June 2024 featured a string of major cyberattacks impacting diverse sectors from tech to healthcare, including a TeamViewer breach by APT29 and a broad Polyfill supply chain compromise. The month highlighted a mix of intrusions, ransomware, data theft, and credential abuse, offering lessons on strengthening defenses. #APT29 #CozyBear #Polyfill #Funnull #UwULend #TheNewYorkTimes #PandaBuy #CyberNiggers #Qilin #BrainCipher #PDN #TeamViewer #4chan
Key Points
- TeamViewer breach detected in the internal corporate IT environment, with APT29 (CozyBear) identified as the culprit, raising concerns due to TeamViewer’s widespread usage.
- Polyfill supply chain attack tied to Funnull acquiring Polyfill’s domain and GitHub account, redirecting users to malicious sites and affecting hundreds of thousands of sites.
- UwU Lend DeFi platform suffered nearly $20 million in Ethereum theft, triggering a pause in operations and later an offer to the hacker.
- The New York Times contributor data was exposed via compromised GitHub credentials, with a 270GB torrent posted on 4chan.
- Sanggiero/CyberNiggers claimed PandaBuy records, escalating from 1.3 million to 17 million, with extortion tied to the full database.
- Qilin ransomware disrupted operations across several London hospitals, with no public statements from the group and limited data leakage visibility.
- Brain Cipher ransomware hit Indonesia’s PDN, encrypting government servers and affecting over 200 agencies and essential public services.
MITRE Techniques
- [T1133] External Remote Services – APT29 used TeamViewer for remote access; [‘On June 26, 2024, TeamViewer detected an irregularity in its internal corporate IT environment.’]
- [T1195] Supply Chain Compromise – Polyfill’s domain and GitHub account were acquired and scripts modified to redirect users to malicious sites; [‘modified the script to redirect users to malicious sites.’]
- [T1041] Exfiltration Over Unencrypted/Obfuscated Network – UwU Lend ETH theft; [‘siphoned’] ETH during June 2024.
- [T1078] Valid Accounts – The New York Times breach via exposed GitHub credentials; [‘gained access to The New York Times’ GitHub repositories by exploiting exposed credentials.’]
- [T1041] Exfiltration Over Unencrypted/Obfuscated Network – PandaBuy data sale claim; [’16–17 million records for sale at $40,000…’]
- [T1486] Data Encrypted for Impact – Qilin ransomware attack disrupted operations at London hospitals; [‘A ransomware attack by the Russian cyber hacking group, Qilin, severely disrupted operations…’]
- [T1486] Data Encrypted for Impact – Brain Cipher ransomware encrypted PDN/government servers; [‘encrypting government servers and causing widespread disruption.’]
Indicators of Compromise
- [Domain] – cdn.polyfill.io, polyfill.io, and 4chan.org – domains involved in the Polyfill supply chain attack and related discussions/posts
- [File] – 270GB torrent file containing The New York Times contributor data – posted on 4chan
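The Polyfill supply chain compromise described above (a third-party script host whose domain changed hands and whose script was modified) is detectable on the defender's side by looking for references to the listed domains. The following added example, which is not part of the SOCRadar write-up, shows two such checks: it parses HTML for script tags that load from the IoC domains and reports whether Subresource Integrity pins the content, and it scans proxy log lines for clients that fetched from those domains. The HTML snippet, the proxy log format and the `sha384-PLACEHOLDERHASH` value are constructed for the example; only the domain names come from the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains listed in the page's Indicators of Compromise for the Polyfill
# supply chain attack. 4chan.org is deliberately left out: it is where the
# NYT torrent was posted, not a script host a web page would load from.
POLYFILL_IOC_DOMAINS = {"cdn.polyfill.io", "polyfill.io"}


class ScriptTagCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if "src" in attr_map:
            self.scripts.append(attr_map)


def _host_of(src):
    """Lowercase host of a script URL; protocol-relative //host/path is handled too."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _matches_ioc(host):
    """True if host is an IoC domain or a subdomain of one (not a look-alike such as notpolyfill.io)."""
    return any(host == d or host.endswith("." + d) for d in POLYFILL_IOC_DOMAINS)


def find_polyfill_scripts(html):
    """Return one finding per script tag that loads from an IoC domain.

    Severity is 'high' when no integrity= attribute is present (a modified
    script would load unchallenged) and 'medium' when SRI is present (the
    browser refuses a script whose hash no longer matches, but the reference
    still needs removing).
    """
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        host = _host_of(attrs["src"])
        if not _matches_ioc(host):
            continue
        has_sri = bool(attrs.get("integrity"))
        findings.append({
            "src": attrs["src"],
            "host": host,
            "sri": has_sri,
            "severity": "medium" if has_sri else "high",
        })
    return findings


# Constructed proxy log lines in a hypothetical key=value format.
LOG_LINE_RE = re.compile(r"\bclient=(\S+).*?\bhost=(\S+)")


def scan_proxy_log(lines):
    """Map each client IP to the sorted list of IoC hosts it fetched from."""
    hits = {}
    for line in lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        client, host = m.group(1), m.group(2).lower()
        if _matches_ioc(host):
            hits.setdefault(client, set()).add(host)
    return {c: sorted(h) for c, h in hits.items()}


# Constructed sample input: one unpinned IoC reference, one SRI-pinned
# protocol-relative IoC reference, and one unrelated CDN.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js" integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body></body></html>"""

SAMPLE_PROXY_LOG = [
    "2024-06-26T10:00:00Z client=10.0.0.5 method=GET host=cdn.polyfill.io path=/v3/polyfill.min.js status=200",
    "2024-06-26T10:00:01Z client=10.0.0.5 method=GET host=cdn.example.com path=/app.js status=200",
    "2024-06-26T10:00:02Z client=10.0.0.9 method=GET host=polyfill.io path=/v3/polyfill.min.js status=200",
    "2024-06-26T10:00:03Z client=10.0.0.9 method=GET host=notpolyfill.io path=/x.js status=200",
]

if __name__ == "__main__":
    for finding in find_polyfill_scripts(SAMPLE_HTML):
        print(f"[{finding['severity']}] {finding['src']} (sri={finding['sri']})")
    for client, hosts in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"{client} fetched from {', '.join(hosts)}")
```

Run as-is to see the two findings and the two clients; in practice `find_polyfill_scripts` would be run over crawled or templated HTML and `scan_proxy_log` over the real proxy export after adjusting `LOG_LINE_RE` to its format. The suffix match in `_matches_ioc` is what keeps look-alike domains such as `notpolyfill.io` out of the results while still catching any subdomain of the listed hosts.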
Read more: https://socradar.io/major-cy-attacks-in-review-june-2024/