19 SEP, 2024

The Cybersecurity Express – 19 September 2024

Cybourn Media Hub

The platform is alive with a quiet buzz of anticipation as you glance down at your ticket, its bold letters reading “The Cybersecurity Express.” The distant hum of the approaching train sends a thrill up your spine. This is no ordinary journey—this is a ride into the heart of the digital world, where every stop promises to reveal new insights, threats, and breakthroughs in the vast landscape of cybersecurity. You feel the excitement build as the sleek, futuristic train glides into the station, its doors opening with a soft hiss, beckoning you to step aboard.

The conductor, a figure of both mystery and knowledge, tips his hat as you take your seat. Through the window, glimpses of breached firewalls, encrypted data streams, and botnet activity flash by like scenes from a tech thriller. The voice overhead announces the first destination—a deep dive into today’s pressing cybersecurity threat. With a sense of eager curiosity, you settle in, ready for the journey ahead, knowing each article will be a ticket to understanding the evolving cyber frontier. All aboard, the adventure begins now!

Chinese Spies Built Massive Botnet of IoT Devices to Target U.S. and Taiwan Military

Researchers working together with cybersecurity divisions of the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) have brought to light a large-scale botnet named “Raptor Train” that has been operational for over four years, targeting critical sectors in the U.S. and Taiwan. This sophisticated botnet, linked to a Chinese state-sponsored hacking group known as Flax Typhoon, has hijacked hundreds of thousands of Internet of Things (IoT) devices, such as small office/home office (SOHO) routers, network-attached storage (NAS) systems, and IP cameras, to use them for nefarious purposes.

The U.S. government attributes the botnet’s operations to Integrity Technology Group, a Chinese company with ties to the People’s Republic of China (PRC) government. According to a joint advisory from the FBI, Cyber National Mission Force (CNMF), and the National Security Agency (NSA), the botnet was remotely controlled through China Unicom Beijing Province Network IP addresses.

Raptor Train’s operations came to light following an investigation by Lumen’s research arm, Black Lotus Labs, which has been tracking the botnet since its creation in May 2020. The botnet reached its peak in June 2023 with over 60,000 active compromised devices, though researchers estimate that more than 200,000 devices have been infected since the botnet’s inception.

The botnet is organized in a three-tier system, with Tier 1 comprising compromised IoT devices like routers and cameras. These devices are regularly rotated, remaining active for an average of 17 days before being replaced. Tier 2 handles the command-and-control (C2) infrastructure, and Tier 3, known as “Sparrow,” manages the exploitation and deployment of malware. The botnet’s primary malware, Nosedive, is a variant of the notorious Mirai malware, designed to operate entirely in memory, making detection difficult.

While the botnet has not been observed launching distributed denial-of-service (DDoS) attacks, its robust command-and-control infrastructure has facilitated extensive scanning and exploitation activities targeting U.S. military, government, and critical infrastructure entities. Raptor Train has also been linked to exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances, using both zero-day and known vulnerabilities.

Flax Typhoon’s minimal use of malware and focus on stealthy persistence has made it a formidable actor in the cyber-espionage landscape. The group’s activities align with Chinese interests, further evidenced by the botnet’s command structure and operational hours, which closely follow China’s standard workweek.

U.S. law enforcement agencies have taken steps to neutralize the botnet, including null-routing traffic to its known command-and-control infrastructure. However, the ongoing recruitment of compromised devices suggests that the botnet remains a significant threat. To mitigate risks, organizations are advised to update vulnerable devices, monitor for unusual outbound traffic, and replace unsupported hardware.

Raptor Train’s scale and persistence highlight the growing threat of state-sponsored cyber-espionage campaigns targeting critical infrastructure, underscoring the need for vigilant cybersecurity practices.

Vanilla Tempest Targets U.S. Healthcare with INC Ransomware in Recent Attacks

Microsoft has identified a ransomware affiliate it tracks as “Vanilla Tempest”, now actively targeting healthcare organizations in the U.S. with INC ransomware attacks. Active since June 2021, Vanilla Tempest—previously known as “Vice Society” and “DEV-0832”—has a long history of targeting key sectors such as education, healthcare, IT, and manufacturing. The group has utilized a variety of ransomware strains, including “BlackCat”, “Quantum Locker”, “Zeppelin”, and “Rhysida”, making them a versatile and persistent threat.

During its earlier operations under the “Vice Society” alias, the group was notorious for using multiple ransomware strains in its attacks, notably deploying “Hello Kitty” (also known as “Five Hands”) and “Zeppelin”. In August 2023, researchers linked “Vice Society” with the “Rhysida” ransomware gang, another operation known for its healthcare-focused attacks, such as attempting to sell patient data stolen from “Lurie Children’s Hospital” in Chicago.

“INC Ransom” is a ransomware-as-a-service (RaaS) operation that has been operational since July 2023. It has targeted public and private organizations worldwide, including high-profile entities like “Yamaha Motor Philippines”, the U.S. division of “Xerox Business Solutions (XBS)”, and more recently, “Scotland’s National Health Service (NHS)”. In May 2024, a hacker going by the alias “salfetka” advertised the source code for “INC Ransom’s” Windows and Linux/ESXi encryptors for sale on the Exploit and XSS hacking forums, demanding $300,000.

Microsoft disclosed that its threat intelligence team has recently observed “Vanilla Tempest” deploying “INC ransomware” in an attack on a U.S. healthcare organization, marking the first time the group has used this ransomware strain. The attack began with network access gained via another threat actor, “Storm-0494”, who infected the victim’s systems with the “Gootloader” malware downloader. Once inside the network, “Vanilla Tempest” used “Supper” malware to backdoor systems and deployed legitimate tools like “AnyDesk” for remote access and “MEGA” for data synchronization.

Lateral movement through the compromised network was achieved using “Remote Desktop Protocol (RDP)” and the “Windows Management Instrumentation Provider Host (WmiPrvSE)”, eventually allowing the attackers to deploy “INC ransomware” across the healthcare network. While Microsoft did not reveal the name of the healthcare provider affected, the same ransomware was linked to a recent cyberattack on “McLaren Health Care” hospitals in Michigan, which caused significant disruptions. IT and phone systems were compromised, patient databases became inaccessible, and the health system was forced to reschedule non-emergency procedures and appointments.

This attack underscores the increasing risk ransomware poses to healthcare institutions, as threat actors continue to target critical infrastructure, disrupting services and endangering sensitive data.

Russian Cybersecurity Firm Dr.Web Temporarily Disconnects Servers Amid Cyberattack

In a stark reminder that no organization is immune to cyber threats, Russian cybersecurity firm “Doctor Web (Dr.Web)” was forced to take critical measures after a recent cyberattack compromised its IT infrastructure. The company, known for its antivirus software, quickly acted to prevent potential damage by disconnecting all of its servers and implementing strict security protocols.

The breach, which began on Saturday, September 14, 2024, was swiftly detected by Dr.Web’s internal security team on September 16, when signs of unauthorized access emerged. In response, Dr.Web followed its incident response procedures by immediately isolating its systems from external networks. This precautionary move temporarily halted updates to the virus database—a vital part of the company’s antivirus services—while security measures were fully assessed.

Dr.Web utilized its in-house diagnostic tool, “Dr.Web FixIt! for Linux”, to conduct a thorough investigation and remediation. This specialized tool allowed the company to perform in-depth analysis and isolate the threat effectively. By September 17, after completing its investigation and securing the affected systems, Dr.Web resumed virus database updates, ensuring that its services were back online without compromising its security standards.

In a statement, Dr.Web confirmed that no customer data was compromised during the attack. The company emphasized that the breach was contained quickly, preventing any significant impact on its clients or business operations. While the attack caused temporary service disruptions, Dr.Web’s proactive response highlights the importance of having robust incident response plans in place to minimize damage and maintain business continuity.

This incident is part of a concerning trend of cyberattacks targeting Russian cybersecurity firms, which have become increasingly vulnerable amid rising geopolitical tensions. Earlier this year, other Russian firms, including “Avanpost” and “Infotel”, were targeted by hacking groups like “Cyber Anarchy Squad”, further underscoring the evolving landscape of cyberwarfare in Eastern Europe.

Though Dr.Web has not disclosed specific details about the attack’s perpetrators or the methods used, the company reassured customers that it has taken all necessary steps to reinforce its security measures and protect its infrastructure from future threats. The firm’s swift response and adherence to strict security protocols serve as a reminder of the importance of vigilance and preparedness in today’s rapidly evolving cyber threat environment.

This wraps up today’s issue. Wherever you are out there in the digital world, just stay safe, install the latest patches, and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express, and we look forward to welcoming you on board next time.

