🚨 FBI Takes Down Radar/Dispossessor Ransomware Infrastructure 💥

Aug 23 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all our UK readers a sunny, safe, and sound August Bank Holiday Weekend 🍾🍾🍾

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳

Congrats to Windows, the cybercriminals are no match… for your (soon to be released 🙈) patch! 🩹

Check out this freshly hatched patch 🐣

๐Ÿ›ก๏ธ๐Ÿšจ Patch Alert: Microsoft Fixes 90 Security Flaws, 10 Zero-Days! ๐Ÿšจ๐Ÿ›ก๏ธ

Microsoft has released patches for 90 security flaws, including 10 critical zero-days—six of which are actively being exploited in the wild! 🔥 Of these, nine are rated Critical, 80 Important, and one Moderate. The key zero-days include CVE-2024-38189 (CVSS 8.8) for remote code execution in Microsoft Project, and CVE-2024-38178 (CVSS 7.5), a Windows Scripting Engine memory corruption vulnerability. 🖥️💣

These updates also tackle issues like privilege escalation (CVE-2024-38193) and bypassing security features (CVE-2024-38213). Don't forget to update your systems ASAP to stay protected! 💻✨🔒

Additionally, 36 vulnerabilities in Microsoft Edge were patched, and other vendors like Adobe, Google, Intel, and more have released crucial updates. Stay ahead of the threats—keep your systems secure! 🚀🔐📱

Now, on to this week’s hottest cybersecurity news stories:

  • 👨🏻‍💻 Dispossessor ransomware servers shut down by FBI 👮🏻‍♂️

  • ๐Ÿž Vulnerabilities discovered in AI-powered Azure health bot ๐Ÿค–

  • 👤 Black Basta-linked attacks target users w/ SystemBC malware 👾

Dispossessor gets dispossessed 👮🏻‍♂️👀💀

🚨 FBI Takes Down Radar/Dispossessor Ransomware Infrastructure 💥

🎯 Major Disruption! The FBI has dismantled the online infrastructure of Radar/Dispossessor, a rising ransomware group targeting small-to-mid-sized businesses globally. This operation involved taking down multiple servers and criminal domains across the U.S., U.K., and Germany.

🦹 Who is Dispossessor?

Active since August 2023, Radar/Dispossessor quickly made a name for itself in sectors like healthcare, education, and finance. The group, allegedly led by someone using the alias "Brain," employs a Ransomware-as-a-Service (RaaS) model similar to LockBit, using dual-extortion tactics to pressure victims into paying up.

🔗 Attack Tactics

Dispossessor exploits security flaws and weak passwords to breach systems, encrypt data, and demand ransom. If victims don’t respond, the group ups the ante by directly contacting company employees and threatening to leak sensitive data on video platforms.

๐ŸŒ Global Reach

So far, 43 companies across 14 countries, including the U.S., U.K., Germany, and Australia, have fallen victim to Dispossessor attacks. The group shares tools and profits with another entity called Radar, suggesting a close collaboration between the two.

๐Ÿ” The Bigger Picture

This takedown is part of a broader global effort to combat ransomware, which remains a significant threat. Ransomware groups are increasingly targeting smaller organisations, exploiting vulnerabilities, and operating with a level of sophistication that mirrors legitimate businesses.

💡 Stay Vigilant

As ransomware groups continue to evolve, businesses must stay vigilant, bolster security measures, and prepare for the possibility of being targeted.


Azure as you’re born 🙃

🚨 Critical Flaws in Microsoft Azure Health Bot Service Patched 🛡️

๐Ÿ” Security Risks in Healthcare Bots! Cybersecurity researchers have uncovered two critical vulnerabilities in Microsoft's Azure Health Bot Service that could have allowed attackers to access sensitive patient data by moving laterally within customer environments. The issues, now patched by Microsoft, were reported by Tenable in a detailed investigation.

🤖 What is Azure Health Bot?

Azure Health Bot is a cloud platform used by healthcare organisations to develop AI-powered virtual assistants for tasks like managing patient interactions and administrative workloads. These bots are widely used by insurance providers and healthcare entities to help users with tasks such as checking claim statuses or finding nearby doctors.

โš ๏ธ Vulnerabilities Exposed

Tenable's research focused on a feature called Data Connections within the service, which allows bots to integrate with external data sources. Despite built-in security measures, Tenable discovered that these safeguards could be bypassed using redirect responses, allowing attackers to obtain access tokens for sensitive internal resources.

Additionally, another endpoint supporting the FHIR data exchange format was found vulnerable to similar exploits. The flaws raised significant concerns about the security of AI-driven healthcare tools, emphasising the need for robust web app and cloud security practices.
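To make the redirect issue concrete, here is an added illustration (not Tenable's research or Microsoft's code) of an outbound-fetch filter that checks only the configured URL next to one that re-checks every redirect hop; the hosts, the private address, the paths and the token value are all constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for an HTTP client: url -> (status, headers, body).
# "partner.example" is a hypothetical external host that answers with a redirect
# to an address inside the private range; the token value is made up.
FAKE_HTTP = {
    "https://partner.example/data": (
        302, {"Location": "http://10.0.0.5/internal/token"}, b""),
    "http://10.0.0.5/internal/token": (
        200, {}, b'{"access_token": "<constructed-token>"}'),
    "https://fhir.example/Patient/1": (
        200, {}, b'{"resourceType": "Patient"}'),
}
REDIRECTS = {301, 302, 303, 307, 308}

def is_allowed_destination(url: str) -> bool:
    """Allow only http(s) and reject private, loopback and link-local IP literals."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        ip = ipaddress.ip_address(p.hostname)
    except ValueError:
        return True  # a hostname; a full filter would also resolve and re-check
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def fetch(url: str, revalidate_redirects: bool, max_hops: int = 5):
    """Follow redirects and return the final body, or None when a hop is blocked.

    revalidate_redirects=False checks only the URL the bot author configured,
    so a redirect can steer the request to an internal endpoint.  True applies
    the same check to every Location the server hands back.
    """
    if not is_allowed_destination(url):
        return None
    for _ in range(max_hops):
        status, headers, body = FAKE_HTTP[url]
        if status not in REDIRECTS:
            return body
        url = headers["Location"]
        if revalidate_redirects and not is_allowed_destination(url):
            return None
    raise RuntimeError("too many redirects")

def fetch_weak(url: str):
    return fetch(url, revalidate_redirects=False)

def fetch_hardened(url: str):
    return fetch(url, revalidate_redirects=True)
```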

🔧 Microsoft’s Response

After Tenable reported these issues in mid-2024, Microsoft swiftly rolled out patches to all affected regions. There's no evidence to suggest these vulnerabilities were exploited in the wild, but the incident underscores the importance of securing AI-based services in critical sectors like healthcare.

๐Ÿ›ก๏ธ Ongoing Security Efforts

This discovery comes shortly after another reported flaw in Microsoft Entra ID, which allowed for privilege escalation. These incidents highlight the evolving nature of cybersecurity threats in the era of AI and cloud computing.

By keeping software up-to-date and applying rigorous security measures, organisations can better protect sensitive data from emerging threats.

You Black Basta- WOAH! Easy now 💀💀💀

🚨 Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Group 🛡️

Cybersecurity researchers have uncovered an ongoing social engineering campaign with ties to the Black Basta ransomware group. This campaign, which has been linked to multiple intrusion attempts, is focused on credential theft and deploying the SystemBC malware dropper.

🎣 Attack Methodology

The attack begins with an "email bomb," followed by a phone call from the attackers who pose as IT staff offering a "solution" to the overwhelmed users. The attackers typically make these calls via Microsoft Teams, making the scam appear legitimate.

Victims are then convinced to download and install AnyDesk, a legitimate remote access software, which the attackers use as a channel to deploy further malicious payloads and exfiltrate sensitive data. One notable part of the attack is the use of a fake executable named "AntiSpam.exe," which pretends to be an email spam filter update and tricks users into entering their Windows credentials.

🦠 Malware Deployment

Once the attackers gain access, they execute several binaries, DLL files, and PowerShell scripts, including a Golang-based HTTP beacon that establishes contact with a remote server, a SOCKS proxy, and the SystemBC malware. This layered approach allows the attackers to maintain persistent access and potentially exfiltrate more sensitive data.

โš ๏ธ Broader Context and Trends

This campaign is part of a broader trend in social engineering and phishing attacks. Data from ReliaQuest indicates that SocGholish (FakeUpdates), GootLoader, and Raspberry Robin are among the most commonly observed loader strains in 2024, serving as gateways for ransomware deployment.

Interestingly, GootLoader has replaced QakBot on the top-three list this year, reflecting shifts in malware distribution strategies. Many of these loaders are marketed on dark web forums under subscription models, making it easier for even less technically skilled attackers to launch sophisticated attacks.

๐Ÿ” Additional Threats

Phishing attacks have also been observed using the 0bj3ctivity Stealer and Ande Loader in multi-layered distribution mechanisms. These attacks involve obfuscated and encrypted scripts, memory injection techniques, and enhanced anti-detection features, making them harder to detect.

In a related trend, threat actors have been weaponizing fake QR codes and malvertising campaigns. For instance, some campaigns have hijacked Facebook pages to promote seemingly legitimate AI tools, which are then used to deliver Lumma Stealer malware.

🔧 Mitigation Strategies

To defend against these sophisticated attacks, it is recommended to block unapproved remote desktop solutions, educate employees about phishing tactics, and be vigilant against suspicious communications, especially those purporting to be from internal IT staff.
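The chain described above (mail flood, then a remote-access tool and a lure binary landing on the same user's machine) lends itself to a simple correlation rule. The following is an added example, not ReliaQuest's or any vendor's detection content; the telemetry, the user names, the approved-tool policy and the time thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: mail-gateway deliveries (time, user)
# and endpoint process-creation events (time, user, image path).
BASE = datetime(2024, 8, 20, 10, 0, 0)
MAIL_EVENTS = [(BASE + timedelta(seconds=10 * i), "alice") for i in range(60)]
MAIL_EVENTS += [(BASE + timedelta(minutes=30 * i), "bob") for i in range(3)]
PROC_EVENTS = [
    (BASE + timedelta(minutes=12), "alice", r"C:\Users\alice\Downloads\AnyDesk.exe"),
    (BASE + timedelta(minutes=15), "alice", r"C:\Users\alice\Downloads\AntiSpam.exe"),
    (BASE + timedelta(minutes=45), "bob", r"C:\Program Files\RemoteHelp\remotehelp.exe"),
]
# Hypothetical policy: the organisation's one sanctioned remote-support binary.
APPROVED_REMOTE_TOOLS = {"remotehelp.exe"}
# Remote-access tool reported in this campaign; extend from your own software inventory.
KNOWN_REMOTE_TOOLS = {"anydesk.exe"}
# Lure filename reported in this campaign.
SUSPICIOUS_IMAGES = {"antispam.exe"}

def email_bombed_users(mail_events, threshold=50, window=timedelta(minutes=10)):
    """Return {user: burst_start} for users receiving >= threshold mails inside window."""
    by_user = defaultdict(list)
    for ts, user in mail_events:
        by_user[user].append(ts)
    bombed = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bombed[user] = times[i]
                break
    return bombed

def suspicious_processes(proc_events):
    """Flag unapproved remote-access tools and the reported lure binary."""
    hits = []
    for ts, user, path in proc_events:
        name = path.rsplit("\\", 1)[-1].lower()
        unapproved_remote = name in KNOWN_REMOTE_TOOLS and name not in APPROVED_REMOTE_TOOLS
        if unapproved_remote or name in SUSPICIOUS_IMAGES:
            hits.append((ts, user, name))
    return hits

def correlate(mail_events, proc_events, lookahead=timedelta(hours=2)):
    """Alert when a flagged process runs for a user shortly after their mail flood starts."""
    bombed = email_bombed_users(mail_events)
    alerts = []
    for ts, user, name in suspicious_processes(proc_events):
        start = bombed.get(user)
        if start is not None and start <= ts <= start + lookahead:
            alerts.append((user, name, ts.isoformat()))
    return alerts
```

Either signal alone is noisy (a single AnyDesk install may be legitimate support work); the value is in requiring both for the same user inside the lookahead window.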

๐ŸŒ Staying Safe

As attackers continue to innovate with social engineering techniques, it’s crucial for both individuals and organisations to maintain robust security practices, including advanced detection mechanisms and continuous monitoring of potential threats.

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
