Weekly Intelligence Report – 17 Feb 2023

Published On : 2023-02-17

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rogue Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), Smishing, Malvertising, USB as an Attack Vector
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – Daixin Team Ransomware | Malware – Graphiron
  • Daixin Team Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Graphiron
  • Behavior – Most of these malware families use phishing and social engineering techniques as their initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are also being observed.

Threat Actor in Focus

The New Threat Actor Called NewsPenguin Targets Pakistan

  • Suspected Threat Actors: Unknown
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: South Asia
  • Target Industries: Public Sector
  • Business Impact: Data Theft, Operational Disruption

Summary:
A new threat actor named NewsPenguin was recently seen using a sophisticated method to target organizations in Pakistan. The actor is taking advantage of the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) to lure victims. The attacker sends targeted spear-phishing emails carrying a malicious document that is falsely presented as an exhibitor manual for PIMEC-23. The document employs a remote template injection technique and malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which ultimately executes the final payload.

The final payload is an advanced espionage tool that uses XOR encryption with the key “penguin”. Once the connection between the command-and-control server and the victim is established, the server registers the infected system with a unique 12-character identifier. This identifier is then used in all subsequent communications between the bot and the server.

Insights:
Because the targeted event is an international conference backed by the Pakistan Navy and is likely to be attended by delegations from several nations, the threat actor could also gain access to information belonging to military or defense officials from other countries.

Major Geopolitical Developments in Cybersecurity

New data emerges on an APT with ties to India

Researchers have recently reported on the activities of a nation-state threat actor dubbed “SideWinder.” The SideWinder APT, also known as Rattlesnake or HN2, has been active since at least 2012. It mainly conducts cyber espionage against governments in the Asia-Pacific region, and researchers believe it has a nexus with the government of India. A new SideWinder.AntiBot.Script tool was discovered in the summer of 2022 being used against Pakistani companies. The list of targeted organizations had over sixty names spanning government, military, financial, law enforcement, political, telecommunications, and media organizations. The targeted countries were Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka. Researchers found many similarities between the servers and resources used by SideWinder and those of the BabyElephant APT group, raising the possibility that they are one and the same.

Hacktivists disrupt Iranian TV during an important regime holiday

Hacktivists briefly disrupted a televised speech by President Ebrahim Raisi on the occasion of Revolution Day, a holiday important for the Iranian regime, marking the takeover of power in the country. Domestic dissident hacktivist group Adalat Ali has claimed responsibility for the action. In addition to airing a familiar slogan “Death to Khamenei” (the supreme leader of the clerical regime) the group urged Iranians to withdraw their money from state banks and participate in anti-government protests. The disruption only lasted about a minute but signifies how deeply unpopular the repressive regime is. Authoritarian regimes often lash out both domestically and internationally when under domestic pressure from their own population and thus further worsening of the geopolitical situation in the region is to be expected.

Belarusian Cyber-Partisans release data taken from Russian Internet governance authority

The Belarusian Cyber-Partisans, dissident hacktivists opposed both to the domestic regime, which is under increasing pressure from Russia to become a de facto Russian protectorate, and to the Russian regime and its war against Ukraine, have released a 335GB dump of emails and other files obtained from Roskomnadzor’s General Radio Frequency Center division. The hacktivists claimed credit on Twitter and promised that more is to come. The further data is said to contain details of the Russian agency’s collection of information on protests in Ukraine and Kazakhstan for the Kremlin leadership.

US to send further funds to bolster Ukraine’s cyber defenses

The U.S. Agency for International Development (USAID) will allocate $60 million to Ukraine in support of efforts to protect the country’s infrastructure from cyberattacks. Attempted Russian cyberattacks against infrastructure have not been confined to Ukraine. Researchers have recently reported on a Russian “Chernovite” threat group, which reportedly undertook preparations against roughly a dozen U.S. electrical and natural gas facilities early in Russia’s war against Ukraine. The attacks were never executed, but according to the researchers the attackers had prepared the ground before they were intercepted through a successful public-private cooperation.

Other Observations

CYFIRMA Research team observed that Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems.
Pepsi Bottling Ventures is the largest bottler of Pepsi-Cola beverages in the United States, responsible for manufacturing, selling, and distributing popular consumer brands. It operates 18 bottling facilities across North and South Carolina, Virginia, Maryland, and Delaware.


Source: Telegram

The Team also observed a potential data leak related to www[.]oiinternet[.]com[.]br – Oi is an Internet service provider offering website hosting and Internet-related services in Brazil. The leaked data contains area code, phone, name, document type, document, address, neighborhood, city, state, zip code, phone line type, phone line status, phone origin, activation date, and contract date.


Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure anomalous events are recognized, communicate anomalies in a timely manner, and evolve these processes continuously to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
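The tactical recommendation to combine IP blocklisting, rate-limiting and account lockout against automated brute-force attempts is easier to reason about with the controls side by side. The following is an added example, not code from the report or from any product: a small login guard that applies the three controls in a fixed order (blocklist, then per-account lockout, then per-source rate limit) and a scenario that exercises a password spray, repeated failures on one account, recovery after the lockout expires, and a blocklisted source. The thresholds, the addresses (RFC 5737 documentation ranges) and the usernames are constructed assumptions; a production deployment would tune them and persist the state in a shared store.

```python
"""Added example: per-source rate limiting, per-account lockout and an IP
blocklist combined into one login guard. All addresses, names and thresholds
are constructed for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional


class LoginGuard:
    """Decides whether a login attempt may proceed before credentials are checked."""

    def __init__(self, *, rate_limit: int = 5, rate_window: int = 60,
                 lockout_failures: int = 3, lockout_seconds: int = 900,
                 blocklist: Iterable[str] = ()) -> None:
        self.rate_limit = rate_limit              # attempts allowed per source per window
        self.rate_window = rate_window            # sliding window length in seconds
        self.lockout_failures = lockout_failures  # consecutive failures before lockout
        self.lockout_seconds = lockout_seconds    # how long an account stays locked
        self.blocklist = set(blocklist)           # known-bad source addresses
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> timestamps
        self._failures: Dict[str, int] = defaultdict(int)             # user -> failures
        self._locked_until: Dict[str, float] = {}                      # user -> unlock time

    def check(self, ip: str, username: str, now: float) -> Optional[str]:
        """Return None if the attempt may proceed, otherwise the refusal reason."""
        if ip in self.blocklist:
            return "ip_blocklisted"
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return "account_locked"
        recent = self._attempts[ip]
        while recent and now - recent[0] >= self.rate_window:  # drop expired entries
            recent.popleft()
        if len(recent) >= self.rate_limit:
            return "rate_limited"
        recent.append(now)
        return None

    def record_result(self, username: str, success: bool, now: float) -> None:
        """Update per-account failure state after the password check ran."""
        if success:
            self._failures[username] = 0
            self._locked_until.pop(username, None)
            return
        self._failures[username] += 1
        if self._failures[username] >= self.lockout_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0


def simulate(guard: Optional[LoginGuard] = None) -> List[Optional[str]]:
    """Run a constructed scenario and return the guard's verdict for each attempt."""
    guard = guard or LoginGuard(blocklist={"198.51.100.9"})
    verdicts: List[Optional[str]] = []

    # 1) Password spray: one guess against eight accounts from one source in 8 seconds.
    for i in range(8):
        user = f"user{i}"
        verdict = guard.check("203.0.113.5", user, now=10 + i)
        if verdict is None:
            guard.record_result(user, success=False, now=10 + i)
        verdicts.append(verdict)

    # 2) Repeated failures against a single account from a second source.
    for i in range(4):
        verdict = guard.check("203.0.113.77", "alice", now=100 + i)
        if verdict is None:
            guard.record_result("alice", success=False, now=100 + i)
        verdicts.append(verdict)

    # 3) The real owner of the account, after the 900 s lockout has expired.
    verdicts.append(guard.check("192.0.2.10", "alice", now=103 + 900))

    # 4) A source on the blocklist is refused regardless of account state.
    verdicts.append(guard.check("198.51.100.9", "bob", now=2000))
    return verdicts


if __name__ == "__main__":
    for n, v in enumerate(simulate(), 1):
        print(f"attempt {n:2d}: {'allowed' if v is None else v}")
```

The ordering matters for what an attacker learns: the blocklist answer is cheapest and leaks nothing, and the lockout check runs before the rate limiter so a locked account cannot be probed further from fresh addresses. Feeding the refusal reasons into the SIEM gives the behavioural signal the recommendations above ask for without exposing it to the client.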