Weekly Intelligence Report – 15 Nov 2024

Published On : 2024-11-15

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These cover multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Weaxor ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Weaxor ransomware
Researchers identified a new strain of ransomware named Weaxor.

Weaxor is a ransomware strain that encrypts files, compelling victims to pay for decryption. It appends the “.rox” extension to affected filenames and leaves a ransom note titled “RECOVERY INFO.txt” with instructions for recovery.

Screenshot of files encrypted by ransomware (Source: Surface Web)

Weaxor’s ransom note informs victims that their data has been encrypted and requires a decryption tool for recovery. Victims are instructed to download the TOR browser and use a provided link to contact the attackers. The note includes two contact emails and offers free decryption of up to three files (5 MB each), excluding databases or backups.

Screenshot of Weaxor’s text file (“RECOVERY INFO.txt”) (Source: Surface Web)

Screenshot of Weaxor’s chat website (Source: Surface Web)
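The two artifacts the report names (the “.rox” extension and the “RECOVERY INFO.txt” note) are enough to scope how far an encryptor reached on a share. The script below is an added example written for this report, not CYFIRMA tooling or anything recovered from the malware; it assumes only those two names and builds its own constructed sample directory tree so it runs offline. The walk is read-only.

```python
"""Scope a Weaxor-style incident by locating encrypted files and ransom notes.

Added example (not CYFIRMA's tooling). It assumes only what the report states:
encrypted files end in ".rox" and the ransom note is "RECOVERY INFO.txt".
Nothing is moved, deleted or opened for writing during the walk.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".rox"             # extension appended by the encryptor (from the report)
RANSOM_NOTE = "RECOVERY INFO.txt"  # ransom note file name (from the report)


def original_extension(path):
    """'report.docx.rox' -> '.docx'; '<none>' when nothing precedes the .rox suffix."""
    stem = path[: -len(ENCRYPTED_EXT)]
    ext = os.path.splitext(stem)[1].lower()
    return ext or "<none>"


def triage(root):
    """Walk `root` and summarise encrypted files and ransom notes.

    Returns counts, the directories (relative to root) that contain encrypted
    files, which helps reconstruct which paths the encryptor reached, and the
    original file types affected, which helps prioritise restores from backup.
    """
    encrypted, notes = [], []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name == RANSOM_NOTE:
                notes.append(full)
    dirs_hit = sorted({os.path.relpath(os.path.dirname(p), root) for p in encrypted})
    by_type = Counter(original_extension(p) for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "dirs_hit": dirs_hit,
        "by_type": dict(by_type),
    }


def make_sample_tree():
    """Constructed sample tree mimicking a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="weaxor_triage_")
    layout = {
        "finance": ["budget.xlsx.rox", "notes.txt.rox", RANSOM_NOTE],
        "finance/archive": ["2023.zip.rox", RANSOM_NOTE],
        "hr": ["policy.docx", "README.md"],  # untouched directory
        "hr/photos": ["team.jpg.rox", RANSOM_NOTE],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    print(triage(make_sample_tree()))
```

Run against a real volume, the `dirs_hit` list is the first thing to compare with backup coverage, and `by_type` tells you whether databases or only documents were touched, which matters because the note offers "free" decryption only for non-database files.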

Following are the TTPs based on the MITRE ATT&CK Framework

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting Interpreter
    T1129: Shared Modules
2 TA0003: Persistence T1542.003: Pre-OS Boot: Bootkit
    T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1574.002: Hijack Execution Flow: DLL Side-Loading
3 TA0004: Privilege Escalation T1134: Access Token Manipulation
    T1543.003: Create or Modify System Process: Windows Service
    T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1574.002: Hijack Execution Flow: DLL Side-Loading
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
    T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
    T1036: Masquerading
    T1070.004: Indicator Removal: File Deletion
    T1112: Modify Registry
    T1134: Access Token Manipulation
    T1140: Deobfuscate/Decode Files or Information
    T1202: Indirect Command Execution
    T1222: File and Directory Permissions Modification
    T1497.001: Virtualization/Sandbox Evasion: System Checks
    T1542.003: Pre-OS Boot: Bootkit
    T1564.001: Hide Artifacts: Hidden Files and Directories
    T1564.003: Hide Artifacts: Hidden Window
    T1574.002: Hijack Execution Flow: DLL Side-Loading
5 TA0007: Discovery T1012: Query Registry
    T1016: System Network Configuration Discovery
    T1018: Remote System Discovery
    T1033: System Owner/User Discovery
    T1057: Process Discovery
    T1082: System Information Discovery
    T1083: File and Directory Discovery
    T1087: Account Discovery
    T1497.001: Virtualization/Sandbox Evasion: System Checks
    T1518.001: Software Discovery: Security Software Discovery
    T1614: System Location Discovery
6 TA0008: Lateral Movement T1080: Taint Shared Content
7 TA0009: Collection T1560: Archive Collected Data
8 TA0011: Command and Control T1071: Application Layer Protocol
    T1090: Proxy
    T1095: Non-Application Layer Protocol
    T1105: Ingress Tool Transfer
9 TA0040: Impact T1486: Data Encrypted for Impact
    T1489: Service Stop

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Debugging environments are used by developers to analyze and troubleshoot software. The ransomware checks whether it is running under a debugger, and this check helps it avoid analysis and detection attempts.
  • The ransomware remains inactive on infected systems for an extended period before activating. This stealth tactic helps it evade immediate detection and bypass security measures, allowing it to establish a foothold and maximize its impact once triggered.

ETLM Assessment:
CYFIRMA’s assessment based on available information suggests that Weaxor ransomware could continue to evolve in stealth and evasion techniques, targeting Windows systems across diverse sectors. Likely to focus on developed nations and high-value industries like manufacturing, healthcare, finance, and FMCG, Weaxor’s prolonged inactivity tactic makes detection challenging and maximizes impact. Proactive monitoring and defense strategies are essential against this threat.

Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wmic.exe'
            - 'VSSADMIN.EXE'
            - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet'   # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface web)

IOCs:
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement strong security protocols, encryption, and authentication or access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information stealer | Objectives: Data theft | Target Technology: Windows OS | Target Industries: Entertainment, Media, and Technology, Software Sector | Target Geographies: United States, Europe, East Asia, and South America | Campaign: CopyRh(ight)adamantys

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the Week
This week “Rhadamanthys” is trending.

Rhadamanthys
Researchers have been tracking a large-scale phishing campaign, dubbed CopyRh(ight)adamantys, which deploys the new version of the Rhadamanthys stealer (version 0.7) across regions including the United States, Europe, East Asia, and South America. This sophisticated campaign impersonates various companies, primarily in the Entertainment, Media, and Technology sectors, and falsely claims that victims have committed copyright infringement on their Facebook pages. Phishing emails, often sent from different Gmail accounts, encourage recipients to download an archive file that triggers DLL side-loading, leading to the installation of the Rhadamanthys stealer. While the latest version of the stealer allegedly includes an AI-powered OCR module, researchers have found that it instead uses older machine learning techniques typical of traditional OCR software. The campaign’s scale, automation, and potential use of AI tools indicate a highly organized operation, adopted by both cybercriminals and state-sponsored actors, with ongoing efforts to understand its tactics and improve detection.

Attack method
Check Point Software Technologies reported receiving phishing lures that mimic its own branded emails, which ultimately lead to the deployment of the Rhadamanthys stealer. This campaign begins with spear-phishing emails from Gmail accounts impersonating well-known companies and alleging copyright violations on the recipient’s social media pages. The emails, crafted to appear as communications from the companies’ legal representatives, accuse targets of brand misuse and demand the removal of specific images or videos. To support these claims, attackers provide a download link hosted on appspot.com, which redirects recipients to Dropbox or Discord to access a password-protected archive file (with the password included in the email). This file, once downloaded, initiates the infection process by deploying Rhadamanthys, illustrating both the adaptability and the broad scope of this phishing operation.

Fig: Phishing email impersonating Check Point

Infection Chain
The infection process starts with a spear-phishing email containing a link to download a password-protected archive, which holds three files: a legitimate executable, a malicious DLL with the packed Rhadamanthys, and a decoy Adobe or PDF file. When the executable runs, it uses DLL sideloading to load the malicious DLL, which then unpacks and activates the Rhadamanthys stealer.

Fig: Infection chain

When executed, the malware uses DLL sideloading to load the malicious DLL, triggering the stealer’s deployment. Rhadamanthys then injects itself into common processes like `credwiz.exe`, `dllhost.exe`, or `rundll32.exe` to evade detection and establish persistence. The malware’s modular structure enables multi-stage deployment: in Stage 2, it connects to a Command-and-Control (C2) server, while Stage 3 loads an OCR module embedded in a WAV file, enabling text extraction from images.

Targets and Attribution
The campaign’s targets span the US, Europe, the Middle East, East Asia, and South America, with an emphasis on entertainment, media, and tech sectors due to their frequent copyright-related communications. Despite previous links to state-sponsored groups, this campaign’s indiscriminate targeting pattern and automation suggest a financially driven cybercrime group.

Rhadamanthys 0.7 and OCR Module
The latest Rhadamanthys version, 0.7, introduces an OCR module, albeit not a modern AI-based tool. The module scans images in popular formats (e.g., BMP, JPEG) for specific phrases associated with Bitcoin wallets, indicating a financial motive. Using machine-learning techniques, it searches files for wallet-related phrases from the Bitcoin Improvement Proposal 39 (BIP39) wordlist. The OCR module’s limited capabilities (e.g., font restrictions, inability to read handwritten text) reflect its narrow focus, making it useful in attacks aimed at cryptocurrency assets.

INSIGHTS

  • The Rhadamanthys stealer malware campaign, active since mid-2024, utilizes sophisticated phishing tactics to target individuals and organizations worldwide. Disguising phishing emails as copyright infringement notices from reputable companies, attackers claim the victim’s Facebook pages misuse certain brands, prompting them to download an attached file to “resolve” the issue. This tactic exploits social media’s vast influence, as businesses and individuals alike take brand protection seriously. Once victims download the file, it initiates an infection chain via DLL side-loading, which ultimately deploys the Rhadamanthys stealer, a powerful data-harvesting tool known for advanced features like AI-powered OCR (optical character recognition).
  • The phishing campaign is notable for its scope and adaptability, targeting regions across the U.S., Europe, East Asia, and beyond, with specific industries—especially media, entertainment, and tech—often in the crosshairs. The attackers use automation, likely driven by AI, to generate convincing emails in various languages, enhancing their credibility by appearing like legitimate business correspondence. This automation allows cybercriminals to spread attacks widely and efficiently, capitalizing on sectors accustomed to copyright-related communications. The wide range of targets and regions, as well as the campaign’s automated, impersonal nature, strongly suggest a financially motivated cybercrime group rather than nation-state actors.
  • One of the most intriguing aspects of this campaign is the updated Rhadamanthys stealer, particularly the 0.7 version, which now includes a unique OCR module. This module scans images for specific phrases linked to cryptocurrency wallets, indicating a clear interest in financial data and crypto assets. Although the OCR component was marketed as AI-driven, it relies on older machine-learning techniques, underscoring the cybercriminals’ tactical use of “AI” as a marketing term to generate intrigue and value within underground markets. The Rhadamanthys campaign exemplifies how attackers leverage both automation and psychological tactics to drive large-scale campaigns, aiming to harvest sensitive data and financial information from unsuspecting victims globally.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the Rhadamanthys stealer campaign is likely to expand its reach, posing escalating threats to organizations and employees. As phishing tactics grow more sophisticated, particularly with automated, targeted lures, businesses may face increased risks from email-based attacks, especially in sectors like media, technology, and finance. The malware’s OCR capabilities suggest that attackers will focus on extracting sensitive financial and personal data from images and documents, amplifying the risks of fraud and intellectual property theft. As more organizations adopt image-heavy communication and digital assets, this threat could widen, requiring businesses to rethink their data protection strategies. Additionally, the social engineering tactics used, such as leveraging copyright infringement claims, may prompt organizations to enhance phishing detection and awareness, especially within legal and PR teams, to avoid compliance-driven compromises. With phishing campaigns becoming more sophisticated, businesses will need to invest in dynamic cybersecurity training and more adaptive defenses to mitigate these evolving risks.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

Recommendations:

STRATEGIC:

  • Block exploit-like behaviour. Monitor endpoint memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new, so identifying them provides effective protection against zero-day and critical exploits.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT:

  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Security awareness training should be mandated for all company employees. The training should ensure that employees:
      • avoid downloading and executing files from unverified sources;
      • move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Malware implant, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – DarkVault Ransomware, RansomHub Ransomware | Malware – Rhadamanthys
  • DarkVault Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following: Malware – Rhadamanthys.
  • Behavior – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Analyzing Earth Estries’ Persistent Tactics, Techniques, and Procedures in Sustained Cyber Operations

  • Threat actor: Earth Estries
  • Initial Attack Vector: Exploiting vulnerabilities, and Malware implant
  • Objective: Espionage
  • Target Technology: Microsoft Exchange Servers and Network adapter management tools
  • Target Geographies: Not Specified
  • Target Industries: Government and technology sectors.
  • Business Impact: Operational downtime, data theft, and potential destruction of sensitive information.

SUMMARY
Earth Estries, an advanced threat actor active since 2020, employs two distinct attack chains to exploit vulnerabilities in systems like Microsoft Exchange servers and QConvergeConsole. In the first infection chain, the group uses CAB files to deliver tools such as Cobalt Strike, Crowdoor, and Trillclient, which enable lateral movement, credential theft, and persistence. PsExec and WMIC facilitate the spread of backdoors, while Trillclient collects credentials from browser caches. The second chain targets Exchange servers, deploying web shells (like ChinaChopper) to introduce backdoors, including Zingdoor and SnappyBee, with components delivered through cURL downloads. Earth Estries’ tactics also include credential theft and data exfiltration via anonymized file-sharing services.

Persistence is maintained through frequent updates to installed tools, while internal proxies help hide backdoor traffic. Notably, the group demonstrates a strategic, adaptive approach, often cleaning up older tools as new backdoors are installed, and employs a variety of credential dumping and data collection methods. Earth Estries’ diverse and evolving toolkit, featuring techniques like DLL sideloading and multi-layered attack strategies, poses significant challenges to detection and remediation efforts.

Relevancy & Insights:
In past campaigns, Earth Estries demonstrated a strong focus on exploiting vulnerable and exposed systems within high-profile Asian organizations, with particular emphasis on Microsoft Exchange servers and network management tools. Previously, they relied heavily on Cobalt Strike and Hemigate as primary backdoors, deployed through CAB files, while employing tools like PsExec and WMIC for lateral movement. Their past operations also included the use of credential-stealing tools and anonymous exfiltration channels, illustrating a layered attack approach designed to secure persistent access and evade detection.

The current incident mirrors these tactics but with evolved methods. Earth Estries now incorporates additional backdoors like Crowdoor, Zingdoor, and SnappyBee, expanding their toolkit for maintaining control and stealthily moving within networks. For instance, instead of solely using PsExec, they now deploy WMIC and cURL to spread and download malware, showing an adaptation toward bypassing modern defenses. Their emphasis on using QConvergeConsole for entry, along with scheduled tasks and internal proxies for persistence, reflects a consistent yet refined methodology from past campaigns. This alignment of old and new techniques highlights Earth Estries’ strategic approach and adaptability, suggesting that their evolving tactics will continue to challenge traditional security measures.

ETLM Assessment:
Earth Estries is a sophisticated threat actor active since 2020, known for targeting high-value entities in Asia, focusing primarily on sectors like finance, telecommunications, and government. Their operations exploit vulnerabilities in widely-used technologies, such as Microsoft Exchange servers, QConvergeConsole, and network management tools, taking advantage of flaws in Apache Tomcat and Exchange’s web-facing components to gain initial access. This group deploys a blend of custom and well-known malware, including recent tools like Zingdoor, SnappyBee, and Crowdoor, as well as older tools like Cobalt Strike and Hemigate, delivered through CAB files or cURL downloads for seamless infiltration and lateral movement.

Earth Estries exhibits high adaptability, frequently updating malware installations and leveraging internal proxies to evade detection. They often use multi-layered backdoor strategies, credential-stealing tools like Trillclient, and anonymized channels for data exfiltration. This adaptability and deep knowledge of targeted environments suggest a persistent threat landscape for organizations using vulnerable or exposed systems, as Earth Estries is expected to continue refining its methods to bypass defenses.

Recommendations:

Strategic Recommendations

  • Enhance Vulnerability Management: Ensure continuous monitoring and timely patching of critical systems, especially external-facing applications like email servers and network management tools. Given Earth Estries’ use of widely exploited vulnerabilities, prioritize patches for Microsoft Exchange and Apache Tomcat, and regularly review the vulnerability status of QConvergeConsole or similar applications.
  • Implement Multi-Layered Defense: Establish a defense-in-depth strategy that layers security across endpoint, network, and cloud environments. Incorporate both preventive and detective controls, focusing on integrating solutions like endpoint detection and response (EDR) and network traffic analysis to monitor for anomalies that indicate potential lateral movement.

Tactical Recommendations

  • Strengthen Email and Web Application Security: Since Earth Estries targets web-facing services, deploy Web Application Firewalls (WAFs) and secure email gateways (SEGs) to block malicious traffic before it reaches vulnerable services. Implement strict monitoring and logging of email servers and web applications to detect exploitation attempts or suspicious activity.
  • Robust Credential Management and MFA Implementation: Enforce strict password policies and implement multi-factor authentication (MFA) across all critical systems to mitigate risks from compromised credentials. Since Earth Estries has previously used credential-stealing tools, ensure that credentials are regularly rotated, especially for privileged accounts.
  • Establish Network Segmentation and Access Controls: Limit Earth Estries’ ability to perform lateral movement by segmenting the network, particularly between critical and less sensitive systems. Enforce strict access controls and use identity-based segmentation where possible to restrict movement based on the least privilege principle.
  • Implement Enhanced Monitoring of IoCs: Incorporate shared IoCs into SOC monitoring workflows, with alerts configured to detect known signatures or behaviors associated with Earth Estries’ tools, such as Cobalt Strike, Trillclient, Crowdoor, and SnappyBee.

Operational Recommendations

  • Proactive Threat Hunting: Regularly perform threat-hunting activities within the SOC focused on TTPs (Tactics, Techniques, and Procedures) associated with Earth Estries. Monitor for behaviors like abnormal PowerShell usage, suspicious cURL commands, CAB file extractions, and signs of DLL sideloading, which are characteristic of this threat group.
  • Enhance Logging and Monitoring Across All Endpoints and Servers: Ensure comprehensive logging across critical endpoints and servers, particularly on email servers, AD controllers, and any machine handling sensitive data. Establish alerting for unusual process execution patterns (e.g., msiexec.exe, rundll32.exe) and use of remote execution tools such as PsExec.
  • Deploy Network-Based Anomaly Detection: Utilize network intrusion detection systems (NIDS) and proxy logs to monitor for unusual traffic, especially related to Earth Estries’ use of internal proxies to obfuscate C2 (command and control) traffic. This will help in detecting early signs of exfiltration or lateral movement.
  • Regularly Test SOC Response Through Red Team Exercises: Conduct red team assessments simulating Earth Estries’ TTPs to test and improve SOC responsiveness. Include scenarios that mimic the use of PsExec, Cobalt Strike, and credential-harvesting tools, challenging SOC analysts to detect, investigate, and contain potential compromises effectively.

MITRE FRAMEWORK

Tactic | ID | Technique / Sub-technique
Execution | T1129 | Shared Modules
Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding
Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing
Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography
Defense Evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery
Defense Evasion | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1070.006 | Indicator Removal: Timestomp
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32
Credential Access | T1056 | Input Capture
Discovery | T1082 | System Information Discovery
Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks
Discovery | T1083 | File and Directory Discovery
Discovery | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks
Discovery | T1518 | Software Discovery
Discovery | T1518.001 | Software Discovery: Security Software Discovery
Collection | T1056 | Input Capture
Command and Control | T1071 | Application Layer Protocol

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Chinese Hackers Target EU Diplomats
The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an entity in the region. According to researchers, during this attack the threat actor used the upcoming World Expo, which will be held in 2025 in Osaka, Japan, as a lure. MirrorFace has repeatedly targeted Japan and is now observed using Japan-related events as lures as well.

ETLM Assessment
MirrorFace, also identified as Earth Kasha, is believed to be part of the larger APT10 group, which includes other clusters like Earth Tengshe and Bronze Starlight. This group has been targeting Japanese organizations since at least 2019, but a new campaign observed in early 2023 shows an expansion in their activities to now include Taiwan and India. The campaign appears to be a classic state-driven espionage operation, with many similar campaigns probably underway at the same time.

4. Rise in Malware / Ransomware and Phishing

The DarkVault Ransomware impacts NEJOUM ALJAZEERA

  • Attack Type: Ransomware
  • Target Industry: Automotive Logistics and Transportation
  • Target Geography: United Arab Emirates
  • Ransomware: DarkVault Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United Arab Emirates, NEJOUM ALJAZEERA (www[.]naj[.]ae), was compromised by DarkVault Ransomware. Nejoum Al Jazeera is a UAE-based company specializing in car logistics and auto shipping services, especially for vehicles imported from the U.S. and Canada. The company has expanded its global presence with branches in the UAE, USA, Oman, Iraq, and Cambodia. Nejoum Al Jazeera offers services that include car shipping, customs clearance, and tracking for customers in the Middle East and beyond. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data encompasses a trove of sensitive and confidential records originating from the organizational database.

Source: Dark Web

Relevancy & Insights:

  • DarkVault surfaced in November 2023, positioning itself as a sophisticated ransomware operation. It has quickly become notable in the cybersecurity community for its activities, which extend beyond traditional ransomware attacks.
  • DarkVault operates a data leak site that resembles the design of LockBit’s Data Leak Site (DLS). This site is used to publish information about victims and to threaten them with data exposure unless ransoms are paid.
  • The DarkVault Ransomware group employs a double extortion model, encrypting victims’ files while also threatening to release stolen data if ransoms are not paid. This tactic increases pressure on victims to comply with ransom demands.
  • The DarkVault Ransomware group primarily targets countries like the United Kingdom, the United States of America, Brazil, India, and South Africa.
  • The DarkVault Ransomware group primarily targets industries, such as Business Support Services, the Internet, Restaurants & Bars, Software, and e-commerce.
  • Based on the DarkVault Ransomware victims list from 1st Jan 2024 to 13th November 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by DarkVault Ransomware from 1st Jan 2024 to 13th November 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, DarkVault Ransomware represents an evolving threat in the ransomware landscape with its diversified criminal activities and aggressive tactics. Organizations are advised to enhance their cybersecurity measures to protect against such threats, including implementing robust incident response plans and employee training on recognizing phishing attempts and other attack vectors. As the situation develops, continued monitoring of DarkVault’s activities will be essential for understanding its impact on global cybersecurity.

The RansomHub Ransomware Impacts the Melange Systems

  • Attack Type: Ransomware
  • Target Industry: Technology
  • Target Geography: India
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from India, Melange Systems (www[.]melangesystems[.]com), was compromised by RansomHub Ransomware. Melange Systems is a wireless networking company with an emphasis on the Internet of Things (IoT). The company offers low-cost, low-power wireless networking modules and complementary solutions for next-generation smart grid networks, smart cities, and connected infrastructure. The compromised data contains Personal Documents, Legal Documents, Source Code for Company Apps/Programs, Credentials of all employees, and more. The total size of the compromised data is approximately 1.2 TB.

Source: Dark Web

Relevancy & Insights:

  • The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Italy, and Australia.
  • The RansomHub Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Business Support Services, Software, and Health Care Providers.
  • Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 13th November 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the RansomHub Ransomware from 1st Jan 2024 to 13th November 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Melange Systems, a prominent Technology company from India, highlighting RansomHub’s significant threat presence in the South Asian region.

5. Vulnerabilities and Exploits

Vulnerability in XStream

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal components / Libraries used by multiple products
  • Vulnerability: CVE-2024-47072
  • CVSS Base Score: 7.5
  • Vulnerability Type: Memory corruption
  • Summary: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights:
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can pass a specially crafted stream to the application, trigger a stack overflow, and perform a denial of service (DoS) attack.

Impact:
Successful exploitation of this vulnerability requires that XStream is configured to use the BinaryStreamDriver.

Affected Products:
https[:]//github[.]com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
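The advisory's precondition is an XStream instance built on the BinaryStreamDriver and fed untrusted bytes. The following is an added example (it is not code from the advisory, from CYFIRMA, or from the XStream project) showing that weak configuration beside a hardened one that uses a text XML driver, an explicit type allow-list and a size ceiling on incoming payloads. The class and member names (XStreamDriverChoice, Settings, parseUntrusted, MAX_PAYLOAD_BYTES) and the sample document are constructed for illustration; the XStream calls used (constructor with a driver, alias, allowTypes, fromXML) are part of the library's public API.

```java
// Added example: the BinaryStreamDriver configuration that CVE-2024-47072
// requires, beside a hardened configuration for untrusted input.
// Names below (XStreamDriverChoice, Settings, parseUntrusted,
// MAX_PAYLOAD_BYTES) are illustrative and not from the advisory.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.io.xml.StaxDriver;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class XStreamDriverChoice {

    /** Value type we intend to deserialize (constructed for this example). */
    public static class Settings {
        public String name;
        public int retries;
    }

    /** Upper bound on bytes accepted from an untrusted caller (assumed value). */
    static final int MAX_PAYLOAD_BYTES = 64 * 1024;

    /**
     * Weak setup: the advisory's precondition. A BinaryStreamDriver parsing
     * attacker-controlled bytes is the configuration the vulnerability needs.
     * Kept here only so the hardened variant can be compared against it.
     */
    public static XStream binaryDriverParser() {
        XStream xs = new XStream(new BinaryStreamDriver());
        xs.alias("settings", Settings.class);
        xs.allowTypes(new Class[] { Settings.class });
        return xs;
    }

    /**
     * Hardened setup: a text XML driver instead of the binary one, plus an
     * explicit allow-list so only Settings may be instantiated from input.
     */
    public static XStream hardenedParser() {
        XStream xs = new XStream(new StaxDriver());
        xs.alias("settings", Settings.class);
        xs.allowTypes(new Class[] { Settings.class });
        return xs;
    }

    /**
     * Entry point for untrusted input: reject oversized payloads before any
     * parsing, then deserialize with the hardened parser and check the root
     * type. A byte ceiling bounds how deeply a document can be nested, which
     * limits recursion-driven stack growth; it complements, and does not
     * replace, upgrading to the release named in the advisory.
     */
    public static Settings parseUntrusted(byte[] payload) {
        if (payload == null || payload.length > MAX_PAYLOAD_BYTES) {
            throw new IllegalArgumentException("payload missing or exceeds size limit");
        }
        InputStream in = new ByteArrayInputStream(payload);
        Object obj = hardenedParser().fromXML(in);
        if (!(obj instanceof Settings)) {
            throw new IllegalArgumentException("unexpected root type");
        }
        return (Settings) obj;
    }

    public static void main(String[] args) {
        // Constructed sample document matching the aliased Settings type.
        String xml = "<settings><name>collector</name><retries>3</retries></settings>";
        Settings s = parseUntrusted(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println(s.name + " retries=" + s.retries);
    }
}
```

For detection in a code base, searching for references to `BinaryStreamDriver` (imports and constructor calls) is a quick way to find the instances that meet the advisory's precondition; each such instance that reads input from outside the trust boundary should be moved to a text driver or upgraded to the fixed XStream release linked above.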

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
The vulnerability in XStream can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of XStream is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding object serialization and deserialization activities, specifically when converting objects to XML, across different geographic regions and sectors.

6. Latest Cyber – Attacks, Incidents, and Breaches

APT73 Ransomware attacked and published the data of PT. Sokka Kreatif Teknologi

  • Threat Actors: APT73 Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Technology
  • Target Geography: Indonesia
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary
Recently, we observed that APT73 Ransomware attacked and published the data of PT. Sokka Kreatif Teknologi (www[.]sokkakreatif[.]com) on its dark web website. PT. Sokka Kreatif Teknologi is a subsidiary of PT. Persada Inti Utama based in Indonesia. This company focuses on Information and Communication Technology (ICT) services, specializing in software engineering and providing IT solutions for businesses. Their offerings include custom ERP (Enterprise Resource Planning) solutions for efficient data management across operations, hospital management systems like Solvus, which handles patient records and financial processes, and MyKlinik, a management tool for clinics and pharmacies. Sokka Kreatif Teknologi also develops solutions tailored to Human Resources with ARYS HRMS, helping companies streamline HR operations, and Hepidesk, a helpdesk system for ISPs to monitor and manage customer interactions. Their mission is to deliver professional services, comprehensive IT products, and innovative solutions that support business growth and operational efficiency. The ransomware attack resulted in a data leak affecting CRM systems, export files, backups, and personal information, with an estimated exposure size of around 10 GB.

Source: Dark Web

Relevancy & Insights:

  • APT73 is a relatively new ransomware group identified in April 2024, reportedly emerging as a spin-off from the notorious LockBit gang. Although it shares some operational traits with LockBit, APT73 has unique characteristics, including a focus on double extortion tactics. This means that in addition to encrypting files, APT73 exfiltrates sensitive data, threatening to release it publicly if their ransom demands are not met. They communicate with victims on platforms such as Telegram, Tox, and Twitter, as well as a data leak site to apply additional pressure through potential reputational damage.
  • APT73 Ransomware group employs various tactics for initial access, including phishing attacks and exploiting known vulnerabilities in software systems. Their operational methods reflect a growing trend among ransomware groups to utilize leaked tools for more effective payload deployment.

ETLM Assessment:
APT73 Ransomware represents a significant addition to the roster of active ransomware groups, leveraging tactics reminiscent of more established players like LockBit while targeting business services across multiple countries. Organizations are advised to implement robust cybersecurity measures, including regular updates and employee training on recognizing phishing attempts, to mitigate risks associated with this emerging threat actor.

7. Data Leaks

National Electricity Company PLN (Perusahaan Listrik Negara) Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary
An extensive dataset from Indonesia’s National Electricity Company, PLN, has reportedly been leaked, encompassing over 44 million records. The exposed data includes sensitive information, such as user IDs, meter numbers, aliases, national ID numbers (KTP), email addresses, phone numbers, taxpayer numbers (NPWP), unit types, energy consumption types, meter kWh numbers, and various location details, such as province codes, district names, and GPS coordinates. This breach has raised significant privacy concerns, particularly regarding the potential misuse of personal and location data of PLN customers. The data breach has been attributed to a threat actor identified as “Cedar”.

Source: Underground forums

Dept of Occupational Safety & Health Malaysia (DOSH) Access Advertised on a Leak Site

  • Attack Type: Access Sale
  • Target Geography: Malaysia
  • Target Industry: Government
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The unauthorized access to the Department of Occupational Safety and Health (DOSH) portal in Malaysia, overseen by the Ministry of Human Resources, is allegedly being offered for sale. This access reportedly includes administrator-level permissions, potentially allowing control over sensitive functions, such as user management, data viewing, and regulatory updates. The DOSH portal plays a critical role in monitoring chemical safety and hazardous materials compliance across Malaysian workplaces, making this breach particularly concerning.

The incident underscores the importance of securing governmental systems that manage essential regulatory functions. Authorities are urged to investigate the breach and enhance cybersecurity measures to prevent unauthorized access. The Ministry of Human Resources has not yet issued an official response to address the alleged incident. The Access Sale has been attributed to a threat actor identified as “Sentap”.

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor “Sentap” has recently surfaced in the cybercrime landscape, attracting significant attention due to its activities. CYFIRMA’s assessment underscores growing concerns about this actor, identifying it as a potential cybersecurity risk. Organizations are advised to enhance their defenses to guard against such emerging threats.

Recommendations: Enhance the cybersecurity posture by:

  • Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

An alleged breach of Bahrain Medical Society’s website (http[:]//bhmedsoc[.]com) has been reported, with the attackers claiming access to 21 databases containing sensitive information. The compromised data includes usernames, passwords, IP addresses, payment IDs, and doctors’ information. The breach actor stated that the attack targeted Bahrain Medical Society due to their perceived support of Israel. This incident raises serious concerns about the security of sensitive medical and personal information held by professional organizations.

Source: Underground forums

A recent post claims to have access to a vast database containing information on 100 million users of Zalo (http[:]//Zalo[.]vn), a popular Vietnamese social media platform. The hacker has shared a demo sample and mentioned that they are in the process of updating additional data columns to complete the database. The data breach has been attributed to a threat actor identified as “Binanhang123”.

Source: Underground forums

ETLM Assessment
Threat actor “Binanhang123” represents a significant threat in the cybersecurity landscape due to its sophisticated techniques and focus on critical infrastructure sectors. Organizations are urged to implement robust cybersecurity measures, including regular updates to systems, employee training on phishing awareness, and comprehensive incident response plans to mitigate risks associated with this threat actor group.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.