
Weekly Intelligence Report – 16 Aug 2024

Published On : 2024-08-16

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums, covering multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found OceanSpy ransomware while monitoring various underground forums as part of our Threat Discovery Process.

OceanSpy
Researchers uncovered a new ransomware dubbed OceanSpy, a variant built on the Chaos ransomware builder, designed to encrypt files and append a random four-character extension to their filenames. Additionally, OceanSpy modifies the desktop wallpaper and generates a ransom note titled “OceanCorp.txt.”

The threat actors behind OceanSpy ransomware identify themselves as OceanCorp and have been active since at least April 2024. They initially focused on data dumps, demanding payment from victim companies alongside the advisories they issued; possibly finding this approach unprofitable, they appear to have shifted to ransomware.

Monitoring by CYFIRMA researchers of the Telegram channel provided in the ransom note indicates that OceanCorp has now announced its entry into the ransomware landscape with the launch of OceanSpy ransomware.

Screenshots of the OceanCorp Telegram channel announcing OceanSpy (Source: Telegram)

Screenshot of files encrypted by this ransomware (Source: Surfaceweb)

The ransom note informs victims that their files have been encrypted and cannot be restored without the attackers’ assistance. It instructs victims to purchase a decryption key for 0.015 BTC using the provided cryptocurrency wallet. After making the payment, victims are required to contact the attackers via Telegram and provide the transaction ID to receive the decryption key. The note also offers victims the option to send one file for free decryption before payment, demonstrating the attackers’ ability to decrypt the files.

Screenshot of OceanSpy’s text file (“OceanCorp.txt”) (Source: Surfaceweb)

Screenshot of OceanSpy’s desktop wallpaper (Source: Surfaceweb)

Following are the TTPs based on the MITRE ATT&CK framework.

Sr. No. / Tactic / Techniques and Sub-techniques

1. TA0002: Execution
   T1053: Scheduled Task/Job
   T1059: Command and Scripting Interpreter
   T1106: Native API

2. TA0003: Persistence
   T1053: Scheduled Task/Job
   T1543.003: Create or Modify System Process: Windows Service
   T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
   T1574.002: Hijack Execution Flow: DLL Side-Loading

3. TA0004: Privilege Escalation
   T1053: Scheduled Task/Job
   T1543.003: Create or Modify System Process: Windows Service
   T1548: Abuse Elevation Control Mechanism
   T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
   T1574.002: Hijack Execution Flow: DLL Side-Loading

4. TA0005: Defense Evasion
   T1027: Obfuscated Files or Information
   T1036: Masquerading
   T1070.004: Indicator Removal: File Deletion
   T1112: Modify Registry
   T1140: Deobfuscate/Decode Files or Information
   T1202: Indirect Command Execution
   T1222: File and Directory Permissions Modification
   T1497: Virtualization/Sandbox Evasion
   T1548: Abuse Elevation Control Mechanism
   T1562.001: Impair Defenses: Disable or Modify Tools
   T1564.003: Hide Artifacts: Hidden Window
   T1574.002: Hijack Execution Flow: DLL Side-Loading

5. TA0006: Credential Access
   T1003: OS Credential Dumping
   T1552.001: Unsecured Credentials: Credentials In Files
   T1555.003: Credentials from Password Stores: Credentials from Web Browsers

6. TA0007: Discovery
   T1010: Application Window Discovery
   T1012: Query Registry
   T1033: System Owner/User Discovery
   T1057: Process Discovery
   T1082: System Information Discovery
   T1083: File and Directory Discovery
   T1087: Account Discovery
   T1497: Virtualization/Sandbox Evasion
   T1518.001: Software Discovery: Security Software Discovery

7. TA0009: Collection
   T1005: Data from Local System
   T1114: Email Collection
   T1115: Clipboard Data

8. TA0011: Command and Control
   T1071: Application Layer Protocol

9. TA0040: Impact
   T1485: Data Destruction
   T1486: Data Encrypted for Impact
   T1489: Service Stop

Relevancy and Insights:

  • Targeting widely used Windows operating systems, this ransomware poses a significant threat to diverse industries and organizations.
  • The ransomware checks whether it is running under a debugger. Debuggers are what analysts use to step through and troubleshoot code, so this anti-debugging check helps the ransomware evade analysis and sandbox-based detection.
  • The ransomware makes calls to the Windows Management Instrumentation (WMI) framework. WMI is a legitimate tool used by many applications and services, but malware abuses it to execute commands, collect system information, or perform system modifications.
  • The ransomware attempts to delete Volume Shadow Copies (VSS), a deliberate effort to hinder data recovery options for victims.
  • The ransomware writes to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate how a target image is executed. A Debugger value under this key causes Windows to launch the specified program whenever the named image is started, which gives the ransomware persistence, lets it run silently alongside or instead of the legitimate program, and helps it maintain control over compromised systems while evading detection.

ETLM Assessment:
Based on the available data, CYFIRMA assesses that OceanSpy ransomware is likely to target a broad spectrum of industries, including healthcare, business services, construction, telecommunications, finance, banking, and manufacturing, to maximize ransom revenue. The threat actors have previously targeted various regions and sectors without using ransomware, indicating a strong possibility they may now expand their tactics to include ransomware attacks. OceanSpy ransomware is expected to target regions such as the US, Russia, Southeast Asia, Mexico and other economically developed nations, aiming to exploit these markets for financial gain.

SIGMA Rule:
title: Delete shadow copy via WMIC
threatname:
behaviorgroup: 18
classification: 0
mitreattack:
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine:
      - '*wmic*shadowcopy delete*'
  condition: selection
level: critical

(Source: SurfaceWeb)
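The Sigma rule above and the Image File Execution Options insight in the Relevancy section both reduce to string checks over Windows telemetry. The following is an added example, not part of the original report and not any vendor's tooling: a small Python detector that runs the rule's wildcard pattern over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set), flags a Debugger value written under Image File Execution Options, and also catches two equivalent shadow-copy deletion commands the published rule does not cover. The event records, hostnames and paths are invented sample data; the extra vssadmin and PowerShell patterns are this example's additions, not part of the published rule.

```python
import fnmatch
from typing import Optional

# Wildcard patterns in Sigma style. Sigma string matching is case-insensitive,
# so both sides are lower-cased before fnmatch. The first pattern is the one
# from the Sigma rule above; the other two are equivalents added in this example.
SHADOWCOPY_RULES = {
    "Delete shadow copy via WMIC": "*wmic*shadowcopy delete*",
    "Delete shadow copy via vssadmin (added)": "*vssadmin*delete shadows*",
    "Delete shadow copy via PowerShell WMI (added)": "*win32_shadowcopy*remove-wmiobject*",
}

# Sysmon writes the HKLM hive as "HKLM\..." in TargetObject.
IFEO_PREFIX = "hklm\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def sigma_match(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, as Sigma wildcards behave."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def check_process_creation(event: dict) -> list:
    """Return the names of shadow-copy rules matched by one Sysmon EID 1 event."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in SHADOWCOPY_RULES.items() if sigma_match(cmd, pat)]


def check_registry_set(event: dict) -> Optional[dict]:
    """Flag a Sysmon EID 13 event that sets an IFEO 'Debugger' value.

    Returns {"image": <hijacked exe>, "debugger": <value written>} or None.
    """
    target = event.get("TargetObject", "").lower()
    if not target.startswith(IFEO_PREFIX) or not target.endswith("\\debugger"):
        return None
    # Key path is ...\Image File Execution Options\<image>\Debugger
    image = target[len(IFEO_PREFIX):].split("\\")[0]
    return {"image": image, "debugger": event.get("Details", "")}


def scan(events: list) -> list:
    """Run both checks over Sysmon-style events and return a list of alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            for rule in check_process_creation(ev):
                alerts.append({"rule": rule, "host": ev.get("Computer"),
                               "detail": ev.get("CommandLine")})
        elif ev.get("EventID") == 13:
            hit = check_registry_set(ev)
            if hit:
                alerts.append({"rule": "IFEO Debugger persistence", "host": ev.get("Computer"),
                               "detail": f"{hit['image']} -> {hit['debugger']}"})
    return alerts


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Computer": "ws02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version"},
    {"EventID": 1, "Computer": "ws03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger",
     "Details": "C:\\Users\\Public\\update.exe"},
    {"EventID": 13, "Computer": "ws02",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\chrome.exe\\DisableExceptionChainValidation",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Note what the published rule alone misses: the vssadmin and PowerShell Win32_ShadowCopy commands produce no match on the first pattern, so anyone deploying the rule as-is should pair it with coverage for those variants. The benign IFEO value (DisableExceptionChainValidation) is deliberately included to show that only the Debugger value name, not any write under the key, is treated as persistence.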

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Enforce strong authentication, encryption, and access-control configurations for critical systems in both cloud and on-premises environments.
  • Maintain backups of critical systems that are kept offline or otherwise isolated from the network, since this ransomware deletes Volume Shadow Copies to prevent local recovery; verify that the backups can be restored when needed.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed that considers (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; and (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Spyware
Objective: Data theft, Data exfiltration
Target Technology: Android OS
Target Geography: Russia

Active Malware of the Week
This week “LianSpy” is trending.

LianSpy
Researchers have uncovered a previously unknown Android spyware named LianSpy, which has been active since July 2021 and primarily targets individuals in Russia. The malware captures screen recordings, extracts user files, and collects call logs and app lists. The attackers behind LianSpy use several evasive techniques to avoid detection, including the Russian cloud service Yandex Disk for command-and-control communications, and they avoid maintaining dedicated infrastructure while implementing additional stealth features. The evidence suggests that LianSpy may be distributed via an unidentified vulnerability or through direct physical access to the victim’s phone.

Technical Analysis
LianSpy starts by checking if it operates as a system app, which gives it automatic permissions. If it is not a system app, it requests various permissions, including for screen overlays, notifications, background activity, contacts, and call logs. After getting these permissions, it makes sure it’s not running in a debugging environment. If the environment is clean, LianSpy sets itself up with default values. It saves this setup locally using SharedPreferences, which keeps the configuration intact even after the device reboots. The spyware uses integer keys in SharedPreferences to link with specific settings.

Fig: Detailed list of configuration parameters

After activation, the spyware hides its icon and registers a broadcast receiver for system intents. This receiver initiates the malicious activities: screen capture through the media projection API, taking screenshots as root, exfiltrating data, and updating the configuration. LianSpy updates its configuration by checking every 30 seconds for a file on the threat actor’s Yandex Disk whose name matches the regular expression ^frame_.+\.png$ (a PNG whose name starts with frame_). If found, the file is downloaded and decrypted with a hardcoded AES key; the decrypted data contains configuration updates. Victim data, stored encrypted in the SQL table Con001, includes device information, contact lists, and call logs, each accompanied by a SHA-256 hash. The data is encrypted with an AES key generated by a cryptographically secure random number generator, and that AES key is in turn encrypted with a hardcoded RSA public key embedded in the spyware. Only the threat actor holding the corresponding private RSA key can decrypt the stolen data.

Stealth features
LianSpy employs unconventional and sophisticated evasion techniques to remain undetected.

  • Masquerading as Legitimate Apps: LianSpy disguises itself as the Alipay app or a system service to blend in with legitimate applications.
  • Bypassing Privacy Indicators: It avoids detection of sensitive data access on Android 12 by modifying the icon_blacklist setting to prevent status bar icons from appearing.
  • Hiding Notifications: Utilizes NotificationListenerService to suppress notifications from background services it interacts with.
  • Stealthy Screenshots: Takes screenshots using the screencap command with root permissions, leaving no trace of the capture.
  • Using Legitimate Services: Extensively employs cloud and pastebin services to make malicious web activity less detectable.
  • Robust Encryption: LianSpy encrypts exfiltrated data with a strong encryption scheme, making it impossible to identify victims even if the Yandex Disk credentials are recovered during APK analysis.
  • Root Access Evasion: LianSpy uses a renamed su binary to gain root access. The analyzed samples search for a binary named mu in the standard su directories, suggesting an effort to evade root detection. The reliance on a modified binary for acquiring superuser rights indicates that the spyware was likely introduced through an undisclosed exploit or direct physical access to the device.

Infrastructure
LianSpy operates without private infrastructure, using Yandex Disk for both data exfiltration and configuration storage. Victim data is uploaded to a dedicated Yandex Disk folder.

Communication with its command-and-control (C2) server is unidirectional, with no incoming commands; LianSpy autonomously handles updates and data exfiltration. Yandex Disk credentials can be updated via a hardcoded pastebin URL, which may differ among malware variants.
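LianSpy’s configuration fetch polls Yandex Disk every 30 seconds and never receives inbound commands, which is exactly the fixed-interval, client-initiated traffic pattern that beacon detection looks for in egress logs. As an added example (not from the original report and not the malware’s code), the Python below groups constructed proxy log lines by source address and destination host and flags pairs whose request intervals are both frequent and nearly constant. The log format, the client IPs and the cloud-api.yandex.net hostname are assumptions made for the sample data, and the thresholds are starting points rather than tuned values.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log layout: "<ISO timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^https?://([^/]+)")


def parse_line(line: str):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, url, _status = m.groups()
    host = HOST_RE.match(url)
    if not host:
        return None
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host.group(1)}


def find_periodic_polling(lines, min_requests: int = 5, max_cv: float = 0.1) -> dict:
    """Return (src, host) pairs whose inter-request gaps are nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps; a low cv
    means the client is talking to the host on a timer rather than on demand.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            stamps_by_pair[(ev["src"], ev["host"])].append(ev["ts"])

    hits = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[pair] = {"requests": len(stamps),
                          "mean_interval_s": round(mean, 1),
                          "cv": round(cv, 3)}
    return hits


# Constructed sample log (invented). 10.0.0.5 polls the Yandex Disk API every
# ~30 s; 10.0.0.7 touches it only a few times; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """
2024-08-10T10:00:00 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:00:30 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:00:59 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:01:30 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:02:00 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:02:31 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:03:00 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:03:30 10.0.0.5 GET https://cloud-api.yandex.net/v1/disk/resources?path=app 200
2024-08-10T10:00:05 10.0.0.7 GET https://cloud-api.yandex.net/v1/disk/ 200
2024-08-10T10:04:10 10.0.0.7 GET https://cloud-api.yandex.net/v1/disk/ 200
2024-08-10T10:15:00 10.0.0.7 GET https://cloud-api.yandex.net/v1/disk/ 200
2024-08-10T10:00:00 10.0.0.9 GET https://www.example.com/ 200
2024-08-10T10:00:07 10.0.0.9 GET https://www.example.com/news 200
2024-08-10T10:00:09 10.0.0.9 GET https://www.example.com/css/site.css 200
2024-08-10T10:00:45 10.0.0.9 GET https://www.example.com/article/1 200
2024-08-10T10:02:45 10.0.0.9 GET https://www.example.com/article/2 200
2024-08-10T10:02:48 10.0.0.9 GET https://www.example.com/img/a.png 200
""".strip().splitlines()

if __name__ == "__main__":
    for (src, host), info in find_periodic_polling(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info}")
```

A regular 30-second cadence to a cloud-storage API is a triage signal, not a verdict: mail sync and legitimate backup clients poll on timers too, so the hit should be pivoted to the owning app or process on the device before it is treated as LianSpy-style activity.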

INSIGHTS
LianSpy demonstrates advanced capabilities beyond typical espionage activities, such as collecting call logs and app lists. It employs root privileges for stealthy screen recording and sophisticated evasion techniques. The use of a renamed su binary implies that LianSpy may be a secondary infection after an initial breach. Unlike financially driven spyware, LianSpy’s emphasis on capturing instant message content indicates a highly targeted data-gathering effort.

  • The threat actor behind this novel Android malware complicates attribution by exclusively using legitimate platforms such as Yandex Disk and pastebin services for data exfiltration and command-and-control communication. This malware shows no overlap with current campaigns targeting Russian users, necessitating ongoing vigilance and monitoring for related activities.
  • LianSpy utilizes sophisticated evasion techniques to evade detection, including hiding its icon and suppressing notifications. By altering Android system settings and leveraging root privileges, it operates discreetly, presenting challenges for traditional security measures. Its ability to bypass Android 12’s privacy indicators, which are designed to alert users to sensitive data access, underscores the malware’s advanced evasion tactics and its effectiveness in circumventing built-in security protections.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as smartphones become nearly ubiquitous worldwide, including in rapidly digitizing regions like Asia, the potential for sophisticated Android malware like LianSpy to target a broad geographic range grows. Android is the leading mobile operating system globally, and its usage continues to rise year-over-year. LianSpy’s advanced evasion techniques, which currently focus on specific areas, could soon reach a global audience, impacting organizations and employees across various regions. This shift highlights the urgent need for enhanced cybersecurity measures and employee training to counteract the evolving threat and safeguard sensitive information in an increasingly interconnected world.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Everest Ransomware, RansomHub Ransomware | Malware – LianSpy
  • Everest Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following: Malware – LianSpy
  • Behaviour – Most of this malware uses phishing and social engineering techniques as its initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Exploring Earth Baku’s Latest Cyber Campaign

  • Threat actor: Earth Baku (linked to APT41)
  • Initial Attack Vector: Exploit Public-Facing Application – IIS Server
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Europe (including Italy and Germany), the Middle East, and Africa.
  • Target industries: Government, Media and Communications, Telecom, Healthcare, Technology, and Education.
  • Business impact: Loss of Intellectual Property, Operational Disruption.

Summary:
Earth Baku, a sophisticated threat actor linked to APT41, has recently broadened its operations from its traditional Indo-Pacific base to target countries across Europe, the Middle East, and Africa. This expansion includes high-profile targets such as Italy, Germany, the UAE, and Qatar, with potential activities also noted in Georgia and Romania. The group leverages vulnerabilities in public-facing applications, like IIS servers, to gain initial access, deploying a range of advanced malware tools in the process. Their arsenal includes the Godzilla webshell and custom-developed tools, such as StealthVector and StealthReacher, which are designed to deploy backdoor components, while using AES encryption and code obfuscation to remain undetected. Their newest backdoor, SneakCross, is particularly notable for its use of Google services for command and control, allowing for modular updates and enhanced stealth. Once inside a network, Earth Baku maintains a foothold with tools like a customized iox tool, Rakshasa, and Tailscale, while utilizing MEGAcmd for data exfiltration. This evolving and global reach underscores the increasing sophistication and impact of their cyber operations, highlighting the need for enhanced security measures and vigilance.

Relevancy & Insights:
Earth Baku, an advanced persistent threat (APT) group, has historically focused on organizations in the Indo-Pacific region. It employs tactics such as spear-phishing emails with malicious attachments or links to infiltrate high-value targets, including government agencies and critical infrastructure. In the observed campaign, Earth Baku instead exploited vulnerabilities in public-facing IIS servers for initial access. Once inside a network, the group deploys custom-built malware, such as remote access trojans (RATs), to maintain long-term access, escalate privileges, and move laterally across systems. Its primary objective is to exfiltrate sensitive data, which it does through encrypted channels to avoid detection.

ETLM Assessment:
Earth Baku’s latest campaign reveals several critical aspects for evaluation. The group’s shift to targeting a broader range of regions, including Europe, the Middle East, and Africa, indicates a strategic escalation and diversification of their threat landscape. The advanced tools and techniques used, such as StealthVector, StealthReacher, and SneakCross, highlight the sophistication and adaptability of their malware, emphasizing the need for advanced detection and response capabilities. The use of AES encryption, code obfuscation, and legitimate services for command-and-control communications complicates traditional threat detection methods, suggesting a need for more nuanced and adaptive security measures. Additionally, their persistence mechanisms and data exfiltration tactics underline the importance of continuous monitoring and adaptive security practices.

Recommendations:
To effectively defend against cyberespionage and minimize the risk of compromise, individuals and organizations should follow these best practices:

  • Principle of Least Privilege: Limit access to sensitive data by assigning the minimum permissions necessary for users to perform their roles. This approach makes it harder for attackers to navigate and exploit the network if they gain access.
  • Addressing Security Gaps: Keep systems and applications up-to-date with regular updates and rigorous patch management. For legacy systems where patches might not be available, virtual patching can help close security gaps.
  • Proactive Incident Response: Develop a robust incident response strategy to quickly identify and address threats. Conduct regular security drills to ensure your team is prepared to respond effectively in case of a breach.
  • 3-2-1 Backup Rule: Keep at least three copies of your data on two different types of media, with one copy stored off-site and disconnected from the network. Regularly test these backups to confirm they can actually be restored when needed.

By implementing these practices, you can strengthen your defenses against cyber threats and better protect your valuable data.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Iran interfering in US elections
Researchers have recently published a report on Iranian cyber operations focused on the US 2024 elections. According to the report, Mint Sandstorm, a threat actor attributed to the Islamic Revolutionary Guard Corps (IRGC) sent a spear-phishing email to a high-ranking official of a presidential campaign from a compromised email account of a former senior advisor. The same group also unsuccessfully attempted to log in to an account belonging to a former presidential candidate. Additionally, Peach Sandstorm, another group tied to the IRGC, compromised a low-level user account at a county government in a swing state.

The Revolutionary Guards are also running an influence operation comprising four websites masquerading as news outlets, actively engaging US voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the US presidential candidates, LGBTQ rights, and the Israel-Hamas conflict. The threat actor uses generative AI tools to assist in this operation.

Meanwhile, the Trump campaign disclosed that some of its internal communications had been hacked by “foreign sources hostile to the United States”, and the said internal data were shared with the center-left news website POLITICO, which says it received the hacked information from an anonymous AOL email address. In the past, old anonymous AOL addresses were mostly used by Russian actors.

ETLM Assessment:
In 2018, during his previous term in office, Trump unilaterally abandoned the 2015 nuclear accord that Tehran had signed with world powers and imposed waves of sanctions on the Islamic Republic, putting its economy under severe pressure. Iran’s long-term strategy is to manoeuvre the US out of the Middle East, where Tehran intends to play the role of a dominant power. Looking forward, we can thus expect Iranian actors to employ all forms of statecraft, including cyberattacks against American institutions, while simultaneously intensifying their efforts to sow internal divisions on US soil, driving the attention of both the electorate and politicians inward. These campaigns are likely to be centered around amplifying existing divisive issues within the US, such as racial tensions, economic disparities, and gender-related issues.

North Korean hackers targeting universities in South Korea
Researchers have recently issued a warning about the North Korean threat actor Kimsuky, which is conducting phishing attacks against South Korean universities. The group is targeting university staff, researchers, and professors by creating fake university login pages to steal credentials. Additionally, Kimsuky uses a specialized tool to send spear phishing emails from compromised accounts. The likely objective of these attacks is cyber espionage.

ETLM Assessment:
North Korean cyber operations have increased in sophistication over the past two years, and our researchers noted last year in a research report that Pyongyang’s threat actors seem particularly interested in stealing information related to maritime and missile technology research, given the emphasis the Kim regime puts onto developing a full nuclear triad. The interest in software is most likely related to Pyongyang’s interest in supply chain attacks. The heavily sanctioned regime in North Korea is hungry for the off-limits technologies it cannot obtain on the open market and thus uses cyber means to obtain them.

4. Rise in Malware/Ransomware and Phishing

The Everest Ransomware impacts the NIDEC CORPORATION

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Ransomware: Everest Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; NIDEC CORPORATION (www[.]nidec[.]com), was compromised by the Everest International Ransomware. Nidec Corporation is a prominent global manufacturer specializing in electric motors and related components. Nidec has grown to become the world’s leading comprehensive motor manufacturer, providing motors for a wide range of applications, including automotive, industrial, and consumer products. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes a vast collection of sensitive and confidential records, extracted from the organization’s database.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Data Sale on Dark Web: The group has begun selling stolen data on dark web platforms, including sensitive information from aerospace companies linked to NASA. They have reportedly listed this data for $30,000, indicating a shift towards monetizing their operations through data sales rather than solely relying on ransom payments.
  • The Everest Ransomware group primarily targets countries, such as the United States of America, Italy, Sweden, Japan, and Canada.
  • The Everest Ransomware group primarily targets industries, including Healthcare, Legal Services, Accounting, Financial Services, and Industrial Machinery.
  • Based on the Everest International Ransomware victims list from 1 Jan 2023 to 13 August 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Everest International Ransomware from 1 Jan 2023 to 13 August 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Everest Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on NIDEC CORPORATION, a prominent Manufacturing company in Japan, highlights the extensive threat posed by this ransomware strain in the Asia Pacific region.

The RansomHub Ransomware impacts JG Summit Holdings

  • Attack Type: Ransomware
  • Target Industry: Conglomerate – Banking and investments, Transportation, Real estate, Manufacturing, Publishing, Telecommunications, and Power generation
  • Target Geography: Philippines
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the Philippines; JG Summit Holdings (www[.]jgsummit[.]com[.]ph), was compromised by the RansomHub Ransomware. JG Summit Holdings, Inc. is one of the largest conglomerates in the Philippines with business interests in air transportation, banking, food manufacturing, hotels, petrochemicals, power generation, publishing, real estate and property development, and telecommunications. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 300GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • RansomHub has quickly become one of the most prominent ransomware groups, surpassing LockBit3 to take the top spot in June 2024, responsible for 21% of published ransomware attacks.
  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub has recently been reported to target VMware ESXi environments, using a newly developed Linux encryptor. This encryptor is capable of shutting down virtual machines and removing snapshots before encryption. It employs advanced encryption methods, such as ChaCha20 and Curve25519, to secure the compromised data.
  • The RansomHub Ransomware group primarily targets countries, such as the United States of America, the United Kingdom, Italy, Brazil, and Spain.
  • The RansomHub Ransomware group primarily targets industries, such as Computer Services, Government Agencies, Telecommunications, Financial Services, and Business Support Services.
  • Based on the RansomHub Ransomware victims list from 1 Jan 2023 to 13 August 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the RansomHub Ransomware from 1st Jan 2023 to 13 August 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on JG Summit Holdings, from the Philippines, highlighting RansomHub’s significant threat presence in the Southeast Asia region.

5. Vulnerabilities and Exploits

Vulnerability in PostgreSQL

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server applications / Database software
  • Vulnerability: CVE-2024-7348 (CVSS Base Score 7.5)
  • Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition
  • Patch: Available

Summary:
The vulnerability allows a remote, authenticated database user to execute arbitrary SQL as the role running pg_dump, escalating privileges within the database.

Relevancy & Insights:
The vulnerability is a time-of-check/time-of-use race in pg_dump: pg_dump inspects an object's relation kind and acts on it later, and a concurrent session controlled by the attacker can replace that object with a view or foreign table in between, so that pg_dump ends up running attacker-supplied SQL. Winning the race is easy for an attacker who can hold a transaction open while waiting for a dump to start.

Impact:
A remote user with privileges to create and drop non-temporary objects can execute arbitrary SQL commands with the privileges of the role running pg_dump (which is often a superuser).

Affected Products: https[:]//www[.]postgresql[.]org/support/security/CVE-2024-7348/

Recommendations:

  • Patch: upgrade to PostgreSQL 16.4, 15.8, 14.13, 13.16 or 12.20 (or later). The fix is in the pg_dump client, so the PostgreSQL packages on every backup host must be updated, not only the server. PostgreSQL 11 and earlier are end-of-life and receive no fix.
  • Least privilege: do not run scheduled backups as a superuser. Use a dedicated backup role, and restrict CREATE on schemas so that untrusted users cannot create or drop non-temporary objects in databases that are dumped.
  • Monitoring and Detection: log DDL (log_statement = 'ddl') and alert on DROP or CREATE VIEW / CREATE FOREIGN TABLE statements issued by other roles while a pg_dump session is connected, which is the footprint of an attempt to win the race. Also inventory where pg_dump runs and under which role, since those are the accounts an attacker would inherit.
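The following script is an added example, not part of the CYFIRMA report or of the PostgreSQL project. It implements two of the checks above offline: classifying a version string (from SELECT version() or pg_dump --version) against the fixed minor releases, and scanning server logs for DDL issued by other roles while a pg_dump session is connected. The log layout is an assumption: log_line_prefix is taken to be '%m [%p] %u@%d app=%a ', with log_connections, log_disconnections and log_statement = 'ddl' enabled; pg_dump's default application_name of "pg_dump" is real. The log lines, role names and the function public.run_as_dumper() are constructed for the example.

```python
"""Added example: offline checks for CVE-2024-7348 (pg_dump TOCTOU race).

Not from the CYFIRMA report or the PostgreSQL project. Assumes:
  - log_line_prefix = '%m [%p] %u@%d app=%a ' (pid, user, database and
    application_name on every line), log_connections/log_disconnections = on,
    and log_statement = 'ddl'.
  - pg_dump connects with application_name 'pg_dump' (its default).
"""
import re

# First minor release in each supported major line that carries the fix
# (PostgreSQL minor releases of 8 August 2024). Older majors are end-of-life.
FIXED_MINOR = {16: 4, 15: 8, 14: 13, 13: 16, 12: 20}

# Matches "PostgreSQL 16.3 (Debian ...)" from SELECT version() and
# "pg_dump (PostgreSQL) 16.3" from pg_dump --version.
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)(?:\.(\d+))?")


def is_patched(version_string: str) -> bool:
    """True when the version string is at or past the fixed minor release.

    Majors older than 12 never receive a fix; majors newer than 16 were
    released after the fix and are treated as patched.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    if major < 12:
        return False
    if major > 16:
        return True
    return minor >= FIXED_MINOR[major]


# One server log line under the assumed log_line_prefix.
_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"app=(?P<app>\S+) LOG:\s+(?P<msg>.*)$"
)
# DDL that can swap an already-catalogued relation for a view/foreign table.
_SWAP_DDL_RE = re.compile(
    r"^statement:\s+(?:DROP\s+\w+|CREATE\s+(?:OR\s+REPLACE\s+)?"
    r"(?:VIEW|FOREIGN\s+TABLE))\b",
    re.IGNORECASE,
)


def suspicious_ddl_during_dump(log_lines):
    """Return DDL statements issued by non-pg_dump sessions while a pg_dump
    session is connected to the same database.

    This is the footprint of an attempt to win the race: the attacker must
    drop and recreate an object between pg_dump's catalogue pass and its
    definition pass.
    """
    active_dumps = {}  # pid -> database of a currently connected pg_dump
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format (e.g. a continuation)
        pid, user, db, app, msg = (m[k] for k in ("pid", "user", "db", "app", "msg"))
        if app == "pg_dump":
            if msg.startswith("connection authorized"):
                active_dumps[pid] = db
            elif msg.startswith("disconnection"):
                active_dumps.pop(pid, None)
            continue
        if _SWAP_DDL_RE.match(msg) and db in active_dumps.values():
            findings.append({
                "time": m["ts"], "pid": pid, "user": user, "database": db,
                "statement": msg.split(":", 1)[1].strip(),
            })
    return findings


# Constructed sample log: a dump by role 'backup' runs 02:00:01-02:05:40;
# role 'bob' swaps a table for a view during it, and creates an unrelated
# view hours later (benign, must not be flagged).
SAMPLE_LOG = [
    "2024-08-14 02:00:01.120 UTC [4101] backup@prod app=pg_dump LOG:  connection authorized: user=backup database=prod",
    "2024-08-14 02:00:03.540 UTC [4102] bob@prod app=psql LOG:  statement: DROP TABLE public.orders_archive",
    "2024-08-14 02:00:03.552 UTC [4102] bob@prod app=psql LOG:  statement: CREATE VIEW public.orders_archive AS SELECT * FROM public.run_as_dumper()",
    "2024-08-14 02:05:40.001 UTC [4101] backup@prod app=pg_dump LOG:  disconnection: session time: 0:05:38.881 user=backup database=prod host=[local]",
    "2024-08-14 09:12:00.000 UTC [5200] bob@prod app=psql LOG:  statement: CREATE VIEW public.reporting AS SELECT 1",
]

if __name__ == "__main__":
    for v in ("PostgreSQL 16.3 on x86_64-pc-linux-gnu", "pg_dump (PostgreSQL) 16.4"):
        print(f"{v!r}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for f in suspicious_ddl_during_dump(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} {f['user']}@{f['database']}: {f['statement']}")
```

The version check must be run against the pg_dump binary on each backup host as well as against the server, because the fix lives in the client. The log scan deliberately ignores what the attacker's DDL is called and keys only on the combination of a swap-capable statement, a different application_name, and an open pg_dump session in the same database; on a busy cluster it is a starting point for an alert rule, not a verdict.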

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
The pg_dump flaw matters wherever PostgreSQL underpins business data, which spans technology, finance, healthcare and most other sectors globally. Because the race elevates any user who can create objects to the privileges of the backup role, typically a superuser, a single low-privileged account or a compromised application credential can turn into a full database compromise on the next scheduled backup. Patching the pg_dump client and the server promptly, and running backups under a least-privilege role, are essential to safeguard relational data across geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

RansomEXX Ransomware attacked and Published data of Brontoo Technology Solutions

  • Threat Actors: RansomEXX Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: India
  • Target Industry: Finance, Technology
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that RansomEXX Ransomware attacked and published data of Brontoo Technology Solutions (www[.]brontoo[.]com) on its dark web website. OstaApp, developed by Brontoo Technology Solutions India Private Limited, is a digital payment platform that offers a secure, fast, and convenient way to make transactions without relying on traditional cards, wallets, or point-of-sale (POS) systems. The platform generates a unique, one-time-use digital number or QR code, which users can utilize for payments at registered merchants, partner ATMs, and more. The ransomware attack resulted in a data leak that exposed a database containing information on 146,123 users.

Source: Dark Web

Relevancy & Insights:

  • RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this ransomware family, and they are known for their limited and exclusive targeting.
  • RansomEXX Ransomware group primarily targets industries, such as Recreational Services, Heavy Construction, Software, Accounting, and Telecommunications.

ETLM Assessment:
RansomEXX ransomware is known to target large enterprises and high-value targets. They have also been known to focus on the government, Information Technology, and healthcare sectors, as well as high-value manufacturing entities. RansomEXX ransomware targets its victims through phishing and spear-phishing emails. They are also known to leverage exposed and vulnerable applications and services, such as remote desktop protocol (RDP), and post-exploitation tooling (e.g., Vatet Loader, Metasploit, Cobalt Strike). Based on CYFIRMA's assessment, RansomEXX ransomware targets organizations worldwide. The attack on Brontoo Technology Solutions also highlights ransomware groups' interest in financially strong Asian organizations with exploitable vulnerabilities.

7. Data Leaks

People’s Representative Council of the Republic of Indonesia (DPR RI) Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to the People’s Representative Council of the Republic of Indonesia (DPR RI) in an underground forum. The People’s Representative Council of the Republic of Indonesia (DPR RI), generally referred to as the People’s Representative Council (DPR), is one of the high state institutions in the Indonesian constitutional system, which is a legislative institution. The compromised document is confidential and includes the personal information of DPR members.

Source: Underground Forums

CV. TWIN GROUP data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Indonesia
  • Target Industry: Information Technology
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to CV. TWIN GROUP (www[.]twincom[.]co[.]id) in an underground forum. CV. TWIN GROUP (Twincom) is based in Indonesia, specializing in the sale and servicing of computer hardware and accessories. They operate five branches across the region, including locations in Banjarmasin and Banjarbaru. Twincom offers a wide range of products, such as laptops, motherboards, RAM, and printers, along with repair services. The compromised data contains Customer ID, Name, Contact Information, Business Phone Number, Mobile Number, Email, Fax, Website, Primary Currency Notes, Billing Address, Shipping Address, City, Province, Country, Postal Code, Branch Used, Pricing and Discount Categories, Payment Terms, Consignment, Accounts Receivable, Down Payment Account, Default Invoice Status (Tax Included), Taxpayer ID (NPWP), Personal ID (NIK), Transaction and Document Types. The data breach has been attributed to a threat actor identified as "Sedapmalam".

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as “Sedapmalam” poses a significant risk to organizations, as it is known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by “Sedapmalam” typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Update all software products to their latest versions to mitigate the risk of known vulnerabilities being exploited.
  • Harden database configuration (no default credentials, no unauthenticated or internet-exposed instances, least-privilege roles, and logging enabled) to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a potential data leak related to the Manila Health Department, Philippines. A threat actor claims to have leaked a database from the Manila Health Department, containing sensitive patient and employee records. The compromised data reportedly includes usernames, names, dates of birth, appointment details, and 19,000 unique email addresses.

According to the threat actor, the breach occurred in July 2024 and was initially brought to attention by a group called "The Nexus Squad." The stolen data was subsequently listed for sale on a prominent hacking forum. In addition to the personal information, the breach also exposed passwords as MD5 hashes. MD5 is a fast general-purpose hash rather than a password hash, so weak or reused passwords can be recovered from the leaked hashes offline at high speed; any affected credentials reused on other services should be treated as compromised.

The exposed database includes detailed patient records with fields such as ID, username, password, role, first and last names, health center affiliations, email addresses, dates of birth, and more. The breach represents a significant compromise of the Manila Health Department’s services, raising serious concerns about the protection of sensitive health information in the region.

Source: Underground forums

The CYFIRMA Research team observed a potential data leak related to Mykukun. A threat actor known as "IntelBroker" has claimed responsibility for a significant data breach involving Mykukun, a company that collaborates with major banks and financial institutions, such as NYK, SOFI, and USBank. The breach, reportedly executed in August 2024, predominantly affects USBank members.

The compromised data includes User IDs, usernames, source User IDs, user emails, first and last names, screen names, addresses, zip codes, profile images, avatars, phone numbers (including mobile), additional information, activation keys, user status, phone validation status, registration and verification dates, application details, account activity status, and metadata related to the creation and updates. Approximately 2.7 million lines of user data were exposed.

Source: Underground forums

ETLM Assessment:
The "IntelBroker" threat actor has become highly active in underground forums and has emerged as a formidable force in financially motivated cybercrime. The threat actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating an intention to expand its attack surface to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, backed by a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure that anomalous events are identified, communicate anomalies promptly, and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

4. Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.