Weekly Intelligence Report – 12 July 2024

Published On : 2024-07-12

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies which could be relevant to your organization.

Type: Ransomware
Target Technologies: VMware ESXi

Introduction
CYFIRMA Research and Advisory Team has found Limpopo while monitoring various underground forums as part of our Threat Discovery Process.

Limpopo
Researchers recently uncovered the Limpopo ransomware, which has possibly been active since March.

Details on the infection vector for Limpopo ransomware are currently unavailable. Potential methods include Trojanized software or exploiting vulnerabilities.

Ransomware samples associated with the Limpopo ransomware family were submitted from several countries, indicating potential impacts in Chile, Guatemala, Honduras, India, Italy, Mexico, Peru, Spain, Thailand, the United States, and Vietnam.

Once executed, the Limpopo ransomware encrypts files with the following extensions:

.log .vmdk .vmsd .vmem .vswp
.vmx2 .vmxf .vmss .vmtx .vmtm
.nvram .vsb .vbm .vlb .vrb
.hlog .rar .vsm .vsm .vbk
.zip .iso .tgz .bco .dump
.gzip .bck .bkp .tmp .vmx
.ova .ovf .tar .vmd .vmsn

After files are encrypted, the Limpopo ransomware appends a “.LIMPOPO” extension to the filenames. These files are then skipped in subsequent encryption attempts, effectively whitelisting them.

It drops the following file(s) as ransom note:

Source: SurfaceWeb

Researchers found similar ransom notes that may have been used by ransomware variants. For example, the Socorta ransomware, a potential Limpopo variant, drops the following ransom note:

Source: SurfaceWeb

Following are the TTPs based on the MITRE ATT&CK Framework:

Sr. No | Tactics                      | Techniques/Sub-Techniques
1      | TA0003: Persistence          | T1543.003: Create or Modify System Process: Windows Service
2      | TA0004: Privilege Escalation | T1543.003: Create or Modify System Process: Windows Service
3      | TA0005: Defense Evasion      | T1027: Obfuscated Files or Information
       |                              | T1070: Indicator Removal
4      | TA0007: Discovery            | T1082: System Information Discovery
       |                              | T1083: File and Directory Discovery
       |                              | T1518.001: Software Discovery: Security Software Discovery
5      | TA0040: Impact               | T1486: Data Encrypted for Impact

Relevancy and Insights:

  • Targeting widely used ESXi environments, this ransomware poses a critical threat to virtualized infrastructures and the numerous industries relying on VMware’s technology.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware is seen deleting /var/log/syslog.1, a file crucial for storing system activity logs. Its deletion hinders system administrators from reviewing historical logs for troubleshooting and security analysis, effectively obscuring evidence of malicious activity and complicating incident response efforts.
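A triage helper for the file-level behaviour described above, written as an added example (not CYFIRMA's or the ransomware's code): it walks a datastore-like directory, counts files already carrying the .LIMPOPO marker against files whose extension is on the target list but are still intact, and checks whether /var/log/syslog.1 is missing under the scanned root. The sample tree is constructed in a temporary directory.

```python
"""Triage helper for the Limpopo ESXi ransomware behaviour described above.

Walks a datastore-like directory tree and reports:
  * files already renamed with the .LIMPOPO suffix (encrypted),
  * files whose extension is on the ransomware's target list but which are
    not yet encrypted (exposed),
  * whether var/log/syslog.1 under the scanned root is missing, which the
    report lists as the indicator-removal step.

Added example; the sample tree below is constructed in a temp directory.
"""
import os
import tempfile
from collections import Counter

# Extension list as given in the report (the repeated .vsm collapses in a set).
TARGET_EXTENSIONS = {
    ".log", ".vmdk", ".vmsd", ".vmem", ".vswp",
    ".vmx2", ".vmxf", ".vmss", ".vmtx", ".vmtm",
    ".nvram", ".vsb", ".vbm", ".vlb", ".vrb",
    ".hlog", ".rar", ".vsm", ".vbk",
    ".zip", ".iso", ".tgz", ".bco", ".dump",
    ".gzip", ".bck", ".bkp", ".tmp", ".vmx",
    ".ova", ".ovf", ".tar", ".vmd", ".vmsn",
}
ENCRYPTED_SUFFIX = ".LIMPOPO"
DELETED_LOG = "var/log/syslog.1"  # relative to the scanned root


def classify(path):
    """Return 'encrypted', 'exposed' or None for one file path."""
    name = os.path.basename(path)
    if name.endswith(ENCRYPTED_SUFFIX):
        # The appended marker is how Limpopo skips files it already hit.
        return "encrypted"
    _, ext = os.path.splitext(name)
    if ext.lower() in TARGET_EXTENSIONS:
        return "exposed"
    return None


def triage(root):
    """Walk *root* and summarise Limpopo-relevant findings as a dict."""
    counts = Counter()
    encrypted = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            kind = classify(full)
            if kind:
                counts[kind] += 1
            if kind == "encrypted":
                encrypted.append(os.path.relpath(full, root))
    syslog_missing = not os.path.exists(os.path.join(root, DELETED_LOG))
    # Per-VM view: any directory holding a .LIMPOPO file counts as hit.
    hit_dirs = sorted({os.path.dirname(p) or "." for p in encrypted})
    return {
        "encrypted": counts["encrypted"],
        "exposed": counts["exposed"],
        "syslog1_missing": syslog_missing,
        "hit_directories": hit_dirs,
    }


def build_sample_tree():
    """Constructed sample datastore mimicking a partially encrypted host."""
    root = tempfile.mkdtemp(prefix="limpopo_triage_")
    files = [
        "vmfs/volumes/ds1/web01/web01.vmdk.LIMPOPO",
        "vmfs/volumes/ds1/web01/web01.vmx.LIMPOPO",
        "vmfs/volumes/ds1/web01/web01.nvram",     # target ext, not yet hit
        "vmfs/volumes/ds1/db01/db01.vmdk",        # untouched VM
        "vmfs/volumes/ds1/db01/db01.vmsd",
        "backups/weekly.vbk.LIMPOPO",
        "etc/hosts",                              # not on the target list
        "var/log/syslog",                         # syslog.1 deliberately absent
    ]
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```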

ETLM Assessment:
CYFIRMA’s assessment based on available information suggests that the Limpopo ransomware poses a growing threat across regions such as Chile, Guatemala, Honduras, India, Italy, Mexico, Peru, Spain, Thailand, the United States, and Vietnam since we found ransomware samples submitted from these regions. Given the increasing sophistication of its attack vectors, including potential Trojanized software and vulnerability exploitation, organizations in these areas must bolster their cybersecurity defenses. The ransomware’s ability to target widely used ESXi environments highlights the critical need for securing virtualized infrastructures. Furthermore, its impact on system log files such as /var/log/syslog.1 underscores the importance of maintaining robust logging and monitoring practices to detect and respond to malicious activities promptly. Enhanced vigilance and proactive measures are essential to mitigate the risks posed by Limpopo ransomware and protect valuable data assets across affected regions.

STRATEGIC RECOMMENDATIONS

  • Implement robust security protocols, encryption, authentication, and access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering: (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Implement strict access controls and least privilege principles across ESXi environments to limit the spread and impact of ransomware.

Trending Malware of the Week

Type: Trojan
Objective: Stealing Banking Credentials, Data exfiltration
Target Technology: Windows OS
Target Industry: Banks
Target Geographies: Latin America (Brazil, Chile, Mexico, and Peru), Spain

Active Malware of the Week
This week “Mekotio” is trending.

Mekotio
The Mekotio banking trojan has been a persistent threat since at least 2015, primarily targeting Latin American countries with the objective of stealing sensitive information, particularly banking credentials. This malware has been notably active in Brazil, Chile, Mexico, Spain, and Peru. Mekotio is often distributed through phishing emails that use social engineering tactics to trick users into interacting with malicious links or attachments.

Attack Method
The Mekotio banking trojan begins with a spam email that appears to come from a legitimate source, such as a tax agency, alleging unpaid tax obligations. This email contains a malicious PDF attachment, often named “Factura_<numbers>.pdf,” which, when opened, connects to a command-and-control (C&C) server via a malicious link. This link leads to the download of a ZIP file containing the Mekotio MSI (Microsoft Installer) file. The MSI file, after verifying the system’s IP region to ensure it targets Latin American countries, executes an AutoHotkey script through AutoHotkey.exe. This script loads the Mekotio DLL, initiating the malware’s core functions. Finally, the infected system establishes a connection with the C&C server, which provides instructions for tasks such as credential theft, information gathering, and maintaining persistence.

  • Credential Theft: Mekotio’s primary goal is to steal banking credentials. It achieves this by displaying fake pop-ups that mimic legitimate banking sites, tricking users into entering their details, which the trojan then proceeds to harvest.
  • Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.
  • Persistence Mechanisms: Mekotio employs various tactics to maintain its presence on the infected system, including adding itself to startup programs or creating scheduled tasks.

The stolen banking information is sent back to the C&C server, where it can be further used by malicious actors for fraudulent activities, such as unauthorized access to bank accounts.
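Detection logic for the chain above, as an added example that is not part of the original report: one check for the lure attachment name, one for msiexec.exe spawning AutoHotkey.exe which then loads a DLL from a user-writable path. The event records and field names are constructed assumptions, not a vendor schema or real IoCs.

```python
"""Detection logic for the Mekotio infection chain described above.

Two checks a SOC could run over endpoint telemetry:
  1. the lure attachment name, 'Factura_<numbers>.pdf';
  2. the execution chain in which msiexec.exe (the Mekotio MSI) spawns
     AutoHotkey.exe, which then loads a DLL from a non-system directory.

Added example. The records below are constructed, Sysmon-like events; the
field names are our own assumption, not a vendor schema.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

LURE_RE = re.compile(r"^Factura_\d+\.pdf$", re.IGNORECASE)
# Prefixes under which a DLL load by the script host is treated as expected.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


@dataclass
class ProcessEvent:
    pid: int
    image: str          # path of the new process image
    cmdline: str
    parent_image: str   # path of the parent process image


@dataclass
class ImageLoadEvent:
    pid: int
    image_loaded: str   # path of the DLL that was loaded


def is_lure_attachment(filename: str) -> bool:
    """Stage 1: the report names the attachment 'Factura_<numbers>.pdf'."""
    return bool(LURE_RE.match(filename))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_mekotio_chain(procs: List[ProcessEvent],
                       loads: List[ImageLoadEvent]) -> Tuple[Set[int], List[str]]:
    """Stages 3-4: AutoHotkey.exe started by msiexec.exe, then loading a DLL
    from outside the system directories. Returns (suspicious pids, those DLLs)."""
    suspicious_pids = set()
    for ev in procs:
        if _basename(ev.image) != "autohotkey.exe":
            continue
        if _basename(ev.parent_image) != "msiexec.exe":
            continue
        suspicious_pids.add(ev.pid)
    dlls = [
        ld.image_loaded for ld in loads
        if ld.pid in suspicious_pids
        and ld.image_loaded.lower().endswith(".dll")
        and not _in_system_dir(ld.image_loaded)
    ]
    return suspicious_pids, dlls


# Constructed sample telemetry (not real indicators).
SAMPLE_PROCS = [
    ProcessEvent(4100, r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Users\ana\Downloads\Factura_884213.msi" /qn',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4188, r"C:\Users\ana\AppData\Local\Temp\ahk\AutoHotkey.exe",
                 r'"C:\Users\ana\AppData\Local\Temp\ahk\AutoHotkey.exe" run.ahk',
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(5020, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
                 r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" macros.ahk',
                 r"C:\Windows\explorer.exe"),   # benign user launch
]
SAMPLE_LOADS = [
    ImageLoadEvent(4188, r"C:\Windows\System32\ntdll.dll"),
    ImageLoadEvent(4188, r"C:\Users\ana\AppData\Local\Temp\ahk\core.dll"),
    ImageLoadEvent(5020, r"C:\Program Files\AutoHotkey\hook.dll"),
]

if __name__ == "__main__":
    pids, dlls = find_mekotio_chain(SAMPLE_PROCS, SAMPLE_LOADS)
    print("suspicious AutoHotkey pids:", sorted(pids))
    print("DLLs loaded from user-writable paths:", dlls)
```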

Fig: Mekotio attack chain

INSIGHTS

  • The emergence and persistence of the Mekotio banking trojan underscore a concerning trend in digital security, where sophisticated malware is crafted to specifically target financial institutions and their customers in Latin American countries. By leveraging social engineering through convincing phishing emails, Mekotio effectively exploits human trust to gain initial access, exemplifying the evolving strategies of cybercriminals to infiltrate systems and steal sensitive information, particularly banking credentials.
  • Mekotio demonstrates a multi-stage infection process that exemplifies its resilience and adaptability. From leveraging AutoHotkey scripts to loading DLLs, the trojan employs sophisticated techniques to evade detection and establish persistence. This modus operandi underscores the necessity of comprehensive threat detection capabilities that can identify anomalous behaviors and signatures indicative of trojan activity. This complexity underscores the challenge faced by cybersecurity professionals in developing proactive defense mechanisms capable of identifying and neutralizing such malware before it can compromise sensitive financial data.
  • Mekotio’s objective remains focused on acquiring valuable banking information, which it achieves through various intrusive methods like keystroke logging and capturing screenshots. This data, once harvested and transmitted to command-and-control servers, poses significant risks not only to individual victims but also to financial institutions targeted by these malicious activities. As such, combating threats like Mekotio requires a holistic approach that integrates advanced threat detection technologies with stringent data protection protocols to safeguard against potential breaches and uphold trust in digital financial transactions.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the impact of threats such as Mekotio on organizations and their employees is expected to evolve significantly. As cybercriminals continue to advance their tactics, the frequency and sophistication of attacks targeting financial data are likely to rise. Moreover, the growing reliance on digital transactions could heighten vulnerabilities exploited by malware like Mekotio. The decentralized nature of modern work environments could potentially expand attack surfaces, necessitating comprehensive endpoint security solutions and enhanced employee training programs. In the financial sector, successful breaches by trojans like Mekotio could have broader implications beyond financial losses, including reputational harm and regulatory scrutiny. By investing in advanced cybersecurity defenses and promoting a culture of cybersecurity awareness, organizations can better safeguard their operations and maintain trust in an increasingly digital and interconnected world.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Security awareness training should be mandated for all company employees. The training should ensure that employees inspect file extensions and do not trust the filetype logo alone, since an executable file can be disguised as a PDF or Office document.
  • Move beyond the traditional model of security awareness toward improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear-phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Hunters International Ransomware, RansomHub Ransomware | Malware – Mekotio
  • Hunters International Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following: Malware – Mekotio
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Cyber Espionage: Kimsuky’s Targeted Attack on Japanese Security and Diplomatic Organizations

  • Threat Actors: Kimsuky
  • Attack Type: Spear-phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Japan
  • Target Industries: Security and diplomatic organizations
  • Business Impact: Data Loss, Data exfiltration

Summary:
In March 2024, a researcher identified cyber espionage activities by the North Korean threat actor group Kimsuky, targeting Japanese security and diplomatic organizations. Kimsuky, known for their intelligence-gathering operations, initiated this attack through a sophisticated spear-phishing campaign. They sent targeted emails that appeared to come from legitimate security and diplomatic entities, with attached zip files containing misleadingly named documents with double file extensions.

When the target executed the EXE file within the zip, it triggered a malicious infection chain. The EXE file downloaded and ran a VBS script using wscript.exe. This VBS script subsequently downloaded PowerShell scripts from an external server, invoking the PokDoc function to collect comprehensive system information. This included system configuration, running processes, network details, a list of files in key user directories (such as Downloads, Documents, and Desktop), and user account information. This data was then exfiltrated to a specified URL, likely to confirm whether the device was in an analysis environment such as a sandbox.

To further their espionage efforts, Kimsuky implemented a keylogging mechanism. A VBS file was created and executed another PowerShell script that called the InfoKey function, which operated as a keylogger. This script captured keystrokes and clipboard information, storing the data in a file before sending it to another specified URL. Kimsuky ensured the persistence of their malware by modifying the system registry.

They configured the VBS scripts to execute automatically at startup, specifically targeting files like C:\Users\Public\Pictures\desktop.ini.bak and C:\Users\Public\Music\desktop.ini.bak to maintain their foothold in the infected system. This detailed and structured attack highlights the sophisticated methods employed by Kimsuky to infiltrate high-value targets and underscores the need for vigilant cybersecurity measures to defend against such threats.
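A hunt for this Run-key persistence pattern, as an added example that is not CYFIRMA's code: it parses a constructed .reg export and flags autorun values in which wscript.exe or cscript.exe is handed a script disguised under C:\Users\Public, as with the desktop.ini.bak files named above. The heuristics are assumptions for illustration, not a published rule.

```python
"""Hunt for the Kimsuky autorun persistence described above: a Windows script
host (wscript.exe / cscript.exe) launched from a Run key with a script that
is disguised by its name, such as C:\\Users\\Public\\Pictures\\desktop.ini.bak.

Added example. The input is a constructed .reg export; the heuristics are
ours, not a published detection rule.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
PUBLIC_ROOT = "c:\\users\\public\\"

# One "name"="data" value line of a .reg export (string values only).
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, data) triples from a .reg export, undoing the
    backslash and quote escaping that regedit applies to string data."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group("name"), data


def _tokens(cmd):
    # Quoted paths stay a single token; everything else splits on whitespace.
    return re.findall(r'"[^"]*"|\S+', cmd)


def _script_argument(tokens):
    # First argument after the host that is not a //B, //Nologo or /x switch.
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok.strip('"')
    return None


def flag_value(data):
    """Return the reasons an autorun command resembles the Kimsuky pattern;
    an empty list means the value was not flagged."""
    tokens = _tokens(data.lower())
    if not tokens:
        return []
    host = tokens[0].strip('"').rsplit("\\", 1)[-1]
    if host not in SCRIPT_HOSTS:
        return []
    script = _script_argument(tokens)
    if script is None:
        return []
    reasons = []
    if not script.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script host given a file without a script extension")
    if script.startswith(PUBLIC_ROOT):
        reasons.append("script stored under C:\\Users\\Public")
    if script.endswith(".bak") or ".ini." in script:
        reasons.append("script disguised as a backup or ini file")
    return reasons


def hunt(reg_text):
    """Return (value_name, command, reasons) for every flagged Run-key value."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if "currentversion\\run" not in key.lower():
            continue
        reasons = flag_value(data)
        if reasons:
            findings.append((name, data, reasons))
    return findings


# Constructed sample export: two values mirror the paths named in the report,
# two are benign autoruns that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"Pictures"="wscript.exe //B C:\\Users\\Public\\Pictures\\desktop.ini.bak"
"Music"="C:\\Windows\\System32\\wscript.exe C:\\Users\\Public\\Music\\desktop.ini.bak"
"Backup"="cscript.exe //Nologo \"C:\\Program Files\\Tools\\nightly.vbs\""
'''

if __name__ == "__main__":
    for name, cmd, reasons in hunt(SAMPLE_REG):
        print(f"{name}: {cmd}\n  -> {'; '.join(reasons)}")
```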

Relevancy & Insights:
Kimsuky, a North Korea-based cyber espionage group, has been active since 2012 and is known for its sophisticated cyberattacks primarily aimed at espionage. Their targets often include government entities, think tanks, and individuals across various countries. The recent attack on Japanese organizations aligns with their modus operandi of using spear-phishing emails to deliver malware and collect information. The motivation behind these attacks is consistent with Kimsuky’s broader objectives of supporting North Korean intelligence operations. By targeting Japanese organizations, they aimed to gather sensitive information relevant to geopolitical issues. Similar tactics and procedures have been observed in Kimsuky’s attacks on organizations in South Korea and other regions, indicating a pattern of using VBS and PowerShell scripts to achieve their espionage goals. As a threat intelligence analyst, it’s crucial to understand their tactics, techniques, and procedures (TTPs) to effectively assess the incident and implement appropriate countermeasures.

ETLM Assessment:
Kimsuky, a North Korea-based cyber espionage group, targets government entities, think tanks, and individuals across various countries, focusing on foreign policy, national security, and nuclear policy. Recently, they attacked Japanese organizations using spear-phishing emails with zip file attachments containing EXE files that triggered VBS and PowerShell scripts to collect system information and capture keystrokes. Their motivation is to gather sensitive information to support North Korean intelligence operations. The continuous geopolitical tensions and Kimsuky’s focus on military and defense sectors suggest a persistent threat, requiring Japanese organizations to bolster their cybersecurity defenses to protect against such sophisticated state-sponsored attacks. Additionally, the sophisticated techniques used to bypass security measures suggest a high risk of undetected infiltration, raising concerns about the robustness of current cybersecurity defenses across multiple sectors.

Recommendations:

  • Awareness and Training: Regularly train employees on recognizing and responding to phishing attempts.
  • Email Filtering: Implement advanced email filtering solutions to detect and block spear-phishing attempts.
  • Software Patching: Ensure all software is up-to-date with the latest security patches.
  • Behavioral Analysis: Deploy behavioral analysis tools to detect unusual activity indicative of malware infection.
  • Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate attacks.

3. Major Geopolitical Developments in Cybersecurity

Chinese hackers targeting Australia
The Australian Signals Directorate’s Australian Cyber Security Centre, together with its partners from Canada, Germany, Japan, New Zealand, South Korea, the U.K. and the U.S., has issued an alert outlining new attack techniques used by Chinese state-sponsored actors. The advisory describes attacks launched against Australian networks by APT40, a threat actor tied to China’s Ministry of State Security. The cyber watchdog states: “APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors for its operations in Australia. Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks to blend in with legitimate traffic and challenge network defenders.”

ETLM Assessment:
The threat actor, also known as Bronze Mohawk or Kryptonite Panda, has been active since at least 2011, carrying out cyber-attacks targeting entities in the Asia-Pacific region. It is assessed to be based in Haikou. It is known for targeting organizations and high-value targets in defense and government, with a long-standing interest in maritime industries, naval defense contractors, and associated research institutions. The operations bear all the hallmarks of classic state-driven cyber-enabled espionage, and we should assume many similar campaigns are underway at the same time.

OpenAI will block access to its AI tools in China
OpenAI is tightening restrictions on the use of its AI software in certain countries where it does not technically offer support, including China. The Microsoft-backed company has been sending memos to Chinese developers announcing that it will enforce measures to prevent developers in China from using its tools and software starting on July 9. OpenAI officially provides access to its services in a select number of countries, but many Chinese developers have been using its services through workarounds like VPNs. Chinese AI companies, such as Alibaba and Tencent’s Zhipu AI, have been attempting to step into the gap OpenAI will leave in the Chinese market, with Zhipu offering a “Special Migration Program” for OpenAI API users to transition to its products. The United States has been limiting anyone in China’s access to AI tools and hardware in recent years, although it is unclear if OpenAI’s recent decision is tied to the U.S. pressure campaign.

ETLM Assessment:
In April of this year, China’s military underwent its largest reorganization this decade when the Strategic Support Force was eliminated and a new Information Support Force inaugurated. One of the missions of the force is to bend public opinion in targeted countries, for which AI-operated text bots were engaging on social media, a technique widely used by the Russian intelligence services in recent weeks. Moreover, AI tools have been utilized to sift through the exponentially growing amount of digital data in recent years that has overwhelmed many traditional OSINT methods. Cutting the Chinese market off is probably a way to reduce mass abuse by Chinese intelligence agencies of AI tools and their usage against the West.

4. Rise in Malware/Ransomware and Phishing

The Hunters International Ransomware impacts the Multisuns Communication

  • Attack Type: Ransomware
  • Target Industry: Telecommunications
  • Target Geography: Taiwan
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Taiwan (www[.]multisuns[.]com[.]tw) was compromised by the Hunters International Ransomware. Multisuns Communication is a telecom equipment developer and provider specializing in digital call recording solutions. They offer a variety of recording equipment including EULS, DCRS, EasyLog Web+, MicroLog (TCR-2000), +Log (TCR-3000), and VL2000. The breached data includes sensitive and confidential organizational information, with a total size of approximately 104 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a ransomware that targets Windows and Linux environments and adds the .LOCKED extension to the encrypted files on the victim machine once the ransomware group has completed data exfiltration.
  • Recent updates about the Hunters International ransomware group reveal significant developments since its emergence in late 2023. Notably, Hunters International is strongly linked to the infamous Hive ransomware, utilizing similar source code and infrastructure. After Hive’s operations were disrupted by an international law enforcement action in January 2023, Hunters International emerged, reportedly acquiring Hive’s source code and infrastructure rather than being a direct rebrand of Hive.
  • The Hunters International Ransomware group primarily targets countries such as the United States of America, Taiwan, Italy, Belgium, and Ireland.
  • The Hunters International Ransomware group primarily targets industries, including Industrial Machinery, Heavy Construction, Health Care Providers, Electronic Equipment, and Business Support Services.
  • Based on the Hunters International Ransomware victims list from 1 10 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1 Jan 2023 to 10 July 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Hunters International Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Multisuns Communication, a prominent telecommunications company located in Taiwan, underscores the extensive threat posed by this particular ransomware strain in the East Asia region.

The RansomHub Ransomware impacts the Corporate Infotech Pvt. Ltd. (CIPL)

  • Attack Type: Ransomware
  • Target Industry: Information Technology
  • Target Geography: India
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from India (www[.]cipl[.]org[.]in) was compromised by the RansomHub Ransomware. Corporate Infotech Pvt. Ltd., aka CIPL, is an Information Technology company driven by the passion, the tools, the infrastructure, and the vision to provide a “one-stop technology destination” for customers across all verticals, helping customers achieve their objectives by providing innovative, best-in-class consulting, IT solutions and services in the most effective and profitable manner. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 200 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub has recently been reported to target VMware ESXi environments using a newly developed Linux encryptor. This encryptor is capable of shutting down virtual machines and removing snapshots before encryption. It employs advanced encryption methods, such as ChaCha20 and Curve25519, to secure the compromised data.
  • The RansomHub Ransomware group primarily targets countries such as Brazil, the United States of America, the United Kingdom, Italy, and Spain.
  • The RansomHub Ransomware group primarily targets industries such as Computer Services, Government Agencies, Telecommunications, Financial Services, and Business Support Services.
  • Based on the RansomHub Ransomware victims list from 1 Jan 2023 to 10 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the RansomHub Ransomware from 1st Jan 2023 to 10 July 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Corporate Infotech Pvt. Ltd. (CIPL), a leading Information Technology and consultancy firm in India, highlighting RansomHub’s significant threat presence in South Asia.

5. Vulnerabilities and Exploits

Vulnerability in Grandstream GXP2135

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Hardware solutions
  • Vulnerability: CVE-2024-32937 (CVSS Base Score 8.1)
  • Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Patch: Available

Summary:
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

Relevancy & Insights:
The vulnerability exists due to improper input validation in the CWMP SelfDefinedTimeZone functionality. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Impact:
Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.

Affected Products: https[:]//talosintelligence[.]com/vulnerability_reports/TALOS-2024-1978

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in the Grandstream GXP2135 can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of the GXP2135 is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding online communications and productivity across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

8Base Ransomware attacked and Published data of LCS and Partners

  • Threat Actors: 8Base Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Taiwan
  • Target Industry: Legal Consulting
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that 8Base Ransomware attacked and published data of LCS & Partners (www[.]lcs[.]com[.]tw) on its dark web site. LCS & Partners is one of the largest law firms in Taiwan, offering comprehensive legal services in various areas, including antitrust, banking, capital markets, corporate M&A, energy, intellectual property, litigation, and more. The data leak, following the ransomware attack, encompasses invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files, and others.

Source: Dark Web

Relevancy & Insights:

  • The 8Base ransomware group has seen a significant increase in activity since June 2023, using double extortion tactics to pressure victims into paying ransoms. This group, which first appeared in March 2022, has ramped up its attacks, targeting various industries and listing numerous victims on its dark web site.
  • 8Base ransomware is known for its use of the Phobos v2.9.1 ransomware, typically delivered through SmokeLoader, a malware downloader. The ransomware encrypts files with the .8base extension and demands ransom payments for decryption keys. Recent technical analyses show that 8Base employs various sophisticated methods to ensure persistence on victim systems, such as creating multiple copies of itself in startup folders and modifying registry keys for auto-start capabilities.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on LCS & Partners, a prominent Legal consulting company located in Taiwan, underscores the extensive threat posed by this particular ransomware strain in the East Asia region.

7. Data Leaks

Indonesian Cloud Service Provider Admin Access Advertised on a Leak Site

  • Attack Type: Access for sale
  • Target Industry: Information Technology
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed potential SYSMON Administrator access for sale related to an Indonesian cloud service provider in an underground forum. A threat actor on a dark web forum offered SYSMON Administrator access to an Indonesian cloud service provider whose offerings include multi-data center services, cloud, cyber security, office collaboration, disaster recovery, cloud software, and more.

According to the post, the alleged access offers full control over 11,903 devices, including 550 servers, 10 hypervisors, 7 workstations, 3 network devices, 6 firewalls, and 11,325 virtual machines, encompassing over 600 TB of data. With the alleged access, a buyer could connect to any of the devices through TELNET/SSH/SFTP/HTTP and edit any of them.

The threat actor set a starting price for the alleged access and is selling it in an auction-style process with increments of 1000 USD. A Telegram handle and a TOX ID are also included in the post.

Source: Underground Forums

Kejaksaan Agung Republik Indonesia data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to Kejaksaan Agung Republik Indonesia in an underground forum. The Kejaksaan Agung Republik Indonesia is a key government institution responsible for law enforcement and prosecution in Indonesia. A threat actor claims to be selling data from the Kejaksaan Agung Republik Indonesia, allegedly including all users and databases from 2020 to 2024, for $100,000.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor “Brokenbutcute” poses a significant risk to organizations by targeting various institutions and profiting from selling sensitive data on the dark web or underground forums. Organizations targeted by “Brokenbutcute” typically have inadequate security measures, making them especially vulnerable to cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensuring proper database configuration to mitigate the risk of database-related attacks.
  • Establishing robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed potential unauthorized VPN access for sale related to various companies across multiple countries and industries. The access claims range from domain user to domain admin privileges, with significant potential impacts on each affected organization. Below are the details of the alleged sales:

Domain User Access:
  • Spain (Revenue: 17.2 million euros; Industry: Business Services; Price: $800)
  • United Kingdom (Revenue: 5.7 million pounds; Industry: Freight & Logistics Services; Price: $800)
  • India (Revenue: 65 million rupees; Industry: Manufacturing; Price: $1000)
  • Indonesia (Revenue: 265 million rupiah; Industry: Building Materials; Price: $1500)
  • United Kingdom (Revenue: 6.5 million pounds; Industry: Manufacturing; Price: $800)

Domain Admin Access:
  • Canada (Revenue: Less than 5 million dollars; Industry: Business Services; Price: $650)
  • Thailand (Revenue: Not specified; Industry: Seafood Supply (one of the biggest Seafood Exporter Groups); Price: $1750)
  • India (Revenue: More than 1 billion rupees; Industry: Business Services; Price: $5000)
  • Puerto Rico, United States (Revenue: 17 million dollars; Industry: Accounting Services; Price: $3000)
  • India (Revenue: 84.9 million rupees; Industry: Telecom Regulatory Authority of India; Price: $2500)
  • Japan (Revenue: Less than 5 million yen; Industry: Retail; Price: $650)

Source: Underground forums

The CYFIRMA Research team observed a potential SSH access sale related to a Taiwan-based telecommunications company. The threat actor “IntelBroker” claims to be selling SSH access associated with a Taiwan-based telecommunications company for $2,000.

Source: Underground forums

ETLM Assessment:
The threat actor ‘IntelBroker’ has become active in underground forums and has emerged as a formidable force in cybercrime, mainly for financial gain. The threat actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating its intention to expand its attack surface to other industries globally in the future.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.