{
	"id": "96df41b4-b23e-4c2e-bf0a-71a207e0f9db",
	"created_at": "2026-04-06T00:14:21.224798Z",
	"updated_at": "2026-04-10T03:35:41.902371Z",
	"deleted_at": null,
	"sha1_hash": "2800d7b1eca919d991254f9c4618427c1041d404",
	"title": "11th December – Threat Intelligence Report - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 727333,
	"plain_text": "11th December – Threat Intelligence Report - Check Point\r\nResearch\r\nBy lorenf\r\nPublished: 2023-12-11 · Archived: 2026-04-02 11:43:36 UTC\r\nFor the latest discoveries in cyber research for the week of 11th December, please download our\r\nThreat_Intelligence Bulletin.\r\nTOP ATTACKS AND BREACHES\r\nThe American Greater Richmond Transit Company (GRTC), which provides services for millions of\r\npeople, has been the victim of a cyber-attack that impacted certain applications and parts of the GRTC\r\nnetwork. The Play ransomware gang claimed responsibility for the attack.\r\nCheck Point Harmony Endpoint and Threat Emulation provide protection against this threat\r\n(Ransomware.Win.Play; Ransomware.Wins.PLAY)\r\nMultinational retailer Aldo has acknowledged a ransomware attack that impacted the systems of an\r\nunspecified franchise partner. The LockBit ransomware gang has claimed responsibility for the attack.\r\nCheck Point Harmony Endpoint and Threat Emulation provide protection against this threat\r\n(Ransomware.Wins.LockBit.ta*; Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit.AI;\r\nRansomware_Linux_Lockbit)\r\nAlphV (aka BlackCat) ransomware gang claimed responsibility for cyber-attacks on three victims:\r\nAmerican medical provider Norton Healthcare; IT services and business consulting company HTC Global\r\nhttps://research.checkpoint.com/2023/11th-december-threat-intelligence-report/\r\nPage 1 of 4\n\nServices; and Tipalti, an Israeli fintech software provider startup with headquarters in Canada. 
The attack\r\non Tipalti has allegedly resulted in the compromise of over 265GB of confidential information belonging\r\nto the company and its customers, including the video game Roblox and streaming platform Twitch.\r\nAccording to AlphV, an insider from Tipalti was and is still actively involved in the attack.\r\nCheck Point Harmony Endpoint and Threat Emulation provide protection against this threat\r\n(Ransomware.Win.BlackCat; Ransomware.Wins.BlackCat.ta*; Ransomware_Linux_BlackCat)\r\nAmerican multinational confectionery company Hershey has disclosed a data breach that affected more\r\nthan 2,200 people as the result of a successful email phishing attack against the company. The stolen data\r\npotentially includes full names, health and medical details, debit and credit card data, financial account\r\ninformation and more.\r\nJapanese car manufacturer Nissan has confirmed a cyber-attack that affected Nissan Oceania, its Australian\r\nand New Zealand regional division, and took systems offline as a precaution. The company did not share\r\nspecific information on the type or extent of the breach.\r\nThe Hunters International ransomware group claimed responsibility for cyber-attacks on the Australian\r\nshipbuilder Austal USA and the Florida water agency, St. Johns River Water Management District. The attacks\r\naffected the Florida water agency’s information technology environment and potentially impacted Austal\r\nUSA’s documents, recruiting information, finance details, certifications, and engineering data.\r\nVULNERABILITIES AND PATCHES\r\nGoogle’s December 2023 Android security update addresses 85 vulnerabilities, notably including a critical\r\nzero-click remote code execution flaw (CVE-2023-40088) in the Android System component. 
The update\r\naddresses 84 other security vulnerabilities, with three critical ones related to privilege escalation and\r\ninformation disclosure in Android Framework and System components (CVE-2023-40077, CVE-2023-40076,\r\nand CVE-2023-45866), and another critical flaw in Qualcomm’s closed-source components (CVE-2022-40507).\r\nAtlassian has released software fixes to address four critical vulnerabilities that could lead to remote code\r\nexecution (RCE). These flaws include a deserialization vulnerability in the SnakeYAML library (CVE-2022-1471), and RCE vulnerabilities in Confluence Data Center and Confluence Server, Assets Discovery\r\nfor Jira Service Management and in Atlassian Companion app for macOS (CVE-2023-22522, CVE-2023-22524,\r\nCVE-2023-22523).\r\nTHREAT INTELLIGENCE REPORTS\r\nCheck Point Research has examined various attack vectors in modern Outlook and compared the user\r\ninteroperability required for each scenario when attackers use Outlook to deliver their exploits. The attack\r\nvectors have been observed in three categories: the “obvious” Hyperlink attack vector, the “normal”\r\nattachment attack vector, and the “advanced” attack vector.\r\nCheck Point Threat Emulation and IPS provide protection against this threat.\r\nCheck Point Research has identified a shift in the targeting of the Iranian hacktivist proxies which are now\r\nextending their cyber operations to include targets in other countries besides Israel, with a particular\r\nemphasis on the United States. Moreover, groups such as CyberAv3ngers and Cyber Toufan appear to be\r\nadopting a narrative of retaliation in their cyberattacks. They claim to target US entities using Israeli\r\ntechnology, suggesting a strategy of simultaneously targeting both Israeli and US interests.\r\nCheck Point Research exposes a troubling trend in the cryptocurrency landscape. 
Deceptive actors are\r\nmanipulating pool liquidity, sending token prices soaring by 22,000%. The manipulation of pool liquidity\r\nresulted in a swift and calculated theft of $80,000 from unsuspecting token holders. This incident sheds\r\nlight on the evolving strategies scammers employ to exploit decentralized finance platforms.\r\nThe Russia-based actor Star Blizzard (aka COLDRIVER/Callisto Group) persistently employs spear-phishing attack techniques for information-gathering purposes. The threat actor has been observed\r\ntargeting individuals and organizations in the UK and US that are involved in international affairs, defense,\r\nand logistics support to Ukraine.\r\nSource: https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/"
	],
	"report_names": [
		"11th-december-threat-intelligence-report"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d52f649-28b3-4ae9-9ef9-49d1bc85cf7a",
			"created_at": "2024-01-09T02:00:04.211752Z",
			"updated_at": "2026-04-10T02:00:03.514428Z",
			"deleted_at": null,
			"main_name": "Cyber Toufan",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Toufan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2800d7b1eca919d991254f9c4618427c1041d404.pdf",
		"text": "https://archive.orkl.eu/2800d7b1eca919d991254f9c4618427c1041d404.txt",
		"img": "https://archive.orkl.eu/2800d7b1eca919d991254f9c4618427c1041d404.jpg"
	}
}