APT INC: The Rebranded Threat to VMware ESXi Servers
The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded as APT INC. Since February 2024 the group has used the leaked Babuk and LockBit 3 encryptors to attack VMware ESXi and Windows systems respectively; its attack on Chilean hosting provider IxMetro Powerhost drew wide media attention. Threat researcher Will Thomas identified related variants named SOCOTRA, FORMOSA, and LIMPOPO. Under the APT INC name, adopted in June 2024, the group continues to focus on VMware ESXi servers, encrypting virtual machine-related files while leaving other files on the host untouched. Ransom notes and encrypted files are given randomly generated names, and demands range from tens of thousands to millions of dollars. No weaknesses have been found in the Babuk and LockBit 3 encryptors, so victims currently have no free decryption route and must rely on backups or pay.
Scattered Spider Adds Qilin Ransomware to Arsenal
Microsoft reports that the Scattered Spider cybercrime group has added Qilin ransomware to its toolkit. Also tracked as Octo Tempest, UNC3944, and 0ktapus, this financially motivated gang gained notoriety with the 0ktapus phishing campaign, which targeted over 130 organizations including Microsoft, Binance, and T-Mobile. In mid-2023 the group encrypted MGM Resorts' systems as a BlackCat/ALPHV affiliate. Scattered Spider gains initial network access through phishing, MFA bombing (push-notification fatigue), and SIM swapping. Qilin, previously known as Agenda, emerged in August 2022 and has since claimed over 130 victims; since late 2023 it has shipped Linux encryptors that target VMware ESXi virtual machines. Qilin operators infiltrate networks, steal sensitive data, and then deploy the ransomware, using the stolen data for double extortion. Ransom demands range from $25,000 to millions of dollars. Qilin's recent attack on pathology provider Synnovis disrupted NHS hospitals in London and forced numerous cancelled procedures.
Rite Aid’s June Data Breach Affects 2.2 Million Customers
Rite Aid, the third-largest drugstore chain in the U.S., disclosed that a June data breach affected 2.2 million customers. The breach, detected on June 6, began when attackers used an employee's credentials to access the network. By June 17 the company determined that data linked to the purchase or attempted purchase of specific products had been taken. As is often the case, the stolen data included names, addresses, dates of birth, and government-issued ID numbers, tied to purchases made between June 6, 2017, and July 30, 2018. Rite Aid says Social Security numbers, financial data, and health information were not exposed.
The RansomHub ransomware gang has claimed responsibility, stating that it stole over 10 GB of customer information comprising around 45 million records, and threatened to leak the data after ransom negotiations stalled. RansomHub specializes in data-theft extortion and has previously hit major companies including Frontier Communications, underlining the growth of ransomware activity in 2024.
Cisco Fixes Critical Vulnerability Allowing Unauthorized Password Changes
Cisco has patched a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) license server, tracked as CVE-2024-20419. The flaw let attackers change any user's password, including administrators', without knowing the original credentials. It affects versions up to and including 8-202206 and stems from an unverified password change weakness in the product's authentication system: the password-change path did not confirm that the requester was entitled to change the target account.
Unauthenticated remote attackers could exploit the flaw by sending crafted HTTP requests to an affected device and then log in to the web UI or API with the compromised user's privileges. Cisco urges administrators to upgrade to a fixed release (8-202212 or later); no workarounds exist.
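To make the weakness class concrete, here is an added illustration (not Cisco's code and not derived from the advisory) of a password-change handler that trusts the username in the request body, beside a hardened version that derives the caller from a server-side session, requires the current password for self-service changes, and restricts cross-user resets to administrators. The request shape, handler names and in-memory user store are assumptions made for the example.

```python
# Illustrative only: a toy password-change endpoint showing the
# "unverified password change" pattern (CWE-620) beside a hardened version.
# This is NOT Cisco SSM On-Prem code; request shape and names are assumed.
import hashlib
import hmac
import os
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """In-memory user table (constructed for the example): name -> (salt, hash, is_admin)."""

    def __init__(self) -> None:
        self._users = {}

    def add(self, username: str, password: str, is_admin: bool = False) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt), is_admin)

    def exists(self, username: str) -> bool:
        return username in self._users

    def is_admin(self, username: str) -> bool:
        return self._users[username][2]

    def verify(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, digest, _ = self._users[username]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt), self._users[username][2])


def change_password_vulnerable(store: UserStore, request: dict) -> int:
    """Vulnerable pattern: the target account comes from the request body and
    nothing proves the caller is that user (no session, no current password)."""
    if not store.exists(request["username"]):
        return 404
    store.set_password(request["username"], request["new_password"])
    return 200


def change_password_hardened(store: UserStore, session: Optional[dict], request: dict) -> int:
    """Hardened: identity comes from a server-side session, self-service changes
    must re-prove the current password, and cross-user resets require admin."""
    if session is None:
        return 401
    actor = session["user"]
    target = request.get("username", actor)
    if not store.exists(target):
        return 404
    if target == actor:
        if not store.verify(actor, request.get("current_password", "")):
            return 403
    elif not store.is_admin(actor):
        return 403
    store.set_password(target, request["new_password"])
    return 200


def demo() -> dict:
    """Run both handlers on the same constructed scenario; returns the outcomes."""
    store = UserStore()
    store.add("admin", "Adm1n-pass", is_admin=True)
    store.add("alice", "alice-pass")
    anon_reset = {"username": "admin", "new_password": "pwned"}
    results = {
        # No session at all, yet the vulnerable handler resets admin's password.
        "vuln_anon_resets_admin": change_password_vulnerable(store, anon_reset),
        "vuln_admin_login_works": store.verify("admin", "pwned"),
        "hard_anon_rejected": change_password_hardened(store, None, anon_reset),
        "hard_alice_cross_user": change_password_hardened(store, {"user": "alice"}, anon_reset),
        "hard_alice_wrong_current": change_password_hardened(
            store, {"user": "alice"}, {"current_password": "nope", "new_password": "x"}),
        "hard_alice_ok": change_password_hardened(
            store, {"user": "alice"}, {"current_password": "alice-pass", "new_password": "n3w"}),
        "hard_admin_resets_alice": change_password_hardened(
            store, {"user": "admin"}, {"username": "alice", "new_password": "reset-by-admin"}),
    }
    results["alice_final_login"] = store.verify("alice", "reset-by-admin")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key design point is that the hardened handler never takes the caller's identity from the request body; it comes from a session the server already established, and the request body can only name a target the session holder is authorized to change. A quick audit check for this class in any web application is to find every password-reset or password-change route and confirm it is behind authentication and that the account being modified is derived from, or checked against, the authenticated principal.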
This patch follows recent fixes for other critical Cisco vulnerabilities, including an actively exploited NX-OS zero-day and the ASA and FTD firewall flaws abused in the ArcaneDoor campaign. Cisco's Product Security Incident Response Team (PSIRT) says it is not aware of public exploitation of CVE-2024-20419.
UK Arrests Suspected Scattered Spider Hacker Linked to MGM Attack
UK police have arrested a 17-year-old boy from Walsall on suspicion of involvement in the 2023 MGM Resorts ransomware attack and of membership in the Scattered Spider hacking collective. The arrest, coordinated with the National Crime Agency and the FBI, is part of a broader investigation into the group's global cybercrime activity.
The teenager, held on suspicion of blackmail and Computer Misuse Act offences, was released on bail while investigators examine his seized digital devices. Scattered Spider, also tracked as 0ktapus and UNC3944, relies on social engineering, phishing, MFA bombing, and SIM swapping for initial access, and has worked with ransomware operations including BlackCat/ALPHV, Qilin, and RansomHub.
The arrest highlights how hard it is to dismantle a loosely organized group whose members span several countries. Scattered Spider's other victims include Caesars, DoorDash, MailChimp, Twilio, Riot Games, and Reddit.
Conclusion
The incidents above, from zero-day vulnerabilities to ransomware and phishing campaigns, show that staying vigilant and maintaining robust security controls remains essential to protecting sensitive data.
As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization requires assistance in recovering from a ransomware attack or bolstering its cybersecurity defenses, contact us today.