Self Assessment

Weekly Intelligence Report – 17 Mar 2023

Published On : 2023-03-17
Share :
Weekly Intelligence Report – 17 Mar 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DDoS, Spear Phishing
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – Royal Ransomware | Malware – GoBruteforcer
  • Royal Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – GoBruteforcer
  • Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

China-Based APT SharpPanda Continues Targeting Southeast Asian Region

  • Suspected Threat Actors: SharpPanda
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: Southeast Asia
  • Target Industries: Government Organizations
  • Business Impact: Data Theft

Summary:
Sharp Panda is a China-based advanced persistent threat group, they have been active from the year 2018 targeting government entities of the Southeast Asian region. The group has been conducting strikes through spear phishing attacks on government entities, in a previous campaign the actor used a custom-made backdoor named VictoryDLL and RoyalRoad Kit. In a recent campaign, a new version of the SoulSearcher loader has been used by the threat actor. Previously it was observed that the soul malware framework was used in targeting Information and Communications Technology, Healthcare, and Defence sector industries in Southeast Asian countries. In the current campaign, the initial attack vector remained the same, the threat actor used RTF and word documents to deliver the final payload. Few changes were observed in the technicality of the malware used in the campaign, such as the threat actor making the malware geo-fenced, and the C&C server being different from what was used in their previous campaigns.

Insights:
Sharp Panda supports the interest of Chinese requirements. APT targets Southeast Asian countries, particularly those with similar territorial claims or strategic infrastructure projects.

It is interesting to know that the C&C servers did not return payloads during the time of Chinese Spring Festivals, however, it was active throughout the time from Monday to Friday.

Major Geopolitical Developments in Cybersecurity

Suspected North Korean cyberespionage effort observed

Researchers have been tracking a campaign from suspected North Korean espionage group UNC2970, which has been observed targeting media and technology companies in the West. The researchers suspect the threat actors to have ties to Pyongyang and consider it to be an offshoot of a group also known as Temp. Hermit, a known ATP which has been observed for at least 10 years. Temp. Hermit was seen targeting primarily South Korean companies, with a small part of the attacks targeting organizations across the globe, whereas the reported campaign by UNC2970 has been primarily targeting entities in the West.

The attacks begin on LinkedIn, with the threat actors posing as recruiters and reaching out to targets. Researchers have identified files and suspicious drivers within compromised hosts. The malicious LIGHTSHOW payload, once delivered, then performs arbitrary read and write operations to kernel memory. The payload relies on trusted yet vulnerable drivers to function and is thus not a state-of-the-art attack.

Pakistani APT romance phishing

Researchers have recently publicly discussed a campaign by Pakistan-based threat actor Transparent Tribe, which appears to be targeting Indian and other military and government officials with romance scams. The victims are persuaded to install hacked versions of secure messaging apps on their Android smartphones. These applications will set up the information stealing CapraRAT backdoor. Experts think the attackers first get in touch with their victims via phone or email before luring them into a romantic scam—a ruse Transparent Tribe has previously employed. The attackers continue to communicate with the victims via the Trojanized chat app once they have downloaded it, all the while stealing information in the background. The researchers were able to identify over 150 victims in India, Pakistan, Russia, Oman, and Egypt thanks to the malicious programs’ lax operational security.

US Presidential Budget dedicated to cybersecurity

The President’s Budget for Fiscal Year 2024 has been published, and it addresses cybersecurity across the spectrum of the US Federal Government’s operations. The Budget contains large spending requests in accordance with the US National Cybersecurity Strategy with a large part of the funding being intended for countering cyber operations by adversaries originating from China and Russia, but also for more enforcement actions against cybercrime, to the countering of “malign influence,” and to “bolstering Federal cybersecurity.” The US Cybersecurity and Infrastructure Security Agency (CISA) would receive, under the plan, a budget of $3.1 billion, an increase of $145 million over current funding.

Russia to rely more on cyber as conventional tactics fail

The US Director of National Intelligence, Avril Haines, has recently predicted to the US Senate Intelligence Committee that Russia could be expected to turn to alternative forms of military power as its conventional forces continue to fail on the battlefield. According to Mr. Haines, Russia will become even more reliant on asymmetric options such as cyber operations and increased cooperation with China.

Operations in the cyber realm however are not without challenges for Russia. Russian cyberattacks against Ukraine and its allies have not been very effective so far. While some of this is attributable to deterrence, especially in countries with superb capabilities, the Ukrainian defenses and Western assistance effectiveness are mostly to blame for the failure. It has also turned out to be harder than expected for Russian intelligence to maintain cohesion among top criminal gangs they use as auxiliary forces. Several of them including Conti broke up due to the conflict but others are trying to acquire new capabilities and take up the space on the privateering market.

Other Observations

The Team also observed a potential data leak related to www[.]venova[.]ch. A Switzerland-based e-commerce platform that deals with household, electronics, sports or leisure items, or garden accessories has been breached by an unknown threat actor, and data leaked in an underground forum. This data leak contains the user id, email, and other confidential information of the customers.


Source: Underground Forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.