Weekly Intelligence Report – 13 Dec 2024

Published On : 2024-12-13

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. They span multiple industries, geographies and technologies and may be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found AllCiphered Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

AllCiphered Ransomware
Researchers have recently identified a new variant of the MedusaLocker ransomware family, named AllCiphered. This ransomware encrypts files and appends the “.allciphered70” extension to the encrypted file names, with the number in the extension potentially varying depending on the specific variant.

After completing the encryption process, AllCiphered creates a ransom note in the form of an HTML file titled “How_to_back_files.html,” demanding payment for file decryption.

Screenshot of files encrypted by ransomware (Source: Surface Web)

The ransom note informs the victim that their company’s network has been compromised, and that the encrypted files were secured using RSA and AES cryptographic algorithms. It warns that any attempts to rename, modify, or decrypt the files using third-party tools will render them irreversibly corrupted.

The note also claims that confidential and personal data were exfiltrated from the network. It states that the victim will receive decryption software upon payment, and that the stolen data will be leaked or sold if they refuse. Victims are offered a test decryption of a few files, and the demand increases if the ransom is not paid within 72 hours.

Appearance of AllCiphered ransomware’s ransom note “How_to_back_files.html” (Source: Surface Web)

Following are the TTPs based on the MITRE Attack Framework

Tactic | ID | Technique
Initial Access | T1091 | Replication Through Removable Media
Execution | T1047 | Windows Management Instrumentation
Execution | T1059 | Command and Scripting Interpreter
Execution | T1129 | Shared Modules
Execution | T1569.002 | System Services: Service Execution
Persistence | T1542.003 | Pre-OS Boot: Bootkit
Persistence | T1543.003 | Create or Modify System Process: Windows Service
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1134.004 | Access Token Manipulation: Parent PID Spoofing
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service
Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1014 | Rootkit
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1070.004 | Indicator Removal: File Deletion
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1134.004 | Access Token Manipulation: Parent PID Spoofing
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1202 | Indirect Command Execution
Defense Evasion | T1222 | File and Directory Permissions Modification
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit
Defense Evasion | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Credential Access | T1056.001 | Input Capture: Keylogging
Discovery | T1010 | Application Window Discovery
Discovery | T1012 | Query Registry
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1120 | Peripheral Device Discovery
Discovery | T1497 | Virtualization/Sandbox Evasion
Discovery | T1614 | System Location Discovery
Lateral Movement | T1091 | Replication Through Removable Media
Collection | T1056.001 | Input Capture: Keylogging
Collection | T1074 | Data Staged
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1105 | Ingress Tool Transfer
Impact | T1485 | Data Destruction
Impact | T1486 | Data Encrypted for Impact
Impact | T1490 | Inhibit System Recovery
Impact | T1496 | Resource Hijacking

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware calls into the Windows Management Instrumentation (WMI) framework. WMI is used by many legitimate applications and services, which is exactly why malware abuses it to execute commands, collect system information, or modify the system (the Win32_ShadowCopy class, for example, can be used to enumerate and delete shadow copies) while blending into normal activity.
  • The ransomware writes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, the key Windows consults whenever an executable is launched (a Debugger value there causes the named program to be started in place of the original image, with the image path as its argument). This gives the ransomware persistence, lets it run alongside or instead of legitimate programs, and helps it evade detection by hiding behind trusted image names.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.

ETLM Assessment:
CYFIRMA’s analysis of available data indicates that MedusaLocker ransomware has been actively targeting a wide range of sectors, including Manufacturing, Healthcare, Finance, IT services, and much more, since 2019. Projections suggest that AllCiphered, a more advanced variant of MedusaLocker, will likely use enhanced evasion techniques to broaden its impact, targeting both individuals and businesses. It is expected to continue affecting major industries worldwide.

Therefore, maintaining vigilance and implementing robust cybersecurity measures are crucial to mitigating these evolving threats effectively.

Sigma Rule
title: Boot Configuration Tampering Via Bcdedit.EXE
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_set:
        CommandLine|contains: 'set'
    selection_cli:
        - CommandLine|contains|all:
              - 'bootstatuspolicy'
              - 'ignoreallfailures'
        - CommandLine|contains|all:
              - 'recoveryenabled'
              - 'no'
    condition: all of selection_*
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Unlikely
level: high

(Source: Surface web)
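The Sigma rule above covers only the bcdedit half of T1490; the shadow-copy deletion noted under Relevancy and Insights needs its own logic. The Python below is an added example for this report (not code from the original page, from CYFIRMA or from any vendor). It re-implements the rule's selection logic over process-creation events and adds patterns for vssadmin, wmic, wbadmin and PowerShell shadow-copy deletion. The events are constructed samples modelled on Sysmon Event ID 1 fields; the hostnames, user names and field layout are assumptions.

```python
"""Detect Inhibit System Recovery (T1490) in process-creation telemetry.

Added example for this report, not code from the original page or from any
vendor. It re-implements the bcdedit Sigma rule's selection logic and adds
the shadow-copy deletion commands that MedusaLocker-family ransomware such as
AllCiphered relies on. Events are constructed samples modelled on Sysmon
Event ID 1 fields; hostnames and user names are made up.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Sigma selection_cli: each tuple is one CommandLine|contains|all group (OR of ANDs).
BCDEDIT_TAMPERING: List[Tuple[str, ...]] = [
    ("bootstatuspolicy", "ignoreallfailures"),
    ("recoveryenabled", "no"),
]

# Shadow-copy / backup-catalog destruction, matched case-insensitively.
VSS_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy\b.*\bdelete\s*\(", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]


def is_bcdedit_tampering(event: Event) -> bool:
    """Mirror of the Sigma rule: bcdedit image, 'set', and one tampering pair."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not (image.endswith("\\bcdedit.exe") or original == "bcdedit.exe"):
        return False
    if "set" not in cmd:
        return False
    return any(all(token in cmd for token in group) for group in BCDEDIT_TAMPERING)


def is_vss_deletion(event: Event) -> bool:
    """Shadow-copy or backup-catalog deletion regardless of the launching image."""
    cmd = event.get("CommandLine", "")
    return any(pattern.search(cmd) for pattern in VSS_DELETION)


def classify(event: Event) -> List[str]:
    """Return the T1490 sub-behaviours an event exhibits (empty list = benign)."""
    hits = []
    if is_bcdedit_tampering(event):
        hits.append("T1490 boot configuration tampering")
    if is_vss_deletion(event):
        hits.append("T1490 shadow copy deletion")
    return hits


def scan(events: List[Event]) -> List[Tuple[str, str, str, List[str]]]:
    """Alert rows (ComputerName, User, CommandLine, hits) for events that match."""
    alerts = []
    for event in events:
        hits = classify(event)
        if hits:
            alerts.append((event["ComputerName"], event["User"], event["CommandLine"], hits))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"ComputerName": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "OriginalFileName": "bcdedit.exe", "CommandLine": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ComputerName": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "OriginalFileName": "bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ComputerName": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ComputerName": "WS22", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic shadowcopy delete"},
    {"ComputerName": "WS22", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "OriginalFileName": "bcdedit.exe", "CommandLine": "bcdedit /enum"},
    {"ComputerName": "WS22", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "vssadmin list shadows"},
    # Renamed binary: only OriginalFileName (from the PE version resource) gives it away.
    {"ComputerName": "WS22", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",
     "OriginalFileName": "bcdedit.exe", "CommandLine": "svc.exe /set {current} recoveryenabled no"},
]

if __name__ == "__main__":
    for host, user, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {cmd} -> {', '.join(hits)}")
```

Two caveats carry over from the Sigma rule itself: the `'no'` token matches almost any command line, so the real constraint in that group is `recoveryenabled` plus `set`; and matching on `OriginalFileName` is what catches a renamed copy of bcdedit.exe (the last sample), so keep that field in your telemetry rather than relying on the image path alone.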

IOCs:
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement strong security controls, including encryption, authentication and access-credential configuration, for access to critical systems in both cloud and on-premises environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information Stealer | Objectives: Data Theft, Data Exfiltration | Target Technology: Windows OS

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week “RedLine Stealer Hidden in Modified HPDxLIB Activators” is trending.

RedLine Stealer Hidden in Modified HPDxLIB Activators
Researchers identified that attackers distributed malicious activators, targeting users of unlicensed corporate software used for automating business processes. These activators, found to be modified versions of the well-known HPDxLIB activator, contained the RedLine stealer. The malicious code was concealed using a highly sophisticated method: the activator library was obfuscated with .NET Reactor, and the malicious code was compressed and encrypted in multiple layers. This campaign, which began in January 2024, remains active and continues to pose a threat to users of unlicensed software.

Malicious Activator Distribution
The attackers target entrepreneurs who use software for automating business processes by distributing a malicious build of the HPDxLIB activator. Presented as an update, it is written in .NET and carries a new self-signed certificate, whereas the “clean” version is written in C++ and signed with a valid certificate. The attackers distribute the modified activator through business and accounting forums, advertising its ability to bypass license checks and its new features while saying nothing about the embedded payload.

Once security products began detecting the malware, some forums posted warnings about the RedLine stealer, yet the accompanying installation instructions still told users to disable security protections and add the malicious files to exclusions so that the activator would keep working.

Technical Analysis
The malicious HPDxLIB activator instructs users to replace the legitimate techsys.dll file with a version from the activator. While this method is also used by the “clean” versions, the attackers’ version leads the legitimate process (1cv8.exe) to load the malicious library, which then activates the RedLine stealer. The attackers exploit the victim’s trust rather than software vulnerabilities. Inside the malicious techsys.dll is another DLL (loader.hpdx.dll), which is heavily obfuscated and contains an encrypted RedLine payload. The payload is encrypted in multiple layers, starting with XOR encryption, followed by Base85 encoding, and further encrypted using AES-256-CBC. The RedLine stealer is unpacked using Assembly.Load().
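The report's own distinguishing detail is that the clean activator library is native C++ while the trojanized build is .NET. That gives a defender a cheap first triage check on any techsys.dll a user has been told to drop in: does it carry a CLR header? The Python below is an added example (not code from the original report, from the campaign or from 1C); it parses the PE headers directly and tests data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The sample images are constructed minimal headers, not real binaries.

```python
"""Triage a replaced techsys.dll: is it a managed (.NET) assembly?

Added example, not code from the original report or from the campaign. The
report notes that the clean HPDxLIB build is a C++ DLL while the trojanized
one is written in .NET, so a CLR header on the library a user is told to drop
in is a quick triage signal before hash and signature comparison. The check
reads the PE headers directly and tests IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
(data directory 14). Sample images are constructed minimal headers.
"""
import struct
from typing import Dict

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
COM_DESCRIPTOR_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def describe_pe(data: bytes) -> Dict[str, object]:
    """Parse DOS/COFF/optional headers and report whether a CLR header is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96   # NumberOfRvaAndSizes, DataDirectory
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def triage(data: bytes, expect_native: bool = True) -> str:
    """Verdict for a library that is expected to be native (C++) code."""
    info = describe_pe(data)
    if not info["is_dll"]:
        return "SUSPICIOUS: not a DLL at all"
    if expect_native and info["is_dotnet"]:
        return "SUSPICIOUS: managed (.NET) DLL where a native library is expected"
    return "native PE; continue with hash and Authenticode comparison"


def build_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (16 data directories, no sections) for testing."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    num_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, num_dirs_off, 16)
    if dotnet:
        # A CLR header is normally 0x48 bytes at an RVA inside .text.
        struct.pack_into("<II", opt, dirs_off + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt),
                       IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_IMAGES = {
    "techsys.dll (clean, native x86)": build_pe(dotnet=False),
    "techsys.dll (trojanized, .NET x86)": build_pe(dotnet=True),
    "techsys.dll (trojanized, .NET x64)": build_pe(dotnet=True, pe32plus=True),
}

if __name__ == "__main__":
    for name, image in SAMPLE_IMAGES.items():
        print(f"{name}: {triage(image)}")
```

On a real file, call `triage(open(path, "rb").read())`. A managed build is evidence, not proof: a future legitimate release could be .NET, so treat the result as a reason to compare the hash against a known-good copy and to verify the Authenticode signature (the report's other distinguishing signal, a self-signed certificate versus a valid one, needs a signature check that this header parse does not perform).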

RedLine is a malware distributed through a Malware-as-a-Service model, allowing attackers to either purchase a one-time build or subscribe for ongoing use. It specializes in exfiltrating sensitive data like browser information, instant messages, and system details. The malware communicates with a command server at 213.21.220[.]222:8080, with evidence suggesting the server is rented by different attackers, indicating the version used in this attack may have been obtained through a subscription service.

INSIGHTS

  • The attackers behind this campaign appear to be targeting Russian-speaking entrepreneurs who use software to automate business processes. While attacks involving pirated software or activators designed to bypass license checks are not unusual, the focus on businesses rather than private users is noteworthy. Furthermore, the attackers employed sophisticated techniques to hide the RedLine stealer implant, signaling a high level of planning and investment in their campaign. Given that RedLine is distributed through a service model, it is likely that the attackers paid for access to the malware rather than obtaining it for free.
  • This campaign highlights the risks associated with using pirated software and activators. Stealers like RedLine often exfiltrate sensitive data, which is then sold on the darknet, potentially falling into the hands of cyber espionage groups or extortionists. These actors can exploit stolen data to infiltrate organizations, encrypt critical files, and demand ransoms far exceeding the cost of legitimate software. To safeguard against such threats, companies should avoid using unlicensed software altogether.
  • The distribution method showcases the attackers’ ability to exploit trusted platforms. They primarily distribute the malicious activators via business and accounting forums frequented by users looking to bypass software license checks, preying on the trust of users who are seeking “updates” for pirated software. This raises far less suspicion than conventional malware distribution and makes the threat harder for victims to recognize. The use of these trusted community spaces shows how attackers adapt their tactics to specific user groups, and underlines the need for awareness and caution around unlicensed software.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the use of malicious activators to distribute RedLine stealer points to a growing trend of exploiting users’ trust in familiar software. As cybercriminals refine their techniques, attacks on businesses that rely on unlicensed software could rise sharply, with attackers increasingly using trusted forums and platforms to distribute malicious tools. The likely result is more widespread data theft, with sensitive business information exfiltrated for resale or further exploitation. As these threats evolve, the impact on organizations may intensify, with consequences including reputational damage, financial losses and regulatory scrutiny, as companies struggle to defend against sophisticated, multi-layered threats. Because RedLine is sold as malware-as-a-service, these attacks are also accessible to a wider range of cybercriminals, expanding their reach and potentially increasing the frequency of incidents.

Recommendations:

STRATEGIC:

  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.

MANAGEMENT:

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Spear Phishing, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Play Ransomware, Sarcoma Ransomware | Malware – RedLine stealer
  • Play Ransomware – One of the ransomware groups.
  • Sarcoma Ransomware – One of the ransomware groups.
  Please refer to the trending malware advisory for details on the following:
  • Malware – RedLine stealer
  • Behavior – Most of these malware families use phishing and social engineering as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Blue Alpha Exploits Cloudflare Tunnels for GammaDrop Malware Deployment

  • Threat actor: Blue Alpha
  • Initial Attack Vector: Spear Phishing
  • Objective: Espionage
  • Target Technology: Email systems (spear phishing with HTML smuggling); Cloudflare Tunnels abused for malware staging
  • Target Geographies: Ukraine
  • Target Industries: Government, military and critical infrastructure entities
  • Business Impact: Data exfiltration and credential theft.

SUMMARY
A cyber-espionage campaign has been observed targeting Ukrainian entities with advanced evasion techniques and sophisticated malware. BLUE ALPHA, a state-sponsored threat group associated with Russian intelligence, has been using spear-phishing campaigns to distribute malicious HTML attachments designed for data exfiltration, credential theft, and persistent network access.

Key tactics involve HTML smuggling, where JavaScript embedded in email attachments decodes and downloads compressed files containing malicious shortcuts (.lnk). These shortcuts execute a payload using mshta.exe to deploy a malware variant named GammaDrop. GammaDrop acts as a loader, embedding and executing GammaLoad, a custom backdoor. The malware establishes persistence by modifying registry keys and monitors for security processes to evade detection. GammaDrop also stages additional malware and opens decoy documents to mimic legitimate activity.

GammaLoad, delivered via VBScript, continuously communicates with command-and-control (C2) servers. It resolves C2 addresses over DNS and DNS-over-HTTPS (DoH), which makes it resilient to blocking, and fast-flux DNS is used to rotate C2 IP addresses so the operation continues when individual addresses are blocked.

Communication includes device-specific metadata, such as hostnames and hardware details. The group has demonstrated operational security lapses by exposing unprotected IP addresses during malware staging.

A novel aspect of this campaign is the abuse of legitimate tunneling services to obscure staging infrastructure. Using free tools such as Cloudflare Tunnels (TryCloudflare), the attackers create throwaway subdomains that route traffic through encrypted tunnels to their own hosts, bypassing traditional network controls. These techniques hinder detection and allow payload delivery while concealing the infrastructure behind it.

Relevancy & Insights:
The threat actor has a history of targeting the Ukrainian government and military entities, consistently employing spear phishing and custom malware for espionage and persistent access. Previous campaigns used tools like Pterodo and GammaSteel, with traditional C2 infrastructure and basic obfuscation techniques.

In the current incident, the group has evolved its methods by using HTML smuggling for malware delivery and abusing legitimate tunneling services to evade detection. This shift complicates attribution and mitigation. They continue to use fast-flux DNS for resilient C2 operations, now enhanced with DNS-over-HTTPS (DoH) to bypass monitoring.

Despite operational advancements, occasional security lapses, such as exposed IPs, provide insights into their infrastructure. This attack demonstrates a continuation and refinement of their techniques, maintaining a consistent focus on high-value Ukrainian targets.

ETLM Assessment:
The threat actor, linked to Russian intelligence, targets the Ukrainian government, military, and critical infrastructure. It exploits email systems via spear phishing with HTML smuggling and abuses legitimate services like Cloudflare Tunnels for malware staging. Current tools include GammaDrop, an HTA loader, and GammaLoad, a backdoor supporting command-and-control operations. Earlier campaigns featured Pterodo and GammaSteel.

The group employs advanced evasion tactics, such as DNS-over-HTTPS and fast-flux DNS, complicating detection and blocking. They continue to evolve their techniques, focusing on stealth and resilience.

Future campaigns are likely to refine these methods, extending threats to other regions or sectors of strategic interest. Enhanced email security, endpoint monitoring, and DNS traffic analysis are critical to countering this evolving threat.

Recommendations:

Strategic Recommendations:

  • Strengthen Threat Intelligence Integration: Leverage the provided Indicators of Compromise (IoCs) and continuously integrate them into the client’s security systems. Regularly update threat feeds to identify and block malicious domains, IPs, and file hashes used by the threat actor.
  • Enhance Security Awareness: Conduct targeted security training to educate employees about spear phishing risks and HTML smuggling techniques used in email-based attacks.
  • Engage in Proactive Threat Hunting: Utilize threat intelligence insights to conduct regular hunts for anomalous activities associated with GammaDrop and GammaLoad malware families within your environment.

Tactical Recommendations:
Email Security Enhancements:

  • Implement advanced filtering for HTML attachments, focusing on identifying smuggling techniques, such as onerror or onmousemove events in email attachments.
  • Enable sandboxing for all attachments and links in emails to detect and neutralize malicious content before reaching end users.
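A filter along the lines of the first bullet has to recognise the smuggling pattern described in the summary: a user-event trigger (onerror, onmousemove), client-side decoding with atob, in-browser file construction (Blob, createObjectURL) and a forced download of an archive or shortcut. The Python below is an added example (not code from the original report, from Recorded Future or from the Blue Alpha toolset) that scores HTML attachments on those indicators. The attachments are constructed samples; the indicator list and the thresholds are assumptions to tune locally.

```python
"""Score HTML e-mail attachments for HTML smuggling indicators.

Added example, not code from the original report or from any vendor. It looks
for a user-event trigger (onerror, onmousemove, ...), client-side decoding
(atob), in-browser file construction (Blob, createObjectURL) and a forced
download of an archive or shortcut. Attachments below are constructed
samples; the indicator list and thresholds are assumptions.
"""
import re
from typing import Dict, List

INDICATORS = {
    "event_handler_trigger": re.compile(r"\bon(?:error|mousemove|load|click)\s*=", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_construction": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"\bcreateObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "archive_or_shortcut": re.compile(r"\.(?:zip|rar|7z|iso|img|lnk)\b", re.I),
    "long_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
    "lolbin_reference": re.compile(r"\b(?:mshta|wscript|cscript|powershell|rundll32)\b", re.I),
}


def score_html(html: str) -> List[str]:
    """Names of the indicator categories present in the attachment."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(html)]


def verdict(indicators: List[str]) -> str:
    """Three-tier decision; thresholds are a starting point, not a standard."""
    if len(indicators) >= 4:
        return "block: likely HTML smuggling"
    if indicators:
        return "hold for review"
    return "allow"


def scan_attachments(attachments: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map attachment name -> indicators found and verdict."""
    report = {}
    for name, html in attachments.items():
        hits = score_html(html)
        report[name] = {"indicators": hits, "verdict": verdict(hits)}
    return report


# Constructed samples (not real lures). The "payload" is a dummy base64 string.
_DUMMY_BLOB = "UEsDBBQAAAAIAA" + "QUJD" * 60
SMUGGLING_HTML = (
    '<html><body onmousemove="run()">\n'
    '<p>Loading document...</p><img src="x" onerror="run()">\n'
    '<script>\n'
    'var payload = "' + _DUMMY_BLOB + '";\n'
    'function run() {\n'
    '  var bin = atob(payload);\n'
    '  var bytes = new Uint8Array(bin.length);\n'
    '  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n'
    '  var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    '  var a = document.createElement("a");\n'
    '  a.href = URL.createObjectURL(blob);\n'
    '  a.download = "Document.zip";\n'
    '  a.click();\n'
    '}\n'
    '</script></body></html>'
)
BENIGN_HTML = (
    '<html><body><h1>Invoice 4471</h1>\n'
    '<table><tr><td>Total</td><td>1,200.00</td></tr></table>\n'
    '<a href="https://billing.example/invoice.pdf">Download PDF</a></body></html>'
)
BORDERLINE_HTML = '<html><body onload="init()"><p>Weekly newsletter</p></body></html>'

SAMPLE_ATTACHMENTS = {
    "Document_2024.html": SMUGGLING_HTML,
    "invoice.html": BENIGN_HTML,
    "newsletter.html": BORDERLINE_HTML,
}

if __name__ == "__main__":
    for name, result in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {result['verdict']} {result['indicators']}")
```

The scorer only sees the carrier: the .lnk inside the reconstructed archive and the mshta.exe launch happen after the download, which is why the second bullet (detonating attachments in a sandbox) still matters. Static indicators like these are for cheap triage ahead of that step.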

Endpoint and Network Monitoring:

  • Monitor for the execution of suspicious binaries like mshta.exe and block untrusted .lnk files using endpoint protection solutions.
  • Establish rules to flag traffic to suspicious trycloudflare[.]com subdomains and monitor DNS/DoH queries to detect anomalous resolution patterns.
  • Limit Tunneling Abuses: Implement firewall rules to monitor and restrict the use of tunneling services like Cloudflare Tunnels, ensuring legitimate use is verified.
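The two DNS bullets above translate directly into a hunt over resolver logs: lookups of trycloudflare[.]com subdomains, lookups of public DoH resolver hostnames (a sign a host is about to leave the corporate resolver), and names whose answers rotate through many addresses with short TTLs in a short window, which is the fast-flux behaviour the summary attributes to GammaLoad's C2. The Python below is an added example (not code from the original report or from any detection product). The log lines are constructed samples in an assumed `ts|client|qname|answer|ttl` format, using RFC 5737 addresses and .example names; the thresholds are assumptions.

```python
"""Hunt DNS telemetry for tunnel staging, DoH resolvers and fast-flux C2.

Added example, not code from the original report or from any detection
product. Flags (1) lookups of trycloudflare.com subdomains, (2) resolution
of public DoH resolver hostnames, (3) names whose answers rotate through
many addresses with short TTLs inside a short window (fast flux). Log lines
are constructed samples in an assumed 'ts|client|qname|answer|ttl' format.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

TUNNEL_SUFFIXES = (".trycloudflare.com",)
# Starter list of public DoH resolver hostnames; extend from your own policy.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse 'ts|client|qname|answer|ttl' records; blank and '#' lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, answer, ttl = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "answer": answer,
            "ttl": int(ttl),
        })
    return records


def tunnel_queries(records: List[Dict[str, object]]) -> List[str]:
    """Distinct names under a tunneling-service suffix."""
    return sorted({r["qname"] for r in records if r["qname"].endswith(TUNNEL_SUFFIXES)})


def doh_endpoints(records: List[Dict[str, object]]) -> List[str]:
    """Distinct public DoH resolver hostnames that were looked up."""
    return sorted({r["qname"] for r in records if r["qname"] in DOH_HOSTS})


def fast_flux(records, min_distinct: int = 4, max_ttl: int = 300, window_seconds: int = 3600):
    """Names answered with >= min_distinct addresses, all TTL <= max_ttl, inside the window."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)
    flagged = {}
    for qname, rs in by_name.items():
        ips = {r["answer"] for r in rs}
        span = (max(r["ts"] for r in rs) - min(r["ts"] for r in rs)).total_seconds()
        if len(ips) >= min_distinct and max(r["ttl"] for r in rs) <= max_ttl and span <= window_seconds:
            flagged[qname] = sorted(ips)
    return flagged


def analyze(lines: List[str]) -> Dict[str, object]:
    """Run all three hunts over raw log lines."""
    records = parse_log(lines)
    return {
        "tunnel_queries": tunnel_queries(records),
        "doh_endpoints": doh_endpoints(records),
        "fast_flux": fast_flux(records),
    }


# Constructed sample log (RFC 5737 addresses, .example names); not real traffic.
SAMPLE_LOG = """
# ts|client|qname|answer|ttl
2024-12-09T10:00:01Z|10.10.4.21|intranet.corp.example|10.10.0.15|3600
2024-12-09T10:00:05Z|10.10.4.21|www.legit-cdn.example|198.51.100.10|300
2024-12-09T10:02:11Z|10.10.4.33|c2.fluxdomain.example|203.0.113.11|60
2024-12-09T10:03:14Z|10.10.4.33|c2.fluxdomain.example|203.0.113.57|60
2024-12-09T10:04:16Z|10.10.4.33|c2.fluxdomain.example|203.0.113.102|60
2024-12-09T10:05:19Z|10.10.4.33|c2.fluxdomain.example|203.0.113.9|60
2024-12-09T10:06:22Z|10.10.4.33|c2.fluxdomain.example|203.0.113.201|60
2024-12-09T10:06:40Z|10.10.4.33|dns.google|8.8.8.8|300
2024-12-09T10:07:03Z|10.10.4.33|random-words-1234.trycloudflare.com|198.51.100.77|300
2024-12-09T10:09:30Z|10.10.4.21|www.legit-cdn.example|198.51.100.11|300
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two points for tuning: CDNs also rotate addresses, so the fast-flux thresholds (distinct addresses, TTL, window) need baselining against your own traffic, and TryCloudflare has legitimate users, so pair the tunnel hit list with the verified-use exceptions the last bullet calls for rather than blocking the suffix outright. A lookup of a DoH hostname tells you which client is about to go dark to the resolver; after that, only the traffic inspection under Operational Recommendations sees the queries.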

Operational Recommendations:

  • Rapid Response to IoCs: Immediately deploy shared IoCs into the client’s SOC systems, such as SIEM and EDR solutions, to block known malicious infrastructure and detect ongoing activities.
  • Malware Behavior Analysis: Analyze the behaviors of GammaDrop and GammaLoad in a controlled environment to develop behavioral signatures and monitor these across all systems.
  • Visibility into Encrypted Traffic: Implement traffic inspection capabilities for DNS-over-HTTPS (DoH) and HTTP to identify communications with C2 infrastructure, especially communications associated with the provided IoCs.

MITRE FRAMEWORK
Tactic | ID | Technique
Initial Access | T1566.001 | Phishing: Spearphishing Attachment
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript
Execution | T1204.002 | User Execution: Malicious File
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion | T1027.006 | Obfuscated Files or Information: HTML Smuggling
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
Command and Control | T1568.001 | Dynamic Resolution: Fast Flux DNS

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

US organizations breached by Chinese hackers
Researchers say a “large US organization with a significant presence in China” sustained a four-month-long intrusion between April and August 2024. Researchers note that the available evidence suggests that the organization was breached by a China-based actor. Aside from the fact that DLL sideloading is a widely favoured tactic among Chinese groups, the same organization was targeted in 2023 by an attacker with tentative links to the China-based Daggerfly group.

The attackers moved laterally across the organization’s network, compromising multiple computers. Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organization.

Meanwhile, US Deputy National Security Adviser for Cyber and Emerging Technologies, Anne Neuberger, revealed in a press call that China’s Salt Typhoon hacking campaign breached at least eight US telecoms as well as telecommunications companies in dozens of other countries.

ETLM Assessment:
CYFIRMA assesses that the campaigns in question are a Chinese espionage program focused, once again, on key government officials and key corporate intellectual property; that focus determines which telecoms were targeted and how many were compromised. The communications of US government officials rely on these private-sector systems, which is how the Chinese were able to access the communications of some senior US government and political officials. Officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said that China’s Salt Typhoon hackers likely still have access to critical telecommunications systems in the US and that companies should focus on updating and patching all systems to minimize risk.

Big tech urges Donald Trump to ‘push harder’ against Russia and China hacks
In our recent blog on the return of Donald Trump to the office of president of the United States, we noted that Microsoft and other big tech companies are urging the president-elect to push back strongly against Russian and Chinese hacking campaigns. Trump will reportedly have the backing of business on the issue of cyber-criminality: Microsoft’s president has called for a harder push against cyber-attacks from Russia, China, and Iran amid a wave of state-sponsored hacks, a sentiment echoed by many other big tech businesses that are key drivers of the US economy. While Trump is not known for listening to big tech, should a cyber-incident have stock market ramifications, the administration is very likely to react strongly.

ETLM Assessment:
A second Trump presidency would likely bring heightened focus on cybersecurity, with particular emphasis on countering threats from China. Building on the bipartisan recognition of cybersecurity’s importance, Trump’s administration could implement policies to strengthen critical infrastructure defenses, encourage private-sector collaboration, and amplify responses to state-sponsored cyberattacks. Likely prioritization of trade protectionism and economic decoupling from China would also increase the urgency of safeguarding intellectual property and critical networks, making cybersecurity a cornerstone of both national security and economic policy.

This approach could face challenges, however, including the potential for an increased number of cyber-attacks from key adversaries like China, Iran, and North Korea. While businesses may benefit from incentives to bolster defenses, they will also bear increased expectations to protect against relentless cyber threats, and, as cyber espionage grows in scope and sophistication, the Trump administration’s handling of these threats will play a pivotal role in shaping U.S. resilience in an increasingly contested digital landscape.

4. Rise in Malware / Ransomware and Phishing

The Play Ransomware Impacts ITO EN, Ltd

  • Attack Type: Ransomware
  • Target Industry: Food & Beverage
  • Target Geography: Japan
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Japan, ITO EN, Ltd (www[.]itoen[.]co[.]jp), was compromised by Play Ransomware. ITO EN, Ltd. is a leading Japanese beverage company known for its tea-based products, including the popular “Oi Ocha” brand. The company operates from its headquarters in Tokyo and manages various domestic and international production facilities. Its product lineup includes green tea, black tea, herbal infusions, coffee, mineral water, and health-focused beverages. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data reportedly includes private and personal confidential data, clients’ documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, etc.

Source: Dark Web

Relevancy & Insights:

  • The Play Ransomware group is known for employing a double extortion strategy, where they not only encrypt files but also exfiltrate sensitive data and threaten to publish it if ransoms are not paid.
  • In a significant development, a North Korean threat actor tracked as Jumpy Pisces has been observed collaborating with Play Ransomware between May and September 2024. This marks the first recorded partnership between this state-sponsored group and the Play ransomware network, indicating a potential escalation in the sophistication of their attacks.
  • The Play Ransomware group primarily targets countries, such as the United States of America, Canada, Sweden, Germany, and the United Kingdom.
  • The Play Ransomware group primarily targets industries, including Construction, Manufacturing, Heavy Construction, Retail, and Industrial Machinery.
  • Based on the Play Ransomware victims list from 1st Jan 2024 to 11th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Play Ransomware from 1st Jan 2024 to 11th December 2024 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Play Ransomware continues to evolve as a significant threat within the cybersecurity landscape, marked by its innovative tactics and recent collaborations with other threat actors. Organizations are advised to enhance their cybersecurity measures by implementing robust defenses against phishing attacks, maintaining updated security protocols, and monitoring for unusual network activity to mitigate risks associated with this evolving threat actor. Continuous vigilance is essential as ransomware groups adapt their strategies and expand their operations.

The Sarcoma Ransomware Impacts Pan Gulf Holding

  • Attack Type: Ransomware
  • Target Industry: Conglomerate, Manufacturing, Finance, Engineering & Construction, Energy Services, and Food Distribution
  • Target Geography: Saudi Arabia
  • Ransomware: Sarcoma Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Saudi Arabia, Pan Gulf Holding (www[.]pangulfholding[.]com), was compromised by Sarcoma Ransomware. Pan Gulf Holding is a diversified conglomerate based in Saudi Arabia, with business operations spanning multiple sectors, including Industrial Manufacturing, Steel Fabrication, Valves Manufacturing, Oil & Gas Services, Food Processing, and Investment Services. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data consists of confidential and sensitive information related to the organization, stored in SQL format, with a total size of approximately 113 GB.

Source: Dark Web

Relevancy & Insights:

  • Sarcoma ransomware first appeared in late 2023 and has quickly established itself as a formidable adversary in the ransomware landscape. Its sophisticated approach and rapid victimization have drawn attention.
  • The Sarcoma ransomware group employs a double extortion model, encrypting victims’ data while also exfiltrating sensitive information to leverage for ransom payments. For instance, Sarcoma threatened to publish stolen data within days if ransoms were not paid, showcasing their aggressive extortion tactics.
  • The Sarcoma Ransomware group primarily targets countries like the United States of America, Australia, Canada, Spain, and the United Kingdom.
  • The Sarcoma Ransomware group primarily targets industries, such as Industrial Goods & Services, Specialized Consumer Services, Retail, Computer Services, and Home Improvement Retailers.
  • Based on the Sarcoma Ransomware victims list from 1st Jan 2024 to 11th December 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Sarcoma Ransomware from 1st Jan 2024 to 11th December 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, Sarcoma ransomware is rapidly becoming a significant threat due to its aggressive tactics and increasing victim count. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate risks associated with this evolving threat landscape.

5. Vulnerabilities and Exploits

Vulnerability in Python

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Scripting language
  • Vulnerability: CVE-2024-12254
  • CVSS Base Score: 8.7
  • Vulnerability Type: Resource exhaustion
  • Summary: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights: The vulnerability exists because the application does not properly control the consumption of internal resources in asyncio.SelectorSocketTransport.writelines().

Impact: A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Affected Products: https[:]//www[.]openwall[.]com/lists/oss-security/2024/12/06/1

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
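The internal resource at stake in an asyncio transport is its outgoing write buffer, which the protocol-level pause_writing() and resume_writing() callbacks exist to keep bounded. The following Python example is added here and is not code from the advisory or from CPython: it shows the defensive sending pattern that does not depend on the writelines() path at all, namely one transport.write() per line while honouring the pause/resume callbacks, and it measures the peak write-buffer size over a loopback connection so a team can confirm that the buffer stays bounded on the interpreter they run. The CountingServer peer, the 16 KiB socket buffer sizes, the 16 KiB/4 KiB water marks and the payload are all constructed for the demonstration.

```python
"""Added example (not from the advisory): keep an asyncio writer inside the
transport's flow-control limits so a slow or hostile peer cannot make the
process buffer an unbounded amount of outgoing data in memory."""
import asyncio
import socket
from typing import Iterable


class CountingServer(asyncio.Protocol):
    """Constructed peer: counts received bytes and reports the total on close."""

    def __init__(self, done: asyncio.Future) -> None:
        self.received = 0
        self.done = done

    def data_received(self, data: bytes) -> None:
        self.received += len(data)

    def connection_lost(self, exc) -> None:
        if not self.done.done():
            self.done.set_result(self.received)


class FlowControlledClient(asyncio.Protocol):
    """Client that mirrors pause_writing()/resume_writing() into an Event.

    asyncio calls pause_writing() once the transport's internal write buffer
    exceeds the high-water mark and resume_writing() once it drains to the
    low-water mark. A sender that awaits the Event before every write() cannot
    push the buffer much past the high-water mark, whatever the peer does.
    """

    def __init__(self) -> None:
        self.transport = None
        self.pause_count = 0
        self._writable = asyncio.Event()
        self._writable.set()

    def connection_made(self, transport) -> None:
        self.transport = transport

    def pause_writing(self) -> None:
        self.pause_count += 1
        self._writable.clear()

    def resume_writing(self) -> None:
        self._writable.set()

    async def send_lines(self, lines: Iterable[bytes]) -> int:
        """One transport.write() per line, waiting while the transport is paused.

        Returns the largest write-buffer size observed, so callers can verify
        the buffer stayed bounded instead of trusting it blindly.
        """
        peak = 0
        for line in lines:
            await self._writable.wait()
            self.transport.write(line)
            peak = max(peak, self.transport.get_write_buffer_size())
        return peak


async def run_demo(n_lines: int = 4096, line_size: int = 2048,
                   high: int = 16 * 1024, low: int = 4 * 1024) -> dict:
    """Push n_lines * line_size bytes over loopback to a peer that only reads
    when the sender yields, and report how flow control behaved."""
    loop = asyncio.get_running_loop()
    done = loop.create_future()

    # Constructed setup: small kernel socket buffers so back-pressure is
    # reached after tens of KiB rather than several MiB (Linux accepted
    # sockets inherit the listening socket's SO_RCVBUF; assumption elsewhere).
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 16 * 1024)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen()
    lsock.setblocking(False)
    server = await loop.create_server(lambda: CountingServer(done), sock=lsock)
    port = lsock.getsockname()[1]

    csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    csock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 16 * 1024)
    csock.setblocking(False)
    await loop.sock_connect(csock, ("127.0.0.1", port))
    transport, client = await loop.create_connection(FlowControlledClient, sock=csock)
    transport.set_write_buffer_limits(high=high, low=low)

    # Constructed payload: numbered fixed-width lines of exactly line_size bytes.
    lines = [b"%06d " % i + b"x" * (line_size - 8) + b"\n" for i in range(n_lines)]
    peak = await client.send_lines(lines)
    transport.close()          # flushes whatever is still buffered, then closes
    received = await done
    server.close()
    await server.wait_closed()
    return {"sent": n_lines * line_size, "received": received, "peak_buffer": peak,
            "pauses": client.pause_count, "high": high, "line_size": line_size}


def demo() -> dict:
    """Synchronous entry point: returns the flow-control report."""
    return asyncio.run(run_demo())


if __name__ == "__main__":
    print(demo())
```

Run it with `python flow_control_demo.py` (file name is arbitrary). On a Linux selector event loop the report shows `pauses` of at least 1 and `peak_buffer` no larger than `high + line_size`, while `received` equals `sent`: the sender was throttled by the transport rather than buffering the whole 8 MiB in process. A sender that instead hands the entire list to transport.writelines() in one call has no such checkpoint, which is why a single writelines() per message is a bad fit for peer-controlled volumes regardless of the patch status of the interpreter.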

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Python can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Python is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding software development and application functionality across different geographic regions and sectors, while leveraging its code readability and versatile programming capabilities.

6. Latest Cyber – Attacks, Incidents, and Breaches

Killsec Ransomware Attacked and Published the Data of Delux Holdings (M) Sdn. Bhd.

  • Threat Actor: Killsec Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing
  • Target Geography: Malaysia
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary
Recently, we observed that Killsec Ransomware attacked and published the data of Delux Holdings (M) Sdn. Bhd. (www[.]mydelux[.]com[.]my) on its dark web website. Delux Holdings (M) Sdn. Bhd. is a premier manufacturer and distributor of high-quality auto gates, security doors, and digital locks throughout Malaysia. The company is renowned for its innovative products, including the first fully aluminium trackless folding auto gate and advanced security doors featuring 14 locks and a fast-lock system. Delux has expanded its business internationally to countries such as Singapore, Brunei, India, Indonesia, and Thailand. The data leak, following the ransomware attack, encompasses sensitive and confidential records originating from the organizational database.

Source: Dark Web

Relevancy & Insights:

  • KillSec is a ransomware group that has gained notoriety for its ransomware-as-a-service (RaaS) model and a series of high-profile attacks.
  • KillSec Ransomware employs various sophisticated methods to infiltrate systems, including phishing attacks, exploiting known vulnerabilities, and using custom malware to maintain persistence within compromised networks.

ETLM Assessment:
The emergence and evolution of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally.
According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.

7. Data Leaks

LIXIL Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
LIXIL, a leading Japanese company specializing in manufacturing housing and building materials, has experienced a data breach. The incident is said to have resulted in the exposure of sensitive customer information, including names, contact details, and other personal identifiers. This breach raises significant concerns about user privacy and security practices within the building and construction industry.

The incident highlights the importance of implementing robust cybersecurity measures to protect customer data from unauthorized access. Affected individuals are advised to monitor their accounts for suspicious activity and be cautious of potential phishing attempts. LIXIL has not yet issued an official statement addressing the breach or the steps being taken to enhance data security. The data breach has been linked to a threat actor known as “Metadata.”

Source: Underground forums

Thai Armed Forces Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Government
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A major security breach involving the Thai Armed Forces Headquarters has surfaced on a dark web forum. The reported leak includes highly sensitive documents, such as internal communications, strategic plans, and personnel records. This incident poses significant risks to Thailand’s national security and raises serious concerns about the protection of confidential military operations. The data breach has been linked to a threat actor known as “Saltedegg.”

Source: Underground forums

Relevancy & Insights:

  • Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.
  • Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor “SaltedEgg” poses a serious risk within the cybercrime landscape due to its advanced tactics. Organizations should strengthen their cybersecurity defenses by implementing robust anti-phishing measures, keeping security protocols up to date, and actively monitoring network activity for suspicious behavior. Gaining insight into the tactics used by SaltedEgg and similar adversaries is essential for reducing risks and enhancing overall cybersecurity resilience.

Recommendations: Enhance the cybersecurity posture by:

  • Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a data leak related to SalonBiz in an underground forum. SalonBiz is technology-driven salon management software that increases productivity, automates operations and creates a personalized guest experience. The data breach affected 23,867 customers, resulting in the exposure of sensitive personal information, including First Name, Last Name, Email Address, and Phone Number. The breach has been linked to a threat actor identified as “888.”

Source: Underground Forums

The CYFIRMA Research team observed a data leak related to Prince Jewellery (www[.]princejewellery[.]com) in an underground forum. Prince Jewellery, a jewellery store located in India, is one of Chennai’s most contemporary jewellers, specializing in the latest fashionable ornaments in gold, diamond, rubies, emeralds, silver, platinum, and coloured gold. The leaked data includes ID, customer ID, cart ID, order ID, first name, last name, gender, company name, address, postcode, city, state, country, email, phone number, VAT ID, and additional sensitive information. The breach is attributed to a threat actor identified as “Gwap.”

Source: Underground Forums

ETLM Assessment
The threat actor group “888” has gained notoriety in underground forums, emerging as a significant force in cybercrime, primarily motivated by financial gains. This group has already targeted a wide range of industries, including government, industrial conglomerates, retail, staffing, business consulting, banking, e-commerce, and utilities. Their diverse targeting patterns suggest that they plan to broaden their scope and potentially expand their attacks to additional industries worldwide in the future.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.