Self Assessment

Weekly Intelligence Report – 03 Mar 2023

Published On : 2023-03-03
Share :
Weekly Intelligence Report – 03 Mar 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rouge Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), Smishing, Malvertising, USB as an Attack Vector
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – BlackCat Ransomware | Malware – PureCrypter
  • BlackCat Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – PureCrypter
  • Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

A new Threat Actor named UAC-0050 aka UAC-0096 attacked the Ukrainian government.

  • Suspected Threat Actors: UAC-0050
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: Ukraine
  • Target Industries: Public Sector
  • Business Impact: Data Theft, Operational Disruption

Summary:
Ukrainian CERT detected a new threat actor targeting the Ukrainian government. The threat actor disguised as Pechersk District Court of the city of Kyiv with the subject “Pechersk District Court of the City of Kyiv” and an attachment of .RAR file. The .RAR archive contained a text document with the name “access code 3527 .txt” and a password protected RAR archive “electronic court request No. 7836071.rar”, which contained an executable file “electronic court request No. 7836071.pdf.exe” with a size of 688MB with a forged digital signature. The executable file is a stub built by Remcos remote administration tool. Upon executing the malicious .exe file the threat actor will gain full access to the victim’s machine and let the attacker surveillance in the victim’s machine.

Insights:
It’s been a year since the war between Russia and Ukraine broke out. The first stage of the attack was a cyber-attack on Ukraine by Russian state-sponsored hacking groups. The attack led to the disruption of various strategic assets. Till today the attack on delicate institutions and assets hasn’t stopped.

Major Geopolitical Developments in Cybersecurity

CISA advises increased vigilance on the Ukraine war anniversary

The US Cybersecurity and Infrastructure Security Agency (CISA) advised all organizations to stay alert for renewed, more intense Russian cyberattacks as the war Russia wages against Ukraine enters its second year. According to the organization’s press release, CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord around the anniversary of Russia’s 2022 invasion of Ukraine. The agency urged organizations and individuals to increase their cyber vigilance in response to this potential threat and drew particular attention to the threat of DDoS Attacks.

EU agencies warn of Chinese APT actors

The European Union Agency for Cybersecurity (ENISA) and the EU Computer Emergency Response Team (CERT-EU) warned that several Chinese state-sponsored hacking groups are targeting businesses and government organizations in the EU. The joint advisory said that the threat actors were observed conducting malicious cyber activities against businesses and governments in the Union. The Chinese APTs that were named in the report include Emissary Panda, APT 30, Zirconium, Mirage, Gallium, and Mustang Panda. The two cyber agencies stated that the attackers frequently used the invasion of Ukraine and its effect on EU businesses as a hook in phishing attempts. The joint statement called for European organizations to focus on increasing access controls, hardening software products and highly privileged accounts, and using highly secure passwords and multi-factor authentication on all accounts. The advisory comes a week after the FBI warned U.S. secretaries of state about the growing threat of Chinese hacking operations against state government networks.

Russia to launch a new internet surveillance system in 2023

Moscow plans to roll out a new internet surveillance system, dubbed Vepr, the Russian word for boar, later this year, according to the state media outlet TASS. Roskomnadzor, the Russian telecommunications regulator, has been working on the system since early 2022. Analysts post that the Russian government is increasingly trying to insulate its citizens from the free distribution of information, which could put its hazardous foreign policies and domestic repression in the wrong light, thus trying to recreate the totalitarian state monopoly on the distribution of information in the country as in the times of the Soviet Union.

While the government claims the system will not be used to take down content, but only to act as an early-warning system for mass social events, the inspiration in the Chinese censorship model is apparent. The Kremlin has ramped up its automated online censorship programs since the invasion of Ukraine in February 2022, and earlier this month launched the Oculus surveillance system, designed to scan images and text on the internet to search for dissenting users.

Other Observations

CYFIRMA Research team observed that American TV giant and satellite broadcast provider; Dish Network has mysteriously gone offline, with its websites and apps ceasing to function, due to a ransomware attack.


Source: Telegram

The Team also observed a potential data leak related to www[.]pajak[.]go[.]id – The Directorate General of Taxes (Indonesian: Direktorat Jenderal Pajak; also known as DJP) is an Indonesian government agency under the Ministry of Finance, which has the task of formulating and implementing taxation policies and technical standardization in the field of taxation. This data leak contains 34 files on 66 MB of compressed data.


Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.