Weekly Intelligence Report – 19 July 2024

Published On : 2024-07-19

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows
Target Countries: Australia, Canada, Colombia, Curacao, France, Germany, Ireland, Italy, Malaysia, New Zealand, Palau, Puerto Rico, South Africa, Spain, Sweden, United Kingdom, United States.
Target Industries: Accounting, Business Service, Construction, Education, Energy, Finance, Government, Healthcare, Hospitality, Law, Manufacturing, Real Estate, Retail, Software, Transportation.

Introduction
CYFIRMA Research and Advisory Team has found DragonForce while monitoring various underground forums as part of our Threat Discovery Process.

DragonForce
Researchers uncovered a new ransomware variant dubbed DragonForce in mid-July 2024. This ransomware encrypts files, renames each encrypted file, and leaves a ransom note titled "readme.txt". The renaming process replaces the original filenames with random strings and appends the ".dragonforce_encrypted" extension.

Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)

The ransom note from the DragonForce ransomware states that the cybercriminals have stolen and encrypted files, demanding payment in Bitcoin for their decryption. The recovery process involves contacting the attackers, receiving a list of stolen files, verifying their decryption capabilities, agreeing on a payment amount, and then receiving a decryption tool.

The note instructs victims to contact the attackers via a Tor Browser link and a unique ID, with additional support available through Tox messenger.

It also warns against resetting or shutting down the system, renaming or moving files, and deleting the ransom note, to avoid further damage. The note threatens that if the victim does not comply by the specified time and date, the stolen files will be published, and the decryption tool will be destroyed.

Screenshot of DragonForce’s text file (“readme.txt”) (Source: SurfaceWeb)

Screenshot of DragonForce’s contact website (Source: SurfaceWeb)

Screenshot of DragonForce’s data leaking site (Source: SurfaceWeb)

Targeted countries

Following are the TTPs based on the MITRE ATT&CK Framework:

Sr. No  Tactics                         Techniques/Sub-Techniques
1       TA0002: Execution               T1053.005: Scheduled Task/Job: Scheduled Task
                                        T1129: Shared Modules
                                        T1569.002: System Services: Service Execution
2       TA0003: Persistence             T1053.005: Scheduled Task/Job: Scheduled Task
                                        T1543.003: Create or Modify System Process: Windows Service
                                        T1574.002: Hijack Execution Flow: DLL Side-Loading
3       TA0004: Privilege Escalation    T1053.005: Scheduled Task/Job: Scheduled Task
                                        T1543.003: Create or Modify System Process: Windows Service
                                        T1548: Abuse Elevation Control Mechanism
                                        T1574.002: Hijack Execution Flow: DLL Side-Loading
4       TA0005: Defense Evasion         T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
                                        T1036: Masquerading
                                        T1070: Indicator Removal
                                        T1055: Process Injection
                                        T1497: Virtualization/Sandbox Evasion
                                        T1548: Abuse Elevation Control Mechanism
                                        T1562.001: Impair Defenses: Disable or Modify Tools
                                        T1574.002: Hijack Execution Flow: DLL Side-Loading
5       TA0006: Credential Access       T1003: OS Credential Dumping
                                        T1552.001: Unsecured Credentials: Credentials In Files
6       TA0007: Discovery               T1010: Application Window Discovery
                                        T1012: Query Registry
                                        T1057: Process Discovery
                                        T1082: System Information Discovery
                                        T1083: File and Directory Discovery
                                        T1497: Virtualization/Sandbox Evasion
                                        T1518.001: Software Discovery: Security Software Discovery
7       TA0008: Lateral Movement        T1080: Taint Shared Content
8       TA0009: Collection              T1005: Data from Local System
                                        T1114: Email Collection
9       TA0011: Command and Control     T1071: Application Layer Protocol
                                        T1090: Proxy
                                        T1095: Non-Application Layer Protocol
                                        T1573: Encrypted Channel
10      TA0040: Impact                  T1485: Data Destruction
                                        T1486: Data Encrypted for Impact
                                        T1489: Service Stop

Relevancy and Insights:

  • Targeting widely used Windows operating systems, this ransomware poses a significant threat to diverse industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware places itself under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" to manipulate the execution behaviour of the targeted image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems while evading detection.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.

ETLM Assessment:
Based on the available data, CYFIRMA anticipates that DragonForce ransomware could expand its attack footprint to other parts of Southeast Asia, possibly including Thailand, Indonesia, Singapore and others, given its already observed presence in Malaysia. This anticipated shift could be attributed to the increasing digital transformation in these regions, which presents lucrative opportunities for cybercriminals. Technically, DragonForce may enhance its obfuscation techniques, leverage advanced persistence mechanisms, and increase its use of WMI and registry manipulation to evade detection and hinder data recovery efforts.

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

SIGMA Rule:
title: Uncommon File Created In Office Startup Folder
tags:
    - attack.resource_development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb'  # MS Access DB
            - '.mdw'  # MS Access DB
            - '.pdf'  # PDF documents
            - '.wll'  # Word add-in
            - '.wwl'  # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
            - '\Office'
            - '\Program Files'
            - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high

(Source: SurfaceWeb)
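To make the rule's logic concrete for analysts tuning it, the following is an added Python evaluator (not part of the CYFIRMA report or the SigmaHQ rule itself) that applies the rule's selections, exclusion filters and "1 of filter_main_*" clause to constructed file-creation events. Sigma's contains/endswith modifiers match case-insensitively by default, which the helpers reproduce; the four sample events and the process names in them are constructed for illustration and are not real telemetry.

```python
# Added example: evaluate the "Uncommon File Created In Office Startup Folder"
# Sigma rule over constructed file_event records. Not the report's own code.

# Extensions the rule excludes for the Word STARTUP and Excel XLSTART folders.
WORD_EXCLUDED_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")
EXCEL_EXCLUDED_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")
# Writer processes the rule treats as benign (filter_main_*), already lower-cased.
OFFICE_APP_DIRS = (":\\program files\\microsoft office\\", ":\\program files (x86)\\microsoft office\\")
CLICK_TO_RUN_DIR = ":\\program files\\common files\\microsoft shared\\clicktorun\\"


def selection_word_paths(target: str) -> bool:
    """TargetFilename lies in a Word STARTUP folder (user profile or install directory)."""
    t = target.lower()
    return "\\microsoft\\word\\startup" in t or all(p in t for p in ("\\office", "\\program files", "\\startup"))


def selection_excel_paths(target: str) -> bool:
    """TargetFilename lies in an Excel XLSTART folder."""
    t = target.lower()
    return "\\microsoft\\excel\\xlstart" in t or all(p in t for p in ("\\office", "\\program files", "\\xlstart"))


def filter_main_office(image: str) -> bool:
    """'1 of filter_main_*': the writer is Click-to-Run, or Word/Excel run from the Office install directory."""
    i = image.lower()
    click_to_run = CLICK_TO_RUN_DIR in i and i.endswith("\\officeclicktorun.exe")
    office_app = any(d in i for d in OFFICE_APP_DIRS) and (i.endswith("\\winword.exe") or i.endswith("\\excel.exe"))
    return click_to_run or office_app


def rule_matches(event: dict) -> bool:
    """Evaluate the rule's condition for a single file_event record."""
    target = event["TargetFilename"]
    t = target.lower()
    word_hit = selection_word_paths(target) and not t.endswith(WORD_EXCLUDED_EXT)
    excel_hit = selection_excel_paths(target) and not t.endswith(EXCEL_EXCLUDED_EXT)
    return (word_hit or excel_hit) and not filter_main_office(event.get("Image", ""))


def flagged_files(events: list) -> list:
    """Return the TargetFilename of every event the rule would alert on, in input order."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # unknown dropper writes an add-in DLL into the user's Word STARTUP folder -> alert
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\helper.dll",
    },
    {   # Word saving its own template -> excluded extension, no alert
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\Normal.dotm",
    },
    {   # Click-to-Run servicing the install directory -> filter_main_* suppresses it
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\XLSTART\\analysis.dll",
    },
    {   # script drops an .xlam add-in: not in the Excel exclusion list, so it alerts
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\book.xlam",
    },
]

if __name__ == "__main__":
    for name in flagged_files(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The fourth event is worth noting when tuning: an .xlam add-in is not in the rule's Excel exclusion list, so a script dropping one into XLSTART raises an alert, whereas the same drop of an .xll would be silently excluded. Whether that is the desired balance depends on which add-in formats are legitimately deployed in the environment.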

STRATEGIC RECOMMENDATIONS

  • Implement strong security protocols, encryption, authentication, and access-credential configurations for access to critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules to threat detection and monitoring, which will help detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Trojan
Objective: Stealing financial information, Data exfiltration
Target Technology: Windows OS
Target Industry: Financial Institutions, Banks
Target Geographies: Latin America (Brazil)

Active Malware of the Week
This week “Coyote” is trending.

Coyote
Coyote is a .NET banking Trojan that targets Brazilian financial institutions in the LATAM region. It is notable for its unique execution methods, which set it apart from other similar Trojans. First detected in February 2024, Coyote earned its name by leveraging Squirrel, a legitimate software tool used for managing Windows application installations and updates. During attacks, Coyote injects a compromised DLL into legitimate files like OBS and Chromium Embedded Framework, using the Nim programming language. This allows it to persistently harvest financial information from users of Brazilian banks. Coyote has also been observed targeting Binance, the world's largest cryptocurrency exchange by daily trading volume.

Technical Analysis
While the delivery method of the Coyote Trojan wasn't directly observed during analysis, it is typically distributed through phishing. Users are lured into clicking malicious links rather than receiving the payload as an email attachment, likely because of its large file size (over 170 MB), which could cause emails carrying it to be blocked by systems that limit large attachments. File names in Brazilian Portuguese found on infected systems suggest the Trojan targets exclusively Brazilian victims. Examples of filenames used during the attack include:

  • Pdfpapel327088636055.zip (“papel” = paper)
  • Pdfmensal4669787638.zip (“mensal” = monthly)

Upon execution of the main malicious file, such as pdfpapel327088636055.exe, the Coyote Trojan initiates a complex installation process using Squirrel for updates:

  • The Squirrel update process is triggered:
    "C:\Users\<username>\AppData\Local\SquirrelTemp\Update.exe" --install
  • Concurrently, "designlesotho.exe" is executed from an application directory under AppData:
    "C:\Users\<username>\AppData\Local\designlesotho\app-0.7.2\designlesotho.exe" --squirrel-install 0.7.2
  • Additionally, cmd.exe is used to launch OBS via "obs-browser-page.exe":
    "C:\Windows\system32\cmd.exe" /d /s /c "C:\Users\Admin\Videos\Captures\obs-browser-page.exe"

Persistence on the infected system is ensured through modifications in the Registry:

  • Registry value: HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
  • Data: C:\Users\<username>\Videos\Captures\obs-browser-page.exe

Upon launching the benign obs-browser-page.exe, the Squirrel update process loads libcef.dll, a non-malicious Google Chrome DLL vulnerable to DLL sideloading. This DLL then loads the malicious chrome_elf.dll. The final loaded DLL, chrome_elf.dll, functions as a Nim loader, facilitating the execution of the embedded Coyote banking Trojan in memory.

Nim, a modern programming language incorporating features from Python, Ada, and Modula, enables Coyote to perform advanced operations upon activation. The Trojan selectively communicates with its command-and-control (C2) servers only when the active window title matches the predefined targets list. Coyote’s capabilities encompass 24 distinct commands and functions, including capturing screenshots, displaying full-screen overlays (such as fake banking apps), modifying registries, simulating mouse movements, initiating system shutdowns, and logging keystrokes.

INSIGHTS

  • Coyote is a sophisticated .NET banking Trojan targeting Brazilian financial institutions in the LATAM region. Its unique installation process, which leverages legitimate tools like Squirrel, highlights a growing trend where malware authors exploit trusted software to bypass security measures. This approach not only facilitates the initial compromise but also helps in maintaining a low profile, making detection and analysis more challenging for security professionals. By leveraging such legitimate tools, Coyote can effectively blend in with regular system processes, reducing the likelihood of immediate detection.
  • The adoption of Nim, a relatively new and multi-platform language, for writing the final malicious DLL demonstrates a strategic move by the malware developers. Nim’s ability to produce highly efficient executables with minimal footprints makes it an ideal choice for malware, as it combines features from languages like Python and C, offering both flexibility and performance. This choice of language not only enhances the Trojan’s operational capabilities but also complicates reverse engineering efforts due to Nim’s relative obscurity in the malware analysis community.
  • Coyote is typically delivered through phishing campaigns, where users are enticed to click on malicious links. The Trojan activates only when specific banking sites are accessed, reducing the likelihood of detection during non-targeted activities. Once active, it communicates with command-and-control (C2) servers to execute various commands, such as keylogging, screenshot capture, and displaying fake banking overlays, making it a versatile and significant threat.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the evolution of Coyote malware suggests several implications for organizations and employees. As malware authors refine their techniques, future iterations of Coyote and similar Trojans are expected to become more sophisticated and adaptable. This could lead to faster adaptation to security measures and more complex evasion tactics, posing significant challenges for cybersecurity teams in detecting and mitigating such threats. Future variants of Coyote may increasingly focus on targeted attacks customized for specific organizations or industries. This could involve deeper reconnaissance and more precise exploitation of vulnerabilities unique to each target, potentially resulting in more damaging and costly breaches.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
YARA Rule:
import "pe"

rule coyote_nimloader {
    meta:
        hash = "110b616bc12c29b070b0dc60c197a4d63b3e3caae6bb80a25b8864489a51da79"
        hash = "1bed3755276abd9b54db13882fcf29c543ebf604be3b7fcf060cbd6d68bcd23f"
    strings:
        $nim1 = "strformat.nim" fullword ascii
        $nim2 = "fatal.nim" fullword ascii
        $nim3 = "io.nim" fullword ascii
        $export_name = "chrome_elf.dll" fullword ascii
    condition:
        pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))
}
Source: Surface web
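To show what each clause of the rule's condition actually tests, the following is an added Python re-implementation (not part of the CYFIRMA report, and not a substitute for running YARA itself) that reads NumberOfSections and Characteristics from a PE's COFF file header, applies YARA's "fullword ascii" semantics to the strings, and combines them exactly as the condition does. The PE images it scans are constructed in the block from a minimal DOS header, PE signature and COFF header; they are not real samples and carry no optional header or sections, so this emulation deliberately ignores everything else YARA's pe module would parse.

```python
# Added example: emulate the coyote_nimloader YARA rule's checks over constructed
# minimal PE images. Not the report's own code and not a real sample.
import re
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that pe.DLL tests
NIM_STRINGS = ("strformat.nim", "fatal.nim", "io.nim")  # $nim1..$nim3 from the rule
EXPORT_NAME = "chrome_elf.dll"                          # $export_name from the rule


def build_pe(num_sections: int, characteristics: int, payload: bytes) -> bytes:
    """Construct DOS header + 'PE\\0\\0' signature + COFF file header, followed by payload bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: the PE header starts right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + payload


def parse_coff(data: bytes):
    """Return (NumberOfSections, Characteristics) from the COFF file header, as YARA's pe module exposes them."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    _machine, num_sections, _ts, _symtab, _nsyms, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return num_sections, characteristics


def fullword_present(data: bytes, s: str) -> bool:
    """YARA 'fullword ascii': the string must not be preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def coyote_nimloader_matches(data: bytes) -> bool:
    """pe.characteristics & pe.DLL and pe.number_of_sections > 8 and $export_name and (2 of ($nim*))"""
    num_sections, characteristics = parse_coff(data)
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    nim_hits = sum(fullword_present(data, s) for s in NIM_STRINGS)
    return is_dll and num_sections > 8 and fullword_present(data, EXPORT_NAME) and nim_hits >= 2


# Constructed samples: one DLL-shaped image carrying Nim runtime strings, and three near-misses
# that each fail exactly one clause of the condition.
NIM_PAYLOAD = b"\0chrome_elf.dll\0strformat.nim\0io.nim\0"
SAMPLE_DLL = build_pe(10, IMAGE_FILE_DLL | 0x0002, NIM_PAYLOAD)         # matches
SAMPLE_EXE = build_pe(10, 0x0002, NIM_PAYLOAD)                          # not a DLL
SAMPLE_FEW_SECTIONS = build_pe(4, IMAGE_FILE_DLL, NIM_PAYLOAD)          # too few sections
SAMPLE_NOT_FULLWORD = build_pe(10, IMAGE_FILE_DLL,                      # "io.nim" only inside "radio.nim"
                               b"\0chrome_elf.dll\0strformat.nim\0radio.nim\0")

if __name__ == "__main__":
    samples = (("dll", SAMPLE_DLL), ("exe", SAMPLE_EXE),
               ("few_sections", SAMPLE_FEW_SECTIONS), ("not_fullword", SAMPLE_NOT_FULLWORD))
    for name, blob in samples:
        print(f"{name}: {coyote_nimloader_matches(blob)}")
```

The last sample illustrates why the rule's "fullword" modifier matters: "radio.nim" contains the bytes "io.nim", but because they are preceded by an alphanumeric byte the string does not count, leaving only one of the three $nim strings and so no match. Keep in mind that the section-count and DLL-flag thresholds come from the samples hashed in the rule's meta block; a repacked loader could fall outside them, which is why the rule belongs alongside the behavioural indicators in this section rather than replacing them.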

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Upgrade to an email security solution that provides advanced phishing protection, business email compromise detection, internal email protection, and account compromise detection.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Add the YARA rules to threat detection and monitoring, which will help detect anomalies in log events and identify and monitor suspicious activities.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear-phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Hunters International Ransomware, DarkVault Ransomware | Malware – Coyote
  • Hunters International Ransomware – One of the ransomware groups.
  • DarkVault Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Coyote
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from the DarkVault Ransomware techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

MuddyWater Cyber Threat Analysis: Phishing Campaigns and Advanced Malware Tactics

  • Threat Actors: MuddyWater
  • Attack Type: Spear-phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Israel, Saudi Arabia, Turkey, India, Portugal, Azerbaijan, and Jordan
  • Target Industries: Municipalities, Airlines, Travel agencies, Media outlets, and Government entities
  • Business Impact: Data Loss, Data exfiltration

Summary:
MuddyWater, a persistent and sophisticated threat group, has been conducting extensive phishing campaigns primarily targeting organizations in the Middle East, including Israel, Saudi Arabia, Turkey, India, Portugal, Azerbaijan, and Jordan. Their focus encompasses a diverse range of sectors such as municipalities, airlines, travel agencies, media outlets, and government entities, reflecting their strategic interests and objectives.

The group typically initiates their attacks by sending large volumes of spear-phishing emails from compromised accounts. These emails contain meticulously crafted lures tailored to specific industries. For example, early campaigns aimed at municipalities included lures promoting a new municipal app with a subject like “Special Offer: New App for Municipalities – Limited Time Only!” More recent campaigns have adopted more generic themes such as invitations to webinars and online courses, allowing the same lure to be reused across different targets and regions. While these campaigns initially employed the locally spoken languages of their targets, there has been an increasing use of the English language.

A significant advancement in MuddyWater’s attack methods is the deployment of the custom-made BugSleep backdoor, introduced in May 2024, which partially replaces their use of legitimate Remote Monitoring and Management (RMM) tools. BugSleep is a sophisticated malware that includes several versions with varying features and bug fixes, suggesting a trial-and-error development approach. The typical infection chain begins with the abuse of Egnyte subdomains, which are used for seemingly legitimate file-sharing. Recipients receive links that appear to come from legitimate sources, aligning with the naming conventions of the targeted country. For instance, in a link sent to a transportation company in Saudi Arabia, the displayed name was Khaled Mashal, a former prominent leader of Hamas.

BugSleep employs several evasion techniques, such as making multiple calls to the Sleep API to evade sandboxes and enabling flags to prevent other processes from injecting DLLs or generating dynamic code. The malware creates a mutex, decrypts its configuration (including the Command and Control (C&C) IP address and port), and ensures persistence by creating scheduled tasks that run the malware at regular intervals. The malware’s communication with the C&C server is encrypted, with every message following a specific format. BugSleep can perform various commands based on the data sent from the C&C, and it incorporates additional evasion methods to protect against Endpoint Detection and Response (EDR) solutions.

MuddyWater’s campaigns have been linked to over 50 spear-phishing emails targeting more than 10 sectors and hundreds of recipients since February 2024. Their operations have been consistently attributed to them due to distinct patterns of behavior and tools observed over several years. The group’s activity highlights their persistent nature and evolving tactics, posing a significant threat to a wide array of targets. Their espionage-driven campaigns aim to gather intelligence and disrupt operations in strategically important sectors, with a notable increase in activity and focus on higher volume rather than highly specific targets. The shift to simpler, more versatile phishing lures and the development of tailored malware like BugSleep underscores their adaptability and continued operational threat.

Relevancy & Insights:
MuddyWater, an Iranian threat group active since at least 2017, has targeted a diverse range of sectors including telecommunications, defense, local government, and oil and natural gas across Asia, Africa, Europe, and North America. Known for using tools developed in Python, C#, and PowerShell, they exploit vulnerabilities and utilize open-source tools for unauthorized access, espionage, intellectual property theft, and occasionally deploying ransomware. Their recent deployment of the BugSleep backdoor underscores their ongoing cyber espionage activities, aimed at stealing sensitive data and providing illicit access to Iranian government entities, often sharing these accesses with other cyber actors. The group has intensified operations in Israel since October 2023 amid geopolitical tensions, alongside targeting entities in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal. Organizations in sectors of strategic importance and regions targeted by MuddyWater should prioritize robust cybersecurity measures and vigilance against evolving threats to mitigate potential impacts.

ETLM Assessment:
MuddyWater is an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS) and active since 2017. MuddyWater conducts widespread cyber espionage globally, with recent escalations in Israel, targeting sectors such as telecommunications, defense, local government, and oil and natural gas across Asia, Africa, Europe, and North America. They exploit vulnerabilities through phishing campaigns from compromised email accounts, deploying tools like Atera Agent and Screen Connect. Known for leveraging malware variants like PowGoop, Small Sieve, Canopy (Starwhale), and most recently the new BugSleep backdoor, MuddyWater's tactics emphasize persistence and strategic data theft. As part of the broader state-sponsored threat landscape, their operations highlight the evolving sophistication in cyber espionage. Future assessments indicate ongoing threats, necessitating vigilant cybersecurity practices, including regular updates, user education against phishing, and robust defenses tailored to detect and counter such advanced persistent threats.

Recommendations:

  • Enhance Phishing Awareness: Educate employees about phishing tactics and encourage vigilance against suspicious emails, especially those with enticing offers or urgent requests.
  • Implement Robust Email Security: Deploy advanced email security measures to detect and block phishing attempts, including sender authentication, URL scanning, and attachment analysis.
  • Update and Patch Systems: Regularly update software and systems to patch known vulnerabilities that threat actors like MuddyWater exploit.
  • Monitor for Malicious Activity: Implement robust monitoring and logging to detect unusual network traffic or behaviors associated with malware like BugSleep.
  • Deploy Endpoint Protection: Use endpoint protection platforms that can detect and respond to advanced malware and phishing attempts, including behavior-based analysis and sandboxing.
  • Enhance Incident Response Capabilities: Develop and test incident response plans to quickly mitigate and recover from cyber-attacks, including phishing campaigns and malware infections.
  • Stay Informed and Share Threat Intelligence: Continuously monitor threat intelligence sources for updates on MuddyWater’s tactics and techniques and share relevant information within your organization and with industry peers.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Chinese hackers deploy new malware
Researchers have recently published a report on "DodgeBox," a newly discovered malware loader associated with the Chinese threat actor APT41. DodgeBox is used to install a new backdoor dubbed "MoonWalk" that uses Google Drive for command-and-control communications. According to the researchers, what sets DodgeBox apart from other malware is its unique algorithms and techniques. The telemetry suggests the malware has been used to target entities in Thailand and Taiwan, which aligns with APT41's previous targeting.

ETLM Assessment:
The consolidation of ties among a new Russian-North Korean security partnership signed during President Vladimir Putin’s visit to Pyongyang, and comments by Xi Jinping and Putin at the Shanghai Cooperation Organization about cooperating to resist external interference and push back on American hegemony signal the intensification of efforts by the so-called axis of ill will to dominate their respective neighborhoods. The observed campaign is likely a state-sponsored effort to gain intelligence in the hotly contested region and many others similar to this one are expected to be going on at the same time.

4. Rise in Malware/Ransomware and Phishing

The Hunters International Ransomware impacts Carigali Hess Operating Company

  • Attack Type: Ransomware
  • Target Industry: Gas
  • Target Geography: Malaysia
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from Malaysia (www[.]carigalihess[.]com) was compromised by the Hunters International Ransomware. Carigali Hess Operating Company (CHOC) is a joint venture between PETRONAS Carigali JDA Ltd. and Hess Oil Company of Thailand Ltd. The company operates in the Malaysia-Thailand Joint Development Area (JDA) on Block A-18, focusing on gas production. The breached data includes sensitive and confidential organizational information.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a ransomware that targets Windows and Linux environments and appends the .LOCKED extension to the encrypted files on the victim machine once the group has completed data exfiltration.
  • Recent updates about the Hunters International ransomware group reveal significant developments since its emergence in late 2023. Notably, Hunters International is strongly linked to the infamous Hive ransomware, utilizing similar source code and infrastructure. After Hive’s operations were disrupted by an international law enforcement action in January 2023, Hunters International emerged, reportedly acquiring Hive’s source code and infrastructure rather than being a direct rebrand of Hive.
  • The Hunters International Ransomware group primarily targets countries such as the United States of America, Taiwan, Italy, Belgium, and Ireland.
  • The Hunters International Ransomware group primarily targets industries, including Industrial Machinery, Heavy Construction, Health Care Providers, Electronic Equipment, and Business Support Services.
  • Based on the Hunters International Ransomware victims list from 1 Jan 2023 to 17 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1 Jan 2023 to 17 July 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Hunters International Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on Carigali Hess Operating Company, a prominent Gas company in Malaysia, underscores the extensive threat posed by this ransomware strain in the Southeast Asia region.

The DarkVault Ransomware impacts Sequel Global

  • Attack Type: Ransomware
  • Target Industry: Logistics
  • Target Geography: India
  • Ransomware: DarkVault Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from India (www[.]sequelglobal[.]com) was compromised by the DarkVault Ransomware. Sequel Logistics is a supply chain management company providing solutions specifically for critical logistics requirements on a worldwide basis. The company was founded in 2004 in Bangalore and, over the years, has developed specialized capabilities and domain knowledge to design, execute, and manage the supply chain and logistics of high-value and critical products for B2B and B2C business in India, the US, and Europe. The compromised data includes confidential and sensitive information belonging to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • DarkVault ransomware has emerged as a notable threat in the cybercrime landscape. This ransomware group has been particularly active in recent months, targeting organizations with the intent to encrypt their data and demand ransoms.
  • DarkVault has upgraded its encryption mechanisms, making it more challenging for victims to recover their data without paying the ransom. Their new tactics involve the use of double and even triple extortion techniques.
  • The DarkVault Ransomware group primarily targets countries such as Brazil, the United States of America, Lithuania, Canada, and the United Kingdom.
  • The DarkVault Ransomware group primarily targets industries, such as Software, Computer Services, Real Estate, Industrial Machinery, and the Internet.
  • Based on the DarkVault Ransomware victims list from 1 January 2023 to 17 July 2024, the top 5 target countries are as follows:
  • The top 10 industries most affected by the DarkVault Ransomware from 1 January 2023 to 17 July 2024 are as follows:

ETLM Assessment:
The DarkVault ransomware group gains initial access chiefly through phishing emails that lure victims into opening malicious links or attachments, and by exploiting vulnerabilities in unpatched software. According to CYFIRMA’s assessment, DarkVault is likely to continue its aggressive targeting of a wide array of industries on a global scale, with a particular focus on the United States, Europe, and Asia. The recent attack on Sequel Global, a leading logistics company based in India, highlights the broad and severe threat posed by DarkVault, especially in South Asia. The incident demonstrates the group’s capacity to disrupt operations and underscores the need for robust cybersecurity defences across diverse regions and sectors.

5. Vulnerabilities and Exploits

Vulnerability in Apache Wicket

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal components / Libraries
  • Vulnerability: CVE-2024-36522 (CVSS Base Score 9.8)
  • Vulnerability Type: Improper Control of Generation of Code (‘Code Injection’)
  • Patch: Available

Summary:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

Relevancy & Insights:
The vulnerability exists due to improper input validation. An attacker who can influence the XSLT stylesheet content processed by the application can inject instructions that the XSLT engine executes; where the processor permits extension functions, this extends to arbitrary code execution on the host.

Impact:
Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.

Affected Products: https[:]//lists[.]apache[.]org/thread/lm84pzcbh34rsv9spz9cm24g4jspzbqg

Recommendations:
  • Patching: Upgrade to the fixed Apache Wicket release identified in the advisory linked above as a priority; for a CVSS 9.8 remote code execution flaw, the vendor fix is the primary control.
  • Hardening: Until patched, ensure no user-controlled input reaches XSLT stylesheet content, and configure the JAXP TransformerFactory with FEATURE_SECURE_PROCESSING, which in the JDK’s built-in processor disables extension functions.
  • Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behaviour, such as unexpected child processes of the application server, that might indicate attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
A remote code execution flaw in a web framework compromises the application server itself, not only the data it handles, so a CVSS 9.8 vulnerability in Apache Wicket can affect any organisation running Wicket-based applications, across technology, finance, healthcare, and beyond. Organisations should inventory where Wicket is deployed, confirm affected versions against the advisory, and prioritise the fix across all regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

RansomHub Ransomware attacked and published data of the Coca-Cola – Myanmar office

  • Threat Actors: RansomHub Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: Myanmar
  • Target Industry: Food and Beverages
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that RansomHub Ransomware attacked and published data of the Coca-Cola – Myanmar office (www[.]coca-cola[.]com[.]mm) on its dark web leak site. The Coca-Cola Company is an American multinational corporation that manufactures, sells, and markets soft drinks including Coca-Cola, other non-alcoholic beverage concentrates and syrups, and alcoholic beverages. Coca-Cola operates in Myanmar through its local subsidiary, Coca-Cola Pinya Beverages Myanmar Ltd. The Myanmar office manufactures and distributes Coca-Cola products and has made significant investments in local production facilities. The data leaked following the ransomware attack encompasses sensitive and confidential information related to the organization. The total size of the compromised data is 800 GB.

Source: Dark Web

Relevancy & Insights:

  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub has recently been reported to target VMware ESXi environments using a newly developed Linux encryptor. This encryptor shuts down virtual machines and removes snapshots before encryption, eliminating the simplest recovery path. It uses ChaCha20 for encryption and Curve25519 for key exchange, so files cannot be recovered without the operators’ private key.
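As an added detection sketch, not RansomHub code and not derived from any sample, the Java below scans ESXi shell.log-style lines for the behaviour the report describes: a burst of VM power-offs and snapshot removals against several VMs in a short window. It assumes the encryptor drives these actions through the host’s vim-cmd utility (one common way, but not stated in the report); the log lines, VM threshold and time window are constructed assumptions for the illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added detection sketch for the pre-encryption phase described in the report.
 * Input lines are CONSTRUCTED samples in the shape of ESXi /var/log/shell.log:
 *   "<ISO-8601 time> shell[<pid>]: [<user>]: <command>"
 */
public class EsxiPreludeDetector {

    static final Pattern LINE = Pattern.compile("^(\\S+) shell\\[(\\d+)\\]: \\[(\\w+)\\]: (.+)$");
    static final Pattern POWER_OFF = Pattern.compile("vim-cmd vmsvc/power\\.off (\\d+)");
    static final Pattern SNAP_RM = Pattern.compile("vim-cmd vmsvc/snapshot\\.removeall (\\d+)");

    // Assumed tuning: this many distinct VMs inside this window is suspicious.
    static final int VM_THRESHOLD = 3;
    static final Duration WINDOW = Duration.ofMinutes(2);

    record Event(Instant at, String user, String kind, String vmid) {}

    /** Keeps only power-off and snapshot-removal commands; other lines are noise. */
    static List<Event> parse(List<String> lines) {
        List<Event> out = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            Instant at = Instant.parse(m.group(1));
            String user = m.group(3), cmd = m.group(4);
            Matcher p = POWER_OFF.matcher(cmd);
            Matcher s = SNAP_RM.matcher(cmd);
            if (p.find()) out.add(new Event(at, user, "power.off", p.group(1)));
            else if (s.find()) out.add(new Event(at, user, "snapshot.removeall", s.group(1)));
        }
        return out;
    }

    /**
     * Slides a window over chronological events and alerts when, within WINDOW,
     * at least VM_THRESHOLD distinct VMs were touched and both a power-off and a
     * snapshot removal occurred. One alert per detected burst.
     */
    static List<String> detect(List<String> lines) {
        List<Event> ev = parse(lines);
        List<String> alerts = new ArrayList<>();
        for (int i = 0; i < ev.size(); i++) {
            Instant end = ev.get(i).at().plus(WINDOW);
            Set<String> vms = new LinkedHashSet<>();
            boolean sawOff = false, sawSnap = false;
            for (int j = i; j < ev.size() && !ev.get(j).at().isAfter(end); j++) {
                vms.add(ev.get(j).vmid());
                sawOff |= ev.get(j).kind().equals("power.off");
                sawSnap |= ev.get(j).kind().equals("snapshot.removeall");
            }
            if (vms.size() >= VM_THRESHOLD && sawOff && sawSnap) {
                alerts.add(ev.get(i).at() + " user=" + ev.get(i).user()
                        + " power-off + snapshot removal across VMs " + vms);
                break;
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        List<String> sample = List.of( // constructed, not real logs
            "2024-07-17T02:10:01Z shell[2001]: [root]: vim-cmd vmsvc/getallvms",
            "2024-07-17T02:10:04Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12",
            "2024-07-17T02:10:05Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12",
            "2024-07-17T02:10:07Z shell[2001]: [root]: vim-cmd vmsvc/power.off 13",
            "2024-07-17T02:10:08Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 13",
            "2024-07-17T02:10:10Z shell[2001]: [root]: vim-cmd vmsvc/power.off 14",
            "2024-07-17T02:10:11Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 14",
            "2024-07-17T09:30:00Z shell[2107]: [admin]: vim-cmd vmsvc/power.off 7" // lone action, below threshold
        );
        detect(sample).forEach(a -> System.out.println("ALERT " + a));
    }
}
```

Scheduled maintenance and backup jobs also power off VMs and prune snapshots, so the thresholds need tuning against each environment’s baseline, and an alert is most useful when correlated with a new or unsigned binary appearing on the host shortly before the burst.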

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that RansomHub Ransomware will continue to target various industries globally, with particular emphasis on the United States, Europe, and Asia. The recent attack on the Coca-Cola – Myanmar office, a prominent food and beverage company in Myanmar, underscores the extensive threat this ransomware strain poses in the Southeast Asia region.

7. Data Leaks

Indonesian Government Employees Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to Indonesian Government Employees in an underground forum. A threat actor shared an alleged data leak on a dark web forum. According to the threat actor, the alleged leak belongs to an online attendance service for government employees in Blora district, Indonesia.

The forum post also contains a data sample from the alleged leak. According to the sample, the leak contains IDs, email addresses, names, passwords, usernames, and other data points. Price information, details of the leak, and information about the time of the leak are not stated. The threat actor only says that those interested can DM for more information.

Source: Underground Forums

PT Tekno Mandiri Abadi Indonesia data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Automotive
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to PT Tekno Mandiri Abadi in an underground forum. A threat actor claims to possess, and is now selling, the customer data of PT Tekno Mandiri Abadi, a distributor for Epson Indonesia. According to the actor, the compromised data includes comprehensive personal and business information on 60,000 customers.

The data fields allegedly available in the breach are extensive, covering customer IDs, contact information, business phone numbers, mobile numbers, emails, fax numbers, websites, primary currencies, notes, billing addresses, cities, provinces, shipping addresses, accounts receivable, advance accounts, invoice totals, including tax, taxpayer identification numbers (NPWP), tax obligations, national identity numbers (NIK), VAT registration numbers (NPPKP), tax addresses, initial balances, initial balance dates, currency balances, and more.

The hacker has provided a sample of personal data from the breach to validate their claims, emphasizing the scale of the breach and the substantial amount of customer records involved. The data breach has been attributed to a threat actor identified as ‘Sedapmalam’.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as “Sedapmalam” poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by “Sedapmalam” typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a potential data leak related to 1Tx (Singapore). 1TX is a tech-focused organization that offers a variety of innovation and performance-testing tools and services to help organizations digitalize successfully. A threat actor claimed that 1Tx.io suffered a data breach, potentially exposing the information of up to 23,000 companies. The compromised data, formatted as a CSV file with 23,305 rows, includes various sensitive details.

The data fields allegedly include company IDs, account types, company names, emails, first and last names, roles, user IDs, and other pertinent information, such as phone numbers, skillsets, and marketing consent status. This breach could have far-reaching implications for the affected companies and individuals.

Source: Underground forums

The CYFIRMA Research team observed a potential access sale related to a Japanese electronics company. IntelBroker claims to be selling access to the company, which the actor says has revenue of USD 60 billion. The advertised access reportedly covers the company’s API (customers, inventory, orders); the listing also refers to “any point” without specifying further.

Source: Underground forums

ETLM Assessment:
The threat actor ‘IntelBroker’ has become active in underground forums and has emerged as a formidable force in financially motivated cybercrime. The actor has already targeted the Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banking, E-Commerce, and Electric & Utilities industries, indicating an intention to extend its targeting to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, backed by a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events; communicate anomalies promptly and continuously evolve the processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the geography-wise and industry-wise breakdown of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.