
Weekly Intelligence Report – 19 Apr 2024

Published On : 2024-04-18

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and may be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Dzen ransomware in the wild while monitoring various underground forums as part of our Threat Discovery Process.

Dzen ransomware
Researchers discovered Dzen, a ransomware from the Phobos family, in the wild in early April 2024. Dzen encrypts files, changes their names, and shows two ransom notes named “info.txt” and “info.hta”. It adds the victim’s ID, email address, and “.dzen” to the end of encrypted filenames.

Screenshot of files encrypted by Dzen ransomware (Source: Surface Web)

The Dzen ransomware presents a complex threat by not just encrypting files but also disabling firewalls, making systems vulnerable to malicious actions. Furthermore, it actively removes Volume Shadow Copies, preventing potential file recovery.

Moreover, Dzen includes functionalities to collect location data and use persistence mechanisms, selectively avoiding specific areas in its operations.

The ransom note notifies the victim that their data has been encrypted and can only be unlocked with the perpetrators’ software. It warns against independent decryption attempts, stressing the risk of permanent data loss.

Furthermore, it advises against involving intermediary or recovery companies. The criminals promise confidentiality and pledge to delete all downloaded data after the ransom is paid. They assure not to sell or exploit the victim’s personal data for future attacks.

However, they set a two-day deadline for contact, threatening data sharing with interested parties if missed. Contact details are provided via two email addresses, with instructions to include a specific ID in the message title.

Screenshot of Dzen’s text file (“info.txt”) (Source: Surface Web)

Screenshot of Dzen’s pop-up window (“info.hta”) (Source: Surface Web)

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No  Tactics                        Techniques/Sub-Techniques
1       TA0002: Execution              T1053: Scheduled Task/Job
                                       T1059: Command and Scripting Interpreter
                                       T1106: Native API
                                       T1129: Shared Modules
2       TA0003: Persistence            T1053: Scheduled Task/Job
                                       T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3       TA0004: Privilege Escalation   T1053: Scheduled Task/Job
                                       T1134: Access Token Manipulation
                                       T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
4       TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                       T1036: Masquerading
                                       T1070.004: Indicator Removal: File Deletion
                                       T1112: Modify Registry
                                       T1134: Access Token Manipulation
                                       T1222: File and Directory Permissions Modification
                                       T1497: Virtualization/Sandbox Evasion
                                       T1562.001: Impair Defenses: Disable or Modify Tools
                                       T1564.001: Hide Artifacts: Hidden Files and Directories
5       TA0006: Credential Access      T1003: OS Credential Dumping
                                       T1056: Input Capture
6       TA0007: Discovery              T1010: Application Window Discovery
                                       T1012: Query Registry
                                       T1016: System Network Configuration Discovery
                                       T1057: Process Discovery
                                       T1082: System Information Discovery
                                       T1083: File and Directory Discovery
                                       T1135: Network Share Discovery
                                       T1497: Virtualization/Sandbox Evasion
                                       T1518.001: Software Discovery: Security Software Discovery
                                       T1614: System Location Discovery
7       TA0008: Lateral Movement       T1080: Taint Shared Content
8       TA0009: Collection             T1005: Data from Local System
                                       T1056: Input Capture
9       TA0011: Command and Control    T1105: Ingress Tool Transfer
10      TA0040: Impact                 T1486: Data Encrypted for Impact
                                       T1490: Inhibit System Recovery

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • To bypass network defenses, the ransomware disables the Windows Firewall by altering the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall. It sets the DWORD value to 0x00000000, effectively turning off firewall protection.
  • The ransomware deletes the file “C:\$SysReset\Logs\Timestamp.xml”. This hampers the system’s ability to track events or diagnostics, impairing its capability to actively monitor and record system-related activities in the correct chronological sequence.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • The ransomware makes calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

ETLM Assessment:

  • CYFIRMA’s assessment, based on available information, indicates that Phobos ransomware-as-a-service providers, operational since 2019, have targeted various industries such as healthcare, finance, legal, and government sectors. Phobos victims span across nations including the U.S., Indonesia, Japan, Portugal, Brazil, Seychelles, Romania, Germany, and other economically developed countries. Looking ahead, Dzen ransomware, a Phobos variant, is expected to evolve with advanced evasion techniques, widening its target scope to encompass individuals and organizations. There’s a strong likelihood that this new variant will persist in targeting nations in East Asia, Southeast Asia and other developed nations, similar to previous Phobos iterations. This evolution will involve sophisticated encryption methods, increased use of anonymization tactics, and decentralized communication channels, presenting significant challenges for cybersecurity professionals in detection and mitigation efforts.

Sigma Rule
title: Delete shadow copy via WMIC
threatname:
behaviorgroup: 18
classification: 0
mitreattack:
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*wmic*shadowcopy delete*'
    condition: selection
level: critical
(Source: Surface web)
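The following is an added example, not part of the original report, showing how the Sigma rule above and the two host-based indicators from the Relevancy and Insights section (the EnableFirewall registry change and the deletion of C:\$SysReset\Logs\Timestamp.xml) can be evaluated as detection logic over process-creation, registry and file-delete telemetry. The event shape is a simplified Sysmon-like dictionary whose field names are an assumption for this example; the image paths are placeholders, and the severity levels on the two added rules are chosen here, not taken from the report.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (event_id 1 =
# process creation, 13 = registry value set, 23 = file delete). Field names are
# an assumption for this example; map them to your own log schema. Image paths
# are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"event_id": 13, "image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall",
     "details": "DWORD (0x00000001)"},
    {"event_id": 23, "image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "target_filename": r"C:\$SysReset\Logs\Timestamp.xml"},
]

# Rules in a Sigma-like shape. The first is the report's own Sigma rule; the
# other two are written here from the report's Relevancy and Insights bullets,
# with severity levels chosen for this example.
RULES = [
    {"title": "Delete shadow copy via WMIC", "level": "critical", "event_id": 1,
     "field": "command_line", "pattern": "*wmic*shadowcopy delete*"},
    {"title": "Windows Firewall disabled via EnableFirewall registry value",
     "level": "high", "event_id": 13, "field": "target_object",
     "pattern": "*\\SharedAccess\\Parameters\\FirewallPolicy\\*\\EnableFirewall",
     "extra": ("details", "*0x00000000*")},
    {"title": "Deletion of $SysReset Timestamp.xml", "level": "medium",
     "event_id": 23, "field": "target_filename",
     "pattern": "*\\$SysReset\\Logs\\Timestamp.xml"},
]


def sigma_wildcard_to_regex(pattern):
    """Translate a Sigma string pattern ('*' = any run of characters) into an
    anchored, case-insensitive regex. Everything except '*' is matched
    literally, so backslashes and '$' in registry and file paths need no extra
    escaping. ('?' wildcards are not handled; the rules above do not use them.)"""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def evaluate(events, rules=RULES):
    """Return one alert per (event, rule) pair whose selection fields match."""
    alerts = []
    for event in events:
        for rule in rules:
            if event.get("event_id") != rule["event_id"]:
                continue
            value = event.get(rule["field"], "")
            if not sigma_wildcard_to_regex(rule["pattern"]).match(value):
                continue
            # Optional second selector, e.g. the DWORD data of a registry write.
            extra = rule.get("extra")
            if extra and not sigma_wildcard_to_regex(extra[1]).match(event.get(extra[0], "")):
                continue
            alerts.append({"title": rule["title"], "level": rule["level"],
                           "image": event.get("image", "")})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']} <- {alert['image']}")
```

Run against the constructed events, the first, third and fifth raise alerts; the harmless wmic query and the svchost.exe write that re-enables the firewall (0x00000001) do not. The registry rule keys on the value data as well as the path, which is what separates a disable from the routine writes Windows itself makes to that key.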

IOCs:
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring, which will help detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Espionage, Data theft, Remote Access
Threat Actor: Virtual Invaders
Target Technology: Android Applications
Target Geographies: South Asia (India and Pakistan)
Campaign: eXotic Visit

Active Malware of the Week
This week “XploitSPY” is trending

Summary
Researchers have identified an ongoing espionage campaign named eXotic Visit targeting Android users. This campaign began in late 2021 and primarily masquerades as messaging apps, distributing these apps via dedicated websites and briefly through the Google Play store, where they had low installation numbers before being removed. The primary targets of this campaign appear to be Android users in Pakistan and India. Researchers have been unable to identify the specific threat group behind this activity, so they internally refer to them as “Virtual Invaders” for tracking purposes.

Researchers have identified that the apps in this campaign, which pose as messaging services, actually contain a customized version of the open-source Android RAT known as XploitSPY, harboring malicious code. This malware allows them to extract contact lists, files, GPS location, and file names from directories associated with the camera, downloads, and messaging apps such as Telegram and WhatsApp.

XploitSPY
XploitSPY, derived from the open-source Android RAT L3MON (which was removed from GitHub by its author), incorporates features inspired by another RAT called AhMyth, expanding its capabilities. This malware is equipped with extensive data-stealing functionalities and has been detected infiltrating devices packaged with seemingly legitimate applications. To further evade detection, XploitSPY utilizes a native library commonly employed in Android app development. Unlike its typical usage to enhance performance and system access, this library is repurposed to conceal critical information like the addresses of command-and-control (C&C) servers. This tactic aims to thwart security tools and complicates the analysis of the app. Below are the capabilities of XploitSPY:

  • Listing files on the device.
  • Sending SMS messages.
  • Obtaining call logs, contacts, text messages, and a list of installed apps.
  • Getting a list of surrounding Wi-Fi networks, device location, and user accounts.
  • Taking pictures using the camera.
  • Recording audio from the device’s surroundings.
  • Intercepting notifications received for WhatsApp, Signal, and any other notification that contains the string “new messages”.

Malicious App Campaign Timeline: eXotic Visit

  • January 12, 2022: Researchers shared a tweet containing a hash and a link to a website distributing a malicious app named WeTalk, designed to mimic WeChat. The website directed users to a GitHub project hosting the app, which had been uploaded in December 2021. During this time, five apps were available: ChitChat.apk, LearnSindhi.apk, SafeChat.apk, wechat.apk, and wetalk.apk. ChitChat.apk, present since November 2021, was distributed through chitchat.ngrok[.]io along with WeTalk, both utilizing the same Command & Control (C&C) address and admin panel login interface. ChitChat.apk and wetalk.apk apps, while offering messaging functionality as promised, also contain identified malicious code known as XploitSPY, which is openly available on GitHub.
  • February 8, 2022: Dink Messenger version 1.0 was released on Google Play without any malicious functionality included. This release could have been a test by threat actors to assess whether the app would be successfully validated and accepted on the store.
  • February 24, 2022: The C&C address used by wechat.apk and ChitChat.apk is also utilized by Dink Messenger. This sample was found available for download from letchitchat[.]info. The domain letchitchat[.]info was registered on January 28th, 2022. In addition to messaging features, Dink Messenger incorporates malicious code based on XploitSPY, adding to its functionality.
  • May 24, 2022: Dink Messenger version 1.2 was uploaded to Google Play without malicious functionality and had over 15 installations.
  • June 10, 2022: Dink Messenger version 1.3 was uploaded to Google Play; this version contained malicious code.
  • August 15, 2022: The Telco DB app (package name: com.infinitetechnology.telcodb) was uploaded to an alternative app store. This app, claiming to provide phone number owner information, contains malicious code, including an emulator check, fake C&C address redirection, and an additional C&C server for file exfiltration. The C&C address is not hardcoded but retrieved from a Firebase server, a tactic used to obscure the real server details. This app is assessed to be part of the eXotic Visit campaign, demonstrating a sophisticated approach to hiding and updating the C&C infrastructure.
  • August 19, 2022: The Sim Info app is uploaded to Google Play as part of the campaign. This app also claims to provide phone number owner information. It uses the same C&C server as previous samples and includes a native library. Sim Info reaches over 30 installs on Google Play, with no information available on its removal date.
  • November 8, 2022: Researchers tweeted about alphachat.apk, a malicious Android app, with its download link on letchitchat[.]info. This app was hosted on the same domain as Dink Messenger. Alpha Chat used the same C&C server and admin panel login page, but on a different port compared to Dink Messenger. It also contained the same malicious code as previous apps in the eXotic Visit campaign. The trojanized Alpha Chat app included an update to its XploitSPY-based code that implemented emulator detection. If the app detected that it was running in an emulator, it would use a fake C&C address to prevent automated malware sandboxes from identifying the actual C&C server.
  • December 15, 2022: Three more versions of the app were uploaded to Google Play, each containing the same malicious code. The final version, 1.6, was released on December 15th, 2022. Collectively, these six versions amassed over 40 installations. The removal date of the app from the store is unknown. All versions, whether with or without malicious code, were signed using the same developer certificate, indicating they were developed and published by the same malicious developer.
  • June 21, 2023: The malicious Defcom app is uploaded to Google Play. Defcom is a trojanized messaging app part of the eXotic Visit campaign, using the same malicious code and native library to connect to its C&C server. This version uses a new C&C server (zee.xylonn[.]com) but retains the same admin panel login interface. Before its removal, Defcom garnered around six installs on Google Play.
  • July 2023: The same GitHub account has been hosting new malicious Android apps with identical malicious code and command-and-control (C&C) servers. These apps are stored in five repositories under various names. However, there is no information available on how these apps are distributed to users.

Fig: Timeline of the first appearance of XploitSPY-riddled apps that are part of the malicious campaign

Attack Method
The eXotic Visit campaign gains initial access to devices by enticing victims to install fake but functional apps. Malicious apps like ChitChat and WeTalk were distributed through dedicated websites and GitHub (https[:]//github[.]com/Sojal87/). Additionally, LearnSindhi.apk, SafeChat.apk, and wechat.apk were hosted on the same GitHub account, although their distribution methods are unknown. These apps were no longer available for download from GitHub as of July 2023. New malicious apps associated with eXotic Visit, containing variants of XploitSPY code, have since appeared on the same GitHub account. The Dink Messenger and Alpha Chat apps were hosted on letchitchat[.]info, enticing victims to download and install them. Apps like Dink Messenger, Sim Info, and Defcom were once available on Google Play but were removed by Google.

Toolset
All analyzed apps associated with the eXotic Visit campaign contain customized versions of the XploitSPY malware code sourced from GitHub. From its inception in 2021 to the latest version introduced in July 2023, ongoing development efforts by Virtual Invaders have been observed. These efforts include:

  • Utilizing a fake Command and Control (C&C) server to deceive emulators.
  • Implementing code obfuscation techniques.
  • Concealing C&C server addresses by retrieving them dynamically from a Firebase server.
  • Incorporating a native library to encode and conceal C&C server details and other critical information from static analysis tools.

One specific analysis focused on the Defcom app, previously available on Google Play, which integrates the XploitSPY code alongside a unique chat feature likely developed by Virtual Invaders. Upon installation, Defcom prompts users to create an account while simultaneously attempting to retrieve the device’s location details via api.ipgeolocation.io. This information is then forwarded to a Firebase server, which serves as the messaging component’s server.

Defcom incorporates a native library named defcome-lib.so, typical in Android app development for optimizing performance and accessing system features. This native library, likely written in C or C++, is used to conceal sensitive information, such as Command and Control (C&C) server details, from static app analysis. The library employs methods that return base64-encoded strings, which are decoded by the malicious code during runtime. Although this technique is not highly sophisticated, it effectively prevents static analysis tools from extracting C&C server information.
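As an added analyst-side example (not code from the report or from the malware), the snippet below shows the static-analysis step that the base64 trick in defcome-lib.so is meant to defeat and how cheaply it can be undone: take the printable strings of a native library, pick out tokens that are well-formed base64, decode those that yield printable text, and flag any result that parses as a hostname or URL. The sample string list is constructed here; the hostnames are placeholders in the reserved .invalid TLD, not indicators from the report, and the JNI export name is hypothetical.

```python
import base64
import binascii
import re


def _b64(text):
    """Encode a placeholder the way the report says the library stores values."""
    return base64.b64encode(text.encode()).decode()


# Constructed stand-in for the printable strings of a native library (roughly
# what `strings` prints for an ELF .so). Hostnames are placeholders, not
# indicators from the report; the JNI export name is hypothetical.
SAMPLE_SO_STRINGS = [
    "Java_com_example_chat_NativeLib_getHost",
    _b64("https://c2.example.invalid:8443"),
    "GLIBC_2.17",
    _b64("chat.example.invalid"),
    "libc.so",
    "ABCDEFGH",      # valid base64 alphabet, but not valid UTF-8 once decoded
    _b64("firstrun"),
    "_ZN7android4base3LogE",
]

# Whole-token base64 (length >= 8 cuts most symbol-name false positives).
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Bare hostname or URL with optional scheme, port and path.
HOST_OR_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/\S*)?$",
    re.IGNORECASE)


def try_decode_b64(token):
    """Return decoded text if `token` is well-formed base64 whose payload is
    printable UTF-8, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def recover_encoded_strings(strings):
    """List (original_token, decoded_text, looks_like_endpoint) for every
    decodable string in the input."""
    found = []
    for s in strings:
        decoded = try_decode_b64(s.strip())
        if decoded is not None:
            found.append((s, decoded, bool(HOST_OR_URL.match(decoded))))
    return found


def candidate_c2_endpoints(strings):
    """Only the decoded values that parse as a hostname or URL."""
    return [text for _, text, is_endpoint in recover_encoded_strings(strings)
            if is_endpoint]


if __name__ == "__main__":
    for token, text, is_endpoint in recover_encoded_strings(SAMPLE_SO_STRINGS):
        print(f"{token} -> {text!r}{'  [endpoint]' if is_endpoint else ''}")
```

On the constructed input this recovers two endpoint-looking values and one unrelated string, while rejecting the symbol names and the alphabet-valid but non-text token. In practice the token list would come from running a strings extractor over the .so; the same decode-and-classify pass is why the report calls the technique effective against tools that only look for plaintext, not sophisticated against an analyst.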

Malicious Android Apps Targeting South Asian Users
Researchers have identified that the malicious apps developed by the eXotic Visit campaign were distributed through Google Play and dedicated websites, primarily targeting users in Pakistan and India. Four specific apps—Sim Info, Telco DB (com.infinitetechnology.telcodb), Shah jee Foods, and Specialist Hospital—were key targets. Sim Info and Telco DB allow users to search for SIM owner information for Pakistani mobile numbers via the dbcenteruk.com online service.

On July 8th, 2022, an app named Shah jee Foods, uploaded from Pakistan to VirusTotal, displayed a food ordering website for the Pakistan region (foodpanda.pk) upon startup. The Specialist Hospital app, found on GitHub, masquerades as an app for Specialist Hospital in India (specialisthospital.in) and requests necessary permissions before prompting users to install the legitimate app from Google Play. Although over 380 compromised accounts were identified within these apps, their geolocation remains unknown. The discovery of shared insecure code across ten apps strongly suggests they were developed by the same threat actor.

Device Control Commands
Commands for the compromised device are received from the Command and Control (C&C) server as string values. The commands include:

GB WhatsApp is an unofficial clone of WhatsApp that offers extra features and is widely popular. However, it’s not on Google Play and is typically found on download sites, where versions are often infected with malware. Despite these security risks, GB WhatsApp has a significant user base in countries like India.

Network Infrastructure

Virtual Invaders utilize ngrok as their Command and Control (C&C) server infrastructure. Ngrok is a cross-platform tool used by developers to expose local development servers to the internet. It creates a tunnel connecting local machines to ngrok servers, enabling users (in this case, attackers) to reserve specific IP addresses or redirect victims to the attackers’ domain on specific ports.
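The following is an added example, not part of the original report, of the network-side check a defender would build from this section and from the tactical recommendation to alert on the listed domains: refang the defanged indicators quoted in this report (letchitchat[.]info, zee.xylonn[.]com, chitchat.ngrok[.]io), then scan resolver logs for queries to those names or their subdomains, and separately flag any hostname issued under an ngrok tunnel domain. The DNS log lines are constructed; ngrok.io is the tunnel domain named in the report, and the other tunnel domains listed are an assumption about ngrok's current offerings.

```python
import re

# Defanged domains exactly as they appear in the report text above.
DEFANGED_IOCS = ["letchitchat[.]info", "zee.xylonn[.]com", "chitchat.ngrok[.]io"]

# Domains under which ngrok hands out tunnel hostnames. ngrok.io is named in
# the report; the others are an assumption about ngrok's current tunnel domains.
NGROK_TUNNEL_DOMAINS = ("ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok.dev")

# Constructed resolver log: timestamp, client IP, record type, queried name.
DNS_LOG = """\
2024-04-15T10:02:11Z 10.0.0.12 A www.example.com
2024-04-15T10:02:15Z 10.0.0.12 A chitchat.ngrok.io
2024-04-15T10:03:40Z 10.0.0.27 A api.letchitchat.info
2024-04-15T10:04:02Z 10.0.0.31 A 1a2b-203-0-113-7.ngrok-free.app
2024-04-15T10:05:19Z 10.0.0.12 A ngrok.com
"""


def refang(ioc):
    """Turn the report's defanged notation back into a resolvable name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def _is_under(name, parent):
    """True for the domain itself and any subdomain of it."""
    return name == parent or name.endswith("." + parent)


def is_ngrok_tunnel(name):
    """A host *below* a tunnel domain (e.g. abc123.ngrok.io). The bare vendor
    domains such as ngrok.com or ngrok.io itself are not tunnels."""
    name = name.lower().rstrip(".")
    return any(name != d and name.endswith("." + d) for d in NGROK_TUNNEL_DOMAINS)


def analyze_dns_log(log_text, defanged_iocs=DEFANGED_IOCS):
    """Return one hit per log line that touches an IoC or an ngrok tunnel,
    with the reasons recorded so an analyst can triage them separately."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or empty line
        qname = fields[-1].lower().rstrip(".")
        reasons = []
        if any(_is_under(qname, ioc) for ioc in iocs):
            reasons.append("ioc-match")
        if is_ngrok_tunnel(qname):
            reasons.append("ngrok-tunnel")
        if reasons:
            hits.append({"time": fields[0], "client": fields[1],
                         "domain": qname, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze_dns_log(DNS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['domain']} {','.join(hit['reasons'])}")
```

The two reasons are kept apart on purpose: an IoC match is specific to this campaign and warrants blocking, whereas an ngrok tunnel hostname is also produced by legitimate developer use, so it is a review item in line with the report's "alert on, and upon review consider blocking" recommendation. The IoC matcher covers subdomains as well, since the timeline shows the actors reusing a parent domain across several apps.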

INSIGHTS

  • XploitSPY is a sophisticated Android malware known for its advanced obfuscation techniques and anti-analysis mechanisms, which make it difficult to detect and analyze. This malware is capable of enumerating installed applications on a victim’s device and browsing through device files, enabling the exfiltration of specific files of interest. Additionally, XploitSPY exhibits spyware traits, allowing it to access the device’s camera to capture photos and use the microphone to record audio without the user’s awareness.
  • The espionage campaign utilizing the XploitSPY malware is characterized by the distribution of seemingly legitimate apps that actually harbor hidden malicious functionality. Over time, the campaign has evolved with advanced tactics such as obfuscation, emulator detection, and methods to conceal command-and-control (C&C) infrastructure, enhancing its ability to evade detection and analysis by security tools. The primary objective of this campaign appears to be espionage, focusing on users in specific regions like Pakistan and India.
  • The eXotic Visit campaign demonstrates a concerning aspect of malicious app distribution through Google Play. Despite Google’s efforts to maintain a secure app ecosystem, threat actors have managed to upload malicious apps disguised as legitimate services to the platform. These apps, posing as messaging or utility applications, have been able to bypass initial security checks and gain limited traction with low installations on Google Play. However, the distribution through Google Play adds an element of credibility and ease of access, potentially luring unsuspecting users into downloading and using these apps.

ETLM ASSESSMENT

  • From the ETLM perspective, CYFIRMA anticipates that the eXotic Visit campaign underscores the evolving sophistication of cybersecurity threats, particularly the infiltration of malicious apps targeting Android users. With its use of customized malware like XploitSPY, this campaign’s adaptable tactics, including obfuscation, anti-analysis mechanisms, and the use of GitHub for distribution, suggest a growing threat landscape. Future impacts may include heightened data breaches and the compromise of sensitive business information stored on employees’ devices, potentially leading to intellectual property theft, customer data exposure, and operational disruptions. The campaign’s focus is currently on South Asia, but the capabilities of the malware and the use of customized versions of open-source code indicate that cybercriminals and threat actors have the potential to leverage the malware to expand their attack surface to other geographies such as East Asia, Southeast Asia, Europe, and the Americas, targeting organizations.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – DragonForce Ransomware, Hunters International Ransomware | Malware – XploitSPY
  • DragonForce Ransomware – One of the ransomware groups.
  • Hunters International Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – XploitSPY
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

LightSpy: A State-Sponsored Threat Resurfaces for Espionage in Southern Asia

  • Threat Actors: Chinese Threat Actor Possibly APT41
  • Attack Type: Possibly Watering-hole Attack
  • Objective: Espionage
  • Target Technology: iOS
  • Target Geographies: Southern Asia
  • Target Industries: Media, Government & NGOs
  • Business Impact: Data Loss, Data exfiltration

Summary:
The sophisticated group of native Chinese speakers believed to be behind LightSpy are suspected to have ties to state-sponsored activity, potentially working for the Chinese government. This inference is supported by infrastructure and functionality overlaps observed between the LightSpy malware and that used by MISSION2025, also known as APT41, a Chinese state-sponsored threat actor. These connections raise significant concerns about the geopolitical implications and motives behind the LightSpy campaign. The primary objective of the LightSpy campaign is espionage, with a focus on exfiltrating sensitive information from high-profile targets such as politicians, CEOs, journalists, activists, and diplomats. This includes personal data, financial information, and location tracking.

LightSpy utilizes advanced mobile spyware techniques, employing a modular framework with capabilities such as file theft, audio recording, data harvesting, and system access. The attack involves a multi-stage process, likely initiated through compromised news websites. The malware primarily targets iOS devices, particularly Apple iPhones and iPads. It possesses modules designed to exfiltrate data from popular messenger applications like QQ, WeChat, and Telegram, as well as accessing device information, browser history, and media files.

The campaign primarily targets individuals in Southern Asia. Previous campaigns have been associated with escalating political tensions, such as those in Hong Kong. The targets of LightSpy are diverse, including politicians, CEOs, journalists, activists, and diplomats. This suggests that a wide range of industries and sectors are vulnerable to this espionage campaign.

The resurgence of LightSpy poses a significant threat due to its sophisticated modular capabilities and potential geopolitical implications. Victims risk exposure to personal and sensitive information, leading to potential security breaches, reputational damage, and compromise of confidential data. The ongoing nature of these attacks underscores the need for heightened cybersecurity measures and vigilance among high-profile individuals and organizations.

Relevancy & Insights:
The suspected state-sponsored activity behind LightSpy, coupled with past infrastructure and functionality overlaps with MISSION2025 aka APT41, suggests potential Chinese government involvement. This threat has previously targeted IT services, telecom, and healthcare industries, with a focus on facilitating surveillance operations and cooperating in espionage campaigns, including hacker-for-hire activities. The historical impact analysis within Telecommunications & Media underscores the severity of the threat, particularly affecting telecommunication devices and services, as well as marketing and advertising organizations. The cyber espionage campaign in South Asia, deploying LightSpy, posed significant risks, showcasing an agile approach to surveillance framework deployment in the region. This highlights the pressing need for heightened cybersecurity measures and international cooperation to effectively mitigate the threat.

ETLM Assessment:
The threat actor behind LightSpy, suspected to be a sophisticated group of native Chinese speakers possibly working for the Chinese government, poses a significant challenge in the external threat landscape. With reported infrastructure and functionality overlaps with the notorious APT41 group, there are concerning implications for industries targeted by both entities. While the initial focus of the LightSpy campaign has been on IT services, telecommunications, healthcare, and media, organizations must be wary of potential geographical expansions. Despite starting predominantly in Southern Asia, particularly India, the threat actor’s motives could drive them to widen their scope to other strategic targets in the region. Therefore, proactive measures and heightened cybersecurity efforts are imperative for organizations globally to mitigate the risks posed by this dynamic threat landscape.

Recommendations:

  • Strengthen Cybersecurity Measures: Organizations should enhance their cybersecurity posture by implementing robust security protocols, such as regular software updates, network segmentation, and access controls, to prevent unauthorized access and data breaches.
  • Conduct Regular Security Audits: Regular security audits and assessments should be conducted to identify vulnerabilities and weaknesses in systems and networks. This proactive approach allows organizations to address potential risks before they are exploited by threat actors.
  • Employee Training and Awareness: Educating employees about the risks of phishing attacks, social engineering tactics, and the importance of cybersecurity hygiene is crucial. Training programs should be conducted regularly to ensure that staff remain vigilant and capable of identifying and reporting suspicious activities.
  • Implement Endpoint Protection: Deploying advanced endpoint protection solutions, such as antivirus software, intrusion detection systems, and endpoint detection and response (EDR) tools, can help detect and mitigate threats targeting endpoints, including mobile devices.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Ukraine-linked Hackers Targeting Russian Infrastructure Company
Researchers have recently published findings on a strain of ICS malware dubbed “Fuxnet” which was reportedly deployed by Ukraine-linked hackers against a Moscow-based company that manages underground water and communications infrastructure called Moscollector. The “Blackjack” hacking group claimed responsibility for the attack and said it was able to damage 87,000 remote sensors and IoT devices used by the utility company. This claim is deemed to be exaggerated by researchers, but the malware does appear to have bricked at least 500 sensor gateways. If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs and must be either replaced or have their firmware individually reflashed.

ETLM Assessment:
Russia has been attempting to destabilize Ukrainian energy infrastructure in a massive kinetic campaign for the last couple of months with the apparent aim of destroying the Ukrainian grid and power sources beyond repair. After much deliberation and over the well-publicized grumbling by the Western partners, Ukraine is now trying to retaliate in kind, targeting Russian oil refineries and export infrastructure with further cyber-attacks on critical infrastructure in Russia, trying to deter Russia from further attacks on its infrastructure by punishing retaliation. So far there are no signs that the Kremlin got the memo, and we are likely to see further escalation of cyberattacks on critical infrastructure, which may very well spread beyond the two warring nations.

Heritage Foundation Discloses Cyberattack
The Heritage Foundation, a Washington, DC-based think tank focused on conservative policy, sustained a cyberattack according to media reports. A Heritage Foundation official told the media that a nation-state actor was likely responsible, but the nature of the attack hasn’t been disclosed. Nation-state actors frequently target think tanks for cyberespionage purposes, and the Heritage Foundation itself was hit by a separate breach in 2015.

ETLM Assessment:
Influential think tanks are attractive targets for intelligence gathering by all government-sponsored actors, as they are perceived to be close to policy-making circles and are thus in a position to influence the intelligence and policy communities. This campaign should be regarded as a classic case of state-driven espionage, with many similar ones possibly underway. The Heritage Foundation is perceived by many analysts as the future policy-making center should Donald Trump win the next presidential election in the United States, and gaining insight into the inner workings of the institute could put all governments, but especially North Korea, Russia, and China, “in the loop” of the highest decision-making circles in the US, with profound impact on policymaking. Think tanks typically do not have the cyber defense resources and established best practices that government offices do and are thus the soft underbelly for counterintelligence, which is especially the case with the Heritage Foundation. The organization was singled out because Chinese and other actors see it as the place from which an upcoming Trump administration would draw many loyal cadres to implement the policies envisioned by the think tank.

Rise in Malware/Ransomware and Phishing

The DragonForce Ransomware Impacts The MajuHome Concept

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Malaysia
  • Ransomware: DragonForce Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Malaysia (www[.]majuhome[.]com[.]my) was compromised by the DragonForce Ransomware. MajuHome Concept has been one of the favourite brands of Malaysian consumers when it comes to furniture solutions that are of good quality and come with the latest and trendy designs. The compromised data includes confidential and sensitive information crucial to the organization’s operations. The total size of the compromised data stands at 6.84 gigabytes.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • A comparatively new strain of ransomware known as DragonForce has made headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce tries to extort money from its victims in two ways – locking companies out of their computer systems through encryption, and exfiltrating data with the intention of releasing it to others through the dark web.
  • The DragonForce Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Australia, Argentina, and Switzerland.
  • The DragonForce Ransomware group primarily targets industries, such as Restaurants & Bars, Electronic Equipment, Health Care Providers, Government Agencies, and Heavy Construction.
  • Based on the DragonForce Ransomware victims list from 1 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by DragonForce Ransomware from 1 Jan 2023 to 17 April 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that DragonForce Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on MajuHome Concept, a prominent Manufacturing company located in Malaysia, underscores the extensive threat posed by this particular ransomware strain in the Southeast Asia region.

The Hunters International Ransomware impacts the Chicony Electronics

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Taiwan
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Taiwan (www[.]chicony[.]com) was compromised by the Hunters International Ransomware. Chicony Electronics Co., Ltd. is a Taiwan-based multinational electronics manufacturer. Its product lineup includes input devices, power supplies, and digital image products. Chicony Electronics offers desktop keyboards, mobile keyboards, digital cameras, personal computer cameras, integrated webcams, and digital video cameras. It has also been a well-known manufacturer of motherboards for personal computers and notebooks. Chicony Electronics has operations in Australia, Brazil, Canada, China, the Czech Republic, Germany, Ireland, Japan, Mexico, the Philippines, Singapore, Thailand, Taiwan, the United Kingdom, and the United States. The compromised data holds confidential and sensitive information pertaining to the organization. In total, the compromised data amounts to 1.2 terabytes.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a ransomware that targets Windows and Linux environments and adds the .LOCKED extension to encrypted files on the victim machine once the group has completed data exfiltration.
  • We observed that Hunters International emerged recently as a ransomware-as-a-service (RaaS) operation and is believed to be a rebrand of the Hive ransomware gang, a theory based on overlaps in the malware code.
  • Hunters International Ransomware group primarily targets countries such as the United States of America, Italy, Mexico, Japan, and Bulgaria.
  • Hunters International Ransomware group primarily targets industries, including Health Care Providers, Industrial Machinery, Computer Services, Apparel Retailers, and Medical Equipment.
  • Based on the Hunters International Ransomware victims list from 1 April 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1 Jan 2023 to 17 April 2024 are as follows:

ETLM Assessment:
Based on CYFIRMA’s assessment, there is a persistent targeting of global companies by the Hunters International Ransomware, as depicted in the accompanying graph. However, recent incidents, such as the attack on Chicony Electronics, highlight the susceptibility of other prominent Manufacturing entities to similar targeting. These events emphasize the dynamic nature of the threat landscape, necessitating heightened vigilance among organizations across different sectors to mitigate the risks associated with ransomware attacks. The attack on Chicony Electronics also highlights ransomware groups’ interest in Asian organizations that are financially strong in the region with exploitable vulnerabilities.

Vulnerabilities and Exploits

Vulnerability in PHP

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Scripting language
  • Vulnerability: CVE-2024-1874 (CVSS Base Score 9.8)
  • Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command

Summary:
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

Relevancy & Insights:
The vulnerability exists due to improper input validation when processing the array-form $command parameter of proc_open. A remote attacker can pass specially crafted input to the application and execute arbitrary OS commands on the target system.
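The following is an added illustration (not code from the PHP project or from the CYFIRMA report) of the weak pattern the insight above describes, namely handing request-controlled values straight to the array form of proc_open, beside a hardened wrapper that allowlists every argument and refuses to launch command interpreters or batch files. The helper names runToolUnsafe, runTool and isSafeArgument, and the tool name convert-tool, are assumptions made for the example.

```php
<?php
// Added example (hypothetical helpers, not the PHP project's own code).
declare(strict_types=1);

// Weak pattern: the caller assumes the array form of proc_open neutralises
// everything in $userArg. CVE-2024-1874 showed that handling of array-form
// arguments was insufficient, so a request value should never reach the
// call unchecked.
function runToolUnsafe(string $userArg): string
{
    $descriptors = [1 => ['pipe', 'w']];
    $proc = proc_open(['convert-tool', $userArg], $descriptors, $pipes); // unchecked input
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Hardened pattern, part 1: a strict allowlist for each argument.
// Only letters, digits, dot, underscore and dash, at most 64 characters,
// and no leading dash (most tools would parse that as an option).
function isSafeArgument(string $arg): bool
{
    return $arg !== ''
        && $arg[0] !== '-'
        && preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $arg) === 1;
}

// Hardened pattern, part 2: validate before proc_open, and never let the
// target be a shell or a batch file, since those re-parse their arguments.
function runTool(string $executable, array $args): string
{
    $interpreters = ['cmd', 'cmd.exe', 'sh', 'bash', 'powershell', 'powershell.exe'];
    $base = strtolower(basename($executable));
    if (in_array($base, $interpreters, true) || preg_match('/\.(bat|cmd)\z/', $base) === 1) {
        throw new InvalidArgumentException("refusing to invoke interpreter or batch file: $executable");
    }
    foreach ($args as $arg) {
        if (!is_string($arg) || !isSafeArgument($arg)) {
            throw new InvalidArgumentException('argument rejected by allowlist');
        }
    }
    $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge([$executable], $args), $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: a plain filename passes the allowlist, a value
// containing shell metacharacters is rejected before any process starts.
var_dump(isSafeArgument('report-2024.txt')); // bool(true)
var_dump(isSafeArgument('a & b'));           // bool(false)
var_dump(isSafeArgument('-verbose'));        // bool(false)
```

Patching PHP remains the actual fix; the allowlist is defence in depth for application code that must run external tools on user-supplied names.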

Impact:
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Affected Products:
https[:]//www[.]php[.]net/ChangeLog-8.php

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
PHP, extensively used in web development, server-side scripting, and automation, has the potential to impact diverse industries such as technology, e-commerce, finance, healthcare, and education. Its broad application range extends beyond these sectors, potentially disrupting systems and exposing them to security threats across the globe.

Latest Cyber-Attacks, Incidents, and Breaches

8Base Ransomware attacked and Published data of Inno-soft Info Systems Pte Ltd

  • Threat Actors: 8Base Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Singapore
  • Target Industry: Information Technology
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that 8Base Ransomware attacked and published data of Inno-soft Info Systems Pte Ltd on its dark web website. Inno-soft Info Systems Pte Ltd (www[.]inno-soft[.]com[.]sg) is a prominent technology company based in Singapore, renowned for its innovative solutions and cutting-edge services. Established with a vision to revolutionize the technological landscape, Inno-soft has been a key player in Singapore’s thriving tech industry. The breached data encompasses a broad spectrum of sensitive information, comprising invoices, receipts, accounting documents, personal data, certificates, employment contracts, a significant volume of confidential information, confidentiality agreements, personal files, and various other critical documents.

Source: Dark Web

ETLM Assessment:
The 8Base ransomware group first emerged in March 2022 and swiftly gained notoriety, exhibiting a notable surge in activity throughout 2023 and early 2024. Though their ransom demands remain undisclosed, they employ double extortion tactics, leveraging exfiltrated data for additional leverage. Operating with remarkable sophistication, 8Base employs advanced security evasion techniques and primarily targets Windows systems, with a particular focus on sectors including business services, manufacturing, finance, and information technology. Continuous assessments conducted by CYFIRMA indicate that 8Base ransomware has set its sights on Southeast Asian Nations, driven by a relentless pursuit of substantial financial gains through ransomware operations.

Data Leaks

TELKOM data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Telecommunication
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to TELKOM, {www[.]telkom[.]co[.]id} in an underground forum. PT Telkom Indonesia (Persero) Tbk (Telkom) is a state-owned information and communications technology enterprise and telecommunications network in Indonesia. The dataset available for sale contains personal information such as names, profile photos, status updates, comprehensive data, birthplaces, and other confidential and sensitive details. The asking price for this data is $345.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Sedapmalam’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by ‘Sedapmalam’ typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

MyRepublic Indonesia data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Telecommunication
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data sale related to MyRepublic Indonesia, {www[.]myrepublic[.]co[.]id} in an underground forum. MyRepublic is an ISP / Mobile carrier based in Singapore. MyRepublic is one of the fastest growing telecom operators in the Asia-Pacific. MyRepublic has operations across Singapore, Indonesia, New Zealand, and Australia, and is set to expand further into the region. A threat actor has successfully breached the Indonesian subsidiary of MyRepublic, gaining unauthorized access to the entire customer database. The compromised data includes sensitive information such as names, email addresses, phone numbers, billing addresses, and NIK (National Identification Numbers), which are unique identifiers for Indonesian citizens, akin to driver’s licenses or ID numbers in the USA. This valuable trove of personal information is now being offered for sale at the price of $2,500.

Source: Underground Forums

ETLM Assessment:
The emergence of a threat actor, identified as “abyss0,” has brought to light concerning financial motives, as evidenced by the active dissemination of data from MyRepublic Indonesia in an underground forum. This data breach includes a variety of sensitive information, such as personally identifiable information (PII), financial records, and other confidential data. This breach not only jeopardizes the security and integrity of MyRepublic Indonesia but also poses a significant risk to the affected individuals whose data has been compromised. It emphasizes the urgent need for organizations to bolster their cybersecurity defenses and implement robust measures to safeguard sensitive information against such malicious threats.

Other Observations

CYFIRMA Research team observed a potential data leak related to Space-Eyes, {www[.]Space-Eyes[.]com}. Space-Eyes provides on-demand tasking to a Synthetic Aperture Radar satellite. Its collections across all weather and lighting conditions are integrated with contextual data and analysed automatically for threats in the maritime domain. Space-eyes.com suffered a data breach that exposed highly confidential documents related to their services for national security within the US government.
Space-eyes customers include:

  • US Department of Justice
  • US Department of Homeland Security
  • US Navy / Army / Air Force
  • Defence Science and Technology Agency
  • US Space Force
  • National Geospatial-Intelligence Agency

A threat actor group known as CyberNiggers is attributed to the data breach at Space-eyes.

Source: Underground forums

ETLM Assessment:
CyberNiggers threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.