
Weekly Intelligence Report – 02 Feb 2024

Published On : 2024-02-02
Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Kasseika ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Kasseika ransomware
Kasseika was first discovered in mid-December 2023, and the ransomware shares similarities with BlackMatter. The similarities involve pseudo-ransom extensions and the use of {extension string}.README.txt as the ransom note file name and format.

After a rise in bring-your-own-vulnerable-driver (BYOVD) attacks by ransomware groups in 2023, Kasseika has joined the trend. Alongside Akira, BlackByte, and AvosLocker, Kasseika utilizes this tactic to halt antivirus processes, allowing for the deployment of ransomware. Researchers found that Kasseika misused the Martini driver to terminate the victim machine’s antivirus-related processes.

Analysing the recent attack involving Kasseika Ransomware:
Kasseika ransomware employed targeted phishing methods for initial access. It also collected credentials from an employee within the targeted company. Subsequently, the ransomware utilized remote administration tools to acquire privileged access and navigate through the network.

Kasseika misused the legitimate Windows remote administration tool PsExec to run its malicious files (a .bat file in a recent attack). Originally intended for network management, the tool's abuse lets threat actors execute a malicious file remotely.

The ransomware starts by employing a batch script to introduce its malicious elements. The script first checks for the presence of a process named Martini.exe. If detected, it proceeds to terminate the process, ensuring there is only one instance running on the machine.

Upon further analysis, it was observed that Martini.exe initially checks if the Martini.sys driver has been successfully downloaded to the compromised system. The signed driver Martini.sys, initially identified as viragt64.sys, is a component of the VirIT Agent System developed by TG Soft. Kasseika exploits vulnerabilities in this driver to disable several security tools effectively. If Martini.sys is not present, the malware terminates itself, preventing the continuation of its intended routine.

After verifying the existence of the system file, Kasseika goes on to create a service and subsequently starts it. Martini.exe then opens a handle to the Martini.sys driver using the CreateFileW function.

Following the loading of Martini.sys, Martini.exe continuously scans all active processes in the system. Upon identifying a listed process, it passes this information to the driver using the DeviceIoControl function.

The control code 0x82730030 is sent to the driver, instructing it to terminate many processes, including antivirus products, security tools, analysis tools, and system utility tools.

The ransomware also uses the FindWindowA API to compare window names against its string list.

The ransomware identifies applications associated with monitoring processes, system monitoring, and analysis tools.

A list of process monitoring, system monitoring, and analysis tools that Kasseika looks for. (Source: Surface web)

Ransomware enhances its defense evasion methods by identifying active processes linked to security and analysis tools. It terminates itself if these processes are found in the system.

A list of process names related to security and analysis. (Source: Surface web)

The figure below illustrates that the script will delete any directories under the malicious batch script, ensuring a clean state. Kasseika establishes variables to store different paths and executable file names. These variables enhance the script’s flexibility, facilitating effortless modification of file paths and names for future use.

Initialization of variables (Source: Surface web)

Execution of payloads (Source: Surface web)

Following this, Kasseika copies files from a network share to a local directory, using the /E switch to ensure comprehensive copying of all subdirectories, including empty ones. Martini.exe is then run to terminate processes linked to antivirus vendors. Subsequently, the execution moves on to launch smartscreen_protected.exe, identified as the Kasseika ransomware binary by researchers. Finally, clear.bat is executed to remove any traces of the operation on the machine.

Kasseika payload analysis:
The Kasseika ransomware is a 32-bit Windows PE file packed using Themida. Binaries packed with Themida are recognized for their robust code obfuscation and anti-debugging techniques, making them challenging to reverse-engineer.

Before initiating encryption, Kasseika terminates all processes and services currently interacting with the Windows Restart Manager. The ransomware initiates a new session, modifying the Owner value in the registry keys listed below. It subsequently begins enumerating session hashes (SessionHash) of processes and services from the same registry keys. After termination, it retrieves the paths of the terminated files, which will later be examined for encryption:

  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session{numbers} Owner = {hex values}
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session{numbers} SessionHash = {hex values}
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session{numbers} Sequence = 0x01
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session{numbers} RegFiles{numbers} = {encrypted path and file}
  • HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session{numbers} RegFilesHash = {hex values}

The ransomware proceeds to decrypt its encrypted extension by first obtaining a hard-coded string from CryptoPP::StringSinkTemplate. Subsequently, it Base64-encodes the initial nine characters of the string. Finally, because the Base64 characters "+", "/", and "=" are not valid in a file extension, the ransomware substitutes them with "a", "l", and "e", respectively.

Kasseika obtains its encryption algorithm key, ChaCha20, and the RSA encryption algorithm from the open-source C++ library CryptoPP. It creates a modified version of the ChaCha20 matrix that consists of randomly generated bytes. This matrix is then copied to a buffer, which is encrypted by the RSA public key. The encrypted buffer is subsequently written into the modified ChaCha20 matrix. Kasseika then employs the modified ChaCha20 matrix to encrypt the targeted files.

Upon successful encryption, the Kasseika ransomware renames the encrypted files as {original filename}.{original extension}.CBhwKBgQD.

Sample encrypted files by the Kasseika ransomware. (Source: Surface web)

Subsequently, Kasseika utilizes the encrypted file extension as the name for its ransom note, CBhwKBgQD.README.txt, which it places in every directory that it encrypts within the affected system.

A Kasseika ransom note (Source: Surface web)

At the end of its encryption routine, the Kasseika ransomware changes the wallpaper of the affected system as below.

(Source: Surface web)

The ransomware can erase its traces by executing commands to clear the system’s event logs.

The commands that Kasseika uses to clear the event logs. (Source: Surface web)

The wevtutil.exe command erases the Application, Security, and System event logs on the Windows system. This method is employed for discreet operations, increasing the difficulty for security tools to detect and respond to malicious activities.

Relevancy & Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware modifies the HKLM\System\CurrentControlSet\services\VSS\Start registry key, setting the dword value to 0x00000004, effectively disabling the Volume Shadow Copy Service (VSS). This alteration hampers data backup and recovery, increasing the impact of potential data loss and hindering restoration efforts.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
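The two host artifacts above that leave a clear telemetry trail are the VSS Start value being set to 4 and wevtutil wiping the Application, Security, and System logs. The following Go program is an added example (not code from the report or from CYFIRMA) that runs both checks over a constructed, simplified "kind|target|value" event format; the wevtutil syntax is the documented Windows syntax rather than commands taken from the report's figure, and the log lines are made up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one matched behaviour: VSS disabled via the registry, or an
// event log cleared with wevtutil.
type Finding struct {
	Name   string // "vss_disabled" or "eventlog_cleared"
	Detail string
}

// Event is a constructed, simplified host telemetry record (not a real log format):
//   registry_set: Target = value path, Value = data written
//   process:      Target = image path,  Value = command line
type Event struct {
	Kind, Target, Value string
}

// ParseEvent reads the constructed "kind|target|value" line format.
func ParseEvent(line string) (Event, error) {
	parts := strings.SplitN(line, "|", 3)
	if len(parts) != 3 {
		return Event{}, fmt.Errorf("malformed event line: %q", line)
	}
	return Event{Kind: parts[0], Target: parts[1], Value: parts[2]}, nil
}

// checkVSS flags ...\services\VSS\Start being written as 4 (SERVICE_DISABLED).
func checkVSS(e Event) (Finding, bool) {
	if e.Kind != "registry_set" || !strings.HasSuffix(strings.ToLower(e.Target), `\services\vss\start`) {
		return Finding{}, false
	}
	v, err := strconv.ParseUint(strings.TrimPrefix(strings.ToLower(e.Value), "0x"), 16, 32)
	if err != nil || v != 4 {
		return Finding{}, false
	}
	return Finding{"vss_disabled", "Volume Shadow Copy service start type set to disabled: " + e.Target}, true
}

// checkLogClear flags "wevtutil cl <log>" / "clear-log <log>" for the logs named in the report.
func checkLogClear(e Event) (Finding, bool) {
	if e.Kind != "process" || !strings.HasSuffix(strings.ToLower(e.Target), "wevtutil.exe") {
		return Finding{}, false
	}
	args := strings.Fields(e.Value)
	for i := 0; i+1 < len(args); i++ {
		switch strings.ToLower(args[i]) {
		case "cl", "clear-log":
			name := args[i+1]
			switch strings.ToLower(name) {
			case "application", "security", "system":
				return Finding{"eventlog_cleared", "wevtutil cleared the " + name + " log"}, true
			}
		}
	}
	return Finding{}, false
}

// AnalyzeLog runs both checks over every line and collects the findings in order.
func AnalyzeLog(lines []string) ([]Finding, error) {
	var findings []Finding
	for _, line := range lines {
		e, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		if f, ok := checkVSS(e); ok {
			findings = append(findings, f)
		}
		if f, ok := checkLogClear(e); ok {
			findings = append(findings, f)
		}
	}
	return findings, nil
}

// ClearedLogCount reports how many of Application/Security/System were wiped;
// all three together is the pattern the report describes.
func ClearedLogCount(findings []Finding) int {
	n := 0
	for _, f := range findings {
		if f.Name == "eventlog_cleared" {
			n++
		}
	}
	return n
}

// SampleLog is constructed telemetry: one VSS change, one unrelated service
// change, three log clears and one harmless wevtutil query.
var SampleLog = []string{
	`registry_set|HKLM\System\CurrentControlSet\services\VSS\Start|0x00000004`,
	`registry_set|HKLM\System\CurrentControlSet\services\Spooler\Start|0x00000004`,
	`process|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Application`,
	`process|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security`,
	`process|C:\Windows\System32\wevtutil.exe|wevtutil.exe clear-log System`,
	`process|C:\Windows\System32\wevtutil.exe|wevtutil.exe qe Security /c:5`,
}

func main() {
	findings, err := AnalyzeLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Name, f.Detail)
	}
	fmt.Println("logs cleared:", ClearedLogCount(findings))
}
```

On the sample input the program reports one VSS finding and three cleared logs; the Spooler change and the `qe` query produce nothing, which is the point of keying the checks on the exact value path and on the clear verbs rather than on the process name alone.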

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No / Tactics / Techniques and Sub-Techniques

1. TA0002: Execution
  • T1047: Windows Management Instrumentation
2. TA0005: Defense Evasion
  • T1006: Direct Volume Access
  • T1027: Obfuscated Files or Information
  • T1027.002: Obfuscated Files or Information: Software Packing
  • T1027.004: Obfuscated Files or Information: Compile After Delivery
  • T1036: Masquerading
  • T1112: Modify Registry
  • T1140: Deobfuscate/Decode Files or Information
  • T1222: File and Directory Permissions Modification
  • T1497.001: Virtualization/Sandbox Evasion: System Checks
  • T1620: Reflective Code Loading
3. TA0006: Credential Access
  • T1003: OS Credential Dumping
4. TA0007: Discovery
  • T1010: Application Window Discovery
  • T1012: Query Registry
  • T1033: System Owner/User Discovery
  • T1057: Process Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1087: Account Discovery
  • T1497.001: Virtualization/Sandbox Evasion: System Checks
  • T1518.001: Software Discovery: Security Software Discovery
  • T1614.001: System Location Discovery: System Language Discovery
5. TA0009: Collection
  • T1005: Data from Local System
  • T1115: Clipboard Data
  • T1119: Automated Collection
6. TA0011: Command and Control
  • T1071.001: Application Layer Protocol: Web Protocols
  • T1573: Encrypted Channel
7. TA0040: Impact
  • T1486: Data Encrypted for Impact

ETLM Assessment:
A threat actor on one of the underground hacking communities claims to have found out the phone number of one of the developers of Kasseika ransomware. However, it cannot be confirmed if this is actually the threat actor of interest or someone with a fake identity.


(Source: Underground forums)

CYFIRMA’s assessment, based on available information, suggests that Kasseika ransomware will likely continue evolving its techniques, including leveraging legitimate tools for malicious purposes and targeting organizations with sophisticated phishing tactics. Future variants may exploit vulnerabilities in system processes and security protocols. Organizations should prioritize robust cybersecurity measures and remain vigilant against emerging variants.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Sigma Rule

title: Suspect Svchost Activity
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|endswith: 'svchost.exe'
    Image|endswith: '\svchost.exe'
  filter:
    - ParentImage|endswith:
        - '\rpcnet.exe'
        - '\rpcnetp.exe'
    - CommandLine: null  # no CommandLine value available
  condition: selection and not filter
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Rpcnet.exe
level: high

(Source: Surface web)
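To make the rule's matching semantics concrete, the following Go program is an added example (not code from the report or from the Sigma project) that hard-codes the rule's selection and filter and evaluates "selection and not filter" against four constructed process_creation records. Field names follow the rule; the events, parent paths and command lines are made up, and the Sigma conventions reproduced are that map entries are ANDed, list entries are ORed, |endswith compares case-insensitively, and a null value matches an absent field.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcessEvent is a constructed process_creation record carrying the fields the
// rule references. A nil CommandLine models the "no CommandLine value available" case.
type ProcessEvent struct {
	Image       string
	CommandLine *string
	ParentImage string
}

// endsWith mirrors Sigma's |endswith modifier, which compares case-insensitively.
func endsWith(value, suffix string) bool {
	return strings.HasSuffix(strings.ToLower(value), strings.ToLower(suffix))
}

// selectionMatches: every key in a Sigma map must match (AND).
func selectionMatches(e ProcessEvent) bool {
	if e.CommandLine == nil {
		return false // an absent field cannot satisfy a value match
	}
	return endsWith(*e.CommandLine, "svchost.exe") && endsWith(e.Image, `\svchost.exe`)
}

// filterMatches: the filter is a YAML list, so any one item matching suffices (OR);
// the ParentImage item is itself a list of alternatives (OR), and the null item
// matches when the field is absent.
func filterMatches(e ProcessEvent) bool {
	parentAllowed := endsWith(e.ParentImage, `\rpcnet.exe`) || endsWith(e.ParentImage, `\rpcnetp.exe`)
	return parentAllowed || e.CommandLine == nil
}

// SuspectSvchost evaluates the rule's condition "selection and not filter".
func SuspectSvchost(e ProcessEvent) bool {
	return selectionMatches(e) && !filterMatches(e)
}

func str(s string) *string { return &s }

// SampleEvents are constructed records, not telemetry from the report.
func SampleEvents() []ProcessEvent {
	return []ProcessEvent{
		// svchost started with a bare command line by an unexpected parent: alert
		{Image: `C:\Windows\System32\svchost.exe`, CommandLine: str("svchost.exe"), ParentImage: `C:\Users\user\Downloads\setup.exe`},
		// same, but the parent is rpcnet.exe, the documented false positive: no alert
		{Image: `C:\Windows\System32\svchost.exe`, CommandLine: str("svchost.exe"), ParentImage: `C:\Program Files\rpcnet.exe`},
		// normal service host launched by services.exe with -k arguments: no alert
		{Image: `C:\Windows\System32\svchost.exe`, CommandLine: str(`C:\Windows\System32\svchost.exe -k netsvcs -p`), ParentImage: `C:\Windows\System32\services.exe`},
		// no command line recorded at all: the null filter suppresses it
		{Image: `C:\Windows\System32\svchost.exe`, CommandLine: nil, ParentImage: `C:\Windows\System32\services.exe`},
	}
}

// Evaluate applies the rule to each event and returns the verdicts in order.
func Evaluate(events []ProcessEvent) []bool {
	out := make([]bool, len(events))
	for i, e := range events {
		out[i] = SuspectSvchost(e)
	}
	return out
}

func main() {
	for i, hit := range Evaluate(SampleEvents()) {
		fmt.Printf("event %d: alert=%v\n", i+1, hit)
	}
}
```

Only the first event alerts. The third shows why the rule keys on CommandLine|endswith rather than Image alone: a legitimately launched svchost carries `-k` arguments, so its command line does not end in `svchost.exe`.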

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Backdoor
Objective: Remote Access, Espionage
Suspected Threat Actor: APT10
Target Technology: Windows OS
Target Industries: Media, Diplomacy, Public institutions, Defense, and Think tanks
Target Geography: Japan

Active Malware of the Week
This week “LODEINFO” is trending.

LODEINFO
LODEINFO is a fileless malware discovered in spear-phishing email campaigns since December 2019, primarily targeting Japanese media, diplomacy, public institutions, defense industries, and think tanks. Recently, a new version, v0.7.3, has been identified, indicating ongoing development. Security experts suspect the involvement of APT10 due to similarities in methods and malware. Attacks persist in 2023, with updated versions featuring new capabilities and anti-analysis techniques. The attackers seem focused on concealing their Tactics, Techniques, and Procedures (TTPs). Limited information on detection suggests that identifying LODEINFO is becoming more challenging, as only a few samples were found in 2023, and details of their analysis are not widely publicized.

Attack Method
LODEINFO initiates its infection through a malicious Word document (Maldoc), which eventually injects the malware into memory. In 2023, the VBA code within the Maldoc was updated to include Downloader Shellcodes for both 32-bit and 64-bit systems. This adaptation allows LODEINFO to select the appropriate shellcode based on the target environment. The shift to 64-bit architecture in Windows OS poses a challenge for organizations, and it is likely that LODEINFO has adjusted to this architecture change. The alterations in the infection flow occurred between versions v0.6.8 and v0.7.1 observed in 2023 or later.

Remote Template Injection
In LODEINFO v0.6.9, researchers discovered more complex instances of Remote Template Injection in the infection process. This technique involves opening a Word file that, through Remote Template Injection, downloads and reads the template from the attacker’s C2 server. The downloaded template serves as malware, similar to the Maldoc mentioned earlier, containing VBA code with embedded Downloader Shellcode that eventually calls the LODEINFO main body. This injection method makes detection challenging, as the Word file itself only reads the template, aiming to evade security product detection. To analyze the structure of the Word file using Remote Template Injection, researchers suggest checking the contents of the \word\_rels\settings.xml.rels file, revealing its design to read the template file from a specific URL (https[:]//45[.]76[.]222[.]130/template[.]dotm).

What is Remote Template Injection?
Microsoft Word includes a “template” feature, enabling users to create files based on templates from other users. When a Word file with an inserted template is opened, the template is downloaded from either a local or remote machine. Exploiting this feature, attackers can host a Word template file (.dotm) containing malicious Macros on their server. This allows the malicious template to be retrieved and executed from the attacker’s server each time a victim opens a Word file containing the template, creating a method for delivering and executing malicious content.
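Because the attached-template relationship lives in word/_rels/settings.xml.rels inside the document package, a defender can triage a .docx offline by reading that one part. The following Go program is an added example (not code from the report or from the researchers it cites) that builds a minimal OOXML package in memory, extracts the rels part and flags attachedTemplate relationships whose external target is a web URL; the relationship type and TargetMode attribute are the standard OOXML values, while the two sample rels documents and the https://attacker.example/ placeholder host are constructed and are not indicators from the report.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const relsPath = "word/_rels/settings.xml.rels"

// relationships mirrors the OOXML package relationships part.
type relationships struct {
	Rels []relationship `xml:"Relationship"`
}

type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr"`
}

// RemoteTemplates returns the targets of attachedTemplate relationships that
// point at a web URL. Local templates are also TargetMode="External" but use
// file:/// targets, so the scheme check is what separates the two.
func RemoteTemplates(relsXML []byte) ([]string, error) {
	var doc relationships
	if err := xml.Unmarshal(relsXML, &doc); err != nil {
		return nil, err
	}
	var hits []string
	for _, r := range doc.Rels {
		if !strings.HasSuffix(r.Type, "/attachedTemplate") || r.TargetMode != "External" {
			continue
		}
		t := strings.ToLower(r.Target)
		if strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") {
			hits = append(hits, r.Target)
		}
	}
	return hits, nil
}

func readEntry(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// ScanDocx opens an OOXML package held in memory and inspects the settings rels part.
// A package without that part has no attached template at all and yields no hits.
func ScanDocx(docx []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		if f.Name == relsPath {
			data, err := readEntry(f)
			if err != nil {
				return nil, err
			}
			return RemoteTemplates(data)
		}
	}
	return nil, nil
}

// BuildSampleDocx creates a minimal, constructed package containing only the rels part.
func BuildSampleDocx(rels string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create(relsPath)
	_, _ = w.Write([]byte(rels))
	_ = zw.Close()
	return buf.Bytes()
}

const relsHeader = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` + "\n" +
	`<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">`

const attachedTemplate = `http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate`

// Constructed samples: a benign local Normal.dotm and a remote template on a placeholder host.
const BenignRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplate +
	`" Target="file:///C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm" TargetMode="External"/></Relationships>`

const RemoteRels = relsHeader + `<Relationship Id="rId1" Type="` + attachedTemplate +
	`" Target="https://attacker.example/template.dotm" TargetMode="External"/></Relationships>`

func main() {
	for name, rels := range map[string]string{"benign": BenignRels, "remote": RemoteRels} {
		hits, err := ScanDocx(BuildSampleDocx(rels))
		fmt.Printf("%s: remote templates=%v err=%v\n", name, hits, err)
	}
}
```

Reading the rels part directly avoids opening the document in Word, which is what would trigger the template download in the first place.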

Maldoc
Researchers found that the VBA code embedded in the Maldoc includes both 64-bit and 32-bit Downloader Shellcodes. To determine the target device’s operating system architecture, the Macro checks and then executes the corresponding Downloader Shellcode. Each Shellcode is encoded using Base64 and fragmented into multiple parts, likely as a technique to avoid detection by security products. Upon Macro execution, the split parts are reassembled, and the Base64-decoded Shellcode is injected into memory.

Microsoft Office language check
In the v0.7.0 Maldoc of LODEINFO, code was implemented to check the language settings of Microsoft Office, specifically verifying if the Office setting is Japanese. This suggests the malware was designed to operate exclusively in the target language environment.

However, in v0.7.1, the attacker removed this language-checking feature and changed the filename of the Maldoc from Japanese to English. These alterations indicate that v0.7.1 was likely adapted for attacking environments in languages other than Japanese.

The Downloader Shellcode
In LODEINFO v0.7.1, the Downloader Shellcode functions as a simple malware that downloads and decrypts a file, posing as a PEM file (referred to as Fake PEM), from the C2 server. The decrypted data from the Fake PEM file is then used to create files infected with LODEINFO. The analysis focuses on the process of decrypting data from the Fake PEM file, as the Shellcode itself is described as a straightforward downloader.

What is a PEM file?
PEM stands for Privacy Enhanced Mail, serving as a file format for keys and certificates in public key infrastructure (PKI). Initially designed to enhance email security, PEM has become the standard for internet security. These files find applications in various settings, including web servers, email servers, and secure communication protocols like HTTPS.

Fake PEM file decryption
The Downloader Shellcode in LODEINFO retrieves the Fake PEM file from the C2 server and proceeds to decrypt it through the following steps:

  1. The header and footer of the Fake PEM file are removed.
  2. The data from step 1 is decoded using Base64.
  3. The first 3 bytes of the data decoded in step 2 are removed.
  4. An HMAC is generated using the SHA1 hash algorithm from the password hardcoded in the Downloader Shellcode.
  5. The HMAC generated in step 4 is used as the key for AES, and the data from step 3 is decrypted using AES.
  6. The data decrypted in step 5 is further decoded using a single-byte XOR key.
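The following Go program is an added example (not code from the report or from the researchers it cites) that carries the six-step pipeline through end to end, together with the inverse routine needed to construct a sample Fake PEM offline. The report does not state what the HMAC is computed over, which AES mode is used, or how the 20-byte SHA1 HMAC becomes an AES key, so the example assumes: the hard-coded password is the HMAC key, the three stripped prefix bytes are the HMAC message, the first 16 HMAC bytes form an AES-128 key, and AES runs in CBC mode with a zero IV and PKCS#7 padding. The password, XOR key and object names in the sample are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumptions not stated in the report: HMAC key = password, HMAC message = the
// three stripped prefix bytes, AES-128-CBC with a zero IV and PKCS#7 padding.
var zeroIV = make([]byte, aes.BlockSize)

// deriveKey is step 4: HMAC-SHA1 keyed with the hard-coded password, truncated to 16 bytes.
func deriveKey(password string, prefix []byte) []byte {
	mac := hmac.New(sha1.New, []byte(password))
	mac.Write(prefix)
	return mac.Sum(nil)[:16]
}

// xorBytes is step 6 (and its inverse): single-byte XOR over the whole buffer.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// stripPEMArmor is step 1: drop the BEGIN/END lines and join the Base64 body.
func stripPEMArmor(pem string) string {
	var body []string
	for _, line := range strings.Split(pem, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue
		}
		body = append(body, line)
	}
	return strings.Join(body, "")
}

// DecryptFakePEM follows the six steps described in the report.
func DecryptFakePEM(pem, password string, xorKey byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stripPEMArmor(pem)) // step 2
	if err != nil {
		return nil, err
	}
	if len(raw) < 3+aes.BlockSize {
		return nil, errors.New("fake PEM body too short")
	}
	prefix, ct := raw[:3], raw[3:] // step 3
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(deriveKey(password, prefix)) // step 4
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct) // step 5
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	return xorBytes(pt, xorKey), nil // step 6
}

// BuildFakePEM is the inverse pipeline, used only to construct a sample offline.
func BuildFakePEM(plain []byte, password string, xorKey byte, prefix [3]byte) string {
	block, _ := aes.NewCipher(deriveKey(password, prefix[:]))
	padded := pkcs7Pad(xorBytes(plain, xorKey))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	b64 := base64.StdEncoding.EncodeToString(append(prefix[:], ct...))
	return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
}

// Constructed sample values; the real password format is not reproduced here.
const SamplePassword = "example-hardcoded-password"
const SampleXORKey byte = 0x5A

var SamplePlain = []byte("Elze.exe\x00Frau.dll\x00Elze.exe_bak\x00")

func main() {
	pem := BuildFakePEM(SamplePlain, SamplePassword, SampleXORKey, [3]byte{0x01, 0x02, 0x03})
	out, err := DecryptFakePEM(pem, SamplePassword, SampleXORKey)
	fmt.Printf("decrypted: %q err=%v\n", out, err)
	_, err = DecryptFakePEM(pem, "wrong-password", SampleXORKey)
	fmt.Println("wrong password:", err)
}
```

The round trip shows why the report stresses the hard-coded password: without it the derived AES key is wrong, CBC decryption yields noise, and the padding check fails, so nothing downstream (the dropped Elze.exe, Frau.dll and Elze.exe_bak objects) can be recovered from a captured Fake PEM alone.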

What is HMAC (Hash-based Message Authentication Code)?
A code and technique for ensuring the integrity and authenticity of a message using a one-way hash function. It is widely used in secure communications where it is necessary to verify the sender of the data or that the data has not been tampered with in transit.

The investigated samples of LODEINFO contained hardcoded passwords in a specific format. The availability of this password is crucial for successfully decrypting subsequent data obtained from the Fake PEM file. If the password is not present, decrypting the subsequent data becomes extremely challenging.

Deployment of LODEINFO Backdoor Shellcode loaded into Memory
In the decryption process, the data is structured with unique objects, including Elze.exe, Frau.dll, and Elze.exe_bak. The Downloader Shellcode creates files for each object and installs them on the infected endpoint. Upon execution, Elze.exe, a legitimate file, loads the malicious Frau.dll using DLL side-loading. Frau.dll acts as a simple malware, loading the LODEINFO Backdoor Shellcode as a payload into memory.

Versions v0.6.6, v0.6.8, and v0.6.9 employ strengthened obfuscation techniques such as Control-Flow Flattening (CFF) and junk code. This complicates the program flow: a significant portion of the code is dedicated to CFF and junk code, while only a small portion contains actual malicious code. This indicates the attacker's emphasis on hindering analysis efforts.

Lastly, the Elze.exe_bak file, containing the LODEINFO Backdoor Shellcode encoded with a single-byte XOR, is read by Frau.dll and decoded, serving as a payload.

LODEINFO Backdoor Shellcode
LODEINFO Backdoor Shellcode is a fileless malware that enables remote access and control over infected hosts. Its notable features are:

  • The C2 server address uses a unique data structure.
  • A mechanism that refers to the address of the embedded data is characteristic.
  • The Backdoor Command ID is hidden using 2-bytes XOR.
  • The structure and encryption of the communication data with the C2 server are very complex, as shown in the figure below.
  • The above encryption uses the Vigenere cipher multiple times.

Researchers analysed multiple LODEINFO samples found in 2023 and identified two key differences.

  • A change in the hash calculation algorithm for obtaining API function names.
  • Additions to the backdoor commands.

Change 1: Change in the hash calculation algorithm for obtaining API function names.
In version v0.7.0, a new hash calculation algorithm is employed compared to v0.6.9. This alteration renders the matching of signatures using previous rules impossible. The hash calculation algorithm is crucial for the malware to compute the hash of API function names and resolve function addresses. The algorithm incorporates a hard-coded XOR key unique to each sample, used for XOR decoding. Consequently, the hash values embedded in each sample differ due to this key variation.

Change 2: Additions to backdoor commands
LODEINFO incorporates various backdoor commands to control infected hosts. In version v0.6.5, the number of commands was reduced to 11, but in v0.7.1, 6 commands were reinstated, and a new command, “runas,” was added, resulting in a total of 18 commands. Notably, four commands (keylog, ps, pkill, autorun) that were removed in v0.7.2 and v0.7.3 have been restored. Additionally, the content of the “config” command, previously displaying “Not Available,” has now been implemented.

INSIGHTS

  • LODEINFO malware showcases a high level of sophistication through its continuous evolution, targeting specific sectors such as Japanese media and defense industries. Employing advanced techniques like Remote Template Injection, unique hash calculation algorithms, and obfuscation methods, LODEINFO operates as a fileless malware, making detection challenging.
  • The inclusion of a diverse set of backdoor commands for remote control, the adaptation of attack strategies, and efforts to impede analysis demonstrate the malware’s persistence and the attacker’s commitment to evading security measures. As it targets critical sectors and adapts rapidly, organizations must stay vigilant and leverage updated cybersecurity practices to counter this evolving threat.
  • Researchers, through analysis, identified three similarities between the Downloader Shellcode and the known downloader DOWNIISSA. These shared features include a self-patching mechanism for concealing malicious code, a common encoding method for C2 server information, and a similar structure in the data decrypted from the Fake PEM file. Despite these commonalities, researchers conclude that DOWNIISSA and the analyzed Downloader Shellcode belong to distinct malware families due to differences in their overall structures.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the evolving sophistication of malware, exemplified by LODEINFO and its variants, presents a growing challenge for organizations. Those dependent on Windows OS may encounter heightened difficulties in detecting and preventing these advanced threats, potentially resulting in breaches, and compromised security. Future variants of LODEINFO could expand to target other industries or geographic regions, broadening the impact on organizations and their employees. The commitment to ongoing research and the development of countermeasures will be imperative in adapting to the evolving tactics of LODEINFO and similar advanced threats in the future.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Actively monitor the infrastructure for potential exploitation attempts and respond accordingly.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Regularly reinforce awareness of unauthorized attempts with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Deploy anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Black Basta Ransomware | Malware – LODEINFO
  • Black Basta Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – LODEINFO
  • Behaviour – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Navigating the Cybersecurity Landscape: Insights and Responses to Recent APT29 Attacks

  • Threat Actors: Midnight Blizzard aka APT29
  • Attack Type: Password spray
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: USA and Europe
  • Target Industries: Governments, NGOs, and Information Technology
  • Business Impact: Data Loss, Data exfiltration

Summary:
In a recent observation, the Microsoft security team detected an incident on their corporate systems on January 12, 2024. Researchers identified the threat actor as the Russian state-sponsored threat group APT29, also known as Midnight Blizzard; the campaign had started in late November 2023. This revelation follows a similar acknowledgment by IT service providers of falling victim to an attack orchestrated by the same hacking crew, known by aliases such as BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

APT29’s primary targets include governments, diplomatic entities, NGOs, and IT service providers in the U.S. and Europe in the campaign. The group’s strategic objectives involve prolonged, undetected access to gather sensitive information for Russia. Researchers note that the scope of APT29’s campaign may be more extensive than initially thought, although specific entities affected by the recent wave of attacks have not been disclosed.

One significant tactic employed by APT29 is the manipulation of OAuth applications. Breached user accounts are used to create, modify, and grant high permissions to these applications, ensuring sustained access even if the initial account is compromised. This approach facilitates lateral movement across cloud infrastructures and supports post-compromise activities, such as email collection.

In November 2023, APT29 utilized a password spray attack to infiltrate a legacy, non-production test tenant account lacking multi-factor authentication (MFA) at Microsoft. The threat actors then exploited their initial access to compromise a legacy test OAuth application, subsequently creating additional malicious OAuth applications. By granting these applications the Office 365 Exchange Online full_access_as_app role, the attackers obtained access to mailboxes within the Microsoft corporate environment. To obfuscate their activities and make detection challenging, APT29 used a distributed residential proxy infrastructure. This network allowed them to interact with the compromised tenant and Exchange Online through a vast array of IP addresses shared with legitimate users.

In a recent disclosure, Microsoft emphasized the urgency for organizations to enhance their defensive measures against the sophisticated tactics employed by APT29, particularly focusing on mitigating the risks associated with rogue OAuth applications and password spraying. This incident underscores the evolving and persistent nature of nation-state cyber threats and the need for continuous vigilance and adaptive cybersecurity strategies.

Relevancy & Insights:
Midnight Blizzard, also known as APT29 and associated with the Russian Foreign Intelligence Service (SVR), has recently broadened its strategic focus to target organizations influencing NATO countries' foreign policies. In the past, Iranian hackers have utilized password spray attacks for initial access, and it now appears to be a common tactic among various threat actors. This adaptation showcases Midnight Blizzard's agility and indicates potential cross-pollination of cyber tactics among state-sponsored threat groups.

ETLM Assessment:
A nation-state attack by Midnight Blizzard, also known as APT29, linked to the Russian Foreign Intelligence Service (SVR), demands a closer look at managing external threats. This strategic threat actor is targeting organizations shaping NATO countries’ foreign policies, spanning sectors like education, energy, and government. Their use of password spray attacks is a concerning trend seen in multiple threat actors. This highlights the importance of companies bolstering defences against password attacks. For guidance, check out our Recommendations section to stay ahead of evolving threats posed by sophisticated actors like APT29.

Recommendations:

  • Enforce MFA across all user accounts to add an additional layer of security, making it significantly harder for threat actors to compromise accounts through password-based attacks.
  • Ensure that all systems and software are kept up to date with the latest security patches. Consistently applying patches helps eliminate vulnerabilities that threat actors may exploit.
  • Scrutinize OAuth applications for any suspicious activities or unauthorized modifications. Establish a robust monitoring system to promptly detect and respond to any anomalies related to application permissions and usage.
  • Perform routine security audits and assessments to identify potential weaknesses in the network, applications, and configurations. Regular testing helps in proactively addressing vulnerabilities before they can be exploited.

Major Geopolitical Developments in Cybersecurity

Ukrainian infrastructure hit by Russia, researchers warn against Russian operations
Four Ukrainian state-owned critical infrastructure companies were hit by disruptive cyberattacks, including an energy company, the postal service and other logistical agencies. The attacks targeted Ukraine’s largest state-owned oil and gas company, Naftogaz; the country’s national postal service provider, Ukrposhta; the transport safety organization DSBT; and Ukraine’s state railway, Ukrzaliznytsia. It remains uncertain whether these attacks are linked, and the identities of those responsible remain unclear. A Russian group of cyber volunteers known as the National Cyber Army has claimed responsibility for the attack on DSBT’s system, yet they have not made any mention of targeting the other services.

ETLM Assessment:
The logistics industry and other parts of infrastructure confront substantial risks from advanced threat actors. Data we have recently published on the industry reveals a consistent pattern of attacks, with a clear emphasis on developed economies and major global logistics hubs. A correlation between the current geopolitical landscape and the most targeted countries remains evident. Moreover, Russia seems to be increasingly employing privateering actors, motivated by financial gain, to distance Moscow from the resulting global food insecurity. Such a trend is expected to continue as privateers are offered ever more leniency: in the eyes of the Kremlin, the more global instability, the more attention is deflected from its persecution of Ukraine, with fewer resources available to oppose it.

US government disrupts Chinese hacking operation
The US Justice Department and FBI have recently claimed that, in a joint operation, the agencies disabled portions of a network of compromised devices that were being used by the China-linked threat actor to target US critical infrastructure. The hacking group had been forming a botnet by compromising vulnerable devices, including routers, modems, and IoT devices, in order to hide later intrusions into sensitive targets.

ETLM Assessment:
According to analysts, Volt Typhoon has been conducting battlespace preparation by staging potentially disruptive attacks. Volt Typhoon (also known as Vanguard Panda) was not focusing on the quiet intelligence collection and theft of secrets that has been the norm for most other Chinese threat actors. This actor has been probing sensitive critical infrastructure in the U.S. and on the U.S. dependency of Guam (the closest U.S. territory to Taiwan) so it could position itself to disrupt major services if, and when, the order comes down in case of confrontation between China and the U.S., most likely in case of attack on Taiwan.

Rise in Malware/Ransomware and Phishing

The Black Basta Ransomware impacts Sipi Corporation

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: Black Basta Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United States of America (www[.]sipicorp[.]com) was compromised by Black Basta Ransomware. Sipi Metals Corporation is a metal supplier, with services ranging from precious metals refining to copper alloys to IT asset disposition. Sipi operates in four key lines of business: Precious Metals, Engineered Alloys, Enterprise IT Asset Disposition, and Secure Data Destruction. The compromised data encompasses users’ personal folders, sensitive accounting files, corporate documents, and various confidential information. The entirety of the compromised data is substantial, amounting to 145 gigabytes in size.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • A recent investigation into the Black Basta ransomware group has uncovered that the group amassed at least $107 million in ransom payments from over 90 victims since April 2022. Black Basta operates as a Russia-linked ransomware-as-a-service (RaaS) operation, recruiting affiliates to carry out ransomware attacks in exchange for a share of the profits. The group emerged following the shutdown of the notorious Conti ransomware operation in June 2022, with its members branching into several smaller groups, one of which is believed to be Black Basta. This underscores the increased prominence and activity of Black Basta since April 2022.
  • Since September 2023, a threat actor linked to Black Basta ransomware attacks has been employing a new loader reminiscent of the resilient Qakbot, as part of a broad phishing campaign. This campaign aims to infiltrate organizational networks for subsequent malicious actions.
  • The Black Basta ransomware group primarily targets countries such as the United States of America, the United Kingdom, Canada, Germany, and Italy.
  • The Black Basta ransomware group primarily targets industries including Specialized Business Support Services, Heavy Construction, Building Materials and Fixtures, Industrial Machinery, and Delivery Services.
  • Based on the Black Basta Ransomware victims list from 1 Jan 2023 to 31 Jan 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Black Basta Ransomware from 1 Jan 2023 to 31 Jan 2024 are as follows:

ETLM Assessment:
CYFIRMA assesses that Black Basta Ransomware will continue to focus on American businesses and related entities that hold significant amounts of Personally Identifiable Information (PII), financial information, or other sensitive data. The recent assault on Sipi Corporation underscores the dangers posed by Black Basta Ransomware to companies in advanced economies.

Vulnerabilities and Exploits

Vulnerability in SystemK NVR 504/508/516

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Hardware solutions / Firmware
  • Vulnerability: CVE-2023-7227 (CVSS Base Score 9.8)
  • Vulnerability Type: Command injection
  • Patch: Not available
  • Public exploit: Available

Summary:
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

Relevancy & Insights:
The vulnerability exists due to improper input validation in the dynamic domain name system (DDNS) settings. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.

Impact:
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Affected Products: https[:]//www[.]cisa[.]gov/news-events/ics-advisories/icsa-24-025-02

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
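The root cause described above, configuration input reaching a command interpreter without validation, is a class of defect rather than something unique to this device. The snippet below is an added illustration of that class and its fix, not SystemK's firmware code: the `ddns-client` program name is a placeholder, and the hostnames are constructed examples.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen.  The whole name may be at most 253 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Strict allowlist check for a DDNS hostname taken from a settings form."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ddns_command_unsafe(hostname: str) -> str:
    # The defect pattern: caller-controlled text spliced into one shell string.
    # Anything the shell treats as a metacharacter becomes part of the command
    # line, so the settings field is effectively a command prompt.
    return f"ddns-client --host {hostname}"  # placeholder tool name


def build_ddns_command_safe(hostname: str) -> list[str]:
    # Hardened form: reject anything outside the hostname grammar, then pass
    # the value as a discrete argv element so no shell ever parses it
    # (run with subprocess.run(argv), never shell=True).
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected DDNS hostname: {hostname!r}")
    return ["ddns-client", "--host", hostname]  # placeholder tool name
```

The allowlist is the important half: even with argv-style execution, a validator that only strips a few known characters will eventually meet one it did not list.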

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Akira claims major ransomware attack on British cosmetics retailer Lush

  • Threat Actors: Akira
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: UK and Ireland
  • Target Industry: Retail
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Major British cosmetics retailer Lush was claimed to have been compromised by the Akira ransomware operation. More than 100 GB of data was exfiltrated from Lush, including employees’ documents, such as passport scans, as well as files about the company’s projects, finances, taxes, accounting, and clients, according to Akira ransomware. On January 11, Lush announced that it was addressing a cybersecurity issue impacting its facilities in the UK and Ireland. The renowned company, known for its beauty and personal care products available in 49 countries worldwide, refrained from disclosing the specifics of the incident at that time. A representative from Lush stated that the company enlisted external cybersecurity experts to carry out a comprehensive investigation aimed at understanding the nature and extent of the cyber-attack. However, Lush refrained from commenting on whether the incident affected its production facilities in Europe, Japan, and Australia.

Relevancy & Insights:
Akira ransomware operations were initiated in March 2023. The actor gained attention due to the ‘retro aesthetic’ applied to their DLS (Data Leak Site) and messaging. The group is known to require outrageous ransom payments, reaching hundreds of millions of dollars. The attackers pinpointed and targeted organizations with vulnerable internet-facing Cisco ASA or FTD devices and found and wiped target organizations’ backups before deploying the ransomware.

ETLM Assessment:
The Akira attackers display a lack of discrimination in their victimology, extending beyond targeting only large enterprises. As of the latest information, educational institutions, along with entities in the financial, manufacturing, real estate, and medical sectors, have all fallen prey to Akira attackers. According to ongoing assessments by CYFIRMA, there is a notable likelihood that Akira will continue its endeavors to compromise companies on a global scale, with the primary goal of securing substantial financial gains through its ransomware activities.

Data Leaks

Ministry of Economy and Finance, Republic of Mozambique Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Government
  • Target Geography: Republic of Mozambique
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data sale related to the Ministry of Economy and Finance, Republic of Mozambique, {www[.]Mef[.]gov[.]mz}. The Ministry of Economy and Finance of the Republic of Mozambique plays a vital role in driving economic growth, promoting financial stability, and advancing the overall well-being of the country’s citizens. Through effective policy formulation, prudent financial management, and strategic partnerships, the ministry strives to create an enabling environment for sustainable development and prosperity. The data available for sale comprises a comprehensive set of user information stored in SQL format. It includes sensitive details, such as user IDs, unique identifiers (UIDs), codes, last update timestamps, creation timestamps, surnames, first names, email addresses, phone numbers, job titles, introductions, gender identities, birthdays, nationalities, employer details, educational backgrounds, and other confidential information. This dataset is substantial, with an initial uncompressed size of 36.2 gigabytes (GB).

Source: Underground forums

Relevancy & Insights:
Opportunistic cybercriminals, driven by financial motives, are perpetually scouring the internet for exposed and vulnerable systems and applications. This breed of attackers predominantly operates within underground forums, engaging in discussions related to the trade of stolen digital assets. Unlike ransomware or extortion groups, who tend to publicize their attacks, these cybercriminals prefer to operate discreetly. They clandestinely infiltrate systems and pilfer valuable data by exploiting unpatched software or vulnerabilities within applications and systems.

Once the data is illicitly obtained, these cybercriminals advertise it for sale within underground forums. Subsequently, the stolen data may be resold or repurposed by other malicious actors for their own nefarious activities. This cycle perpetuates the underground economy of cybercrime, facilitating the exchange of stolen information and fuelling further illicit endeavors.

ETLM Assessment:
CatDox, an emerging threat actor primarily motivated by financial gains, is actively selling breached data. This data for sale encompasses Personally Identifiable Information (PII), financial data, and other sensitive information. According to CYFIRMA’s assessment, organizations in the Republic of Mozambique that lack adequate security measures are pinpointed as potential targets for this particular threat actor.

Other Observations

CYFIRMA Research team observed a potential data leak related to BeatBase, {www[.]Beatbase[.]com}. BeatBase is a comprehensive ticketing and event management solution for the niche electronic music industry. The compromised data consists of various sensitive information, including user IDs, email addresses, first names, last names, encrypted passwords, roles, and other account details. The total size of the compromised data is 677 megabytes (MB).

Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events; communicate anomalies in a timely manner and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.