Weekly Intelligence Report – 02 Dec 2022

Published On : 2022-12-02

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rogue Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), SMiShing, Malvertising, USB as an Attack Vector.
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property.
  • Ransomware – BianLian Ransomware | Malware – Dolphin
  • BianLian Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Dolphin
  • Behavior – Most of these malware families use phishing and social engineering techniques as their initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics have also been observed.

Threat Actor in Focus

China Sponsored Cyber Espionage APT Group UNC4191 Targets Philippines

Suspected Threat Actors: UNC4191

  • Attack Type: USB as an Attack Vector, Malware Implant
  • Objective: Unauthorized Access, Data Theft, Lateral Movement, Espionage
  • Target Technology: Windows
  • Target Geographies: Philippines, U.S., Europe, Asia Pacific and Japan (APJ).
  • Target Industries: Public & Private Sector
  • Business Impact: Data Theft

Summary:
Recent observations revealed a new threat actor named UNC4191 running a cyber espionage campaign against the Philippines’ public and private entities. The target organizations are spread across the US, Europe, and APJ; however, their primary target is Southeast Asia. Most of the specific systems targeted were found to be physically located in the Philippines.

The initial infection is delivered via USB devices. The malware self-replicates by infecting new removable drives that are plugged into an infected machine, allowing the malicious payloads to spread to additional systems and to collect data. Three malware components work together. The first is responsible for side-loading a malicious file that impersonates a legitimate dynamic link library (DLL) and launching an encrypted file. The second phase of the attack involves Darkdew, an encrypted DLL payload that can infect removable drives to enable self-propagation. Finally, Bluehaze executes to achieve system persistence.

A successful breach led to the installation of a renamed NCAT binary and the execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor.

The operation led by UNC4191 reveals China’s interest in maintaining access to public and private entities and gathering intelligence from cyber espionage.

Insights:
The campaign started in late 2021 but only recently came to the attention of security researchers.
The threat actor leveraged legitimately signed binaries to side-load malware, including three new families: MISTCLOAK, DARKDEW, and BLUEHAZE. Upon successful compromise, BLUEHAZE deploys NCAT to create a reverse shell to a hardcoded C2.

Major Geopolitical Developments in Cybersecurity

Pentagon Releases Zero Trust Strategy

According to a new defense strategy released by the US Department of Defense (DoD) this November, defense agencies have five years to convert their networks to architectures that continually verify that no one is accessing confidential data without authorization, the so-called zero trust principle. This shift is the main theme of the Pentagon’s new five-year plan to harden its cyber defenses against potential attacks. In the preface of the document, DoD states that American adversaries are “in our networks, exfiltrating our data, and exploiting the Department’s users”. The strategy and roadmap expect DoD to start piloting zero trust principles with cloud computing, beginning a long-term journey toward trustworthiness. However, some researchers criticize the Pentagon’s reliance on private companies in the field of cloud computing, which might be vulnerable to cyber espionage.

Russian Cyber-Reconnaissance at a Netherlands LNG Terminal

At least one key EU port with an LNG terminal crucial for energy imports has recently reported Russian cyber-reconnaissance activity. According to Dutch media, the Russian military intelligence-linked groups Xenotime and Kamacite have probably engaged in reconnaissance of liquid natural gas terminals in the Netherlands. Both actors have a history of attacking the energy industry and critical infrastructure. CYFIRMA has been warning about the increasing likelihood of attacks on these two sectors, and most researchers now agree that LNG terminals are a prime target and that a massive cyber-attack against critical infrastructure in Europe is only a question of time, severity, and modus operandi. Dutch media report that signals of preparation activity have been spotted in the systems of Gasunie’s LNG terminal in Rotterdam’s port of Eemshaven. The Netherlands is a major hydrocarbon energy hub in Europe and hosts one of the most important commodities exchanges in the world.

Rise in Malware/Ransomware and Phishing

Power Plant Services LLC Impacted by BianLian Ransomware

  • Attack Type: Ransomware, Data Exfiltration
  • Target Industry: Manufacturing
  • Target Geography: United States of America
  • Ransomware: BianLian Ransomware
  • Objective: Financial Gains, Data Theft, Data Encryption
  • Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Power Plant Services LLC being impacted by the BianLian ransomware group. The company offers customers an extensive range of parts manufacturing, extending into the Pulp & Paper, Refineries, and Steel Mill industries alongside its core markets of Power Generation, Utilities, and related industrial sectors. The ransomware group claimed Power Plant Services LLC (www[.]ppsvcs[.]com) as one of their victims by disclosing the update on their dedicated leak site. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. As per the claims, files and documents relating to business and personal data have been exfiltrated.

Insights:
BianLian ransomware operators usually leverage email spam, malicious attachments, fake downloads, and drive-by downloads as initial infection vectors and use double extortion in their attacks to extort the ransom.

This ransomware was written in the “Go” programming language, which has recently become popular among threat actors due to its cross-platform capabilities and the fact that it makes reverse engineering more difficult.

BianLian ransomware splits the file content into 10-byte chunks for encryption. It first reads 10 bytes from the original file, then encrypts those bytes and writes the encrypted data to the target file. Dividing the data into small chunks is a method to evade detection by security products.

It has targeted the following industries: professional services, manufacturing, healthcare, energy, media, banks, and education. BianLian ransomware targets businesses all over the world; however, 75% of victim organizations are from the United States, the United Kingdom, and Australia.