Self Assessment

Weekly Intelligence Report – 12 Apr 2024

Published On : 2024-04-11
Share :
Weekly Intelligence Report – 12 Apr 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found RSA-4096 ransomware while monitoring various underground forums as part of our Threat Discovery Process.

RSA-4096 ransomware
A new strain of ransomware, dubbed RSA-4096, has been uncovered by researchers. The ransomware is seen in the wild by March 2024. The malicious software encrypts data on infected systems and demands payment from victims in exchange for decryption. RSA-4096 belongs to the Xorist ransomware family, known for its sophisticated encryption techniques and extortion tactics.

Files encrypted by the RSA-4096 ransomware have been identified with a distinct “.RSA- 4096” extension appended to their original filenames.

Encryption employed a unique RSA-4096 public key generated.

Following the completion of the encryption process, the ransomware deposited a text file named “HOW TO DECRYPT FILES.txt,” containing instructions for the victim on how to retrieve their encrypted data.

The ransom note issued by the criminals demands a huge ransom payment in Bitcoin within 48 hours. The threat actors also state that failure to comply within the specified timeframe results in permanently deleting all files belonging to the victim.

Screenshot of files encrypted by RSA-4096 ransomware (Source: Surface Web)

Screenshot of Ransomnote (Source: Surface Web)

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/ Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting Interpreter
2 TA0003: Persistence T1547.004: Boot or Logon Autostart
Execution: Winlogon Helper DLL
3 TA0004: Privilege Escalation T1055: Process Injection
T1547.004: Boot or Logon Autostart
Execution: Winlogon Helper DLL
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1036: Masquerading
T1055: Process Injection
T1070.001: Indicator Removal: Clear Windows Event Logs
T1070.004: Indicator Removal: File Deletion
T1070.006: Indicator Removal: Timestomp
T1112: Modify Registry
T1564.001: Hide Artifacts: Hidden Files and Directories
5 TA0006: Credential Access T1056: Input Capture
6 TA0007: Discovery T1010: Application Window Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1518.001:Software Discovery: Security Software Discovery
7 TA0008: Lateral Movement T1080: Taint Shared Content
8 TA0009: Collection T1056: Input Capture
9 TA0040: Impact T1486: Data Encrypted for Impact

Relevancy and Insights:

  • Targeting widely used Windows operating systems, this ransomware poses a significant threat to diverse industries and organisations.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • User Input Checks: The ransomware is also performing checks on user input. This behaviour implies that the ransomware may have the ability to interact with the user or receive commands in some way. It could be looking for specific inputs or triggers to initiate its encryption process or carry out other malicious activities. This behaviour indicates a level of sophistication and interactivity in the ransomware’s design.

ETLM Assessment:

  • CYFIRMA’s assessment unveils XORIST ransomware targeting Diversified Financial Services, IT Services, Industrial Conglomerates, and other industries. RSA 4096 is part of the same threat family, suggesting a broader target scope and expanding its attack surface across global industries. Demanding substantial ransoms underscores profit- driven motives. This underscores the evolving ransomware threat landscape and emphasizes the imperative for heightened cybersecurity measures.

Sigma Rule
title: Wow6432Node CurrentVersion Autorun Keys Modification tags:
– attack.persistence
– attack.t1547.001 logsource:
category: registry_set product: windows
detection: selection_wow_current_version_base:
Target Object | contains : ‘\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion’
selection_wow_current_version_keys: TargetObject|contains:
– ‘\ShellServiceObjectDelayLoad’
– ‘\Run\’
– ‘\RunOnce\’
– ‘\RunOnceEx\’
– ‘\RunServices\’
– ‘\RunServicesOnce\’
– ‘\Explorer\ShellServiceObjects’
– ‘\Explorer\ShellIconOverlayIdentifiers’
– ‘\Explorer\ShellExecuteHooks’
– ‘\Explorer\SharedTaskScheduler’
– ‘\Explorer\Browser Helper Objects’ filter_empty:
Details: ‘(Empty)’ filter_edge:
Image|contains|all:
– ‘C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{‘
– ‘\setup.exe’ filter_msoffice1:
Image: ‘C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe’
Target Object | contains : ‘\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\’
filter_msoffice2: Image:
– ‘C:\Program Files\Microsoft Office\root\integration\integrator.exe’
– ‘C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe’ TargetObject|contains: ‘\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-
BE8A-2923E76605DA}\’
filter_dropbox:
– Details|endswith: ‘-A251-47B7-93E1-CDD82E34AF8B}’
– Details: ‘grpconv -o’
– Details|contains|all:
– ‘C:\Program Files’
– ‘\Dropbox\Client\Dropbox.exe’
– ‘ /systemstartup’ filter_evernote:
TargetObject|endswith: ‘\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424- B0DB-499CF856608E}\NoExplorer’
filter_dotnet:
Image|contains: ‘\windowsdesktop-runtime-‘ TargetObject|endswith:
– ‘\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d- 4ad7-a298-10e42e7840fc}’
– ‘\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382- 448c-89a7-4765961d2537}’
Details|startswith: ‘”C:\ProgramData\Package Cache\’ Details|endswith: ‘.exe” /burn.runonce’
filter_office:
Image|startswith:
– ‘C:\Program Files\Common Files\Microsoft Shared\ClickToRun\’
– ‘C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\’ Image|endswith: ‘\OfficeClickToRun.exe’
filter_ms_win_desktop_runtime:
Details|startswith: ‘”C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04- a38da5f06e41}\windowsdesktop-runtime-‘
filter_vcredist:
Image|endswith: ‘\VC_redist.x64.exe’ Details|endswith: ‘}\VC_redist.x64.exe” /burn.runonce’
filter_upgrades: Image|startswith:
– ‘C:\ProgramData\Package Cache’
– ‘C:\Windows\Temp\’ Image|contains:
– ‘\winsdksetup.exe’
– ‘\windowsdesktop-runtime-‘ # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205- 99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
– ‘\AspNetCoreSharedFrameworkBundle-‘ # “C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle- x86.exe” /burn.runonce
Details|endswith: ‘ /burn.runonce’ filter_uninstallers:
# This image path is linked with different uninstallers when running as admin unfortunately
Image|startswith: ‘C:\Windows\Installer\MSI’ TargetObject|contains: ‘\Explorer\Browser Helper Objects’
filter_msiexec:
Image: ‘C:\WINDOWS\system32\msiexec.exe’
Target Object | contains : ‘\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\’
condition: all of selection_wow_current_version_* and not 1 of filter_* fields:
– SecurityID
– ObjectName
– OldValueType
– NewValueType falsepositives:
– Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason.
– Legitimate administrator sets up autorun keys for legitimate reason level: medium.

(Source: Surface web)

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Espionage, Data theft, Remote Access
Target Organization: Finance
Target Geography: Asia–Pacific (APAC) and Middle East and North Africa (MENA)

Active Malware of the Week
This week “JsOutProx” is trending.

JsOutProx
Researchers have identified a new variant of JSOutProx, a sophisticated JScript-based Remote Access Trojan (RAT) that combines JavaScript and .NET technologies. This version specifically targets financial institutions and organizations in the APAC and MENA regions. JSOutProx utilizes .NET (de)serialization to communicate with a JavaScript module on the victim’s system. Once activated, the malware enables the framework to install plugins, which carry out further malicious operations on the compromised system. The recent campaigns abuse GitHub and GitLab for distributing malicious payloads, reflecting the actors’ evolving tactics.

Malicious Activity Timeline: Transition from GitHub to GitLab

  • November 14, 2023, independent cybersecurity researchers first reported payloads hosted on GitHub repositories, most of which were associated with Solar Spider. Solar Spider utilized a classic masquerading technique (T1036), disguising its code as a PDF file instead of JavaScript (JS) code. This technique was part of a multi-stage infection chain, where the actors deployed multiple JavaScript-based obfuscated payloads to collect sensitive information and establish a remote proxy server connection with the victim.
  • February 8, 2024, a spike in malicious activity was identified following an incident reported by a major system integrator in the Kingdom of Saudi Arabia. The incident targeted customers of a regional bank. The attackers utilized an impersonation attack using the email account “mike.will@my[.]com” to target multiple banking customers. They employed a fake SWIFT payment notification for enterprise customers and a Moneygram template for private customers, using misleading notifications to confuse victims and execute malicious code.
  • March 25, 2024, the actors registered multiple GitLab accounts and utilized them to deploy repositories containing malicious payloads. This shift to GitLab suggests an adaptation in tactics by the threat actors to distribute their malware.
  • March 27, 2024, Researchers identified a new malware sample associated with the same group. A notable difference was the use of GitLab instead of GitHub in a multi- stage infection chain. The identified repositories controlled by the actor were:
    • docs909 (created April 2, 2024)
    • dox05 (created March 26, 2024)

  • After successfully delivering the malicious code, the actor promptly removes the repository and creates a new one. This tactic is likely employed by the actor to efficiently manage multiple malicious payloads and differentiate targets.
  • April 2, 2024, researchers obtained the latest malware payloads uploaded by the actor.

Technical Analysis
The JSOutProx RAT malware is characterized by sophisticated obfuscation within its JavaScript-based backdoor structure. It includes a modular plugin architecture that allows it to perform various malicious activities, such as executing shell commands, managing file uploads and downloads, running files, modifying the file system, maintaining persistence, capturing screenshots and controlling keyboard and mouse actions. Notably, this malware utilizes the Cookie header field in its command and control (C2) communications. The implants were downloaded and extracted from their archives. Subsequently, they underwent obfuscation using obfuscator[.]io. After deobfuscation, the JavaScript code was successfully decoded for analysis.

First stage implant supports the following commands:

  • pat – update implant
  • uss.s – set proxy and update sleep time
  • uss.g – set proxy and set sleep time to C2
  • upd – update and restart implant
  • l32 – start x86 process.
  • l64 – start x64 process.
  • dcn – exit
  • ejs – evaluate javascript code.
  • int.g – send sleep time to C2
  • int.s – update sleep time

The script utilizes Windows Script Host (WSH) objects like ActiveXObject for malicious purposes, performing operations such as HTTP requests with WinHttp.WinHttpRequest.5.1, executing commands via WScript.Shell, and accessing the file system with Scripting.FileSystemObject. Additionally, it employs WMI to gather detailed information about the victim’s system environment. The implant uses a specific static User Agent for potential tracking purposes:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76

Communication with command and control (C2C) servers is facilitated using Dynamic DNS URLs, such as:

  • http[:]//mdytreudsgurifedei[.]ddns[.]net[:]9708/
  • http[:]//kiftpuseridsfryiri[.]ddns[.]net[:]8907/
  • http[:]//hudukpgdgfytpddswq[.]ddns[.]net[:]8843/
  • http[:]//ykderpgdgopopfuvgt[.]ddns[.]net[:]7891/

A notable feature of this malware is its utilization of the Cookie header field in C2C communication. During initialization, the malware collects various information, concatenates them with the delimiter “_|_”, hex-encodes the concatenated value, and sets it in the Cookie header field.

C2C Communications
Researchers have identified concerning details about the recent JSOutProx campaign from April 2, 2024, notably involving IP addresses (185.244.30.218) linked to the Freemesh project. Freemesh redirects to a website dedicated to a non-commercial initiative for free wireless networks. It appears that the threat actor deliberately deployed command and control (C2C) hosts within this infrastructure to exploit and conceal malicious network activity. Specifically, an IP address like 185.244.30.218 is associated with “The Privacy First Project,” a non-profit organization providing IPv4 space to various communities including Freifunk and TOR node operators, with a stated commitment to privacy and no log files. Virustotal historical data indicates extensive malicious activity associated with this IP address and multiple subdomains linked to the JsOutProx infrastructure. Researchers have engaged with the operators of these projects to understand the situation better and have successfully coordinated takedowns of multiple C2C servers to disrupt the new JsOutProx campaign.

INSIGHTS

  • The recent discovery of an updated version of JSOutProx, along with the exploitation of platforms like GitHub and GitLab for distribution, highlights the persistent and sophisticated tactics employed by malicious actors. Originally detected in 2019, JSOutProx continues to pose a substantial and evolving threat, particularly targeting customers of financial institutions. This year, there is concerning evidence of these threat actors expanding their operations into the MENA region, indicating an intensified cybercriminal presence in new geographic areas.
  • The attribution of early operations of JSOutProx to the threat actor ‘Solar Spider’ contrasts with the lack of concrete attribution in the latest campaign. The malware’s significant sophistication and the specific profiles of targeted organizations, particularly in financial sectors, suggest a high level of expertise and strategic intent behind its development and deployment. Geographical patterns of past attacks, coupled with the nature of the targets, lead to a moderate level of confidence that JSOutProx may have been developed by actors associated with China or having affiliations with Chinese interests.
  • In April 2020, targeted attacks were observed on Indian government establishments and the banking sector, specifically targeting organizations such as the Reserve Bank of India (RBI), IDBI Bank, and the Department of Refinance (DOR) within the National Bank for Agriculture and Rural Development (NABARD). These attacks utilized email- based phishing tactics with archive file attachments containing JavaScript and Java- based backdoors. Further analysis revealed the presence of the JSOutProx RAT malware within the JavaScript-based backdoor, indicating the involvement of a sophisticated threat actor group.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the impact of JSOutProx and similar malware is expected to continue posing significant challenges for organizations, particularly in the financial sector. As these threats evolve and leverage platforms like GitHub and GitLab for distribution, organizations may face increased disruptions to operations, financial losses, and reputational damage from data breaches or unauthorized access. Additionally, the geographical scope and range of targets impacted by JSOutProx may expand, posing a broader threat landscape for organizations globally. To address these evolving threats, proactive and comprehensive cybersecurity strategies will be crucial to mitigate the future impact of JSOutProx and similar threats on organizational security and resilience.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable Network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – 8Base Ransomware, Rhysida Ransomware | Malware – JsOutProx
  • 8Base Ransomware – One of the ransomware groups.
  • Rhysida Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – JsOutProx
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Unveiling CoralRaider: The Emerging Threat Actor Targeting Asia and Southeast Asia

  • Threat Actors: CoralRaider
  • Attack Type: Social Engineering, Spear Phishing
  • Objective: Financial Gains
  • Target Technology: Windows
  • Target Geographies: Asia and Southeast Asia – India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam
  • Target Industries: Construction, Real Estate, Marketing, and the Internet
  • Business Impact: Data Loss, Data exfiltration

Summary:
CoralRaider; a financially motivated threat group originating from Vietnam, has been active since at least 2023, focusing its efforts on victimizing individuals and organizations primarily across Asia and Southeast Asia. Their main objective revolves around seeking financial gains through illicit means, particularly by engaging in data theft activities. To achieve this goal, CoralRaider employs sophisticated social engineering tactics, distributing malicious Windows shortcut files with deceptive filenames to entice unsuspecting victims into opening them. These files serve as the initial infection vector, facilitating the deployment of customized malware payloads such as RotBot and XClient stealer.

Once deployed, these malicious payloads enable CoralRaider to execute various attack techniques, including the theft of credentials, financial data, and social media accounts. RotBot; a customized variant of QuasarRAT, serves as a remote access tool, while XClient stealer, a .Net executable, exhibits extensive information-stealing capabilities targeting social media and financial data. To communicate with their infrastructure and exfiltrate stolen data, CoralRaider leverages Telegram bots as command-and-control servers, enhancing their operational efficiency and evading traditional detection mechanisms.

CoralRaider’s targets span a wide range of industries, reflecting their opportunistic approach, but they demonstrate a particular interest in sectors associated with advertising and online businesses. Their activities have significant implications for victims, including potential financial losses, reputational damage, and compromised security posture. Effective cybersecurity measures, including robust endpoint protection and threat intelligence sharing, are imperative to counter the threat posed by CoralRaider and similar malicious actors operating in the region.

Relevancy & Insights:
CoralRaider; a threat actor from Vietnam, has been active since 2023, targeting victims across Asia and Southeast Asia. Their focus on stealing financial information, login credentials, and social media profiles, including business and advertisement accounts, underscores the need for international cooperation among cybersecurity agencies and governments. The group’s use of Windows shortcut files as the initial vector in their campaign highlights the evolving tactics used by cybercriminals to target a wide range of industries and individuals in multiple countries.

ETLM Assessment:
CoralRaider; a financially motivated threat actor group originating from Vietnam, poses a significant threat to organizations and individuals across Asia and Southeast Asia specifically India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam. Their primary goal is financial gains, leading them to conduct data theft activities targeting credentials, financial data, and social media accounts. Recent indications of active promotion within the Vietnamese cybercriminal community suggest potential collaboration or support networks, amplifying CoralRaider’s capabilities. Operating across diverse industries like Construction, Real Estate, Marketing, and the Internet.

Recommendations:

  • Conduct regular cybersecurity awareness training sessions to educate employees about the latest threats, including social engineering tactics used by threat actors like CoralRaider. Employees should be trained to recognize phishing attempts and suspicious activities to prevent inadvertent data breaches.
  • Employing strong authentication methods, such as multi-factor authentication (MFA), can help mitigate the risk of credential theft by adding an additional layer of security beyond passwords.
  • Develop comprehensive incident response plans that outline the steps to be taken in the event of a security breach or data compromise. This includes procedures for containing the incident, conducting forensic analysis, and restoring systems and data integrity.
  • Continuously monitor the threat landscape for emerging threats and vulnerabilities and stay informed about the latest cybersecurity trends and developments. Maintain vigilance and readiness to adapt security measures accordingly to address evolving threats effectively.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Czech Republic warns of Russia’s cyber sabotage of EU Railways
According to the Czech government, Russia has made thousands of attempts to damage the European railway system since the beginning of the invasion of Ukraine. Moscow is suspected of being behind “thousands of attempts to weaken our systems”, the transport minister said during an EU meeting in Brussels. The Russian hacking campaign includes attacks on critical infrastructure systems, including attacks on signalling equipment and the computer networks of Czech state-owned carrier, Czech Railways. In the past, the Russians have disabled ticketing systems in this way, for example, raising concerns about whether similar attacks are behind serious train accidents caused by faulty signalling equipment. Last March, the EU Cyber Security Agency (ENISA) published its first-ever report on threats to the European transport system. The report mentioned hacking attacks by pro-Russian groups against railways in Latvia, Lithuania, Romania, and Estonia. Czech Railways confirmed the government’s remark and acknowledged the growing number of attacks on its digital infrastructure.

ETLM Assessment:
Russian attempts to destabilize European energy infrastructure have been well documented but interference in transport networks has been less discussed, even though CYFIRMA analysts warned of this danger in this report last year. The Czech National Cyber and Information Security Agency (NÚKIB) has also warned of growing threats of attacks on transport targets in its report last year. The agency has been one of the strictest digital security watchdogs in Europe and was the first to issue a hawkish warning against the use of components from Chinese companies Huawei and ZTE in 5G mobile networks under construction. Russia is using the attacks both as a tool of political war against the West as well as a tactical means of delaying transports of Ukrainian grain to the world market as well as movements of Western equipment towards Ukraine both in civilian and military capacity. The incident shows the growing role of cyber in conflict even or rather especially between countries that are not formally at war and demonstrates the future of political relations, in which cyber will be a major means of the statecraft toolkit, affecting governments and businesses alike.

The Pentagon gets a cyber czar
The US Department of Defense has opened its Office of the Assistant Secretary of Defense for Cyber Policy. Upon confirmation, the new assistant defense secretary for cyber policy (aka cyber czar) Ashley Manning will oversee spending on network operations, outreach to industry, and more. The move is aligned with the recent U.S. Navy cyber strategy, according to which non-kinetic effects rather than missiles, fighter jets, and torpedoes are likely to decide the next war on the high seas. The document reflects the central idea that the next fight against a major adversary will be like no other and that the use of non-kinetic effects and defense against those effects prior to and during kinetic exchanges will likely be the deciding factor in who prevails. But the navy sees it as imperative that cyber warfare is far more than networks and cybersecurity. Cyber warfare is presented as a warfighting discipline that should be considered a core competency that is going to play a key role in modern warfare.

ETLM Assessment:
The inauguration of the “cyber czar” confirms the growing role of cyber in modern conflicts, which often do not distinguish between military and civilian infrastructure and between times of war and peace. The office intends to provide the U.S. military a more civilian-facing role in the realm of cyber policy. The new office is responsible for coordinating the Pentagon’s cyber strategies, overseeing the military’s cyber operational budget, cyber workforce development and private sector outreach, among other areas.

The US military highlights the pivotal role of non-kinetic effects and defense against such effects in future conflicts. The potential for massive cyberattacks by advanced state actors like China looms large, threatening to disrupt critical infrastructure and the internet-powered amenities that underpin modern life. US documents emphasize that cyber warfare extends far beyond networks and cybersecurity issues, yet neither governments nor businesses are adequately prepared to confront this emerging threat.

Rise in Malware/Ransomware and Phishing

The 8Base Ransomware impacts the PT Pupuk Iskandar Muda (Pim)

  • Attack Type: Ransomware
  • Target Industry: Chemicals, Petrochemicals, Glass & Gases and Manufacturing
  • Target Geography: Indonesia
  • Ransomware: 8Base Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; (www[.]pim[.]co[.]id), was compromised by the 8Base Ransomware. PT Pupuk Iskandar Muda (Pim) is engaged in industry, trade, and services in the fields of fertilizers, petrochemicals, and other chemicals. The compromised data includes invoices, receipts, accounting documents, personal data, certificates, employment contracts, a substantial amount of confidential information, confidentiality agreements, personal files, and other sensitive documents.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • 8Base is a ransomware group that first emerged in 2022 but ramped up its operations and refined its methods significantly in 2023. The malware began as a crypto ransomware but has since evolved to perform multi-extortion in its attacks. The malware is very similar to that of Phobos and related groups; however, there is no known, formal relationship between the different groups.
  • The 8Base group’s identity, methods, and motivations largely remain a mystery. However, based on its leak site and public accounts, along with the group’s communications, researchers think the group’s verbal style is quite similar to that of RansomHouse; a group that typically purchases already compromised data or works with data leak sites to extort victims. This has led to speculation that 8Base may be an offshoot of RansomHouse.
  • Recently, we observed that the new variant used by the 8Base group includes features that can enable the attackers to establish persistence on victims’ systems, perform speedy encryption, and remove backup and shadow copies. Furthermore, it includes advanced features, such as .NET profiler DLL loading vulnerability, API calls, and Cyrillic language, to avoid detection by security products.
  • The 8Base Ransomware group primarily targets countries such as the United States of America, Brazil, Italy, Canada, and the United Kingdom.
  • The 8Base Ransomware group primarily targets industries, including Business Support Services, Heavy Construction, Specialized Consumer Services, Financial Administration, and Oil & Gas.
  • Based on the 8Base Ransomware victims list from 1 Jan 2023 to 10 April 2024, the top 5 Target Countries are as follows:
  • Based on the 8Base Ransomware victims list from 1 Jan 2023 to 10 April 2024, the top 5 Target Countries are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on PT Pupuk Iskandar Muda (Pim), a prominent Chemicals, Petrochemicals, Glass & Gases, and Manufacturing company located in Indonesia, underscores the extensive threat posed by this particular ransomware strain in the Southeast Asia region.

The Rhysida Ransomware impacts the Malaysian Industrial Development Finance

  • Attack Type: Ransomware
  • Target Industry: Finance
  • Target Geography: Malaysia
  • Ransomware: Rhysida Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary: From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Malaysia; (www[.]midf[.]com[.]my), was compromised by the Rhysida Ransomware. Malaysian Industrial Development Finance (MIDF), established in 1960 and based in Kuala Lumpur, is a financial development institution to modernize Malaysia’s manufacturing industries. The Group offers financial services including, but not limited to, Investment Banking, Development Finance, Asset Management, and Mezzanine Financing. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data contains unique and valuable information. The total price for the compromised data is set at 8 BTC.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Rhysida ransomware group, which first appeared in May 2023, operates as a ransomware-as-a-service. It utilizes the malware families PortStarter and SystemBC. Rhysida employs a double extortion technique; stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid.
  • Motivated by financial gains, Rhysida’s operators have been known to use phishing attacks as a means of gaining initial access, after which Cobalt Strike is used for lateral movement in infected machines. In July 2023, we observed that the Rhysida ransomware was using PsExec to deliver a script, detected as SILENTKILL, to terminate antivirus programs. In August 2023, we observed the PowerShell versions of the Rhysida ransomware. Notably, the PowerShell variant does not include any command-line arguments for execution.
  • The Rhysida Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Italy, Germany, and China.
  • The Rhysida Ransomware group primarily targets industries including Specialized Consumer Services, Health Care Providers, Industrial Machinery, Software, and Computer Services.
  • Based on the Rhysida Ransomware victims list from 1 Jan 2023 to 10 April 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Rhysida Ransomware from 1 Jan 2023 to 10 April 2024 are as follows:

ETLM Assessment:
Based on CYFIRMA’s assessment, there is a persistent targeting of global companies by the Rhysida ransomware, as depicted in the accompanying graph. However, recent incidents, such as the attack on Malaysian Industrial Development Finance, highlight the susceptibility of other prominent finance entities to similar targeting. These events emphasize the dynamic nature of the threat landscape, necessitating heightened vigilance among organizations across different sectors to mitigate the risks associated with ransomware attacks. The attack on Malaysian Industrial Development Finance also highlights ransomware groups’ interest in Southeast Asian organizations that are financially strong in the region with exploitable vulnerabilities.

Vulnerabilities and Exploits

Vulnerability in NVIDIA ChatRTX

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Software
  • Vulnerability: CVE-2024-0083 (CVSS Base Score 6.5)
  • Vulnerability Type: Improper Neutralization of Input During Web Page Generation

Summary:
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

Relevancy & Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data in the UI. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user’s browser in the context of a vulnerable website.

Impact:
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Affected Products: http[:]//nvidia[.]custhelp[.]com/app/answers/detail/a_id/5532

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Given that ChatRTX is utilized by developers and AI enthusiasts for connecting PC Large Language Models (LLMs) to their data, using retrieval-augmented generation (RAG) techniques, the industries that could be affected by this vulnerability span across multiple sectors. This includes, but is not limited to, technology, cybersecurity, education, and any other industry relying on advanced AI tools and applications for development, research, or operational purposes.

Latest Cyber-Attacks, Incidents, and Breaches

Medusa Ransomware attacked and Published data of PT Bank Pembangunan Daerah Banten Tbk

  • Threat Actors: Medusa
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Indonesia
  • Target Industry: Finance
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that Medusa Ransomware attacked and Published data of PT Bank Pembangunan Daerah Banten Tbk on its website. PT Bank Pembangunan Daerah Banten Tbk was founded in 1992, it is currently owned by the Banten Provincial government and has the status of a regional development bank. Currently, the Company serves customers of deposits, credit distribution (MSME, Consumer Credit, and Commercial Credit), and other services and has been appointed as a partner of the Provincial Government of Banten in local cash management. The total amount of data leakage is 108.47 GB and includes all customer financial information SQL Database.

Source: Dark Web

Relevancy & Insights:
Medusa is a ransomware malware family targeting businesses and institutions. Medusa encrypts crucial data, rendering it inaccessible, and attempts to pressure users to pay to regain control of their information. One notable incident involving Medusa Ransomware took place in 2023. The group successfully infiltrated Toyota’s European division, demanding a substantial ransom of $8 million. When negotiations broke down, the attackers proceeded to release the stolen data on their dark web portal.

ETLM Assessment:
Medusa Ransomware first emerged in June 2021 and has since targeted various industries, including Information technology, Finance, education, manufacturing, healthcare, and the retail sector. In 2023 alone, it is reported to have affected over 70 organizations globally, operating under the Ransomware-as-a-Service (RaaS) business model. The cybercriminals behind Medusa Ransomware maintain a dedicated TOR website where they publish information about their victims, accompanied by a countdown clock indicating the time left before the data is released. CYFIRMA’s assessment, relying on the available information about the Medusa ransomware, suggests that the threat is poised to evolve further in sophistication. Future iterations are likely to incorporate advanced evasion tactics, heightened focus on specific sectors and regions, and potentially more intricate methods for disseminating exfiltrated data. Moreover, the ransomware’s persistence mechanisms and anti-detection measures are anticipated to undergo further refinement, presenting continuous challenges for Organizations. Organizations should prioritize robust cybersecurity measures and remain vigilant against emerging variants.

Data Leaks

BANK SYARIAH INDONESIA(BSI) data advertised on the Leak Site

  • Attack Type: Data Leak
  • Target Industry: Finance
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to BANK SYARIAH INDONESIA(BSI), {www[.]bankbsi[.]co[.]id}. Bank Syariah Indonesia (BSI) is a state-owned Islamic bank in Indonesia. Threat Actor Offers Unauthorized CASH MANAGEMENT SYSTEM(CMS) Account Access of Bank Syariah Indonesia. A concern about selling has emerged offering unauthorized access to an employee account of Bank Syariah Indonesia’s cash management system. The evidence shared for the accounts indicates that the respective accounts have significant processing power. Among these accounts are DPD Persagi Sulsel and RSU Vina Estetika. The actor has shared the relevant access free of charge.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as Sedapmalam poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by Sedapmalam typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Patching all software products to the latest version to avoid any exploitation of vulnerabilities.
  • Configure the database properly to avoid any database type of attacks.
  • Implement proper password management policies including multi-factor authentication and roles-based access to ensure credentials are not leaked easily.

BADAN PEMERIKSA KEUANGAN REPUBLIK INDONESIA (BPK RI) data advertised on Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Finance
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to BADAN PEMERIKSA KEUANGAN REPUBLIK INDONESIA (BPK RI), {www[.]bpk[.]gov[.]id}. BADAN PEMERIKSA KEUANGAN REPUBLIK INDONESIA (BPK RI) is a Financial Audit agency in Indonesia. The compromised data includes confidential and sensitive information crucial to the organization. The total size of the compromised data is 200 megabytes.

Source: Underground Forums

ETLM Assessment:
A threat actor known as “InterSystems” has surfaced with financial motives, engaging in the active leakage of data belonging to BADAN PEMERIKSA KEUANGAN REPUBLIK INDONESIA (BPK RI) in online forums. The leaked data comprises personally identifiable information (PII), financial records, and other confidential data. This poses a substantial risk to both the affected organization and individuals, underscoring the critical importance of implementing robust cybersecurity measures to protect sensitive information from such malicious activities.

Other Observations

CYFIRMA Research team observed a potential data leak related to the Home Depot, {www[.]homedepot[.]com}. The Home Depot, Inc. operates as a home improvement retailer. The Home Depot stores sell various building materials, home improvement products, and lawn and garden products, as well as providing installation, home maintenance, and professional service programs. The company offers installation programs that include flooring, cabinets, countertops, water heaters, and sheds; and professional installation in various categories sold through home sales programs, such as roofing, siding, windows, cabinet refacing, furnaces, and central air systems. The data breach has exposed the corporate information of 10,000 employees of the company. The compromised data includes both the full names and email addresses of these individuals. The CyberNiggers threat actor group is responsible for the data breach at The Home Depot.

Source: Underground forums

ETLM Assessment:
CyberNiggers threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.