9 January 2024


BlackCat resurgence following law enforcement disruption | Cyber Intelligence Briefing: 9 January


Top news stories this week

  1. Cat's back. BlackCat activity surges with threats to critical infrastructure following law enforcement disruption.
  2. Game on. Lapsus$ member receives indefinite hospital order after GTA 6 hack.
  3. Ripe for the picking. Orange Spain’s admin account was hacked using stolen credentials.
  4. Hidden danger. Kyivstar systems were compromised for at least seven months prior to attack.
  5. No silver bullet. Criminals circumvent MFA on Google and X. 
  6. Playback. Hackers access audio-video database of Australian state court.

1. BlackCat resurgence following law enforcement disruption

On 19 December 2023, the FBI confirmed that a joint global law enforcement operation temporarily disrupted the ransomware group ALPHV/BlackCat’s operations. Since 13 December 2023, the group has operated from a new leak site, regularly posting new victims and has declared retaliatory rules in response, including allowing affiliates to target critical infrastructure and refusing to give discounts.

So what?

BlackCat’s resilience in the wake of a law enforcement operation cements the group’s role as one of the most sophisticated and prolific ransomware gangs currently in operation.

[Researcher: Waithera Junghae] 


2. Lapsus$ member behind GTA 6 hack receives indefinite hospital order

Arion Kurtaj, a member of the Lapsus$ hacking group, has received an indefinite hospital order based on the assessment that he retains a skillset posing a high risk to society, has stated a desire to continue committing crime, and was violent whilst in custody. Kurtaj is responsible for leaking source code and clips of the unreleased Grand Theft Auto 6 video game, and breached Rockstar Games while in police custody on charges related to prior attacks against Nvidia and BT/EE.

Another Lapsus$ member, who is still a minor, was sentenced to 18 months of rehabilitation, including supervision and a ban on using online Virtual Private Networks (VPNs).

So what?

Law enforcement agencies are increasingly looking to prosecute cyber criminals.

[Researcher: Anna Tankovics]


3. Hackers use stolen credentials to log into network operator’s privileged account

Mobile network company Orange Spain suffered hours of internet outage after a breach of its systems. Using the alias ‘Snow’ on X, the threat actor claimed to have hacked one of Orange’s administrator accounts before modifying configurations that resulted in significant disruption to Orange internet services. The administrator account was reportedly not secured by multifactor authentication (MFA).

So what?

It is imperative to secure administrator accounts with complex passwords and MFA.

[Researcher: Adelaide Parker]


4. Russian hackers were hiding inside Kyivstar systems for several months

Affiliates of Sandworm, the Russia-linked hacking group suspected of being responsible for the attack on Ukraine's largest telecommunications service provider Kyivstar, had reportedly been hiding inside the organisation’s systems since at least May 2023. As a result of the attack, more than 24 million users across Ukraine were temporarily left without internet connections in December.

So what?

Organisations should undertake threat hunting exercises to proactively search their networks for advanced persistent threats.

[Researcher: Anna Tankovics]


5. Criminals bypass MFA on Google and X  

Criminals are increasingly relying on MFA bypass techniques to gain access to accounts. Most recently, threat actors used such techniques to hijack verified government and business profile accounts on X, formerly Twitter, to promote cryptocurrency and other scams, according to researchers.

Separately, researchers have uncovered a method to bypass MFA on Google by exploiting third-party authentication cookies, enabling threat actors to access accounts without needing to acquire users’ passwords.

So what?

Organisations should implement MFA alongside complementary security measures such as conditional access policies and identity monitoring. Google Chrome users should enable Enhanced Safe Browsing to protect against phishing and malware downloads.

[Researcher: Waithera Junghae]


6. Confidential court recordings accessed during cyber attack

The Victoria Court Services in Australia was targeted in a cyber attack that compromised sensitive data. During the attack, the threat actors disrupted the audio-visual in-court network and accessed the database system holding audio and video recordings of court hearings. The affected system stores recordings of hearings for multiple courts including the Supreme, County, and Children’s courts.

The Court Services have indicated that restoration work will allow January court proceedings to continue as planned.

So what?

The security of sensitive data can be enhanced through various mechanisms, including encryption, robust data retention policies, and off-network storage. 

[Researcher: Adelaide Parker]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


Editors

Kyle Schwaeble, Senior Associate, Cyber Security

Kyle Schwaeble is a senior associate on S-RM’s cyber security team, bringing expertise in incident response management and, particularly, the secure restoration and recovery from cyber incidents such as ransomware attacks and business email compromises. In addition to his incident response work, Kyle has also supported multinational clients with their security transformation programmes, advising on the development and implementation of new technological, procedural, and cultural security controls.  

Kyle joined S-RM in 2019, initially working as an analyst in the Corporate Intelligence team, where he supported various corporate and diligence investigations. He holds a BCom(LLB) from Stellenbosch University in South Africa and is GSEC certified. 

Miles Arkwright, Associate, Cyber Advisory

James Tytler, Associate, Incident Response

James Tytler is an associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
