Self Assessment

Weekly Intelligence Report – 19 Jan 2024

Published On : 2024-01-19
Share :
Weekly Intelligence Report – 19 Jan 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows
Target Industries: Agriculture, Accessories, Accounting Services, Business Services, Customer Services, Construction, E-Commerce, Education, Energy, Finance, Government, Law Firms, Healthcare, Hospitality, Manufacturing, Media, Non-Profit Organizations, Retail, Software, Telecommunications, Transportation.
Target Geography: Argentina, Australia, Belgium, Brazil, Canada, Colombia, Chile, France, India, Italy, Japan, Malaysia, New Zealand, Spain, South Africa, Slovakia, Turkey, United Kingdom, United States.

CYFIRMA Research and Advisory Team has found Medusa ransomware in the wild while monitoring various underground forums as part of our Threat Discovery Process.

Medusa ransomware appeared in late 2022 and became well-known in early 2023. It specifically goes after Windows systems. It’s important to note that Medusa is not the same as another ransomware called MedusaLocker, which has been around since 2019.

Medusa encrypts data, adds the “.MEDUSA” extension to encrypted filenames, and places a ransom note in a file named “!!!READ_ME_MEDUSA!!!.txt.”

Screenshot of a Files Encrypted by Medusa Ransomware. (Source: Surface Web)

Medusa ransomware ransom note. (Source: Surface Web)
Tools and techniques used by Medusa ransomware actors that were discovered during a recent incident:

Medusa ransomware operators were seen uploading a webshell to a Microsoft Exchange Server that had been compromised.
After engaging in webshell activity, threat actors employed PowerShell to initiate a bitsadmin transfer from a file hosting site known as filemail[.]com. The downloaded file from this site was a ZIP archive named baby[.]zip. Upon decompression and execution, it installed remote monitoring and management (RMM) software called ConnectWise.

The operators of the Medusa ransomware deployed two kernel drivers, each designed to target distinct sets of security products. These kernel drivers were safeguarded using a software protector named Safengine Shielden. The Safengine Shielden protector applied code obfuscation techniques by randomizing the code through various mutations.

Additionally, it utilized an embedded virtual machine interpreter to execute the obfuscated code.

Each of the drivers was coupled with its loader. These loaders underwent packing using a tool known as ASM Guard. The packed loaders employed a deceptive UPX header, along with subsequent addresses positioned adjacent to the fabricated UPX bytes.

In the resource section, there are numerous references to ASM Guard, fake WINAPI imports, and various other junk paddings, as shown in the figure below.

The resource section of the driver loader is packed with ASM Guard. (Source: Surface Web)

The primary objective of both drivers is to contain a list of security endpoint products to target for termination or deletion.

The comparison operation involves utilizing a fixed list of string names corresponding to security products, as depicted in the figure below. This list is then compared against the processes currently running on a system.

First driver targeting list of security processes for termination. (Source: Surface Web)

If the system identifies a running process with a name matching any of the predetermined security tool process names, an undisclosed IOCTL code (0x222094) is employed to terminate that process, as illustrated in the figure below. The key distinction between the two drivers lies in their utilization of file paths and the specific IOCTL (0x222184). This IOCTL, based on the provided file path, facilitates the deletion of the corresponding file.

The second driver targeting file paths and list of processes. (Source: Surface Web)
The threat actors are employing a unique approach by utilizing the portable version of Netscan. They have paired it with an associated netscan.xml file, enhancing the software’s overall functionality right from the start. This enhanced functionality encompasses diverse types of remote service discovery and preconfigured mappings for actions like PsExec.

Additionally, it facilitates the deployment of the ransomware binary.

Many options are available from the custom configuration related to the following:

  • WMI
  • Registry
  • Services
  • Files
  • SNMP
  • Account groups
  • XML
  • SSH
  • PowerShell

The capabilities of the tool VBScript and JScript.

Remote scripts utilize Cyrillic script, but they are translated into English. This translation indicates that the preferred language of the creator and users of the configuration are English speaking individuals.

After completing a network scan, the operator of the tool can right-click on a device listed in the results, revealing numerous custom point-and-click options on a remote system, as illustrated in below figure. The menu options in figure, concluding with “Gaze,” adhere to a naming convention employed by Medusa ransomware. This provides insights into a technique for deploying the Medusa ransomware, as indicated by the associated ransomware binary.

Medusa ransomware configuration. (Source: Surface Web)

A consistent theme within the Medusa ransomware binary aligns with the mythology of Medusa herself, notably the utilization and incorporation of the term “gaze” in the debug path within PEStudio. This thematic pattern extends to the binary’s name and the naming convention applied in the netscan.xml configuration file.

The Medusa ransomware can be run with 11 possible arguments, as shown below.

(Source: Surface Web)

Executing a recent Windows executable sample with the -V argument reveals that the sample is identified as version 1.20, as depicted in the figure below. This versioning system indicates a development cycle for the ransomware. One of the earliest publicly observed instances of the ransomware binary, uploaded in February 2023, corresponds to version 1.10, as indicated by its SHA-256.

Ransomware sample version. (Source: Surface Web)

The ransomware binary employs string encryption for the following functions:

  • Targeted services
  • Targeted processes
  • File extension allowlist
  • Folder path allowlist

The ransomware employs RSA asymmetric encryption to safeguard the AES256 key, which, in turn, is utilized for encrypting a victim’s files. The AES256 key is established using a 32-byte key along with a 16-byte initialization vector.

While enumerating and encrypting files, the sample steers clear of files with the following extensions:

  • .dll
  • .exe
  • .lnk
  • .medusa

The following is the list of folder paths that the ransomware skips:

  • \Windows\
  • \Windows.old\
  • \PerfLogs\
  • \MSOCache\
  • G_skp_dir
  • Program Files
  • Program Files (x86)
  • ProgramData.

The ransomware executes various vssadmin-related operations and delete itself using the following commands to hinder recovery and forensic efforts:

  • vssadmin Delete Shadows /all /quiet
  • vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  • vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  • cmd /c ping localhost -n 3 > nul & del

Researchers observed a significant increase in ransomware activities, marked by the launch of the new Medusa Blog accessible through TOR on an .onion site in early 2023. This platform serves as a means for the perpetrators to expose sensitive data of victims who resist complying with their ransom demands.

Additionally, the group has incorporated links to Telegram and X (formerly known as Twitter) on the Medusa Blog site. The Telegram channel utilized by Medusa is named “information support” and is employed to disseminate and publish data exfiltrated by the group. Conversely, the link to X directs to a search result page for “Medusa ransomware.”

Countries targeted by Medusa. Relevancy & Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Recent targeted victims of this ransomware include Non-Profit Organizations in the US. Agriculture Sector in Belgium.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • Top targeted Sectors by Medusa Ransomware in the last 3 Months include Healthcare, Manufacturing, and Education.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Top 5 Nations targeted by Medusa in the last 3 Months.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1059: Command and Scripting Interpreter
T1106: Native API
T1129: Shared Modules
2 TA0003: Persistence T1543.003: Create or Modify System Process: Windows Service
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3 TA0004: Privilege Escalation T1543.003: Create or Modify System Process: Windows Service
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
4 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1036: Masquerading
T1070.004: Indicator Removal: File Deletion
T1140: Deobfuscate/Decode Files or Information
T1222: File and Directory Permissions Modification
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.001: Hide Artifacts: Hidden Files and Directories
T1564.003: Hide Artifacts: Hidden Window
5 TA0006: Credential Access T1056: Input Capture
6 TA0007: Discovery T1010: Application Window Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1135: Network Share Discovery
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1518.001: Software Discovery: Security Software Discovery
T1614: System Location Discovery
7 TA0009: Collection T1056: Input Capture
T1560: Archive Collected Data
8 TA0011: Command and Control T1090: Proxy
9 TA0040: Impact T1486: Data Encrypted for Impact
T1489: Service Stop
T1490: Inhibit System Recovery

ETLM Assessment:
CYFIRMA’s assessment, relying on the available information about the Medusa ransomware, suggests that the threat is poised to evolve further in sophistication. Future iterations are likely to incorporate advanced evasion tactics, heightened focus on specific sectors and regions, and potentially more intricate methods for disseminating exfiltrated data. Moreover, the ransomware’s persistence mechanisms and anti-detection measures are anticipated to undergo further refinement, presenting continuous challenges for Organizations. Organizations should prioritize robust cybersecurity measures and remain vigilant against emerging variants.

Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense_evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘diskshadow.exe’ selection1_cli:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the
    compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Trojan/Hacktool
Objective: Infiltration, Credential Harvesting
Target Technology: Cloud, SaaS, Web Services & Payment Services (AWS, Office365, PayPal, Sendgrid, and Twilio)

Active Malware of the Week
This week“FBot”is trending.

Researchers have identified a new Python-based malware called FBot designed to target cloud and payment services. This sophisticated tool allows threat actors to compromise various web services, including Amazon Web Services (AWS), Office365, PayPal, Sendgrid, and Twilio. FBot stands out from other malware like AlienFox, Predator, Greenbot, and Legion as it does not utilize the Androxgh0st code.

FBot’s primary purpose is to facilitate the hijacking of cloud, SaaS, and web services, with a secondary focus on acquiring accounts for spamming attacks. The tool offers features for credential harvesting, allowing actors to gain initial access, which can be sold to other parties. Additionally, FBot includes various utilities such as an IP address generator, port scanner, and an email validator that leverages an Indonesian technology service provider.

FBot’s AWS Attack Functions
FBot focuses on AWS account attacks with three dedicated functions.

  • aws_generator
  • aws_checker
  • ec_checker

The first function, aws_generator, creates a random AWS access key ID by appending 16 randomly selected alphabetic characters to the standard AKIA prefix. Subsequently, it generates a secret key using 40 randomly selected alphabetic characters. Despite not incorporating Androxgh0st modules, FBot shares a feature with the Legion stealer and an older Androxgh0st variant. This feature, identified in research, remains unchanged and is deemed unlikely to effectively brute force account credentials due to the vast number of potential combinations of access key and password.

The second AWS feature in FBot is the Mass AWS Checker, managed by the aws_checker function. This function examines AWS Simple Email Service (SES) email configuration details, including the maximum send quota and rate, as well as the number of messages sent in the past 24 hours. It also creates a new user account and associates the AdministratorAccess policy to elevate privileges for the new account, possibly for maximizing spamming efforts. Unlike other cloud attack tools, FBot does not delete the compromised account used for gaining access.

The third AWS feature is an AWS EC2 Checker, specifically focused on obtaining the EC2 VCPU Limit. The ec_checker function reads AWS identities from a text file and checks the targeted account’s EC2 service quotas. The tool provides information on the account’s EC2 configurations and capabilities, detailing the types of EC2 instances that can run. The script iterates through specified AWS regions, performs queries for each region, and logs the results to a text file.

Payment Services Exploitation: PayPal Validator
FBot includes features targeting payment services and SaaS configurations. One such feature is the PayPal Validator, managed by the paypal_validator function. This function validates PayPal account status by contacting a hardcoded URL with an email address from an input list, using the email in the customer details section to determine if it is associated with a PayPal account.

Notably, all identified FBot samples utilize the Lithuanian fashion designer’s retail sales website(hxxps[:]//www[.]robertkalinkin[.]com/index[.]php) for authenticating PayPal API requests, and several Legion Stealer samples also employ the same approach. The PayPal Validator feature crafts requests to this site, including a fake item ID and fabricated customer details, and then parses the response to determine the success status.

FBot’s SaaS Focus: Sendgrid and Twilio Exploits
FBot extends its targeting to various SaaS platforms such as Sendgrid and Twilio. For Sendgrid, there is a feature named Sendgrid API Key Generator, producing keys with a specific format. The Twilio feature involves taking the Twilio SID and Twilio Auth Token as input, separated by a pipe. This function checks the SID and auth token combination, retrieving details about the account, including balance, currency, and a list of phone numbers connected to the account.

Web Framework Features
FBot comes equipped with functionalities to verify whether URLs contain a Laravel environment file and to extract credentials from these files. The Hidden Config Scanner feature accepts a URL as input and constructs an HTTP GET request to multiple PHP, Laravel, and AWS-related URIs, where configuration values, including credentials, might be stored, including:

The response is analyzed for keys and secrets associated with the following services, and the outcome is recorded in a text file.

FBot extends its focus to various popular Content Management Systems (CMS). The cms_scanner function utilizes a map of CMS and web frameworks to corresponding regular expressions (regex) linked to the service. The tool generates a request to the specified URL and analyzes the response for the presence of the following technologies:

FBot relies on configuration values provided through a configuration file or headers, and FBot has a version compiled as a Windows executable. The consistent use of the handle “iDevXploit” as the author is observed across all samples, with the aws_checker function leaving artifacts in targeted AWS consoles. FBot’s username and password are uniform in new AWS account creations. Unlike similar cloud hacktools, FBot lacks references to the Androxgh0st code present in tools like AlienFox, GreenBot, and Predator. While both Androxgh0st and FBot share a similar logic of parsing environment configuration files for credentials related to mail and cloud services, their implementations differ, indicating no direct code borrowing. There is notable similarity with the Legion cloud infostealer in how both tools scrape URLs for PHP configuration. However, FBot is smaller and less feature- rich than Legion, with FBot samples averaging around 200 KB, while Legion ranges from 800-1200 KB in size.


  • FBot, a Python-based Malware, stands out for its systematic targeting of critical infrastructures, including web servers, cloud services, CMS, and prominent SaaS platforms like AWS, Microsoft 365, PayPal, Sendgrid, and Twilio. The utility’s primary aim is to compromise these services by acquiring credentials, emphasizing unauthorized access, and subsequent monetization through the sale of credentials to other malicious actors. The tool’s distinctiveness lies in its modest footprint, suggesting a potential origin in private development.
  • Threat actors can leverage FBot’s credential harvesting features to gain initial access and exploit these credentials for transactions with other parties. FBot’s distinctive approach, using a Python-based hacking mold, sets it apart within the realm of cloud malware families, allowing it to target a broad-spectrum encompassing web server, cloud services, and SaaS platforms. This underscores FBot’s versatility and potential impact across diverse online environments.
  • FBot stands out from other cloud infostealers as researchers cannot pinpoint a dedicated distribution channel for the tool, in contrast to many being sold on Telegram. Despite references to the retired Telegram channel buffer_0x0verfl0w, researchers suggest FBot is likely a product of private development. This implies that contemporary builds may be distributed through smaller, more discreet operations. This aligns with the trend of cloud attack tools being custom-built “private bots” tailored for individual buyers, resembling the approach seen in AlienFox builds.

From the ETLM perspective, CYFIRMA anticipates that FBot’s persistent targeting of critical infrastructures, including web servers, cloud services, and SaaS platforms, suggests a continuing threat to organizational cybersecurity. As it refines its capabilities, the potential for unauthorized access and credential exploitation may increase, posing heightened risks to the affected organizations. The adaptability demonstrated by FBot, along with its potential ties to private development, indicates an ongoing evolution that may lead to more sophisticated and targeted attacks in the future.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Actively monitor the infrastructure for potential exploitation attempts and respond accordingly.


  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or
  • related compliance issues.

  • Employ User and Entity Behavior Analytics (UEBA) in tracking, collecting, and analyzing of user and machine data to detect threats within an organization.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Rhysida Ransomware | Malware – FBot
  • Rhysida Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – FBot
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Guarding Against Cyber Threats: Analysing a Surge in Android Malware Attacks

  • Threat Actors: Unknown
  • Attack Type: Social Engineering
  • Objective: Financial Gains
  • Target Technology: Android
  • Target Geographies: China
  • Target Industries: Banking Sector
  • Business Impact: Data Loss, Data exfiltration

In a recent observation, researcher have uncovered a series of malicious Android Package Kit (APK) files targeting Chinese users, orchestrating a sophisticated financial fraud scheme. The threat actors, posing as law enforcement officials, manipulate victims into downloading a deceptive app, leading to the theft of sensitive information and subsequent draining of bank accounts.

This malicious APK activity first appeared on our radar in November 2022, with a surge in delivery attempts more than 717 times in September 2023 after months of dormancy. The attackers exploit non-official third-party sources to distribute their malware, utilizing social engineering tactics observed in Chinese security advisories.

The malicious Android application, disguised as “安全防护” (Security Protection), requests permissions to control phone calls and block SMS messages. By impersonating law enforcement.

The threat actor’s financial fraud strategy involves masquerading as an official authority, providing a fake legal case number and urging victims to input sensitive information. Once trust is established, victims are directed to download a next-stage payload under the guise of investigating bank transactions. The app supports various banking institutions, enabling the theft of personal details, including payment card information.

Relevancy & Insights:
With an alarming trend, threat actors are increasingly directing their efforts towards the banking sector, aiming to generate substantial financial losses. This shift highlights a growing sophistication in cyber threats, emphasizing the need for enhanced cybersecurity measures within the financial industry. Organizations must proactively strengthen their defences to treat these targeted attacks and safeguard sensitive financial information. The evolving landscape underscores the importance of staying vigilant, investing in cutting-edge cybersecurity technologies, and fostering collaboration across the financial sector to counteract emerging threats effectively.

ETLM Assessment:
In the current cybersecurity landscape, threat groups are employing advanced tactics, as seen in recent attacks on China using malicious APKs disguised as “Security Protection.” This threat extends beyond regional boundaries, raising concerns about potential cross-border proliferation. With a focus on financial losses and data theft, these attackers may revisit with upgraded malware and new features, employing social engineering for increased impact. The evolving nature of this external threat underscores the importance of global cooperation in implementing proactive cybersecurity measures and sharing threat intelligence to effectively thwart these malicious activities.


  • Educate users, especially in the banking sector, about the tactics employed by threat actors in social engineering attacks.
  • Emphasize the importance of downloading applications only from official app stores, such as Google Play Store, to minimize the risk of malicious APKs.
  • Promote the use of multi-factor authentication to add an additional layer of security, making it harder for threat actors to gain unauthorized access.
  • Implement and enforce robust security policies within organizations, especially in the financial sector, outlining secure practices for downloading apps and handling sensitive information.
  • Develop and regularly update an incident response plan to ensure a prompt and effective response in the event of a security incident.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Paraguay’s largest telecommunications company targeted by a cyber attack
Tigo; Paraguay’s largest telecommunications company, was hit by a ransomware attack early January. The attack, launched by the ransomware gang; BlackHunt, encrypted around three hundred servers maintained by the company. The attack reportedly affected several of Tigo’s customers, including several government agencies, and the Paraguayan Army’s cybersecurity team called on organizations in the country to work to harden their own networks and said that the attack was having a significant impact on the country’s economy. The director of Paraguay’s main civilian cybersecurity agency (CERT-PY) said that he hoped that Tigo was working with the FBI and U.S. National Security Agency on the hack, but that Tigo had been very secretive about its response to the incident. Tigo issued a statement denying the scope of the disruption, saying that “outside of the specific services of the corporate segment cited, no internet, phone or wallet services have been affected.”

ETLM Assessment:
At the time of writing, the most probable attacker seems to be the opportunistic financially motivated group; BlackHunt. However, Paraguay is not without some complicated relations. Hezbollah; a Lebanese political party and militant group (designated a terrorist organization by many countries), and a transnational criminal organization, has been long operating in the country, thanks to its long-standing and well-documented partnership with Latin American drug cartels. A focal point of Hezbollah operations in the Western Hemisphere is the Tri-Border Area of Argentina, Brazil, and Paraguay; a sanctuary for all sorts of organized crime. Numerous terrorism financing, money laundering, and drug trafficking operations, which include Hezbollah- aligned Lebanese nationals operate in the area, often on the Paraguay side of the border, because Paraguay has been the most reluctant to recognize and address the problem. In times of heightened tension in the Middle East, this might have attracted attention of a wide variety of actors opposing Iran, since Hezbollah is directly controlled from Tehran.

China claims it cracked Apple’s AirDrop Encryption
A Chinese cybersecurity research agency, Wangshen Dongjian, associated with the Beijing Municipal Bureau of Justice says that it managed to crack the encryption of Apple’s AirDrop file sharing function, allowing authorities to identify the phone numbers and emails associated with devices sharing content via AirDrop. AirDrop was frequently used in the 2019 pro-democracy rallies in Hong Kong and to spread photographs of a protestor in Beijing brandishing a sign labelling President Xi Jinping a “despotic dictator.” AirDrop has been an important tool for demonstrators in China and Hong Kong to share information clandestinely. It has been alleged that authorities have already made advantage of this innovation to track down and apprehend individuals who shared papers during various protests via AirDrop. Apple and the Chinese government have been at odds over AirDrop. In November 2022, Apple controversially changed the AirDrop settings for iPhones in China, limiting the duration of the “everyone” sharing option to ten minutes.

ETLM Assessment:
Within a matter of just a few years, Beijing has copied and successfully used many of Russia’s information warfare techniques, while it developed its own digital authoritarianism mechanisms, through which its cracking on even the potential of domestic dissent. But unlike Russia, the Chinese government believes it has the ability and even the mandate to turn its domestic online surveillance apparatus outward, to disrupt and, perhaps eventually, even control global narratives in real time. Developments like cracking of AirDrop’s encryption are to be absolutely expected from China on every thinkable platform in the future.

Rise in Malware/Ransomware and Phishing

The Rhysida Ransomware impacts Lee Spring

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: Rhysida Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United States of America; (www[.]leespring[.]com), was compromised by Rhysida Ransomware. Lee Spring is a global manufacturer of mechanical springs and related products. Lee Spring carries a line of 25,000+ stock springs and manufacturers custom springs made to customer specifications. The data that has been compromised has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. Within the compromised data are confidential and sensitive details pertaining to the organization. The ransom demanded for the entire dataset is set at 8 BTC.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Rhysida ransomware group, which first appeared in May 2023 and operates as a ransomware-as-a-service. It utilizes the malware families PortStarter and SystemBC.Rhysida employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid.
  • Victims of the Rhysida group are spread across 25 countries, with a majority of victims in the United States.
  • The Rhysida Ransomware primarily targets industries including Specialized Consumer Services, Software, Government Agencies, Computer Services, and Health Care Providers
  • Based on the Rhysida Ransomware victims list from 1 Jan 2023 to 16 Jan 2024, the top 5 Target Countries are as follows:
  • Ranking the Top 10 Industries, most affected by Rhysida Ransomware from 1 Jan 2023 to 16 Jan 2024 are as follows:

ETLM Assessment:
CYFIRMA’s assessment indicates a sustained focus on US-based companies by the Rhysida ransomware, as illustrated in the attached graph. Despite this, recent events, including the Lee Spring attack, underscore the potential vulnerability of other prominent manufacturing entities to similar targeting. It is evident that the threat landscape is dynamic, and organizations across various sectors should remain vigilant to mitigate risks associated with ransomware attacks.

Vulnerabilities and Exploits

Vulnerability in Apache Shiro

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal components / Libraries / Software for developers
  • Vulnerability: CVE-2023-46749 (CVSS Base Score 6.6)
  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

The vulnerability allows a remote attacker to perform directory traversal attacks.

Relevancy & Insights:
The vulnerability exists due to input validation error when processing directory traversal sequences.

A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system. This can lead to authentication bypass when used together with path rewriting.

Affected Products: https[:]//seclists[.]org/oss-sec/2024/q1/19

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Anonymous Collective Launches Cyberattack on Bahrain

  • Threat Actors: Anonymous Collective
  • Attack Type: DDoS
  • Objective: Operational disruption
  • Target Technology: Web Application
  • Target Geographies: Bahrain
  • Target Industry: Media
  • Business Impact: Operational Disruption

We recently observed that the Anonymous Collective has orchestrated an alleged cyberattack on Bahrain, pointing to the country’s support for the US and UK strikes on Yemen. According to the hacker collective, the distributed denial-of-service (DDoS) attack has affected several websites, including prominent media outlets like Akhbar al- Khaleej, Al-Ayam, Gulf Daily News, and Al-Bilad. The Anonymous Collective, in a statement on its dark web channel, declared, “! In retaliation to the Bahrain attacks and bombing operations in Yemen, we have conducted a massive cyberattack on the main media outlets of the country. We will not back down. Bahrain will pay for their actions!” The listed organizations, known for their involvement in the media and news sector, have yet to issue an official statement or response regarding this cyberattack on Bahrain and the involvement of the Anonymous Collective hacker group, leaving the claims unverified.

Relevancy & Insights:
Anonymous Collective is a well-known group of hacktivists. Recently, the Anonymous Collective claimed responsibility for a cyberattack on Cosmote; Greece’s largest mobile network operator. Additionally, they orchestrated a Distributed Denial of Service (DDoS) attack on Cairo International Airport, citing motivations related to Egypt’s perceived support for Israel in the Gaza conflict.

ETLM Assessment:
The hacktivist group Anonymous Collective has reportedly targeted Bahrain by executing a distributed denial-of-service (DDoS) cyberattack. The attack is purportedly motivated by Bahrain’s alleged support for US and UK airstrikes on Yemen. According to CYFIRMA’s assessment, there is a likelihood that Anonymous Collective will persist in its campaign of DDoS attacks on Bahrain and other countries’ organizations supporting the mentioned airstrikes. The aim is to induce reputational damage and operational disruptions within these entities.

Data Leaks

Qonstanta Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Education
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Qonstanta, {www[.]qonstanta[.]id}. Qonstanta is one of the study guidance in Indonesia, with support from a management team and tutors, who have proven experience in guiding many students to enter the FA major. The compromised data encompasses a variety of sensitive information, including names, telephone numbers, email addresses, usernames, passwords, addresses, class details, National Student Identification Numbers (NISN), bank names, genders, account numbers, department affiliations, dates, and more. The entirety of compromised data amounts to 4.17 gigabytes.

Source: Underground forums

Relevancy & Insights:
Cybercriminals with financial motivations frequently exploit exposed and vulnerable systems and applications. A significant number of these individuals engage in covert discussions within online forums dedicated to illegal activities, where they trade stolen digital assets. In contrast to certain financially driven groups such as ransomware or extortion gangs that boast about their exploits, these opportunistic attackers choose a more discreet approach. They capitalize on unpatched systems and vulnerabilities in applications to illicitly access and abscond with valuable data. Following the theft, they promote the pilfered data for sale within clandestine forums, where it may be further circulated and repurposed by other malicious actors in their nefarious endeavors.

ETLM Assessment:
MastaBeen; an emerging threat actor based in Indonesia, focuses on targeting organizations within the country. According to CYFIRMA’s assessment, organizations in Indonesia that lack adequate security measures are deemed potential targets for this particular threat actor.

Other Observations

CYFIRMA Research team observed a potential data leak related to McDonald’s Corporation, {www[.]mcdonalds[.]com}. McDonald’s is the world’s leading global food service retailer with over 36,000 locations in over 100 countries. More than 90% of McDonald’s restaurants worldwide are owned and operated by independent local businessmen and women. The data available for purchase comprises internal tools, names, and email addresses, along with bank logs and additional sensitive information.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.