Cyber Security Briefing, 17 - 23 February
LockBit ransomware infrastructure dismantled
The UK National Crime Agency (NCA), together with law enforcement agencies from 10 other countries including the FBI, has disrupted the infrastructure and services of the LockBit ransomware operation. The takedown took place on Monday, February 19, when LockBit's website began displaying a banner indicating that the above agencies had succeeded in disrupting the group's infrastructure.
According to Cyberscoop, the FBI has reportedly obtained almost 1,000 decryption keys, which could allow recovery or remediation for victims of LockBit's ongoing extortion operations. LockBit's operators have stated that they were compromised through exploitation of the PHP vulnerability registered as CVE-2023-3824, CVSSv3 of 9.8.
AWS service used for smishing campaigns
Security researchers at SentinelOne have discovered a malicious Python script they have named SNS Sender, which is advertised as a way for threat actors to send mass smishing messages leveraging the Amazon Web Services (AWS) Simple Notification Service (SNS).
These messages are designed to propagate malicious links that capture personally identifiable information and credit card details. SNS Sender is also the first tool observed in the wild leveraging AWS to conduct spam attacks via SMS messages and, according to the researchers, there is evidence to suggest that this operation may have been active since at least July 2022.
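Abuse of a legitimate cloud messaging API is visible to the account owner as a burst of direct-to-phone publish calls from a principal that never sends SMS. The following Python is an added detection example, not SentinelOne's research tooling or any code from the SNS Sender script: it scans CloudTrail-style JSON records (constructed here, not real logs) and flags any principal that issues an unusual number of SNS Publish calls addressed to phone numbers inside a short window. The record layout, the `phoneNumber` request parameter and the account id are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone


def _rec(ts, user, params):
    """Build one constructed CloudTrail-style record for the sample log."""
    return json.dumps({
        "eventTime": ts,
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
        "requestParameters": params,
    })


# Constructed sample log: six direct SMS publishes in five minutes from a
# CI user that should never send SMS, one topic publish, one lone SMS.
SAMPLE_LOG_LINES = [
    _rec(f"2024-02-20T10:0{i}:00Z", "ci-deploy",
         {"phoneNumber": f"+1555000010{i}", "message": "click here"})
    for i in range(6)
] + [
    _rec("2024-02-20T10:30:00Z", "alerts-svc",
         {"topicArn": "arn:aws:sns:us-east-1:111122223333:ops-alerts",
          "message": "disk full"}),
    _rec("2024-02-20T11:00:00Z", "helpdesk",
         {"phoneNumber": "+15550009999", "message": "your code is 1234"}),
]


def parse_direct_sms_publishes(lines):
    """Return (timestamp, principal_arn, phone_number) for every SNS Publish
    that targets a phone number directly rather than a topic."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "Publish":
            continue
        params = ev.get("requestParameters") or {}
        phone = params.get("phoneNumber")
        if not phone:
            continue  # topic publishes are normal application traffic
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((ts, ev["userIdentity"]["arn"], phone))
    return out


def detect_sms_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {principal_arn: {"count": n, "distinct_numbers": m}} for each
    principal that sent at least `threshold` direct SMS publishes within any
    `window`-long interval (sliding window over sorted timestamps)."""
    by_principal = {}
    for ts, arn, phone in parse_direct_sms_publishes(lines):
        by_principal.setdefault(arn, []).append((ts, phone))
    alerts = {}
    for arn, events in by_principal.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[arn] = {
                    "count": len(events),
                    "distinct_numbers": len({p for _, p in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for arn, info in detect_sms_bursts(SAMPLE_LOG_LINES).items():
        print(f"ALERT {arn}: {info['count']} SMS publishes to "
              f"{info['distinct_numbers']} distinct numbers")
```

Thresholds are deliberately low here so the constructed sample trips them; in practice they are set from a baseline of which principals legitimately publish SMS, and a high ratio of distinct destination numbers to messages is the stronger signal, since one-time-code senders repeat numbers while a smishing run does not.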
Analysis of Alpha ransomware shows similarities to NetWalker
The recently discovered Alpha ransomware has similarities to the NetWalker Ransomware-as-a-Service, which ceased operations in 2021. According to an analysis published by Netenrich, Alpha is constantly evolving: it appends an extension of eight random numbers to encrypted files and has changed the content of its ransom note several times, which currently includes a TOX ID for contacting the ransomware's operators.
Meanwhile, researchers at the Symantec Threat Hunter Team say that, given the similarity in tools, tactics, techniques, and procedures between the two, it is possible that NetWalker and Alpha are related. The researchers have observed that both employ a PowerShell-based loader to deploy their payloads, that their code overlaps, and that their payment gateways use the same message, among other similarities.
Anatsa campaign detected targeting Europe
The Anatsa banking trojan has affected users in Europe, infecting Android devices via malicious apps on Google Play, in a new campaign observed since November 2023. ThreatFabric researchers observed five separate waves of this campaign in which the malware was distributed in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic, with at least 150,000 infections.
Anatsa, also known as TeaBot and Toddler, is distributed via droppers posing as seemingly harmless apps in the Google Play Store, successfully exploiting the accessibility service, and circumventing Android 13's restricted settings.
High severity vulnerability in Apple Shortcuts patched
Bitdefender researchers have discovered a new vulnerability affecting Apple's Shortcuts application, which could allow an attacker to access and use sensitive data without requiring user interaction. The flaw, registered as CVE-2023-23204 with a CVSSv3 of 7.5, originates in the Expand URL shortcut action, which expands and cleans shortened URLs while removing UTM tracking parameters.
A threat actor could use this vulnerability to transmit base64-encoded copies of sensitive data selected within Shortcuts to a malicious web server. The exfiltrated data can then be captured and saved in image format with utilities such as Flask.
The flaw has already been reported to Apple, which released the necessary patches on January 22 for the following product versions: iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3 and watchOS 10.3.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →