Weekly Intelligence Report – 10 Mar 2023

Published On : 2023-03-10

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DDoS, Spear Phishing
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – LockBit 3.0 | Malware – MQsTTang
  • LockBit 3.0 – one of the ransomware groups tracked this week.
  • Please refer to the trending malware advisory for details on the following malware: MQsTTang.
  • Behavior – Most of this malware uses phishing and social engineering as its initial attack vector. In addition, exploitation of vulnerabilities, defence-evasion and persistence tactics have been observed.

Threat Actor in Focus

Blind Eagle Back with New Wave of Attack Against Multiple Nations

  • Suspected Threat Actors: Blind Eagle
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: Colombia, Ecuador, Spain, and Chile
  • Target Industries: Healthcare, Financial, Law Enforcement, Government
  • Business Impact: Data Theft, Operational Disruption

Summary: Blind Eagle, also known as APT-C-36, is a South American cyber-espionage group that has targeted financial and governmental entities in Latin America for the past few years, with Colombia as its primary target. The group usually uses a PDF attachment sent by email as the initial infection vector. To evade spam filters and deliver the phishing mail, the threat actor places the recipients in the Blind Carbon Copy (BCC) field instead of the “To:” field. The PDF attachment contains a URL that redirects the user to a malicious website, which in turn downloads a second-stage payload from the public service Discord. In a recent campaign, the masked link in the email redirected to dian.server[.]tl. DIAN is Colombia’s Directorate of National Taxes and Customs, and dian.server[.]tl was a fake website impersonating DIAN’s site, built to convince the victim that the page was genuine. The fake DIAN page displayed a download button that supposedly let victims view PDFs; clicking it initiated the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam. Further research on payload deployment showed that the attacks also included Ecuador, Chile, and Spain.

Insights: In January, Blind Eagle was seen impersonating the Ministry of Foreign Affairs of the Colombian government. The threat actor is targeting victims in the same manner; only the impersonated entity has changed.

The threat actor has been observed expanding its targeting to European nations in addition to nations in Latin America.
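The lure pattern above gives a mail gateway or SOC three concrete things to look for: the receiving mailbox appearing in neither To nor Cc (BCC delivery), a PDF attachment whose link annotation points at a DIAN lookalike, and download links on the Discord CDN. The following triage script is an added example, not CYFIRMA's or any vendor's detection code. It assumes the legitimate DIAN domain is dian.gov.co and that Discord serves user uploads from cdn.discordapp.com and media.discordapp.net; the two sample messages are constructed for the illustration.

```python
"""Triage rules for the Blind Eagle lure pattern: recipients hidden in Bcc,
a PDF attachment linking to a DIAN lookalike, and payload links on the
Discord CDN.  Added example, not CYFIRMA's or any vendor's detection code.
Assumptions: legitimate DIAN domain is dian.gov.co; Discord serves uploads
from cdn.discordapp.com / media.discordapp.net; samples below are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

LEGIT_DIAN = "dian.gov.co"                                    # assumption
DISCORD_CDN = {"cdn.discordapp.com", "media.discordapp.net"}  # assumption
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def recipient_hidden(msg: EmailMessage, delivered_to: str) -> bool:
    """True when the mailbox that received the message appears in neither To
    nor Cc, i.e. it was addressed through Bcc (the filter-evasion trick)."""
    visible = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            visible.update(a.addr_spec.lower() for a in hdr.addresses)
    return delivered_to.lower() not in visible


def classify_host(host: str) -> Optional[str]:
    """Tag a URL host as a Discord CDN link or a DIAN lookalike; None if neither."""
    host = host.lower()
    if host in DISCORD_CDN:
        return "discord_cdn_link"
    if "dian" in host.split(".") and host != LEGIT_DIAN and not host.endswith("." + LEGIT_DIAN):
        return "dian_lookalike_domain"
    return None


def suspicious_links(text: str) -> List[Tuple[str, str]]:
    """Works on any text: a mail body, decoded PDF bytes, or a proxy log line."""
    return [(tag, h) for h in URL_RE.findall(text) if (tag := classify_host(h))]


def triage(raw: str, delivered_to: str) -> List[str]:
    """Return the findings for one raw RFC 5322 message delivered to delivered_to."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if recipient_hidden(msg, delivered_to):
        findings.append("recipient_only_in_bcc")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        findings += [f"{tag}:{h}" for tag, h in suspicious_links(body.get_content())]
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pdf"):
            findings.append(f"pdf_attachment:{name}")
            # PDF link annotations carry the target as a /URI string, so the raw
            # bytes can be scanned without a PDF parser (compressed streams excepted)
            content = part.get_content()
            text = content.decode("latin-1") if isinstance(content, bytes) else content
            findings += [f"{tag}:{h}" for tag, h in suspicious_links(text)]
    return findings


def sample_lure() -> str:
    """Constructed lure: visible To is a decoy, the real target is only in Bcc,
    and the PDF's link annotation points at the DIAN lookalike from the report."""
    m = EmailMessage()
    m["From"] = "notificaciones@example.net"
    m["To"] = "decoy@example.org"
    m["Subject"] = "Notificacion DIAN"
    m.set_content("Estimado contribuyente, descargue su notificacion adjunta.")
    fake_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://dian.server.tl/descarga) >> >> endobj\n")
    m.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                     filename="notificacion.pdf")
    return m.as_string()


def sample_benign() -> str:
    """Constructed legitimate message: recipient visible, link to the real domain."""
    m = EmailMessage()
    m["From"] = "contabilidad@example.net"
    m["To"] = "victim@example.com"
    m["Subject"] = "Portal DIAN"
    m.set_content("Consulte el portal oficial en https://www.dian.gov.co/ para detalles.")
    return m.as_string()


if __name__ == "__main__":
    print(triage(sample_lure(), "victim@example.com"))
    print(triage(sample_benign(), "victim@example.com"))
```

The BCC check only works where the gateway knows the envelope recipient (the RCPT TO mailbox), which is why it is passed in separately from the parsed headers. Scanning raw PDF bytes for `/URI` strings catches the simple case shown here; a lure that wraps the annotation in a compressed object stream needs a real PDF parser, and the Discord CDN rule is better applied to web-proxy logs, since in this campaign the CDN link sat on the landing page rather than in the mail itself.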

Major Geopolitical Developments in Cybersecurity

Europe’s largest cyber warfare exercise took place in Estonia

The largest Western Europe-led cyber exercise has taken place in Tallinn, Estonia, with 34 teams taking part in a live-fire cyber battle. The exercise was led by a team of cyber specialists from the British Army and was the culmination of more than 12 months of training for more than 750 cyber specialists, including defence, government, and industry personnel from 11 countries, among them Ukraine.

Hosted in Tallinn, the exercise saw teams from across the world respond to common and complex simulated cyber threats, including attacks on networks, industrial control systems, and unmanned robotic systems, simulating some of the tactics Russia used to disrupt Ukrainian cyberspace in the early days of the invasion one year ago. Participants were judged on the effectiveness and speed of their response and on how quickly they identified and adapted to new threats, a vital form of training for developing war-fighting skills in 21st-century cyberspace.

Russia has banned several messaging apps

Russia’s Internet watchdog Roskomnadzor has banned nine foreign-based messaging apps from use by the Russian government. The agency singles out the apps as providing a way for users to communicate directly with one another with no possibility of public mediation of the content, which the Russian government evidently regards as a problem. Roskomnadzor’s statement makes no specific accusation of subversion or of direct complicity with foreign powers trying to disrupt the Russian government, in contrast to the earlier bans on Facebook and Instagram. The apps that fall under the new restrictions are Discord, Microsoft Teams, Skype for Business, Snapchat, Telegram, Threema, Viber, WhatsApp, and WeChat.

Chinese APT uses SoulSearcher malware for espionage in South East Asia

Researchers have observed a Chinese cyber-espionage operation targeting government entities in several Southeast Asian countries, including Vietnam, Thailand, and Indonesia. The threat actor is using a new version of the SoulSearcher loader to deliver the Soul malware. Although the Soul framework was previously unattributed, the researchers conclude that one or more China-based APTs are using it.

Although the operation bears similarities to earlier campaigns run by the Chinese APT “Sharp Panda,” the researchers note that specific attribution remains difficult because sharing unique tools and operational techniques is very common among threat actors operating out of China.

US Cyber Command warns against underestimating Russia

According to General Paul Nakasone, chief of US Cyber Command and the NSA, who recently testified before the US Senate Armed Services Committee, Russia remains a very capable adversary in cyberspace. The general also assured the Senators that US Cyber Command was monitoring the Russian war against Ukraine very carefully. Other Cyber Command and NSA officials made similar comments to the media, noting that the agencies anticipate Russian cyber activity may become bolder and look at broader targets outside Ukraine, and that there is a chance Russia will be increasingly brazen in its cyberattacks on civilian infrastructure.

The US published its National Cybersecurity Strategy

The White House has released the National Cybersecurity Strategy, which refocuses roles, responsibilities, and resource allocations in the digital ecosystem around a five-pillar approach. Two primary goals stated in the accompanying press release are to rebalance the responsibility to defend cyberspace, shifting the burden of cybersecurity away from individuals and onto specialized organizations in the sector, and to realign incentives to favour long-term investments by balancing threat defence with smart planning and investment. The strategy has five core tenets: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

Other Observations

CYFIRMA Research team observed a potential data leak related to www[.]matalan[.]co[.]uk. Matalan retails men’s, women’s, and children’s clothing and accessories and is headquartered in Liverpool, United Kingdom. The leaked data contains names, email addresses, and addresses.


Source: Underground Forums

The team also observed a potential data leak related to www[.]adata[.]com. ADATA is a technology company that manufactures and sells complete memory solutions, headquartered in New Taipei City, Taiwan. The leak contains approximately 1.5 TB of sensitive data.


Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Organizations should adopt Attack Surface Management, ensuring a continuous closed-loop process between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies promptly, and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software and applications as soon as updates are available. Where feasible, deploy automated remediation, since unpatched vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy behavioural, anomaly-based detection technologies to detect ransomware attacks and enable appropriate countermeasures.
  • Implement a combination of security controls such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart, e.g. reCAPTCHA), device fingerprinting, IP blocklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and similar mechanisms to avoid accepting content from known and potentially malicious sources.
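Of the brute-force controls in the tactical list, rate limiting and account lockout are the two that sit in application code. The login guard below is an added example, not taken from the report: it combines a per-source sliding-window rate limit, a per-account lockout with expiry, and a salted PBKDF2 check compared in constant time, with a decoy credential so that unknown usernames cost the same as real ones. The thresholds, the PBKDF2 work factor, the injectable clock and the sample user store are illustrative assumptions.

```python
"""Server-side brute-force controls: per-source rate limiting, per-account
lockout, and a constant-time credential check.  Added example, not taken from
the report; thresholds, PBKDF2 rounds and the sample user store are illustrative."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ManualClock:
    """Injectable clock so lockout and window expiry can be driven deterministically."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginGuard:
    RATE_LIMITED, LOCKED, DENIED, OK = "rate_limited", "locked", "denied", "ok"

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], *, max_per_ip: int = 10,
                 ip_window: float = 60.0, max_failures: int = 5, lockout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.users = users                        # username -> (salt, derived_key)
        self.max_per_ip, self.ip_window = max_per_ip, ip_window
        self.max_failures, self.lockout = max_failures, lockout
        self.clock = clock
        self.ip_hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}
        # decoy credential: unknown usernames cost one PBKDF2 run like real ones,
        # so response time does not reveal which accounts exist
        self._decoy = hash_password(os.urandom(8).hex())

    def _ip_allowed(self, ip: str, now: float) -> bool:
        """Sliding window: at most max_per_ip attempts per ip_window seconds."""
        hits = self.ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        if len(hits) >= self.max_per_ip:
            return False
        hits.append(now)
        return True

    def attempt(self, user: str, password: str, ip: str) -> str:
        now = self.clock()
        if not self._ip_allowed(ip, now):
            return self.RATE_LIMITED
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return self.LOCKED
        salt, expected = self.users.get(user, self._decoy)
        _, candidate = hash_password(password, salt)
        if user in self.users and hmac.compare_digest(candidate, expected):
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return self.OK
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures.pop(user, None)
        return self.DENIED


def demo() -> list:
    """Drive the guard through a lockout and a rate limit with a manual clock."""
    clock = ManualClock(1000.0)
    guard = LoginGuard({"alice": hash_password("correct horse")}, max_per_ip=3,
                       ip_window=60.0, max_failures=2, lockout=300.0, clock=clock)
    out = [guard.attempt("alice", "wrong", "203.0.113.5") for _ in range(2)]  # 2nd failure locks
    out.append(guard.attempt("alice", "correct horse", "203.0.113.5"))        # right password, still locked
    out.append(guard.attempt("alice", "correct horse", "203.0.113.5"))        # 4th hit inside the window
    clock.now += 301.0                                                          # lockout expires
    out.append(guard.attempt("alice", "correct horse", "203.0.113.9"))
    out.append(guard.attempt("nobody", "x", "203.0.113.9"))                     # unknown user, same cost
    return out


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'locked', 'rate_limited', 'ok', 'denied']
```

Two caveats a practitioner should keep in mind: a pure per-account lockout lets an attacker who knows a username deny that user service, so production systems usually key the lockout on account plus source, or use escalating delays instead of a hard lock; and the per-IP window only works when the application sees the real client address, which behind a load balancer means honouring X-Forwarded-For only from trusted proxies.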