
Weekly Intelligence Report – 21 Sep 2023

Published On : 2023-09-21

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Industries: Business Support Services, Heavy Construction.
Target Geography: United States of America.

Introduction
CYFIRMA Research and Advisory Team has found ransomware known as 3AM while monitoring various underground forums as part of our Threat Discovery Process.

3AM:
3AM is a new ransomware that has been coded using the Rust programming language. Its primary objective is to encrypt files stored on a victim’s computer. In addition to encryption, 3AM alters the filenames of the encrypted files by adding the “.threeamtime” extension. To communicate with the victim and demand a ransom for file decryption, the ransomware creates a ransom note titled “RECOVER-FILES.txt.”

It was employed in a ransomware attack by a threat actor who initially tried to deploy LockBit on a target’s network. However, when the attempt to deploy LockBit was thwarted or blocked, the threat actor swiftly switched to using 3AM.

There is still uncertainty surrounding any potential connections between the developers of 3AM and established cybercriminals.

The initial suspicious activity by the threat actor involved the utilization of the “gpresult” command to extract policy settings applied to a specific user on the computer. Additionally, the attacker executed various Cobalt Strike components and tried to elevate privileges using “PsExec.”

Subsequently, the attackers conducted reconnaissance through commands such as “whoami,” “netstat,” “quser,” and “net share.” They also sought to enumerate other servers for lateral movement using the “quser” and “net view” commands. Furthermore, they established persistence by creating a new user and employed the “Wput” tool to exfiltrate victims’ files to their FTP server.

Ransomware Analysis:
The ransomware is a 64-bit executable coded in the Rust programming language and is designed to recognize the following command-line parameters.

  • “-k” – 32 Base64 characters, referred to as “Access key” in the ransom note
  • “-p” – Unknown
  • “-h” – Unknown
  • “-m” – Method, where the code checks one of two values before running encryption logic:
    • “local”
    • “net”
  • “-s” – determines offsets within files for encryption to control encryption speed. This is expressed in the form of decimal digits.

The command-line parameters “-m” and “-h” are exclusive options, and they cannot be used together. The usage of these parameters, with their respective values of “local” and “net,” closely resembles arguments utilized by the Conti ransomware group.

When the malware is executed, it attempts to run the following commands, most of which attempt to stop various security- and backup-related software or to remove recovery options:

  • “netsh.exe” advfirewall firewall set rule “group=”Network Discovery”” new enable=Yes
  • “wbadmin.exe” delete systemstatebackup -keepVersions:0 -quiet
  • “wbadmin.exe” DELETE SYSTEMSTATEBACKUP
  • “wbadmin.exe” DELETE SYSTEMSTATEBACKUP -deleteOldest
  • “bcdedit.exe” /set {default} recoveryenabled No
  • “bcdedit.exe” /set {default} bootstatuspolicy ignoreallfailures
  • “wmic.exe” SHADOWCOPY DELETE /nointeractive
  • “cmd.exe” /c wevtutil cl security
  • “cmd.exe” /c wevtutil cl system
  • “cmd.exe” /c wevtutil cl application
  • “net” stop /y vmcomp
  • “net” stop /y vmwp
  • “net” stop /y veeam
  • “net” stop /y Back
  • “net” stop /y xchange
  • “net” stop /y backup
  • “net” stop /y Backup
  • “net” stop /y acronis
  • “net” stop /y AcronisAgent
  • “net” stop /y AcrSch2Svc
  • “net” stop /y sql
  • “net” stop /y Enterprise
  • “net” stop /y Veeam
  • “net” stop /y VeeamTransportSvc
  • “net” stop /y VeeamNFSSvc
  • “net” stop /y AcrSch
  • “net” stop /y bedbg
  • “net” stop /y DCAgent
  • “net” stop /y EPSecurity
  • “net” stop /y EPUpdate
  • “net” stop /y Eraser
  • “net” stop /y EsgShKernel
  • “net” stop /y FA_Scheduler
  • “net” stop /y IISAdmin
  • “net” stop /y IMAP4
  • “net” stop /y MBAM
  • “net” stop /y Endpoint
  • “net” stop /y Afee
  • “net” stop /y McShield
  • “net” stop /y task
  • “net” stop /y mfemms
  • “net” stop /y mfevtp
  • “net” stop /y mms
  • “net” stop /y MsDts
  • “net” stop /y Exchange
  • “net” stop /y ntrt
  • “net” stop /y PDVF
  • “net” stop /y POP3
  • “net” stop /y Report
  • “net” stop /y RESvc
  • “net” stop /y Monitor
  • “net” stop /y Smcinst
  • “net” stop /y SmcService
  • “net” stop /y SMTP
  • “net” stop /y SNAC
  • “net” stop /y swi_
  • “net” stop /y CCSF
  • “net” stop /y ccEvtMgr
  • “net” stop /y ccSetMgr
  • “net” stop /y TrueKey
  • “net” stop /y tmlisten
  • “net” stop /y UIODetect
  • “net” stop /y W3S
  • “net” stop /y WRSVC
  • “net” stop /y NetMsmq
  • “net” stop /y ekrn
  • “net” stop /y EhttpSrv
  • “net” stop /y ESHASRV
  • “net” stop /y AVP
  • “net” stop /y klnagent
  • “net” stop /y wbengine
  • “net” stop /y KAVF
  • “net” stop /y mfefire
  • “net” stop /y svc$
  • “net” stop /y memtas
  • “net” stop /y mepocs
  • “net” stop /y GxVss
  • “net” stop /y GxCVD
  • “net” stop /y GxBlr
  • “net” stop /y GxFWD
  • “net” stop /y GxCIMgr
  • “net” stop /y BackupExecVSSProvider
  • “net” stop /y BackupExecManagementService
  • “net” stop /y BackupExecJobEngine
  • “net” stop /y BackupExecDiveciMediaService
  • “net” stop /y BackupExecAgentBrowser
  • “net” stop /y BackupExecAgentAccelerator
  • “net” stop /y vss
  • “net” stop /y BacupExecRPCService
  • “net” stop /y CASAD2WebSvc
  • “net” stop /y CAARCUpdateSvc
  • “net” stop /y YooBackup
  • “net” stop /y YooIT

Subsequently, the ransomware conducts a disk scan, encrypting any files that meet predefined criteria while simultaneously erasing the original files.

Following the encryption process, the malware tries to execute the command to delete volume shadow backup copies.

Screenshot of files encrypted by 3AM Ransomware. (Source: Surface Web)

Ransom Note of 3AM (Source: Surface Web)

Geography targeted by 3AM Ransomware.

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Disabling Security Measures: The attackers systematically attempt to disable various security and backup-related software using a wide range of commands. Disabling these security measures is a tactic employed by ransomware to ensure successful encryption.
  • Volume Shadow Copy Deletion: After encrypting files, the ransomware attempts to delete Volume Shadow Copies (VSS). This action is a well-known ransomware tactic aimed at obstructing victims from recovering their files via backup copies.
  • Based on the victim list, the primary target of this ransomware is the United States.
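As an added example that is not part of the CYFIRMA report, the following Python detection logic takes the recovery-inhibition, log-clearing and service-stop commands listed above, matches them against constructed process-creation log lines (a simplified Sysmon Event ID 1 shape), and raises an alert only when one parent process on one host trips several distinct rules within a short window, so that a single administrative "net stop" does not fire. The sample events, host names and file paths are constructed; T1490 comes from the report's table, and the other ATT&CK IDs are the standard ones for event-log clearing, firewall modification and service stop.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation sample (Sysmon Event ID 1 reduced to
# "timestamp|host|parent_image|command_line"); not real telemetry.
SAMPLE_EVENTS = """\
2023-09-18T03:02:11Z|ws-014|C:\\Windows\\explorer.exe|"C:\\Windows\\System32\\notepad.exe" notes.txt
2023-09-18T03:02:15Z|ws-014|C:\\Users\\Public\\svc.exe|"wbadmin.exe" delete systemstatebackup -keepVersions:0 -quiet
2023-09-18T03:02:16Z|ws-014|C:\\Users\\Public\\svc.exe|"bcdedit.exe" /set {default} recoveryenabled No
2023-09-18T03:02:17Z|ws-014|C:\\Users\\Public\\svc.exe|"wmic.exe" SHADOWCOPY DELETE /nointeractive
2023-09-18T03:02:18Z|ws-014|C:\\Users\\Public\\svc.exe|"cmd.exe" /c wevtutil cl security
2023-09-18T03:02:19Z|ws-014|C:\\Users\\Public\\svc.exe|"net" stop /y VeeamTransportSvc
2023-09-18T03:02:19Z|ws-014|C:\\Users\\Public\\svc.exe|"net" stop /y McShield
2023-09-18T03:02:20Z|ws-014|C:\\Users\\Public\\svc.exe|"net" stop /y vss
2023-09-18T09:15:00Z|ws-022|C:\\Windows\\System32\\services.exe|"net" stop /y Spooler
"""

# Command-line patterns taken from the 3AM command list, each tagged with the ATT&CK
# technique it maps to (T1490 is in the report's table; the others are standard IDs).
RULES = [
    ("backup_catalog_delete", "T1490",
     re.compile(r'"?wbadmin(?:\.exe)?"?\s+delete\s+systemstatebackup', re.I)),
    ("boot_recovery_disabled", "T1490",
     re.compile(r'"?bcdedit(?:\.exe)?"?\s+/set\s+\{default\}\s+'
                r'(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("shadow_copy_delete", "T1490",
     re.compile(r'"?wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("event_log_cleared", "T1070.001",
     re.compile(r'wevtutil\s+cl\s+(?:security|system|application)\b', re.I)),
    ("firewall_rule_modified", "T1562.004",
     re.compile(r'"?netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+set\s+rule', re.I)),
]
NET_STOP = re.compile(r'^"?net(?:\.exe)?"?\s+stop\s+/y\s+(\S+)', re.I)
# Subset of the backup/security service names 3AM tries to stop; extend from the full list.
STOP_TARGETS = {s.lower() for s in (
    "veeam", "VeeamTransportSvc", "VeeamNFSSvc", "acronis", "AcronisAgent", "AcrSch2Svc",
    "backup", "vss", "wbengine", "BackupExecVSSProvider", "BackupExecJobEngine", "sql",
    "McShield", "mfemms", "mfevtp", "mfefire", "MBAM", "ekrn", "AVP", "klnagent",
    "SmcService", "WRSVC", "EPSecurity", "tmlisten", "GxVss", "YooBackup")}

@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    cmdline: str

def parse_events(text):
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, parent, cmdline = line.split("|", 3)
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmdline))
    return events

def match_event(ev):
    """Return [(rule_name, technique)] for every pattern the command line matches."""
    hits = [(name, tech) for name, tech, rx in RULES if rx.search(ev.cmdline)]
    m = NET_STOP.match(ev.cmdline)
    if m and m.group(1).lower() in STOP_TARGETS:
        hits.append(("security_or_backup_service_stop", "T1489"))
    return hits

def correlate(events, window=timedelta(seconds=120), min_rules=3):
    """Raise one alert per (host, parent process) that trips at least `min_rules`
    distinct rules inside `window`; a lone 'net stop' from an admin does not alert."""
    by_actor = defaultdict(list)
    for ev in events:
        for name, tech in match_event(ev):
            by_actor[(ev.host, ev.parent)].append((ev.ts, name, tech))
    alerts = []
    for (host, parent), hits in by_actor.items():
        hits.sort()
        start, triggered = 0, False
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window start forward
                start += 1
            if len({h[1] for h in hits[start:end + 1]}) >= min_rules:
                triggered = True
                break
        if triggered:
            alerts.append({
                "host": host, "parent": parent, "hit_count": len(hits),
                "rules": sorted({h[1] for h in hits}),
                "techniques": sorted({h[2] for h in hits}),
                "first_seen": hits[0][0].isoformat(),
                "last_seen": hits[-1][0].isoformat(),
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The constructed sample yields one alert for svc.exe on ws-014 covering all five rule families, while the lone Spooler stop from services.exe on ws-022 produces nothing.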

ETLM assessment
CYFIRMA’s assessment, based on available information, is that the emergence of the 3AM ransomware, coded in Rust, and its deployment as a fallback option after the initial LockBit attempt highlights a growing trend of ransomware operations acting with a degree of independence and adaptability. The fact that 3AM was deployed in an actual attack suggests it may gain traction among threat actors. As for predictions, we can anticipate an increase in the usage of Rust-based ransomware variants like 3AM, as this programming language offers certain advantages to attackers. Moreover, the ability of threat actors to quickly switch to alternative ransomware strains poses a significant challenge for cybersecurity defenders. While all sectors and technology users face risks, organizations in sectors with valuable data should be particularly vigilant in strengthening their defenses against these evolving threats.

We will continue to monitor and provide a more comprehensive assessment when further information becomes available.

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr.No  Tactics                        Techniques/Sub-Techniques
1      TA0002: Execution              T1059: Command and Scripting Interpreter
                                      T1053: Scheduled Task/Job
2      TA0003: Persistence            T1053: Scheduled Task/Job
                                      T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3      TA0004: Privilege Escalation   T1053: Scheduled Task/Job
                                      T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control
4      TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                      T1562.001: Impair Defenses: Disable or Modify Tools
5      TA0007: Discovery              T1033: System Owner/User Discovery
                                      T1049: System Network Connections Discovery
                                      T1057: Process Discovery
                                      T1087: Account Discovery
6      TA0011: Exfiltration           T1020: Automated Exfiltration
7      TA0040: Impact                 T1486: Data Encrypted for Impact
                                      T1490: Inhibit System Recovery

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Cyber espionage, Stealing sensitive Information
Threat Actor: Transparent Tribe (aka APT36)
Target Technology: Android OS
Target Entities: Military, Diplomat, Activist
Target Geographies: India & Pakistan

Active Malware of the Week
This week “CapraRAT” is trending.

CapraRAT
The threat actor APT36, also known as Transparent Tribe, is a suspected Pakistani threat actor that targets military, diplomatic personnel, and the Indian Education sector. They distribute Android apps through their own websites and use social engineering to avoid the Google Play Store. Recently, researchers observed they are using Android apps resembling YouTube to distribute their ‘CapraRAT’, which acts as spyware, collecting data and accessing sensitive information.

Three packages associated with CapraRAT employ various deceptive tactics. Two packages impersonate the legitimate YouTube app to deceive users, while the third engages in romance-based social engineering by connecting to a YouTube channel attributed to a persona named “Piya Sharma.” This channel contains short clips featuring a woman in diverse locations. These tactics are used to entice users into downloading malicious content while masquerading as legitimate applications.

Attack Method
Initially, the malicious APKs are distributed outside of Google Play (Android’s official app store). This distribution method strongly suggests that victims are likely to be first enticed through social engineering to download and install them.

Connection to a YouTube Channel
A noteworthy discovery in researchers’ investigation involves a newly identified APK that establishes a connection with a YouTube channel owned by an individual named Piya Sharma. This YouTube channel features a collection of short clips featuring a woman in various locations. What makes this finding particularly intriguing is that the APK adopts both the persona and the name of Piya Sharma. This observation underscores the threat actor’s persistent use of romance-based social engineering techniques to entice and convince targets to install these applications. It is highly likely that Piya Sharma’s identity is being exploited as a linked persona within this scheme.

Analysis of CapraRAT
Researchers performed static analysis on two distinct YouTube-themed CapraRAT APKs.

  • The first APK, named “yt.apk,” was uploaded to VirusTotal in July 2023.
  • The second, “YouTube_052647.apk,” made its appearance in August 2023.
  • Furthermore, researchers identified a third APK named “Piya Sharma.apk,” linked to the YouTube channel of Piya Sharma and uploaded to VirusTotal in April 2023. Notably, this app requests multiple permissions, including those related to microphone access, which align with expected recording or search features. However, certain permissions, such as the ability to send and view SMS, appear unrelated to the app’s intended functionality.

Once the CapraRAT is up and running on the device, it performs the following actions:

  • Recording with the microphone, front & rear cameras
  • Collecting SMS and multimedia message contents, call logs
  • Sending SMS messages, blocking incoming SMS
  • Initiating phone calls
  • Taking screen captures
  • Overriding system settings such as GPS & Network
  • Modifying files on the phone’s filesystem

Analysis of CapraRAT’s Configuration and Functionality
Upon launching the app, the ‘MainActivity’ utilizes a ‘load_web’ method to initiate a WebView object, loading the YouTube website. This approach results in a user experience distinct from the native Android YouTube app, resembling the viewing of YouTube through a mobile web browser within the trojanized CapraRAT app’s window. Because CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious activity are often named and arranged differently depending on the app. Researchers have analysed the CapraRAT APKs, which contain the following files:

The CapraRAT configuration file, referred to interchangeably as “setting” or “settings,” contains default configuration data and versioning metadata. Notably, CapraRAT uses a version syntax such as “A.F.U.3” in YouTube_052647.apk and “V.U.H.3” in Piya Sharma.apk. However, these version numbers do not exhibit a clear connection to the C2 domains.

The ‘MainActivity’ plays a pivotal role in driving the application’s key features. This activity ensures persistence through the ‘onCreate’ method, utilizing ‘Autostarter,’ an open-source project that allows developers to automatically launch an Android application. It initializes the ‘TPSClient’ class as an object named ‘mTCPService.’ Subsequently, this method calls the ‘serviceRefresh’ method, creating an alarm at the interval specified in the settings file’s ‘timeForAlarm’ variable. In this case, the value ‘0xea60’ corresponds to 60,000 milliseconds, resulting in the alarm and persistence launcher running once per minute. ‘TPSClient’ contains CapraRAT’s commands, invoked through the ‘run’ method using a series of switch statements that map the string command to a related method. TPSClient has a method check_permissions() that is not in Extra_Class. This method checks the following series of Android permissions and generates a string with a True or False result for each:

  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • CAMERA
  • READ_CONTACTS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE
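As an added example, not from the report or from the researchers’ analysis, the Python triage below parses a constructed, decoded AndroidManifest.xml (in the shape apktool produces) for a YouTube-lookalike app, separates the permissions a thin WebView video wrapper plausibly needs from the ones the report calls out as unrelated to such an app (SMS, call log, calls, camera, location, file access), and reports how many of the permissions that CapraRAT’s check_permissions() probes are declared. The package name, label and permission set in the manifest are constructed, and the expected-permission baseline is an assumption about what a video-player app needs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, decoded AndroidManifest.xml in the shape apktool emits. The package name,
# label and permission set are illustrative and not copied from the real samples.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.yt">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="YouTube">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Assumed baseline: what a WebView wrapper around a video site plausibly needs. RECORD_AUDIO
# is included because voice search is a credible reason for microphone access.
EXPECTED_FOR_VIDEO_APP = {"INTERNET", "ACCESS_NETWORK_STATE", "RECORD_AUDIO", "WAKE_LOCK"}

# What each out-of-place permission enables, phrased as the behaviours the report lists.
CAPABILITY = {
    "READ_SMS": "read SMS/MMS contents", "RECEIVE_SMS": "intercept or block incoming SMS",
    "SEND_SMS": "send SMS", "READ_CALL_LOG": "collect call logs",
    "CALL_PHONE": "initiate phone calls", "CAMERA": "record with cameras",
    "ACCESS_FINE_LOCATION": "track GPS location", "READ_PHONE_STATE": "read device/SIM identity",
    "READ_CONTACTS": "harvest contacts", "READ_EXTERNAL_STORAGE": "read files on the filesystem",
    "WRITE_EXTERNAL_STORAGE": "modify files on the filesystem",
    "RECEIVE_BOOT_COMPLETED": "relaunch at boot (persistence)",
}

# The permissions CapraRAT's check_permissions() probes at runtime, as listed in the report.
RAT_RUNTIME_CHECK = {
    "READ_EXTERNAL_STORAGE", "READ_CALL_LOG", "CAMERA", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names with the 'android.permission.' prefix removed."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name.rsplit(".", 1)[-1])
    return names

def triage_manifest(manifest_xml, expected=EXPECTED_FOR_VIDEO_APP):
    """Split requested permissions into plausible vs. unexpected for the app's stated purpose,
    map the unexpected ones to spyware capabilities, and score the result."""
    requested = requested_permissions(manifest_xml)
    unexpected = sorted(requested - expected)
    # Transparent scoring: count out-of-place permissions that enable a listed RAT behaviour.
    score = sum(1 for p in unexpected if p in CAPABILITY)
    risk = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "requested": sorted(requested),
        "plausible": sorted(requested & expected),
        "unexpected": unexpected,
        "capabilities": sorted({CAPABILITY[p] for p in unexpected if p in CAPABILITY}),
        "rat_probe_overlap": sorted(requested & RAT_RUNTIME_CHECK),
        "risk": risk,
    }

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(f"risk={result['risk']}  unexpected={result['unexpected']}")
    print("capabilities:", *result["capabilities"], sep="\n  ")
    print("declares all permissions CapraRAT probes:",
          result["rat_probe_overlap"] == sorted(RAT_RUNTIME_CHECK))
```

A manifest for a genuine video wrapper would leave `unexpected` empty, while the constructed lookalike declares every permission the RAT’s runtime check probes plus the full SMS and call set.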

C2 & Infrastructure
CapraRAT’s configuration file holds the C2 server address and port information. The domains used by the malware are associated with Transparent Tribe, and they appear to use Windows Server infrastructure for C2. Additionally, an IP address linked to one of the domains has a history of DNS tunneling lookups, suggesting possible prior infections or connections to other campaigns. The exact relationship between these campaigns remains unclear.

INSIGHTS

  • Transparent Tribe, a threat actor active since 2013, deploys sophisticated malware in its operations, including the Android-based CapraRAT. This malicious application functions as a Remote Access Trojan (RAT), enabling the theft of sensitive data, including contact information, call logs, SMS messages, location data, and audio recordings.
  • Transparent Tribe is a well-established threat actor known for its consistent patterns, which allow for easy identification of their tools due to their relatively low operational security measures. In this campaign, the group has used the tactic of creating YouTube-like apps to distribute Android spyware to targets through social media. Given their history, individuals and organizations involved in diplomatic, military, or activist activities in the India and Pakistan regions should assess their defences against this persistent threat actor and its associated threats.
  • This threat actor consistently updates its malware arsenal, operational strategies, and target selection. They employ diverse tactics to deceive victims and continually evolve their techniques while introducing new tools. A common social engineering approach used by Transparent Tribe involves creating applications that mimic legitimate ones in order to deceive targets.

ETLM ASSESSMENT
From the ETLM Perspective CYFIRMA believes that CapraRAT is likely to continue evolving as a sophisticated and persistent threat, targeting organizations across various sectors. As organizations enhance their cybersecurity defences, CapraRAT may attempt to exploit emerging vulnerabilities or leverage social engineering tactics more effectively to gain access. CapraRAT’s specific capability to record audio and video, as well as access communication data, adds an additional layer of concern, as it may compromise the privacy of both employees and clients. This, in turn, could lead to complex legal and compliance challenges for organizations to navigate in the future.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
    • Avoid downloading and executing files from unverified sources.
    • Avoid free versions of paid software.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enforce policies to validate third-party software before installation.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Do not install a third-party version of an application already on your device.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Web Attacks, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Play Ransomware | Malware – CapraRAT
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following: ❍ Malware – CapraRAT
  • Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Earth Lusca Deploys New Linux-based Malware SPRYSOCKS
Threat Actors: Earth Lusca
Attack Type: Web Attack
Objective: Espionage
Target Technology: Linux
Target Geographies: Asia and the Balkans
Target Industries: Government Sector
Business Impact: Operational Disruption

Summary
The China-based cyber threat group Earth Lusca has been identified as targeting government entities worldwide, using a new Linux backdoor called SprySOCKS. This group was first reported by researchers in January 2022 for its cyberattacks on public and private sector organizations across Asia, Australia, Europe, and North America. Earth Lusca, active since 2021, employs spear-phishing and watering hole attacks for cyber espionage. Recent cybersecurity findings confirm Earth Lusca’s ongoing activities, with an expanded focus on foreign affairs, technology, and telecommunications government departments, primarily in Southeast Asia, Central Asia, and the Balkans. The group initiates infections by exploiting known security vulnerabilities in various servers, allowing them to deploy web shells and execute Cobalt Strike for lateral movement. Their goals include document and email credential exfiltration, as well as deploying advanced backdoors like ShadowPad and a Linux version of Winnti for long-term espionage. SprySOCKS, the newly discovered Linux backdoor, is delivered alongside Cobalt Strike and Winnti. This backdoor has its origins in the open-source Windows backdoor Trochilus and is loaded using an ELF injector component called mandibule. It can gather system information, initiate an interactive shell, create and terminate SOCKS proxies, and perform file and directory operations. Earth Lusca’s SprySOCKS communication uses the Transmission Control Protocol (TCP) and appears to mirror the structure of a Windows-based trojan called RedLeaves, which itself is based on Trochilus. Multiple versions of SprySOCKS have been identified, indicating ongoing development and modification by the threat actors.

Relevancy & Insights:
To date, researchers have identified at least two distinct versions of SprySOCKS, denoted as versions 1.1 and 1.3.6. This discovery implies an ongoing process of modification and enhancement of the malware by the threat actors, as they continually introduce new features and updates.

ETLM Assessment:
SprySOCKS is a recently discovered malware deployed by Earth Lusca to infiltrate government departments in Asia. Notably, Chinese threat actors, including Earth Lusca, have a history of employing malware like ShadowPad in cyber espionage campaigns across diverse industries. As these Chinese threat actors tend to utilize successful malware repeatedly, there’s a possibility that SprySOCKS may see increased adoption among other threat actors from China if it proves effective in achieving their objectives. This underscores the potential for SprySOCKS to become a more widespread tool in the arsenal of Chinese threat actors, following a similar trajectory to previously successful malware like ShadowPad.

Recommendations:

  • Conduct regular vulnerability assessments and penetration testing to identify and remediate weaknesses in your network and systems. Stay informed about the latest security vulnerabilities and apply patches promptly.
  • Invest in threat intelligence services to stay updated on emerging threats and tactics used by threat actors, like Earth Lusca. This knowledge can help you proactively defend against specific threats.
  • Conduct regular security audits and assessments to evaluate the effectiveness of your security measures and identify areas for improvement.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Colombian government affected by a telecom provider cyberattack
A reported cyberattack has hit the Colombian telecommunication provider IFX Networks and has affected the company’s customers, which include, according to statements by Colombia’s ICT Ministry, at least twenty Colombian government agencies, as well as more than 700 companies in Latin America. The Colombian governmental agencies include the health ministry, the health regulator, and the superior council of the judiciary. Colombia’s cybersecurity unit (PMU Ciber) has established a command post to cope with the emergency. Many courts had to cease operations, and the judiciary appears to have been particularly heavily struck.

Colombia’s President Gustavo Petro, while visiting New York for this week’s UN General Assembly, was quoted as saying that more than fifty government agencies were affected by a ransomware attack on a widely used telco provider (without direct reference to IFX). He stated that the attack’s widespread impact showed the company did not have the right cybersecurity measures in place and suggested this placed the company in breach of its contracted responsibilities. The Colombian government is now reportedly considering civil lawsuits and possibly criminal prosecution of IFX Networks over what Information and Telecommunications Minister Mauricio Lizcano characterized as failures in security protocols.

ETLM Assessment:
According to a preliminary assessment, the reported attack has been the work of a ransomware gang, probably motivated by financial gains. At this stage, however, a traditional cyberespionage operation covered by a ransomware attack cannot be ruled out.

A new Iranian cyberespionage campaign
Researchers are warning against a widespread campaign by the Iranian state-sponsored actor Peach Sandstorm (also known as HOLMIUM). The threat actor has been launching password-spraying campaigns against thousands of organizations since the beginning of the year, with a particular focus on the satellite, defense, and pharmaceutical sectors. According to researchers, Peach Sandstorm has succeeded in breaching at least several organizations and exfiltrating data. The researchers consider the capabilities observed in the campaign concerning, as the attackers have been seen using legitimate credentials to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity.

ETLM Assessment:
The campaign seems to be part of a widespread Iranian attempt to gain access to technologies and intellectual property from which the country has been cut off by the international sanctions on the regime. There are likely more similar campaigns by other Iranian actors pursuing the same goals.

Rise in Malware/Ransomware and Phishing

TSC is Impacted by Play Ransomware
Attack Type: Ransomware
Target Industry: Construction
Target Geography: The United States of America
Ransomware: Play Ransomware
Objective: Data Theft, Data Encryption, Financial Gains
Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]t-s-c[.]com), was compromised by Play Ransomware. TSC Services is a drilling contractor with equipment for their new builds and upgrades, including semisubs, drillships, jackups, and platforms. The compromised data has not yet been made public on the leak site; the Play Ransomware leak site claims that it consists of confidential private and personal information, documents related to clients and employees, contracts, identification records, project details, financial information, and more.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Recently we observed that the Play group breaks into MSP (managed service provider) systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of the MSPs’ customers. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group’s attack on multiple MSPs via vulnerabilities in Kaseya’s Virtual System Administrator (VSA) network monitoring tool. The attack resulted in the encryption of data on the systems of more than 1,000 customers of these MSPs. Once the Play actors gain access to a customer environment via the victim’s MSP, they move quickly to deploy additional exploits and broaden their foothold.
  • Play’s focus is directed towards midsize enterprises, within sectors like finance, legal services, software development, shipping, law enforcement, and logistics. Their primary geographical targets encompass the United States, Australia, the United Kingdom, Italy, and other nations. Moreover, Play’s ransomware operations extend to encompass governmental bodies at state, local, and tribal levels, across the same set of countries.
  • The group’s arsenal has seen expansion through the incorporation of fresh exploits, including tools like ProxyNotShell, OWASSRF, and a method for remote code execution on Microsoft Exchange Servers. Beyond utilizing remote desktop protocol servers as a means of infiltrating networks, Play ransomware has also demonstrated utilization of vulnerabilities within FortiOS, specifically those tracked as CVE-2018-13379 and CVE-2020-12812.
  • Based on the Play Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Sectors Most Affected by Play Ransomware

ETLM Assessment:
CYFIRMA’s assessment remains consistent: we anticipate that the Play ransomware will continue to target US-based companies, as illustrated in the graph above. Nevertheless, recent incidents like the TSC attack demonstrate that other major construction corporations are not immune to potential targeting.

Vulnerabilities and Exploits

Vulnerability in Trend Micro Endpoint Security Products
Attack Type: Vulnerabilities & Exploits
Target Technology: Antivirus software/Personal firewalls
Vulnerability: CVE-2023-41179 (CVSS Base Score 9.1)
Vulnerability Type: OS Command Injection

Summary:
The vulnerability allows a local user to escalate privileges on the system.

Relevancy & Insights:
The vulnerability exists due to improper input validation within the third-party AV uninstaller module shipped with the software.

Impact:
A local user can execute arbitrary commands with elevated privileges.

Affected Products:
https[:]//success[.]trendmicro[.]com/dcx/s/solution/000294994?language=en_US

Recommendations:
Apply the Vendor Patch: Ensure that the recommended patches and updates provided by Trend Micro are promptly applied to the affected systems.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 products most affected.

Latest Cyber-Attacks, Incidents, and Breaches

Pro-Russian DDoS attacks impact Canada
Threat Actors: NoName057(16)
Attack Type: DDoS
Objective: Operational Disruption
Target Technology: Web Application
Target Geographies: Canada
Target Industries: Government, Banking, and Transportation
Business Impact: Operational Disruption

Summary:
Lately, the Canadian government, banking sector, and transportation industries have experienced a surge in distributed denial of service (DDoS) attacks directed towards them. These illicit actions have been attributed to state-backed cyber threat actors affiliated with Russia. Since March 2022, NoName057(16), a hacktivist operator or group with pro-Russian leanings, has claimed responsibility for numerous DDoS campaigns targeting entities in countries perceived as anti-Russian. The underlying infrastructure supporting NoName057(16) is hosted within Russia and is likely managed by individuals with expertise in system design and upkeep. Organizations’ web servers have been targeted by NoName057(16) using a botnet. The Canadian Centre for Cyber Security issued an advisory aimed at alerting the public to these incidents, raising awareness of potential impacts on government services, and providing guidance to organizations that may become targets of such illicit actions.

Source: Telegram

Relevancy & Insights:
Canada has experienced a series of distributed denial-of-service (DDoS) attacks on its government agencies, financial institutions, and transportation industries, and these attacks have been attributed to the pro-Russian cybercrime group NoName057(16). The Canadian Centre for Cyber Security has confirmed that NoName057(16) has been targeting organizations’ web servers with the use of a botnet. Additionally, the alert highlighted the ongoing Russia-Ukraine conflict, noting persistent state-backed Russian cyberattacks against Ukraine and its allies.

ETLM Assessment:
CYFIRMA assesses that pro-Russian hacktivists will continue to conduct DDoS attacks on the government, banking, and transportation sectors of NATO countries.
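The incident above involves a botnet flooding organizations’ web servers. As an added example (not part of the CYFIRMA report and not tied to the actual NoName057(16) tooling), the script below shows the first detection step a web team can run on its own access logs: parse combined-format log lines, count requests per source and per time window, and raise an alert when one source exceeds a per-window budget or the whole window exceeds a volume threshold. The log lines, IP addresses (TEST-NET ranges) and thresholds are constructed for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime

# Common fields of an Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line: str) -> dict | None:
    """Return the fields needed for rate analysis, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "epoch": int(ts.timestamp()),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def count_by_window(events: list[dict], window_seconds: int) -> tuple[Counter, Counter]:
    """Bucket events into fixed windows: (window_start, ip) -> count and window_start -> count."""
    per_source: Counter = Counter()
    per_window: Counter = Counter()
    for e in events:
        w = e["epoch"] - e["epoch"] % window_seconds
        per_source[(w, e["ip"])] += 1
        per_window[w] += 1
    return per_source, per_window


def detect_flood(lines: list[str], window_seconds: int = 10,
                 per_source_max: int = 20, window_max: int = 50) -> list[dict]:
    """Flag sources that exceed per_source_max requests in one window and
    windows whose total exceeds window_max. Thresholds are constructed
    defaults; tune them from the server's own baseline."""
    events = [e for e in map(parse_access_line, lines) if e]
    per_source, per_window = count_by_window(events, window_seconds)
    alerts: list[dict] = []
    for (w, ip), n in sorted(per_source.items()):
        if n > per_source_max:
            alerts.append({"kind": "source_flood", "window": w, "ip": ip, "count": n})
    for w, n in sorted(per_window.items()):
        if n > window_max:
            alerts.append({"kind": "volume_spike", "window": w, "count": n})
    return alerts


def constructed_access_log() -> list[str]:
    """Constructed sample: two ordinary clients plus a three-source burst."""
    def line(ip: str, second: int, path: str = "/", status: int = 200) -> str:
        return (f'{ip} - - [21/Sep/2023:10:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

    lines: list[str] = []
    for i in range(4):  # ordinary traffic spread over the minute
        lines.append(line("203.0.113.10", 5 + i * 12, "/login"))
        lines.append(line("203.0.113.11", 7 + i * 12, "/"))
    for ip in ("198.51.100.5", "198.51.100.6", "198.51.100.7"):
        for i in range(30):  # each source sends 30 requests inside 5 seconds
            lines.append(line(ip, 30 + i % 5, "/", 503))
    return lines


if __name__ == "__main__":
    for alert in detect_flood(constructed_access_log()):
        print(alert)
```

Per-source counting alone misses a distributed flood where each bot stays under the budget, which is why the aggregate window check is kept alongside it; in practice the next layers are upstream rate limiting and a scrubbing or CDN service, which this log-side check helps you decide to engage.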

Data Leaks

Classblue Data Advertised in Leak Site
Attack Type: Data Leaks
Target Industry: Software
Target Geography: India
Target Technology: SQL Database
Objective: Data Theft, Financial Gains
Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to Classblue, {www[.]classblue[.]in}. Classblue is a complete coaching class management software and mobile app in India that manages student admissions, payments, performance, attendance, etc. The compromised data comprises confidential information belonging to Classblue in SQL format.

Source: Underground forums

Relevancy & Insights:
Opportunistic cybercriminals driven by financial incentives are continually searching for exposed and susceptible systems and applications. Most of these attackers conduct their activities in clandestine online forums, where they engage in discussions related to their illicit pursuits, including the buying and selling of pilfered digital assets. In contrast to financially motivated groups like ransomware or extortion outfits, who often publicize their attacks, these cybercriminals prefer to operate discreetly. They exploit unpatched systems or vulnerabilities in applications and systems to gain access and pilfer valuable data. Subsequently, the stolen data is advertised for sale in underground forums, circulated among other attackers, and repurposed for use in various illicit activities.

ETLM Assessment:
India remains one of the most targeted countries in the world by cybercriminals. CYFIRMA assesses that Indian institutions that do not have robust security measures and infrastructure will remain at high risk of potential attack.

Other Observations

CYFIRMA Research team observed a potential data leak related to the OTRS Group, {www[.]otrs[.]com}. The OTRS Group is a vendor and the world’s leading provider of the open-source help desk software OTRS Help Desk and the open-source IT Service Management (ITSM) software OTRS ITSM. The data that has been compromised is in SQL format and includes both sensitive and confidential information, totalling 3 GB.

Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
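The tactical recommendation on combining rate-limiting, account lockout and IP blacklisting against automated brute-force attempts is easier to reason about in code. The class below is an added example written for this report, not CYFIRMA tooling: it stacks a per-IP attempt budget, a per-account lockout with expiry, and a blocklist that is fed both statically and by a credential-stuffing signal (one source locking out several distinct accounts). CAPTCHA and device fingerprinting from the same recommendation are not modelled; they would plug in where the `attempt` method currently returns `ip_rate_limited`. All thresholds, account names and IP addresses are constructed for the example.

```python
from __future__ import annotations

import time
from collections import defaultdict, deque


class LoginGuard:
    """Layered brute-force controls for a login endpoint. Thresholds are
    constructed defaults for the example, not figures from the report."""

    def __init__(self, max_failures: int = 5, failure_window: int = 300,
                 lockout_seconds: int = 900, ip_max_attempts: int = 20,
                 ip_window: int = 60, stuffing_threshold: int = 3,
                 static_blocklist: tuple[str, ...] = ()):
        self.max_failures = max_failures              # failures per account before lockout
        self.failure_window = failure_window          # seconds over which failures count
        self.lockout_seconds = lockout_seconds        # how long a locked account stays locked
        self.ip_max_attempts = ip_max_attempts        # attempts one IP may make per ip_window
        self.ip_window = ip_window
        self.stuffing_threshold = stuffing_threshold  # distinct accounts one IP may lock
        self._failures: dict[str, deque] = defaultdict(deque)     # account -> failure times
        self._locked_until: dict[str, float] = {}                 # account -> lockout expiry
        self._ip_attempts: dict[str, deque] = defaultdict(deque)  # ip -> attempt times
        self._ip_locked: dict[str, set] = defaultdict(set)        # ip -> accounts it locked
        self._blocked_ips: set[str] = set(static_blocklist)       # static + dynamic blocklist

    @staticmethod
    def _prune(dq: deque, cutoff: float) -> None:
        """Drop timestamps older than the window start (sliding window)."""
        while dq and dq[0] < cutoff:
            dq.popleft()

    def attempt(self, ip: str, account: str, credentials_valid: bool,
                now: float | None = None) -> str:
        """Evaluate one login attempt and return an outcome label.
        `now` is injectable so a sequence of attempts is reproducible."""
        now = time.time() if now is None else now
        if ip in self._blocked_ips:
            return "ip_blocked"
        attempts = self._ip_attempts[ip]
        self._prune(attempts, now - self.ip_window)
        if len(attempts) >= self.ip_max_attempts:
            return "ip_rate_limited"
        attempts.append(now)  # every non-blocked attempt consumes the IP's budget
        if self._locked_until.get(account, 0.0) > now:
            return "account_locked"  # same answer whether or not the password was right
        if credentials_valid:
            self._failures.pop(account, None)
            return "success"
        fails = self._failures[account]
        self._prune(fails, now - self.failure_window)
        fails.append(now)
        if len(fails) < self.max_failures:
            return "failure"
        # Threshold reached: lock the account and remember which source caused it.
        self._locked_until[account] = now + self.lockout_seconds
        fails.clear()
        self._ip_locked[ip].add(account)
        if len(self._ip_locked[ip]) >= self.stuffing_threshold:
            self._blocked_ips.add(ip)  # one source locking many accounts: stuffing signal
        return "failure_locked"

    def blocked_ips(self) -> set[str]:
        return set(self._blocked_ips)


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, failure_window=60, lockout_seconds=300,
                       ip_max_attempts=5, ip_window=60, stuffing_threshold=2)
    for t in range(4):  # constructed sequence: one source guessing at "alice"
        print(t, guard.attempt("198.51.100.9", "alice", False, now=t))
    print("blocked:", guard.blocked_ips())
```

Returning the same `account_locked` label regardless of whether the password was correct avoids turning the lockout itself into a password oracle, and locking the account without blocking the IP outright keeps a single mistyped password from denying service to a legitimate user behind a shared address.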