Self Assessment

Weekly Intelligence Report – 05 Jan 2024

Published On : 2024-01-05
Share :
Weekly Intelligence Report – 05 Jan 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows
Target Industries: Business Services, Education, Government, Healthcare, Manufacturing.
Target Geography: United States

CYFIRMA Research and Advisory Team has found Meow ransomware while monitoring various underground forums as part of our Threat Discovery Process.

1 Meow ransomware:
Meow ransomware, associated with the Conti ransomware, initially surfaced in August 2022 but disappeared in February 2023. Recently, it has resurfaced.

The ransomware encrypts files and appends the “.MEOW” extension to their filenames. It also drops the “readme.txt” file (a ransom note).

The Ransomware employs ChaCha20 and RSA-4096 encryption.

The ransom note says that victims must contact threat actors if they need to decrypt files. It provides meowcorp2022@aol[.]com, meowcorp2022@proton[.]me, meowcorp@msgsafe[.]io, and meowcorp@onionmail[.]org email addresses, and two Telegram usernames (@meowcorp2022 and @meowcorp123) for contacting the attackers.

Screenshot of files encrypted by Meow ransomware.

Screenshot of Meow ransomware’s Ransom note

Countries targeted by Meow ransomware.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1129: Shared Modules
2 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1036: Masquerading
T1497: Virtualization/Sandbox Evasion
3 TA0006: Credential Access T1056: Input Capture
4 TA0007: Discovery T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
5 TA0008: Lateral Movement T1080: Taint Shared Content
6 TA0009: Collection T1056: Input Capture
7 TA0011: Command and Control T1071: Application Layer Protocol
T1573: Encrypted Channel
8 TA0040: Impact T1486: Data Encrypted for Impact

Relevancy and Insights:

  • The ransomware specifically focuses on the extensively used Windows Operating System, which is widespread across a multitude of industries and organizations.
  • Recent Victims of Meow groups are:
  • Business Services, Education, Government and Manufacturing sectors in the United States.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to perform post exploitation analysis.
  • The ransomware exploits WMIC to delete shadow copies, hindering recovery.
  • Detect-debug-environment: the ransomware has mechanisms to detect whether it is running in a debugging or analysis environment. It’s a defensive measure to avoid detection and analysis.
  • By looking into the targeted geography, we can say that the US is the primary target of this ransomware.
  • The revenue range of the disclosed victims ranges from below $5M to $6.6B.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment suggests that the Meow ransomware, with its reappearance and evolving tactics, will likely remain a persistent threat. Its emphasis on Windows systems, varied target sectors, anti-analysis measures, and a strategic geographical focus on the US highlight its sophistication and adaptability. We can expect the wide spread of the ransomware to other geographies and even the new variants may emerge soon. Organizations should prioritize robust cybersecurity measures and remain vigilant against emerging variants.

Sigma Rule
title: Process Creation Using Sysnative Folder tags:
– attack.t1055 logsource:
category: process_creation product: windows
detection: sysnative:
CommandLine|startswith: ‘C:\Windows\Sysnative\’ condition: sysnative
– CommandLine
– ParentCommandLine falsepositives:
– Unknown level: medium

(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Trojan
Objective: Espionage, Financial theft Target
Technology: Android OS
Target Geographies: USA, Brazil, Argentina, UK, Spain, and Germany
Target Apps/Category: Health, Games, Horoscope, and Productivity

Active Malware of the Week
This week “Xamalicious” is trending.

Researchers discovered an Android backdoor named Android/Xamalicious, which utilizes the Xamarin open-source framework to build apps for Android and iOS using .NET and C#. Xamalicious trojans masquerade as apps in various categories, including health, games, horoscope, and productivity. Notably, a number of these malicious apps are still accessible for download on third-party marketplaces. Additionally, researchers have established a connection between Xamalicious and the ad-fraud app “Cash Magnet.” The latter engages in automatic clicking of ads, app installations, and other actions to fraudulently generate revenue. Users who install it may earn points that are supposed to be redeemable as a retail gift card. This suggests that the developers behind these threats are financially motivated, indicating that ad-fraud could be a primary payload of Xamalicious.

The use of the Xamarin framework enabled malware authors to operate covertly and evade detection for an extended period. They exploited the APK build process as a packing mechanism to conceal the malicious code. The authors also incorporated various obfuscation techniques and custom encryption for data exfiltration and communication with the command-and-control server. Approximately 25 malicious apps carrying this threat were identified, some of which were distributed on Google Play since mid-2020.

Attack Method
Xamalicious employs a multi-stage attack method to compromise Android devices. The backdoor employs social engineering to acquire accessibility privileges, followed by communication with a command-and-control server. It assesses whether to download a second-stage payload, dynamically injected as an assembly DLL at runtime. This allows the attacker to gain full control of the device, enabling potentially fraudulent activities like clicking on ads, installing apps, and other financially motivated actions without user consent.

Xamalicious malware operates in a multi-stage process to compromise devices Obtaining Accessibility Services

The Xamalicious trojan employs social engineering through apps like “Numerology: Personal horoscope & Number predictions” to prompt users to enable accessibility services. The activation process involves manual steps, accompanied by warnings from the operating system.

Where is the Malicious Code?
Unlike conventional Java or native ELF Android applications, the Xamalicious malware module is originally crafted in .NET and compiled into a dynamic link library (DLL). This DLL undergoes LZ4 compression, possibly residing in a BLOB file or directly accessible in the /assemblies directory within the APK structure. The loading of malicious code occurs at runtime through either a native library (ELF) or the DEX file. Certain samples demand additional steps for unpacking, and the malicious code typically manifests in two assembly files: core.dll and a .dll. While certain variations disguise the DLL assemblies to elude analysis, others maintain the authenticity of the original code.

Communication with Command-and-Control Server:
After obtaining accessibility permissions, the malware establishes communication with a malicious server to dynamically load a second-stage payload.

Device Information Collection
Xamalicious collects various device data, including installed applications, to assess if the device is a suitable target for the second stage. It gathers information on location, carrier, network, rooting status, and ADB connectivity. If the device is connected via ADB or is rooted, the C2 will not provide a second-stage payload DLL for download.

Data Encryption using JWT
Communication between the Command-and-Control server and the infected device is encrypted using JSON Web Encryption (JWE) tokens with RSA-OAEP. The malware sends encrypted data via HTTP POST to the “Updater” path. Then it waits for the C2 response and passes it to the decrypt() function which has a hardcoded RSA private key to properly decrypt the received command which might contain a second stage payload for the “getURL” command.

C2 evaluation
Collected data is transmitted to the Command-and-Control server, which evaluates whether the device is an appropriate target for the second-stage payload based on multiple environment validations, including rooting status and ADB connectivity.

DLL Custom Encryption
When the infected client issues the getURL command, it requests the malicious payload. If the Command-and-Control (C&C) Server approves the device to receive the malicious library, it encrypts a Dynamic Link Library (DLL) using Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC). The encryption employs a custom key generated for the specific client based on parameters such as the device ID. This symmetric encryption method allows the same key to work for both the encryption and decryption of the payload.

Payload Delivery in JWT
The encrypted DLL is delivered as part of an HTTP response in an encrypted JSON Web Token (JWT). The client decrypts the token, then decrypts the ‘url’ parameter with AES CBC and a custom key. This means that the DLL has multiple layers of encryption.

  • It’s a HTTPS protected.
  • It’s encrypted as a JWE Token using RSA-OAEP with a 128CBC-HS256 algorithm.
  • URL parameter that contains the DLL is encrypted with AES and encoded as base64.
  • All these efforts are related to hiding the payload and trying to stay under the radar where this threat had relative success since some variants might have been active years ago without AV detections.

DLL Injection
Xamalicious names the DLL “cache.bin” and stores it locally, dynamically loading it using the Assembly.Load method. This second-stage payload compromises the device, granting the malware the ability to observe and interact with any activity. The downloaded second- stage payload may be limited due to specific conditions, but Xamalicious poses a high-risk backdoor, capable of dynamically executing any command on the affected device, including spying, impersonation, or financially motivated actions. The malware employs various encryption methods and efforts to conceal its activities, contributing to its success in avoiding detection by antivirus solutions.

Connection between Xamalicious and the ad-fraud app Cash Magnet
Researchers analyzed one of the Xamalicious sample, the app “LetterLink” (com.regaliusgames.llinkgame), was available on Google Play at the end of 2020, disguised with a book icon. Poorly described as a hidden version of “Cash Magnet,” it engages in ad-fraud activities such as automated clicker actions and app downloads, leading to monetization for affiliate marketing. Users are promised redeemable points for retail gift cards or cryptocurrency. Originally published on Google Play in 2019, “Cash Magnet” (com.uicashmagnet) was a passive income app removed by Google. The authors then infiltrated “LetterLink” and more recently “Dots: One Line Connector” (com.orlovst.dots), hidden versions of the same ad-fraud scheme. “LetterLink” exhibits multiple Xamalicious activities, connecting to the same C2 server and using the same private RSA certificate, establishing a link to the developers of Cash Magnet. “Dots: One Line Connector,” despite its game-like appearance, behaves differently, prompting authentication without referencing Cash Magnet. Although lacking the same DLLs as its predecessor, “Dots” maintains communication with the C2 server using similar RSA key parameters. Google promptly removed “Dots” from Google Play after it was reported by researchers.


  • Xamalicious represents a persistent and evolving threat in the Android ecosystem, demonstrating the adaptability of malware authors in crafting advanced strategies for unauthorized and malicious activities. Engaging in fraudulent activities such as ad- clicking and app installations without user consent, it demonstrates financial motivation.
  • Employing obfuscation and encryption techniques, it evades detection, with potential compromise of over 327,000 devices globally. Geographically, it impacts users in the USA, Brazil, Argentina, UK, Spain, and Germany. The malware’s dynamic loading of a second-stage payload grants full control over infected devices, highlighting its persistence and adaptability. Detection challenges arise from its obfuscation strategies and use of Xamarin, emphasizing the evolving nature of this threat.
  • The integration of Xamarin injects non-Java code into Android applications, posing a challenge to conventional detection methods. Exploiting the APK build process as a packing mechanism effectively concealed the malicious code. The incorporation of diverse obfuscation techniques and custom encryption for data exfiltration and communication with the command-and-control server further contributed to the covert nature of the operation.

From the ETLM perspective, CYFIRMA anticipates that the trajectory of Xamalicious malware suggests a potential for continued growth and impact on a global scale. As technology advances, the malware is likely to evolve, adapting its tactics to exploit emerging vulnerabilities and bypass evolving security measures. Its impact on users and organizations worldwide may intensify, with a growing number of individuals falling victim to privacy breaches, financial losses, and other malicious activities facilitated by Xamalicious. The malware’s global reach could expand, infiltrating devices across diverse regions and demographics. Its sophisticated techniques, coupled with financial motivations like ad-fraud, may make it a persistent threat, challenging cybersecurity frameworks globally.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –LockBit 3.0 Ransomware | Malware – Xamalicious
  • LockBit 3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Xamalicious
  • Behaviour –Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

APT28’s Coordinated Phishing Attacks in Ukraine and Poland

  • Threat Actors: APT 28 (aka Fancy Bear APT or UAC-0028)
  • Attack Type: Spear Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Ukrainian and Poland
  • Target Industries: Government Agencies
  • Business Impact: Data Loss, Data exfiltration

In December, state organizations faced sophisticated cyberattacks, indicating the involvement of the APT28 group with ties to Russia. These attacks were notable for their meticulous planning and advanced tactics, demonstrating a focused strategy aimed at compromising the complete information and communication systems within the targeted organizations. The attackers sought to undermine the interconnected nature of the network, emphasizing their objective to infiltrate and compromise the entire infrastructure.

The tactics of the attacks involved the use of phishing emails as a vector of compromise. These emails contained malicious links that, upon interaction, led victims to download a shortcut file through the exploitation of JavaScript and the “ms-search” application protocol. Once opened, this shortcut file executed a PowerShell command, triggering a cascade of malicious activities.

The malicious campaign involves the distribution of harmful links that lead to malicious websites. These websites utilize JavaScript to deploy a Windows shortcut file (LNK), initiating a sequence of PowerShell commands to activate a new Python malware downloader known as ‘MASEPIE.’ MASEPIE ensures its persistence on the compromised device by making changes to the Windows Registry and introducing a deceptively named LNK file (‘SystemUpdate.lnk’) into the Windows Startup folder.

The primary function of the malware is to download additional malicious software onto the infected device and pilfer sensitive data. Additionally, APT28 employs a set of PowerShell scripts called ‘STEELHOOK’ to extract data from web browsers based on Chrome. This likely includes obtaining sensitive information such as passwords, authentication cookies, and browsing history.

Another tool utilized in the attack is ‘OCEANMAP,’ a C# backdoor primarily designed for executing base64-encoded commands through cmd.exe. To maintain persistence on the system, OCEANMAP creates a .URL file named ‘VMSearch.url’ in the Windows Startup folder. OCEANMAP uses the Internet Message Access Protocol (IMAP) as a covert control channel for receiving discreet commands, storing them as email drafts containing the command, username, and OS version. Following the execution of commands, OCEANMAP stores the results in the inbox directory, allowing APT28 to silently retrieve the outcomes and adapt their attack strategy as necessary.

Geographically, the impact extended to Polish organizations, indicating a broader regional targeting strategy. CERT-UA issued a security alert on December 28, 2023, confirming APT28’s phishing attacks against Ukrainian government agencies and urging organizations to fortify their cybersecurity measures.

Relevancy & Insights:
APT28 group’s December 2023 cyberattacks underscore the persistent and evolving cyber threats organizations face. Their sophisticated tactics, including the exploitation of the “ms-search” protocol and strategic use of phishing emails, highlight the need for heightened cybersecurity awareness. As technology evolves, the relevance of proactive cybersecurity measures cannot be overstated. Insights from these attacks serve as valuable lessons, emphasizing the need for organizations to stay ahead of evolving threats through collaboration, advanced detection mechanisms, and a comprehensive cybersecurity strategy.

ETLM Assessment:
A persistent cybersecurity threat, APT28, also known as Fancy Bear, is a Russian cyber espionage group. Recent discoveries indicate that they have launched a new wave of attacks primarily targeting Ukraine and Poland. The focus of these attacks has been on Ukrainian government entities and communication companies based in Poland. APT28 employs sophisticated techniques, with their initial access often initiated through phishing. They have developed new malware, such as the Python- based MASEPIE malware, for this campaign. Once inside the targeted systems, APT 28 deploys a multi-stage attack. The MASEPIE malware is used to download and execute OPENSSH for tunneling, STEELHOOK (a PowerShell script designed for stealing data from Internet browsers), and the OCEANMAP backdoor. Furthermore, within an hour of the initial compromise, the attackers create and use tools like IMPACKET and SMBEXEC for network reconnaissance and lateral movement. The implementation of adaptive security measures is crucial to fortify defenses against potential future threats from this sophisticated cyber espionage group. These measures collectively enhance an organization’s ability to resist APT28’s sophisticated and dynamic cyber operations.


  • Provide comprehensive cybersecurity awareness training for employees to recognize and avoid phishing attempts. Emphasize the importance of verifying the legitimacy of emails and avoiding the opening of suspicious links or attachments.
  • Implement advanced email filtering solutions to detect and block phishing emails before they reach end-users. Enable multi-factor authentication (MFA) to add an extra layer of security to email accounts and other sensitive systems.
  • Actively participate in threat intelligence sharing communities and collaborate with industry-specific and national cybersecurity organizations. Establish communication channels with Computer Emergency Response Teams (CERTs) and other cybersecurity agencies.
  • Conduct regular security audits and vulnerability assessments to identify and remediate weaknesses in the organization’s infrastructure.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity Iranian hackers threatening critical infrastructure

Recent incursions by Iranian hacktivist group CyberAv3ngers into control systems used in US and European municipal water systems represent a threat to industrial controls, with a special focus on systems made by Israeli companies. According to researchers, the incidents did not represent a serious attempt at physical disruption of the operation of hardware infrastructure. The attacks were probably meant to drive a geopolitical message and pose a threat that can be escalated further should Tehran choose so.

Another group probably operating from Iran called Cyber Toufan claimed to have breached dozens of Israeli organizations and has promised to dump stolen data online over the coming month. While the group poses as a grassroots Hamas activist organization, it is likely driven by political command from Tehran where it probably takes residence. In addition to Israeli organizations, Cyber Toufan claims to have also breached international firms doing business in Israel.

ETLM Assessment:
As Israel’s military campaign in Gaza continues in response to Hamas’ Oct. 7 attacks, the United States is contending with regional provocations by Iranian proxies. There have now been more than 100 attacks against U.S. and allied forces based in Iraq and Syria since mid-October, and repeated attacks by the Houthis in Yemen. More than 100 drones and missiles were fired in recent weeks against vessels in the Red Sea and Israel, in addition to low-level cyber-attacks against Israel and countries that support it. Washington announced the establishment of a multinational naval task force dubbed Operation Prosperity Guardian, to support freedom of navigation in key Red Sea waterways. America’s broad approach has thus far been primarily reactive in nature and limited in scope, though media reports suggest at least some debate within

U.S. President Joe Biden’s administration over a more robust response. In such a case, cyber-attacks by Iran and Iran-aligned forces are increasingly likely with a special focus on logistical hubs and other parts of critical infrastructure, which faces heightened risks from advanced threat actors.

Rise in Malware/Ransomware and Phishing Contimade is Impacted by the LockBit 3.0 Ransomware
Attack Type: Ransomware
Target Industry: Manufacturing
Target Geography: Czech Republic
Ransomware: LockBit 3.0 Ransomware
Objective: Data Theft, Data Encryption, Financial Gains
Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the Czech Republic; (www[.]contimade[.]cz), was compromised by LockBit 3.0 Ransomware. Contimade has been engaged in the production of containers and the development of modular solutions, which are currently being used throughout Europe, namely in Germany, Iceland, Belgium, Switzerland, Lithuania, the Netherlands, Scandinavia, the Czech Republic, and many other countries. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We observe that the Citrix Bleed vulnerability (CVE 2023-4966), CVSS score of 9.4 (Critical), exploited by LockBit 3.0 affiliates, enables threat actors to circumvent password requirements and multifactor authentication (MFA). This leads to the successful hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. By taking control of these sessions, malicious actors gain elevated permissions, allowing them to harvest credentials, move laterally, and access data and resources.
  • In 2023, the LockBit 3.0 ransomware developed as a global threat, infiltrating numerous public and private organizations worldwide. Notably, the United States has experienced the major impact of this danger, with approximately 30% of the country’s institutions being singled out and subsequently affected by this ransomware.
  • In 2023, LockBit 3.0 has primarily focused its ransomware attacks on several industries globally, with the most frequently targeted sectors being Heavy Construction, Business Support Services, Specialized Consumer Services, Industrial Machinery, and Health Care Providers. This trend highlights the diverse range of organizations affected by LockBit 3.0 activities across different sectors.
  • Based on the LockBit 3.0 Ransomware victims list in 2023, the top 5 Target Countries are as follows:
  • Ranking the Top 10 Industries, most affected by LockBit 3.0 Ransomware

ETLM Assessment:
CYFIRMA assesses that LockBit 3.0 Ransomware remains a significant and ongoing global threat to companies across the world. Our observations indicate a growing trend where LockBit 3.0 Ransomware is actively leveraging vulnerabilities and exploits within various products to establish initial access, subsequently enabling lateral movement within organizational networks. The recent incident involving the targeting of Contimade, a manufacturing company based in the Czech Republic, underscores the pervasive global risk posed by this ransomware strain.

Vulnerabilities and Exploits

Vulnerability in Apache OpenOffice
Attack Type: Vulnerabilities & Eploits
Target Technology: Office Application
Vulnerability: CVE-2023-47804 (CVSS Base Score 8.8)
Vulnerability Type: Input validation error

The vulnerability allows a remote attacker to compromise the affected system.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied input when executing internal macro with arbitrary arguments.

A remote attacker can trick the victim into opening a specially crafted file, bypass the user approval for opening the links from the document, and execute arbitrary scripts on the system.

Affected Products: https[:]//www[.]openoffice[.]org/security/cves/CVE-2023-47804.html

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

The INC RANSOM ransomware group claims to have hacked the American multinational corporation Xerox Corp
Threat Actors: INC RANSOM
Attack Type: Ransomware
Objective: Data Leak, Financial Gains
Target Technology: Web Application
Target Geographies: USA
Target Industry: Electronics
Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

The INC RANSOM ransomware group claims to have hacked the American multinational corporation Xerox Corp. The latter delivers document management solutions on a global scale. Within its Document Technology segment, the company provides an array of products, including desktop monochrome and color printers, multifunction printers, copiers, digital printing presses, and light production devices. Additionally, Xerox offers advanced production printing and publishing systems tailored for both the graphic communications marketplace and large enterprises. The INC RANSOM group added Xerox to the list of victims on its Tor leak site. The ransomware group published the images of eight documents, including emails and an invoice, as proof of the hack.

Relevancy & Insights:
INC Ransom, a recently identified ransomware group, surfaced in August 2023 and has since asserted accountability for breaching over 40 organizations as of now. The modus operandi of these threat actors involves gaining access to their targets’ networks through spearphishing emails. However, their tactics have extended to utilizing Citrix NetScaler CVE-2023-3519 exploits, showcasing a multi-faceted approach to infiltrating systems and carrying out cyberattacks.

ETLM Assessment:
INC Ransom has directed its cyber-attacks toward organizations across diverse sectors, including healthcare, education, and government, and mainly targets the United States and Europe. CYFIRMA assesses INC Ransom will continue to target companies in the US and Europe which will result in large financial gains.

Data Leaks

Zettle Data Advertised in Leak Site
Attack Type: Data Leaks
Target Industry: Finance
Target Geography: Sweden
Objective: Data Theft, Financial Gains
Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Zettle, {www[.]Zettle[.]com}. Zettle builds game-changing commerce tools, such as mobile card readers and point-of-sale apps that empower small businesses to compete with the big players. Zettle is part of the PayPal family. The Zettle card readers make it possible for anyone to accept card payments – anytime, anywhere, while their intuitive free point-of-sale app, Zettle Go, helps users get paid, tracks sales, and lets them keep an eye on stock levels. Business-verified accounts are available for purchase at prices ranging from USD 100 to USD 150.

Source: Underground forums

Relevancy & Insights:
Cybercriminals driven by financial motives often seize opportunities presented by
exposed and vulnerable systems and applications. Many of these perpetrators actively participate in clandestine online forums where they discuss, and trade stolen digital assets. In contrast to some financially motivated groups, like ransomware or extortion groups that publicize their activities, these opportunistic attackers prefer to operate discreetly. They exploit unpatched systems or vulnerabilities in applications to gain unauthorized access and pilfer valuable data. Subsequently, they advertise the stolen data for sale in underground forums, where it may be resold and repurposed by other malicious actors in their attacks.

ETLM Assessment:
CrimeVPN, a recently emerged entity in the dark forum landscape, is primarily dedicated to selling VPNs. Simultaneously, they engage in advertising and selling data within dark forums for financial gain. In their ongoing data breach campaign, CrimeVPN is actively marketing verified account information. According to the CYFIRMA assessment, this new threat is honing in on financial organizations that may have insufficient security measures in place and is a threat to companies that hold significant PII information.

Other Observations

CYFIRMA Research team observed a potential data leak related to Cross-Switch,
{www[.]Cross-Switch[.]com}. Cross-Switch is an online payment gateway management company. The compromised data includes complete names, email addresses, phone numbers, messages, physical locations, banking details, bearer tokens, dates of birth (DOBs), usernames, and other confidential information.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.