1 November 2024

6 min read

Law enforcement disrupts RedLine and MetaStealer infrastructure | Cyber Intelligence Briefing: November 1, 2024


Top news stories this week

  1. Operation Magnus. Dutch police and FBI disrupt RedLine and MetaStealer infrastructure.
  2. Perfect target. Ransomware groups are exploiting SonicWall VPN accounts to breach networks.
  3. Healthcare under attack. Ransomware attacks in the healthcare sector have surged by 300%.
  4. Go phish. Novel phishing techniques abuse Microsoft Teams and imitate Google’s ‘I’m not a robot’ request.
  5. Geo-leak. The location of world leaders leaked by their bodyguards using Strava.
  6. Mouse click mayhem. Ex-Disney worker charged with hacking and menu tampering after termination.


1. Dutch police and FBI disrupt RedLine and MetaStealer infrastructure

The FBI alongside law enforcement from the Netherlands, Belgium, and other partners have seized RedLine and MetaStealer network infrastructure as part of a joint operation that shut down three servers and two domains in the Netherlands belonging to the infostealer malware.

The US Department of Justice also unsealed charges against Russian national Maxim Rudometov, who was identified as a developer and administrator of RedLine. Meanwhile, Belgian police detained two individuals, later releasing one.

So what?

The operation has caused disruption to RedLine, one of the most prevalent infostealers in the world, which targeted millions of victim computers.

[Researcher: Waithera Junghae]


2. Akira and Fog ransomware operators actively exploiting SonicWall VPN vulnerability

Hackers are exploiting a critical vulnerability (CVE-2024-40766) in SonicWall SSL VPN appliances to breach corporate networks and deploy the Fog and Akira ransomware strains. SonicWall released a patch for the flaw in August, and has since strongly advised all customers to reset passwords and enforce MFA in addition to applying the patch. S-RM has recently observed a number of cases likely involving this method of entry.

So what?

It is important to follow all vendor advice relating to software vulnerabilities. Patching alone may not protect you if credentials have already been compromised.

[Researcher: Adelaide Parker]


3. Ransomware attacks against the healthcare industry have surged by 300%

A recent study by Microsoft found that ransomware attacks in the healthcare sector have surged by 300% since 2015. Healthcare organizations are often seen as prime targets due to the valuable patient data they hold and a potential willingness to pay a higher sum in order to avoid serious disruption to patient care.

Recently, Henry Schein, a healthcare solutions provider, revealed that over 160,000 people had their personal information stolen as a result of a cyber attack by the BlackCat ransomware gang.

So what?

A broad attack surface, combined with inconsistent security protocols and resource constraints, makes healthcare organizations especially vulnerable to attacks, which can have serious financial and patient care consequences.

[Researcher: Anna Tankovics]


4. Novel social engineering techniques target users to gain access to networks

Ransomware group Black Basta has been posing as helpdesk employees on Microsoft Teams to gain access to corporate networks. Attackers have targeted users with spam attacks before offering to remediate the problem and tricking users into installing remote access software.

Separately, Russian nation-state actors have been targeting policy-making organisations with highly targeted spear phishing emails. The emails contain imitation Google ‘I’m not a robot’ reCAPTCHA requests, which lead to the compromise of the victim’s device when clicked.

So what?

Application allowlisting on corporate devices can ensure that users do not have the ability to run and install malicious software if they fall victim to a social engineering attack.

[Researcher: David Broome]


5. The location of world leaders leaked by their bodyguards using Strava

Workout sessions tracked on Strava by bodyguards have revealed the highly confidential movements of US president Joe Biden, US presidential candidates Donald Trump and Kamala Harris, French president Emmanuel Macron and Russian president Vladimir Putin.

So what?

Organizations should train their employees to protect sensitive information and inform them of the various ways it can be unintentionally leaked.

[Researcher: Milda Petraityte]


6. Former Disney employee arrested after sabotaging restaurant menus post termination

Authorities have arrested and charged a former Disney employee for gaining unauthorized access into the company's network. The individual used their valid work credentials to log in, altered allergen notes on Disney's restaurant menus, carried out denial of service attacks on ex-colleagues, and took the company's menu system offline for weeks.

So what?

Companies should disable or reset credentials when offboarding employees to ensure disgruntled leavers cannot access corporate systems.

[Researcher: Lawrence Copson]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
