Self Assessment

Weekly Intelligence Report – 10 Nov 2023

Published On : 2023-11-09
Share :
Weekly Intelligence Report – 10 Nov 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Geography: Germany, United States, United Kingdom.
Target Industry: Construction, Education, Pharmaceuticals, Transportation.


CYFIRMA Research and Advisory Team has found a ransomware group known as Hunters International while monitoring various underground forums as part of our Threat Discovery Process.

Hunters International:

In the latest turn of events, a brand-new player in the world of ransomware-as-a-service has emerged, going by the name of Hunters International. This upstart seems to be using code once linked to the infamous Hive ransomware operation.

This connection naturally gave rise to the suspicion that the previous gang might have rekindled their unlawful endeavors under a new alias. Adding weight to this, a meticulous examination of the newly employed encryptor has revealed a multitude of code resemblances(60%).

Nevertheless, the Hunters International group claims to be a fresh entrant in the ransomware landscape, asserting that they acquired the encryptor source code from the developers of the Hive ransomware.

Screenshot Of Hunters Declaration (Source: Underground Forum)

Additionally, Hunters emphasizes that its primary objective does not revolve around encryption; instead, it centers its operations on data theft, leveraging this stolen information to coerce victims into complying with ransom demands.

The encryptor used by Hunters International appends the “.LOCKED” extension to files that have undergone encryption.

Screenshot of Files Encrypted by Hunters International Ransomware. (Source: Surface Web)

Within every directory, the ransomware deposits a plain text file labelled “Contact Us.txt.” This file contains instructions for the victim to establish contact with the attacker via Tor, using a unique login to access a protected chat page.

The ransom note of Hunters International Ransomware. (Source: Surface Web)

Countries targeted by Hunters International Ransomware.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1106: Native API
T1129: Shared Modules
2 TA0003:
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1562.001: Impair Defenses: Disable or Modify Tools
4 TA0007: Discovery T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
5 TA0011: Command and Control T1071: Application Layer Protocol
T1071.001: Application Layer Protocol: Web Protocols
6 TA0040: Impact T1486: Data Encrypted for Impact

Relevancy and Insights:

  • The ransomware specifically focuses on the extensively used Windows Operating System, which is widespread across a multitude of industries and organizations.
  • Recently targeted industries are:
  • Pharmaceutical industry in Germany
  • Construction and Transport industries in the United States
  • Education sector in the United Kingdom
  • By examining the list of victims, the primary targets of the ransomware currently include the United States and European countries.
  • The use of idle periods may indicate that the ransomware is designed to operate more stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Adversaries are leveraging native API calls and shared modules for execution. This suggests that attackers are taking advantage of system-level functions and potentially evading detection by using legitimate components.
  • The Ransomware heavily focuses on Persistence by using various registry keys. Some of those include,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Tracing: The TA is opening this registry key as it contains information about Microsoft OLE (Object Linking and Embedding) Tracing. Modifying its values can potentially enable malware to intercept and manipulate COM objects, allowing for stealthy and malicious actions, potentially bypassing security measures.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option: The TA is opening this registry key as it contains information about the system’s Safe Boot options. Altering the key’s values could enable malware to start in Safe Mode, evading detection and removal, enhancing its persistence and avoiding security measures.

ETLM Assessment:

CYFIRMA’s assessment based on the available information suggests that Hunters International ransomware will persist in targeting a wide range of global industries, with a notable focus on the United States and European countries. Its heightened emphasis on data theft, rather than just encryption, indicates a higher level of sophistication, posing a more significant threat to victims. Ransomware’s advanced ability to detect and evade debugging environments underscores its development maturity. Its design for stealthy operations during idle periods could make detection and mitigation more challenging.

Organizations should enhance their cybersecurity measures and maintain vigilance to effectively counter this evolving threat.

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:
title: Change PowerShell Policies to an Insecure Level – PowerShell tags:
– attack.execution
– attack.t1059.001 logsource:
product: windows category: ps_script
definition: ‘Requirements: Script Block Logging must be enabled’ detection:
ScriptBlockText|contains: ‘Set-ExecutionPolicy’ option:
– ‘Unrestricted’
– ‘bypass’
– ‘RemoteSigned’
# – ParentImage: ‘C:\ProgramData\chocolatey\choco.exe’ Powershell event id 4104 do not have ParentImage
– “(New-Object System.Net.WebClient).DownloadString(‘’)”
– “(New-Object System.Net.WebClient).DownloadString(‘’)”
– ‘\AppData\Roaming\Code\’ condition: cmdlet and option and not filter
– Administrator script level: medium
(Source: Surface Web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Data theft, Stealing crypto wallets, malware implant
Target Technology: Browsers, Email & Social Media Platform
Target Geographies: Europe, Africa, and the Caribbean.

Active Malware of the Week
This week “NodeStealer” is trending.

Social media platforms provide significant opportunities for financially motivated threat actors to carry out large-scale attacks on unsuspecting users. Malicious and fraudulent threats are common on social networks, making it essential for users to stay informed about the latest tactics that could jeopardize the security of their accounts, data, reputation, and finances. One prevalent method used by cybercriminals is to exploit ad networks.

Researchers observed a growing trend of cybercriminals using social media networks for malvertising, with the ultimate goal of hijacking accounts and stealing personal data through malicious software. Malvertising campaigns exploit genuine tools and tactics to circulate online ads, wherein cybercriminals implant infected links within standard advertisement networks. They frequently employ attractive content to entice users into clicking on these compromised links.

NodeStealer is a recently discovered info-stealer that enables threat actors to steal browser cookies and perform large-scale account takeovers. The initial campaign was linked to Vietnamese threat actors, who used JavaScript executed through Node.js to target business users through fake Facebook Messenger communications. This malware allowed attackers to gain control of business accounts and bypass security measures, like two- factor authentication. While its primary purpose was to hijack browser sessions and take over Facebook accounts, the malware has been updated to target additional platforms such as Gmail and Outlook, steal crypto wallet balances, and download more malicious components. It is distributed through Windows executable files disguised as photo albums.

NodeStealer Exploits Facebook Accounts via Deceptive Ads
Researchers discovered that attackers had compromised at least 10 business Facebook accounts, using them to serve malicious ads. These ads introduced a newer version of NodeStealer and used various Facebook profiles that offered access to media files of women. Approximately 140 malicious ad campaigns featured multiple iterations of the same ad. The attackers rotated between a maximum of 5 active ads every 24 hours to avoid user reports. These ads enticed victims with revealing photos of young women and clicking on them led to the immediate download of an archive containing a malicious .exe “Photo Album” file. This file also dropped a second executable written in .NET, responsible for stealing browser cookies and passwords. An estimated 100,000 potential downloads were identified through Ad reach analysis, with individual ads garnering up to 15,000 downloads within just 24 hours. The most affected demographic was males aged 45 and older.

Attack method
Cybercriminals are expanding their attacks beyond hijacking Facebook business accounts to target regular users using unique methods. They exploit compromised business accounts’ ad credit balances to run ads that deliver a malicious payload to their chosen targets.

The attackers create a Facebook page under the name “Album Update” (or similar) with suggestive photos of young women.

After the page is set up, malicious actors begin running ads that promote fake new content and entice users with lewd album covers. Some of the photos advertised appear to have been edited or even AI-generated. Also, attackers use descriptions like “New stuff is online today” to entice users into downloading a media archive. These “Albums” link to repositories storing a Windows executable with updated NodeStealer versions. They exploit Meta’s Ads Manager to target male users aged 18 to 65 from Europe, Africa, and the Caribbean.

Once in control, the hackers can change passwords and add security measures to lock out the rightful owners, enabling various fraudulent activities while evading Meta’s security defences.

Other variations of the fake profiles
Some of the other names of fake profiles include:

  • Album Girl News Update
  • Private Album Update
  • Hot Album Update Today
  • Album New Update Today
  • Album Private Update Today

Fig: Fake Profiles


  • Cybercriminals distribute NodeStealer malware using various tactics, including social engineering, malvertising, and bundling it with legitimate software. They disguise NodeStealer as harmless documents with convincing icons and filenames to deceive users. Social engineering tricks users into opening malicious links or attachments. Fake websites and social media profiles offer counterfeit software updates or free downloads, leading to NodeStealer installation.
  • NodeStealer malware, which has been attributed to threat actors from Vietnam, involves the use of multiple pages and Facebook users to distribute information, enticing victims to download links from trusted cloud file storage providers. The main objective of the NodeStealer malware is to steal cookies and login credentials for Facebook, Gmail, and Outlook accounts that are saved on web browsers that are based on Chromium, such as: –
    • Google Chrome
    • Microsoft Edge
    • Brave
    • Opera
  • This latest NodeStealer variant marks an evolution in the threat landscape, employing advanced tactics to steal credentials and cookies from a range of browsers and websites. This campaign could lead to more focused and precise attacks as threat actors collect valuable information. With stolen Facebook credentials in hand, attackers gain the ability to seize control of accounts and engage in fraudulent activities through legitimate business pages, highlighting the increasing sophistication of cyber threats.

From the ETLM perspective, CYFIRMA anticipates that NodeStealer’s ongoing evolution and advanced tactics suggest a future with increasingly sophisticated cyber threats. We can anticipate a shift towards more targeted attacks, potentially affecting a wider range of browsers and websites. The exploitation of legitimate business pages for fraudulent activities may rise, prompting businesses to enhance their security measures. The emerging trend of threat actors focusing on Facebook accounts is expected to continue in the future. Such attacks have the potential to cause financial and reputational harm to both individuals and organizations.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends Key Intelligence Signals:

  • Attack Type: Malware Implants, Web Attacks, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –LockBit 3.0 Ransomware | Malware – NodeStealer
  • LockBit 3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – NodeStealer
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Iran-based APT Agrius Targets Israel with Multiple Malware

  • Threat Actors: Agrius
  • Attack Type: Web Attack
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Israel
  • Target Industries: IT & Education
  • Business Impact: Operational Disruption

In a recent observation, researchers detected a cyber-attack piloted by Iran-based threat actors. A sophisticated Iranian advanced persistent threat (APT) group known as Agrius, or by various other aliases like Agonizing Serpens, BlackShadow, Pink Sandstorm, and DEV-0022, has been actively targeting educational and technological institutions in Israel. This APT, suspected to have ties to the Iranian government, has a history dating back to at least 2020 and has expanded its operations into Israel, the United Arab Emirates, and even South Africa. Agrius’s recent campaign, spanning from January to October 2023, focused on compromising Israeli organizations with the dual purpose of stealing sensitive personal information and intellectual property, while simultaneously deploying wipers to erase digital footprints. The APT group utilized a range of tools and techniques, including MultiLayer, PartialWasher, and BFG Agonizer wipers, as well as Sqlextractor for data extraction. To gain initial access, Agrius exploited vulnerable web-facing servers and established multiple web shells for persistence. To remain concealed and overcome security measures, the group employed proof-of-concept exploits, pen-testing tools, and custom utilities.

Agrius’s attack also involved the use of publicly available tools for reconnaissance, credential theft, lateral movement, and data exfiltration, including SMB password spraying and brute force attacks. Additionally, they extracted valuable information from SQL databases, such as ID numbers, passport scans, emails, and addresses. The APT group attempted to execute three distinct wipers during their attacks, demonstrating an evolution in their tactics to evade detection and bypass security solutions. Their enhanced capabilities emphasize stealth and evasive techniques, marking a significant escalation in their threat profile.

Relevancy & Insights:
The timing of the detection of this particular threat is intriguing, given the ongoing conflict between Israel and Gaza. Iran, a strong supporter of Gaza and its people due to a shared religious connection, underscores the need for Israel to remain vigilant and proactively counter potential attacks originating from various adversaries.

ETLM Assessment:
The APT group, Agrius, has a primary objective of targeting various industries in Israel. This pursuit is driven by the contentious relationship between Israel and Iran, with Iran attempting to assert dominance over Israel through cyber espionage, by gathering intelligence. Given the ongoing conflict between Israel and Gaza, the likelihood of such cyberattacks against Israel has significantly elevated. In addition to the potential for malware attacks, there is a heightened risk of Distributed Denial of Service (DDoS) attacks from other hacktivist groups, aiming to demonstrate their support for Gaza.


  • Strengthen endpoint protection with advanced security solutions, such as Endpoint Detection and Response (EDR) technology. Regularly update and patch security software to defend against the evolving attack techniques employed by Agrius.
  • Regularly perform vulnerability assessments on web-facing servers to identify and remediate weaknesses that threat actors like Agrius may exploit for initial access.
  • Employ continuous network monitoring to swiftly detect and respond to any unusual or malicious activity. This will help in identifying lateral movement and data exfiltration attempts.
  • Encrypt sensitive data stored in SQL databases and segment network traffic to prevent data leakage. Data encryption can thwart the efforts of adversaries like Agrius in harvesting sensitive information.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Russia targeting Ukraine’s military-industrial complex
Russia state-run hacking group; Turla, operating under the wing of the FSB intelligence
agency (also known as “Venomous Bear”), has long operated against Ukraine. This APT has recently been observed by researchers employing an advanced and stealthy .NET backdoor” called “Kazuar.” The backdoor has been used against the Ukrainian defense sector, the Ukrainian CERT reported this summer, where it’s been used to obtain access to a range of sensitive access and information. It hijacks legitimate websites for command-and-control, which renders Kazuar resistant to takedowns, and it also has stealthy and anti-analysis features.

ETLM Assessment:
This activity shift is best explained as an act of traditional espionage, in order to gain knowledge on the transformation of Ukrainian defense industry and its links to Western companies, which are providing know-how necessary for the stated goal of making Ukraine an armoury of Europe in the coming decades. Almost two years since Russia’s full-scale invasion, Ukrainian officials know how essential it is to turbocharge their own industry, innovate at speed and mobilize national resources, in order to fill the gaps of key weapon systems which are in short supply. These include anything from artillery ammunition to cheap attritable drones and air defense missiles. Russia is trying to stay ahead of the developments, gain operational data which it could use in kinetic targeting by its stand-off weapons like hypersonic missiles, since their manufacturing and operating costs require big, non-mobile and valuable targets to employ them effectively. Russia will also likely seek to penetrate Western military-industrial complex, exfiltrate data and maybe even interfere in the production of crucial weaponry, like artillery ammunition or long rage rockets.

Iranian APT working in the interest of Hamas
The cyber phases of the war between Hamas and Israel have been mostly marked by nuisance level hacktivism. However, that is now starting to change. Iranian APTs have weighed in on the side of Hamas in its war against Israel – the MuddyWater threat actor has likely utilized spearphishing in a fresh campaign targeting Israeli civil service with an apparent goal of espionage, although battlespace preparation for subsequent attacks can’t be ruled out either. A sponsor and one of the key allies of Hamas; Iran, has displayed a recent increase in its cyberespionage capabilities, deploying increasingly sophisticated malware against regional rivals, especially Israel, but also Saudi Arabia and other sunni-muslim-majority countries. Another group tracked under the name Agonizing Serpens has been attacking the Israeli tech sector and universities since January, with the latest attacks occurring as recently as October. These attacks were characterized by attempts to steal sensitive data, such as personally identifiable information and intellectual property. But following the data exfiltration, the attackers used a variety of wipers to hide their traces and render the compromised endpoints unusable.

In another campaign a group known as LionTail, which is associated with the Iranian Revolutionary Guard Corps has been targeting local and national government agencies and various institutions in Israel, with the goal of exfiltrating sensitive data on civil defense and government issues, while yet another group associated with Iranian proxies has been trying to hack cameras in Israel, including private cameras near the border with Lebanon.

ETLM Assessment:
The conflict in Gaza has revealed the complex and contradictory forces that shape Iran’s behaviour and interests in the Middle East, which are driven by both ideology and pragmatism. Iran’s proxies in the region, namely Lebanese Hezbollah, Iraqi Popular Mobilization Forces and Yemeni Houthis have all joined the struggle and started a low intensity war against Israel and the U.S., mostly by way of rocket and drone attacks. Hezbollah alone has lost over 50 fighters but the recent speech by its leader Hassan Nasrallah and Iranian supreme leader Ali Khamenei suggest that these attacks are likely meant to show Iran’s strength and deterrence capabilities to Israel and the United States, but also that Iran and its proxies are walking a thin line trying to avoid a direct clash that could harm Iran’s interests and security. Iranian officials have been walking a tightrope between their ideological commitment to the Palestinian cause and their pragmatic calculations of regional interests and risks. Their statements expose the dilemmas and difficulties that Iran confronts in dealing with its friends and foes. But they also reflect their domestic concerns and calculations. This, however, does not apply to the fifth domain, where the risk of high scale physical retaliation seems low. Israel’s National Cyber Directorate confirms this observation and states that the prospect of an intensified Iranian cyber campaign is deeply worrying, since Iran “knows that they can act there [in cyberspace] more freely than in physical space”. We are likely to see a spike in the activity of Iranian APTs attacking Israel and other countries that support Israel in the coming months. Israel seems to have been largely successful in blunting state-directed attacks, since it employs a proactive cyber defensive approach adopted by the Israeli National Cyber Directorate (INCD), as well as the mobilization of the country’s cyber security ecosystem due to the high tech nature of the Israeli economy. However, the same cannot be said of every country supporting Israel and the risk of potential spill out is imminent.

Rise in Malware/Ransomware and Phishing

EGCO Group is Impacted by LockBit 3.0 Ransomware

  • Attack Type: Ransomware
  • Target Industry: Electricity, Oil & Gas
  • Target Geography: Thailand
  • Ransomware: LockBit 3.0 Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Thailand, (www[.]egco[.]com), was compromised by LockBit 3.0 Ransomware. The Electricity Generating Public Company Limited or EGCO Group is the first independent power producer in Thailand, established by the Electricity Generating Authority of Thailand (EGAT). The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The breached data includes confidential and delicate information about the company.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • In 2023, the LockBit 3.0 ransomware developed as a global threat, infiltrating numerous public and private organizations worldwide. Notably, the United States has experienced the major impact of this danger, with approximately 30% of the country’s institutions being singled out and subsequently affected by this ransomware.
  • Based on the LockBit 3.0 Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Industries, most affected by LockBit 3.0 Ransomware

ETLM Assessment:
CYFIRMA assesses LockBit 3.0 Ransomware to maintain a focus on American businesses and related entities that hold significant amounts of Personally Identifiable Information (PII). However, the recent targeting of EGCO Group highlights the global risk posed by LockBit 3.0.

Vulnerabilities and Exploits Vulnerability in GLPI

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: CRM System
  • Vulnerability: CVE-2023-41320 (CVSS Base Score 9.8)
  • Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

Relevancy & Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data in UI layout preferences. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Affected Products: https[:]//github[.]com/glpi-project/glpi/security/advisories/GHSA-mv2r- gpw3-g476

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Russian hackers targeted Dutch public transport chip card website

  • Threat Actors: NoName05716
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: Dutch
  • Business Impact: Operational Disruption

The website of public transport chip card (OV chip card) company Translink was unavailable on Saturday (4 November 2023) due to a DDoS attack (Distributed Denial of Service), according to a spokesperson for the public transport chip card company. In the attack, the computer systems were bombarded with data traffic until they could no longer cope and collapsed. The spokesperson stated that due to a DDoS attack, the website is currently inaccessible. They mentioned an initial attack on Friday (3 November 2023), but it was successfully repelled by implementing suitable measures. Despite this, travellers can continue to check in and out as usual by utilizing their chip cards. The attack was claimed by the pro-Russian hacktivist group; NoName05716, which attacked Dutch organizations in retaliation for supporting Ukraine in the war with Russia.

Relevancy & Insights:
The website of Translink; a public transport chip card company, became unavailable on Saturday (4 November 2023) due to a DDoS attack, leading to temporary inaccessibility. The DDoS attack was claimed by the pro-Russian hacktivist group; NoName05716, purportedly as a response to Dutch organizations’ support for Ukraine in the ongoing conflict with Russia.

ETLM Assessment:
CYFIRMA assesses that pro-Russian threat actors will continue to target Dutch and other NATO countries, in an effort to cause reputational damage and general disruption.

Data Leaks

Vengreso Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Advertising & Marketing
  • Target Geography: The United States of America
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Vengreso,
{www[.]vengreso[.]com}. Vengreso is a Virtual Sales and Instant Messaging platform, utilized by professionals globally. Vengreso provides instruction, consultation, and implementation of digital selling tactics, relied upon by B2B brands, including Proofpoint, Seismic, Woodruff-Sawyer, Juniper Networks, and others. The compromised data comprises of names, emails, hashed passwords, profile pictures, StripeIDs, login dates, and other confidential information.

Source: Underground forums

Relevancy & Insights:
Driven by financial incentives, cyber attackers persistently target vulnerable and inadequately secured systems and software applications. A significant number of these malicious actors operate within hidden online communities, engaging in discussions related to cybercrime and the illicit trade of stolen digital assets. Distinguishing themselves from other financially motivated groups, such as ransomware or extortion collectives that often publicize their attacks, these cybercriminals prefer to maintain a low profile. By exploiting unpatched systems or vulnerabilities in software and hardware, they illicitly gain access and abscond with valuable information. Subsequently, they market the stolen data on clandestine forums, where it is either resold or repurposed by other malicious entities for their own unlawful ends.

ETLM Assessment:
The United States of America continues to rank among the top targets for cybercriminals worldwide. According to CYFIRMA’s assessment, U.S. institutions lacking strong security measures and infrastructure will likely remain at a heightened risk of potential cyberattacks.

Other Observations

CYFIRMA Research team observed a potential data leak related to the Ministry of Education Saudi Arabia, {www[.]moe[.]gov[.]sa}. The Ministry of Education, Saudi Arabia is a facility that provides educational training and degrees in health and science fields for students in Saudi Arabia. The breached data includes names, phone numbers, addresses, emails, and other sensitive information.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.