ransomware as a Service (RaaS), and new malware attacks leveraging current news or global events. These threats underline the evolution of malware, becoming more sophisticated and dangerous, emphasizing the need for robust cybersecurity measures.

Malware Impact and Statistics: Over 60% of malicious installation packages detected on mobile devices were identified as banking trojans, highlighting the growing threat to mobile banking security. Additionally, malware attacks continue to have a devastating impact on businesses, especially those in the early stages of cloud security solutions implementation, demonstrating the financial and operational risks associated with cybersecurity breaches.

Google Chrome Vulnerabilities Patched: Google patched six vulnerabilities in its first Chrome update of 2024, addressing issues reported by Qrious Secure and Ant Group Light-Year Security Lab. These included a use-after-free defect in Chrome’s WebAudio component and a vulnerability in WebGPU, highlighting the ongoing efforts to improve memory safety and protect against the exploitation of use-after-free vulnerabilities.

Phishing:

Recent phishing campaigns from February 26 to March 1, 2024, have showcased a variety of sophisticated methods used by cybercriminals to target individuals and organizations:

Savvy Seahorse Financial Scams: A threat actor named Savvy Seahorse has been utilizing CNAME DNS records to power financial scam campaigns, demonstrating the innovative methods employed to deceive victims.

Phishing as a Service Targeting Canadian Banks: The LabHost Phishing as a Service (PhaaS) platform has been facilitating attacks on North American banks, with a notable increase in activities targeting financial institutions in Canada. This highlights the commercialization of phishing techniques and the broadening of cybercriminal networks.

Use of Steganography in Malware Delivery: A group identified as ‘UAC-0184’ has been observed using steganographic techniques in image files to deliver the Remcos remote access trojan (RAT) onto systems of a Ukrainian entity operating in Finland. This technique indicates the evolving sophistication of malware delivery methods.

Massive Spam Campaign Using Hijacked Subdomains: The “SubdoMailing” ad fraud campaign has exploited over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day. This campaign showcases the scale at which phishing and spam operations can operate to generate revenue through scams and malvertising.

Google Cloud Run Abused in Banking Trojan Campaign: Hackers have been abusing the Google Cloud Run service to distribute banking trojans like Astaroth, Mekotio, and Ousaban. The campaign underscores the misuse of legitimate cloud services for malicious purposes.

Qbot Malware Variant Evasion Techniques: The developers of Qakbot malware have been experimenting with new builds, using fake Adobe installer popups for evasion in email campaigns. This adaptation shows the continuous efforts by attackers to avoid detection and increase the success rate of their campaigns.

Bumblebee Malware’s Return: After a four-month hiatus, the Bumblebee malware has reemerged, targeting thousands of organizations in the United States through phishing campaigns. This resurgence highlights the persistent threat landscape organizations face from known malware variants.

Microsoft Azure Account Hijacking Campaign: A phishing campaign detected in late November 2023 has compromised user accounts in dozens of Microsoft Azure environments, including those of senior executives. The targeted nature of this campaign reflects the high value cybercriminals place on infiltrating corporate and executive accounts.

Fake LastPass App on Apple’s App Store: A fake version of the LastPass password manager app distributed on the Apple App Store was likely used as a phishing tool to steal users’ credentials. This incident underlines the importance of vigilance when downloading apps and the potential risks of app store impersonation scams.

Cyber Attacks:

From February 26 to March 1, 2024, the cybersecurity landscape witnessed several significant cyber attacks and incidents across various sectors, illustrating the relentless and evolving nature of cyber threats.

UnitedHealth Ransomware Attack: UnitedHealth revealed that the ‘Blackcat’ ransomware group was behind a cyberattack on its technology unit. This incident is part of a broader trend of ransomware attacks targeting healthcare providers, leading to frozen payments and operational disruptions. The hackers initially claimed to have stolen ‘millions’ of records before retracting their statement.

Rotech and Philips Partnership Breach: Rotech announced that patients were likely impacted by a cyberattack on a Philips unit, showcasing the vulnerabilities within the healthcare and technology sectors and the interconnected risks in partnerships.

Global Data Breaches and Cyber Attacks: A comprehensive overview of 2024’s cyber attacks highlighted that by the beginning of the year, there had been significant breaches across multiple sectors, underscoring the global and widespread nature of cyber threats. This includes the MOAB (mother of all breaches), affecting millions of records and thousands of organizations.

Significant Cyber Incidents of the Previous Quarter: The end of 2023 saw various cyber incidents, including state-sponsored attacks and ransomware campaigns. Notable incidents included Israeli-linked hackers disrupting Iran’s gas stations, Ukrainian state hackers targeting Russia’s largest water utility plant, and suspected Chinese hackers launching espionage campaigns against several countries.

Cyber Attack Trends of 2023 and Predictions for 2024: Reflecting on the major cyber incidents of 2023, such as the Guardian Attack, Toronto SickKids ransomware attack, and the Royal Mail Ransomware attack, it’s evident that cyber threats continue to evolve with increasing reliance on Ransomware-as-a-Service (RaaS), supply chain attacks, zero-day exploits, and cloud security challenges. The utilization of AI in cyber attacks remains a significant concern for the future.

Links:

For the latest cybersecurity news and developments:

• Reuters Cybersecurity News
• The Hacker News
• Bleeping Computer

For detailed reports and analysis on malware and vulnerabilities:

• PortSwigger Daily Swig
• CISA – Cybersecurity & Infrastructure Security Agency

For insights into recent phishing campaigns:

• Bleeping Computer Phishing News
• The Daily Swig on Phishing

For comprehensive overviews of recent significant cyber attacks:

• Reuters Cybersecurity
• IT Governance UK Blog
• CSIS – Strategic Technologies Program
• BCS – The Chartered Institute for IT

These links offer a wealth of information for cybersecurity professionals seeking to stay informed about the latest trends, threats, and protective measures in the ever-evolving landscape of cyber threats.

TLP WHITE Downloadable Executive Summary Threat Intel Report: