
Weekly Intelligence Report – 10 May 2024

Published On : 2024-05-10

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Repair ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Repair ransomware
In late April 2024, researchers uncovered a ransomware dubbed “Repair”, which is identified as a member of the notorious MedusaLocker ransomware family.

Since first appearing in September 2019, MedusaLocker has been notable for its focus on the healthcare and finance sectors, while also impacting various other industries. Operating under a Ransomware-as-a-Service (RaaS) model, it encrypts files with a combination of AES and RSA, rendering them inaccessible to users.

Perpetrators then demand payment for the decryption keys.

MedusaLocker has become infamous for its multiple variants, each identifiable by unique extensions attached to encrypted files. The introduction of “Repair” represents a fresh phase in its changing strategies.

Repair ransomware encrypts the files and adds a “.repair” extension to the encrypted files. Upon completing the encryption process, the Repair ransomware generates an HTML file named “How_to_back_files.html,” which houses the ransom note. This ransom note not only demands payment for decryption but also employs double extortion tactics, threatening victims with the potential of data leaks.

Screenshot of files encrypted by ransomware (Source: Surface Web)

Screenshot of Text presented in Ransom note (Source: Surface Web)

The ransom note from the “Repair” ransomware states that the attackers target companies rather than individuals, that all crucial files have been encrypted with RSA+AES, and that restoration without the attackers’ assistance is impossible; any attempt with third-party software, it warns, risks permanent corruption. The note stresses that only the attackers can decrypt the files and warns against modifying or renaming them.

Additionally, it reveals that highly sensitive personal data has been obtained and stored on a private server, which will be destroyed upon payment. However, refusal to pay will result in the data being made public or sold.

The following TTPs are mapped to the MITRE ATT&CK framework:

Sr. No  Tactic                          Techniques / Sub-Techniques
1       TA0002: Execution               T1059: Command and Scripting Interpreter
                                        T1129: Shared Modules
2       TA0003: Persistence             T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3       TA0004: Privilege Escalation    T1134.004: Access Token Manipulation: Parent PID Spoofing
                                        T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
                                        T1548: Abuse Elevation Control Mechanism
4       TA0005: Defense Evasion         T1027: Obfuscated Files or Information
                                        T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
                                        T1036: Masquerading
                                        T1070: Indicator Removal
                                        T1112: Modify Registry
                                        T1134.004: Access Token Manipulation: Parent PID Spoofing
                                        T1140: Deobfuscate/Decode Files or Information
                                        T1202: Indirect Command Execution
                                        T1222: File and Directory Permissions Modification
                                        T1548: Abuse Elevation Control Mechanism
5       TA0006: Credential Access       T1056.001: Input Capture: Keylogging
6       TA0007: Discovery               T1012: Query Registry
                                        T1057: Process Discovery
                                        T1082: System Information Discovery
                                        T1083: File and Directory Discovery
                                        T1087: Account Discovery
                                        T1614: System Location Discovery
7       TA0008: Lateral Movement        T1080: Taint Shared Content
8       TA0009: Collection              T1056.001: Input Capture: Keylogging
                                        T1074: Data Staged
9       TA0011: Command and Control     T1071: Application Layer Protocol
10      TA0040: Impact                  T1486: Data Encrypted for Impact

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • The initial access vector for the Repair variant of MedusaLocker ransomware remains unknown. However, past instances indicate that MedusaLocker actors commonly exploit vulnerable Remote Desktop Protocol (RDP) configurations or utilize email phishing and spam campaigns, often attaching the ransomware directly to emails, to gain access to victim devices.

ETLM Assessment:
CYFIRMA’s assessment, based on available information, suggests that MedusaLocker ransomware, operational since 2019, has consistently targeted various sectors globally, including healthcare, finance, and IT services. Looking ahead, Repair ransomware, a variant of MedusaLocker, is expected to evolve with sophisticated evasion tactics, posing potential risks to businesses of all scales. The likelihood of this new variant targeting major industries worldwide remains significant. Vigilance and strong cybersecurity measures are essential to mitigate these threats effectively.

Sigma Rule
title: Process Creation Using Sysnative Folder
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    sysnative:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
    condition: sysnative
falsepositives:
    - Unknown
level: medium
(Source: Surface web)
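To show what the rule above actually matches, here is the same selection expressed as executable logic and run over constructed process-creation events. This is an added example, not code from the report or from the Sigma project; the events are synthetic and the vendor paths in them are placeholders. One detail worth knowing when tuning: Sigma's contains/startswith/endswith modifiers are case-insensitive by default, and the Sysnative alias only resolves for 32-bit (WOW64) processes on 64-bit Windows, which is where the "Unknown" false positives come from.

```python
"""Added example (not from the report): the Sigma rule above expressed as
executable matching logic and run over constructed process-creation events."""

# The rule's selection, copied from the Sigma rule. A Sigma list of maps is
# OR-ed; keys inside one map are AND-ed.
RULE_SELECTION = [
    {"CommandLine|contains": ":\\Windows\\Sysnative\\"},
    {"Image|contains": ":\\Windows\\Sysnative\\"},
]


def _field_matches(value, modifier, pattern):
    # Sigma string matching is case-insensitive by default, so normalise both sides.
    v, p = str(value or "").lower(), str(pattern).lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def eval_selection(event, selection):
    """Return True if any clause (map) of the selection matches the event."""
    for clause in selection:
        if all(
            _field_matches(event.get(key.partition("|")[0]), key.partition("|")[2], pattern)
            for key, pattern in clause.items()
        ):
            return True
    return False


def matches_sysnative_rule(event):
    return eval_selection(event, RULE_SELECTION)


# Constructed sample events (synthetic, not real telemetry).
SAMPLE_EVENTS = [
    {  # 32-bit dropper reaching the 64-bit cmd.exe through the WOW64 alias
        "Image": "C:\\Windows\\Sysnative\\cmd.exe",
        "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet",
        "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",
    },
    {  # ordinary 64-bit shell, no Sysnative reference
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {  # 32-bit vendor agent legitimately using Sysnative: the expected false positive
        "Image": "C:\\Program Files (x86)\\Vendor\\agent.exe",
        "CommandLine": "\"C:\\Program Files (x86)\\Vendor\\agent.exe\" -run c:\\WINDOWS\\SYSNATIVE\\wbem\\wmic.exe",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
    },
]


def find_matches(events):
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches_sysnative_rule(e)]


if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["Image"], "|", SAMPLE_EVENTS[i]["CommandLine"])
```

The third event is the kind of hit the rule's medium level anticipates: a legitimate 32-bit agent that needs the 64-bit System32. When triaging, pair the match with the parent process and the command line itself (the first event's shadow-copy deletion is the part that matters), rather than alerting on the Sysnative path alone.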

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement strong access controls for critical systems in cloud and on-premises environments: encrypted connections, strong authentication, and tightly scoped access credentials.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information Stealer
Objective: Infiltration, Data Exfiltration
Target Technology: macOS, including iCloud Keychain, Apple Notes, Web Browsers, Crypto Wallets, Discord, FileZilla, Steam, and Telegram.

Active Malware of the Week
This week “Cuckoo” is trending.

Cuckoo
Researchers have identified a new information-stealing malware known as Cuckoo, targeting Apple macOS systems. Disguised as a legitimate music conversion application named DumpMediaSpotifyMusicConverter, this malware poses a serious threat due to its advanced capabilities combining infostealing and spyware functionalities. It infiltrates macOS systems by hijacking resources to collect and exfiltrate sensitive data to a remote command-and-control server controlled by malicious operators.

Attack Strategy
The researchers examined a file named DumpMediaSpotifyMusicConverter, also known as upd, a universal Mach-O binary compatible with both Intel and ARM-based Macs. This file was discovered on the dumpmedia[.]com website, ostensibly offering applications to convert music from streaming services to MP3 format. Upon downloading and analyzing the DMG file for the Spotify version of the application, researchers discovered suspicious behavior during installation. Unlike typical macOS applications, users were instructed to right-click and select Open instead of dragging the app to the /Applications folder.

Upon inspecting the application bundle by selecting “Show Package Contents” instead of “Open,” researchers discovered a Mach-O binary named upd within the MacOS folder. This raised suspicion because such a binary would normally bear the name of the application. In addition, within the Resources folder of the bundle, they found another application bundle named DumpMedia Spotify Music Converter, which appeared to be the legitimate application. Further investigation revealed that the upd file was ad hoc signed, without a Developer ID. This implies that Gatekeeper, macOS’s security feature, would initially prevent the app from running and require the user to authorize its execution manually, which is exactly what the right-click-and-Open instruction achieves.

Running the Application
After allowing the application to run, researchers observed that it initiated a bash shell and began gathering host information using the system_profiler command to extract the hardware UUID. The malware’s strings were XOR-encoded, and a subroutine decoded the output of the system_profiler command. The decoding process involved loading a pointer to the XOR-encoded string and a key for decryption. Once decoded, the string was passed to a function that executed commands using popen(). The decoded UUID was saved for later use. The malware used a similar XOR encoding method for all commands passed to popen(). Subsequently, the application created a duplicate of itself named DumpMediaSpotifyMusicConverter, stored it in a hidden folder within the /Users directory, and occasionally appeared as either upd or DumpMediaSpotifyMusicConverter. The original malware then removed the quarantine flag from itself and the copied file using the xattr -d com.apple.quarantine command.

Locale Check
After querying for the UUID, Cuckoo checks the system’s LANG environment variable. It retrieves the value with getenv() and compares it against specific locales inside an if statement to decide how to proceed. The LANG value, typically en_US.UTF-8, is first formatted with snprintf() so that it is truncated to five characters followed by a semicolon (e.g., en_US;). The if statement then uses strstr() to search for this formatted value within a semicolon-separated list of prohibited locales.

Additionally, the condition includes a call to _sem_open() on a named semaphore derived from the UUID (the flag 0x200 is O_CREAT on macOS), so execution also stops if that semaphore cannot be opened. Because strstr() returns NULL (0) when the needle is absent, the second clause is true only when the locale is not in the list:

if (_sem_open(&_/mtx-%.2 and UUID, 0x200) != -1 &&
    _strstr(&hy_AM;be_BY;kk_KZ;ru_RU;uk_UA;, &localeReturn(en_US;)) == 0)

The malware creators intended to avoid infecting devices in five specific countries:

  • Armenia (hy_AM)
  • Belarus (be_BY)
  • Kazakhstan (kk_KZ)
  • Russia (ru_RU)
  • Ukraine (uk_UA)

If the current system’s locale does not match any of these prohibited locales, the malware proceeds to open the legitimate SpotifyMusicConverter application.
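The following is an added example, not code from the report or from the malware, that models the locale gate exactly as the analysis describes it (five-character truncation, appended semicolon, substring search against the list). The named-semaphore result is reduced to a boolean, since Python's standard library has no sem_open(); how the binary treats an unset LANG is not stated in the report and is an assumption here.

```python
"""Added example (not from the report): a Python model of Cuckoo's locale gate
as described above, reimplementing the C calls the analysis names."""

# The prohibited-locale list exactly as quoted in the decompiled condition.
BLOCKED_LOCALES = "hy_AM;be_BY;kk_KZ;ru_RU;uk_UA;"


def format_lang(lang):
    """Model of snprintf(buf, size, "%.5s;", lang): keep at most five
    characters of LANG and append a semicolon. getenv() returns NULL when
    LANG is unset; the report does not say how the binary handles that, so
    this model treats None as an empty string (assumption)."""
    return (lang or "")[:5] + ";"


def locale_is_blocked(lang):
    """strstr(BLOCKED_LOCALES, formatted) != NULL, i.e. a plain substring search."""
    return format_lang(lang) in BLOCKED_LOCALES


def should_proceed(lang, mutex_acquired=True):
    """The full condition: sem_open(...) != SEM_FAILED && strstr(...) == NULL.
    The semaphore outcome is modelled as a boolean (assumption)."""
    return mutex_acquired and not locale_is_blocked(lang)


if __name__ == "__main__":
    for lang in ["en_US.UTF-8", "ru_RU.UTF-8", "ru", "", None]:
        verdict = "blocked" if locale_is_blocked(lang) else "proceeds"
        print(f"{lang!r:>14} -> {format_lang(lang):<7} {verdict}")
```

Two consequences of the check as described follow directly from the model and are worth knowing when reproducing the sample in a lab: only the first five characters matter, so ru_RU.UTF-8 is blocked while a bare ru is not, and an empty LANG formats to ";" which strstr() does find inside the list, so the gate refuses to run. LANG is read from the environment of the launching process, which for an app opened from Finder is not the same as a Terminal shell's.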

Creating Persistence
This malware’s behavior deviates from typical stealers by incorporating persistence features more commonly associated with spyware. It decodes the necessary strings using an XOR function to prepare for creating and populating a plist. After decoding, the malware checks for the existence of ~/Library/LaunchAgents; if absent, it creates this directory. To establish persistence, the malware duplicates itself and saves it to a newly created folder within the user’s home directory using NSGetExecutablePath() to obtain its binary path and create the necessary folder structure. The fcopyfile() function is then employed to copy the binary to this new location. To ensure persistence, the application utilizes launchctl to load a LaunchAgent for a plist derived from the application. Upon inspecting the plist, it’s revealed that the objective is to execute a login script every 60 seconds. The setup of persistence involves further XOR decoding of strings and using snprintf() to replace values in format strings used to construct the plist.
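For responders, the persistence mechanism above reduces to a handful of properties in a LaunchAgent plist. The script below is an added example (not from the report) that flags those properties in a plist parsed with the standard-library plistlib. The plist contents are constructed, the ".local-0A1B2C3D" directory stands in for the ~/.local-UUID path the report names, and the use of the StartInterval key to express "every 60 seconds" is an assumption.

```python
"""Added example (not from the report): triage a LaunchAgent plist for the
traits described above. Plist contents are constructed; the hidden-directory
name is a placeholder for the ~/.local-<UUID> path (assumptions)."""
import plistlib
import re

# A program that lives directly inside a hidden directory under a user's home.
HIDDEN_HOME_DIR = re.compile(r"^/Users/[^/]+/\.[^/]+/")


def triage_launch_agent(plist_bytes, max_interval=60):
    """Return (program_path, findings). An empty findings list means nothing was flagged."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    findings = []

    interval = agent.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= max_interval:
        findings.append(f"StartInterval={interval}s (re-runs every {interval} seconds)")
    if HIDDEN_HOME_DIR.match(program):
        findings.append(f"program in a hidden directory under a user home: {program}")
    if agent.get("RunAtLoad") is True:
        findings.append("RunAtLoad=true")
    return program, findings


# Constructed plist resembling the described persistence (not a real sample).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.local-0A1B2C3D/DumpMediaSpotifyMusicConverter</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict>
</plist>"""

# Constructed benign agent for comparison: hourly helper installed under /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/helper</string>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>"""


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        program, findings = triage_launch_agent(data)
        print(name, program, findings or "no findings")
```

On a live host, run this over every file in ~/Library/LaunchAgents, then confirm with launchctl list and check whether the program still carries the com.apple.quarantine attribute (xattr -p com.apple.quarantine PATH); its absence on a freshly downloaded binary matches the xattr -d behaviour described earlier.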

Privilege Escalation
The malware prompts the user for their password using osascript with the message “macOS needs to access System Settings,” without explicitly stating that a password is required. Upon entering the correct password, upd stores it in a file named pw.dat located at ~/.local-UUID/, the same directory as the copied and renamed upd.

The malware uses a function named PasswordCapture() to validate the captured password. It builds and executes a script to parse the returned text value, which is passed to a passwordChecker() function together with the account record (username) obtained from getpwuid(getuid()). passwordChecker() uses Core Services Identity functions to authenticate the password and writes the result to pw.dat. To proceed, the malware needs the user to accept TCC (Transparency, Consent, and Control) prompts for access to Finder, the microphone, and the Downloads folder. It then gathers more host information with sw_vers, system_profiler SPHardwareDataType, and ps aux to obtain the macOS version, hardware details, and running processes. Finally, it sets a variable for the Desktop folder path via osascript and mutes the system volume.

Spying and Infostealing Capabilities
This malware conducts targeted file queries associated with specific applications to gather comprehensive system information. The primary engine of the malware categorizes collected information by keywords observed in network communications.

The function runIT() at address 0x100016024 exemplifies the malware’s capabilities:

  • Decoding and usage of strings like “NFTktRMW” in network communications.
  • Decoding strings for sending information to the Command and Control server (C2), including captured passwords, system build, hostname, and username obtained through system queries like getuid() and hostname().
  • Utilizing system profiler commands to gather hardware information.
  • Employing ps aux to capture running processes.
  • Querying for installed applications while excluding specific file types like .DS_Store and localized.

Each function follows a pattern where encoded strings are decoded using an XOR function, paths to relevant files are created, and file pointers are obtained for data collection. The malware possesses capabilities to execute various commands, including extracting hardware information, capturing running processes, querying installed applications, taking screenshots, and harvesting data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps like Discord, FileZilla, Steam, and Telegram. These actions reflect a comprehensive approach to data exfiltration and system reconnaissance.

TCC Reset
Following the collection of data from third-party applications, the malware calls tccutil (decoded and executed via popen()) to reset the TCC database specifically for AppleEvents permissions. This action is puzzling because it normally causes the user to be prompted for permission again. Afterward, the malware executes another osascript command related to the Desktop. Once this is complete, data collection shifts to Apple applications. The malware copies files related to Safari, Notes, and Keychain to temporary locations under /var/folders, determined using getenv(TMPDIR).

Specific data is targeted from Apple applications:

  • SAFARIQUERY(): Paths to files like bookmarks, cookies, and history are created and passed to functions for file access. Osascript is utilized to duplicate and store these files in a temporary directory.
  • KEYCHAINS(): The malware builds a path to the user’s Keychain directory (~/Library/Keychains) and captures the files within it.
  • NOTES(): Similar to other captures, paths to files related to the Notes application are created and used to copy files via osascript executions.

Additional File Capture and Screen Capture
Following the previous data collection actions, the malware extends its reach to locate files with various extensions within the Desktop and Documents directories. It also reverses its earlier muting of the system volume; the mute was presumably intended to suppress audio notifications during screen capture.

The malware executes the SCREENCAPTURE() function, invoking the screencapture command with arguments specifying the file type (.jpg) and storage path for screenshots. This command is decoded and executed via popen() to capture and save screenshots. It is suspected that the system is muted during screen capture to avoid user detection, although this action prompts TCC permissions. Notably, there is uncertainty regarding the completeness of the screenshot functionality, as there were no observed cross-references indicating what triggered these functions within the malware.

Opening the Actual Converter Application
The malware disguises its activity by copying the legitimate application from its Resources folder to the /Applications directory. It locates the legitimate app within its own Resources directory using CFBundleCopyResourceURL() and then executes cp (copy) and open commands to launch it. This is intended to conceal the malicious behavior, making it appear as though the expected application is being executed so as to avoid user suspicion.

Network Communication and Data Exfiltration
This malware uses sockets and the curl API to communicate with its Command and Control (C2) server for data exfiltration. After the socket calls, the malware uses send() to transmit data, including the machine UUID captured during initial execution, to the IP address 146[.]70[.]80[.]123. The purpose of this exchange is to check the UUID against the C2 server to determine whether the malware has already run on the host. On subsequent runs, the malware halts after removing the quarantine flag, suggesting it recognizes previous executions. However, disconnecting from the internet before a subsequent run lets the malware proceed as if it were the first execution, bypassing this check.

Curl Usage
The malware uses the curl API to post information to its Command and Control (C2) server. It configures curl through curl_easy_setopt() calls, decoding the target URL and passing it with option 0x2712 (decimal 10002, which is CURLOPT_URL). This setup allows the malware to interact with the specified URL for data transmission and other communications with the C2 server.

INSIGHTS

  • The discovery of the Cuckoo malware poses a serious threat to macOS users due to its advanced capabilities, combining infostealing and spyware functionalities. Disguised as a legitimate music conversion application, Cuckoo infiltrates macOS systems, exploiting system resources to collect and exfiltrate sensitive data to a remote command-and-control server controlled by malicious operators.
  • Cuckoo malware reveals its sophisticated capabilities aimed at stealing sensitive information, including passwords, cryptographic keys, screen captures, and application data, which are then transmitted to a remote command-and-control server controlled by the malware operators. To evade detection, Cuckoo encrypts its network traffic and employs advanced evasion tactics, ensuring that its malicious components operate discreetly under specific conditions. This combination of data theft, remote control, encryption, and evasion tactics underscores Cuckoo’s advanced nature and highlights the complex strategies employed by modern malware to remain undetected and impactful within targeted systems.
  • The discovery of this malware on multiple websites, including tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, reveals distribution well beyond the initial site (DumpMedia). This suggests a coordinated effort to distribute malicious applications across diverse platforms, from music ripping tools to iOS and Android recovery applications, each offered in free and paid versions. The similarity in appearance and functionality of these websites points to a single distribution network, emphasizing the scale of this operation.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the discovery of malware like Cuckoo highlights the evolving threat landscape for macOS users and organizations. This type of advanced malware is likely to become more widespread and may target macOS users on a larger scale in the future. As cybercriminals refine their tactics, macOS users may face heightened risks of malware infections and compromised system security, potentially leading to disruptions, data breaches, and unauthorized access to sensitive information. Organizations relying on macOS systems could experience significant disruptions and reputational damage from the infiltration of sophisticated malware like Cuckoo. To address future risks effectively, organizations may need to invest more in advanced cybersecurity defenses tailored specifically for macOS environments, emphasizing proactive measures to mitigate evolving threats.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS
Security Awareness training should be mandated for all company employees. The training should ensure that employees:

  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.
  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Social engineering Attacks, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Underground Ransomware, RansomHub Ransomware | Malware – Cuckoo
  • Underground Ransomware and RansomHub Ransomware – ransomware groups observed this week.
  • Please refer to the trending malware advisory for details on the following malware: Cuckoo.
  • Behaviour – Most of these malware families use phishing and social engineering as their initial attack vectors. Exploitation of vulnerabilities, defence evasion, and persistence tactics are also observed.

Threat Actor in Focus

Unveiling APT42: Iran’s Cyber Espionage Campaign

  • Threat Actors: APT42
  • Attack Type: Social Engineering
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: U.S., Israel, Europe & Middle East
  • Target Industries: Universities, NGOs & Media
  • Business Impact: Data Loss, Data exfiltration

Summary:
APT42, a notorious cyber espionage group with ties to the Iranian state, operating under the alias Mint Sandstorm, has recently been identified as orchestrating a highly sophisticated social engineering campaign. This campaign revolves around the impersonation of journalists to infiltrate networks and gather intelligence, particularly targeting high-profile experts in Middle Eastern affairs.

Geographically, APT42’s operations span strategic regions such as the United States, Israel, Europe, and the Middle East. Within these areas, their targets encompass a diverse range of sectors, including but not limited to non-governmental organizations (NGOs), media outlets, academia, legal services, and activist groups.

The initial phase of their attack involves meticulously crafting personas as credible journalists to establish trust and rapport with their targets. Once trust is established, APT42 utilizes various means to exploit this connection and gain unauthorized access to victim networks.

Their arsenal includes custom backdoors like TAMECAT and NICECURL. TAMECAT functions as a PowerShell toehold, allowing the execution of arbitrary commands within compromised systems. On the other hand, NICECURL, a VBScript backdoor, serves the purpose of downloading and executing additional modules for data mining and command execution, thereby providing APT42 with a wide range of capabilities within compromised networks.

The primary motive driving APT42’s activities is to further Iran’s intelligence objectives, particularly those aligned with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). By targeting influential individuals and organizations involved in Middle Eastern affairs, APT42 aims to gather valuable intelligence, influence decision-making processes, and ultimately advance Iran’s strategic interests in the region.

Relevancy & Insights:
APT42, the Iranian state-backed hacking group, uses highly targeted spear-phishing and social engineering to establish trust with its victims, facilitating access to email accounts and the installation of malware. Its operations fall into three main categories: credential harvesting, surveillance, and malware deployment. While credential theft remains the primary objective, the group also conducts surveillance, particularly through malware, to monitor individuals of interest to the Iranian government. Additionally, APT42 incorporates custom backdoors and lightweight tools into its operations, suggesting broader strategic objectives beyond credential theft. The group has previously targeted sectors such as education, government, healthcare, and pharmaceuticals, indicating a wide-ranging and adaptable approach.

ETLM Assessment:
APT42, a cyber espionage group believed to operate under the sponsorship of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), poses a significant threat to both Western and Middle Eastern regions. With a primary focus on policy and government sectors, media organizations and journalists, and NGOs and activists, APT42 employs sophisticated tactics, particularly spear-phishing campaigns, to harvest credentials. Its operations span diverse sectors, including academia and legal services, indicating broad strategic interest. APT42’s modus operandi emphasizes establishing trust and rapport with targets before attempting to steal credentials. It also deploys custom backdoors such as NICECURL and TAMECAT to supplement these activities. This assessment underscores the need for robust cybersecurity measures to mitigate the threat posed by APT42’s state-sponsored espionage.

Recommendations:

  • Implement advanced email security protocols and solutions to detect and block spear-phishing attempts, particularly those tailored to build trust and rapport with targets. Regular training for employees on identifying phishing emails can also bolster defences.
  • Enforce strong password policies and encourage the use of multi-factor authentication (MFA) to protect against credential theft. Regularly monitor for unauthorized access and implement automated alerts for suspicious login attempts.
  • Deploy robust anti-malware solutions capable of detecting and mitigating the threat posed by custom backdoors like NICECURL and TAMECAT. Conduct regular scans of systems and networks to identify and remove any malicious software.
  • Foster collaboration with law enforcement agencies to investigate and prosecute cybercriminal activities associated with APT42. Reporting incidents promptly can help disrupt their operations and hold perpetrators accountable.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Chinese hackers target UK Ministry of Defence
As per government-acknowledged reports, a suspected Chinese threat actor compromised the UK Ministry of Defence’s payroll system, gaining access to personal and financial information belonging to more than a quarter of a million current and former armed forces members. According to the office of the UK Prime Minister, there are indications that a malicious actor compromised the armed forces’ payment network; the Ministry of Defence has taken the network offline and is providing affected employees with assistance.

ETLM Assessment:
The office of the Defence Secretary has not directly attributed the hack to China, although research analysts believe Beijing was to blame. CYFIRMA analysts consider the attack a classic example of state espionage: Chinese government hackers are probably mining the financial records of employees to identify potentially vulnerable individuals who could be approached for further HUMINT operations aimed at obtaining government secrets for Beijing.

North Korea’s hackers targeting Western media organizations
A joint advisory from the FBI, the NSA, and the US State Department recently warned that the North Korean threat actor Kimsuky is exploiting weak DMARC policies as part of its spear-phishing campaigns. Per the advisory, Pyongyang’s hackers abuse permissive or missing DMARC policies to send spoofed emails that appear to come from a legitimate domain. The North Korean cyber actors have conducted spear-phishing campaigns posing as legitimate journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles. North Korea uses these campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting North Korean interests by gaining illicit access to targets’ private documents, research, and communications.
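The weakness the advisory describes is a DMARC record whose policy tag asks receivers only to report (p=none) rather than reject or quarantine, or no record at all. The checker below is an added example, not from the advisory or any vendor tool, that classifies a domain's DMARC TXT record by what it actually tells receivers to do; the records are constructed and example.com is a placeholder domain. It also covers two gaps that a bare "p=reject" check misses: a pct below 100 and an sp=none subdomain policy.

```python
"""Added example (not from the advisory): assess whether a DMARC TXT record
actually tells receivers to reject spoofed mail. Records are constructed and
example.com is a placeholder (assumptions)."""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, or None if not a DMARC record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # RFC 7489: the version tag must be first and must read DMARC1.
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (verdict, reason). Only 'enforced' blocks exact-domain spoofing."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing", "no valid DMARC record: spoofed mail is delivered unchallenged"

    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return "invalid", f"p tag missing or unrecognised ({p!r}); receivers ignore the record"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid", "pct is not an integer"
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p

    if p == "none":
        return "weak", "p=none: receivers only report, they do not quarantine or reject"
    if pct < 100:
        return "partial", f"p={p} is applied to only {pct}% of failing mail"
    if sp == "none":
        return "partial", f"p={p} but sp=none leaves subdomains spoofable"
    return "enforced", f"p={p} on 100% of failing mail, subdomains {sp}"


# Constructed records (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial.example.com": "v=DMARC1; p=reject; pct=10",
    "subdomain-gap.example.com": "v=DMARC1; p=reject; sp=none",
    "good.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "none.example.com": "",
}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, reason = assess_dmarc(record)
        print(f"{domain:<28} {verdict:<9} {reason}")
```

To check a real domain, pass the TXT record published at _dmarc.<domain> (for example the output of dig +short TXT _dmarc.example.com) to assess_dmarc(); anything other than "enforced" means a receiver following the published policy will accept a message spoofing that domain.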

ETLM Assessment:
North Korean cyber operations have grown in sophistication over the past two years. Our researchers noted in a research report last year that Pyongyang's threat actors seem particularly interested in stealing information related to maritime and missile technology research, given the emphasis the Kim regime puts on developing a full nuclear triad. The interest in media organizations is most likely related to their links to intelligence and government bodies, which give media houses advance clues about US policy. The heavily sanctioned regime in North Korea is hungry for the off-limits technologies it cannot obtain on the open market and for any information on Western policy towards the country following its military support for Russia's war in Ukraine. Pyongyang has sold at least a million artillery rounds to Moscow during the past year, and the regime is possibly scanning for the planned reaction of Western governments to this.

Rise in Malware/Ransomware and Phishing

The Underground Ransomware impacts the Frencken Group

  • Attack Type: Ransomware
  • Target Industry: Business Services
  • Target Geography: Singapore
  • Ransomware: Underground Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Singapore, Frencken Group (www[.]frenckengroup[.]com), was compromised by the Underground ransomware. Frencken Group is a global integrated technology solutions company that provides complete, one-stop solutions in partnership with its customers, serving Europe, Asia, and the US through a global network of operating subsidiaries. The compromised data comprises documents spanning information technology, human resources, finance, and other categories of sensitive and confidential information, with a total size of approximately 439.4 gigabytes.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • The Underground ransomware gang recently announced a large batch of victims: the group listed 11 organizations on its leak website, each with a short summary. The amount of data leaked per victim ranges between 35 GB and 1.6 TB.
  • We observed that the Underground ransomware group uses double extortion to pressure victims into paying the ransom. It always leaves a ransom note behind, stating what type of data was stolen and where it was exfiltrated to.
  • The Underground ransomware group primarily targets countries such as the United States of America, Taiwan, Singapore, the UAE, and South Korea.
  • The group primarily targets industries such as Business Support Services, Manufacturing, and Information Technology Consulting.
  • Based on the Underground ransomware victim list from 1 Jan 2023 to 08 May 2024, the top 5 target countries are as follows:
  • The top 3 industries most affected by Underground ransomware from 1 Jan 2023 to 08 May 2024 are as follows:
  • There are conflicting reports and theories about Underground's actual identity. One theory claims that the gang is the successor of the infamous Industrial Spy ransomware that was active in 2022; this has not been confirmed. Based on the available information, CYFIRMA assesses that Underground ransomware will continue to target various industries globally, with a significant emphasis on the United States, Europe, and Asia. The recent breach of the Frencken Group, a leading Business Services firm based in Singapore, is a potential indicator of Underground ransomware's inclination towards organizations across Southeast Asia.

The RansomHub Ransomware impacts the ExtraCo

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United Arab Emirates (UAE)
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from the United Arab Emirates (UAE), Extra Co (www[.]extraco[.]ae), was compromised by the RansomHub ransomware. Extra Co is a leading manufacturer in the Middle East offering products and services in fibreglass composites, prefabricated houses, interior furnishings, fit-outs, structural and aesthetic precast, and metal works. The compromised data has not yet surfaced on the leak site, suggesting that negotiations between the affected party and the ransomware group are ongoing. The compromised data encompasses sensitive and confidential information pertinent to the organization, with a total size of approximately 20 gigabytes.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • A new threat actor has emerged in the ransomware landscape, distinguishing itself by making claims and backing them up with data leaks. In February 2024, RansomHub posted its first victim, the Brazilian company YKP.
  • RansomHub comprises hackers from various global locations united by the goal of financial gain. The gang explicitly prohibits attacks on specific countries and non-profit organizations; its website states that it refrains from targeting the CIS, Cuba, North Korea, and China. While the group presents itself as a global hacker community, its operations notably resemble a traditional Russian ransomware setup.
  • In February 2024, Change Healthcare, a UnitedHealth Group subsidiary, shut down IT systems after a cyberattack by an ALPHV affiliate. ALPHV's operators dismantled their infrastructure after the attack without paying the affiliate. Change Healthcare allegedly paid a $22 million ransom, only to be extorted again by a new group, RansomHub, which claimed to possess 4 terabytes of sensitive data. It is suspected that the affiliate joined RansomHub after ALPHV failed to pay, using the previously stolen data for leverage. Change Healthcare's removal from RansomHub's DLS suggests possible negotiation with the threat actors as of April 20, 2024.
  • The RansomHub ransomware group primarily targets countries such as the United States of America, Brazil, Slovakia, Canada, and Malaysia.
  • The group primarily targets industries such as Computer Services, Software, Renewable Energy Equipment, Restaurants & Bars, and Heavy Construction.
  • Based on the RansomHub Ransomware victims list from 1 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2023 to 08 May 2024 are as follows:

ETLM Assessment:
RansomHub appears to be a recently emerged ransomware group, likely with roots in Russia. Given the terms it offers affiliates and the strict controls it enforces, it could be vying for a leadership position while law-enforcement pressure weighs on major players such as LockBit and ALPHV. For now, however, its ransomware strain appears to be a revised version of an older sample; notably, it is written in Go. Based on CYFIRMA's assessment, RansomHub targets organizations worldwide. The attack on ExtraCo also highlights ransomware groups' interest in financially strong Asian organizations with exploitable weaknesses.

Vulnerabilities and Exploits

Vulnerability in Tinyproxy

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Proxy Application
  • Vulnerability: CVE-2023-40533 (CVSS Base Score 5.9)
  • Vulnerability Type: Use of Uninitialized Variable

Summary:
The vulnerability allows a remote attacker to obtain potentially sensitive information from the proxy process.

Relevancy & Insights:
The vulnerability exists because a variable is left uninitialized while parsing HTTP requests, so stale memory contents that were never set can be read and disclosed.

Impact:
A remote attacker can send a specially crafted HTTP request and obtain unauthorized access to sensitive information on the system.

Affected Products: https[:]//talosintelligence[.]com/vulnerability_reports/TALOS-2023-1902

Recommendations:
Patching: Apply vendor patches for CVE-2023-40533 as soon as your distribution ships them.
Exposure reduction: Do not expose Tinyproxy to untrusted networks; restrict clients with its Allow/Deny configuration directives so that only known source addresses can send requests to the proxy.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual proxy behaviour, such as malformed requests, that might indicate attempted exploitation of this vulnerability.

ETLM Assessment:
Tinyproxy is a lightweight HTTP/HTTPS proxy daemon for POSIX operating systems that delivers good performance in a compact footprint. Suited to embedded deployments that lack the resources for larger proxies, it is used globally across industries such as technology, finance, healthcare, and beyond.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

Latest Cyber-Attacks, Incidents, and Breaches

Space Bears ransomware attacks Mr Bean and publishes its data

  • Threat Actors: Space Bears Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Singapore
  • Target Industry: Food & Beverage
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that the Space Bears ransomware group attacked Mr Bean and published its data on the group's dark web website. Mr Bean (www[.]mrbean[.]com[.]sg) is the leading chain of soya bean food and beverage retailers in Singapore. With more than 60 stores in Singapore and Asia, Mr Bean offers a variety of soya bean drinks and snacks, including ice-blended flavoured soya drinks, ice creams, and pastries. The data leaked following the ransomware attack encompasses a broad spectrum of sensitive and confidential information pertinent to the organization.

Source: Dark Web

ETLM Assessment:
The newly emerged Space Bears ransomware has listed 7 victims in its first operation, a significant milestone for the group. The victims are spread across 7 countries: Germany, Norway, the US, South Africa, Ecuador, Morocco, and Singapore. The group has published evidence of the breaches on its recently established leak website. CYFIRMA's ongoing evaluation indicates that Space Bears ransomware is targeting organizations in Asia, the Americas, and Europe in pursuit of substantial financial gains.

Data Leaks

EdcComp Indonesia data advertised on a leak site

  • Attack Type: Data Leak
  • Target Industry: Retail
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to EdcComp Indonesia (www[.]edccomp[.]com) in an underground forum. EdcComp Indonesia is an online consumer electronics and computer retail store. The compromised data includes customer information such as Name, Calling Code, Mobile Number, Email Address, Blacklist Status, Total Amount Spent, Total Number of Orders, Address, Group Membership, First Order Date, Last Order Date, Gender, Date of Birth, WhatsApp Contact, Instagram Handle, Facebook Profile, Notes, Creation Time, etc. The data breach has been attributed to a threat actor identified as 'Sedapmalam'.

Source: Underground Forums

PT. PROLABIOS MITRA ANALITIKA (Indonesia) data advertised on a leak site

  • Attack Type: Data Leak
  • Target Industry: Business Services
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to PT. PROLABIOS MITRA ANALITIKA, Indonesia (www[.]prolabios[.]com) in an underground forum. PT. PROLABIOS MITRA ANALITIKA (PMA) is an Indonesian distributor of products and services. The compromised data comprises vendor, customer, and employee information, encompassing Display Name, Company Name, Title, First Name, Middle Name, Last Name, Email Address, Mobile Number, Phone Number, Fax Number, Billing Address, and other sensitive and confidential details. The data breach has been attributed to a threat actor identified as 'Sedapmalam'.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals continuously scour for exposed and vulnerable systems and applications to exploit. Many of them congregate in underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or application vulnerabilities to gain illicit access and steal valuable data. The stolen data is then advertised for sale in underground markets, where other malicious actors can acquire and repurpose it for further illicit activities.

ETLM Assessment:
Based on CYFIRMA's assessment, the financially motivated threat actor known as 'Sedapmalam' poses a significant risk to organizations, as the actor is known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by 'Sedapmalam' typically have inadequate security measures in place, rendering them vulnerable to attacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensuring databases are properly configured, with authentication required and no direct exposure to the internet, to mitigate the risk of database-related attacks.
  • Establishing robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

Other Observations

The CYFIRMA Research team observed a potential data leak related to The Post Millennial (www[.]thepostmillennial[.]com). The Post Millennial is a media and internet platform that publishes reports on Canadian politics, business, local and provincial news, analysis, and opinion pieces. The breached data includes sensitive information such as Emails, Usernames, Full Names, Display Names, Phone Numbers, and other confidential details. The volume of the breached data stands at 7.5 gigabytes.

Source: Underground forums

ETLM Assessment:
The DevEye threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime, mainly for financial gain. The actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating an intention to expand its attack surface to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Organizations should adopt Attack Surface Management, ensuring a continuous closed-loop process between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy, including malware detection, deep learning neural networks, and anti-exploit technology, combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) into the overall security posture as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge of each asset. Assign a triaged risk score based on the type of vulnerability and the criticality of the asset, so that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global cyber intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve the processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, deploy automated remediation, since unpatched vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy behavioural anomaly-based detection technologies to detect ransomware attacks and help take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and similar mechanisms to avoid accepting content from known and potentially malicious sources.
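Two of the controls in the list above, rate limiting and account lockout, interact in ways that are easy to get wrong, so here is an added worked example (written for this report, not code from CYFIRMA or any product) that combines a per-IP sliding-window rate limit with a per-account lockout and replays a constructed login-attempt log through it. The thresholds, the addresses and the timestamps are assumptions chosen to keep the replay deterministic.

```python
"""Per-IP rate limiting plus per-account lockout for a login endpoint.

Added example for this report, not code from CYFIRMA or any product. The
thresholds and the attempt log in ATTEMPTS are constructed; timestamps are
plain seconds so the replay is deterministic. Both controls are evaluated
before any password is verified, so a rejected attempt gives an attacker no
signal about whether the credential was right.
"""
from collections import defaultdict, deque


class BruteForceGuard:
    def __init__(self, ip_limit=10, ip_window=60.0, lockout_failures=5, lockout_seconds=900.0):
        self.ip_limit = ip_limit                  # attempts allowed per source IP per window
        self.ip_window = ip_window                # sliding window length in seconds
        self.lockout_failures = lockout_failures  # consecutive failures that lock an account
        self.lockout_seconds = lockout_seconds    # how long the account stays locked
        self._ip_hits = defaultdict(deque)        # ip -> timestamps of recent attempts
        self._failures = defaultdict(int)         # account -> consecutive failed attempts
        self._locked_until = {}                   # account -> unlock time

    def check(self, ip, account, now):
        """Decide before credential verification: 'allow', 'rate_limited' or 'locked'."""
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()                        # drop attempts that fell out of the window
        hits.append(now)                          # rejected attempts count too, so hammering does not help
        if len(hits) > self.ip_limit:
            return "rate_limited"
        if self._locked_until.get(account, 0.0) > now:
            return "locked"                       # same answer for right and wrong passwords
        return "allow"

    def record(self, account, success, now):
        """Update lockout state after the password was actually verified."""
        if success:
            self._failures[account] = 0
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.lockout_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0


def replay(attempts, guard=None):
    """Run (time, ip, account, password_ok) tuples through the guard; return one outcome each."""
    guard = guard or BruteForceGuard()
    outcomes = []
    for now, ip, account, password_ok in attempts:
        verdict = guard.check(ip, account, now)
        if verdict != "allow":
            outcomes.append(verdict)              # rejected without touching the credential store
            continue
        guard.record(account, password_ok, now)   # password_ok stands in for the real check
        outcomes.append("success" if password_ok else "failure")
    return outcomes


# Constructed attempt log using documentation-range addresses.
ATTACKER, OWNER = "203.0.113.9", "198.51.100.7"
ATTEMPTS = (
    [(t, ATTACKER, "alice", False) for t in range(6)]             # six wrong passwords for one account
    + [(10, OWNER, "alice", True)]                                # real owner, correct password, while locked
    + [(20 + i, ATTACKER, f"user{i}", False) for i in range(10)]  # password spray across ten accounts
    + [(1000, ATTACKER, "bob", False), (1000, OWNER, "alice", True)]  # later: window and lockout expired
)
EXPECTED = (["failure"] * 5 + ["locked"] * 2 + ["failure"] * 4
            + ["rate_limited"] * 6 + ["failure", "success"])

if __name__ == "__main__":
    for (now, ip, account, _), outcome in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(f"t={now:5} {ip:14} {account:8} -> {outcome}")
    assert replay(ATTEMPTS) == EXPECTED
```

The replay shows the caveat a practitioner should plan for: the fifth wrong password locks "alice", so the legitimate owner's correct login at t=10 is also refused, which means lockout can be turned into a denial of service against a chosen user. Keep lockouts short or pair them with CAPTCHA or step-up authentication, and treat the per-IP limit as only one layer, since attackers rotate source addresses.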

Situational Awareness – Cyber News

Please find the geography-wise and industry-wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation's geography, industry, and technology, please access DeCYFIR.