Written by
Team Nucleus
Content
Written on
6th December, 2024
Analyst Insight
This week in cyber we have seen reports of large data breaches affecting major UK companies, a large children’s hospital in the UK being targeted by ransomware, successful law enforcement operations disrupting national and global organised crime, and threat actors increasingly utilising legitimate services to deliver phishing campaigns and evade detection. These events further underscore the heightened cyber threat landscape across multiple sectors.
NHS Alder Hey Children’s Hospital Suffers Data Breach
The Alder Hey Children's Hospital in Liverpool experienced a data breach, with the INC Ransom group claiming responsibility and publishing screenshots online of spreadsheets containing sensitive patient information, details of donations from benefactors, and procurement records, according to The Guardian. Alder Hey is one of Europe’s busiest children’s hospitals, treating over 450 thousand patients a year.
“We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust. We are working with partners to verify the data that has been published and to understand the potential impact,” the statement said.
Brain Cipher Ransomware Gang Claims Deloitte UK Breach
Deloitte UK, a multi-national professional services network, has allegedly been breached by the Brain Cipher ransomware gang. Brain Cipher is a relatively new group, first sighted in June 2024, that has performed several high-profile attacks, including a breach of Indonesia’s national datacentre. The group uses spear phishing and initial access brokers to gain footholds in networks and delivers payloads based on LockBit 3.0, a popular ransomware strain among threat actors.
The group has issued a deadline of 15th December to respond, otherwise the alleged 1TB of stolen data will be released. At the time of writing, no samples of the data have been provided as evidence.
Europol Dismantles “MATRIX” Encrypted Messaging Service Used by Criminals
This week, a joint operation between French and Dutch authorities brought the encrypted messaging app “MATRIX” offline. The messaging app had over 8,000 user accounts, and cost between $1360 and $1700 in cryptocurrency for a Google Pixel phone and a six-month subscription to the messaging service. The platform was widely used by criminals to coordinate illegal activities, including drug trafficking and money laundering. Over a three-month period, authorities intercepted more than 2.3 million messages, leading to significant breakthroughs in ongoing investigations.
NCA Disrupts Multi Billion Dollar Money Laundering Networks with Links to Cybercrime
Operation Destabilise, an international operation led by the National Crime Agency (NCA), has disrupted multi-billion-dollar money laundering networks linked to drugs, ransomware, and espionage, leading to 84 arrests and the seizure of over £20 million in cash and cryptocurrency. The investigation uncovered two major networks, Smart and TGR, which facilitated money laundering for various criminal groups. These networks operated globally, moving funds through complex schemes involving cryptocurrency and cash exchanges.
“The networks also support cyber criminals to launder their illicit profits. In 2021, Zhdanova laundered over $2.3 million of suspected ransoms paid in crypto by victims to the Ryuk ransomware group,” the NCA stated.
Cloudflare Pages Service Increasingly Used for Phishing
Researchers at Fortra have discovered an increasing trend of threat actors utilising the legitimate service Cloudflare Pages to host malicious web pages and websites. As stated in the article, the platform’s strong reputation allows threat actors to make convincing phishing pages that are perceived as legitimate, with automatic SSL certificates, custom domains and URL masking. Cloudflare’s stringent security controls make it harder for security professionals to trace the origin of a malicious page hosted on Pages.
“Fortra’s SEA team has observed a 198% increase in phishing attacks on Cloudflare Pages, rising from 460 incidents in 2023 to 1,370 incidents as of mid-October 2024. With an average of approximately 137 incidents per month, the total volume of attacks is expected to surpass 1,600 by year-end, representing a projected year-over-year increase of 257%.”