Monday 5th June 2023

CTI Weekly: Hacktivist Group Expands Tactics to Extortion, Zero-Day Vulnerability Exploited, AlphV Ransomware Upgrade

Key Issue:

Anonymous Sudan targets Scandinavian Airlines in DDoS extortion campaign

Anonymous Sudan, a hacktivist group, has expanded its tactics to include extortion by demanding USD 3 million from Scandinavian Airlines (SAS). This follows a trend of hacktivist groups seeking to monetize their operations. The group has been targeting SAS with Distributed Denial-of-Service (DDoS) attacks since February 2023, also targeting Swedish healthcare organizations and media outlets.

On May 30, 2023, Anonymous Sudan shared a ransom note claiming responsibility for disrupting SAS’s website and services in another DDoS campaign. They warned the company to take action before raising their initial ransom demand from USD 3500 to USD 3 million. Although the group presents itself as a pro-Islamic hacktivist collective, it is assessed to be more likely a pro-Russian group due to its alignment with Russia’s strategic objectives and level of sophistication.

The adoption of extortion tactics by Anonymous Sudan reflects a broader trend among hacktivist groups seeking to generate funding. Another pro-Russian hacktivist group, Killnet, has announced plans to rebrand and pursue operations that generate funds for the group. This suggests that hacktivist groups are seeking to expand and enhance their capabilities beyond low-impact operations. If successful, this trend may lead to politically motivated groups increasingly adopting monetization tactics to pursue their objectives more effectively.

As a result, hacktivist groups are expected to engage in disruptive tactics that can be monetized, such as DDoS extortion or ransomware operations. The MalasLocker campaign, active since March 2023, serves as an example of using ransoms to directly fund ideological objectives.

Other news:

Zero-Days

Cybercriminals are currently exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software. This vulnerability, tracked as CVE-2023-2868, carries a high severity rating and is being used by malicious actors to carry out data theft campaigns. In addition, these cybercriminals have also been found exploiting the vulnerability to insert their own malware into the Barracuda Email Security Gateway used by customers.

State-sponsored

The Russian Federal Security Service has accused US intelligence agencies of compromising iPhones owned by Russian diplomats, claiming it was part of an intelligence gathering operation. Meanwhile, a Chinese espionage unit called Dark Pink has been identified in a new campaign targeting government, military, and education organizations in several countries including Belgium, Thailand, Indonesia, Brunei, and Vietnam.


Ransomware

The AlphV ransomware group recently unveiled an upgraded version of their ransomware, with advanced features specifically designed to bypass anti-virus and endpoint detection and response solutions, as well as advanced automated data exfiltration. Read our profile on ALPHV containing the RaaS’ commonly used tactics, targeting rationale, and most targeted sectors.

