Weekly Intelligence Report – 06 Dec 2024

Published On : 2024-12-06

Ransomware of the week

The CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found WeHaveSolution Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

WeHaveSolution Ransomware

Researchers have identified a new ransomware strain named WeHaveSolution. Upon infecting a system, it encrypts files, modifies the desktop wallpaper, creates a ransom note titled “READ_NOTE.html,” and appends the “.wehavesolution247” extension to affected filenames.

Screenshot of files encrypted by ransomware (Source: Surface Web)

According to the ransom note, the attackers assert that they have infiltrated the company’s network and encrypted files using RSA and AES encryption. They caution against attempting to use third-party recovery tools or altering the encrypted files, as doing so could cause irreversible damage. The attackers also claim to have stolen sensitive data and threaten to leak or sell it unless a ransom is paid.

To demonstrate their ability to restore the data, they offer to decrypt 2–3 non-critical files for free. They provide a contact method through a Tor website and caution that the ransom amount will increase if they are not contacted within 72 hours.

The appearance of WeHaveSolution’s ransom note (“READ_NOTE.html”) (Source: Surface Web)

Screenshot of WeHaveSolution’s desktop wallpaper (Source: Surface Web)

The following are the TTPs based on the MITRE ATT&CK Framework:

| Tactic | ID | Technique |
| --- | --- | --- |
| Initial Access | T1091 | Replication Through Removable Media |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Privilege Escalation | T1055 | Process Injection |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1202 | Indirect Command Execution |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Discovery | T1012 | Query Registry |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery |
| Discovery | T1614 | System Location Discovery |
| Lateral Movement | T1091 | Replication Through Removable Media |
| Collection | T1074 | Data Staged |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1090 | Proxy |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1485 | Data Destruction |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
| Impact | T1491 | Defacement |
| Impact | T1496 | Resource Hijacking |

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • Developers use debugging environments to analyze and troubleshoot software. The ransomware checks whether it is running under a debugger and changes its behaviour if so, which helps it avoid analysis and detection.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

ETLM Assessment:
According to the assessment from CYFIRMA, the ransom note associated with WeHaveSolution ransomware indicates a primary focus on targeting enterprises to maximize financial returns. This suggests that ransomware is likely to become a serious threat to developed nations, with industries such as Manufacturing, Healthcare, Hospitality, and Finance expected to be key targets due to their substantial ransom payment capacities and heavy reliance on critical data.

Furthermore, the ransomware warns that non-compliance could lead to the exposure or sale of sensitive corporate information.

Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
  - attack.defense-evasion
  - attack.impact
  - attack.t1070
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection1_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\wmic.exe'
        - '\vssadmin.exe'
        - '\diskshadow.exe'
    - OriginalFileName:
        - 'PowerShell.EXE'
        - 'pwsh.dll'
        - 'wmic.exe'
        - 'VSSADMIN.EXE'
        - 'diskshadow.exe'
  selection1_cli:
    CommandLine|contains|all:
      - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
      - 'delete'
  selection2_img:
    - Image|endswith: '\wbadmin.exe'
    - OriginalFileName: 'WBADMIN.EXE'
  selection2_cli:
    CommandLine|contains|all:
      - 'delete'
      - 'catalog'
      - 'quiet' # will match -quiet or /quiet
  selection3_img:
    - Image|endswith: '\vssadmin.exe'
    - OriginalFileName: 'VSSADMIN.EXE'
  selection3_cli:
    CommandLine|contains|all:
      - 'resize'
      - 'shadowstorage'
    CommandLine|contains:
      - 'unbounded'
      - '/MaxSize='
  condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
  - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface web)
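To show how the rule's three selection pairs behave on real-looking telemetry, here is an added Python example written for this page (it is not CYFIRMA's code and not a Sigma backend). It applies the rule's selection logic and condition to constructed Windows process-creation events; the events, their field names and the helper functions are assumptions made here. Sigma's `|endswith` and `|contains` modifiers are case-insensitive, which the helpers reproduce.

```python
"""Apply the shadow-copy deletion Sigma rule above to sample process events.

Added example for this page: not CYFIRMA's code and not a Sigma backend.
Assumptions: events are dicts with the Sysmon-style fields the rule names
(Image, OriginalFileName, CommandLine, ParentCommandLine), all constructed
here; Sigma string modifiers are case-insensitive, which the helpers mirror."""
from typing import Dict, List, Optional, Sequence, Tuple

Event = Dict[str, str]


def _endswith_any(value: str, suffixes: Sequence[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value: str, options: Sequence[str]) -> bool:
    v = value.lower()
    return any(v == o.lower() for o in options)


def _contains_all(value: str, needles: Sequence[str]) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles: Sequence[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection1(ev: Event) -> bool:
    """selection1_img AND selection1_cli: shadow-copy capable tools plus 'shadow' and 'delete'."""
    img = _endswith_any(ev.get("Image", ""), [r"\powershell.exe", r"\pwsh.exe", r"\wmic.exe",
                                              r"\vssadmin.exe", r"\diskshadow.exe"]) \
        or _equals_any(ev.get("OriginalFileName", ""), ["PowerShell.EXE", "pwsh.dll", "wmic.exe",
                                                        "VSSADMIN.EXE", "diskshadow.exe"])
    return img and _contains_all(ev.get("CommandLine", ""), ["shadow", "delete"])


def selection2(ev: Event) -> bool:
    """selection2_img AND selection2_cli: wbadmin deleting the backup catalog quietly."""
    img = _endswith_any(ev.get("Image", ""), [r"\wbadmin.exe"]) \
        or _equals_any(ev.get("OriginalFileName", ""), ["WBADMIN.EXE"])
    return img and _contains_all(ev.get("CommandLine", ""), ["delete", "catalog", "quiet"])


def selection3(ev: Event) -> bool:
    """selection3_img AND selection3_cli: vssadmin resizing shadow storage (evicts old copies)."""
    img = _endswith_any(ev.get("Image", ""), [r"\vssadmin.exe"]) \
        or _equals_any(ev.get("OriginalFileName", ""), ["VSSADMIN.EXE"])
    cli = ev.get("CommandLine", "")
    # Sibling keys in one Sigma map are ANDed; the values inside one list are ORed.
    return img and _contains_all(cli, ["resize", "shadowstorage"]) \
        and _contains_any(cli, ["unbounded", "/MaxSize="])


def evaluate(ev: Event) -> Optional[str]:
    """Mirror the rule condition; return the first selection pair that fires, else None."""
    for name, sel in (("selection1", selection1), ("selection2", selection2), ("selection3", selection3)):
        if sel(ev):
            return name
    return None


def scan(events: Sequence[Event]) -> List[Tuple[int, str]]:
    """Return (index, selection) for every event the rule would alert on."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        name = evaluate(ev)
        if name:
            hits.append((i, name))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentCommandLine": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete", "ParentCommandLine": "cmd.exe /c run.bat"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet", "ParentCommandLine": "cmd.exe /c run.bat"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
     "ParentCommandLine": "cmd.exe /c run.bat"},
    # Benign: listing shadows is read-only and must not alert.
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows", "ParentCommandLine": "cmd.exe"},
    # Benign: PowerShell with no shadow-copy verbs.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ComputerInfo",
     "ParentCommandLine": "explorer.exe"},
    # Gap worth knowing: selection2_cli needs the substring 'quiet', so this does not fire.
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog", "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for idx, sel in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sel} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The first four events fire (two via selection1, one each via selection2 and selection3); the read-only `list shadows` call and the PowerShell inventory command do not, and the last event shows that a catalog deletion without the `quiet` switch slips past selection2 as written, which is the kind of gap to weigh when tuning the rule against the false positives it lists.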

STRATEGIC RECOMMENDATION

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule to your threat detection and monitoring tooling; it will help detect anomalies in log events and identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT) | Objectives: Espionage, Financial theft, Remote Access | Target Technologies: Android OS, Pix (Payment Platform), UPI (Unified Payments Interface) | Target Industries: Banks, Financial Sector | Target Geography: Brazil, India, Italy, and Mexico.

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the Week
This week “PixPirate” is trending.

Summary
Researchers have identified a new campaign of PixPirate, which primarily targets Brazilian banks through the Pix payment service, with nearly 70% of infections concentrated in Brazil. However, the campaign has also expanded its reach globally, affecting countries like India, Italy, and Mexico. India has become the second-most affected country, accounting for nearly 20% of all infections worldwide, despite no Indian banks being explicitly targeted. Researchers suggest that the malware’s developers are laying the groundwork for future campaigns in India, leveraging the widespread adoption of India’s Unified Payments Interface (UPI), which serves hundreds of millions of users and is regulated by the Reserve Bank of India.

PixPirate: An Evolving Threat
PixPirate, a sophisticated remote access tool (RAT) malware first identified in late 2021, operates through two key components: a downloader and a droppee application. The downloader spreads via Smishing campaigns or WhatsApp spam, masquerading as a legitimate authentication app to deceive users into downloading it. Once installed, it runs the droppee, executes commands, and facilitates the malware’s malicious activities. PixPirate’s capabilities include remote-control functionality for fraud execution, data theft, spreading through messaging platforms, SMS interception, and recording user activities. It also employs anti-removal and anti-virtual machine (anti-VM) techniques to evade detection, with its latest version introducing a method to hide its icon on the home screen, further enhancing its stealth. This evolution from a region-specific threat to a global challenge underscores PixPirate’s growing potential to exploit emerging payment ecosystems worldwide.

Attack Strategy: How PixPirate Installs and Activates Malware
The latest PixPirate campaign introduces a sophisticated new downloader variant, enhancing its ability to execute malware on victim devices. This downloader is distributed through Smishing and WhatsApp spam messages and includes a link to a YouTube tutorial, which has already garnered over 78,000 views. The video deceptively guides users into installing a malicious Android package kit (APK), disguised as a legitimate financial service app. By following the video, users unknowingly grant the necessary permissions for the malware to execute. Upon installation, the downloader requests users to install an updated version. This update, however, installs the PixPirate droppee application, the actual malware. Once installed, the malware operates invisibly on the device by hiding its icon, making it difficult for the user to detect. Despite this, the malware remains active and is capable of executing fraud, as the downloader continuously manages its execution.

To overcome the challenge of activating the invisible malware, PixPirate’s downloader plays a key role. In this new campaign, the downloader has been enhanced to run the droppee using a refined method. The downloader queries specific activity names associated with the droppee, such as “com.ticket.stage.Service” and “com.sell.allday.Service,” using the “queryIntentActivities” API. This function retrieves all activities related to the droppee, enabling the downloader to launch the malware by creating a targeted intent and invoking the “startActivity” API. By maintaining control over the execution of the droppee, PixPirate’s downloader ensures that the malware remains operational even when hidden, allowing it to conduct fraudulent activities on the victim’s device.

Exploiting WhatsApp: PixPirate’s Advanced Infection Strategy
To further enhance its infection strategy, PixPirate malware employs a sophisticated method to spread and infect devices. During installation, the downloader checks if WhatsApp is installed on the victim’s device. If not, it prompts the victim to install the WhatsApp APK, which is unusually large (nearly 100MB) compared to typical malware downloaders. Once installed, the PixPirate malware uses WhatsApp to send phishing messages from the victim’s account, spreading the infection to their contacts and groups. The new capabilities and functionality related to the WhatsApp app can include:

  • Sending messages
  • Deleting messages
  • Creating groups and sending messages
  • Reading and deleting the user contact list
  • Adding and changing the user contact list
  • Blocking and unblocking other WhatsApp user accounts

Additionally, PixPirate uses an overlay technique to hide its activities, making it less noticeable to the victim.

Fig: PixPirate new infection methodology

PixPirate malware uses a function that enables it to send malicious WhatsApp messages from the victim’s account. This function takes three parameters:

  • Contact list – a list of contacts to send the malicious WhatsApp message
  • messagesArr – array of messages to send
  • sleepTime – time to wait between each message sending

The malware uses the victim’s contact list to create a unique intent for each message, with the WhatsApp package name set to “com.whatsapp.” The malware then triggers the sending action by starting the corresponding activity. To send the messages, PixPirate uses the device’s Accessibility service to click on the “send” button, mimicking the behavior of a legitimate user.
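The two behaviours described above (a droppee launched by explicit intent against activities named "com.ticket.stage.Service" and "com.sell.allday.Service", with no home-screen icon, and WhatsApp messages sent by clicking "send" through the Accessibility service) leave traces in an app's manifest that an analyst can check statically. The following is an added Python example written for this page; it is not CYFIRMA's code and not PixPirate's code. Both manifests are constructed (the droppee's real manifest is not on the page), and the heuristics are triage signals chosen here rather than a published detection: activities named like the droppee's, no MAIN/LAUNCHER activity (consistent with a hidden icon), and a declared accessibility service.

```python
"""Static triage of an Android manifest for the PixPirate traits described above.

Added example for this page: not CYFIRMA's code and not PixPirate's code.
Assumptions: both manifests are constructed; the heuristics below are triage
signals chosen here (known droppee activity names from the report, absence of a
MAIN/LAUNCHER activity, a declared accessibility service), not a published rule."""
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Activity names the report attributes to the droppee.
KNOWN_DROPPEE_ACTIVITIES = {"com.ticket.stage.Service", "com.sell.allday.Service"}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(el: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, or '' if absent."""
    return el.get(ANDROID_NS + name, "")


def _has_launcher_filter(activity: ET.Element) -> bool:
    """True if the activity carries the MAIN/LAUNCHER filter that places an icon on the home screen."""
    for flt in activity.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def triage(manifest_xml: str) -> Dict[str, object]:
    """Collect the manifest signals described in the report and return a verdict."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    services = app.findall("service") if app is not None else []
    names = {_attr(a, "name") for a in activities}
    findings: Dict[str, object] = {
        "package": root.get("package", ""),
        "known_droppee_activities": sorted(names & KNOWN_DROPPEE_ACTIVITIES),
        # No launcher activity at all is consistent with the hidden-icon behaviour.
        "no_launcher_activity": not any(_has_launcher_filter(a) for a in activities),
        # An accessibility service is what lets malware click buttons such as WhatsApp's "send".
        "accessibility_service": any(_attr(s, "permission") == ACCESSIBILITY_PERMISSION for s in services),
        # Exported activities can be started by another package through an explicit intent.
        "exported_activities": sorted(_attr(a, "name") for a in activities if _attr(a, "exported") == "true"),
    }
    findings["suspicious"] = bool(findings["known_droppee_activities"]) or (
        findings["no_launcher_activity"] and findings["accessibility_service"])
    return findings


# Constructed manifest resembling the droppee traits the report describes.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.droppee">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Auth Helper">
    <activity android:name="com.ticket.stage.Service" android:exported="true"/>
    <activity android:name="com.sell.allday.Service" android:exported="true"/>
    <service android:name=".AccSvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app with a normal launcher icon and no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The name match is the strongest signal because it comes straight from the report; the other two are weaker on their own (many legitimate apps declare accessibility services, and some hide their icon at runtime rather than in the manifest), so they are only combined, never used alone, for the verdict.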

INSIGHTS

  • PixPirate’s expansion beyond Brazil suggests a strategic shift toward targeting countries with rapidly growing digital payment systems. As seen with its attention on India’s UPI, the malware developers may be positioning themselves to exploit the increasing reliance on digital wallets and payment services globally. This trend reflects a broader shift in malware tactics, where attackers focus on regions with high mobile payment adoption, anticipating that these systems will become major targets in the coming years.
  • WhatsApp plays a pivotal role in PixPirate’s infection strategy, as the malware uses it to send phishing messages from the victim’s account, spreading the infection to their contacts and groups. By exploiting the trusted nature of WhatsApp, PixPirate increases the chances of users unknowingly downloading the malware. The malware’s ability to perform a range of malicious actions on WhatsApp, such as sending and deleting messages, manipulating the contact list, and creating groups, makes it a powerful tool for spreading the infection. This highlights the evolving nature of malware campaigns, with PixPirate utilizing social platforms to scale its impact.
  • PixPirate’s ability to exploit trusted user interfaces and payment systems reflects a growing trend in malware development, where attackers aim to exploit user trust rather than relying solely on technical vulnerabilities. This approach not only increases the chances of successful infections but also poses challenges for traditional detection methods that focus on system-level anomalies. As digital ecosystems become more interconnected, malware like PixPirate could begin targeting additional collaborative tools, social media platforms, or even enterprise applications, broadening its impact on both personal and organizational security.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as PixPirate continues to evolve, it may expand its reach to target a broader range of global digital payment systems, including emerging platforms like UPI and Pix, increasing the risks of financial fraud and data theft. As mobile payments gain traction worldwide, organizations could face heightened threats, especially with employees using personal devices that may unknowingly facilitate the malware’s spread, compromising sensitive corporate data. The malware’s exploitation of trusted platforms like WhatsApp suggests a future rise in social engineering tactics, making employees increasingly vulnerable to phishing and fraud. As PixPirate adapts to new payment technologies and communication channels, it will likely present an escalating threat, demanding more sophisticated cybersecurity measures and defense strategies to protect both individuals and enterprises from these evolving attacks.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

Recommendations:

STRATEGIC:

  • Implement a Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in the enterprise.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops, and mobile devices to identify unauthorized/restricted software.
  • Configure the organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any other network defence mechanisms in place to alert on connection attempts to and from the external IP addresses and domains listed in the appendix and, upon review, consider blocking them.

MANAGEMENT:

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
      • Avoid downloading and executing files from unverified sources.
  • Incorporate a written software policy that educates employees on good practices in relation to software and the potential implications of downloading and using restricted software.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enforce policies to validate third-party software before installation.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Spear Phishing, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Hunters International Ransomware, Killsec Ransomware | Malware – PixPirate
  • Hunters International Ransomware – One of the ransomware groups.
  • Killsec Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – PixPirate Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

ANEL Strikes Again: The Resurgence of the Earth Kasha Spear-Phishing Campaign in 2024

  • Threat actor: Earth Kasha
  • Initial Attack Vector: Spear Phishing
  • Objective: Espionage
  • Target Geography: Japan
  • Target Industries: Political organizations, research institutions, and organizations related to international relations.
  • Business Impact: Operational downtime, data theft, and potential destruction of sensitive information.

Since June 2024, a spear-phishing campaign targeting individuals and organizations in Japan has been attributed to the threat actor Earth Kasha, which researchers classify as distinct from APT10, though potentially linked. This operation marks the reappearance of the ANEL backdoor, previously utilized by APT10 until 2018, alongside the NOOPDOOR malware, associated with Earth Kasha. The campaign’s targets include individuals linked to political organizations, research institutions, think tanks, and those involved in international relations, particularly with a focus on Japan’s national security.

Unlike their 2023 operations, which mainly targeted vulnerabilities in edge devices, Earth Kasha shifted tactics by focusing on spear-phishing emails as the primary intrusion method. The spear-phishing emails in this campaign are crafted to appeal to the targeted individuals, with subjects related to Japan’s economic security and government institutions. The emails typically contain a URL pointing to a OneDrive link, where the victim is encouraged to download a malicious ZIP file. This file is the infection vector, and its contents vary depending on the target.

One infection method involves a macro-enabled document, named ROAMINGMOUSE, which, once opened, executes embedded malicious components related to ANEL. Another method involves a shortcut file combined with an SFX file or PowerShell, which ultimately drops ROAMINGMOUSE and proceeds with the same infection flow. ROAMINGMOUSE is designed as a dropper for the ANEL payload, leveraging sandbox evasion techniques, such as responding to specific mouse movements and using custom Base64 encoding to hinder automated analysis. The payload is executed through WMI (Windows Management Instrumentation), bypassing typical detection methods. Once executed, the ANEL backdoor is activated using a legitimate application, which sideloads a malicious DLL.

The ANEL-related components include an encrypted payload that is decrypted using AES-256, with further encryption and evasion techniques employed to hinder detection. The ANEL backdoor has been updated in this campaign, with new versions observed. The updates introduce minor fixes, remove features for evasion (such as HTTP cookie error codes), and add new commands, including one that enables the exploitation of a UAC bypass technique using the CMSTPLUA COM interface.

The use of NOOPDOOR, another modular backdoor, in conjunction with ANEL suggests that Earth Kasha is leveraging multiple tools for different levels of access. NOOPDOOR is typically deployed on high-value targets, providing additional functionalities for post-exploitation activities, such as taking screenshots or executing system commands. The combination of these tools highlights the advanced and evolving nature of Earth Kasha’s operations, which involve extensive use of custom malware and sophisticated evasion techniques. This campaign reflects a shift in Earth Kasha’s targeting strategy, focusing on individuals rather than enterprises, and employing a mix of old and new tactics, tools, and procedures (TTPs). The attack methods, including spear-phishing and the use of ANEL and NOOPDOOR, are indicative of an ongoing, sophisticated threat actor looking to infiltrate specific high-value targets for espionage purposes.

Relevancy Insights:
This group is focused on the telecommunications, technology, defense, and energy sectors, with past attacks emphasizing intelligence gathering and data theft. One of their most significant campaigns, Cloud Hopper, involved targeting managed service providers (MSPs) to infiltrate global networks, exfiltrating sensitive data from high-value organizations worldwide. Previously, Earth Kasha relied on malware like ChinaChopper and PlugX for remote access and persistence in compromised networks.

In 2024, Earth Kasha has pivoted to Japan, focusing on national security, political organizations, and research institutions. Their current malware arsenal includes ANEL and NOOPDOOR, showing an evolution of tactics but a consistent pattern of using spear-phishing and social engineering for initial compromise. These tactics are similar to those of previous campaigns, indicating a sustained emphasis on stealthy, long-term access for espionage.

The current attack shares many similarities with past operations, particularly in the group’s approach to targeting critical infrastructure and geopolitical intelligence. Despite the evolution of their tools and focus, Earth Kasha’s core goal remains the same: leveraging cyber tools to gather valuable intelligence from high-profile targets across global industries.

ETLM Assessment:
The threat actor Earth Kasha is a sophisticated cyber espionage group. Historically, Earth Kasha has focused on espionage campaigns targeting high-value political, governmental, and economic targets. In the current campaign, which started in mid-2024, Earth Kasha has shifted its focus to individuals and organizations based in Japan, with a particular emphasis on those involved in national security, political organizations, and research institutions. The group uses spear-phishing emails as the primary attack vector, leveraging social engineering tactics to lure victims into downloading malicious attachments, often tied to economic and political themes relevant to Japan. Their attacks are highly targeted, leveraging a mix of sophisticated malware, including the ANEL backdoor, NOOPDOOR, and the ROAMINGMOUSE dropper, to establish initial footholds and enable continued surveillance and data exfiltration. These tools allow Earth Kasha to bypass traditional security measures, using custom malware that relies on evasion techniques, such as Base64 encoding, WMI execution, and UAC bypass. In the past, Earth Kasha also used a wider range of tools, including ChinaChopper and PlugX in older campaigns. The group’s ability to continuously evolve its tactics is evident in their use of newer malware variants and updated versions of ANEL in this campaign. The targeted technologies include Windows-based systems, PowerShell, and various legitimate applications exploited for malware delivery. As the threat landscape continues to shift towards more targeted individuals and nation-state espionage, Earth Kasha is expected to increasingly refine its spear-phishing techniques and expand its malware arsenal, leveraging emerging vulnerabilities to continue its operations.
Given their focus on high-profile political and defense targets, the threat remains persistent, with the potential for further targeting of countries involved in geopolitical activities in the Asia-Pacific region, especially those with strategic relations with Japan. Future assessments indicate the continued evolution of Earth Kasha’s TTPs, emphasizing the need for enhanced defensive postures and detection capabilities for organizations and individuals in the targeted sectors.

Recommendations:

Strategic Recommendations:

  • Develop a Cybersecurity Awareness Program: Ensure that all employees are regularly trained on phishing awareness, social engineering tactics, and recognizing suspicious activity. Earth Kasha has relied on spear-phishing attacks in the past, making it critical to equip your workforce with the necessary skills to detect and respond to such threats.
  • Review and Update Incident Response Plans: Given the sophistication of Earth Kasha’s attack methods, it is essential to regularly update and test your Incident Response Plan (IRP) to ensure that all stakeholders are prepared for a potential breach. This should include clear protocols for containment, eradication, and recovery.

Tactical Recommendations:

  • Network Segmentation and Least Privilege Access: Implement strict network segmentation across sensitive areas of the business to reduce the lateral movement of threat actors within your environment. Also, enforce the principle of least privilege to limit the potential damage in case of a compromise.
  • Multi-Factor Authentication (MFA): Deploy MFA across all critical systems to add an additional layer of security, especially for remote access and privileged accounts, which are common targets for threat actors like Earth Kasha.
  • Advanced Threat Detection: Leverage Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) solutions to monitor for anomalies and suspicious activities that align with Earth Kasha’s known TTPs, such as the use of PlugX, NOOPDOOR, and ANEL malware.

Operational Recommendations:

  • Monitor for Specific IoCs: The IoCs provided in this report should be integrated into your existing security tools to enable real-time detection and automated response to any matches with Earth Kasha’s activity. Ensure that these IoCs are used to update firewall, IDS/IPS, and antivirus definitions across your organization’s infrastructure.
  • Regular Vulnerability Assessments: Given Earth Kasha’s history of exploiting vulnerabilities in popular platforms, it’s critical to perform regular vulnerability scanning and patch management. Focus on timely patching of critical vulnerabilities, especially those identified in software like Microsoft Exchange or VPN appliances.
  • Review and Harden Remote Access: If remote access solutions such as VPNs are used, ensure they are configured with strong security settings, such as strong encryption and multi-factor authentication (MFA). Additionally, monitor for any unauthorized remote access attempts that could signal the early stages of an attack.

MITRE framework

| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1082 | System Information Discovery |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Collection | T1005 | Data from Local System |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1071.001 | Application Layer Protocol: Web Protocols |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T0826 | Loss of Availability |

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

China hosts the tenth annual World Internet Conference
China’s Cyberspace Administration held the 2024 World Internet Conference (WIC) summit in Wuzhen, Zhejiang. The tenth annual conference was themed “Embracing a People-centered and AI-for-good Digital Future: Building a Community with a Shared Future in Cyberspace,” and included subforums on AI governance, global data cooperation, and the Global Development Initiative. The conference hosted technology exhibitions, bilateral ministerial meetings, and an entrepreneurs’ forum.

The conference launched an AI Committee, led by Alibaba Cloud founder Wang Jian, which will bring together over 170 domestic and international experts from academic research institutes, think tanks, and industry to collaborate on AI innovation and safety. The language of speeches at the forum echoes China’s broader language on multilateral and cooperative governance. China presents a deliberate alternative to cooperation with the United States on technology standard-setting, calling for a “brighter digital future” and respect for individual countries’ policy objectives.

ETLM Assessment:
China has been accelerating efforts to build its influence in technology governance in recent years, particularly pushing cross-border data flow and establishing collaborations with countries in the Global South. Just this week, while Xi and Brazilian President Lula met and elevated ties, China launched an Open Science initiative with South Africa, the African Union, and Brazil. The language of “respect for individual countries’ policy objectives” aims at steering the internet from one open world network into a series of fragmented “sealed-off national internets” akin to the system in China, where the government pushes its own population behind the so-called “great firewall”. China is trying to export its model both to undermine the current geopolitical order and to gain business opportunities for its companies, which build the great firewall and would be eager to export it to other countries.

Europe’s critical infrastructure is becoming dangerously vulnerable
Former NATO secretary-general Anders Fogh Rasmussen has issued an open letter warning Europe of the vulnerability of its critical infrastructure. Rasmussen writes:

Europe’s subsea cables network is a grave cause for concern. Former Russian president Dmitry Medvedev has openly threatened an attack in response to support for Ukraine. These cables carry around 98 percent of the world’s internet traffic, and three EU countries are fully reliant on them for their connectivity. Without these cables, our phones, cars, televisions, and even fridges, will cease to function effectively. The Russian general staff’s main directorate for deep sea research has been linked to sabotage threats to undersea cables. Russian submarine activity to chart the locations of these highly vulnerable cables has also increased significantly, including off the coast of Ireland.

ETLM Assessment
The essay largely echoes our previous assessment from two reports published this spring, one dealing with undersea cables and one titled Threat to Offshore Infrastructure in a Maritime-Centric Century, in which CYFIRMA analysts conclude: The most important evolving threat to the electric grid is associated with cybersecurity and physical security. The power grid in the US, and more so in Europe, is experiencing a transformation as the world shifts to sustainable energy: this transformation, however, is introducing new vulnerabilities to the system as offshore infrastructure is susceptible to physical and cybernetic attacks. Both the US and EU governments have aimed to bolster collaboration between critical infrastructure owners and operators as well as sector risk management agencies, but the hasty nature of the grid transformation will likely leave many openings for sophisticated cyber attackers for years to come.

4. Rise in Malware/Ransomware and Phishing

The Hunters International Ransomware Impacts CK Power Public Manufacturing

  • Attack Type: Ransomware
  • Target Industry: Energy and Manufacturing
  • Target Geography: Thailand
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Thailand, CK Power Public Manufacturing (www[.]ckpower[.]co[.]th), was compromised by Hunters International Ransomware. CK Power Public Company Limited (CKP) is a leading electricity producer in Thailand specializing in renewable energy. CKP operates power generation projects across multiple sectors, including hydroelectric, solar, and thermal power. The data leak following the ransomware attack encompasses sensitive and confidential records originating from the organizational database. The scale of the data exposure measures approximately 358.6 GB, comprising a total of 198,890 discrete files.

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a ransomware group that has gained significant attention since its emergence in October 2023. The group operates under a ransomware-as-a-service (RaaS) model and is known for its aggressive tactics, particularly focusing on data exfiltration alongside file encryption.
  • Hunters International is ransomware that targets Windows and Linux environments and appends the .LOCKED extension to encrypted files on the victim machine once the group has completed data exfiltration.
  • The Hunters International Ransomware group primarily targets countries, such as the United States of America, Italy, the United Kingdom, Germany, and India.
  • The Hunters International Ransomware group primarily targets industries, including Business Support Services, Heavy Construction, Government Agencies, Health Care Providers, and Telecommunications.
  • Based on the Hunters International Ransomware victims list from 1st Jan 2024 to 04th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1st Jan 2024 to 04th December 2024 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Hunters International ransomware represents a significant threat within the ransomware landscape due to its sophisticated tactics and focus on double extortion strategies. Organizations are advised to enhance their cybersecurity measures by implementing robust backup solutions, conducting regular employee training on phishing awareness, and maintaining updated security protocols to mitigate risks associated with this evolving threat actor. Continuous monitoring of Hunters International’s activities will be essential for understanding its impact on global cybersecurity efforts.

The Killsec Ransomware Impacts GajiCermat

  • Attack Type: Ransomware
  • Target Industry: Information Technology
  • Target Geography: Indonesia
  • Ransomware: Killsec Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Indonesia, GajiCermat (www[.]gajicermat[.]com), was compromised by KillSec Ransomware. GajiCermat, operated by PT GajiCermat Mandiri Digital Indonesia, is a cloud-based platform offering HR and payroll management solutions. It is designed to streamline administrative tasks such as payroll processing, attendance tracking, and employee management for businesses of various sizes. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web

Relevancy & Insights:

  • KillSec is a ransomware group that has gained notoriety for its ransomware-as-a-service (RaaS) model and a series of high-profile attacks.
  • KillSec Ransomware employs various sophisticated methods to infiltrate systems, including phishing attacks, exploiting known vulnerabilities, and using custom malware to maintain persistence within compromised networks.
  • The KillSec Ransomware group primarily targets countries like India, the United States of America, Belgium, Brazil, and Romania.
  • The KillSec Ransomware group primarily targets industries, such as Financial Services, Health Care Providers, Software, Internet, and Computer Services.
  • Based on the KillSec Ransomware victims list from 1st Jan 2024 to 04th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the KillSec Ransomware from 1st Jan 2024 to 04th December 2024 are as follows:

ETLM Assessment:
The emergence and evolution of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally.

According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.

5. Vulnerabilities and Exploits

Vulnerability in SimpleSAMLphp

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Web applications
  • Vulnerability: CVE-2024-52596
  • CVSS Base Score: 8.8
  • Vulnerability Type: Improper Restriction of XML External Entity Reference (‘XXE’)
  • Summary: The vulnerability allows a remote attacker to gain access to sensitive information.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied XML input in saml2/src/SAML2/DOMDocumentFactory.php when parsing SAML messages. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Impact: Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.

Affected Products: https[:]//github[.]com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
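As an added example (not SimpleSAMLphp’s own code or its actual patch), the following PHP shows the class of control the vulnerability description above calls for: a consumer of untrusted SAML XML that refuses DOCTYPE and entity declarations both before and after parsing with DOMDocument, and that never enables entity substitution or network access in libxml. The class name and the two sample messages are constructed for illustration; a real deployment would feed it the base64-decoded SAMLResponse.

```php
<?php
declare(strict_types=1);

/**
 * Hardened loader for untrusted XML such as an incoming SAML message.
 * Two independent controls:
 *   1. Refuse any document that declares a DOCTYPE (SAML never needs one),
 *      so internal and external entity declarations are never parsed.
 *   2. Parse with LIBXML_NONET and WITHOUT LIBXML_NOENT / LIBXML_DTDLOAD,
 *      so even if a DOCTYPE slipped through, libxml would neither fetch
 *      remote resources nor substitute entity references.
 */
final class HardenedXmlLoader
{
    /** @throws RuntimeException on malformed or policy-violating input */
    public static function load(string $xml): DOMDocument
    {
        // Pre-parse guard: a DOCTYPE anywhere in the byte stream is rejected
        // before libxml sees it. The XML spec only allows the upper-case
        // keyword; matching case-insensitively is stricter but harmless.
        if (stripos($xml, '<!DOCTYPE') !== false) {
            throw new RuntimeException('Rejected XML: DOCTYPE declarations are not allowed');
        }

        $doc = new DOMDocument();
        $previous = libxml_use_internal_errors(true);
        try {
            // LIBXML_NONET forbids network access during parsing. Deliberately
            // no LIBXML_NOENT (entity substitution) and no LIBXML_DTDLOAD.
            $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
            if ($ok === false) {
                $messages = array_map(
                    static fn (LibXMLError $e): string => trim($e->message),
                    libxml_get_errors()
                );
                throw new RuntimeException('Rejected XML: ' . implode('; ', $messages));
            }
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previous);
        }

        // Post-parse guard: belt-and-braces check that no DTD node survived.
        if ($doc->doctype !== null) {
            throw new RuntimeException('Rejected XML: document type node present after parse');
        }
        return $doc;
    }
}

// Constructed sample inputs (not taken from any real SAML deployment).
$benign = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0">'
        . '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        . '</samlp:Response>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder-path">]>'
         . '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&x;</samlp:Response>';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $xml) {
    try {
        $doc = HardenedXmlLoader::load($xml);
        printf("%s: accepted, root element <%s>\n", $label, $doc->documentElement->tagName);
    } catch (RuntimeException $e) {
        // Logging these rejections is the monitoring hook the recommendation above refers to.
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

The benign message is accepted and the DOCTYPE-bearing one is rejected before any entity is ever resolved; rejections of this kind on a SAML endpoint are a useful detection signal worth forwarding to the SIEM.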

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in SimpleSAMLphp can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of SimpleSAMLphp is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding authentication processes and identity management in PHP applications across different geographic regions and sectors.

6. Latest Cyber – Attacks, Incidents, and Breaches

RansomHub Ransomware Attacked and Published the Data of DAM Capital Advisors Limited

  • Threat Actor: RansomHub Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Finance
  • Target Geography: India
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary
Recently, we observed that RansomHub Ransomware attacked and published the data of DAM Capital Advisors Limited (www[.]damcapital[.]in) on its dark web website. DAM Capital Advisors Limited is a prominent investment bank in India, focusing on financial advisory services in sectors such as capital markets, equity and debt placement, and corporate finance. The company operates as a SEBI-registered entity, offering services including merchant banking, research analysis, and brokerage activities. The data leak following the ransomware attack encompasses sensitive and confidential records originating from the organizational database.

The scale of the data exposure measures approximately 92 GB.

Source: Dark Web

Relevancy & Insights:

  • RansomHub employs a double-extortion model by encrypting files and exfiltrating sensitive data before encryption. They typically gain initial access through methods such as Phishing emails, Exploitation of known vulnerabilities, and Password-spraying attacks.
  • The RansomHub Ransomware group has targeted a wide range of sectors, including healthcare, government services, critical infrastructure, IT services, emergency services, food production, and financial services.

ETLM Assessment:
According to CYFIRMA’s assessment, RansomHub’s rapid ascent in the ransomware ecosystem poses significant challenges for organizations across various sectors. Its sophisticated tactics, aggressive recruitment strategies, and focus on double extortion highlight the evolving nature of cyber threats. Organizations are urged to enhance their cybersecurity measures, including robust incident response plans and employee training on recognizing phishing attempts, to mitigate the risks associated with this emerging threat actor. Continuous monitoring of RansomHub’s activities will be essential for understanding its impact on global cybersecurity efforts.

7. Data Leaks

Indonesia Telecom Access Advertised on a Leak Site

  • Attack Type: Access Sale
  • Target Industry: Telecommunication
  • Target Geography: Indonesia
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary: The CYFIRMA Research team observed an access sale related to Indonesia Telecom in an underground forum. The details of the sale involve access to a firewalled hosting server at Indonesia Telecom. The offering includes root access to the server, granting full administrative privileges. The access is being sold by a threat actor identified as “Miyako” for a price of $300.

Source: Underground forums

Sararan Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Fashion, Luxury Goods
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a data leak related to Sararan (www[.]sararan[.]co[.]th) in an underground forum. Sararan is a jewelry store based in Thailand that specializes in handmade fashion accessories. The leaked data consists of a total of 302,100 records in CSV/SQL format. The data breach has been linked to a threat actor known as “NanC.”

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor “NanC” poses a significant cybersecurity risk, and organizations are urged to enhance their security protocols to counteract this emerging threat. This includes implementing regular software updates, conducting employee training to recognize phishing attempts, and maintaining robust defense systems. To mitigate the risks associated with NanC and similar groups, continuous surveillance and sharing of cybersecurity intelligence are essential. Collaborative efforts will be key to understanding and addressing the evolving tactics employed by these threat actors.

Recommendations: Enhance the cybersecurity posture by:

  1. Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related attacks.
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a data leak related to Entrena Virtual (https[:]//www[.]entrenavirtual[.]es) in an underground forum. Entrena Virtual is a fitness center that provides gym classes and personal training services. The compromised data includes the following details: full name, username, last activity date, registration information, email address, order history, total expense, PMV (potentially a metric for monetary value), country, city, region, and postal code.

The breach has been linked to a threat actor identified as “888.”

Source: Underground Forums

The CYFIRMA Research team observed a data and access sale related to EazyDiner (www[.]eazydiner[.]com) in an underground forum. EazyDiner, a prominent platform for restaurant reservations and payments, providing access to over 25,000 restaurants in India and Dubai, has reportedly experienced a data breach. The breach is attributed to a threat actor identified as “0xy0um0m.”

The compromised data includes:

  • Information of 20,305,000 members, including phone numbers and personal details.
  • Data for 8,500,000 members, comprising email addresses, phone numbers, and personal information, formatted in CSV files.

Additionally, the access for sale includes a base system and access to AWS S3 storage. The threat actor is asking for a price of $13,500 for this package (base + AWS S3 access).

Source: Underground Forums

ETLM Assessment
The threat actor group “888” has gained notoriety in underground forums, emerging as a significant force in cybercrime, primarily motivated by financial gains. This group has already targeted a wide range of industries, including government, industrial conglomerates, retail, staffing, business consulting, banking, e-commerce, and utilities. Their diverse targeting patterns suggest that they plan to broaden their scope and potentially expand their attacks to additional industries worldwide in the future.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.