Each month, the Ankura Cyber Threat Investigations & Expert Services (CTIX) team compiles and provides a thorough analysis of the latest threats, adversary techniques, and trends into an in-depth report called the Cyber Threat Intelligence Bulletin.
Updated for October - November 2022, this report provides an in-depth look at current global threats and key cyber trends to watch to help prepare your organization for potential threats.
The summary below includes a preview of the key threat topics from this month's Intelligence Bulletin.
Coordinated SEO Poisoning Redirect Campaign Hacked Thousands of Websites
A massive SEO poisoning campaign has compromised almost 15,000 WordPress sites with redirect links that send users to actor-controlled sites such as fake Q&A forums. The threat actors' motivation is to boost the fake websites' rankings in Google: as multiple IPs from all over the world interact with the compromised site, the redirected domain's ranking in Google Search increases, leading even more unsuspecting users to it.
Figure 1: Redirect to a Q&A Forum
What Happened to Raidforums?
Two new active successor sites have emerged in the wake of the Raidforums takedown in February 2022: “Breached[.]co,” also known as “BreachedForum,” and “raidforums2[.]com,” also known as “Raid2.” BreachedForum appears to be the most popular direct successor to Raidforums thus far, while Raid2 appears to have been created by a pro-Ukrainian group and has seen a slower growth rate and less activity. Raidforums users also appear to have migrated to other well-known, previously established forums, with new user registrations spiking in the ten (10) days following the Raidforums seizure.
Recent Cyber Threats Surrounding Twitter
Elon Musk became the owner and CEO of Twitter in October 2022, creating a new verification system in November for high-profile accounts called Twitter Blue. After the rollout of the program, an exponential uptick in account impersonation was quickly observed. Impersonation and inauthentic account services/tools found on dark web forums are not new to the landscape but can be utilized further with the platform’s recent changes. New phishing campaigns are also emerging and taking advantage of Twitter Blue.
Figure 2: Account Takeover Forum Posting
“From Russia with Love”: Somnia Ransomware Overview
“From Russia with Love” (FRwL), a Russian hacktivist group tracked as UAC-0118, has infected various Ukrainian organizations with a new ransomware strain dubbed “Somnia.” Somnia ransomware is similar to wiper malware, where there are no instructions for payment to decrypt the encrypted data. The purpose of wiper malware is purely to destroy as much data as possible.
Figure 1: Example of the fake Advanced IP Scanner Program Used
Threat Actor of the Month: Potential Return of Once Dormant Team TNT
TeamTNT recently pinged several Docker endpoints, showing activity from the group after its reported shutdown in 2021. A known WatchDog (Thief Libra) indicator of compromise was uncovered in Base64-encoded code, suggesting a possible affiliation with the attack. While unconfirmed, this security event could be an indication of the return of TeamTNT, or of a potential takeover of its infrastructure by another threat organization.
Figure 1: TeamTNT Website (December 25, 2021)
Trending Indicators of Compromise (IOCs)
IOCs can be used by organizations to detect security incidents more quickly, since the activity behind an indicator may not otherwise have been flagged as suspicious or malicious. Download the full bulletin for a list of technical indicators of compromise from the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.
To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.