Ankura Cyber Threat Intelligence Bulletin [Report] – Security

Each month, the Ankura Cyber Threat Investigations & Expert
Services (CTIX) team compiles and provides a thorough analysis of
the latest threats, adversary techniques, and trends into an
in-depth report called the Cyber Threat Intelligence Bulletin.

Updated for October – November 2022, this report provides an
in-depth look at current global threats and key cyber trends to
watch to help prepare your organization for potential threats.

Access the complimentary threat report and
expert analysis of tactics and adversary techniques
>

The summary below includes a preview of the key threat topics
from this month’s Intelligence Bulletin.

Coordinated SEO Poisoning Redirect Campaign Hacked Thousands of
Websites

A massive SEO poisoning campaign has compromised almost 15,000
WordPress sites with redirect links that send the user to
actor-controlled sites like Q&A forums. The motivations of the
threat actors involved are to boost the fake website rankings in
Google. So, as multiple IPs from all over the world interact with
the compromised site, the website’s ranking in Google Search
increases, leading even more unsuspecting users to the redirected
domain.

Figure 1. Redirect to a Q&A Forum

What Happened to Raidforums?

Two new active successor sites have emerged in the wake of the
Raidforums takedown in February 2022, “Breached[.]co,”
also known as “BreachedForum.” and
“raidforums2[.]com” also known as “Raid2.”
BreachedForum appears to be the most popular direct successor to
Raidforums thus far while Raid2 appears to have been created by a
pro-Ukrainian group and has seen a slower growth rate and less
activity. Raidforum users have also appeared to migrate to other
well-known and previously established forums with new users spiking
in the ten (10) days following the Raidforum seizure.

Recent Cyber Threats Surrounding Twitter

Elon Musk became the owner and CEO of Twitter in October 2022,
creating a new verification system in November for high-profile
accounts called Twitter Blue. After the rollout of the program, an
exponential uptick in account impersonation was quickly observed.
Impersonation and inauthentic account services/tools found on dark
web forums are not new to the landscape but can be utilized further
with the platform’s recent changes. New phishing campaigns are
also emerging and taking advantage of Twitter Blue.

Figure 2: Account Takeover Forum Posting

“From Russia with Love”: Somnia Ransomware
Overview

“From Russia with Love” (FRwL), a Russian hacktivist
group tracked as UAC-0118, has infected various Ukrainian
organizations with a new ransomware strain dubbed
“Somnia.” Somnia ransomware is similar to wiper malware,
where there are no instructions for payment to decrypt the
encrypted data. The purpose of wiper malware is purely to destroy
as much data as possible.

Figure 1: Example of the fake Advanced IP Scanner Program
Used

Threat Actor of the Month: Potential Return of Once Dormant
Team TNT

TeamTNT recently pinged several Docker endpoints, showing
activity from the group after its reported shutdown in 2021. Known
WatchDog (Thief Libra) indicator of compromise uncovered in Base64
code, showing possible affiliation to the attack. While
unconfirmed, this security event could be an indication of the
return of TeamTNT, or a potential takeover by another threat
organization.

Figure 1: TeamTNT Website (December 25, 2021)

Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security
incidents more quickly as indicators may not have otherwise been
flagged as suspicious or malicious. Download the full bulletin for
a list of technical indicators of compromise within the past sixty
(60) days that are associated with monitored threat groups and/or
campaigns of interest.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.