Self Assessment

Weekly Intelligence Report – 07 June 2024

Published On : 2024-06-07
Share :
Weekly Intelligence Report – 07 June 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

CYFIRMA Research and Advisory Team has found Nett Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Nett Ransomware
By the end of May 2024, researchers uncovered a new malicious program named Nett, a variant within the MedusaLocker ransomware family. This ransomware, once activated, encrypts files and appends a “.nett” extension to their names. Upon completing the encryption process, it generates a ransom note in an HTML file titled “Recovery_Instructions.html.” Analysis of this message indicates that Nett specifically targets businesses, rather than individual home users.

Screenshot of files encrypted by ransomware (Source: Surface Web)

The appearance of Nett ransomware’s ransom note “Recovery_Instructions.html” (Source: Surface Web)

Nett’s ransom note informs the victim that their company’s network has been compromised, and files have been encrypted using RSA and AES cryptographic algorithms. The message cautions against renaming or modifying the encrypted files or using third-party recovery software, as these actions could result in permanent data loss.

Additionally, the note reveals that sensitive data has been stolen from the network. The attackers demand payment, threatening to increase the ransom amount if there is no contact within 72 hours. Threat actors stated that the stolen data will be leaked or sold if the victim refuses to pay.

Following are the TTPs based on the MITRE Attack Framework

Sr. No Tactics Techniques/ Sub-Techniques
1 TA0001:Initial Access T1091: Replication Through Removable Media
2 TA0002: Execution T1053: Scheduled Task/Job
3 TA0003: Persistence T1053:Scheduled Task/Job
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1574.002: Hijack Execution Flow: DLL Side-
TA0004:Privilege Escalation
T1053:Scheduled Task/Job
T1547.001: Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder
T1574.002: Hijack Execution Flow: DLL Side – Loading
5 TA0005:Defense Evasion T1027.002: Obfuscated Files or Information: Software Packing
T1070.004: Indicator Removal: File Deletion
T1497:Virtualization/Sandbox Evasion
T1562.001: Impair Defenses: Disable or Modify Tools
T1574.002: Hijack Execution Flow: DLL Side – Loading
6 TA0006: Credential Access T1056: Input Capture
7 TA0007: Discovery T1012: Query Registry
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1120: Peripheral Device Discovery
T1497:Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
8 TA0008:Lateral Movement T1080: Taint Shared Content
T1091: Replication Through Removable Media
9 TA0009: Collection T1056: Input Capture
10 TA0011: Command and Control T1071: Application Layer Protocol
T1573: Encrypted Channel
11 TA0040:Impact T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The initial access vector for this variant of MedusaLocker ransomware remains unknown. However, past instances indicate that MedusaLocker actors commonly exploit vulnerable Remote Desktop Protocol (RDP) configurations or utilize email phishing and spam campaigns, often attaching the ransomware directly to emails, to gain access to victim devices.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.

ETLM Assessment:
CYFIRMA’s analysis, based on available data, shows that MedusaLocker ransomware has been actively targeting a wide range of sectors—including healthcare, finance, and IT services—since 2019. Projections suggest that Nett, a sophisticated variant of MedusaLocker, will employ advanced evasion techniques to broaden its impact on individuals and businesses. This new variant is likely to continue targeting major industries worldwide. Therefore, maintaining vigilance and implementing robust cybersecurity measures are crucial to mitigate these threats effectively.

Sigma Rule
title: MedusaLocker threatname: MedusaLocker behaviorgroup: 15
classification: 0 mitreattack:
product: windows category: registry_event
detection: selection:
EventID: 13 TargetObject:
– ‘*\Software\MDSLK*Self*’ condition: selection
level: critical
(Source: Surface web)

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Trojan
Objective: Credentials Stealing & Sensitive Data Harvesting
Target Technology: Android OS
Target Industries: Banks
Target Geographies: US, UK, Germany, Spain, Finland, South Korea, and Singapore

Active Malware of the Week
This week “Anatsa” is trending.

Researchers identified the Anatsa malware (also known as TeaBot) as a known Android banking malware. Initially targeting financial institutions in Europe, it has recently been focusing on banking apps in the US and UK. Current observations indicate that threat actors have expanded their targets to include banking applications in Germany, Spain, Finland, South Korea, and Singapore. This advanced malware uses dropper applications that seem harmless to users, tricking them into unknowingly installing the malicious payload. After installation, Anatsa stealthily extracts sensitive banking credentials and financial information from various global financial apps by employing overlay and accessibility methods to discreetly intercept and gather information.

Distribution Method
Researchers recently discovered two malicious payloads related to Anatsa malware distributed via the Google Play store. These payloads masqueraded as PDF reader and QR code reader apps to attract many users, amassing over 70,000 installations by the time of analysis. The high installation numbers helped deceive victims into believing the apps were legitimate.

Fig: Malicious installers disguised as a legitimate PDF reader and QR code reader in the Google Play store.

Technical Analysis
Anatsa employs remote payloads fetched from C2 servers for additional malicious operations. The dropper app displays encoded links to these servers, from which the subsequent stage payload is downloaded. Alongside downloading the payload, the malware fetches a configuration file from the remote server to execute the next-stage payload.

The DEX file is then downloaded and loaded by the parent fake QR code application. Using reflection, the application invokes code from the loaded DEX file, with the necessary configuration obtained from the control server. After the next stage, the payload is downloaded, and Anatsa conducts checks for the device environment and type, likely to identify analysis environments and malware sandboxes.

Upon successful verification, it proceeds to download the third stage and final payload from the remote server. In this campaign, Anatsa malware injected uncompressed raw manifest data into the APK, intentionally corrupting compression parameters in the manifest file to impede analysis. To statically analyze the payload, the ZIP file headers must be fixed alongside the compressed data.

After loading the APK, the malware requests various permissions, including SMS and accessibility options, commonly associated with mobile banking trojans. The final DEX payload is concealed within asset files. During runtime, the payload decrypts the DEX file using a static key embedded within the code.

Upon execution, Anatsa decodes all encoded strings, including those for C2 communication. It establishes contact with the C2 server to register the infected device and retrieve a list of targeted applications for code injections. To steal data from financial applications, Anatsa downloads a target list of financial application package names and scans the victim’s device to check for installed targets. When it identifies a targeted application, Anatsa informs the C2 server, which responds with a fake login page for the banking application. This fake login page is loaded within a JavaScript Interface (JSI) enabled webview to deceive users into entering their banking credentials. Once the credentials are entered, the data is sent back to the C2 server.


  • The emergence of recent campaigns featuring the Anatsa banking trojan underscores the pervasive dangers facing Android users globally, particularly those who inadvertently install these harmful apps from the Google Play store. This highlights the dynamic nature of mobile threats, emphasizing the imperative for organizations to implement preemptive security measures safeguarding their networks and valuable financial information from sophisticated malware assaults like Anatsa, which present significant risks to both financial integrity and user privacy.
  • Anatsa, a sophisticated malware, employs a multi-stage attack strategy to deliver its malicious payloads. Initially, it masquerades within seemingly legitimate applications, often posing as innocuous utilities like PDF readers or QR code scanners. This guise aids in its widespread distribution and its ability to deceive users, leading to a high number of installations. Once installed, Anatsa begins its malicious activities, particularly targeting financial institutions.
  • The presence of Anatsa signifies an ongoing threat to financial institutions, primarily in Europe, with recent expansions targeting banking applications in the US, UK, Germany, Spain, Finland, South Korea, and Singapore. Its utilization of advanced evasion tactics, such as encoding C2 communications and corrupting compression parameters within APK manifests, underscores the challenges faced by security researchers in detecting and combating this sophisticated malware effectively.


  • From the ETLM perspective, CYFIRMA anticipates that the impact of Anatsa on organizations is expected to grow as it continues to evolve and expand its reach. Financial institutions globally will need to be increasingly vigilant as Anatsa’s sophisticated evasion tactics become more advanced, making them harder to detect and combat. Moreover, as reliance on digital transactions continues to increase, attackers will find it easier to trick victims into downloading malicious software or applications. This trend is likely to lead to a rise in fraudulent transactions and the theft of sensitive credentials, posing significant challenges for both individuals and financial institutions alike. Additionally, Anatsa may expand its geographic targets even further, broadening its scope and affecting more regions worldwide, thereby intensifying the need for robust and adaptive cybersecurity measures.
  • Researchers have observed the most commonly exploited application types and the distribution of malware families in the Google Play store.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – 8Base Ransomware, LockBit3.0 Ransomware | Malware –Anatsa
  • 8Base Ransomware – One of the ransomware groups.
  • LockBit3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Anatsa
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

LilacSquid: Emerging APT Targets IT, Energy, and Pharma Sectors Across the Globe

  • Threat Actors: LilacSquid
  • Attack Type: Public-facing Vulnerable Web Applications
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: United States, Europe, Asia
  • Target Industries: Research & Industrial Sectors, Energy Sector, Pharmaceutical Sectors
  • Business Impact: Data Loss, Data exfiltration

Cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States (U.S.), Europe, and Asia as part of a data theft campaign active since at least 2021. LilacSquid’s targets include information technology organizations developing software for the research and industrial sectors in the U.S., the energy sector in Europe, and the pharmaceutical sector in Asia, indicating a broad victimology footprint. The attack chains typically exploit publicly known vulnerabilities in internet-facing application servers or use compromised remote desktop protocol (RDP) credentials to deliver a mix of open- source tools and custom malware.

A distinctive feature of the campaign is the use of MeshAgent, an open-source remote management tool, which serves as a conduit to deliver a bespoke version of QuasarRAT codenamed PurpleInk. When compromising RDP credentials, the threat actors either deploy MeshAgent or a .NET-based loader dubbed InkLoader to drop PurpleInk. Successful RDP logins lead to the download of InkLoader and PurpleInk, with these artifacts copied into desired directories on disk and InkLoader registered as a service to deploy PurpleInk.

Since 2021, LilacSquid has actively developed PurpleInk, a highly obfuscated and adaptable tool. PurpleInk can execute new applications, perform file operations, collect system information, enumerate directories and processes, initiate a remote shell, and connect to specific remote addresses provided by a command-and-control (C2) server. However, recent versions of PurpleInk discovered in 2023 and 2024 have been streamlined, focusing mainly on creating a reverse shell and communicating with a proxy for data transfer. This reduction in features is likely an effort to evade detection. Researchers identified another custom tool called InkBox, previously used by LilacSquid to deploy PurpleInk before switching to InkLoader. The use of MeshAgent in post-compromise playbooks is noteworthy, as this tactic has also been adopted by Andariel, a sub-cluster within the infamous Lazarus Group, in attacks targeting South Korean companies. Additionally, LilacSquid employs tunneling tools like Secure Socket Funneling (SSF) to maintain secondary access, creating communication channels to its infrastructure.

The motive behind these attacks is to maintain long-term access to victim organizations, enabling the ongoing theft of valuable data and potentially facilitating broader supply chain compromises. This strategy mirrors tactics used by other advanced persistent threat groups, highlighting LilacSquid’s capability and intent to operate as a significant threat in the cybersecurity landscape.

Relevancy & Insights:
Believed to be UAT-4820, “LilacSquid” is an advanced persistent threat (APT) actor whose activities reveal a persistent and evolving threat. Various tactics, techniques, tools, and procedures (TTPs) employed in this campaign show significant similarities to those used by North Korean Advanced Persistent Threat (APT) groups, including Andariel and its parent organization, Lazarus.

ETLM Assessment:
LilacSquid, believed to be UAT-4820, is an advanced persistent threat (APT) actor targeting a diverse range of industries across various regions, including information technology organizations developing software for the research and industrial sectors in the U.S., energy sectors in Europe, and pharmaceutical sectors in Asia, indicating a broad victimology footprint. The group typically exploits publicly known vulnerabilities in internet-facing application servers or uses compromised remote desktop protocol (RDP) credentials to infiltrate targets. Their toolkit includes open-source tools like MeshAgent and customized malware such as PurpleInk, along with custom loaders InkLoader and InkBox, and tunneling tools like Secure Socket Funneling (SSF). LilacSquid’s tactics bear similarities to those of North Korean APT groups, such as Andariel, which uses MeshAgent for maintaining access, and Lazarus, which employs SOCKs proxy and tunneling tools alongside custom malware. This overlap in tactics and infrastructure illustrates the serious concern that threat actors are now adopting and integrating techniques from other sophisticated groups to enhance their attacks.


  • Regularly scan and patch internet-facing application servers to mitigate the risk of exploitation through publicly known vulnerabilities. Implement a robust vulnerability management program that prioritizes critical and high-severity vulnerabilities.
  • Disable RDP if not necessary. If RDP is required, use strong, unique passwords and implement multi-factor authentication (MFA). Regularly review and update RDP access policies and monitor for unusual login activities.
  • Deploy and maintain advanced EDR solutions to detect and respond to suspicious activities on endpoints. Ensure these solutions are configured to alert on the usage of dual-use tools like MeshAgent and custom malware such as PurpleInk.
  • Segment critical networks and systems to limit lateral movement in the event of a breach. Implement network access controls and ensure that sensitive data is only accessible to authorized users and systems.

Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russia targets European defense and transportation organizations
Researchers have recently published findings on an espionage campaign attributed to Russia’s military intelligence GRU that deployed a strain of malware called Headlace against networks across Europe between April and December 2023. The threat actor known as “BlueDelta” used credential-harvesting pages that targeted the Ukrainian Ministry of Defence, Ukrainian weapons import and export companies, European railway infrastructure enterprises, and a think tank based in Azerbaijan.

ETLM Assessment:
Russian attempts to destabilize the Ukrainian defense industry have been well documented but interference in their Western counterparts and in European transport networks has been less discussed, even though CYFIRMA analysts warned of this danger in this report last year. The Czech National Cyber and Information Security Agency (NÚKIB) has also warned of growing threats of attacks on transport targets in its report last year. The agency has been one of the strictest digital security watchdogs in Europe and was the first to issue a hawkish warning against the use of components from Chinese companies Huawei and ZTE in 5G mobile networks under construction. Russia is using the intelligence it gains in these attacks in acts of its political war against the West as well its kinetic war against Ukraine, but also as tactical means of delaying transports of Ukrainian grain to the world market as well as movements of Western equipment towards Ukraine both in civilian and military capacity. The incident shows the growing role of cyber in conflict even or rather especially between countries that are not formally at war and demonstrates the future of political relations, in which cyber will be a major means of the statecraft toolkit, affecting governments and businesses alike.

New North Korean threat actor deploying old schemes
Researchers have published a report on a new North Korean threat actor tracked as “Moonstone Sleet” that’s conducting financially motivated attacks alongside cyber espionage. The threat actor has been observed setting up fake companies and job opportunities to engage with potential targets, employing trojanized versions of legitimate tools, creating a malicious game, and delivering a new custom ransomware. The threat actor is targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors.

ETLM Assessment:
North Korean cyber operations have increased in sophistication over the past two years, and our researchers noted last year in a research report that Pyongyang’s threat actors seem particularly interested in stealing information related to maritime and missile technology research, given the emphasis the Kim regime puts onto developing a full nuclear triad. The interest in software is most likely related to Pyongyang’s interest in supply chain attacks. The heavily sanctioned regime in North Korea is hungry for the off-limits technologies it cannot obtain on the open market and thus uses cyber means to obtain them.

4. Rise in Malware/Ransomware and Phishing

The 8Base Ransomware impacts the Matusima

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Ransomware: 8Base Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; (www[.]matusima[.]com), was compromised by the 8Base Ransomware. Matusima Corporation is engaged in the sale and maintenance of agricultural machinery/general- purpose machinery, distribution of agricultural machinery, sale and maintenance of construction machinery, piping/plumbing equipment, mechanical equipment, heating and cooling, water supply and sewerage, air conditioning, septic tank, water supply and sewerage, construction of mechanical equipment, design, and construction, rental of construction equipment, sale and maintenance of cars, sale, and construction of solar energy production systems/, and batteries. The compromised data contains Invoices, Receipts, Accounting documents, Personal data, Certificates, Employment contracts, A huge amount of confidential information, Confidentiality agreements, Personal files, and Others.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • The 8Base ransomware group has seen a significant increase in activity since June 2023, using double extortion tactics to pressure victims into paying ransoms. This group, which first appeared in March 2022, has ramped up its attacks, targeting various industries and listing numerous victims on its dark website.
  • 8Base ransomware is known for its use of the Phobos v2.9.1 ransomware, typically delivered through SmokeLoader, a malware downloader. The ransomware encrypts files with the .8base extension and demands ransom payments for decryption keys. Recent technical analyses show that 8Base employs various sophisticated methods to ensure persistence on victim systems, such as creating multiple copies of itself in startup folders and modifying registry keys for auto-start capabilities.
  • The 8Base Ransomware group primarily targets countries such as the United States of America, Italy, France, Brazil, and Spain.
  • The 8Base Ransomware group primarily targets industries, including Heavy Construction, Business Support Services, Specialized Consumer Services, Media Agencies, and Industrial Machinery.
  • Based on the 8Base Ransomware victims list from 1 Jan 2023 to 5th June 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by 8Base Ransomware from 1 Jan 2023 to 5 June 2024 are as follows:

    emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Matusima, a prominent Manufacturing company located in Japan, underscores the extensive threat posed by this particular ransomware strain in the Asia Pacific region.

The LockBit3.0 Ransomware impacts the Kulicke & Soffa(kns)

  • Attack Type: Ransomware
  • Target Industry: Manufacturing, Information Technology
  • Target Geography: Singapore
  • Ransomware: LockBit3.0 Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Singapore; (www[.]kns[.]com), was compromised by the LockBit3.0 Ransomware. Kulicke and Soffa Industries, Inc. (NASDAQ: KLIC) specializes in developing cutting-edge semiconductor and electronics assembly solutions enabling a smarter and more sustainable future. Their ever-growing range of products and services supports growth and facilitates technology transitions across large-scale markets, such as advanced display, automotive, communications, computer, consumer, data storage, energy storage, and industrial. The data that has been compromised has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. The compromised data encompasses sensitive and confidential information pertinent to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Technical Enhancements: LockBit 3.0 has incorporated sophisticated anti-analysis and evasion techniques to hinder detection and forensic investigation. These include the use of heap memory storage for obfuscated function addresses, trampolines for executing functions like Windows system calls, and detection mechanisms for debugging environments. Additionally, it uses various methods to hide its activities from debuggers and modifies system functions to prevent analysis.
  • Law Enforcement Actions: In February 2024, a major international law enforcement operation, known as Operation Cronos, disrupted LockBit’s infrastructure. Over 30 servers associated with LockBit were seized across multiple countries, including the United States, United Kingdom, Germany, France, and others. This operation also involved the release of decryption tools and resources for victims, making significant strides in combating this ransomware group.
  • Public Outreach and Recruitment: Despite facing law enforcement pressure, LockBit continues to be a significant threat. They have openly challenged law enforcement agencies and are actively recruiting new talent to enhance their capabilities. Their resilience indicates an ongoing risk of increased cyberattacks in the near future.
  • The LockBit3.0 Ransomware group primarily targets countries such as the United States of America, France, the United Kingdom, Canada, and Germany.
  • The LockBit3.0 Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Business Support Services, Health Care Providers, and Industrial Machinery.
  • Based on the LockBit3.0 Ransomware victims list from 1 Jan 2023 to 5th June 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the LockBit3.0 Ransomware from 1st Jan 2023 to 5th June 2024 are as follows:

ETLM Assessment:
CYFIRMA’s assessment underscores the persistent and widespread threat posed by LockBit 3.0 ransomware to companies worldwide. Observations reveal an escalating pattern, wherein LockBit 3.0 exploits vulnerabilities in diverse products to infiltrate systems, facilitating lateral movement within organizational networks. Based on available information, CYFIRMA indicates that LockBit 3.0 will continue targeting various industries globally, with a significant emphasis on the United States, Europe, and Asian regions. A recent breach targeting Kulicke & Soffa (K&S), a leading manufacturing firm based in Singapore, serves as a potential indicator of LockBit 3.0’s inclination towards targeting organizations across Southeast Asia. This attack highlights the ransomware group’s focus on high-value targets and critical infrastructure, leveraging sophisticated techniques to evade detection and maximize impact.

5. Vulnerabilities and Exploits

Vulnerability in CasGate

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Single-Sign-On (SSO)
  • Vulnerability: CVE-2024-36108 (CVSS Base Score 9.8)
  • Vulnerability Type: Improper Authorization

The vulnerability allows a remote attacker to bypass authorization checks.

Relevancy & Insights:
The vulnerability exists due to improper authorization in multiple API endpoints.

A remote attacker can bypass authorization on the target system.

Affected Products:
https[:]//github[.]com/casgate/casgate/security/advisories/GHSA-mj5q- rc67-h56c

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in CasGate a UI-first centralized authentication/Single-Sign-On (SSO) platform based on OAuth 2.0/OIDC can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of this SSO platform is crucial for maintaining the integrity and protection of users’ authentication and authorization data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding authentication activities across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

RansomHouse Ransomware attacked and Published data of ABS-CBN Broadcasting

  • Threat Actors: RansomHouse Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Philippines
  • Target Industry: Business Services
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Recently we observed that RansomHouse Ransomware attacked and Published data of ABS-CBN Broadcasting on its darkweb website. ABS-CBN Broadcasting (www[.]abs-cbn[.]com) is considered one of the country’s leading media and entertainment companies, with service offerings across different platforms of media, servicing a wide array of customer segments. The company is driven to pioneer, innovate, and adapt as it continues to provide information, news, and entertainment that connects Filipinos with one another and with their community – wherever they may be. The data leak, following the ransomware attack, encompasses a broad spectrum of sensitive and confidential information pertinent to the organization. The total volume of compromised data is approximately 500 GB.

Source: Dark Web

Relevancy & Insights:

  • RansomHouse, a ransomware-as-a-service (RaaS) group, has recently been in the spotlight for using a new tool called “MrAgent” to automate attacks on VMware ESXi servers. The MrAgent tool is designed to streamline the deployment of ransomware across large environments by automating tasks such as disabling firewalls, ending non-root SSH sessions, and spreading the ransomware to multiple hypervisors simultaneously. This tool supports both Windows and Linux systems, indicating RansomHouse’s strategy to maximize its reach and impact.
  • Recent reports indicate that RansomHouse has targeted several new organizations. These include Webber International University and GCA Nederland, with both institutions reportedly facing severe data breaches earlier this year. Additionally, the Dubai Gold and Commodities Exchange (DGCX) has also been compromised, with the attackers claiming to have exfiltrated 100GB of data.

ETLM Assessment:
RansomHouse ransomware is known to target large enterprises and high-value targets. RansomHouse ransomware targets its victims through phishing and spear phishing emails. They are also known to use third-party frameworks (e.g., Vatet Loader, Metasploit, Cobalt Strike). Based on the available information, CYFIRMA’s assessment indicates that RansomHouse ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent breach targeting ABS-CBN Broadcasting, a leading Media & Internet firm based in the Philippines, serves as a potential indicator of RansomHouse ransomware’s inclination towards targeting organizations across Southeast Asia.

7. Data Leaks

Dkhoon Emirates Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Retail
  • Target Geography: Saudi Arabia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

The CYFIRMA Research team observed a potential data sale related to Dkhoon Emirates, {www[.]dkhoonemirates[.]com} in an underground forum. In a recent cyber incident, a threat actor claimed to have obtained a substantial database from Dkhoon Emirates, a prominent online retailer. The data, purportedly consisting of 1,187,492 rows, is said to include extensive customer information and transaction details. This alleged breach has been made public with a demand for $4800 USD in cryptocurrency (XMR or BTC) for a one-time sale. The seller has threatened to publish the data if no buyer comes forward.

The data, which is claimed to be updated as of June 2, 2024, is reportedly stored in a file named “Dkhoonemirates.csv,” with a size of 514MB. According to the seller, the dataset includes a comprehensive range of customer and order details, such as:

Customer Information: Names, emails, mobile numbers, and addresses. Order Details: Order status, payment methods, shipping methods, and tracking IDs. Financial Information: Payment statuses, subtotal amounts, VAT, shipping costs, cash on delivery amounts, discounts, and total amounts.

Additional Data: Google Maps locations, coupon codes, product names, SKUs, quantities, order product costs, unit prices, transaction references, and timestamps.

Source: Underground Forums

Chungwa Telecom data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Telecommunication
  • Target Geography: Taiwan
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

The CYFIRMA Research team observed a potential data sale related to Chungwa Telecom, {www[.]cht[.]com[.]tw } in an underground forum. A threat actor known as 303 claims to be selling unauthorized shell access to Chungwa Telecom, the largest telecom company in Taiwan. According to the threat actor, they have access to 910 GB of data from the company’s internal systems. Chungwa Telecom, with a revenue of $7.2 billion, is a major player in Taiwan’s telecommunications industry. The threat actor is offering this unauthorized access for $4,000, though they are open to negotiation. Payments are accepted in Bitcoin (BTC) and Monero (XMR).

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Threat Actor 303’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by Ddarknotevil typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations
CYFIRMA Research team observed a potential data leak related to Heineken. Recently, threat actor “888” has purportedly leaked data associated with the renowned brewing company, Heineken. The company, with a substantial revenue of €36.4 billion, allegedly fell victim to a breach in June 2024. According to the threat actor’s claims, the leaked database comprises 8,174 employee records sourced from multiple countries. The data purportedly includes employee IDs, user IDs, full names, email addresses, company details, and respective roles within the organization.

Source: Underground forums

ETLM Assessment:
Threat actor 888 group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries indicating its intention to expand its attack surface in the future to other industries globally.


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography – Wise and Industry – Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.