Self Assessment

Weekly Intelligence Report – 03 May 2024

Published On : 2024-05-03
Share :
Weekly Intelligence Report – 03 May 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found new Crocodile Smile ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Crocodile Smile ransomware
The Crocodile Smile ransomware was uncovered by researchers by the end of April 2024. This malicious software functions by encrypting data and requesting ransoms for decryption. Files affected by it had their names extended with a “.CrocodileSmile” suffix. After completing this encryption process, Crocodile Smile alters the desktop wallpaper and generates a ransom note titled “READ_SOLUTION.txt”.

Screenshot of files encrypted by ransomware (Source: Surface Web)

From Crocodile Smile’s message, it becomes evident that this ransomware is aimed at larger entities rather than individual home users.
The Ransom message indicates that the victim’s files have been encrypted and their sensitive data has been stolen. The victim is directed to pay more than 20 BTC to decrypt their files and prevent the attackers from leaking the exfiltrated data.

Screenshot of Crocodile Smile ransomware’s text file (“READ_SOLUTION.txt”): (Source: Surface Web)

Screenshot of Crocodile Smile desktop wallpaper (Source: Surface Web)

There’s a possibility that multiple variants of this ransomware are circulating in the wild. The following ransom note from another variant of this ransomware will provide evidence of this.

Ransom note (“READ_SOLUTION.txt”) delivered by another variant of Crocodile Smile ransomware

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1053: Scheduled Task/Job
2 TA0003: Persistence T1053: Scheduled Task/Job
T1176: Browser Extensions
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3 TA0004: Privilege Escalation T1053: Scheduled Task/Job
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1036: Masquerading
T1070.004: Indicator Removal: File Deletion
T1112: Modify Registry
T1140: Deobfuscate/Decode Files or Information
T1222: File and Directory Permissions Modification
T1497: Virtualization/Sandbox Evasion
T1562.001: Impair Defenses: Disable or Modify Tools
5 TA0006: Credential Access T1003: OS Credential Dumping
6 TA0007: Discovery T1010: Application Window Discovery
T1012: Query Registry
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
7 TA0009: Collection T1005: Data from Local System
T1115: Clipboard Data
T1119: Automated Collection
T1185: Browser Session Hijacking
8 TA0040: Impact T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware deletes the file “C:\$SysReset\Logs\Timestamp.xml”, this hampers the system’s ability to track events or diagnostics, impairing its capability to actively monitor and record system-related activities.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
  • The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

ETLM Assessment:
CYFIRMA’s assessment, based on available information, suggests that Crocodile Smile ransomware, with its demand for more than 20 bitcoins, is likely to target economically developed nations located in Europe, East Asia, South-East Asia, and the US, where organizations are more capable of meeting such demands. This reflects a deliberate strategy aimed at entities capable of fulfilling substantial ransom demands. Furthermore, the ransomware is anticipated to persistently target Windows OS, utilizing sophisticated evasion tactics and persistence methods. This will likely result in heightened encryption complexity and system disruption, posing considerable challenges to detection and recovery efforts across various industries. Vigilance and strong cybersecurity measures are essential to mitigate these threats effectively.

Sigma Rule
title: System File Execution Location Anomaly
tags:
– attack.defense_evasion
– attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
– ‘\svchost.exe’
– ‘\rundll32.exe’
– ‘\services.exe’
– ‘\powershell.exe’
– ‘\powershell_ise.exe’
– ‘\pwsh.exe’
– ‘\regsvr32.exe’
– ‘\spoolsv.exe’
– ‘\lsass.exe’
– ‘\smss.exe’
– ‘\csrss.exe’
– ‘\conhost.exe’
– ‘\wininit.exe’
– ‘\lsm.exe’
– ‘\winlogon.exe’
– ‘\explorer.exe’
– ‘\taskhost.exe’
– ‘\Taskmgr.exe’
– ‘\sihost.exe’
– ‘\RuntimeBroker.exe’
– ‘\smartscreen.exe’
– ‘\dllhost.exe’
– ‘\audiodg.exe’
– ‘\wlanext.exe’
– ‘\dashost.exe’
– ‘\schtasks.exe’
– ‘\cscript.exe’
– ‘\wscript.exe’
– ‘\wsl.exe’
– ‘\bitsadmin.exe’
– ‘\atbroker.exe’
– ‘\bcdedit.exe’
– ‘\certutil.exe’
– ‘\certreq.exe’
– ‘\cmstp.exe’
– ‘\consent.exe’
– ‘\defrag.exe’
– ‘\dism.exe’
– ‘\dllhst3g.exe’
– ‘\eventvwr.exe’
– ‘\msiexec.exe’
– ‘\runonce.exe’
– ‘\winver.exe’
– ‘\logonui.exe’
– ‘\userinit.exe’
– ‘\dwm.exe’
– ‘\LsaIso.exe’
– ‘\ntoskrnl.exe’
# The below processes were seen used by Lazarus Group – https://asec.ahnlab.com/en/39828/
– ‘\wsmprovhost.exe’
– ‘\dfrgui.exe’
filter_generic:
– Image|startswith:
– ‘C:\Windows\System32\’
– ‘C:\Windows\SysWOW64\’
– ‘C:\Windows\WinSxS\’
# – ‘C:\avast! sandbox’
– Image|contains: ‘\SystemRoot\System32\’
– Image:
– ‘C:\Windows\explorer.exe’
– ‘C:\Program Files\PowerShell\7\pwsh.exe’
– ‘C:\Program Files\PowerShell\7-preview\pwsh.exe’
filter_wsl_windowsapps:
Image|startswith: ‘C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux’
Image|endswith: ‘\wsl.exe’
condition: selection and not 1 of filter_*
fields:
– ComputerName
– User
– Image
falsepositives:
– Exotic software
level: high

(Source: Surface web)

STRATEGIC RECOMMENDATION

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority. 
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Trojan
Objective: Espionage, Credentials Stealing, Device Takeover and Remote Access
Threat Actor: Baron Samedit
Target Technology: Android OS
Target Industries: Banks

Active Malware of the Week
This week “Brokewell” is trending.

Brokewell
Researchers have identified a new Android banking trojan called Brokewell, capable of recording all device activities such as touches, displayed information, text input, and launched applications. The malware is delivered through a fake Google Chrome update that is shown while using the web browser. Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. Additionally, Researchers have identified that the Brokewell malware was developed by an individual known as “Baron Samedit.” Brokewell is actively evolving, with frequent additions of new commands by its developers.

Baron Samedit
The developer behind Brokewell, identified as Baron Samedit, previously sold tools for checking stolen accounts to cybercriminals across different services for at least two years. Transitioning into mobile malware, Baron Samedit released the “Brokewell Android Loader,” reflecting the rising interest in mobile threats among cybercriminals. Additionally, a server used as a command and control (C2) for Brokewell hosted the “Brokewell Cyber Labs” repository, featuring the source code for the Brokewell Android Loader. This repository underscores cybercriminals’ efforts to professionalize illegal activities, exemplified by the landing page of “Brokewell Cyber Labs,” where various malicious products, including mobile threats, are advertised.

Attack Method
Researchers uncovered a deceptive tactic involving a fake browser update page aimed at tricking users into installing an Android application. This tactic initially appeared ordinary, resembling typical methods used by cybercriminals to entice victims into downloading malware. The fake update page convincingly presents itself as a legitimate browser update, blending seamlessly into normal browsing activity to deceive unsuspecting users.

Upon analysis, it was discovered that the downloaded application is a new malware variant with extensive functionalities. Additionally, further investigation revealed previous campaigns conducted by this malware family, which targeted a popular “buy now, pay later” financial service and an Austrian digital authentication application.

Features of Brokewell Banking Malware
Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware.

Stealing data: Monitoring Everything
Brokewell employs overlay attacks, a common tactic used by Android banking malware, by displaying a fake screen over targeted apps to capture user credentials. It also steals cookies through its own WebView, intercepting the legitimate website’s login process, dumping session cookies, and transmitting them to its command-and-control server (C2). Brokewell includes “accessibility logging” to record all device events such as touches, swipes, displayed information, text input, and opened applications. This data is transmitted to a command-and-control server, enabling the theft of confidential information entered or viewed on the compromised device. Brokewell’s broad logging capability poses a risk to all installed applications on the device. Additionally, this malware acts as spyware, gathering device details, call history, geolocation data, and even recording audio.

Device Takeover via Remote Control Capabilities
After obtaining credentials, attackers can launch a Device Takeover attack using Brokewell’s remote control features. This includes screen streaming and allows the attacker to execute actions on the compromised device, such as touches, swipes, and clicks on specific elements. The malware offers a set of commands for remote control operations. Below are some of the commands utilized by the malware:

These commands demonstrate that attackers have complete control over the infected device, enabling them to act on behalf of the victim. These capabilities could be extended in the future by automating actions to enhance the Device Takeover attack, potentially leading to the development of a functional Automated Transfer System (ATS).

INSIGHTS

  • The Brokewell Android Banking Trojan represents a significant threat to mobile banking security with its advanced features like screen recording, overlay attacks, and keylogging. While the current version is in its early development phase, it’s crucial to anticipate future iterations that will likely introduce more sophisticated capabilities and target new sectors. Expect increased promotion of Brokewell on underground forums and updates on the developer’s portal, highlighting the dynamic and evolving nature of this evolving threat.
  • The discovery of Brokewell, a new malware designed with Device Takeover capabilities, highlights a concerning trend in cybercrime. This development reflects a growing demand among cybercriminals for tools that enable direct fraud on victims’ devices, bypassing traditional fraud detection methods that rely on device identification or fingerprinting. Brokewell’s capabilities pose a significant challenge to cybersecurity professionals, underscoring the need for innovative approaches to detect and mitigate threats targeting mobile devices.
  • Brokewell demonstrates its sophistication as banking malware by executing a diverse array of commands on compromised systems, particularly focusing on harvesting login credentials from financial apps and gathering internet cookies. The frequent updates to Brokewell highlight the dynamic nature of malware development, with developers continuously refining their software to evade detection and enhance malicious capabilities.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the widespread adoption of online mobile banking has revolutionized user convenience in conducting financial transactions, but it has also opened doors for cybercriminals to exploit vulnerabilities and trick users into downloading malicious apps. The Brokewell malware specifically targets individuals heavily reliant on mobile banking, posing a severe threat to financial security within the banking sector. The widespread adoption of mobile banking, particularly in regions such as developed countries in Europe and America, as well as developing countries in regions like East Asia and Southeast Asia with large user bases, makes them more susceptible to banking malware like Brokewell. As digital banking becomes more widespread in these regions, the threat of cyber-attacks targeting a broader audience continues to grow. It’s crucial for individuals and organizations to prioritize cybersecurity measures to safeguard against these risks and ensure the security of financial transactions and sensitive information.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATION

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATION

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear-phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Ransomhouse Ransomware, Cactus Ransomware | Malware – Brokewell
  • RansomHouse Ransomware – One of the ransomware groups.
  • Cactus Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Brokewell
  • Behaviour –Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Escalating Cyber Threats: Pakistani APTs Target Indian Government Entities

  • Threat Actors: APT36
  • Attack Type: Spear-phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: India
  • Target Industries: Government & Défense sectors
  • Business Impact: Data Loss, Data exfiltration

Summary:
The cyberattacks on Indian government entities were orchestrated by Pakistan-linked APT groups, including SideCopy and Transparent Tribe (APT36). These groups employed sophisticated tactics, such as spear-phishing campaigns, to gain access to target systems.

The attackers initiated their operations through sophisticated spear-phishing campaigns, utilizing archive files with double extensions to deceive victims. Upon opening these files, the MSHTA process executed a remote HTA file hosted on compromised domains. These HTA files contained encoded DLLs and decoy files.

The DLLs, once executed in memory, dropped decoy files and downloaded additional HTA files from the compromised domain. These files contained EXE and DLL files, which were decoded and dropped into the public directory, allowing for further malicious activities.

The final payloads deployed were AllaKore RAT for SideCopy and Crimson RAT for Transparent Tribe. These RATs connected to command-and-control (C2) servers using different port numbers, maintaining communication through ping-pong commands to ensure the connection was active.

The attacks resulted in significant disruptions to targeted entities, potential data theft, and the compromise of sensitive information. The infrastructure and C2 servers used in the attacks showed similarities, attributing them to SideCopy and Transparent Tribe with high confidence. The attacks underscore the importance of enhanced cybersecurity measures and proactive defence strategies to mitigate the growing cyber threats posed by APT groups in the region.

Relevancy & Insights:
Transparent Tribe, also known as APT36, suspected to be based in Pakistan, has been active since at least 2013. Primarily targeting diplomatic, defence, and research organizations in India, their sophisticated cyberattacks pose significant threats to national security. In parallel, there has been a noticeable surge in the trade of access to Indian entities, encompassing both governmental and corporate sectors, facilitated by initial access brokers within underground forums. This trend coincides with a rise in high-profile ransomware incidents. In response, Indian cybersecurity forces are urged to bolster their defences by updating security protocols, conducting regular system checks, and providing personnel with comprehensive training to effectively recognize and respond to evolving cyber threats.

ETLM Assessment:
SideCopy and APT36, also known as Transparent Tribe, represent Pakistan-linked Advanced Persistent Threat (APT) groups with a strategic focus on targeting South Asian countries, particularly Indian defence and government entities. These threat actors have demonstrated a persistent intent to infiltrate and compromise governmental infrastructure to facilitate their malicious activities, leveraging compromised infrastructure to carry out their operations. This trend underscores the critical importance of heightened vigilance and robust cybersecurity measures to safeguard against the persistent threats posed by these APT groups.

Recommendations:

  • Conduct regular cybersecurity awareness training sessions for employees to educate them about the risks of spear-phishing and how to identify suspicious emails and attachments.
  • Implement robust email filtering solutions to detect and block malicious emails before they reach users’ inboxes, reducing the likelihood of successful phishing attempts.
  • Ensure that all software and systems are regularly updated with the latest patches and security updates to address known vulnerabilities that could be exploited by attackers.
  • Deploy advanced endpoint protection solutions that include capabilities such as behaviour-based detection and response to identify and mitigate the presence of malicious software on endpoints.
  • Segment the network to limit lateral movement by attackers in case of a successful breach, reducing the impact of potential compromises and making it more challenging for attackers to access sensitive systems and data.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Czech Republic warns of Russia’s cyber sabotage to EU railways
According to the Czech government, Russia has made thousands of attempts to damage the European railway system since the beginning of the invasion of Ukraine. Moscow is suspected of being behind “thousands of attempts to weaken our systems”, the Transport Minister said during an EU meeting in Brussels. The Russian hacking campaign includes attacks on critical infrastructure systems, including attacks on signaling equipment and on the computer networks of Czech state-owned carrier Czech Railways. In the past, the Russians have disabled ticketing systems in this way, for example, raising concerns about whether similar attacks are behind serious train accidents caused by faulty signaling equipment. Last March, the EU Cyber Security Agency (ENISA) published its first ever report on threats to the European transport system. The report mentioned hacking attacks by pro-Russian groups against railways in Latvia, Lithuania, Romania and Estonia. Czech Railways confirmed the government’s remark and acknowledged growing number of attacks on its digital infrastructure.

ETLM Assessment:
Russian attempts to destabilize European energy infrastructure have been well documented but interference in transport networks has been less discussed, even though Cyfirma analysts warned of this danger in this report last year. The Czech National Cyber and Information Security Agency (NÚKIB) has also warned of growing threats of attacks on transport targets in its report last year. The agency has been one of the strictest digital security watchdogs in Europe and was the first to issue a hawkish warning against the use of components from Chinese companies Huawei and ZTE in 5G mobile networks under construction. Russia is using the attacks both as a tool of political war against the West as well as tactical means of delaying transports of Ukrainian grain to the world market as well as movements of Western equipment towards Ukraine both in civilian and military capacity. The incident shows the growing role of cyber in conflict even or rather especially between countries that are not formally at war and demonstrates the future of political relations, in which cyber will be a major means of the statecraft toolkit, affecting governments and business alike.

The Pentagon gets a cyber czar
The US Department of Defense has opened its Office of the Assistant Secretary of Defense for Cyber Policy. Upon confirmation, the new assistant defense secretary for cyber policy (aka cyber czar) Ashley Manning will oversee spending on network operations, outreach to industry, and more. The move is aligned with the recent U.S. Navy cyber strategy, according to which non-kinetic effects rather than missiles, fighter jets and torpedoes are likely to decide the next war on the high seas. The document reflects the central idea that the next fight against a major adversary will be like no other and that the use of non-kinetic effects and defense against those effects prior to and during kinetic exchanges will likely be the deciding factor in who prevails. But the navy sees as imperative that cyber warfare is far more than networks and cybersecurity. Cyber warfare is presented as a warfighting discipline that should be considered a core competency that is going to play a key role in modern warfare.

ETLM Assessment:
The inauguration of the “cyber czar” confirms the growing role of cyber in modern conflicts, which often do not distinguish between military and civilian infrastructure and between times of war and peace. The office intends to provide the U.S. military a more civilian-facing role in the realm of cyber policy. The new office is responsible for coordinating the Pentagon’s cyber strategies, overseeing the military’s cyber operational budget, cyber workforce development and private sector outreach, among other areas.

The US military highlights the pivotal role of non-kinetic effects and defense against such effects in future conflicts. The potential for massive cyberattacks by advanced state actors like China looms large, threatening to disrupt critical infrastructure and the internet-powered amenities that underpin modern life. US documents emphasize that cyber warfare extends far beyond networks and cybersecurity issues, yet neither governments nor businesses are adequately prepared to confront this emerging threat.

Rise in Malware/Ransomware and Phishing

The RansomHouse Ransomware impacts the Bank Pembangunan Daerah Banten Tbk PT

  • Attack Type: Ransomware
  • Target Industry: Finance
  • Target Geography: Indonesia
  • Ransomware: RansomHouse Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; (www[.]bankbanten [.]co[.]id), was compromised by the RansomHouse Ransomware. Bank Pembangunan Daerah Banten Tbk PT is a bank focusing on micro-enterprises and small and medium enterprises. It is a regional development bank owned by the government of Banten province. The compromised data comprises confidential and sensitive information pertaining to the organization. It totals approximately 450 GB.

The following screenshot was observed published on the dark web:

Relevancy & Insights:

  • RansomHouse emerged in March of 2022 and is categorized as a multi-pronged extortion threat. The attackers exfiltrate all enticing data and threaten to post it all publicly.
  • RansomHouse operations tend to be ‘smaller’ or more ‘controlled’ than some bigger players. They openly solicit new ‘team members’ on known underground marketplaces, as well as collaborating on the Telegram service. The group has opted for the more efficient route of exfiltration only. This means the group steals victim data, skipping the encryption step. This can make the attacks stealthier and potentially lead to a much longer dwell time since no encryption means fewer alarms are triggered. Victims, as well as journalists and reporters, are directed to RansomHouse’s ‘PR Telegram Channel’ for any questions or support around the group’s campaigns.
  • The RansomHouse Ransomware group primarily targets countries such as the United States of America, Italy, Malaysia, the United Kingdom, and Spain.
  • The RansomHouse Ransomware group primarily targets industries, such as Pharmaceuticals, Computer Services, Health Care Providers, Business Support Services, and Aerospace.
  • Based on the RansomHouse Ransomware victims list from 1st Jan 2023 to 1st May 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Ransomhouse Ransomware from 1st Jan 2023 to 1st May are as follows:

ETLM Assessment:
RansomHouse ransomware is known to target large enterprises and high-value targets. RansomHouse ransomware targets its victims through phishing and spear phishing emails. They are also known to use third-party frameworks (e.g., Vatet Loader, Metasploit, Cobalt Strike). Based on the available information, CYFIRMA’s assessment indicates that RansomHouse ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent breach targeting the Bank Pembangunan Daerah Banten Tbk PT, a leading finance firm based in Indonesia, serves as a potential indicator of RansomHouse ransomware’s inclination towards targeting organizations across Southeast Asia.

The Cactus Ransomware impacts the Ghim Li

  • Attack Type: Ransomware
  • Target Industry: Retail
  • Target Geography: Australia, Singapore
  • Ransomware: Cactus Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary: From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Australia; (www[.]ghimli[.]com), was compromised by the Cactus Ransomware. Ghim Li’s headquarters are located in Singapore. Ghim Li is a global textile and apparel supply chain manager of casual lifestyle knitwear apparel for major U.S. retailers. Ghim Li supplies over 62 million garments annually through a global marketing and manufacturing network. The compromised data contains highly confidential and sensitive information relevant to the organization.

The following screenshot was observed published on the dark web:

Relevancy & Insights:

  • The Cactus Ransomware Group, first identified in March 2023, has rapidly spread its spines across the digital domain, exploiting vulnerabilities, particularly within VPNs, to gain unauthorized access and establish a foothold within compromised infrastructures. The group has demonstrated a sophisticated understanding of evasion techniques, employing a dynamic approach to encryption and utilizing many tools and techniques to ensure its malicious payload is delivered effectively and covertly.
  • Cactus Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Canada, Australia, and France.
  • Cactus Ransomware group primarily targets industries, such as Heavy Construction, Automobiles, Specialized Consumer Services, Medical Equipment, and Furnishings
  • Based on the Cactus Ransomware victims list from 1st Jan 2023 to 1st May 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Cactus Ransomware from 1st Jan 2023 to 1st May 2024 are as follows:

ETLM Assessment:
Cactus Ransomware Group is known for breaking into networks by exploiting known vulnerabilities in VPN appliances and Qlik Sense software. The group also conducts phishing attacks, buys stolen credentials through crime forums, and partners with malware distributors. Based on CYFIRMA’s assessment, Cactus Ransomware targets worldwide organizations. The attack on Ghim Li also highlights ransomware groups’ interest in Australian and Asian organizations financially strong in the region with exploitable vulnerabilities.

Vulnerabilities and Exploits

Vulnerability in Moby

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server application
  • Vulnerability: CVE-2024-32473(CVSS Base Score 6.3)
  • Vulnerability Type: Security Features

Summary:
The vulnerability allows a remote attacker to compromise the target system.

Relevancy & Insights:
The vulnerability exists due to the IPv6 is not disabled on network interfaces.

Impact:
A remote attacker can gain access to sensitive information or perform a denial of service (DoS) attack.

Affected Products: https[:]//github[.]com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Moby, functioning as a open framework, empowers global developers to craft custom container systems. Its impact is felt across sectors like technology, finance, healthcare, and e-commerce in diverse geographic regions. Vulnerabilities in Moby could disrupt operations and compromise containerized environments worldwide.

Latest Cyber-Attacks, Incidents, and Breaches

8Base Ransomware attacked and Published data of GPI Corporate

  • Threat Actors: 8Base Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Australia
  • Target Industry: Manufacturing
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that 8Base Ransomware attacked and Published data of GPI Corporate on its darkweb website. GPI Corporate is a fully integrated Promotional Marketing solution provider that is committed to delivering fresh ideas, creative products, and solutions that will enhance efficiencies, promote growth, and surpass expectations. The data leak, post ransomware attack encompasses a wide array of sensitive information including invoices, receipts, accounting documents, personal data, certificates, employment contracts, a substantial volume of confidential information, confidentiality agreements, personal files, and additional data.

Relevancy & Insights:
We’ve recently noted that the 8-base Ransomware has targeted prominent organizations such as LEMODOR Lüftungstechnik AG, a top-tier ventilation systems manufacturer based in Switzerland, and Tamura Corporation. Tamura, established in 1924 and headquartered in Tokyo, Japan, specializes in electronic manufacturing. These attacks underscore the 8-base Ransomware’s focus on major manufacturing entities across the globe.

ETLM Assessment:
The 8Base ransomware group first emerged in March 2022 and swiftly gained notoriety, exhibiting a notable surge in activity throughout 2023 and 2024. Though their ransom demands remain undisclosed, they employ double extortion tactics, leveraging exfiltrated data for additional leverage. Operating with remarkable sophistication, 8Base employs advanced security evasion techniques and primarily targets Windows systems, with a particular focus on sectors including business services, manufacturing, finance, and information technology. Continuous assessments conducted by CYFIRMA indicate that 8Base ransomware has set its sights on Australian, European, and Southeast Asian Nations, driven by a relentless pursuit of substantial financial gains through ransomware operations.

Data Leaks

DAGANG GROUP INDONESIA data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Business Services
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to DAGANG GROUP INDONESIA, {www[.]dagang-group[.]com } in an underground forum. Dagang Group Indonesia is a corporation that operates in the form of a business ecosystem. Dagang Group Indonesia’s range of business units is integrated with a focus on digital trade business services targeting Small and Medium Enterprises (SMEs). The compromised data encompasses a range of sensitive information, including employee details such as Employee ID, full name, barcode, organizational affiliation, job position, level, join and resign dates, employee status, end dates, sign dates, and other confidential data points. The data breach has been attributed to a threat actor identified as ‘Sedapmalam’.

ZOYA data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Retail
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to ZOYA, {www[.]ZOYA[.]co[.]id} in an underground forum. Zoya’s online store offers a wide range of high-quality women’s Muslim clothing and the latest hijab styles, with various pricing options to choose from. The compromised data includes personal information such as names, codes, mobile and phone numbers, email addresses, join and birth dates, addresses, cities, sign-up outlet details, loyalty points, IDs, identifications, customer groups, country information, and other confidential data. The data breach has been attributed to a threat actor identified as ‘Sedapmalam’.

TUNAS TOYOTA data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Automotive
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary: The CYFIRMA Research team observed a potential data leak related to TUNAS TOYOTA, {www[.]tunastoyota[.]com} in an underground forum. Tunas Toyota is a prominent automotive company known for its excellence in the industry. As one of Indonesia’s leading Toyota dealerships, Tunas Toyota has earned a reputation for providing top-notch vehicles, exceptional customer service, and innovative solutions to meet the diverse needs of its customers. The compromised data includes customer data identifiers, user IDs, phone numbers, email addresses, names, dates of birth, customer agreements, agreement dates, status information, and UTM source details. The data breach has been attributed to a threat actor identified as ‘Sedapmalam’.

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:

  • Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Sedapmalam’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by ‘Sedapmalam’ typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

Other Observations

CYFIRMA Research team observed a potential data leak related to Kintetsu World Express, Inc. A significant data breach has been reported at Kintetsu World Express, Inc. (KWE), a major Japanese freight forwarding company, with ramifications extending across its global operations. The breach, claimed by a threat actor identified as 888, has resulted in the leakage of sensitive information from the company’s First Freight CRM Billing system. This incident has affected a substantial number of individuals, with 819 members from nearly 30 countries having their personal data compromised.

ETLM Assessment:
888 threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography – Wise and Industry- Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organization’s geography, industry, technology, please access DeCYFIR.