Self Assessment

Weekly Intelligence Report – 13 Sep 2024

Published On : 2024-09-13
Share :
Weekly Intelligence Report – 13 Sep 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found MoneyIsTime ransomware while monitoring various underground forums as part of our Threat Discovery Process.

MoneyIsTime
Researchers recently uncovered a new ransomware strain called MoneyIsTime. MoneyIsTime is a ransomware variant that encrypts files on compromised computers. Beyond encryption, it alters file names by appending a random string of characters followed by the “.moneyistime” extension. The malware also creates a ransom note titled “README.TXT” to inform victims of the attack and provide payment instructions.

Researchers discovered that this ransomware shares identical characteristics with the Beast and LostInfo ransomware variants.

Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)

Screenshot of MoneyIsTime’s text file (“README.TXT”) (Source: SurfaceWeb)

The ransom note informs the victim that their documents, photos, databases, and other files have been encrypted. It warns against modifying the contents of any zip file containing the ransom note and claims that only a unique decryption tool, available for purchase from the attackers, can restore the files.

To demonstrate the effectiveness of their decryptor, the attackers offer to decrypt one non- critical file for free. The note provides contact information, including the email address and a messenger ID. Additionally, the victim is cautioned not to rename or alter the encrypted files, or to use third-party decryption tools or services, as doing so may result in permanent data loss.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1129: Shared Modules
2 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side – Loading
3 TA0004: Privilege Escalation T1134: Access Token Manipulation
T1055: Process Injection
T1543.003: Create or Modify System Process: Windows Service
T1548: Abuse Elevation Control Mechanism
T1574.002: Hijack Execution Flow: DLL Side- Loading
4 TA0005: Defense Evasion T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1036: Masquerading
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1112: Modify Registry
T1134: Access Token Manipulation
T1222: File and Directory Permissions Modification
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.003: Hide Artifacts: Hidden Window
T1548: Abuse Elevation Control Mechanism
T1574.002: Hijack Execution Flow: DLL Side- Loading
5 TA0006: Credential Access T1003: OS Credential Dumping
T1056.001: Input Capture: Keylogging
T1539: Steal Web Session Cookie
T1552.001: Unsecured Credentials: Credentials In Files
6 TA0007: Discovery T1010: Application Window Discovery
T1012: Query Registry
T1016: System Network Configuration
Discovery
T1018: Remote System Discovery
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1135: Network Share Discovery
T1518.001: Software Discovery: Security Software Discovery
T1614.001: System Location Discovery: System Language Discovery
7 TA0008: Lateral Movement T1080: Taint Shared Content
8 TA0009: Collection T1005: Data from Local System
T1056.001: Input Capture: Keylogging
T1074: Data Staged
T1114: Email Collection
T1185: Browser Session Hijacking
9 TA0011: Command and Control T1071: Application Layer Protocol
T1095: Non-Application Layer Protocol
T1573: Encrvted Channel
10 TA0040: Impact T1485: Data Destruction
T1486: Data Encrypted for Impact
T1489: Service Stop

Relevancy and Insights:

  • Targeting widely used Windows operating systems, this ransomware poses a significant threat to diverse industries and organizations.
  • Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.

ETLM Assessment:
Based on the available data, CYFIRMA’s assessment indicates that the MoneyIsTime ransomware presents a serious threat to economically developed nations, and various prominent sectors, particularly those reliant on Windows operating systems. With characteristics identical to Beast, which is offered as Ransomware-as-a-Service (RaaS), and LostInfo, known to sell victim data to other hackers if ransom demands are unmet, MoneyIsTime may adopt a similar model, potentially expanding its impact. The ransomware’s advanced techniques, such as leveraging Windows Management Instrumentation (WMI) and deleting Volume Shadow Copies (VSS), along with its ability to evade debugging environments, suggest that organizations in finance, healthcare, and critical infrastructure are especially vulnerable. Its persistence tactics and command-and-control capabilities make it well-suited for sophisticated, long-term attacks, underscoring the need for immediate defensive measures in these high-value sectors.

SIGMA Rule:
title: Uncommon File Created In Office Startup Folder tags:
– attack.resource-development
– attack.t1587.001 logsource:
product: windows category: file_event
detection: selection_word_paths:
– TargetFilename|contains: ‘\Microsoft\Word\STARTUP’
– TargetFilename|contains|all:
– ‘\Office’
– ‘\Program Files’
– ‘\STARTUP’
filter_exclude_word_ext: TargetFilename|endswith:
– ‘.docb’ # Word binary document introduced in Microsoft Office 2007
– ‘.docm’ # Word macro-enabled document; same as docx, but may contain macros and scripts
– ‘.docx’ # Word document
– ‘.dotm’ # Word macro-enabled template; same as dotx, but may contain macros and scripts
– ‘.mdb’ # MS Access DB
– ‘.mdw’ # MS Access DB
– ‘.pdf’ # PDF documents
– ‘.wll’ # Word add-in
– ‘.wwl’ # Word add-in selection_excel_paths:
– TargetFilename|contains: ‘\Microsoft\Excel\XLSTART’
– TargetFilename|contains|all:
– ‘\Office’
– ‘\Program Files’
– ‘\XLSTART’
filter_exclude_excel_ext: TargetFilename|endswith:
– ‘.xll’
– ‘.xls’
– ‘.xlsm’
– ‘.xlsx’
– ‘.xlt’
– ‘.xltm’
– ‘.xlw’ filter_main_office_click_to_run:
Image|contains: ‘:\Program Files\Common Files\Microsoft Shared\ClickToRun\’ Image|endswith: ‘\OfficeClickToRun.exe’
filter_main_office_apps: Image|contains:
– ‘:\Program Files\Microsoft Office\’
– ‘:\Program Files (x86)\Microsoft Office\’ Image|endswith:
– ‘\winword.exe’
– ‘\excel.exe’
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_* falsepositives:
– False positive might stem from rare extensions used by other Office utilities. level: high

(Source: SurfaceWeb)

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Trojan
Objective: Data theft, Data Exfiltration
Target Technology: Android OS, Cryptocurrency wallets
Target Geography: Korea

Active Malware of the Week
This week “SpyAgent” is trending.

SpyAgent
Researchers have recently uncovered a new mobile malware called SpyAgent that targets mnemonic keys by scanning device images for them. Mnemonic keys, used for cryptocurrency wallet recovery, are 12-word phrases simpler to remember than complex private keys. This Android malware disguises itself as legitimate apps, such as banking, government, and streaming services. Once installed, it secretly collects and transmits text messages, contacts, and images to remote servers, distracting users with fake loading screens, unexpected redirects, or brief blank screens to hide their true activities. Since January 2024, SpyAgent has been used in over 280 fake apps, primarily targeting users in Korea.

Fig: Timeline of SpyAgent campaign

Attack strategy
SpyAgent malware, which targets users in Korea, is primarily spread through clever phishing campaigns. Attackers send harmful links via text messages or social media, posing as trusted organizations or individuals to trick users into clicking. These links lead to realistic-looking fake websites that prompt users to download apps, which secretly install SpyAgent.

Fig: Fake Websites

When a user clicks the download link, they are prompted to download an APK file that appears legitimate but is actually malicious. Upon installation, the app requests access to sensitive information like SMS messages, contacts, and storage and asks to run in the background. These permissions, claimed to be necessary for the app’s function, are instead used to compromise the user’s privacy and security.

Fig: App installation and requesting permissions

Capabilities and Behavior
Once the malicious app is installed and launched, it begins stealing sensitive data and sending it to a remote server controlled by attackers. The targeted data includes:

  • Contacts: The malware extracts the user’s complete contact list, which can be exploited for fraudulent activities or to facilitate the malware’s spread.
  • SMS Messages: It intercepts and forwards all incoming SMS messages, potentially capturing sensitive information such as two-factor authentication codes or other confidential details.
  • Photos: The app transfers any images stored on the device to the attackers’ server, which may include personal or sensitive photos.
  • Device Information: It collects data about the device, such as the operating system version and phone numbers, allowing attackers to tailor their malicious actions more effectively.

The malware operates as an agent, with the ability to receive and execute instructions from a remote server. These commands include:

  • ‘ack_contact’: A confirmation signal that the server has received the contacts list.
  • ‘ack_sms’: A confirmation signal that the server has received SMS messages.
  • ‘ack_image’: A confirmation signal that the server has received images.
  • ‘sound_mode_update’: A command that changes the sound settings of the device.
  • ‘send_sms’: A command that enables the malware to send SMS messages from the device, which could be used to distribute phishing texts.

Command and Control Servers
Researchers discovered that several Command and Control (C2) servers had weak security configurations, which allowed unauthorized access to index pages and files without credentials. This vulnerability revealed detailed information about the server’s functions and the data being collected. Upon examination, researchers found that the server’s root directory contained various folders for different operations, such as imitating banking or postal services. The misconfiguration not only exposed the server’s internal components but also made sensitive personal data, including victim photos stored in the ‘uploads’ directory, publicly accessible, highlighting the seriousness of the data breach.

Fig: Exposed Indexing page of the root prior to the site being taken down(left), Leaked images list from one of the victims of the ‘aepost’ campaign prior to the site being taken down (Right)

Admin Pages
The exposed index pages included admin pages for managing victims. These pages displayed a list of devices with detailed information and various controllable actions. As the number of victims increases, the list of devices on these pages will grow accordingly.

Fig: Admin control panel

Targeting Cryptocurrency Wallets
The examination of the page revealed that the attackers primarily aimed to obtain mnemonic recovery phrases for cryptocurrency wallets, indicating a major focus on accessing and potentially depleting the victims’ crypto assets.

Data Processing and Management
This threat employs Python and JavaScript on the server-side to process stolen data. Images are converted to text using optical character recognition (OCR) and then organized and managed through an administrative panel, indicating a sophisticated approach to handling and utilizing the stolen information.

INSIGHTS

  • SpyAgent malware is a highly targeted cyber threat, primarily focused on users in Korea. It is typically spread through phishing campaigns where attackers pose as trusted organizations to lure victims into downloading malicious apps. These fake apps, disguised as legitimate services, secretly collect sensitive information such as contacts, SMS messages, photos, and device details. This data is then sent to a remote server controlled by the attackers, compromising the privacy and security of the victims.
  • What makes SpyAgent particularly dangerous is its ability to target mnemonic recovery phrases used for cryptocurrency wallets. By gathering this information, the malware aims to access and potentially drain the crypto assets of its victims. The malware spreads through more than 280 fake applications, making it a significant and widespread threat in the region. The impact of SpyAgent goes beyond just individual users, as it can potentially be used to spread further phishing attacks or broaden its reach within an organization. The exposure of sensitive data, including images and contacts, not only threatens user privacy but also creates opportunities for further exploitation.
  • The malware has evolved significantly, shifting from simple HTTP requests to WebSocket connections for communication with its command and control (C2) server, enabling more efficient, real-time interactions while avoiding detection by traditional security tools. Along with this, the malware has enhanced its obfuscation techniques, using strategies like string encoding, irrelevant code insertion, and renaming functions to confuse security software and delay detection.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as this malware continues to evolve, organizations and employees are likely to face increasingly sophisticated threats. The malware’s ability to exploit personal emotions by mimicking sensitive content, such as obituary notices, will make it harder for users to detect and avoid phishing attempts. This could lead to higher rates of successful attacks, especially as the malware leverages victims’ contacts to spread deceptive messages. The discovery of an item labeled “iPhone” in the admin panel indicates that the malware may soon target iOS users, expanding its reach to a broader range of devices and platforms. Additionally, the malware has expanded its geographic reach, recently spreading to the UK, showing a deliberate effort to target new user groups with localized versions. Organizations will need to enhance their security measures and stay vigilant across all mobile platforms to protect against these emerging threats, while employees must be cautious about handling sensitive communications and app permissions.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enforce policies to validate third-party software before installation.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –RansomHub Ransomware, Meow Ransomware | Malware – SpyAgent
  • RansomHub Ransomware – One of the ransomware groups.
  • Meow Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – SpyAgent

  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

TIDRONE Sets Its Sights on Taiwan’s Military and Satellite Sectors

  • Threat actor: TIDRONE
  • Attack type: ERP software or remote desktops
  • Objective: Espionage
  • Target Technology: UltraVNC
  • Target Geography: Taiwan
  • Target industries: Military-related industries, and Manufacturers of drones
  • Business Impact: Operational Disruption

Summary:
Since early 2024, researchers have identified a threat cluster, TIDRONE, targeting Taiwan’s military and satellite industries, with a focus on drone manufacturers. The research highlights the threat actors’ sophisticated tactics, techniques, and procedures (TTPs), including advanced anti-analysis and anti-antivirus measures. Advanced malware toolsets, such as the CXCLNT and CLNTEND are observed in the campaign. CXCLNT and CLNTEND often use methods like service creation, credential dumping, and lateral movement to infiltrate systems. Notable techniques involve anti-analysis by verifying parent processes and employing unconventional methods like fiber-based threading. In the campaign, backdoors such as Backdoor.CXCLNT and Backdoor.CLNTEND have been observed to support various communication protocols and exhibit espionage motives, as indicated by their focus on sensitive military-related information. The consistent use of misleading C&C server names and the connection to Chinese espionage activities further point to a likely Chinese-speaking threat group. Organizations are advised to monitor for suspicious WinWord.exe processes and related command-line arguments to defend against TIDRONE.

Relevancy & Insights:
The TIDRONE threat actor is a sophisticated cyber espionage group known for targeting high-value sectors to gather sensitive information. Currently, their focus is on Taiwan, particularly within the military and satellite industries, with a specific interest in drone manufacturers. TIDRONE exploits various technologies, including remote access tools like UltraVNC, and has recently employed advanced malware such as CXCLNT and CLNTEND, which feature refined anti-analysis and anti-antivirus capabilities. Historically, the group has used similar custom malware, reflecting a consistent pattern of employing stealthy and adaptive attack techniques. They typically exploit vulnerabilities in both proprietary and widely-used software to gain unauthorized access and maintain persistence. The threat landscape surrounding TIDRONE is characterized by increasingly complex and evolving cyber espionage tactics, indicative of a broader trend in sophisticated state-sponsored attacks. Looking ahead, TIDRONE is expected to continue refining its methods to bypass emerging security measures, making it crucial for organizations in targeted sectors to enhance their threat detection and response strategies.

ETLM Assessment:
The primary motive behind TIDRONE’s attacks appears to be espionage, with a particular focus on military-related industries and drone manufacturers, suggesting a strategic intent to acquire sensitive and potentially classified information. This is consistent with past behaviors where the threat actor targeted entities possessing valuable technological and defense-related data. Organizations involved in military, defense, and satellite industries, especially those within Taiwan, need to be vigilant. Companies engaged in drone manufacturing and related technologies are particularly at risk due to their potential possession of sensitive information.

Recommendations:
Deploy Advanced Monitoring Tools: Implement comprehensive threat detection systems

Enhanced Threat Detection and Monitoring:
that utilize behavioral analytics and machine learning to identify unusual activities, such as lateral movement or unauthorized access.

Monitor for Known Indicators: Keep an updated list of TIDRONE’s indicators of compromise (IOCs), such as file hashes, command-and-control (C&C) server domains, and malware signatures.

Strengthen Security Posture:
Regular Vulnerability Assessments: Conduct frequent vulnerability assessments and penetration testing to identify and address weaknesses in your systems and applications.

Patch Management: Ensure timely application of security patches and updates to all software, especially those commonly targeted by advanced threats.

Improve Endpoint Protection:
Implement Advanced Endpoint Protection: Use endpoint detection and response (EDR) solutions that provide real-time monitoring and response capabilities.

Use Anti-Malware Tools: Deploy anti-malware solutions with strong heuristic and behavioral analysis capabilities to detect and block sophisticated malware.

Access Control and Privilege Management:
Apply the Principle of Least Privilege: Restrict user and system permissions to the minimum necessary for job functions to reduce the impact of a potential compromise.

Monitor Privileged Accounts: Implement monitoring and logging for privileged accounts to detect unauthorized activities.

Incident Response and Preparedness:
Develop an Incident Response Plan: Create and regularly update an incident response plan tailored to address sophisticated cyber espionage threats. Ensure it includes procedures for containment, eradication, and recovery.

Conduct Regular Drills: Perform regular incident response exercises to test the effectiveness of your plan and the readiness of your response team.

Training and Awareness:
Employee Training: Conduct regular cybersecurity training for employees to raise awareness about phishing, social engineering, and other common attack vectors used by threat actors.

Executive Awareness: Ensure that executives and decision-makers are informed about the threat landscape and understand the importance of robust cybersecurity measures.

Network Segmentation and Defense in Depth:
Segment Critical Networks: Use network segmentation to isolate critical systems and reduce the impact of potential breaches.

Employ Defense in Depth: Implement multiple layers of security controls, including firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), to protect against various attack vectors.

Stay Informed and Collaborate:
Engage with Threat Intelligence Communities: Participate in threat intelligence sharing communities to stay updated on the latest threats, tactics, and indicators of compromise.

Collaborate with Industry Peers: Work with industry peers to share information about emerging threats and best practices for defense.

MITRE ATT&CK Tactics and Techniques
Tactics ID Technique
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1105 Ingress Tool Transfer
Exfiltration T1041 Exfiltration Over C2 Channel
Persistence T1078 Valid Accounts
Execution T1059.001 Command and Scripting Interpreter: PowerShell

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russia targeting the US presidential election, an APT attributed to Russia’s military intelligence
The United States government has accused Russia of conducting a widespread influence campaign focused on the US presidential election, which researchers dubbed “Doppelganger”. The US Justice Department seized thirty-two domains that were allegedly being used to covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in the U.S. and foreign elections, including the U.S. 2024 Presidential Election. The US Treasury Department’s Office of Foreign Assets Control (OFAC) has designated ten individuals and two entities for their alleged involvement in a scheme to covertly recruit unwitting American influencers in support of their malign influence campaign. The US State Department has also announced a $10 million reward for information on foreign interference in US elections.

In addition to that, a cluster of Western government agencies, including four of the Five Eyes, has recently issued a joint advisory on Cadet Blizzard, a threat actor attributed to the Russian GRU’s Unit 29155. The threat actors appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions, while also relying on cooperation from known cyber-criminals and privateers to conduct their operations. According to the advisory, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, Central Asia, and of course Ukraine. The activity includes cyber campaigns, such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.

ETLM Assessment:
Russia has inherited the rich Soviet legacy of information operations and put it to early use by pioneering the instrumentalization of social media for large-scale high-efficiency influence operations around the globe. As we have noted in a recent report, Russia has a highly developed lexicon for hybrid warfare and applies it systematically across all potential weapons, be that information, psychological operations, or acts of physical sabotage. It now appears that even sections of military intelligence like Unit 29155 which were previously known mainly for physical tactics, including poisonings, attempted coups, and bombings inside Western countries are also increasingly moving their activities into the fifth domain as the global economy goes increasingly online. We have also previously warned that Russia will likely increasingly use privateers in its operations. This trend will only continue and every large organization should take preventive measures, in expectation of an increasingly dangerous online environment.

North Korean hackers scamming the cryptocurrency sector
The US Federal Bureau of Investigation (FBI) has issued an advisory on North Korean social engineering campaigns targeting employees in the cryptocurrency industry. According to the FBI, North Korean malicious cyber actors conducted research on a variety of targets connected to cryptocurrency exchange-traded funds (ETFs) over the last several months. This research included pre-operational preparations suggesting North Korean actors may attempt malicious cyber activities against companies associated with cryptocurrency ETFs or other cryptocurrency-related financial products. For companies active in or associated with the cryptocurrency sector, the FBI emphasizes that North Korea employs sophisticated tactics to steal cryptocurrency funds and is a persistent threat to organizations with access to large quantities of cryptocurrency-related assets or products.

ETLM Assessment:
As we have noted in an earlier report, North Korean state hackers both collect intelligence and generate revenue for the state. The cyber espionage efforts are focused on the state’s perceived adversaries: mainly South Korea, the United States, and Japan; collecting intelligence on other countries’ military capabilities and stealing technologies that could be used by the North Korean military – these efforts also include Russia and China as potential technology sources; and increasingly on stealing funds in the form of cryptocurrency that the state later uses to fund its UN sanctioned missile and nuclear programs. The distinct North Korean threat actors have repeatedly shown overlaps in targeting in the recent past and their efforts have been increasingly sophisticated.

4. Rise in Malware/Ransomware and Phishing

The RansomHub Ransomware impacts the Sanyo Bussan Co., Ltd

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; Sanyo Bussan Co., Ltd (www[.]sanyo-bussan[.]co[.]jp), was compromised by the RansomHub Ransomware. Sanyo Bussan Co., Ltd., is a company that specializes in the planning, manufacturing, and sale of hotel amenity products. Their products include a wide range of items such as toothbrushes, shaving razors, hairbrushes, slippers, and other hotel-related consumables. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 12 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We also recently observed that RansomHub ransomware operators are using a new malware, dubbed EDRKillShifter, to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware deploys a legitimate but vulnerable driver on targeted devices to escalate privileges and disable security solutions. During a May 2024 attack, the tool attempted to disable protection but failed due to endpoint safeguards. EDRKillShifter can deliver various driver payloads based on attackers’ needs, and its code suggests it was compiled on a Russian-localized computer. This tactic, involving proof-of-concept exploits, represents an escalating threat to organizational cybersecurity.
  • As of August 2024, the RansomHub Ransomware group has reportedly targeted at least 210 victims across various critical sectors.
  • We recently observed that the RansomHub ransomware gang has been using TDSSKiller, a legitimate tool, to disable endpoint detection and response (EDR) services on target systems. After taking down the defenses, RansomHub deployed the LaZagne credential-harvesting tool to extract logins from various application databases that could help move laterally on the network.
  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub was also observed targeting VMware ESXi environments, using a newly developed Linux encryptor. This encryptor is capable of shutting down virtual machines and removing snapshots before encryption. It employs advanced encryption methods, such as ChaCha20 and Curve25519, to secure the compromised data.
  • The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Italy, and Australia.
  • The RansomHub Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Business Support Services, Software, and Government Agencies.
  • Based on the RansomHub Ransomware victims list from 1 Jan 2023 to 11th September 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1 Jan 2023 to 11 September 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Sanyo Bussan Co., Ltd, a prominent Manufacturing company from Japan, highlighting RansomHub’s significant threat presence in the Asia Pacific region.

The Meow Ransomware Impacts the Special Oilfield Services Company LLC

  • Attack Type: Ransomware
  • Target Industry: Energy
  • Target Geography: Oman
  • Ransomware: Meow Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Oman; Special Oilfield Services Company LLC (www[.]specialoilfield[.]com), was compromised by Meow Ransomware. Special Oilfield Services Company LLC is a prominent energy services provider based in the Middle East. The company specializes in delivering comprehensive solutions for the oil and gas industry, including drilling, well services, and project management. Renowned for its commitment to safety, innovation, and operational excellence, the company supports energy production with advanced technologies and skilled expertise. The compromised data contains an 800 MB data pack which includes Employee data, Client information, Scanned payment documents, Personal data (including dates of birth, passport scans, and more), Internal financial documents, Agreements and certifications, and much more confidential information. This data is being offered for sale at a price of 10000$.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Meow Ransomware, which emerged in late 2022, has been notably active in 2024, with 24 victims to date. This group is linked to the Conti v2 ransomware variant, utilizing similar sophisticated tactics and methods.
  • The Meow Ransomware group’s website is currently named “Meow Leaks,” and they maintain a presence on the dark web where they list victims who have not paid the ransom. There have been no recent detections of sample encryptors, further supporting the theory that they are focusing on extortion rather than traditional ransomware tactics.
  • The Meow Ransomware utilized the ChaCha20 encryption algorithm to secure files, appending the .MEOW extension to encrypted files. The ransom note typically instructed victims to contact the attackers via email or Telegram.
  • The Meow Ransomware group primarily targets countries, such as the United States of America, the United Kingdom, Israel, Italy, and Australia.
  • The Meow Ransomware group primarily targets industries, including Heavy Construction, Software, Business Support Services, Retail, and Financial Administration.
  • Based on the Meow Ransomware victims list from 1st Jan 2023 to 11 September 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Meow Ransomware from 1st Jan 2023 to 11 September 2024 are as follows:

ETLM Assessment:
Meow Ransomware employs various infection methods, including phishing emails, exploit kits, Remote Desktop Protocol (RDP) vulnerabilities, and malvertising. Based on recent assessments by CYFIRMA, Meow ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Special Oilfield Services Company LLC, a leading Energy company in Oman, highlighting Meow Ransomware’s significant threat presence in the Middle East.

5. Vulnerabilities and Exploits

Vulnerability in HPE HP-UX NFS

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Virtualization Software
  • Vulnerability: CVE-2024-42500 (CVSS Base Score 9.3)
  • Vulnerability Type: Improper input validation
  • Patch: Available

Summary:
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied input in HPE HP- UX System’s Network File System (NFSv4) services.

Impact:
A remote attacker can send specially crafted input to the system and perform a denial of service (DoS) attack.

Affected Products: https[:]//support[.]hpe[.]com/hpesc/public/docDisplay?docId=hpesbux04697en_us &docLocale=en_US

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in HP-UX can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of HP-UX is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding server operations, particularly for systems utilizing the RISC architecture, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

KillSec Ransomware attacked and Published the data of Medisetter

  • Threat Actors: KillSec Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Industry: Health Care Providers
  • Target Geography: Vietnam
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that the KillSec Ransomware attacked and published data of Medisetter(www[.]medisetter[.]com) on its dark web website. Medisetter builds and operates digital communities of healthcare practitioners (HCPs) in developing countries for peer-to-peer knowledge exchange, continuing medical education (CME) and overall professional development purposes. Through multiple digital touchpoints, member healthcare practitioners HCPs can stay updated on their clinical knowledge, drug discoveries, and medical innovations and participate in case discussions, seamlessly, through their smartphones. In Vietnam, where they started, they operate the country’s largest multichannel digital community of doctors and medical students. The data breach, resulting from the ransomware attack, involves the exposure of client information, including the following details for both doctors and students: Name, Email, Phone Number, City, Work Address, Specialty Type, and District. The data is being offered for sale at a price of $5,000.

Source: Dark Web

Relevancy & Insights:
Launch of KillSec RaaS: On June 25, 2024, KillSec announced the introduction of its Ransomware-as-a-Service platform via its Telegram channel. This platform is designed to provide aspiring cybercriminals with advanced tools and user-friendly features to facilitate ransomware attacks. The core component of this service is an advanced locker written in C++, which encrypts files on victims’ machines, making them inaccessible, without a decryption key provided after a ransom is paid.

Pricing Model: Access to the KillSec RaaS platform is priced at $250, with KillSec taking a 12% commission on any ransom payments collected. This model aims to make sophisticated ransomware tools accessible to less technically skilled individuals, potentially increasing the frequency of ransomware incidents globally.

ETLM Assessment:
The emergence of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally. According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.

7. Data Leaks

Lotte Mart Indonesia Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Retail
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to Lotte Mart Indonesia ( www[.]lottemartmall[.]co[.]id) in an underground forum. Lotte Mart Indonesia is a chain of hypermarkets and retail stores. Lotte Mart operated 50 stores across Indonesia, providing a wide range of products including groceries, clothing, electronics, and household goods. The alleged database contains 165,000 rows of data, including name, email, billing details, shipping details, and more.

Source: Underground Forums

Thai Hospital Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Health Care Providers
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A threat actor “FantomeJ3” has posted a data breach from a major Thai hospital on a dark web forum. The compromised dataset allegedly contains the personal information of over 600,000 individuals, including sensitive medical and demographic data. The seller has set the asking price at $3,000, providing a sample to verify the legitimacy of the leak.

The post details the contents of the breach, which includes patient information, such as health record numbers (HN), names, addresses, phone numbers, birthdates, and even medical information, such as blood type and marital status. Additional data fields include educational background, occupation, religion, and even patient images, among other details.

The alleged threat actor has shared a Telegram link to facilitate communication with potential buyers.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
According to CYFIRMA’s assessment, the threat actor known as ” FantomeJ3 ” poses a serious risk to organizations due to its financial motivations and ability to exploit vulnerable institutions. This actor is notorious for infiltrating organizations with weak security measures and profiting by selling stolen sensitive data on the dark web or underground forums. The typical targets of ” FantomeJ3 ” are institutions with inadequate cybersecurity defenses, making them particularly susceptible to the sophisticated cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

Threat Actor Claims to Sell Unauthorized VPN Access to a Taiwanese Bank. The target is a major Taiwanese bank headquartered in Taipei, boasting a revenue of approximately $17 billion. The alleged access includes a user within the bank’s network via an F5 BIG-IP VPN, a critical security infrastructure. The price for this access is negotiable.

Source: Underground forums

A threat actor identified as “888” has claimed to have breached Plastix Marketing(USA), a division of Evolve Marketing that specializes in long-term growth strategies for plastic surgery and med spa practices. The alleged data breach, occurring in September 2024, reportedly exposed sensitive information from 34,320 users.

According to the threat actor, the leaked database contains:

  • First and Last Names
  • Email Addresses
  • Phone Numbers
  • Activity Metrics such as Sent Count, Bounced, Delivered, Opened, Clicked, Spam, and Unsubscribed status.

Source: Underground forums

ETLM Assessment:
The “888” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.