CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows
Target Geographies: Australia, Brazil, Canada, Colombia, Egypt, El Salvador, France, Honduras, Indonesia, Italy, Japan, Libya, Norway, Romania, Slovakia, South Africa, Spain, Sri Lanka, Sweden, UAE, United Kingdom, United States and Vietnam.
Target Industries: Accounting, Business Services, Construction, E-commerce, Education, Energy, Finance, FMCG, Government, Healthcare, Manufacturing, Media, Real Estate, Retail, Software, Telecommunications, and Transportation.
Introduction
CYFIRMA Research and Advisory Team has found RansomHub Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
RansomHub Ransomware
RansomHub, a new Ransomware-as-a-Service (RaaS) platform, has quickly risen to become one of the largest ransomware groups in operation. It is highly likely that RansomHub is an updated and rebranded version of the older Knight ransomware. The group began listing its victims in mid-February 2024.
RansomHub encrypts the files and renames files by appending a string of random characters to the filenames. The ransom note is provided in a file named “README_[random_string].txt”.
Researchers analyzing the RansomHub payload discovered a high degree of similarity between RansomHub and Knight, suggesting that Knight served as the foundation for RansomHub.
In February 2024, Knight’s developers, who initially launched the ransomware as Cyclops, decided to shut down their operation and offered the source code for sale on underground forums. It is plausible that other actors purchased the Knight source code, updated it, and then launched RansomHub.
Comparison of RansomHub and Knight
Both ransomware payloads are written in Go, and most variants are obfuscated using Gobfuscate, with only some early versions of Knight lacking this obfuscation.
The significant code overlap between the two families makes distinguishing between them challenging. In many instances, differentiation is only possible by examining the embedded link to the data leak site.
Additionally, the command-line help menus for both families are virtually identical, with the only distinction being the inclusion of a sleep command in RansomHub.
Both threats utilize a distinctive obfuscation technique, encoding important strings with unique keys and decoding them at runtime.
The ransom notes left by both payloads exhibit significant similarities, with many phrases from Knight’s note appearing exactly in RansomHub’s. This suggests that the developers merely edited and updated the original note.
Knight ransom note. (Source: Surfaceweb)
RansomHub ransom note. (Source: Surfaceweb)
Screenshot of files encrypted by ransomware (Source: Surface Web)
One key difference between the two ransomware families lies in the commands executed via cmd.exe. These commands can be configured either when the payload is built or during its configuration. While the specific commands differ, the sequence and manner in which they are executed relative to other operations remain consistent.
Both Knight and RansomHub possess a unique feature that allows them to restart an endpoint in safe mode before initiating encryption. This technique, first employed by Snatch ransomware in 2019, enables encryption to proceed without interference from the operating system or other security processes.
Researchers discovered that the attackers gained initial access by exploiting the Zerologon vulnerability (CVE-2020-1472 [CVSS 10]), which can allow an attacker to obtain domain administrator privileges and seize control of the entire domain.
Before deploying the ransomware, the attackers employed several dual-use tools. Atera and Splashtop facilitated remote access, while NetScan was likely used to discover and gather information about network devices. The RansomHub payload utilized the command-line tools iisreset.exe and iisrstas.exe to halt all Internet Information Services (IIS) services.
Countries targeted by RansomHub
Following are the TTPs based on the MITRE Attack Framework
Sr. No | Tactics | Techniques/Sub-Techniques |
1 | TA0002: Execution | T1059: Command and Scripting Interpreter |
2 | TA0003: Persistence | T1574.002: Hijack Execution Flow: DLL Side-Loading |
3 | TA0004: Privilege Escalation | T1574.002: Hijack Execution Flow: DLL Side-Loading |
4 | TA0005: Defense Evasion | T1574.002: Hijack Execution Flow: DLL Side-Loading |
5 | TA0007: Discovery | T1082: System Information Discovery; T1518.001: Software Discovery: Security Software Discovery |
6 | TA0011: Command and Control | T1071: Application Layer Protocol; T1095: Non-Application Layer Protocol |
7 | TA0040: Impact | T1486: Data Encrypted for Impact |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA’s analysis, based on available data, suggests that RansomHub is targeting economically strong regions such as the US, East Asia, and Southeast Asia, and is also spreading globally. This ransomware’s sophisticated techniques, including advanced obfuscation and exploitation of critical vulnerabilities like Zerologon, indicate a focus on high-value targets. The deployment of dual-use tools for remote access and discovery, combined with its stealthy operation in idle periods, underscores RansomHub’s strategic targeting of industries and organizations with substantial financial resources and critical data assets.
YARA
rule Detect_Malware_Path
{
    strings:
        $system32 = "system32"
        $path_pattern = /C:\\Windows\\system32\\[a-f0-9]{64}A{50,}/
    condition:
        all of them
}
(Source: Surface web)
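As an added example (not the report's own code, and not the YARA rule above run through YARA), the following Python applies the same path pattern as the rule, together with the ransom-note naming and the IIS-stop commands described earlier, to constructed event lines. The key=value event format, the field names and every sample value are assumptions made for this illustration.

```python
import re

# Added example (not CYFIRMA's code or the ransomware's): behavioural checks
# built from indicators stated in the report, run over constructed event lines.

# Mirrors the report's YARA rule: a 64-character hex name followed by 50 or more
# 'A' characters under C:\Windows\system32 (case-sensitive, as the rule is).
SYSTEM32_PATH = re.compile(r"C:\\Windows\\system32\\[a-f0-9]{64}A{50,}")

# Ransom note naming: README_<random string>.txt, matched on the file name only.
RANSOM_NOTE = re.compile(r"(?:^|\\)README_[A-Za-z0-9]+\.txt$", re.IGNORECASE)

# Command-line tools the payload used to halt IIS services.
IIS_STOP_TOOLS = {"iisreset.exe", "iisrstas.exe"}

# Constructed telemetry in a simple key=value shape (not real logs).
SAMPLE_EVENTS = [
    "FileCreate path=C:\\Users\\alice\\Documents\\README_8F3kQz.txt",
    "FileCreate path=C:\\Users\\alice\\Documents\\budget.xlsx.8F3kQz",
    'ProcessCreate image=C:\\Windows\\System32\\iisreset.exe cmdline="iisreset.exe /stop"',
    "ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe",
    "FileCreate path=C:\\Windows\\system32\\" + "0" * 64 + "A" * 60,
    "FileCreate path=C:\\Windows\\system32\\" + "0" * 64 + "A" * 10,
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split 'Type k=v k="v v"' into (type, {k: v}); surrounding quotes are stripped."""
    event_type, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return event_type, fields


def classify(line):
    """Return the sorted list of indicator tags that fire on one event line."""
    event_type, fields = parse_event(line)
    tags = []
    if event_type == "FileCreate":
        path = fields.get("path", "")
        if SYSTEM32_PATH.search(path):
            tags.append("system32_padded_name")
        if RANSOM_NOTE.search(path):
            tags.append("ransom_note")
    elif event_type == "ProcessCreate":
        image = fields.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in IIS_STOP_TOOLS:
            tags.append("iis_service_stop")
    return sorted(tags)


def scan(lines):
    """Map line index -> tags for every line that fired at least one indicator."""
    return {i: tags for i, line in enumerate(lines) if (tags := classify(line))}


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS).items():
        print(f"line {index}: {', '.join(tags)}")
```

The padded-name check is kept case-sensitive to match the YARA rule exactly; the IIS tools are matched on the image name so that a copy run from another directory still fires.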
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Type: Remote Access Trojan (RAT)
Objective: Credentials Stealing, Data Exfiltration
Target Technologies: Windows OS, Browsers, FTP clients, VPN clients, IM clients, and other software such as MySQL Workbench, DynDns, Microsoft Credentials, Internet Downloader Manager, and JDownloader
Exploited Vulnerability: CVE-2017-0199, CVE-2017-11882
Active Malware of the Week
This week “Agent Tesla” is trending.
Agent Tesla
A recent discovery unveiled a new phishing campaign distributing a novel variant of Agent Tesla, which specifically targets Spanish-speaking individuals. The campaign employs various tactics, including exploiting known MS Office vulnerabilities and using JavaScript, PowerShell, and fileless modules, to deliver the Agent Tesla core module and evade detection. Agent Tesla is a well-known .NET-based Remote Access Trojan (RAT) designed to covertly infiltrate computers and steal sensitive information, such as hardware details, login credentials, keystrokes, email contacts, browser cookies, clipboard data, screenshots, and other system information, including the login username, computer name, OS information, CPU and RAM information, as well as saved credentials in widely installed software.
Attack Method
The attacker initiates the attack by sending a phishing email to the victim. The email, written in Spanish, masquerades as a standard SWIFT transfer notification from a large financial institution and includes a disguised Excel attachment.
Fig: The phishing email
The message translated into English reads as:
“Good day Attached is proof of payment made to your account according to your client’s instructions.”
The Excel Document
The Excel document uses the OLE format with carefully crafted embedded data to exploit the CVE-2017-0199 vulnerability. It includes an embedded OLE hyperlink, which triggers automatically when the victim opens the Excel file. The hyperlink provided in the document leads to “hxxp[:]//ilang[.]in/QqBbmc”. Upon opening the Excel file, an RTF document is automatically downloaded and Word is prompted to open it.
Exploitation of CVE-2017-11882
CVE-2017-11882 is a Remote Code Execution (RCE) vulnerability found in Microsoft Office’s Equation Editor component (EQNEDT32.EXE). It can be exploited through Excel, Word, PowerPoint, and RTF documents containing crafted equation data in an OLE object. Successful exploitation permits an attacker to execute arbitrary code on the victim’s system. The vulnerability is a stack buffer overflow that overwrites a return address on the stack of EQNEDT32.EXE, allowing the attacker to hijack the process and execute malicious code copied onto the stack. Following execution, shellcode is triggered to download and execute JavaScript code from a website.
The shellcode calls the API URLDownloadToFileW() to retrieve a JavaScript file from “hxxp[:]//equalizerrr[.]duckdns.org/eveningdatingforeveryone.js” and store it locally as “C:\Users\Bobs\AppData\Roaming\morningdatingroses.js”. Subsequently, the API ShellExecuteW() is invoked to run the JavaScript file via the Windows program WScript.exe. Finally, the process exits with a call to the API ExitProcess().
JavaScript Execution Leading to PowerShell Code
The JavaScript fetches another file from “hxxps[:]//paste[.]ee/d/yWWXG” and runs it through eval(). When opened in a web browser, that file appears to be regular JavaScript code, but it contains malicious code encoded in base64. After decoding, this code is combined with further instructions and executed in a “powershell.exe” process.
The PowerShell code serves several purposes:
The loader-module, a fileless component, avoids local storage, complicating detection for researchers who aren’t conducting meticulous, step-by-step analysis.
The VAI() method takes arguments:
The loader-module, executing within a PowerShell process, fetches a file from the URL specified in the first argument and holds it in memory; this is the Agent Tesla core module. It then launches the ‘AddInProcess32’ process in a suspended state using the API CreateProcessA() with creation flags of 0x80000004 (CREATE_SUSPENDED).
Subsequently, the loader-module performs process hollowing on the suspended process, injecting and executing the Agent Tesla executable within the “AddInProcess32.exe” process. This operation entails calling APIs such as GetThreadContext(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), and ResumeThread().
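The delivery chain described in this section (Equation Editor, then WScript running a script from AppData\Roaming, then PowerShell, then a hollowed AddInProcess32.exe) can be spotted from parent/child relationships alone. The following Python is an added example, not code from the report or from the malware: it builds a process tree from constructed process-creation events and flags the three relationships above. The event shape, pids, and the benign decoy process are assumptions; the script path is the one quoted earlier in the report, and the Equation Editor is given a service host as parent because it is started through COM rather than directly by Word.

```python
import re

# Added example (not code from the report or the malware): process-tree checks
# for the Agent Tesla delivery chain, over constructed process-creation events.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script file launched from the roaming profile, as in the campaign.
APPDATA_SCRIPT = re.compile(r'\\AppData\\Roaming\\[^"\s]+\.(?:js|jse|vbs)\b', re.IGNORECASE)

# Constructed telemetry (not real logs): pid, ppid, image path, command line.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 20, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Equation Editor is COM-activated, so its parent is the DCOM service host.
    {"pid": 30, "ppid": 10,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"pid": 40, "ppid": 30, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Bobs\AppData\Roaming\morningdatingroses.js"'},
    {"pid": 50, "ppid": 40,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -e <base64 omitted>"},  # placeholder
    {"pid": 60, "ppid": 50,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": "AddInProcess32.exe"},
    # Benign decoy: a script host run from Program Files by Explorer.
    {"pid": 70, "ppid": 20, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\setup.js"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid (for alert context)."""
    tree = by_pid(events)
    chain = []
    while pid in tree:
        chain.append(basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (pid, rule_name) pairs for every event matching one of the chain rules."""
    tree = by_pid(events)
    alerts = []
    for e in events:
        image = basename(e["image"])
        parent = tree.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        # Equation Editor should never spawn anything; CVE-2017-11882 abuse does.
        if parent_image == "eqnedt32.exe":
            alerts.append((e["pid"], "child_of_equation_editor"))
        # Script host executing a script dropped into AppData\Roaming.
        if image in SCRIPT_HOSTS and APPDATA_SCRIPT.search(e["cmdline"]):
            alerts.append((e["pid"], "script_host_running_appdata_script"))
        # The .NET add-in host started by PowerShell: the hollowing target above.
        if image == "addinprocess32.exe" and parent_image == "powershell.exe":
            alerts.append((e["pid"], "addinprocess32_spawned_by_powershell"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}  chain: {' > '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule is a single parent/child relationship, so it keeps firing even if the script name, the paste site or the PowerShell payload change between campaigns; the ancestry helper gives an analyst the full chain at triage time.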
Agent Tesla Executable Module
This Agent Tesla variant is a 32-bit .NET framework program, cleverly disguised as a fileless module. Debugging reveals obfuscation at the EntryPoint method, obscuring namespaces, classes, methods, and code flow.
To evade analysis environments, it employs various detection methods:
Upon detection of any of these environments, the program promptly terminates its execution.
Theft of Sensitive Information from the Victim’s Device
Agent Tesla targets various web browsers for saved credentials, including Chromium-based ones like Chrome, Opera, and Edge, as well as Mozilla-based browsers like Firefox and Thunderbird. Additionally, it seeks credentials from email clients, FTP clients, VPN clients, IM clients, and other software such as MySQL Workbench, DynDns, Microsoft Credentials, Internet Downloader Manager, and JDownloader.
It also retrieves email contacts from Thunderbird profiles. The malware disables certain features by default, like the keylogger, screen logger, clipboard logger, and cookies.
Moreover, it gathers system information such as date, time, username, computer name, public IP, OS details, CPU, and RAM.
Submission of Stolen Data via FTP
Agent Tesla transmits the stolen credentials from the victim’s machine using the FTP command “STOR.” The file name on the FTP server follows the format “PW_{User name-Computer name_System Data&Time}.html,” and the file contains the stolen data in HTML format.
Additionally, collected email contacts are stored in a txt file named “Contacts_Thunderbird.txt_{User name-Computer name_System Data&Time}.txt.” For example, “Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt” contains all email addresses collected from Thunderbird.
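The two upload names above share one layout: a fixed prefix, the user name, a hyphen, the computer name, and a YYYY_MM_DD_HH_MM_SS timestamp. The following Python is an added example, not code from the report or the malware: it parses that layout out of FTP STOR commands and rejects names that merely look similar. The control-channel log format, addresses and all lines except the two file names taken from the report are constructed.

```python
import re
from datetime import datetime

# Added example (not code from the report or the malware): parser for the
# exfiltration file names described above, run over constructed FTP command logs.

# PW_{user-host_timestamp}.html and Contacts_Thunderbird.txt_{user-host_timestamp}.txt,
# with the timestamp written as YYYY_MM_DD_HH_MM_SS (as in the report's example).
# The host may itself contain hyphens (BOBS-PC), so the user is cut at the first one.
EXFIL_NAME = re.compile(
    r"^(?P<kind>PW|Contacts_Thunderbird\.txt)_"
    r"(?P<user>[^-]+)-(?P<host>.+)_"
    r"(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})"
    r"\.(?P<ext>html|txt)$"
)
TS_FORMAT = "%Y_%m_%d_%H_%M_%S"

# Constructed control-channel log lines: "<time> <client> -> <server> <COMMAND> <arg>".
SAMPLE_FTP_LOG = [
    "2024-05-17T17:34:22Z 10.0.0.5 -> 203.0.113.10:21 USER uploader",
    "2024-05-17T17:34:23Z 10.0.0.5 -> 203.0.113.10:21 STOR PW_Bobs-BOBS-PC_2024_05_17_17_34_21.html",
    "2024-05-17T17:34:24Z 10.0.0.5 -> 203.0.113.10:21 STOR Contacts_Thunderbird.txt_Bobs-BOBS-PC_2024_05_17_17_34_21.txt",
    "2024-05-17T17:40:01Z 10.0.0.9 -> 203.0.113.10:21 STOR quarterly_report.pdf",
    "2024-05-17T17:41:00Z 10.0.0.9 -> 203.0.113.10:21 RETR invoice.pdf",
]

STOR_LINE = re.compile(r"^(?P<when>\S+) (?P<client>\S+) -> (?P<server>\S+) STOR (?P<name>\S+)$")


def parse_exfil_name(name):
    """Return the fields encoded in an Agent Tesla-style upload name, or None."""
    m = EXFIL_NAME.match(name)
    if not m:
        return None
    try:
        collected_at = datetime.strptime(m["ts"], TS_FORMAT)
    except ValueError:
        return None  # right shape, but not a real date/time
    return {
        "kind": "credentials" if m["kind"] == "PW" else "thunderbird_contacts",
        "user": m["user"],
        "host": m["host"],
        "collected_at": collected_at.isoformat(),
    }


def scan_ftp_log(lines):
    """Flag STOR uploads whose file name matches the exfiltration format."""
    hits = []
    for line in lines:
        m = STOR_LINE.match(line)
        if not m:
            continue
        parsed = parse_exfil_name(m["name"])
        if parsed:
            hits.append({"client": m["client"], "server": m["server"],
                         "file": m["name"], **parsed})
    return hits


if __name__ == "__main__":
    for hit in scan_ftp_log(SAMPLE_FTP_LOG):
        print(f"{hit['client']} uploaded {hit['kind']} for {hit['user']}@{hit['host']} "
              f"(collected {hit['collected_at']}) to {hit['server']}")
```

Parsing the timestamp rather than only pattern-matching it lets the detection recover when the data was collected on the victim, which is usually a few seconds before the upload and is useful when correlating with endpoint telemetry.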
Fig: The whole process of this Agent Tesla campaign
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that Agent Tesla will continue to focus on enhancing its evasion tactics and expanding its target scope. This may lead to increased sophistication in bypassing security measures and broader impacts on organizations. With its demonstrated ability to steal credentials from various applications and platforms, including browsers, email clients, FTP clients, and VPNs, organizations reliant on these technologies will face heightened vulnerability to data breaches and cyberattacks. Furthermore, as Agent Tesla evolves, it may increasingly target industries and regions where it can maximize its impact.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
Security Awareness training should be mandated for all company employees. The training should ensure that employees:
TACTICAL RECOMMENDATIONS
Key Intelligence Signals:
Kimsuky North Korean Cyber Espionage Group Targets Western European Arms Manufacturers
Summary:
On May 16, 2024, attempted intrusions targeting weapons manufacturers in Western Europe were identified, with high confidence attributed to the North Korean state-sponsored group Kimsuky. The report reveals that Kimsuky employed new espionage tools and primarily targeted a Western European weapons manufacturer, using the “General Dynamics” brand as a deceptive lure in their spear-phishing campaign. The attack vector involved emails containing a malicious JavaScript file, “Safety Manager JD (General Dynamics HR Division II).jse,” masquerading as a job description document. Upon execution, the file decodes two base64 data blocks: a benign PDF to distract the user and a malicious payload that executes silently in the background.
The payload consists of a legitimate PDF and a malicious executable library, encoded with double base64 to evade detection, which performs various espionage functions and ensures persistence by creating a new service and modifying the system registry. The espionage tool enables the attacker to enumerate directories, capture screenshots, establish socket connections, execute additional processes, and more. The command and control infrastructure linked to this campaign involves multiple domains and IP addresses associated with Stark Industries, suggesting a strong likelihood of Kimsuky’s involvement.
This incident underscores the escalating risks of cyber warfare targeting critical military industries. The targeted manufacturer plays a crucial role in the defense supply chain, highlighting the potential geopolitical implications of such cyberattacks. It is anticipated that the Kimsuky group will continue to target military and aerospace sectors globally, necessitating enhanced monitoring and protective measures to counter these threats.
Relevancy & Insights:
The cyber espionage attack by Kimsuky on a Western European weapons manufacturer highlights the group’s sophisticated tactics, including spear-phishing and the use of double base64 encoding to evade detection. By targeting the defense industry, Kimsuky aims to exfiltrate sensitive information, potentially enhancing North Korea’s military capabilities and posing significant geopolitical risks.
ETLM Assessment:
Kimsuky’s cyber-espionage attack on a Western European weapons manufacturer represents a significant threat due to its potential to exfiltrate sensitive military information, compromising national security and defense capabilities. This type of attack demonstrates Kimsuky’s advanced tactics, such as spear-phishing and sophisticated evasion techniques, which can be difficult to detect and mitigate. Europe could face more attacks by Kimsuky due to its critical role in global defense manufacturing and its technological advancements, making it a valuable target for intelligence gathering. The continuous geopolitical tensions and Kimsuky’s focus on military and defense sectors suggest a persistent threat, requiring European organizations to bolster their cybersecurity defenses to protect against such sophisticated state-sponsored attacks.
Recommendations:
Implement advanced email filtering to detect and block spear-phishing attempts. Educate employees about recognizing phishing emails and the dangers of opening unexpected attachments.
IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
Russia preparing to target Paris Olympics with information campaigns
Researchers have identified several Russian disinformation campaigns targeting public opinion around the upcoming 2024 Paris Olympic Games, as well as the reputation of the International Olympic Committee (IOC). These efforts are most likely linked to Russia and are tracked as Storm-1679 and Storm-1099. The threat actors have utilized AI to generate images and text and to spread false information and rumors about the games and about corruption in the IOC. The groups have also utilized a common Russian disinformation tactic of impersonating existing news outlets and credible sources to spread misinformation and propagate threats and fears of violence and terrorism around the games. The IOC barred Russian and Belarusian athletes from competing in the Games in October 2023, citing Russia’s ongoing invasion of Ukraine as the reason. Russia has previously leveraged its digital capabilities to wreak havoc at other Olympic Games; in 2018, Russian government-sponsored hackers attempted to disrupt the opening ceremony of the Pyeongchang Winter Olympics in South Korea, using a cyberattack to shut down a significant portion of the digital infrastructure being used to hold and broadcast the event.
ETLM Assessment:
France’s Ministry of Defense has recently warned of possible sabotage attacks by Russia on military sites this year. Our analysts also concluded that during the Paris Olympics Russia is likely to target civilian targets in France as well, in order to embarrass the government as revenge for President Macron’s repeated comments suggesting that NATO could deploy troops in Ukraine. There has been a real stepping up of Russian activity in the intelligence and shadow sphere, intensifying Russia’s political war on NATO as the freshly inaugurated President Putin reshuffles his government to include more macroeconomists, who will be needed for the long war Russia clearly intends to fight in the coming years. Increased aggression from Russian intelligence also reflects the desire of the country’s spymasters to reassert themselves after their most serious setback since the collapse of the Soviet Union. In the weeks following Russia’s full-scale invasion of Ukraine, more than 600 Russian intelligence officers operating in Europe under diplomatic cover were expelled, dealing serious damage to the Kremlin’s spy network across the continent. Russia has gone to great lengths to reconstitute its presence in Europe, often using proxies including members of the Russian diaspora as well as organized crime groups with which the Kremlin has long-standing ties. However, given the extent of the damage to the Russian intelligence network, the Kremlin will need to boost the cyber operations element of its political war against NATO, which should be expected to include attempts at cyber-enabled physical sabotage.
Chinese hackers active in the South China Sea region
Researchers have described a Chinese state-sponsored cyberespionage operation that targeted a high-profile government organization in Southeast Asia. Three China-linked activity clusters were observed within the targeted government’s networks between March 2023 and December 2023, with evidence of additional compromises dating back to early 2022.
The most likely goal of the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests, i.e. a classic state-driven espionage by cyber means. This includes accessing critical IT systems, performing reconnaissance of specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.
ETLM Assessment:
Last month, U.S. Secretary of State Antony Blinken traveled to Beijing in the latest of a series of high-level meetings between Chinese and U.S. leadership to ease tensions after China complained about the movement of US Navy ships in international waters around Taiwan. This followed last year’s campaigns in the South China Sea region by other Chinese actors such as Volt Typhoon and Mustang Panda. All of these hacking groups have focused on countries surrounding the South China Sea, where China presses territorial claims against countries like the Philippines, Vietnam, and Indonesia, as well as on the United States, with which China is in conflict over primacy in the region and in global affairs as a whole. Guam, a US territory in the Western Pacific that is home to significant US military bases, has allegedly been targeted. Chinese hackers have lately focused mainly on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been found. As we warned in an earlier report, given the increasingly assertive Chinese posturing, it was likely that Beijing’s hackers were trying to position themselves so that China could attempt to paralyze U.S. critical infrastructure in case of an eruption of conflict between the two countries over Taiwanese or Philippine waters. An attempt to induce societal panic in an adversary in case of conflict is an inherent part of Chinese military doctrine, and targeting critical infrastructure on Guam could affect U.S. military operations in a significant way.
The Cactus Ransomware impacts the CTS (Connection Technology Systems Inc.)
Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Taiwan (www[.]ctsystem[.]com) was compromised by the Cactus Ransomware. CTS (Connection Technology Systems Inc.) is a world-class FTTX solution provider for telecoms, ISPs, and service operators all over the world. The compromised data contains corporate confidential data, engineering documents, financial data, customer information, personal identification documents, database backups, etc. The total size of the compromised data is approximately 93 GB.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
Cactus ransomware is being spread through malvertising campaigns, where malicious ads lead users to compromised websites that download the DanaBot trojan. DanaBot serves as a backdoor for deploying Cactus ransomware, making the initial infection harder to detect. Based on the available information, CYFIRMA’s assessment indicates that Cactus Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on CTS (Connection Technology Systems Inc.), a prominent telecommunication company located in Taiwan, underscores the extensive threat posed by this particular ransomware strain in the East Asia region.
© CYFIRMA 2024, ALL RIGHTS ARE RESERVED.
The Daixin Ransomware impacts the Dubai Municipality
Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that an organization from the United Arab Emirates (www[.]dm[.]gov[.]ae) was compromised by the Daixin Ransomware. Dubai Municipality is the municipal body of the Government of Dubai, with jurisdiction over city services and the upkeep of facilities in the Emirate of Dubai, United Arab Emirates, and reports directly to the Dubai Executive Council. The compromised data encompasses sensitive and confidential information pertinent to the organization.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
Daixin Ransomware Team is known for using various tools to facilitate their operations, including Rclone for cloud storage management and Ngrok for reverse proxying. They also utilize SSH for remote access and data exfiltration, making it challenging to detect and block their activities once they have breached a network. Based on the available information, CYFIRMA’s assessment indicates that Daixin Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Dubai Municipality, a prominent government body located in the United Arab Emirates, underscores the extensive threat posed by this particular ransomware strain in the West Asia region.
Vulnerability in Trend Micro VPN Proxy One Pro
Summary:
The vulnerability allows a remote user to compromise a vulnerable system.
Relevancy & Insights:
The vulnerability exists due to insufficient validation of files during upload.
Impact:
A remote user can upload a malicious file and execute it on the system.
Affected Products: https[:]//helpcenter[.]trendmicro.com/en-us/article/TMKA-07247
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
Vulnerability in VPN Proxy One Pro can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of VPN Proxy One Pro is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding online activities, including accessing geographically blocked content, across different geographic regions and sectors.
8base Ransomware attacked and Published data of Nidec Motor Corporation
Summary:
Recently we observed that 8base Ransomware attacked and published data of Nidec Motor Corporation on its darkweb website. Nidec Motor Corporation is a global manufacturer of electric motors and related components and equipment. The company provides general motors and equipment devices, as well as precision small motors, including hard disk drive (HDD) spindle motors, other small precision brushless direct current (DC) motors, brushless DC fans, and other small motors. The company is headquartered in Kyoto, Japan. The data leak, following the ransomware attack, encompasses invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files, and others.
Source: Dark Web
Relevancy & Insights:
ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that 8Base Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Nidec Motor Corporation, a prominent Manufacturing company located in Japan, underscores the extensive threat posed by this particular ransomware strain in the Asia Pacific region.
7. Data Leaks
Dkhoon Emirates Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a potential data sale related to VWholesaleTour, {www[.]vwholesaletour[.]com} in an underground forum. A threat actor claims to be selling data from VWholesaleTour, an online travel agency. The alleged data includes over 196,000 logs and more than 2,800 user records. The data for sale contains ID, name, last name, nickname, email, password, agency, phone number, fax number, address, role, status, and other sensitive and confidential information. The threat actor has set the price for the data at $1,000.
Source: Underground Forums
PT Nap Info Lintas Nusa data advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a potential data sale related to PT Nap Info Lintas Nusa, {www[.]napinfo[.]co[.]id} in an underground forum. A threat actor has announced a data breach at the telecommunications company PT Nap Info Lintas Nusa, located in South Jakarta, Indonesia. The company, with a total revenue of $6.2 million, is now facing a severe security threat. Allegedly, the breached data includes credentials, numerous database files, SSL-VPN logs and configurations, system configurations and information, API information, and much more.
The hacker is offering the breached data for sale with the following details:
Data Breach: $1,300 in XMR
Shell Access: $1,800 in XMR
In addition, the hacker has issued a ransom demand to PT Nap Info Lintas Nusa. The company has 30 days to pay $20,000 in XMR to prevent the dissemination of the breached information. If the ransom is not paid within this period, the hacker threatens to brick many of the company’s systems. Furthermore, any attempts to fix the issue, log in for repairs, or other interventions will trigger a fail-safe, causing additional damage to the systems. The data breach is allegedly claimed by the threat actor ‘Interpol404’.
Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Interpol404’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by Interpol404 typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.
Recommendations: Enhance the cybersecurity posture by
CYFIRMA Research team observed a potential data sale related to Advance Auto Parts (AAP) (The United States of America). A threat actor has surfaced, claiming to be selling a vast database allegedly belonging to Advance Auto Parts (AAP). The purported data, amounting to a staggering 3TB, reportedly originates from AAP’s Snowflake data warehouse and includes a wealth of sensitive information. The data breach is allegedly claimed by the threat actor ‘Sp1d3r’. According to the threat actor, the database encompasses:
380 Million Customer Profiles: Including names, emails, mobile numbers, phone numbers, addresses, and more.
140 Million Customer Orders: Detailing purchase histories.
44 Million Loyalty / Gas Card Numbers: Accompanied by customer details.
358,000 Employee Records: Containing employment details.
Auto Parts Information: Including part numbers.
Sales History: Comprehensive records of transactions.
Employment Candidate Information: Featuring Social Security Numbers (SSNs), driver’s license numbers, and demographic details.
Transaction Tender Details: Information about payment methods and transactions.
Over 200 Tables of Data: Spanning various aspects of the business.
Purchase Information
Price: 1.5 Million USD
Source: Underground forums
ETLM Assessment:
Threat actor 888 group has become active in underground forums and has emerged as a formidable force in cybercrime, mainly for financial gain. The threat actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating its intention to expand its attack surface to other industries globally in the future.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.