Self Assessment

Weekly Cyber-Intelligence Report – 18 Apr 2021

Published On : 2021-04-18
Share :
Weekly Cyber-Intelligence Report – 18 Apr 2021

18 April 2021

1.    Weekly Attack Type and Trends

 

Key Intelligence Signals:

  • Attack Type: Spear-Phishing, Malware Implants, Ransomware, Vulnerabilities & Exploits, Credential Stealing, Supply Chain
  • Objective: Data Exfiltration, Data Encryption, Payload Delivery, Cyber Espionage, Reconnaissance
  • Business Impact: Loss of Critical Data, Financial Impact, Reputational Damage, Operational Disruption
  • Ransomware – Avaddon | Malware – njRAT, Formbook, Agent Tesla
  • njRAT – a .NET Remote Access Trojan with several in-built evasion techniques
  • Formbook – an infostealer‍ trojan sold as PHP control panel as part of Malware-as-a-Service (MaaS) offerings
  • Agent Tesla – spyware, has been observed targeting organizations for multiple objectives including data encryption, data exfiltration, and payload delivery.
  • Behavior – Most of these malware use phishing, and social engineering techniques as their initial attack vector. Apart from these, exploitation of vulnerabilities and defense evasion tactics are being observed.

2.    Threat Actor in Focus

 

Ransomware Cartel Estimated to Have Made USD 75 million

Suspected Threat Actors: Twisted Spider, Viking Spider, Wizard Spider, and the Lockbit Gang

  • Attack Type: Ransomware
  • Target Industry: Multiple
  • Target Geography: Non-CIS Region
  • Ransomware / Malware:
    • Maze ransomware (aka ChaCha), Egregor ransomware, Qakbot worm [Twisted Spider]
    • LockBit ransomware, Hakops keylogger [Viking Spider]
    • Ryuk ransomware, Conti ransomware, MegaCortex ransomware, BazarLoader backdoor, TrickBot trojan [Wizard Spider]
    • LockBit gang [Lockbit gang]
  • Objective: Financial Gains
  • Business Impact: Data Loss, Operational Disruption, Financial Loss – USD 75 million worth of Bitcoin approx.

Summary: Emerging in June 2020, researchers state that four ransomware gangs (Twisted Spider, Viking Spider, Wizard Spider, and the Lockbit Gang) currently exist within the Cartel and are believed to have earned at least USD 75 million worth of Bitcoin from ransom payments. Last year, Twisted Spider issued a press release, claiming they joined forces with several other well-known ransomware attackers. The researchers observed a strong connection between the affiliated ransomware gangs sharing infrastructure, data leak sites, tactics, and re-investing profits to advance both tactics and malware. Attackers are moving towards automating their attacks, offering Ransomware as a Service (RaaS) and leveraging PR interviews, press releases, social media, call centers to harass and pressure victims into paying the ransom.

Insights: Financial gains remain to be the primary intent of a ransomware operator. To achieve the desired outcome, they resort to more aggressive tactics ranging from demanding ransom, the threat to leak data, double extortion to recently emerged “Ransom DDoS attacks” (RDDoS) where the RDDoS attackers use the threat of taking down a company’s website. This collaborative attempt adds another tactic to their arsenal and should be seen as a mere collective of ransomware gangs to appear more powerful and intimidate victims. The gangs may often work together on certain ransomware operations, however, do not present a centralized and authentic entity as in the cases of APT groups.

 

3.    Major Geopolitical Developments in Cybersecurity

 

Natanz Nuclear Facility Hit by ‘Sabotage’, Iran Confirms

SUMMARY: Authorities have labelled this an extremist act but have yet to name the perpetrators. The incident occurred last week and impacted the Tehran-based nuclear facility’s power network. While calling the incident “sabotage” and “nuclear extremism”, authorities have confirmed that there were no casualties or leaks.

In the past, Stuxnet, a computer worm, has been used against Iran’s nuclear facilities. The worm switched off safety devices causing centrifuges to spin out of control.

Cyberattacks have proved to be the weapon of choice, often wielded by state-sponsored entities when targeting critical infrastructure installations of an ‘adversary’ as part of a wider geopolitical conflict.

 

New Vyveva Malware Used by North Korean Hackers to Attack Freighters

SUMMARY: A previously undocumented Lazarus backdoor, dubbed Vyveva, was traced in an attack against a South African freight and logistics firm. While the initial compromise vector is still unknown, Vyveva shares multiple code similar with older Lazarus samples, namely, the NukeSped malware family.

Apart from the code similarities, the use of fake TLS in network communication, command-line execution chains, and the way of using encryption, and Tor services all point towards Lazarus, which is why Vyveva is attributed to the Lazarus group with “high confidence”.

Cyber espionage operations are often targeted towards industrial sectors, critical & strategic infrastructure with a focus on driving geopolitical issues, stealing state, and trade secrets. However, as reported in a recent campaign, CostaRicto, believed to be operated by hackers-for-hire – a group of APT mercenaries with diverse and random targets spanning across various geography.

 

Sweden Blames Russia for Swedish Sports Confederation (SSC) Hack

SSC was hacked by GRU, via its 85th Center aka Unit 26165 in a campaign conducted between December 2017 and May 2018. GRU also targeted other prominent sporting bodies, including World Anti-Doping Agency (WADA) and FIFA. The hackers stole athletes’ personal details, such as medical records, and shared them with local media.

The incident that targeted World Anti-Doping Agency (WADA) was a response to accusations of government-sponsored doping which resulted in some Russian athletes being banned from the 2016 Olympic Games. Eventually, when charges were confirmed, WADA banned Russia from all international sport for four years, as of 9th December 2019. This has since fuelled the Russian hackers’ intent to “teach a lesson” to the authorities responsible for organizing the Olympic Games.

The timeline of the SSC’s data breach coincided with Sweden putting together a bid to host the 2026 Winter Olympics.

 

4.    Rise in Malware/Ransomware and Phishing

 

HealthCare Global Enterprises Hit by Ransomware

  • Attack Type: Ransomware
  • Target Industry: Healthcare
  • Target Geography: India
  • Ransomware: Avaddon
  • Objective: Data Exfiltration, Operational Disruption, Financial Gains
  • Business Impact: Data Loss, Erosion of Intellectual Property, Financial Loss, Reputational Damage

Summary: India’s largest cancer care provider HealthCare Global Enterprises Ltd was hit by the Avaddon ransomware group. The operator has published the exfiltrated data in a dark web forum which may include personally identifiable information (PII) and protected health information (PHI) of patients including diagnostic test reports, CT scans reports, MRI scan reports, prescriptions, patient list among other leaked information. The threat actor has also stated to perform DDoS attack.

The following screenshots were observed published in one of the dark web forums:

 

 

 

5.    Latest Cyber-Attacks, Incidents, and Breaches

 

BRATA Malware Impersonating as Android Security Scanners on Google Play Store

  • Attack Type: Social Engineering, Malware Implant
  • Target Industry: Multiple
  • Target Geography: Brazil, Span, US
  • Target Technology: Android
  • Objective: Unauthorized Access, Data Theft
  • Business Impact: Data Loss, Erosion of Intellectual Property, Financial Loss

Summary: A new set of malicious Android apps posing as app security scanners on the official Play Store to distribute a backdoor capable of gathering sensitive information were identified by researchers. The malicious apps alert unsuspecting users of a security issue on their devices, prompting them to install a fake update of a specific app namely, Google Chrome, WhatsApp, and a non-existent PDF reader app. Once the action is authorized, BRATA requests permissions to access the device’s accessibility service, abusing it to capture lock screen PIN (or password/pattern), record keystrokes, take screenshots, and even disable the Play Protect.

 

Insights: BRATA (Brazilian Remote Access Tool Android), first documented in August 2019, emerged as an Android malware with screen recording abilities and morphed into a banking trojan. The malware has full device control as well as phishing capabilities. BRATA is yet another example of how simple social engineering techniques allow cybercriminals to trick and get total control of the victims’ devices.

 

 

 6.    Vulnerabilities and Exploits

 

Zero-Day Vulnerability in Desktop Window Manager Used in the Wild

  • Suspected Threat Actor: BITTER APT group
  • Target Technology: Desktop Window Manager
  • Vulnerabilities: CVE-2021-28310 (CVSS Base Score: 7.8)
  • Vulnerability Type: Elevation of Privilege, Out-of-bounds Read
  • Impact: Confidentiality (High), Integrity (High), Availability (High)

Summary: While analyzing an exploit for a separate vulnerability, researchers discovered another zero-day exploit suspected to be linked to the BITTER APT group. CVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers can create a situation that allows them to write controlled data at a controlled offset using DirectComposition API.

Insights: Apart from applying the patch, the organization should adhere to best security practices. It is suspected that the vulnerability has exploits available in the wild and potentially leveraged by several threat actors.

 

7.    Data Leak

 

Social Media App Clubhouse Data Leaked

  • Attack Type: Data Leakage
  • Target Industry: Social Media
  • Target Geography: India
  • Objective: Data Exfiltration, Financial Gains
  • Business Impact: Reputational Damage, Regulatory Implication, Financial Loss, Loss of Competitive Advantage

Summary: Clubhouse, an invitation-only social media app for iOS that facilitates auditory communication allegedly suffered a data leak that claims to have affected 1.3 million users. An unknown threat actor published links in one of the underground forums to the leaked data hosted on an external file-sharing site.

The following screenshots are related to the data leak:

 

 

Help University from Malaysia available for Sale in Underground Forums

  • Attack Type: Data Leakage
  • Target Industry: Education
  • Target Geography: Malaysia
  • Objective: Data Exfiltration, Financial Gains
  • Business Impact: Reputational Damage, Regulatory Implication, Financial Loss, Loss of Competitive Advantage

Summary: Details of students at a private Malaysian university, Help University, have been observed to be advertised for sale by unknown threat actors in the underground forums. The leaked data include details such as bank account details, phone number, email address, IC card, and passport details.

The following screenshots are related to the data leak:

 

8.   Recommendations

 

Drop us a note at [email protected] if you’d like more insights.