Self Assessment

Weekly Intelligence Report – 03 Nov 2023

Published On : 2023-11-03
Share :
Weekly Intelligence Report – 03 Nov 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.

Introduction

CYFIRMA Research and Advisory Team has found ransomware known as Good Day ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Good Day:

Good Day ransomware, part of the ARCrypter family, emerged in May 2023.

The Ransomware disguises itself as a Microsoft Windows Update executable named “WindowsUpdate.exe.” The ransomware is intended to be executed using a dropper or script, a tactic consistent with previous ARCrypter operations. To initiate the ransomware, the use of the /START parameter is essential.

The recognizable strings typically associated with the ARCrypter family are present in this sample as well.

Upon execution, Good Day determines the infected host’s location via the Windows Registry (HKEY_USERS…\Control Panel\International\Geo\Nation) and establishes persistence by creating an entry in the RUN key of the registry.

The ransomware also attempts to delete Volume Shadow Copies (VSS).

Furthermore, ransomware gathers information from infected systems through WMIC queries.

Following encryption, affected files receive new names with extensions like .crYptA or .crYptB, which can sequentially advance through the alphabet, ultimately reaching .crYptE as the final extension.

The ransomware makes efforts to detect its presence within specific debuggers. This list comprises S-Ice.exe, ImmunityDebugger.exe, x64dbg.exe, and others.

The Ransomware includes a predefined list of folders and files that it should not encrypt.


Good Day Exclusions list (Source: Surface web)

Researchers noted an increase in new ransom note samples in public malware repositories. This recent wave of Good Day attacks includes unique TOR-based victim portals for each target.

Researchers have identified distinctive Good Day ransom notes, victim portals, and analyzed a sample connected to a known Cloak extortion site. This association links Cloak’s data sales and leaks to Good Day through publicly accessible chats on TOR-based victim portals.


Files Encrypted by GoodDay Ransomware (Source: Surface web)


GoodDay Ransomware Note (Source: surface web)

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • The use of idle periods may indicate that the ransomware is designed to operate more stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities. The identification of a connection between Good Day ransom notes and Cloak’s data sales offers valuable insights to security practitioners. This understanding aids in the management of risks associated with the evolving landscape of vulnerabilities and the actions of threat actors.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • Good Day ransomware demonstrates advanced obfuscation techniques by disguising itself as a Microsoft Windows Update executable, making it challenging for users to identify malicious activity.

ETLM assessment

Based on current information, Cyfirma predicts that Good Day ransomware, part of the ARCrypter family, will remain a significant cybersecurity threat. Its disguise as a Windows Update and targeting of the widely used Windows OS make it a persistent concern. Its ability to detect debug environments shows its commitment to evading analysis. Moreover, the use of idle periods suggests a stealthy operational approach, possibly during off-peak times. The rise in campaigns and its connection to Cloak underscores the importance of enhanced vigilance and preparedness against evolving cyber threats.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting Interpreter
T1129: Shared Modules
2 TA0004: Privilege Escalation T1055: Process Injection
3 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1036: Masquerading
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1497: Virtualization/Sandbox Evasion
4 TA0007: Discovery T1010: Application Window Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
5 TA0011: Command and Control T1090: Proxy
6 TA0040: Impact T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:

title: CMD Shell Output Redirect
tags:
– attack.discovery
– attack.t1082 logsource:
category: process_creation product: windows
detection: selection_cmd:
– OriginalFileName: ‘Cmd.Exe’
– Image|endswith: ‘\cmd.exe’ selection_cli:
CommandLine|contains: ‘>’ filter_idm_extension:
CommandLine|contains:
– ‘C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe’
– ‘chrome-extension://’
– ‘\\.\pipe\chrome.nativeMessaging’ condition: all of selection_* and not 1 of filter_*
falsepositives:
– Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
level: low
(Source: Surface web)

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Data Theft
Target Technology: Browsers, Social Media Accounts/Platforms
Target Sector: Technology

Active Malware of the Week
This week “DUCKTAIL” is trending.

DUCKTAIL

Researchers observed a malicious campaign using LinkedIn messages for identity theft attacks. This campaign involves compromised LinkedIn accounts sending messages to users in an attempt to clandestine acquire their cookies, session data, and browser credentials, ultimately compromising their accounts.

In this campaign, they used the DuckTail malware, which is a sophisticated and elusive type of malware designed to avoid detection. It collects victim data, communicates with a Command-and-Control server through a Telegram Bot, and extracts data using ZIP archives. This malware variant possesses an automated feature that facilitates Facebook Business hijacking, granting attackers access to potential victims’ associated email accounts. The attacks were aimed at professionals from different Italian companies, primarily in the technology sector. The attackers particularly targeted employees in the sales and finance departments of these companies.

Attack method

Initially, the campaign operates through compromised LinkedIn accounts, which distribute PDF documents disguised as job offers. Following the establishment of the initial contact with the victim, the compromised account then sends a subsequent message containing the attached PDF document, which contains the details of the job offer. In this particular instance, the deceptive job posting was for a Senior Manager position at Electronic Arts (EA) company.


Fig: Fake Job offer document contains hyperlinks

The PDF document includes two hyperlinks that lead to malicious websites. The first hyperlink directs recipients to a phishing site(ea[.]gr8people[.]com) impersonating Electronic Arts. The page hosts both login and registration forms for candidates to submit their resumes and cover letters. The second malicious link triggers the download of a ZIP archive named Senior_Manager_EA_Sport.zip from Microsoft OneDrive.

The ZIP archive contains three MP4 video files and two identical executables that are disguised as Microsoft Word documents using the Word icon.


Fig: Contents of a zip archive file

These executables are 64-bit PE files with a size of 67.3 megabytes and include a decryption string “AHSDHAS092TEST.” The file seems to have been compiled using Microsoft Visual Studio and contains additional PE headers. One of these headers is associated with a Microsoft .NET executable, protected by the commercial obfuscator Smart Assembly.

The malicious file is created using the .NET Core framework and compiled as a single-file application, which consolidates all necessary libraries and files into a single executable.

This method is uncommon in malware and makes it highly elusive. Currently, only six out of seventy antivirus engines on VirusTotal have identified it as malicious, indicating its ability to avoid detection.

The “single file” application is essentially a collection of concatenated binaries, but the actual malicious code can be found by examining the executable’s dependencies. The primary DLL extracts a mutex named “ICollectVASD” to ensure the malware runs only once. It then collects victim information, including the system’s GUID and IP address, which is temporarily stored at the following path: C:\Users\<User>\AppData\Local\Temp\ic300.

The malware creates a fake PDF document as a decoy, displaying a supposed job description at this path: C:\Users\<User>\AppData\Local\Temp\Job_Description_of_Senior_Manager.pdf.
Communication with the Command and Control (C&C) server is done through a Telegram Bot (BOT ID 6263348871) using TLS encryption. The initial message is a “Start Signal,” which includes system information and a counter in an HTTP POST request to the attacker’s Telegram Bot.

TELEGRAM BOT REQUEST URL:
https[:]//api[.]telegram[.]org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD- zrvRQ/sendMessage
Data is transferred in ZIP archives within POST messages, using the /sendDocument API. C&C server details are retrieved from a configuration file named “profile” within the binary’s resources, allowing for multiple profiles with different tokens, chatIDs, and email lists. The malware targets web browsers like Microsoft Edge, Google Chrome, Brave Browser, and Mozilla Firefox, extracting cookies, session data, and saved credentials via Telegram for identity theft attacks. It operates in the background, regularly sending data to the attacker through the Telegram API.The malware also includes a Facebook Business hijacking feature. It interacts with Facebook APIs, using session information from the victim’s browsers, and sends links to email addresses, potentially granting access to the associated Facebook Business Account for the attacker.

TELEGRAM BOT EXFILTRATION URL:
https[:]//api[.]telegram[.]org/bot6263348871:AAFc1F8GffaY0Bc8rWsvD2BzfK9yD- zrvRQ/sendDocument

INSIGHTS

  • DUCKTAIL is a financially motivated malware variant associated with Threat Actors (TAs) based in Vietnam. Since the latter half of 2021, these actors have actively developed and distributed DUCKTAIL malware. This malware is specifically designed to target individuals and businesses using Social Media Business platforms. It is a well- established malware family known for its history of targeting various online platforms. Its tactics include deceiving users into downloading malware through LinkedIn. Furthermore, it infiltrates popular desktop web browsers like Google Chrome, Microsoft Edge, Brave, and Firefox to access and collect user information.
  • DUCKTAIL is a highly sophisticated and adaptable malware strain specializing in social media account theft, notorious for its evasion of detection through encryption and obfuscation techniques. It employs the Telegram messaging app for command and control, offering attackers anonymity and operational flexibility. Its use of encryption and obfuscation complicates the analysis process, making it challenging for cybersecurity experts to understand and reverse-engineer the malware.
  • Ducktail is a malware designed to extract browser cookies and exploit active social media sessions to steal sensitive information from victims’ social media accounts. The threat actors use social engineering tactics, often targeting victims through platforms like LinkedIn. They entice victims with a URL that prompts the download of a ZIP archive containing the Ducktail self-contained .NET application.

ETLM ASSESSMENT

From the ETLM perspective, CYFIRMA anticipates that DuckTail is constantly expanding its use of cloud services for hosting and distributing malicious payloads, suggesting its ongoing evolution. Future versions are likely to employ more advanced evasion techniques. The malware’s adept use of social engineering, notably on platforms like LinkedIn, indicates its operators’ skills in manipulating victims. In the future, we can expect more diverse and sophisticated delivery methods, potentially involving new social engineering tactics or exploiting vulnerabilities. DuckTail’s continued adaptability and evolution make it a persistent and ever-evolving threat in the cybersecurity landscape.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Consider the following multi-layered protection program:
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
  • Anti-phishing engines to prevent any type of phishing attack before it reaches users.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Play Ransomware | Malware – DUCKTAIL
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – DUCKTAIL
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Lazarus Group Targets Same Victim Several Times

  • Threat Actors: Lazarus Group
  • Attack Type: Vulnerability Exploitations
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Unknown
  • Target Industries: IT Services
  • Business Impact: Operational Disruption

Summary:
In a recently detected campaign, the Lazarus APT group from North Korea repeatedly targeted a software vendor, exploiting vulnerabilities in their software even after multiple patches and warnings from the developer. The hackers’ relentless breaches of the same victim suggest a clear objective: the theft of valuable source code or the orchestration of a supply chain attack. Researchers detected this ongoing breach in July 2023. Their investigation revealed Lazarus employed a diverse infection chain and an array of post-compromise tools. This campaign fits into a broader pattern where Lazarus directed its focus on various software vendors from March to August 2023.

The attack primarily revolved around two malware components: SIGNBT and LPEClient. Lazarus targeted legitimate security software designed for encrypting web communications. The precise method of exploitation used by the hackers remains undisclosed. The deployment of SIGNBT involved injecting the payload into memory using shellcode, establishing persistence by adding a malicious DLL (‘ualapi.dll’) to the startup process, or making Windows Registry modifications. SIGNBT, named for its distinctive strings for command and control (C2) communications, enabled Lazarus to exchange information about compromised systems and receive execution commands. It supports various commands, including system information retrieval, process management, file operations, and more, making it a versatile tool for hackers. SIGNBT could fetch additional payloads from the C2 server, allowing Lazarus to maintain operational flexibility. They exploited this capability to load credential-dumping tools and the LPEClient malware on compromised systems. LPEClient, in its latest versions, displayed significant evolution, employing advanced techniques to enhance stealth and avoid detection.

Relevancy & Insights:

  • Despite the vendor’s efforts to address the software vulnerability and provide a patch, some users failed to apply the update. This oversight created an opportunity for a supply chain attack, allowing threat actors to compromise the software. To safeguard against such attacks, it’s imperative for users to promptly update their software and read our additional recommendations for basic security measures.
  • The Lazarus group is recognized as one of the most prolific Advanced Persistent Threat (APT) groups with a consistent focus on cyber espionage. This group consistently utilizes various exploits tailored to target specific industries. In their latest campaign, which researchers have recently uncovered, the threat actors exploited vulnerabilities in VMware Horizon as their initial entry point into targeted organizations. Subsequently, they deployed a range of custom-built malware implants, including VSingle, YamaBot, and a previously undiscovered malware implant referred to as MagicRAT.

ETLM Assessment:

  • Lazarus is a state-sponsored cyber espionage group, that has enjoyed financial support since 2009. Their primary focus is cyber espionage, targeting government bodies, critical infrastructure, and high-value sectors. Their persistence hinges on the endurance of espionage objectives. Their adaptability shines through the continuous evolution of tactics, staying ahead of cybersecurity measures. Linked to the North Korean regime, geopolitical motivations may fuel their operations when aligned with North Korea’s interests. Lazarus boasts a track record of successful breaches, boosting their confidence to sustain operations. Their history strongly hints at incoming attacks with diverse strategies and the use of both public and private exploits.

Recommendations:

  • Regularly update your operating system, applications, and antivirus software to patch vulnerabilities that cyber attackers might exploit.
  • Be cautious about unsolicited emails, especially those with attachments or links. Avoid clicking on suspicious links or downloading attachments from unknown sources.
  • Install reputable security software that can detect and prevent malware and other threats.
  • If you’re part of an organization, provide cybersecurity training to employees to make them aware of the risks and how to avoid falling victim to cyber espionage.

Indicators of Compromise

  • Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Rise in privateering attacks by Russian actors
In recent weeks, Russia has stepped up cyberattacks directed against Ukraine and its international supporters. The recent increase is partly related to the fact that the Kremlin has been able to enlist cyber-criminals to do its bidding in financially motivated attacks with Moscow providing political cover for actions nominally illegal under the Russian law. For example, the Ukrainian National Cybersecurity Coordination Center (NCCC) reported that it was investigating an increase in Russian criminal attacks using Smokeloader malware. The agency has characterized the threat actors beyond the spread of the Smokeloader-related attacks as financially motivated cybercriminals, would in effect mean they are privateers who were enlisted by the Kremlin in order to supplement the efforts of Russian intelligence and security services and the hacktivist auxiliaries those services direct. Their activity has been on the rise since May, when Ukrainian financial and government organizations have been repeatedly targeted by multi-module malicious software, the functionality of which includes counter analysis methods, data theft, and remote control of the victim’s computer. The threat actors seem to be especially interested in the financial services sector.

ETLM Assessment:
Privateers are often anonymous and at the same time enjoy state protection – state backing remits their actions and makes them more difficult to detect and prosecute, which is a typical reason for their employment by governments worldwide. However, in this specific case, privateering on behalf of Russian cyber criminals is best explained as a process of national mobilization of Russian resources. The Russian official budget allocated to defense spending in 2024 will almost double compared to this year. While that is less than the 12–17 percent of GDP that the Soviet Union was officially spending on defense at the height of the Cold War, it is comparable to U.S. military expenditure in the 1980s. That means the Russian economy is seriously strained and the intelligence and military apparatus is increasingly looking for other ways to bolster its capability. The gradual enlistment of privateers should be a concern especially for the business in countries deemed hostile by the Kremlin, since the privateers are more likely to go after them.

Hamas cyber activity likely connected to Iran
Researchers have identified and analyzed an application disseminated on a Telegram Channel, used by members and supporters of the Hamas terrorist organization, which is configured to communicate with Hamas’s military wing – the Izz ad-Din al-Qassam Brigades’ – website. Based on infrastructure and domain registration tradecraft analysis, the researchers believe the app is a work of AridViper (also known as APT-C- 23, Desert Falcon) a suspected Hamas-connected group. The researchers also observed a likely Iran nexus tied to that domain. It is likely that the newly identified domains were operated by threat actors that share an organizational or ideological affiliation with the Qassam Brigades and who are connected to the Quds force, a sub- organization of Iran’s Islamic Revolutionary Guard Corps (IRGC). The Quds force has been observed to provide cyber technical assistance to Hamas and other Palestinian threat groups in the past and this observation is another link in the chain of support Iran provides to Hamas as its political proxy in the region.

ETLM Assessment:
While Iran is hostile to all other blocks of powers in the Middle East, its relationship with Israel is particularly thorny. Israel has been restrained by the United States from preventive military strike on Iran’s nuclear programme in the past as the United States were able to persuade Israel to join an American cyber warfare operation against the Natanz facility instead. However, given the internal political dynamics of all three countries and a new spiralling of violence between Israel and Iran-supported Hamas in the Gaza strip, a further escalation between Iran and Israel is increasingly likely. The conflict would be manifest in cyberspace as well as on the ground and we are likely to see a spike in the activity of Iranian APTs attacking countries that support Israel in the coming months.

Rise in Malware/Ransomware and Phishing

Online Development is Impacted by Play Ransomware

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from The United States of America, (www[.]oldi[.]com), was compromised by Play Ransomware. Online Development Inc. (OLDI) designs and manufactures factory automation products to help manufacturers simplify data transaction, control, and communications tasks. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The breached data includes sensitive personal information such as private and confidential data, client documents, IDs, payroll information, tax records, client directories, passports, financial details, and more.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Recently We observed that the Play ransomware group is using two new, custom- developed tools that allow it to enumerate all users and computers on a compromised network and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
  • Play’s focus is directed towards midsize enterprises, within sectors like finance, legal services, software development, shipping, law enforcement, and logistics. Their primary geographical targets encompass the United States, the United Kingdom, Germany, Canada, France, and other nations. Moreover, Play’s ransomware operations extend to encompass governmental bodies at state, local, and tribal levels, across the same set of countries.
  • Based on the Play Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Industries, most affected by Play Ransomware

ETLM Assessment:
enumerates the files and folders in a VSS snapshot and copies them to a destination directory. The tool allows the attackers to copy files from VSS volumes on compromised machines prior to encryption. This allows the threat actors to copy files normally locked by the operating system.

Vulnerabilities and Exploits

Vulnerability in Twisted Web

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Web Server
  • Vulnerability: CVE-2023-46137 (CVSS Base Score 5.3)
  • Vulnerability Type: Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)

Summary:
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

Relevancy & Insights:
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Impact:
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
Affected Products: https[:]//github[.]com/twisted/twisted/security/advisories/GHSA-xc8x- vp79-p3wm

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Ukrainian hackers disrupt internet providers in Russia-occupied territories.

  • Threat Actors: IT Army
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: Russia-occupied territories in Ukraine
  • Business Impact: Operational Disruption

Summary:
Internet services have been temporarily disabled in certain areas of the country’s territories occupied by Russia, due to actions by Ukrainian hackers. The group of cyber activists known as the IT Army said on Telegram that their distributed denial-of-service (DDoS) attack took down three Russian internet providers — Miranda-media, Krimtelekom, and MirTelekom — operating in the territories. Early on Friday, Russian internet operators confirmed that they had experienced an “unprecedented level of DDoS attacks from Ukrainian hacker groups,” temporarily disrupting their operations. The attack affected services such as cellular networks, phone calls, and internet connections. On Friday evening, Miranda-media reported that it had restored 80% of its services, including those provided by it and two other affected operators for law enforcement agencies, government organizations, and “socially significant services.” The operator’s security experts said that DDoS attacks were “carefully planned by cybercriminals.” On Saturday, internet connections in certain regions of Crimea were still disrupted as operators worked to improve their network resilience. After occupying parts of eastern Ukraine and the Crimea peninsula, Russia disconnected Ukrainian telecommunications infrastructure there and rerouted internet traffic through Russia’s network instead. Ukraine strongly criticized this move, saying that Russia wants to make its propaganda “an uncontested source of information.”

Relevancy & Insights:
The IT Army, a prominent group of cyber activists, claimed responsibility for a distributed denial-of-service (DDoS) attack that targeted Russian internet providers, including Miranda-media, Krimtelekom, and MirTelekom, operating in the affected territories. This deliberate act was described as a strategic move by the Ukrainian cyber army to impede the enemy’s military communication on the frontlines.

ETLM Assessment:
CYFIRMA assesses similar attacks will continue as the Ukraine/Russian conflict continues, with Ukrainian threat actors seeking to undermine and cause disputation to Russian infrastructure.

Data Leaks

Turk Ekonomi Bank (TEB) Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Banking
  • Target Geography: Turkey
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to Turk Ekonomi Bankasi (TEB), {www[.]teb[.]com[.]tr}. Turk Ekonomi Bank (TEB), a reputable and prestigious institution in the Turkish banking sector, was established in 1927. Since its inception, TEB has expanded its branch network and broadened its array of products and services. The breached data includes individuals’ names, surnames, national identification numbers, addresses, and other sensitive details.


Source: Underground forums

Relevancy & Insights:
Cyber attackers driven by financial incentives continuously seek out vulnerable and insufficiently secured systems and software applications. Many of these malicious actors operate within obscured online communities, participating in discussions concerning cybercrime and the illegal trading of stolen digital assets. Setting themselves apart from other financially motivated groups like ransomware or extortion collectives, who often publicize their attacks, these cybercriminals prefer to maintain a discreet presence. By exploiting unpatched systems or weaknesses in software and hardware, they illicitly gain entry and make off with valuable information. Subsequently, they promote the pilfered data on secretive forums, where it is either sold again or repurposed by other malicious entities for their own unlawful purposes.

ETLM Assessment:
CYFIRMA assesses the banking industries of advanced economies such as Turkey, are at continued risk of attack by financially motivated threat actors.

Other Observations

CYFIRMA Research team observed a potential data leak related to Planetminecraft,
{www[.]planetminecraft[.]com}. Planet Minecraft is a family-friendly community that shares and respects the creative works and interests of others. The breached data includes usernames and passwords saved as MD5 hashes, alongside other sensitive information.


Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.