Get the TIGR Threat Watch and Bulletin
Our Threat Intelligence Gathering & Research (TIGR) team focuses on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, from information collected across several industry intel sources. We also create and publish ad-hoc Threat Bulletins for critical and time-sensitive vulnerabilities or threats. Threat Bulletins include details and recommendations for mitigation and remediation.
Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
LockBit Ransomware Group Relaunches After Takedown
The notorious LockBit ransomware gang has relaunched its operations on new infrastructure, less than a week after law enforcement disrupted its servers and seized data in Operation Cronos. According to the hackers, the breach occurred due to negligence in updating their PHP software, allowing authorities to exploit a critical vulnerability. In their message, LockBit admitted fault in the disruption and claimed to have upgraded security, including decentralizing affiliate panels across multiple servers. However, they still lost over 1,000 decryption keys and plan to manually handle decryptors and trial decryptions moving forward. The group also threatened increased attacks on government sectors in response.
Impact: The takedown delivered a significant blow to LockBit, but the quick relaunch signals the resilience of the ransomware gang. Although disrupted in the short term, continued operations pose an ongoing threat, especially to previously impacted victims lacking decryption keys.
Recommendation: Organizations should continue ransomware prevention best practices like offline backups, multi-factor authentication, and prompt patching.
High-Severity Apple Shortcuts Vulnerability Allows Access to Sensitive Data
A high-severity vulnerability, identified as CVE-2024-23204, has been discovered in Apple Shortcuts, affecting both iOS and macOS devices. This vulnerability allows attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework, enabling unauthorized access to sensitive user information. By utilizing the ‘Expand URL’ function within Shortcuts, attackers can covertly transmit base64-encoded data, such as photos, to remote servers without user knowledge. Apple addressed this vulnerability in recent updates; however, unpatched devices leave user privacy and data security at risk.
Impact: Adversaries could exploit this vulnerability to stealthily collect private user information which could then be used for identity theft, fraud, extortion, or other malicious purposes. Both individual users and enterprises that use or develop iOS apps are at risk. With Shortcuts being a widely-used Apple feature, the attack surface for this vulnerability is significant.
Recommendation: Users should install the latest iOS and macOS patches, iOS 17.3 and macOS Sonoma 14.3.
Major Ransomware Attack Disrupts US Healthcare Systems
On February 21, 2024, the healthcare giant UnitedHealth Group suffered a ransomware attack impacting its Optum subsidiary and the Change Healthcare payment platform. The attack appears to have been conducted by a sophisticated nation-state actor and involves data theft, likely as leverage for ransom demands. The outage has disrupted Optum’s services, including claims processing, billing, and pharmacy management for healthcare providers nationwide.
Impact: This attack threatens significant disruption to healthcare delivery across the US. Providers cannot access patient records, process claims and payments, or fill prescriptions, severely impacting operations. Patient care and safety could be jeopardized. Data theft also risks violation of HIPAA regulations and loss of patient confidentiality if the information is leaked. This attack demonstrates ransomware’s potential to cripple critical infrastructure.
Recommendation: Healthcare providers should immediately disconnect from Optum/Change Healthcare to prevent infection.
LockBit Ransomware Facing Apparent Decline Due to Mounting Issues
LockBit is a prolific Ransomware-as-a-Service (RaaS) operation that emerged in 2020 and quickly became one of the most impactful ransomware actors. However, LockBit now appears to be in decline due to its source code leaking in 2022, infrastructure instability, restrictive affiliate rules, and signs of developer departure. Based on breach data, the group’s overall share of attacks dropped over 2022-2023. LockBit is purportedly developing a new .NET-based ransomware version called LockBit-NG-Dev, which may eventually become LockBit 4.0. However, it remains to be seen whether a new version can help LockBit regain prominence amid its accumulated issues.
Impact: The apparent dysfunction within the LockBit operation has significant security implications. Organizations in LockBit’s target sectors, like manufacturing, professional services, and healthcare, should be aware of the group’s potential desperation for income. However, the group’s declining capabilities may also present an opportunity for improving defenses before LockBit can rebuild.
Recommendation: Organizations should continue ransomware prevention best practices like offline backups, multi-factor authentication, and prompt patching. Monitoring for .NET executables and behavioral indicators can help detect emerging LockBit activity.
Avast Fined by FTC for Selling User Data
The antivirus vendor Avast has been fined $16.5 million by the U.S. Federal Trade Commission on charges that the company sold user data to advertisers while claiming its products could block online ad tracking. The FTC has also barred Avast from licensing or selling browser data for advertising purposes and required it to notify users whose data was sold without their permission. Through its Jumpshot subsidiary, Avast sold what is described as “re-identifiable browsing data” to over 100 companies. Non-personally identifiable information could then be correlated with Avast user browsing data to build advertising profiles. This misleading practice was discovered in 2019 by security researchers and browser vendors, who removed Avast add-ons from their respective stores. Data collected by Avast without consent includes Google searches, internet footprint, and location.
Impact: Users who installed Avast, believing they would be safe from advertising trackers, ended up being tracked by Avast itself.
Recommendation: Avast users should watch for communication with further details on what portion of their data, if any, was sold. Additionally, Avast has since merged with other endpoint security companies to become Gen Digital, which includes AVG, CCleaner, Avira, and NortonLifeLock. Avoiding these companies may also be prudent.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS!
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sraio.wpcomstaging.com/blog/category/tigr/feed
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sraio.wpcomstaging.com/blog/category/tigr/feed
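Beyond a desktop or mobile reader, a SOC team often wants to consume the feed programmatically, for example to pull the items marked with the 🚩 IOC flag into a ticket or enrichment pipeline. The following is an added example written for this page, not SRA's or TIGR's own code. It parses an RSS 2.0 document offline using a constructed sample feed embedded inline, tolerates items with a missing or unparseable pubDate, and assumes (an assumption, not something the page states) that the red-flag marker appears in the item title when IOCs were added. For a feed fetched from the network, parse the body with a hardened parser such as defusedxml rather than the stdlib parser shown here.

```python
"""Parse a TIGR-style RSS 2.0 feed offline and pick out the entries flagged as carrying IOCs."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Red flag emoji used on the page to mark items whose IOCs were added to the threat feed.
# Assumption: the marker is carried in the item's <title>.
IOC_FLAG = "\U0001F6A9"

# Constructed sample feed (not real TIGR content). The live feed is at
# https://sraio.wpcomstaging.com/blog/category/tigr/feed and would be fetched over HTTPS.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>TIGR Threat Watch (constructed sample)</title>
<item>
<title>\U0001F6A9 Example ransomware campaign (constructed)</title>
<link>https://example.invalid/tigr/1</link>
<pubDate>Mon, 26 Feb 2024 14:00:00 +0000</pubDate>
<description>Constructed sample entry with IOCs.</description>
</item>
<item>
<title>Example vendor advisory (constructed)</title>
<link>https://example.invalid/tigr/2</link>
<pubDate>Sun, 25 Feb 2024 09:30:00 +0000</pubDate>
</item>
<item>
<title>Entry with no date (constructed, exercises the missing-pubDate path)</title>
<link>https://example.invalid/tigr/3</link>
</item>
</channel>
</rss>
"""


@dataclass
class FeedItem:
    title: str
    link: str
    published: Optional[datetime]  # None when pubDate is absent or unparseable
    has_iocs: bool


def _parse_pubdate(raw: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 2822 pubDate; return None instead of failing on a bad value."""
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw.strip())
    except (TypeError, ValueError):
        return None
    if dt is None:
        return None
    # Treat a date without an offset as UTC so comparisons never mix naive and aware values.
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def parse_feed(xml_text: str) -> List[FeedItem]:
    """Return every <item> in an RSS 2.0 document, in feed order."""
    # Encode first: this mirrors a raw HTTP body and lets the parser honour the XML declaration.
    root = ET.fromstring(xml_text.encode("utf-8"))
    items = []
    for node in root.iter("item"):
        title = (node.findtext("title") or "").strip()
        link = (node.findtext("link") or "").strip()
        items.append(FeedItem(
            title=title,
            link=link,
            published=_parse_pubdate(node.findtext("pubDate")),
            has_iocs=IOC_FLAG in title,
        ))
    return items


def ioc_items(items: List[FeedItem]) -> List[FeedItem]:
    """Only the entries whose title carries the IOC marker."""
    return [i for i in items if i.has_iocs]


def items_since(items: List[FeedItem], since_iso: str) -> List[FeedItem]:
    """Entries published at or after an ISO 8601 instant (e.g. '2024-02-26T00:00:00+00:00').

    Undated entries are kept rather than silently dropped, so a feed with a
    malformed pubDate does not cause an analyst to miss an item.
    """
    since = datetime.fromisoformat(since_iso)
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return [i for i in items if i.published is None or i.published >= since]


if __name__ == "__main__":
    for item in ioc_items(parse_feed(SAMPLE_FEED)):
        print(item.published, item.link, item.title)
```

A poller built on this would fetch the feed URL on a schedule, call `parse_feed` on the response body, and hand `ioc_items` to whatever tracks which flagged articles have already been actioned.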