CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: VMware ESXi
Introduction
CYFIRMA Research and Advisory Team has found Limpopo while monitoring various underground forums as part of our Threat Discovery Process.
Limpopo
Researchers recently uncovered the Limpopo ransomware, which has possibly been active since March.
Details on the infection vector for Limpopo ransomware are currently unavailable. Potential methods include Trojanized software or exploiting vulnerabilities.
Ransomware samples associated with the Limpopo ransomware family were submitted from several countries, indicating potential impacts in Chile, Guatemala, Honduras, India, Italy, Mexico, Peru, Spain, Thailand, the United States, and Vietnam.
Once executed, the Limpopo ransomware encrypts files with the following extensions:
.log | .vmdk | .vmsd | .vmem | .vswp | .vmx2 | .vmxf | .vmss | .vmtx | .vmtm | .nvram | .vsb | .vbm | .vlb | .vrb | .hlog | .rar | .vsm | .vbk | .zip | .iso | .tgz | .bco | .dump | .gzip | .bck | .bkp | .tmp | .vmx | .ova | .ovf | .tar | .vmd | .vmsn
After files are encrypted, the Limpopo ransomware appends a “.LIMPOPO” extension to the filenames. These files are then skipped in subsequent encryption attempts, effectively whitelisting them.
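The two observables described above, the targeted extension list and the ".LIMPOPO" suffix appended to already-encrypted files, are enough for a responder to scope an incident on a mounted datastore. The following triage sweep is an added example written for this report (not CYFIRMA tooling or malware code); the directory layout it scans is constructed inline.

```python
"""Triage sweep for Limpopo-style encryption on a mounted datastore.

Added example for this report; not tooling from CYFIRMA or from the
malware. It relies only on the behaviour described above: the targeted
extension list and the ".LIMPOPO" suffix appended to encrypted files.
"""
import os
import tempfile
from collections import Counter

# Extensions the report lists as targets (lower-cased, duplicates removed).
TARGET_EXTS = frozenset({
    ".log", ".vmdk", ".vmsd", ".vmem", ".vswp", ".vmx2", ".vmxf", ".vmss",
    ".vmtx", ".vmtm", ".nvram", ".vsb", ".vbm", ".vlb", ".vrb", ".hlog",
    ".rar", ".vsm", ".vbk", ".zip", ".iso", ".tgz", ".bco", ".dump",
    ".gzip", ".bck", ".bkp", ".tmp", ".vmx", ".ova", ".ovf", ".tar",
    ".vmd", ".vmsn",
})
MARKER = ".LIMPOPO"  # suffix appended after the original extension


def classify(filename):
    """Return (status, original_ext) for one file name.

    status is "encrypted" when the ".LIMPOPO" marker is present,
    "at_risk" when the file has a targeted extension but no marker,
    and "other" for everything else.
    """
    base = filename
    if base.endswith(MARKER):
        base = base[: -len(MARKER)]
        return "encrypted", os.path.splitext(base)[1].lower()
    ext = os.path.splitext(base)[1].lower()
    if ext in TARGET_EXTS:
        return "at_risk", ext
    return "other", ext


def triage(root):
    """Walk a directory tree and summarise Limpopo-style encryption.

    Returns counts of encrypted files per original extension, the number
    of still-unencrypted targeted files, and the encrypted paths so
    responders can scope the impact.
    """
    encrypted = Counter()
    at_risk = 0
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            status, ext = classify(name)
            if status == "encrypted":
                encrypted[ext] += 1
                hits.append(os.path.join(dirpath, name))
            elif status == "at_risk":
                at_risk += 1
    return {"encrypted_by_ext": dict(encrypted), "at_risk": at_risk,
            "encrypted_paths": sorted(hits)}


def demo():
    """Build a constructed datastore layout and run the triage on it."""
    root = tempfile.mkdtemp(prefix="limpopo-demo-")
    vm = os.path.join(root, "vm01")
    os.makedirs(vm)
    # Constructed sample: two encrypted VM files, one untouched target,
    # one unrelated file.
    for name in ("vm01.vmdk.LIMPOPO", "vm01.vmx.LIMPOPO", "vm01.nvram",
                 "readme.txt"):
        with open(os.path.join(vm, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    return triage(root)


if __name__ == "__main__":
    print(demo())
```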
It drops the following file(s) as a ransom note:
Researchers found similar ransom notes that may have been used by ransomware variants. For example, the Socorta ransomware, a potential Limpopo variant, drops the following ransom note:
Following are the TTPs based on the MITRE ATT&CK Framework:
Sr. No | Tactics | Techniques/Sub-Techniques
1 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service
2 | TA0004: Privilege Escalation | T1543.003: Create or Modify System Process: Windows Service
3 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information; T1070: Indicator Removal
4 | TA0007: Discovery | T1082: System Information Discovery; T1083: File and Directory Discovery; T1518.001: Software Discovery: Security Software Discovery
5 | TA0040: Impact | T1486: Data Encrypted for Impact
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s assessment based on available information suggests that the Limpopo ransomware poses a growing threat across regions such as Chile, Guatemala, Honduras, India, Italy, Mexico, Peru, Spain, Thailand, the United States, and Vietnam since we found ransomware samples submitted from these regions. Given the increasing sophistication of its attack vectors, including potential Trojanized software and vulnerability exploitation, organizations in these areas must bolster their cybersecurity defenses. The ransomware’s ability to target widely used ESXi environments highlights the critical need for securing virtualized infrastructures. Furthermore, its impact on system log files such as /var/log/syslog.1 underscores the importance of maintaining robust logging and monitoring practices to detect and respond to malicious activities promptly. Enhanced vigilance and proactive measures are essential to mitigate the risks posed by Limpopo ransomware and protect valuable data assets across affected regions.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Trojan
Objective: Stealing Banking Credentials, Data exfiltration
Target Technology: Windows OS
Target Industry: Banks
Target Geographies: Latin America (Brazil, Chile, Mexico, and Peru), Spain
Active Malware of the Week
This week “Mekotio” is trending.
Mekotio
The Mekotio banking trojan has been a persistent threat since at least 2015, primarily targeting Latin American countries with the objective of stealing sensitive information, particularly banking credentials. This malware has been notably active in Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often distributed through phishing emails that use social engineering tactics to trick users into interacting with malicious links or attachments.
Attack Method
The Mekotio banking trojan begins with a spam email that appears to come from a legitimate source, such as a tax agency, alleging unpaid tax obligations. This email contains a malicious PDF attachment, often named “Factura_<numbers>.pdf,” which, when opened, connects to a command-and-control (C&C) server via a malicious link. This link leads to the download of a ZIP file containing the Mekotio MSI (Microsoft Installer) file. The MSI file, after verifying the system’s IP region to ensure it targets Latin American countries, executes an AutoHotkey script through AutoHotkey.exe. This script loads the Mekotio DLL, initiating the malware’s core functions. Finally, the infected system establishes a connection with the C&C server, which provides instructions for tasks such as credential theft, information gathering, and maintaining persistence.
The stolen banking information is sent back to the C&C server, where it can be further used by malicious actors for fraudulent activities, such as unauthorized access to bank accounts.
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the impact of threats such as Mekotio on organizations and their employees is expected to evolve significantly. As cybercriminals continue to advance their tactics, the frequency and sophistication of attacks targeting financial data are likely to rise. Moreover, the growing reliance on digital transactions could heighten vulnerabilities exploited by malware like Mekotio. The decentralized nature of modern work environments could potentially expand attack surfaces, necessitating comprehensive endpoint security solutions and enhanced employee training programs. In the financial sector, successful breaches by trojans like Mekotio could have broader implications beyond financial losses, including reputational harm and regulatory scrutiny. By investing in advanced cybersecurity defenses and promoting a culture of cybersecurity awareness, organizations can better safeguard their operations and maintain trust in an increasingly digital and interconnected world.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Intelligence Signals:
Cyber Espionage: Kimsuky’s Targeted Attack on Japanese Security and Diplomatic Organizations
Summary:
In March 2024, a researcher identified cyber espionage activities by the North Korean threat actor group Kimsuky, targeting Japanese security and diplomatic organizations. Kimsuky, known for their intelligence-gathering operations, initiated this attack through a sophisticated spear-phishing campaign. They sent targeted emails that appeared to come from legitimate security and diplomatic entities, with attached zip files containing misleadingly named documents with double file extensions.
When the target executed the EXE file within the zip, it triggered a malicious infection chain. The EXE file downloaded and ran a VBS script using wscript.exe. This VBS script then downloaded PowerShell scripts from an external server and invoked the PokDoc function to collect comprehensive system information: system configuration, running processes, network details, a list of files in key user directories (such as Downloads, Documents, and Desktop), and user account information. This data was then exfiltrated to a specified URL, likely to confirm whether the device was in an analysis environment such as a sandbox.
To further their espionage efforts, Kimsuky implemented a keylogging mechanism. A VBS file was created and executed another PowerShell script that called the InfoKey function, which operated as a keylogger. This script captured keystrokes and clipboard information, storing the data in a file before sending it to another specified URL. Kimsuky ensured the persistence of their malware by modifying the system registry.
They configured the VBS scripts to execute automatically at startup, specifically targeting files like C:\Users\Public\Pictures\desktop.ini.bak and C:\Users\Public\Music\desktop.ini.bak to maintain their foothold in the infected system. This detailed and structured attack highlights the sophisticated methods employed by Kimsuky to infiltrate high-value targets and underscores the need for vigilant cybersecurity measures to defend against such threats.
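Two of the traces described in this write-up are cheap to hunt for: the double-extension lure files in the attachments, and startup entries that hand a script host a file disguised as "desktop.ini.bak" under C:\Users\Public. The checks below are an added example written for this report (not CYFIRMA or Kimsuky code); the Run-key entries are constructed samples standing in for a registry export.

```python
"""Hunt heuristics for the Kimsuky tradecraft described above.

Added example for this report, not CYFIRMA or Kimsuky code. It checks two
traces the write-up describes: lure attachments with double file
extensions, and startup (Run key) entries that launch a script disguised
as "desktop.ini.bak" under C:\\Users\\Public. The Run-key entries below are
constructed samples; on a live host they would come from a registry export.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".jpg"}
EXEC_EXTS = {".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".lnk"}
PUBLIC_PREFIX = "c:\\users\\public\\"


def is_double_extension(filename):
    """True for names like "report.pdf.exe" that hide an executable
    behind a document-looking inner extension."""
    base, last = ntpath.splitext(filename)
    _, inner = ntpath.splitext(base)
    return last.lower() in EXEC_EXTS and inner.lower() in DOC_EXTS


def _tokens(command):
    # Split a command line into tokens, honouring double quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def autorun_findings(command):
    """Return the reasons a Run-key command looks like the persistence
    described in the report; an empty list means nothing was seen."""
    reasons = []
    toks = _tokens(command)
    if not toks:
        return reasons
    host = ntpath.basename(toks[0]).lower()
    if host in SCRIPT_HOSTS:
        reasons.append("script host %s launched at startup" % host)
    for tok in toks[1:]:
        low = tok.lower()
        if low.startswith(PUBLIC_PREFIX):
            reasons.append("script path under C:\\Users\\Public")
        if low.endswith(".bak") and host in SCRIPT_HOSTS:
            reasons.append("script host given a .bak file (disguised script)")
        if ntpath.basename(low).startswith("desktop.ini."):
            reasons.append("file name masquerading as desktop.ini")
    return reasons


# Constructed sample Run-key entries: value name -> command line.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Pictures": r"wscript.exe //B C:\Users\Public\Pictures\desktop.ini.bak",
    "Music": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Music\desktop.ini.bak"',
}


def audit(run_keys):
    """Return {value_name: [reasons]} for every entry with findings."""
    report = {}
    for name, command in run_keys.items():
        reasons = autorun_findings(command)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RUN_KEYS).items():
        print(name, "->", "; ".join(reasons))
```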
Relevancy & Insights:
Kimsuky, a North Korea-based cyber espionage group, has been active since 2012 and is known for its sophisticated cyberattacks primarily aimed at espionage. Their targets often include government entities, think tanks, and individuals across various countries. The recent attack on Japanese organizations aligns with their modus operandi of using spear-phishing emails to deliver malware and collect information. The motivation behind these attacks is consistent with Kimsuky’s broader objectives of supporting North Korean intelligence operations. By targeting Japanese organizations, they aimed to gather sensitive information relevant to geopolitical issues. Similar tactics and procedures have been observed in Kimsuky’s attacks on organizations in South Korea and other regions, indicating a pattern of using VBS and PowerShell scripts to achieve their espionage goals. As a threat intelligence analyst, it’s crucial to understand their tactics, techniques, and procedures (TTPs) to effectively assess the incident and implement appropriate countermeasures.
ETLM Assessment:
Kimsuky, a North Korea-based cyber espionage group, targets government entities, think tanks, and individuals across various countries, focusing on foreign policy, national security, and nuclear policy. Recently, they attacked Japanese organizations using spear-phishing emails with zip file attachments containing EXE files that triggered VBS and PowerShell scripts to collect system information and capture keystrokes. Their motivation is to gather sensitive information to support North Korean intelligence operations. The continuous geopolitical tensions and Kimsuky’s focus on military and defense sectors suggest a persistent threat, requiring Japanese organizations to bolster their cybersecurity defenses to protect against such sophisticated state-sponsored attacks. Additionally, the sophisticated techniques used to bypass security measures suggest a high risk of undetected infiltration, raising concerns about the robustness of current cybersecurity defenses across multiple sectors.
Recommendations:
Chinese hackers targeting Australia
The Australian Signals Directorate’s Australian Cyber Security Centre, together with its partners from Canada, Germany, Japan, New Zealand, South Korea, the U.K. and the U.S., has issued an alert outlining new attack techniques used by Chinese state-sponsored actors. The advisory describes attacks launched against Australian networks by APT40, a threat actor tied to China’s Ministry of State Security. The cyber watchdog states: “APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders.”
ETLM Assessment:
The threat actor, also known as Bronze Mohawk or Kryptonite Panda, has been active since at least 2011, carrying out cyber-attacks targeting entities in the Asia-Pacific region. It is assessed to be based in Haikou. It is known for targeting organizations and high-value targets in defense and government, with a long-standing interest in maritime industries, naval defense contractors, and associated research institutions. The operations bear all the hallmarks of classic state-driven cyber-enabled espionage, and we should assume many similar campaigns are underway at the same time.
OpenAI will block access to its AI tools in China
OpenAI is tightening restrictions on the use of its AI software in certain countries where it does not technically offer support, including China. The Microsoft-backed company has been sending memos to Chinese developers announcing that it will enforce measures to prevent developers in China from using its tools and software starting on July 9. OpenAI officially provides access to its services in a select number of countries, but many Chinese developers have been using its services through workarounds like VPNs. Chinese AI companies, such as Alibaba and Tencent’s Zhipu AI, have been attempting to step into the gap OpenAI will leave in the Chinese market, with Zhipu offering a “Special Migration Program” for OpenAI API users to transition to its products. The United States has been limiting anyone in China’s access to AI tools and hardware in recent years, although it is unclear if OpenAI’s recent decision is tied to the U.S. pressure campaign.
ETLM Assessment:
In April of this year, China’s military underwent its largest reorganization this decade when the Strategic Support Force was eliminated, and a new Information Support Force inaugurated. One of the missions of the force is to bend public opinions in targeted countries, for which AI-operated text bots were engaging on social media, a technique widely used by the Russian intelligence services in recent weeks. Moreover, AI tools have been utilized to sift through the exponentially growing amount of digital data in recent years that has overwhelmed many traditional OSINT methods. Cutting the Chinese market off is probably a way to reduce mass abuse by Chinese intelligence agencies of AI tools and their usage against the West.
The Hunters International Ransomware impacts the Multisuns Communication
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Taiwan (www[.]multisuns[.]com[.]tw) was compromised by the Hunters International Ransomware. Multisuns Communication is a telecom equipment developer and provider specializing in digital call recording solutions. They offer a variety of recording equipment including EULS, DCRS, EasyLog Web+, MicroLog (TCR-2000), +Log (TCR-3000), and VL2000. The breached data includes sensitive and confidential organizational information, with a total size of approximately 104 GB.
The following screenshot was observed published on the dark web:
Relevancy & Insights:
ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Hunters International Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Multisuns Communication, a prominent telecommunications company located in Taiwan, underscores the extensive threat posed by this particular ransomware strain in the East Asia region.
The RansomHub Ransomware impacts the Corporate Infotech Pvt. Ltd. (CIPL)
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from India (www[.]cipl[.]org[.]in) was compromised by the RansomHub Ransomware. Corporate Infotech Pvt. Ltd., also known as CIPL, is an Information Technology company that positions itself as a “one-stop technology destination” for customers across all verticals, helping them achieve their objectives through consulting, IT solutions, and services. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 200 GB.
The following screenshot was observed published on the dark web:
Relevancy & Insights:
ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Corporate Infotech Pvt. Ltd. (CIPL), a leading Information Technology and consultancy firm in India, highlighting RansomHub’s significant threat presence in South Asia.
Vulnerability in Grandstream GXP2135
Summary:
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
Relevancy & Insights:
The vulnerability exists due to improper input validation in the CWMP SelfDefinedTimeZone functionality. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Impact:
Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.
Affected Products: https[:]//talosintelligence[.]com/vulnerability_reports/TALOS-2024-1978
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
The vulnerability in the Grandstream GXP2135 can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of the GXP2135 is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing this vulnerability is essential to safeguarding online communications and productivity across different geographic regions and sectors.
8Base Ransomware attacked and Published data of LCS and Partners
Summary:
Recently we observed that 8Base Ransomware attacked and published data of LCS & Partners (www[.]lcs[.]com[.]tw) on its darkweb website. LCS & Partners is one of the largest law firms in Taiwan, offering comprehensive legal services in various areas, including antitrust, banking, capital markets, corporate M&A, energy, intellectual property, litigation, and more. The data leak, following the ransomware attack, encompasses Invoices, Receipts, Accounting documents, Personal data, Certificates, Employment contracts, Confidentiality agreements, Personal files, and Others.
Relevancy & Insights:
ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on LCS & Partners, a prominent legal services firm located in Taiwan, underscores the extensive threat posed by this particular ransomware strain in the East Asia region.
Indonesian Cloud Service Provider Admin Access Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed potential SYSMON admin access for sale related to an Indonesian Cloud Service Provider in an underground forum. A threat actor on a dark web forum offered SYSMON administrator access for an Indonesian cloud service provider offering solutions including multi-data center services, cloud, cyber security, office collaboration, disaster recovery, cloud software, and much more.
According to the post, the alleged access for sale offers full control over 11,903 devices, including 550 servers, 10 hypervisors, 7 workstations, 3 network devices, 6 firewalls, and 11,325 virtual machines, encompassing over 600 TB of data. With the alleged access, one can connect to any of the devices through TELNET/SSH/SFTP/HTTP and edit any of the devices.
The threat actor set a starting price for the alleged access and ran an auction-style sale in which each bid increment is 1000 USD. A Telegram handle and a TOX ID are also included in the post.
Kejaksaan Agung Republik Indonesia data advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a potential data sale related to Kejaksaan Agung Republik Indonesia in an underground forum. The Kejaksaan Agung Republik Indonesia is a key government institution responsible for law enforcement and prosecution in Indonesia. A threat actor claims to be selling data from the Kejaksaan Agung Republik Indonesia, allegedly including all users and databases from 2020 to 2024, for $100,000.
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor “Brokenbutcute” poses a significant risk to organizations by targeting various institutions and profiting from selling sensitive data on the dark web or underground forums. Organizations targeted by “Brokenbutcute” typically have inadequate security measures, making them especially vulnerable to cyberattacks orchestrated by this threat actor.
Recommendations: Enhance the cybersecurity posture by
The CYFIRMA Research team observed a potential unauthorized VPN Access for sale related to various companies across multiple countries and industries. Threat actors are allegedly offering unauthorized VPN access to various companies across multiple countries and industries. The access claims range from domain user to domain admin privileges, with significant potential impacts on each affected organization. Below are the details of the alleged sales:
Domain User Access:
Country | Revenue | Industry | Price
Spain | 17.2 million euros | Business Services | $800
United Kingdom | 5.7 million pounds | Freight & Logistics Services | $800
India | 65 million rupees | Manufacturing | $1000
Indonesia | 265 million rupiah | Building Materials | $1500
United Kingdom | 6.5 million pounds | Manufacturing | $800
Domain Admin Access:
Country | Revenue | Industry | Price
Canada | Less than 5 million dollars | Business Services | $650
Thailand | Not specified | Seafood Supply (one of the biggest Seafood Exporter Groups) | $1750
India | More than 1 billion rupees | Business Services | $5000
Puerto Rico, United States | 17 million dollars | Accounting Services | $3000
India | 84.9 million rupees | Telecom Regulatory Authority of India | $2500
Japan | Less than 5 million yen | Retail | $650
The CYFIRMA Research team observed a potential SSH access sale related to a Taiwan-based telecommunications company. The threat actor “Intel Broker” claims to be selling SSH access associated with a Taiwan-based telecommunications company for $2,000.
ETLM Assessment:
The threat actor ‘IntelBroker’ has become active in underground forums and has emerged as a formidable force in cybercrime, mainly for financial gain. The threat actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating its intention to expand its attack surface to other industries globally.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.