Weekly Intelligence Report – 13 Jan 2023

Published On : 2023-01-13

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rogue Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), Smishing, Malvertising, USB as an Attack Vector
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – PLAY Ransomware | Malware – New SHC-compiled Linux malware
  • PLAY Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – New SHC-compiled Linux malware
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics have also been observed.

Threat Actor in Focus

Ecuador-Based Organizations Targeted by Blind Eagle

  • Suspected Threat Actors: Blind Eagle aka APT-C-36
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Financial motive
  • Target Technology: Windows
  • Target Geographies: South America
  • Target Industries: Private Sector
  • Business Impact: Data Loss, Financial Loss

Summary:
Blind Eagle aka APT-C-36 is a cyber espionage group, active since 2018 and based in South America. It is known for targeting Colombian government cyber assets and financial institutions, and has also targeted the petroleum industry. In recent attacks, Blind Eagle went after Spanish-speaking targets in Colombia and Ecuador. The phishing emails purported to come from the Colombian Ministry of Foreign Affairs and threatened the recipient with problems related to leaving the country without settling bureaucratic matters. The phishing mail drops a Quasar RAT payload; however, it is wrapped in a more complex infection chain that abuses the legitimate mshta.exe binary to execute VBScript embedded in an HTML file, which in turn downloads two Python scripts, adding a new stage to the infection chain. In one campaign the threat actor weaponized a geo-filter that redirected requests originating outside Ecuador and Colombia to the website of the Ecuadorian Internal Revenue Service, revealing the APT's regional focus.

Insights:
APT-C-36 usually targets a single country; in this attack, however, the threat actor extended its targeting region and launched campaigns against Ecuador, hinting that it may become more aggressive in the near future.
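The mshta.exe stage described above is the most visible point of the chain in endpoint telemetry. The following added example (not part of the CYFIRMA report) scans Sysmon-style process-creation events, one JSON object per line with the assumed fields Image, ParentImage and CommandLine, and flags mshta.exe launched with a URL or an .html argument, and a Python interpreter spawned by a script host; the sample events are constructed for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# mshta.exe normally runs local .hta files; a URL or an .html/.htm argument
# matches the "VBScript embedded in an HTML file" stage described above.
SUSPICIOUS_MSHTA_ARG = re.compile(r"https?://|\.html?\b", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}

def classify(event):
    """Label one Sysmon-style process-creation event, or return None if benign."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if image == "mshta.exe" and SUSPICIOUS_MSHTA_ARG.search(event.get("CommandLine", "")):
        return "mshta_remote_or_html_content"
    if image in INTERPRETERS and parent in SCRIPT_HOSTS:
        return "interpreter_spawned_by_script_host"
    return None

def scan(lines):
    """Return [(line_no, label, image)] for suspicious JSON-per-line events."""
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        label = classify(event)
        if label:
            findings.append((n, label, event.get("Image", "")))
    return findings

# Constructed sample events (not real telemetry): a benign local HTA, the
# mshta stage pulling an HTML file, a Python child of mshta.exe, and a
# Python child of cmd.exe that should not be flagged.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\Vendor\\setup.hta"}
{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe http://example.invalid/notice.html"}
{"Image": "C:\\Users\\u\\AppData\\Local\\Programs\\Python\\python.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "python.exe stage2.py"}
{"Image": "C:\\Python311\\python.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "python.exe build.py"}
'''

if __name__ == "__main__":
    for line_no, label, image in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {label} ({image})")
```

A local .hta run from a vendor directory is deliberately left unflagged, so the rule should be tuned to the environment's own legitimate HTA usage before it is promoted to an alert.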

Major Geopolitical Developments in Cybersecurity

Ukrainian hacktivists campaign in Iran

While Russian hacktivists such as Killnet have served as auxiliaries in Russia's hybrid war and have filled the media with headlines, far less has been published on the efforts of hacktivists working on behalf of the Ukrainian cause. Ukraine has many foreign backers, while Russia enjoys good relations and support for its war effort from only a handful of countries, the most prominent of them being Iran. Tehran has been supplying the Russian military with armed drones, which Russia uses to devastate civilian infrastructure in Ukraine; this has recently made Iran a target for Ukrainian hacktivists. The Cyber Sec group has claimed responsibility for a series of recent distributed denial-of-service (DDoS) attacks that affected several Iranian websites, including but not limited to sites belonging to the National Iranian Oil Company and Iran's supreme leader Ali Khamenei. The group stated that its operations are a reprisal, specifically for the supply of Iranian-made Shahed kamikaze drones used by Russia in attacks against Ukrainian civilian infrastructure. The group has also claimed that the attacks were just a showcase and has threatened to attack industrial control systems in Iran if Tehran does not stop the weapons flow.

Phishing campaigns attack the government of Moldova

Moldova is one of the countries whose stability has been shaken by the Russian invasion of neighbouring Ukraine. The situation in Moldova shares numerous similarities with that of Ukraine before the war: Moldova has its own Russia-sponsored breakaway region with a sizable Russian minority, and tries to balance its position between Russia and the West. Moldova, like Ukraine, has also been targeted by Russian cyberattacks. Recently, Moldova's government institutions have been flooded with phishing emails containing malicious links. The impersonation campaigns were run by threat actors who faked the identities of senior Moldovan officials to lure government employees into clicking malicious links. Local authorities discovered over 1300 malicious emails sent to the email addresses of government and public institutions. Authorities have not published further details or named the attackers, but in line with recent events, researchers expect the attackers' motivation to be lateral movement into the organizations and data espionage, and their origin to be Russia. Last year, the government of Moldova suffered several cyberattacks. In one of them, Russian hackers targeted 80 information systems, platforms, and public portals in the country. In another, an unknown threat actor set up a website called Moldova Leaks and published damaging private exchanges of several senior politicians, which resulted in a major political scandal.

Cyberespionage against US nuclear labs

According to researchers, a little-known Russian group known as Cold River has been conducting a cyberespionage campaign against nuclear labs in the United States. More specifically, the campaign involved the possibly FSB-linked (Russian intelligence) threat actor attempting social engineering against US employees working in nuclear research at the US Department of Energy and Lawrence Livermore National Laboratory. The campaign culminated in the late summer of last year, during a period of heightened risk that the Russian conflict in Ukraine could escalate to a nuclear stage; threats by Russian officials of potential nuclear use peaked during the campaign. It has not yet been made public whether the campaign produced any results for the hackers; the US Department of Energy and the FSB declined to comment on the matter.

Other Observations

CYFIRMA Research team observed the new Dark Pink APT group targeting government and military bodies with custom malware.

Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information.

Security researchers refer to this group as Dark Pink, noting that it employs uncommon tactics, techniques, and procedures (TTPs).


Source: Telegram

Observed a potential data leak related to www[.]epson[.]co[.]id, an Indonesian company that sells digital label printers. The leak, 4 GB in size, contains customers' names, email addresses, and phone numbers.


Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions, remediations and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events; communicate anomalies in a timely manner and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase visibility of security metrics and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services and other similar mechanisms to avoid accepting content from known and potentially malicious sources.