Weekly Intelligence Report – 17 Nov 2023

Published On : 2023-11-17
Share :
Weekly Intelligence Report – 17 Nov 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Geography: Israel.


CYFIRMA Research and Advisory Team has found ransomware-as-a-service known as GhostLocker while monitoring various underground forums as part of our Threat Discovery Process.


A new Ransomware-as-a-Service (RaaS) program named GhostLocker has been introduced by the hacktivists known as GhostSec.

The threat actor group is promoting their Ransomware-as-a-Service (RaaS) through a Telegram channel, where they initially offer it at a price of $999. If the offer is missed, the price is incrementally raised to $4999. Currently, this Telegram channel has approximately 688 members.

The options are presented in the following manner to give a degree of customization and flexibility to the individuals or groups who are using the service to distribute ransomware:

  • Directories to encrypt: This can be either a directory or a drive letter for encrypting files.
  • Kill processes: This option allows the termination of various processes, including those related to software like MS Office or specific targeted processes.
  • Disable services: This choice deactivates or disrupts various services, including antivirus (AV) or endpoint detection and response (EDR).
  • Ransom amount: The ransom amount is the sum demanded by attackers in exchange for releasing encrypted data or compromised systems, and it is flexible.
  • Session ID: The session ID is used to establish a connection with the victim’s machine.
  • Delay: The delay function is used to postpone execution, which helps in avoiding detection by antivirus (AV) and endpoint detection and response (EDR) systems.

The following options are presented as checkboxes:

  • Self-deleted: This option allows the binary to be deleted from the victim’s machine.
  • Remove background: This choice removes the desktop background.
  • Privilege escalation: This involves obtaining elevated access or permissions beyond the typical allowance, potentially leading to unauthorized control or access.
  • Persistence: This option prevents the process from being terminated when idle.
  • Watchdog process: This process is responsible for automatically restarting the binary if it is unexpectedly terminated, whether due to antivirus (AV) interference or an exploit.


Stage 1 of the GhostLocker ransomware is a compiled x64 binary created with the Python compiler Nuitka. Nuitka optimises and translates Python code into machine code, enhancing performance and making it resistant to reverse engineering. Stage 1 drops various files in a folder in the Windows temporary directory, including .pyd and .dll files, along with Stage 2, which shares the same name.

Stage 1 launches Stage 2 as a child process using the CreateProcess API, with Stage 2 also compiled using Nuitka. The Python script within Stage 2 contains functions and activities. These activities involve copying itself to the Windows startup directory, downloading a watchdog, incrementing launches, generating a symmetric encryption key with Fernet, creating a random ID, sending victim data to a specified URL, terminating services, retrieving the user’s login name, and enumerating directories to encrypt files. Encrypted files receive a “.ghost” extension.

The ransomware utilizes 128-bit AES-CBC encryption implemented through Fernet. It begins by generating a key using Fernet.generatekey(), which is then sent to the hacker via sendDB(). This key is employed to encrypt the data, producing cipher text. The resulting encrypted data, known as a Fernet token, is URL-safe and base64-encoded.

Ransom notes are deposited in all the folders that have been targeted, with the file name “readme.html”.

Screenshot of the files encrypted by GhostLocker ransomware (Source: Surface web)

Ransom note by GhostLocker ransomware (Source: Surface web)

About the Threat Actor:

GhostSec originated as a hacktivist group branching from Anonymous. Initially focused on counterterrorism, they rose to prominence after the 2015 Charlie Hebdo shooting and the emergence of ISIS. Unlike Anonymous, GhostSec claims to collaborate closely with law enforcement and intelligence agencies, emphasizing their dedication to tracking and disrupting ISIS-related online propaganda.

GhostSec made headlines with its cyber activities. Very recent activities include: In April 2023, it targeted the water pump industry; May saw a data leak from unauthorized access to PLC devices. October brought an assault on water pumps coupled with the GhostLocker ransomware. November witnessed a sustained cyber offensive on Israel, purportedly in response to alleged war crimes.

Some of the countries targeted by these hacking groups are as follows,

Russia Columbia Israel
Iran Nigeria South Africa
Pakistan United Arab Emirates Iraq
Lebanon Brazil France
Sudan Nicaraqua Myanmar
Philippines Turkic Canada

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1106: Native API
T1129: Shared Modules
2 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-Loading
3 TA0004: Privilege Escalation T1543.003: Create or Modify System Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-Loading
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1036: Masquerading
T1070.006: Indicator Removal: Timestomp
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1562.001: Impair Defenses: Disable or Modify Tools
T1574.002: Hijack Execution Flow: DLL Side-Loading
5 TA0007: Discovery T1046: Network Service Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497.001: Virtualization / Sandbox Evasion: System Checks
T1518.001: Software Discovery: Security Software Discovery
6 TA0009: Collection T1005: Data from Local System
7 TA0011: Command and Control T1071: Application Layer Protocol
T1095: Non-Application Layer Protocol
T1573: Encrypted Channel
8 TA0040: Impact T1485: Data Destruction
T1486: Data Encrypted for Impact
T1496: Resource Hijacking

Relevancy and Insights:

  • The ransomware specifically focuses on the extensively used Windows Operating System, which is widespread across a multitude of industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Persistence: The ransomware exhibits persistence mechanisms to ensure its survival and ongoing malicious activities within the compromised environment. This could involve creating autostart entries or modifying system settings to maintain a foothold and facilitate future attacks.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • The use of idle periods may indicate that the ransomware is designed to operate more stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities.
  • The use of 128-bit AES-CBC encryption, implemented through Fernet, shows a high level of encryption strength in GhostLocker ransomware. This makes it exceptionally challenging for victims to decrypt their files without the encryption key.
  • Fernet.generatekey() and sendDB() are employed for secure key exchange between the attacker and victim, enhancing the confidentiality of the encryption key.

ETLM Assessment:

Cyfirma Assessment, based on the available information, indicates that GhostLocker ransomware primarily targets the widely used Windows operating system across diverse sectors. The ransomware deploys robust 128-bit AES-CBC encryption via Fernet, rendering file decryption highly challenging for victims. The secure key exchange process, encompassing Fernet.generatekey() and sendDB(), heightens the confidentiality of the encryption key. It is expected that GhostLocker will maintain its technical sophistication and adaptability. Its developers may continue refining evasion techniques and encryption methods, extending the threat beyond Windows to other platforms. Consequently, organizations should bolster their cybersecurity defenses and remain vigilant to effectively counter this evolving menace.

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:

title: Stop Windows Service Via Sc.EXE tags:
– attack.impact
– attack.t1489 logsource:
category: process_creation product: windows
detection: selection_img:
– OriginalFileName: ‘sc.exe’
– Image|endswith: ‘\sc.exe’ selection_cli:
CommandLine|contains: ‘ stop ‘ filter_kaspersky:
– ‘sc stop KSCWebConsoleMessageQueue’ # kaspersky Security Center Web Console double space between sc and stop
– ‘sc stop LGHUBUpdaterService’ # Logitech LGHUB Updater Service User|contains: # covers many language settings
condition: all of selection_* and not 1 of filter_*
– There are many legitimate reasons to stop a service. This rule isn’t looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low
(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Data exfiltration
Target Technology: Browsers, Windows OS
Target Sectors: Education and Health

Active Malware of the Week
This week “Jupyter” is trending.


In the ever-evolving landscape of cyber threats, the notorious Jupyter Infostealer has resurfaced with persistence. Targeting crucial sectors like Education and Health, this malware is proving to be a formidable adversary. The latest variants employ sophisticated techniques, including PowerShell command modifications and private key signatures, allowing them to masquerade as legitimate files. Over the last two weeks, the number of Jupyter Infostealer infections that researchers have observed has steadily risen, now totalling 26 infections.


Infostealer, (aka Yellow Cockatoo, Solarmarker, or Polazert) emerged in late 2020 and has since undergone continuous evolution to avoid detection. Primarily targeting Chrome, Edge, and Firefox browsers, it employs SEO poisoning and search engine redirects to lure users into downloading malicious files as the initial step in its attack strategy. This malware showcases capabilities such as credential harvesting and encrypted command-and-control communication, enabling the theft of sensitive data.

Certificate Manipulation

In the most recent attacks, the threat actor behind Jupyter employed the tactic of signing files with valid certificates, significantly enhancing their ability to avoid detection. The use of multiple certificates in this process instills trust in the malicious files, facilitating initial access to the victim’s machine. Noteworthy recent signers include:

  • ТОВ “Чеб”
  • ТОВ “Софт Енжін юа”
  • ТОВ “Трафік Девелоп ЮА”

Threat actors actively seek to acquire such certificates, taking advantage of the trust they inspire. Even experienced security analysts may unknowingly place trust in software with these certificates, influenced by their deceptive appearance of authenticity.

Attack method

Jupyter Infostealer employs different delivery methods typical of many malware strains. It can infiltrate systems through malicious websites, drive-by downloads, or phishing emails. Users might accidentally download Jupyter Infostealer when navigating compromised websites or clicking on deceptive ads. The malware predominantly targets popular web browsers like Firefox, Chrome, and Edge. Once downloaded, the executable is triggered by the user’s browser, initiating the malicious actions of the Infostealer.

Deceptive File Names

Researchers observed that the initial files use different names, crafted to trick users into opening them. Examples include:

  • An-employers-guide-to-group-health-continuation.exe
  • How-To-Make-Edits-On-A-Word-Document-Permanent.exe
  • 052214-WeatherPro-Power-Patio-Sport-Replacement-Fabric.exe
  • Iv-Calculations-Practice-Questions-Pdf.exe
  • Sister-Act-Libretto-Pdf.exe
  • Coaches-Gift-Donations.exe
  • Electron-Configuration-Practice.exe
  • Environmental-Accounting-Education-Requirements.exe
  • American-Born-Chinese.exe

Fake Installer

The mentioned executables serve as instances of installation files generated by InnoSetup; an open-source compiler employed for crafting installation packages in the Windows operating system. In these recent infections, the common presence of the installer- bundle.exe file is notable, maintaining a consistent hash despite variations in their file names.

Targeting Autodesk: Unmasking the Installer-Bundle.exe Intrusion

While delving into the details, an incident involving a signed Autodesk Create Installer emerged. This installer, deployed by installer-bundle.exe, exploited Autodesk, a software often targeted in cyber-attacks, as a Remote Desktop application on the victims’ devices. Subsequently, a file named No-Hoa-Letter-Mortgage.tmp executed powershell.exe, establishing a connection to a C2 server in the Netherlands. Multiple files, including a .dat file, were created and granted write privileges in the %Temp% directory.

The malware dropped a decoy PDF file into %Temp%, serving as a diversion for the victim. Shortly after the initial infection, the created files were deleted. Upon gaining a foothold, PowerShell initiated multiple network connections to the C2 server, executing a command to decrypt the .DAT file with a custom XOR key. The decoded PowerShell script revealed its use to decrypt the Infostealer payload and load the DLL payload in-memory through the Reflection.Assembly::load method.


  • Jupyter Infostealer has consistently adapted to avoid detection. It primarily targets Chrome, Edge, and Firefox browsers, employing sophisticated strategies such as SEO poisoning and manipulating search engine results to persuade users into downloading malicious files. Going beyond its initial deceptive tactics, this malware unveils advanced features like harvesting login credentials and using encrypted communication for remote control. This amplifies its threat level, enabling the discreet theft of sensitive data.
  • The continuous evolution of new Jupyter stealer variants involves strategic adjustments by the malware creator. These improvements aim to avoid detection, maintain a long-term presence, and enable attackers to secretly infiltrate targets. Recent Jupyter infostealer attacks have been noticed incorporating adjustments to PowerShell commands and the addition of private key signatures. This tactic is employed to make the malware appear as a legitimately signed file, fostering trust and facilitating access to the victim’s device.
  • Jupyter Infostealer represents a notable and dynamic challenge in the cybersecurity landscape. Its ability to adapt and evolve showcases the resilience of malicious software in circumventing traditional defense mechanisms. The continuous modifications in its tactics underline the importance of staying ahead in the ongoing cat-and-mouse game between cybersecurity measures and evolving threats.


From the ETLM perspective, CYFIRMA anticipates that Jupyter Infostealer continues to demonstrate adaptability and sophistication, the future threat landscape appears increasingly challenging for organizations. The integration of advanced features, such as the ability to execute PowerShell scripts, showcases a resilient and evolving threat. Typically, the impact on organizations is poised to intensify, with the potential for more widespread and targeted attacks. The multifaceted nature of Jupyter Infostealer, coupled with its persistence, suggests a continuous evolution that demands proactive cybersecurity measures. Organizations should anticipate a rise in both the frequency and complexity of Jupyter-related incidents, necessitating enhanced defense strategies to safeguard sensitive data and maintain the resilience of their networks against this persistent threat.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –BlackCat Ransomware | Malware – Jupyter
  • BlackCat Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Jupyter
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Unknown Threat Actor Targets Gilgit-Baltistan Region Using Android Malware

  • Threat Actors: Unknown
  • Attack Type: Watering-Hole
  • Objective: Espionage
  • Target Technology: Android
  • Target Geographies: Gilgit-Baltistan, Pakistan
  • Target Industries: News Readers
  • Business Impact: Data Loss, Data exfiltration

In a recent observation, researchers uncovered an unknown threat actor delivering Android malware via a Hunza news website in the Gilgit-Baltistan region; a disputed region governed by Pakistan. The attack involves a spyware-infected Android app named Kamran, discovered on the website’s Urdu mobile version(urdu[.]hunzanews[.]net), posing as a legitimate news app. This malicious Android application specifically targets Urdu-speaking users in Gilgit-Baltistan. The espionage capabilities of Kamran are alarming, compromising at least 20 mobile devices, and gathering extensive personal data upon user permission. The app requests access to contacts, call logs, location info, SMS, images, and more, exploiting the user’s trust. It’s noteworthy that the app is not available on the Google Play store, requiring users to enable installations from unknown sources. The deployment of Kamran coincided with civil unrest in Gilgit-Baltistan over land rights, power outages, and other grievances. The region’s strategic significance, hosting significant mountain ranges and the Karakoram Highway, connecting China and Pakistan, adds weight to the attack’s implications. This attack marks a concerning trend where malicious software leverages trusted platforms to exploit sensitive data, highlighting the importance of vigilance in downloading apps from secure sources.

Relevancy & Insights:
The attribution of the malware targeting Urdu-speaking users in Gilgit-Baltistan remains uncertain regarding the responsible APT (Advanced Persistent Threat) or nation-based threat actor. While speculation exists about the involvement of an Indian-based threat actor seeking intelligence from residents, it’s equally crucial not to dismiss the potential involvement of Chinese threat actors. The region’s significance in the context of the CPEC (China-Pakistan Economic Corridor) project amplifies its importance to Chinese interests, raising the possibility of Chinese authorities monitoring the region by gathering data from local sources. The complexity of geopolitical interests surrounding Gilgit-Baltistan underscores the challenge of pinpointing the specific actor behind such malicious activities, leaving room for various potential motivations and actors involved in this cyber threat landscape.

ETLM Assessment:
Cyber-attacks involving malware in this particular region are rare occurrences. However, this attack stands out due to its meticulous planning, utilizing a delivery sub- domain of the official domain of Hunza News, indicating a high level of sophistication. The deliberate focus on targeting solely Urdu-speaking users hints at a clear objective of cyber espionage. Witnessing further attacks of this nature would indeed be surprising, considering the difficulty and lengthy process of hijacking a sub-domain and then deploying malware. Our analysis suggests that attacks utilizing these specific tactics may occur, but we don’t anticipate similar tactics will be employed frequently.


  • Implement robust security measures on the Hunza News website to detect and prevent similar cyber threats. Conduct regular security audits, employ web application firewalls, and monitor for any suspicious activities or unauthorized app downloads.
  • Promptly notify Hunza News users, especially those accessing the website through mobile devices, about the identified threat. Advise them to avoid downloading the Hunza News app from any non-official source and to refrain from enabling installations from unknown sources on their Android devices.
  • Advise users to review their device permissions and revoke access for any suspicious or unauthorized apps, especially if they have granted permissions to the Kamran app. Offer guidance on securing their devices and encourage regular data backups.
  • Employ continuous monitoring and threat intelligence gathering to detect any resurgence or new instances of similar attacks targeting the website or its users. This involves monitoring the network traffic and actively seeking indicators of compromise (IoCs) associated with the Kamran spyware.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Australian Ports hit by a Cyberattack
Australia’s National Cyber Security Coordinator announced that the government was
investigating a cyberattack that disrupted several Australian ports. Australia’s leading container terminal and supply chain operator; DP World Australia, has announced it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle. The operator manages the flow of nearly 40% of the country’s goods and is owned by Dubai-based logistics giant; DP World. This interruption has continued for a number of days and had an impact on the movement of goods into and out of the country, leading to a huge backup of cargo. The cyber incident has not yet been further specified or attributed but the operator noted that it has not received a ransom demand, while the government called it “a nationally significant cyber incident.” According to media reports, the shutdown at the ports was preventive after “unauthorized activity” had been detected in DP World Australia’s systems.

ETLM Assessment:
In a recent report, CYFRIMA analysts have warned about similar attacks on infrastructure in Europe, following Russia’s campaign which aims at disrupting Ukraine’s agricultural exports (parts of which were replaced by Australian exports) and replacing Ukrainian grain with Russian products on the world market. However, Russia is not the only country that would be motivated to perform such an attack.

Since 2020, China has been trying to coerce Australia into subduing to its political demands and a full blown trade war between the two countries had commenced in 2020. In 2022, the Indo-Pacific Economic Framework (IPEF) was formed, including Australia, Brunei, Fiji, India, Indonesia, Japan, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam in response to the security deal between China and the Solomon Islands, which was signed earlier that year. Chinese Foreign Minister; Wang Yi, heavily criticized the new alliance and leading up to the 2022 Australian federal election, China was trying to interfere with the election with the goal of promoting Australian parties more favourable to Chinese demands. With world distracted by the wars in Gaza and Ukraine, China continues to stir trouble in the South China Sea and its surroundings, and this attack could be a part of the campaign. China is even willing to use cyber tools against its allies, as recently reported, two major Chinese APTs engaged in cyberespionage against Cambodia in a campaign targeting at least twenty government and industry organizations in a long-term collection effort.

Cambodia and China enjoy generally good diplomatic and economic relations, but that’s irrelevant to China’s choice of targets. Beijing’s long-range goal is an enhanced naval presence in the waters off Southeast Asia, and the intelligence being gathered is designed to support that end.

There are, however, further possibilities for the perpetrators of the Australia attack. The company operating the ports is incorporated in Dubai, UAE and the attack could have been part of an intricate web of rivalries and shadow cyber wars currently taking place in the Middle East, or the work of some opportunistic criminals.

As we have reported here, the logistics industry, being a critical part of infrastructure, confronts substantial risks from advanced threat actors. Data we have recently published on the industry reveals a consistent pattern of attacks, with a clear emphasis on developed economies and major global logistics hubs. Although true that the detection of APT campaigns has declined, a correlation between the current geopolitical landscape and the most targeted countries remains evident. Moreover, Russia seems to be increasingly employing privateering actors, motivated by financial gains to put distance between Moscow and the global food insecurity. Such a trend is expected to continue as privateers are offered ever more leniency: in the eyes of the Kremlin, the more global instability, the better the attention is deflected from its persecution of Ukraine, with fewer resources available to oppose it. The attack on Australian ports should serve as a reminder of the serious risk that cyber-attacks pose to any country, and to vital infrastructure we all rely on.

Iranian APTs targeting Israel
Researchers have recently described a series of cyberattacks that targeted Israeli organizations as well as other Middle Eastern nations in the transportation, logistics, and technology sectors in October 2023. The campaign has been attributed to the Iranian APT known as IMPERIAL KITTEN, which is widely suspected to be an arm of Iran’s Islamic Revolutionary Guard Corps (IRGC) and which likely fulfils Iranian strategic intelligence requirements, based on the directions from the intelligence wing of IRGC. In this case, the threat actor used spearphishing emails to deliver several strains of malware via malicious Excel documents, including IMAPLoader and Standard Keyboard. While there is a strategic cooperation between Hamas and Iran (directed by IRGC), this attack seems to be an opportunistic cyber espionage action and more likely than a part of an integrated campaign developed in cooperation with Hamas.

So far there are no direct indications that would suggest Iran was involved in planning the operations on October 7, in which Hamas massacred over 1200 Israelis, most of them civilians. Iran cyber operators have been largely reactive in the cyber domain, since the current war in Gaza began, exploiting opportunities to try and take advantage of events on the ground as they unfold. According to the researchers it took more than a week from the start of the ground conflict before Iran entered the war in the cyber domain. So far researchers see Iranian APTs continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks, and amplifying those claims and activities via a well-integrated deployment of information operations.

Besides the aforementioned spearphising attacks, Imperial Kitten has been observed using watering hole attacks and exploitation of one-day exploits, stolen credentials and even targeting upstream IT service providers for initial access. Another Iranian nation- state actor known as MuddyWater has been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel while Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram.

ETLM Assessment:
As we have warned in our assessment last week, we are likely to see a spike in the activity of Iranian APTs attacking Israel and other countries that support Israel. These attacks are likely just the beginning with many more to be revealed in due time. So far Israel seems to have been largely successful in blunting state-directed attacks, since it employs a proactive cyber defensive approach adopted by the Israeli National Cyber Directorate (INCD) as well as the mobilization of the country’s cyber security ecosystem due to the high-tech nature of the Israeli economy. However, the same cannot be said of every country supporting Israel and the risk of potential spill out is imminent.

The conflict in Gaza has revealed the complex and contradictory forces that shape Iran’s behaviour and interests in the Middle East, which are driven by both ideology and pragmatism. Iran’s proxies in the region, namely Lebanese Hezbollah, Iraqi Popular Mobilization Forces and Yemeni Houthis have all joined the struggle and started a low intensity war against Israel and the U.S., mostly by way of rocket and drone attacks. Hezbollah alone has lost over 50 fighters but the recent speech by its leader Hassan Nasrallah and Iranian supreme leader Ali Khamenei suggest that these attacks are likely meant to show Iran’s strength and deterrence capabilities to Israel and the United States, but also that Iran and its proxies are walking a thin line trying to avoid a direct clash that could harm Iran’s interests and security. Iranian officials have been walking a tightrope between their ideological commitment to the Palestinian cause and their pragmatic calculations of regional interests and risks. Their statements expose the dilemmas and difficulties that Iran confronts in dealing with its friends and foes. But they also reflect their domestic concerns and calculations. This, however, does not apply to the fifth domain, where the risk of high scale physical retaliation seems low. Israel’s National Cyber Directorate confirms this observation and states that the prospect of an intensified Iranian cyber campaign is deeply worrying, since Iran “knows that they can act there [in cyberspace] more freely than in physical space”.

Rise in Malware/Ransomware and Phishing

Pricesmart is Impacted by BlackCat Ransomware

  • Attack Type: Ransomware
  • Target Industry: Retail
  • Target Geography: The United States of America
  • Ransomware: BlackCat Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from The United States of America, (www[.]pricesmart[.]com), was compromised by BlackCat Ransomware. PriceSmart, Inc. is only operator of membership warehouse clubs in Central America, the Caribbean, and Colombia, serving over 3 million cardholders. The compromised information comprises over 500 gigabytes of sensitive data, including details related to clients and employees.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • In 2023, there were 553 documented cases of victimization, cementing the group’s status as one of the most prolific ransomware factions. A scrutiny of their attack strategies highlights a distinct focus on infiltrating organizations situated within the United States
  • Based on the BlackCat Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Industries, most affected by BlackCat Ransomware

ETLM Assessment:
CYFIRMA assesses BlackCat Ransomware to maintain a focus on American businesses and related entities that hold significant amounts of Personally Identifiable Information (PII). Nonetheless, the recent attack on Pricesmart underscores the global threat posed by the BlackCat Ransomware.

Vulnerabilities and Exploits

Vulnerability in Discourse

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Forum & blogging software
  • Vulnerability: CVE-2023-47120 (CVSS Base Score 7.5)
  • Vulnerability Type: Improper input validation

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied input within the Onebox favicon URL.

A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Affected Products: https[:]//github[.]com/discourse/discourse/security/advisories/GHSA- 77cw-xhj8-hfp3

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 3 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

DDoS Cyberattack Hits Cairo International Airport

  • Threat Actors: Anonymous Collective
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Industry: Aviation
  • Target Geographies: Egypt
  • Business Impact: Operational Disruption

Anonymous Collective hacker group has claimed Cairo International Airport cyberattack in their latest campaign. The Cairo International Airport allegedly grapples with a relentless Distributed Denial of Service (DDoS) attack orchestrated by the infamous threat actor. This incident, spanned over 25 hours, marks the most extensive cyber assault on any Egyptian airport to date. The airport’s digital infrastructure, including its website and mobile application, remains allegedly crippled, with losses amounting to millions of dollars. Anonymous Collective, in a bold statement, asserts that the Cairo International Airport DDoS attack is a response to Egypt’s perceived support for Israel in the Gaza conflict. The Anonymous Collective’s message, delivered through their Telegram channel, highlights the gravity of the situation. Notably, the email system has also fallen victim to the attack, exacerbating the overall impact on the airport’s operations. In a public declaration, the threat actor emphasized that the attack is complete, having achieved its objectives.

Relevancy & Insights:
Anonymous Collective claims that the DDoS attack on Cairo International Airport is a response to Egypt’s perceived support for Israel in the Gaza conflict. The bold statement delivered through their Telegram channel indicates that the threat actor sees the cyber-attack as a form of protest or retaliation against the country’s political stance.

ETLM Assessment:
CYFIRMA assesses that the DDoS attack on Cairo International Airport is a response to Egypt’s perceived support for Israel in the Gaza conflict. The perpetrators might persist in executing DDoS attacks with the intention of harming the reputation of targeted organizations

Data Leaks

Ringcentral Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Software
  • Target Geography: The United States of America
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Ringcentral, {www[.]ringcentral[.]com}. RingCentral, Inc. offers comprehensive global enterprise solutions for cloud-based communications and collaboration. The company integrates voice, video, team messaging, conferencing, online meetings, and contact center solutions into a unified platform. The breached data includes unique identifiers, names, email addresses, last-seen timestamps, country codes, regions, cities, carrier information, time zones, and other sensitive details.

Source: Underground forums

Relevancy & Insights:
Cybercriminals driven by financial motives are consistently searching for exposed and vulnerable systems and applications. Most of these attackers participate in clandestine forums, where they discuss related matters and trade stolen digital goods. In contrast to other financially motivated groups, like ransomware or extortion collectives that frequently publicize their attacks, these cybercriminals prefer to keep a low profile. They secure unauthorized access and pilfer valuable data by exploiting unpatched systems or vulnerabilities in applications and systems. The purloined data is subsequently promoted for sale in underground forums, where it is resold and repurposed by other attackers for their own malicious activities.

ETLM Assessment:
The United States of America remains a prominent target for cybercriminals globally. As per CYFIRMA’s assessment, U.S. institutions without robust security measures and infrastructure are expected to face an elevated risk of potential cyberattacks.

Other Observations

CYFIRMA Research team observed a potential data leak related to the Farmaciavernile, {www[.]farmaciavernile[.]it}. Farmaciavernile offers a wide assortment of pharmaceutical, parapharmaceutical, homeopathic, herbal, and veterinary products. The pharmacy also has a modern galenic laboratory for the preparation of master medicines and cosmetic preparations with a vast assortment of raw materials. The compromised data comprises of usernames, email addresses, passwords, and other confidential details.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.