Self Assessment

Weekly Intelligence Report – 05 July 2024

Published On : 2024-07-05
Share :
Weekly Intelligence Report – 05 July 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows
Target Countries: Indonesia
Target Industries: Government

CYFIRMA Research and Advisory Team has found Brain Cipher while monitoring various underground forums as part of our Threat Discovery Process.

Brain Cipher
Researchers and its adversary team have identified a new ransomware group, Brain Cipher Ransomware, in the evolving threat landscape. This group uses a variant of the notorious Lockbit 3.0 ransomware, employing double extortion by both exfiltrating and encrypting sensitive data.

However, Brain Cipher has made some minor changes to the encryptor.

One of those changes is that it not only appends an extension to the encrypted file but also encrypts the file name.

Screenshot files encrypted by Brain Cipher (Source: SurfaceWeb)

The encryptor will also generate ransom notes named in the format [extension].README.txt. These notes provide a brief explanation of the situation, include threats, and contain links to the Tor negotiation and data leak sites.

Ransom note of BrainCipher (Source: SurfaceWeb)

In one instance observed by researchers, the threat actor diverged from the usual template and used the file name ‘How To Restore Your Files.txt.’

Another Ransom note of BrainCipher (Source: SurfaceWeb)

Communication channel and Dataleak site overview:
Each victim receives a unique encryption ID, which must be entered into the threat actor’s Tor negotiation site. Like many recent ransomware operations, the negotiation site is quite basic, featuring a chat system for the victim to communicate with the ransomware group.

Communication Channel (Source: Darkweb)

Like other ransomware operations, Brain Cipher infiltrates corporate networks and spreads to other devices. After obtaining Windows domain admin credentials, the ransomware is deployed across the network. Before encrypting files, the attackers steal corporate data to use as leverage, threatening to release it publicly if the ransom isn’t paid.

Brain Cipher recently launched a new data leak site, which currently lists no victims.

According to researchers, ransom demands have ranged from $20,000 to $8 million.

Main page of Leaksite (Source: Darkweb)

Countries targeted by Braincipher

Following are the TTPs based on the MITRE Attack Framework

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1129: Shared Modules
2 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-Loading
3 TA0004: Privilege Escalation T1055: Process Injection
T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-
4 TA0005: Defense Evasion T1006: Direct Volume Access
T1027: Obfuscated Files or Information
T1036: Masquerading
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1112: Modify Registry
T1202: Indirect Command Execution
T1497: Virtualization/Sandbox Evasion
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.003: Hide Artifacts: Hidden Window
T1574.002: Hijack Execution Flow: DLL Side-Loading
5 TA0006: Credential Access T1003: OS Credential Dumping
T1056.001: Input Capture: Keylogging
T1552.001: Unsecured Credentials: Credentials In Files
T1555.003: Credentials from Password Stores: Credentials from Web Browsers
6 TA0007: Discovery T1010: Application Window Discovery
T1012: Query Registry
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
7 TA0009: Collection T1005: Data from Local System
T1056.001: Input Capture: Keylogging
T1074: Data Staged
T1185: Browser Session Hijacking
8 TA0011: Command and Control T1071: Application Layer Protocol
T1090: Proxy
9 TA0040: Impact T1485: Data Destruction
T1486: Data Encrypted for Impact
T1489: Service Stop

Relevancy and Insights:

  • Targeting widely used Windows operating systems, this ransomware poses a significant threat to diverse industries and organizations.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

ETLM Assessment:
Based on CYFIRMA’s analysis of available data, Brain Cipher Ransomware is likely to escalate ransom demands and expand its operations to economically developed nations in Europe, East Asia, South-East Asia, and the US. This trend is driven by the higher financial capabilities of organizations in these regions to meet ransom demands ranging from $20,000 to $8 million. The ransomware’s sophisticated tactics, including data exfiltration and encryption with file name obfuscation, indicate a continued evolution towards more targeted and lucrative attacks.

import “pe”
rule BrainCipher_Ransomware
description = “BrainCipher Ransomware – Detection Rule” author = “CRT”
date = “2024-07-01”
malware_type = “ransomware”
$s1 = “.rdata$zzzdbg” wide ascii
$s2 = “.text$mn” wide ascii
$sec1 = {55 8B EC 81 EC 7C ?? ?? ?? 53 56 57}
uint16(0) == 0x5A4D and all of them and
for any section in pe.sections : ( == “.itext” ) and pe.imphash() == “41fb8cb2943df6de998b35a9d28668e8” and filesize >= 130KB


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Yara rules for threat detection and monitoring which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Remote Access, Data Exfiltration
Target Technology: Android OS, Messaging Application (Telegram)

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the Week
This week “SpyMax” is trending.

Researchers have discovered SpyMax, an Android Remote Access Trojan (RAT) targeting Telegram users through a phishing campaign. This malware can collect personal and private information from infected devices without user consent and send it to a remote threat actor. Notably, SpyMax does not require the targeted device to be rooted, making it easier for attackers to cause damage. This RAT compromises the confidentiality and integrity of the victim’s privacy and data.

Fig: Phishing page mimicking the Telegram app.

Attack Method
Initially distributed via a phishing page impersonates Telegram, when the user clicks on “click to download,” a malware application named “ready.apk” is downloaded from the link: https[:]//telegroms[.]icu/assets/download/ready[.]apk. Once installed, it pretends to be the Telegram app, using a similar icon in the device app drawer. After installation, the RAT repeatedly prompts the user to enable the Accessibility Service for the app until the user complies.

Fig: (Left) Fake Telegram app icon created by the malware, (Right) Request for accessibility service

This APK functions as a Trojan with keylogger capabilities. It establishes a directory named “Config/sys/apps/log” in the external storage of infected devices, saving logs to files named “log-yyyy-mm-dd.log,” where yyyy-mm-dd indicates the date of keystroke capture. The malware collects location data, including altitude, latitude, longitude, precision, and device speed. SpyMax compresses this data using the gZIPOutputStream API before sending it to the C2 server. This RAT communicates with the C2 server at IP 154.213.65[.]28 on port 7771. Once connected, it sends compressed data using gzip to the C2 server, as observed in network packet headers. The server responds with compressed data containing system commands and an APK payload, which are decompressed upon receipt.


  • SpyMax poses a persistent and evolving threat in the digital landscape. Its use of phishing campaigns that impersonate widely used apps such as Telegram illustrates how cybercriminals exploit trust to distribute malware. By masquerading as legitimate platforms, attackers exploit user confidence, enhancing the likelihood of engagement with harmful content. This tactic not only deceives users but also highlights the growing sophistication of social engineering in cyber-attacks.
  • SpyMax’s capability to capture keystrokes and location data highlights substantial privacy risks. This underscores the severe consequences of malware infections, where sensitive personal information can be surreptitiously harvested and transmitted to remote servers without user consent, leading to profound compromises in privacy and security.
  • The persistent nature of SpyMax, which relentlessly prompts users to enable accessibility services, demonstrates its aggressive strategy to gain control over devices. This aggressive behavior, coupled with its sophisticated methods for data exfiltration, underscores the critical need for advanced cybersecurity measures and heightened user awareness to effectively mitigate such threats.

From the ETLM perspective, CYFIRMA anticipates that the rise of sophisticated malware like SpyMax highlights the growing cyber risks facing organizations and their employees. Beyond immediate concerns over privacy and security, SpyMax’s capabilities suggest broader implications for organizational operations and workforce productivity. Its use of phishing campaigns, which mimic trusted apps like Telegram, exploits employee trust and can lead to significant risks such as data breaches, financial losses, and damage to the organization’s reputation. Moreover, the threat extends to employees’ personal devices used for remote work, blurring the line between personal and professional security threats. This dual risk underscores the urgent need for organizations to implement robust cybersecurity measures. Educating employees about phishing and other social engineering tactics, adopting stringent security protocols such as multi-factor authentication and regular software updates, and ensuring the security of devices used for work are critical steps to mitigate these risks.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends Key

Intelligence Signals:

  • Attack Type: Malware Implant, Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – BlackSuit Ransomware, RansomHub Ransomware | Malware – SpyMax
  • BlackSuit Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – SpyMax
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

New Kimsuky Cyber Espionage Campaign Targets South Korean Academia

  • Threat Actors: Kimsuky
  • Attack Type: Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: South Korea
  • Target Industries: Academia Sectors
  • Business Impact: Data Loss, Data exfiltration

In March 2024, a researcher uncovered new malicious activity from Kimsuky (aka APT43, Emerald Sleet, Velvet Chollima), a North Korean government-backed cyber espionage group. This threat actor, first observed in 2013, is notorious for targeting South Korean entities such as think tanks, government institutions, and the academic sector. Their recent campaign leverages malicious Google Chrome extensions, notably a new extension named “TRANSLATEXT,” to steal sensitive information. Kimsuky’s latest campaign primarily targets South Korean academia, specifically researchers involved in political research related to North Korean affairs. This focus on academic institutions aligns with their ongoing mission to gather valuable intelligence on geopolitical matters.

The initial method of attack involves delivering a malicious archive file named “한국군 사학논집 심사평서 (1).zip” (“Review of a Monograph on Korean Military History”). This archive contains decoy HWP documents and a Windows executable disguised as related documents. When executed, the malware retrieves a PowerShell script from the attacker’s server, initiating the infection chain. TRANSLATEXT, the malicious Chrome extension, is used to steal email addresses, usernames, passwords, and cookies, and capture browser screenshots. It was uploaded to Kimsuky-controlled GitHub repositories on March 7, 2024, and removed the next day to minimize exposure. This extension can bypass security measures for prominent email services like Gmail, Kakao, and Naver.

The PowerShell script associated with the attack checks for the presence of installed Chrome extensions using the Windows registry key HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist. This key enforces the installation of specified extensions without user permission. TRANSLATEXT was registered in this key to facilitate its installation.

The malicious extension uses several JavaScript files to bypass security measures and steal information. Scripts like auth.js and gsuit.js are injected into login pages of targeted services to manipulate security features and capture credentials. A background script (background.js) employs the dead drop resolver technique to retrieve commands from a public blog service and execute actions such as capturing browser screenshots and sending stolen data to a command-and-control (C2) server.

Kimsuky’s motive is to conduct surveillance and gather intelligence on South Korean academia, particularly those researching North Korean geopolitical affairs. The stolen data includes browser login information and cookies, indicating an effort to monitor and infiltrate academic researchers’ activities.

The Kimsuky group’s use of malicious Chrome extensions like TRANSLATEXT highlights the persistent threat they pose to South Korean academia. By staying informed about their latest tactics and exercising caution with software installations, potential victims can better protect themselves from such cyber espionage activities.

Relevancy & Insights:
Kimsuky, also known as APT43, has indeed targeted South Korean academia, particularly those involved in political research related to North Korean affairs. Kimsuky employs advanced techniques such as spear-phishing and the use of double base64 encoding to evade detection. They also use malicious Google Chrome extensions, like the newly discovered “TRANSLATEXT,” to steal sensitive information. The primary targets are South Korean academic institutions, especially those researching North Korean military and political affairs1. This focus on academia allows Kimsuky to gather valuable intelligence that could enhance North Korea’s military capabilities. By exfiltrating sensitive information from these institutions, Kimsuky poses significant geopolitical risks. The stolen data could potentially be used to bolster North Korea’s strategic and military planning. The group’s sophisticated tactics include spear- phishing and the use of double base64 encoding to evade detection.

ETLM Assessment:
The threat posed by the Kimsuky group’s deployment of the “TRANSLATEXT” Chrome extension includes potential threats to various sectors beyond academia, such as government agencies, private corporations, and critical infrastructure entities that rely on similar communication platforms. The extension’s capability to steal sensitive data like email addresses, passwords, and browser activity could lead to widespread data breaches, espionage, and targeted cyber-attacks. Additionally, the sophisticated techniques used to bypass security measures suggest a high risk of undetected infiltration, raising concerns about the robustness of current cybersecurity defenses across multiple sectors.


  • Use advanced email filtering solutions to detect and block phishing attempts and malicious attachments. Implement multi-factor authentication (MFA) for all email accounts to add an extra layer of security.
  • Deploy endpoint protection solutions with real-time threat detection capabilities. Regularly update and patch operating systems and applications to mitigate vulnerabilities.
  • Implement policies to control the installation of browser extensions, allowing only trusted and necessary extensions. Regularly audit installed browser extensions across the organization to detect and remove any unauthorized or suspicious ones.
  • Conduct regular cybersecurity awareness training for employees, focusing on recognizing phishing attempts and the dangers of downloading files from untrusted sources. Encourage a culture of skepticism towards unsolicited emails and attachments, even if they appear to come from known sources.
  • Implement network segmentation to limit the spread of malware within the organization. Use intrusion detection and prevention systems (IDPS) to monitor network traffic for signs of malicious activity.
  • Regularly update security tools with the latest IOCs related to Kimsuky. Implement automated systems to detect and respond to these IOCs, preventing further infiltration and data exfiltration.

Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russian hackers breach TeamViewer
The remote access software provider TeamViewer is investigating a breach of its internal corporate IT environment, which has been ascribed to the threat actor known as APT29 (also known as Cozy Bear and linked to Russia’s foreign intelligence service SVR). Based on current findings of the incident’s investigation, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for the internal environment. The attack was likely contained within the internal environment and there is no evidence that the threat actor gained access to our product environment or customer data, which was likely its intent, either directly, or indirectly – through getting access to the application connected to end users’ accounts.

ETLM Assessment:
CozyBear is a sophisticated APT that enables state-driven espionage by cyber means. Recently, its operators were targeting Hewlett Packard or Microsoft, most likely with the same intention of gaining access to their products the APT could leverage for espionage purposes. This threat actor often targets governments, diplomatic entities, non-governmental organizations and IT service providers, primarily in the U.S. and Europe, a targeting mostly consistent with countries opposing the Russian war against Ukraine.

Google disrupts Chinese influence operations
Researchers have recently published an update on a coordinated influence operator that pushes content aligned with the Chinese government’s positions and is tracked under the moniker DRAGONBRIDGE. According to the researchers, DRAGONBRIDGE accounts create content reacting to breaking news, especially polarizing social issues, usually within a few weeks of the event. In general, this content is of lower quality than the content created for anticipated events, reflecting the speed with which the actor pivots to create content in response to current events. In 2023 alone Google removed more than 65,000 interactions linked to DRAGONBRIDGE, mostly on YouTube. While the operation is high-volume, its effectiveness has been largely questionable as its engagement counts from real users have been low.

ETLM Assessment:
In April of this year, China’s military underwent its largest reorganization this decade when the Strategic Support Force was eliminated, and a new Information Support Force inaugurated. Xi Jinping, the Chinese leader has hailed the new force as a “strategic force” which will (among other critical missions) “efficiently implement information support”. That would be required to enable the military to carry out successful multi-domain joint operations. The latest reorganization hints at the importance Chinese leaders ascribe to its long-standing tradition of information operations of which DRAGONBRIDGE has been just a tiny component. The new agreement will better equip China’s armed forces to fight in the region, particularly the high-stakes joint operations required to threaten and, in the worst-case scenario, overrun Taiwan. Chinese sources point to the reorganization as part of the modernization objective for 2027, which centers on getting the Chinese military ready for a cross-strait battle over Taiwan.

4. Rise in Malware/Ransomware and Phishing

The BlackSuit Ransomware impacts the KADOKAWA Corporation

  • Attack Type: Ransomware
  • Target Industry: Entertainment
  • Target Geography: Japan
  • Ransomware: BlackSuit Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; (www[.]kadokawa[.]co[.]jp), was compromised by the BlackSuit Ransomware. Kadokawa Corporation is a major Japanese multimedia conglomerate, widely recognized for its influence in the publishing, film, and digital entertainment sectors. The compromised data contains contracts, DocuSign papers, various legal papers, platform-related data (emails, data usage, links opened, etc.), employee-related data (personal info, payments, contracts, emails, etc.), business planning (presentations, emails, offers, etc.), projects related data (coding, emails, payments, etc.), financial data (payments, transfers, planning, etc.), other internal-use-only papers and confidential data.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • BlackSuit emerged in May 2023, closely linked to the Royal ransomware gang, itself a successor to the notorious Conti group. Unlike many other ransomware groups, BlackSuit currently operates without affiliates, keeping its operations in-house.
  • The BlackSuit ransomware group encrypts files on both Linux and Windows systems, appending a “.blacksuit” extension and leaving a ransom note titled “README.BlackSuit.txt”.
  • The BlackSuit Ransomware group primarily targets countries such as the United States of America, Canada, the United Kingdom, China, and Italy.
  • The BlackSuit Ransomware group primarily targets industries, including Specialized Consumer Services, Business Support Services, Heavy Construction, Government Agencies, and Health Care Providers.
  • Based on the BlackSuit Ransomware victims list from 1st Jan 2023 to 03 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by BlackSuit Ransomware from 1 Jan 2023 to 03 July 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that BlackSuit Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on KADOKAWA Corporation, a prominent Entertainment company located in Japan, underscores the extensive threat posed by this particular ransomware strain in the Asia Pacific region.

The RansomHub Ransomware impacts the Midamea

  • Attack Type: Ransomware
  • Target Industry: Architectural Services and Consultancy
  • Target Geography: South Korea
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from South Korea; (www[.]midamea[.]com), was compromised by the RansomHub Ransomware. Midamea is an architecture firm based in South Korea known for its innovative and contemporary designs. The firm specializes in a wide range of architectural projects, including residential, commercial, and public buildings, with a focus on creating functional and aesthetically pleasing spaces. The compromised data includes confidential and sensitive information belonging to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub has recently been reported to target VMware ESXi environments using a newly developed Linux encryptor. This encryptor is capable of shutting down virtual machines and removing snapshots before encryption. It employs advanced encryption methods, such as ChaCha20 and Curve25519, to secure the compromised data.
  • The RansomHub Ransomware group primarily targets countries such as Brazil, the United States of America, the United Kingdom, Brazil, Italy, and Serbia.
  • The RansomHub Ransomware group primarily targets industries such as Computer Services, Government Agencies, Telecommunications, Financial Services, and Apparel Retailers.
  • Based on the RansomHub Ransomware victims list from 1 Jan 2023 to 03 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the RansomHub Ransomware from 1st Jan 2023 to 03 July 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is supported by the recent attack on Midamea, a leading architectural services and consultancy firm in South Korea, highlighting RansomHub’s significant threat presence in East Asia.

5. Vulnerabilities and Exploits

Vulnerability in Artifex Ghostscript

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal components / Libraries
  • Vulnerability: CVE-2023-52722 (CVSS Base Score 5.3)
  • Vulnerability Type: Improper input validation
  • Patch: Available

The vulnerability allows a remote attacker to compromise the affected system.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied input in psi/zmisc1.c.

A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

Affected Products: https[:]//bugzilla[.]redhat[.]com/show_bug.cgi?id=2278775

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in Ghostscript can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Ghostscript is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding online activities, including interpreting and processing PostScript and PDF files, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

8Base Ransomware attacked and Published data of Hokushinko Co., Ltd

  • Threat Actors: 8Base Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Japan
  • Target Industry: Construction
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Recently we observed that 8Base Ransomware attacked and published data of Hokushinko Co., Ltd (www[.]hokushinko[.]jp) on its darkweb website. Hokushinko Co., Ltd. is a company that specializes in the construction of railway signals and traffic lights, as well as technology implementation. The data leak, following the ransomware attack, encompasses Invoices, Receipts, Accounting documents, Personal data, Certificates, Employment contracts, Confidentiality agreements, Personal files, and Others.

Source: Dark Web

Relevancy & Insights:

  • The 8Base ransomware group has seen a significant increase in activity since June 2023, using double extortion tactics to pressure victims into paying ransoms. This group, which first appeared in March 2022, has ramped up its attacks, targeting various industries and listing numerous victims on its dark website.
  • 8Base ransomware is known for its use of the Phobos v2.9.1 ransomware, typically delivered through SmokeLoader, a malware downloader. The ransomware encrypts files with the .8base extension and demands ransom payments for decryption keys. Recent technical analyses show that 8Base employs various sophisticated methods to ensure persistence on victim systems, such as creating multiple copies of itself in startup folders and modifying registry keys for auto-start capabilities.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Hokushinko Co., Ltd, a prominent Construction company located in Japan, underscores the extensive threat posed by this particular ransomware strain in the Asia Pacific region.

7. Data Leaks

Indonesian Directorate General of Civil Aviation Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

The CYFIRMA Research team observed a potential data sale related to the Indonesian Directorate General of Civil Aviation in an underground forum. According to the threat actor, the leaked database from the Indonesian Directorate General of Civil Aviation is more than 3GB and it includes data for all employees, passwords for all applications, website user data, ID card photos for all employees, drone pilot certificate participants, flight data, personal data of pilots and all activities in Indonesian air space and airports. The threat actor also included sample data from the alleged leak in the post.

Source: Underground Forums

Indonesia’s Ministry of Law and Human Rights (Kemenkumham) data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

The CYFIRMA Research team observed a potential data leak related to Indonesia’s Ministry of Law and Human Rights (Kemenkumham) in an underground forum. The threat actor has claimed responsibility for leaking the email login credentials of the Ministry of Law and Human Rights (Kemenkumham), potentially exposing sensitive government information.

Details of the Claim:
According to the threat actor, the leaked data includes access to official email accounts used by employees. This exposure could potentially compromise sensitive government information. The threat actor provided specific details about the alleged breach:

Entity Involved:
Ministry of Law and Human Rights (Kemenkumham) Data Exposed: Email login credentials (username and password)

Potential Risks:
Unauthorized access to sensitive communications, data manipulation, identity theft, and more.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
According to CYFIRMA’s evaluation, the financially driven cybercriminal known as ‘Guzmanloeraxxx’ present a substantial threat to organizations. This actor indiscriminately targets various institutions and profits by selling compromised sensitive information on the dark web or underground forums. ‘Guzmanloeraxxx’ often exploits organizations with insufficient security measures, making them particularly susceptible to these orchestrated cyberattacks.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

CYFIRMA Research team observed a potential data breach related to Scrubser Shop (www[.]scrubser-shop[.]com). A threat actor on a dark web forum shared data allegedly belonging to Scrubser Shop, a medical clothing store from Saudi Arabia. According to the threat actor, the compromised data includes customer information such as email addresses, passwords, names, billing and shipping addresses, phone numbers, and a previous backup.
The post indicates that the attack occurred in 2024 and the allegedly leaked data is approximately 5k lines. The size of the leak is 1 GB. The threat actor also shared samples from the alleged leak. There is no contact information or price in the dark web forum post.

Source: Underground forums

The CYFIRMA Research team observed a potential data breach related to Cognizant’s Open Insurance Policy Administration (OIPA) system (USA). IntelBroker, a notorious threat actor, claims to have leaked a database from Cognizant’s Open Insurance Policy Administration (OIPA) system. Cognizant is a global provider of information technology, operations and technology consulting, infrastructure, and business process services.

The alleged database reportedly contains data on approximately 40,000 users and includes a 12-million-line document detailing the internal site used by these users. According to the threat actor, the compromised data includes Policy Number, Role Code, Client name, Company Code, State Code, and other sensitive and confidential data.

Source: Underground forums

ETLM Assessment:
Threat Actor ‘IntelBroker’ group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset.
  • Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.