This Week in Cyber 17th May 2024

Hackers Deface British News Websites

A number of news sites owned by, Newsquest Media Group, the second largest regional news organisation in the UK, were the victims of a cyber campaign. Affected sites were defaced by an author called "Daniel Hopkins" in Cyrillic. This attack is reminiscent of the GhostWriter campaign that is still considered to be ongoing.

This attack may be a copycat attack or a continuation of the GhostWriter campaign. The attack likely originated in a shared content management system used by Newsquest Media Group. The threat actor and motive remains unclear. While little damage was done, this a notable situation, threatening similar incidents like the Guardian ransomware attack seen last year.

Threat Actor Claims To Have Breached Europol Online Platform

A Threat Actor known as IntelBroker has made claims that they stole confidential information from Europol Platform for Experts (EPE). The claim was made on online forums, and backed up with screenshots supposedly showing internal access to the EPE. Shortly after the claims were made, Europol took their EPE down for maintenance and confirmed that they were the main subject of the incident.

The EPE is a platform for Europol to communicate with specialists across law enforcement agencies. Europol has stated that no operational data from Europol has been compromised. IntelBroker said they were selling data in the form of a list of user information on EPE's secure messaging service including names, job titles and employers. They have since claimed on the notorious hacker forum BreachForums to have sold the data for an undisclosed amount. IntelBroker is a user who has previously bragged about their part in a number of other high profile breaches of other security agencies last month. 

Christie Auction-Site Cyberattack

A recent cyberattack on Christie’s auction house led to the shutdown of its main website, forcing the establishment of a new domain for live auctions. The nature of the attack suggests a possible Distributed Denial of Service (DDoS) strategy, although this remains unconfirmed. The identity of the threat actors is still unknown, and it’s unclear whether they accessed sensitive client or employee information. Notably, the timing of the attack, just before a planned $850m auction, indicates a strategic intent to disrupt Christie’s operations and potentially impact its reputation.

Microsoft’s May 2024 Patch Tuesday Security Updates

In the May 2024 Patch Tuesday updates, Microsoft addressed a total of 61 security flaws. These vulnerabilities were categorised as follows: one Critical, 59 Important, and one Moderate. Among them, two zero-day vulnerabilities were actively exploited in the wild. The first is CVE-2024-30040, a Windows MSHTML Platform Security Feature Bypass Vulnerability with a CVSS score of 8.8. Successful exploitation requires convincing users to open a malicious document.

The second is CVE-2024-30051, a Windows Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability (CVSS score: 7.8), allowing threat actors to gain SYSTEM privileges. Researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group, and Mandiant discovered and reported the latter. Both vulnerabilities have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the latest fixes by June 4, 2024. Additionally, Microsoft resolved several other issues, including remote code execution bugs and privilege escalation flaws in various components of Windows.

Phorpiex and LockBit Ransomware Campaign

In late April, a massive wave of emails containing LockBit ransomware inundated inboxes daily, thanks to the infamous Phorpiex botnet. Phorpiex, also known as Trik or Tldr, has been a persistent threat since 2011, comprising over a million compromised Windows computers. This botnet is often used as a service to spread phishing and malware-laden emails on behalf of various threat actors.

In this recent campaign, Phorpiex facilitated the delivery of LockBit Black ransomware, also known as LockBit 3.0. Emails from fictitious senders such as "Jenny Green" or "Jenny Brown" with subject lines like “Your Document” and “Photo of you???” contained ZIP file attachments. When recipients opened these attachments, they executed a malicious file that connected back to Phorpiex’s infrastructure, downloading and deploying the LockBit ransomware.

LockBit Black encrypts the victim’s files, rendering them inaccessible and displaying a ransom note demanding payment for decryption. The ransomware also exhibits data theft behavior, potentially exfiltrating sensitive information. This campaign was notable not only for the sheer volume of emails—millions per day—but also for the use of ransomware as a first-stage payload, a tactic rarely seen since before 2020. The LockBit Black variant used in this attack was likely built from a leaked LockBit builder, providing threat actors with the tools to customise and deploy sophisticated ransomware.

Analyst Insight

Recent cyber incidents have continued to highlight the diverse tactics and evolving objectives of threat actors. The defacement of Newsquest Media Group’s websites, in a GhostWriter-style campaign, suggests a persistent focus on media manipulation and disruption. Similarly, the cyberattack on Christie’s auction house, which led to a website shutdown before a major auction, indicates strategic attempts to disrupt high-profile events and damage reputations. 

The breach of Europol's Platform for Experts by IntelBroker, who sold user information, demonstrates the persistent need to secure communication channels and prevent the lucrative sale of stolen data. Thankfully, Microsoft's May 2024 Patch Tuesday has resolved critical zero-day vulnerabilities; which were actively exploited in the wild.

Another notable trend is the resurgence of ransomware, exemplified by the Phorpiex botnet's massive email campaign distributing LockBit Black ransomware. This campaign, with millions of emails per day, marks a potential shift back to using ransomware as a first-stage payload, reflecting the broader trend of increased ransomware attacks targeting various sectors.