New iMessage 0-Day Exploit, U.S. Healthcare Breach, Access Sales & Dark Web Recruitment Posts

Each day, fresh threats surface on the Dark Web. In the “The Week in the Dark Web” series, the SOCRadar Dark Web Team highlights the most notable incidents from a trove of data leaks, illicit sales, and other incidents. Notable finds from the past week include a new criminal partnership search and a 950GB data breach impacting a US healthcare provider. Furthermore, the sale of a zero-day exploit for iMessage and unauthorized Citrix access to a Spanish company pose significant risks.

Receive a Free Dark Web Report for Your Organization:

A New Partnership Searching Post is Detected

The SOCRadar Dark Web Team has detected a new post on a hacker forum where a threat actor actively seeks partners for a criminal venture involving a self-developed Android Remote Access Trojan (RAT). The post details a comprehensive and dangerous toolkit that includes features like BlindVNC, screen projection, and support for Android versions 8 through 14.

The actor claims successful previous campaigns with two partners and states that the RAT’s implant has a footprint of only 2 MB, with a combined loader and implant size of 4 MB. It is also designed to avoid Android’s background process management, achieving an uptime of up to 80 days.

Data of Pediatric Urology Associates are Leaked

The SOCRadar Dark Web Team has detected a post in a hacker forum announcing a new alleged data leak targeting Pediatric Urology Associates, a healthcare provider specializing in pediatric urological services in the US. According to the threat actor’s claims, the leak encompasses a substantial 950GB of sensitive data, including customer and medical information, corporate data, and employee details.

Unauthorized Citrix Access Sale is Detected for a Spanish Business Services Company

SOCRadar has detected a hacker forum post claiming to offer unauthorized Citrix access to a Spanish business services company. The company, which reportedly earns $416.5M in revenue, has its network access listed for sale at $1,500.

0-Day Exploit for iMessage is on Sale

The SOCRadar Dark Web Team has detected that a hacker forum post is advertising an alleged zero-day exploit for iMessage. This exploit allegedly allows zero-click Remote Code Execution (RCE), which could enable attackers to take control of iOS devices without any user interaction. The post claims the exploit affects iOS version 17.x, granting full access to the device’s functions and data. Details and a Proof-of-Concept (PoC) video are offered to serious buyers via a Telegram contact specified in the post.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.