This report was processed and collated by the Elemendar CTI team and includes Mitre ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cybersecurity tool.
For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email us at cti@elemendar.ai. Previous Threat Intelligence Updates can be found HERE.
A glossary for terms used in our reporting is available HERE.
Contents
NCSC Warns UK Needs “Urgent Interventions” to Counter Cyber Threats
Storm-1811 Exploits RMM Tools to Deliver Black Basta
Executive Summary
Ransomware Attack on UK Hospital Sees Confidential Patient Data Leaked
Alder Hey Children’s Hospital suffered a ransomware attack claimed by the known threat actor INC Ransom. Screenshots containing sensitive files were released on an unnamed underground forum with threats to release all captured material unless the ransom was paid. INC Ransom is known to have previously exploited vulnerabilities in Citrix NetScaler ADC, and CTI research has indicated that a Citrix ADC used by the hospital has since been taken offline.
It is likely that INC Ransom has again targeted Citrix NetScaler ADC, highlighting the group's ability to re-employ known TTPs against unpatched networks. It is likely to pose a threat to other organisations that also use Citrix.
NCSC Warns UK Needs “Urgent Interventions” to Counter Cyber Threats
Storm-1811 Exploits RMM Tools to Deliver Black Basta
Ransomware Attack on UK Hospital Sees Confidential Patient Data Leaked
On 02 Dec 24, Alder Hey Children’s Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust reported a ransomware attack following suspicious network activity detected on 28 Nov 24. The attack captured sensitive patient data dating from 2018 to 2024. INC Ransom claimed the attack and posted 11 screenshots on an unnamed underground forum. The stolen data included names, addresses and sensitive medical information, as well as financial documents.
Elemendar CTI Analyst comment: Previous Elemendar reporting (TIU: 22 - 28 November 2024) stated that the nearby Wirral University Teaching Hospital suffered a similar attack that caused a “major incident” and significantly disrupted services. INC Ransom is a criminal organisation that emerged in 2023. Details of where the group originated are unclear; however, it has conducted attacks globally, with primary targets in the healthcare, education and government sectors. In March 2024, INC Ransom exfiltrated the medical records of 150,000 patients from NHS Dumfries and Galloway in Scotland; these records were later released on the dark web after ransom demands were not met. The group also captured, and later released, sensitive data during an attack on Leicester City Council. Comment Ends.
NHS Alder Hey has not yet confirmed the type of ransomware used in the attack, but in public statements has said that the affected area has been taken offline and redundancy measures are being used.
Elemendar CTI Analyst Comment: Further investigation by Elemendar CTI analysts suggests that a Citrix Application Delivery Controller (ADC) used to support virtualisation has been taken offline by the NHS since the attack. INC Ransom is known to have previously targeted Citrix NetScaler. Its TTPs have included using CVE-2023-3519 to achieve unauthorised remote code execution and using CVE-2023-4966 (CitrixBleed) to target Citrix NetScaler ADC. The group has used CitrixBleed specifically to bypass MFA and hijack legitimate user sessions. Comment Ends.
The Executive Director of National Cyber Security Operations at NHS England has noted that the NHS has an increasing attack surface due to rapid digitisation and heavy reliance on third-party providers whose products require frequent patching. Attacks on the NHS specifically have plateaued since 2022, but attacks on healthcare are rising globally, and healthcare is now the third most attacked industry worldwide.
Elemendar CTI Analyst Comment: Since the COVID lockdowns, large parts of the UK public sector have undergone virtualisation efforts to increase resiliency. The virtualisation efforts have been largely achieved through the use of third party suppliers. Public sector departments that have publicly stated they use Citrix NetScaler ADC include the Department for Work and Pensions (DWP), the Ministry of Justice (MoJ) and multiple NHS trusts. Comment Ends.
Elemendar Intelligence Assessment: It is likely that the threat actors responsible for this attack bypassed MFA and hijacked user sessions by exploiting vulnerabilities in Citrix NetScaler ADC. This is a known TTP of INC Ransom. It is likely that INC Ransom and other threat actors will continue to use their known TTPs against Citrix NetScaler ADC, exploiting user apathy towards installing updates and targeting unpatched vulnerabilities; as a result, INC Ransom represents an ongoing threat to public sector departments using Citrix. The UK healthcare system and other public sector departments are almost certain to remain high-priority targets for ransomware groups due to the vast amount of sensitive data stored within their systems, which can yield significant financial rewards. Such attacks are highly likely to lead to operational disruption, substantial financial losses and regulatory penalties, further exacerbating the impact on public trust and service delivery. Assessment Ends.
NCSC Warns UK Needs “Urgent Interventions” to Counter Cyber Threats
On 03 Dec 24, the National Cyber Security Centre (NCSC) released its annual review for 2024. The NCSC findings noted that the overall number of incidents handled by the NCSC between Sep 23 and Aug 24 rose by 16%, from 371 to 430, against the previous reporting period. The proportion of attacks listed as significant and highly significant (the NCSC’s two highest classifications) rose by 44%, from 62 to 89 incidents. The NCSC’s Incident Management Team also issued 258 bespoke notifications to organisations it had detected were at risk. Half of these notifications related to pre-attack activity.
Fig. 1: Yearly breakdown infographic (Source: NCSC Annual Report 2024)
Richard Horne, the CEO of the NCSC, stated that “urgent interventions” are required across both the public and private sectors in the UK to stay ahead of the increasing number of threat actors targeting the country. The NCSC report also notes that there is a “widening gap between the increasingly complex threats and our collective defensive capabilities”. In addition, Richard Horne states that large swathes of both the private and public sectors are not applying the NCSC’s guidelines for cyber protection and response.
Elemendar CTI Analyst Comment: Cyber attacks in the UK continue to rise year on year, with industry statistics assessing that 7.78 million attacks had occurred in the UK as of 13 Nov 24. In addition, 81% of attacks are targeted at small to medium-sized businesses. Only 22% of UK businesses are assessed to have a formal cybersecurity incident management plan in place. Comment Ends.
Ransomware was highlighted as a particular threat to UK Critical National Infrastructure (CNI) and public services. Academia, manufacturing, IT, legal, charities and construction were the most targeted sectors for ransomware. In addition, 13 ransomware incidents were listed as nationally significant. The NCSC noted that supply chains were being increasingly targeted to disrupt UK CNI.
Elemendar CTI Analyst Comment: CNI and the public and private sectors are all rapidly digitising and increasingly virtualised in the UK, increasing the attack surface available to threat actors. Within the NCSC’s reporting period, attacks on the NHS via third-party software included exploitation of CVE-2023-20198 (Cisco IOS XE) and CVE-2024-3400 (Palo Alto Networks PAN-OS), which resulted in 6 nationally significant incidents. The specific attacks in which these CVEs were used are not known. The attack on the diagnostic systems provided by Synnovis in June affected six NHS trusts and is known to have been managed by the NCSC. Comment Ends.
Elemendar Intelligence Assessment: It is almost certain that threat actors will continue to target the UK with a growing series of attack vectors. It is highly likely that the number of attacks in the UK will increase in 2025 without successful implementation of the NCSC’s suggestions.
The increasing virtualisation of both the public and private sectors will almost certainly continue and will almost certainly expand the attack surface available to threat groups. It is likely that attacks will continue to leverage third-party systems, particularly in supply chains, as a means to gain access to internal systems and to disrupt operations by shutting down critical areas hosted by third parties. Attacks on healthcare, education and CNI are highly likely to increase in 2025 because their systems contain large amounts of sensitive data and offer the potential for large financial gain.
It is highly likely that attacks are aided by various sectors failing to apply adequate frameworks to both protect against and remediate cyber attacks. Correct implementation of NCSC and industry-specific guidelines is likely to mitigate the risk.
Storm-1811 Exploits RMM Tools to Deliver Black Basta
A report released on 02 December 2024 by the cybersecurity company Red Canary states that Storm-1811 has been observed using an updated attack vector, leveraging remote monitoring and management (RMM) tools such as Microsoft Quick Assist to distribute the Black Basta ransomware. Storm-1811 exploits this functionality to gain unauthorised access, enabling lateral movement, reconnaissance and the creation of SSH tunnel backdoors within the victim's network.
Elemendar CTI Analyst comment: Storm-1811 is a financially motivated threat actor. Previous TTPs included exploiting Microsoft Quick Assist to deliver the Black Basta ransomware in a series of targeted social engineering attacks since April 2024. Please see previous Elemendar CTI reporting regarding Black Basta for more background information (TIU: 25-31 October 2024). Comment Ends.
The attack begins with an email bombing campaign, overwhelming the victim's inbox with spam. The threat actor then poses as an IT administrator, reaching out via phone or a Microsoft Teams link, offering to resolve the email issue. Victims are instructed to download remote access tools like AnyDesk, TeamViewer, or Microsoft Quick Assist, granting Storm-1811 remote control of their devices.
Once inside the victim's network, the threat actor conducts reconnaissance and lateral movement, preparing the environment for the deployment of Black Basta ransomware.
Fig. 02: Storm-1811 attack lifecycle (Source Red Canary)
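As an added example (not part of the Elemendar report or of Red Canary's research), the following Python correlates the two stages of the chain described above: a burst of inbound mail to one mailbox, followed within a few hours by one of the named remote-access tools starting under that user's account. The log records, the threshold values and the assumption that the mailbox name matches the logon user name are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process image names of the remote-access tools named in the report.
RMM_IMAGES = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
BOMB_THRESHOLD = 50                    # messages to one mailbox ...
BOMB_WINDOW = timedelta(minutes=10)    # ... inside this sliding window
FOLLOW_UP_WINDOW = timedelta(hours=4)  # RMM start this long after the burst

T0 = datetime(2024, 12, 2, 9, 0)

# Constructed mail-gateway records: (received, recipient mailbox).
# j.smith gets 60 messages in 5 minutes (a bomb); a.jones gets 3 (normal).
MAIL_LOG = [(T0 + timedelta(seconds=5 * i), "j.smith") for i in range(60)]
MAIL_LOG += [(T0 + timedelta(minutes=m), "a.jones") for m in (1, 30, 90)]

# Constructed process-creation records (Event ID 4688 style):
# (created, host, logon user, image name).
PROCESS_LOG = [
    (T0 + timedelta(minutes=5), "WS01", "j.smith", "OUTLOOK.EXE"),       # benign
    (T0 + timedelta(minutes=95), "WS01", "j.smith", "QuickAssist.exe"),  # suspect
    (T0 + timedelta(minutes=120), "WS07", "a.jones", "AnyDesk.exe"),     # no bomb
    (T0 + timedelta(days=2), "WS01", "j.smith", "TeamViewer.exe"),       # too late
]


def detect_email_bombs(mail_log, threshold=BOMB_THRESHOLD, window=BOMB_WINDOW):
    """Return {mailbox: burst_start} for mailboxes that receive at least
    `threshold` messages within any `window`-long sliding interval."""
    by_user = defaultdict(list)
    for received, mailbox in mail_log:
        by_user[mailbox].append(received)
    bursts = {}
    for mailbox, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts[mailbox] = times[start]
                break
    return bursts


def correlate(mail_log, process_log):
    """Flag an RMM tool starting under a bombed user's account within
    FOLLOW_UP_WINDOW of the burst. Assumes mailbox name == logon user name."""
    bursts = detect_email_bombs(mail_log)
    alerts = []
    for created, host, user, image in process_log:
        burst = bursts.get(user)
        if (image.lower() in RMM_IMAGES and burst is not None
                and burst <= created <= burst + FOLLOW_UP_WINDOW):
            alerts.append((user, host, image, created))
    return alerts
```

Run against the constructed records, only the Quick Assist start under j.smith is flagged; the AnyDesk start under a user who was not bombed and the tool start two days later are not.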
Elemendar CTI Analyst comment: Initially discovered in April 2022, Black Basta employs a double-extortion strategy, encrypting systems and exfiltrating sensitive data. Affiliates typically gain initial access through phishing and exploitation of known vulnerabilities, and demand ransoms to prevent data leaks or to restore encrypted systems. Black Basta affiliates have targeted critical infrastructure and industries across Australia, Europe and North America, affecting over 500 organisations as of May 2024, according to CISA. Comment Ends.
Elemendar Intelligence Assessment: Storm-1811’s updated attack vector evidences their expertise in social engineering and exploitation of RMM tools, and demonstrates their ability to modify their TTPs to ensure success. Storm-1811’s use of legitimate tools such as Quick Assist and RMM software enables them to bypass security solutions and complicates detection by blending malicious activity into normal IT operations. Increased virtualisation is likely to expand opportunities for threat actors to deploy malware, as a growing number of users increases the likelihood of user error, creating exploitable vulnerabilities. Virtualisation increases the attack surface by enabling multiple virtual machines on a single host, allowing advanced malware to exploit hypervisor vulnerabilities for lateral spread while evading traditional security tools by disguising activities as legitimate processes within virtual environments. Given Storm-1811’s modification of this attack vector, further modifications are almost certain, and these attacks are highly likely to continue to succeed. As such, Storm-1811 represents a continued threat to multiple industries. Assessment Ends.
Annex B: STIX Entities
Ransomware Attack on UK Hospital Sees Confidential Patient Data Leaked
Mitre ATT&CK TTPs / Attack Procedures
| ID | Name | Tactic | Procedure | Description | Logs |
|---|---|---|---|---|---|
| T1556.006 | Multi-Factor Authentication Interception | Credential Dumping | Monitor for login anomalies post-MFA and bypass attempts. | Attackers bypass MFA mechanisms to gain access to systems. | Authentication logs, MFA logs (Microsoft Authenticator, Duo), VPN logs, Event ID: 4768, Event ID: 4720 |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Look for unusual traffic patterns suggesting data exfiltration. | C2 channels are used to exfiltrate sensitive data, often encrypted. | Network traffic logs, Firewall logs, Proxy logs, IDS/IPS logs, Event ID: 5156, Event ID: 5158 |
| T1211 | Exploitation for Credential Dumping | Credential Access | Investigate abnormal tool usage or file access to dump credentials. | Attackers use tools to dump credentials from system memory or files. | Event ID: 4688, PowerShell logs, Command line logs, Process monitor logs, Event ID: 5156 |
NCSC Warns UK Needs “Urgent Interventions” to Counter Cyber Threats
Mitre ATT&CK TTPs / Attack Procedures
| ID | Name | Tactic | Procedure | Description | Logs |
|---|---|---|---|---|---|
| T1190 | Exploitation of CVE-2023-20198 | Initial Access | Exploiting Cisco IOS XE vulnerabilities. | Threat actors may exploit CVE-2023-20198 to gain unauthorized access to critical systems within the NHS and other infrastructures. | Monitor for unusual access patterns or unauthorized changes in Cisco IOS XE logs. |
| T1190 | Exploitation of CVE-2024-3400 | Initial Access | Exploiting Palo Alto Networks PAN-OS vulnerabilities. | Threat actors may exploit CVE-2024-3400 for initial compromise in third-party systems connected to UK CNI. | Review PAN-OS logs for suspicious activity, unauthorized login attempts, or configuration changes. |
| T1074.001 | Supply Chain Compromise | Resource Development | Targeting supply chains for access to critical systems. | Threat actors increasingly target supply chains to infiltrate internal networks, causing disruption to UK CNI operations. | Analyze third-party integrations and logs for unauthorized access or modifications. |
| T1486 | Ransomware Attacks on UK CNI | Impact | Encrypting and holding critical data for ransom. | Ransomware is being used to disrupt operations in academia, manufacturing, IT, legal, charities, and construction sectors. | Search for indicators of encryption activities and ransom notes in affected systems. |
| T1078 | Pre-Attack Notifications | Credential Access | Detecting malicious use of compromised credentials. | Pre-attack activity includes reconnaissance using stolen credentials, flagged by bespoke notifications. | Investigate login anomalies or credential reuse flagged by bespoke notifications from NCSC. |
| T1556.004 | Bypass of Cybersecurity Guidelines | Credential Access | Leveraging poor implementation of guidelines. | Threat actors exploit the failure of UK public and private sectors to implement NCSC cybersecurity recommendations effectively. | Examine logs for weak controls, missing patches, or poor adherence to NCSC frameworks. |
| T1041 | Exfiltration of Sensitive Data | Exfiltration | Extracting critical data from CNI systems. | Sensitive data exfiltration is highly likely to target healthcare and education systems for financial gains and operational disruptions. | Monitor for unusual data transfers, especially to external or unknown IP addresses. |
Storm-1811 Exploits RMM Tools to Deliver Black Basta
Mitre ATT&CK TTPs / Attack Procedures
| ID | Name | Tactic | Procedure | Description | Logs |
|---|---|---|---|---|---|
| T1608.004 | Drive-by Target | Resource Development | Targeting Victims via Drive-by Downloads | Adversaries create malicious websites or compromise legitimate ones to deliver malware through drive-by downloads. | Web server logs: Increased access to compromised or malicious sites. |
| T1114 | Email Collection | Collection | Harvesting Email Data | Accesses email content through compromised accounts or email servers to collect sensitive information. | Email server logs: Unusual access patterns or bulk email export activities. |
| T1569 | System Services | Execution | Abuse of System Services for Execution | Utilises system services to execute malicious code. | Windows Event Logs: Service Control Manager events (Event ID 7045) for new or altered services. |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | Data Exfiltration via Encrypted Protocols | Exfiltrates data using symmetric encryption over non-C2 communication channels. | Network traffic logs: Encrypted traffic on non-standard ports. |
| T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion | Using Developer Utilities for Execution | Executes malicious code using trusted developer tools to evade detection. | Application logs: Unexpected usage of developer utilities such as MSBuild or GCC. |
Probability Language
This document uses probability language based on assessment. Further information can be found in the image below:
Feedback
We welcome your feedback; it ensures we meet your needs.
Please contact our CTI Director at CTI@elemendar.ai
Acknowledgements
Authored by
Paul Montgomery, CTI Director Elemendar
Matt Orwin, CTI Analyst