CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows
Introduction
CYFIRMA Research and Advisory Team has found MoneyIsTime ransomware while monitoring various underground forums as part of our Threat Discovery Process.
MoneyIsTime
Researchers recently uncovered a new ransomware strain called MoneyIsTime. MoneyIsTime is a ransomware variant that encrypts files on compromised computers. Beyond encryption, it alters file names by appending a random string of characters followed by the “.moneyistime” extension. The malware also creates a ransom note titled “README.TXT” to inform victims of the attack and provide payment instructions.
Researchers discovered that this ransomware shares identical characteristics with the Beast and LostInfo ransomware variants.
The ransom note informs the victim that their documents, photos, databases, and other files have been encrypted. It warns against modifying the contents of any zip file containing the ransom note and claims that only a unique decryption tool, available for purchase from the attackers, can restore the files.
To demonstrate the effectiveness of their decryptor, the attackers offer to decrypt one non- critical file for free. The note provides contact information, including the email address and a messenger ID. Additionally, the victim is cautioned not to rename or alter the encrypted files, or to use third-party decryption tools or services, as doing so may result in permanent data loss.
Following are the TTPs based on the MITRE Attack Framework.
Sr. No | Tactics | Techniques/Sub-Techniques |
1 | TA0002: Execution | T1047: Windows Management Instrumentation |
T1059: Command and Scripting Interpreter | ||
T1129: Shared Modules | ||
2 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service |
T1574.002: Hijack Execution Flow: DLL Side – Loading | ||
3 | TA0004: Privilege Escalation | T1134: Access Token Manipulation |
T1055: Process Injection | ||
T1543.003: Create or Modify System Process: Windows Service | ||
T1548: Abuse Elevation Control Mechanism | ||
T1574.002: Hijack Execution Flow: DLL Side- Loading | ||
4 | TA0005: Defense Evasion | T1027.005: Obfuscated Files or Information: Indicator Removal from Tools |
T1036: Masquerading | ||
T1055: Process Injection | ||
T1070.004: Indicator Removal: File Deletion | ||
T1112: Modify Registry | ||
T1134: Access Token Manipulation | ||
T1222: File and Directory Permissions Modification | ||
T1562.001: Impair Defenses: Disable or Modify Tools | ||
T1564.003: Hide Artifacts: Hidden Window | ||
T1548: Abuse Elevation Control Mechanism | ||
T1574.002: Hijack Execution Flow: DLL Side- Loading | ||
5 | TA0006: Credential Access | T1003: OS Credential Dumping |
T1056.001: Input Capture: Keylogging | ||
T1539: Steal Web Session Cookie | ||
T1552.001: Unsecured Credentials: Credentials In Files | ||
6 | TA0007: Discovery | T1010: Application Window Discovery |
T1012: Query Registry | ||
T1016: System Network Configuration | ||
Discovery | ||
T1018: Remote System Discovery | ||
T1033: System Owner/User Discovery | ||
T1057: Process Discovery | ||
T1082: System Information Discovery | ||
T1083: File and Directory Discovery | ||
T1087: Account Discovery | ||
T1135: Network Share Discovery | ||
T1518.001: Software Discovery: Security Software Discovery | ||
T1614.001: System Location Discovery: System Language Discovery | ||
7 | TA0008: Lateral Movement | T1080: Taint Shared Content |
8 | TA0009: Collection | T1005: Data from Local System |
T1056.001: Input Capture: Keylogging | ||
T1074: Data Staged | ||
T1114: Email Collection | ||
T1185: Browser Session Hijacking | ||
9 | TA0011: Command and Control | T1071: Application Layer Protocol |
T1095: Non-Application Layer Protocol | ||
T1573: Encrvted Channel | ||
10 | TA0040: Impact | T1485: Data Destruction |
T1486: Data Encrypted for Impact | ||
T1489: Service Stop |
Relevancy and Insights:
ETLM Assessment:
Based on the available data, CYFIRMA’s assessment indicates that the MoneyIsTime ransomware presents a serious threat to economically developed nations, and various prominent sectors, particularly those reliant on Windows operating systems. With characteristics identical to Beast, which is offered as Ransomware-as-a-Service (RaaS), and LostInfo, known to sell victim data to other hackers if ransom demands are unmet, MoneyIsTime may adopt a similar model, potentially expanding its impact. The ransomware’s advanced techniques, such as leveraging Windows Management Instrumentation (WMI) and deleting Volume Shadow Copies (VSS), along with its ability to evade debugging environments, suggest that organizations in finance, healthcare, and critical infrastructure are especially vulnerable. Its persistence tactics and command-and-control capabilities make it well-suited for sophisticated, long-term attacks, underscoring the need for immediate defensive measures in these high-value sectors.
SIGMA Rule:
title: Uncommon File Created In Office Startup Folder tags:
– attack.resource-development
– attack.t1587.001 logsource:
product: windows category: file_event
detection: selection_word_paths:
– TargetFilename|contains: ‘\Microsoft\Word\STARTUP’
– TargetFilename|contains|all:
– ‘\Office’
– ‘\Program Files’
– ‘\STARTUP’
filter_exclude_word_ext: TargetFilename|endswith:
– ‘.docb’ # Word binary document introduced in Microsoft Office 2007
– ‘.docm’ # Word macro-enabled document; same as docx, but may contain macros and scripts
– ‘.docx’ # Word document
– ‘.dotm’ # Word macro-enabled template; same as dotx, but may contain macros and scripts
– ‘.mdb’ # MS Access DB
– ‘.mdw’ # MS Access DB
– ‘.pdf’ # PDF documents
– ‘.wll’ # Word add-in
– ‘.wwl’ # Word add-in selection_excel_paths:
– TargetFilename|contains: ‘\Microsoft\Excel\XLSTART’
– TargetFilename|contains|all:
– ‘\Office’
– ‘\Program Files’
– ‘\XLSTART’
filter_exclude_excel_ext: TargetFilename|endswith:
– ‘.xll’
– ‘.xls’
– ‘.xlsm’
– ‘.xlsx’
– ‘.xlt’
– ‘.xltm’
– ‘.xlw’ filter_main_office_click_to_run:
Image|contains: ‘:\Program Files\Common Files\Microsoft Shared\ClickToRun\’ Image|endswith: ‘\OfficeClickToRun.exe’
filter_main_office_apps: Image|contains:
– ‘:\Program Files\Microsoft Office\’
– ‘:\Program Files (x86)\Microsoft Office\’ Image|endswith:
– ‘\winword.exe’
– ‘\excel.exe’
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_* falsepositives:
– False positive might stem from rare extensions used by other Office utilities. level: high
Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Trojan
Objective: Data theft, Data Exfiltration
Target Technology: Android OS, Cryptocurrency wallets
Target Geography: Korea
Active Malware of the Week
This week “SpyAgent” is trending.
SpyAgent
Researchers have recently uncovered a new mobile malware called SpyAgent that targets mnemonic keys by scanning device images for them. Mnemonic keys, used for cryptocurrency wallet recovery, are 12-word phrases simpler to remember than complex private keys. This Android malware disguises itself as legitimate apps, such as banking, government, and streaming services. Once installed, it secretly collects and transmits text messages, contacts, and images to remote servers, distracting users with fake loading screens, unexpected redirects, or brief blank screens to hide their true activities. Since January 2024, SpyAgent has been used in over 280 fake apps, primarily targeting users in Korea.
Attack strategy
SpyAgent malware, which targets users in Korea, is primarily spread through clever phishing campaigns. Attackers send harmful links via text messages or social media, posing as trusted organizations or individuals to trick users into clicking. These links lead to realistic-looking fake websites that prompt users to download apps, which secretly install SpyAgent.
When a user clicks the download link, they are prompted to download an APK file that appears legitimate but is actually malicious. Upon installation, the app requests access to sensitive information like SMS messages, contacts, and storage and asks to run in the background. These permissions, claimed to be necessary for the app’s function, are instead used to compromise the user’s privacy and security.
Capabilities and Behavior
Once the malicious app is installed and launched, it begins stealing sensitive data and sending it to a remote server controlled by attackers. The targeted data includes:
The malware operates as an agent, with the ability to receive and execute instructions from a remote server. These commands include:
Command and Control Servers
Researchers discovered that several Command and Control (C2) servers had weak security configurations, which allowed unauthorized access to index pages and files without credentials. This vulnerability revealed detailed information about the server’s functions and the data being collected. Upon examination, researchers found that the server’s root directory contained various folders for different operations, such as imitating banking or postal services. The misconfiguration not only exposed the server’s internal components but also made sensitive personal data, including victim photos stored in the ‘uploads’ directory, publicly accessible, highlighting the seriousness of the data breach.
Admin Pages
The exposed index pages included admin pages for managing victims. These pages displayed a list of devices with detailed information and various controllable actions. As the number of victims increases, the list of devices on these pages will grow accordingly.
Targeting Cryptocurrency Wallets
The examination of the page revealed that the attackers primarily aimed to obtain mnemonic recovery phrases for cryptocurrency wallets, indicating a major focus on accessing and potentially depleting the victims’ crypto assets.
Data Processing and Management
This threat employs Python and JavaScript on the server-side to process stolen data. Images are converted to text using optical character recognition (OCR) and then organized and managed through an administrative panel, indicating a sophisticated approach to handling and utilizing the stolen information.
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as this malware continues to evolve, organizations and employees are likely to face increasingly sophisticated threats. The malware’s ability to exploit personal emotions by mimicking sensitive content, such as obituary notices, will make it harder for users to detect and avoid phishing attempts. This could lead to higher rates of successful attacks, especially as the malware leverages victims’ contacts to spread deceptive messages. The discovery of an item labeled “iPhone” in the admin panel indicates that the malware may soon target iOS users, expanding its reach to a broader range of devices and platforms. Additionally, the malware has expanded its geographic reach, recently spreading to the UK, showing a deliberate effort to target new user groups with localized versions. Organizations will need to enhance their security measures and stay vigilant across all mobile platforms to protect against these emerging threats, while employees must be cautious about handling sensitive communications and app permissions.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Key Intelligence Signals:
Malware – SpyAgent
TIDRONE Sets Its Sights on Taiwan’s Military and Satellite Sectors
Summary:
Since early 2024, researchers have identified a threat cluster, TIDRONE, targeting Taiwan’s military and satellite industries, with a focus on drone manufacturers. The research highlights the threat actors’ sophisticated tactics, techniques, and procedures (TTPs), including advanced anti-analysis and anti-antivirus measures. Advanced malware toolsets, such as the CXCLNT and CLNTEND are observed in the campaign. CXCLNT and CLNTEND often use methods like service creation, credential dumping, and lateral movement to infiltrate systems. Notable techniques involve anti-analysis by verifying parent processes and employing unconventional methods like fiber-based threading. In the campaign, backdoors such as Backdoor.CXCLNT and Backdoor.CLNTEND have been observed to support various communication protocols and exhibit espionage motives, as indicated by their focus on sensitive military-related information. The consistent use of misleading C&C server names and the connection to Chinese espionage activities further point to a likely Chinese-speaking threat group. Organizations are advised to monitor for suspicious WinWord.exe processes and related command-line arguments to defend against TIDRONE.
Relevancy & Insights:
The TIDRONE threat actor is a sophisticated cyber espionage group known for targeting high-value sectors to gather sensitive information. Currently, their focus is on Taiwan, particularly within the military and satellite industries, with a specific interest in drone manufacturers. TIDRONE exploits various technologies, including remote access tools like UltraVNC, and has recently employed advanced malware such as CXCLNT and CLNTEND, which feature refined anti-analysis and anti-antivirus capabilities. Historically, the group has used similar custom malware, reflecting a consistent pattern of employing stealthy and adaptive attack techniques. They typically exploit vulnerabilities in both proprietary and widely-used software to gain unauthorized access and maintain persistence. The threat landscape surrounding TIDRONE is characterized by increasingly complex and evolving cyber espionage tactics, indicative of a broader trend in sophisticated state-sponsored attacks. Looking ahead, TIDRONE is expected to continue refining its methods to bypass emerging security measures, making it crucial for organizations in targeted sectors to enhance their threat detection and response strategies.
ETLM Assessment:
The primary motive behind TIDRONE’s attacks appears to be espionage, with a particular focus on military-related industries and drone manufacturers, suggesting a strategic intent to acquire sensitive and potentially classified information. This is consistent with past behaviors where the threat actor targeted entities possessing valuable technological and defense-related data. Organizations involved in military, defense, and satellite industries, especially those within Taiwan, need to be vigilant. Companies engaged in drone manufacturing and related technologies are particularly at risk due to their potential possession of sensitive information.
Recommendations:
Deploy Advanced Monitoring Tools: Implement comprehensive threat detection systems
Enhanced Threat Detection and Monitoring:
that utilize behavioral analytics and machine learning to identify unusual activities, such as lateral movement or unauthorized access.
Monitor for Known Indicators: Keep an updated list of TIDRONE’s indicators of compromise (IOCs), such as file hashes, command-and-control (C&C) server domains, and malware signatures.
Strengthen Security Posture:
Regular Vulnerability Assessments: Conduct frequent vulnerability assessments and penetration testing to identify and address weaknesses in your systems and applications.
Patch Management: Ensure timely application of security patches and updates to all software, especially those commonly targeted by advanced threats.
Improve Endpoint Protection:
Implement Advanced Endpoint Protection: Use endpoint detection and response (EDR) solutions that provide real-time monitoring and response capabilities.
Use Anti-Malware Tools: Deploy anti-malware solutions with strong heuristic and behavioral analysis capabilities to detect and block sophisticated malware.
Access Control and Privilege Management:
Apply the Principle of Least Privilege: Restrict user and system permissions to the minimum necessary for job functions to reduce the impact of a potential compromise.
Monitor Privileged Accounts: Implement monitoring and logging for privileged accounts to detect unauthorized activities.
Incident Response and Preparedness:
Develop an Incident Response Plan: Create and regularly update an incident response plan tailored to address sophisticated cyber espionage threats. Ensure it includes procedures for containment, eradication, and recovery.
Conduct Regular Drills: Perform regular incident response exercises to test the effectiveness of your plan and the readiness of your response team.
Training and Awareness:
Employee Training: Conduct regular cybersecurity training for employees to raise awareness about phishing, social engineering, and other common attack vectors used by threat actors.
Executive Awareness: Ensure that executives and decision-makers are informed about the threat landscape and understand the importance of robust cybersecurity measures.
Network Segmentation and Defense in Depth:
Segment Critical Networks: Use network segmentation to isolate critical systems and reduce the impact of potential breaches.
Employ Defense in Depth: Implement multiple layers of security controls, including firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), to protect against various attack vectors.
Stay Informed and Collaborate:
Engage with Threat Intelligence Communities: Participate in threat intelligence sharing communities to stay updated on the latest threats, tactics, and indicators of compromise.
Collaborate with Industry Peers: Work with industry peers to share information about emerging threats and best practices for defense.
MITRE ATT&CK Tactics and Techniques | ||
Tactics | ID | Technique |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Command and Control | T1105 | Ingress Tool Transfer |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Persistence | T1078 | Valid Accounts |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
Russia targeting the US presidential election, an APT attributed to Russia’s military intelligence
The United States government has accused Russia of conducting a widespread influence campaign focused on the US presidential election, which researchers dubbed “Doppelganger”. The US Justice Department seized thirty-two domains that were allegedly being used to covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in the U.S. and foreign elections, including the U.S. 2024 Presidential Election. The US Treasury Department’s Office of Foreign Assets Control (OFAC) has designated ten individuals and two entities for their alleged involvement in a scheme to covertly recruit unwitting American influencers in support of their malign influence campaign. The US State Department has also announced a $10 million reward for information on foreign interference in US elections.
In addition to that, a cluster of Western government agencies, including four of the Five Eyes, has recently issued a joint advisory on Cadet Blizzard, a threat actor attributed to the Russian GRU’s Unit 29155. The threat actors appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions, while also relying on cooperation from known cyber-criminals and privateers to conduct their operations. According to the advisory, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, Central Asia, and of course Ukraine. The activity includes cyber campaigns, such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.
ETLM Assessment:
Russia has inherited the rich Soviet legacy of information operations and put it to early use by pioneering the instrumentalization of social media for large-scale high-efficiency influence operations around the globe. As we have noted in a recent report, Russia has a highly developed lexicon for hybrid warfare and applies it systematically across all potential weapons, be that information, psychological operations, or acts of physical sabotage. It now appears that even sections of military intelligence like Unit 29155 which were previously known mainly for physical tactics, including poisonings, attempted coups, and bombings inside Western countries are also increasingly moving their activities into the fifth domain as the global economy goes increasingly online. We have also previously warned that Russia will likely increasingly use privateers in its operations. This trend will only continue and every large organization should take preventive measures, in expectation of an increasingly dangerous online environment.
North Korean hackers scamming the cryptocurrency sector
The US Federal Bureau of Investigation (FBI) has issued an advisory on North Korean social engineering campaigns targeting employees in the cryptocurrency industry. According to the FBI, North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products. For companies active in or associated with the cryptocurrency sector, the FBI emphasizes that North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products.
ETLM Assessment:
As we have noted in an earlier report, North Korean state hackers both collect intelligence and generate revenue for the state. The cyber espionage efforts are focused on the state’s perceived adversaries: mainly South Korea, the United States, and Japan; collecting intelligence on other countries’ military capabilities and stealing technologies that could be used by the North Korean military – these efforts also include Russia and China as potential technology sources; and increasingly on stealing funds in the form of cryptocurrency that the state later uses to fund its UN sanctioned missile and nuclear programs. The distinct North Korean threat actors have repeatedly shown overlaps in targeting in the recent past and their efforts have been increasingly sophisticated.
The RansomHub Ransomware impacts the Sanyo Bussan Co., Ltd
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; Sanyo Bussan Co., Ltd (www[.]sanyo-bussan[.]co[.]jp), was compromised by the RansomHub Ransomware. Sanyo Bussan Co., Ltd., is a company that specializes in the planning, manufacturing, and sale of hotel amenity products. Their products include a wide range of items such as toothbrushes, shaving razors, hairbrushes, slippers, and other hotel-related consumables. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 12 GB.
The following screenshot was observed published on the dark web:
Relevancy & Insights:
ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Sanyo Bussan Co., Ltd, a prominent Manufacturing company from Japan, highlighting RansomHub’s significant threat presence in the Asia Pacific region.
The Meow Ransomware Impacts the Special Oilfield Services Company LLC
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Oman; Special Oilfield Services Company LLC (www[.]specialoilfield[.]com), was compromised by Meow Ransomware. Special Oilfield Services Company LLC is a prominent energy services provider based in the Middle East. The company specializes in delivering comprehensive solutions for the oil and gas industry, including drilling, well services, and project management. Renowned for its commitment to safety, innovation, and operational excellence, the company supports energy production with advanced technologies and skilled expertise. The compromised data contains an 800 MB data pack which includes Employee data, Client information, Scanned payment documents, Personal data (including dates of birth, passport scans, and more), Internal financial documents, Agreements and certifications, and much more confidential information. This data is being offered for sale at a price of 10000$.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
The Top 10 Industries, most affected by Meow Ransomware from 1st Jan 2023 to 11 September 2024 are as follows:
ETLM Assessment:
Meow Ransomware employs various infection methods, including phishing emails, exploit kits, Remote Desktop Protocol (RDP) vulnerabilities, and malvertising. Based on recent assessments by CYFIRMA, Meow ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Special Oilfield Services Company LLC, a leading Energy company in Oman, highlighting Meow Ransomware’s significant threat presence in the Middle East.
Vulnerability in HPE HP-UX NFS
Summary:
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied input in HPE HP- UX System’s Network File System (NFSv4) services.
Impact:
A remote attacker can send specially crafted input to the system and perform a denial of service (DoS) attack.
Affected Products: https[:]//support[.]hpe[.]com/hpesc/public/docDisplay?docId=hpesbux04697en_us &docLocale=en_US
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
Vulnerability in HP-UX can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of HP-UX is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding server operations, particularly for systems utilizing the RISC architecture, across different geographic regions and sectors.
KillSec Ransomware attacked and Published the data of Medisetter
Summary:
Recently, we observed that the KillSec Ransomware attacked and published data of Medisetter(www[.]medisetter[.]com) on its dark web website. Medisetter builds and operates digital communities of healthcare practitioners (HCPs) in developing countries for peer-to-peer knowledge exchange, continuing medical education (CME) and overall professional development purposes. Through multiple digital touchpoints, member healthcare practitioners HCPs can stay updated on their clinical knowledge, drug discoveries, and medical innovations and participate in case discussions, seamlessly, through their smartphones. In Vietnam, where they started, they operate the country’s largest multichannel digital community of doctors and medical students. The data breach, resulting from the ransomware attack, involves the exposure of client information, including the following details for both doctors and students: Name, Email, Phone Number, City, Work Address, Specialty Type, and District. The data is being offered for sale at a price of $5,000.
Relevancy & Insights:
Launch of KillSec RaaS: On June 25, 2024, KillSec announced the introduction of its Ransomware-as-a-Service platform via its Telegram channel. This platform is designed to provide aspiring cybercriminals with advanced tools and user-friendly features to facilitate ransomware attacks. The core component of this service is an advanced locker written in C++, which encrypts files on victims’ machines, making them inaccessible, without a decryption key provided after a ransom is paid.
Pricing Model: Access to the KillSec RaaS platform is priced at $250, with KillSec taking a 12% commission on any ransom payments collected. This model aims to make sophisticated ransomware tools accessible to less technically skilled individuals, potentially increasing the frequency of ransomware incidents globally.
ETLM Assessment:
The emergence of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally. According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.
Lotte Mart Indonesia Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a potential data leak related to Lotte Mart Indonesia ( www[.]lottemartmall[.]co[.]id) in an underground forum. Lotte Mart Indonesia is a chain of hypermarkets and retail stores. Lotte Mart operated 50 stores across Indonesia, providing a wide range of products including groceries, clothing, electronics, and household goods. The alleged database contains 165,000 rows of data, including name, email, billing details, shipping details, and more.
Thai Hospital Data Advertised on a Leak Site
Summary:
A threat actor “FantomeJ3” has posted a data breach from a major Thai hospital on a dark web forum. The compromised dataset allegedly contains the personal information of over 600,000 individuals, including sensitive medical and demographic data. The seller has set the asking price at $3,000, providing a sample to verify the legitimacy of the leak.
The post details the contents of the breach, which includes patient information, such as health record numbers (HN), names, addresses, phone numbers, birthdates, and even medical information, such as blood type and marital status. Additional data fields include educational background, occupation, religion, and even patient images, among other details.
The alleged threat actor has shared a Telegram link to facilitate communication with potential buyers.
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
According to CYFIRMA’s assessment, the threat actor known as ” FantomeJ3 ” poses a serious risk to organizations due to its financial motivations and ability to exploit vulnerable institutions. This actor is notorious for infiltrating organizations with weak security measures and profiting by selling stolen sensitive data on the dark web or underground forums. The typical targets of ” FantomeJ3 ” are institutions with inadequate cybersecurity defenses, making them particularly susceptible to the sophisticated cyberattacks orchestrated by this threat actor.
Recommendations: Enhance the cybersecurity posture by
Threat Actor Claims to Sell Unauthorized VPN Access to a Taiwanese Bank. The target is a major Taiwanese bank headquartered in Taipei, boasting a revenue of approximately $17 billion. The alleged access includes a user within the bank’s network via an F5 BIG-IP VPN, a critical security infrastructure. The price for this access is negotiable.
A threat actor identified as “888” has claimed to have breached Plastix Marketing(USA), a division of Evolve Marketing that specializes in long-term growth strategies for plastic surgery and med spa practices. The alleged data breach, occurring in September 2024, reportedly exposed sensitive information from 34,320 users.
According to the threat actor, the leaked database contains:
ETLM Assessment:
The “888” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.