Weekly Intelligence Report – 06 Oct 2023

Published On : 2023-10-06

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Geographies: Argentina, Canada, Germany, Italy, Mexico, Romania, United Kingdom, United States.
Target Industries: Construction, E-commerce, Education, FMCG, Food & Beverage, Government, Health Care, IT, Manufacturing, Real Estate, Telecommunication, Transportation & Logistics.

Introduction

CYFIRMA Research and Advisory Team has found ransomware known as LostTrust while monitoring various underground forums as part of our Threat Discovery Process.

LostTrust:

LostTrust is a newly emerging ransomware that encrypts files and adds the “.losttrustencoded” extension to the names of the encrypted files.
The ransomware generates ransom notes named “!LostTrustEncoded.txt” in every folder on the device. In these notes, the threat actors initially presented themselves as former white hat hackers who had transitioned to cybercrime due to inadequate compensation.

Researchers believe that LostTrust is likely a rebrand of MetaEncryptor. LostTrust began targeting organizations in March 2023 but gained notoriety in September when it started using a data leak site, listing 53 victims globally.

The LostTrust and MetaEncryptor variants differ only in minor details: the ransom note text and file name, the embedded public keys, and the extension appended to encrypted files.

Furthermore, researchers noted the presence of the ‘METAENCRYPTING’ string in the encryptor, indicating its modification from the MetaEncryptor variant.
The encryptor can be launched with two optional command line arguments, --onlypath (encrypt only a specific path) and --enable-shares (also encrypt network shares).

Once running, LostTrust stops and disables a range of Windows services so that the files they hold open can be encrypted, including services related to Firebird, MSSQL, SQL, Exchange, wsbex, postgresql, BACKP, tomcat, SBS, and SharePoint. It additionally targets and disables further services associated with Microsoft Exchange.

Ransom demands for LostTrust vary, ranging from $100,000 to several million dollars.


Screenshot of Files Encrypted by LostTrust Ransomware. (Source: Surface Web)


Screenshot of a ransom note by LostTrust Ransomware.


Countries Targeted by LostTrust Ransomware

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Based on the victim list, the ransomware’s primary target is the US.
  • Detect-Debug-Environment: The sample checks whether it is running under a debugger. Debuggers are used by analysts to step through and understand software, so ransomware that detects them is attempting to hinder analysis or evade debugging tools.
  • Calls to WMI: The ransomware makes calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful interface used by many legitimate applications and services, but it is also abused by malware to profile the system, evade detection, and reach sensitive information.
  • User Input Checks: The sample checks for user input, which implies it may interact with the user or wait for specific inputs or triggers before starting encryption or other malicious activity. This also serves as a sandbox check, since automated analysis environments typically generate no user input.

ETLM assessment

CYFIRMA’s assessment, based on available information, is that LostTrust ransomware is likely to continue its malicious activities, with a particular focus on the widely used Windows Operating System. Moreover, its anti-debugging checks and use of WMI suggest ongoing efforts to evade detection and expand its reach. Organizations, especially those in the US and other developed nations, should remain vigilant and enhance cybersecurity measures to mitigate the evolving threat posed by LostTrust ransomware.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No / Tactic / Techniques and Sub-Techniques:

1. TA0002: Execution
  • T1047: Windows Management Instrumentation
  • T1059: Command and Scripting Interpreter
  • T1129: Shared Modules
  • T1569.002: System Services: Service Execution
2. TA0003: Persistence
  • T1543.003: Create or Modify System Process: Windows Service
3. TA0004: Privilege Escalation
  • T1134: Access Token Manipulation
  • T1543.003: Create or Modify System Process: Windows Service
4. TA0005: Defense Evasion
  • T1027: Obfuscated Files or Information
  • T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
  • T1036: Masquerading
  • T1070: Indicator Removal
  • T1070.001: Indicator Removal: Clear Windows Event Logs
  • T1070.004: Indicator Removal: File Deletion
  • T1070.006: Indicator Removal: Timestomp
  • T1134: Access Token Manipulation
  • T1140: Deobfuscate/Decode Files or Information
  • T1222: File and Directory Permissions Modification
  • T1497.001: Virtualization/Sandbox Evasion: System Checks
  • T1562.001: Impair Defenses: Disable or Modify Tools
5. TA0006: Credential Access
  • T1056: Input Capture
6. TA0007: Discovery
  • T1057: Process Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1135: Network Share Discovery
  • T1497.001: Virtualization/Sandbox Evasion: System Checks
  • T1518.001: Software Discovery: Security Software Discovery
7. TA0009: Collection
  • T1056: Input Capture
  • T1560.002: Archive Collected Data: Archive via Library
8. TA0011: Command and Control
  • T1071: Application Layer Protocol
  • T1095: Non-Application Layer Protocol
9. TA0040: Impact
  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:

title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wmic.exe'
            - 'VSSADMIN.EXE'
            - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet'
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
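The rule above expressed as executable matching logic, added here as an illustration and not part of CYFIRMA’s report or the SigmaHQ rule itself: a small Python port of the three selections and the condition, run over constructed process-creation events. The Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentCommandLine), the sample events and the parent binary name are assumptions. Sigma string modifiers are case-insensitive in the default backends, so the port lowercases both sides before comparing, which is why the PowerShell Win32_ShadowCopy deletion is caught as well as the plain vssadmin form.

```python
"""Python port of the Sigma rule 'Shadow Copies Deletion Using Operating
Systems Utilities' (added example, not the report's or SigmaHQ's code).

Assumptions: events are dicts with Sysmon/4688-style keys Image,
OriginalFileName, CommandLine and ParentCommandLine; Sigma 'endswith',
'contains' and plain equality are case-insensitive, as in Sigma's default
backends, so every comparison is done on lower-cased strings."""

from typing import Dict, Iterable, List

Event = Dict[str, str]

# selection1_img: the living-off-the-land binaries able to delete shadow copies
SEL1_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe",
                       "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll", "wmic.exe",
                       "vssadmin.exe", "diskshadow.exe")


def _endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value: str, names: Iterable[str]) -> bool:
    v = value.lower()
    return any(v == n.lower() for n in names)


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_shadow_copy_deletion(ev: Event) -> bool:
    """True when the event satisfies the rule's condition:
    (all of selection1*) or (all of selection2*) or (all of selection3*)."""
    image = ev.get("Image", "")
    orig = ev.get("OriginalFileName", "")
    cli = ev.get("CommandLine", "")

    # selection1: powershell/pwsh/wmic/vssadmin/diskshadow with "shadow" and "delete"
    sel1_img = _endswith_any(image, SEL1_IMAGE_SUFFIXES) or _equals_any(orig, SEL1_ORIGINAL_NAMES)
    sel1_cli = _contains_all(cli, ("shadow", "delete"))

    # selection2: wbadmin delete catalog -quiet (or /quiet)
    sel2_img = _endswith_any(image, ("\\wbadmin.exe",)) or _equals_any(orig, ("wbadmin.exe",))
    sel2_cli = _contains_all(cli, ("delete", "catalog", "quiet"))

    # selection3: vssadmin resize shadowstorage with unbounded or an explicit /MaxSize=,
    # which evicts existing copies without a literal "delete" on the command line
    sel3_img = _endswith_any(image, ("\\vssadmin.exe",)) or _equals_any(orig, ("vssadmin.exe",))
    sel3_cli = (_contains_all(cli, ("resize", "shadowstorage"))
                and _contains_any(cli, ("unbounded", "/maxsize=")))

    return (sel1_img and sel1_cli) or (sel2_img and sel2_cli) or (sel3_img and sel3_cli)


def run_rule(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Apply the rule and return the rule's 'fields' (CommandLine, ParentCommandLine) per hit."""
    return [{"CommandLine": ev.get("CommandLine", ""),
             "ParentCommandLine": ev.get("ParentCommandLine", "")}
            for ev in events if matches_shadow_copy_deletion(ev)]


# Constructed sample telemetry (not real events). The parent binary name is invented;
# its --enable-shares switch mirrors the LostTrust argument described above.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentCommandLine": r"C:\Users\Public\encryptor.exe --enable-shares"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
     "ParentCommandLine": "explorer.exe"},
    # benign: listing shadow copies contains no "delete" and must not fire
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows", "ParentCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Note that selection3 fires on any vssadmin resize shadowstorage that sets /MaxSize=, not only "unbounded": shrinking the storage area is enough to purge old copies, so the rule treats every resize as suspicious and leaves the administrator case to the falsepositives list.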

STRATEGIC RECOMMENDATIONS

  • Implement strong security controls, including encryption, authentication, and access credential configuration, for access to critical systems in your cloud and on-premises environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Loader
Objective: Malware Implant, Data Theft and Remote Access
Target Technology: Windows OS, Browsers, Messaging Applications, VPN

Active Malware of the Week

This week “BunnyLoader” is trending.

BunnyLoader

Researchers have identified and disclosed a new C/C++-based malware-as-a-service (MaaS) threat called BunnyLoader, currently advertised for sale on various cybercrime underground forums at a price of $250. It offers multiple functionalities, including downloading and executing a second-stage payload and stealing browser credentials and system information. BunnyLoader employs a keylogger to log keystrokes as well as a clipper that monitors the victim’s clipboard and replaces cryptocurrency wallet addresses with actor-controlled ones. After gathering the information, BunnyLoader compresses the data into a ZIP archive and transmits it to a command-and-control (C2) server.

Attack Strategy

Researchers have analysed a BunnyLoader malware sample, and upon its execution, the loader performs the following actions:

  • Creates a new registry value named “Spyware_Blocker” in the Run registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) whose data is the path to the BunnyLoader binary. This registry value allows BunnyLoader to maintain persistence on the machine.
  • Hides its window using ShowWindow() with nCmdShow set to SW_HIDE.
  • Creates a mutex named “BunnyLoader_MUTEXCONTROL” via CreateMutexW().
  • Performs the following anti-VM and anti-sandbox checks:
    • Checks for the following loaded modules (and one exported function):
      • SxIn.dll – 360 Total Security
      • cmdvrt32.dll / cmdvrt64.dll – Comodo Antivirus
      • wine_get_unix_file_name – detects Wine
      • SbieDll.dll – Sandboxie
    • Checks for a VM using WMI queries against “ROOT\CIMV2”:
      • SELECT * FROM Win32_VideoController
      • Win32_Processor
      • Win32_NetworkAdapter
      • Win32_BIOS
      • SELECT * FROM Win32_ComputerSystem
    • Checks for a Docker container via “/proc/1/cgroup”; if the container exists, BunnyLoader does not perform further malicious actions.
    • Checks for the following blacklisted sandbox usernames:
      • ANYRUN
      • Sandbox
      • Test
      • John Doe
      • Abby
      • Timmy
      • Maltest
      • malware
      • Emily
      • Timmy
      • Paul Jones
      • CurrentUser
      • IT-ADMIN
      • Walker
      • Lisa
      • WDAGUtilityAccount
      • Virus
      • fred

If a sandbox is identified, BunnyLoader throws the following error message:

“The version of this file is not compatible with the current version of Windows you are running. Check your computer’s system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

Otherwise, BunnyLoader performs an HTTP registration request to a C2 server.

Task Execution

Following registration, BunnyLoader sends a task request to the C2 server “http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=” with the user agent specified as “BunnyTasks.” The response to the task request includes the “ID,” “Name,” and “Params.” In this context, the “Name” represents the module (functionality) to be executed, and the “Params” denote the parameters passed to the module. BunnyLoader subsequently carries out actions based on the received module name in the task response.

BunnyLoader is designed to execute various tasks, such as:

  • Trojan Downloader
  • Download and Execute (Fileless Execution)
  • Download and Execute (Disk Execution)
  • Intruder
  • Run Keylogger
  • Run Stealer
  • Clipper
    • Bitcoin
    • Monero
    • Ethereum
    • Litecoin
    • Dogecoin
    • ZCash
    • Tether
  • Remote Command Execution

Download and Execute Task

BunnyLoader has two download-and-execute functions. The first downloads a file from a C2-provided URL, saves it in the AppData\Local directory, and executes it. The second is fileless: it creates a suspended “notepad.exe” process, downloads the payload with the user agent “BunnyLoader_Dropper” into a memory buffer, and uses Process Hollowing to inject the payload into the suspended “notepad.exe” process. Upon task completion, BunnyLoader sends a task completion request with the user agent “TaskCompleted” and the Task ID as the CommandID.

Run Keylogger Task

BunnyLoader employs a simple keylogger utilizing GetAsyncKeyState() to log keystrokes, with the logged data stored in the file “C:\Users\<username>\AppData\Local\Keystrokes.txt.”

Run Stealer Task

BunnyStealer is the stealer module, designed to extract diverse data from web browsers, cryptocurrency wallets, VPN clients, and messaging applications. The harvested information is stored in the “BunnyLogs” folder within the AppData\Local directory, compressed into a ZIP archive, and sent to the C2 server. Targeted web browsers include Google Chrome, Yandex, Vivaldi, Microsoft Edge, Brave Browser, and others; from these, BunnyLoader steals AutoFill data, credit card details, downloads, browsing history, and passwords. It also targets cryptocurrency wallets such as Armory, Ethereum, Jaxx, Exodus, Coinomi, and Electrum, steals credentials from VPN clients like ProtonVPN and OpenVPN, and extracts information from messaging applications like Skype, Tox, Signal, Element, and ICQ. This breadth of data theft underscores the malware’s intent to compromise a wide range of sensitive information sources.

Clipper Task

BunnyLoader’s clipper module scans a victim’s clipboard for cryptocurrency addresses and substitutes them with a wallet address under the threat actor’s control. The replacement addresses are obtained from the C2 server. The targeted cryptocurrencies include:

  • Bitcoin
  • Monero
  • Ethereum
  • Litecoin
  • Dogecoin
  • ZCash
  • Tether
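A defender-side check for the clipper behaviour just described, added here as an example and not code from CYFIRMA or from BunnyLoader itself. It also serves the tactical recommendation later in this section that wallet users compare the copied and pasted address: the same comparison, automated, is what a clipboard monitor can do on the user’s behalf. The clipper pattern is “a wallet address is overwritten by a different address of the same currency, by a different process, within a short window”; the monitor event format (t in seconds, process owning the clipboard at write time, content), the process name “payload.exe”, the sample addresses, and the window length are all assumptions. The regexes check address format only and do not validate checksums.

```python
"""Clipboard-swap detection for the clipper technique described above (added
example; not CYFIRMA's code and not BunnyLoader's).

Assumptions: a clipboard monitor supplies events as dicts with keys t (seconds),
process (clipboard owner at write time) and content; the address patterns are
format checks only, not checksum validation."""

import re
from typing import Dict, List, Optional

# Format-only patterns for the currencies the clipper targets (no checksum validation).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),              # ERC-20 Tether uses the same form
    "LTC": re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[ac-hj-np-z02-9]{8,87})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "ZEC": re.compile(r"^t[13][1-9A-HJ-NP-Za-km-z]{33}$"),  # transparent addresses only
    "USDT-TRC20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the currency label whose pattern the text matches, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def detect_clipboard_swaps(events: List[Dict[str, object]],
                           window_s: float = 2.0) -> List[Dict[str, object]]:
    """Flag consecutive clipboard writes where one wallet address is replaced by a
    different address of the same coin, by a different process, within window_s."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        coin = classify_address(str(prev["content"]))
        if coin is None or classify_address(str(cur["content"])) != coin:
            continue                    # not an address-for-address replacement
        if prev["content"] == cur["content"]:
            continue                    # identical content: nothing was swapped
        if cur["process"] == prev["process"]:
            continue                    # the user re-copied from the same app
        delay = float(cur["t"]) - float(prev["t"])
        if delay > window_s:
            continue                    # too slow for a clipper reacting to a copy
        swaps.append({"coin": coin, "original": prev["content"],
                      "replacement": cur["content"], "writer": cur["process"],
                      "delay_s": round(delay, 3)})
    return swaps


# Constructed addresses and events (not real wallets, not real telemetry).
VICTIM_BTC = "1DefangedAddrConstructedForTest12"
ATTACKER_BTC = "3AttackerConstructedAddr4test5678X"
VICTIM_ETH = "0x0123456789abcdef0123456789abcdef01234567"
ATTACKER_ETH = "0x" + "deadbeef" * 5

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"t": 0.0, "process": "chrome.exe", "content": VICTIM_BTC},     # user copies a payee address
    {"t": 0.3, "process": "payload.exe", "content": ATTACKER_BTC},  # clipper overwrites it
    {"t": 30.0, "process": "notepad.exe", "content": "meeting at 3pm"},
    {"t": 45.0, "process": "chrome.exe", "content": VICTIM_ETH},
    {"t": 45.4, "process": "payload.exe", "content": ATTACKER_ETH},
    # user later copies a different ETH address from the same app: same owner, not a swap
    {"t": 90.0, "process": "chrome.exe", "content": "0x" + "ab" * 20},
]

if __name__ == "__main__":
    for swap in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(swap)
```

The owner-process check matters more than the timing: a user who copies two addresses in a row from the same wallet page produces the same “two different addresses of one coin” sequence, and only the writer identity separates that from a clipper running in another process.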

Remote Command Execution Task

BunnyLoader carries out remote command execution via the C2 panel, receiving commands through an “echoer” request to the C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent set as “BunnyTasks.” The malware parses the response, executing commands like “help,” “cd,” and “pwd” using _popen. The command output is then sent to the C2 server as the “&value=” parameter in a result command request (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent “BunnyShell.” Additionally, BunnyLoader sends a heartbeat request with the user agent “HeartBeat_Sender” to inform the C2 that the infected system is online.
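The C2 exchange described in the Task Execution, Download and Execute, and Remote Command Execution sections yields a compact set of network indicators: the C2 address, the /Bunny/TaskHandler.php, /Bunny/Echoer.php and /Bunny/ResultCMD.php endpoints, and the bot’s hard-coded User-Agent strings. The following is an added example of turning those into a proxy-log detection; it is not CYFIRMA’s code. The tab-separated log format (timestamp, client IP, method, URL, User-Agent), the sample lines, the heartbeat path and the second-stage download URL are assumptions: the report gives only the heartbeat’s User-Agent, so that line shows detection by User-Agent alone.

```python
"""Detection of BunnyLoader C2 traffic in HTTP proxy logs (added example,
not CYFIRMA's or the malware author's code).

Indicators are the ones named in the analysis above: the C2 address
37.139.129.145, the /Bunny/TaskHandler.php, /Bunny/Echoer.php and
/Bunny/ResultCMD.php endpoints, and the bot's fixed User-Agent strings.
The log format is an assumption: one tab-separated record per request with
timestamp, client IP, method, full URL and User-Agent."""

from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

C2_HOSTS = {"37.139.129.145"}
C2_PATHS = {"/bunny/taskhandler.php", "/bunny/echoer.php", "/bunny/resultcmd.php"}
BOT_USER_AGENTS = {"BunnyTasks", "BunnyLoader_Dropper", "TaskCompleted",
                   "BunnyShell", "HeartBeat_Sender"}


def classify_request(src_ip: str, url: str, user_agent: str) -> Optional[Dict[str, object]]:
    """Return an alert dict when the request carries any BunnyLoader indicator, else None.
    Each signal is reported separately so an analyst can see which ones fired."""
    parts = urlsplit(url)
    reasons: List[str] = []
    if parts.hostname in C2_HOSTS:
        reasons.append("c2_host")
    if parts.path.lower() in C2_PATHS:
        reasons.append("c2_path")
    if user_agent in BOT_USER_AGENTS:      # exact match: the bot hard-codes these strings
        reasons.append("user_agent")
    if not reasons:
        return None
    # BotID travels in the query string; keep it for pivoting across hosts
    bot_id = parse_qs(parts.query).get("BotID", [None])[0]
    return {"src_ip": src_ip, "url": url, "user_agent": user_agent,
            "reasons": reasons, "bot_id": bot_id}


def detect_bunnyloader(log_text: str) -> List[Dict[str, object]]:
    """Parse the (assumed) tab-separated proxy log; return one alert per suspicious request."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue                       # malformed record: skip rather than stop the pipeline
        _ts, src_ip, _method, url, ua = fields
        alert = classify_request(src_ip, url, ua)
        if alert:
            alerts.append(alert)
    return alerts


def infected_hosts(alerts: List[Dict[str, object]]) -> Set[str]:
    """Client IPs with at least one BunnyLoader indicator."""
    return {str(a["src_ip"]) for a in alerts}


# Constructed log lines (not real traffic). The heartbeat path and the stage-2 URL are
# invented; the dropper line shows a fetch from a non-C2 host caught by User-Agent alone.
SAMPLE_PROXY_LOG = "\n".join([
    "2023-10-03T09:14:02Z\t10.0.4.21\tGET\thttp://37.139.129.145/Bunny/TaskHandler.php?BotID=7F3A\tBunnyTasks",
    "2023-10-03T09:14:05Z\t10.0.4.21\tGET\thttp://37.139.129.145/Bunny/Echoer.php?BotID=7F3A\tBunnyTasks",
    "2023-10-03T09:14:09Z\t10.0.4.21\tPOST\thttp://37.139.129.145/Bunny/ResultCMD.php?BotID=7F3A&value=C%3A%5CUsers\tBunnyShell",
    "2023-10-03T09:15:00Z\t10.0.4.21\tGET\thttp://37.139.129.145/Bunny/Heartbeat.php?BotID=7F3A\tHeartBeat_Sender",
    "2023-10-03T09:15:31Z\t10.0.4.37\tGET\thttps://www.example.com/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2023-10-03T09:16:10Z\t10.0.4.21\tGET\thttp://cdn.example.net/stage2.bin\tBunnyLoader_Dropper",
])

if __name__ == "__main__":
    found = detect_bunnyloader(SAMPLE_PROXY_LOG)
    for a in found:
        print(a["src_ip"], a["reasons"], a["bot_id"], a["url"])
    print("hosts to isolate:", infected_hosts(found))
```

The User-Agent match is the most durable of the three signals: the C2 IP will change between campaigns and the PHP endpoints can be renamed, whereas the bot’s User-Agent strings are compiled into the sample and also tag the second-stage download, which may come from an unrelated host.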

C2 Panel

The BunnyLoader C2 panel displays a range of tasks, encompassing the download and execution of additional malware, keylogging, credential theft, clipboard manipulation for cryptocurrency theft, and remote command execution on infected machines. The panel includes parameters for download URLs and cryptocurrency wallet addresses.

Furthermore, it offers statistics on infections, total connected/disconnected clients, active tasks, and stealer logs, with the capability to clear information. Notably, the C2 panel allows remote control of infected machines.

INSIGHTS

  • BunnyLoader, as highlighted in its advertisement, presents a formidable threat: a C/C++ code base, a fileless loader for in-memory execution of additional malware stages, combined stealer and clipper capabilities, remote command execution, and anti-analysis techniques for resilience. These features are complemented by a web panel that provides insights into stealer logs, total clients, active tasks, and more. All of this is available for a one-time purchase price of $250.
  • BunnyLoader, initially released on September 4, 2023, has evolved swiftly, with continuous updates through September 27, 2023. The progression includes bug fixes, C2 panel enhancements, and new pricing tiers. Notable features introduced range from AV evasion and credit card recovery to a keylogger, anti-sandbox techniques, and game recovery. Version 2.0, released on September 27, 2023, introduces critical fixes, GUI changes, and advanced anti-analysis features. The pricing structure has also evolved, offering options such as Payload and Payload + Stub at $250 and $350, respectively.
  • BunnyLoader’s affordability, coupled with its quick development cycle, positions it as an enticing option for cybercriminals seeking cost-effective opportunities in emerging malware projects. The appeal lies in securing budget-friendly tooling before such projects become widely known and potentially see a price hike.

ETLM ASSESSMENT

  • From the ETLM perspective, CYFIRMA believes that the BunnyLoader, a recent Malware-as-a-Service (MaaS) threat, is constantly adapting its strategies and incorporating fresh functionalities to effectively execute campaigns against its targets. CYFIRMA expects this trend to persist, and given the observed frequency of BunnyLoader, researchers anticipate encountering new variants in the future.
  • In the future, BunnyLoader’s evolution and potential development of new variants may intensify challenges for organizations in detecting and countering this malware. The anticipated impact includes an increased risk of sensitive data, credentials, and cryptocurrency wallet theft, posing a direct threat to organizational confidentiality and integrity. Concerns also arise about BunnyLoader enabling remote control, heightening the potential for unauthorized access and exploitation of organizational resources. As cyber threats evolve, organizations are likely to encounter growing complexities in safeguarding their data and networks against emerging iterations of BunnyLoader.

Indicators of Compromise

Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Block exploit-like behaviour. Monitor endpoint memory for the behavioural patterns typical of exploitation, including unusual process handle requests. These patterns are common to most exploits, whether known or new, so identifying them provides effective protection against zero-day and critical exploits.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Secure your organization’s internet-facing assets with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.
  • Enable security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Crypto wallet users should:
    • Copy and paste a crypto wallet address, and always double check that the original and pasted addresses match.
    • Before sending large amounts in crypto, first send a probe “test” transaction with a minimal amount.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – 8Base Ransomware | Malware – BunnyLoader
  • 8Base Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
    • Malware – BunnyLoader
  • Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Iranian Advanced Persistent Threat Group APT34 Deployed New Malware Named Menorah

  • Threat Actors: APT34 aka OilRig
  • Attack Type: Spear Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Saudi Arabia
  • Target Industries: Unknown
  • Business Impact: Operational Disruption

Summary:
In a recent observation, a new malware linked to the Iran-based APT34 advanced persistent threat group was detected behind a phishing attack. APT34, a sophisticated cyberespionage group, specializes in targeting Middle Eastern organizations, engaging in spear phishing campaigns, and employing advanced techniques for network access. The malware, named Menorah, was discovered in a document used during the targeted attack. Menorah was designed for cyberespionage, with capabilities to identify, read, and upload files from the infected machine, as well as download additional files or malware. The victim of this attack was likely an organization in Saudi Arabia, as indicated by pricing information in Saudi Riyal found in the document.

The infection process involves a malicious document that, when opened by the victim, drops Menorah and creates a scheduled task for persistence. Menorah, written in .NET, possesses various capabilities including fingerprinting the target system, listing directories and files, uploading selected files, executing shell commands, and downloading files. Compared to the previous variant, the new SideTwist variant employed by APT34 uses additional techniques to hide its communication with the command-and-control server. The malware checks for specific arguments during execution to ensure its operations run smoothly, terminating if it detects an analysis environment.

The C&C server used by the malware was inactive during analysis, but the malware was observed to be capable of executing commands, listing files, and uploading/downloading specific files based on instructions received from the server. Menorah shares significant similarities with the SideTwist backdoor, particularly in how the two fingerprint compromised systems and communicate with the C&C server.

Relevancy & Insights:
APT34 first used the SideTwist malware in 2021, and it has since been employed against various targets. The threat actor appears to have modified it to evade detection. This suggests that the tooling behind the successful SideTwist attacks, now evolved into the Menorah malware, remains in use because of its track record.

ETLM Assessment:
APT34 aka OilRig, a threat group believed to have roots in Iran, has been directing its cyber operations towards Middle Eastern and global targets since at least 2014. Its focus spans diverse industries such as finance, government, energy, chemicals, and telecommunications, predominantly within the Middle East. CYFIRMA assesses the group will persist in its activities, driven by the objective of advancing Iranian interests against countries with which Iran has strained relations. The adaptation and modification of its malware strongly indicates an intention to conduct future attacks, with the potential for further improvements to its existing arsenal of malicious tools.

Recommendations:

  • Employ continuous monitoring and threat intelligence services to stay informed about emerging threats and vulnerabilities.
  • Monitor network traffic and system logs for any unusual activities and respond promptly to potential incidents.
  • Enforce strict access controls and implement the principle of least privilege, ensuring that employees only have access to the resources necessary for their job functions
  • Employ strong authentication methods, including multi-factor authentication, to protect sensitive accounts and data.
  • Deploy advanced security solutions like firewalls, intrusion detection/prevention systems, and endpoint protection to safeguard against malware and phishing attacks.
  • Regularly update and patch all software and systems to address known vulnerabilities.
  • Implement robust email filtering and anti-phishing solutions to detect and block malicious emails before they reach users’ inboxes.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

The U.S. and Japan warn of Chinese hackers’ activity
The US and Japanese security and intelligence agencies issued a Joint Cybersecurity Advisory warning of BlackTech, an industrial espionage activity cluster operated by China. The Chinese threat actor exploits security weaknesses in everyday networking equipment and has shown advanced abilities to modify router firmware to stay undetected and to abuse routers’ domain-trust relationships. According to the joint advisory, BlackTech often compromises subsidiary networks to gain access to more sensitive targets, including government agencies, defense companies, and telecommunications firms in Japan, the U.S., and countries in East Asia. In January 2023, the U.S. and Japan signed an agreement updating their operational collaboration on cybersecurity issues and enhancing the cybersecurity of industrial control systems, while Japan is rearranging its security posture in response to the threat from an increasingly assertive China.

ETLM Assessment:
The Asia–Pacific region is host to the most prolific users of cyber as a tool of statecraft, with China being by far the largest state sponsor of cyber-attacks in the world. Many of the tensions in the region, and with extra-regional powers like the U.S., have the potential to escalate into conflict. CYFIRMA assesses that any future conflict is likely to begin in cyberspace. The goal of BlackTech’s collection has for the most part been the acquisition of intellectual property, as part of an ongoing, massive Chinese state-driven industrial espionage programme.

North Korean hackers targeting Spanish aerospace firm
According to analysts, North Korean hackers connected to the infamous Lazarus Group have successfully targeted a Spanish aerospace company with a sophisticated campaign. Employees of the unnamed company were sent messages on LinkedIn from a fake Meta recruiter and tricked into opening malicious files that purported to be coding quizzes or challenges as part of a bogus hiring process. When opened, the files infected the victim’s device with a backdoor that would allow the hackers to exfiltrate data.

ETLM Assessment:
Pyongyang is working to develop a robust nuclear triad: land-launched stationary and mobile missiles, submarine-launched missiles, and aircraft-launched missiles, although all three vectors remain underdeveloped because of the limited resources available to the North Korean regime. Because such development is very difficult without external expertise, and the sanctioned country has little access to outside help, the regime is increasingly turning to cyber espionage to gain access to dual-use and military technologies, especially in the maritime and aerospace domains. This activity by North Korean hackers has been on the rise, and similar incidents are to be expected in the future. The technique used in the current attacks appears to follow the same line as the Operation Dream Job campaign launched by the threat actor a year earlier.

Rise in Malware/Ransomware and Phishing

Ted Pella Inc is Impacted by 8Base Ransomware

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: 8Base Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the United States of America (www[.]tedpella[.]com) was compromised by 8Base Ransomware. Ted Pella Inc manufactures and markets tools, consumables, and equipment for microscopy and nanotechnology applications, offering transmission and scanning electron, atomic force, confocal laser, and light microscopy products. The stolen data itself has not been published on the 8Base Ransomware leak site as of now; according to the listing, the compromised data includes invoices, receipts, accounting records, personal information, certificates, employment agreements, confidential agreements, personal documents, and a substantial volume of other confidential and sensitive information.

Screenshot of the leak site listing, as observed published on the dark web (Source: Dark Web).

Relevancy & Insights:

  • The 8Base group’s identity, methods, and motivations largely remain a mystery. However, based on its leak site and public accounts, along with the group’s communications, researchers think the group’s verbal style is quite similar to that of RansomHouse; a group that typically purchases already compromised data or works with data leak sites to extort victims. This has led to speculation that 8Base may be an offshoot of RansomHouse.
  • 8Base uses a variety of ransomware strains, including a variant known as Phobos. The group has customized Phobos by appending ‘.8base’ to their encrypted files, but the format of the entire appended portion remains the same as Phobos, which includes an ID section, an email address, and then the file extension. This suggests that 8Base is leveraging Ransomware-as-a-Service (RaaS) offerings, a common practice among ransomware groups.
  • Chart: Top 5 target countries, based on the 8Base Ransomware victim list in 2023.
  • Chart: Top 10 industries most affected by 8Base Ransomware.

ETLM Assessment:
CYFIRMA’s assessment remains unchanged: we anticipate 8Base Ransomware will continue to focus its targeting on American businesses and subsidiaries that hold large amounts of PII. However, recent incidents like the attack on Ted Pella Inc. highlight that even well-known manufacturing companies are vulnerable to potential targeting.

Vulnerabilities and Exploits

Vulnerability in Arm Mali GPU Kernel Drivers

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Arm Mali GPU kernel driver
  • Vulnerability: CVE-2023-4211 (CVSS Base Score 5.5)
  • Vulnerability Type: Use After Free

Summary:
The vulnerability allows a local application to escalate privileges on the system.

Relevancy & Insights:
The vulnerability exists due to a use-after-free error within Mali GPU Kernel Driver.

Impact :
A local application can trigger memory corruption and execute arbitrary code with elevated privileges.

Affected Products:
https[:]//developer[.]arm[.]com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

Recommendations:

  • Patching: apply the fixed Mali GPU kernel driver versions listed in the Arm advisory above, or the corresponding update from the device or SoC vendor; a local use-after-free is only mitigated once the driver is replaced.
  • Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

    TOP 5 AFFECTED PRODUCTS OF THE WEEK
    This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 products most affected.

    Latest Cyber-Attacks, Incidents, and Breaches

    The British royal family’s website experienced disruption due to a DDoS attack

    • Threat Actors: Killnet
    • Attack Type: DDoS
    • Objective: Operational Disruption
    • Target Technology: Web Application
    • Target Geographies: United Kingdom
    • Business Impact: Operational Disruption

    Summary:
    On Sunday, the website of the British royal family suffered an outage lasting over an hour, attributed to a distributed denial-of-service attack carried out by the hacktivist group Killnet, which is associated with pro-Russia activities. Killnet claimed that it launched the DDoS intrusion as part of its “attack on paedophiles,” in reference to allegations of sexual abuse of a minor involving Prince Andrew, Duke of York. However, the attack also came days after King Charles III expressed support for Ukraine amid its ongoing war with Russia. The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center has previously identified Killnet as a group that has shown a tendency to target nations aligned with Ukraine, particularly NATO members. While Killnet’s connections to official Russian government entities like the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) remain unverified, it is prudent to regard the group as a potential threat to government and critical infrastructure entities, including healthcare.

    Relevancy & Insights:
    The British royal family’s website experienced disruption for over an hour due to a distributed denial-of-service (DDoS) attack conducted by the hacktivist group Killnet. The timing of the attack is notable, occurring shortly after King Charles III expressed support for Ukraine during its ongoing conflict with Russia.

    ETLM Assessment:
    Based on CYFIRMA’s analysis, it is anticipated that the British royal family’s website is at risk of continued DDoS attacks, and the severity of these attacks could increase. This escalation could result in significant operational disruptions, leading to substantial reputational damage. The Royal Family’s continued support for Ukraine and the media attention surrounding the DDoS attacks could embolden the threat actors to continue their attacks.

    Data Leaks

    BANK SYARIAH INDONESIA Data Advertised in Leak Site

    • Attack Type: Data Leaks
    • Target Industry: Banking
    • Target Geography: Indonesia
    • Objective: Data Theft, Financial Gains
    • Business Impact: Data Loss, Reputational Damage

    Summary:
    CYFIRMA Research team observed a potential data leak related to BANK SYARIAH INDONESIA, {www[.]bankbsi[.]co[.]id}. Bank Syariah Indonesia is a state-owned Islamic bank in Indonesia. The bank was officially founded on 1 February 2021 as a result of the merger between state-owned Sharia banks. The exposed data comprises ID, Name, MSISDN, IMEI, Activation Code, Registration Information, User Level, Creation Date, Email, Last Access, Access Count Platform, Version, Permanent Block Status, Type, and various other confidential details.

    Source: Underground forums

    Relevancy & Insights:
    Cybercriminals driven by financial incentives are constantly searching for unprotected and weakly defended systems and software applications. Most of these malicious actors are active within hidden online communities, where they participate in discussions related to cybercrime and trade stolen digital assets. Unlike other financially motivated groups, such as ransomware or extortion gangs, who often publicize their attacks, these cybercriminals prefer to remain discreet. They gain unauthorized access and pilfer valuable information by capitalizing on unpatched systems or exploiting vulnerabilities in software or hardware. Subsequently, they advertise the stolen data on underground forums, where it is either resold or repurposed by other attackers for their own nefarious purposes.

    ETLM Assessment:
    Indonesia consistently maintains its position as one of the primary targets for cybercriminals on a global scale. CYFIRMA’s analysis suggests that Indonesian financial organizations along with other South Asian financial institutions with inadequate security measures and infrastructure remain exposed to an elevated risk of potential cyberattacks.

    Other Observations

    CYFIRMA Research team observed a potential data leak related to the Supreme Court of Indonesia, {www[.]mahkamahagung[.]go[.]id}. The Supreme Court of the Republic of Indonesia (Indonesian: Mahkamah Agung Republik Indonesia) is the independent judicial arm of the state. It maintains a system of courts, sits above the other courts, and is the final court of appeal. It can also re-examine cases if new evidence emerges. The compromised dataset comprises confidential and sensitive information stored in SQL format, with a combined data volume of 1.68 gigabytes.

    Source: Underground forums

    STRATEGIC RECOMMENDATIONS

    • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
    • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
    • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
    • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
    • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

    MANAGEMENT RECOMMENDATIONS

    • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
    • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
    • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
    • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
    • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

    TACTICAL RECOMMENDATIONS

    • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
    • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
    • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
    • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
    • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
    • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.