Self Assessment

Weekly Intelligence Report – 19 May 2023

Published On : 2023-05-19
Share :
Weekly Intelligence Report – 19 May 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Espionage, and Data Destruction.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Play Ransomware | Malware – Merdoor
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Merdoor
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

An Unknown China-based Threat Actor Observed Stealing Information from Korean Companies

  • Suspected Threat Actors: Unknown
  • Attack Type: Web Attack
  • Target Geography: Korea
  • Target Industry: Manufacturing Industry
  • Objective: Data Theft
  • Target Technology: Windows Server
  • Business Impact: Data Loss and Operational Disruption

In a recent development, researchers observed a China-based unknown threat actor targeting Korea-based companies and shared very limited information about the whole incident. One company targeted was in the semiconductor industry and the other was in smart manufacturing, by utilizing artificial intelligence. Researchers also suspected that threat actors named Xiaoqiying and Dalbit could be behind this attack. The threat actor employed FRP (Fast Reverse Proxy) and deployed it on the victim’s vulnerable server. Within this server, a variety of hacking tools like CobaltStrike, VPN, and remote control reside, alongside numerous log files were uploaded. These log files are stored within directories named numerically. Among the stealer logs, one can find credentials, network details, and assumed proprietary data, belonging to various companies.

The operation, led by the China-based unknown threat actor, focused on the outright theft of information and credentials. There is a possibility that the acquired data could be employed to aid and assist the same industries in China.

The specific vulnerability used by the threat actor to access the server remains undisclosed. However, it appears that they exploited a Remote Code Execution vulnerability for their malicious activities.

Major Geopolitical Developments in Cybersecurity

Chinese Hackers Targeting EU Foreign Affairs Institutions

The Chinese nation-state actor known as Mustang Panda or Bronze President has been linked to the new set of sophisticated and targeted attacks, aimed at European foreign affairs institutions, since the beginning of the year. According to researchers, the APT is using a custom firmware implant, designed explicitly for TP-Link routers, which includes a custom backdoor named ‘Horse Shell’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks.

It is presently uncertain how exactly the altered firmware images were installed on the compromised routers, as well as how it was exploited and involved in actual assaults. Initial access is thought to have been obtained via taking advantage of well-known security holes or brute-forcing systems with pre-set or weak passwords. The malicious implant gives the attackers access to the router, allowing them to upload and download files, as well as relay communication between two clients.

According to researchers, the discovery is yet another example of a long-standing trend of Chinese threat actors to exploit internet-facing network devices and modify their underlying software or firmware for espionage purposes. Mustang Panda itself has targeted both NGOs and governmental organizations for espionage purposes before. However, it has previously focused on Asia, while the latest attack has been targeting undisclosed European countries.

Leaked documents claim Russian hackers breached a gas pipeline operator in Canada

Recently leaked classified U.S. intelligence files suggest that a pro-Russian hacktivist group may have breached the network of a Canadian gas pipeline company in February. The group, known as Zarya, is reported to be an offshoot of Killnet; a well-known hacktivist group that has previously targeted websites and organizations in the United States.

The briefing describes intercepted communication between Zarya and a representative of the FSB; Russia’s primary intelligence service, including the FSB representative instructing hackers on how to manipulate controls to cause an emergency pipeline shutdown. The briefing is part of a larger set of leaked documents that show how the United States gathers intelligence on its major allies, enemies, and rivals.

The FSB officer stated in his instructions that while “a successful operation would cause an explosion,” the objective was “not to cause loss of life” but rather to cause financial damage. The capacity of Zarya to create an explosion was questioned by several experts, who claimed that physical safety measures would have most certainly prevented such a result.

Russian hackers’ front operation in Sudan aims at Sweden

Researchers have reported on a supposed Islamist Sudanese hacktivist collective, dubbed Anonymous Sudan, which appears in fact to be a false-flag operation, conducted by Russian intelligence services. A recently published report concludes that the group uses a false pretext to disguise a Russian operation, directed at Sweden to interfere with Sweden’s accession to NATO, using a mix of nuisance-level distributed denial-of-service (DDoS) attacks and influence operations, directed at Sweden’s Muslim minority and Turkish public opinion.

The group has demonstrated a depth of understanding of Swedish politics and its societal and religious frictions and access to money, much beyond an average hacktivist organization, while the timing and organization of the attacks and operational similarities to other Russian psyops are just some of the reasons why researchers have concluded that Anonymous Sudan is a Russian front.

The collective on their part has tried to deflect the accusation by stating that they’re not Russian but repaying Russia for its help in the past, which is yet another implausible claim since the ongoing mass use of violence in Sudan would suggests that actual Sudanese Islamist hacktivists would have more pressing concerns in their homeland.

Other Observations

CYFIRMA Research team observed a potential data leak related to Liferay, (www[.]liferay[.]com). Liferay is an open-source company that provides free documentation and paid professional service to users of its software. Mainly focused on enterprise portal technology, the company has its headquarters in the United States of America. The data breach comprises of confidential and sensitive information of customers.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.