Weekly Intelligence Report – 04 Oct 2024

Published On : 2024-10-03

Ransomware of the Week

The CYFIRMA Research and Advisory Team highlights ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies and may be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found ELPACO-team Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

ELPACO-team Ransomware
Researchers have uncovered a new ransomware strain named ELPACO-team, which is designed to both encrypt and rename files. After encrypting the data, it appends the “.ELPACO-team” extension to each file. ELPACO-team also displays a ransom note on the pre-login screen, alerting victims before they access their system. Additionally, the ransomware generates a text file titled “Decryption_INFO.txt,” which contains the same ransom note, instructing victims on how to proceed with payment for decryption.

Screenshot of files encrypted by this ransomware (Source: Surface Web)

Screenshot of ELPACO-team’s text file (“Decryption_INFO.txt”) (Source: Surface Web)

The ransom note from the ELPACO-team ransomware informs victims that their files have been encrypted due to a security vulnerability. It includes a decryption ID and instructs the victim to purchase both a decryption tool and a unique key to recover their files.

The note advises against scanning files with antivirus software, warning that doing so could lead to data loss. It also cautions against renaming encrypted files or using third-party decryption tools, as this may result in permanent loss of data.

Victims are directed to contact the attackers via email or Telegram. Additionally, the note suggests that quicker communication with the attackers could lead to more favourable terms for decryption.

Screenshot of ELPACO-team’s pre-login screen ransom note: (Source: Surface Web)

The following TTPs are mapped to the MITRE ATT&CK framework.

Sr. No | Tactics | Techniques/Sub-Techniques
1 | TA0001: Initial Access | T1091: Replication Through Removable Media
2 | TA0002: Execution | T1059: Command and Scripting Interpreter
 | | T1106: Native API
 | | T1129: Shared Modules
3 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service
 | | T1546.012: Event Triggered Execution: Image File Execution Options Injection
 | | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
 | | T1547.008: Boot or Logon Autostart Execution: LSASS Driver
 | | T1547.009: Boot or Logon Autostart Execution: Shortcut Modification
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading
4 | TA0004: Privilege Escalation | T1055: Process Injection
 | | T1543.003: Create or Modify System Process: Windows Service
 | | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
 | | T1546.012: Event Triggered Execution: Image File Execution Options Injection
 | | T1547.008: Boot or Logon Autostart Execution: LSASS Driver
 | | T1547.009: Boot or Logon Autostart Execution: Shortcut Modification
 | | T1548: Abuse Elevation Control Mechanism
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading
5 | TA0005: Defense Evasion | T1027.002: Obfuscated Files or Information: Software Packing
 | | T1036: Masquerading
 | | T1055: Process Injection
 | | T1070.004: Indicator Removal: File Deletion
 | | T1112: Modify Registry
 | | T1140: Deobfuscate/Decode Files or Information
 | | T1202: Indirect Command Execution
 | | T1222: File and Directory Permissions Modification
 | | T1497: Virtualization/Sandbox Evasion
 | | T1548: Abuse Elevation Control Mechanism
 | | T1562.001: Impair Defenses: Disable or Modify Tools
 | | T1564.003: Hide Artifacts: Hidden Window
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading
6 | TA0006: Credential Access | T1056.001: Input Capture: Keylogging
 | | T1539: Steal Web Session Cookie
7 | TA0007: Discovery | T1010: Application Window Discovery
 | | T1012: Query Registry
 | | T1033: System Owner/User Discovery
 | | T1057: Process Discovery
 | | T1082: System Information Discovery
 | | T1083: File and Directory Discovery
 | | T1120: Peripheral Device Discovery
 | | T1497: Virtualization/Sandbox Evasion
 | | T1518.001: Software Discovery: Security Software Discovery
 | | T1614: System Location Discovery
8 | TA0008: Lateral Movement | T1091: Replication Through Removable Media
9 | TA0009: Collection | T1056.001: Input Capture: Keylogging
 | | T1113: Screen Capture
10 | TA0011: Command and Control | T1071: Application Layer Protocol
 | | T1573: Encrypted Channel
11 | TA0040: Impact | T1486: Data Encrypted for Impact

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware places itself under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment suggests that the ELPACO-team ransomware poses significant risks to various sectors, such as Manufacturing, Healthcare, Construction, Financial institutions and others, particularly in economically developed nations. By exploiting major IT security vulnerabilities, attackers expose organisations to severe data breaches. The increasing reliance on digital systems heightens the potential for operational disruptions and data loss across these industries. Furthermore, the ransom note’s advisories against using antivirus software and third-party decryption tools complicate recovery efforts, underscoring the critical need for robust cybersecurity measures to mitigate such threats. As a result, staying vigilant and adopting strong cybersecurity measures are essential to effectively mitigate these evolving threats.

SIGMA Rule:
title: Shell Open Registry Keys Manipulation
tags:
  - attack.defense-evasion
  - attack.privilege-escalation
  - attack.t1548.002
  - attack.t1546.001
logsource:
  category: registry_event
  product: windows
detection:
  selection1:
    EventType: SetValue
    TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
    Details|contains: '\Software\Classes\{'
  selection2:
    TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
  selection3:
    EventType: SetValue
    TargetObject|endswith:
      - 'Classes\ms-settings\shell\open\command\(Default)'
      - 'Classes\exefile\shell\open\command\(Default)'
  filter_sel3:
    Details: '(Empty)'
  condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
  - Unknown
level: high

(Source: Surface web)
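To make the rule's condition concrete, the following is an added example (not code from the report or from any Sigma repository) that hand-implements the three selections and the filter and runs them over constructed Sysmon-style registry events, so a detection engineer can trace why `selection3 and not filter_sel3` suppresses an empty (Default) write while still catching a populated one. The events, paths and GUID are constructed sample data.

```python
"""Trace the 'Shell Open Registry Keys Manipulation' Sigma logic over sample events.

Added example: the selections below mirror the rule text; they are not a Sigma
engine. Sigma string modifiers compare case-insensitively, so values are
lower-cased before matching.
"""
from typing import Dict, List

Event = Dict[str, str]


def ends_with(value: str, suffixes: List[str]) -> bool:
    """Sigma `|endswith` with a list of alternatives (OR semantics)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains(value: str, needle: str) -> bool:
    """Sigma `|contains`."""
    return needle.lower() in value.lower()


def selection1(ev: Event) -> bool:
    # SymbolicLinkValue on ms-settings\shell\open\command redirected into a per-user Classes GUID key
    return (ev.get("EventType") == "SetValue"
            and ends_with(ev.get("TargetObject", ""),
                          [r"Classes\ms-settings\shell\open\command\SymbolicLinkValue"])
            and contains(ev.get("Details", ""), r"\Software\Classes\{"))


def selection2(ev: Event) -> bool:
    # Any event touching DelegateExecute under ms-settings\shell\open\command (no EventType constraint)
    return ends_with(ev.get("TargetObject", ""),
                     [r"Classes\ms-settings\shell\open\command\DelegateExecute"])


def selection3(ev: Event) -> bool:
    # (Default) command value set on the ms-settings or exefile shell\open handler
    return (ev.get("EventType") == "SetValue"
            and ends_with(ev.get("TargetObject", ""),
                          [r"Classes\ms-settings\shell\open\command\(Default)",
                           r"Classes\exefile\shell\open\command\(Default)"]))


def filter_sel3(ev: Event) -> bool:
    # Sysmon reports a freshly created, empty value as "(Empty)"; the rule excludes that case
    return ev.get("Details") == "(Empty)"


def rule_matches(ev: Event) -> bool:
    """condition: selection1 or selection2 or (selection3 and not filter_sel3)"""
    return selection1(ev) or selection2(ev) or (selection3(ev) and not filter_sel3(ev))


def matching_indices(events: List[Event]) -> List[int]:
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample events (Sysmon Event ID 13-style fields); not real telemetry.
USER_HIVE = r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes"
SAMPLE_EVENTS: List[Event] = [
    # 0: symbolic link redirect into a Classes GUID key -> selection1
    {"EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\ms-settings\shell\open\command\SymbolicLinkValue",
     "Details": r"\REGISTRY\USER\S-1-5-21-1000-2000-3000-1001\Software\Classes\{00000000-0000-0000-0000-000000000001}"},
    # 1: DelegateExecute value created -> selection2 regardless of EventType
    {"EventType": "CreateKey",
     "TargetObject": USER_HIVE + r"\ms-settings\shell\open\command\DelegateExecute",
     "Details": ""},
    # 2: exefile (Default) handler pointed at a constructed binary path -> selection3, not filtered
    {"EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\exefile\shell\open\command\(Default)",
     "Details": r"C:\Users\Public\constructed-sample.exe"},
    # 3: (Default) created empty -> selection3 fires but filter_sel3 suppresses it
    {"EventType": "SetValue",
     "TargetObject": USER_HIVE + r"\ms-settings\shell\open\command\(Default)",
     "Details": "(Empty)"},
    # 4: unrelated Run-key write -> no selection matches
    {"EventType": "SetValue",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if rule_matches(ev) else "-", ev["TargetObject"])
```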

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement robust security protocols, encryption, authentication, and access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Espionage, Data theft, Remote Access
Target Technology: Windows OS
Target Geography: Russia

Active Malware of the Week
This week “DCRat” is trending.

DCRat
Researchers discovered that Russian-speaking users were being targeted with DCRat (aka Dark Crystal RAT), being delivered through HTML smuggling—a notable evolution in its distribution tactics that had not been previously observed for this malware. DCRat, active since 2018 and written in C#, is known for its typical RAT functions like executing shell commands, logging keystrokes, and stealing files and credentials. Historically, it has been spread through compromised websites, password-protected archives, and media such as Signal, Cobalt Strike Beacons, or spam emails containing macro-embedded attachments.

This new delivery method marks an evolution in its distribution tactics.

HTML smuggling
HTML smuggling is a payload delivery method where the malicious code is either embedded in the HTML or retrieved from a remote source. HTML smuggling is often obfuscated using compression, encoding, or encryption, allowing it to bypass network security and reach the victim’s browser more easily. Once the HTML renders in the browser, the malicious payload is restored to its original form. Anti-emulation measures may delay the transformation until user actions, like mouse movement, occur. The payload is then written to disk automatically or through user interaction, often following social engineering efforts by the attacker to encourage execution. This technique has been used by malware like Azorult, Pikabot, and now DCRat, demonstrating its effectiveness in facilitating the delivery of sophisticated threats.
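The delivery chain described above (payload carried in the page, reassembled in the browser, written to disk, sometimes gated on user interaction) can be triaged heuristically. The following is an added example, not code from the report or from the researchers it cites: a small scanner that looks for each stage in an HTML file and flags the file only when all three stages are present. The two HTML documents are constructed fixtures (the "payload" decodes to repeated "ABC"), and the indicator names and thresholds are the author's own choices.

```python
"""Heuristic triage of an HTML file for HTML-smuggling indicators.

Added example: patterns are triage heuristics for a defender, not signatures.
A file is flagged only when all three stages of the chain the report describes
are present, so an ordinary download link or click handler does not trip it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # stage 1: payload carried inside the page (long base64 run, or atob() decoding)
    "base64_run": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
    "atob_decode": re.compile(r"\batob\s*\("),
    # stage 2: payload reassembled in the browser
    "blob_ctor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"),
    # stage 3: scripted write to disk
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "script_click": re.compile(r"\.click\s*\(\s*\)"),
    # context only: archive file name, and an interaction gate (anti-emulation)
    "archive_name": re.compile(r"\.(zip|rar|7z|iso|img)['\"]", re.I),
    "interaction_gate": re.compile(
        r"addEventListener\s*\(\s*['\"](mousemove|click|scroll|keydown)", re.I),
}

STAGES: Dict[str, set] = {
    "payload_embedded": {"base64_run", "atob_decode"},
    "reassembled_in_browser": {"blob_ctor", "object_url"},
    "written_to_disk": {"download_attr", "script_click"},
}


@dataclass
class ScanResult:
    hits: List[str] = field(default_factory=list)
    stages: Dict[str, bool] = field(default_factory=dict)
    suspicious: bool = False


def scan_html(html: str) -> ScanResult:
    """Return which indicators fired, which stages they cover, and the verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    stages = {stage: bool(set(hits) & names) for stage, names in STAGES.items()}
    return ScanResult(hits=hits, stages=stages, suspicious=all(stages.values()))


# Constructed fixture: mimics the structure the report describes (lure page,
# archive password shown on the page, decode gated on mouse movement).
FAKE_PAYLOAD_B64 = "QUJD" * 120  # decodes to "ABC" repeated; stands in for an encoded archive
SUSPICIOUS_HTML = f"""<!DOCTYPE html><html><body>
<h1>TrueConf - download the client</h1>
<p>Archive password: 2024</p>
<script>
var payload = "{FAKE_PAYLOAD_B64}";
document.addEventListener("mousemove", function once() {{
  var blob = new Blob([atob(payload)], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "trueconf.ru.zip";
  a.click();
}}, {{once: true}});
</script></body></html>"""

# Constructed fixture: a normal page with a download link and a click handler.
BENIGN_HTML = """<!DOCTYPE html><html><body>
<a href="/files/report.pdf" download="report.pdf">Download report</a>
<script>
document.getElementById("menu").addEventListener("click", function () { toggle(); });
</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("lure", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        r = scan_html(doc)
        print(label, "SUSPICIOUS" if r.suspicious else "clean", r.stages, r.hits)
```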

Attack strategy
The initial delivery method of the HTML pages remains unknown; however, the threat actor cleverly used fake HTML pages impersonating popular Russian-language applications like TrueConf and VK Messenger to deceive users.

Fig: Fake HTML Pages

When opened in browsers like Chrome, Firefox, or Edge, the HTML files automatically downloaded a password-protected ZIP archive to the victim’s disk, with the password “2024” provided on the page. This technique evades detection by preventing security tools from accessing the encrypted payload. The smuggling code in the HTML files was based on an open-source GitHub repository, as indicated by the JavaScript structure.

DCRat execution flow

The initial password-protected ZIP payload contained a RarSFX archive mimicking applications like “trueconf.ru.exe” and “vk.exe.” This RarSFX archive held a batch file and another password-protected RarSFX archive, both using the password “riverdD.” The batch file executed the archive, providing the password via command-line, which then ran the embedded payload—DCRat, as confirmed by memory strings, mutex names, and C2 communication.

Password-protect to evade
In phishing campaigns, threat actors often send password-protected attachments, with the password included in the email body, relying on the user to open the file and enter the password. To bypass this dependency, attackers began using nested RarSFX archives, where the first archive automatically executes the password-protected RarSFX archive, eliminating the need for the user to input a password. However, in this case, the initial RarSFX archive was placed inside a password-protected ZIP file, requiring the user to decrypt the ZIP. While the embedded RarSFX archive was widely detected on VirusTotal, the password-protected ZIP had zero detections at the time of analysis, demonstrating how password protection aids in evading security mechanisms.

INSIGHTS

  • DCRat, also known as Dark Crystal RAT, has been active since 2018 and is commonly used by cybercriminals for its modular structure and versatility. As a remote access Trojan (RAT), it allows attackers to remotely control infected devices, steal sensitive information, and execute malicious commands. What sets DCRat apart is its availability as malware-as-a-service (MaaS), making it accessible to a broader range of threat actors. This accessibility increases the frequency and scale of DCRat campaigns, particularly targeting businesses and individuals for data theft and espionage.
  • What’s particularly concerning about recent DCRat campaigns is the shift toward advanced delivery techniques, like HTML smuggling, which allows the malware to evade detection mechanisms. By employing methods that bypass traditional network defenses, such as password-protected archives and hidden payloads in HTML files, DCRat has demonstrated its capacity to exploit security gaps. The recent focus on targeting Russian-speaking users with impersonated applications suggests a more regionally focused approach to cyberattacks, signaling the potential for tailored campaigns that exploit local contexts and popular services.
  • The modular nature of DCRat, combined with its ability to evade detection using methods like password-protected ZIP files and RarSFX archives, signals a growing concern for organizations. The widespread availability of DCRat as a service means it will likely continue to evolve, potentially affecting a broader range of industries and geographic regions. This shift toward more targeted and harder-to-detect malware campaigns underscores the importance of proactive threat detection and user awareness in preventing data breaches.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that DCRat is likely to become a more prominent malware in cybercriminal campaigns, especially as attackers continue to refine its deployment techniques. With the malware becoming increasingly sophisticated at evading detection, organizations may face greater difficulties in identifying threats before significant damage occurs. This could result in a surge in data breaches, financial losses, and operational disruptions across various industries. As DCRat evolves, its global impact is expected to expand, reaching more sectors and regions. The malware-as-a-service model will continue to lower the entry barrier for threat actors, leading to more complex, multi-stage attacks that target a wider array of organizations worldwide.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops, and mobile devices to identify unauthorized/restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Security awareness training should be mandated for all company employees. The training should ensure that employees:
      ◦ Always inspect the full URL before downloading files to ensure it matches the source.
      ◦ Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • Consider the following multi-layered protection program:
      ◦ Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Medusa Ransomware, Brain Cipher Ransomware | Malware – DCRat
      ◦ Medusa Ransomware – One of the ransomware groups.
      ◦ Brain Cipher Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
      ◦ Malware – DCRat
  • Behaviour – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

A Closer Look at Sparkling Pisces’ Tools: KLogExe and FPSpy

  • Threat actor: Sparkling Pisces
  • Initial Attack Vector: Spear phishing and Malware Implant
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: South Korea and Japan
  • Target Industries: Government agencies, research institutions, and think tanks
  • Business Impact: Operational Disruption and Data Theft

Summary:
Sparkling Pisces, a North Korean APT group also known as Kimsuky, THALLIUM, or Velvet Chollima, is infamous for its sophisticated cyberespionage and spear phishing campaigns, particularly targeting organizations in South Korea and Japan. Recently, the group has broadened its scope to include attacks on Western countries as well.

Investigations have revealed new strains of malware, specifically KLogExe and FPSpy, both showcasing advanced capabilities like keylogging, data exfiltration, and command execution. KLogExe operates as a keylogger, saving captured data in an INI file, while FPSpy, a DLL file, offers even more extensive functionality, including multi-threading and the ability to download encrypted modules. Notably, both malware samples exhibit code similarities, suggesting a shared development lineage.

Relevancy & Insights:
Sparkling Pisces has a notable history of sophisticated cyberespionage, including significant attacks like the 2014 breach of Korea Hydro and Nuclear Power (KHNP). This breach aimed to collect sensitive information about South Korea’s energy infrastructure. The group typically targets government agencies, research institutions, energy companies, and large technology conglomerates.

The recent emergence of the KLogExe and FPSpy malware showcases the group’s evolving tactics and tools, building on their established focus on spear phishing and keylogging. This ongoing incident highlights a consistent pattern in their operational methods, underscoring Sparkling Pisces’ persistent commitment to espionage.

ETLM Assessment:
Sparkling Pisces primarily targets South Korea and Japan but has also extended its operations to Western countries, including the United States. Their focus includes government agencies and research institutions. The group employs various tactics, such as using email for spear phishing and PowerShell for stealthy malware execution. Recent malware developments include KLogExe and FPSpy, while earlier attacks utilized similar keyloggers and backdoors. They often exploit vulnerabilities in legitimate software and take advantage of user behavior, continuously adapting their methods over time. As the threat landscape evolves, Sparkling Pisces’ ability to innovate and enhance its malware toolkit poses ongoing risks.

Recommendations:

  • Conduct a Thorough Investigation: Assess all systems for signs of compromise related to KLogExe and FPSpy. Identify any unauthorized access or data exfiltration.
  • Isolate Infected Systems: Immediately disconnect any compromised machines from the network to prevent further spread.
  • Update Security Solutions: Ensure that antivirus and endpoint detection solutions are updated to recognize and block KLogExe and FPSpy specifically.
  • Implement Multi-Factor Authentication (MFA): Require MFA for all sensitive accounts to reduce the impact of compromised credentials.
  • Train Employees on Spear Phishing: Focus training on recognizing targeted phishing attempts, emphasizing the tactics used by Sparkling Pisces.
  • Audit Remote Access Tools: Ensure that any remote access software is secure, properly configured, and monitored for unusual activity.
  • Limit Administrative Privileges: Restrict access to critical systems and data to only those who absolutely need it, using the principle of least privilege.
  • Use tools to continuously monitor network traffic for indicators of compromise (IOCs) associated with the identified malware.
  • Log and Analyze User Activity: Keep detailed logs of user activity to detect anomalies that may indicate credential misuse or data exfiltration.
  • Regularly simulate scenarios involving these types of attacks to ensure preparedness.

MITRE ATT&CK Tactics and Techniques

Tactics | ID | Technique
Initial Access | T1566.001 | Phishing: Spear phishing Attachment
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1129 | Shared Modules
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Privilege Escalation | T1055.001 | Process Injection: DLL Injection
Defence Evasion | T1070.006 | Indicator Removal: Timestomp
Defence Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads
Defence Evasion | T1112 | Modify Registry
Defence Evasion | T1202 | Indirect Command Execution
Defence Evasion | T1218.011 | System Binary Proxy Execution: Rundll32
Defence Evasion | T1564.003 | Hide Artifacts: Hidden Window
Defence Evasion | T1036 | Masquerading
Defence Evasion | T1497 | Virtualization/Sandbox Evasion
Credential Access | T1056.001 | Input Capture: Keylogging
Discovery | T1083 | File and Directory Discovery
Discovery | T1010 | Application Window Discovery
Discovery | T1614 | System Location Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1087 | Account Discovery
Lateral Movement | T1021 | Remote Services
Collection | T1113 | Screen Capture
Collection | T1115 | Clipboard Data
Collection | T1119 | Automated Collection
Command and Control (C2) | T1071.001 | Application Layer Protocol: Web Protocols
Exfiltration | T1041 | Exfiltration Over C2 Channel

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Indian hackers targeting Pakistan
Researchers have recently published a report on “SloppyLemming,” a cyberespionage actor that primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations. The threat actor has also hit organizations in Bangladesh, Sri Lanka, Nepal, and China.

The same group is also known as “OUTRIDER TIGER,” and has a nexus with the government of India. The threat actor appears to have a particular focus on Pakistani police departments and other law enforcement agencies. Additionally, there are signs that the actor has also targeted organizations responsible for the operation and maintenance of Pakistan’s only nuclear power plant. Beyond Pakistan, SloppyLemming’s credential harvesting activities have mainly concentrated on government and military institutions in Sri Lanka and Bangladesh, with some attention also directed toward entities in China’s energy and academic sectors.

ETLM Assessment:
SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control. The actor predominantly relies on open-source adversary emulation frameworks, such as Cobalt Strike, Havoc, and others. Targeted sectors predominantly consist of government entities within Pakistan and this campaign constitutes a classic state-driven espionage effort enabled by cyber means with many similar efforts probably underway at the same time.

Iranian hackers continue to target the Trump campaign
Researchers report on a continuous effort by an Iranian hacking group that appears to have continued access to the Trump campaign. Last week the threat actor shared apparent stolen materials with journalists, including a letter dated September 15th. The threat actor had previously stolen a vetting report on vice presidential nominee JD Vance and shared it with US news outlets last month.

Microsoft’s Threat Analysis Center and Google’s Threat Analysis Group have both observed Iranian state-sponsored targeting of US presidential campaigns. Tehran has denied allegations of its involvement.

ETLM Assessment:
Over the past two months, current and former intelligence officials, along with cyber threat researchers from the world’s largest IT companies, have presented growing evidence of Iran’s hacking activities. As our analysts have previously noted, Iran’s attempts to meddle in U.S. elections are not new – hackers tied to Iranian security services have been catching up to Russia and China’s information operations game and have been targeting presidential and midterm elections since at least 2018. In 2021, for instance, the U.S. Justice Department charged two Iranian hackers with election interference for posing as Trump supporters and sending threatening emails to Democrats. In 2018, during his previous term in office, President Trump unilaterally abandoned the 2015 nuclear accord that Tehran had signed with world powers and imposed waves of sanctions on the Islamic Republic, putting its economy under severe pressure. Iran’s long-term strategy is to maneuver the U.S. out of the Middle East, where Tehran intends to play the role of a dominant power. To be able to fulfill this role, the Iranian regime does not want to deal with another Trump administration.

Iran is among world leaders in terms of using cyber warfare as a tool of statecraft. Iranian hackers have been repeatedly successful in gaining access to emails from an array of targets, including government staff members in the Middle East and the US, militaries, telecommunications companies, or critical infrastructure operators. The malware used to infiltrate the computers is increasingly more sophisticated and is often able to map out the networks the hackers had broken into, providing Iran with a blueprint of the underlying cyberinfrastructure that could prove helpful for planning and executing future attacks. Moreover, Iran is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims. The scale of foreign disinformation targeting U.S. elections is increasing, especially with the use of artificial intelligence, which is making these efforts more sophisticated. The concerning part about AI is its ability to amplify disinformation at an exponential rate.

As we have outlined in our fresh report on the topic, looking forward, we can thus expect Iranian actors to employ all forms of statecraft including cyber-attacks against American institutions while simultaneously intensifying their efforts to sow internal divisions on US soil, driving the attention of both electorate and politicians inward.

These campaigns are likely going to be centered around amplifying existing divisive issues within the US, like racial tensions, economic disparities, and gender-related issues. This is a page from the Kremlin playbook, while the two countries cooperate more and more closely on countering the rules-based world order.

4. Rise in Malware/Ransomware and Phishing

The Medusa Ransomware impacts AZPIRED

  • Attack Type: Ransomware
  • Target Industry: Business Support Services
  • Target Geography: Philippines
  • Ransomware: Medusa Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from the Philippines, AZPIRED (www[.]aspired[.]com), was compromised by the Medusa Ransomware. AZPIRED is a prominent outsourcing service provider based in the Philippines, specializing in a variety of business solutions tailored for clients primarily in the United States, Canada, and Australia. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 205 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Medusa ransomware has been active since late 2021 and has quickly established itself as a major player in the ransomware space, employing a double extortion strategy. Once inside, Medusa uses strong encryption methods (AES-256 and RSA-2048) to secure files, rendering them inaccessible without the decryption key held by the attackers.
  • Medusa ransomware primarily gains access through phishing attacks, exploiting unpatched software vulnerabilities, and targeting weak Remote Desktop Protocol (RDP) configurations.
  • The Medusa ransomware group employs various tactics, such as lateral movement within networks and using legitimate tools to evade detection.
  • The Medusa Ransomware group primarily targets countries like The United States of America, Canada, the United Kingdom, Italy, and Australia.
  • The Medusa Ransomware group primarily targets industries, such as Manufacturing, Healthcare, Finance, Retail, and Transportation.
  • Based on the Medusa Ransomware victims list from 1st Jan 2024 to 1st October 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Medusa Ransomware from 1st Jan 2024 to 1st October 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, Medusa Ransomware continues to pose a significant threat across various sectors. The group’s sophisticated tactics and aggressive demands highlight the need for organizations to enhance their cybersecurity measures, including regular updates, employee training on phishing recognition, and robust incident response plans to mitigate risks associated with ransomware attacks.

The Brain Cipher Ransomware Impacts Hanwa Co., Ltd. (Thailand)

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Thailand
  • Ransomware: Brain Cipher Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Thailand, Hanwa Co., Ltd. (Thailand) (www[.]hanwa[.]co[.]th), was compromised by Brain Cipher Ransomware. Hanwa Co., Ltd. (Thailand) is a subsidiary of Hanwa Co., Ltd., a Japan-based global trading company. Established to expand Hanwa’s operations in Southeast Asia, this firm specializes in trading a diverse range of products, including steel, metals, food, petroleum, and chemicals. Leveraging its parent company’s extensive network, Hanwa Thailand aims to provide comprehensive trading solutions and foster strong business relationships in the region. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data encompasses a trove of sensitive and confidential records originating from the organizational database. The total size of the compromised data is approximately 200 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Brain Cipher ransomware was first identified in June 2024 and is believed to be a variant of the LockBit ransomware family. It employs a double-extortion model, where attackers not only encrypt files but also threaten to leak stolen data if the ransom is not paid.
  • Brain Cipher utilizes a modified version of the leaked LockBit 3.0 builder, incorporating advanced obfuscation techniques to evade detection. The ransomware not only encrypts files but also alters file names and appends specific extensions to encrypted files.
  • The ransomware employs various methods to avoid detection, including hiding threads from debuggers and executing in suspended mode. It also attempts to disable core Windows security services like Windows Defender.
  • The Brain Cipher Ransomware group primarily targets countries such as the United States of America, France, Indonesia, Thailand, and Portugal.
  • The Brain Cipher Ransomware group primarily targets industries including Technology, Manufacturing, Hospitality, Legal Consulting, and Finance.
  • Based on the Brain Cipher Ransomware victims list from 1st June 2024 to 1st October 2024, the top 5 Target Countries are as follows:
  • The Top 5 Industries most affected by Brain Cipher Ransomware from 1st June 2024 to 1st October 2024 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Brain Cipher Ransomware represents a growing threat in the cybersecurity landscape, particularly due to its focus on critical infrastructure and government entities. Organizations must enhance their cybersecurity measures, including robust incident response plans and employee training on recognizing phishing attempts, to mitigate risks associated with this evolving threat. Continuous monitoring and updating of security protocols are essential to defend against such sophisticated attacks.

5. Vulnerabilities and Exploits

Vulnerability in Zimbra Collaboration

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Webmail solutions
  • Vulnerability: CVE-2024-45519 (CVSS Base Score 7.3)
  • Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Summary:
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

Relevancy & Insights:
The vulnerability exists due to improper input validation within the postjournal service. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
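The class of bug described above, as an added illustration that is not Zimbra's code and makes no claim about how postjournal is implemented: a hypothetical mail-delivery helper that hands an externally supplied recipient address to an OS command. The first version builds a shell string; the hardened version allowlist-validates the address and passes it as a discrete argument with no shell. `echo` stands in for the delivery binary so the block runs harmlessly.

```python
import re
import subprocess

# Allowlist for a plain local-part@domain address (constructed for this example).
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_valid_recipient(recipient: str) -> bool:
    """True only if the whole string is a plain address: no spaces, quotes,
    semicolons, backticks or other shell metacharacters can pass."""
    return _ADDR_RE.fullmatch(recipient) is not None


def deliver_vulnerable(recipient: str) -> str:
    """Builds a shell command string from untrusted input. `echo` stands in for
    the real delivery binary; with a real binary, anything after a ';' in the
    recipient would run as the service user."""
    cmd = f"echo delivering --to {recipient}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def deliver_hardened(recipient: str) -> tuple[bool, str]:
    """Validate first, then pass an argv list with shell=False: the address is
    exactly one argument to the program and can never become a second command."""
    if not is_valid_recipient(recipient):
        return False, ""  # rejected before any process is spawned
    proc = subprocess.run(
        ["echo", "delivering", "--to", recipient],
        capture_output=True, text=True, check=True,
    )
    return True, proc.stdout.strip()
```

The rejected-input branch is also the natural place to emit the log event that the Monitoring and Detection recommendation below asks for, since a rejected recipient is a direct signal of probing.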

Impact:
Successful exploitation of this vulnerability may result in complete compromise of a vulnerable system.

Affected Products:
https://wiki[.]zimbra[.]com/wiki/Security_Center#ZCS_9.0.0_Patch_41_Released

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in Zimbra Collaboration can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Zimbra Collaboration is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding collaborative software activities, including email communication and web client services, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

Orca Ransomware attacked and published the data of the Chernan Technology Co., Ltd.

  • Threat Actors: Orca Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing, Technology
  • Target Geography: Taiwan
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that the Orca Ransomware attacked and published data of Chernan Technology Co., Ltd. (www[.]chernan[.]com) on its dark web website. Chernan Technology Co., Ltd. is a Taiwanese company and a subsidiary of the Chernan Solder Group, specializing in the manufacturing and distribution of tin and related products. Chernan Metal Industrial Corp. provides a broad range of products, primarily used in electronics manufacturing, such as tin bars, wires, and pastes designed for soldering and circuit board applications. The data leak following the ransomware attack encompasses financial data, invoices, statements, company infrastructure details, and other records. The total size of the data breached is approximately 18 GB.

Source: Dark Web

Relevancy & Insights:

  • Orca Ransomware is identified as a variant of the Zeppelin malware family, known for its potent encryption capabilities. It targets various file types, including documents, images, and databases, rendering them inaccessible without a decryption key.
  • Once it infiltrates a system, Orca encrypts files and modifies their names by appending the extension .ORCA followed by a unique victim ID (e.g., file.jpg becomes file.jpg.ORCA.12345). After encryption, a ransom note named HOW_TO_RECOVER_DATA.hta is created on the victim’s desktop. This note provides instructions for victims to follow in order to recover their files.
  • Orca employs double extortion by not only encrypting files but also exfiltrating sensitive data. Victims are threatened with data publication if they do not pay the ransom within a specified timeframe (typically 72 hours). The ransom must be paid in Bitcoin.

ETLM Assessment:
Orca Ransomware remains a significant threat due to its effective encryption methods and aggressive double-extortion tactics. Organizations must adopt comprehensive cybersecurity measures to protect against this evolving threat and minimize potential impacts from ransomware attacks.

7. Data Leaks

Kreen Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Technology and Digital Services
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
In an alarming post on a prominent dark web forum, a threat actor has advertised a stolen database from major Indonesian digital platforms, offering sensitive user data for sale. The breach occurred in September 2024 and involved Kreen, a digital event promotion platform.

The threat actor is selling the dataset for $50 per copy, accepting only the cryptocurrency Monero (XMR) as payment. The seller has also offered an escrow service, providing additional assurance to potential buyers.

The Kreen application is a digital platform facilitating event promotion across various categories. It allows users to access information about events relevant to Indonesians both locally and abroad. According to the breach details shared by the threat actor, the stolen database contains:

  • 205,717 event orders
  • 86,792 individual orders
  • 63,230 user records

According to the seller, the data also includes identifying information, such as names, email addresses, phone numbers, and event order details.

Source: Underground Forums

Thaihonda Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Manufacturing
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A threat actor has reportedly put up for sale the database of Thai Honda Manufacturing Co., Ltd. (www[.]Thaihonda[.]co[.]th), which is responsible for producing and distributing Honda motorcycles in Thailand. Based in Samut Prakan, the company has allegedly suffered a data breach compromising extensive customer and transaction details.

Compromised Data:
The stolen database is said to include various types of sensitive information, such as customer IDs, motorcycle purchase details, VIN numbers, dealer codes, shop names, payment methods, and other personal and transaction-related data. Specifically, the compromised information spans details like:

  • Purchase history (buy date, price, financing details)
  • Customer demographics (name, email, address, phone numbers)
  • Motorcycle models and specifications
  • Marketing and promotional influences
  • Customer feedback and product preferences

Affected Records:

  • 3.3 million Wing Center customers
  • 38,000 Honda Big Wing customers
  • 5,000 Cub House customers

Date of Breach:
The breach reportedly occurred in September 2024, and the threat actor is offering the data for sale at $10,000 in XMR (Monero). The actor also offers to negotiate and suggests that any staff from Thaihonda contact them for removal. The data breach has been attributed to a threat actor identified as “Thaihub”.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Threat Actor “Thaihub” represents a significant threat in the cyber landscape, utilizing advanced tactics and a focus on high-value targets. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against the evolving threats posed by this and similar groups. Continuous monitoring and updating of security protocols are essential for defending against such sophisticated attacks.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

A threat actor “Cas” claims to have found an IDOR (Insecure Direct Object Reference) vulnerability in Al Rajhi Bank’s APIs. The individual allegedly discovered the flaw through fuzzing; the flaw reportedly allows unauthorized access to user shopping carts and possibly other sensitive data.

The threat actor is selling this alleged vulnerability for $69 in Bitcoin. They suggest that with some reconnaissance, further exploitation could reveal more critical flaws, such as a possible NoSQL injection.

The bank is a major investor in Saudi Arabia’s business sector and is one of the largest joint stock companies in the Kingdom, with over SR 330.5 billion in AUM ($88 billion) and over 600 branches. Its head office is located in Riyadh, with six regional offices. Al Rajhi Bank also has branches in Kuwait and Jordan and subsidiaries in Malaysia and Syria.

Source: Underground forums
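The IDOR pattern behind the claim above, as an added example written for this report and not code from Al Rajhi Bank or any real bank: a hypothetical shopping-cart lookup with no object-level authorization, the same lookup hardened so a record must both exist and belong to the caller, and a detection routine over constructed access-log lines (format and field names are assumptions) that surfaces the ID-fuzzing footprint such a flaw is found with.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cart:
    cart_id: int
    owner_id: int
    items: tuple


# Constructed sample store: two users, one cart each.
CARTS = {
    1001: Cart(1001, owner_id=7, items=("headphones",)),
    1002: Cart(1002, owner_id=8, items=("laptop", "charger")),
}


def get_cart_vulnerable(session_user_id, cart_id):
    """IDOR: the object is fetched by the client-supplied ID alone and the
    caller's identity is never compared with the record's owner, so any
    logged-in user who guesses or fuzzes IDs can read every cart."""
    cart = CARTS.get(cart_id)
    return None if cart is None else cart.items


def get_cart_hardened(session_user_id, cart_id):
    """Object-level authorization: the record must exist AND belong to the
    caller. Both failures return None (the endpoint maps that to 404) so the
    response does not reveal which IDs exist to an enumerating client."""
    cart = CARTS.get(cart_id)
    if cart is None or cart.owner_id != session_user_id:
        return None
    return cart.items


# Detection side: hypothetical access-log line format, constructed for this example.
LOG_RE = re.compile(r"user=(\d+) GET /api/carts/(\d+) status=(\d+)")


def enumeration_suspects(log_lines, threshold=5):
    """Return user IDs that requested more than `threshold` distinct cart IDs,
    the footprint left by ID fuzzing against this kind of endpoint."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[int(m.group(1))].add(int(m.group(2)))
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


# Constructed sample log: user 7 walks ten consecutive cart IDs, user 8 reads its own cart.
SAMPLE_LOG = [f"user=7 GET /api/carts/{i} status=200" for i in range(1001, 1011)]
SAMPLE_LOG.append("user=8 GET /api/carts/1002 status=200")
```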

A threat actor recently posted a data dump on a dark web forum, claiming responsibility for a significant breach at Mobility Compare, a UK-based service provider specializing in mobility products. The breach, which reportedly took place in September 2024, exposed the sensitive information of more than 128,000 customers.

According to the post, the compromised data includes full names, contact numbers, email addresses, postcodes, physical addresses, and details of specific service inquiries.

The announcement offers the stolen database for download, marking yet another instance of personal information being sold or shared on illicit platforms.

Source: Underground forums

ETLM Assessment:
The “Cas” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime, mainly for financial gain. The threat actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.