Weekly Intelligence Report - 14 June 2024 - CYFIRMA (2024)

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows
Target Geographies: Australia, Brazil, Canada, Colombia, Egypt, El Salvador, France, Honduras, Indonesia, Italy, Japan, Libya, Norway, Romania, Slovakia, South Africa, Spain, Sri Lanka, Sweden, UAE, United Kingdom, United States and Vietnam.
Target Industries: Accounting, Business Services, Construction, E-commerce, Education, Energy, Finance, FMCG, Government, Healthcare, Manufacturing, Media, Real Estate, Retail, Software, Telecommunications, and Transportation.

Introduction
CYFIRMA Research and Advisory Team has found RansomHub Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

RansomHub Ransomware
RansomHub, a new Ransomware-as-a-Service (RaaS) platform, has quickly risen to become one of the largest ransomware groups in operation. It is highly likely that RansomHub is an updated and rebranded version of the older Knight ransomware. The group began listing its victims in mid-February 2024.

RansomHub encrypts the files and renames files by appending a string of random characters to the filenames. The ransom note is provided in a file named “README_[random_string].txt”.

Researchers analyzing the RansomHub payload discovered a high degree of similarity between RansomHub and Knight, suggesting that Knight served as the foundation for RansomHub.

In February 2024, Knight’s developers, who initially launched the ransomware as Cyclops, decided to shut down their operation and offered the source code for sale on underground forums. It is plausible that other actors purchased the Knight source code, updated it, and then launched RansomHub.

Comparison of Ransomhub and Knight
Both ransomware payloads are written in Go, and most variants are obfuscated using Gobfuscate, with only some early versions of Knight lacking this obfuscation.

The significant code overlap between the two families makes distinguishing between them challenging. In many instances, differentiation is only possible by examining the embedded link to the data leak site.

Additionally, the command-line help menus for both families are virtually identical, with the only distinction being the inclusion of a sleep command in RansomHub.

Both threats utilize a distinctive obfuscation technique, encoding important strings with unique keys and decoding them at runtime.

The ransom notes left by both payloads exhibit significant similarities, with many phrases from Knight’s note appearing exactly in RansomHub’s. This suggests that the developers merely edited and updated the original note.

Knight ransom note. (Source: Surfaceweb)

RansomHub ransom note. (Source: Surfaceweb)

Screenshot of files encrypted by ransomware (Source: Surface Web)

One key difference between the two ransomware families lies in the commands executed via cmd.exe. These commands can be configured either when the payload is built or during its configuration. While the specific commands differ, the sequence and manner in which they are executed relative to other operations remain consistent.

Both Knight and RansomHub possess a unique feature that allows them to restart an endpoint in safe mode before initiating encryption. This technique, first employed by Snatch ransomware in 2019, enables encryption to proceed without interference from the operating system or other security processes.

Researchers discovered that the attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472 [CVSS 10]), which can allow an attacker to obtain domain administrator privileges and seize control of the entire domain.

Before deploying the ransomware, the attackers employed several dual-use tools. Atera and Splashtop facilitated remote access, while NetScan was likely used to discover and gather information about network devices. The RansomHub payload utilized the command- line tools iisreset.exe and iisrstas.exe to halt all Internet Information Services (IIS) services.

Countries targeted by Ransomhub

Following are the TTPs based on the MITRE Attack Framework

Relevancy and Insights:

• This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
• Recently ransomware is seen targeting
• Business Services sector in Sweden
• Software industry in Italy
• Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
• The use of idle periods may indicate that the ransomware is designed to operate more stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities.
• The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.

ETLM Assessment:
CYFIRMA’ s analysis, based on available data, suggests that RansomHub is targeting economically rich nations such as the US, East, and Southeast Asia and is also spreading globally. This ransomware’s sophisticated techniques, including advanced obfuscation and exploitation of critical vulnerabilities like Zerologon, indicate a focus on high-value targets. The deployment of dual-use tools for remote access and discovery, combined with its stealthy operation in idle periods, underscores RansomHub’s strategic targeting of industries and organizations with substantial financial resources and critical data assets.

YARA
rule Detect_Malware_Path
{
strings:
$system32 = “system32”
$path_pattern = /C:\\Windows\\system32\\[a-f0-9]{64}A{50,}/

condition:
all of them
}
(Source: Surface web)

STRATEGIC RECOMMENDATIONS

• Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
• Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

• A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
• Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
• Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

• Update all applications/software regularly with the latest versions and security patches alike.
• Add the Yara rules for threat detection and monitoring which will help to detect anomalies in log events and identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Credentials Stealing, Data Exfiltration
Target Technologies: Windows OS, Browsers, FTP clients, VPN clients, IM clients, and other software such as MySQL Workbench, DynDns, Microsoft Credentials, Internet Downloader Manager, and JDownloader
Exploited Vulnerability: CVE-2017-0199, CVE-2017-11882

Active Malware of the Week
This week “Agent Tesla” is trending.

Agent Tesla
A recent discovery unveiled a new phishing campaign distributing a novel variant of Agent Tesla, which specifically targets Spanish-speaking individuals. The campaign employs various tactics, including exploiting known vulnerabilities in MS Office, JavaScript, PowerShell, and fileless modules, to deliver the Agent Tesla core module and evade detection. Agent Tesla is a well-known .NET-based Remote Access Trojan (RAT) designed to covertly infiltrate computers and steal sensitive information, such as hardware details, login credentials, keystrokes, email contacts, browser cookies, clipboard data, screenshots, and other system information, including the login username, computer name, OS information, CPU and RAM information, as well as saved credentials in widely installed software.

Attack Method
The attacker initiates the attack by sending a phishing email to the victim. The email, written in Spanish, masquerades as a standard SWIFT transfer notification from a large financial institution and includes a disguised Excel attachment.

Fig: The phishing email

The message translated into English reads as:
“Good day Attached is proof of payment made to your account according to your client’s instructions.”

The Excel Document
The Excel document utilizes OLE format with carefully crafted embedded data to exploit the CVE-2017-0199 vulnerability. It includes an embedded OLE hyperlink, which triggers automatically upon the victim opening the Excel file. The hyperlink provided in the document leads to “hxxp[:]//ilang[.]in/QqBbmc”. Upon opening the Excel file, an RTF document is automatically downloaded and prompted to open by the Word program.

Exploitation of CVE-2017-11882
CVE-2017-11882 is a Remote Code Execution (RCE) vulnerability found in Microsoft Office’s Equation Editor component (EQNED32.EXE). It can be exploited through Excel, Word, PowerPoint, and RTF documents containing crafted equation data in an OLE object. Successful exploitation permits an attacker to execute arbitrary code on the victim’s system. The vulnerability, a buffer overflow, overwrites a return address in the stack of EQNED32.EXE, allowing the attacker to hijack the process and execute copied malicious code from the stack. Following execution, shellcode is triggered to download and execute JavaScript code from a website.

The shellcode is depicted initiating an API call, URLDownloadToFileW(), to retrieve a JavaScript file from “hxxp[:]//equalizerrr[.]duckdns.org/eveningdatingforeveryone.js” and store it locally as “C:\Users\Bobs\AppData\Roaming\morningdatingroses.js.” Subsequently, the API ShellExecuteW() is invoked to execute the JavaScript file via the Windows program WScript.exe. Finally, the process concludes with a call to the API ExitProcess().

JavaScript Execution Leading to PowerShell Code
The JavaScript snippet confirms its intent to fetch another file from “hxxps[:]//paste[.]ee/d/yWWXG.” Following execution of the eval() function, this JavaScript code is initiated. When opening the URL in a web browser, it appears to be regular JavaScript code. But hidden inside is some malicious code, encoded in base64. After decoding it, this code joins with more instructions and runs in a “powershell.exe” process.

The PowerShell code serves several purposes:

• It downloads a regular jpg file with a base64-encoded .Net module (the loader- module) attached to it. The URL of the jpg file is constant: “hxxps[:]//uploaddeimagens[.]com[.]br/images/004/773/812/original/js.jpg?171388277 8”.
• It extracts the loader-module from the jpg file, decodes it from base64, and loads it into PowerShell’s memory.
• It calls the VAI() method of the loader-module under the namespace PROJETOAUTOMACAO.VB and the class Home.

The loader-module, a fileless component, avoids local storage, complicating detection for researchers who aren’t conducting meticulous, step-by-step analysis.

The VAI() method takes arguments:

• A reversed URL to the Agent Tesla core module, here: “hxxp[:]//equalizerrr[.]duckdns[.]org/droidbase64controlfire.txt.”
• A switch: if “1,” it establishes persistence on the victim’s system by adding itself to the auto-run group in the system’s registry. In this case, it’s “desativado,” meaning disabled.
• The penultimate argument designates a process name, which for this variant is “AddInProcess32.”

The loader-module, executing within a PowerShell process, fetches a file from the URL specified in the first argument, holding it in memory—this is the Agent Tesla core module. It then launches the ‘AddInProcess32’ process in a suspended state using the API CreateProcessA() with creation flags of 0x80000004 (CREATE_SUSPENDED).

Subsequently, the loader-module engages in process hollowing on the copied process, injecting and executing the Agent Tesla executable within the “AddInProcess32.exe” process. This operation entails calling various APIs, such as GetThreadContext(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), and ResumeThread().

Agent Tesla Executable Module
This Agent Tesla variant is a 32-bit .NET framework program, cleverly disguised as a fileless module. Debugging reveals obfuscation at the EntryPoint method, obscuring namespaces, classes, methods, and code flow.

To evade analysis environments, it employs various detection methods:

• Using the Windows API CheckRemoteDebuggerPresent() to detect debugging.
• Calculating tick count differences after a short sleep to detect VM environments.
• Checking for specific AV or sandbox-related DLLs in the process.
• Executing WMI queries to gather hardware information and scrutinizing keywords to detect virtualization environments.
• Accessing a specific URL to determine if it’s running in a host provider or data center.

Upon detection of any of these environments, the program promptly terminates its execution.

Theft of Sensitive Information from the Victim’s Device
Agent Tesla targets various web browsers for saved credentials, including Chromium- based ones like Chrome, Opera, and Edge, as well as Mozilla-based browsers like Firefox and Thunderbird. Additionally, it seeks credentials from email clients, FTP clients, VPN clients, IM clients, and other software such as MySQL Workbench, DynDns, Microsoft Credentials, Internet Downloader Manager, and JDownloader.

It also retrieves email contacts from Thunderbird profiles. The malware disables certain features by default, like the keylogger, screen logger, clipboard logger, and cookies.

Moreover, it gathers system information such as date, time, username, computer name, public IP, OS details, CPU, and RAM.

Submission of Stolen Data via FTP
Agent Tesla is preparing to transmit stolen credentials from the victim’s machine using the FTP method “STOR.” The file name format on the FTP server is “PW_{User name- Computer name_System Data&Time}.html,” containing the stolen data in HTML format.

Additionally, collected email contacts are stored in a txt file named “Contacts_Thunderbird.txt_{User name-Computer name_System Data&Time}.txt.” For example, “Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt” contains all email addresses collected from Thunderbird.

Fig: The whole process of this Agent Tesla campaign

INSIGHTS

• Agent Tesla’s evolution demonstrates the increasing sophistication of cyber threats. By targeting Spanish-speaking individuals, this campaign highlights the attackers’ ability to localize and customize their tactics to enhance the likelihood of success. The use of well-crafted phishing emails, disguised as legitimate financial notifications, showcases the ongoing reliance on social engineering as an effective initial attack vector.
• The malware’s comprehensive anti-analysis mechanisms, including debugger detection, environment checks for sandbox and virtualization, and even external checks for hosting environments, reflect a high level of sophistication. These features enable Agent Tesla to evade detection by automated analysis tools and researchers, ensuring it can carry out its malicious activities with minimal interruption.
• Agent Tesla’s extensive data theft capabilities are particularly concerning. Its ability to extract credentials from a wide range of browsers, email clients, FTP clients, VPNs, and other software indicates a broad attack surface and potential for significant data breaches. The inclusion of email contact extraction from Thunderbird demonstrates a focus on gathering as much personal and professional information as possible, which could be leveraged in further attacks or sold on the dark web.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that Agent Tesla’s evolution suggests a continued focus on enhancing its evasion tactics and expanding its target scope. This may lead to increased sophistication in bypassing security measures and broader impacts on organizations. With its demonstrated ability to steal credentials from various applications and platforms, including browsers, email clients, FTP clients, and VPNs, organizations reliant on these technologies will face heightened vulnerability to data breaches and cyberattacks. Furthermore, as Agent Tesla evolves, it may increasingly target industries and regions where it can maximize its impact.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

• Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
• Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
• Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS
Security Awareness training should be mandated for all company employees. The training should ensure that employees:

• Avoid downloading and executing files from unverified sources.
• Avoid free versions of paid software.
• Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
• Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
• Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
• Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
• Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
• Consider the following multi-layered protection program:
• Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
• Anti-phishing engines to prevent any type of phishing attack before it reaches users.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

• Attack Type: Malware Implant, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
• Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
• Ransomware – Cactus Ransomware, Daixin Ransomware | Malware –Agent Tesla
• Cactus Ransomware – One of the ransomware groups.
• Daixin Ransomware – One of the ransomware groups.
• Please refer to the trending malware advisory for details on the following:
• Malware – Agent Tesla
• Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Kimsuky North Korean Cyber Espionage Group Targets Western European Arms Manufacturers

• Threat Actors: Kimsuky
• Attack Type: Spear Phishing
• Objective: Espionage
• Target Technology: Windows
• Target Geographies: Europe
• Target Industries: Defence Industry
• Business Impact: : Data exfiltration & Operational Disruption

Summary:
On May 16, 2024, attempted intrusions targeting weapons manufacturers in Western Europe were identified, with high confidence attributed to the North Korean state- sponsored group Kimsuky. The report reveals that Kimsuky employed new espionage tools and primarily targeted a Western European weapons manufacturer, using the “General Dynamics” brand as a deceptive lure in their spear-phishing campaign. The attack vector involved emails containing a malicious JavaScript file, “Safety Manager JD (General Dynamics HR Division II).jse,” masquerading as a job description document. Upon execution, the file decodes two base64 data blocks: a benign PDF to distract the user and a malicious payload that executes silently in the background.

The payload consists of a legitimate PDF and a malicious executable library, encoded with double base64 to evade detection, which performs various espionage functions and ensures persistence by creating a new service and modifying the system registry. The espionage tool enables the attacker to enumerate directories, capture screenshots, establish socket connections, execute additional processes, and more. The command and control infrastructure linked to this campaign involves multiple domains and IP addresses associated with Stark Industries, suggesting a strong likelihood of Kimsuky’s involvement.

This incident underscores the escalating risks of cyber warfare targeting critical military industries. The targeted manufacturer plays a crucial role in the defense supply chain, highlighting the potential geopolitical implications of such cyberattacks. It is anticipated that the Kimsuky group will continue to target military and aerospace sectors globally, necessitating enhanced monitoring and protective measures to counter these threats.

Relevancy & Insights:
The cyber espionage attack by Kimsuky on a Western European weapons manufacturer highlights the group’s sophisticated tactics, including spear-phishing and the use of double base64 encoding to evade detection. By targeting the defense industry, Kimsuky aims to exfiltrate sensitive information, potentially enhancing North Korea’s military capabilities and posing significant geopolitical risks.

ETLM Assessment:
Kimsuky’s cyber-espionage attack on a Western European weapons manufacturer represents a significant threat due to its potential to exfiltrate sensitive military information, compromising national security and defense capabilities. This type of attack demonstrates Kimsuky’s advanced tactics, such as spear-phishing and sophisticated evasion techniques, which can be difficult to detect and mitigate. Europe could face more attacks by Kimsuky due to its critical role in global defense manufacturing and its technological advancements, making it a valuable target for intelligence gathering. The continuous geopolitical tensions and Kimsuky’s focus on military and defense sectors suggest a persistent threat, requiring European organizations to bolster their cybersecurity defenses to protect against such sophisticated state-sponsored attacks.

Recommendations:
Implement advanced email filtering to detect and block spear-phishing attempts. Educate employees about recognizing phishing emails and the dangers of opening unexpected attachments.

• Conduct frequent vulnerability assessments and penetration testing (VAPT) to identify and mitigate potential security gaps within your systems.
• Deploy and maintain up-to-date endpoint protection solutions capable of detecting and responding to malware and other malicious activities.
• Regularly train employees in cybersecurity best practices, including recognizing social engineering attempts and securely handling sensitive information.
• Develop and regularly update an incident response plan to ensure a swift and effective response to any security breaches. Include specific procedures for handling malware infections and data breaches.
• Advanced Threat Detection: Implement advanced threat detection solutions, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), to identify and block suspicious activities.
• Multi-Factor Authentication (MFA): Use MFA for all critical systems and sensitive accounts to add an extra layer of security against unauthorized access.
• Establish continuous monitoring of network traffic and system activities to detect anomalies and potential security incidents in real time.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russia preparing to target Paris Olympics with information campaigns
Researchers have identified several Russian disinformation campaigns targeting public opinion around the upcoming 2024 Paris Olympic Games, as well as the reputation of the International Olympic Committee (IOC). These efforts are most likely linked to Russia and tracked as Storm-1679 and Storm-1099. The threat actors have utilized AI to generate images and text and spread false information and rumors about the games and corruption in the International Olympic Committee (IOC). The groups have also utilized a common Russian disinformation tactic of impersonating existing news outlets and credible sources to spread misinformation and propagate threats and fears of violence and terrorism around the games. The IOC barred Russian and Belarusian athletes from competing in the Games in October 2023, citing Russia’s ongoing invasion of Ukraine as the reason. Russia has previously leveraged its digital capabilities to wreak havoc at other Olympic Games; in 2018, Russian government- sponsored hackers attempted to disrupt the opening ceremony of the Pyeongchang Winter Olympics in South Korea, using a cyberattack to shut down a significant portion of the digital infrastructure being used to hold and broadcast the event.

ETLM Assessment:
France’s ministry of defense has recently warned of possible sabotage attacks by Russia on military sites this year. Our analyst also concluded that during the Paris Olympics Russia is likely to target civilian targets in France as well in order to embarrass the government as a revenge for president Macron’s repeated comments, in which he suggested NATO could deploy NATO troops in Ukraine. There has been a real stepping up of Russian activity in the intelligence and shadow sphere, intensifying Russian political war on NATO as the freshly inaugurated president Putin reshuffles his government to include more macroeconomists who will be needed for the long war Russia clearly intends to fight in the coming years. Increased aggression from Russian intelligence also reflects the desire for the country’s spymasters to reassert themselves after their most serious setback since the collapse of the Soviet Union. In the weeks following Russia’s full-scale invasion of Ukraine, more than 600 Russian intelligence officers operating in Europe with diplomatic cover were ejected, dealing serious damage to the Kremlin’s spy network across the continent. Russia had gone to great lengths in order to reconstitute its presence in Europe, often using proxies including members of the Russian diaspora as well as organized crime groups with which the Kremlin has long-standing ties. However, given the extent of damage to the Russian intelligence network, the Kremlin will need to boost the cyber operations element of its political war against NATO, which should be expected to include attempts at cyber- enabled physical sabotage.

Chinese hackers active in the South China Sea region
Researchers have described a Chinese state-sponsored cyberespionage operation that targeted a high-profile government organization in Southeast Asia. Three China- linked activity clusters were observed within the respective governments’ networks between March 2023 and December 2023, with evidence of additional compromises dating back to early 2022.

The most likely goal of the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests, i.e. a classic state-driven espionage by cyber means. This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.

ETLM Assessment:
Last month, U.S. Secretary of State Antony Blinken traveled to Beijing in the latest of a series of high-level meetings between Chinese and U.S. leadership to ease tensions after China complained about movement of US Navy ships in international waters around Taiwan. That followed last year campaigns in the South China Sea regions by other Chinese actors like Volt Typhoon or Mustang Panda. All the hacking groups have been focused on countries surrounding the South China Sea, where China presses territorial claims on countries like the Philippines, Vietnam or Indonesia, as well as on the United States, with which China is in conflict over primacy in the region and global affairs as a whole. Guam; a US territory in the Western Pacific that is home to significant US military bases, has allegedly been targeted. Chinese hackers have been lately mainly focusing on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been found. As we have warned in an earlier report, given the increasingly assertive Chinese posturing, it was likely that Beijing’s hacker’s were trying to position themselves in a way it could try to paralyze U.S. critical infrastructure in case of an eruption of conflict between the two countries over the issue of Taiwanese or Philippine waters.An attempt to induce societal panic in their adversary in case of conflict is inherent part of Chinese military doctrine and targeting of critical infrastructure on Guam could affect U.S. military operations in significant way.

4. Rise in Malware/Ransomware and Phishing

The Cactus Ransomware impacts the CTS (Connection Technology Systems Inc.)

• Attack Type: Ransomware
• Target Industry: Telecommunication
• Target Geography: Taiwan
• Ransomware: Cactus Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Taiwan; (www[.]ctsystem[.]com), was compromised by the Cactus Ransomware. CTS (Connection Technology Systems Inc.) is a world-class FTTX solution provider for

Telecoms, ISPs, and Service operators all over the world. The compromised data contains Corporate confidential data, engineering documents, financial data, customer information, personal identification documents, database backups, etc. The total size of the compromised data is approximately 93 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

• Qlik Vulnerability Exploitation: Recently Cactus ransomware has been exploiting vulnerabilities in Qlik Sense servers, particularly targeting the CVE-2023-48365 vulnerability. Many Qlik servers remain unpatched, making them susceptible to attacks. Once the attackers gain access, they typically move laterally within the network, often using RDP tunnels and brute-force attacks to escalate their privileges and establish persistence.
• Recent Incidents: One notable incident involved Schneider Electric, where the Cactus ransomware gang claimed to have stolen 1.5TB of data. The data breach included sensitive customer and employee information, underscoring the impact such attacks can have on large enterprises.
• The Cactus Ransomware group primarily targets countries such as the United States of America, Cañada, the United Kingdom, Australia, and Chile.
• The Cactus Ransomware group primarily targets industries, including Heavy Construction, Computer Services, Automobiles, Financial Services, and Specialized Consumer Services.
• Based on the Cactus Ransomware victims list from 1Jan 2023 to 12June 2024, the top 5 Target Countries are as follows:
  
• The Top 10 Industries, most affected by Cactus Ransomware from 1 Jan 2023 to 12 June 2024 are as follows:
  

ETLM Assessment:
Cactus ransomware is being spread through malvertising campaigns, where malicious ads lead users to compromised websites that download the DanaBot trojan. DanaBot serves as a backdoor for deploying Cactus ransomware, making the initial infection harder to detect. Based on the available information, CYFIRMA’s assessment indicates that Cactus Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on CTS (Connection Technology Systems Inc.), a prominent Telecommunication company located in Taiwan, underscores the extensive threat posed by this particular ransomwar2e2strain in th©eCYEFaIsRtMAAsi2a02re4g, AioLnL. RIGHTS ARE RESERVED.

The Daixin Ransomware impacts the Dubai Municipality

• Attack Type: Ransomware
• Target Industry: Government
• Target Geography: United Arab Emirates
• Ransomware: Daixin Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United Arab Emirates; (www[.]dm[.]gov[.]ae), was compromised by the Daixin Ransomware. Dubai Municipality is the Government of Dubai municipal body with jurisdiction over city services and the upkeep of facilities in the Emirate of Dubai, United Arab Emirates, and reports directly to the Dubai Executive Council. The compromised data encompasses sensitive and confidential information pertinent to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

• Data Breach in Dubai: Most recently, in June 2024, Daixin Team reportedly attacked government networks in Dubai, exfiltrating between 60 to 80 GB of sensitive data, including ID cards and passports. This breach could have severe implications due to the high concentration of wealthy residents and expatriates in Dubai, potentially leading to identity theft and targeted phishing attacks.
• New Attack on Omni Hotels & Resorts: In April 2024, Daixin Team claimed responsibility for a cyberattack on Omni Hotels & Resorts. The attack led to a significant IT outage, disrupting reservation systems and hotel operations. The group threatened to leak sensitive customer data if their ransom demands were not met. They claimed to have exfiltrated millions of records, including personal information of guests from 2017 onwards.
• The Daixin Ransomware group primarily targets countries such as the United States of America, the United Arab Emirates, Indonesia, Germany, and Malaysia.
• The Daixin Ransomware group primarily targets industries, such as Hotels, Media Agencies, Health Care, Food Products, and Software.
• Based on the Daixin Ransomware victims list from 1 Jan 2023 to 12 June 2024, the top 5 Target Countries are as follows:
  
• The Top 10 Industries, most affected by the Daixin Ransomware from 1st Jan 2023 to 12June 2024 are as follows:
  

ETLM Assessment:
Daixin Ransomware Team is known for using various tools to facilitate their operations, including Rclone for cloud storage management and Ngrok for reverse proxying. They also utilize SSH for remote access and data exfiltration, making it challenging to detect and block their activities once they have breached a network. Based on the available information, CYFIRMA’s assessment indicates that Daixin Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Dubai Municipality, a prominent Government company located in the United Arab Emirates, underscores the extensive threat posed by this particular ransomware strain in the West Asia region.

5. Vulnerabilities and Exploits

Vulnerability in Trend Micro VPN Proxy One Pro

• Attack Type: Vulnerabilities & Exploits
• Target Technology: Virtual Private Network (VPN) Application
• Vulnerability: CVE-2024-36473 (CVSS Base Score 5.3)
• Vulnerability Type: Unrestricted Upload of File with Dangerous Type

Summary:
The vulnerability allows a remote user to compromise a vulnerable system.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of file during file upload.

Impact:
A remote user can upload a malicious file and execute it on the system. Affected Products: https[:]//helpcenter[.]trendmicro.com/en-us/article/TMKA-07247

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in VPN Proxy One Pro can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of VPN Proxy One Pro is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding online activities, including accessing geographically blocked content, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

8base Ransomware attacked and Published data of Nidec Motor Corporation

• Threat Actors: 8base Ransomware
• Attack Type: Ransomware
• Objective: Data Leak, Financial Gains
• Target Technology: Web Application
• Target Geographies: Japan
• Target Industry: Manufacturing
• Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that 8base Ransomware attacked and published data of Nidec Motor Corporation on its darkweb website. Nidec Motor Corporation is a global manufacturer of electric motors, and related components and equipment. The Company provides general motors, equipment devices, as well as precious small motors, including hard drive and hard disk drive (HDD) spindle motors, other small precision brushless direct current (DC) motors, brushless DC fans, and other small motors. The company is headquartered in Kyoto, Japan. The data leak, following the ransomware attack, encompasses Invoices, Receipts, Accounting documents, Personal data, Certificates, Employment contracts, Confidentiality agreements, Personal files, and Others.

Source: Dark Web

Relevancy & Insights:

• The 8Base ransomware group has seen a significant increase in activity since June 2023, using double extortion tactics to pressure victims into paying ransoms. This group, which first appeared in March 2022, has ramped up its attacks, targeting various industries and listing numerous victims on its dark website.
• 8Base ransomware is known for its use of the Phobos v2.9.1 ransomware, typically delivered through SmokeLoader, a malware downloader. The ransomware encrypts files with the .8base extension and demands ransom payments for decryption keys. Recent technical analyses show that 8Base employs various sophisticated methods to ensure persistence on victim systems, such as creating multiple copies of itself in startup folders and modifying registry keys for auto-start capabilities.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Nidec Motor Corporation, a prominent Manufacturing company located in Japan, underscores the extensive threat posed by this particular ransomware strain in the Asia Pacific region.

7. Data Leaks
Dkhoon Emirates Data Advertised on a Leak Site

• Attack Type: Data Leak
• Target Industry: Travel and Tourism
• Target Geography: Thailand
• Objective: Data Theft, Financial Gains
• Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to VWholesaleTour, {www[.]vwholesaletour[.]com} in an underground forum. A threat actor claims to be selling data from VWholesaleTour, an online travel agency. The alleged data includes over 196,000 logs and more than 2,800 user records. The data for sale contains ID, name, last name, nickname, email, password, agency, phone number, fax number, address, role, status, and other sensitive and confidential information. The threat actor has set the price for the data at $1,000.

Source: Underground Forums

PT Nap Info Lintas Nusa data advertised on a Leak Site

• Attack Type: Data Leak
• Target Industry: Telecommunication
• Target Geography: Indonesia
• Objective: Data Theft, Financial Gains
• Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to PT Nap Info Lintas Nusa, {www[.]napinfo[.]co[.]id} in an underground forum. A threat actor has announced a data breach at the telecommunications company that is PT Nap Info Lintas Nusa, located in South Jakarta, Indonesia. The company, with a total revenue of $6.2 million, is now facing a severe security threat. Allegedly, the breached data includes credentials, numerous database files, SSL-VPN logs and configurations, system configurations and information, API information, and much more.

The hacker is offering the breached data for sale with the following details:
Data Breach: $1,300 in XMR
Shell Access: $1,800 in XMR

In addition, the hacker has issued a ransom demand to PT Nap Info Lintas Nusa. The company has 30 days to pay $20,000 in XMR to prevent the dissemination of the breached information. If the ransom is not paid within this period, the hacker threatens to brick many of the company’s systems. Furthermore, any attempts to fix the issue, log in for repairs, or other interventions will trigger a fail-safe, causing additional damage to the systems. The data breach is allegedly claimed by the threat actor ‘Interpol404’.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Interpol404’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by Interpol404 typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

• Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
• Ensure proper database configuration to mitigate the risk of database-related attacks.
• Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

CYFIRMA Research team observed a potential data sale related to Advance Auto Parts (AAP) ( The United States of America). A threat actor has surfaced, claiming to be selling a vast database allegedly belonging to Advance Auto Parts (AAP). The purported data, amounting to a staggering 3TB, reportedly originates from AAP’s Snowflake data warehouse and includes a wealth of sensitive information. The data breach is allegedly claimed by the threat actor ‘Sp1d3r’. According to the threat actor, the database encompasses:
380 Million Customer Profiles: Including names, emails, mobile numbers, phone numbers, addresses, and more.
140 Million Customer Orders: Detailing purchase histories.
44 Million Loyalty / Gas Card Numbers: Accompanied by customer details. 358,000 Employee Records: Containing employment details.
Auto Parts Information: Including part numbers.
Sales History: Comprehensive records of transactions.
Employment Candidate Information: Featuring Social Security Numbers (SSNs), driver’s license numbers, and demographic details.
Transaction Tender Details: Information about payment methods and transactions.
Over 200 Tables of Data: Spanning various aspects of the business. Purchase Information
Price: 1.5 Million USD

Source: Underground forums

ETLM Assessment:
Threat actor 888 group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

• Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
• Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
• Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

• Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
• Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
• Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised and are measured against real attacks the organization receives.
• Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
• Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

• Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
• Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
• Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
• Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.