The notorious Hive ransomware gang, which was shut down in January 2023 after a major operation by the FBI and other law enforcement agencies, may be making a comeback under a new name. BleepingComputer reports that a new ransomware-as-a-service operation called “Hunters International” has emerged, and there are suspicions that it is a rebranding of the Hive gang. The original Hive gang was responsible for numerous high-profile ransomware attacks before its operations were disrupted. If confirmed, the return of the Hive gang under a new guise could pose a significant threat to organizations and individuals.
In other cybersecurity news, there has been a surge in the exploitation of the Citrix Bleed vulnerability, which affects NetScaler ADC and NetScaler Gateway. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023. However, security researchers have since reported incidents of session hijacking and targeted attacks exploiting the flaw. At least two ransomware groups have been identified as actively exploiting it, with one group even distributing a Python script to automate the attack chain. Organizations that have not yet patched their systems, and invalidated existing sessions after patching, remain at risk of falling victim to these attacks.
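Because the reported abuse of Citrix Bleed takes the form of session hijacking, one check a defender can run on gateway access logs is to look for a single session identifier being used from more than one client IP address. The following is an added example written for this digest, not code from BleepingComputer, Citrix or any of the researchers cited; the log line format (timestamp, client IP, `sess=` identifier, method, path) and the sample lines are constructed for the example and are not the real NetScaler log layout.

```python
import re
from collections import defaultdict

# Constructed sample gateway access-log lines for this example. The format
# (timestamp, client IP, session id, method, path) is an assumption made
# here, not the actual NetScaler log layout.
SAMPLE_LOG = """\
2023-11-01T10:00:01Z 203.0.113.10 sess=abc123 GET /vpn/index.html
2023-11-01T10:00:05Z 203.0.113.10 sess=abc123 GET /vpn/portal
2023-11-01T10:02:11Z 198.51.100.7 sess=abc123 GET /vpn/portal
2023-11-01T10:02:12Z 198.51.100.7 sess=abc123 GET /vpn/admin
2023-11-01T10:03:40Z 192.0.2.44 sess=def456 GET /vpn/index.html
2023-11-01T10:04:02Z 192.0.2.44 sess=def456 GET /vpn/portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+)$"
)


def parse_lines(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_shared_sessions(events, max_ips=1):
    """Flag session ids seen from more than max_ips distinct client IPs.

    Returns {sid: {"ips": sorted ip list, "first_foreign": timestamp of the
    first request from an IP other than the one that opened the session}}.
    A legitimate user can change IP (mobile roaming, VPN exit change), so
    treat hits as triage leads rather than proof of hijacking.
    """
    ips_by_sid = defaultdict(list)  # list, not set, to keep first-seen order
    first_foreign = {}
    for ev in events:
        seen = ips_by_sid[ev["sid"]]
        if ev["ip"] not in seen:
            seen.append(ev["ip"])
            if len(seen) > 1 and ev["sid"] not in first_foreign:
                first_foreign[ev["sid"]] = ev["ts"]
    return {
        sid: {"ips": sorted(ips), "first_foreign": first_foreign.get(sid)}
        for sid, ips in ips_by_sid.items()
        if len(ips) > max_ips
    }


if __name__ == "__main__":
    for sid, info in find_shared_sessions(parse_lines(SAMPLE_LOG)).items():
        print(f"session {sid} used from {info['ips']} "
              f"(first foreign request at {info['first_foreign']})")
```

In the sample, session `abc123` is opened from one address and then reused from another two minutes later, which is the pattern to triage; `def456` stays on a single address and is not reported. The `first_foreign` timestamp gives the point from which to review what the second address did with the session.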
Meanwhile, the Lazarus Group, a North Korean state-sponsored hacking group, has been targeting blockchain engineers with a newly observed strain of macOS malware called “KANDYKORN.” The group is known for its cyber espionage activities and has previously targeted financial institutions and cryptocurrency exchanges. This latest campaign represents a shift in tactics, as the group is now targeting individuals with specific blockchain expertise. The malware is delivered via a camouflaged Python application advertised as an arbitrage bot for blockchain engineers. The Lazarus Group’s interest in blockchain technology suggests that it may be exploring new avenues for financial gain or seeking to exploit vulnerabilities in cryptocurrency systems.
In other cybersecurity developments, low-grade Russian cybercriminals have been empowered by a commodity tool that enables them to create large numbers of fake social media accounts. The tool, known as “Kopeechka,” bypasses the requirement for accounts to be associated with unique email addresses and phone numbers. According to Trend Micro, the tool has been active since 2019 and allows criminals to create fraudulent accounts on platforms such as Facebook, X (formerly Twitter), Discord, Telegram, and Roblox. The availability of such tools at low cost makes it easier for cybercriminals to carry out illicit activities and poses a challenge for law enforcement agencies trying to combat cybercrime.
In the Middle East, internet and telecoms services in Gaza have been severely interrupted, due both to infrastructure damage caused by Israeli airstrikes and to remote shutdowns. The interruption of services has not only inconvenienced Hamas but has also had a significant impact on the civilian population, depriving them of vital communication channels. In response, Elon Musk has promised to provide Starlink connectivity to internationally recognized humanitarian organizations operating in the region. However, it will take time to implement this and restore connectivity fully.
Additionally, a recent report by Cisco Talos highlights the activities of Arid Viper, an espionage group based in Gaza believed to be affiliated with Hamas. The group has been targeting Arabic speakers’ Android devices, deploying malicious software disguised as an update for a legitimate dating app called Skipped. Once installed, the spyware collects sensitive information, disables security notifications, and establishes backdoors for further malware installation. While Arid Viper’s activities are not directly linked to the ongoing war with Israel, they highlight the ongoing cyber threats in the region.
Furthermore, Iran has been showing improved cyberespionage capabilities, primarily targeting regional rivals such as Israel, Saudi Arabia, and Jordan. The cyberespionage campaigns serve the dual purpose of espionage and battlespace preparation for potential future cyberattacks. The involvement of the Iranian threat group MuddyWater in the cyber phases of the war between Hamas and Israel indicates the increasing convergence of cyber and kinetic warfare. The group has employed updated tactics, techniques, and procedures (TTPs), including spear-phishing, to carry out its operations.
Russian threat group Turla, also known as Venomous Bear, has been observed deploying a new advanced and stealthy .NET backdoor called “Kazuar” against the Ukrainian defense sector. The backdoor allows the threat actor to obtain access to sensitive information and maintains resilience against takedowns by hijacking legitimate websites for command-and-control purposes. The use of Kazuar by Turla highlights the ongoing cyber warfare between Russia and Ukraine.
In the realm of hacktivism, both the ongoing conflict between Hamas and Israel and Russia’s war against Ukraine have seen hacker groups engaging in various cyber activities. While the attacks carried out by hacktivists may have little consequence for national security operations, they create disruptions and unsettle the public. Hacktivist groups on both sides of these conflicts have been identified and catalogued along with their allegiances and specialties. The attacks range from website defacements to distributed denial-of-service (DDoS) actions.
In conclusion, the cybersecurity landscape continues to evolve, with the suspected resurgence of the Hive ransomware gang, ongoing exploitation of vulnerabilities such as Citrix Bleed, and the use of advanced malware by state-sponsored hacking groups like the Lazarus Group and Turla. Additionally, the empowerment of low-grade cybercriminals through commodity tools and the disruptions to internet and telecoms services in conflict zones highlight the multifaceted nature of cyber threats in today’s world. It is essential for organizations and individuals to stay vigilant and take proactive measures to protect themselves from these evolving threats.
