Weekly Cyber Reports

This Week in Cyber 6th September 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

5th September, 2024



Analyst Insight


We have seen more attacks on critical infrastructure, with Transport for London reporting a cyber security incident earlier this week; fortunately there was no disruption to transport services. There is also a rise in malware-as-a-service operations, which lowers the barrier to entry for cybercrime. A ransomware group is impersonating the mysterious internet puzzle organisation "Cicada 3301", trading on its notoriety to launch ransomware attacks on organisations. Planned Parenthood, an American non-profit, experienced a cyber attack for which the RansomHub group has claimed responsibility.

 


Ransomware-as-a-service Operation Impersonates Cicada 3301 Organisation


Between 2012 and 2014 the internet mystery "Cicada 3301" published elaborate puzzles on public online forums for users to solve; according to Metro it was dubbed "the most elaborate and mysterious puzzle of the internet age". Recently, a threat actor has been using the legitimate Cicada 3301 name and logo to launch ransomware attacks on organisations. Cicada 3301 has released a statement denouncing the RaaS group and distancing itself from the malicious activity.

 

According to BleepingComputer, the group began promoting the RaaS operation on June 29th 2024, seeking affiliates. An "affiliate" is a criminal who effectively rents the ransomware and its supporting infrastructure from the operator, uses it to extort corporate networks, and hands the operator a share of any ransom paid. Victims successfully breached by "Cicada 3301" affiliates are listed on the group's double-extortion dark web leak site, where the threat of publishing stolen data is used as leverage to demand a ransom.

 

Malware analysis by Truesec shows that the ransomware targets both Windows and Linux/ESXi hosts. There are notable similarities between this group's ransomware code and that of the defunct BlackCat/ALPHV RaaS, suggesting a possible connection.

 


Transport for London (TfL) Discloses Cyber Security Incident


Transport for London (TfL), the local government body responsible for managing public transport in the capital, has disclosed an "ongoing cyber security incident". On Monday evening, TfL reassured customers that there is "no evidence that any customer data has been compromised and there has been no impact on TfL services".

 

TfL is working closely with the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) to address the incident, and further updates will be provided once it is resolved. Thanks to the swift response, no services were disrupted. Given that TfL handles around four million journeys a day, any disruption could have brought London to a standstill, highlighting the importance of cyber security in protecting essential services.

 


Information-Stealing Malware Disguised as Fake Fixes In GitHub Comments


Lumma Stealer (also known as LummaC2) is an information-stealing malware that has been advertised and sold on multiple dark web forums since 2022. Its operators use a Malware-as-a-Service (MaaS) model: customers pay a monthly subscription, with tiered plans depending on their criminal needs. LummaC2 has the same characteristics as other information-stealers, harvesting sensitive data such as usernames, passwords and credit card numbers, and it can also extract data from installed programs.

 

Research reported by BleepingComputer reveals that comments have been posted to thousands of GitHub projects offering fake fixes to other users' issues. In one example, the threat actor used the legitimate file-hosting service MediaFire to deliver a supposed fix, which was actually the Lumma Stealer malware. According to reverse engineer Nicholas Sherlock, over 29,000 such comments were discovered over a three-day period, showing that this is an ongoing, large-scale campaign.
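The pattern described above (a "fix" offered in a comment, an external file host, an archive with a password, the same text blasted across many repositories) is easy to triage mechanically. The script below is an added example written for this report; it is not code from BleepingComputer, Nicholas Sherlock or GitHub. It scores comments with simple heuristics and adds a bonus when the same template appears across several repositories. Only "mediafire.com" comes from the report; the other hosts, the weights, the thresholds and the sample comments are this example's own assumptions and should be tuned against real data pulled from the GitHub API.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Comment:
    repo: str    # "owner/name"
    author: str
    body: str


# "mediafire.com" is the file host named in the report. The other two entries
# are this example's own assumption about hosts such a campaign might use.
SUSPICIOUS_HOSTS = ("mediafire.com", "bit.ly", "tinyurl.com")

URL_RE = re.compile(r"https?://([a-z0-9.-]+)[^\s)>\]]*", re.I)
ARCHIVE_RE = re.compile(r"\bpassword\b|\.(?:zip|rar|7z)\b", re.I)
FIX_RE = re.compile(r"\b(?:fix|fixed|solution|patch)\b", re.I)


def _suspicious_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SUSPICIOUS_HOSTS)


def normalize(body: str) -> str:
    """Reduce a comment to a template: URLs replaced, whitespace and case
    folded, so copies that differ only in the download link collide."""
    return re.sub(r"\s+", " ", URL_RE.sub("<url>", body)).strip().lower()


def comment_score(c: Comment) -> Tuple[int, List[str]]:
    """Score one comment on its own content. Weights are arbitrary
    (assumption); tune them against real data."""
    score, reasons = 0, []
    hosts = sorted({m.group(1).lower() for m in URL_RE.finditer(c.body)
                    if _suspicious_host(m.group(1))})
    if hosts:
        score += 2
        reasons.append("link to external file host: " + ", ".join(hosts))
    if ARCHIVE_RE.search(c.body):
        score += 1
        reasons.append("mentions an archive or password")
    if FIX_RE.search(c.body):
        score += 1
        reasons.append("offers a 'fix'")
    return score, reasons


def flag_campaign(comments: Iterable[Comment], min_repos: int = 3,
                  threshold: int = 3) -> List[Tuple[Comment, int, List[str]]]:
    """Score every comment and add a bonus when the same template shows up
    across many repositories, the hallmark of a mass-posting campaign."""
    comments = list(comments)
    repos_by_template: Dict[str, Set[str]] = defaultdict(set)
    for c in comments:
        repos_by_template[normalize(c.body)].add(c.repo)

    flagged = []
    for c in comments:
        score, reasons = comment_score(c)
        n = len(repos_by_template[normalize(c.body)])
        if n >= min_repos:
            score += 2
            reasons.append(f"identical text posted to {n} repositories")
        if score >= threshold:
            flagged.append((c, score, reasons))
    return flagged


# Constructed sample comments for the demo (not real GitHub data).
LURE = ("I had the same problem, here is the fix: "
        "https://www.mediafire.com/file/{id}/fix.zip (archive password: 1234)")
SAMPLE_COMMENTS = [
    Comment("acme/widget", "helper-4920", LURE.format(id="a1b2")),
    Comment("foo/bar", "helper-4920", LURE.format(id="c3d4")),
    Comment("baz/qux", "support-dev", LURE.format(id="e5f6")),
    Comment("acme/widget", "maintainer",
            "Fixed in #42, thanks! https://github.com/acme/widget/pull/42"),
    Comment("foo/bar", "reporter",
            "Uploaded my debug logs: https://www.mediafire.com/file/zz99/logs.txt"),
]

if __name__ == "__main__":
    for c, score, reasons in flag_campaign(SAMPLE_COMMENTS):
        print(f"[{score}] {c.repo} by {c.author}: {'; '.join(reasons)}")
```

On the constructed sample the three lure comments are flagged (external host, password hint, "fix" wording, and the same template in three repositories), while a maintainer's genuine "Fixed in #42" and a user sharing debug logs on MediaFire stay below the threshold. In practice the bonus for cross-repository repetition is the strongest signal: a single MediaFire link can be legitimate, but 29,000 near-identical comments in three days cannot.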

 


Two Critical Vulnerabilities Discovered in Cisco Smart Licensing Utility


Cisco released an advisory on Wednesday addressing two vulnerabilities in the Cisco Smart Licensing Utility, software that customers use to manage their Cisco product licences. The vulnerabilities could allow an unauthenticated, remote attacker to log in with administrative privileges or to obtain sensitive information. The utility is not running by default, so the flaws are only exploitable on hosts where a user has started it.

 

CVE-2024-20439 (CVSS 9.8) – an undocumented static credential for an administrative account; anyone who knows it can log in to the vulnerable utility with administrative privileges.

 

CVE-2024-20440 (CVSS 7.5) – excessive verbosity in a debug log file; an attacker who sends a crafted HTTP request to an affected host can obtain log files containing sensitive data, including credentials that could be used to access the utility's API.

 

Cisco has released free software updates to address these vulnerabilities. Versions 2.0.0, 2.1.0 and 2.2.0 are affected; version 2.3.0 is not, so affected customers should upgrade to 2.3.0 or later. More information can be found in the Cisco Security advisory.

 


RansomHub Claims Responsibility for Planned Parenthood Cyberattack


Planned Parenthood, an American non-profit that provides reproductive and sexual healthcare and education, recently experienced a cyber attack at its Montana branch. To contain the damage, the organisation had to shut down several parts of its infrastructure.

 

The attack was first discovered on August 28th, prompting the IT team to initiate incident response protocols, according to a statement given to Recorded Future. The ransomware group "RansomHub" has claimed responsibility and is threatening to leak 93GB of data allegedly stolen from Planned Parenthood on its dark web extortion portal, according to BleepingComputer. It has not yet been confirmed that any data was stolen from Planned Parenthood systems; an ongoing investigation is looking into this possibility.
