Weekly Cyber News Roundup

January 8th to January 12th 2024


01. News Bites
  • Ukraine hackers strike Moscow based internet provider in retaliation for Kyivstar attack
  • Warnings issued over Apache OFBiz Authentication Bypass Vulnerability
  • Decryptor for Babuk ransomware variant released
  • Lockbit claims responsibility for November’s Capital Health attac
02. Conclusion

Quick News Bites

Ukraine hackers strike Moscow based internet provider in retaliation for Kyivstar attack

Hackers associated with Ukraine's intelligence agency have penetrated the systems of a Moscow-based internet provider, M9 Telecom, in response to a Russian cyber assault on Ukraine's largest mobile operator, Kyivstar. The group, known as "Blackjack" and linked to Ukraine's Security Service (SBU), reportedly erased 20 terabytes of data from M9 Telecom, disrupting internet services in parts of Moscow. This act was described as a precursor to a more significant cyber operation intended as "serious revenge for Kyivstar." The exact timing of the attack remains unclear.

M9 Telecom's response to inquiries about the incident was not available, and its website remained operational despite the hackers' claims of its destruction. The CEO of M9 Telecom, Andrey Pavolvsky, declined to comment when contacted.

Meanwhile, Kyivstar suffered a major disruption last month, attributed to Russian espionage activities. Ukrainian cyber spy chief Illia Vitiuk revealed that Russian hackers had infiltrated Kyivstar's network for months, resulting in substantial damage. Additionally, Ukraine’s military intelligence disclosed receiving sensitive Russian military information from the Special Technology Centre (STC), a Russian entity sanctioned for supplying drones and intelligence tools to Moscow.

Warnings issued over Apache OFBiz Authentication Bypass Vulnerability

Apache OFBiz, an open-source Enterprise Resource Planning (ERP) system, recently faced critical security vulnerabilities, identified as CVE-2023-49070 and CVE-2023-51467. These vulnerabilities, with a high CVSSv3 Base Score of 9.8, signify critical severity.

CVE-2023-49070, discovered in versions prior to 18.12.9, was initially addressed on December 4, 2023. This vulnerability stemmed from an obsolete XML-RPC component in Apache OFBiz 18.12.09, allowing pre-authentication Remote Code Execution (RCE). The patch removed the XMLRPC endpoint and the OFBiz XMLRPC Library, but it didn't entirely resolve the underlying issue. Attackers could still bypass authentication, leading to Server-Side Request Forgery (SSRF).

CVE-2023-51467 emerged, targeting versions prior to 18.12.10. This subsequent patch, released on December 26, 2023, aimed to fully address the authentication bypass issue left unresolved by the previous fix.

Both vulnerabilities are critically severe, enabling unauthenticated attackers to execute code remotely, potentially leading to full server control, data theft, service disruptions, or malware deployment.

Users are urged to upgrade to Apache OFBiz version 18.12.11 or newer immediately, as these versions contain necessary patches and fixes for these vulnerabilities.

Decryptor for Babuk ransomware variant released

Cyber security researchers in collaboration with the Dutch police, made a significant breakthrough in combating the Tortilla variant of Babuk ransomware, with the collaboration leading to the acquisition of a decryption tool and the arrest of the ransomware's operator in Amsterdam.

Tortilla, a variant that surfaced after the Babuk malware's source code leaked online, has been exploiting Microsoft Exchange servers using ProxyShell vulnerabilities. Unlike the original Babuk, which researchers had developed a decrypter for, Tortilla used a unique private key, rendering the existing tool ineffective.

The decisive moment came when researchers, in partnership with Dutch authorities, obtained a decryptor directly from the ransomware operator, designed for victims who had paid the ransom. This tool contained a single key pair used across all attacks. Cisco Talos shared this key allowing an update for the Babuk decryptor to include the Tortilla decryption key among the existing fourteen ECDH-25519 keys from the 2021 leak.

This development has broader implications in the fight against ransomware. Since December 2021, several operations utilizing the Babuk code, such as Rook, Night Sky, Pandora, Nokoyawa Cheerscrypt, AstraLocker 2.0, ESCiArgs, Rorschach, RTM Locker, and the RA Group, have emerged. Cisco Talos emphasizes that Tortilla is not an isolated case, and the ongoing battle against ransomware operations continues.

Victims of the Babuk variant can now access Avast's updated generic decryption tool for free, offering relief and a way to recover encrypted data without succumbing to ransom demands.

Lockbit claims responsibility for November’s Capital Health attack

The LockBit ransomware group has claimed responsibility for the November 2023 cyberattack on US based Capital Health, a major healthcare provider in New Jersey and Pennsylvania. The attack led to significant IT disruptions, with Capital Health confirming an IT systems outage last November. Although operations have since resumed with enhanced security measures, the investigation into potential data theft continues.

LockBit listed Capital Health on their data leak site, threatening to publish seven terabytes of stolen medical data if their ransom demands aren't met. Interestingly, LockBit states they avoided encrypting files to not disrupt patient care, instead opting for data theft.

Despite general ransomware policies against targeting healthcare providers, LockBit has been implicated in similar attacks on healthcare institutions, including SickKids and hospitals in Germany and New York.

These incidents highlight the threat of ransomware in healthcare, posing risks like data breaches and financial strains, even without direct operational disruption.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 


The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.