Weekly Cyber-Intelligence Report – 28 Mar 2021

Published On : 2021-03-28

Weekly Attack Type and Trends

  • Ransomware/Malware: njRAT, Agent Tesla, FormBook, DopplePaymer Ransomware, REvil Ransomware
  • Attack Type: Spear-Phishing Attacks, Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, Credential Stealing, Supply Chain Attacks
  • Objective: Data Exfiltration, Data Encryption, Payload Delivery, Cyber Espionage, Reconnaissance
  • Business Impact: Loss of Critical Data, Financial Impact, Reputational Damage

Insights:

Attackers continue to leverage malware and phishing attacks to target organizations as these are the easiest and most widely used techniques that yield maximum results. Attackers are also enhancing their arsenal and using sophisticated techniques that evade detection by conventional security solutions.

With ransomware developers increasingly offering their malicious tools through renting or service models such as Ransomware-as-a-Service (RaaS), cybercriminal groups are taking advantage to distribute the malware and carry out attacks for financial gains.

Threat Actor in Focus

Lazarus hacker group’s latest threat activities targeting Japan

  • Target Countries: Japan
  • Suspected Threat Actor: Lazarus Group
  • Attack Type: Bot Activity, Malware Activity
  • Objective: Unauthorized Access, Malware Implant, Data Exfiltration, Defence Evasion
  • Business Impact: Operational Disruption, Erosion of Intellectual Property, Financial Loss

Summary:

A new report highlights the Lazarus group’s most recent campaign against Japanese firms. The research report underlines the threat actor’s most formidable hacking techniques and notes the use of the VSingle HTTP bot as a primary vector. In the recent campaign, the malicious code is stealthily executed to first embed itself on a system and then download obfuscation and exploitation software. Some versions of the bot also perform DLL injection to hide their activity. The group also makes use of ValeforBeta, which works similarly to VSingle, to transmit system information and to send and download files. After successfully infecting primary system processes, the threat actors use tools such as 3Proxy, Stunnel and Plink to relay communication with the C2 server.

Insights:

North Korea’s cyber-warfare is in sync with its military philosophy. Strong anti-Japanese sentiments are manifested in the activities of state-sponsored threat groups like Lazarus that are primarily tasked with four objectives:

1. Financial gain as a method of circumventing long-standing sanctions against the regime
2. Intelligence collection, data exfiltration and espionage
3. Propagating the state’s geopolitical aspirations
4. Showcasing capabilities that will astonish the world

Recent attacks were carried out against pharmaceutical companies that develop vaccines, including AstraZeneca, possibly to disrupt vaccine manufacturing and distribution. The US Department of Justice has accused three North Korean military personnel of participating in several hacking campaigns organized by the Lazarus Group.

Major Geopolitical Developments in Cybersecurity

Following cyberattack alert, India’s Transport Ministry advises its departments to tighten IT security

Insights:

The Indian Computer Emergency Response Team (CERT-In) has issued an Early Warning to the MoRTH (Ministry of Road Transport and Highways) regarding potential targeted intrusion activity directed at the transportation industry with possible malicious intent. The threat actors have reportedly used spear phishing, drive-by downloads, or exploitation of known vulnerabilities in public-facing applications as the initial entry point to compromise the enterprise network. CERT-In also urged organizations to monitor and examine their network perimeter logs (firewall, proxy, etc.), particularly against the curated list of Indicators of Compromise for this campaign that it provided.

Poland’s state-owned websites hacked to spread false information

Insights:

Two Polish government websites were hacked to spread false information about a non-existent radioactive threat. A cyberattack suspected to originate from Russia led to the websites of Poland’s Health Ministry and National Atomic Energy Agency being hacked. In the era of ‘fake news’, public opinion can be drastically altered or reinforced by fictitious ‘news’ reporting. To counter this menace, the flow of information must be strictly monitored.

Ministry of Defence Academy hacked by state-sponsored hackers

Insights:

British newspapers claimed that the Ministry of Defence Academy was the victim of a major cyberattack. Chinese and Russian state-sponsored hackers are suspected to be behind it. State-sponsored groups from Russia and China continually challenge the existing order without provoking direct conflict, operating in the expanding grey zone between war and peacetime. This conflict is creating a new attack surface over the wire, threatening the global interests of the targeted country.

Rise in Malware/Ransomware and Phishing

A US-Based trucking company was targeted by DopplePaymer ransomware

  • Target Industry: Transport
  • Target Geography: US
  • Attack Type: Ransomware Attacks
  • Objective: Data Exfiltration, Data Encryption, Financial Gains
  • Ransomware: DopplePaymer Ransomware
  • Business Impact: Loss of Data, Potential Lawsuits, Reputational Damage, Financial Loss

Summary:

KRD Trucking, based in Chicago, US, is suspected to have been targeted by DopplePaymer ransomware operators. The exfiltrated data may include confidential and business-critical information such as agreement details, transportation plans, specifications and audit details. Threat actors are observed targeting the less secure systems of suppliers, vendors and partners to make inroads into the primary target’s infrastructure. Further, compromised systems and stolen information may also be used for extortion and for tailored attacks on the organization.

The following screenshots were observed published in one of the dark web forums:

Insights:

Ransomware and other forms of extortion represent the biggest cybersecurity threat to organizations. New ransomware variants, as well as data leak sites (which host and/or advertise stolen information), appear every week, including some operated by well-known ransomware operators such as Maze, Conti, DoppelPaymer and Sodinokibi. Organizations face the risk of having sensitive data leaked to the public via these sites, on top of the already tense situation of encrypted files and locked systems.

Latest Cyber-Attacks, Incidents, and Breaches

REvil ransomware operators new technique to encrypt files in ‘Windows Safe Mode’

  • Target Countries: Global
  • Attack Type: Unknown
  • Objective: Data Exfiltration, Data Encryption, Operational Disruption
  • Business Impact: Data Loss, Financial Loss, Data Encryption, Operational Disruption

Summary:

REvil ransomware has a new technique that encrypts files in Windows Safe Mode to evade detection by security software. In a new REvil sample discovered by security researchers, a new -smode command-line argument was added that compels the computer to reboot into Safe Mode before encrypting the device. The ransomware forcibly reboots Windows, and the user cannot stop the reboot. Right before the process exits, the ransomware creates an additional RunOnce autorun named ‘AstraZeneca’. After the restart, the device starts up in Safe Mode with Networking and the user is prompted to log into Windows. Once they log in, the ransomware is executed without the -smode argument and begins to encrypt the files on the device.
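As an added defender-side example, not part of this report, the following PowerShell audit checks a Windows host for the two artifacts the technique above relies on: a pending RunOnce autorun and a safeboot flag on the current boot entry. The registry paths are the standard RunOnce locations; the function names and the output wording are the author’s own assumptions, not indicators published with the report.

```powershell
# Added example (not from the report): audit the host-side traces of a
# "reboot into Safe Mode, then run from RunOnce" sequence.
# Run in an elevated PowerShell session on the Windows host being checked.

function Get-RunOnceEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Drop the PS* metadata properties Get-ItemProperty adds to every object
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Get-SafeBootSetting {
    # bcdedit prints a 'safeboot' line only when the current boot entry is set
    # to start in Safe Mode; the value 'Network' is Safe Mode with Networking.
    $line = bcdedit /enum '{current}' |
        Where-Object { $_ -match '^\s*safeboot\s' } |
        Select-Object -First 1
    if ($line -and $line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    return $null
}

$entries  = @(Get-RunOnceEntries)
$safeboot = Get-SafeBootSetting

# RunOnce is usually empty outside of pending installer clean-ups, so every
# entry deserves a look; an entry combined with a pending safeboot is a strong signal.
foreach ($e in $entries) {
    Write-Output ("RunOnce entry: [{0}] {1} -> {2}" -f $e.Key, $e.Name, $e.Command)
}
if ($safeboot) {
    Write-Warning "Boot entry {current} has safeboot=$safeboot; the next restart enters Safe Mode."
}
if ($entries.Count -gt 0 -and $safeboot) {
    Write-Warning "RunOnce autorun plus safeboot flag matches the pattern described above; isolate the host and investigate."
}
```

Remember that the RunOnce value is deleted once it runs, so this check is most useful before the forced reboot completes or on a host that has been isolated from the network.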

Insights:

The motivation for the latest technique used by REvil ransomware operators is that most traditional antivirus software does not run in Windows Safe Mode, a Windows state meant for debugging and recovering a corrupt operating system. The REvil ransomware group has asserted that it successfully attacked multiple organizations across industries in Africa, Europe, Mexico and the US in the last two weeks. Initial investigation reveals that the attacks were launched immediately after an extensive and well-planned drive-by download campaign that started in late December 2020.

Vulnerabilities and Exploits

Red Hat released security advisory for March

  • Target Technology: Red Hat
  • Vulnerabilities: CVE-2020-8908 (CVSS Base Score: 3.3), CVE-2020-10687 (CVSS Base Score: 4.8), CVE-2020-28052 (CVSS Base Score: 8.1), CVE-2020-35510 (CVSS Base Score: 5.9), CVE-2021-20220 (CVSS Base Score: 4.8), CVE-2021-20250 (CVSS Base Score: 4.3)
  • Vulnerability Types: Privilege escalation, HTTP Request Smuggling, Denial of Service, Information Disclosure
  • Impact: Confidentiality, Availability, Integrity

Summary:

Red Hat has released its security update for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Multiple bugs and security fixes were addressed in this security advisory.

Insights:

Cybercriminals continue to adopt new attack methods that exploit the vulnerabilities introduced by the ever-increasing adoption of digital technologies.

Data Leak

1. 100 Million LinkedIn Records Leaked

  • Target Industry: Social Media
  • Target Countries: Global
  • Attack Type: Data Leak
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage, Regulatory Implication

Summary:

The threat actor released a sample of thousands of records containing personal information such as email addresses, cell phone numbers, addresses, etc. Unlike other data leaks, where threat actors typically exploit a weakness in a system to exfiltrate data without authorization, this threat actor claims to have obtained physical access to the database.

The following screenshots were observed published in one of the underground forums:

2. Fortune 500 Companies’ Database Leaked

  • Target Industry: Multiple
  • Target Countries: Global
  • Attack Type: Data Breach
  • Objective: Financial Gains, Social Engineering
  • Business Impact: Loss of Critical Data, Financial Loss, Reputational Damage, Regulatory Implication

Summary:

The leaked database includes personal details relating to major firms. The leaked user details are likely to be used by other threat actors to perform social engineering attacks.

The following screenshots were observed published in one of the underground forums:

Insights:

Organizations are required to take appropriate security measures to protect such critical data, as it is a major treasure trove for hackers who gain access to it.

Recommendations

STRATEGIC RECOMMENDATIONS:

  1. Deploy an advanced Endpoint Detection and Response (EDR) engine as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  2. Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploit weaknesses in systems, and exfiltrate data.

MANAGEMENT RECOMMENDATIONS:

  1. Mitigation activity must be tracked, and situations in which there has been a formal decision not to mitigate must be documented. Such practices improve vulnerability management and prove helpful during audits and regulatory inquiries in showing due diligence.

TACTICAL RECOMMENDATIONS:

  1. Patch software/applications as soon as updates are available.
  2. Ensure backups of critical systems are maintained, which can be used to restore data in case a need arises.
  3. Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  4. Ensure that a combination of security controls such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting and account lockout is implemented and adequately strengthened to thwart automated brute-force attacks.
  5. Use network segmentation within converged IT/OT environments as a critical security control, based on network type, purpose and access privileges, to limit the snowball effect in the event that one network segment is compromised.
  6. Ensure active network infrastructure monitoring using next-generation security solutions that enable real-time monitoring of policy violations, data leaks, anomalous activity and potential threats.