Self Assessment

Weekly Intelligence Report – 07 Apr 2023

Published On : 2023-04-07
Share :
Weekly Intelligence Report – 07 Apr 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Cyber Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption
  • Ransomware – LockBit 3.0 Ransomware | Malware – XLoader
  • LockBit 3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – XLoader
  • Behavior –Most of these malware use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Palestinian APT Arid Viper Targets into their Own Cyber Territory

  • Suspected Threat Actors: Arid Viper aka Mantis
  • Objective: Cyber Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: Palestine
  • Business Impact: Data Theft

Summary:
The Mantis is a Palestinian Cyber-Espionage threat actor known as Arid Viper, Desert Falcon, and APT-C-23 active since 2014. The threat actor has a history of targeting the Middle Eastern region and Israel. The threat actor is known for attacking via spear phishing and luring victims through fake social media profiles into installing or executing malware. In past campaigns, the threat actor has used its customized Micropsia and Arid Gopher backdoor.

Recently, it was observed that the threat actor ran a campaign that started the previous year in September. Attack type and the target are however still unknown. What we know so far is that the attackers utilized three different versions of a toolset to target three separate groups of computers. This indicates that the attackers segmented the attack in this manner as a precautionary measure. By utilizing different variants of the same toolset, the attackers were able to ensure that even if one toolset was discovered, they would still maintain a persistent presence on the targeted network.

On the 18th of December 2022, the first indicator was discovered. The attacker deployed an obfuscated 32-bit PowerShell command stager which fetched and executed another stage from a C&C server. Then it used Certutil and BITSAdmin to dump credentials before downloading the Micropsia backdoor. Between December 22nd and January 2nd, 2023, the Arid Gopher backdoor was used by Micropsia to infect three computers. Once infected, Arid Gopher executed a persistence tool called SetRegRunKey.exe and ran an unfamiliar file named localsecuritypolicy.exe. On December 28th, Micropsia spread to three more computers, using the windowspackages.exe tool. Later, on December 31st, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and networkuefidiagsbootserver.exe. The attackers then replaced their version of Arid Gopher with a new variant on January 2nd. Two days later, on January 4th, Micropsia was responsible for executing two unknown files – hostupbroker.exe and exfiltration of a RAR file.

Insights:
The threat actor targeting assets in their own country raises hints about countering the internal threat that may be in its initial stage, or the asset may be indulged with activities that are helping external threats which are again against the national interest of Palestine.

Micropsia is an implant that takes on different forms, such as Delphi, Python, and Android. Mantis using it and upgrading its functionality shows signs of not backing down and making it hard for adversaries to detect it. Also, it is visible from their previous campaign, most of the campaigns were undetected until the malicious job was finished.

Major Geopolitical Developments in Cybersecurity

Russian cyber auxiliaries attack German ministry

The Russian hacktivist group Killnet has attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. According to the German Ministry for Economic Cooperation, the attack started right after the website went up and continued for a week in the form of distributed denial-of-service (DDoS) attack. According to German authorities, similar action has been expected and the attack has been successfully repelled.

China Launches AI research Initiative

China’s Ministry of Science and Technology (MOST) and National Natural Science Foundation (NSFC) jointly launched “Artificial Intelligence for Science,” an initiative to promote the integration of artificial intelligence (AI) into key science and technology fields, including drug development and gene research. According to the plan, the institutions have committed to developing cutting-edge AI models and algorithms and are working to build a “national open innovation platform for the new generation of AI public computing power,” among other strategies for promoting AI’s use in scientific research. The initiative’s debut coincides with the country’s goal of becoming a “global leader” in the field by 2030, which has shifted the focus of Chinese policy toward technological advancement to AI. CYFIRMA analysts have previously reported on the danger of the use of AI in creating malware and based on China’s past behavior it is reasonable to assume some AI research will be aimed at the development of cyber weapons, especially given the fact that China is using the cyber realm as a vital part of her statecraft toolkit.

Russian military contractor leak paints a picture of Russian cyber capabilities

It has been revealed that NTC Vulkan, a Moscow-based IT consultancy, is a significant contractor to all three of the main Russian intelligence agencies, the GRU, the SVR, and the FSB. The creation of tools for cyberattacks is Vulkan’s area of expertise, which has been revealed in a leak of over 1,000 classified documents, including 5,299 pages of project plans, orders, and internal emails from Vulkan from 2016 to 2021.

The documents offer a special glimpse into the depths of Russian cyberwarfare plans despite being entirely in Russian and being of a highly technical nature. The militarized nation, in addition to classic military tools, also heavily utilizes hackers and software in combat. According to the so-called Vulkan papers, the business supports a wide variety of offensive cyber operations. Its services and goods cover disinformation, disruptive attacks meant to damage infrastructure but also acts of espionage. The business also trains its clients in the use of security and intelligence systems. According to Western media, a disgruntled insider who opposes Mr. Putin’s conflict with Ukraine is to blame for the leaks.

Vulkan developed at least three systems for Russian operators. First, Amesit, a mapping system to support and gather data for information warfare operations and cyberattacks against critical infrastructure. Second, Krystal-2B, a training system for practicing attacks on transportation and utility systems, and third, Scan – a platform for vulnerability detection and data collection. Some systems appear to have been deployed multiple times, including as part of Russia’s efforts to influence the result of the 2016 US presidential elections, though experts are unsure whether some of the systems are for practice or could enable an attack on vital infrastructure.

Other Observations

CYFIRMA Research team observed Virgin Mobile Mexico – Admin Access System advertised for sale by a Korean-based threat actor for USD 300.


Source: Telegram

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.